2

Suppose I have a big file encrypted using AES (any mode you want) with key kA. I'd like to give an untrusted proxy a kA->kB "conversion key" so that it re-encodes the file from kA to kB without learning the contents of the file or any of the keys.

Is this possible?

If not, are there any widely-supported encryption algorithms that allow that?

Ark-kun

1 Answer

1

Well, if you use AES in counter-mode, you could give the proxy the XOR of both counter-mode streams; he could then XOR in that XOR with the file encrypted with one key, and that'll give him the file encrypted with the other.

This does have the drawbacks:

  • This XOR is as large as the file you've encrypted

  • This XOR is specific to the IV you used to encrypt (and so if multiple files are encrypted this way, you'll need a separate conversion key for each one)

  • There is no integrity checking on the encryption format.

On the other hand, if we allow the use of public key encryption methods, we can do this with Integrated Encryption Scheme.

Here, the public key is a value $A = g^a$, and ciphertext consists of a pair $g^x$ and the actual message encrypted using symmetric crypto keyed based on the value $C = A^x$ (and so the holder of $a$ the private key can compute $A^x = C^a$, and then use that to decrypt the symmetric portions).

Now, this allows a conversion key $y = ab^{-1} \bmod q$ (where $q$ is the size of the subgroup we're working in); then, the proxy can compute $D = C^y$, and then substitute $D$ in place of $C$ in the ciphertext. Then, the holder of $b$ the other private key can compute $D^b = C^{(ab^{-1})b} = C^a = A^x$, and then use that value to decrypt.

And, the value $y$ (and the values of the public keys $A, B$) does not give the proxy enough information to deduce the private key values.

poncho
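The IES conversion described in the answer above, as an added example (not code from the answer or from any library). It reads $C$ as the transmitted element $g^x$, and it assumes a constructed toy group ($p = 2039$, $q = 1019$, $g = 4$) and a SHA-256 keystream as a stand-in for the symmetric cipher; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use:
# safe prime P = 2Q + 1, and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4
ELEM_LEN = (P.bit_length() + 7) // 8

def keygen():
    """Return (private exponent, public key g^priv mod P)."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)

def _stream_xor(shared, data):
    """Stand-in symmetric cipher (assumption): XOR with a SHA-256 counter
    keystream keyed from the shared group element. No integrity protection."""
    key = hashlib.sha256(shared.to_bytes(ELEM_LEN, "big")).digest()
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(d ^ k for d, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(pub, msg):
    """Encrypt to public key A: send C = g^x, key the body from A^x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), _stream_xor(pow(pub, x, P), msg)

def decrypt(priv, ct):
    """The key holder recomputes the shared element as C^priv."""
    c, body = ct
    return _stream_xor(pow(c, priv, P), body)

def conversion_key(a, b):
    """y = a * b^-1 mod q; computing it requires both private exponents."""
    return a * pow(b, -1, Q) % Q

def reencrypt(y, ct):
    """Proxy step: swap C for D = C^y. The symmetric body is not touched,
    so the cost is one exponentiation regardless of file size."""
    c, body = ct
    return pow(c, y, P), body
```

Because $a = yb \bmod q$, the proxy and the holder of $b$ together can recover $a$, and $y^{-1} \bmod q$ converts in the opposite direction, so the conversion key needs the same care as a private key.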