2

As the title says: for example, A uses B's public key to encrypt a message and sends it to B. At a later stage, a new member C joins, and B would like C to be able to see this encrypted message (i.e., give the decryption ability to C). How can this be achieved without having A encrypt the message again using C's public key?

One way I can think of now is that B decrypts the message first, uses C's public key to encrypt it again, and then sends it to C. But is there any method that requires fewer operations and shares the decryption ability with C more or less automatically? Thanks.

Leo

1 Answer

0

If you want C to be able to decrypt anything addressed to B, then the simplest thing is to simply give B's decryption key to C.

There is also something called proxy re-encryption that is also in the spirit of "re-addressing" a ciphertext. In proxy re-encryption, there is an algorithm $\textsf{ProxyKey}(sk_B, pk_C) \to rk_{B\to C}$: it takes B's private key and C's public key as input, and generates a re-encryption key $rk_{B \to C}$. Whoever has this re-encryption key can do $\textsf{ReEncrypt}(rk_{B \to C}, ctxt) \to ctxt'$, which takes a ciphertext $ctxt$ addressed to $B$ and transforms it into $ctxt'$, an encryption of the same thing but addressed to $C$.

(There are also variants where $\textsf{ProxyKey}$ needs the private key of both parties.)

The important distinction here is that the person who "re-addresses" the ciphertext (the "proxy") can be someone other than B or C. A proxy who only has $rk_{B\to C}$ but who doesn't know B or C's private keys can't open ciphertexts addressed to B or C. They can only transform ciphertexts for B into ciphertexts for C (and not vice-versa) without looking inside. Assuming the proxy and C are distinct parties, then C can only read messages addressed to B that the proxy chooses to transform.

Mikero
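An added example, not part of the answer above: the variant mentioned in the parenthetical, where $\textsf{ProxyKey}$ needs both private keys, instantiated with the ElGamal-based scheme of Blaze, Bleumer and Strauss. The group parameters, function names and message are constructed for illustration and are far too small for real use.

```python
import secrets

# Toy parameters (constructed): P = 2*Q + 1 is a safe prime and
# G = 4 generates the subgroup of prime order Q. Not secure at this size.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1            # 1..Q-1, invertible mod Q
    return sk, pow(G, sk, P)                     # (sk, pk = g^sk)

def encrypt(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P)) % P, pow(pk, r, P) # (m*g^r, g^(sk*r))

def decrypt(sk, ct):
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)             # strip sk from the exponent
    return (c1 * pow(g_r, -1, P)) % P

def proxy_key(sk_b, sk_c):
    # rk_{B->C} = sk_C / sk_B mod Q; this variant needs both private keys.
    return (sk_c * pow(sk_b, -1, Q)) % Q

def re_encrypt(rk, ct):
    c1, c2 = ct
    # g^(b*r) becomes g^(c*r); c1 is untouched and the plaintext never appears.
    return c1, pow(c2, rk, P)

def demo():
    sk_b, pk_b = keygen()
    sk_c, pk_c = keygen()
    m = pow(G, 321, P)              # constructed message, a group element
    ct_b = encrypt(pk_b, m)         # A encrypts once, addressed to B
    rk = proxy_key(sk_b, sk_c)      # handed to the proxy
    ct_c = re_encrypt(rk, ct_b)     # proxy holds only rk, no private key
    return m, decrypt(sk_b, ct_b), decrypt(sk_c, ct_c)

if __name__ == "__main__":
    m, via_b, via_c = demo()
    print(m, via_b, via_c)
```

In this particular scheme the re-encryption key is invertible, so it also maps C's ciphertexts back to B, and a proxy that colludes with C can compute B's private key as $sk_C / rk$; unidirectional schemes of the $\textsf{ProxyKey}(sk_B, pk_C)$ form avoid the first property.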