Combined Proxy Re-Encryption
S. Canard and J. Devigne

Among the variants of public key encryption schemes, the proxy re-encryption primitive (PRE) allows a user, say Alice, to decide that a delegate, say Bob, will be able to read her private messages. This is made possible by a third party, the proxy, which is given a re-encryption key to transform a ciphertext intended for Alice into one intended for Bob. PRE schemes come with different properties. Some of them are \textit{unidirectional} and allow the proxy to translate a ciphertext only from Alice to Bob. Others are \textit{bidirectional} and permit the proxy, with only one re-encryption key, to translate from Alice to Bob but also from Bob to Alice. Most of the time, a bidirectional scheme is \emph{multi-hop}, meaning that a ciphertext can be forwarded several times, and a unidirectional scheme is \emph{single-hop}, meaning that a ciphertext can be transformed just once. Here we investigate how to design a combined (single/multi hop) PRE scheme which permits both unidirectional single-hop and bidirectional multi-hop re-encryption. We formalize this concept, give several generic results and finally propose a practical construction. We argue that this case is very interesting in practice for the design of a secure and privacy-preserving cloud storage system, such as the one defined by Ateniese \emph{et al.} in 2006, particularly when a user's device is lost.
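
The bidirectional multi-hop behaviour described above, as an added example that is not the construction of this paper: it uses the classical ElGamal-based scheme of Blaze, Bleumer and Strauss (1998) to show one re-encryption key serving both directions and a ciphertext being forwarded twice. The group parameters, the third user "Carol" and all function names are assumptions made for the illustration.

```python
import secrets

# Toy parameters (constructed for illustration, far too small for real use):
# safe prime P = 2*Q + 1, and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1

def keygen():
    sk = secrets.randbelow(Q - 1) + 1          # sk in [1, Q-1]
    return sk, pow(G, sk, P)                   # (a, g^a)

def encrypt(pk, m):
    """m must be an element of the order-Q subgroup."""
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P)) % P, pow(pk, r, P)   # (m*g^r, g^(a*r))

def decrypt(sk, ct):
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)           # g^(a*r) -> g^r
    return (c1 * pow(g_r, -1, P)) % P

def rekey(sk_from, sk_to):
    return (sk_to * pow(sk_from, -1, Q)) % Q   # rk = b/a mod Q

def invert_rekey(rk):
    # Needs no secret key: the proxy alone can reverse the direction,
    # which is what makes this scheme bidirectional.
    return pow(rk, -1, Q)

def reencrypt(rk, ct):
    c1, c2 = ct
    return c1, pow(c2, rk, P)                  # g^(a*r) -> g^(b*r)

def demo():
    (a, pk_a), (b, pk_b), (c, _) = keygen(), keygen(), keygen()
    m = pow(G, 123, P)                         # constructed sample message
    rk_ab, rk_bc = rekey(a, b), rekey(b, c)
    ct_b = reencrypt(rk_ab, encrypt(pk_a, m))  # hop 1: Alice -> Bob
    ct_c = reencrypt(rk_bc, ct_b)              # hop 2: Bob -> Carol (multi-hop)
    back = reencrypt(invert_rekey(rk_ab), encrypt(pk_b, m))  # Bob -> Alice
    return m, decrypt(b, ct_b), decrypt(c, ct_c), decrypt(a, back)

if __name__ == "__main__":
    print(demo())
```

In this classical scheme the re-encryption key together with either party's secret key yields the other party's secret key, so the proxy must not collude with a delegate.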