Proxy Re-Encryption (PRE) is a cryptographic protocol where a semi-trusted proxy uses a special re-encryption key to convert a ciphertext from Alice's key to Bob's key. Critically, the proxy performs this transformation directly on the ciphertext without accessing the plaintext or either party's private key, maintaining end-to-end confidentiality while enabling secure delegation of decryption rights.
Glossary
Proxy Re-Encryption

What is Proxy Re-Encryption?
A public-key cryptographic primitive enabling a semi-trusted proxy server to transform ciphertext encrypted under one public key into ciphertext encrypted under a different public key without ever decrypting the underlying plaintext.
PRE is foundational for secure cloud data sharing and encrypted inference architectures. Unlike standard public-key encryption, it prevents the data owner from needing to download, decrypt, and re-encrypt data for each recipient. In homomorphic inference pipelines, PRE allows a model host to re-encrypt an encrypted result under the end-user's key without exposing the inference output, ensuring the compute node remains blind to the plaintext.
Key Properties of Proxy Re-Encryption
Proxy Re-Encryption (PRE) is a cryptographic primitive enabling a semi-trusted proxy to transform ciphertexts between key pairs without accessing the plaintext. These properties define its security model and practical utility in secure data sharing.
Unidirectional Transformation
The proxy can only transform ciphertexts from Alice to Bob, not the reverse. This is enforced cryptographically using a re-encryption key (RK) generated by Alice using her secret key and Bob's public key. The RK is mathematically directional—it contains the quotient of the two keys. This prevents the proxy from reversing the transformation or deriving either party's private key. Unidirectionality is critical for delegation scenarios where trust is asymmetric, such as granting read access to a subordinate without enabling them to re-share upward.
- Key generation: Alice computes
RK_{A→B}usingsk_Aandpk_B - Security guarantee: Proxy cannot compute
RK_{B→A}fromRK_{A→B} - Use case: Hierarchical data sharing in enterprise file systems
Non-Interactive Re-Encryption Key Generation
Alice can generate the re-encryption key without any interaction with Bob. She only needs Bob's public key, which can be retrieved from a public key infrastructure (PKI) or directory. This non-interactive property is essential for asynchronous delegation—Alice can grant access to Bob even when Bob is offline or does not yet exist in the system. The scheme relies on the algebraic structure of pairing-based cryptography or lattice-based hardness assumptions to enable this offline delegation.
- No handshake required: Bob's participation is unnecessary during RK generation
- Enables pre-provisioning: Access can be granted before Bob joins the system
- Contrast with: Interactive proxy re-encryption schemes requiring Bob's secret key
Collusion Resistance
Even if the proxy colludes with Bob and shares the re-encryption key, they cannot jointly recover Alice's secret key. This property, known as collusion safety or master secret security, is achieved through cryptographic separation: the re-encryption key encodes a transformation function, not a decryption capability. In pairing-based constructions, this relies on the hardness of the Bilinear Diffie-Hellman (BDH) problem. Without collusion resistance, a malicious proxy and delegatee could conspire to decrypt all of Alice's past and future ciphertexts.
- Threat model: Proxy + Delegatee coalition
- Protected secret: Alice's long-term private key
sk_A - Cryptographic basis: BDH assumption or LWE hardness in lattice-based variants
Transparency to the Delegatee
From Bob's perspective, a re-encrypted ciphertext is indistinguishable from a ciphertext originally encrypted under his public key. Bob uses his standard secret key sk_B for decryption—no special proxy-aware decryption algorithm is required. This transparency property means Bob's client software needs no modification to receive delegated data. The proxy transformation produces a valid second-level ciphertext that conforms exactly to the underlying encryption scheme's ciphertext space.
- Bob's decryption: Standard
Decrypt(sk_B, C') - No proxy metadata: Ciphertext format is identical to direct encryption
- Backward compatibility: Existing decryption clients work without upgrades
Proxy Opacity
The proxy never learns the underlying plaintext during the transformation process. The re-encryption operation is performed entirely on ciphertexts—the proxy takes Enc(pk_A, m) and the re-encryption key RK_{A→B}, and outputs Enc(pk_B, m) without ever seeing m. This opacity is the defining characteristic that distinguishes a semi-trusted proxy from a fully trusted one. It enables architectures where cloud infrastructure or edge nodes can mediate secure data sharing without being granted decryption rights.
- Proxy's view: Only ciphertexts and re-encryption keys
- No decryption capability: Proxy lacks any secret key material
- Architectural implication: Enables secure cloud-based access control proxies
Multi-Hop vs. Single-Hop Delegation
Single-hop PRE allows only one re-encryption: Alice → Proxy → Bob. The resulting ciphertext cannot be re-encrypted again. Multi-hop PRE enables transitive delegation chains: Alice → Proxy1 → Proxy2 → Carol, where each proxy applies its own re-encryption key. Multi-hop schemes require additional cryptographic machinery to prevent ciphertext bloat and manage noise accumulation. The choice between single-hop and multi-hop represents a trade-off between expressiveness and efficiency.
- Single-hop: Simpler construction, lower overhead, sufficient for most access control
- Multi-hop: Enables complex delegation graphs and cascading permissions
- Security consideration: Each hop introduces additional collusion risk vectors
- Lattice-based PRE: Often supports multi-hop natively via key switching techniques
Frequently Asked Questions
Answers to common questions about the mechanics, security properties, and practical applications of proxy re-encryption in modern cryptographic systems.
Proxy re-encryption (PRE) is a cryptographic primitive that allows a semi-trusted proxy to transform a ciphertext encrypted under Alice's public key into a ciphertext encrypted under Bob's public key without ever decrypting the underlying plaintext. The mechanism works through a re-encryption key (RK) generated by Alice using her secret key and Bob's public key. Alice delegates this RK to the proxy, which applies a ReEncrypt() algorithm to convert ciphertexts. Critically, the proxy learns nothing about the plaintext or either party's secret key during this transformation. PRE schemes are classified as unidirectional (Alice→Bob only) or bidirectional (interchangeable), and single-hop (one transformation) or multi-hop (cascading re-encryptions). Modern constructions like the AFGH and BBS98 schemes base their security on pairing-based cryptography and the decisional Diffie-Hellman assumption.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Proxy re-encryption is a fundamental building block for secure data sharing. These related cryptographic concepts and operational mechanisms are essential for understanding how PRE integrates into broader privacy-preserving architectures.
Key Switching
The core cryptographic operation that enables proxy re-encryption. Key switching transforms a ciphertext encrypted under one secret key into a ciphertext encrypting the same plaintext under a different secret key.
- Requires a switching key generated by the original key holder
- Used extensively in homomorphic encryption for relinearization and rotation operations
- The proxy never learns either secret key during the transformation
- Forms the mathematical basis for both single-hop and multi-hop PRE schemes
Conditional Proxy Re-Encryption (CPRE)
An extension of standard PRE where the proxy can only transform ciphertexts that satisfy a specific condition embedded at encryption time.
- Conditions can be based on attributes, time windows, or keywords
- Enables fine-grained access control without trusting the proxy
- Used in attribute-based encryption systems for cloud data sharing
- Prevents unauthorized re-encryption even if the proxy is compromised
- Critical for regulatory compliance in healthcare and finance
Re-Encryption Key Generation
The process by which a delegator creates a cryptographic token that authorizes the proxy to transform ciphertexts. This key is unidirectional or bidirectional depending on the scheme.
- Unidirectional: Alice can delegate to Bob, but Bob cannot delegate to Alice
- Bidirectional: The key works symmetrically between both parties
- Generated using the delegator's private key and delegatee's public key
- Can be time-limited or use-limited in advanced schemes
- Must be transmitted to the proxy over a secure channel
Attribute-Based Encryption (ABE)
A cryptographic scheme where ciphertexts and secret keys are associated with attributes, and decryption succeeds only when attributes match a defined policy. PRE extends ABE for revocation and delegation.
- Ciphertext-Policy ABE: Access policy embedded in the ciphertext
- Key-Policy ABE: Access policy embedded in the user's key
- PRE enables dynamic re-encryption when user attributes change
- Eliminates the need to re-encrypt data from scratch during user revocation
- Foundational for secure cloud storage and digital rights management
Lattice-Based PRE
Proxy re-encryption schemes constructed on lattice hardness assumptions like Learning With Errors (LWE), providing post-quantum security guarantees.
- Resistant to attacks by both classical and quantum computers
- Based on the same mathematical foundations as homomorphic encryption
- Supports key homomorphism for multi-hop re-encryption
- Enables PRE for FHE ciphertexts, allowing delegated computation on encrypted data
- Active area of NIST post-quantum standardization research

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us