In this paper, we introduce a new primitive called (t, N)-Threshold Full-Grained Proxy Re-Encryption (ThFPRE). With a (t, N)-ThFPRE scheme, t honest proxies can collaboratively transform an encryption of m intended for delegator A into another ciphertext encrypting a function value of m intended for delegatee B. In this way, delegator A has flexible control over the information shared with B. We define the HR A security for (t, N)-ThFPRE, which guarantees the security of delegator’s challenge ciphertext in face of collusion between t - 1 malicious proxies and the delegatee. The HRA security is stronger than the CPA security since it even allows the adversary to obtain full-grained re-encryptions of the challenge ciphertext to corrupted users (under some constraint to avoid trivial attacks).

We propose a generic construction of HRA-secure ThFPRE from Threshold Fully Homomorpic Encryption (ThFHE) and a PRF function. We also instantiate the generic construction of ThFPRE to obtain a specific (t, N)-ThFPRE scheme from lattices for all circuits of polynomial sizes. Our (t, N)-ThFPRE scheme can support arbitrary circuits of polynomial sizes, i.e., they enable transformation from a ciphertext encrypting m for delegator A into a delegatee B’s ciphertext encrypting C(m) for any polynomial-sized circuit C. Our (t, N)-ThFPRE scheme has HRA security based on the LWE assumption in the standard model and hence enjoys post-quantum security. The threshold technique decentralizes the re-encryption power to N proxies, and it makes our (t, N)-ThFPRE schemes resilient to N - t proxy failures. And the HRA security makes our (t, N)-ThFPRE schemes resilient to collusion of t - 1 malicious proxies and the delegatee.