6

Which encryption algorithms could be used for the following scenario?

  1. A user stores a file encrypted by someone else
  2. Then the user is asked to re-encrypt the file with a new secret
  3. The user remains unaware of the clear text at every moment

To achieve that, the user can be provided with a kind of "diff" secret, I suppose. It may be a password-based algorithm.

Mike Edward Moras
Pavel Vlasov

3 Answers

8

This is possible with the Integrated Encryption System.

In this system, there are global values $p$ (a large prime) and $g$ (a generator of a prime subgroup in $\mathbb{Z}_p^*$). A private key is a value $x$ and the corresponding public key is the value $y = g^x \bmod p$.

To encrypt a message $M$ using the public key $y$, you select a random value $r$, and publish the pair $(C, D)$ with $C = g^r \bmod p$ and $D = E_{y^r \bmod p}( M )$ (where $E_k(M)$ is the message $M$ encrypted using the key $k$ with some symmetric cipher).

To decrypt a message $(C, D)$ using the public key $x$, you just compute $C^x \bmod p$; this is the value $y^r \bmod p$, which you can then use as the key for the symmetric cipher in $D$.

Now, here comes the interesting part; to update the key from $x$ to $x'$, what the holder of the private key would do is compute $s = x x'^{-1} \bmod p-1$; he then sends it to the user. The user then replaces $(C, D)$ with $(C^s \bmod p, D)$.

We can see that the updated ciphertext $(C^s \bmod p, D)$ is a valid ciphertext to the new public key $y' = g^{x'} \bmod p$; the decryption computes $(C^s)^{x'} = C^{x}$, which is the same key that was originally used to encrypt D, hence decryption works as expected.

poncho
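The key update described in the answer above, as an added example that is not part of the original post. Assumptions: the toy group ($p = 2039$, $q = 1019$, $g = 4$) is constructed for illustration and is far too small for real use, a SHA-256 counter keystream stands in for the symmetric cipher $E_k$, and $s$ is reduced modulo $q$ (the order of $g$) rather than $p-1$ so that every nonzero $x'$ is invertible.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (NOT secure sizes):
# P = 2*Q + 1 is a safe prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (x, y) with private x in [1, Q-1] and public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _stream_xor(shared, data):
    """Stand-in for E_k: XOR data with a SHA-256 counter keystream."""
    key = hashlib.sha256(str(shared).encode()).digest()
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(y, msg):
    """Return (C, D) with C = g^r mod p and D = E_{y^r mod p}(msg)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), _stream_xor(pow(y, r, P), msg)

def decrypt(x, ct):
    """Recover the symmetric key as C^x mod p, then undo the XOR."""
    c, d = ct
    return _stream_xor(pow(c, x, P), d)

def update_token(x_old, x_new):
    """Key holder side: s = x * x'^{-1}, reduced mod Q (assumption, see lead-in)."""
    return (x_old * pow(x_new, -1, Q)) % Q

def reencrypt(ct, s):
    """Storage side: only C changes; D is untouched and no key is ever seen."""
    c, d = ct
    return pow(c, s, P), d

if __name__ == "__main__":
    x, y = keygen()
    x2, _ = keygen()
    ct = encrypt(y, b"constructed sample file contents")
    ct2 = reencrypt(ct, update_token(x, x2))
    print(decrypt(x2, ct2))
```

Because $s = x x'^{-1}$, anyone who holds $s$ and later learns either private key can compute the other one, so the update token needs the same handling as key material.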
3

This is possible with Homomorphic Encryption, though for decryption in this case both keys would be required, and it would be VERY computationally expensive as most fully homomorphic encryption schemes are. This is also possible via secret sharing, though the use case would dictate whether the constraints imposed by this paradigm would be acceptable. In secret sharing schemes the secret, or in this case file, is split into various parts which must be recombined in order for them to be reconstructed to regain the "cleartext". This is different from the ciphertext/key combination for normal encryption.

Homomorphic Encryption: https://en.wikipedia.org/wiki/Homomorphic_encryption

Secret Sharing: https://en.wikipedia.org/wiki/Secret_sharing

Ken Goss
1

Here is an idea: Use a stream cipher, for example AES in counter mode.

If you want to change the key or even use another stream cipher, you send the XOR of the keystream of the old cipher and the keystream of the new cipher. The receiver who has the file stored then XORs the ciphertext with this data.

The downside is that the data you have to send is as large as the file. But this is still better than downloading the file, re-encrypting it, and then uploading it again.

Mike Edward Moras
Paul