cryspen / atlas

BMBF ATLAS project
https://cryspen.com/atlas/
4 stars 1 forks source link

[ScrambleDB] Double encryption is insufficient #45

Open jschneider-bensch opened 10 months ago

jschneider-bensch commented 10 months ago

Double encryption is insufficient for re-randomization: Colluding source and destination can re-link incoming and outgoing ciphertexts since the original incoming ciphertext can be reconstructed from the re-encrypted one.

Possible solutions:

franziskuskiefer commented 10 months ago

What's the path forward here? For the spec something like ElGamal is fine, but we should recommend what implementations should use or reason on why this is fine.

jschneider-bensch commented 10 months ago

My proposal would be to spec it with ElGamal for now and then see if an alternative based on symmetric proxy-reencryption matches the desired security notions or not. Would it be okay for the spec to offer the double encryption version as a possible implementation choice with the resulting security implications clearly stated?

franziskuskiefer commented 10 months ago

I'd be fine with stating the security implications. ElGamal won't really be practical. So I'm not sure if that's worth doing (other than for prosperity and have the paper in code). We can add a comment saying that new research is needed to get the security from the paper in a real world setting. And then wait for some symmetric proxy-reencryption. But we should put this up on slack to get their take, also on what they want to deploy (sine), and what they want to research (hpi).