franziskuskiefer
commented
7 months ago What's the path forward here? For the spec something like ElGamal is fine, but we should recommend what implementations should use or reason on why this is fine.
Open jschneider-bensch opened 7 months ago
franziskuskiefer
commented
7 months ago What's the path forward here? For the spec something like ElGamal is fine, but we should recommend what implementations should use or reason on why this is fine.
jschneider-bensch
commented
7 months ago My proposal would be to spec it with ElGamal for now and then see if an alternative based on symmetric proxy-reencryption matches the desired security notions or not. Would it be okay for the spec to offer the double encryption version as a possible implementation choice with the resulting security implications clearly stated?
franziskuskiefer
commented
7 months ago I'd be fine with stating the security implications. ElGamal won't really be practical. So I'm not sure if that's worth doing (other than for prosperity and have the paper in code). We can add a comment saying that new research is needed to get the security from the paper in a real world setting. And then wait for some symmetric proxy-reencryption. But we should put this up on slack to get their take, also on what they want to deploy (sine), and what they want to research (hpi).
Double encryption is insufficient for re-randomization: Colluding source and destination can re-link incoming and outgoing ciphertexts since the original incoming ciphertext can be reconstructed from the re-encrypted one.
Possible solutions: