Proxy Re-Encryption
image credit: https://medium.com/nucypher/unveiling-umbral-3d9d4423cd71
Proxy Re-Encryption (PRE) is a cryptographic technique that allows ciphertexts encrypted under one public key to be re-encrypted to another public key without revealing the underlying plaintext. This transformation is performed using a special cryptographic key called a re-encryption key (ReKey). In the context of Orbis, PRE enables secure and private transfer of encrypted secrets between different parties, ensuring that the secret is never exposed to intermediaries.
Key Concepts
Re-Encryption Key (ReKey):
- Definition: A special cryptographic key generated to convert ciphertext encrypted under one public key (A) to another public key (B). The ReKey is derived from the private key associated with public key A and the public key B.
- Purpose in Orbis: ReKeys are used to securely transfer encrypted secrets from the Secret Ring's public key to a requesting user's ephemeral public key, enabling the user to decrypt the secret without exposing it to the Secret Ring or any intermediaries.
Delegated Re-Encryption:
- Definition: The process of re-encrypting ciphertext using a ReKey, which can be performed by an untrusted third party or server. The third party does not gain access to the plaintext during this process.
- Purpose in Orbis: Delegated re-encryption allows the Orbis system to offload the re-encryption process to nodes without risking exposure of the underlying secret. This capability is essential for maintaining the privacy and security of the user's data.
Ciphertext Transformation:
- Definition: The process by which encrypted data (ciphertext) is converted from being encrypted under one public key to another, using a ReKey. This transformation ensures that the data remains encrypted throughout the process.
- Purpose in Orbis: Ciphertext transformation is used to manage access to secrets without decrypting them. For example, a secret encrypted under the Secret Ring's public key can be transformed to be decryptable only by the intended recipient's public key, maintaining confidentiality.
PRE and DKG in Orbis
In the Orbis system, PRE and Distributed Key Generation (DKG) work in tandem to provide a robust and secure framework for secret management:
- DKG: DKG enables the decentralized creation of a shared public-private keypair, with the private key split into shares held by different nodes. This setup ensures that no single participant has access to the full private key, enhancing security.
- PRE: Utilizing the public key generated by the DKG process, PRE allows for the secure re-encryption of data. The private key shares generated during DKG are used to create ReKeys without reconstructing the full private key, thus maintaining security and privacy. This integration ensures that even though the secret's ciphertext is transformed between different public keys, the underlying plaintext remains protected from unauthorized access.
The combination of DKG and PRE in Orbis ensures that secrets can be securely managed and transferred across different parties, all while preserving the integrity and confidentiality of the data.
Conclusion
Proxy Re-Encryption (PRE) is a powerful cryptographic primitive that, in conjunction with Distributed Key Generation (DKG), enables secure and private data transfer within the Orbis system. By leveraging ReKeys and delegated re-encryption, Orbis ensures that secrets are securely managed and transferred without exposing the plaintext to unauthorized parties. PRE and DKG together provide robust security and privacy guarantees, making Orbis a reliable solution for decentralized custodial secret management.