[ScrambleDB] Double encryption is insufficient

[jschneider-bensch]

Double encryption is insufficient for re-randomization: Colluding source and destination can re-link incoming and outgoing ciphertexts since the original incoming ciphertext can be reconstructed from the re-encrypted one.

Possible solutions:

• symmetric proxy-reencryption
• fallback to ElGamal

[franziskuskiefer]

What's the path forward here?
For the spec something like ElGamal is fine, but we should recommend what implementations should use or reason on why this is fine.

[jschneider-bensch]

My proposal would be to spec it with ElGamal for now and then see if an alternative based on symmetric proxy-reencryption matches the desired security notions or not. Would it be okay for the spec to offer the double encryption version as a possible implementation choice with the resulting security implications clearly stated?

[franziskuskiefer]

I'd be fine with stating the security implications. ElGamal won't really be practical. So I'm not sure if that's worth doing (other than for prosperity and have the paper in code). We can add a comment saying that new research is needed to get the security from the paper in a real world setting. And then wait for some symmetric proxy-reencryption.
But we should put this up on slack to get their take, also on what they want to deploy (sine), and what they want to research (hpi).