Paper 2017/833

Efficient Hybrid Proxy Re-Encryption for Practical Revocation and Key Rotation

Steven Myers and Adam Shull


We consider the problems of i) using public-key encryption to enforce dynamic access control on clouds; and ii) key rotation of data stored on clouds. Historically, proxy re-encryption, ciphertext delegation, and related technologies have been advocated as tools that allow for revocation and the ability to cryptographically enforce \emph{dynamic} access control on the cloud, and more recently they have suggested for key rotation of data stored on clouds. Current literature frequently assumes that data is encrypted directly with public-key encryption primitives. However, for efficiency reasons systems would need to deploy with hybrid encryption. Unfortunately, we show that if hybrid encryption is used, then schemes are susceptible to a key-scraping attack. Given a proxy re-encryption or delegation primitive, we show how to construct a new hybrid scheme that is resistant to this attack and highly efficient. The scheme only requires the modification of a small fraction of the bits of the original ciphertext. The number of modifications scales linearly with the security parameter and logarithmically with the file length: it does not require the entire symmetric-key ciphertext to be re-encrypted! Beyond the construction, we introduce new security definitions for the problem at hand, prove our construction secure, discuss use cases, and provide quantitative data showing its practical benefits and efficiency. We show the construction extends to identity-based proxy re-encryption and revocable-storage attribute-based encryption, and thus that the construction is robust, supporting most primitives of interest.

Available format(s)
Publication info
Proxy Re-encryptionCiphertext DelegationHybrid EncryptionKey RotationDynamic Cryptographic Access Control
Contact author(s)
amshull @ indiana edu
2017-09-07: revised
2017-08-31: received
See all versions
Short URL
Creative Commons Attribution


      author = {Steven Myers and Adam Shull},
      title = {Efficient Hybrid Proxy Re-Encryption for Practical Revocation and Key Rotation},
      howpublished = {Cryptology ePrint Archive, Paper 2017/833},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.