dCypher
Update: We're excited to announce that dCypher has received funding from the Shift Crypto Grant Program! Read our press release to learn more about this milestone and what it means for the future of decentralized private storage.
Recryption changes the cloud storage game
Decentralized systems are missing a key component that would greatly expand their usefulness and bring them closer to par with equivalent centralized systems: private, shareable, revocable cloud storage.
We need a highly available storage provider that does not act as a trusted intermediary. It must not have access to the plaintext of what is stored on it. Additionally, the owner of the data should be able to delegate access to any other user / pubkey, and later be able to revoke that access.
In the current paradigm the storage provider can see the plaintext of what is stored, and can therefore share it with anyone, which is convenient but neither secure nor private. A number of corporations have turned exactly this into great profit. Whoever runs the server that offers the storage can see all of everyone's data.
In response to this trusted custodian model, the personal data store (PDS) movement has gained popularity. It is indeed more decentralized, but getting non-technical people to run a data pod has proven even harder than teaching them to manage a private key properly. Most people genuinely don't want to run a data storage server. So, as an incremental improvement, several projects have moved towards a federated model where a group of service providers run the servers, offering them as a service, and users choose one (e.g. Mastodon). The idea is that this beats a single centralized service: the blast radius of a compromise is smaller, since no one custodian has access to everything. In practice, though, you have to pick a server operator with very little trust or reputation information to go on. Operators are often enthusiastic hobbyists who can and do change hobbies, and users end up inadvertently homeless, looking for a new place for their data to live, still without a good rubric for figuring out which server to switch to.
Recryption changes the game. It flips the board entirely: you can store your data on any cloud provider, that provider can never see unencrypted data, and at the same time you can share that data with any other individual or group that holds a private key. You can later revoke their access without your own decryption key ever having left your hands, and without having to re-encrypt and re-upload the data.
So what are you making exactly?
We are building an open source, easy-to-deploy, production-ready recryption proxy that takes ciphertext encrypted to one user's public key and transforms it into ciphertext that a different user's private key can decrypt, without ever seeing the plaintext or either private key. It should be fast enough to run without undue resources and handle multiple streams at once. We would like it to be quantum-resistant. A skilled infra operator should be able to deploy it to cloud hardware; it should run on a local server (a Raspberry Pi in the closet); and ideally it should deploy in a scalable fashion on "serverless" platforms. It will expose a simple API for managing an access control list (ACL). Authentication and authorization will be tied to the user's key pair.
We plan to deploy this in tandem with a simple S3-compatible store that holds user-encrypted blobs. Content-based addressing will give verifiability (a blob's hash is its name, so any copy can be checked) and agility in storage location. We will also work on nailing down a standard method for metadata querying, e.g. to find a blob's current storage location, so we can move towards a federated model of storage where the user chooses between storage providers (or runs their own if desired).
Why isn't this being done already?
A year after learning of the technique, I was trying to solve the access control problem for encrypted cloud storage, and recryption seemed like such an obvious fit that I was sure someone else must already be working on it. There has been a lot of research on the subject, but TL;DR I haven't found anything production-ready that uses these techniques for this use case.
In 2005, Ateniese, Fu, Green and Hohenberger (AFGH) had already described the problem well, and in detail:
A secure file system is a natural application of proxy re-encryption because the system often assumes a model of untrusted storage. A number of distributed file systems build confidential storage out of untrusted components by using cryptographic storage. Confidentiality is obtained by encrypting the contents of stored files. These encrypted files can then be stored on untrusted file servers. The server operators can distribute encrypted files without having access to the plaintext files themselves. In a single-user cryptographic file system, access control is straightforward. The user creates all the keys protecting content. Thus, there is no key distribution problem.... Other systems...use a trusted access control server to distribute keys. The access control server model requires a great deal of trust in the server operator. Should the operator prove unworthy of this trust, he or she could abuse the server’s key material to decrypt any data stored on the system. Furthermore, even if the access control server operator is trustworthy, placing so much critical key data in a single location makes for an inviting target. In contrast, our system makes use of a semi-trusted access control server. We propose a significant security improvement to the access control in cryptographic storage, using proxy cryptography to reduce the amount of trust in the access control server.
They even implemented their unidirectional proxy re-encryption scheme on top of a secure distributed read-only file system (SFSRO), but it was an academic exercise and AFAIK was never deployed in a production context. It was also from another era: at the bottom of the paper, the authors say that access to the CVS source code repo is available by emailing them. (Links: AFGH, SFSRO.)
One relatively recent (last 10 years) project taking proxy re-encryption to the public is NuCypher, which later merged with Keep Network to form Threshold Network. Their Umbral PRE scheme combines PRE with threshold cryptography: the re-encryption key is split into fragments so that a threshold of proxies must cooperate to re-encrypt. The library is good, but the goals of Threshold Network are more around cryptocurrency bridging and less about decentralized storage with flexible access control. In the initial phase of the project we plan to evaluate lattice-based cryptography as a quantum-resistant basis for recryption, compared against bilinear pairings and possibly an existing PRE library. So using the Umbral library isn't out of the question, as long as its GPL license doesn't conflict too badly with our desired MIT/Apache licensing.
Duality has published some great work recently on homomorphic, lattice-based PRE. They use it to share the results of computations securely and to run homomorphic operations on encrypted results. Their implementation is publicly available as part of the OpenFHE library. They suggest that adding threshold cryptography to this method should also be possible. (Links: Duality blog, ePrint 2024/681, Duality paper.)
There's also some good work coming out of Shandong, China this year on the subject. (Link: ePrint 2025/656.)
Our focus, though, is on implementing something people can use, so we'd like to leverage as much prior theoretical work and tested libs as possible.
What sorts of network topologies does this enable?
This technique opens up many more possibilities. Centralized systems are terrible for privacy, yet they benefit from economies of scale and professional management. The downside, of course, is that they store everything and can see everybody's data.
A fully distributed model means each person maintains their own data store, which depends on each user's skill at running that store, and at running it securely. The federated model is more decentralized, but as stated above, it can be hard to choose a provider, and providers are less professional overall.
Recryption-based sharing opens up topologies where you can store all your data with a single storage provider, if you want: even if that provider is breached, you hold your own decryption keys. You have agility across storage providers. And you can also use a federated model. All of these are possible without weakening security.
The recryption technique?
Our planned approach is to use lattice-based encryption rather than bilinear pairings. The earliest recryption scheme, aka proxy re-encryption (PRE), was Blaze, Bleumer and Strauss's 1998 construction on top of ElGamal in a Diffie-Hellman group; AFGH then used bilinear pairings on elliptic curves to get unidirectional, collusion-safe re-encryption. Both rest on the hardness of the discrete logarithm problem, which Shor's algorithm solves efficiently on a quantum computer. They are not, in other words, quantum resistant.
Fortunately, in the last few years, an open source community has gathered around, and DARPA has funded, a very high quality quantum-resistant fully homomorphic encryption library, OpenFHE. It makes otherwise very challenging things accessible: using lattices correctly, managing noise budgets, and doing the polynomial and matrix arithmetic correctly. However, we still have to evaluate whether it is appropriate, easy to integrate, and fast enough for the real-world use we're going for, and assess the strength of its security guarantees, given that lattice-based PRE is a relatively new way of approaching encryption.
Why are we the team to do this?
In 2008, I worked at PGP on their email encryption server. I saw firsthand the power dynamics and political importance of public key infrastructure, and I also got to see what actual privacy and secure communication afforded groups of people. I did not work on the fundamental cryptography; asymmetric-key encryption was well established by then. However, fundamental technologies are not always easy to apply, and usable software is never easy to make, especially where it enables a new affordance. My focus has been applied cryptography and, later, decentralized systems and crypto-economics, in the context of products, services, and libraries meant for actual people to use to solve their actual problems.
We have assembled around the larger banner of the IdentiKey project a talented group of people who are in it to win it. So far they have all been volunteers. Receiving a grant would go a long way for myself and these good people to be able to fully focus on making these fundamental building blocks that don't always promise short-term ROI but are truly necessary for getting to the more open, secure, egalitarian world that I want my kids to live in.
Together we can actually change the world
We have the theoretical basis, proofs of concepts, and mathematical proofs for all the technologies that we need to enable a more free egalitarian and sovereign society, intermediated as we now are through the medium of the digital. What is needed now are those who will bridge that gap and make products that are usable by non-experts and give us all access to the incredible powers of permissionless, decentralized, censorship-resistant, self-sovereign technologies.
Using these well-studied techniques in this specific way promises to bring secure access control to cloud storage while keeping the content private from both the storage provider and the proxy. This is a revolutionary capability, and I believe an absolutely necessary step on our journey towards data sovereignty and the larger journey of human sovereignty in the digital space.
Addendum
Open Questions & Directions
Will lattice-based cryptography be efficient enough to deploy this way at large scale? Benchmarks look promising. Can lattice methods be extended with threshold cryptography to split trust across multiple recryption proxies, as Umbral does? Is OpenFHE up to the task, and are its security guarantees sufficiently proven yet, or would it be more prudent to fall back to unidirectional pairing-based PRE?
The ideal deployment of this technology would be in concert with a storage system that is decentralized, leverages erasure encoding for redundancy, and has privacy-preserving data validation.
The recryption proxy is a partially trusted entity. By default it holds the re-encryption keys and sees access metadata (who has been granted access to which blob, and when re-encryption requests arrive), even though it never sees plaintext or the users' private keys. Revocation is enforced by the proxy deleting, or refusing to use, a re-encryption key, so you do rely on the proxy to honor revocation. Two further caveats: revocation cannot claw back anything the delegatee already had re-encrypted and decrypted, and in bidirectional schemes a proxy that colludes with the delegatee can recover the delegator's private key, which is why unidirectional, collusion-safe schemes matter for this design.
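To make the mechanics concrete, here is an added example (not dCypher's code, and not the lattice scheme the project plans to ship) of a toy bidirectional PRE in the style of Blaze, Bleumer and Strauss: ElGamal in a prime-order subgroup, with re-encryption key rk = b/a mod q, and the file body protected KEM/DEM style so that only the small capsule g^(ar) is ever re-encrypted (the same "re-encrypt the file key, not the file" pattern the use cases below describe). It shows the flow from the recryption section (encrypt to Alice, proxy transforms, Bob decrypts, proxy never learns the shared secret g^r) and the trust caveat above: revocation is just the proxy discarding rk, Bob cannot read the original capsule without the proxy, and a proxy that colludes with Bob recovers Alice's secret, which is exactly what unidirectional schemes exist to prevent. The safe-prime group generation, the function names and the sample file key are constructed for this example; the 128-bit group and the absence of ciphertext authentication make it unsuitable for real data. Requires Python 3.8+ for pow(x, -1, m).

```python
# Added example, not dCypher code: toy Blaze-Bleumer-Strauss style proxy
# re-encryption. ElGamal over the order-q subgroup of Z_p^* with p = 2q+1.
# Re-encryption key rk = b / a (mod q) turns g^{a r} into g^{b r}.
# Toy parameters and no ciphertext authentication: for illustration only.
import hashlib
import secrets
from collections import namedtuple

# p is a safe prime (p = 2q + 1), g generates the subgroup of prime order q.
Group = namedtuple("Group", "p q g")


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases, after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128):
    """Constructed toy group: random safe prime p = 2q + 1, generator g = 4."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    # Any non-trivial square mod a safe prime has order q; 2^2 = 4 will do.
    return Group(p, q, pow(2, 2, p))


def keygen(grp):
    """Secret exponent sk in [1, q-1] and public key pk = g^sk."""
    sk = secrets.randbelow(grp.q - 1) + 1
    return sk, pow(grp.g, sk, grp.p)


def _keystream(grp, element, length):
    """DEM keystream derived from the KEM group element (hypothetical KDF label)."""
    raw = element.to_bytes((grp.p.bit_length() + 7) // 8, "big")
    return hashlib.shake_256(b"toy-pre-kdf" + raw).digest(length)


def encrypt(grp, pk, msg):
    """Encrypt msg to pk. Returns (capsule, body) with capsule = pk^r = g^{sk r}."""
    r = secrets.randbelow(grp.q - 1) + 1
    capsule = pow(pk, r, grp.p)
    shared = pow(grp.g, r, grp.p)  # g^r: the KEM secret, never stored
    body = bytes(m ^ k for m, k in zip(msg, _keystream(grp, shared, len(msg))))
    return capsule, body


def decrypt(grp, sk, capsule, body):
    """Holder of sk recovers g^r = capsule^(1/sk) and unmasks the body."""
    shared = pow(capsule, pow(sk, -1, grp.q), grp.p)
    return bytes(c ^ k for c, k in zip(body, _keystream(grp, shared, len(body))))


def rekey(grp, sk_from, sk_to):
    """Bidirectional re-encryption key rk = sk_to / sk_from (mod q).
    It needs BOTH secrets, so delegator and delegatee must cooperate to make it."""
    return sk_to * pow(sk_from, -1, grp.q) % grp.q


def reencrypt(grp, rk, capsule):
    """Proxy step: (g^{a r})^{b/a} = g^{b r}. Body untouched; proxy never sees g^r."""
    return pow(capsule, rk, grp.p)


def collude(grp, rk, sk_to):
    """Proxy + delegatee together recover the delegator's secret: a = b / rk (mod q)."""
    return sk_to * pow(rk, -1, grp.q) % grp.q


def demo(msg=b"constructed sample file key: 0123456789abcdef"):
    """Run the full Alice -> proxy -> Bob flow and report what each party can read."""
    grp = make_group()
    a, pk_a = keygen(grp)
    b, pk_b = keygen(grp)
    capsule, body = encrypt(grp, pk_a, msg)
    rk = rekey(grp, a, b)                      # Alice and Bob jointly produce rk
    capsule_b = reencrypt(grp, rk, capsule)    # proxy transforms only the capsule
    return {
        "alice_reads": decrypt(grp, a, capsule, body),
        "bob_reads_after_recrypt": decrypt(grp, b, capsule_b, body),
        "bob_reads_original": decrypt(grp, b, capsule, body),  # garbage: no proxy
        "collusion_recovers_alice": collude(grp, rk, b) == a,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Revocation in this model is the proxy forgetting rk: nothing about Alice's stored ciphertext changes, but new capsules can no longer be transformed for Bob. The last line of demo is the reason AFGH moved to pairings: here rk and Bob's key together are Alice's key, whereas a unidirectional scheme derives rk from Alice's secret and Bob's public key only, so the proxy and Bob learn nothing about Alice's secret even when colluding.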
Use Cases
(written by Gemini LLM) The unique capability of PRE, transforming ciphertexts between keys without decryption, enables a wide range of applications, particularly those involving secure delegation of access rights in distributed or untrusted environments.
- Secure Cloud Data Sharing & Access Control: This is arguably the most prominent application domain. A user (Alice) encrypts her data using her public key before uploading it to a cloud storage provider. The cloud provider acts as the proxy. When Alice wants to share a file with Bob, she generates a re-encryption key rkA→B and sends it to the cloud proxy. The proxy can then transform Alice's ciphertext into one decryptable by Bob upon his request. This allows fine-grained access control without the cloud provider ever seeing the plaintext or Alice's secret key.
- Encrypted Email Forwarding: The classic motivating example. Alice configures her email server (proxy) with a re-encryption key rkA→B. When an encrypted email arrives for Alice (Enc(pkA,m)), the server transforms it into Enc(pkB,m), which is then forwarded to Bob. Bob can decrypt it using skB. Alice does not need to give her secret key to the server or Bob.
- Secure Distributed Storage / File Systems: PRE can manage access control in systems where encrypted files are stored on untrusted servers. A centralized (or decentralized) access control server acts as the proxy. File encryption keys might themselves be encrypted under a master key or individual user keys. When access is granted, the server uses PRE to re-encrypt the relevant file key for the authorized user, without learning the file key itself.
- Digital Rights Management (DRM): PRE can be used to manage permissions for encrypted digital content (music, video, software). A license server could act as a proxy, holding ciphertexts of content keys encrypted under a publisher's key. Upon purchase or authorization, the server uses a re-encryption key to transform the content key ciphertext into one decryptable by the user's specific device or player key.
- Healthcare Data Sharing: PRE offers a mechanism for patients or institutions to share sensitive medical records securely. A patient's record, encrypted under their key, could be stored at a hospital (proxy). The patient can issue re-encryption keys to grant temporary access to specific doctors or specialists for consultation, or for emergency access, without revealing their main decryption key. Homomorphic PRE (HPRE) could further allow privacy-preserving analysis on shared medical data.
- Secure Publish-Subscribe Systems: In pub/sub architectures, publishers can encrypt messages under their own key. A broker (proxy) manages subscriptions. When a subscriber is authorized, the publisher (or an access control entity) provides a re-encryption key to the broker, allowing it to transform published messages for that subscriber. Unidirectional PRE is particularly well-suited, as the publisher doesn't need to know subscribers in advance.
- Key Escrow / Law Enforcement Access: PRE provides a technical mechanism for implementing key escrow systems where authorized third parties (e.g., law enforcement) can be granted decryption capabilities under specific legal conditions, without the service provider holding user keys directly. This application remains controversial due to privacy implications.
- Blockchain / Decentralized Applications: PRE can enable confidential data sharing in otherwise transparent blockchain systems. Users might store large encrypted data off-chain and place only pointers or hashes on-chain. Access can be granted by issuing re-encryption keys (potentially managed via smart contracts or decentralized proxy networks) to specific recipients, allowing them to access the off-chain data.
- Secure Computation (via HPRE): Homomorphic PRE enables scenarios where data encrypted under different keys needs to be brought into a common encryption domain for computation, or where the results of a homomorphic computation need to be securely shared with multiple parties without decryption by the computation server.
- Secure Network Function Virtualization (NFV) / 5G: PRE can secure data flows across different network functions or slices that may operate under distinct administrative or trust domains. A network element can act as a proxy to re-encrypt data payloads as they traverse boundaries, ensuring confidentiality without requiring intermediate decryption.
- Secure Payment Systems: PRE has been cited as applicable in securing payment transactions, potentially for delegating payment authorization or managing encrypted transaction data.
These diverse applications underscore the versatility of PRE as a tool for managing encrypted data access in modern distributed systems.