Skip to content

Re-Encryption and Re-Signing Concepts

This document explains the re-encryption and re-signing processes implemented by the system, emphasizing their security and efficiency. Both processes operate in a streaming manner so that data (whether encrypted or signed) is never fully exposed in plaintext and only passes once through the pipeline.

Re-Encryption Process

Re-encryption allows you to decrypt data under an old key (e.g., RSA-2048) and immediately encrypt it under a new key (e.g., Kyber/ML-KEM) without ever writing the plaintext to disk or returning it to the client. The operation is performed block-by-block in a single streaming pass.

Why It's Secure

  • No Plaintext Exposure: The system reads an encrypted chunk, decrypts it in memory, and re-encrypts it on the fly.
  • Continuous Pipeline: Each data block flows through decryption → encryption → output.
  • No Intermediate Storage: Plaintext is not stored on the server or sent back to the client.

Re-Encryption Process Diagram

stateDiagram-v2
    [*] --> ReadingBlock: Encrypted File<br>(RSA 2048)
    ReadingBlock --> DecryptingBlock: Read 8KB block
    DecryptingBlock --> ReencryptingBlock: Decrypt chunk
    ReencryptingBlock --> WritingBlock: Re-encrypt chunk
    WritingBlock --> ReadingBlock: Write output chunk<br>(continue streaming)

    WritingBlock --> GeneratedFile: No more data
    GeneratedFile: Encrypted File<br>(Kyber / ML-KEM-512)
    GeneratedFile --> [*]
Key Points

  1. ReadingBlock: Reads a portion of the encrypted file (e.g., RSA-2048).
  2. DecryptingBlock: Decrypts that chunk in memory using the old key.
  3. ReencryptingBlock: Immediately encrypts the plaintext chunk using the new key (e.g., Kyber/ML-KEM).
  4. WritingBlock: Streams the newly encrypted chunk out to the resulting file or output stream.
  5. GeneratedFile: The end result is an entirely new file encrypted under the post-quantum algorithm.

Re-Signing Process

Re-signing migrates an existing digital signature from an old key (e.g., RSA-2048) to a new key (e.g., Falcon-1024). It verifies the existing signature block-by-block while simultaneously signing the data with the new algorithm in a single pass.

Why It's Secure and Efficient

  • Single Pass: The file is read once. Each chunk is checked against the old signature and then signed under the new algorithm.
  • No Extra Storage: Data is never fully buffered in plaintext; it's validated chunk by chunk.
  • Security Assurance: The system ensures the old signature is valid before generating the new signature.

Re-Signing Process Diagram

stateDiagram-v2
    [*] --> ReadingBlock: Signed File (Old Algorithm)

    ReadingBlock --> VerifyingBlock: Verify chunk (Old Signature)
    ReadingBlock --> ReSigningBlock: Sign chunk (New Algorithm)

    VerifyingBlock --> WritingSignatureBlock: Pass verification result
    ReSigningBlock --> WritingSignatureBlock: Pass new signature

    WritingSignatureBlock --> CompletedFile: Write combined output chunk
    CompletedFile: File + New Signature
    CompletedFile --> [*]
Key Points

  • ReadingBlock
    • Reads a chunk of the signed file (originally signed with an old algorithm/key).
  • VerifyingBlock
    • Validates the old signature on that chunk in real time, ensuring the data is authentic.
  • ReSigningBlock
    • Immediately signs the same chunk with the new key (e.g., Falcon) once the chunk is read.
  • WritingSignatureBlock
    • Combines both the verification result (to confirm validity) and the new signature output, then streams the chunk (or signature portion) to the next stage.
  • CompletedFile
    • Represents the fully re-signed data, ready for distribution or storage.

Summary

  • Re-Encryption: Safely migrates ciphertext from one key to another (RSA → Kyber/ML-KEM) without exposing plaintext.
  • Re-Signing: Verifies existing signatures (RSA → Falcon) in real time and generates the new signature in a single pass.
  • Post-Quantum Security: By adopting Kyber for encryption and Falcon for signatures, you protect your data and communications against future quantum-based threats.

Both re-encryption and re-signing are designed for high security and scalability, ensuring that even large files can be migrated to post-quantum algorithms with minimal performance overhead and no plaintext exposure.