Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Fast and Secure Updatable Encryption

Colin Boyd (1), Gareth T. Davies (2), Kristian Gjøsteen (1), Yao Jiang (1)
August 10, 2020

(1) Norwegian University of Science and Technology (NTNU), Norway
(2) Bergische Universität Wuppertal, Germany

1

slide-2
SLIDE 2

Table of contents

  • 1. Updatable Encryption
  • 2. Security Properties
  • 3. Relations
  • 4. UE Constructions
  • 5. Summary

2

slide-3
SLIDE 3

Updatable Encryption

slide-4
SLIDE 4

Problem Motivation: Outsourcing

3

[Diagram: the client holds key k0, computes Enc_k0(m) = C0 and uploads C0 to the server]

slide-5
SLIDE 5

Problem Motivation: Outsourcing

3

[Diagram: the client holds k0, downloads C0 and recovers the plaintext as Dec_k0(C0)]

  • Threats: Key compromise
slide-6
SLIDE 6

Problem Motivation: Outsourcing

3

[Diagram: the key is rotated from k0 to k1, and the stored ciphertext moves from C0 to C1]

  • Threats: Key compromise
  • Solution: Key rotation
slide-7
SLIDE 7

Key Rotation: a standard approach

4

[Diagram: the client holds the old key k0 and the new key k1; the server stores C0]

slide-8
SLIDE 8

Key Rotation: a standard approach

4

[Diagram: the client downloads C0 and decrypts it with the old key, m = Dec_k0(C0)]

slide-9
SLIDE 9

Key Rotation: a standard approach

4

[Diagram: the client re-encrypts under the new key, Enc_k1(m) = C1]

slide-10
SLIDE 10

Key Rotation: a standard approach

4

[Diagram: the client uploads C1 to the server, which now stores C1 in place of C0]

  • Download and re-upload is infeasible even for moderate storage requirements

slide-11
SLIDE 11

Key Rotation: Updatable Encryption (UE)

5

[Diagram: the client derives the token ∆1 from k0 and k1; the server uses ∆1 to turn C0 into C1 without seeing any key or plaintext]

  • Key Homomorphic PRFs and their Applications

Boneh, Lewi, Montgomery, Raghunathan; CRYPTO ’13 (+ ePrint 2015/220)

slide-12
SLIDE 12

Key Rotation: Updatable Encryption (UE)

5

  • Client only ever needs to store one key
  • Fresh encryptions, updated ciphertexts and tokens should all reveal nothing about the plaintext

[Diagram: the client derives the token ∆1 from k0 and k1; the server uses ∆1 to turn C0 into C1]

  • Key Homomorphic PRFs and their Applications

Boneh, Lewi, Montgomery, Raghunathan; CRYPTO ’13 (+ ePrint 2015/220)

slide-13
SLIDE 13

What Is Realistic?

  • Security properties: confidentiality and integrity
  • What can an attacker possibly do?
  • What is the right security notion for UE?
  • Users do encryption, then server(s) update ciphertexts for millions of users
  • Encryption and update must be efficient

6

  • Updatable Encryption with Post-Compromise Security

Lehmann, Tackmann; Eurocrypt ’18

slide-14
SLIDE 14

Security Properties

slide-15
SLIDE 15

Epoch-based Corruptions

[Diagram: epoch timeline 1, 2, 3, …, n; token ∆i moves from epoch i−1 to epoch i; keys k0, k1, …, kn and ciphertexts C0, C1, …, Cn, one per epoch]

7

  • Directly obtained information:
    • Adversary adaptively corrupts keys and tokens
    • Adversary can ask for ciphertexts
  • Inferred information (assuming bi-directionality):
    • C_{i+1} and ∆_{i+1} are enough to compute C_i
    • k_{i+1} and ∆_{i+1} are enough to compute k_i
    • k_i and k_{i+1} are enough to compute ∆_{i+1}
  • Adversary can use this information to trivially win a security game!
slide-16
SLIDE 16

Confidentiality: a motivating example

8

[Diagram: with key k0 the journalist encrypts Enc_k0(Contact A) = C0 and uploads C0]

slide-17
SLIDE 17

Confidentiality: a motivating example

8

[Diagram: the token ∆1 is derived from k0 and k1 and sent to the server, which updates C0 to C′]

slide-18
SLIDE 18

Confidentiality: a motivating example

8

[Diagram: the client now holds only k1; the server holds the updated ciphertext C′ = Upd(∆1, C0)]

slide-19
SLIDE 19

Confidentiality: a motivating example

8

[Diagram: under k1 the client adds a fresh encryption Enc_k1(Contact B) = C1; the server now stores C′ and C1 side by side]

  • Which ciphertext is the newest?
  • How many ciphertexts were recently added?
slide-20
SLIDE 20

Prior notions: Indistinguishability of Encryptions (IND-ENC)

9

  • Updatable Encryption with Post-Compromise Security

Lehmann, Tackmann; Eurocrypt ’18

Game diagram (IND-ENC, adversary A):

  • A submits the challenge messages m0, m1
  • The challenger samples b ←$ {0, 1} and returns C̃_ẽ ← Enc(m_b)
  • Oracles available to A: O.Enc (m ↦ C_e), O.Dec (C_e ↦ m), O.Next (e → e + 1), O.Corr ((e, key/token) ↦ k_e / ∆_e), O.Upd (C ↦ C_e), O.UpdC̃ (↦ C̃_e)
  • A outputs a guess b′

  • Challenger checks for trivial wins

Only in CCA games does an adversary have access to O.Dec

slide-21
SLIDE 21

Prior notions: Indistinguishability of Updates (IND-UPD)

10

  • Updatable Encryption with Post-Compromise Security

Lehmann, Tackmann; Eurocrypt ’18

Game diagram (IND-UPD, adversary A):

  • A submits two ciphertexts C0, C1
  • The challenger samples b ←$ {0, 1} and returns C̃_ẽ ← Upd(C_b)
  • Oracles available to A: O.Enc (m ↦ C_e), O.Dec (C_e ↦ m), O.Next (e → e + 1), O.Corr ((e, key/token) ↦ k_e / ∆_e), O.Upd (C ↦ C_e), O.UpdC̃ (↦ C̃_e)
  • A outputs a guess b′

  • Challenger checks for trivial wins

Only in CCA games does an adversary have access to O.Dec

slide-22
SLIDE 22

What else do we want to achieve?

11

  • None of the prior notions capture our journalist motivating example.
  • Can we find a notion that captures that a freshly created ciphertext is indistinguishable from an updated ciphertext?

slide-23
SLIDE 23

A New Notion for Updatable Encryption (IND-UE)

12

Game diagram (IND-UE, adversary A):

  • A submits a message m and a ciphertext C̃_{ẽ−1} from the previous epoch
  • The challenger samples b ←$ {0, 1}; if b = 0: C̃_ẽ ← Enc(m); if b = 1: C̃_ẽ ← Upd(C̃_{ẽ−1})
  • Oracles available to A: O.Enc (m ↦ C_e), O.Dec (C_e ↦ m), O.Next (e → e + 1), O.Corr ((e, key/token) ↦ k_e / ∆_e), O.Upd (C ↦ C_e), O.UpdC̃ (↦ C̃_e)
  • A outputs a guess b′

  • Challenger checks for trivial wins

A scheme that leaks the epoch number of the original upload can be IND-ENC and IND-UPD but not IND-UE

IND-ENC + IND-UPD ⇏ IND-UE

Only in CCA games does an adversary have access to O.Dec

slide-24
SLIDE 24

Ciphertext integrity

13

Game diagram (INT-CTXT, adversary A):

  • A outputs a forgery C̃_ẽ; the challenger computes m′ ← Dec(C̃_ẽ)
  • If m′ ≠ ⊥: A wins; if m′ = ⊥: A loses
  • Oracles available to A: O.Enc (m ↦ C_e), O.Next (e → e + 1), O.Corr ((e, key/token) ↦ k_e / ∆_e), O.Upd (C ↦ C_e)

  • Challenger checks for trivial wins∗
  • CPA + CTXT ⇒ CCA?

  • (R)CCA secure updatable encryption with integrity protection

Klooß, Lehmann and Rupp; Eurocrypt ’19

slide-25
SLIDE 25

Relations

slide-26
SLIDE 26

Relations among IND-ENC, IND-UPD and IND-UE

14

[Relations diagram; the crossed arrow of the original marks a separation]

  • randIND-UE-CPA ⇒ IND-ENC-CPA and randIND-UE-CPA ⇒ randIND-UPD-CPA, but IND-ENC-CPA + randIND-UPD-CPA ⇏ randIND-UE-CPA
  • detIND-UE-CPA ⇒ IND-ENC-CPA and detIND-UE-CPA ⇒ detIND-UPD-CPA, but IND-ENC-CPA + detIND-UPD-CPA ⇏ detIND-UE-CPA
  • detIND-UE-CCA ⇒ IND-ENC-CPA and detIND-UE-CCA ⇒ detIND-UPD-CCA, but IND-ENC-CCA + detIND-UPD-CCA ⇏ detIND-UE-CCA

slide-27
SLIDE 27

Relations among CPA, CTXT and CCA

15

CPA + CTXT ⇒ CCA for UE:

  • IND-ENC-CPA + INT-CTXT ⇒ IND-ENC-CCA
  • detIND-UPD-CPA + INT-CTXT ⇒ detIND-UPD-CCA
  • detIND-UE-CPA + INT-CTXT ⇒ detIND-UE-CCA

slide-28
SLIDE 28

UE Constructions

slide-29
SLIDE 29

Secure Homomorphic Ideal-cipher Nonce-based Encryption (SHINE)

16

SHINE.Enc: apply the ideal cipher π to N||m, then exponentiate with k1: C = π(N||m)^{k1}
SHINE.Dec: N||m = π^{−1}(C^{1/k1})

slide-30
SLIDE 30

Secure Homomorphic Ideal-cipher Nonce-based Encryption (SHINE)

16

SHINE.Upd: C1 = π(N||m)^{k1}; with token ∆2 = k2/k1 the server computes C2 = C1^{∆2} = π(N||m)^{k2}; decryption under k2: N||m = π^{−1}(C2^{1/k2})

slide-31
SLIDE 31

OK, but is it secure?

17

  • How can we embed the challenge, with deterministic updates and adaptive security?
  • Partition epoch set into air-gapped segments (‘firewalls’)
  • Updatable Encryption with Post-Compromise Security

Lehmann, Tackmann; Eurocrypt ’18

  • (R)CCA secure updatable encryption with integrity protection

Klooß, Lehmann and Rupp; Eurocrypt ’19

slide-32
SLIDE 32

Firewalls: cryptographic separation

[Diagram: epoch timeline 1, 2, 3, …, n with tokens ∆1, ∆2, …, keys k0, k1, …, kn and ciphertexts C0, C1, …, Cn; keys k2, k5, k6 and tokens ∆3, ∆4, ∆5 are highlighted]

  • Firewalls (insulated region) definition:
    • No key inside firewalls is corrupted
    • Tokens ‘on’ the firewalls are not corrupted
    • All tokens inside firewalls are corrupted
  • Separate keys, tokens and ciphertexts using firewalls
slide-33
SLIDE 33

OK, but is it secure?

19

  • How can we embed the challenge, with deterministic updates and adaptive security?
  • Partition epoch set into air-gapped segments (‘firewalls’)
  • Hybrid argument across insulated regions
  • Embed the challenge in the i-th insulated region.
  • Updatable Encryption with Post-Compromise Security

Lehmann, Tackmann; Eurocrypt ’18

  • (R)CCA secure updatable encryption with integrity protection

Klooß, Lehmann and Rupp; Eurocrypt ’19

slide-34
SLIDE 34

Hybrid argument across insulated regions

[Diagram: epoch timeline 1, 2, 3, …, n with tokens ∆1, …, keys k0, …, kN and ciphertexts C0, …, CN, split into insulated regions 1st, 2nd, 3rd, …, Nth; corrupted keys k2, k6, k7 and tokens ∆1, ∆5, ∆7 are marked; region labels from left to right: L tw tw L L L tw L L]

  • Game 0
slide-35
SLIDE 35

Hybrid argument across insulated regions

[Diagram: same timeline and insulated regions as in Game 0; region labels from left to right: L tw tw L L L tw R R]

  • Game 1
slide-36
SLIDE 36

Hybrid argument across insulated regions

[Diagram: same timeline and insulated regions as in Game 0; region labels from left to right: L tw tw L L R tw R R]

  • Game 2
slide-37
SLIDE 37

Hybrid argument across insulated regions

[Diagram: same timeline and insulated regions as in Game 0; region labels from left to right: L tw tw R R R tw R R]

  • Game 3
slide-38
SLIDE 38

Hybrid argument across insulated regions

[Diagram: same timeline and insulated regions as in Game 0; region labels from left to right: R tw tw R R R tw R R]

  • Game N
slide-39
SLIDE 39

OK, but is it secure?

21

SHINE is det IND-UE-CPA Secure

Assuming DDH, and in the ideal cipher model

slide-40
SLIDE 40

SHINE0

22

SHINE0.Enc: C = π(N||m||0^t)^{k1}
SHINE0.Dec: N′||m′||Z = π^{−1}(C^{1/k1}); accept only if Z = 0^t
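
To make the algebra of slides 29, 30 and 40 concrete, and to show the bi-directional inferences of slide 15 (the token and C_{i+1} give C_i; the token and k_{i+1} give k_i), here is an added toy implementation of SHINE0-style encryption, update and decryption; it is not the authors' code. It assumes a constructed 64-bit safe prime, a plain squaring bijection as a stand-in for the ideal cipher π, and 16/24/16-bit nonce, message and zero-pad fields.

```python
import random

# Constructed toy parameters: a 64-bit safe prime p = 2q + 1 found by a seeded search.
# Far too small for real use; it only makes the algebra of SHINE visible.
def is_prime(n):  # Miller-Rabin; these bases are deterministic for every n < 3.3e24
    if n < 2 or n % 2 == 0:
        return n == 2
    r = ((n - 1) & -(n - 1)).bit_length() - 1
    d = (n - 1) >> r
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (0, 1, n - 1):  # x == 0 only when n is one of the bases itself
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits=64, seed=1):
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime()                  # group: quadratic residues mod P, prime order Q
N_BITS, M_BITS, T_BITS = 16, 24, 16  # nonce, message and 0^t pad widths; total < 62 bits

def pi(x):      # stand-in for the ideal cipher: a plain bijection {1..Q} -> QR_P (hides nothing)
    return x * x % P
def pi_inv(c):  # P = 3 (mod 4), so c^((P+1)/4) is a square root; keep the root in {1..Q}
    r = pow(c, (P + 1) // 4, P)
    return min(r, P - r)
def keygen(seed):         # epoch key: an exponent in Z_Q^*
    return random.Random(seed).randrange(1, Q)
def token(k_old, k_new):  # Delta = k_new / k_old (mod Q)
    return k_new * pow(k_old, -1, Q) % Q
def enc(k, nonce, m):     # SHINE0.Enc: C = pi(N || m || 0^t)^k (N || m must be nonzero)
    return pow(pi((nonce << (M_BITS + T_BITS)) | (m << T_BITS)), k, P)
def dec(k, c):            # SHINE0.Dec: pi^-1(C^(1/k)); None (bottom) unless the pad is 0^t
    x = pi_inv(pow(c, pow(k, -1, Q), P))
    if x & ((1 << T_BITS) - 1):
        return None
    return x >> (M_BITS + T_BITS), (x >> T_BITS) & ((1 << M_BITS) - 1)
def upd(delta, c):        # SHINE.Upd: C^Delta; the server needs neither key nor plaintext
    return pow(c, delta, P)
```

Because the update is deterministic, upd(token(k1, k2), enc(k1, N, m)) equals enc(k2, N, m) bit for bit, which is exactly why IND-UE has to be stated for a ciphertext from the previous epoch rather than an arbitrary one.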

slide-41
SLIDE 41

OK, but is it secure?

23

SHINE is det IND-UE-CPA Secure

Assuming DDH, and in the ideal cipher model

SHINE is INT-CTXT Secure

Assuming CDH, and in the ideal cipher model

SHINE is det IND-UE-CCA Secure

Assuming DDH and CDH, and in the ideal cipher model

slide-42
SLIDE 42

OK, but is it secure?

24

Scheme        IND notion (xx, yy, atk)              INT
BLMR+         (weak, UE, CPA)                        ✘
RISE          (rand, UE, CPA)                        ✘
NYUAE         (rand, ENC, RCCA), (rand, UPD, RCCA)   PTXT
E&M           (det, ENC, CCA), (det, UPD, CCA)       CTXT
SHINE0        (det, UE, CCA)                         CTXT
MirrorSHINE   (det, UE, CCA)                         CTXT
OCBSHINE      (det, UE, CCA)                         CTXT

(xx, yy, atk) represents the best possible xxIND-yy-atk notion that each scheme can achieve.

slide-43
SLIDE 43

OK, but is it efficient?

25

Scheme        |M|           |C|                 Enc (Upd)
BLMR+         n|G|          (n + 1)|G|          nE
RISE          1|G|          2|G|                2E
NYUAE         1|G1|         (58|G1|, 44|G2|)    (110E, 90E)
E&M           1|G|          3|G|                3E
SHINE0[CPA]   (1 − γ)|G|    1|G|                1E
SHINE0        (1 − 2γ)|G|   3|G|                3E
MirrorSHINE   (1 − γ)|G|    2|G|                2E
OCBSHINE      n|G|          (n + 2)|G|          (n + 2)E

E = Exponentiation

γ represents the bit-size of the used nonce as a proportion of the group element bit-size. BLMR+ and OCBSHINE support encryption of arbitrary size messages (of n blocks), with |M| ≈ n|G|.

slide-44
SLIDE 44

Summary

slide-45
SLIDE 45

Summary

26

  • New notion, IND-UE, that implies past notions
  • Generic composition result
  • New scheme, SHINE, that meets detIND-UE-CCA and INT-CTXT
  • A greater understanding of the proof techniques
  • in particular in the context of deterministic updates
slide-46
SLIDE 46

Thank you for your attention! Questions?

27