improving speed and security in updatable encryption
play

Improving Speed and Security in Updatable Encryption Schemes Dan - PowerPoint PPT Presentation

Oct 26, 2023 •99 likes •1.2k views

Improving Speed and Security in Updatable Encryption Schemes Dan Boneh Saba Eskandarian Sam Kim Maurice Shih Stanford University Stanford University Stanford University Cisco Systems Key Rotation Key Rotation Good Reasons to

  1. Updatable Encryption from Nested AES How to hide ciphertext age? Ciphertext header Ciphertext header Idea 1: pad up to fixed max size Ciphertext header with random data But this ruins integrity Ciphertext Body Idea 2: generate random data from PRG, include seed in header See paper for full scheme

  2. Updatable Encryption from KH-PRFs [BLMR13, EPRS17] Supports as many re-encryptions as you want Decryption time does not depend on number of re-encryptions Still fast, but slower than nested scheme New caveat: somewhat weaker integrity and age-hiding guarantee

  3. Tool: Key-Homomorphic PRFs (KHPRFs) [NPR99] Standard PRF (e.g. AES): F(k, x) looks random if not given k

  4. Tool: Key-Homomorphic PRFs (KHPRFs) [NPR99] Standard PRF (e.g. AES): F(k, x) looks random if not given k Key-Homomorphic PRF: Same security property, new functionality

  5. Tool: Key-Homomorphic PRFs (KHPRFs) [NPR99] Standard PRF (e.g. AES): F(k, x) looks random if not given k Key-Homomorphic PRF: Same security property, new functionality F(k 1 , x) ⊞ F(k 2 , x) = F(k 1 + k 2 , x)

  6. Tool: Key-Homomorphic PRFs (KHPRFs) [NPR99] Standard PRF (e.g. AES): F(k, x) looks random if not given k Key-Homomorphic PRF: Same security property, new functionality F(k 1 , x) ⊞ F(k 2 , x) = F(k 1 + k 2 , x) Example: F(k,x) = H(x) k

  7. Tool: Key-Homomorphic PRFs (KHPRFs) [NPR99] Standard PRF (e.g. AES): F(k, x) looks random if not given k Key-Homomorphic PRF: Same security property, new functionality F(k 1 , x) ⊞ F(k 2 , x) = F(k 1 + k 2 , x) Example: F(k,x) = H(x) k F(k 1 , x) * F(k 2 , x) = H(x) k1 * H(x) k2 = H(x) k1+k2 = F(k 1 + k 2 , x)

  8. Updatable Encryption from KH-PRFs [EPRS17] Ciphertext header: Authenticated Encryption of H(msg) and KH-PRF key k 1

  9. Updatable Encryption from KH-PRFs [EPRS17] Ciphertext header: Authenticated Encryption of H(msg) and KH-PRF key k 1 Ciphertext body: Encryption of msg in counter mode using KH-PRF

  10. Updatable Encryption from KH-PRFs [EPRS17] Ciphertext header: Authenticated Encryption of H(msg) and KH-PRF key k 1 Ciphertext body: Encryption of msg in counter mode using KH-PRF c 0 = m 0 + F(k 1 , 0) c 1 = m 1 + F(k 1 , 1) … c n = m n + F(k 1 , n)

  11. Updatable Encryption from KH-PRFs [EPRS17] Ciphertext header: Authenticated Encryption of H(msg) and KH-PRF key k 1 Ciphertext body: Encryption of msg in counter mode using KH-PRF Update process: c 0 = m 0 + F(k 1 , 0) 1. Download/decrypt header c 1 = m 1 + F(k 1 , 1) 2. Pick key k 2 … 3. Upload new header and k up = k 2 - k 1 c n = m n + F(k 1 , n) Server updates body encryptions with k up

  12. Updatable Encryption from KH-PRFs [EPRS17] Ciphertext header: Authenticated Encryption of H(msg) and KH-PRF key k 1 Ciphertext body: Encryption of msg in counter mode using KH-PRF Update process: c 0 ’ = c 0 + F(k up , 0) 1. Download/decrypt header c 1 ’ = c 1 + F(k up , 1) 2. Pick key k 2 … 3. Upload new header and k up = k 2 - k 1 c n ’ = c n + F(k up , n) Server updates body encryptions with k up

  13. Updatable Encryption from KH-PRFs [EPRS17] Ciphertext header: Authenticated Encryption of H(msg) and KH-PRF key k 1 Ciphertext body: Encryption of msg in counter mode using KH-PRF Update process: c 0 ’ = c 0 + F(k up , 0) = m 0 + F(k 2 , 0) 1. Download/decrypt header c 1 ’ = c 1 + F(k up , 1) = m 1 + F(k 2 , 1) 2. Pick key k 2 … 3. Upload new header and k up = k 2 - k 1 c n ’ = c n + F(k up , n) = m n + F(k 2 , n) Server updates body encryptions with k up

  14. Almost KH-PRFs [BLMR13] EPRS17 uses a KH-PRF based on the DDH assumption* F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) *In Random Oracle model

  15. Almost KH-PRFs [BLMR13] EPRS17 uses a KH-PRF based on the DDH assumption* F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) We use a new almost KH-PRF based on the Ring-LWE assumption* *In Random Oracle model

  16. Almost KH-PRFs [BLMR13] EPRS17 uses a KH-PRF based on the DDH assumption* F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) We use a new almost KH-PRF based on the Ring-LWE assumption* n ) F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) + e (where e is small in Z q *In Random Oracle model

  17. Almost KH-PRFs [BLMR13] EPRS17 uses a KH-PRF based on the DDH assumption* F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) We use a new almost KH-PRF based on the Ring-LWE assumption* n ) F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) + e (where e is small in Z q See paper for construction *In Random Oracle model

  18. Almost KH-PRFs [BLMR13] EPRS17 uses a KH-PRF based on the DDH assumption* F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) We use a new almost KH-PRF based on the Ring-LWE assumption* n ) F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) + e (where e is small in Z q See paper for construction Result: ~500x faster performance *In Random Oracle model

  19. Almost KH-PRFs [BLMR13] EPRS17 uses a KH-PRF based on the DDH assumption* F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) We use a new almost KH-PRF based on the Ring-LWE assumption* n ) F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) + e (where e is small in Z q See paper for construction Result: ~500x faster performance …but how to handle the noise? *In Random Oracle model

  20. Updatable Encryption from Almost KH-PRFs F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) + e (where e is small) Issue: noisy KH-PRF corrupts message

  21. Updatable Encryption from Almost KH-PRFs F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) + e (where e is small) Issue: noisy KH-PRF corrupts message General solution: error correcting codes

  22. Updatable Encryption from Almost KH-PRFs F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) + e (where e is small) Issue: noisy KH-PRF corrupts message General solution: error correcting codes Observation: noise is always on low-order bits

  23. Updatable Encryption from Almost KH-PRFs F(k 1 , x) + F(k 2 , x) = F(k 1 + k 2 , x) + e (where e is small) Issue: noisy KH-PRF corrupts message General solution: error correcting codes Observation: noise is always on low-order bits Simple solution: pad low-order bits of each block with zeros

  24. Evaluation

  25. Encryption and Re-encryption Throughput for encrypting/re-encrypting 32KB messages (MB/sec) ReCrypt [EPRS17] Almost KH-PRF Nested (128 layers) Encrypt 0.12 61.90 1836.9 Re-encrypt 0.15 83.06 2606.8

  26. Encryption and Re-encryption Throughput for encrypting/re-encrypting 32KB messages (MB/sec) ReCrypt [EPRS17] Almost KH-PRF Nested (128 layers) Encrypt 0.12 61.90 1836.9 Re-encrypt 0.15 83.06 2606.8 Almost KH-PRF is ~500x faster than ReCrypt Nested AES is ~30x faster than almost KH-PRF

  27. Decryption

  28. Decryption

  29. Decryption Nested construction faster for up to 50 re-encryptions ReCrypt (not shown) 500x slower than KH-PRF construction

  30. Decryption Nested construction faster for up to 50 re-encryptions ReCrypt (not shown) 500x slower than KH-PRF construction Recommendations Use nested AES construction for infrequent, routine re-keying Use KH-PRF for frequent re-keying

  31. Ciphertext Expansion Nested AES and ReCrypt have smallest ciphertext expansion

  32. Ciphertext Expansion Nested AES and ReCrypt have smallest ciphertext expansion Recommendations Use nested AES construction for infrequent, routine re-keying If space is costly and computation is cheap, use ReCrypt for frequent rekeying

  33. Can we do Better? Speed: Not by much - Nested scheme: already close to AES throughput - Almost KH-PRF: KH-PRF implies key exchange [AMP19]

  34. Can we do Better? Speed: Not by much - Nested scheme: already close to AES throughput - Almost KH-PRF: KH-PRF implies key exchange [AMP19] Ciphertext expansion: Good place for improvement One potential approach: more elaborate error-correction to reduce bits wasted by padding

  35. Improving Updatable Encryption Improved security definitions for updatable encryption Two new constructions -- from Nested AES and RLWE-based KH-PRF Orders of magnitude performance improvement over prior work Paper: eprint.iacr.org/2020/222.pdf Source Code: https://github.com/moshih/UpdateableEncryption_Code Contact: saba@cs.stanford.edu

  36. Encryption and Re-encryption

  37. Where R q = Z q [X]/(X n +1)

  38. Confidentiality Security Game [EPRS17] Adversary Challenger Setup Send dishonest keys Generate h “honest keys” and d “dishonest keys” Game

  39. Confidentiality Security Game [EPRS17] Adversary Challenger Setup Send dishonest keys Generate h “honest keys” and d “dishonest keys” Game Encrypt message m under key i Encrypt Enc( k i , m )

  40. Confidentiality Security Game [EPRS17] Adversary Challenger Setup Send dishonest keys Generate h “honest keys” and d “dishonest keys” Game Encrypt message m under key i Encrypt Enc( k i , m ) Encrypt message m 0 or m 1 under honest key i Enc( k i , m b ) Challenge Adversary wins if it guesses b correctly. Guess b A scheme is secure if the adversary has negligible advantage in guessing b .

  41. Confidentiality Security Game [EPRS17] Adversary Challenger Setup Send dishonest keys Generate h “honest keys” and d “dishonest keys” Game Encrypt Adversary wins if it guesses b correctly. A scheme is secure if the adversary has negligible Challenge advantage in guessing b .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improving Speed and Security in Updatable Encryption Systems Dan Boneh Saba Eskandarian

Improving Speed and Security in Updatable Encryption Systems Dan Boneh Saba Eskandarian

Improving Speed and Security in Updatable Encryption Systems Dan Boneh Saba Eskandarian Sam Kim Maurice Shih Stanford University Stanford University Stanford University Cisco Systems Key Rotation Key Rotation Good Reasons to

1.5k views • 97 slides
Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure

Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure

Updatable Encryption & Key Rotation Anja Lehmann IBM Research Zurich (R)CCA Secure Updatable Encryption with Integrity Protection. EUROCRYPT 2019 M Klooss, A Lehmann, A Rupp Updatable Encryption with Post-Compromise Security. EUROCRYPT

1.08k views • 46 slides
Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM

Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM

Updatable Encryption with Post-Compromise Security Anja Lehmann & Bjrn Tackmann IBM Research Zurich Motivation | Outsourced Storage Data owner stores encrypted data at (untrusted) data host symmetric encryption Proactive

763 views • 24 slides
Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and

Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and

Fast and Secure Updatable Encryption August 10, 2020 1 Norwegian University of Science and Technology (NTNU), Norway 2 Bergische Universitt Wuppertal, Germany 1 Colin Boyd 1 Gareth T. Davies 2 Kristian Gjsteen 1 Yao Jiang 1 Table of contents

578 views • 46 slides
Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better

Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency ASIACRYPT 2013 Kwangsu Lee, Seung Geol Choi, Dong Hoon Lee, Jong Hwan Park and Moti Yung Korea University, US Naval Academy, Korea

993 views • 26 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang,

HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang,

HICAMP Bitmap A Space-Efficient Updatable Bitmap Index for In-Memory Databases Bo Wang, Heiner Litz, David R. Cheriton Stanford University DAMON14 Database Indexing Databases use precomputed indexes to speed up processing avoid

518 views • 18 slides
Updatable Security Views Nate Foster Benjamin Pierce Steve Zdancewic University of Pennsylvania

Updatable Security Views Nate Foster Benjamin Pierce Steve Zdancewic University of Pennsylvania

Updatable Security Views Nate Foster Benjamin Pierce Steve Zdancewic University of Pennsylvania IBM PLDay 09 2 2 Pennsylvania yanks voter site after data leak Passport applicant finds massive privacy breach Privacy issue

728 views • 40 slides
Fast Software Encryption (and Decryption)? Rumpsession FSE 2007 SPEED Software Performance

Fast Software Encryption (and Decryption)? Rumpsession FSE 2007 SPEED Software Performance

Do you care about Fast Software Encryption (and Decryption)? Rumpsession FSE 2007 SPEED Software Performance Enhancement for Encryption and Decryption June 11. & 12. 2007 Amsterdam An ECRYPT/VAMPIRE workshop on software speeds for

300 views • 4 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should

Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should

Encryption Debdeep Mukhopadhyay IIT Kharagpur Notion of Security A Good disguise should not reveal the persons height Shafi Goldwasser and Silvio Micali, 1982 1 Design of Encryption Algorithms Encryption algorithms are

421 views • 7 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense Lecture 2 Page 1 CS 236 Online Physical Security Lock up your computer Actually,

465 views • 35 slides
Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Provable Security Meets the Real World Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH Binary Packet Protocol IPsec MAC-then-Encrypt Lessons learned? 2 Outline RSA encryption in PKCS#1

948 views • 61 slides
5/15/2019 Improving the Agenda speed of payment Speed of Payment Introduction under the

5/15/2019 Improving the Agenda speed of payment Speed of Payment Introduction under the

5/15/2019 Improving the Agenda speed of payment Speed of Payment Introduction under the new Prompt Payment Applicability of Prompt Payment Construction Act The Proper Invoice Payment Terms Certification of

357 views • 9 slides
TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals

TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals

TLS for MySQL at Large Scale Jaime Crespo Things we Security and encryption fundamentals are *NOT* At rest encryption Best practices for web/HTTP going to encryption How perfectly and good we are- we made

529 views • 18 slides
Course Introduction Department of Computer Science University of Maryland, College Park Course

Course Introduction Department of Computer Science University of Maryland, College Park Course

CMSC 132: Object-Oriented Programming II Course Introduction Department of Computer Science University of Maryland, College Park Course Catalog Description Introduction to use of computers to solve problems using software engineering

700 views • 15 slides
Quiz 4 February 14, 2008 Nabil Mustafa 20 mins Q1. There are 100 students in some school, and

Quiz 4 February 14, 2008 Nabil Mustafa 20 mins Q1. There are 100 students in some school, and

Lahore University of Management Sciences Winter 07-08 CS 211a: Discrete Mathematics 1 Quiz 4 February 14, 2008 Nabil Mustafa 20 mins Q1. There are 100 students in some school, and some of them honest and some dishonest. Imagine yourself to

169 views • 3 slides
Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Yehuda Lindell (BIU) Amos Beimel (BGU BGU) Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty protocols wi without out an honest majority Positive result: 1/p-secure protocols for cons

487 views • 27 slides
Wentworth Institute of Technology College of Engineering and Technology COMP3770 Introduction

Wentworth Institute of Technology College of Engineering and Technology COMP3770 Introduction

Wentworth Institute of Technology College of Engineering and Technology COMP3770 Introduction to Artificial Intelligence Spring 2016 Instructor Nate Derbinsky Office Dobbs 140 MWF 10AM-11AM and by appointment Contact (617) 989-4287

428 views • 5 slides
CMPE 415: Programmable Logic Devices Course: CMPE 415: Programmable Logic Devices, Fall 2008. 3

CMPE 415: Programmable Logic Devices Course: CMPE 415: Programmable Logic Devices, Fall 2008. 3

CMPE 415: Programmable Logic Devices Course: CMPE 415: Programmable Logic Devices, Fall 2008. 3 credits. Instructor: Reza M. Rad Office: ITE 374, Telephone: 5-8776 Email: reza2@umbc.edu, Home Page: http://www.cs.umbc.edu/~reza2/ Office

445 views • 3 slides
CONCORD PRIMARY SCHOOL An Amazing Adventure 2 Key Personnel Mr Chan Chok Seng Mr Chan Chok

CONCORD PRIMARY SCHOOL An Amazing Adventure 2 Key Personnel Mr Chan Chok Seng Mr Chan Chok

CONCORD PRIMARY SCHOOL An Amazing Adventure 2 Key Personnel Mr Chan Chok Seng Mr Chan Chok Seng Year Head/Lower Primary Year Head/Lower Primary Key Personnel Mdm Elaine Lee Mdm Elaine Lee Level Head/Mathematics Level Head/Mathematics

749 views • 43 slides
Human Resources Bo. Chapter 9 What are Human Resources? Hiring the right people Keeping

Human Resources Bo. Chapter 9 What are Human Resources? Hiring the right people Keeping

Human Resources Bo. Chapter 9 What are Human Resources? Hiring the right people Keeping the balance of skills and exper?se right for the work of the organisa?ons. Administra?on rela?ng to employment Complying with the law Legal

645 views • 40 slides
Parent Seminar (Day 1) Time Item Venue 11.30am to 12 pm Opening Address by Principal P1

Parent Seminar (Day 1) Time Item Venue 11.30am to 12 pm Opening Address by Principal P1

Parent Seminar (Day 1) Time Item Venue 11.30am to 12 pm Opening Address by Principal P1 Mathematics 12 pm to 12.20pm Hall, Level 2 Curriculum & Assessment P1 English 12.20pm to 12.40pm Curriculum & Assessment 12.40pm to 1.10pm

1.43k views • 116 slides

More recommend