Updatable Encryption & Key Rotation Anja Lehmann IBM Research - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Updatable Encryption & Key Rotation

Anja Lehmann

IBM Research – Zurich

(R)CCA Secure Updatable Encryption with Integrity Protection. EUROCRYPT 2019. M. Klooss, A. Lehmann, A. Rupp
Updatable Encryption with Post-Compromise Security. EUROCRYPT 2018. A. Lehmann, B. Tackmann

slide-2
SLIDE 2

Motivation | Outsourced Storage

[Figure: data owner and (untrusted) data host, symmetric encryption]

▪ Data owner stores encrypted data at (untrusted) data host
▪ Proactive security by periodically changing the secret key
  – Key rotation reduces risk & impact of key or data exposure
▪ Key rotation often mandated in high-security environments and by PCI DSS

slide-3
SLIDE 3

Motivation | Key Rotation

▪ How to update existing ciphertexts to the new key?
▪ Standard symmetric encryption → download all ciphertexts & re-encrypt from scratch
▪ Inefficient: download & upload of all ciphertexts; the symmetric key is often protected by hardware

slide-4
SLIDE 4

Motivation | Updatable Encryption

▪ Proposed by Boneh et al. [BLMR13]: ciphertexts can be updated w/o the secret key
  – Key update generates a new key & an update token
  – Update token allows "blindly" transforming ciphertexts
▪ Update operation on ciphertexts is shifted to the (untrusted) data host w/o harming security

slide-5
SLIDE 5

Updatable Encryption | State-of-the-Art

Ciphertext-Independent:
  • UE.setup(λ) → k_0
  • UE.enc(k_e, m) → C_e
  • UE.dec(k_e, C_e) → m
  • UE.next(k_e) → (k_{e+1}, Δ_{e+1})
  • UE.upd(Δ_{e+1}, C_e) → C_{e+1}

▪ BLMR13: high level idea & scheme, no security definitions
▪ EPRS17: partial definition & scheme

Ciphertext-Dependent:
  • UE.setup(λ) → k_0
  • UE.enc(k_e, m) → C_e
  • UE.dec(k_e, C_e) → m
  • UE.next(k_e) → k_{e+1}
  • UE.token(k_e, k_{e+1}, C_e) → Δ_{C,e+1}
  • UE.upd(Δ_{C,e+1}, C_e) → C_{e+1}

▪ BLMR15: partial definitions & new scheme
▪ EPRS17: comprehensive treatment, improved definitions & schemes

▪ Our works: formal definitions & secure schemes for the ciphertext-independent setting


slide-7
SLIDE 7

Updatable Encryption | Sequential Setting

[Figure: epoch timeline – keys k_0, k_1, k_2, …, tokens Δ_1, Δ_2, Δ_3, …, ciphertexts C_0, C_1, C_2, …, epochs 1, 2, 3, …]

▪ Our work: strictly sequential setting
▪ Previous works: adaptions of the proxy re-encryption definition
  – Allows re-encryptions across arbitrary epochs (back & forward)
  – No notion of time → hard to grasp when key corruptions are allowed

slide-8
SLIDE 8

Updatable Encryption | Security

[Figure: IND-ENC game over the epoch timeline (keys k_0, k_1, …, tokens Δ_1, Δ_2, …, ciphertexts C_0, C_1, …). Challenge oracle: the adversary sends (m_0, m_1), the challenger draws b ← {0,1} and returns C̃_{e*} ← Enc(k_{e*}, m_b). Corrupt oracle: key/token(e) returns the key k_e or the token Δ_e. The adversary finally guesses b.]

Forward Security + Post-Compromise Security = IND-ENC

slide-9
SLIDE 9

Updatable Encryption | Capturing Trivial Wins

[Figure: epoch timeline with the challenge ciphertext versions C̃_3, C̃_4, C̃_5, C̃_6, …; oracles Challenge (m_0, m_1 → C̃_{e*}) and Corrupt (k_e / Δ_e)]

▪ Trivial win: secret key corruption in a challenge-equal epoch
▪ Capturing inferable information:
  – Ideal: unidirectional ciphertext-updates


slide-15
SLIDE 15

Updatable Encryption | Capturing Trivial Wins

[Figure: epoch timeline with the challenge ciphertext versions C̃_3, C̃_4, C̃_5, C̃_6, …; oracles Challenge (m_0, m_1 → C̃_{e*}) and Corrupt (k_e / Δ_e)]

▪ Trivial win: secret key corruption in a challenge-equal epoch
▪ Capturing inferable information:
  – Ideal: unidirectional ciphertext-updates
  – Real: bidirectional ciphertext-updates: with Δ_{e+1}, C̃_e → C̃_{e+1} and C̃_{e+1} → C̃_e


slide-17
SLIDE 17

Updatable Encryption | Capturing Trivial Wins

[Figure: epoch timeline where every epoch now holds a challenge-equal ciphertext C̃_0, C̃_1, …, C̃_6, …; Δ_{e+1} links C̃_e ↔ C̃_{e+1} and k_e ↔ k_{e+1}; oracles Challenge (m_0, m_1 → C̃_{e*}) and Corrupt (k_e / Δ_e)]

▪ Trivial win: secret key corruption in a challenge-equal epoch
▪ Capturing inferable information:
  – Ideal: unidirectional ciphertext-updates
  – Real: bidirectional ciphertext & key updates: with Δ_{e+1}, C̃_e ↔ C̃_{e+1} and k_e ↔ k_{e+1}


slide-19
SLIDE 19

Updatable Encryption | IND-ENC

[Figure: game oracles – Challenge (m_0, m_1 → C̃_{e*}), Corrupt (k_e / Δ_e), Encrypt (m → C_e), Next, ReEnc* (C_{e′} → C_e with e′ < e); * "honest" ciphertexts only]

▪ IND-ENC definition
  – Adaptive and retroactive key & token corruptions
  – Formalizes inferable information of keys & challenge ciphertexts → excludes trivial wins
  – Covers CPA, post-compromise and forward security for fresh encryptions & updated ciphertexts
▪ Wrong claim in EC'18 paper: IND-ENC is not sufficient. No guarantees about updated ciphertexts!

slide-20
SLIDE 20

Updatable Encryption | What IND-ENC is not guaranteeing

▪ No security after full breach – inference attacks through linkability

[Figure: encrypted patient records stored across epochs (keys k_0, k_1, …, ciphertexts C_0, C_1, …). Plaintext attributes: Patient = Alice, Bob; Treatment = Ongoing; Pregnant = No. Stored ciphertexts: Patient = OWHBBZ, ANEPDHS; Treatment = HXFDPF; Pregnant = IEKLBR. Equal (=) and differing (≠) ciphertexts across epochs link the record versions.]

slide-21
SLIDE 21

Updatable Encryption | IND-UPD

▪ IND-UPD definition = Update Indistinguishability
  – Unlinkability of updated ciphertexts – no leakage through correlation attacks

[Figure: IND-UPD game – the Challenge oracle takes (C_0, C_1), the challenger draws b ← {0,1} and returns C̃_{e*} ← UE.upd(Δ_{e*}, C_b); further oracles Corrupt (k_e / Δ_e), Encrypt (m → C_e), Next, ReEnc* (C_{e′} → C_e with e′ < e; * "honest" ciphertexts only); the adversary guesses b]

IND-ENC = Secure Updatable Encryption
IND-ENC + IND-UPD = Strongly Secure Updatable Encryption
But much more expensive (for large ciphertexts)

slide-22
SLIDE 22

Updatable Encryption | (In)Secure Schemes

| Scheme      | 2ENC (folklore)             | XOR-KEM (EPRS17)       | BLMR (BLMR13)          | RISE (LT18)                                              |
|-------------|-----------------------------|------------------------|------------------------|----------------------------------------------------------|
| Enc         | Enc(k_e^o, Enc(k_i, m))     | (k_e ⊕ x, Enc(x, m))   | (PRF(k_e, N) ⊗ m, N)   | Re-Randomizable Ciphertext-Independent Symmetric ElGamal |
| Tok Δ_{e+1} | (k_e^o, k_{e+1}^o)          | k_e ⊕ k_{e+1}          | k_e ⊕ k_{e+1}          |                                                          |

Security entries on the slide: IND-ENC (with limitations); BLMR IND-ENC under a key-homomorphic PRF; IND-UPD (with limitations); RISE IND-ENC and IND-UPD under DDH.

Key-homomorphic PRF: PRF(k_1, N) ⊗ PRF(k_2, N) = PRF(k_1 ⊕ k_2, N)
  – Also a crucial building block in ReCrypt [EPRS17] = ciphertext-dependent UE
  – Known instantiations are either DL- or lattice-based

slide-23
SLIDE 23

Updatable Encryption | Secure Construction (RISE)


slide-24
SLIDE 24

Updatable Encryption | Secure Construction (RISE)

▪ Re-randomization → updated ciphertexts are unlinkable (fresh & updated ones are indistinguishable)

slide-25
SLIDE 25

Updatable Encryption | Efficiency & Comparison

| Scheme  | BLMR (BLMR13) | RISE (LT18) | Enc&MAC (KLR19) | NY&GS (KLR19) | ReCrypt (EPRS17) |
|---------|---------------|-------------|-----------------|---------------|------------------|
| Encrypt | 2 exp         | 2 exp       |                 |               | 2 exp            |
| Token   | 2 exp         | 1 exp       |                 |               | 2n exp           |
| ReEnc   | 2n exp        | 2.5n exp    |                 |               | 2n exp           |

Ciphertext-Independent: BLMR, RISE, Enc&MAC, NY&GS. Ciphertext-Dependent: ReCrypt.

slide-26
SLIDE 26

Updatable Encryption | Efficiency & Comparison

| Scheme    | BLMR (BLMR13) | RISE (LT18) | Enc&MAC (KLR19) | NY&GS (KLR19) | ReCrypt (EPRS17) |
|-----------|---------------|-------------|-----------------|---------------|------------------|
| IND-ENC   | CPA           | CPA         |                 |               | CPA              |
| IND-UPD   |               | CPA         |                 |               | CPA              |
| Integrity |               |             |                 |               | CTXT             |
| Encrypt   | 2 exp         | 2 exp       |                 |               | 2 exp            |
| Token     | 2 exp         | 1 exp       |                 |               | 2n exp           |
| ReEnc     | 2n exp        | 2.5n exp    |                 |               | 2n exp           |

Ciphertext-Independent: BLMR, RISE, Enc&MAC, NY&GS. Ciphertext-Dependent: ReCrypt.

slide-27
SLIDE 27

Updatable Encryption | Efficiency & Comparison

| Scheme    | BLMR (BLMR13) | RISE (LT18) | Enc&MAC (KLR19) | NY&GS (KLR19) | ReCrypt (EPRS17) |
|-----------|---------------|-------------|-----------------|---------------|------------------|
| IND-ENC   | CPA           | CPA         | CCA             |               | CPA              |
| IND-UPD   |               | CPA         | CCA             |               | CPA              |
| Integrity |               |             | CTXT            |               | CTXT             |
| Encrypt   | 2 exp         | 2 exp       |                 |               | 2 exp            |
| Token     | 2 exp         | 1 exp       |                 |               | 2n exp           |
| ReEnc     | 2n exp        | 2.5n exp    |                 |               | 2n exp           |

Arb. ReEnc: partially
Ciphertext-Independent: BLMR, RISE, Enc&MAC, NY&GS. Ciphertext-Dependent: ReCrypt.

slide-28
SLIDE 28

CCA Security | How to add Dec Oracle?

[Figure: IND-ENC-CCA game oracles – Challenge (m_0, m_1 → C̃_{e*}), Corrupt (k_e / Δ_e), Encrypt (m → C_e), Next, ReEnc* (C_{e′} → C_e with e′ < e; * "honest" ciphertexts only), Decrypt (C_e → m)]

▪ Decryptions of the challenge ciphertext must be prevented
  – e.g., RISE has re-randomizable ciphertexts
▪ Same trick as in ReEnc? → makes the Dec oracle obsolete
▪ Use idea of EPRS17:
  – Deterministic re-encryption UE.upd(Δ_{e+1}, C_e) → C_{e+1}
  – Unique challenge ciphertext C̃_e in each epoch
  – Dec takes all ciphertexts except C̃_e

slide-29
SLIDE 29

INT-CTXT

▪ Adversary must produce a valid & non-trivial ciphertext C_e^* s.t. UE.dec(C_e^*, k_e) ≠ ⊥
▪ C_e^* must not be a response from Enc/ReEnc or a trivial re-encryption
  → Deterministic ReEnc allows keeping track of trivial ciphertexts

[Figure: Ciphertext-Integrity game – oracles Corrupt, Encrypt, Next, ReEnc* and Decrypt over the epoch timeline (keys k_0, k_1, …, tokens Δ_1, Δ_2, …); the honest ciphertexts C_{A,1}, C_{A,2}, C_{B,3}, C_{B,4}, … and, in later epochs, "all C_5", "all C_6" are tracked per epoch, and the adversary submits a forgery C_e^*]

slide-36
SLIDE 36

CCA & CTXT | High-Level Idea (Enc & MAC )

▪ (Somewhat) generic transformation of a CPA-secure encryption scheme and a PRF
▪ SE needs some special properties: tidy, randomness recoverable, …
  – Enc(k_SE, m; r) → C
  – Dec(k_SE, C) → (m, r)
▪ Encrypt(m): Enc(k_SE, m; r) → C and PRF(k_PRF, (m, r)) → t. Return (C, t)
▪ Decrypt(C, t): Dec(k_SE, C) → (m′, r′) and PRF(k_PRF, (m′, r′)) → t′. Return m′ if t = t′
▪ Update: update (C, t) using key-rotatable building blocks

slide-37
SLIDE 37

CCA & CTXT | Building Blocks: Updatable PRF

▪ Updatable PRF – based on the DDH-PRF by NPR99
▪ Group (G, g, q) in which the DDH assumption holds, hash function H: {0,1}* → G
  – KeyGen: k ∈ Z_q
  – Eval: t = H(m)^k
  – TokenGen for old key k, new key k′: Δ = k′ / k
  – Update: t′ = t^Δ = H(m)^{k′}

Standard PRF security (under DDH & RO); Simulatable Token Generation

slide-38
SLIDE 38

CCA & CTXT | Building Blocks: Updatable SE

▪ Updatable (CPA) Encryption Scheme – ElGamal based
▪ Group (G, g, q) in which the DDH assumption holds
  – KeyGen: x_1, x_2 ∈ Z_q^*. k_SE = (x_1, x_2)
  – Encrypt: g^r ∈ G. C_1 = g^{r·x_1} and C_2 = g^{r·x_2} · m
  – Decrypt: g^r = C_1^{1/x_1} and m = C_2 / (g^r)^{x_2}
  – TokenGen for old key (x_1, x_2), new key (x′_1, x′_2): Δ_1 = x′_1 / x_1 and Δ_2 = (x′_2 − x_2) / x_1
  – Update: C′_1 = C_1^{Δ_1} = g^{r·x′_1} and C′_2 = C_1^{Δ_2} · C_2 = g^{r·x′_2} · m

Deterministic re-encryption & the entire ciphertext is updated
Re-encryption = decrypt-then-encrypt:
  • UE.upd(Δ, C) = UE.enc(k′, UE.dec(k, C))
Simulatable Token

slide-39
SLIDE 39

| Scheme    | BLMR (BLMR13) | RISE (LT18) | Enc&MAC (KLR19) | NY&GS (KLR19) | ReCrypt (EPRS17) |
|-----------|---------------|-------------|-----------------|---------------|------------------|
| IND-ENC   | CPA           | CPA         | CCA             |               | CPA              |
| IND-UPD   |               | CPA         | CCA             |               | CPA              |
| Integrity |               |             | CTXT            |               | CTXT             |
| Encrypt   | 2 exp         | 2 exp       | 3 exp           |               | 2 exp            |
| Token     | 2 exp         | 1 exp       | 3 exp           |               | 2n exp           |
| ReEnc     | 2n exp        | 2.5n exp    | 3n exp          |               | 2n exp           |

Arb. ReEnc: partially
Ciphertext-Independent: BLMR, RISE, Enc&MAC, NY&GS. Ciphertext-Dependent: ReCrypt.

CCA & CTXT | Efficiency & Comparison

▪ Encrypt(m): Enc(k_SE, m; r) → C and PRF(k_PRF, (m, r)) → t. Return (C, t)
▪ Decrypt(C, t): Dec(k_SE, C) → (m′, r′) and PRF(k_PRF, (m′, r′)) → t′. Return m′ if t = t′
▪ TokenGen: get SE.TokGen(k_SE, k′_SE) → Δ_SE and PRF.TokGen(k_PRF, k′_PRF) → Δ_PRF
▪ Update: update (C, t) using SE.Upd(Δ_SE, C) → C′ and PRF.Upd(Δ_PRF, t) → t′
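The Enc&MAC construction above, assembled from the updatable PRF (slide 37) and the ElGamal-based updatable SE (slide 38), as an added worked example that is not the paper's code: it runs over a toy safe-prime group and a toy exponent-based hash-to-group map (both constructed here and unsuitable for real use), with my own function names; the tag is computed over (m, g^r) since the SE recovers g^r rather than r.

```python
import hashlib
import secrets

# Toy DDH group (constructed for this example, far too small for real use):
# order-q subgroup of Z_p^* for the safe prime p = 2q + 1. g = 4 is a
# quadratic residue, so it generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4

def hash_to_group(m, gr):
    """Toy H: {0,1}* -> G, realised as g^(SHA-256(m, g^r) mod q)."""
    h = hashlib.sha256(f"{m}|{gr}".encode()).digest()
    return pow(G, int.from_bytes(h, "big") % Q, P)

def rand_exp(): return secrets.randbelow(Q - 1) + 1   # uniform in Z_q^*
def inv_q(a): return pow(a, -1, Q)                    # inverse in the exponent ring Z_q

# Updatable PRF (slide 37): t = H(m)^k, token Δ = k'/k, update t' = t^Δ.
def prf_eval(k, m, gr):   return pow(hash_to_group(m, gr), k, P)
def prf_tokgen(k, k_new): return k_new * inv_q(k) % Q
def prf_upd(delta, t):    return pow(t, delta, P)

# Updatable SE (slide 38): k_SE = (x1, x2), C = (g^{r x1}, g^{r x2} * m).
def se_enc(k, m, r):
    x1, x2 = k
    gr = pow(G, r, P)
    return (pow(gr, x1, P), pow(gr, x2, P) * m % P)

def se_dec(k, c):
    x1, x2 = k
    gr = pow(c[0], inv_q(x1), P)                 # randomness-recoverable: g^r
    return c[1] * pow(pow(gr, x2, P), -1, P) % P, gr

def se_tokgen(k, k_new):                         # Δ1 = x1'/x1, Δ2 = (x2' - x2)/x1
    (x1, x2), (y1, y2) = k, k_new
    return (y1 * inv_q(x1) % Q, (y2 - x2) * inv_q(x1) % Q)

def se_upd(delta, c):                            # C1' = C1^Δ1, C2' = C1^Δ2 * C2
    return (pow(c[0], delta[0], P), pow(c[0], delta[1], P) * c[1] % P)

# Enc&MAC (slides 36/39): ciphertext (C, t) with t = PRF(k_PRF, (m, g^r)).
def ue_keygen(): return ((rand_exp(), rand_exp()), rand_exp())   # (k_SE, k_PRF)

def ue_enc(k, m, r=None):
    r = rand_exp() if r is None else r
    return (se_enc(k[0], m, r), prf_eval(k[1], m, pow(G, r, P)))

def ue_dec(k, ct):
    m, gr = se_dec(k[0], ct[0])
    return m if prf_eval(k[1], m, gr) == ct[1] else None   # None stands for ⊥

def ue_next(k, k_new=None):                      # data owner: new key + token
    k_new = ue_keygen() if k_new is None else k_new
    return k_new, (se_tokgen(k[0], k_new[0]), prf_tokgen(k[1], k_new[1]))

def ue_upd(delta, ct):                           # data host: no key involved
    return (se_upd(delta[0], ct[0]), prf_upd(delta[1], ct[1]))

def encode(x): return pow(G, x, P)               # map a small integer into G
```

Because the update is deterministic, `ue_upd` on an old ciphertext yields exactly `ue_enc` under the new key with the same r, which is the decrypt-then-encrypt property the slides rely on for tracking trivial ciphertexts.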


slide-42
SLIDE 42

CCA & CTXT | Efficiency & Comparison

[Figure: the comparison table of slide 39 together with the IND-ENC-CCA game oracles – Challenge (m_0, m_1 → C̃_{e*}), Corrupt (k_e / Δ_e), Encrypt (m → C_e), Next, ReEnc* (C_{e′} → C_e with e′ < e; * "honest" ciphertexts only), Decrypt (C_e → m)]

▪ ReEnc marks epochs as challenge-equal when C is the challenge ciphertext
▪ With RISE and Enc&MAC a query to the ReEnc oracle can be "blinded"
  – Submit an invalid ciphertext → unblind later

slide-43
SLIDE 43

CCA & CTXT | Efficiency & Comparison

| Scheme    | BLMR (BLMR13) | RISE (LT18) | Enc&MAC (KLR19) | NY&GS (KLR19) | ReCrypt (EPRS17) |
|-----------|---------------|-------------|-----------------|---------------|------------------|
| IND-ENC   | CPA           | CPA         | CCA             | RCCA          | CPA              |
| IND-UPD   |               | CPA         | CCA             | RCCA          | CPA              |
| Integrity |               |             | CTXT            | PTXT          | CTXT             |
| Encrypt   | 2 exp         | 2 exp       | 3 exp           |               | 2 exp            |
| Token     | 2 exp         | 1 exp       | 3 exp           |               | 2n exp           |
| ReEnc     | 2n exp        | 2.5n exp    | 3n exp          |               | 2n exp           |

Arb. ReEnc: partially
Ciphertext-Independent: BLMR, RISE, Enc&MAC, NY&GS. Ciphertext-Dependent: ReCrypt.

slide-44
SLIDE 44
Arb. ReEnc Security | High-Level Idea

▪ Make ciphertext validity publicly verifiable → Naor-Yung transform (CPA → CCA)
  – Enc(k_1, m) → C_1 and Enc(k_2, m) → C_2
  – NIZK{C_1 = Enc(k_1, m) ∧ C_2 = Enc(k_2, m)} → π
  – Ciphertext: (C_1, C_2, π)
▪ Use CPA-secure Updatable Encryption: RISE
▪ Use Malleable NIZK: Groth-Sahai (GS) proofs
▪ Both building blocks create re-randomizable C / π
  → ReEnc is not deterministic anymore → CCA and CTXT are impossible
▪ Achieve RCCA & PTXT instead
  – Dec oracle rejects if Dec(k, C) → m_0 or m_1 (challenge plaintext)

slide-45
SLIDE 45

Updatable Encryption | Efficiency & Comparison

| Scheme    | BLMR (BLMR13) | RISE (LT18) | Enc&MAC (KLR19) | NY&GS (KLR19) | ReCrypt (EPRS17) |
|-----------|---------------|-------------|-----------------|---------------|------------------|
| IND-ENC   | CPA           | CPA         | CCA             | RCCA          | CPA              |
| IND-UPD   |               | CPA         | CCA             | RCCA          | CPA              |
| Integrity |               |             | CTXT            | PTXT          | CTXT             |
| Encrypt   | 2 exp         | 2 exp       | 3 exp           |               | 2 exp            |
| Token     | 2 exp         | 1 exp       | 3 exp           |               | 2n exp           |
| ReEnc     | 2n exp        | 2.5n exp    | 3n exp          |               | 2n exp           |

Arb. ReEnc: partially
Deterministic ReEnc: Enc&MAC, ReCrypt
Ciphertext-Independent: BLMR, RISE, Enc&MAC, NY&GS. Ciphertext-Dependent: ReCrypt.

slide-46
SLIDE 46

Summary

▪ Key rotation is mandatory in many high-security environments
▪ Updatable Encryption allows convenient updates of ciphertexts in an untrusted domain
  – Ciphertext-dependent vs. ciphertext-independent updates
▪ Lots of open problems:
  – CCA/CTXT with Arbitrary ReEnc Security w/o deterministic ReEnc
  – All schemes are bi-directional → are there uni-directional ones?
  – IND-UPD definition implies PKE → weaker notions?

anj@zurich.ibm.com

Thanks! Questions?