Updatable Encryption with Post-Compromise Security
Anja Lehmann & Björn Tackmann, IBM Research Zurich
Motivation | Outsourced Storage
▪ Data owner stores encrypted data (symmetric encryption) at an (untrusted) data host
▪ Proactive security by periodically changing the secret key
  – Key rotation reduces risk & impact of key or data exposure
▪ Key rotation often mandated in high-security environments and by PCI DSS
Motivation | Key Rotation
▪ How to update existing ciphertexts to the new key?
▪ Standard symmetric encryption → download all ciphertexts & re-encrypt from scratch
▪ Inefficient: download & upload of all ciphertexts, and the symmetric key is often protected by hardware
Motivation | Updatable Encryption
▪ Proposed by Boneh et al. [BLMR13]: ciphertexts can be updated without the secret key
  – Key update generates the new key & an update token
  – The update token allows ciphertexts to be "blindly" transformed to the new key
▪ The update operation on ciphertexts is shifted to the (untrusted) data host without harming security
Updatable Encryption | State-of-the-Art

Ciphertext-Independent
- UE.setup(λ) → k_0
- UE.enc(k_e, m) → C_e
- UE.dec(k_e, C_e) → m
- UE.next(k_e) → (k_{e+1}, Δ_{e+1})
- UE.upd(Δ_{e+1}, C_e) → C_{e+1}
▪ BLMR13: high-level idea & scheme, no security definitions
▪ EPRS17: partial definition & scheme

Ciphertext-Dependent
- UE.setup(λ) → k_0
- UE.enc(k_e, m) → C_e
- UE.dec(k_e, C_e) → m
- UE.next(k_e) → k_{e+1}
- UE.token(k_e, k_{e+1}, C_e) → Δ_{C,e+1}
- UE.upd(Δ_{C,e+1}, C_e) → C_{e+1}
▪ BLMR15: partial definitions & new scheme
▪ EPRS17: comprehensive treatment, improved definitions & schemes

▪ This work: formal definitions & secure schemes for the ciphertext-independent setting
Updatable Encryption | Sequential Setting
[Figure: timeline of epochs 1, 2, 3, … with keys k_0, k_1, …, k_6, update tokens Δ_1, Δ_2, …, Δ_7 and ciphertexts C_0, C_1, …, C_6]
▪ This work: strictly sequential setting
▪ Previous works: adaptations of the proxy re-encryption definition
  – Allow re-encryptions across arbitrary epochs (back & forward)
  – No notion of time → hard to grasp when key corruptions are allowed
Updatable Encryption | Security
[Figure: the epoch timeline (keys k_0 … k_6, tokens Δ_1 … Δ_7, ciphertexts C_0 … C_6) with the IND-ENC game drawn on top]
▪ Challenge: the adversary submits (m_0, m_1); the challenger picks b ← {0,1} and returns C̃_{e*} ← Enc(k_{e*}, m_b); the adversary outputs a guess for b
▪ Corrupt: on query key/token(e), return key k_e or token Δ_e
▪ Forward Security + Post-Compromise Security = IND-ENC
Updatable Encryption | IND-ENC & Trivial Wins
[Figure: epoch timeline with keys k_0 … k_6 and tokens Δ_1 … Δ_7; the challenge ciphertext C̃_3 is updated to C̃_4, C̃_5, C̃_6 (later builds show C̃_0 … C̃_6); oracles Challenge (m_0, m_1 ↦ C̃_{e*}, guess for b) and Corrupt (k_e / Δ_e)]
▪ Trivial win: secret key corruption in a challenge-equal epoch
▪ Capturing inferable information:
  – Ideal: unidirectional ciphertext-updates
  – Real: bidirectional ciphertext & key-updates (Δ_{e+1} links C̃_e and C̃_{e+1} in both directions, and likewise k_e and k_{e+1})
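The trivial-win rule above, as an added Python example that is not part of the slides: it computes the key, token and challenge-ciphertext epochs an adversary can infer from what it corrupted (the bidirectional "real" model) and checks whether a known key meets a challenge-equal epoch. It assumes a constructed seven-epoch scenario in which token Δ_e links epoch e-1 to epoch e.

```python
# Added example (not from the slides): inferable knowledge and the trivial-win check
# for one corruption pattern in the IND-ENC game. Constructed scenario: epochs 0..6,
# token Δ_e moves keys and ciphertexts between epoch e-1 and epoch e. Modelled as in
# the "Real" case: known k_e plus Δ_{e+1} yields k_{e+1} and vice versa, and a known
# token moves a challenge ciphertext forward or backward.

def closure(start, tokens, max_epoch):
    """Epochs reachable from `start` by crossing known tokens in either direction."""
    known = set(start)
    changed = True
    while changed:
        changed = False
        for e in range(max_epoch + 1):
            if e in known:
                continue
            via_prev = (e - 1) in known and e in tokens        # Δ_e:     e-1 -> e
            via_next = (e + 1) in known and (e + 1) in tokens  # Δ_{e+1}: e+1 -> e
            if via_prev or via_next:
                known.add(e)
                changed = True
    return known

def inferable(corrupt_keys, corrupt_tokens, challenge_epochs, max_epoch):
    """Return (K*, T*, C*): key epochs, tokens and challenge-equal epochs the
    adversary knows directly or can derive from what it corrupted."""
    keys = closure(corrupt_keys, corrupt_tokens, max_epoch)
    # Two consecutive known keys give away the token between them (e.g. k_e ⊕ k_{e+1}).
    tokens = set(corrupt_tokens) | {e for e in range(1, max_epoch + 1)
                                    if (e - 1) in keys and e in keys}
    chal = closure(challenge_epochs, tokens, max_epoch)
    return keys, tokens, chal

def trivial_win(corrupt_keys, corrupt_tokens, challenge_epochs, max_epoch=6):
    """True iff some challenge-equal epoch has a directly or indirectly known key."""
    keys, _, chal = inferable(corrupt_keys, corrupt_tokens, challenge_epochs, max_epoch)
    return bool(keys & chal)

if __name__ == "__main__":
    # Challenge issued in epoch 3 and updated through epoch 6 (C̃_3 ... C̃_6 on the slide).
    chal = {3, 4, 5, 6}
    # Only k_1 and Δ_2 leak: k_2 becomes derivable, but epoch 3 stays out of reach.
    print(trivial_win({1}, {2}, chal))      # False
    # Leaking Δ_3 as well lets the adversary derive k_3: trivial win, query pattern rejected.
    print(trivial_win({1}, {2, 3}, chal))   # True
```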
Updatable Encryption | IND-ENC
▪ IND-ENC definition
  – Adaptive and retroactive key & token corruptions
  – Formalizes indirect knowledge of keys & challenge ciphertexts
  – Covers CPA, post-compromise and forward security
▪ IND-ENC is not sufficient: no guarantees about updated ciphertexts!
  – UE.upd(Δ_{e+1}, C_e) → C_{e+1} could contain C_e, i.e., the history of all old ciphertexts (C'_3 = (C_3, (C_2, (C_1, (C_0)))))
  – Compromise of a single old key then breaks the security of updated ciphertexts, while IND-ENC only speaks about fresh encryptions
Updatable Encryption | IND-UPD
▪ IND-UPD definition = Update Indistinguishability
  – Adaptive and retroactive key & token corruptions
  – Formalizes indirect knowledge of keys & challenge ciphertexts
  – Covers post-compromise and forward security for updated ciphertexts
[Figure: the IND-UPD game; Challenge: the adversary submits (C_0, C_1), the challenger picks b ← {0,1} and returns C̃_{e*} ← UE.upd(Δ_{e*}, C_b), the adversary outputs a guess for b; Corrupt: on query key/token(e), return key k_e or token Δ_e]
IND-ENC + IND-UPD = Secure Updatable Encryption
Updatable Encryption | (In)Secure Schemes

Scheme | 2ENC (folklore) | XOR-KEM (EPRS17) | BLMR (BLMR13)
Enc(k_e, m) | Enc(k_e^o, Enc(k_i, m)) | (k_e ⊕ x, Enc(x, m)) | (PRF(k_e, N) ⊗ m, N)
Tok Δ_{e+1} | (k_e^o, k_{e+1}^o) | k_e ⊕ k_{e+1} | k_e ⊕ k_{e+1}
IND-ENC | | (with limitations) | key-homomorphic PRF
IND-UPD | (with limitations) | |

▪ Key-homomorphic PRF: PRF(k_1, N) ⊗ PRF(k_2, N) = PRF(k_1 ⊕ k_2, N)
  – Also a crucial building block in ReEnc [EPRS17] (ciphertext-dependent UE)
  – Known instantiations are either DL- or lattice-based
▪ RISE = Re-Randomizable Ciphertext-Independent Symmetric ElGamal: IND-ENC and IND-UPD secure under DDH (see paper)
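XOR-KEM from the table above, as an added Python example that is not the authors' code: it implements the scheme against the UE.setup/enc/dec/next/upd interface and plays one IND-UPD challenge to show that the updated ciphertext stays linkable to the original, the kind of gap the slides say IND-ENC alone does not rule out. The inner Enc(x, m) is a constructed SHA-256 stream cipher standing in for any IND-CPA symmetric encryption; keys and x are assumed to be 32-byte strings.

```python
# Added example, not the authors' code: XOR-KEM (table above) on the UE interface.
# Assumption: Enc(x, m) is a constructed SHA-256 stream cipher standing in for any
# IND-CPA symmetric cipher; keys and the KEM value x are 32-byte strings.
import hashlib
import os
KEYLEN = 32

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def inner_enc(x: bytes, m: bytes) -> bytes:
    # Keystream = SHA-256(x || counter); x is fresh per ciphertext, so no extra nonce.
    ks = b"".join(hashlib.sha256(x + i.to_bytes(4, "big")).digest()
                  for i in range(len(m) // 32 + 1))
    return xor(m, ks[:len(m)])  # XOR stream cipher: decryption is the same call

def setup() -> bytes:                       # UE.setup(λ) → k_0
    return os.urandom(KEYLEN)

def enc(k_e: bytes, m: bytes):              # UE.enc(k_e, m) → C_e = (k_e ⊕ x, Enc(x, m))
    x = os.urandom(KEYLEN)
    return (xor(k_e, x), inner_enc(x, m))

def dec(k_e: bytes, c) -> bytes:            # UE.dec(k_e, C_e) → m, with x = c1 ⊕ k_e
    return inner_enc(xor(c[0], k_e), c[1])

def next_key(k_e: bytes):                   # UE.next(k_e) → (k_{e+1}, Δ_{e+1} = k_e ⊕ k_{e+1})
    k_next = os.urandom(KEYLEN)
    return k_next, xor(k_e, k_next)

def upd(delta: bytes, c):                   # UE.upd(Δ_{e+1}, C_e) → C_{e+1}
    return (xor(c[0], delta), c[1])         # (k_e ⊕ x) ⊕ Δ_{e+1} = k_{e+1} ⊕ x; c2 unchanged

def roundtrip_ok(m: bytes, epochs: int = 3) -> bool:
    """Correctness: a ciphertext carried across several epochs still decrypts."""
    k = setup()
    c = enc(k, m)
    for _ in range(epochs):
        k, delta = next_key(k)
        c = upd(delta, c)
    return dec(k, c) == m

def ind_upd_experiment(m0: bytes, m1: bytes, b: int) -> int:
    """One IND-UPD challenge in epoch e* = 1: C_0, C_1 under k_0, C̃ = UE.upd(Δ_1, C_b).
    The unchanged Enc(x, m) part tells the adversary which ciphertext was updated."""
    k0 = setup()
    c0, c1 = enc(k0, m0), enc(k0, m1)
    _k1, delta = next_key(k0)
    c_tilde = upd(delta, (c0, c1)[b])
    return 0 if c_tilde[1] == c0[1] else 1  # the adversary's guess for b
```

The guess is always right without any key or token, which is exactly the linkability that IND-UPD forbids and a re-randomizing scheme such as RISE avoids.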
Updatable Encryption | Efficiency & Summary
▪ RISE is more efficient than existing solutions

Scheme | Encryption | TokenGen | Update
BLMR (only IND-ENC secure) | 2 exp | 2 exp | 2n exp
RISE | 2 exp | 1 exp | 2n exp
ReEnc [EPRS17] (ciphertext-dependent) | 2 exp | 2n exp | 2n exp
n = number of ciphertexts

▪ Summary
  – Security notions for ciphertext-independent updatable encryption
  – Existing schemes do not guarantee the desirable (post-compromise) security
  – RISE = fully secure scheme based on ElGamal encryption
anj@zurich.ibm.com