Improving Speed and Security in Updatable Encryption Systems
Dan Boneh (Stanford University), Saba Eskandarian (Stanford University), Sam Kim (Stanford University), Maurice Shih (Cisco Systems)
saba/slides/UAE.pdf · 2020. 9. 29.
Key Rotation
Good Reasons to Rotate Keys
1. Recommended by NIST (Special Publication 800-57)
2. Recommended by Google (cloud.google.com/kms/docs/key-rotation)
3. Required by PCI DSS (PCI DSS 3.6.4)
…But Why?
Good Reasons to Rotate Keys
Reasons to rotate keys for data stored in the cloud:
- Compromised keys need to be taken out of use
- Proactive refresh of keys
- Access control enforcement
How to Rotate Keys in the Cloud?
Idea 1: send keys to cloud
No Security!!
How to Rotate Keys in the Cloud?
Idea 2: download, re-encrypt, upload
Note: cloud must be trusted not to keep old ciphertexts
High communication and client computation cost!
Can we do better?
Updatable Encryption [BLMR13, EPRS17, LT18, KLR19, BDGJ19]
Client sends small update token
Server updates ciphertext without learning key or data
Our Contributions & Roadmap
Improvements over prior security definitions
- Additional requirements for security
Two new constructions of updatable encryption
- From Nested AES: very fast, only supports bounded updates
- From KH-PRF based on RLWE: ~500x faster than prior work
Performance evaluation and comparison to prior work
Recommendations for usage
Security and Functionality Goals
1. Adversary without access to any key does not learn data
2. Adversary with access to the current key/data cannot get more data than it has already exfiltrated after rekeying
3. Client-server communication small
4. Client computation small
Limitations
1. Server computation will be linear
2. Adversary with ongoing access to key updates will still get data
Defining Security [EPRS17]
Four properties to achieve:
- Correctness
- Compactness
- Confidentiality
- Integrity
Confidentiality
Diagram: Key 1, Key 2, Key 3, Key 4, with Update Token 1-2, Update Token 2-3 and Update Token 3-4 between consecutive keys
Attacker cannot control keys/update tokens that give a path to key used to encrypt a ciphertext
Our definitions additionally require hiding ciphertext age from attacker
Building Updatable Encryption [BLMR13, EPRS17]
Diagram: stored ciphertexts, each a Ciphertext header and Ciphertext Body (header, Body, header, Body, ...); labels Header and Rekey Token
“Ciphertext-dependent” model
Updatable Encryption from Nested AES
Very fast, simple scheme
Only requires authenticated encryption (AES-GCM) and a PRG
Caveats:
- Only works for a bounded number of re-encryptions, decided at encryption time
- Decryption time will be linear in the number of re-encryptions
Diagram: a Ciphertext header and Ciphertext Body with a Header key and a Body key; later builds add a second and third Ciphertext header
Body key used for this lock held in ciphertext header
Re-Encryption: wrap previous layer
Decryption: unwrap all layers
Issue: leaks ciphertext age
Note: this satisfies prior definitions
How to hide ciphertext age?
Idea 1: pad up to fixed max size with random data
But this ruins integrity
Idea 2: generate random data from PRG, include seed in header
See paper for full scheme
Updatable Encryption from KH-PRFs [BLMR13, EPRS17]
Supports as many re-encryptions as you want
Decryption time does not depend on number of re-encryptions
Still fast, but slower than nested scheme
New caveat: somewhat weaker integrity and age-hiding guarantee
Tool: Key-Homomorphic PRFs (KHPRFs) [NPR99]
Standard PRF (e.g. AES): F(k, x) looks random if not given k
Key-Homomorphic PRF: Same security property, new functionality
$F(k_1, x) \boxplus F(k_2, x) = F(k_1 + k_2, x)$
Example: $F(k, x) = H(x)^k$
$F(k_1, x) \cdot F(k_2, x) = H(x)^{k_1} \cdot H(x)^{k_2} = H(x)^{k_1 + k_2} = F(k_1 + k_2, x)$
![Page 68: Improving Speed and Security in Updatable Encryption Systemssaba/slides/UAE.pdf · 2020. 9. 29. · Updatable Encryption from Nested AES Ciphertext header Ciphertext Body Ciphertext](https://reader033.vdocuments.us/reader033/viewer/2022060915/60a900dd2db0c15a92611b39/html5/thumbnails/68.jpg)
Updatable Encryption from KH-PRFs [EPRS17]
Ciphertext header: Authenticated Encryption of H(msg) and KH-PRF key k1
![Page 69: Improving Speed and Security in Updatable Encryption Systemssaba/slides/UAE.pdf · 2020. 9. 29. · Updatable Encryption from Nested AES Ciphertext header Ciphertext Body Ciphertext](https://reader033.vdocuments.us/reader033/viewer/2022060915/60a900dd2db0c15a92611b39/html5/thumbnails/69.jpg)
Updatable Encryption from KH-PRFs [EPRS17]
Ciphertext header: Authenticated Encryption of H(msg) and KH-PRF key k1
Ciphertext body: Encryption of msg in counter mode using KH-PRF
$c_0 = m_0 + F(k_1, 0)$
$c_1 = m_1 + F(k_1, 1)$
…
$c_n = m_n + F(k_1, n)$
Update process:
1. Download/decrypt header
2. Pick key $k_2$
3. Upload new header and $k_{up} = k_2 - k_1$
Server updates body encryptions with $k_{up}$
$c_0' = c_0 + F(k_{up}, 0) = m_0 + F(k_2, 0)$
$c_1' = c_1 + F(k_{up}, 1) = m_1 + F(k_2, 1)$
…
$c_n' = c_n + F(k_{up}, n) = m_n + F(k_2, n)$
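The update flow above, worked through with the slides' example PRF F(k, x) = H(x)^k, as an added example (not code from the slides or the authors' repository). The toy group parameters, function names and byte-per-block encoding are assumptions chosen for illustration; the authenticated-encryption header is omitted, and because this F lives in a multiplicative group the slides' + on the body becomes multiplication mod P.

```python
import hashlib

# Toy safe-prime group (constructed, far too small for real use): P = 2Q + 1,
# and the squares mod P form the subgroup of prime order Q.
P, Q = 2039, 1019

def H(x):
    """Hash a block counter into the order-Q subgroup (random-oracle stand-in)."""
    d = int.from_bytes(hashlib.sha256(b"khprf|%d" % x).digest(), "big")
    return pow(d % (P - 3) + 2, 2, P)

def F(k, x):
    """KH-PRF F(k, x) = H(x)^k, so F(k1, x) * F(k2, x) = F(k1 + k2, x)."""
    return pow(H(x), k % Q, P)

def encode(m):
    """Map m in 1..Q to a subgroup element (m or P - m, whichever is a square)."""
    return m if pow(m, Q, P) == 1 else P - m

def decode(e):
    return e if e <= Q else P - e

def encrypt(k, msg):
    """Counter-mode body: c_i = m_i * F(k, i), one byte per block."""
    return [encode(b + 1) * F(k, i) % P for i, b in enumerate(msg)]

def decrypt(k, body):
    """Strip the pad with F(-k, i), the inverse of F(k, i)."""
    return bytes(decode(c * F(-k, i) % P) - 1 for i, c in enumerate(body))

def update_token(k1, k2):
    """Client side: k_up = k2 - k1 (the new header is uploaded alongside it)."""
    return (k2 - k1) % Q

def server_update(kup, body):
    """Server side: c_i' = c_i * F(k_up, i); needs neither key nor plaintext."""
    return [c * F(kup, i) % P for i, c in enumerate(body)]

def demo(k1=123, k2=77, msg=b"rotate me"):   # constructed keys and plaintext
    body = encrypt(k1, msg)
    new_body = server_update(update_token(k1, k2), body)
    # The re-keyed body decrypts under k2 and equals a fresh encryption under k2.
    return decrypt(k2, new_body), new_body == encrypt(k2, msg)
```

The server only ever handles `kup` and the ciphertext body, which is the property that lets re-keying happen without downloading the data.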
Almost KH-PRFs [BLMR13]
EPRS17 uses a KH-PRF based on the DDH assumption*
$F(k_1, x) + F(k_2, x) = F(k_1 + k_2, x)$
We use a new almost KH-PRF based on the Ring-LWE assumption*
$F(k_1, x) + F(k_2, x) = F(k_1 + k_2, x) + e$ (where $e$ is small in $\mathbb{Z}_q^n$)
See paper for construction
Result: ~500x faster performance …but how to handle the noise?
*In Random Oracle model
Updatable Encryption from Almost KH-PRFs
$F(k_1, x) + F(k_2, x) = F(k_1 + k_2, x) + e$ (where $e$ is small)
Issue: noisy KH-PRF corrupts message
General solution: error correcting codes
Observation: noise is always on low-order bits
Simple solution: pad low-order bits of each block with zeros
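An added example (not the paper's Ring-LWE construction, which the slides defer to the paper) showing the noise and the zero-padding fix with a toy rounding-based almost KH-PRF over integers. All parameters and names are assumptions; in this toy each rotation can shift a block by at most one unit in the low-order bits, so PAD zero bits absorb up to 2^(PAD-1) rotations.

```python
import hashlib

N, Q_BITS, P_BITS, PAD = 8, 24, 16, 4      # toy parameters (assumptions)
Q, P = 1 << Q_BITS, 1 << P_BITS

def h_vec(x):
    """H(x): hash a block counter to a vector in Z_Q^N (random-oracle stand-in)."""
    return [int.from_bytes(hashlib.sha256(b"akh|%d|%d" % (x, j)).digest()[:4], "big") % Q
            for j in range(N)]

def F(k, x):
    """Rounded inner product: keep the top P_BITS of <H(x), k> mod Q."""
    u = sum(a * s for a, s in zip(h_vec(x), k)) % Q
    return u >> (Q_BITS - P_BITS)

def keygen(label):
    """Deterministic demo key so the run is reproducible (real keys must be random)."""
    return [int.from_bytes(hashlib.sha256(label + bytes([j])).digest()[:4], "big") % Q
            for j in range(N)]

def encrypt(k, data):
    """c_i = pad(m_i) + F(k, i); data holds ints below 2**(P_BITS - PAD)."""
    return [((d << PAD) + F(k, i)) % P for i, d in enumerate(data)]

def rekey(k_old, k_new, body):
    kup = [(b - a) % Q for a, b in zip(k_old, k_new)]          # update token
    return [(c + F(kup, i)) % P for i, c in enumerate(body)]   # server side

def raw_decrypt(k, body):
    return [(c - F(k, i)) % P for i, c in enumerate(body)]

def decode(v):
    """Round to the nearest multiple of 2**PAD, discarding noise in the pad bits."""
    return ((v + (1 << (PAD - 1))) % P) >> PAD

def demo(rotations=8):
    data = [0x123, 0xABC, 0x000, 0xFFF]      # constructed 12-bit blocks
    keys = [keygen(b"k%d" % t) for t in range(rotations + 1)]
    body = encrypt(keys[0], data)
    for old, new in zip(keys, keys[1:]):
        body = rekey(old, new, body)
    raw = raw_decrypt(keys[-1], body)
    noise = [(r - (d << PAD)) % P for r, d in zip(raw, data)]  # accumulated error mod P
    return data, [decode(r) for r in raw], noise
```

Setting `PAD` to a value whose tolerance is below the number of rotations lets the accumulated error reach the data bits, which is the corruption the slide describes.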
Evaluation
Encryption and Re-encryption
Throughput for encrypting/re-encrypting 32KB messages (MB/sec)
Almost KH-PRF is ~500x faster than ReCrypt
Nested AES is ~30x faster than almost KH-PRF
| | ReCrypt [EPRS17] | Almost KH-PRF | Nested (128 layers) |
|---|---|---|---|
| Encrypt | 0.12 | 61.90 | 1836.9 |
| Re-encrypt | 0.15 | 83.06 | 2606.8 |
Decryption
Nested construction faster for up to 50 re-encryptions
ReCrypt (not shown) 500x slower than KH-PRF construction
Recommendations
Use nested AES construction for infrequent, routine re-keying
Use KH-PRF for frequent re-keying
Ciphertext Expansion
Nested AES and ReCrypt have smallest ciphertext expansion
Recommendations
Use nested AES construction for infrequent, routine re-keying
If space is costly and computation is cheap, use ReCrypt for frequent rekeying
Can we do Better?
Speed: Not by much
- Nested scheme: already close to AES throughput
- Almost KH-PRF: KH-PRF implies key exchange [AMP19]
Ciphertext expansion: Good place for improvement
One potential approach: more elaborate error-correction to reduce bits wasted by padding
Improving Updatable Encryption
Improved security definitions for updatable encryption
Two new constructions -- from Nested AES and RLWE-based KH-PRF
Orders of magnitude performance improvement over prior work
Paper: eprint.iacr.org/2020/222.pdf
Source Code: https://github.com/moshih/UpdateableEncryption_Code
Contact: [email protected]
Where $R_q = \mathbb{Z}_q[X]/(X^n + 1)$