
Improving Speed and Security in Updatable Encryption Schemes

Dan Boneh (Stanford University), Saba Eskandarian (Stanford University), Sam Kim (Stanford University), Maurice Shih (Cisco Systems)

Key Rotation Key Rotation Good Reasons to


  1. Updatable Encryption from Nested AES
     - How to hide ciphertext age?
     - Idea 1: pad up to fixed max size with random data. But this ruins integrity.
     - Idea 2: generate random data from PRG, include seed in header
     - See paper for full scheme
     - (Figure: ciphertext header and ciphertext body)

  2. Updatable Encryption from KH-PRFs [BLMR13, EPRS17]
     - Supports as many re-encryptions as you want
     - Decryption time does not depend on number of re-encryptions
     - Still fast, but slower than nested scheme
     - New caveat: somewhat weaker integrity and age-hiding guarantee


  7. Tool: Key-Homomorphic PRFs (KHPRFs) [NPR99]
     - Standard PRF (e.g. AES): $F(k, x)$ looks random if not given $k$
     - Key-Homomorphic PRF: Same security property, new functionality
     - $F(k_1, x) \boxplus F(k_2, x) = F(k_1 + k_2, x)$
     - Example: $F(k, x) = H(x)^k$
     - $F(k_1, x) \cdot F(k_2, x) = H(x)^{k_1} \cdot H(x)^{k_2} = H(x)^{k_1 + k_2} = F(k_1 + k_2, x)$


  11. Updatable Encryption from KH-PRFs [EPRS17]
      - Ciphertext header: Authenticated Encryption of H(msg) and KH-PRF key $k_1$
      - Ciphertext body: Encryption of msg in counter mode using KH-PRF
      - $c_0 = m_0 + F(k_1, 0)$, $c_1 = m_1 + F(k_1, 1)$, …, $c_n = m_n + F(k_1, n)$
      - Update process:
        1. Download/decrypt header
        2. Pick key $k_2$
        3. Upload new header and $k_{up} = k_2 - k_1$
      - Server updates body encryptions with $k_{up}$


  13. Updatable Encryption from KH-PRFs [EPRS17]
      - Ciphertext header: Authenticated Encryption of H(msg) and KH-PRF key $k_1$
      - Ciphertext body: Encryption of msg in counter mode using KH-PRF
      - Update process:
        1. Download/decrypt header
        2. Pick key $k_2$
        3. Upload new header and $k_{up} = k_2 - k_1$
      - Server updates body encryptions with $k_{up}$:
        - $c_0' = c_0 + F(k_{up}, 0) = m_0 + F(k_2, 0)$
        - $c_1' = c_1 + F(k_{up}, 1) = m_1 + F(k_2, 1)$
        - …
        - $c_n' = c_n + F(k_{up}, n) = m_n + F(k_2, n)$
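
The body update from the slides above, worked through with the example PRF $F(k, x) = H(x)^k$. This is an added example, not code from the talk or the authors' repository. It assumes a toy group ($\mathbb{Z}_p^*$ with $p = 2^{127} - 1$), SHA-256 as $H$, and hypothetical function names, and it covers only the ciphertext body; the authenticated header is omitted.

```python
import hashlib

# Toy group (assumption): Z_p^* for the Mersenne prime p = 2^127 - 1.
# It keeps the arithmetic readable; it is not a secure DDH group.
P = 2**127 - 1
ORDER = P - 1   # keys are exponents, so key arithmetic is mod p - 1
BLOCK = 15      # bytes per block: every block value + 1 stays below p


def H(i):
    """Hash block counter i to a nonzero element of Z_p^*."""
    digest = hashlib.sha256(i.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def F(k, i):
    """The slide's KH-PRF: F(k, x) = H(x)^k."""
    return pow(H(i), k % ORDER, P)


def encrypt(k, msg):
    """Counter mode, c_i = m_i * F(k, i); '*' plays the slide's '+'."""
    msg = msg + b"\0" * (-len(msg) % BLOCK)   # zero-pad to whole blocks
    blocks = [msg[j:j + BLOCK] for j in range(0, len(msg), BLOCK)]
    # +1 maps the all-zero block to 1, because 0 is not in Z_p^*
    return [(int.from_bytes(b, "big") + 1) * F(k, i) % P
            for i, b in enumerate(blocks)]


def update_token(k1, k2):
    """Client side: k_up = k2 - k1."""
    return (k2 - k1) % ORDER


def server_update(k_up, ct):
    """Server side: c_i' = c_i * F(k_up, i); no key or plaintext needed."""
    return [c * F(k_up, i) % P for i, c in enumerate(ct)]


def decrypt(k, ct, length):
    """m_i = c_i * F(-k, i), since F(k, i) * F(-k, i) = F(0, i) = 1."""
    blocks = [(c * F(-k, i) % P - 1).to_bytes(BLOCK, "big")
              for i, c in enumerate(ct)]
    return b"".join(blocks)[:length]
```

Because the scheme is deterministic in the key, an updated body is identical to a fresh encryption under $k_2$, which is what makes decryption time independent of the number of re-encryptions.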


  19. Almost KH-PRFs [BLMR13]
      - EPRS17 uses a KH-PRF based on the DDH assumption*: $F(k_1, x) + F(k_2, x) = F(k_1 + k_2, x)$
      - We use a new almost KH-PRF based on the Ring-LWE assumption*: $F(k_1, x) + F(k_2, x) = F(k_1 + k_2, x) + e$ (where $e$ is small in $\mathbb{Z}_q^n$)
      - See paper for construction
      - Result: ~500x faster performance
      - …but how to handle the noise?
      - *In Random Oracle model


  23. Updatable Encryption from Almost KH-PRFs
      - $F(k_1, x) + F(k_2, x) = F(k_1 + k_2, x) + e$ (where $e$ is small)
      - Issue: noisy KH-PRF corrupts message
      - General solution: error correcting codes
      - Observation: noise is always on low-order bits
      - Simple solution: pad low-order bits of each block with zeros
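
How zero padding absorbs the noise across repeated updates, as an added example that is not from the talk or the authors' code. The almost KH-PRF here is a stand-in (a rounded inner product in the learning-with-rounding style), not the paper's Ring-LWE construction; all parameters and function names are toy assumptions, and decoding by rounding to the nearest multiple is this example's choice.

```python
import hashlib
import secrets

# Toy parameters (assumptions, far too small for real use).
N = 8            # key dimension
LOG_Q = 32       # inner products are taken mod q = 2^32
LOG_P = 16       # PRF outputs and ciphertext blocks live mod p = 2^16
PAD = 8          # zero low-order bits reserved for noise in each block
Q, P_MOD = 1 << LOG_Q, 1 << LOG_P
MAX_UPDATES = 1 << (PAD - 1)   # each update adds noise in {-1, 0}


def keygen():
    return [secrets.randbelow(Q) for _ in range(N)]


def H(i):
    """Hash counter i to a vector in Z_q^N (4 bytes per coordinate)."""
    raw = hashlib.shake_256(i.to_bytes(8, "big")).digest(4 * N)
    return [int.from_bytes(raw[j:j + 4], "big") for j in range(0, 4 * N, 4)]


def F(k, i):
    """Rounded inner product: keep the top LOG_P bits of <H(i), k> mod q."""
    return (sum(h * x for h, x in zip(H(i), k)) % Q) >> (LOG_Q - LOG_P)


def encrypt(k, msg):
    """One byte per block, shifted above PAD zero bits: c_i = m_i + F(k, i)."""
    return [((b << PAD) + F(k, i)) % P_MOD for i, b in enumerate(msg)]


def update_token(k1, k2):
    return [(b - a) % Q for a, b in zip(k1, k2)]


def server_update(k_up, ct):
    return [(c + F(k_up, i)) % P_MOD for i, c in enumerate(ct)]


def noisy_blocks(k, ct):
    """c_i - F(k, i): the padded message block plus accumulated noise."""
    return [(c - F(k, i)) % P_MOD for i, c in enumerate(ct)]


def decrypt(k, ct):
    """Round to the nearest multiple of 2^PAD; the noise can be negative,
    so plain truncation would borrow from the message bits."""
    half = 1 << (PAD - 1)
    return bytes(((v + half) >> PAD) % 256 for v in noisy_blocks(k, ct))
```

With 8 payload bits in each 16-bit block the body doubles in size, which is the ciphertext-expansion cost of padding, and decryption stays correct only up to `MAX_UPDATES` re-encryptions.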

  24. Evaluation


  26. Encryption and Re-encryption
      Throughput for encrypting/re-encrypting 32KB messages (MB/sec)

      |            | ReCrypt [EPRS17] | Almost KH-PRF | Nested (128 layers) |
      |------------|------------------|---------------|---------------------|
      | Encrypt    | 0.12             | 61.90         | 1836.9              |
      | Re-encrypt | 0.15             | 83.06         | 2606.8              |

      - Almost KH-PRF is ~500x faster than ReCrypt
      - Nested AES is ~30x faster than almost KH-PRF


  30. Decryption
      - Nested construction faster for up to 50 re-encryptions
      - ReCrypt (not shown) 500x slower than KH-PRF construction
      - Recommendations:
        - Use nested AES construction for infrequent, routine re-keying
        - Use KH-PRF for frequent re-keying


  32. Ciphertext Expansion
      - Nested AES and ReCrypt have smallest ciphertext expansion
      - Recommendations:
        - Use nested AES construction for infrequent, routine re-keying
        - If space is costly and computation is cheap, use ReCrypt for frequent rekeying


  34. Can we do Better?
      - Speed: Not by much
        - Nested scheme: already close to AES throughput
        - Almost KH-PRF: KH-PRF implies key exchange [AMP19]
      - Ciphertext expansion: Good place for improvement
        - One potential approach: more elaborate error-correction to reduce bits wasted by padding

  35. Improving Updatable Encryption
      - Improved security definitions for updatable encryption
      - Two new constructions, from Nested AES and RLWE-based KH-PRF
      - Orders of magnitude performance improvement over prior work
      - Paper: eprint.iacr.org/2020/222.pdf
      - Source Code: https://github.com/moshih/UpdateableEncryption_Code
      - Contact: saba@cs.stanford.edu

  36. Encryption and Re-encryption

  37. Where $R_q = \mathbb{Z}_q[X]/(X^n + 1)$


  40. Confidentiality Security Game [EPRS17]
      - Parties: Adversary, Challenger
      - Setup: Generate h “honest keys” and d “dishonest keys”; send dishonest keys
      - Game:
        - Encrypt: Encrypt message $m$ under key $i$ → $Enc(k_i, m)$
        - Challenge: Encrypt message $m_0$ or $m_1$ under honest key $i$ → $Enc(k_i, m_b)$
        - Guess $b$
      - Adversary wins if it guesses $b$ correctly.
      - A scheme is secure if the adversary has negligible advantage in guessing $b$.

