Paper 2017/527

Key Rotation for Authenticated Encryption

Adam Everspaugh, Kenneth Paterson, Thomas Ristenpart, and Sam Scott


A common requirement in practice is to periodically rotate the keys used to encrypt stored data. Systems used by Amazon and Google do so using a hybrid encryption technique which is eminently practical but has questionable security in the face of key compromises and does not provide full key rotation. Meanwhile, symmetric updatable encryption schemes (introduced by Boneh et al. CRYPTO 2013) support full key rotation without performing decryption: ciphertexts created under one key can be rotated to ciphertexts created under a different key with the help of a re-encryption token. By design, the tokens do not leak information about keys or plaintexts and so can be given to storage providers without compromising security. But the prior work of Boneh et al. addresses relatively weak confidentiality goals and does not consider integrity at all. Moreover, as we show, a subtle issue with their concrete scheme obviates a security proof even for confidentiality against passive attacks. This paper presents a systematic study of updatable Authenticated Encryption (AE). We provide a set of security notions that strengthen those in prior work. These notions enable us to tease out real-world security requirements of different strengths and build schemes that satisfy them efficiently. We show that the hybrid approach currently used in industry achieves relatively weak forms of confidentiality and integrity, but can be modified at low cost to meet our stronger confidentiality and integrity goals. This leads to a practical scheme that has negligible overhead beyond conventional AE. We then introduce re-encryption indistinguishability, a security notion that formally captures the idea of fully refreshing keys upon rotation. We show how to repair the scheme of Boneh et al., attaining our stronger confidentiality notion. We also show how to extend the scheme to provide integrity, and we prove that it meets our re- encryption indistinguishability notion. Finally, we discuss how to instantiate our scheme efficiently using off-the-shelf cryptographic components (AE, hashing, elliptic curves). We report on the performance of a prototype implementation, showing that fully secure key rotations can be performed at a throughput of approximately 116 kB/s.

Note: The original version of this work that appeared at Advances in Cryptology – Crypto 2017 had a number of flaws. While the majority of the core concepts remain unaltered, this version constitutes a significant rewrite. We highlight the most significant changes with footnotes throughout the paper.

Available format(s)
Publication info
Published by the IACR in CRYPTO 2017
Updatable encryptioncloud storagekey rotationkey-homomorphic PRF
Contact author(s)
ristenpart @ cornell edu
2018-09-03: last of 6 revisions
2017-06-05: received
See all versions
Short URL
Creative Commons Attribution


      author = {Adam Everspaugh and Kenneth Paterson and Thomas Ristenpart and Sam Scott},
      title = {Key Rotation for Authenticated Encryption},
      howpublished = {Cryptology ePrint Archive, Paper 2017/527},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.