Paper 2021/268

Revisiting Updatable Encryption: Controlled Forward Security, Constructions and a Puncturable Perspective

Daniel Slamanig, AIT Austrian Institute of Technology
Christoph Striecks, AIT Austrian Institute of Technology
Abstract

Updatable encryption (UE) allows a third party to periodically rotate encryption keys from one epoch to another without the client having to download, decrypt, re-encrypt and upload already encrypted data. Updating those outsourced ciphertexts is carried out via so-called update tokens, which in turn are generated during key rotation and can be sent (publicly) to the third party. The arguably most efficient variant of UE is ciphertext-independent UE, as the key rotation does not depend on the outsourced ciphertexts, which makes it particularly interesting in scenarios where access to (information of the) ciphertexts is not possible during key rotation. Available security notions for UE cannot guarantee any form of forward security (i.e., old ciphertexts are in danger after key leakage). Counter-intuitively, forward security would violate correctness, as ciphertexts should be updatable ad infinitum given the update token. In this work, we investigate if we can have at least some form of "controlled" forward security to mitigate the following shortcoming: an adversary would record available information (i.e., some ciphertexts, all update tokens) and would simply wait for a single key leakage to decrypt all data ever encrypted. Our threefold contribution is as follows: a) First, we introduce an epoch-based UE CPA security notion to allow fine-grained updatability. It covers the concept of expiry epochs, i.e., ciphertexts can lose the ability of being updatable via a token after a certain epoch has passed. This captures the above-mentioned shortcoming, as the encrypting party can decide how long a ciphertext can be updatable (and, hence, decryptable). b) Second, we introduce a novel approach of constructing UE which significantly departs from previous ones and in particular views UE from the perspective of puncturable encryption (Green and Miers, S&P'15). We define tag-inverse puncturable encryption as a new variant that generalizes UE and may be of independent interest. c) Lastly, we present and prove secure the first UE scheme with the aforementioned properties. It is constructed via tag-inverse puncturable encryption and instantiated from standard assumptions. As it turned out, constructing such puncturing schemes is not straightforward and we require adapted proof techniques. Surprisingly, as a special case, this yields the first backwards-leak UE scheme with sub-linear ciphertexts from standard assumptions (an open problem posed in two recent works by Jiang Galteland and Pan & Miao et al., PKC'23).

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in TCC 2023
Keywords
Updatable Encryption, Puncturable Encryption, Dual-System Groups
Contact author(s)
Daniel Slamanig @ ait ac at
Christoph Striecks @ ait ac at
History
2023-10-03: last of 4 revisions
2021-03-03: received
Short URL
https://ia.cr/2021/268
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/268,
      author = {Daniel Slamanig and Christoph Striecks},
      title = {Revisiting Updatable Encryption: Controlled Forward Security, Constructions and a Puncturable Perspective},
      howpublished = {Cryptology ePrint Archive, Paper 2021/268},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/268}},
      url = {https://eprint.iacr.org/2021/268}
}