Updatable Public Key Encryption in the Standard Model

Forward security (FS) ensures that corrupting the current secret key in the system preserves the privacy or integrity of the prior usages of the system. Achieving forward security is especially hard in the setting of public-key encryption (PKE), where time is divided into periods, and in each period the receiver derives the next-period secret key from their current secret key, while the public key stays constant. Indeed, all current constructions of FS-PKE are built from hierarchical identity-based encryption (HIBE) and are rather complicated. Motivated by applications to secure messaging, recent works of Jost et al. (Eurocrypt’19) and Alwen et al. (CRYPTO’20) consider a natural relaxation of FS-PKE, which they term updatable PKE (UPKE). In this setting, the transition to the next period can be initiated by any sender, who can compute a special update ciphertext. This ciphertext directly produces the next-period public key and can be processed by the receiver to compute the next-period secret key. If done honestly, future (regular) ciphertexts produced with the new public key can be decrypted with the new secret key, but past such ciphertexts cannot be decrypted with the new secret key. Moreover, this is true even if all other previous-period updates were initiated by untrusted senders. Both papers also constructed a very simple UPKE scheme based on the CDH assumption in the random oracle model. However, they left open the question of building such schemes in the standard model, or based on other (e.g., post-quantum) assumptions, without using the heavy HIBE techniques. In this work, we construct two efficient UPKE schemes in the standard model, based on the DDH and LWE assumptions, respectively. Somewhat interestingly, our constructions gain their efficiency (compared to prior FS-PKE schemes) by using tools from the area of circular-secure and leakage resilient public-key encryption schemes (rather than HIBE). ∗Partially supported by gifts from VMware Labs and Google, and NSF grants 1619158, 1319051, 1314568. †Partially supported by NSF grants CNS-1413964, CNS-1750795 and the Alfred P. Sloan Research Fellowship.

[1]  Moni Naor,et al.  Public-Key Cryptosystems Resilient to Key Leakage , 2009, SIAM J. Comput..

[2]  Moti Yung,et al.  Efficient Circuit-Size Independent Public Key Encryption with KDM Security , 2011, EUROCRYPT.

[3]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[4]  Anja Lehmann,et al.  Updatable Encryption with Post-Compromise Security , 2018, IACR Cryptol. ePrint Arch..

[5]  Paul Rösler,et al.  Towards Bidirectional Ratcheted Key Exchange , 2018, CRYPTO.

[6]  Dan Boneh,et al.  Hierarchical Identity Based Encryption with Constant Size Ciphertext , 2005, EUROCRYPT.

[7]  Chris Peikert,et al.  Noninteractive Zero Knowledge for NP from (Plain) Learning With Errors , 2019, IACR Cryptol. ePrint Arch..

[8]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[9]  Dan Boneh,et al.  Improving Speed and Security in Updatable Encryption Schemes , 2020, IACR Cryptol. ePrint Arch..

[10]  Anja Lehmann,et al.  (R)CCA Secure Updatable Encryption with Integrity Protection , 2019, IACR Cryptol. ePrint Arch..

[11]  Jan Camenisch,et al.  An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation , 2001, IACR Cryptol. ePrint Arch..

[12]  Mihir Bellare,et al.  Forward-Security in Private-Key Cryptography , 2003, CT-RSA.

[13]  David Cash,et al.  Bonsai Trees, or How to Delegate a Lattice Basis , 2010, Journal of Cryptology.

[14]  Rafail Ostrovsky,et al.  Circular-Secure Encryption from Decision Diffie-Hellman , 2008, CRYPTO.

[15]  Ueli Maurer,et al.  Efficient Ratcheting: Almost-Optimal Guarantees for Secure Messaging , 2019, IACR Cryptol. ePrint Arch..

[16]  Jonathan Katz,et al.  Chosen-Ciphertext Security from Identity-Based Encryption , 2004, SIAM J. Comput..

[17]  Brent Waters,et al.  Lossy trapdoor functions and their applications , 2008, SIAM J. Comput..

[18]  Ben Lynn,et al.  Toward Hierarchical Identity-Based Encryption , 2002, EUROCRYPT.

[19]  Yael Tauman Kalai,et al.  Black-Box Circular-Secure Encryption beyond Affine Functions , 2011, TCC.

[20]  John Black,et al.  Encryption-Scheme Security in the Presence of Key-Dependent Messages , 2002, Selected Areas in Cryptography.

[21]  Kenneth G. Paterson,et al.  Key Rotation for Authenticated Encryption , 2017, CRYPTO.

[22]  Yevgeniy Dodis,et al.  Security Analysis and Improvements for the IETF MLS Standard for Group Messaging , 2020, IACR Cryptol. ePrint Arch..

[23]  Igors Stepanovs,et al.  Optimal Channel Security Against Fine-Grained State Compromise: The Safety of Messaging , 2018, IACR Cryptol. ePrint Arch..

[24]  Ron Rothblum,et al.  Fiat-Shamir: from practice to theory , 2019, STOC.

[25]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[26]  Vinod Vaikuntanathan,et al.  Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions , 2018, IACR Cryptol. ePrint Arch..

[27]  Yevgeniy Dodis,et al.  Efficient Public-Key Cryptography in the Presence of Key Leakage , 2010, ASIACRYPT.

[28]  Dan Boneh,et al.  Efficient Lattice (H)IBE in the Standard Model , 2010, EUROCRYPT.

[29]  Zvika Brakerski,et al.  Circular and Leakage Resilient Public-Key Encryption Under Subgroup Indistinguishability (or: Quadratic Residuosity Strikes Back) , 2010, IACR Cryptol. ePrint Arch..

[30]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[31]  Vinod Vaikuntanathan,et al.  Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE , 2012, EUROCRYPT.

[32]  David Cash,et al.  Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems , 2009, CRYPTO.

[33]  Zhengzhong Jin,et al.  Non-Interactive Zero Knowledge from Sub-exponential DDH , 2021, IACR Cryptol. ePrint Arch..

[34]  Vinod Vaikuntanathan,et al.  Simultaneous Hardcore Bits and Cryptography against Memory Attacks , 2009, TCC.

[35]  Benny Applebaum,et al.  Key-Dependent Message Security: Generic Amplification and Completeness , 2011, Journal of Cryptology.

[36]  Nico Döttling,et al.  Identity-Based Encryption from the Diffie-Hellman Assumption , 2017, CRYPTO.

[37]  Yael Tauman Kalai,et al.  A Survey of Leakage-Resilient Cryptography , 2019, IACR Cryptol. ePrint Arch..

[38]  Leonid Reyzin,et al.  Forward-Secure Signatures with Fast Key Update , 2002, SCN.

[39]  Jonathan Katz,et al.  A Forward-Secure Public-Key Encryption Scheme , 2003, Journal of Cryptology.

[40]  Yuval Ishai,et al.  Bounded Key-Dependent Message Security , 2010, IACR Cryptol. ePrint Arch..

[41]  Moni Naor,et al.  Number-theoretic constructions of efficient pseudo-random functions , 2004, JACM.

[42]  Craig Gentry,et al.  Hierarchical ID-Based Cryptography , 2002, ASIACRYPT.

[43]  Tal Malkin,et al.  Efficient Generic Forward-Secure Signatures with an Unbounded Number Of Time Periods , 2002, EUROCRYPT.

[44]  Ron Rothblum,et al.  Reusable Designated-Verifier NIZKs for all NP from CDH , 2019, IACR Cryptol. ePrint Arch..

[45]  R. Nicoll,et al.  Invited lecture , 1997, Neuroscience Research.

[46]  Chris Peikert,et al.  Circular and KDM Security for Identity-Based Encryption , 2012, Public Key Cryptography.

[47]  Yael Tauman Kalai,et al.  Public-Key Encryption Schemes with Auxiliary Inputs , 2010, TCC.

[48]  Colin Boyd,et al.  Fast and Secure Updatable Encryption , 2020, CRYPTO.

[49]  Nico Döttling,et al.  From Selective IBE to Full IBE and Selective HIBE , 2017, TCC.

[50]  Dan Boneh,et al.  Key Homomorphic PRFs and Their Applications , 2013, CRYPTO.

[51]  Gene Itkis,et al.  Forward-Secure Signatures with Optimal Signing and Verifying , 2001, CRYPTO.

[52]  Mihir Bellare,et al.  A Forward-Secure Digital Signature Scheme , 1999, CRYPTO.

[53]  Leonid Reyzin,et al.  A New Forward-Secure Digital Signature Scheme , 2000, ASIACRYPT.