Key Rotation for Authenticated Encryption

A common requirement in practice is to periodically rotate the keys used to encrypt stored data. Systems used by Amazon and Google do so using a hybrid encryption technique which is eminently practical but has questionable security in the face of key compromises and does not provide full key rotation. Meanwhile, symmetric updatable encryption schemes (introduced by Boneh et al., CRYPTO 2013) support full key rotation without performing decryption: ciphertexts created under one key can be rotated to ciphertexts created under a different key with the help of a re-encryption token. By design, the tokens do not leak information about keys or plaintexts and so can be given to storage providers without compromising security. But the prior work of Boneh et al. addresses relatively weak confidentiality goals and does not consider integrity at all. Moreover, as we show, a subtle issue with their concrete scheme obviates a security proof even for confidentiality against passive attacks.
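The hybrid ("envelope") rotation the abstract contrasts with full key rotation, as an added illustration that is not code from the paper: a per-record data key (DEK) is wrapped under a master key, and "rotation" re-wraps the DEK only, so the body ciphertext and the DEK itself never change and a DEK leaked before rotation still decrypts afterwards. The encrypt-then-MAC scheme built from HMAC-SHA256, the record layout and every function name are assumptions of this example, not the schemes of Amazon, Google or the paper.

```python
import hashlib, hmac, os
MSG = b"constructed sample record"  # constructed sample plaintext

def _subkey(key, label):
    # Domain-separated subkeys so the keystream and the MAC never share a key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode stands in for a real stream cipher (assumed toy AE).
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def ae_encrypt(key, msg):
    # Encrypt-then-MAC; output is nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(_subkey(key, b"enc"), nonce, len(msg))))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def ae_decrypt(key, blob):
    # Returns the plaintext, or None when the tag does not verify.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def hybrid_encrypt(master, msg):
    # Envelope encryption: a fresh per-record DEK protects the body; the master key wraps the DEK.
    dek = os.urandom(32)
    return {"wrapped_dek": ae_encrypt(master, dek), "body": ae_encrypt(dek, msg)}

def hybrid_decrypt(master, rec):
    dek = ae_decrypt(master, rec["wrapped_dek"])
    return None if dek is None else ae_decrypt(dek, rec["body"])

def rotate_master(old_master, new_master, rec):
    # Rotation as practised with hybrid encryption: only the wrapped DEK is re-wrapped.
    dek = ae_decrypt(old_master, rec["wrapped_dek"])
    return {"wrapped_dek": ae_encrypt(new_master, dek), "body": rec["body"]}

def demo():
    k1, k2 = os.urandom(32), os.urandom(32)
    rec = hybrid_encrypt(k1, MSG)
    leaked_dek = ae_decrypt(k1, rec["wrapped_dek"])  # models a DEK compromised before rotation
    rec2 = rotate_master(k1, k2, rec)
    return {
        "new_master_decrypts": hybrid_decrypt(k2, rec2) == MSG,
        "old_master_rejected": hybrid_decrypt(k1, rec2) is None,
        "body_unchanged": rec2["body"] == rec["body"],
        "leaked_dek_still_works": ae_decrypt(leaked_dek, rec2["body"]) == MSG,
    }
```

All four checks in `demo()` come out true: the new master key works and the old one is rejected, yet the stored body and the DEK are exactly what they were before rotation, which is the gap a re-encryption token in an updatable scheme is meant to close.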
