Skip to main content
SpringerLink
Log in

Puncturable Key Wrapping and Its Applications

  • Conference paper
  • First Online:
Advances in Cryptology – ASIACRYPT 2022 (ASIACRYPT 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13792))

Abstract

We introduce puncturable key wrapping (PKW), a new cryptographic primitive that supports fine-grained forward security properties in symmetric key hierarchies. We develop syntax and security definitions, along with provably secure constructions for PKW from simpler components (AEAD schemes and puncturable PRFs). We show how PKW can be applied in two distinct scenarios. First, we show how to use PKW to achieve forward security for TLS 1.3 0-RTT session resumption, even when the server’s long-term key for generating session tickets gets compromised. This extends and corrects a recent work of Aviram, Gellert, and Jager (Journal of Cryptology, 2021). Second, we show how to use PKW to build a protected file storage system with file shredding, wherein a client can outsource encrypted files to a potentially malicious or corrupted cloud server whilst achieving strong forward-security guarantees, relying only on local key updates.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    A broad analogy that readers may find useful: PKW is to PPRFs as AEAD is to block ciphers.

  2. 2.

    To focus on forward security, we separate confidentiality (with forward security) and integrity (below) into distinct notions, contrasting with the combined notion in [47]. We give a combined notion in the full version [5], also capturing CCA-style active attacks, and show that it is equivalent to the junction of our separate notions.

  3. 3.

    We note that a stronger formalization is possible where tag reuse is allowed: by storing and checking the whole tuple \((\textit{T}, \textit{H}, \textit{K})\) in the sets \(\mathcal {S}_{\textit{T},i}\) instead of only \(\textit{T}\), one can demand wraps to look random except when this is impossible due to entirely repeating inputs. This could cater to applications interested in “batch puncturing” [31], i.e., revoking access to multiple wrapped keys via a single puncturing call. Such stronger notions would also require stronger building blocks, as we will see below.

  4. 4.

    The last assumption is necessary for the reduction to simulate a \(\textsc {Ro\$}\text {-}\textsc {Wrap}\) challenge query on an already punctured tag in the game.

  5. 5.

    E.g., when setting up new pre-shared keys, their model takes the identifier psid of the key as an adversary-provided input, while psid in fact corresponds to the ticket (honestly) output by the protocol’s ticketing mechanism. This means that their model is actually unable to capture how tickets are generated by (honest) servers.

  6. 6.

    Our construction leaves the PKW header empty. In practice, this field may be used to authenticate control data of the DEK, such as expiration date or permitted usage.

  7. 7.

    Our construction only uses a single AEAD nonce \(\textit{N}\) per any one data encryption key DEK, which would allow using a fixed nonce. We still sample a random nonce to enable file updates/re-encryption as a potential extension to our construction.

References

  1. Aviram, N., Gellert, K., Jager, T.: Session resumption protocols and efficient forward security for TLS 1.3 0-RTT. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11477, pp. 117–150. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17656-3_5

    Chapter  Google Scholar 

  2. Aviram, N., Gellert, K., Jager, T.: Session resumption protocols and efficient forward security for TLS 1.3 0-RTT. J. Cryptol. 34(3), 1–57 (2021). https://doi.org/10.1007/s00145-021-09385-0

    Article  MathSciNet  MATH  Google Scholar 

  3. Avoine, G., Canard, S., Ferreira, L.: Symmetric-key authenticated key exchange (SAKE) with perfect forward secrecy. In: Jarecki, S. (ed.) CT-RSA 2020. LNCS, vol. 12006, pp. 199–224. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-40186-3_10

    Chapter  Google Scholar 

  4. AWS: Protecting data using client-side encryption. http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html

  5. Backendal, M., Günther, F., Paterson, K.G.: Puncturable key wrapping and its applications. Cryptology ePrint Archive, Paper 2022/1209 (2022). https://eprint.iacr.org/2022/1209

  6. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_18

    Chapter  MATH  Google Scholar 

  7. Bellare, M., Ng, R., Tackmann, B.: Nonces are noticed: AEAD revisited. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 235–265. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_9

    Chapter  Google Scholar 

  8. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25

    Chapter  Google Scholar 

  9. Bellare, M., Stepanovs, I., Waters, B.: New negative results on differing-inputs obfuscation. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 792–821. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_28

    Chapter  Google Scholar 

  10. Blaze, M.: A cryptographic file system for UNIX. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 1993, pp. 9–16. ACM Press (1993). https://doi.org/10.1145/168588.168590

  11. Boneh, D., Lewi, K., Wu, D.J.: Constraining pseudorandom functions privately. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 494–524. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_17

    Chapter  Google Scholar 

  12. Boneh, D., Lipton, R.J.: A revocable backup system. In: USENIX Security 1996. USENIX Association (1996)

    Google Scholar 

  13. Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_15

    Chapter  Google Scholar 

  14. Boxcryptor: Boxcryptor security for your cloud. https://www.boxcryptor.com/

  15. Boyd, C., Davies, G.T., de Kock, B., Gellert, K., Jager, T., Millerjord, L.: Symmetric key exchange with full forward security and robust synchronization. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13093, pp. 681–710. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_23

    Chapter  Google Scholar 

  16. Boyd, C., Gellert, K.: A modern view on forward security. Comput. J. 64(4), 639–652 (2021). https://doi.org/10.1093/comjnl/bxaa104

    Article  MathSciNet  Google Scholar 

  17. Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_29

    Chapter  Google Scholar 

  18. Brier, E., Peyrin, T.: A forward-secure symmetric-key derivation protocol. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 250–267. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_15

    Chapter  Google Scholar 

  19. Chen, W., Hoang, T., Guajardo, J., Yavuz, A.A.: Titanium: A metadata-hiding file-sharing system with malicious security. In: NDSS 2022. The Internet Society (2022). https://doi.org/10.14722/ndss.2022.24161

  20. Chen, W., Popa, R.A.: Metal: a metadata-hiding file-sharing system. In: NDSS 2020. The Internet Society (2020)

    Google Scholar 

  21. Cohn-Gordon, K., Cremers, C.J.F., Garratt, L.: On post-compromise security. In: Hicks, M., Köpf, B. (eds.) CSF 2016 Computer Security Foundations Symposium, pp. 164–178. IEEE Computer Society Press (2016). https://doi.org/10.1109/CSF.2016.19

  22. Derler, D., Jager, T., Slamanig, D., Striecks, C.: Bloom filter encryption and applications to efficient forward-secret 0-RTT key exchange. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 425–455. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_14

    Chapter  Google Scholar 

  23. Diffie, W., van Oorschot, P.C., Wiener, M.J.: Authentication and authenticated key exchanges. Des. Codes Cryptogr. 2(2), 107–125 (1992)

    Article  MathSciNet  Google Scholar 

  24. Dworkin, M.: Recommendation for block cipher modes of operation: methods for key wrapping. NIST Special Publication SP 800–38F (2012). https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf

  25. Everspaugh, A., Paterson, K., Ristenpart, T., Scott, S.: Key rotation for authenticated encryption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 98–129. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_4

    Chapter  Google Scholar 

  26. Feldman, A.J., Zeller, W.P., Freedman, M.J., Felten, E.W.: Sporc: group collaboration using untrusted cloud resources. In: OSDI 20210 (2010)

    Google Scholar 

  27. Fischlin, M., Günther, F.: Multi-stage key exchange and the case of Google’s QUIC protocol. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014, pp. 1193–1204. ACM Press (2014). https://doi.org/10.1145/2660267.2660308

  28. Fuchsbauer, G., Konstantinov, M., Pietrzak, K., Rao, V.: Adaptive security of constrained PRFs. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 82–101. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_5

    Chapter  Google Scholar 

  29. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: 25th FOCS, pp. 464–479. IEEE Computer Society Press (1984). https://doi.org/10.1109/SFCS.1984.715949

  30. Google: Encryption at rest in Google Cloud. https://cloud.google.com/security/encryption/default-encryption

  31. Green, M.D., Miers, I.: Forward secure asynchronous messaging from puncturable encryption. In: 2015 IEEE Symposium on Security and Privacy, pp. 305–320. IEEE Computer Society Press (2015). https://doi.org/10.1109/SP.2015.26

  32. Günther, C.G.: An identity-based key-exchange protocol. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 29–37. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_5

    Chapter  Google Scholar 

  33. Günther, F., Hale, B., Jager, T., Lauer, S.: 0-RTT key exchange with full forward secrecy. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 519–548. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_18

    Chapter  Google Scholar 

  34. IBM: Protecting data with envelope encryption. https://cloud.ibm.com/docs/key-protect?topic=key-protect-envelope-encryption

  35. Jaeger, J., Tyagi, N.: Handling adaptive compromise for practical encryption schemes. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12170, pp. 3–32. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_1

    Chapter  Google Scholar 

  36. Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Sadeghi, A.R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 669–684. ACM Press (2013). https://doi.org/10.1145/2508859.2516668

  37. Klooß, M., Lehmann, A., Rupp, A.: (R)CCA secure updatable encryption with integrity protection. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 68–99. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_3

    Chapter  Google Scholar 

  38. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34

    Chapter  Google Scholar 

  39. Lau, B., Chung, S.P., Song, C., Jang, Y., Lee, W., Boldyreva, A.: Mimesis aegis: a mimicry privacy shield-a system’s approach to data privacy on public cloud. In: Fu, K., Jung, J. (eds.) USENIX Security 2014, pp. 33–48. USENIX Association (2014)

    Google Scholar 

  40. Lehmann, A., Tackmann, B.: Updatable encryption with post-compromise security. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 685–716. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_22

    Chapter  Google Scholar 

  41. Mahajan, P., Setty, S., Lee, S., Clement, A., Alvisi, L., Dahlin, M., Walfish, M.: Depot: cloud storage with minimal trust. ACM Trans. Comput. Syst. 29(4) (2011). https://doi.org/10.1145/2063509.2063512

  42. Microsoft: Azure Data Encryption at rest. https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest

  43. Miller, E., Long, D., Freeman, W., Reed, B.: Strong security for distributed file systems. In: Conference Proceedings of the 2001 IEEE International Performance, Computing, and Communications Conference, pp. 34–40 (2001). https://doi.org/10.1109/IPCCC.2001.918633

  44. Nichols, S.: Dropbox: Oops, yeah, we didn’t actually delete all your files this bug kept them in the cloud (2017). https://www.theregister.com/2017/01/24/dropbox_brings_old_files_back_from_dead/

  45. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (Proposed Standard) (2018). https://www.rfc-editor.org/rfc/rfc8446.txt

  46. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, pp. 98–107. ACM Press (2002). https://doi.org/10.1145/586110.586125

  47. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23

    Chapter  Google Scholar 

  48. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 475–484. ACM Press (2014). https://doi.org/10.1145/2591796.2591825

  49. Salowey, J., Zhou, H., Eronen, P., Tschofenig, H.: Transport Layer Security (TLS) Session Resumption without Server-Side State. RFC 5077 (Proposed Standard) (2008). https://www.rfc-editor.org/rfc/rfc5077.txt, obsoleted by RFC 8446, updated by RFC 8447

  50. Slamanig, D., Striecks, C.: Puncture ’em all: updatable encryption with no-directional key updates and expiring ciphertexts. Cryptology ePrint Archive, Report 2021/268 (2021). https://eprint.iacr.org/2021/268

  51. Sun, S.F., et al.: Practical non-interactive searchable encryption with forward and backward privacy. In: NDSS 2021. The Internet Society (2021)

    Google Scholar 

  52. Sun, S., et al.: Practical backward-secure searchable encryption from symmetric puncturable encryption. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 763–780. ACM Press (2018). https://doi.org/10.1145/3243734.3243782

  53. Sy, E., Burkert, C., Federrath, H., Fischer, M.: Tracking users across the web via TLS session resumption. In: ACSAC 2018, pp. 289–299. ACM (2018). https://doi.org/10.1145/3274694.3274708

  54. Tyagi, N., Mughees, M.H., Ristenpart, T., Miers, I.: BurnBox: self-revocable encryption in a world of compelled access. In: Enck, W., Felt, A.P. (eds.) USENIX Security 2018, pp. 445–461. USENIX Association (2018)

    Google Scholar 

Download references

Acknowledgments

We thank the anonymous reviewers for their helpful comments. Felix Günther has been supported in part by Research Fellowship grant GU 1859/1-1 of the German Research Foundation (DFG).

Author information

Authors and Affiliations

  1. Department of Computer Science, ETH Zurich, Zurich, Switzerland

    Matilda Backendal, Felix Günther & Kenneth G. Paterson

Authors
  1. Matilda Backendal
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Felix Günther
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Kenneth G. Paterson
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Matilda Backendal .

Editor information

Editors and Affiliations

  1. Indian Institute of Technology Madras, Chennai, India

    Shweta Agrawal

  2. Chinese Academy of Sciences, Beijing, China

    Dongdai Lin

Rights and permissions

Reprints and permissions

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Backendal, M., Günther, F., Paterson, K.G. (2022). Puncturable Key Wrapping and Its Applications. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13792. Springer, Cham. https://doi.org/10.1007/978-3-031-22966-4_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22966-4_22

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22965-7

  • Online ISBN: 978-3-031-22966-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation