
Generic Construction of Audit Logging Schemes with Forward Privacy and Authenticity

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9543)

Abstract

In this paper, audit logging schemes with forward privacy and authenticity are formalized in the symmetric-key setting. Then, two generic audit logging schemes with forward privacy and authenticity are proposed. One consists of an authenticated encryption scheme with associated data. The other consists of a symmetric encryption scheme and a MAC function. Both of them also use a forward-secure pseudorandom generator to achieve forward security. Finally, the forward privacy and authenticity of the schemes are confirmed in the manner of provable security. The security properties of the proposed schemes are reduced to the standard security properties of the underlying primitives.

Keywords

Audit logging, Forward security, Privacy, Authenticity

1 Introduction

Background and Our Motivation. Audit logging is an important technique for securing systems. Audit logs record the events on systems to give a view of system activities. Any tampering with records, including deletion and reordering, should at least be detectable. Audit logs may contain sensitive information to be kept secret from attackers. Cryptographic techniques are useful to guarantee such authenticity and privacy of log files. Once an attacker gets the key, however, he can tamper with the records or decrypt the ciphertexts of sensitive information. To thwart these attacks, forward security is often incorporated in secure audit logging schemes [5, 12, 18].

Forward security prevents an attacker who has obtained the current key, for example by intrusion, from tampering with records or decrypting ciphertexts generated in the past; this is achieved by updating keys. Two settings for updating keys are found in the literature on secure audit logging. We will call them the time-driven setting and the event-driven setting. In the time-driven setting, time is divided into intervals, and secret keys are updated at the end of every interval. Thus, multiple records may be generated with the same key assigned to an interval. In the event-driven setting, on the other hand, secret keys are updated after every event. Each record is generated with a new secret key.

In spite of the importance of forward-secure audit logging with privacy and authenticity, it has not been given a formal treatment, and its security has been discussed only informally.

Our Contribution. First, audit logging schemes and their security are formally defined in the symmetric-key setting. The security properties are called forward privacy and forward authenticity. Then, two generic constructions of audit logging schemes with forward privacy and authenticity are presented. One assumes the time-driven setting and is constructed with an AEAD (authenticated encryption with associated data) scheme. The other assumes the event-driven setting and is constructed with a symmetric-key encryption scheme and a MAC function. For the first scheme, as far as the authors know, application of AEAD to secure audit logging has not been discussed before. Both schemes also use a forward-secure pseudorandom generator to get forward security. Finally, it is shown that the proposed schemes are provably secure. The forward privacy and authenticity of the proposed schemes are reduced to the standard security properties of their components.

Related Work. Schneier and Kelsey [18, 19] proposed a forward-secure audit logging scheme with privacy and authenticity in the symmetric-key setting. Actually, they also considered a communication protocol between an untrusted machine creating its log files and a trusted machine which stores log files. We will focus on the creation of log files in this paper.

Forward security was first introduced for key exchange protocols [10]. Bellare and Yee [6] formalized forward-secure symmetric-key primitives and their security notions. They treated pseudorandom generators, message authentication schemes, and encryption schemes. They also provided their generic constructions and discussed their security.

Audit logging schemes with authenticity can also be found in literature. Bellare and Yee [5] initiated the study to secure audit logging with cryptographic techniques. Ma and Tsudik [12] introduced the notion of forward-secure sequential aggregate message authentication, which can be used for audit logging with authenticity [13]. They also presented a scheme using a collision-resistant hash function as well as a MAC function. Hirose and Kuwakado [11] formalized the notion and proposed a provably secure scheme without a collision-resistant hash function.

Among the audit logging schemes mentioned above, the Bellare-Yee scheme [5] and the Hirose-Kuwakado scheme [11] assume the time-driven setting for key update. The Schneier-Kelsey scheme [18, 19] and the Ma-Tsudik scheme [13], on the other hand, assume the event-driven setting.

Accorsi [1] made a brief survey of secure logging schemes. It also includes schemes in the public-key setting, which are out of the scope of this paper.

Recently, due to the CAESAR project [8], authenticated encryption has been attracting much interest. AEAD is formalized in [15]. Generic composition of an encryption scheme and a MAC function for AEAD is discussed in [3, 14].

Waters et al. [20] presented a scheme to construct encrypted audit log searchable with keywords in the public-key setting.

Organization. Section 2 gives notations and definitions of cryptographic primitives used in the proposed schemes. Section 3 presents definitions of audit logging schemes and their forward privacy and authenticity. Section 4 describes the proposed generic constructions. Section 5 shows that the generic constructions are secure if their components are secure. Section 6 concludes the paper.

2 Preliminaries

Notation. For sequences x and y, \(x\Vert y\) represents their concatenation. An empty sequence is denoted by \(\varepsilon \).

Let \(\varvec{F}(\mathcal {X},\mathcal {Y})\) be the set of all functions with domain \(\mathcal {X}\) and range \(\mathcal {Y}\). For keyed function \(F:\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\) with key space \(\mathcal {K}\), \(F(K,\cdot )\) is often denoted by \(F_{K}(\cdot )\).

For set S, let \(s\twoheadleftarrow S\) denote that an element s is chosen uniformly at random from S. For a pair of elements \(e_1\) and \(e_2\) of a totally ordered set, let \([e_1,e_2]=\{e\,|\,e_1\le e\le e_2\}\). If \(e_1\) and \(e_2\) are integers, then \([e_1,e_2]\) represents the set of integers from \(e_1\) to \(e_2\) inclusive.

Pseudorandom Generator. A pseudorandom generator (PRG) [7] is a function with its range larger than its domain. Let \(G:\mathcal {S}\rightarrow \mathcal {S}'\) such that \(|\mathcal {S}'|>|\mathcal {S}|\). G is called a PRG if it is intractable to distinguish G(S) with \(S\twoheadleftarrow \mathcal {S}\) from \(S'\twoheadleftarrow \mathcal {S}'\).

Adversary \(\mathsf {A}\) against G takes an element of \(\mathcal {S}'\) and outputs 0 or 1. The advantage of \(\mathsf {A}\) is defined by
$$ \mathrm {Adv}_{G}^{\mathrm {prg}}(\mathsf {A})= \Bigl |\Pr [\mathsf {A}(G(S))\Rightarrow 1]-\Pr [\mathsf {A}(S')\Rightarrow 1]\Bigr |, $$
where \(S\twoheadleftarrow \mathcal {S}\) and \(S'\twoheadleftarrow \mathcal {S}'\).

Pseudorandom Function. A pseudorandom function (PRF) [9] is a keyed function. \(F:\mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\) is called a PRF if it is intractable to distinguish \(F_{K}\) with \(K\twoheadleftarrow \mathcal {K}\) from a function chosen uniformly at random from \(\varvec{F}(\mathcal {X},\mathcal {Y})\).

Adversary \(\mathsf {A}\) against F is given a function in \(\varvec{F}(\mathcal {X},\mathcal {Y})\) as an oracle. \(\mathsf {A}\) makes adaptive queries to the oracle, and then outputs 0 or 1. The advantage of \(\mathsf {A}\) is defined by
$$ \mathrm {Adv}_{F}^{\mathrm {prf}}(\mathsf {A})= \Bigl |\Pr \left[ \mathsf {A}^{F_{K}}\Rightarrow 1\right] - \Pr \left[ \mathsf {A}^{\rho }\Rightarrow 1\right] \Bigr |, $$
where \(K\twoheadleftarrow \mathcal {K}\) and \(\rho \twoheadleftarrow \varvec{F}(\mathcal {X},\mathcal {Y})\).
The definition can be extended to adversaries with independent multiple oracles:
$$ \mathrm {Adv}_{F}^{m\text {-}\mathrm {prf}}(\mathsf {A})=\Bigl | \Pr \left[ \mathsf {A}^{F_{K_1},\ldots ,F_{K_m}}\Rightarrow 1\right] - \Pr \left[ \mathsf {A}^{\rho _{1},\ldots ,\rho _{m}}\Rightarrow 1\right] \Bigr |, $$
where \((K_1, K_2,\ldots , K_m)\twoheadleftarrow \mathcal {K}^{m}\) and \((\rho _1,\rho _2,\ldots ,\rho _m)\twoheadleftarrow \varvec{F}(\mathcal {X},\mathcal {Y})^{m}\).

Theorem 1

[2]. For any adversary \(\mathsf {A}\) against F with access to m oracles, there exists an adversary \(\mathsf {A}'\) against F with access to a single oracle such that
$$ \mathrm {Adv}_{F}^{m\text {-}\mathrm {prf}}(\mathsf {A})=m\cdot \mathrm {Adv}_{F}^{\mathrm {prf}}(\mathsf {A}'). $$
The run time of \(\mathsf {A}'\) is not larger than the sum of the run time of \(\mathsf {A}\) and the time to compute F for the queries by \(\mathsf {A}\). The number of the queries by \(\mathsf {A}'\) is not larger than \(\max \{q_i\,|\,1\le i\le m\}\), where \(q_i\) is the number of the queries by \(\mathsf {A}\) to its i-th oracle.

Rogaway and Shrimpton [17] introduced a vector-input PRF. It is a PRF which takes as input a vector of strings as well as a key. They also showed how to construct a vector-input PRF from a regular PRF which takes as input a string as well as a key.

Forward-Secure Pseudorandom Generator. A forward-secure pseudorandom generator (FSPRG) [6] is a stateful generator. A stateful generator is defined by \(\mathsf {Gen}=(G,n)\), where \(G:\mathcal {S}\rightarrow \mathcal {K}\times \mathcal {S}\) such that \((K_{i},S_{i+1})\leftarrow G(S_{i})\) for \(1\le i\le n\) and \(S_{1}\in \mathcal {S}\). It is depicted in Fig. 1.

The security of an FSPRG is formalized as indistinguishability against adaptive attacks with experiment \(\mathtt {Exp}^{{\mathrm {fsprg}\text {-}}b}_{\mathsf {Gen},\mathsf {A}}\) given in Fig. 2. Adversary \(\mathsf {A}\) works in two phases. First, in the query phase, \(\mathsf {A}\) gets \(K_{1},K_{2},\ldots ,K_{i'}\) for some \(i'\le n\) chosen by \(\mathsf {A}\). \(K_{1},K_{2},\ldots ,K_{i'}\) are generated by G if \(b=0\), and chosen uniformly at random if \(b=1\). Then, in the try phase, \(\mathsf {A}\) receives \(S_{i'+1}\) and outputs 0 or 1. The advantage of \(\mathsf {A}\) against \(\mathsf {Gen}\) is defined by
$$ \mathrm {Adv}^{\mathrm {fsprg}}_{\mathsf {Gen}}(\mathsf {A})= \left| \Pr \left[ \mathtt {Exp}^{{\mathrm {fsprg}\text {-}}0}_{\mathsf {Gen},\mathsf {A}}\Rightarrow 1\right] - \Pr \left[ \mathtt {Exp}^{{\mathrm {fsprg}\text {-}}1}_{\mathsf {Gen},\mathsf {A}}\Rightarrow 1\right] \right| . $$
The following theorem shows that \(\mathsf {Gen}\) is an FSPRG if G is a PRG.

Theorem 2

[6]. For any adversary \(\mathsf {A}\) against \(\mathsf {Gen}\), there exists an adversary \(\mathsf {A}'\) against G such that
$$ \mathrm {Adv}^{\mathrm {fsprg}}_{\mathsf {Gen}}(\mathsf {A})\le 2n\cdot \mathrm {Adv}^{\mathrm {prg}}_{G}(\mathsf {A}') $$
and the run time of \(\mathsf {A}'\) is about the run time of \(\mathtt {Exp}^{{\mathrm {fsprg}\text {-}}1}_{\mathsf {Gen},\mathsf {A}}\).

Fig. 1. \(\mathsf {Gen}=(G,n)\)

Fig. 2. Experiment \(\mathtt {Exp}^{{\mathrm {fsprg}\text {-}}b}_{\mathsf {Gen},\mathsf {A}}\) for \(b\in \{0,1\}\)

Symmetric-Key Encryption. A symmetric-key encryption scheme is defined by \(\mathsf {SE}=(E,D)\), where \(E:\mathcal {K}\times \mathcal {M}\rightarrow \mathcal {C}\) is an encryption algorithm and \(D:\mathcal {K}\times \mathcal {C}\rightarrow \mathcal {M}\cup \{\bot \}\) is a decryption algorithm. \(\mathcal {K}\) is the key space, \(\mathcal {M}\) is the message space and \(\mathcal {C}\) is the ciphertext space. For any \(K\in \mathcal {K}\), if \(C\leftarrow E_K(M)\) for some \(M\in \mathcal {M}\), then \(M\leftarrow D_K(C)\). Otherwise, \(\bot \leftarrow D_K(C)\).

The security requirement for a symmetric-key encryption scheme is privacy. It is indistinguishability of the outputs of E from sequences of the same lengths chosen uniformly at random. Adversary \(\mathsf {A}\) is given either \(E_K\) or \(\varpi \) as an oracle and makes an adaptive chosen message attack. For any \(M\in \mathcal {M}\), \(\varpi \) simply produces a sequence of the same lengths as the output of \(E_K(M)\) chosen uniformly at random. The advantage of \(\mathsf {A}\) against \(\mathsf {SE}\) is defined by
$$ \mathrm {Adv}^{\mathrm {priv}}_{\mathsf {SE}}(\mathsf {A})= \left| \Pr \left[ \mathsf {A}^{E_K}\Rightarrow 1\right] - \Pr \left[ \mathsf {A}^{\varpi }\Rightarrow 1\right] \right| , $$
where \(K\twoheadleftarrow \mathcal {K}\).

Authenticated Encryption with Associated Data. We will define nonce-based authenticated encryption with associated data (AEAD) [15, 16]. An AEAD scheme is defined by \(\mathsf {AEAD}=(\mathsf {en},\mathsf {de})\). \(\mathsf {en}:\mathcal {K}\times \mathcal {N}\times \mathcal {A}\times \mathcal {M}\rightarrow \mathcal {C}\times \mathcal {T}\) is an encryption algorithm and \(\mathsf {de}:\mathcal {K}\times \mathcal {N}\times \mathcal {A}\times \mathcal {C}\times \mathcal {T}\rightarrow \mathcal {M}\cup \{\bot \}\) is a decryption algorithm. \(\mathcal {K}\) is the key space, \(\mathcal {N}\) is the nonce space, \(\mathcal {A}\) is the associated-data space, \(\mathcal {M}\) is the message space, \(\mathcal {C}\) is the ciphertext space, and \(\mathcal {T}\) is the tag space. For any \(K\in \mathcal {K}\), if \((C,T)\leftarrow \mathsf {en}_K(N,A,M)\) for some \((N,A,M)\in \mathcal {N}\times \mathcal {A}\times \mathcal {M}\), then \(M\leftarrow \mathsf {de}_K(N,A,C,T)\). Otherwise, \(\bot \leftarrow \mathsf {de}_K(N,A,C,T)\). The security requirements for AEAD are privacy and authenticity. Messages require both privacy and authenticity, while associated data require only authenticity.

The privacy of AEAD is indistinguishability of the outputs of \(\mathsf {en}\) from sequences of the same lengths chosen uniformly at random. Adversary \(\mathsf {A}\) is given either \(\mathsf {en}_K\) or \(\$\) as an oracle and makes an adaptive chosen message attack. For any \((N,A,M)\in \mathcal {N}\times \mathcal {A}\times \mathcal {M}\), \(\$\) simply produces a sequence of the same lengths as the output of \(\mathsf {en}_K(N,A,M)\) chosen uniformly at random. The advantage of \(\mathsf {A}\) against \(\mathsf {AEAD}\) with respect to privacy is defined by
$$ \mathrm {Adv}^{\mathrm {priv}}_{\mathsf {AEAD}}(\mathsf {A})= \left| \Pr \left[ \mathsf {A}^{\mathsf {en}_K}\Rightarrow 1\right] - \Pr \left[ \mathsf {A}^{\$}\Rightarrow 1\right] \right| , $$
where \(K\twoheadleftarrow \mathcal {K}\).
The authenticity of AEAD is formalized by existential unforgeability. Adversary \(\mathsf {A}\) is given oracle access to \(\mathsf {en}_K\) and \(\mathsf {de}_K\). \(\mathsf {A}\) is not allowed to use the same sequence for nonce in distinct queries to \(\mathsf {en}_K\), nor to ask any reply from \(\mathsf {en}_K\) to \(\mathsf {de}_K\). We say that \(\mathsf {A}^{\mathsf {en}_K,\mathsf {de}_K}\) forges if \(\mathsf {A}^{\mathsf {en}_K,\mathsf {de}_K}\) asks a query to \(\mathsf {de}_K\) such that the corresponding reply is not \(\bot \). The advantage of \(\mathsf {A}\) against \(\mathsf {AEAD}\) with respect to authenticity is defined by
$$ \mathrm {Adv}^{\mathrm {auth}}_{\mathsf {AEAD}}(\mathsf {A})= \Pr \left[ \mathsf {A}^{\mathsf {en}_K,\mathsf {de}_K}\; \text {forges}\right] , $$
where \(K\twoheadleftarrow \mathcal {K}\).

3 Audit Logging Scheme with Privacy and Authenticity

3.1 Scheme

An audit logging scheme is a stateful scheme defined by \(\mathsf {ALG}=(\mathsf {U},\mathsf {E},\mathsf {D},n)\), where \(\mathsf {U}:\mathcal {S}\rightarrow \mathcal {K}\times \mathcal {S}\) is a key-update algorithm, \(\mathsf {E}:\mathcal {K}\times \mathcal {T}\times \mathcal {A}\times \mathcal {M}\rightarrow \mathcal {C}\times \mathcal {T}\) is an encryption algorithm, \(\mathsf {D}:\mathcal {K}^{+}\times \mathcal {T}\times (\mathcal {A}\times \mathcal {C}\times \mathcal {T})^{+}\rightarrow \mathcal {M}^{+}\cup \{\bot \}\) is a decryption algorithm, and n is the number of stages. The algorithms are described below.

  • Key Update \((K_{i},S_{i+1})\leftarrow \mathsf {U}(S_{i})\) for \(1\le i\le n\), where \(S_{1}\twoheadleftarrow \mathcal {S}\).

    The key-update algorithm takes as input the secret master key \(S_{i}\) for the i-th stage. It then outputs the secret key \(K_{i}\) for the current stage and the new secret master key \(S_{i+1}\) for the next stage.

  • Encryption \((C_{i,j},\tau _{i,j})\leftarrow \mathsf {E}(K_{i},\tau _{i,j-1},A_{i,j},M_{i,j})\) for \(1\le i\le n\) and \(j\ge 1\).

    In the i-th stage, the encryption algorithm takes encryption key \(K_{i}\), previous tag \(\tau _{i,j-1}\), associated data \(A_{i,j}\) and message \(M_{i,j}\) as input. \(\tau _{i,0}\) is an initial state of the i-th stage. It then outputs ciphertext \(C_{i,j}\) for \(M_{i,j}\), and tag \(\tau _{i,j}\) for \((A_{i,j}, M_{i,j})\). \((A_{i,j}, M_{i,j})\) is called an event. \((A_{i,j},C_{i,j},\tau _{i,j})\) is called a record.

  • Decryption Let \(\varvec{R}=(\varvec{R}_1,\varvec{R}_2,\ldots ,\varvec{R}_n)\) be the ordered sequence of the records, where \(\varvec{R}_i=(R_{i,1},R_{i,2},\ldots ,R_{i,\sigma _i})\) and \(R_{i,j}=(A_{i,j},C_{i,j},\tau _{i,j})\) for \(1\le i\le n\) and \(1\le j\le \sigma _i\). \(\sigma _i\) is the total number of the records in the i-th stage. For \(1\le i\le n\) and \(1\le j\le \sigma _i\), the pairs of integers \((i,j)\) are ordered so that \((i,j)\le (i',j')\) if and only if \(i<i'\), or \(i=i'\) and \(j\le j'\). The decryption algorithm is defined as follows:
    $$ \alpha \leftarrow \mathsf {D}(\varvec{K}_{[i_1,i_2]},\tau _{i_1,j_1-1},\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}), $$
    where \((1,1)\le (i_1,j_1)\le (i_2,j_2)\le (n,\sigma _n)\), \(\varvec{K}_{[i_1,i_2]}\) is the subsequence of \(K_1,K_2,\ldots ,K_n\) from \(K_{i_1}\) to \(K_{i_2}\) inclusive, and \(\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}\) is the subsequence of \(\varvec{R}\) from the \((i_1,j_1)\)-th record to the \((i_2,j_2)\)-th record inclusive. \(\mathsf {D}\) outputs \(M_{i_1,j_1},\ldots ,M_{i_2,j_2}\) if \(\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}\) is valid with respect to \(\tau _{i_1,j_1-1}\). Otherwise, it outputs \(\bot \).

We consider two kinds of settings for key update: time-driven setting and event-driven setting. In the time-driven setting, time is divided into intervals, and the key is updated at the end of each interval. In the event-driven setting, on the other hand, the key is updated after every event. A stage corresponds to an interval in the time-driven setting and to an event in the event-driven setting.

For event \((A_{i,j},M_{i,j})\), it is assumed that \(A_{i,j}\) includes the index i of the current stage. For the time-driven setting, it is assumed that \(A_{i,j}\) also includes a flag representing whether the event is the last one in the i-th stage or not. The flag is a countermeasure against truncation attacks [5, 13]. A truncation attack simply deletes the tail of a sequence of records and the corresponding tags. Thus, it cannot be detected without any kind of end-marker such as the flag assumed in the scheme.

3.2 Security

The forward privacy and authenticity of \(\mathsf {ALG}=(\mathsf {U},\mathsf {E},\mathsf {D},n)\) is defined below. Each of them is defined by an experiment with an adversary. The adversary works in two phases: The first phase is the query phase, and the second phase is the try phase.

Forward Privacy. The forward privacy of \(\mathsf {ALG}\) is indistinguishability of a ciphertext and a tag in each record from a sequence of the same length chosen uniformly at random. Let \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}b}_{\mathsf {ALG},\mathsf {A}}\) be the experiment given in Fig. 3. In the query phase, adversary \(\mathsf {A}\) makes adaptive queries to its oracle. \(\mathsf {A}\) should respect the state: \(\mathsf {A}\) should ask a new query involving the current state (the previous tag). The oracle is either \(\mathsf {E}_{K_{i}}\) or \(\$_{i}\). \(K_{i}\) is chosen uniformly at random from \(\mathcal {K}\). For each query, \(\$_{i}\) returns a uniformly distributed random sequence of the same length as the sequence returned by \(\mathsf {E}_{K_{i}}\). \(\mathsf {A}\) is allowed to decide when to break into the system. In the time-driven setting, \(\mathsf {A}\) is also allowed to control when to proceed to the next stage. If \(\mathsf {A}\) decides to break into the system during the a-th stage, then \(\mathsf {A}\) enters into the try phase. In this phase, \(\mathsf {A}\) receives \(S_{a+1}\) and outputs 0 or 1. The advantage of \(\mathsf {A}\) against \(\mathsf {ALG}\) with respect to forward privacy is defined by
$$ \mathrm {Adv}^{\mathrm {fpriv}}_{\mathsf {ALG}}(\mathsf {A})= \left| \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}0}_{\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] - \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}1}_{\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \right| . $$
Forward Authenticity. The forward authenticity of \(\mathsf {ALG}\) is existential unforgeability against adaptive attacks. Let \(\mathtt {Exp}^{\mathrm {fauth}}_{\mathsf {ALG},\mathsf {A}}\) be the experiment given in Fig. 4. In the query phase, \(\mathsf {A}\) makes adaptive queries to \(\mathsf {E}_{K_{i}}\). \(\mathsf {A}\) should respect the state. \(\mathsf {A}\) is allowed to decide when to break into the system. In the time-driven setting, \(\mathsf {A}\) is also allowed to decide when to proceed to the next stage. If \(\mathsf {A}\) decides to break into the system during the a-th stage, then \(\mathsf {A}\) receives \(S_{a+1}\) and enters into the try phase. In this phase, \(\mathsf {A}\) tries to forge. Let \(\varvec{R}=(\varvec{R}_1,\varvec{R}_2,\ldots ,\varvec{R}_{a})\) be the ordered sequence of records obtained in the query phase. For \(1\le i_1\le i_2\le a\), let \(\varvec{V}(\varvec{R},i_1,i_2)\) be the set of \((\tau _{i_1,u_1-1},\varvec{R}_{[(i_1,u_1),(i_2,u_2)]})\) such that \(1\le u_1\le \sigma _{i_1}\) and \(1\le u_2\le \sigma _{i_2}\) if \(i_1<i_2\), and \(1\le u_1\le u_2\le \sigma _{i_1}\) if \(i_1=i_2\). The forgery \((\tau _{i_1,j_1-1}',\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}')\) is successful if
  • \(1\le i_1\le i_2\le a\), \( (\tau _{i_1,j_1-1}',\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}') \not \in \varvec{V}(\varvec{R},i_1,i_2) \), and

  • the output of \(\mathsf {D}(\varvec{K}_{[i_1,i_2]},\tau _{i_1,j_1-1}',\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}')\) is not \(\bot \).

The advantage of \(\mathsf {A}\) against \(\mathsf {ALG}\) with respect to forward authenticity is defined by
$$ \mathrm {Adv}_{\mathsf {ALG}}^{\mathrm {fauth}}(\mathsf {A})= \Pr \left[ \mathtt {Exp}^{\mathrm {fauth}}_{\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] . $$

Fig. 3. Experiment \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}b}_{\mathsf {ALG},\mathsf {A}}\) for \(b\in \{0,1\}\). \(\mathcal {O}_i^0=\mathsf {E}_{K_{i}}\) and \(\mathcal {O}_i^1=\$_{i}\).

Fig. 4. Experiment \(\mathtt {Exp}^{\mathrm {fauth}}_{\mathsf {ALG},\mathsf {A}}\). \( forgery =(\tau _{i_1,j_1-1}',\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}')\).

4 Generic Construction

For each of the time-driven setting and the event-driven setting, an audit logging scheme with forward privacy and authenticity is proposed. The FSPRG \(\mathsf {Gen}\) with PRG \(G:\mathcal {S}\rightarrow \mathcal {K}\times \mathcal {S}\) is used for key update in both of the settings.

4.1 Time-Driven Setting

An audit logging scheme in the time-driven setting is composed of an AEAD scheme \(\mathsf {AEAD}=(\mathsf {en},\mathsf {de})\) and the FSPRG \(\mathsf {Gen}=(G,n)\). It is called \(\mathsf {t}\mathsf {ALG}\). \(\mathsf {t}\mathsf {ALG}\) requires an injective encoding from the tag space to the nonce space of \(\mathsf {AEAD}\). In the following, it is assumed for simplicity of description that the tag space is included in the nonce space.

  • Key update \((K_{i},S_{i+1})\leftarrow G(S_{i})\) for \(1\le i\le n\).

  • Encryption \( (C_{i,j},\tau _{i,j})\leftarrow \mathsf {en}_{K_{i}}(\tau _{i,j-1},A_{i,j},M_{i,j}) \) for \(1\le i\le n\) and \(1\le j\le \sigma _i\), where \(\sigma _{i}\) is the total number of the events in the i-th stage, \(\tau _{1,0}\) is an initial constant, and \(\tau _{i,0}=\tau _{i-1,\sigma _{i-1}}\) for \(i\ge 2\).

  • Decryption For \((\tau _{i_1,j_1-1},\varvec{R}_{[(i_1,j_1),(i_2,j_2)]})\), if \(\mathsf {de}_{K_{i}}(\tau _{i,j-1},A_{i,j},C_{i,j},\tau _{i,j})\ne \bot \) for all \((i,j)\in [(i_1,j_1),(i_2,j_2)]\), then output \(\mathsf {de}_{K_{i}}(\tau _{i,j-1},A_{i,j},C_{i,j},\tau _{i,j})\) for all \((i,j)\in [(i_1,j_1),(i_2,j_2)]\). Otherwise, it outputs \(\bot \).

Figure 5 depicts the encryption procedure for a sequence of events.

Fig. 5. Encryption of the generic scheme in the time-driven setting
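The following Go program is an added example, not code from the paper, of the time-driven scheme \(\mathsf {t}\mathsf {ALG}\) as specified above (key update, encryption and decryption), together with the FSPRG \(\mathsf {Gen}\) of Section 2 and the end-of-stage flag of Section 3.1. Its instantiations are assumptions of the example rather than choices made by the paper: HMAC-SHA256 under \(S_i\) with two domain-separation labels plays the role of the PRG G; AES-128-GCM with 16-byte nonces is the AEAD, so that the 16-byte tag of the previous record is the nonce without any encoding; \(A_{i,j}\) is laid out as one byte of stage index, one flag byte and the caller's associated data; and \(\tau _{1,0}\) is the all-zero string. The verifier (the trusted side that keeps \(S_1\)) re-derives \(K_1,\ldots ,K_n\) with G rather than receiving \(\varvec{K}_{[i_1,i_2]}\) directly.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AES-GCM with 16-byte nonces: the 16-byte tag of the previous record then serves directly as
// the nonce (the paper assumes an injective encoding from the tag space into the nonce space).
const tagLen = 16
// G is the PRG step of Gen=(G,n): S_i -> (K_i, S_{i+1}). Assumption of this example:
// HMAC-SHA256 under S_i with two domain-separation labels plays the role of G.
func G(S []byte) (K, Snext []byte) {
	h := hmac.New(sha256.New, S)
	h.Write([]byte("K"))
	K = h.Sum(nil)[:16] // AES-128 stage key K_i
	h.Reset()
	h.Write([]byte("S"))
	return K, h.Sum(nil) // S_{i+1}; the caller overwrites S_i with it
}
// StageKeys derives K_1..K_n from S_1 as the trusted verifier holding S_1 does (keys[0] unused).
func StageKeys(S1 []byte, n int) [][]byte {
	keys := make([][]byte, n+1)
	for i := 1; i <= n; i++ {
		keys[i], S1 = G(S1)
	}
	return keys
}
func aead(K []byte) cipher.AEAD {
	b, _ := aes.NewCipher(K) // K is always 16 bytes here, so neither call can fail
	g, _ := cipher.NewGCMWithNonceSize(b, tagLen)
	return g
}
// Record is (A_{i,j}, C_{i,j}, tau_{i,j}); A = stage index || end-of-stage flag || caller data.
type Record struct{ A, C, Tau []byte }
// TLogger holds only what the encryptor of tALG needs: S_{i+1}, K_i, tau_{i,j-1} and i.
type TLogger struct {
	S, K, Tau []byte
	Stage     byte // one byte is enough for this example
}
func NewTLogger(S1 []byte) *TLogger {
	l := &TLogger{Tau: make([]byte, tagLen), Stage: 1} // tau_{1,0} is the all-zero constant
	l.K, l.S = G(S1)
	return l
}

// Append computes (C, tau) <- en_{K_i}(tau_{i,j-1}, A, M). If last is set the record closes the
// stage: the key is updated and the next stage starts from tau_{i+1,0} = tau_{i,sigma_i}.
func (l *TLogger) Append(ad, m []byte, last bool) Record {
	A := append([]byte{l.Stage, 0}, ad...)
	if last {
		A[1] = 1
	}
	ct := aead(l.K).Seal(nil, l.Tau, m, A) // Seal returns C || T
	r := Record{A: A, C: ct[:len(ct)-tagLen], Tau: ct[len(ct)-tagLen:]}
	l.Tau = r.Tau
	if last {
		l.K, l.S = G(l.S) // (K_{i+1}, S_{i+2}) <- G(S_{i+1}); the old values are gone
		l.Stage++
	}
	return r
}

// Decrypt is D: every record in the range must pass de_{K_i} under the tag that precedes it,
// otherwise the result is bot (returned as an error).
func Decrypt(keys [][]byte, prevTau []byte, recs []Record) ([][]byte, error) {
	out := make([][]byte, 0, len(recs))
	for _, r := range recs {
		if len(r.A) < 2 || int(r.A[0]) >= len(keys) || keys[r.A[0]] == nil {
			return nil, errors.New("bot: unknown stage")
		}
		ct := append(append([]byte{}, r.C...), r.Tau...)
		m, err := aead(keys[r.A[0]]).Open(nil, prevTau, ct, r.A)
		if err != nil {
			return nil, errors.New("bot: record rejected")
		}
		out = append(out, m)
		prevTau = r.Tau // the tag chains into the nonce of the next record
	}
	return out, nil
}

// Complete reports whether a log claimed to cover stages 1..upTo ends with the closing record of
// stage upTo; a truncated tail fails this even though every remaining record still verifies.
func Complete(recs []Record, upTo byte) bool {
	return len(recs) > 0 && recs[len(recs)-1].A[0] == upTo && recs[len(recs)-1].A[1] == 1
}

func main() {
	S1 := sha256.Sum256([]byte("constructed seed, not a real secret"))
	l := NewTLogger(S1[:])
	recs := []Record{l.Append([]byte("login"), []byte("alice"), false), l.Append([]byte("logout"), []byte("alice"), true)}
	_, err := Decrypt(StageKeys(S1[:], 1), make([]byte, tagLen), recs)
	fmt.Println("stage 1 verifies:", err == nil, "; complete:", Complete(recs, 1), "; truncated:", Complete(recs[:1], 1))
}
```

Decrypt accepts any contiguous sub-range given the tag that precedes it, which is the interface of \(\mathsf {D}\); swapping two records or altering a ciphertext makes GCM decryption fail because nonce and associated data no longer match. Complete is the check that the flag of Section 3.1 makes possible: a log cut short inside a stage still decrypts record by record, but it does not end with a flagged record of the expected stage.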

4.2 Event-Driven Setting

Let \(\mathsf {SE}=(E,D)\) be an encryption scheme such that \(E:\mathcal {K}_{\mathrm {e}}\times \mathcal {M}\rightarrow \mathcal {C}\) and \(D:\mathcal {K}_{\mathrm {e}}\times \mathcal {C}\rightarrow \mathcal {M}\). Let \(F:\mathcal {K}_{\mathrm {t}}\times (\mathcal {T}\times \mathcal {A}\times \mathcal {C})\rightarrow \mathcal {T}\) be a vector-input PRF. For \(\mathsf {Gen}=(G,n)\) with \(G:\mathcal {S}\rightarrow \mathcal {K}\times \mathcal {S}\), let \(\mathcal {K}=\mathcal {K}_{\mathrm {e}}\times \mathcal {K}_{\mathrm {t}}\).

An audit logging scheme in the event-driven setting is composed of \(\mathsf {SE}\), F and \(\mathsf {Gen}\). It is an Encrypt-then-MAC scheme [3, 4, 14]. It is called \(\mathsf {e}\mathsf {ALG}\). In this setting, only a single record is generated in each stage. Thus, in the following description, the index \((i,j)\) of an event or a record is simply replaced with i.

  • Key update \((K_{i},L_{i},S_{i+1})\leftarrow G(S_{i})\) for \(1\le i\le n\).

  • Encryption For a new event \((A_i,M_i)\), \(C_i\leftarrow E_{K_{i}}(M_i)\) and \(\tau _{i}\leftarrow F_{L_{i}}(\tau _{i-1},A_i,C_i)\), where \(1\le i\le n\) and \(\tau _0\) is an initial constant.

  • Decryption For \((\tau _{i_1-1}, \varvec{R}_{[i_1,i_2]})\), compute \(\tau '_{i}\leftarrow F_{L_{i}}(\tau _{i-1},A_{i},C_{i})\) for \(i_1\le i\le i_2\). If \(\tau '_{i_2}=\tau _{i_2}\), then return \(M_{i}\leftarrow D_{K_{i}}(C_{i})\) for \(i_1\le i\le i_2\). Otherwise, return \(\bot \).

Figure 6 depicts the encryption procedure for a sequence of events.

Remark 1

The decryption algorithm only checks the validity of the final tag \(\tau _{i_2}\). It does not check the validity of intermediate tags. This allows \(\mathsf {e}\mathsf {ALG}\) to aggregate the tags.

Fig. 6. Encryption of the generic scheme in the event-driven setting
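The event-driven scheme \(\mathsf {e}\mathsf {ALG}\) and the tag aggregation of Remark 1, as an added Go example that is not code from the paper. Its instantiations are assumptions of the example: HMAC-SHA256 under \(S_i\) with three domain-separation labels plays the role of G and yields \(K_i\), \(L_i\) and \(S_{i+1}\); AES-128-CTR with a fresh random IV prepended to the ciphertext is \(\mathsf {SE}\); HMAC-SHA256 over length-prefixed components is the vector-input PRF F (one injective encoding of the vector, in the spirit of [17]); \(A_i\) is prefixed with the 4-byte big-endian stage index as the scheme requires; and \(\tau _0\) is the all-zero string. \(\mathsf {D}\) here is given \(S_1\) and re-derives the stage keys rather than receiving \(\varvec{K}_{[i_1,i_2]}\).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const tagLen = 32 // HMAC-SHA256 output length: the tag space of F

// G is the PRG step of Gen: S_i -> (K_i, L_i, S_{i+1}) with K = K_e x K_t. Assumption of this
// example: HMAC-SHA256 under S_i with three domain-separation labels plays the role of G.
func G(S []byte) (K, L, Snext []byte) {
	prf := func(label string) []byte {
		h := hmac.New(sha256.New, S)
		h.Write([]byte(label))
		return h.Sum(nil)
	}
	return prf("enc")[:16], prf("tag"), prf("next")
}

// xorCTR is AES-128-CTR under K_e with IV iv; E prepends a fresh IV, D strips it again.
func xorCTR(K, iv, in []byte) []byte {
	b, _ := aes.NewCipher(K) // K is 16 bytes by construction, so this cannot fail
	out := make([]byte, len(in))
	cipher.NewCTR(b, iv).XORKeyStream(out, in)
	return out
}

// F is the vector-input PRF F_L(tau_{i-1}, A_i, C_i): HMAC-SHA256 over length-prefixed
// components, an injective encoding that turns a string PRF into a vector-input one.
func F(L []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, L)
	for _, p := range parts {
		h.Write(u32(uint32(len(p))))
		h.Write(p)
	}
	return h.Sum(nil)
}
func u32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

// Record is (A_i, C_i, tau_i); once tags are aggregated, Tau is kept only on the last record.
type Record struct{ A, C, Tau []byte }

// ELogger is the stateful encryptor of eALG: one record per stage, S_i advanced after each event.
type ELogger struct {
	S, Tau []byte // S_i and tau_{i-1}
	I      uint32 // i
}
func NewELogger(S1 []byte) *ELogger { return &ELogger{S: S1, Tau: make([]byte, tagLen), I: 1} }

// Append records event (A_i, M_i): C_i <- E_{K_i}(M_i), tau_i <- F_{L_i}(tau_{i-1}, A_i, C_i).
// A_i is prefixed with the stage index i as the scheme requires (tau_0 is the all-zero constant).
func (l *ELogger) Append(ad, m []byte) Record {
	K, L, Snext := G(l.S)
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	r := Record{A: append(u32(l.I), ad...), C: append(iv, xorCTR(K, iv, m)...)}
	r.Tau = F(L, l.Tau, r.A, r.C)
	l.S, l.Tau, l.I = Snext, r.Tau, l.I+1 // S_i, K_i and L_i are overwritten: forward security
	return r
}

// Decrypt is D of eALG for a range i1..i2: the verifier holding S_1 re-derives (K_i, L_i),
// recomputes the tag chain from prevTau = tau_{i1-1} and compares only the final tag tau_{i2}.
func Decrypt(S1, prevTau []byte, recs []Record) ([][]byte, error) {
	if len(recs) == 0 || len(recs[0].A) < 4 {
		return nil, errors.New("bot: empty or malformed range")
	}
	i1, S := binary.BigEndian.Uint32(recs[0].A), S1
	for i := uint32(1); i < i1; i++ {
		_, _, S = G(S) // advance the verifier's copy of Gen to stage i1
	}
	tau, out := prevTau, make([][]byte, len(recs))
	for k, r := range recs {
		var K, L []byte
		K, L, S = G(S)
		if len(r.A) < 4 || binary.BigEndian.Uint32(r.A) != i1+uint32(k) || len(r.C) < aes.BlockSize {
			return nil, errors.New("bot: malformed record or stage index out of sequence")
		}
		tau = F(L, tau, r.A, r.C) // tau'_i, computed without looking at any stored tau_i
		out[k] = xorCTR(K, r.C[:aes.BlockSize], r.C[aes.BlockSize:]) // released only if the final tag checks
	}
	if !hmac.Equal(tau, recs[len(recs)-1].Tau) {
		return nil, errors.New("bot: final tag mismatch")
	}
	return out, nil
}

func main() {
	S1 := sha256.Sum256([]byte("constructed seed, not a real secret"))
	l := NewELogger(S1[:])
	r1, r2 := l.Append([]byte("login"), []byte("alice")), l.Append([]byte("logout"), []byte("alice"))
	_, err := Decrypt(S1[:], make([]byte, tagLen), []Record{{A: r1.A, C: r1.C}, r2}) // tau_1 not stored
	fmt.Println("aggregated log verifies:", err == nil)
}
```

Because Decrypt only compares the recomputed \(\tau '_{i_2}\) with the stored \(\tau _{i_2}\), the intermediate records can be kept without their tags, which is the aggregation of Remark 1; any change to an \(A_i\) or \(C_i\) in the range, or a reordering, changes the chained value and the final comparison fails. The check on the stage index carried in \(A_i\) rejects a range that does not start at the stage the supplied previous tag belongs to.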

5 Provable Security of Generic Construction

The forward privacy and authenticity of the proposed schemes are analyzed in the manner of provable security.

5.1 Time-Driven Setting

The following theorem asserts that \(\mathsf {t}\mathsf {ALG}\) satisfies forward privacy if the underlying AEAD scheme satisfies privacy and the function G is a PRG:

Theorem 3

(Forward Privacy of \(\mathsf {t}\mathsf {ALG}\)). For any adversary \(\mathsf {A}\) against \(\mathsf {t}\mathsf {ALG}\), there exist an adversary \(\mathsf {A}_1\) against \(\mathsf {AEAD}\) and an adversary \(\mathsf {A}_2\) against G such that
$$ \mathrm {Adv}_{\mathsf {t}\mathsf {ALG}}^{\mathrm {fpriv}}(\mathsf {A})\le n\cdot \mathrm {Adv}_{\mathsf {AEAD}}^{\mathrm {priv}}(\mathsf {A}_1)+2n\cdot \mathrm {Adv}_{G}^{\mathrm {prg}}(\mathsf {A}_2). $$
Each of the run times of \(\mathsf {A}_1\) and \(\mathsf {A}_2\) is about the run time of \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\). \(\mathsf {A}_1\) makes at most \(\max \{q_i\,|\,1\le i\le n\}\) queries to its oracle, where \(q_i\) is the number of the queries by \(\mathsf {A}\) in the i-th stage.

It is assumed that the run time of an experiment includes the run time of the adversary and the time required when the oracles of the adversary are simulated.

Proof

For any adversary \(\mathsf {A}\), let \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(b_0,b_1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) be the experiment given in Fig. 7. Notice that \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}b_0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) is the experiment \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(b_0,b_1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) without the lines from 5 to 7. Then,
$$\begin{aligned} \mathrm {Adv}_{\mathsf {t}\mathsf {ALG}}^{\mathrm {fpriv}}(\mathsf {A})&= \left| \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] - \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}1}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \right| \nonumber \\&= \left| \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(0,0)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] - \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(0,1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \right| + \nonumber \\&\quad \qquad \left| \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(0,1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] - \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(1,1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \right| . \end{aligned}$$
(1)
For the term in the second line of Eq. (1), let \(\mathtt {Exp}^{{\mathrm {fsprg}\text {-}}b_1}_{\mathsf {Gen},\mathsf {A}'}\) be the experiment given in Fig. 8. It is different from \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(b_0,b_1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) only in the lines 8 and 11. \(\mathsf {A}'(\mathtt {query},K_{i}, his )\) runs \(\mathsf {A}\) with input \((\mathtt {query}, his )\) and simulates \(\mathsf {en}_{K_{i}}\) to answer the queries made by \(\mathsf {A}\). \(\mathsf {A}'(\mathtt {try},S_{i}, his )\) simply runs \(\mathsf {A}\) with input \((\mathtt {try},S_{i}, his )\). Then, \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(0,b_1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) is equivalent to \(\mathtt {Exp}^{{\mathrm {fsprg}\text {-}}b_1}_{\mathsf {Gen},\mathsf {A}'}\). Thus,
$$ \left| \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(0,0)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] - \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(0,1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \right| = \mathrm {Adv}^{\mathrm {fsprg}}_{\mathsf {Gen}}(\mathsf {A}'), $$
where the run time of \(\mathsf {A}'\) is about the sum of the run time of \(\mathsf {A}\) and the time to compute \(\mathsf {en}\) to answer the queries made by \(\mathsf {A}\). From Theorem 2, there exists \(\mathsf {A}_2\) such that
$$ \mathrm {Adv}^{\mathrm {fsprg}}_{\mathsf {Gen}}(\mathsf {A}')\le 2n\cdot \mathrm {Adv}^{\mathrm {prg}}_{G}(\mathsf {A}_2) $$
and the run time of \(\mathsf {A}_2\) is about the run time of \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\).
For the term in the last line of Eq. (1), the hybrid argument is used in the standard way. Adversary \(\mathsf {A}_1\) against \(\mathsf {AEAD}\) is given in Fig. 9. \(\mathsf {A}_1\) has oracle \(\mathcal {O}\), which is either \(\mathsf {en}\) with \(K\twoheadleftarrow \{0,1\}^l\) or \(\$\). Notice that \(\mathsf {A}_1\) is equivalent to \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(0,1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) if \(i^{*}=n\) and \(\mathcal {O}=\mathsf {en}_{K}\), and to \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(1,1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) if \(i^{*}=1\) and \(\mathcal {O}=\$\). Thus,
$$\begin{aligned} \mathrm {Adv}^{\mathrm {priv}}_{\mathsf {AEAD}}(\mathsf {A}_1)&= \left| \Pr \left[ \mathsf {A}_1^{\mathsf {en}_K}\Rightarrow 1\right] - \Pr \left[ \mathsf {A}_1^{\$}\Rightarrow 1\right] \right| \\&=\frac{1}{n} \left| \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(0,1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] - \Pr \left[ \mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(1,1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \right| . \end{aligned}$$
The run time of \(\mathsf {A}_1\) is about the run time of \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\).    \(\square \)
Fig. 7. \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}(b_0,b_1)}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) for \((b_0,b_1)\in \{0,1\}^2\). \(\mathcal {O}_i^0=\mathsf {en}_{K_{i}}\) and \(\mathcal {O}_i^1=\$_{i}\).

Fig. 8. \(\mathtt {Exp}^{{\mathrm {fsprg}\text {-}}b_1}_{\mathsf {Gen},\mathsf {A}'}\) for \(b_1\in \{0,1\}\).

Fig. 9. Adversary \(\mathsf {A}_1\). \(\mathcal {O}\) is the oracle of \(\mathsf {A}_1\). \(\mathcal {O}\) is either \(\mathsf {en}_K\) with \(K\twoheadleftarrow \mathcal {K}\) or \(\$\).

The following theorem asserts that \(\mathsf {t}\mathsf {ALG}\) satisfies forward authenticity if the underlying AEAD scheme satisfies both privacy and authenticity and the function G is a PRG:

Theorem 4

(Forward Authenticity of \(\mathsf {t}\mathsf {ALG}\)). Let \(\mathsf {A}\) be any adversary against \(\mathsf {t}\mathsf {ALG}\). Suppose that \(\mathsf {A}\) makes at most \(\sigma _{i}\) queries to its encryption oracle during the i-th stage in the query phase and outputs a forgery with at most \(\mu \) records. Then, there exist adversaries \(\mathsf {A}_1\), \(\mathsf {A}_2\) against \(\mathsf {AEAD}\), and \(\mathsf {A}_3\) against G such that
$$\begin{aligned} \mathrm {Adv}_{\mathsf {t}\mathsf {ALG}}^{\mathrm {fauth}}(\mathsf {A})&\le n\cdot \mathrm {Adv}_{\mathsf {AEAD}}^{\mathrm {auth}}(\mathsf {A}_1)+ n\cdot \mathrm {Adv}_{\mathsf {AEAD}}^{\mathrm {priv}}(\mathsf {A}_2)+ 2n\cdot \mathrm {Adv}_{G}^{\mathrm {prg}}(\mathsf {A}_3)\\&\qquad {}+\frac{1}{2\,|\mathcal {T}|}\sum _{i=1}^{n}\sigma _{i}(\sigma _{i}-1). \end{aligned}$$
Each of the run times of \(\mathsf {A}_1\), \(\mathsf {A}_2\) and \(\mathsf {A}_3\) is about the run time of \(\mathtt {Exp}^{\mathrm {fauth}}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\). \(\mathsf {A}_1\) makes at most \(\max \{\sigma _{i}\,|\,1\le i\le n\}\) queries to its encryption oracle and at most \(\mu \) queries to its decryption oracle. \(\mathsf {A}_2\) makes at most \(\max \{\sigma _{i}\,|\,1\le i\le n\}\) queries to its oracle.
Fig. 10. \(\mathtt {Exp}^{\mathrm {fauth}\text {-}b}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) for \(b\in \{0,1\}\). \(\mathit{forgery}=(\tau _{i_1,j_1-1}',\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}')\).

Fig. 11. \(\mathtt {Exp}^{\mathrm {fsprg}\text {-}b}_{\mathsf {Gen},\mathsf {A}'}\) for \(b\in \{0,1\}\).

Proof

Let \(\mathtt {Exp}^{\mathrm {fauth}\text {-}b}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) for \(b\in \{0,1\}\) be the experiment given in Fig. 10. Then, \(\mathtt {Exp}^{\mathrm {fauth}\text {-}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) is equivalent to \(\mathtt {Exp}^{\mathrm {fauth}}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\). Thus,
$$ \mathrm {Adv}_{\mathsf {t}\mathsf {ALG}}^{\mathrm {fauth}}(\mathsf {A})= \Pr \left[ \mathtt {Exp}^{\mathrm {fauth}\text {-}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}} \Rightarrow 1\right] . $$
Let \(\mathtt {Exp}^{\mathrm {fsprg}\text {-}b}_{\mathsf {Gen},\mathsf {A}'}\) be the experiment given in Fig. 11. \(\mathtt {Exp}^{\mathrm {fsprg}\text {-}b}_{\mathsf {Gen},\mathsf {A}'}\) differs from \(\mathtt {Exp}^{\mathrm {fauth}\text {-}b}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) in line 8 and in lines 11 to 16. In \(\mathtt {Exp}^{\mathrm {fsprg}\text {-}b}_{\mathsf {Gen},\mathsf {A}'}\), \(\mathsf {A}'(\mathtt {query},K_{i},\mathit{his})\) runs \(\mathsf {A}\) with input \((\mathtt {query},\mathit{his})\) and simulates \(\mathsf {en}_{K_{i}}\) to answer the queries made by \(\mathsf {A}\). \(\mathsf {A}'(\mathtt {try},S_{i},\mathit{his})\) executes lines 11 to 16 of \(\mathtt {Exp}^{\mathrm {fauth}\text {-}b}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\). Then,
$$ \mathrm {Adv}^{\mathrm {fsprg}}_{\mathsf {Gen}}(\mathsf {A}')= \left| \Pr \left[ \mathtt {Exp}^{\mathrm {fauth}\text {-}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] - \Pr \left[ \mathtt {Exp}^{\mathrm {fauth}\text {-}1}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \right| . $$
Thus,
$$\begin{aligned} \mathrm {Adv}_{\mathsf {t}\mathsf {ALG}}^{\mathrm {fauth}}(\mathsf {A})&\le \Pr \left[ \mathtt {Exp}^{\mathrm {fauth}\text {-}1}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] +\mathrm {Adv}^{\mathrm {fsprg}}_{\mathsf {Gen}}(\mathsf {A}'). \end{aligned}$$
The run time of \(\mathsf {A}'\) is about the sum of the run time of \(\mathsf {A}\) and the time to simulate \(\mathsf {en}_{K_{i}}\) and to verify whether \((\tau _{i_1,j_1-1}',\varvec{R}_{[(i_1,j_1),(i_2,j_2)]}')\) is a successful forgery. It is at most the run time of \(\mathtt {Exp}^{\mathrm {fauth}}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\). From Theorem 2, there exists an adversary \(\mathsf {A}_3\) such that
$$ \mathrm {Adv}^{\mathrm {fsprg}}_{\mathsf {Gen}}(\mathsf {A}')\le 2n\cdot \mathrm {Adv}^{\mathrm {prg}}_{G}(\mathsf {A}_3), $$
where the run time of \(\mathsf {A}_3\) is also about the run time of \(\mathtt {Exp}^{\mathrm {fauth}}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\).
For \(\mathtt {Exp}^{\mathrm {fauth}\text {-}1}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\), if \(\mathsf {A}\) succeeds in forgery, then \(\mathsf {A}\) succeeds in forgery for \(\mathsf {AEAD}\) with some \(K_{i}\) or \(\mathsf {A}\) finds a collision among tags during some stage in the query phase. Let \(\mathtt {forge}_i\) be the event that \(\mathsf {A}\) succeeds in forgery for \(\mathsf {AEAD}\) with \(K_{i}\). Let \(\mathtt {collision}\) be the event that \(\mathsf {A}\) finds a collision among tags in the query phase. Then,
$$ \Pr \left[ \mathtt {Exp}^{\mathrm {fauth}\text {-}1}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \le \Pr \left[ \bigvee _{i=1}^n\mathtt {forge}_{i}\right] + \Pr \left[ \mathtt {collision}\right] . $$
Let \(\mathsf {A}_1\) be the adversary given in Fig. 12. \(\mathsf {A}_1\) has oracle access to \(\mathsf {en}_{K}\) and \(\mathsf {de}_{K}\). Then,
$$ \Pr \left[ \bigvee _{i=1}^n\mathtt {forge}_{i}\right] \le n\cdot \mathrm {Adv}_{\mathsf {AEAD}}^{\mathrm {auth}}(\mathsf {A}_1). $$
The run time of \(\mathsf {A}_1\) is about the run time of \(\mathtt {Exp}^{\mathrm {fauth}}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\).
Fig. 12. Adversary \(\mathsf {A}_1\) against \(\mathsf {AEAD}\). \(R'_{i^{*},j}=(A'_{i^{*},j},C'_{i^{*},j},\tau '_{i^{*},j})\). In line 15, “\((\tau '_{i^{*},j-1},R'_{i^{*},j})\) is new” means that \((\tau '_{i^{*},j-1},R'_{i^{*},j})\) was not obtained in the query phase.

Let \(\mathtt {Exp}^{\mathrm {fpriv}'\text {-}b}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) be the experiment given in Fig. 13. Then,
$$\begin{aligned}&\Pr \left[ \mathtt {collision}\right] =\Pr \left[ \mathtt {Exp}^{\mathrm {fpriv}'\text {-}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \\&\qquad \quad {}\le \left| \Pr \left[ \mathtt {Exp}^{\mathrm {fpriv}'\text {-}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] - \Pr \left[ \mathtt {Exp}^{\mathrm {fpriv}'\text {-}1}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \right| + \Pr \left[ \mathtt {Exp}^{\mathrm {fpriv}'\text {-}1}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \\&\qquad \quad {}\le \left| \Pr \left[ \mathtt {Exp}^{\mathrm {fpriv}'\text {-}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] - \Pr \left[ \mathtt {Exp}^{\mathrm {fpriv}'\text {-}1}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \right| + \frac{\sum _{i=1}^{n}\sigma _{i}(\sigma _{i}-1)}{2\,|\mathcal {T}|}. \end{aligned}$$
Fig. 13. \(\mathtt {Exp}^{\mathrm {fpriv}'\text {-}b}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) for \(b\in \{0,1\}\). \(\mathcal {O}_i^0=\mathsf {en}_{K_{i}}\) and \(\mathcal {O}_i^1=\$_{i}\).

Fig. 14. Adversary \(\mathsf {A}_2\).

Let \(\mathsf {A}_2\) be an adversary against \(\mathsf {AEAD}\) given in Fig. 14. \(\mathsf {A}_2\) has oracle access to \(\mathcal {O}\), which is either \(\mathsf {en}_K\) with \(K\twoheadleftarrow \mathcal {K}\) or \(\$\). Notice that \(\mathsf {A}_2\) is equivalent to \(\mathtt {Exp}^{\mathrm {fpriv}'\text {-}1}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) if \(i^{*}=n\) and \(\mathcal {O}=\mathsf {en}_{K}\), and to \(\mathtt {Exp}^{\mathrm {fpriv}'\text {-}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\) if \(i^{*}=1\) and \(\mathcal {O}=\$\). Then,
$$ \left| \Pr \left[ \mathtt {Exp}^{\mathrm {fpriv}'\text {-}0}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] - \Pr \left[ \mathtt {Exp}^{\mathrm {fpriv}'\text {-}1}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\Rightarrow 1\right] \right| =n\cdot \mathrm {Adv}_{\mathsf {AEAD}}^{\mathrm {priv}}(\mathsf {A}_2). $$
The run time of \(\mathsf {A}_2\) is at most the run time of \(\mathtt {Exp}^{\mathrm {fauth}}_{\mathsf {t}\mathsf {ALG},\mathsf {A}}\).    \(\square \)

5.2 Event-Driven Setting

The forward privacy of \(\mathsf {e}\mathsf {ALG}\) is reduced to the privacy of encryption function E, the PRF property of keyed function F and the PRG property of function G:

Theorem 5

(Forward Privacy of \(\mathsf {e}\mathsf {ALG}\)). For any adversary \(\mathsf {A}\) against \(\mathsf {e}\mathsf {ALG}\), there exist adversaries \(\mathsf {A}_1\) against E, \(\mathsf {A}_2\) against F and \(\mathsf {A}_3\) against G such that
$$ \mathrm {Adv}_{\mathsf {e}\mathsf {ALG}}^{\mathrm {fpriv}}(\mathsf {A})\le n\cdot \mathrm {Adv}_{E}^{\mathrm {priv}}(\mathsf {A}_1)+ n\cdot \mathrm {Adv}_{F}^{\mathrm {prf}}(\mathsf {A}_2)+2n\cdot \mathrm {Adv}_{G}^{\mathrm {prg}}(\mathsf {A}_3). $$
Each of \(\mathsf {A}_1\) and \(\mathsf {A}_2\) makes at most a single query to its oracle. Each of the run times of \(\mathsf {A}_1\), \(\mathsf {A}_2\) and \(\mathsf {A}_3\) is about the run time of \(\mathtt {Exp}^{{\mathrm {fpriv}\text {-}}0}_{\mathsf {e}\mathsf {ALG},\mathsf {A}}\).

The forward authenticity of \(\mathsf {e}\mathsf {ALG}\) is reduced to the PRF property of keyed function F and the PRG property of function G:

Theorem 6

(Forward Authenticity of \(\mathsf {e}\mathsf {ALG}\)). Let \(\mathsf {A}\) be any adversary against \(\mathsf {e}\mathsf {ALG}\). Then, there exist adversaries \(\mathsf {A}_1\) against F and \(\mathsf {A}_2\) against G such that
$$ \mathrm {Adv}_{\mathsf {e}\mathsf {ALG}}^{\mathrm {fauth}}(\mathsf {A})\le n\cdot \mathrm {Adv}_{F}^{\mathrm {prf}}(\mathsf {A}_1)+ 2n\cdot \mathrm {Adv}_{G}^{\mathrm {prg}}(\mathsf {A}_2) +\frac{n+1}{|\mathcal {T}|}. $$
Each of the run times of \(\mathsf {A}_1\) and \(\mathsf {A}_2\) is about the run time of \(\mathtt {Exp}^{\mathrm {fauth}}_{\mathsf {e}\mathsf {ALG},\mathsf {A}}\). \(\mathsf {A}_1\) makes at most two queries.

The proofs of Theorems 5 and 6 are omitted due to the page limit.

Remark 2

The security of \(\mathsf {e}\mathsf {ALG}\) requires the underlying encryption scheme to be secure only against single-query adversaries, since every key is used to encrypt exactly one record. Thus, to construct \(\mathsf {e}\mathsf {ALG}\), we can use textbook modes of operation for encryption such as CBC and CTR.
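As an added illustration of the event-driven design behind Theorems 5 and 6 and Remark 2 (example code written for this page, not the paper's own, and not the exact \(\mathsf {e}\mathsf {ALG}\) construction, which is defined in an earlier section): a forward-secure PRG built from a hash-based PRG G, single-use textbook-style encryption, and a MAC chained through the previous tag. G, Gen, enc, mac, EventLog and verify_log are assumed names, and the hash and HMAC instantiations of G, E and F are assumptions.

```python
# Illustrative event-driven forward-secure log; all names and instantiations
# below are assumptions for this example, not the paper's definitions.
import hashlib
import hmac


def G(seed: bytes):
    """Length-doubling PRG (assumed instance: domain-separated SHA-256).
    Returns (next_seed, stage_key) = (S_{i+1}, K_{i+1})."""
    return (hashlib.sha256(b"\x00" + seed).digest(),
            hashlib.sha256(b"\x01" + seed).digest())


class Gen:
    """Forward-secure PRG: holds only the current seed S_i. Older seeds and
    keys are overwritten, so learning S_i gives no way back to K_j for j <= i."""
    def __init__(self, seed: bytes):
        self.seed = seed

    def next_key(self) -> bytes:
        self.seed, key = G(self.seed)
        return key


def enc(key: bytes, msg: bytes) -> bytes:
    """Textbook CTR-style encryption with a fixed counter start. Safe only
    because each key encrypts a single message (Remark 2). The keystream uses
    HMAC-SHA256 as a stand-in PRF for a block cipher (assumption)."""
    out = bytearray()
    for blk in range(0, len(msg), 32):
        ks = hmac.new(key, blk.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(msg[blk:blk + 32], ks))
    return bytes(out)


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed function F, instantiated here as HMAC-SHA256 (assumption)."""
    return hmac.new(key, data, "sha256").digest()


class EventLog:
    """Logger: a fresh key per event; each record (A, C, tau) is chained to
    its predecessor by including the previous tag under the MAC (assumption
    modelled on the chained records of Figs. 10 and 12)."""
    def __init__(self, seed: bytes):
        self.gen, self.prev_tag, self.records = Gen(seed), b"\x00" * 32, []

    def append(self, assoc: bytes, msg: bytes) -> None:
        k = self.gen.next_key()
        c = enc(k, msg)
        tau = mac(k, self.prev_tag + assoc + c)
        self.records.append((assoc, c, tau))
        self.prev_tag = tau


def verify_log(seed: bytes, records):
    """Auditor holding the initial seed re-derives every key and re-checks
    the chain. Returns the plaintexts, or None if a record was altered,
    removed from the middle, or reordered."""
    gen, prev, msgs = Gen(seed), b"\x00" * 32, []
    for assoc, c, tau in records:
        k = gen.next_key()
        if not hmac.compare_digest(mac(k, prev + assoc + c), tau):
            return None
        msgs.append(enc(k, c))  # CTR decryption is the same keystream XOR
        prev = tau
    return msgs
```

Truncating the tail of the log is not caught by this check alone; the auditor also needs the last tag or the expected record count, which is why the forgery notion in Fig. 10 is stated over a range of records anchored at a known tag.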

6 Conclusion

In this paper, audit logging schemes with forward privacy and authenticity have been formalized first. Then, two generic schemes have been proposed. Finally, it has been proved that the proposed schemes meet the security requirements.

Acknowledgments

The author would like to thank Hidenori Kuwakado for valuable discussions. This work was partially supported by JSPS KAKENHI Grant Number 25330150.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

Graduate School of Engineering, University of Fukui, Fukui, Japan