12 research outputs found

    Updatable Encryption from Group Actions

    Updatable Encryption (UE) allows rotating the encryption key in the outsourced storage setting while minimizing the bandwidth used. The server can update ciphertexts to the new key using a token provided by the client. UE schemes should provide strong confidentiality guarantees against an adversary that can corrupt keys and tokens. This paper studies the problem of building UE in the group action framework. We introduce a new notion of Mappable Effective Group Action (MEGA) and show that we can build CCA-secure UE from a MEGA by generalizing the SHINE construction of Boyd et al. at Crypto 2020. Unfortunately, we do not know how to instantiate this new construction in the post-quantum setting. Doing so would solve the open problem of building a CCA-secure post-quantum UE scheme. Isogeny-based group actions are the most studied post-quantum group actions. Unfortunately, the resulting group actions are not mappable. We show that we can still build UE from isogenies by introducing a new algebraic structure called Effective Triple Orbital Group Action (ETOGA). We prove that UE can be built from an ETOGA and show how to instantiate this abstract structure from isogeny-based group actions. This new construction solves two open problems in ciphertext-independent post-quantum UE. First, this is the first post-quantum UE scheme that supports an unbounded number of updates. Second, our isogeny-based UE scheme is the first post-quantum UE scheme not based on lattices.

    A Composable Look at Updatable Encryption

    Updatable Encryption (UE), as originally defined by Boneh et al. in 2013, addresses the problem of key rotation on outsourced data while keeping the communication complexity as low as possible. The security definitions for UE schemes have been constantly updated since then. However, the security notion that is best suited for a particular application remains unclear. To solve this problem in the ciphertext-independent setting, we use the Constructive Cryptography (CC) framework defined by Maurer et al. in 2011. We define and construct a resource that we call the Updatable Server-Memory Resource (USMR), and study the confidentiality guarantees it achieves when equipped with a UE protocol, which we also model in this framework. With this methodology, we are able to construct resources tailored to each security notion. In particular, we prove that IND-UE-RCCA is the right security notion for many practical UE schemes. As a consequence, we notably rectify a claim made by Boyd et al., namely that their IND-UE security notion is better than the IND-ENC+UPD notions in that it hides the age of ciphertexts. We show that this is only true when ciphertexts can leak at most one time per epoch. We stress that UE security is thought of in the context of adaptive adversaries, and UE schemes should thus bring post-compromise confidentiality guarantees to the client. To handle such adversaries, we use an extension of CC due to Jost et al. and give a clear, simple and composable description of the post-compromise security guarantees of UE schemes. We also model semi-honest adversaries in CC. Our adaptation of the CC framework to UE is generic enough to model other interactive protocols in the outsourced storage setting.

    Modélisation et construction de protocoles cryptographiques interactifs pour le stockage distant

    This thesis deals with the security of the storage, access and maintenance of outsourced data. Indeed, outsourced storage raises new threats for users. We focus on the three following protocols. First, Proofs of Retrievability (PoR) allow a user who rarely accesses its data to be sure that the data is stored on the server and has not suffered any alteration. Second, Updatable Encryption (UE) permits the user of an encrypted database to rotate its cryptographic keys with low bandwidth usage. Third, Private Information Retrieval (PIR) allows a user to make the way it accesses outsourced data confidential. The goal of this thesis can be summarized in three steps. In step one, we develop modular security notions and models that closely match the security expectations of real-world solutions for the three above problems. Then, in step two, we check whether existing security definitions are sufficient, and sometimes also necessary, to provide the security guarantees identified in step one. Finally, we determine whether existing cryptographic schemes reach our security definitions and, if not, we improve them or propose new constructions that do. Our security statements are phrased in the Constructive Cryptography (CC) model of Maurer. The contributions made in this thesis are the following. We study the problem of building UE in the group action framework. First, we propose the first post-quantum UE scheme that supports an unbounded number of key updates. Second, our new scheme is the first post-quantum UE scheme whose security does not rely on lattice-based problems. We also show how to obtain a post-quantum UE scheme secure against chosen-ciphertext attacks using group actions. Unfortunately, we do not currently have any practical instantiation for this last scheme. As for PoRs, we show that the security of a PoR of Lavauzelle and Levy-dit-Vehel was overestimated. We propose a framework for the design of secure and efficient PoR schemes based on Locally Correctable Codes. We use our framework to give a secure generalization of the previously mentioned PoR. Furthermore, we use expander codes to design another PoR scheme with better parameters. We also extend CC so as to handle interactive protocols which delegate computations to an adversary. We use it to model UE and PIR. As for UE, we give the first composable modeling of UE by circumventing an impossibility result known as the commitment problem. We use this modeling to understand which security notion for UE is best suited for different real-world applications. As for PIR, we give a composable and unified treatment of many PIR variants.

    This thesis deals with the security of the storage, access and maintenance of remote data. Indeed, remote storage gives rise to new threats for its users. We focus on the following three protocols. First, Proofs of Retrievability (PoR) allow a user who rarely accesses their data to verify that the data is still stored, intact, on the server. Next, Updatable Encryption (UE) makes it possible to rotate potentially compromised keys while using little bandwidth. Finally, Private Information Retrieval (PIR) makes a client's queries confidential. The goal of this thesis can be summarized in three steps. First, we develop modular security notions that express the security guarantees expected by concrete applications. Then, we check whether existing security definitions are sufficient, or even necessary, to provide our guarantees. Finally, if existing cryptographic schemes do not reach our new definitions, we improve them or propose new schemes that do. Our security definitions are given in the Constructive Cryptography model. The contributions of this thesis are as follows. We show how to build UE schemes from group actions. First, we propose the first post-quantum UE scheme allowing an unlimited number of updates. It is the first post-quantum UE scheme whose security does not rely on lattice problems. Finally, we show how it might be possible to obtain the first post-quantum UE scheme resistant to chosen-ciphertext attacks. Unfortunately, this scheme has no practical instantiation at the moment. For PoRs, we show that a scheme by Lavauzelle and Levy-dit-Vehel is not as secure as one might have believed. We propose a framework for designing efficient and secure PoRs using locally correctable codes. With our framework, we give a secure generalization of the previous scheme. Moreover, we use expander codes to build a PoR with better parameters. We also extend CC to interactive protocols that delegate computations to an adversary. We give the first composable modeling of UE by avoiding a classic impossibility result. We use our model to understand which UE security notions are suited to concrete applications. Regarding PIR, we give a composable and unified model of it.

    Updatable Encryption from Group Actions

    Updatable Encryption (UE) allows rotating the encryption key in the outsourced storage setting while minimizing the bandwidth used. The server can update ciphertexts to the new key using a token provided by the client. UE schemes should provide strong confidentiality guarantees against an adversary that can corrupt keys and tokens. This paper studies the problem of building UE in the group action framework. We introduce a new notion of Mappable Effective Group Action (MEGA) and show that we can build CCA-secure UE from a MEGA by generalizing the SHINE construction of Boyd et al. at Crypto 2020. Unfortunately, we do not know how to instantiate this new construction in the post-quantum setting. Doing so would solve the open problem of building a CCA-secure post-quantum UE scheme. Isogeny-based group actions are the most studied post-quantum group actions. Unfortunately, the resulting group actions are not mappable. We show that we can still build UE from isogenies by introducing a new algebraic structure called Effective Triple Orbital Group Action (ETOGA). We prove that UE can be built from an ETOGA and show how to instantiate this abstract structure from isogeny-based group actions. This new construction solves two open problems in ciphertext-independent post-quantum UE. First, this is the first post-quantum UE scheme that supports an unbounded number of updates. Second, our isogeny-based UE scheme is the first post-quantum UE scheme not based on lattices. The security of this new scheme holds under an extended version of the weak pseudorandomness of the standard isogeny group action.

    Efficient Proofs of Retrievability using Expander Codes

    Proofs of Retrievability (PoR) protocols ensure that a client can fully retrieve a large outsourced file from an untrusted server. Good PoRs should have low communication complexity, small storage overhead and clear security guarantees. We design a good PoR based on a family of graph codes called expander codes. We use expander codes based on graphs derived from point-line incidence relations of finite affine planes. Høholdt et al. showed that, when using Reed-Solomon codes as inner codes, these codes have good dimension and minimum distance over a relatively small alphabet. Moreover, expander codes possess very efficient unique decoding algorithms. We take advantage of these results to design a PoR scheme that extracts the outsourced file in quasi-linear time and features better concrete parameters than state-of-the-art schemes w.r.t. storage overhead and size of the outsourced file.

    A Framework for the Design of Secure and Efficient Proofs of Retrievability

    Proofs of Retrievability (PoR) protocols ensure that a client can fully retrieve a large outsourced file from an untrusted server. Good PoRs should have low communication complexity, small storage overhead and clear security guarantees with tight security bounds. The focus of this work is to design good PoR schemes with simple security proofs. To this end, we propose a framework for the design of secure and efficient PoR schemes that is based on Locally Correctable Codes, and whose security is phrased in the Constructive Cryptography model by Maurer. We give a first instantiation of our framework using the high-rate lifted codes introduced by Guo et al. This yields an infinite family of good PoRs. We assert their security by solving a finite geometry problem, giving an explicit formula for the probability of an adversary fooling the client. Moreover, we show that the security of a PoR of Lavauzelle and Levy-dit-Vehel was overestimated and propose new secure parameters for it. Finally, using the local correctability properties of Tanner codes, we get another instantiation of our framework and derive an analogous formula for the success probability of the audit.
