CryptoDB
CCA Updatable Encryption Against Malicious Re-Encryption Attacks
Authors: | |
---|---|
Download: | |
Abstract: | Updatable encryption (UE) is an attractive primitive, which allows the secret key of the outsourced encrypted data to be updated to a fresh one periodically. Several elegant works exist studying various security properties. We notice several major issues in existing security models of (ciphertext dependent) updatable encryption, in particular, integrity and CCA security. The adversary in the models is only allowed to request the server to re-encrypt {\em honestly} generated ciphertext, while in practice, an attacker could try to inject arbitrary ciphertexts into the server as she wishes. Those malformed ciphertext could be updated and leveraged by the adversary and cause serious security issues. In this paper, we fill the gap and strengthen the security definitions in multiple aspects: most importantly our integrity and CCA security models remove the restriction in previous models and achieve standard notions of integrity and CCA security in the setting of updatable encryption. Along the way, we refine the security model to capture post-compromise security and enhance the re-encryption indistinguishability to the CCA style. Guided by the new models, we provide a novel construction \recrypt, which satisfies our strengthened security definitions. The technical building block of homomorphic hash from a group may be of independent interests. We also study the relations among security notions; and a bit surprisingly, the folklore result in authenticated encryption that IND-CPA plus ciphertext integrity imply IND-CCA security does {\em not} hold for ciphertext dependent updatable encryption. |
Video from ASIACRYPT 2020
BibTeX
@article{asiacrypt-2020-30730, title={CCA Updatable Encryption Against Malicious Re-Encryption Attacks}, booktitle={Advances in Cryptology - ASIACRYPT 2020}, publisher={Springer}, doi={10.1007/978-3-030-64840-4_20}, author={Long Chen and Ya-Nan Li and Qiang Tang}, year=2020 }