Forward-Secure Encryption with Fast Forwarding

Yevgeniy Dodis, Daniel Jost, Harish Karthikeyan

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Forward-secure encryption (FSE) allows communicating parties to refresh their keys across epochs, in a way that compromising the current secret key leaves all prior encrypted communication secure. We investigate a novel dimension in the design of FSE schemes: fast-forwarding (FF). This refers to the ability of a stale communication party, that is “stuck” in an old epoch, to efficiently “catch up” to the newest state, and frequently arises in practice. While this dimension was not explicitly considered in prior work, we observe that one can augment prior FSEs—both in symmetric- and public-key settings—to support fast-forwarding which is sublinear in the number of epochs. However, the resulting schemes have disadvantages: the symmetric-key scheme is a security parameter slower than any conventional stream cipher, while the public-key scheme inherits the inefficiencies of the HIBE-based forward-secure PKE. To address these inefficiencies, we look at the common real-life situation which we call the bulletin board model, where communicating parties rely on some infrastructure—such as an application provider—to help them store and deliver ciphertexts to each other. We then define and construct FF-FSE in the bulletin board model, which addresses the above-mentioned disadvantages. In particular, Our FF-stream-cipher in the bulletin-board model has: (a) constant state size; (b) constant normal (no fast-forward) operation; and (c) logarithmic fast-forward property. This essentially matches the efficiency of non-fast-forwardable stream ciphers, at the cost of constant communication complexity with the bulletin board per update.Our public-key FF-FSE avoids HIBE-based techniques by instead using so-called updatable public-key encryption (UPKE), introduced in several recent works (and more efficient than public-key FSEs). Our UPKE-based scheme uses a novel type of “update graph” that we construct in this work. Our graph has constant in-degree, logarithmic diameter, and logarithmic “cut property” which is essential for the efficiency of our schemes. Combined with recent UPKE schemes, we get two FF-FSEs in the bulletin board model, under DDH and LWE.

Original languageEnglish (US)
Title of host publicationTheory of Cryptography - 20th International Conference, TCC 2022, Proceedings
EditorsEike Kiltz, Vinod Vaikuntanathan
PublisherSpringer Science and Business Media Deutschland GmbH
Pages3-32
Number of pages30
ISBN (Print)9783031223648
DOIs
StatePublished - 2022
Event20th Theory of Cryptography Conference, TCC 2022 - Chicago, United States
Duration: Nov 7 2022Nov 10 2022

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume13748 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference20th Theory of Cryptography Conference, TCC 2022
Country/TerritoryUnited States
CityChicago
Period11/7/2211/10/22

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science

Fingerprint

Dive into the research topics of 'Forward-Secure Encryption with Fast Forwarding'. Together they form a unique fingerprint.

Cite this