Updatable Encryption from Group Actions

Abstract

Updatable Encryption (UE) allows to rotate the encryption key in the outsourced storage setting while minimizing the bandwith used. The server can update ciphertexts to the new key using a token provided by the client. UE schemes should provide strong confidentiality guarantees against an adversary that can corrupt keys and tokens.

This paper studies the problem of building UE in the group action framework. We introduce a new notion of Mappable Effective Group Action (MEGA) and show that we can build CCA secure UE from a MEGA by generalizing the SHINE construction of Boyd et al. at Crypto 2020. Unfortunately, we do not know how to instantiate this new construction in the post-quantum setting. Doing so would solve the open problem of building a CCA secure post-quantum UE scheme.

Isogeny-based group actions are the most studied post-quantum group actions. Unfortunately, the resulting group actions are not mappable. We show that we can still build UE from isogenies by introducing a new algebraic structure called Effective Triple Orbital Group Action (ETOGA). We prove that UE can be built from an ETOGA and show how to instantiate this abstract structure from isogeny-based group actions. This new construction solves two open problems in ciphertext-independent post-quantum UE. First, this is the first post-quantum UE scheme that supports an unbounded number of updates. Second, our isogeny-based UE scheme is the first post-quantum UE scheme not based on lattices. The security of this new scheme holds under an extended version of the weak pseudorandomness of the standard isogeny group action.

Appendices

Appendix A Computing Leakage Sets

Following [25], extended epoch leakage sets \(\mathcal {C}^*\), \(\mathcal {K}^*\) and \(\mathcal {T}^*\) are computed as follows:

$$\begin{aligned} \mathcal {K}^* & \leftarrow \lbrace \textsf{e}\in \lbrace 0, \ldots , n \rbrace \mid \textsf{CorrK}(\textsf{e}) = \textsf{true}\rbrace \\ & \textsf{true}\leftarrow \textsf{CorrK}(\textsf{e}) \Leftrightarrow (\textsf{e}\in \mathcal {K}) \vee (\textsf{CorrK}(\textsf{e}- 1) \wedge \textsf{e}\in \mathcal {T}) \vee (\textsf{CorrK}(\textsf{e}+ 1)\wedge \textsf{e}+ 1 \in \mathcal {T}) \\ \mathcal {T}^* & \leftarrow \lbrace \textsf{e}\in \lbrace 0, \ldots , n \rbrace \mid (\textsf{e}\in \mathcal {T})\vee (\textsf{e}\in \mathcal {K}^* \wedge \textsf{e}- 1\in \mathcal {K}^*)\rbrace \\ \mathcal {C}^* & \leftarrow \lbrace \textsf{e}\in \lbrace 0, \ldots , n \rbrace \mid \textsf{ChallEq}(\textsf{e}) = \textsf{true}\rbrace \\ & \textsf{true}\leftarrow \textsf{ChallEq}(\textsf{e}) \Leftrightarrow (\textsf{e}= \tilde{\textsf{e}}) \vee (\textsf{e}\in \mathcal {C})\vee (\textsf{ChallEq}(\textsf{e}- 1) \wedge \textsf{e}\in \mathcal {T}^*) \,\vee \\ &\quad \quad \quad \quad \quad \quad \quad \quad \quad \, (\textsf{ChallEq}(\textsf{e}+ 1)\wedge \textsf{e}+ 1 \in \mathcal {T}^*) \end{aligned}$$

Likewise, we extend \(\mathcal {I}\) into \(\mathcal {I}^*\):

$$\begin{aligned} \mathcal {I}^* & \leftarrow \lbrace \textsf{e}\in \lbrace 0, \ldots , n \rbrace \mid \textsf{ChallInpEq}(\textsf{e}) = \textsf{true}\rbrace \\ & \textsf{true}\leftarrow \textsf{ChallInpEq}(\textsf{e}) \Leftrightarrow (\textsf{e}\in \mathcal {I}) \vee (\textsf{ChallInpEq}(\textsf{e}- 1) \wedge \textsf{e}\in \mathcal {T}^*) \vee \\ & \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \,\,(\textsf{ChallInpEq}(\textsf{e}+ 1)\wedge \textsf{e}+ 1 \in \mathcal {T}^*) \end{aligned}$$

Appendix B The \(\textsf{Check}\) Algorithm

In our proofs, reductions play hybrid games and guess the location of the i-th insulated region. If the adversary sends a corrupt query inside this insulated region, the guess is wrong and reductions have to abort. We use the algorithm \(\textsf{Check}\) of [8], described in Fig. 9, to check if this event happens.

Fig. 9.

Algorithm \(\textsf{Check}\) of [8] used in our proofs. \(\hat{\textsf{e}}\) is the epoch in the adversary’s request and \(\textsf{e}\) is the current epoch.