Fine-Grained Forward Secrecy: Allow-List/Deny-List Encryption and Applications

Abstract

Forward secrecy is an important feature for modern cryptographic systems and is widely used in secure messaging such as Signal and WhatsApp as well as in common Internet protocols such as TLS, IPSec, or SSH. The benefit of forward secrecy is that the damage in case of key-leakage is mitigated. Forward-secret encryption schemes provide security of past ciphertexts even if a secret key leaks, which is interesting in settings where cryptographic keys often reside in memory for quite a long time and could be extracted by an adversary, e.g., in cloud computing. The recent concept of puncturable encryption (PE; Green and Miers, IEEE S&P’15) provides a versatile generalization of forward-secret encryption: it allows to puncture secret keys with respect to ciphertexts to prevent the future decryption of these ciphertexts.

We introduce the abstraction of allow-list/deny-list encryption schemes and classify different types of PE schemes using this abstraction. Based on our classification, we identify and close a gap in existing work by introducing a novel variant of PE which we dub Dual-Form Puncturable Encryption (DFPE). DFPE significantly enhances and, in particular, generalizes previous variants of PE by allowing an interleaved application of allow- and deny-list operations.

We present a construction of DFPE in prime-order bilinear groups, discuss a direct application of DPFE for enhancing security guarantees within Cloudflare’s Geo Key Manager, and show its generic use to construct forward-secret IBE and forward-secret digital signatures.

Author list in alphabetical order. See https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf.

A Notation, Pairings and q-wBDHI Assumption

Notation. For \(n\in \mathbb {N}\), let \([n]:=\{1,\ldots ,n\}\), and let \(\kappa \in \mathbb {N}\) be the security parameter. For a finite set \(S\), we denote by \(s\leftarrow S\) the process of sampling \(s\) uniformly from \(S\). For an algorithm \(A\), let \(y\leftarrow A(\kappa ,x)\) be the process of running \(A\) on input \((\kappa ,x)\) with access to uniformly random coins and assigning the result to \(y\). (If not given explicitly, we assume that \(\kappa \) is implicitly given as input.) To make the random coins \(r\) explicit, we write \(A(\kappa ,x;r)\). We say an algorithm \(A\) is probabilistic polynomial time (PPT) if the running time of \(A\) is polynomial in \(\kappa \). A function \(f\) is negligible if its absolute value is smaller than the inverse of any polynomial (i.e., if \(\forall c\exists k_0\forall \kappa \ge k_0:|f(\kappa )|<1/ \kappa ^c\)). We may write \(q=q(\kappa )\) if we mean that the value \(q\) depends polynomially on \(\kappa \).

Pairings. Let \(G_1, G_2, G_T\) be cyclic groups of order \(p\). A pairing \(e:G_1\,\times \,G_2\rightarrow G_T\) is a map that is bilinear (i.e., for all \(g_1, g'_2\in G_1\) and \(g_2, g'_2\in G_2\), we have \(e(g_1\cdot g'_1, g_2)=e(g_1, g_2)\cdot e(g'_1,g_2)\) and \(e(g_1, g_2\cdot g'_2)=e(g_1, g_2)\cdot e(g_1, g'_2)\), non-degenerate (i.e., for generators \(g_1\in G_1, g_2\in G_2\), we have that \(e(g_1, g_2)\in G_T\) is a generator), and efficiently computable. Let \(\mathsf {BGen}\) be a PPT algorithm that, on input a security parameter \(\kappa \), outputs \(\mathsf{BG}=(p, G_1, G_2, G_T, e, g_1, g_2)\) for generators \(g_1\) and \(g_2\) of \(G_1\) and \(G_2\), respectively, and \(\varTheta (\kappa )\)-bit prime p.

q-wBDHI Assumption. We recall the q-wBDHI [8] assumptions ported to Type-3 groups [13]. We define the advantage of an adversary \(D \) with respect to \(q\)-wBDHI as

where \(\mathsf{BG} \leftarrow \mathsf{BGen}(1^\kappa )\), and \(pp=(\mathsf{BG},g_1^{\alpha },g_1^{\alpha ^2},\ldots ,g_1^{\alpha ^q},g_2^\alpha ,g_1^r, g^r_2\)), for \(\alpha ,r,u \leftarrow \mathbb {Z}_p\). We say the q-wBDHI assumption holds if \(\mathbf{Adv}^{\mathsf {q\text {-}wBDHI}}_{{\mathsf {BGen}},{A}}\) is a negligible function in the security parameter \(\kappa \) for all PPT adversaries \(A \).