Updatable ElGamal Encryption Scheme with Forward and Backward Security for Cloud Storage

Abstract

Updatable encryption plays an important role in cloud storage scenario due to providing update functionality for ciphertext data and resisting key compromise attacks. However, most of updatable encryption schemes adopted a type of partitioning strategy: leakage sets or firewalls technique, which prohibited the adversary from querying the key at the challenge-equal epochs and hardly captured forward and backward security. In this paper, we enhance the existing security model by considering a corruption oracle that allows any secret key query and overcomes the dependence on leakage sets, and then present the first updatable public-key encryption scheme with no-directional key updates and uni-directional ciphertext updates on the basis of the classical ElGamal encryption scheme. The proposed scheme can minimize the information leakage of update tokens by using the indistinguishable obfuscation technique of the punctured program. Moreover, under the framework of the enhanced security model, the proposed scheme is proven to be IND-CPA. Finally, compared with the existing updatable encryption schemes, the proposed scheme eliminates leakage sets and firewalls to capture forward and backward security.

Supported by the Natural Science Basic Research Plan in Shaanxi Province of China under Grant No.2022JZ-38, the National Natural Science Foundation of China under Grants No.61807026, the Plan for Scientific Innovation Talent of Henan Province under Grant No.184100510012, and the Postgraduate Innovation Fund of Xidian University under Grant No.YJS2215.

Appendices

A Security Proof of Theorem 1

Proof

In order to ensure that the proof process is clear, the proof of experimental sequence method is given here. Let \(\mathcal {A}\) be a probabilistic polynomial-time adversary and the challenge epoch be \(e^{*}\). Note that the successful events of the adversary \(\mathcal {A}\) in experiment Expt\(_i\) are denoted as \(Suc_{i} (i=0,1,2,3)\).

Expt\(_0\): The first experiment corresponds to the original IND-ENC-CPA security experiment.

1. 1)

   \(K_{e^{*}}\) is picked as the key for a puncturable pseudorandom function F. A distinguished tag \(t^*_{e^{*}}\!=\!P\!RG_1(s^*_{e^{*}})\) is set as the punctured point, where \(s^*_{e^{*}}\!\in \!\{0,1\}^{\lambda }\) is chosen at random. The public key \(P\!K_{e^{*}}\) is implied by the obfuscation program \(i\mathcal {O}\big (C_{enc}[K_{e^{*}}]\big )\). The secret key \(S\!K_{e^{*}}\) is \(K_{e^{*}}\).

2. 2)

   After receiving \(P\!K_{e^{*}}\), the adversary \(\mathcal {A}\) can access a series of oracles \(\mathcal {O}. N\!ext\), \(\mathcal {O}.C\!orr\) and \(\mathcal {O}.U\!pd(C_{e-1})\), and then output a pair of messages \(m_{0}, m_{1}\in \mathbb {G}\) with the same length to the challenger.

3. 3)

   The challenger runs the obfuscation program \(i\mathcal {O}\big (C_{enc}[K_{e^{*}}]\big )\) on input a seed \(s^{*}_{e^{*}}\!\in \!\{0,1\}^{\lambda }\) and a message \(m_{b}\in \mathbb {G}\) to generate a challenge ciphertext \(C_{e^{*}}^{*}\), where \(b\!\in \!\{0,1\}\) is chosen at random. Then \(C_{e^{*}}^{*}\) is given to the adversary \(\mathcal {A}\).

4. 4)

   The adversary \(\mathcal {A}\) can continue to access the \(\mathcal {O}.N\!ext\), \(\mathcal {O}.C\!orr\), \(\mathcal {O}.U\!pd(C_{e-1})\) and \(\mathcal {O}.U\!pd(l,C_{e^{*}}^{*})\) oracles. Finally, \(\mathcal {A}\) outputs a bit \(b'\in \{0,1\}\).

Expt\(_1\): This experiment is identical to the experiment Expt\(_{0}\) except for one difference. The only difference is that the first part of the challenge ciphertext \(C_{e^{*}\!,1}\!=\!t^*_{e^{*}}\), i.e., \(t_{e^{*}}^{*}\)=\(P\!RG_1(s^*_{e^{*}})\) is replaced by \(t^{*}_{e^{*}}\) chosen randomly in \(\{0,1\}^{2\lambda }\). The following fact can be obtained and will be proved subsequently.

Fact 1. The difference in probability between the event \(Suc_{0}\) and the event \(Suc_{1}\) is a negligible function.

Expt\(_2\): This experiment is identical to the experiment Expt\(_{1}\) except for one difference. The only difference is that the second element of the challenge ciphertext \(C_{e^{*}\!,2}\!=\!g^{r^*_{e^{*}}}\), i.e., \(r^*_{e^{*}}\!=\!P\!RG_2(s^*_{e^{*}})\) is replaced by \(r^*_{e^{*}}\! \in \!\mathbb {Z}_{q}\). Note that \(s^*_{e^{*}}\) no longer appears in the adversary’s view and does not need to be generated. The following fact can be obtained and will be proved subsequently.

Fact 2. The difference in probability between the event \(Suc_{1}\) and the event \(Suc_{2}\) is a negligible function.

Table 7. The description of program \(\widetilde{C}_{enc}\big [K_{e^{*}}\big (\{t_{e^{*}}^{*}\}\big )\big ]\)

Expt\(_{3}\): This experiment is identical to the experiment Expt\(_{2}\) except for one difference. The difference is that the public key \(P\!K_{e^{*}}\) is simply replaced with \(\widetilde{P\!K}_{e^{*}}\) implicitly in the obfuscation program \(i\mathcal {O} \big (\widetilde{C}_{enc}\big [K_{e^{*}}\big (\{t_{e^{*}}^{*}\}\big )\big ]\big )\), where the program \(\widetilde{C}_{enc}[K_{e^{*}}\big (\{t_{e^{*}}^{*}\}\big )\big ]\) is described in Table 7. Note that, the program \(\widetilde{C}_{enc}\big [K_{e^{*}}\big (\{t_{e^{*}}^{*}\}\big )\big ]\) in Table 7 has the same functionality as the program \(C_{enc}[K_{e^{*}}]\) in Table 5, except that the fixed constant \(K_{e^{*}}\) is replaced by \(K_{e^{*}}\big (\{t_{e^{*}}^{*}\}\big )\). The following fact can be obtained and will be proved subsequently.

Fact 3. The difference in probability between the event \(Suc_2\) and the event \(Suc_3\) is a negligible function.

Expt\(_{4}\): This experiment is identical to the experiment Expt\(_{3}\) except for one difference. The difference is that the third part of the challenge ciphertext \(C_{e^{*}}^{*}\!=\!(C^{*}_{e^{*},1}\!=\!t_{e^{*}}^{*}, C^{*}_{e^{*},2}\!=\!g^{r_{e^{*}}^{*}}, C^{*}_{e^{*},3}\!=\!g^{z\cdot r_{e^{*}}^{*}}\cdot m_{b})\) is modified, where \(z{\mathop {\leftarrow }\limits ^{r}} \mathbb {G}\). The following facts can be obtained and will be proved subsequently.

Fact 4. The difference in probability between event \(Suc_{3}\) and event \(Suc_{4}\) is a negligible function.

Fact 5. The probability of the event \(Suc_{4}\) is \(\frac{1}{2}\).

The combination of all the above facts leads to the desired conclusion. Let’s start proving each of these facts.

Proof of Fact 1. We argue that the probability difference between the event \(Suc_{0}\) and the event \(Suc_{1}\) is a negligible function. Otherwise, an algorithm \(\mathcal {B}_1\) can be constructed to break the security of the pseudorandom generator \(P\!RG_1\). \(\mathcal {B}_1\) runs the experiment Expt\(_{0}\) as a challenger and receives a \(P\!RG_1\) challenge a. Except for setting \(t_{e^{*}}^{*}=a\), it continues to run the rest of experiment Expt\(_{0}\). There exist two cases to be considered:

1. 1)

   If a is the output of \(P\!RG_{1}\), the random variables observed by \(\mathcal {A}\) in the algorithm \(\mathcal {B}_1\) are distributed identically with those observed in Expt\(_{0}\).

2. 2)

   If a is a random string, the random variables observed by \(\mathcal {A}\) in the algorithm \(\mathcal {B}_1\) are distributed identically with those observed in Expt\(_{1}\).

\(\mathcal {B}_1\) outputs exactly 1 when the output \(b'\) of \(\mathcal {A}\) is equal to b. Since \(P\!RG_1\) is a secure pseudorandom generator, there exists a negligible function \(negl_{1}(\lambda )\) such that

$$\begin{aligned} \big |\Pr [Suc_{0}]-\Pr [Suc_{1}]\big |=Adv^{P\!RG_1}_{\mathcal {B}_1}\le negl_{1}(\lambda ). \end{aligned}$$

(1)

Proof of Fact 2. Similar to the proof of Fact 1, we argue that the probability difference between events \(Suc_{1}\) and \(Suc_{2}\) is a negligible function. Otherwise, an algorithm \(\mathcal {B}_2\) can be constructed to break the security of the pseudorandom generator \(P\!RG_2\). Therefore, there exists a negligible function \(negl_{2}(\lambda )\) such that

$$\begin{aligned} \big |\Pr [Suc_1]-\Pr [Suc_2]\big |=Adv^{P\!RG_2}_{\mathcal {B}_2}\le negl_{2}(\lambda ). \end{aligned}$$

(2)

Proof of Fact 3. When \(t_{e^{*}}^{*}\) is selected randomly, the input and output behaviors of \(P\!K_{e^{*}}\) and \(\widetilde{P\!K}_{e^{*}}\) are almost identical. Note that, \(t_{e^{*}}^{*}\) is in the range of \(P\!RG_1\) with probability at most \(1/2^{\lambda }\). If \(t_{e^{*}}^{*}\) is not in the range of \(P\!RG_1\), the programs \(P\!K_{e^{*}}\) and \(\widetilde{P\!K}_{e^{*}}\) have identical functionality. Therefore, the probabilities of the event \(Suc_2\) and the event \(Suc_3\) must be negligibly close. Otherwise, we can construct an algorithm \(B_3\) that breaks the indistinguishable security of obfuscator. \(\mathcal {B}_3\) runs the experiment as a challenger and receives an obfuscation program as a challenge. There exist two cases to be considered:

1. 1)

   If the challenger chooses \(P\!K_{e^{*}}\), the observation of \(\mathcal {A}\) in the algorithm \(\mathcal {B}_3\) and that of \(\mathcal {A}\) in experiment Expt\(_2\) are identically distributed.

2. 2)

   If the challenger chooses \(\widetilde{P\!K}_{e^{*}}\), the observation of \(\mathcal {A}\) in the algorithm \(\mathcal {B}_3\) and that of \(\mathcal {A}\) in experiment Expt\(_3\) are identically distributed.

\(\mathcal {B}_3\) outputs exactly 1 when the output \(b'\) of \(\mathcal {A}\) is equal to b. Since \(i\mathcal {O}\) is a secure indistinguishable obfuscator, there exists a negligible function \(negl_3(\lambda )\) such that

$$\begin{aligned} \big |\Pr [Suc_{2}]-\Pr [Suc_{3}]\big |=Adv^{i\mathcal {O}}_{\mathcal {B}_3}\le negl_3(\lambda ). \end{aligned}$$

(3)

Proof of Fact 4. If \(\mathcal {A}\) can distinguish Expt\(_3\) from Expt\(_4\), then we can build an algorithm \(\mathcal {B}_4\) to break the selective security of the puncturable pseudorandom function F at the punctured points. \(\mathcal {B}_4\) runs the experiment Expt\(_3\) as a challenger and receives a challenge c. It continues to run the rest of experiment Expt\(_3\) in addition to creating the challenge ciphertext as \(C_{e^{*}}^{*}=(t_{e^{*}}^{*},g^{r_{e^{*}}^{*}},g^{c\cdot r_{e^{*}}^{*}}\cdot m_{b})\). There are two cases to be considered:

1. 1)

   If c is the output of F at point \(t_{e^{*}}^{*}\), the random variables observed by \(\mathcal {A}\) in the algorithm \(\mathcal {B}_4\) are identically distributed as those seen in Expt\(_3\).

2. 2)

   If c is chosen at random, the ciphertext obtained by \(\mathcal {A}\) in the algorithm \(\mathcal {B}_4\) is distributed identically with that in Expt\(_4\).

\(\mathcal {B}_4\) outputs exactly 1 when the output \(b'\) of \(\mathcal {A}\) is equal to b. Note that, we are able to reduce to selective security since \(t_{e^{*}}^{*}\) is randomly selected by the challenger before the adversary receives the puncturable key \(K_{e^{*}}\big (\{t_{e^{*}}^{*}\}\big )\), which is not controlled by the adversary. Since F is a secure puncturable pseudorandom function, there exists a negligible function \(negl_{4}(\lambda )\) such that

$$\begin{aligned} \big |\Pr [Suc_{3}]-\Pr [Suc_{4}]\big |=Adv^{F}_{\mathcal {B}_4}\le negl_{4}(\lambda ). \end{aligned}$$

(4)

Proof of Fact 5. In the experiment Expt\(_{4}\), the challenge ciphertext received by the adversary is a random element, which is independent of \(m_{b}\). Therefore, the success probability of the adversary in this experiment is 1/2. That is,

$$\begin{aligned} \Pr [Suc_{4}]=\frac{1}{2}. \end{aligned}$$

(5)

Combining with equations (1)–(5), we have

$$\begin{aligned} \begin{aligned} Adv_{U\!P\!K\!E,\mathcal {A}}^{I\!N\!D\!-\!E\!N\!C\!-\!C\!P\!A}(\lambda )=&\big |\Pr [Suc_{0}]-\frac{1}{2}\big |\\ \le&\sum _{i=0}^{3}\Big |\Pr [Suc_{i}]-\Pr [Suc_{i+1}]\Big |\\ \le&~negl_{1}(\lambda )+negl_{2}(\lambda )+negl_{3}(\lambda )+negl_{4}(\lambda ).\\ \end{aligned} \end{aligned}$$

B Security Proof of Theorem 2

Proof

We construct an adversary \(\mathcal {B}\) running the IND-UE-CPA experiment, which is used to simulate the response of queries made by the IND-ENC-CPA adversary \(\mathcal {A}\). In order to provide a valid challenge query, \(\mathcal {B}\) must keep \(\mathcal {A}\) out of step with his game. As far as \(\mathcal {A}\) is concerned, the epoch 1 is actually the epoch 2 of \(\mathcal {B}\), and so on. The configuration of \(\mathcal {B}\) is as follows:

1. 1)

   \(\mathcal {B}\) receives the setup parameters from its own challenger, chooses a message m from the message space \(\mathbb {G}\), and encrypts this message with \(P\!K_{1}\) to obtain a ciphertext \(C_{1}\). Then \(\mathcal {B}\) calls \(\mathcal {O}.N\!ext\) oracle to advance for an epoch and finally sends the setup parameters to \(\mathcal {A}\).

2. 2)

   When \(\mathcal {A}\) queries \(\mathcal {O}.U\!pd(C_{e-1})\) and \(\mathcal {O}.C\!orr\) oracles, \(\mathcal {B}\) sends these queries to its own challenger and returns the corresponding results to \(\mathcal {A}\). Whenever \(\mathcal {O}.N\!ext\) oracle is called by \(\mathcal {A}\), \(\mathcal {B}\) randomly chooses a message \(m\in \mathbb {G}\) and encrypts this message with \(P\!K_{e}\) to receive a ciphertext \(C_{e}\), and then calls \(\mathcal {O}.N\!ext\) oracle.

3. 3)

   At the epoch \(e^{*}\), \(\mathcal {A}\) issues a challenge query \((m_{0}, m_{1})\). \(\mathcal {B}\) randomly selects \(b{\mathop {\leftarrow }\limits ^{r}}\{0,1\}\) and sends \((m_{b}, C_{e^{*}-1})\) to its challenger as its challenge query. After receiving the challenge ciphertext \(C_{e^{*}}^{*}\) from its challenger, \(\mathcal {B}\) then sends it to \(\mathcal {A}\).

4. 4)

   \(\mathcal {B}\) continues to answer \(\mathcal {A}\)’s queries using its own oracles, now including \(\mathcal {O}.U\!pd(l,C_{e^{*}}^{*})\) oracle.

5. 5)

   Finally, \(\mathcal {A}\) makes a guess and outputs the guess \(b'\) to the adversary \(\mathcal {B}\). If \(b=b'\), \(\mathcal {B}\) returns \(\delta '=0\). Otherwise \(\mathcal {B}\) outputs \(\delta '=1\).

\(\mathcal {B}\) runs in polynomial time since \(\mathcal {A}\) does. Here \(\delta \!\in \!\{0,1\}\) represents the bit selected when generating the challenge ciphertext in the IND-UE-CPA experiment. There exist two cases to be considered.

1. 1)

   If the challenge ciphertext \(C_{e^{*}-1}^{*}\) received by \(\mathcal {B}\) is the encryption of message \(m_{b}\), i.e., \(\delta =0\), \(\mathcal {B}\) succeeds if and only if \(\mathcal {A}\) succeeds.

2. 2)

   If the challenge ciphertext \(C_{e^{*}}^{*}\) received by \(\mathcal {B}\) is an update of the ciphertext \(C_{e^{*}-1}\), i.e., \(\delta =1\), \(\mathcal {B}\) wins with a probability of 1/2.

Furthermore, we can easily bound the success probability of the adversary \(\mathcal {B}\) in the experimental IND-UE-CPA.

$$\begin{aligned} \begin{aligned} Adv_{U\!P\!K\!E,\mathcal {B}}^{I\!N\!D\!-\!U\!E\!-\!C\!P\!A}(\lambda )=&\Big |\Pr [Exp^{I\!N\!D\!-\!U\!E\!-\!C\!P\!A}_{U\!P\!K\!E,\mathcal {B}}=1]-\frac{1}{2}\Big |=\Big |\Pr [\delta '=\delta ]-\frac{1}{2}\Big |\\ =&\Big |\Pr \big [(\delta '\!=\delta )\wedge \delta =0\big ]+Pr\big [(\delta '\!=\delta )\wedge \delta =1\big ]-\frac{1}{2}\Big |\\ =&\frac{1}{2}\cdot \Big |\Pr [\delta '\!=\delta |\delta =0]+\Pr [\delta '\!=\delta |\delta =1]-1\Big |\\ =&\frac{1}{2}\cdot \Big |\Pr [b'\!=b |\delta =0]+\Pr [b'\!\ne b |\delta =1]-1\Big |\\ =&\frac{1}{2}\cdot \Big |\Pr [b'\!=b |\delta =0]-\Pr [b'\!=b |\delta =1]\Big |\\ =&\frac{1}{2}\cdot Adv_{U\!P\!K\!E,\mathcal {A}}^{I\!N\!D\!-\!E\!N\!C\!-\!C\!P\!A}.\\ \end{aligned} \end{aligned}$$