Searchable symmetric encryption (SSE) allows a client to encrypt its data in such a way that this data can still be searched. The most immediate application of SSE is to cloud storage, where it enables a client to securely outsource its data to an untrusted cloud provider without sacrificing the ability to search over it.SSE has been the focus of active research and a multitude of schemes that achieve various levels of security and efficiency have been proposed. Any practical SSE scheme, however, should (at a minimum) satisfy the following properties: sublinear search time, security against adaptive chosen-keyword attacks, compact indexes and the ability to add and delete files efficiently. Unfortunately, none of the previously-known SSE constructions achieve all these properties at the same time. This severely limits the practical value of SSE and decreases its chance of deployment in real-world cloud storage systems.To address this, we propose the first SSE scheme to satisfy all the properties outlined above. Our construction extends the inverted index approach (Curtmola et al., CCS 2006) in several non-trivial ways and introduces new techniques for the design of SSE. In addition, we implement our scheme and conduct a performance evaluation, showing that our approach is highly efficient and ready for deployment.

Dynamic searchable symmetric encryption

Searchable symmetric encryption (SSE) allows a client to encrypt its data in such a way that this data can still be searched. The most immediate application of SSE is to cloud storage, where it enables a client to securely outsource its data to an untrusted cloud provider without sacrificing the ability to search over it. SSE has been the focus of active research and a multitude of schemes that achieve various levels of security and efficiency have been proposed. Any practical SSE scheme, however, should (at a minimum) satisfy the following properties: sublinear search time, security against adaptive chosenkeyword attacks, compact indexes and the ability to add and delete files efficiently. Unfortunately, none of the previously-known SSE constructions achieve all these properties at the same time. This severely limits the practical value of SSE and decreases its chance of deployment in real-world cloud storage systems. To address this, we propose the first SSE scheme to satisfy all the properties outlined above. Our construction extends the inverted index approach (Curtmola et al., CCS 2006 ) in several non-trivial ways and introduces new techniques for the design of SSE. In addition, we implement our scheme and conduct a performance evaluation, showing that our approach is highly efficient and ready for deployment.

/pdf/dynamic-searchable-symmetric-encryption-2pmsqxw4k3.pdf

Dynamic Searchable Symmetric Encryption.

Garbled circuits, a classical idea rooted in the work of Yao, have long been understood as a cryptographic technique, not a cryptographic goal. Here we cull out a primitive corresponding to this technique. We call it a garbling scheme. We provide a provable-security treatment for garbling schemes, endowing them with a versatile syntax and multiple security definitions. The most basic of these, privacy, suffices for two-party secure function evaluation (SFE) and private function evaluation (PFE). Starting from a PRF, we provide an efficient garbling scheme achieving privacy and we analyze its concrete security. We next consider obliviousness and authenticity, properties needed for private and verifiable outsourcing of computation. We extend our scheme to achieve these ends. We provide highly efficient blockcipher-based instantiations of both schemes. Our treatment of garbling schemes presages more efficient garbling, more rigorous analyses, and more modularly designed higher-level protocols.

/pdf/foundations-of-garbled-circuits-f3gqwxe1v8.pdf

Foundations of garbled circuits

Suppose we are given a perfect n+ c-to-nbit compression function fand we want to construct a larger m+ s-to-sbit compression function Hinstead. What level of security, in particular collision resistance, can we expect from Hif it makes rcalls to f? We conjecture that typically collisions can be found in 2(nr+ cri¾? m)/(r+ 1)queries. This bound is also relevant for building a m+ s-to-sbit compression function based on a blockcipher with k-bit keys and n-bit blocks: simply set c= k, or c= 0 in case of fixed keys.

We also exhibit a number of (conceptual) compression functions whose collision resistance is close to this bound. In particular, we consider the following four scenarios: 1 A 2n-to-nbit compression function making two calls to an n-to-nbit primitive, providing collision resistance up to 2n/3/nqueries. This beats a recent bound by Rogaway and Steinberger that 2n/4queries to the underlying random n-to-nbit function suffice to find collisions in any rate-1/2 compression function. In particular, this shows that Rogaway and Steinberger's recent bound of 2(nri¾? mi¾? s/2)/r)queries (for c= 0) crucially relies upon a uniformity assumption; a blanket generalization to arbitrary compression functions would be incorrect.
 1 A 3n-to-2nbit compression function making a single call to a 3n-to-nbit primitive, providing collision resistance up to 2nqueries.
 1 A 3n-to-2nbit compression function making two calls to a 2n-to-nbit primitive, providing collision resistance up to 2nqueries.
 1 A single call compression function with parameters satisfying m≤ n+ c, n≤ s, c≤ m. This result provides a tradeoff between how many bits you can compress for what level of security given a single call to an n+ c-to-nbit random function.

/pdf/beyond-uniformity-better-security-efficiency-tradeoffs-for-1tbtt7yeep.pdf

Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions

We advocate schemes based on fixed-key AES as the best route to highly efficient circuit-garbling. We provide such schemes making only one AES call per garbled-gate evaluation. On the theoretical side, we justify the security of these methods in the random-permutation model, where parties have access to a public random permutation. On the practical side, we provide the Just Garble system, which implements our schemes. Just Garble evaluates moderate-sized garbled-circuits at an amortized cost of 23.2 cycles per gate (7.25 nsec), far faster than any prior reported results.

/pdf/efficient-garbling-from-a-fixed-key-blockcipher-2pc03c60uq.pdf

Efficient Garbling from a Fixed-Key Blockcipher

A t-round key-alternating cipher (also called iterated Even-Mansour cipher) can be viewed as an abstraction of AES. It defines a cipher E from t fixed public permutations P 1,..., P t : {0,1} n → {0,1} n and a key k = k 0 ∥ ... ∥ k t ∈ {0,1} n(t + 1) by setting E k (x) = k t ⊕ P t (k t − 1 ⊕ P t − 1( ⋯ k 1 ⊕ P 1(k 0 ⊕ x) ⋯ )). The indistinguishability of E k from a truly random permutation by an adversary who also has oracle access to the (public) random permutations P 1, …, P t was investigated in 1997 by Even and Mansour for t = 1 and for higher values of t in a series of recent papers. For t = 1, Even and Mansour proved indistinguishability security up to 2 n/2 queries, which is tight. Much later Bogdanov et al. (2011) conjectured that security should be \(2^{\frac{t}{t+1}n}\) queries for general t, which matches an easy distinguishing attack (so security cannot be more). A number of partial results have been obtained supporting this conjecture, besides Even and Mansour’s original result for t = 1: Bogdanov et al. proved security of \(2^{\frac{2}{3}n}\) for t ≥ 2, Steinberger (2012) proved security of \(2^{\frac{3}{4}n}\) for t ≥ 3, and Lampe, Patarin and Seurin (2012) proved security of \(2^{\frac{t}{t+2}n}\) for all even values of t, thus “barely” falling short of the desired \(2^{\frac{t}{t+1}n}\).

/pdf/tight-security-bounds-for-key-alternating-ciphers-vbe69o9tn7.pdf

Tight Security Bounds for Key-Alternating Ciphers

We present new techniques for deriving preimage resistance bounds for block cipher based double-block-length, double-call hash functions. We give improved bounds on the preimage security of the three "classical" double-block-length, double-call, block cipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose's scheme. For Hirose's scheme, we show that an adversary must make at least 22n−5 block cipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least 22n−10 queries are necessary. These bounds improve upon the previous best bounds of Ω(2n) queries, and are optimal up to a constant factor since the compression functions in question have range of size 22n.

/pdf/the-preimage-security-of-double-block-length-compression-2dojow3iyf.pdf

The preimage security of double-block-length compression functions

We give improved bounds on the preimage security of the three “classical” double-block-length, doublecall, blockcipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose’s scheme. For Hirose’s scheme, we show that an adversary must make at least 22n−5 blockcipher queries to achieve chance 0.5 of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least 22n−10 queries are necessary. These bounds improve upon the previous best bounds of Ω(2) queries, and are optimal up to a constant factor since the compression functions in question have range of size 2.

/pdf/the-preimage-security-of-double-block-length-compression-3swrmbjazi.pdf

The preimage security of double-block-length compression functions.

We propose a family of compression functions built from fixed-key blockciphers and investigate their collision and preimage security in the ideal-cipher model. The constructions have security approaching and in many cases equaling the security upper bounds found in previous work of the authors [24]. In particular, we describe a 2n-bit to n-bit compression function using three n-bit permutation calls that has collision security N0.5, where N= 2n, and we describe 3n-bit to 2n-bit compression functions using five and six permutation calls and having collision security of at least N0.55and N0.63.

/pdf/constructing-cryptographic-hash-functions-from-fixed-key-mplur11xfw.pdf

Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers

We provide attacks and analysis that capture a tradeoff, in the ideal-permutation model, between the speed of a permutation-based hash function and its potential security. We show that any 2n-bit to n-bit compression function will have unacceptable collision resistance it makes fewer than three n-bit permutation invocations, and any 3n-bit to 2n-bit compression function will have unacceptable security if it makes fewer than five n-bit permutation invocations. Any rate-a hash function built from n-bit permutations can be broken, in the sense of finding preimages as well as collisions, in about N1-α queries, where N = 2n. Our results provide guidance when trying to design or analyze a permutation-based hash function about the limits of what can possibly be done.

/pdf/security-efficiency-tradeoffs-for-permutation-based-hashing-1biabsvntc.pdf

John P. Steinberger

Papers

Tight Security Bounds for Key-Alternating Ciphers

The preimage security of double-block-length compression functions

The preimage security of double-block-length compression functions.

Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers

Security/efficiency tradeoffs for permutation-based hashing