Talk by Christoph Striecks: "Efficient Puncturable Encryption – From Bloom Filters to Forward Security"
Location: big seminar room at our chair (Fürther Str. 246c, entrance 5, 2nd floor)
“Forward security is an essential design goal of modern cryptographic protocols with a long body of literature in several application domains such as interactive key-establishment protocols (prominently, in TLS 1.3), digital signatures, search on encrypted data, updatable cryptography, mobile Cloud backups, decentralized contact tracing, new approaches to Tor, and even novel distributed protocols such as Dfinity’s Internet Computer, among others.
The well-known benefit of forward security is the mitigation of key leakage by evolving secret keys over epochs and thereby revoking access to prior-epoch ciphertexts. Such a strong security guarantee is widely recognized by industry and is being included in security products (e.g., by companies such as Google, Apple, Meta, Microsoft, and Cloudflare). Green and Miers (S&P 2015) initiated the study of puncturable encryption (PE) as a new cryptographic primitive towards the strong form of non-interactive forward-secure encryption (in particular, without the need for any pre-shared key material).
Several follow-up works have already shown the versatility of PE, yielding a rich abstraction of forward security investigated in a variety of (data-in-transit and data-at-rest) application domains such as 0-RTT key exchange with replay protection for TLS (Eurocrypt’17, Eurocrypt’18, Asiacrypt’20, JoC’21), Google’s QUIC (CANS’20), Searchable Encryption (CCS’17, CCS’18, NDSS’21), mobile Cloud backups (OSDI’20), Content Distribution Networks (Financial Crypto’21), Tor (PoPETS’20), and Updatable Encryption (ePrint’21).
This talk deals with efficiency considerations of puncturable encryption to ensure zero round-trip time (0-RTT) for key exchange protocols such as TLS 1.3, where a client is able to send cryptographically protected payload data along with the very first key exchange message. For a long time, it was unclear whether protocols that simultaneously achieve 0-RTT and (full) forward secrecy exist. Günther, Hale, Jager, and Lauer (Eurocrypt’17) proposed a first solution where forward secrecy is achieved by “puncturing” the secret key after each decryption operation, such that a given ciphertext can only be decrypted once. However, their contribution only achieved very inefficient puncturing. In this talk, a primitive termed Bloom Filter Encryption (BFE) is presented, which is derived from the probabilistic Bloom filter data structure. BFE allows for puncturable encryption mechanisms with extremely efficient puncturing. Most importantly, a puncturing operation only involves a small number of very efficient computations, plus the deletion of certain parts of the secret key, which outperforms previous constructions by orders of magnitude.”
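To make the Bloom-filter structure behind BFE concrete, here is an added toy model; it is not code from the talk or the paper. The secret key holds one independent key pair per Bloom filter slot, encryption hashes a tag to k slots and wraps a session key under each of them, decryption needs any one surviving slot, and puncturing simply deletes the slot secrets the tag maps to. The real construction uses identity-based encryption so that one compact public key covers all slots; here a per-slot hashed-ElGamal key pair (with a deliberately small, insecure toy prime) stands in for the per-identity IBE key, and the function names, the 256/3 filter parameters and the tags are all constructed for illustration. The model also exposes the one caveat a deployer must plan for: because the filter can yield false positives, an unpunctured tag can become undecryptable, and that correctness error grows with the number of punctures.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (NOT secure, NOT the paper's pairing-based setting):
P = 2**127 - 1      # Mersenne prime used as a toy group modulus
G = 5               # toy generator
M_SLOTS = 256       # Bloom filter length m
K_HASHES = 3        # number of hash functions k


def bloom_positions(tag: bytes, m: int = M_SLOTS, k: int = K_HASHES) -> list[int]:
    """Map a tag (e.g. a 0-RTT ciphertext identifier) to its k filter positions
    using double hashing over one SHA-256 digest."""
    h = hashlib.sha256(tag).digest()
    a = int.from_bytes(h[:8], "big")
    b = int.from_bytes(h[8:16], "big") | 1   # odd step keeps the probe sequence spread
    return [(a + i * b) % m for i in range(k)]


def keygen():
    """One hashed-ElGamal key pair per slot. In BFE the per-slot secret is an IBE
    key for identity i; here a discrete-log secret x_i stands in for it."""
    sk = {i: secrets.randbelow(P - 2) + 1 for i in range(M_SLOTS)}
    pk = {i: pow(G, x, P) for i, x in sk.items()}
    return pk, sk


def _pad(shared: int, tag: bytes) -> bytes:
    # Key-derivation step: hash the shared group element together with the tag.
    return hashlib.sha256(shared.to_bytes(16, "big") + tag).digest()


def encapsulate(pk, tag: bytes):
    """Encrypt a fresh session key under every slot the tag hashes to.
    Only public values are needed, so any client can do this."""
    key = secrets.token_bytes(32)
    r = secrets.randbelow(P - 2) + 1
    c1 = pow(G, r, P)
    wraps = {}
    for pos in set(bloom_positions(tag)):
        shared = pow(pk[pos], r, P)
        wraps[pos] = bytes(a ^ b for a, b in zip(key, _pad(shared, tag)))
    return key, (tag, c1, wraps)


def decapsulate(sk, ct):
    """Recover the session key with any surviving slot secret; None if every
    slot the ciphertext used has been punctured (i.e. deleted from sk)."""
    tag, c1, wraps = ct
    for pos, wrapped in wraps.items():
        if pos in sk:
            shared = pow(c1, sk[pos], P)
            return bytes(a ^ b for a, b in zip(wrapped, _pad(shared, tag)))
    return None


def puncture(sk, tag: bytes) -> None:
    """Forward security step: delete the slot secrets the tag maps to.
    Cost is k hash evaluations plus k deletions, no further key material."""
    for pos in bloom_positions(tag):
        sk.pop(pos, None)


def is_punctured(sk, tag: bytes) -> bool:
    """True when no slot for this tag survives; this also catches the Bloom
    false-positive case where a tag was never punctured explicitly."""
    return all(pos not in sk for pos in bloom_positions(tag))


def expected_false_positive_rate(n_punctures: int, m: int = M_SLOTS,
                                 k: int = K_HASHES) -> float:
    """Standard Bloom filter estimate (1 - e^{-kn/m})^k: the chance that a fresh,
    unpunctured tag is already undecryptable after n punctures."""
    return (1 - math.exp(-k * n_punctures / m)) ** k


if __name__ == "__main__":
    pk, sk = keygen()
    key, ct = encapsulate(pk, b"first-0rtt-message")
    print("before puncture:", decapsulate(sk, ct) == key)
    puncture(sk, b"first-0rtt-message")
    print("after puncture: ", decapsulate(sk, ct))
    print("error rate after 40 punctures:", round(expected_false_positive_rate(40), 4))
```

Running the script shows the replay-protection property directly: the same ciphertext decrypts once and returns `None` after its tag is punctured, while unrelated tags keep working until enough punctures have saturated their slots, which is why a deployment sizes m against the expected number of punctures per key lifetime and rotates keys before the error rate becomes noticeable.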
About the speaker:
Christoph Striecks is a cryptography researcher in the Cyber Security team at AIT Austrian Institute of Technology in Vienna, Austria’s largest Research and Technology Organization (RTO). His professional focus lies in cryptographic technologies (such as end-to-end encryption, attribute-based/functional encryption, as well as forward-secure primitives) with strong provable security guarantees and applications to concrete real-world problems (such as Big Data, Cloud, and the transition to post-quantum systems).
In 2015, Christoph received his PhD (Dr. rer. nat.) in cryptography from the Karlsruhe Institute of Technology (KIT) in Germany under the supervision of Prof. Dennis Hofheinz, on scalable identity-based encryption, short digital signatures, and modular revocation schemes. In 2010, he received his Diploma in computer science from the Technical University of Braunschweig in Germany with a major in cryptography and software engineering. In 2008, he worked as an intern for Siemens USA in Princeton, New Jersey.