This section contains the detailed proofs of the weak IND-ENC and weak IND-UPD security of the 2ENC scheme presented in Section 5.1.
B.1 Proof of Theorem 2 (weak IND-ENC Security of 2ENC)
The updatable encryption scheme 2ENC as defined in Section 5.1 is IND-ENC-secure if SE is an IND-CPA-secure encryption scheme and for adversaries with the following restriction: if $\mathcal{A}$ makes a query $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{token}, e')$ where $e'$ or $e'-1$ are challenge-equal, then $\mathcal{A}$ must not make any query to $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{key}, \cdot)$.
Proof. Let $\mathcal{A}$ be an adversary against the IND-ENC security of 2ENC; then we construct from it adversaries $\mathcal{B}_{\mathsf{in}} = \mathcal{B}_{\mathsf{in}}(\mathcal{A})$ and $\mathcal{B}_{\mathsf{out}} = \mathcal{B}_{\mathsf{out}}(\mathcal{A})$ such that at least one of $\mathcal{B}_{\mathsf{in}}$ and $\mathcal{B}_{\mathsf{out}}$ breaks the CPA security of SE. We can then combine $\mathcal{B}_{\mathsf{in}}$ and $\mathcal{B}_{\mathsf{out}}$ into a single adversary $\mathcal{B}$ that chooses one of those strategies at random to break the CPA security of SE. Intuitively, $\mathcal{B}_{\mathsf{out}}$ can be seen as dealing with the cases where $\mathcal{B}$ makes a query of the type $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{key}, \cdot)$, whereas $\mathcal{B}_{\mathsf{in}}$ can be seen as dealing with the cases where $\mathcal{B}$ does not make such a query.
Adversary $\mathcal{B}_{\mathsf{in}}$ attacks the inner encryption and emulates the IND-ENC game to $\mathcal{A}$ as follows. Initially, it sets $e \leftarrow 0$, $\mathcal{L} \leftarrow \emptyset$, generates the outer key $k^o_0 \xleftarrow{r} \mathsf{SE.kgen}(\lambda)$, and runs $\mathcal{A}$ on empty input. It then emulates the oracles $\mathcal{O}_{\mathsf{enc}}$, $\mathcal{O}_{\mathsf{next}}$, $\mathcal{O}_{\mathsf{upd}}$, and $\mathcal{O}_{\mathsf{corrupt}}$ as follows. Upon $\mathcal{O}_{\mathsf{enc}}(m)$, adversary $\mathcal{B}_{\mathsf{in}}$ queries $m$ to its own $\mathcal{O}_{\mathsf{enc}}$ oracle and obtains as a result a ciphertext $C^i$. Using the key $k^o_e$, $\mathcal{B}_{\mathsf{in}}$ computes $C^o \xleftarrow{r} \mathsf{SE.enc}(k^o_e, C^i)$, sets $\mathcal{L} \leftarrow \mathcal{L} \cup \{(C^o, e)\}$, and returns $C^o$ to $\mathcal{A}$. Upon $\mathcal{O}_{\mathsf{next}}$, adversary $\mathcal{B}_{\mathsf{in}}$ generates a new $k^o_{e+1} \xleftarrow{r} \mathsf{SE.kgen}(\lambda)$ and sets $e \leftarrow e+1$. Upon $\mathcal{O}_{\mathsf{upd}}(C_{e-1})$, adversary $\mathcal{B}_{\mathsf{in}}$ checks that $(C_{e-1}, e-1) \in \mathcal{L}$, computes $C_e \leftarrow \mathsf{SE.enc}(k^o_e, \mathsf{SE.dec}(k^o_{e-1}, C_{e-1}))$, sets $\mathcal{L} \leftarrow \mathcal{L} \cup \{(C_e, e)\}$, and returns $C_e$ to $\mathcal{A}$. Upon $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{token}, e^*)$, if $e^* \le e$, then return $(k^o_{e-1}, k^o_e)$. Upon $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{key}, e^*)$, if $e^* \le e$, then fail (i.e., output a uniformly random bit in the game).
When $\mathcal{A}$ outputs $m_0, m_1$ in epoch $\tilde{e}$, adversary $\mathcal{B}_{\mathsf{in}}$ outputs the same messages $m_0, m_1$ and obtains challenge ciphertext $\tilde{C}^0$. It computes $\tilde{C} \xleftarrow{r} \mathsf{SE.enc}(k^o_{\tilde{e}}, \tilde{C}^0)$, sets $\tilde{\mathcal{L}} \leftarrow \{(\tilde{C}, \tilde{e})\}$, and provides $\tilde{C}$ to $\mathcal{A}$. Furthermore, $\mathcal{B}_{\mathsf{in}}$ continues to provide oracles $\mathcal{O}_{\mathsf{enc}}$, $\mathcal{O}_{\mathsf{upd}}$, and $\mathcal{O}_{\mathsf{corrupt}}$ as before; oracle $\mathcal{O}_{\mathsf{next}}$ is modified (as in IND-ENC) to additionally set $\tilde{\mathcal{L}} \leftarrow \tilde{\mathcal{L}} \cup \{(\tilde{C}_e, e)\}$ with $\tilde{C}_e \leftarrow \mathsf{SE.enc}(k^o_e, \mathsf{SE.dec}(k^o_{e-1}, \tilde{C}_{e-1}))$. Furthermore, $\mathcal{B}_{\mathsf{in}}$ provides $\mathcal{A}$ with an oracle $\mathcal{O}_{\mathsf{upd}\tilde{C}}$ that returns the current challenge ciphertext $\tilde{C}_e$.
Observe that if $\mathcal{A}$ does not make any query of the type $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{key}, e^*)$, then all computations performed by $\mathcal{B}_{\mathsf{in}}$ are exactly the same as in the IND-ENC game, and therefore the advantage of $\mathcal{A}$ is retained.
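The 2ENC operations that the reduction emulates above (inner encryption under the fixed key $k^i$, outer encryption under the epoch key $k^o_e$, and an update that strips the outer layer with $k^o_{e-1}$ and re-applies it with $k^o_e$), as an added example that is not code from the paper. The symmetric scheme SE is a constructed HMAC-keystream stand-in, and the class and function names are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for SE (this example's own, not the paper's SE):
# keystream cipher with keystream HMAC-SHA256(key, nonce || counter).
def se_kgen() -> bytes:
    return os.urandom(32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def se_enc(key: bytes, m: bytes) -> bytes:
    nonce = os.urandom(16)                      # fresh nonce per encryption
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(key, nonce, len(m))))

def se_dec(key: bytes, c: bytes) -> bytes:
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class TwoEnc:
    # 2ENC: inner layer under k^i, outer layer under the epoch key k^o_e.
    # Old outer keys are kept here only so the example can inspect them.
    def __init__(self) -> None:
        self.ki = se_kgen()
        self.ko = [se_kgen()]                   # ko[e] is the outer key of epoch e
        self.e = 0

    def enc(self, m: bytes) -> tuple:
        ci = se_enc(self.ki, m)                 # C^i, unchanged by later updates
        return (self.e, se_enc(self.ko[self.e], ci))   # (epoch, C^o)

    def next(self) -> tuple:
        # Advance one epoch; the update token is the key pair (k^o_{e-1}, k^o_e).
        self.ko.append(se_kgen())
        self.e += 1
        return (self.ko[self.e - 1], self.ko[self.e])

    @staticmethod
    def upd(token: tuple, c: tuple) -> tuple:
        # Re-encrypt only the outer layer: SE.enc(k^o_e, SE.dec(k^o_{e-1}, C_{e-1})).
        ko_prev, ko_new = token
        e, co = c
        return (e + 1, se_enc(ko_new, se_dec(ko_prev, co)))

    def dec(self, c: tuple) -> bytes:
        e, co = c
        return se_dec(self.ki, se_dec(self.ko[e], co))
```

Holding a token lets anyone move a ciphertext to the next epoch, but it exposes only the inner ciphertext $C^i$, never the message, which is the same $C^i$ in every epoch; that is why the theorem restricts token and key corruption in challenge-equal epochs.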
Adversary $\mathcal{B}_{\mathsf{out}}$ attacks the outer encryption and emulates the IND-ENC game to $\mathcal{A}$. Initially, it sets $e \leftarrow 0$, $\mathcal{L} \leftarrow \emptyset$, and guesses the challenge epoch $e'$ uniformly at random from $\{0, \ldots, \hat{e}\}$, where $\hat{e}$ is an upper bound on the number of epochs for $\mathcal{A}$. Adversary $\mathcal{B}_{\mathsf{out}}$ then runs the strategy $\mathcal{B}^{e'}_{\mathsf{out}}$, which generates the initial outer key $k^o_0 \xleftarrow{r} \mathsf{SE.kgen}(\lambda)$ and inner key $k^i \xleftarrow{r} \mathsf{SE.kgen}(\lambda)$, and runs $\mathcal{A}$ on empty input. It then emulates the oracles $\mathcal{O}_{\mathsf{enc}}$, $\mathcal{O}_{\mathsf{next}}$, $\mathcal{O}_{\mathsf{upd}}$, and $\mathcal{O}_{\mathsf{corrupt}}$ as follows. Upon $\mathcal{O}_{\mathsf{enc}}(m)$, adversary $\mathcal{B}_{\mathsf{out}}$ computes $C^i \xleftarrow{r} \mathsf{SE.enc}(k^i, m)$. If $e \neq e'$, then adversary $\mathcal{B}_{\mathsf{out}}$ computes $C^o \xleftarrow{r} \mathsf{SE.enc}(k^o_e, C^i)$, else it queries $C^i$ to its own oracle $\mathcal{O}_{\mathsf{enc}}$ to obtain $C^o$. Then, $\mathcal{B}^{e'}_{\mathsf{out}}$ sets $\mathcal{L} \leftarrow \mathcal{L} \cup \{(C^o, C^i, e)\}$ and returns $C^o$ to $\mathcal{A}$. Oracles $\mathcal{O}_{\mathsf{next}}$ and $\mathcal{O}_{\mathsf{corrupt}}$ are dealt with exactly as in the case of $\mathcal{B}_{\mathsf{in}}$ above.^6 Oracle $\mathcal{O}_{\mathsf{upd}}$ behaves (apart from the format of $\mathcal{L}$) as in $\mathcal{B}_{\mathsf{in}}$ for $e \neq e'$, but for $e = e'$ adversary $\mathcal{B}^{e'}_{\mathsf{out}}$ uses its $\mathcal{O}_{\mathsf{enc}}$ oracle to compute the updated ciphertexts.
Let now $\tilde{e}$ denote the epoch in which $\mathcal{A}$ outputs $m_0, m_1$; adversary $\mathcal{B}^{e'}_{\mathsf{out}}$ computes $\tilde{C}^b \xleftarrow{r} \mathsf{SE.enc}(k^i, m_b)$ for $b \in \{0, 1\}$. If $e' < \tilde{e}$, then $\mathcal{B}^{e'}_{\mathsf{out}}$ computes $\tilde{C} \xleftarrow{r} \mathsf{SE.enc}(k^o_{e'}, \tilde{C}^0)$; if $e' = \tilde{e}$, then $\mathcal{B}^{e'}_{\mathsf{out}}$ outputs $\tilde{C}^0, \tilde{C}^1$ to obtain challenge ciphertext $\tilde{C}$; and if $e' > \tilde{e}$, then it computes $\tilde{C} \xleftarrow{r} \mathsf{SE.enc}(k^o_{e'}, \tilde{C}^0)$. Then, $\mathcal{B}^{e'}_{\mathsf{out}}$ sets $\tilde{\mathcal{L}} \leftarrow \{(\tilde{C}, \tilde{e})\}$, and provides $\tilde{C}$ to $\mathcal{A}$. Furthermore, $\mathcal{B}_{\mathsf{out}}$ continues to provide oracles $\mathcal{O}_{\mathsf{enc}}$, $\mathcal{O}_{\mathsf{upd}}$, and $\mathcal{O}_{\mathsf{corrupt}}$ as before. Oracle $\mathcal{O}_{\mathsf{next}}$ is modified (as in IND-ENC) to additionally set $\tilde{\mathcal{L}} \leftarrow \tilde{\mathcal{L}} \cup \{(\tilde{C}_e, e)\}$, where $\tilde{C}_e$ is computed analogously to the challenge ciphertext $\tilde{C}$ depending on whether $e < \tilde{e}$, $e = \tilde{e}$, or $e > \tilde{e}$. Furthermore, as $\mathcal{B}_{\mathsf{in}}$, $\mathcal{B}^{e'}_{\mathsf{out}}$ provides $\mathcal{A}$ with an oracle $\mathcal{O}_{\mathsf{upd}\tilde{C}}$ that returns the current challenge ciphertext $\tilde{C}_e$.
Assume, for now and hypothetically, that $\mathcal{B}^{e'}_{\mathsf{out}}$ emulates the embedded IND-CPA game and can open the respective key $k^o_{e'}$ for the $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{token}, \cdot)$ or $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{key}, \cdot)$ queries, if necessary. (We will later explain why this assumption is not a problem.) Note that with $e' = 0$ and challenge bit 0 in the embedded IND-CPA game, the view of $\mathcal{A}$ is exactly the same as in IND-ENC with challenge bit 0, and that with $e' = \hat{e}$ and challenge bit 1 in the embedded IND-CPA game, the view of $\mathcal{A}$ is exactly the same as in IND-ENC with challenge bit 1. The hybrid argument then states that there is one $e' \in \{0, \ldots, \hat{e}\}$ in which $\mathcal{B}_{\mathsf{out}}$ wins with advantage at least $\varepsilon/\hat{e}$; denote by $\mathcal{B}^{e'}_{\mathsf{out}}$ the adversary that always embeds the IND-CPA challenge in epoch $e'$.
^6 Queries $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{key}, e^*)$ for $e^* = e'$, and $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{token}, e^*)$ for $e^* = e'$ or $e^* = e'+1$ cannot be answered, and $\mathcal{B}^{e'}_{\mathsf{out}}$ aborts the emulation and outputs a random bit. Indeed, we argue below that in these cases $\mathcal{B}^{e'}_{\mathsf{out}}$ may fail. All other cases can be dealt with because $\mathcal{B}^{e'}_{\mathsf{out}}$ chose all keys $k^i$ and $k^o_e$ for $e \neq e'$ internally, and the oracles return $(k^o_{e^*}, k^i)$ and $(k^o_{e^*-1}, k^o_{e^*})$, respectively.
What remains to be shown is how we deal with the fact that the reduction may fail; for this, we first further consider the case where $\mathcal{B}^{e'}_{\mathsf{out}}$ can obtain the key from the IND-CPA game. Indeed, whenever $\mathcal{A}$ does not obtain the challenge ciphertext in epoch $e'$, then the entire view is independent of the challenge bit. Therefore, in cases where $\mathcal{A}$ does not obtain the challenge in round $e'$, which means $\mathcal{A}$ may make queries of the types $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{token}, \cdot)$ or $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{key}, \cdot)$, we can safely randomize the output of $\mathcal{B}^{e'}_{\mathsf{out}}$ without decreasing its advantage; this is why $\mathcal{B}^{e'}_{\mathsf{out}}$ may abort here, without decreasing its advantage!
On the other hand, if $\mathcal{A}$ obtains the challenge ciphertext in round $e'$, either because it is the challenge oracle or through the $\mathcal{O}_{\mathsf{upd}\tilde{C}}$ oracle, then the condition stated in the lemma ensures that $\mathcal{A}$ does not make any query of the types $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{token}, e')$, $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{token}, e'+1)$, or $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{key}, e')$, which means in particular that $\mathcal{B}^{e'}_{\mathsf{out}}$ as described above does not fail. Therefore, the advantage of $\mathcal{B}^{e'}_{\mathsf{out}}$ is at least $1/\hat{e}$ times the advantage of $\mathcal{A}$.
As the emulation of $\mathcal{B}_{\mathsf{in}}$ is perfect, and by the above arguments for $\mathcal{B}_{\mathsf{out}}$, the sum of the advantage of $\mathcal{B}_{\mathsf{in}}$ and $\hat{e}$ times the advantage of $\mathcal{B}_{\mathsf{out}}$ is at least as large as the advantage of $\mathcal{A}$. Together, this concludes the proof. $\square$
B.2 Proof of Theorem 3 (weak IND-UPD Security of 2ENC)
Our updatable encryption scheme 2ENC defined in Section 5.1 is IND-UPD-secure if SE is an IND-CPA-secure encryption scheme, and adversary $\mathcal{A}$ makes at most one query $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{token}, e)$ for $e, e-1 \in \mathcal{C}^*$.
Proof. Let $\mathcal{A}$ be an adversary that achieves advantage at least $\varepsilon > 0$ against the unlinkability of 2ENC; then we construct from it an adversary $\mathcal{B} = \mathcal{B}(\mathcal{A})$ that breaks the IND-CPA security of SE. Adversary $\mathcal{B}$ uses one of two strategies $\mathcal{B}_1$ and $\mathcal{B}_2$ at random, where $\mathcal{B}_1$ works for the case in which $\mathcal{A}$ makes the query $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{token}, e)$ for $e, e-1 \in \mathcal{C}^*$ with $e < \tilde{e}$, and $\mathcal{B}_2$ for the case $e > \tilde{e}$.
Adversary $\mathcal{B}_1$ initially generates keys $k^i \xleftarrow{r} \mathsf{SE.kgen}(\lambda)$ and $k^o_0 \xleftarrow{r} \mathsf{SE.kgen}(\lambda)$, sets $e \leftarrow 0$, $\mathcal{L} \leftarrow \emptyset$, and guesses the challenge epoch $e'$ uniformly at random from $\{0, \ldots, \hat{e}\}$, where $\hat{e}$ is an upper bound on the number of epochs for $\mathcal{A}$. Adversary $\mathcal{B}_1$ then runs $\mathcal{A}$ on empty input and emulates oracles $\mathcal{O}_{\mathsf{enc}}$, $\mathcal{O}_{\mathsf{next}}$, $\mathcal{O}_{\mathsf{upd}}$, and $\mathcal{O}_{\mathsf{corrupt}}$ as follows. Upon $\mathcal{O}_{\mathsf{enc}}(m)$, compute $C^i \xleftarrow{r} \mathsf{SE.enc}(k^i, m)$. If $e = e'$, then $\mathcal{B}_1$ queries $C^i$ to its own oracle $\mathcal{O}_{\mathsf{enc}}$ to obtain a ciphertext $C^o$, otherwise $\mathcal{B}_1$ computes $C^o \xleftarrow{r} \mathsf{SE.enc}(k^o_e, C^i)$. Subsequently, set $\mathcal{L} \leftarrow \mathcal{L} \cup \{(C^o, C^i, e)\}$, and return $C^o$ to $\mathcal{A}$. Upon $\mathcal{O}_{\mathsf{next}}$, generate key $k^o_{e+1} \xleftarrow{r} \mathsf{SE.kgen}(\lambda)$ and set $e \leftarrow e+1$. Upon input $\mathcal{O}_{\mathsf{upd}}(C_{e-1})$, adversary $\mathcal{B}_1$ checks that $(C_{e-1}, C^i, e-1) \in \mathcal{L}$, computes $C_e \leftarrow \mathsf{SE.enc}(k^o_e, C^i)$ if $e \neq e'$ or obtains $C_e$ by querying $C^i$ to its own $\mathcal{O}_{\mathsf{enc}}$ oracle, sets $\mathcal{L} \leftarrow \mathcal{L} \cup \{(C_e, C^i, e)\}$, and returns $C_e$ to $\mathcal{A}$. Upon $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{token}, e^*)$ with $1 \le e^* \le e$, return $(k^o_{e^*-1}, k^o_{e^*})$. Upon $\mathcal{O}_{\mathsf{corrupt}}(\mathsf{key}, e^*)$ with $e^* \le e$, output $(k^o_e, k^i)$. These two operations may fail since we only know $e^* \neq \tilde{e}, \tilde{e}+1$ but not $e^* \neq e', e'+1$, as would be required for $\mathcal{B}_1$ to not have to open in epoch $e'$. We ignore this issue for now and explain how this is dealt with below.
If $\mathcal{A}$ outputs $C_0, C_1$, of which we know that they have been obtained either
1) $\in \mathcal{L}$. If $e < e'$, then compute $\tilde{C} \xleftarrow{r} \mathsf{SE.enc}(k^o_e, C^i_0)$; if $e = e'$, then obtain $\tilde{C}$ by providing $C_0, C_1$ as challenge messages in the IND-CPA game for SE (here we require that $|C_0| = |C_1|$); if $e > e'$, then compute $\tilde{C} \xleftarrow{r} \mathsf{SE.enc}(k^o_e, C^i_1)$. Subsequently, provide $\mathcal{A}$ with $\tilde{C}$ and access to the oracles as before as well as $\mathcal{O}_{\mathsf{upd}\tilde{C}}$. Oracles $\mathcal{O}_{\mathsf{enc}}$ and $\mathcal{O}_{\mathsf{upd}}$ are as before. Oracle $\mathcal{O}_{\mathsf{next}}$ must now also transfer the challenge ciphertext into the next epoch. This is done analogously to the computation of the challenge above, namely for $e < e'$ by encrypting $C_0$ under $k^o_e$, for $e = e'$ using the CPA game for SE, and for $e > e'$ by encrypting $C_1$ under $k^o_e$. Oracle $\mathcal{O}_{\mathsf{upd}\tilde{C}}$ returns the current challenge ciphertext $\tilde{C}_e$ computed during $\mathcal{O}_{\mathsf{next}}$.
The proof now proceeds by concluding the hybrid argument. First, if $e' = \hat{e}$ and the IND-CPA game for SE has its challenge bit set to 0, then the view of $\mathcal{A}$ is exactly as in the IND-UPD game with challenge bit 0. This can be seen since the encryption and update of the challenge ciphertext are consistently done with respect to $C_0$. By contrast, if $e' = 0$ and the IND-CPA game for SE has its challenge bit set to 1, then the view of $\mathcal{A}$ is the same as in the IND-UPD game with challenge bit 1. All operations are consistently done with $C_1$. Furthermore, for any $e' \in \{0, \ldots, \hat{e}-1\}$, the view of $\mathcal{A}$ when $e = e'$ and the IND-CPA challenge bit is 0 is the same as the view when $e = e'+1$ and the challenge bit is 1. This is so because in all rounds prior to and including $e'$, the challenge ciphertext contains $C_0$, whereas in all rounds starting with $e'+1$ it contains $C_1$. The hybrid argument then states that there is one $e' \in \{0, \ldots, \hat{e}\}$ in which $\mathcal{B}_1$ wins with advantage at least $\varepsilon/\hat{e}$; denote by $\mathcal{B}_1^{e'}$ the adversary that always embeds the IND-CPA challenge in epoch $e'$.
What remains to be shown is how we deal with the fact that the reduction may fail. Assume, hypothetically, that $\mathcal{B}_1^{e'}$ could obtain the key used in the IND-CPA game, in which case the emulation would always work. Whenever $\mathcal{A}$ does not obtain the challenge ciphertext in epoch $e'$, however, the entire view is independent of the challenge bit. Therefore, in such rounds $\mathcal{B}_1^{e'}$ can safely randomize its output without decreasing the advantage. The condition on the challenge and token queries ensures that $\mathcal{B}_1^{e'}$ will never actually need to get the key in the modified game.
Adversary $\mathcal{B}_2$ behaves similarly to $\mathcal{B}_1$, with two major differences. First, $\mathcal{B}_2$ has to guess the $\mathcal{O}_{\mathsf{enc}}(m)$ query during which one of the challenge ciphertexts is first encrypted. Then, it encrypts either this nonce or a random one; this reduces to the Real-or-Random variant of IND-CPA and requires an additional hybrid argument. In epochs $e > e'$ it will then encrypt under the respective epoch key.
This completes the proof. $\square$