Message-locked Encryption with File Update

Suyash Kandele[0000−0002−5887−2907] and Souradyuti Paul[0000−0001−5404−9975]

Indian Institute of Technology Bhilai, C.G., India

{suyashk,souradyuti}@iitbhilai.ac.in

Abstract. Message-locked encryption (MLE) (formalized by Bellare, Keelveedhi and Ristenpart, 2013) is an important cryptographic primi-tive that supports deduplication in thecloud.Updatable block-level message-locked encryption (UMLE)(formalized by Zhao and Chow, 2017) adds the update functionality to the MLE. In this paper, we formalize and extensively study a new cryptographic primitivefile-updatable message-locked encryption (FMLE).FMLE can be viewed as a generalization of theUMLE, in the sense that unlike the latter, the former does not require the existence ofBL-MLE (block-level message-locked encryption).FMLE

allows more flexibility and efficient methods for updating the ciphertext and tag.

Our second contribution is the design of two efficientFMLE construc-tions, namely,RevD-1andRevD-2, whose design principles are inspired from the very unique reverse decryption functionality of the FP hash function (designed by Paul, Homsirikamol and Gaj, 2012) and theAPE

authenticated encryption (designed by Andreevaet al., 2014). With re-spect toUMLE– which provides so far the most efficient update function –RevD-1andRevD-2reduce the total update time by at least 50%, on av-erage. Additionally, our constructions are storage efficient; in particular,

ciphertext expansionandtag storage for our constructions are constant, while they are logarithmic and linear for theUMLE, making it difficult to implement in various practical applications. We also provide detailed proofs of security for our constructions and give extensive comparison between our and the existing constructions. Being randomized, our con-structions are secure againstdictionary attacks. On the other hand, they are vulnerable to strong tag consistency (STC) attacks (as is the case with any randomizedMLE).

1

Introduction

MLE.Message-locked encryption (MLE)is a special type of encryption, where

the decryption key is derived from the message itself. The main application of

MLEis in the secure deduplication of data in thecloud, whereMLEremoves the need for storing multiple copies of identical data, without compromising their privacy and, thereby, helps to reduce the storage costs. Given the cloud services being on the rise, this primitive is gaining importance.

(CE). Bellare, Keelveedhi and Ristenpart [6] studied this subject in a formal way and named it message-locked encryption (MLE). They also gave efficient constructions ofMLE.

UMLE. As seen before, MLE does not inherently support the file-update and

the proof of ownership functionalities in its definition. UMLE solves this issue by adding three functionalities – file-update, PoW algorithms for prover and verifier – to the existing definition of MLE. The main drawback of UMLE is that the functionalities are constructed from another cryptographic primitive, namely, BL-MLE, which is nothing but MLE executed on a fixed-sized block. Such aBL-MLE-basedUMLE entails degradation of performance for encryption and decryption [20]. Another drawback of UMLE is that the update of file-tag is an expensive operation.

Motivation for studying FMLE. From the high level, both UMLE and

FMLE have identical functionalities; the main difference, however, is that the former is necessarily based onBL-MLE, but the latter may or may not be. There-fore, the definition ofFMLE can be viewed as a generalisation ofUMLE, where we remove the constraint of usingBL-MLE. The motivation for studyingFMLE

is clear from the drawbacks ofUMLE mentioned above. These motivations are:

Does there exist anFMLE scheme which is not based on BL-MLE? If such a construction exists, is it more efficient than UMLE?

StudyingFMLE is a futile exercise, if both the answers are in the negative. A moment’s reflection suggests that the answer to the first question is actually ‘Yes’. A trivial FMLE construction – not based on BL-MLE – always exists, where the file-update function is designed the following way: apply decryption to the ciphertext to recover the original plaintext; edit/modify the original mes-sage; and finally encrypt the updated message. Note that this trivial file-update function does not need any BL-MLE, therefore, it is an FMLE, but certainly not a UMLE scheme. The main drawback of thisFMLE scheme is that this is several orders of magnitude slower than a UMLE scheme. Therefore, the main challenge is:

Does there exists an FMLEscheme more efficient than UMLE?

Searching for such a construction is the main motivation of this paper.

Our Contribution. Our first contribution is formalizing the new crypto-graphic notion file-updatable message-locked encryption (FMLE). We also pro-pose two efficient FMLE constructionsRevD-1 and RevD-2: their update func-tions are at least 50% faster (on average).1 Also, our constructions are more space efficient than the so-far best MLE variants; in particular, theciphertext expansion and tag storage in RevD-1 and RevD-2 are constant, while they are logarithmic and linear (or may be worse) for other similar time-efficient cases. In

1

order to obtain this improvement in the performance, our constructions critically exploit a very unique feature – what we call reverse decryption – of the hash functionFP and the authenticated encryptionAPE. We also present proofs of security of our constructions. Extensive comparison of our constructions with the others – in terms of time complexity, storage requirements and security proper-ties – have also been provided (see Table 1). Being randomized, our constructions are secure against the dictionary attacks, however, they lack STCsecurity, like all other randomized MLEs.

Related Work. We now describe various pieces of work done by several

re-searchers that are related toFMLE. Douceuret al.are the first to come up with the idea ofConvergent Encryption (CE)in 2002, where the key was calculated as a hash of the message, and then this key was used for encryption [15]. Bel-lare, Keelveedhi and Ristenpart formalized CE in the form of message-locked encryption (MLE) [6]. They also provided a systematic discussion of various

MLE schemes. In a separate paper, these authors also designed a new system DupLESSthat supports deduplication even if the message entropy is low [5].

Beelare and Keelveedhi extended message-locked encryption to interactive message-locked encryption, and have addressed the cases when the messages are correlated as well as dependent on the public parameters, leading to weak-ened privacy [4]. Abadiet al.gave two new constructions for thei-MLE; these fully randomized schemes also supported equality-testing algorithm for finding ciphertexts derived from identical messages [1]. Jiang et al. gave an efficient logarithmic-time deduplication scheme that substantially reduces the equality-testing in thei-MLE schemes [17].

Canard, Laguillaumie and Paindavoine introduceddeduplication consistency

– a new security property – that prevents the clients from bypassing the dedu-plication protocol. This is accomplished by introducing a new feature named

verifiability (of the well-formation) of ciphertext at the server [13]. They also proposed a new ElGamal-based construction satisfying this property. Wang et al. proposed a stronger security notion PRV-CDA3 and showed that their new constructionME is secure in this model [19].

Chen et al. proposed the block-level message-locked encryption (BL-MLE), which is nothing but breaking a big message into smaller chunks – calledblocks– and then applyingMLE on the individualblocks [14]. Huang, Zhang and Wang showed how to integrate the functionality proof of storage (PoS)with MLE by using a new data structure Quadruple Tags [16]. Zhao and Chow proposed the use ofBL-MLE to designEfficiently Updatable Block-Level Message-Locked En-cryption (UMLE)scheme which has an additional functionality of updating the ciphertext that costs sub-linear time [20].

Organization of the paper. In Sect. 2, we discuss the preliminaries

includ-ing the notation and basic definitions. In Sect. 3, we give the formal definition of

FMLE. Section 4 describes the application ofFMLE in the deduplication proto-col. In Sects. 5 and 6, we construct theFMLEschemes by tweaking the existing

schemes and we compare them with the various FMLE schemes and conclude our paper in Sect. 8.

2

Preliminaries

2.1 Notation

The expression M := x denotes that the value of x is assigned to M, and

M := D(x) denotes that the value returned by function D(·), on input x, is assigned toM.M =xdenotes the equality comparison of the two variables M

and x, andM =D(x) denotes the equality comparison of the variableM with the output ofD(·), on inputx. TheXORor⊕denotes the bit-by-bit exclusive-or operation on two binary strings of same length. The concatenation operation of p ≥ 1 strings s1, s2,· · · , sp and assignment to the variable s is denoted by s := s1||s2|| · · · ||sp. The parsing of string s into p ≥1 strings s1, s2,· · ·, sp is

denoted by s1||s2|| · · · ||sp:=s. The length of stringM is denoted by|M|. The

set of all binary strings of length ` is denoted by{0,1}`_{. The set of all binary}

strings of any length is denoted by {0,1}∗_{. A vector of strings is denoted by} M and i-th string in M is denoted by M(i). The number of strings in M is denoted by kMk. The infinite set of all binary strings of any length is denoted by {0,1}∗∗_{. The set of all Natural numbers is denoted by}

N. We denote that

M is assigned a binary string of length k chosen randomly and uniformly by

M ← {0$ ,1}k_{. To mark any invalid string (may be input string or output string),}

the symbol⊥is used. (M, Z)← S$ (1λ_{) denotes the assignment of outputs given}

randomly and uniformly byS toM and Z.

2.2 Dictionary Attack

A dictionary attack is defined to be a brute-force attack, where the adversary first builds a dictionary off-line, and then processes every element of the dictio-nary to determine the correct solution against an online challenge. For example, suppose that the hash of a message is given as a challenge to the adversary for her to determine the correct message. If the entropy of the message is low, then the adversary generates the dictionary of all possible messages and their cor-responding hash values off-line; and given the online challenge, she selects the message whose hash value matches the challenge. Any deterministic MLE with low message entropy is broken by dictionary attack.

2.3 Proof of Ownership

storage provider generates a challenge Q and sends it to the client, along with some other information. The client computes the proofP corresponding to the given challengeQand sends it back to the cloud. The cloud verifies it and if the verification is successful, then the client is granted access, otherwise the access is denied.

2.4 Ideal Permutation

Letπ/π−1_:{0,1}n _{7→ {0,1}}n _{be a pair of oracles. The pair π/π}−1 _{is called an}

ideal permutation if the following three properties are satisfied. 1.π−1(π(x)) =xandπ(π−1(x)) =x, for allx∈ {0,1}n_.

2. Suppose, xk is the k-th query (k ≥1), submitted to the oracle π, and y ∈

{0,1}n_{. Then, for the current queryx} i:

Prhπ(xi) =y

π(x1) =y1, π(x2) =y2,· · ·, π(xi−1) =yi−1 i

=



   

   

1, ifxi=xj, y=yj, j < i.

0, ifxi=xj, y6=yj, j < i,

0, ifxi6=xj, y=yj, j < i, 1

2n_−i+1, ifxi6=xj, y6=yj, j < i.

3. Suppose, yk is the k-th query (k ≥ 1), submitted to the oracle π−1, and x∈ {0,1}n_{. Then, for the current queryy}

i:

Prhπ−1(yi) =x

π

−1_{(y1) =x1, π}−1_{(y2) =x2,· · ·, π}−1_(y

i−1) =xi−1

i

=



   

   

1, ifyi=yj, x=xj, j < i.

0, ifyi=yj, x6=xj, j < i,

0, ifyi6=yj, x=xj, j < i, 1

2n_−i+1, ifyi6=yj, x6=xj, j < i.

2.5 Random Function

Let rf: {0,1}n _{7→ {0,1}}n_{. Then rf is called a random function if the following}

property is satisfied. Suppose,xk is thek-th query (k≥1), submitted to therf,

andy∈ {0,1}n_{. Then, for the current queryx} i:

Prhrf(xi) =y

rf(x1) =y1,rf(x2) =y2,· · · ,rf(xi−1) =yi−1 i

=



 

 

1, ifxi=xj, y=yj, j < i.

0, ifxi=xj, y6=yj, j < i, 1

2.6 Unpredictable Sources

We are modelling the security based on an unpredictable message source which is a PT algorithm, denotedS(·), that returns (M, Z) on input 1λ_{, wherevector of} messagesM ∈ {0,1}∗∗_{andauxiliary informationZ ∈ {0,1}}∗_{. We consider that} S(·) is a Public source, that is, it is known to all the parties including the adver-sary. Here,M hasm(1λ_{) number of strings, i.e.,kMk=m(1}λ_{) and the length of}

each stringM(i)isl(1λ, i), i.e.,|M(i)|=l(1λ, i) fori∈ {1,2,· · ·, m(1λ)}. Here,

m andl are two functions. We require that the two stringsM(i1)_6=M(i2)_{, for}

i1 6=i2 andi1, i2 ∈ {1,2,· · · , m(1λ_{)}. Associated with the source S(·) is a real}

numberGPS, namely, theGuessing Probability of source, which is the maximum of all the probabilities of guessing a single string inM, given the auxiliary infor-mation. The formal definition is GPS(1λ)

def

= maxi∈{1,2,···,m(1λ_)}GP(M(i)|Z). The sourceS(·) is said to be unpredictable if the value ofGPS is negligible. We now define themin-entropyµS(·) of the sourceS(·) asµS(1λ) =−log(GPS(1λ)). The source S(·) is said to be a valid source for an MLE scheme Π if M(i) ∈ M,∀i∈ {1,2,· · · , m(1λ_)}.

2.7 Message-locked Encryption

The definition ofmessage-locked encryption (MLE)has already been described in [6]. We briefly re-discuss it below, with a few suitable changes in the notation to suit the present context.

Syntax. Suppose λ ∈ N is the security parameter. An MLE scheme Π =

(Π.E, Π.D) is a pair of algorithms over a PPT setup Π.Setup.Π satisfies the following conditions.

1. The PPT setup algorithm Π.Setup(1λ_{) outputs the parameter params}(Π)

and the setsK(Π)_,M(Π)_,C(Π)_andT(Π)_{, denoting thekey,message,}

cipher-textandtag spacesrespectively.

2. The PPT encryption algorithm Π.E takes as inputsparams(Π) _{and M ∈}

M(Π)_{, and returns a 3-tuple (K, C, T) :=Π.E(params}(Π)_{, M), where K∈}

K(Π)_{,C∈ C}(Π)_{andT ∈ T}(Π)_.

3. The decryption algorithmΠ.Dis a deterministic algorithm that takes as in-putsparams(Π)_{,K∈ K}(Π)_{,C∈ C}(Π)_{andT ∈ T}(Π)_{, and returnsΠ.D(para} -ms(Π)_{, K, C, T)∈ M}(Π)_{∪ {⊥}. The decryption algorithmΠ.Dreturns⊥if}

the keyK, ciphertextC and tagT are not generated from a valid message. 4. We restrict |C|to be a linear function of|M|.

Key Correctness.LetM, M0∈ M(Π). Suppose:

•(K, C, T) :=Π.E(params(Π)_{, M), and}

•(K0, C0, T0) :=Π.E(params(Π)_{, M}0_).

Decryption Correctness.LetM ∈ M(Π). Suppose:

•(K, C, T) :=Π.E(params(Π), M).

Thendecryption correctnessofΠrequires thatΠ.D(params(Π)_{, K, C,} T) =M, for allλ∈_Nand allM ∈ M(Π)_.

Tag Correctness.LetM, M0∈ M(Π)_{. Suppose:}

•(K, C, T) :=Π.E(params(Π)_{, M), and}

•(K0, C0, T0) :=Π.E(params(Π), M0).

Thentag correctness ofΠ requires thatif M =M0, thenT =T0, for allλ∈_Nand allM, M0 ∈ M(Π)_.

The two security games are written in the form of a challenger-adversary framework.

GamePRV$-CDAS_Π,A(1λ, b) (M, Z)← S$ (1λ_);

for(i:= 1,2,· · ·m(1λ))

(K(₁i),C₁(i),T₁(i)) :=Π.E(params(Π)_,M(i)_);

K(₀i)← {$ 0,1}|K(1i)|;

C(₀i)← {$ 0,1}|C

(i) 1 |;

T(₀i)← {$ 0,1}|T(1i)|; b0:=A(1λ,Cb,Tb, Z); returnb0;

GameSTCA_Π(1λ) TCA_Π(1λ) (M, C0, T0) :=A(1λ);

If(M=⊥)∨(C0=⊥)

return 0;

(K, C, T) :=Π.E(params(Π)_{, M);}

M0:=Π.D(params(Π), K, C0, T0); If(T=T0_{)∧(M=6 M}0_{) ∧(M}0_6=⊥)

return 1; Elsereturn 0;

Fig. 1. Games defining PRV$-CDA, STC and TC security of MLE scheme Π = (Π.E, Π.D).

Privacy. Let Π = (Π.E, Π.D) be an MLE scheme. Since, no MLE scheme can providePRV$-CDA security for predictable messages (even if the scheme is randomized), we use an unpredictable message sourceS, as defined in Sect. 2.6, to design our security notion. For anMLEscheme, we design theprivacy against chosen distribution attack PRV$-CDA security game in Fig. 1. Here, the chal-lenger generates a vector of messagesM and some auxiliary informationZusing the source S(1λ_{), encrypts the string M}(i)_{, where i∈ {1,2,· · · , m(1}λ_{)}, using} Π.E to obtain (K(₁i),C(₁i),T₁(i)), computes the random strings K(₀i), C(₀i) and T(₀i)of length|K(₁i)|,|C₁(i)|and|T₁(i)|respectively, and sends (Cb,Tb, Z) to the

adversary. The adversary has to return a bitb0indicating whether the ciphertext Cb and tagTbcorresponds to messageM or is it a collection of random strings.

If the values ofb andb0 coincide, then the adversary wins the game.

AdvPRV$-CDA_Π,S,A (1λ)def=

Pr[PRV$-CDA

A

Π,S(1λ, b= 1) = 1]

−Pr[PRV$-CDAA_Π,S(1λ_{, b= 0) = 1]} .

AnMLE scheme Π is said to be PRV$-CDA secure over a set of valid PT sources for MLE scheme Π, S = {S0,S1,· · · }, for all PT adversaries A and for all Si ∈ S, if AdvΠ,PRV$-CDASi,A (·) is negligible. AnMLE scheme Π is said to be PRV$-CDA secure, for all PT adversaries A, ifAdvPRV$-CDA

Π,S,A (·) is negligible, for all valid PT sourceS forΠ.

Tag Consistency. Let Π = (Π.E, Π.D) be an MLE scheme. For an MLE

scheme, we design the STC and TC security games in Fig. 1, which aims to provide security against duplicate faking attacks. In a duplicate faking attack, two unidentical messages – one fake message produced by an adversary and a legitimate one produced by an honest client – produce the same tag, thereby causing loss of message and hampers the integrity. In an erasure attack, the adversary replaces the ciphertext with a fake message that decrypts successfully. The adversary returns a message M, a ciphertext C0 _{and a tag T}0_{. If the} message or ciphertext is invalid, the adversary loses the game. Otherwise, the challenger computes encryption key K, ciphertext C and tagT corresponding to message M using Π.E, and computes the message M0 corresponding to key

K, ciphertextC0 and tag T0 usingΠ.D. If the two tags are equal, i.e.T =T0, the message M0 is valid, i.e. M0 6=⊥, and the two messages are unequal, i.e.

M 6=M0, then the adversary wins theTCgame.

Now, we define the advantage of aTCadversaryAagainstΠ as:

AdvTC_Π,A(1λ)def= Pr[TCA_Π(1λ) = 1].

Now, we define the advantage of anSTCadversaryAagainstΠ as:

AdvSTC_Π,A(1λ)def= Pr[STCA_Π(1λ) = 1].

AnMLE scheme Π is said to beTC(or STC) secure, for all PT adversaries A, ifAdvTC

Π,A(·) (orAdvΠ,STCA(·)) is negligible.

2.8 Updatable block-level message-locked encryption

The definition of updatable block-level message-locked encryption (UMLE) has already been described in [20]. We briefly re-discuss it below, with a few suitable changes in the notation to suit the present context.

Syntax. Suppose λ ∈ N is the security parameter. A UMLE scheme Π =

1. The PPT setup algorithm Π.Setup(1λ_{) outputs the parameter params}(Π)

and the setsK(Π)_,M(Π)_,C(Π)_andT(Π)_{, denoting thekey,message,}

cipher-textandtag spacesrespectively.

2. The PPT key-generation algorithm Π.KeyGen takes as inputs params(Π)

andM ∈ M(Π)_{, and returns a set of keys (k}

mas, k1, k2,· · ·, kn) :=Π.KeyGe

-n(params(Π)_{, M), where k}

mas, k1, k2,· · ·, kn ∈ K(Π). It uses two routines: Π.B-KeyGenthat takes as inputi-th block of messageM[i], and returns the block keyki; andΠ.M-KeyGenthat takes as input messageM, and returns

the master keykmas.

3. The PPT encryption algorithm Π.Enc takes as inputs params(Π)_{, a set of}

keyskmas, k1, k2,· · ·, kn∈ K(Π)andM ∈ M(Π), and returns the ciphertext C:=Π.Enc(params(Π)_,(k

mas, k1, k2,· · · , kn), M), whereC ∈ C(Π). It uses

two routines:Π.B-Enc that takes as input i-th block of messageM[i] and corresponding keyki, and returns the block ciphertextC[i]; and Π.BK-Enc

that takes as input block keysk1, k2,· · · , knand returns the encrypted block

keysC[n+ 1], C[n+ 2],· · · , C[n0], wheren0∈ O(n).

4. The PPT tag-generation algorithm Π.TagGen takes as inputs params(Π)

and C ∈ C(Π)_{, and returns the tag T := Π.TagGen(params}(Π)_{, C), where} T ∈ T(Π)_{. It uses two routines:Π.B-TagGenthat takes as inputi-th block of}

ciphertextC[i] and returns the block tagT[i]; andΠ.M-TagGenthat takes as input ciphertextCand returns the file tagT[0]. ThenT =T[0]||T[1]||T[2] || · · · ||T[n0_].

5. The decryption algorithmΠ.Decis a deterministic algorithm that takes as inputsparams(Π)_,k

mas∈ K(Π)andC∈ C(Π), and returns theΠ.Dec(param s(Π)_{, k}

mas, C)∈ M(Π)∪ {⊥}. It uses two routines:Π.BK-Decthat takes as

input master keykmasand encrypted block keysC[n+1], C[n+2],· · · , C[n0],

and returns a set of block keys k1, k2,· · · , kn; and Π.B-Dec that takes as

input ciphertext C[i] and corresponding key ki and returns the file block M[i]

6. The update-ciphertext algorithmΠ.Updatetakes as inputsparams(Π), mas-ter key kmas ∈ K(Π), block number to be updated i ∈ N, new message

block Mnew ∈ M(Π) and the ciphertext C ∈ C(Π), and returns the pair

(K0, C0) :=Π.Update(params(Π)_,(k

mas, i, Mnew), C), whereK0 ∈ K(Π)and C0 ∈ C(Π)_.

7. The update-tag algorithm Π.UpdateTag takes as inputs params(Π)_{, T ∈}

T(Π)_{, and C, C}0 _{∈ C}(Π)_{, and returns T}0 _{:=Π.UpdateTag(params}(Π)_{, T, C,} C0), where T0 ∈ T(Π)_.

8. The PPT PoW algorithm for prover Π.PoWPrftakes as inputsparams(Π), challengeQandM ∈ M(Π)_{, and returns the proofP :=Π.PoWPrf(param} -s(Π), Q, M).

9. The PPT PoW algorithm for verifierΠ.PoWVertakes as inputsparams(Π)_,

challengeQ,T ∈ T(Π)_{and proofP, and returns the valueval:=Π.PoWVe}

-r(params(Π)_{, Q, T, P), whereval∈ {TRUE,FALSE}.}

10. We restrict|C|to be a linear function of|M|.

Decryption Correctness. LetM =M[1]||M[2]|| · · · ||M[n]. For block

•ki:=Π.B-KeyGen(M[i]), and

•C[i] :=Π.B-Enc(ki, M[i]).

Then decryption correctness of Π requires that Π.B-Dec(ki, C[i]) = M[i], for allλ∈Nand allM[i]∈ M(Π)_.

Block Key Retrieval Correctness.LetM =M[1]||M[2]|| · · · ||M[n]. Sup-pose:

•ki:=Π.B-KeyGen(M[i]), for block messageM[i], where 1≤i≤n,

•kmas:=Π.M-KeyGen(M), and

•(C[n+ 1], C[n+ 2],· · ·, C[n0_{]) :=Π.BK-Enc(k}

1, k2,· · · , kn).

Thenblock key retrieval correctnessofΠrequires thatΠ.BK-Dec(kmas, C[n+ 1], C[n+ 2],· · · , C[n0]) = (k1, k2,· · · , kn).

Tag Correctness.LetM, M0∈ M(Π), Suppose:

•kmas:=Π.KeyGen(params(Π), M),

•C:=Π.Enc(params(Π)_{, k}

mas, M),

•T :=Π.TagGen(params(Π)_{, C)}

•k0mas:=Π.KeyGen(params(Π), M0),

•C0:=Π.Enc(params(Π)_{, k}0

mas, M0), and

•T0:=Π.TagGen(params(Π), C0).

Thentag correctness ofΠ requires thatif M =M0, thenT =T0, for allλ∈_Nand allM, M0 ∈ M(Π)_.

Update Correctness.LetM =M[1]||M[2]|| · · · ||M[n]. Suppose: •kmas:=Π.KeyGen(params(Π), M),

•C:=Π.Enc(params(Π), kmas, M), and

•(K0, C0) :=Π.Update(params(Π)_,(k

mas, i, M0[i]), C).

Thenupdate correctnessofΠrequires thatΠ.Dec(params(Π)_{, K}0_{, C}0_{) =}

M[1]||M[2]|| · · · ||M[i−1]||M0[i]||M[i+ 1]|| · · · ||M[n].

PoW Correctness.LetM =M[1]||M[2]|| · · · ||M[n]. Suppose:

•kmas:=Π.KeyGen(params(Π), M),

•C:=Π.Enc(params(Π)_{, k}

mas, M), and

•T :=Π.TagGen(params(Π)_{, C).}

ThenPoW correctnessofΠ requires that for any challengeQ, and for the proofP :=Π.PoWPrf(params(Π)_{, Q, M), we have the probability Pr[Π.Po}

-WVer(params(Π)_{, Q, T, P) =TRUE] = 1.}

The four security games are written in the form of a challenger-adversary framework.

Privacy.LetΠ = (Π.KeyGen, Π.Enc, Π.TagGen, Π.Dec, Π.Update, Π.Updat

GamePRV$-CDAS_Π,A(1λ, b) (M, Z)← S$ (1λ_);

for(i:= 1,2,· · ·, m(1λ₎₎

K(₁i):=Π.KeyGen(params(Π)_,M(i)_);

C(₁i):=Π.Enc(params(Π)_,K(i) 1 ,M

(i)_);

T(₁i):=Π.TagGen(params(Π)_,C(i) 1 );

K(₀i)← {$ 0,1}|K(1i)|;

C(₀i)← {$ 0,1}|C(1i)|;

T(₀i)← {$ 0,1}|T

(i) 1 |; b0:=A(1λ_,C

b,Tb, Z);

returnb0;

GameSTCA_Π(1λ) TCA_Π(1λ) (M, C0, T0) :=A(1λ);

If (M=⊥)∨(C0=⊥),thenreturn 0; If (T06=Π.TagGen(params(Π)_{, C}0₎₎

return 0;

K:=Π.KeyGen(params(Π), M); C:=Π.Enc(params(Π), K, M); T :=Π.TagGen(params(Π)_{, C);}

M0:=Π.Dec(params(Π)_{, K, C}0_);

If (T=T0)∧(M=6 M0) ∧(M06=⊥) return 1;

Elsereturn 0;

GameCXHA_Π(1λ, b) (M0, M1, i) :=A1(1λ);

Determine blocki0whereM0andM1differ;

Ifi6=i0,thenreturn 0;

K0:=Π.KeyGen(params(Π), M0);

C0:=Π.Enc(params(Π), K0, M0);

K1:=Π.KeyGen(params(Π), M1);

C1:=Π.Enc(params(Π), K1, M1);

(K0

1, C10) :=Π.Update(params(Π),

(K1, i, M0[i]), C1);

Ifb= 0,thenC∗:=C0;

ElseC∗:=C₁0; b0_:=A

2(1λ, C∗);

returnb0_;

GameUNC-CDAA_Π(1λ)

S(·) :=A1(1λ);

(M, Z)← S$ (1λ_);

K:=Π.KeyGen(params(Π)_{, M);}

C:=Π.Enc(params(Π), K, M); T:=Π.TagGen(params(Π), C); P∗:=A2(1λ, Q, Z);

P:=Π.PoWPrf(params(Π), Q, M);

If(Π.PoWVer(params(Π)_{, Q, T , P}∗_{) =TRUE)}

∧(P∗6=P) return 1; Elsereturn 0;

Fig. 2. Games defining PRV$-CDA, STC, TC, CXH and UNC-CDA security of

UMLE scheme Π = (Π.KeyGen, Π.Enc, Π.TagGen, Π.Dec, Π.Update, Π.UpdateTag, Π.PoWPrf, Π.PoWVer). In CXHandUNC-CDAgames, adversaryA= (A1,A2).

thePRV$-CDA game, as in Fig. 2, the challenger gets a vector of messages,M and the auxiliary informationZ, from the sourceS(·). The challenger does the following operations: computes the decryption keyK(₁i), ciphertextC(₁i)and tag T(₁i) for each message string M(i), where i ∈ {1,2,· · ·, m(1λ)}; computes the random stringsK(₀i),C₀(i)andT(₀i)of length|K(₁i)|,|C₁(i)|and|T(₁i)|respectively; and returns (Cb,Tb, Z) to the adversary. The adversary has to return a bitb0

indicating whether the ciphertextCband tagTb corresponds to messageM or

is it a collection of random strings. If the values of b and b0 coincide, then the adversary wins the game.

We define the advantage of aPRV$-CDAadversaryAagainstΠ for the mes-sage sourceS(·) as:

AdvPRV$-CDA

Π,S,A (1λ)

def

=

Pr[PRV$-CDA

A

Π,S(1λ, b= 1) = 1]

−Pr[PRV$-CDAAΠ,S(1λ, b= 0) = 1]

.

for all Si∈ S, if AdvΠ,PRV$-CDASi,A (·) is negligible. AUMLE schemeΠ is said to be PRV$-CDA secure, for all PT adversaries A, ifAdv_Π,PRV$-CDA_S,A (·) is negligible, for all valid PT sourceS forΠ.

Tag Consistency.LetΠ= (Π.KeyGen, Π.Enc, Π.TagGen, Π.Dec, Π.Update, Π.UpdateTag, Π.PoWPrf, Π.PoWVer) be aUMLEscheme. For aUMLEscheme, we have designed the STCand TCsecurity game in Fig. 2, which aims to pro-vide security against duplicate faking attacks. In addition,STCprovides guards against erasure attack. In a duplicate faking attack, two unidentical messages – one fake message produced by an adversary and a legitimate one produced by an honest client – produce the same tag, thereby causing loss of message and hampers the integrity. In an erasure attack, the adversary replaces the ciphertext with a fake message that decrypts successfully.

The adversary returns a message M, a ciphertext C0 and a tag T0. If the message or ciphertext is invalid, the adversary looses the game. If the tag T0 is not computed fromC0, then also, the adversary loses the game. Otherwise, the challenger computes key K, ciphertextC and tag T corresponding to message

M, and computes the messageM0 corresponding to ciphertextC0 using keyK. If the two tags are equal, i.e.T =T0, the messageM0 is valid, i.e.M06=⊥, and the two messages are unequal, i.e. M 6= M0, then the adversary wins the TC game.

Now, we define the advantage of aTCadversaryAagainstΠ as:

AdvTC_Π,A(1λ)def= Pr[TCA_Π(1λ) = 1].

Now, we define the advantage of anSTCadversaryAagainstΠ as:

AdvSTC_Π,A(1λ)def= Pr[STCA_Π(1λ) = 1].

AUMLE schemeΠ is said to beTC(orSTC) secure, for all PT adversaries A, ifAdvTC

Π,A(·) (orAdvΠ,STCA(·)) is negligible.

Context Hiding. Let Π = (Π.KeyGen, Π.Enc, Π.TagGen, Π.Dec, Π.Update, Π.UpdateTag, Π.PoWPrf, Π.PoWVer) be a UMLE scheme. For a UMLE, we have designed the CXHgame in Fig. 2, which aims to provide security against distinguishing between an updated ciphertext and a ciphertext encrypted from scratch, to ensure that the level of privacy is not compromised during update process.

According to theCXHgame, as in Fig. 2, the adversary returns two messages

M0 andM1 such thatM0 andM1 are identical for all bits except block i. The

challenger determines the messages block i0 where M0 and M1 differ, and the

adversary loses if the messages M0 and M1 differ at any place other than i

-th block, i.e. i 6=i0. The challenger encrypts the two messages M0 andM1 to

generate K0 & C0 and K1 &C1 and updates the i-th block of C1 with M0[i]

whether the ciphertext is built from scratch or is an updated ciphertext. If the values ofbandb0 coincide, then the adversary wins the game.

Now, we define the advantage of aCXH adversary Afor 1-block update in message, againstΠ as:

AdvCXHΠ,A(1λ)

def

=

Pr[CXH

A

Π(1λ, b= 1) = 1]−Pr[CXH

A

Π(1λ, b= 0) = 1]

.

AUMLE schemeΠ is said to beCXHsecure, for 1-block update in message, for all PT adversariesA, ifAdvCXH

Π,A(·) is negligible.

Proof of ownership.LetΠ = (Π.KeyGen, Π.Enc, Π.TagGen, Π.Dec, Π.Up -date, Π.UpdateTag, Π.PoWPrf, Π.PoWVer) be a UMLE scheme. For a UMLE, we have designed the UNC-CDAgame in Fig. 2, which aims to provide security against the adversary in proving that they possess the entire file when they actually have only a partial information about the file. This is to block the unauthorised ownership of the file.

According to the UNC-CDA game, as in Fig. 2, the adversary returns an unpredictable message source S(·). The challenger gets a message M and the auxiliary information Z, from this source. The challenger then send the chal-lenge Q and the auxiliary information Z to the adversary and the adversary returns a proof P∗. The challenger generates the proof P for the same chal-lenge. If P∗ is successfully verified by the PoW verifier algorithm Π.PoWVer, i.e. Π.PoWVer(params(Π)_{, Q, T, P}∗_{) = TRUE, and P is different from P}∗_{, i.e.}

P∗6=P, then the adversary wins the game.

Now, we define the advantage of aUNC-CDAadversaryAagainst an uncheat-able chosen distribution attack againstΠ for a message source sourceS(·) as:

AdvUNC-CDA_Π,A (1λ)def= Pr[UNC-CDAA_Π(1λ) = 1].

AUMLE schemeΠ is said to beUNC-CDAsecure, for all PT adversariesA, ifAdvUNC-CDA

Π,A (·) is negligible. 2.9 Hash Function

Syntax. Suppose λ ∈ _N is the security parameter. A hash function H is an algorithmH.Hover a PPT setupH.Setup.Hsatisfies the following conditions.

1. The PPT setup algorithm H.Setup(1λ) outputs the parameter params(H)

and the setsM(H)_andT(H)_{denoting themessageanddigest spaces}

respec-tively.

2. The deterministic hash algorithmH.Htakes as inputsparams(H) _{andM ∈}

M(H)_{, and returnsh:=H.H(params}(H)_{, M), whereh∈ T}(H)_. Correctness.LetM, M0 ∈ M(H). Suppose:

•h:=H.H(params(H)_{, M), and}

Then correctness of Hrequires that if M =M0, thenh =h0, for all

λ∈_N and allM, M0 ∈ M(H)_.

The security game is written in the form of a challenger-adversary framework.

GameCRHFAH(1λ) (M0, M1) :=A(1λ);

If (H.H(params(H), M0) =H.H(params(H), M1))∧(M06=M1)

return 1;

Elsereturn 0;

Fig. 3.Game definingCRHFsecurity of Hash FunctionH=H.H.

Collision-Resistance. Let H = H.H be a hash function. We design the Collision-Resistance security game in Fig. 3. According to the CRHF game, the adversary sends two messages M0 and M1 to the challenger. The

chal-lenger checks, if the hash value of the two messages M0 and M1 are equal,

i.e.H.H(params(H)_{, M}

0) =H.H(params(H), M1) underM06=M1.

Now, we define the advantage of aCRHFadversaryAagainstHas:

AdvCRHFH,A (1

λ

)def= Pr[CRHFAH(1

λ

) = 1].

A hash functionHis said to be CRHFsecure, for all PPT adversaries A, if

AdvCRHF

H,A (·) is negligible.

2.10 One-time Symmetric Encryption

Syntax. Supposeλ∈ N is the security parameter. Aone-time symmetric

en-cryption scheme SE = (SE.GEN,SE.SE,SE.SD) is three-tuple of algorithms over a PPT setupSE.Setup.SE satisfies the following conditions.

1. The PPT setup algorithm SE.Setup(1λ_{) outputs the parameterparams}(SE)

and the setsK(SE)_,M(SE)_andC(SE)_{denoting thekey,messageandciphertext}

spaces respectively.

2. The PPT key generation algorithm SE.GEN takes as inputs params(SE), and returns keyK:=SE.GEN(params(SE)_{), whereK∈ K}(SE)_.

3. The encryptionSE.SEis a deterministic algorithm takes as inputsparams(SE)_,

encryption keyK∈ K(SE) _{and the message M ∈ M}(SE)_{, returns ciphertext} C := SE.SE(params(SE)_{, K, M), where C ∈ C}(SE)_{. In order to make this}

schemeone-timesymmetric encryption, each execution ofSE.SE(·) requires that the key be freshly generated usingSE.GEN(·).

4. The decryption SE.SD is a deterministic algorithm that takes as inputs

params(SE)_{, key K∈ K}(SE) _{and ciphertextC ∈ C}(SE)_{, and returns the}

5. We restrict |C|to be a linear function of|M|.

Correctness.LetM ∈ M(SE)_{. Suppose:}

•K:=SE.GEN(params(SE)), and •C:=SE.SE(params(SE)_{, K, M).}

Then correctness of SErequires thatSE.SD(params(SE)_{, K, C) =M,}

for allλ∈_Nand allM ∈ M(SE)_.

The two security games are written in the form of a challenger-adversary framework.

GameKRASE(1 λ

)

M :=A1(1λ);

K:=SE.GEN(params(SE)_);

C:=SE.SE(params(SE), K, M);

K0:=A2(1λ, C);

If K0=K,thenreturn 1; Elsereturn 0;

GameIND-PRVASE(1 λ

, b)

M :=A1(1λ);

K:=SE.GEN(params(SE)_);

C0:=SE.SE(params(SE), K, M);

C1

$

← {0,1}|C0|_;

b0:=A2(1λ, Cb); returnb0;

Fig. 4. Game defining KR and IND-PRV security of one-time symmetric encryption

SE= (SE.GEN,SE.SE,SE.SD). Here,A= (A1,A2).

Key Recovery.LetSE= (SE.GEN,SE.SE,SE.SD) be a one-time symmetric encryption scheme. We design Key-Recovery security game in Fig. 4. Accord-ing to the KR game, the adversary sends a message M to the challenger. The challenger generates a key K := SE.GEN(params(SE)_{), encrypts M using K}

to obtain the ciphertext C := SE.SE(params(SE)_{, K, M) and sends C to the}

adversary. The adversary has to return a key K0 as the encryption key of M

that resulted intoC. If the values ofK and K0 coincide, i.e.K=K0, then the adversary wins the game.

Now, we define the advantage of aKRadversaryAagainstSEas:

AdvKR_SE,A(1λ)def= Pr[KRA_SE(1λ) = 1].

A one-time symmetric encryption schemeSEis said to beKRsecure, for all PT adversariesA, ifAdvKR

SE,A(·) is negligible.

Privacy. Let SE = (SE.GEN,SE.SE,SE.SD) be a one-time symmetric

en-cryption scheme. We design the Privacy security game in Fig. 4. According to the IND-PRV game, the adversary sends a message M to the challenger. The challenger generates a keyK:=SE.GEN(params(SE)_{), encryptsM usingK to}

obtain the ciphertext C0 := SE.SE(params(SE)_{, K, M), computes the random}

return a bitb0 indicating whether the ciphertext Cb corresponds to message M

or is it a random string. If the values of b and b0 coincide, then the adversary wins the game.

Now, we define the advantage of aIND-PRVadversaryAagainstSEas:

AdvIND-PRV_SE,A (1λ)def=

Pr[IND-PRV

A SE(1

λ_{, b= 1) = 1]}

−Pr[IND-PRVA_SE(1λ_{, b= 0) = 1]} .

A one-time symmetric encryption schemeSEis said to beIND-PRV secure, for all PT adversariesA, ifAdvIND-PRV

SE,A (·) is negligible. 2.11 Sponge hash function

The pictorial and algorithmic descriptions of Spongeconstruction [3, 8–12] are given in Figs. 5 and 6; all wires areλ-bit long. Let M denote the message to be hashed,M[i] denote thei-th block of message. Below we describe the algorithm H.HforSpongehash function in detail.

0

0 r0

0

s0 0

π π

r1

s1

r0 1

s0 1

r2

s2

M[1] M[2]

r0 2

s0 2

r3

s3 M[3]

π

r0 3

s0 3

π

r`

s`

M[`]

h

r0 `

s0 `

r0 `−1

s0 `−1

Fig. 5. Diagrammatic description of Sponge hash function h :=H.H(1λ, M), where M :=M[1]||M[2]|| · · · ||M[`], andM[1], M[2],· · ·M[`] are theλ-bit message blocks.

H.H(1λ_{, M)}

`:=|M|/λ,r00:= 0λ,s

0

0:= 0λ; M[1]||M[2]|| · · · ||M[`] :=M; for(j:= 1,2,· · ·, `)

rj:=M[j]⊕r0j−1,sj:=s0j−1; r0j||s

0

j:=π(rj||sj);

h:=r`0; returnh;

Fig. 6.Algorithmic description of Spongehash functionh:=H.H(1λ, M).

sequence. Two variables r0₀ and s0₀ are assigned 0λ_{. Now we give the details of}

how the message blockM[j], forj:= 1,2,· · ·`is hashed:rjis assigned theXOR

of M[j] and r0_j−1; sj is assigned the value of s0j−1; and we compute (rj0||s0j) as π(rj||sj). We assignr`0 as the hashh.

Security of Sponge construction Sponge construction is already proven to beCRHF secure.CRHFgame is given in Fig. 3.

3

FMLE

: A New Cryptographic Primitive

The File-updatable Message-Locked Encryption (FMLE) is a generalisation of

Efficiently Updatable Block-Level Message-Locked Encryption (UMLE)as given by Zhao and Chow[20]. The difference between the definitions of UMLE and

FMLE is that the former requires the existence of a BL-MLE scheme, while the latter does not.2 _{Therefore, anyUMLE scheme can be viewed as anFMLE}

scheme too, not the other way round.

Below we elaborately discuss the syntax, correctness and security definition of the new notionFMLE.

3.1 Syntax

Supposeλ∈_N is the security parameter. An FMLE scheme Π = (Π.E, Π.D, Π.U, Π.P, Π.V) is five-tuple of algorithms over a PPT setupΠ.Setup. Π sat-isfies the following conditions.

1. The PPT setup algorithm Π.Setup(1λ) outputs the parameter params(Π)

and the setsK(Π)_,M(Π)_,C(Π)_andT(Π)_{, denoting thekey,message,}

cipher-textandtag spacesrespectively.

2. The PPT encryption algorithm Π.E takes as inputsparams(Π) and M ∈ M(Π)_{, and returns a 3-tuple (K, C, T) :=Π.E(params}(Π)_{, M), where K∈}

K(Π)_{,C∈ C}(Π)_{andT ∈ T}(Π)_.

3. The decryption algorithmΠ.Dis a deterministic algorithm that takes as in-putsparams(Π),K∈ K(Π)_{,C∈ C}(Π)_{andT ∈ T}(Π)_{, and returnsΠ.D(para} -ms(Π), K, C, T)∈ M(Π)_{∪ {⊥}. The decryption algorithmΠ.Dreturns⊥if}

the keyK, ciphertextC and tagT are not generated from a valid message. 4. The PPT update algorithm Π.U takes as inputs params(Π), the index of starting and ending bits ist and iend, new message bits Mnew ∈ M(Π),

the decryption key K ∈ K(Π)_{, the ciphertext to be updated C ∈ C}(Π)_,

the tag to be updated T ∈ T(Π) _{and the bit app ∈ {0,1} indicating}

change in length of new message, and returns a 3-tuple (K0, C0, T0) :=

Π.U(params(Π)_{, i}

st, iend, Mnew, K, C, T, app), where K0 ∈ K(Π), C0 ∈ C(Π)

andT0 ∈ T(Π)_.

2

5. The PPT proof-of-ownership (PoW) algorithm for prover Π.P takes as in-puts parameterparams(Π)_{, challenge Q, a file M ∈ M}(Π)_{, the decryption}

keyK∈ K(Π)_{, the ciphertextC∈ C}(Π)_{, the tagT ∈ T}(Π)_{, and returns the}

proofP:=Π.P(params(Π)_{, Q, M, K, C, T).}

6. The PPT proof-of-ownership (PoW) algorithm for verifier Π.V takes as in-puts parameterparams(Π), challengeQ, ciphertextC∈ C(Π)_{, tagT ∈ T}(Π)

and proof P, and returns the value val := Π.V(params(Π)_{, Q, C, T, P),}

whereval∈ {TRUE,FALSE}.

7. We restrict |C|to be a linear function of|M|.

3.2 Correctness

Key Correctness.LetM, M0∈ M(Π). Suppose:

•(K, C, T) :=Π.E(params(Π)_{, M), and}

•(K0, C0, T0) :=Π.E(params(Π)_{, M}0_).

Thenkey correctnessofΠ requires thatif M =M0, thenK=K0, for allλ∈_Nand allM, M0 ∈ M(Π)_.

Decryption Correctness.LetM ∈ M(Π)_{. Suppose:}

•(K, C, T) :=Π.E(params(Π)_{, M).}

Then decryption correctness of Π requires that Π.D(params(Π), K, C, T) =M, for allλ∈_N and allM ∈ M(Π)_.

Tag Correctness.LetM, M0_{∈ M}(Π)_{. Suppose:}

•(K, C, T) :=Π.E(params(Π)_{, M), and}

•(K0, C0, T0) :=Π.E(params(Π)_{, M}0_).

Thentag correctness ofΠ requires thatif M =M0, thenT =T0, for allλ∈_Nand allM, M0 ∈ M(Π)_.

Update Correctness.LetM ∈ M(Π). Suppose:

•`=|M|,

•(K, C, T) :=Π.E(params(Π)_{, M), and}

•(K0, C0, T0) :=Π.U(params(Π)_{, i}

st, iend, Mnew, K, C, T, app).

Then update correctness of Π requires that, for all λ ∈ _N, all M ∈ M(Π)_{, 1≤i}

st≤`and ist< iend:

• for app = 1, Π.D(params(Π), K0, C0, T0) = M[1] ||M[2] || · · · || M[ist −1]

||Mnew, and

• for app = 0, Π.D(params(Π), K0, C0, T0) = M[1] ||M[2] || · · · || M[ist −1]

||Mnew ||M[iend+ 1]||M[iend+ 2]|| · · · ||M[`].

PoW Correctness.LetM ∈ M(Π). Suppose:

•(K, C, T) :=Π.E(params(Π)_{, M),}

•Qis any challenge, and

•P :=Π.P(params(Π)_{, Q, M, K, C, T).}

ThenPoW correctnessofΠrequires that Pr[Π.V(params(Π)_{, Q, C, T, P) =}

3.3 Security Definitions

Security definitions of FMLE are naturally adapted from those of UMLE. For the sake of completeness, we describe them below in full detail. As usual, all the games are written in the form of challenger-adversary framework.

GamePRV$-CDAS_Π,A(1λ_{, b)}

(M, Z)← S$ (1λ); for(i:= 1,2,· · ·, m(1λ))

(K(₁i),C₁(i),T₁(i)) :=Π.E(params(Π)_,M(i)_);

K(₀i)← {$ 0,1}|K

(i) 1 |;

C(₀i)← {$ 0,1}|C(1i)|;

T(₀i)← {$ 0,1}|T( i) 1 |; b0:=A(1λ_,C

b,Tb, Z);

returnb0;

GameSTCA_Π(1λ_{) TC}A

Π(1λ)

(M, C0_{, T}0_{) :=A(1}λ_);

If (M=⊥)∨(C0=⊥),thenreturn 0; (K, C, T) :=Π.E(params(Π), M); M0:=Π.D(params(Π), K, C0, T0); If (T=T0)∧(M=6 M0) ∧(M06=⊥)

return 1; Elsereturn 0;

GameCXHA_Π(1λ_{, σ, b)}

(M0, M1) :=A1(1λ, σ);

Determine bit-positionsi1, i2,· · ·, iρ

whereM0andM1differ;

Ifρ > σ,thenreturn 0;

(K0, C0, T0) :=Π.E(params(Π), M0);

(K1, C1, T1) :=Π.E(params(Π), M1);

(K0

1, C

0

1, T

0

1) :=Π.U(params (Π)_{, i}

1, iρ,

M0[i1, i1+ 1,· · ·, iρ], K1, C1, T1,0);

Ifb= 0,thenC∗_:=C

0;

ElseC∗:=C0₁; b0:=A2(1λ, C∗);

returnb0_;

GameUNC-CDAA_Π(1λ)

S:=A1(1λ), (M, Z) $

← S(1λ_);

(K, C, T) :=Π.E(params(Π), M) P∗_:=A

2(1λ, Q, Z);

P:=Π.P(params(Π), Q, M, K, C, T); If(Π.V(params(Π)_{, Q, C, T , P}∗_{) =TRUE)}

∧(P∗6=P) return 1;

Elsereturn 0;

Fig. 7.Games defining PRV$-CDA,STC,TC,CXH andUNC-CDA security ofFMLE

scheme Π = (Π.E, Π.D, Π.U, Π.P, Π.V). InCXH and UNC-CDA games, adversary A= (A1,A2)

Privacy.LetΠ= (Π.E, Π.D, Π.U, Π.P, Π.V) be anFMLEscheme. Since, no

FMLE scheme can provide security for predictable messages, we are modelling the security based on the unpredictable message source S(·). According to the PRV$-CDA game, as in Fig. 7, the challenger gets a vector of messages, M and the auxiliary informationZ, from the sourceS(·). The challenger does the following operations: computes the decryption key K(₁i), ciphertext C(₁i) and tagT(₁i) for each message string M(i) using Π.E, wherei∈ {1,2,· · · , m(1λ_)};

computes the random strings K(₀i), C₀(i) and T₀(i) of length |K(₁i)|, |C(₁i)| and |T(₁i)|respectively; and returns (Cb,Tb, Z) to the adversary. The adversary has

to return a bitb0 indicating whether the ciphertextCb and tagTb corresponds

to message M or is it a collection of random strings. If the values of b and b0

We define the advantage of an PRV$-CDA adversary A against Π for the message sourceS(·) as:

AdvPRV$-CDA_Π,S,A (1λ₎def₌

Pr[PRV$-CDA

A

Π,S(1λ, b= 1) = 1]

−Pr[PRV$-CDAA_Π,S(1λ_{, b= 0) = 1]} .

AnFMLE schemeΠ is said to bePRV$-CDA secure over a set of valid PT sources for FMLE scheme Π, S = {S1,S2,· · · }, for all PT adversaries A and

for allSi∈ S, ifAdvΠ,PRV$-CDASi,A (·) is negligible. AnFMLE schemeΠ is said to be PRV$-CDA secure, for all PT adversaries A, ifAdv_Π,PRV$-CDA_S,A (·) is negligible, for all valid PT sourceS forΠ.

Tag Consistency.LetΠ = (Π.E, Π.D, Π.U, Π.P, Π.V) be anFMLEscheme. For anFMLEscheme, we have designed theSTCandTCsecurity games in Fig. 7, which aim to provide security against duplicate faking attacks. In addition,STC provides safeguards against erasure attack. In a duplicate faking attack, two unidentical messages – one fake message produced by an adversary and a legit-imate one produced by an honest client – produce the same tag, thereby cause loss of message and hamper the integrity. In an erasure attack, the adversary replaces the ciphertext with a fake message that decrypts successfully.

The adversary returns a message M, a ciphertext C0 and a tag T0. If the message or ciphertext is invalid, the adversary loses the game. Otherwise, the challenger computes decryption key K, ciphertext C and tagT corresponding to message M, and computes the message M0 corresponding to ciphertext C0

and tagT0 using key K. If the two tags are equal, i.e.T =T0, the messageM0

is valid, i.e. M0 6=⊥, and the two messages are unequal, i.e. M 6=M0, then the adversary wins theTCgame.

Now, we define the advantage of aTCadversaryAagainstΠ as:

AdvTC_Π,A(1λ)def= Pr[TCA_Π(1λ) = 1].

Now, we define the advantage of anSTCadversaryAagainstΠ as:

AdvSTC_Π,A(1λ)def= Pr[STCA_Π(1λ) = 1].

AnFMLE schemeΠ is said to beTC(orSTC) secure, for all PT adversaries A, ifAdv_Π,TC_A(·) (orAdv_Π,STC_A(·)) is negligible.

Context Hiding.LetΠ = (Π.E, Π.D, Π.U, Π.P, Π.V) be anFMLEscheme. For anFMLE, we have designed theCXHgame in Fig. 7, which aims to provide security against distinguishing between an updated ciphertext and a ciphertext encrypted from scratch, to ensure that the level of privacy is not compromised during update process.

According to theCXHgame, as in Fig. 7, the adversary returns two messages

the adversary loses ifρ > σ. The challenger encrypts the two messages M0 and M1to generate (K0, C0, T0) and (K1, C1, T1) and updates theC1withM0[i1, i1+

1,· · · , iρ] to obtain (K10, C10, T10). The challenger then sends either C0 or C10,

depending on the value of b, to the adversary. The adversary has to return a bit b0 indicating whether the ciphertext is built from scratch or is an updated ciphertext. If the values ofbandb0 are equal, then the adversary wins the game. Now, we define the advantage of a CXH adversary A for σ-bit update in message, againstΠ as:

AdvCXH_Π,A(1λ, σ)def=

Pr[CXH

A

Π(1

λ_{, σ, b= 1) = 1]−Pr[CXH}A

Π(1

λ_{, σ, b= 0) = 1]} .

AnFMLE schemeΠ is said to beCXHsecure, forσ-bit update in message, for all PT adversariesA, ifAdv_Π,CXH_A(·,·) is negligible.

Proof of ownership. Let Π = (Π.E, Π.D, Π.U, Π.P, Π.V) be an FMLE

scheme. For an FMLE, we have designed the UNC-CDA game in Fig. 7, which aims to provide security against the adversary in proving that they possess the entire file when they actually have only a partial information about the file. This is to block the unauthorised ownership of the file.

According to the UNC-CDA game, as in Fig. 7, the adversary returns an unpredictable message source S(·). The challenger gets a message M and the auxiliary informationZ, from this source. The challenger then send the challenge

Qand the auxiliary informationZ to the adversary and the adversary returns a proofP∗. The challenger generates the proofP for the same challenge. IfP∗ is successfully verified by the PoW verifier algorithmΠ.V andP is different from

P∗, then the adversary wins the game.

Now, we define the advantage of aUNC-CDAadversaryAagainst an uncheat-able chosen distribution attack againstΠ for a message source sourceS(·) as:

AdvUNC-CDA_Π,A (1λ)def= Pr[UNC-CDAA_Π(1λ) = 1].

AnFMLE scheme Π is said to be UNC-CDA secure, for all PT adversaries A, ifAdv_Π,UNC-CDA_A (·) is negligible.

4

Deduplication: An Application of

FMLE

Deduplication is a mechanism by which a protocol removes the requirement for storing multiple copies of an identical file in memory. This is highly beneficial for the better utilization of space in thecloud, where multiple users often store identical files. Loosely speaking, it does so, by identifying the identical files, re-moving all the copies except one, and then attaching a special file called thelist of ownersto it. In Fig. 8, we give the details of the deduplication protocol support-ingfile-update andproof of ownership (PoW)functionalities, implemented using