## Key Regression: Enabling Efficient Key Distribution for Secure Distributed Storage (2006)

### Download Links

- [eprint.iacr.org]
- [homes.cs.washington.edu]
- [www.sysnet.ucsd.edu]
- [www.isoc.org]
- DBLP

### Other Repositories/Bibliography

Venue: Proc. Network and Distributed Systems Security Symposium (NDSS), 2006

Citations: 18 (3 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Fu06keyregression:,
  author    = {Kevin Fu and Seny Kamara and Tadayoshi Kohno},
  title     = {Key Regression: Enabling Efficient Key Distribution for Secure Distributed Storage},
  booktitle = {Proc. Network and Distributed Systems Security Symposium (NDSS)},
  year      = {2006}
}
```

### Abstract

The Plutus file system introduced the notion of key rotation as a means to derive a sequence of temporally-related keys from the most recent key. In this paper we show that, despite natural intuition to the contrary, key rotation schemes cannot generically be used to key other cryptographic objects; in fact, keying an encryption scheme with the output of a key rotation scheme can yield a composite system that is insecure. To address these shortcomings, we introduce a new cryptographic object called a key regression scheme, and we propose three constructions that are provably secure under standard cryptographic assumptions. We implement key regression in a secure file system and empirically show that key regression can significantly reduce the bandwidth requirements of a content publisher under realistic workloads using lazy revocation. Our experiments also serve as the first empirical evaluation of either a key rotation or key
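The composition hazard the abstract describes can be made concrete with a small hash-chain model. The Python below is an added illustration, not code from the paper or from the Chefs file system. Its chain has the shape of the Figure 3 key rotation scheme quoted in the citation contexts on this page (stm_{i-1} = H(stm_i), at most MW keys, publisher winds forward, member unwinds backward); SHA-256 stands in for the paper's SHA1 (an assumption, and the page itself questions SHA1 after Wang, Yin and Yu); the domain-separated `keyder`, the "leaky" stream cipher that attaches H(key) as a key fingerprint, and the names `hash_chain`, `unwind`, `keyder`, `member_keys`, `leaky_encrypt` and `demo` are all constructed for this example and are not the paper's constructions. It shows a member unwinding from stm_i to every earlier key (lazy revocation) and that the same fingerprinting scheme is harmless when keyed by key regression but hands an eavesdropper the previous key when keyed by key rotation, where the key is the chain element itself.

```python
"""Illustrative key regression vs. key rotation on a hash chain.

Added example, not the paper's code. Assumptions: SHA-256 in place of the
SHA1 used by KR-SHA1 and the Figure 3 rotation scheme; keyder is a
domain-separated hash of the member state; the 'leaky' encryption scheme is
constructed for illustration only.
"""
import hashlib
import os


def H(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for SHA1.
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, max_wind: int) -> list:
    """Publisher setup: pick stm_MW = seed and hash downwards so that
    stm_{i-1} = H(stm_i). Returns [stm_1, ..., stm_MW]. The publisher winds
    forward by handing out successive entries, so at most MW keys exist
    (the limitation the page notes for the Figure 3 scheme)."""
    chain = [seed]
    for _ in range(max_wind - 1):
        chain.append(H(chain[-1]))
    return chain[::-1]


def unwind(stm: bytes) -> bytes:
    """Member step: stm_{i-1} = H(stm_i). One-way, so stm_{i+1} stays hidden."""
    return H(stm)


def keyder(stm: bytes) -> bytes:
    """The step key regression adds: the content key is derived from the
    member state rather than being the state. The fixed prefix gives domain
    separation from unwind; this exact derivation is an assumption here."""
    return H(b"keyder|" + stm)


def member_keys(stm_i: bytes, i: int) -> dict:
    """A member given stm_i recovers K_i, K_{i-1}, ..., K_1 locally
    (lazy revocation: old content stays readable with no extra bandwidth)."""
    keys, stm = {}, stm_i
    for j in range(i, 0, -1):
        keys[j] = keyder(stm)
        stm = unwind(stm)
    return keys


def rotation_key(stm: bytes) -> bytes:
    """Figure 3 style key rotation: the chain element *is* the key."""
    return stm


def leaky_encrypt(key: bytes, msg: bytes, nonce: bytes) -> tuple:
    """Constructed toy scheme: XOR stream keyed by H(key||nonce||ctr), with
    H(key) attached as a 'key fingerprint'. For an independent random key
    the fingerprint reveals nothing useful; under key rotation it is
    exactly the previous key."""
    stream, ctr = b"", 0
    while len(stream) < len(msg):
        stream += H(key + nonce + ctr.to_bytes(4, "big"))
        ctr += 1
    ct = bytes(m ^ s for m, s in zip(msg, stream))
    return H(key), nonce, ct


def leaky_decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # The XOR stream is symmetric, so encrypting the ciphertext decrypts it.
    _, _, pt = leaky_encrypt(key, ct, nonce)
    return pt


def previous_key_from_header(header: bytes) -> bytes:
    """Attack on rotation composed with the leaky scheme: header == H(K_i) == K_{i-1}."""
    return header


def demo(max_wind: int = 5, i: int = 3, seed: bytes = None) -> dict:
    """Compare what the ciphertext header gives away under each scheme."""
    seed = seed or os.urandom(32)
    chain = hash_chain(seed, max_wind)
    stm_i, nonce = chain[i - 1], b"\x00" * 12
    # Key rotation keyed directly by the chain element.
    hdr_rot, _, _ = leaky_encrypt(rotation_key(stm_i), b"secret", nonce)
    rot_broken = previous_key_from_header(hdr_rot) == rotation_key(chain[i - 2])
    # Key regression: key comes from keyder, header is H(keyder(stm_i)).
    hdr_reg, _, _ = leaky_encrypt(keyder(stm_i), b"secret", nonce)
    reg_broken = previous_key_from_header(hdr_reg) == keyder(chain[i - 2])
    return {"rotation_leaks_previous_key": rot_broken,
            "regression_leaks_previous_key": reg_broken}
```

`demo()` returns both booleans. The fingerprint is the kind of property an IND-CPA-secure scheme may legitimately have under an independent random key, which is exactly why keying such a scheme with a rotation scheme's output is not generically safe: under rotation the header is the previous key, so any eavesdropper, member or not, can decrypt everything older. The same structure with a block cipher in place of the hash (the KR-AES citation context on this page describes a PRG built from AES_X(0^128) and AES_X(1^128); which half feeds the next state and which the key is my assumption) gives the KR-AES shape.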

### Citations

- Rivest, Shamir, et al. (1978). A method for obtaining digital signatures and public key cryptosystems. [2908 citations]
  Context: ...e an error. We use $\mathrm{AES}_K(M)$ to denote the process of running the AES block cipher with key $K$ on input block $M$. We use $\mathrm{SHA1}(M)$ to denote the process of running the SHA1 hash function on input $M$. An RSA [44] key generator for some security parameter $k$ is a randomized algorithm $\mathcal{K}_{rsa}$ that returns a triple $(N,e,d)$. Since our analyses are in the concrete setting, we write $(N,e,d) \xleftarrow{\$} \mathcal{K}_{rsa}$ rather than $(N,e,d)$...

- Diffie, Hellman (1976). New Directions in Cryptography. [2709 citations]
  Context: ...with $k = l = 128$ and, for all $X \in \{0,1\}^{128}$, with $H_1(X)$ defined as $\mathrm{AES}_X(0^{128})$ and $H_2(X)$ defined as $\mathrm{AES}_X(1^{128})$; Diffie and Hellman suggest using a block cipher as a hash function in this manner in [17]. We choose to prove the security of KR-AES directly in Section 8, rather than instantiate KR-RO, because we desire a proof of security for KR-AES in the standard model. §10 The security of KR-RSA. In o...

- Bellare, Rogaway (1993). Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. [1332 citations]

- Goldwasser, Micali (1984). Probabilistic encryption. [1174 citations]
  Context: ...ions, we prove under reasonable assumptions that all three are secure key regression schemes. Our security proofs use the reduction-based provable security approach pioneered by Goldwasser and Micali [28] and lifted to the concrete setting by Bellare, Kilian, and Rogaway [8]. For KR-RSA, our proof is based on the assumption that RSA is one-way. For the proof of both KR-RSA and KR-SHA1, we assume that ...

- Rosenblum, Ousterhout (1992). The Design and Implementation of a Log-Structured File System. [892 citations]
  Context: ...he performance of Chefs with the small-file, large-file, and emacs-compilation benchmarks described in the SFSRO paper [24]. The small-file benchmark consists of the read phases of the LFS benchmarks [46]: sequentially reading 1000 files each 1 Kbyte in size spread across ten directories. The small-file benchmark helps to understand the performance of a single client accessing a single server. The la...

- Cohen. Incentives build robustness in BitTorrent. [774 citations]
  Context: ...(1 Introduction) Content distribution networks (CDNs) such as Akamai [3], BitTorrent [15], and Coral [21] enable content publishers with low-bandwidth connections to make single-writer, many-reader content available at high throughput. When a CDN is untrusted and the content publisher can...

- Blum, Micali (1984). How to generate cryptographically strong sequences of pseudo-random bits. [599 citations]
  Context: ...1. As with KR-FSPRG from Section 6, we believe that KR-PRG will be of independent interest. §7.1 FSPRGs from pseudorandom bit generators. Pseudorandom bit generators. A pseudorandom bit generator (PRG) [11, 12, 54] is a function $G: \{0,1\}^k \to \{0,1\}^{k+l}$ that takes as input a $k$-bit seed and returns a string that is longer than the seed by $l$ bits, $k, l \ge 1$. The standard security notion for a PRG is as follows. If $A$ ...

- Yao (1982). Theory and applications of trapdoor functions. [510 citations]
  Context: ...generator (FSPRG) [11]; we call our construction KR-FSPRG. We then recall one of Bellare and Yee's [11] methods (FSPRG-PRG) for building secure FSPRGs from standard pseudorandom bit generators (PRGs) [11, 12, 54]. Instantiating KR-FSPRG with FSPRG-PRG yields a secure PRG-based key regression scheme that we call KR-PRG. KR-AES is then an instantiation of KR-PRG with a PRG that, on input a 128-bit string stm, o...

- Rizzo (1997). Dummynet: a simple approach to the evaluation of network protocols. [390 citations]
  Context: ...4 MB chunks and using TCP send and receive buffers of size 69 632 KB. When writing in 8 KB chunks (the block size in Chefs), the peak TCP throughput was 66 Mbit/sec. The experiments used the dummynet [45] driver in FreeBSD to simulate cable modem and analog modem network conditions. For the cable modem on the publisher machine, the round-trip delay was set to 20 msec and the download and upload bandwi...

- Lamport (1981). Password Authentication with Insecure Communication. [372 citations]
  Context: ...(Figure 3, a hash chain-based key rotation scheme: windkey: ...MW return (⊥, sk); sk' ← ⟨i + 1, K_1, ..., K_MW⟩; return (K_i, sk'). unwndkey(K, pk): ignore pk; K' ← SHA1(K); return K'.) As Naor, Shenhav, and Wool also observe [42], one familiar with hash chains [35] and S/KEY [30] might design the key rotation scheme in Figure 3. Such a scheme is more efficient than the scheme in Figure 2, but is limited because it can only produce MW ("max wind") keys, where MW...

- Bellare, Desai, et al. (1997). A concrete security treatment of symmetric encryption: Analysis of DES modes of operation. [352 citations]
  Context: ...e describe a key rotation scheme and a symmetric encryption scheme that individually meet their desired security properties (property (2) for key rotation and IND-CPA privacy for symmetric encryption [7]), but when combined (e.g., when a content publisher uses the keys from the key rotation scheme to key the symmetric encryption ...

- Luby, Rackoff (1988). How to construct pseudorandom permutations from pseudorandom functions. [281 citations]
  Context: ... assumption that RSA is one-way. For the proof of both KR-RSA and KR-SHA1, we assume that SHA1 is a random oracle [9]. For the proof of KR-AES, we assume that AES is a secure pseudorandom permutation [8, 36]. Implementation and evaluation. We integrated key regression into a secure file system to measure the performance characteristics of key regression in a real application. Our measurements show that k...

- Freedman, Freudenthal, et al. (2004). Democratizing content publication with Coral. [276 citations]
  Context: ...(1 Introduction) Content distribution networks (CDNs) such as Akamai [3], BitTorrent [15], and Coral [21] enable content publishers with low-bandwidth connections to make single-writer, many-reader content available at high throughput. When a CDN is untrusted and the content publisher cannot rely on the ...

- Fiat, Naor (1993). Broadcast encryption. [249 citations]
  Context: ...constructions is a FSPRG. As pointed out by Boneh et al. [14], one possible mechanism for distributing updated content encryption keys for a secure file system is to use a broadcast encryption scheme [18, 19, 20, 41]. Indeed, one of the main challenges faced by an encrypted file system is the distribution of the encryption keys to the remaining (not evicted) set of users, and broadcast encryption provides an idea...

- Song, Wagner, et al. (2000). Practical techniques for searches on encrypted data. [219 citations]
  Context: ...uses the client machine to fetch all the content keys. We further motivate our example workload as follows. While there is promising research in enabling a third party server to search encrypted data [2, 13, 27, 29, 50, 53], current approaches for searchable encryption do not prevent the server from outputting false negatives. Because Chefs extends the SFS read-only file system, it inherits the property that the client ...

- Boneh, Di Crescenzo, et al. (2004). Public key encryption with keyword search. [200 citations]
  Context: ...uses the client machine to fetch all the content keys. We further motivate our example workload as follows. While there is promising research in enabling a third party server to search encrypted data [2, 13, 27, 29, 50, 53], current approaches for searchable encryption do not prevent the server from outputting false negatives. Because Chefs extends the SFS read-only file system, it inherits the property that the client ...

- Haller (1995). The S/KEY one-time password system (RFC 1760). [199 citations]
  Context: ...(Figure 3, a hash chain-based key rotation scheme: windkey: ... sk' ← ⟨i + 1, K_1, ..., K_MW⟩; return (K_i, sk'). unwndkey(K, pk): ignore pk; K' ← SHA1(K); return K'.) As Naor, Shenhav, and Wool also observe [42], one familiar with hash chains [35] and S/KEY [30] might design the key rotation scheme in Figure 3. Such a scheme is more efficient than the scheme in Figure 2, but is limited because it can only produce MW ("max wind") keys, where MW is a parameter...

- Bellare, Kilian, et al. (2000). The security of the cipher block chaining message authentication code. [193 citations]
  Context: ...y regression schemes. Our security proofs use the reduction-based provable security approach pioneered by Goldwasser and Micali [28] and lifted to the concrete setting by Bellare, Kilian, and Rogaway [8]. For KR-RSA, our proof is based on the assumption that RSA is one-way. For the proof of both KR-RSA and KR-SHA1, we assume that SHA1 is a random oracle [9]. For the proof of KR-AES, we assume that AE...

- Fu, Kaashoek, et al. (2002). Fast and secure distributed read-only file system. [175 citations]
  Context: ...led content distribution. Chefs [23] is a secure, single-writer, many-reader file system for access-controlled content distribution using untrusted servers. Chefs extends the SFS read-only file system [24] to provide access control. Chefs uses lazy revocation [22, 33] and KR-SHA1 key regression to reduce the amount of out-of-band communication necessary for group key distribution. Three modules comp...

- Naor, Naor, et al. (2001). Revocation and tracing schemes for stateless receivers. [174 citations]
  Context: ...constructions is a FSPRG. As pointed out by Boneh et al. [14], one possible mechanism for distributing updated content encryption keys for a secure file system is to use a broadcast encryption scheme [18, 19, 20, 41]. Indeed, one of the main challenges faced by an encrypted file system is the distribution of the encryption keys to the remaining (not evicted) set of users, and broadcast encryption provides an idea...

- Wang, Yin, et al. (2005). Finding collisions in the full SHA-1. [168 citations]
  Context: ...publisher must transmit to members. For instance, it is desirable to have constant-sized metadata in file systems. On the use of SHA1. We completed the bulk of our research prior to Wang, Yin, and Yu [52] showing how to find collisions in SHA1 faster than brute force. The result of Wang, Yin, and Yu raises the question of whether one should continue to use SHA1 in real constructions, including KR-SHA1...

- Kallahalla, Riedel, et al. (2003). Plutus: Scalable Secure File Sharing on Untrusted Storage. [121 citations]
  Context: ...her cannot rely on the network to enforce proper access control, the content publisher can achieve access control by encrypting the content and distributing the cryptographic keys to legitimate users [23, 26, 31, 33, 40, 43]. Under the lazy revocation model for access control [23, 33], following the eviction of a user from the set of members, the content publisher will encrypt future content with a new cryptographic key ...

- Boneh, Gentry, et al. (2005). Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. [120 citations]
  Context: ... not encrypt security-critical patches. Abdalla and Bellare formally analyze methods for rekeying symmetric encryption schemes [1], and one of their constructions is a FSPRG. As pointed out by Boneh et al. [14], one possible mechanism for distributing updated content encryption keys for a secure file system is to use a broadcast encryption scheme [18, 19, 20, 41]. Indeed, one of the main challenges faced by...

- Shoup (2004). Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, available at http://eprint [114 citations]
  Context: ...$- \Pr\big[g \xleftarrow{\$} \mathrm{Func}(128,128) : C^{g(\cdot)} = 1\big] = \mathbf{Adv}^{\mathrm{prp}}_{\mathrm{AES},C} + \Pr\big[g \xleftarrow{\$} \mathrm{Perm}(128) : C^{g(\cdot)} = 1\big] - \Pr\big[g \xleftarrow{\$} \mathrm{Func}(128,128) : C^{g(\cdot)} = 1\big]$. Using the standard PRF/PRP switching result from [8], re-proven in [10, 48], and the fact that $C$ makes only two oracle queries, the above simplifies to Equation (11), completing the proof. §9 The security of KR-SHA1. Although we derived KR-SHA1 from the key rotation scheme in ...

- Joux (2004). Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions. [93 citations]
  Context: ... Yin, and Yu raises the question of whether one should continue to use SHA1 in real constructions, including KR-SHA1 and KR-RSA. This concern is well justified, particularly because other researchers [32, 34] have shown how to extend certain types of collision-finding attacks against hash functions to break cryptosystems that, at first glance, appear to depend only on a weaker property of the underlying h...

- Miklau, Suciu (2003). Controlling access to published data using cryptography. [91 citations]
  Context: ...her cannot rely on the network to enforce proper access control, the content publisher can achieve access control by encrypting the content and distributing the cryptographic keys to legitimate users [23, 26, 31, 33, 40, 43]. Under the lazy revocation model for access control [23, 33], following the eviction of a user from the set of members, the content publisher will encrypt future content with a new cryptographic key ...

- Akl, Taylor (1983). Cryptographic Solution to a Problem of Access Control in a Hierarchy. [89 citations]
  Context: ...ression schemes, some of which are simple variants of the more general constructions that we present in subsequent sections (KR-FSPRG, KR-PRG, KR-RO, and KR-RSA-RO). Using advanced tree-based schemes [4, 6, 37, 39], a publisher could give access to any contiguous sequence of keys using only a logarithmic number of nodes from a key tree. We do not consider key trees here because one of our primary design goals i...

- Abdalla, Bellare, et al. (2005). Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions. [81 citations]
  Context: ...uses the client machine to fetch all the content keys. We further motivate our example workload as follows. While there is promising research in enabling a third party server to search encrypted data [2, 13, 27, 29, 50, 53], current approaches for searchable encryption do not prevent the server from outputting false negatives. Because Chefs extends the SFS read-only file system, it inherits the property that the client ...

- Coron, Dodis, et al. (2005). Merkle-Damgård revisited: How to construct a hash function. [74 citations]
  Context: ...replace the use of SHA1 in our constructions with another hash function, perhaps a hash function that behaves like a random oracle assuming that the underlying compression function is a random oracle [16]. §6 Key regression from FSPRGs. Toward proving the security of KR-AES, we first show how to construct a key regression scheme from a forward-secure pseudorandom bit generator (FSPRG) [11]. We call our ...

- Snell, Mikler, et al. (1996). NetPIPE: A Network Protocol Independent Performance Evaluator. [73 citations]
  Context: ... Dual Gigabit Ethernet card, and a Hitachi 320 GB SCSI-3 hard drive with a 320 MB/sec transfer rate. The machines were connected on a 100 Mbit/sec local area network and all used FreeBSD 4.9. NetPipe [49] measured the round-trip latency between the pairs of machines at 249 µsec, and the maximum sustained TCP throughput of the connection at 88 Mbit/sec when writing data in 4 MB chunks and using TCP sen...

- Waters, Balfanz, et al. (2004). Building an encrypted and searchable audit log. [64 citations]

- Fu (1999). Cepheus: Group sharing and random access in cryptographic file systems. [52 citations]
  Context: ...iter, many-reader file system for access-controlled content distribution using untrusted servers. Chefs extends the SFS read-only file system [24] to provide access control. Chefs uses lazy revocation [22, 33] and KR-SHA1 key regression to reduce the amount of out-of-band communication necessary for group key distribution. Three modules comprise the Chefs file system. An untrusted server makes encrypted...

- Goh (2003). Secure indexes. Cryptology ePrint Archive. [48 citations]

- Golle, Staddon, et al. (2004). Secure conjunctive keyword search over encrypted data. [43 citations]

- Dodis, Fazio (2002). Public Key Broadcast Encryption for Stateless Receivers. [39 citations]
  Context: ...constructions is a FSPRG. As pointed out by Boneh et al. [14], one possible mechanism for distributing updated content encryption keys for a secure file system is to use a broadcast encryption scheme [18, 19, 20, 41]. Indeed, one of the main challenges faced by an encrypted file system is the distribution of the encryption keys to the remaining (not evicted) set of users, and broadcast encryption provides an idea...

- Staddon, Miner, et al. (2002). Self-healing key distribution with revocation. [39 citations]
  Context: ...ion algorithm. Key regression simply assumes the existence of a secure distribution channel, of which broadcast encryption is one possible instantiation. Self-healing key distribution with revocation [51] protocols are resilient even when broadcasts are lost on the network. One can view key regression as having the self-healing property in perpetuity. In concurrent work, and also motivated by the key ...

- Reed, Svobodova (1981). SWALLOW: A distributed data storage system for a local network. [38 citations]
  Context: ...her cannot rely on the network to enforce proper access control, the content publisher can achieve access control by encrypting the content and distributing the cryptographic keys to legitimate users [23, 26, 31, 33, 40, 43]. Under the lazy revocation model for access control [23, 33], following the eviction of a user from the set of members, the content publisher will encrypt future content with a new cryptographic key ...

- Kelsey, Kohno (2005). Herding Hash Functions and the Nostradamus Attack. [25 citations]
  Context: ... Yin, and Yu raises the question of whether one should continue to use SHA1 in real constructions, including KR-SHA1 and KR-RSA. This concern is well justified, particularly because other researchers [32, 34] have shown how to extend certain types of collision-finding attacks against hash functions to break cryptosystems that, at first glance, appear to depend only on a weaker property of the underlying h...

- Backes, Cachin, et al. (2006). Secure key-updating for lazy revocation. [23 citations]
  Context: ...ng property in perpetuity. In concurrent work, and also motivated by the key rotation scheme in Plutus [33], Backes, Cachin, and Oprea formalize the notion of key-updating for lazy revocation schemes [6] and consider the composition of key-updating for lazy revocation schemes with other cryptographic objects [5]. The notion of a key-updating for lazy revocation scheme in [6] is essentially identical ...

- Harrington, Jensen (2003). Cryptographic Access Control in a Distributed File System. [19 citations]

- Bellare, Yee (2003). Forward security in private key cryptography. [14 citations]
  Context: ...05/303 (http://eprint.iacr.org/). Part of this work also appears as Chapter 4 of [23]. §1.2 Related work. The key rotation scheme in Plutus [33] inspired our research in key regression. Bellare and Yee [11] introduce the notion of a forward-secure pseudorandom bit generator (FSPRG). One can roughly view forward-secure pseudorandom bit generation as the mirror image of key regression. Whereas a key regre...

- Micali (1992). Fair public-key cryptosystems. [14 citations]
  Context: ...ression schemes, some of which are simple variants of the more general constructions that we present in subsequent sections (KR-FSPRG, KR-PRG, KR-RO, and KR-RSA-RO). Using advanced tree-based schemes [4, 6, 37, 39], a publisher could give access to any contiguous sequence of keys using only a logarithmic number of nodes from a key tree. We do not consider key trees here because one of our primary design goals i...

- Gifford (1981). Cryptographic Sealing for Information Secrecy and Authentication. [12 citations]

- Dodis, Fazio (2003). Public key broadcast encryption secure against adaptive chosen ciphertext attack. [11 citations]

- Backes, Cachin, et al. (2005). Lazy revocation in cryptographic file systems. [10 citations]
  Context: ...ackes, Cachin, and Oprea formalize the notion of key-updating for lazy revocation schemes [6] and consider the composition of key-updating for lazy revocation schemes with other cryptographic objects [5]. The notion of a key-updating for lazy revocation scheme in [6] is essentially identical to our notion of a key regression scheme. Using our parlance, in [6] they also propose several ways of buildin...

- Fu (2005). Integrity and access control in untrusted content distribution networks. [10 citations]

- Naor, Shenhav, et al. (2005). Toward securing untrusted storage without public-key operations. [8 citations]
  Context: ...(Figure 3, a hash chain-based key rotation scheme: windkey: ...MW return (⊥, sk); sk' ← ⟨i + 1, K_1, ..., K_MW⟩; return (K_i, sk'). unwndkey(K, pk): ignore pk; K' ← SHA1(K); return K'.) As Naor, Shenhav, and Wool also observe [42], one familiar with hash chains [35] and S/KEY [30] might design the key rotation scheme in Figure 3. Such a scheme is more efficient than the scheme in Figure 2, but is limited because it can only pr...

- Abdalla, Bellare (2000). Increasing the lifetime of a key: A comparative analysis of the security of re-keying techniques. [7 citations]
  Context: ...he time period to which the patch is first applicable, or Mandriva could simply not encrypt security-critical patches. Abdalla and Bellare formally analyze methods for rekeying symmetric encryption schemes [1], and one of their constructions is a FSPRG. As pointed out by Boneh et al. [14], one possible mechanism for distributing updated content encryption keys for a secure file system is to use a broadcast...

- Bellare, Rogaway (2004). The game-playing technique. Cryptology ePrint Archive, Report 2004/331. [5 citations]
  Context: ...$- \Pr\big[g \xleftarrow{\$} \mathrm{Func}(128,128) : C^{g(\cdot)} = 1\big] = \mathbf{Adv}^{\mathrm{prp}}_{\mathrm{AES},C} + \Pr\big[g \xleftarrow{\$} \mathrm{Perm}(128) : C^{g(\cdot)} = 1\big] - \Pr\big[g \xleftarrow{\$} \mathrm{Func}(128,128) : C^{g(\cdot)} = 1\big]$. Using the standard PRF/PRP switching result from [8], re-proven in [10, 48], and the fact that $C$ makes only two oracle queries, the above simplifies to Equation (11), completing the proof. §9 The security of KR-SHA1. Although we derived KR-SHA1 from the key rotation scheme in ...

- MacKinnon, Akl (1983). New Key Generation Algorithms for Multilevel Security. [4 citations]
  Context: ...ression schemes, some of which are simple variants of the more general constructions that we present in subsequent sections (KR-FSPRG, KR-PRG, KR-RO, and KR-RSA-RO). Using advanced tree-based schemes [4, 6, 37, 39], a publisher could give access to any contiguous sequence of keys using only a logarithmic number of nodes from a key tree. We do not consider key trees here because one of our primary design goals i...