6. PROPUESTA DE ENSEÑANZA PARA NIÑOS
6.2. CONTENIDOS Y SUJERENCIAS METODOLOGICAS
6.2.4. PENSAMIENTO MUSICAL
We additionally analyze a scheme that can be considered as a symmetric key- encapsulation mechanism (KEM) together with a standard symmetric encryp- tion scheme. The KEM has one key ke per epoche, and for each ciphertext it wraps an “inner” keyxunder which the actual message is encrypted. During an update, where the token is given by two keys (ke, ke+1) of subsequent epochs,
all inner keys are simply un-wrapped using ke and re-wrapped under the new keyke+1.
This scheme is used in practical data-at-rest protection at cloud storage providers. The keys are, however, managed within the cloud storage systems. Not all nodes are equal; there are nodes that have access to the keys, and nodes that store the encrypted data.4 In this scenario, it is acceptable to have the
proxy nodes perform the updates. We stress that the scheme is not applicable for outsourcing encrypted data, as it fully reveals the secret keys in the update procedure!
We describe the algorithms in a slightly different way to considerSE-KEM as a ciphertext-independent updatable encryption scheme. The algorithms are described in more detail as the schemeSE-KEMas follows.
SE-KEM.setup(λ): returnk0
r ←SE.kgen(λ) SE-KEM.next(ke): ke+1 r ←SE.kgen(λ),∆e+1←(ke, ke+1), return (ke+1, ∆e+1) SE-KEM.enc(ke, m): x r
←SE.kgen(λ), returnCe←(SE.enc(ke, x),SE.enc(x, m)) SE-KEM.upd(∆e+1, Ce): parseCe= (C1, C2), and∆e+1= (ke, ke+1),
returnCe+1←(SE.enc(ke+1,SE.dec(ke, C1)), C2)
SE-KEM.dec(ke, Ce): parseCe= (C1, C2), returnSE.dec(SE.dec(k, C1), C2)
4 In OpenStack Swift, for instance, the “proxy server” nodes have access to the keys,
While this scheme is very similar to the hybrid AE as described by Ev- erspaugh el al. [14], our description differs in that the token is independent of the ciphertext, and consists of the keys (ke, ke+1) used for encryption in epochs
eande+ 1. In cloud storage systems where the keys for data-at-rest encryption are managed within the cloud, this is a faithful description of the real behavior. The security that can be offered by such a solution is necessarily limited. First, if the adversary obtains a challenge in epoch e and also sees one of the tokens in epochse or e+ 1, the IND-ENCsecurity is immediately broken. Fur- thermore, as the ciphertext update does not re-encrypt the second component, the ciphertexts are linkable through the epochs, i.e., SE-KEM cannot achieve any form ofIND-UPDsecurity. Still, we show that under the described (strict) constraints, the scheme guarantees a mild form of IND-ENCsecurity.
Theorem 8 (SE-KEM is weakly IND-ENC secure). Let SE be an IND-CPA- secure encryption scheme, then SE-KEM is (weakly) IND-ENC-secure if the fol- lowing additional condition holds: For any challenge-equal epoche∈ C∗,Amust
not callOcorrupt(token,·)for epochse ore+ 1.
The proof is very similar to the one of Theorem 2 and is provided in the following.
Proof. Given an adversary Aagainst theIND-ENCsecurity of SE-KEM, we de- scribe two adversaries Bin = Bin(A) and Bout = Bout(A) against the IND-CPA
security ofSE. To that end, we first describe an additional game in which the challenge ciphertext is generated by choosing two keys x, x0←r SE.kgen(λ), and computing the ciphertexts asCb
r
←(SE.enc(ke, x),SE.enc(x0, mb)). We then first show that this game is difficult to win, and then that the adversary advantages in that game and in the original one differ only by a negligible amount.
AdversaryBin attacks the inner encryption and emulates the modified game
described above to A as follows. Initially, it sets e ← 0, L ← ∅, generates the outer key ko
0
r
←SE.kgen(λ), and runs Aon empty input. It then emulates the oracles Oenc, Onext, Oupd, and Ocorrupt as follows. UponOenc(m), adversary
Bin chooses ki
r
← SE.kgen(λ), and computes Ci ←r SE.enc(ki, m) and Co ←r SE.enc(keo, ki), sets C ← (Ci, Co) and L ← L ∪ {(C, e)}, and returns C to A. Upon Onext, adversary Bin generates a new koe+1
r
← SE.kgen(λ) and sets
e←e+ 1. UponOupd(Ce−1), adversaryBin checks that (Ce−1, e−1)∈ L, parses
(Co
e−1, Ci)←Ce−1, computesCeo ←SE.enc(koe,SE.dec(keo−1, Ceo−1)), sets Ce← (Co
e, Ci) andL ← L ∪ {(Ce, e)}, and returnsCeto A. Upon Ocorrupt(token, e∗),
ife∗≤e, then return (ko
e−1, keo). UponOcorrupt(key, e∗), withe∗≤e, returnkeo. WhenA outputs m0, m1 in epoch ˜e, adversary Bin outputs the same mes-
sages m0, m1 and obtains challenge ciphertext ˜Ci. It chooses x
r
← SE.kgen(λ), computes ˜Co r
← SE.enc(ko
˜
e, x), and sets ˜C ← ( ˜Co,C˜i) and ˜L ← {( ˜C,e˜)}, and provides ˜C to A. Furthermore,Bin continues to provide oraclesOenc,Oupd, and
Ocorrupt as before. Oracle Onext is modified (as inIND-ENC) to additionally set
˜
L ←L∪{˜ ( ˜C, e)}with ( ˜Co
e−1,C˜i)←C˜e−1; ˜Ceo←SE.enc(koe,SE.dec(koe−1,C˜e0−1))
; ˜Ce←( ˜Ceo,C˜i). Furthermore,Bin providesAwith an oracleOupd˜Cthat returns
Observe that all computations performed byBin are exactly the same as in
the game described above, and therefore the advantage ofAis retained. We next show that the advantages of A in that game and in IND-ENCdiffer only by a negligible amount.
AdversaryBout attacks the outer encryption and emulates either the above-
described game or theIND-ENCgame toA. Initially, it setse←0,L ← ∅, guesses the challenge epoch e0 uniformly random from {0, . . . ,eˆ}, where ˆeis an upper
bound on the number of epochs for A, and then uses Be0
out which is described
as follows. Initially, it chooses d ← {r 0,1}. Adversary Be0
out then generates the
initial outer keyko
0
r
←SE.kgen(λ) and runsAon empty input. It then emulates the oracles Oenc, Onext, Oupd, and Ocorrupt as follows. UponOenc(m), adversary
Be0
out choosesx
r
←SE.kgen(λ) and computes Ci r
←SE.enc(x, m). If e6=e0, then adversaryBe0
out computesCo
r
←SE.enc(ko
e, x), else it queriesxto its own oracle Oenc to obtain Co. Then, Be
0
out sets C ← (Co, Ci) and L ← L ∪ {(C, e)} and
returnsC to A. OraclesOnext and Ocorrupt are dealt with exactly as in the case
of Bin above.5 Oracle Oupd behaves (apart from the format of L) as in Bin for
e6=e0, but fore=e0adversaryBe0
out uses itsOencoracle to compute the updated
ciphertexts.
Let now e0 denote the epoch in which A outputs m
0, m1; adversary Be 0 out computes ˜C ←r SE.enc(ki, m d), and selects x0 r ← SE.kgen(λ). If e0 < ˜e, then Be0 out computes ˜Co r ←SE.enc(ko e0, x0); if e0 = ˜e thenBe 0
out outputsx, x0 to obtain
challenge ciphertext ˜Co; and ife0>˜e, then computes ˜C r
←SE.enc(ko
e0, x). In any case,Be0
outoutputs ˜C= ( ˜Co,C˜i) as the challenge ciphertext. Then,Be
0
outsets ˜L ←
{( ˜C,˜e)}, and provides ˜C to A. Furthermore, Be0
out continues to provide oracles
Oenc, Oupd, and Ocorrupt as before. Oracle Onext is modified (as in IND-ENC)
to additionally set ˜L ←L ∪ {˜ ( ˜C, e)} where ˜Ce is computed analogously to the challenge ciphertext ˜Cdepending on whethere <e˜,e= ˜e, ore >˜e. Furthermore, as Bin,Be
0
out provides Awith an oracleOupd˜C that returns the current challenge
ciphertext ˜Ce.
Note that with ˜e= 0 and challenge bit 0 in the embedded IND-CPA game, the view ofAis exactly the same as in theIND-ENCgame with challenge bit 0, and that with ˜e = ˆe and challenge bit 1 in the embedded IND-CPA game, the view ofAis exactly the same as in theIND-ENCgame with challenge bit 1. The hybrid argument then states that there is onee0 ∈ {0, . . . ,eˆ}in whichBout wins
with advantage at least ε/eˆ; denote by Be0
out the adversary that always embeds
theIND-CPAchallenge in epoche0.
We now have to deal with the fact that the reduction may fail. Assume, hypothetically, that Be0
out could obtain the key used in the IND-CPA game, in
which case the emulation would always be perfect. WheneverAdoes not obtain the challenge ciphertext in epoche0, however, the entire view is independent of
5
QueriesOcorrupt(key, e∗) fore∗=e0, andOcorrupt(token, e∗) fore∗=e0 ore∗=e0+ 1 cannot be answered, in that case Be0
out aborts and outputs a random bit. We argue below that in these cases Bout may fail. All other cases can be dealt with because
Be0
out chose all keys ki and koe fore 6=e 0
internally, and the oracles return (ko e∗, ki)
the challenge bit. Therefore, in such roundsBe0
outcan safely randomize its output
without decreasing the advantage. The condition on the challenge and token queries ensures thatBe0
out will never actually need to get the key in the modified
game.
On the other hand, ifAdoes not make any query of the typeOcorrupt(token, e0),
Ocorrupt(token, e0+ 1), orOcorrupt(key, e0) for anye0 being challenge-equal, which
means in particular thatBout as described above does not fail.
As Bout perfectly emulates the two games, based on the challenge bit, a
noticeable advantage ofAtranslates into a noticeable advantage of Bout in dis-
tinguishing the two cases. This concludes the proof. ut