Abstract: |
Forward security is an essential design goal of modern cryptographic protocols with a long body of literature in several application domains such as interactive key-exchange protocols (prominently in TLS 1.3 & Double Ratcheting), digital signatures, search on encrypted data, updatable cryptography, mobile Cloud backups, decentralized contact tracing, new approaches to Tor, and even novel decentralized protocols such as Dfinity's Internet Computer or Algorand's consensus multi-signatures, among others. The well-known benefit of forward security is the mitigation of key leakage by evolving secret keys over epochs and thereby revoking access to prior-epoch ciphertexts or signing capabilities. Such a strong security guarantee is widely recognized by industry and included in security products (e.g., by companies such as Google, Apple, Facebook, Microsoft, and Cloudflare), which has resulted in over 99% of Internet sites surveyed by Qualys SSL Labs (https://www.ssllabs.com/ssl-pulse/) supporting at least some form of forward security at the time of writing.
Green and Miers (S&P 2015) initiated the study of puncturable encryption (PE) as a new cryptographic primitive towards a strong form of asynchronous forward-secure encryption (in particular, without the need for any pre-shared key material). Several follow-up works have already shown the versatility of this concept, yielding a rich abstraction of forward security that has been investigated in a variety of (data-in-transit and data-at-rest) application domains such as 0-RTT key exchange for TLS (Eurocrypt'17, Eurocrypt'18, Asiacrypt'20, JoC'21), Google's QUIC (CANS'20), searchable encryption (CCS'17), mobile Cloud backups (OSDI'20), Cloudflare's Geo Key Manager (Financial Crypto'21), Tor (PoPETS'20), and updatable encryption (ePrint'21).
Loosely speaking, PE is a promising variant of public-key encryption that realizes fine-grained and non-interactive forward security and has several useful applications. This talk provides an exhaustive overview of the concept of PE, presents state-of-the-art research on PE schemes, and discusses cryptographic deployment challenges in several aspects, e.g., parameter choices, applications (such as 0-RTT key exchange using Bloom-Filter Encryption, forward security for Cloudflare's Geo Key Manager, and mobile Cloud backups using SafetyPin), as well as open problems and challenges towards real-world deployment. The overall goal is to make PE more accessible to a general audience and to industry in a developer-friendly way, while also presenting new insights and results.
The presentation builds on an existing blog post with the same title (https://profet.at/blog/pe_part1/).