Hello everyone and welcome to this virtual presentation, I'm Yao Jiang. This talk is about analyzing the security notions based on uni- and bidirectional updates and constructing a post-quantum updatable encryption scheme. I will first talk about what updatable encryption is and offer a motivational example to show a use case of updatable encryption. Let's consider a cloud problem. A cloud user Alice wishes to outsource some data to the cloud storage provider. She has a key K0 which can be used to encrypt data. Alice encrypts the data locally and sends the ciphertext C0 to the cloud. The cloud will store this ciphertext. However, Alice's key might become compromised. The adversary who has this key and the ciphertext stored in the cloud could recover the encrypted data. The standard technique for mitigating key compromise is to regularly rotate the encryption keys. That is, generate new ones and switch the ciphertext to encryption under the new keys. A cloud user can do key rotation by downloading, decrypting, re-encrypting and uploading its data. This is a very expensive approach. Updatable encryption provides a solution that allows the cloud to update ciphertexts from an old key to a new key. The cloud user generates an update token and sends it to the cloud. The cloud server uses this update token to update ciphertexts. The cloud user will delete the old key and the token when she sends out the update token. An honest cloud server will delete all the old ciphertexts and the update token after it has finished all the updates. It is reasonable to expect that fresh encryptions, updated ciphertexts and the tokens shouldn't reveal anything about plaintexts to an adversary. The time period when a key is valid is called an epoch. An updatable encryption scheme operates in epochs. The update token can be used to move ciphertexts from epoch i to epoch i plus 1.
The main benefit of using an updatable encryption scheme is that it offers an efficient way for key rotation, where an update token can be used to update ciphertexts. However, this property is a double-edged sword. The update token can potentially be used to derive ciphertexts and keys in the adjacent epochs and leak additional information. If an updatable encryption scheme has unidirectional key updates, the update token can be used to infer the new key from the old key. It can't be used to derive the old key from the new key. If an updatable encryption scheme has unidirectional ciphertext updates, the update token can only move ciphertexts from the old key to the new key, but not vice versa. If an updatable encryption scheme has bidirectional key updates, the update token can both upgrade and downgrade keys. If an updatable encryption scheme has bidirectional ciphertext updates, the update token can be used to move ciphertexts from the old key to the new key and vice versa. Intuitively, UE schemes with unidirectional updates are desirable. Such schemes leak less ciphertext and key information to an adversary compared to schemes with bidirectional updates. Now we have a question. Are unidirectional updates better? We will show that the security of UE schemes is not influenced by unidirectional updates. In this work, we define a new update setting for UE schemes. That is the no-directional key update setting. In the no-directional key update setting, the update token cannot be used to derive keys. It seems that UE schemes with no-directional key updates are the best, since they leak no additional key information. We will show that the no-directional key update variant of a security notion is strictly stronger than the uni- and bidirectional update variants of the same security notion. Confidentiality notions have been studied in prior work. Boyd et al. introduced a security notion for UE schemes, which is IND-UE.
This security notion is defined by using an experiment that is run between an adversary and a challenger. In the IND-UE game, the adversary may send a number of oracle queries. At some time, the adversary sends a message and a ciphertext in the previous epoch as an input to a challenge query. The challenger randomly flips a coin B and responds with either a fresh encryption of message M, or an updated ciphertext of C, as the challenge ciphertext. Eventually, the adversary guesses the value of B. The adversary's task is to guess whether the challenge ciphertext is freshly created or an update of the previously provided ciphertext. At the end of an experiment, the challenger evaluates whether or not the adversary wins. If a trivial win condition was triggered, the adversary will always lose. Now we look at how the adversary can trivially win a security game. Here we only discuss one trivial win condition. For the analysis of all trivial win conditions, please refer to our paper for the details. Recall that the update tokens can be used to gain more information, which provides the adversary more power. In this toy example, token 2, token 4, key 2, key 3, key 5 and key 6 are corrupted. C1 and C4 are known to the adversary. The adversary can use these values to infer additional information. Assume the UE scheme has unidirectional updates, then the adversary can infer key 4 from key 3 and token 4, infer token 6 from key 5 and key 6, infer key 2 from key 1 and token 2. If the UE scheme has bidirectional updates, the adversary can infer the values above and infer key 1 from key 2 and token 2, infer key 3 from key 4 and token 4. Notice that the adversary can use key 4 to decrypt C4 to trivially win a security game, no matter whether the update setting of the UE scheme is uni- or bidirectional. Note that security notions defined in prior work were designed for bidirectional updates. No security notion was introduced in the unidirectional update setting. We now define six variants of confidentiality notions.
These six variants are a combination of three versions of key updates and two versions of ciphertext updates. Security notions for UE schemes with unidirectional updates are included. The games for these six variants are the same. The adversary and the challenger behave the same. The only change is how the challenger evaluates the trivial win conditions. The trivial wins depend on the update settings. For example, in bidirectional update settings, the adversary gains more information and it seems more likely for the adversary to trigger the trivial win conditions. We will show that in any security game, if the trivial win conditions in the bidirectional update settings are triggered, then the same trivial win conditions in the unidirectional update settings would be triggered as well. As a result, security notions with unidirectional and bidirectional updates are equivalent. Integrity notions for updatable encryption schemes have been studied in the work of Klooß et al. In the integrity game, an adversary attempts to provide a valid new ciphertext to the challenger. The challenger will evaluate if it is new and decrypts to a valid message. If so, the adversary wins the integrity game. Note that if a trivial win condition was triggered, the adversary will always lose. We can similarly analyze the trivial wins for integrity notions as we did for confidentiality notions. The details are shown in our paper. We again define six variants of integrity notions. Similarly, the integrity games for these six variants are the same. The only change is how the challenger evaluates the trivial win conditions. Now we present relations among six variants of the same security notion for UE schemes. We prove that confidentiality or integrity notions with unidirectional and bidirectional updates are equivalent. But security notions with no-directional key updates are strictly stronger. Recall that the games for six variants of the same security notion are the same.
The only difference is how the challenger evaluates the trivial win conditions. To prove that security notions with uni- and bidirectional updates are equivalent, it is equivalent to prove that in any security game, if the trivial wins in the bidirectional update settings are triggered, then the same trivial win conditions in the unidirectional update settings would be triggered as well. Let's look at some motivating examples, which help us understand this relationship and present the proof idea. Consider a confidentiality game, where we have an adversary against some variant of the confidentiality game for a UE scheme. We reuse the corruption example presented before. Information in the red and pink boxes is revealed to the adversary, no matter whether the updates are uni- or bidirectional. Information in the orange boxes is revealed to the adversary only with bidirectional updates. Notice that in both uni- and bidirectional update settings, the adversary can trivially win the confidentiality game if it asks for one of C1 to C6, and the adversary will not trivially win the confidentiality game if it asks for none of C1 to C6. For example, if the adversary asks for C1, it can infer C2 by the knowledge of token 2. If it knows C2, then it can use K2 to decrypt C2 and know the underlying plaintext to trivially win a confidentiality game. Hence, the adversary can trivially win a confidentiality game if it asks for C1 or C2. This result holds for both uni- and bidirectional update settings. Similarly, we can consider C3, C4, and C5, C6. This example implies that in a confidentiality game, the adversary either triggers trivial win conditions in both uni- and bidirectional update settings or never triggers trivial win conditions in either setting. This means that UE schemes with unidirectional updates don't provide more security than UE schemes with bidirectional updates.
Then we look at the same corruption action, but in the no-directional key update setting and unidirectional ciphertext update setting. In this example, the adversary cannot trivially win the confidentiality game with this action. Recall that the adversary can trivially win the confidentiality game with this action if the update setting is uni- or bidirectional. This example implies that the security notions with no-directional key updates are strictly stronger. Similarly, we can consider the integrity games. Please refer to our paper for the details. We will now discuss our post-quantum secure UE construction. In the table on this slide, we provide a comparison of UE schemes from prior literature. BLMR is an application of key-homomorphic PRFs. However, the encrypted nonce in the ciphertext can be decrypted by an update token, which makes it impossible for BLMR to achieve IND-UE security. The security of RISE, NYUAE, Encrypt-and-MAC and SHINE is based on hard problems in the classical setting. They cannot achieve post-quantum security. The question mark represents that we have not proved the security result for NYUAE and Encrypt-and-MAC. We believe these security results are true. Notice that existing ciphertext-independent UE schemes are either vulnerable to quantum computers or not able to achieve IND-UE security. In this work, we also want to solve the problem of finding a post-quantum secure UE scheme. We now introduce our updatable encryption scheme LWEUE, which is parameterized by an LWE-based PKE scheme. We use the encryption and decryption algorithms of the PKE scheme to encrypt the message and decrypt ciphertexts. The update token is the difference over two continuous secret epoch keys. To update ciphertexts, LWEUE uses a re-randomization that is similar to the idea of RISE in the work by Lehmann and Tackmann. The update algorithm uses the update token to update ciphertexts from an older one to a new one.
More precisely, the update algorithm first moves the ciphertext from the older key to the new key. This newly created mid-term ciphertext is a valid ciphertext under the new epoch key. However, the mid-term ciphertext may not be independent from the older ciphertext, which is not enough to provide the security for the desired UE scheme. That is why we want to do re-randomization. The update algorithm re-randomizes the mid-term ciphertext to a fresh new ciphertext by adding a random ciphertext which is an encrypted ciphertext of the zero element. The final output of the update algorithm is a valid updated ciphertext and is a random ciphertext, which ensures the security of this UE scheme. Notice that errors in updated ciphertexts increase when they are updated. Since the total number of epochs will be a comparatively small integer in practice, errors in updated ciphertexts will not grow too big and the decryption will be correct with overwhelming probability. We also have the result that LWEUE is randIND-UE-CPA secure. The security proof is not that simple. It includes a lot of technical problems. Please refer to our paper for the details. Now I conclude our contributions. We introduced six variants of security notions for UE schemes. They are a combination of three versions of key updates and two versions of ciphertext updates. We proved that our security notions with uni- and bidirectional updates are equivalent. When we analyze the security, we can see that bi- and unidirectional UE schemes are the same. The security will not be influenced by the update direction. This means that UE schemes with unidirectional updates will not provide more security than UE schemes with bidirectional updates. This is a surprising result. We also demonstrated that security notions with no-directional key updates are strictly stronger. Our second major contribution is designing a post-quantum secure UE scheme. There are two open problems remaining to be considered.
The first one is to construct UE schemes with no-directional key updates. Whether such a UE scheme exists is unknown to us as well. The second open problem is finding UE schemes with chosen-ciphertext post-quantum security. Thank you for your attention and that is the end of my talk.