Hello everyone, and welcome to this virtual presentation. I'm Yao Jiang, and this is joint work with Colin, Gareth, and Kristian. This talk is about defining new and stronger security properties for updatable encryption and constructing secure and efficient updatable encryption schemes. I will first talk about what updatable encryption is and offer a motivational example to show a use case of updatable encryption. Then I will discuss two interesting problems of updatable encryption. The first is about understanding the security properties for updatable encryption. The second is about constructing efficient and secure updatable encryption schemes.
Let's consider a cloud problem. A cloud user, Alice, wishes to outsource some data to the cloud storage provider. She has a key k0, which can be used to encrypt data. Alice encrypts data locally and sends the ciphertext to the cloud. The cloud will store this ciphertext. However, Alice might lose her key at some point. The adversary who has this key and the ciphertext stored in the cloud could recover the encrypted data. The standard technique for mitigating key compromise is to regularly rotate the encryption keys. That is, generate new ones and switch the ciphertext to encryption under the new keys. A cloud user can do a key rotation by downloading, decrypting, re-encrypting, and re-uploading. It is a very expensive approach.
Updatable encryption provides a solution that allows the cloud to update ciphertext from an old key to a new key. The cloud user generates an update token and sends it to the cloud. The cloud server uses this update token to update ciphertext. The cloud user will delete the old key and the token when she sends out the update token. A cloud server will delete all the old ciphertext and the update token after it has finished all the updates. It is reasonable to expect that fresh encryptions, updated ciphertexts, and the tokens shouldn't reveal anything about plaintext to an adversary.
The use case of updatable encryption appears promising. We also want security for updatable encryption, and it is natural to consider confidentiality and integrity. Before defining a security notion for updatable encryption, it is crucial to consider what an attacker can possibly do. Security notions for updatable encryption have been considered by prior work. In our paper, we present a new security notion that implies all previous existing notions, and it is strictly stronger. Apart from security, efficiency is another important element to consider for updatable encryption schemes. A modern database may contain large numbers of files where the users make fresh encryptions and the server updates ciphertexts for millions of users. Encryption and update must therefore be efficient.
In a security game, the environment provided by the challenger attempts to give as much power as possible to an adversary. The adversary may corrupt keys and tokens. The adversary may ask for ciphertexts stored in the cloud. This is information the adversary can directly obtain. Additionally, the adversary can infer some information using known knowledge. For example, if the adversary knows two continuous keys, key 5 and key 6, then she can compute the update token, token 6. When we consider the win condition of a security game, we should consider all knowledge known to the adversary, because the adversary might apply this information to trivially win the game.
In terms of the confidentiality property, let's consider an example: a journalist who stores a contact list with a cloud storage provider. Ten years ago, she used a key k0 to encrypt contact information. This year, she changes the old key to a new key k1. The cloud server will help her update all past encrypted contact information to new ciphertexts. The journalist continues storing contact information in the cloud under the new key. At some point, the storage is compromised and an adversary obtains all ciphertexts.
It is desirable that the ciphertexts don't reveal if they were recently added. That is, it must be hard to decide if some ciphertext was recently created or if it has been updated from a ciphertext stored in an earlier epoch period.
Confidentiality notions have been studied in prior work. Lehmann and Tackmann introduced two notions for UE schemes: IND-ENC and IND-UPD. The IND-ENC notion states that an adversary shouldn't be able to determine anything about the underlying plaintext of a given ciphertext. In the IND-ENC game, the adversary sends two messages as the input of a challenge query. The challenger randomly draws a coin b and responds with a fresh encryption of m_b as the challenge ciphertext. Eventually, the adversary guesses the value of b. If she guesses correctly, she wins the security game. The IND-UPD notion states that an adversary shouldn't be able to tell which ciphertext a currently given ciphertext was updated from. In the IND-UPD game, different from the IND-ENC game, the adversary sends two ciphertexts from the previous epoch as the input of a challenge query. The challenger responds with an updated ciphertext of c_b as the challenge ciphertext. Again, the adversary guesses the value of b. If she guesses correctly, she wins the security game. Note that neither of the above two notions captures our generalized motivational example.
Now we have a question. Can we find a security notion that ensures that a freshly created ciphertext is indistinguishable from an updated ciphertext? In our work, we introduce a new security notion for UE schemes. We call it IND-UE. In this game, the adversary sends a message and a ciphertext from the previous epoch as the input of a challenge query. The challenger responds with either a fresh encryption of message m or an updated ciphertext of c as the challenge ciphertext. The adversary's task is to guess whether the challenge ciphertext is a freshly created or an updated ciphertext.
Note that a scheme that leaks the epoch number of the original upload can be IND-ENC and IND-UPD, but not IND-UE.
Ciphertext integrity for updatable encryption schemes has been studied in the work of Klooß et al. In the INT-CTXT game, an adversary attempts to provide a valid new ciphertext to the challenger. The challenger will evaluate if it is new and decrypts to a valid message. If so, the adversary wins the ciphertext integrity game. For symmetric encryption, there is a well-known composition result: the combination of CPA security and ciphertext integrity gives CCA security. Does this result apply to updatable encryption? We will show this is true in our work.
Now we look at some relations among our new notion and the previous notions for UE schemes. We prove that our new notion implies the IND-ENC and IND-UPD notions. But even the combination of the IND-ENC and IND-UPD notions doesn't imply our new notion, which means our new notion is strictly stronger even than combinations of prior notions. This result holds both in the randomized and deterministic update settings under chosen plaintext attack and chosen ciphertext attack. In our work, we also prove that the generic composition result is correct for UE schemes.
Next, we present a new and highly efficient construction of UE schemes that we collectively call SHINE. Our scheme is based on a random-looking permutation π combined with an exponentiation map in a cyclic group. There are three variants of SHINE schemes. For convenience, we only show the construction idea. The encryption algorithm runs one permutation and one exponentiation. The decryption runs the exponentiation first and then runs the inverse of the permutation, while updating a ciphertext simply requires one exponentiation using the update token. The update token is the quotient of the current epoch key and the previous epoch key.
After a simple computation, the output of the update algorithm is a valid updated ciphertext, which decrypts to the same underlying message as the older ciphertext using the new epoch key.
The security proof is not that simple. Please refer to our paper for the details. I now present a high-level understanding of how the proof works. We use a method called the firewall technique, which partitions epoch sets into segments. We define a pair of firewalls as follows: no key inside the firewalls is corrupted. Tokens on the firewalls are not corrupted. All tokens inside the firewalls are corrupted. We also call the epochs within a pair of firewalls an insulated region. In this example, key 2, key 5, key 6 and token 4 are corrupted. Hence, epoch 3 and epoch 4 are a pair of firewalls. The insulated region includes epoch 3 and epoch 4. Firewalls have the property that they can be used to separate keys, tokens and ciphertexts. As a consequence, cryptographic information within each insulated region is linked, and information inside and outside of each insulated region is independent of each other.
Now we go back to our security proof. We will use the firewall technique to play hybrid games and embed the challenge in the i-th insulated region. We now provide an overview to show how the hybrid argument works. In the initial game, the game responds to the adversary with challenges all in the left sense. In particular, TW means that if the adversary asks for a challenge ciphertext in epoch 2 or 6 or 7, etc., the trivial win condition is triggered and the adversary trivially loses the security game. In the first game, the game responds with challenges in the right sense in the first insulated region. To the right of the first insulated region, the game responds with challenges in the left sense. In the second game, to the left of the second insulated region, the game responds with challenges in the right sense. To the right of the second insulated region, the game responds with challenges in the left sense.
The hybrid games continue, and in the end game, the game responds to the adversary with challenges all in the right sense. Now we have finished moving left to right across the epoch space. We further construct a reduction playing the DDH experiment in each hybrid to bound the advantage of each hybrid game by the DDH advantage, and have the result that SHINE is detIND-UE-CPA secure.
To achieve the ciphertext integrity of our UE scheme, we pad a big zero block in the encryption. The decryption algorithm will check if the permutation output ends with the zero block. If not, the input is an invalid ciphertext. The probability that an adversary can create a new valid ciphertext is negligible. Now we have that SHINE is INT-CTXT secure. Combining this with the generic composition result, we have that SHINE is detIND-UE-CCA secure.
In the table on this slide, we provide a comparison of security between our new schemes and those from prior literature. The security results shown in this table are the best possible security results that each UE scheme can achieve. Note that all three variants of our SHINE schemes achieve CCA security and CTXT security.
In the table on this slide, we present a comparison of ciphertext expansion and efficiency between our new schemes and those from prior literature. SHINE0 is for small messages, MirrorSHINE is for medium-sized messages and OCBSHINE is for arbitrarily large messages. SHINE0[CPA] is SHINE0 with a zero-length integrity tag. Our UE schemes are at least twice as fast as any previous schemes in terms of computation on each message block. As an aside, for a cloud server that stores a vast number of files, it is desirable to construct UE schemes that can minimize the ciphertext expansion rate. At the same time, a client might want to upload huge files, such as images or videos. It is desirable to construct UE schemes that can encrypt arbitrarily large files.
Our OCBSHINE is suitable for encrypting arbitrarily large files with almost no ciphertext expansion. Compared to BLMR+, which also supports encryption of arbitrary-sized messages, our OCBSHINE has stronger security.
Now I conclude with our contributions. We introduce a new security notion, IND-UE, for UE schemes. We prove that our new notion implies prior notions, and it is strictly stronger. We also demonstrate the generic composition result for UE schemes. Combining these relation results, we have a nice diagram showing the relations among all existing security notions for UE schemes. Our second major contribution is designing a new fast updatable encryption scheme, SHINE. It achieves both CCA and CTXT security for UE schemes. We also further the understanding of schemes with deterministic update mechanisms, and show how to use the firewall technique to prove security for UE. Thank you for your attention, and that is the end of my talk.
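
The construction idea described in the talk (permute, exponentiate, update with the key quotient, reject when the zero block is missing), as an added example that is not code from the talk or the paper. The group (quadratic residues modulo the RFC 2409 Oakley Group 1 prime), the 4-round SHAKE-256 Feistel standing in for the random-looking permutation, the block sizes and all function names are assumptions chosen for illustration.

```python
import hashlib, secrets
# RFC 2409 Oakley Group 1 safe prime: P = 2Q + 1, Q prime (group choice is an assumption).
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2                      # order of the subgroup of quadratic residues
HALF, NONCE, ZEROS, MSG = 47, 16, 16, 62   # 94-byte block = nonce | message | zero block

def _f(rnd, half):                    # Feistel round function built from SHAKE-256
    data = bytes([rnd]) + half.to_bytes(HALF, "big")
    return int.from_bytes(hashlib.shake_256(data).digest(HALF), "big")

def perm(block, inverse=False):       # toy stand-in for the random-looking permutation
    l, r = int.from_bytes(block[:HALF], "big"), int.from_bytes(block[HALF:], "big")
    for i in (range(3, -1, -1) if inverse else range(4)):
        l, r = (r ^ _f(i, l), l) if inverse else (r, l ^ _f(i, r))
    return l.to_bytes(HALF, "big") + r.to_bytes(HALF, "big")

def to_group(block):                  # permute, then embed [1, Q] into the subgroup
    x = int.from_bytes(perm(block), "big") + 1
    return x if pow(x, Q, P) == 1 else P - x

def from_group(y):                    # inverse embedding; None if outside the block range
    x = (y if y <= Q else P - y) - 1
    ok = 0 <= x < (1 << 16 * HALF)
    return perm(x.to_bytes(2 * HALF, "big"), inverse=True) if ok else None

def keygen():
    return secrets.randbelow(Q - 1) + 1
def token(k_old, k_new):              # quotient of the new and old epoch keys
    return k_new * pow(k_old, -1, Q) % Q
def enc(k, msg):                      # one permutation, one exponentiation
    if len(msg) != MSG:
        raise ValueError("message must be exactly MSG bytes")
    return pow(to_group(secrets.token_bytes(NONCE) + msg + bytes(ZEROS)), k, P)
def upd(tok, c):                      # server side: one exponentiation, no plaintext
    return pow(c, tok, P)
def dec(k, c):                        # exponentiate with 1/k, then invert the permutation
    block = from_group(pow(c, pow(k, -1, Q), P))
    if block is None or block[-ZEROS:] != bytes(ZEROS):
        return None                   # zero block missing: invalid ciphertext
    return block[NONCE:-ZEROS]

def demo():                           # constructed sample message, two epochs
    k0, k1 = keygen(), keygen()
    m = b"contact: source@example.org".ljust(MSG)
    c1 = upd(token(k0, k1), enc(k0, m))
    return dec(k1, c1) == m, dec(k0, c1), dec(k1, c1 * 4 % P)
```

`demo()` returns whether the updated ciphertext decrypts under the new key, followed by the results of decrypting it under the old key and of decrypting a modified ciphertext, both of which are rejected.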