Date post: 14-Aug-2020
Key Regression: Enabling Efficient Key Distribution for Secure Distributed Storage

Kevin Fu, U. Mass. Amherst

Seny Kamara, Johns Hopkins University

Tadayoshi Kohno, U.C. San Diego

Abstract

The Plutus file system introduced the notion of key rotation as a means to derive a sequence of temporally-related keys from the most recent key. In this paper we show that, despite natural intuition to the contrary, key rotation schemes cannot generically be used to key other cryptographic objects; in fact, keying an encryption scheme with the output of a key rotation scheme can yield a composite system that is insecure. To address these shortcomings, we introduce a new cryptographic object called a key regression scheme, and we propose three constructions that are provably secure under standard cryptographic assumptions. We implement key regression in a secure file system and empirically show that key regression can significantly reduce the bandwidth requirements of a content publisher under realistic workloads using lazy revocation. Our experiments also serve as the first empirical evaluation of either a key rotation or key regression scheme.

Keywords: Key regression, key rotation, lazy revocation, key distribution, content distribution network, hash chain, security proofs.

1 Introduction

Content distribution networks (CDNs) such as Akamai [3], BitTorrent [14], and Coral [20] enable content publishers with low-bandwidth connections to make single-writer, many-reader content available at high throughput. When a CDN is untrusted and the content publisher cannot rely on the network to enforce proper access control, the content publisher can achieve access control by encrypting the content and distributing the cryptographic keys to legitimate users [22, 25, 30, 32, 39, 42].

Under the lazy revocation model for access control [22, 32], following the eviction of a user from the set of members, the content publisher will encrypt future content with a new cryptographic key and will, upon request, distribute that new key to all remaining and future members. The content publisher does not immediately re-encrypt all pre-existing content since the evicted member could have already cached that content.

The content publisher can use the CDN to distribute the encrypted content, but without the aid of a trusted server, the content publisher must distribute all the cryptographic keys to members directly. To prevent the publisher's connection from becoming a bottleneck, the Plutus file system [32] introduced a new cryptographic object called a key rotation scheme. Plutus uses the symmetric key $K_i$ to encrypt content during the $i$-th time period, e.g., before the $i$-th eviction. If a user becomes a member during the $i$-th time period, then Plutus gives that member the $i$-th key $K_i$. From [32], the critical properties of a key rotation scheme are that given the $i$-th key $K_i$ it is (1) easy to compute the keys $K_j$ for all previous time periods $j < i$, but (2) computationally infeasible to compute the keys $K_l$ for future time periods $l > i$. Property (1) enables the content publisher to transfer only a single small key $K_i$ to new members wishing to access all current and past content, rather than the potentially large set of keys $\{K_1, K_2, \ldots, K_i\}$; this property reduces the bandwidth requirements on the content publisher. Property (2) is intended to prevent a member evicted during the $i$-th time period from accessing (learning the contents of) content encrypted during the $l$-th time period, $l > i$.

1.1 Overview of contributions

In this work we uncover a design flaw with the definition of a key rotation scheme. To address the deficiencies with key rotation, we introduce a new cryptographic object called a key regression scheme. We present RSA-based, SHA1-based, and AES-based key regression schemes. We implement and analyze the performance of key regression in the context of a secure file system. The following paragraphs summarize our contributions in more detail.

Figure 1. Key regression overview; $stp_i$ and $stm_i$ respectively represent the $i$-th publisher and member states. (Diagram not reproduced.)

Negative results on key rotation. We begin by presenting a design flaw with the definition of key rotation: for any realistic key rotation scheme, even though a member evicted during the $i$-th time period cannot predict (except with negligible probability) subsequent keys $K_l$, $l > i$, the evicted member can distinguish subsequent keys $K_l$ from random. The lack of pseudorandomness follows from the fact that if an evicted member is given the real key $K_l$, then by definition (i.e., by property (1)) the evicted member can recover the real key $K_i$; but given a random key instead of $K_l$, the evicted member will with high probability recover a key $K'_i \neq K_i$. The difference between unpredictability and lack of pseudorandomness can have severe consequences in practice. To illustrate the seriousness of this design flaw, we describe a key rotation scheme and a symmetric encryption scheme that individually meet their desired security properties (property (2) for key rotation and IND-CPA privacy for symmetric encryption [7]), but when combined (e.g., when a content publisher uses the keys from the key rotation scheme to key the symmetric encryption scheme) result in a system that fails to provide even a weak form of privacy.¹

Fixing key rotation with key regression. While the above counter example does not imply that all systems employing key rotation will fail just as drastically, it does motivate finding a key rotation-like object that still achieves property (1) (or something similar) but (property (2′)) produces future keys that are pseudorandom to evicted members (as opposed to just unpredictable). Assuming the new object achieves pseudorandomness, one could use it as a black box to key other cryptographic constructs without worrying about the resulting system failing as drastically as the one described above. A key regression scheme is such a key rotation-like object.

To describe key regression, we must enact a paradigm shift: rather than give a new member the $i$-th key $K_i$ directly, the content publisher would give the member a member state $stm_i$. From the member state, the member could derive the encryption key $K_i$ for the $i$-th time period, as well as all previous member states $stm_j$, $j < i$. By transitivity, a member given the $i$-th member state could also derive all previous keys $K_j$. By separating the member states from the keys, we can build key regression schemes where the keys $K_l$, $l > i$, are pseudorandom to evicted members possessing only the $i$-th member state $stm_i$. Intuitively, the trick that we use in our constructions to make the keys $K_l$ pseudorandom is to ensure that given both $K_l$ and $stm_i$, it is still computationally infeasible for the evicted member to compute the $l$-th member state $stm_l$. Viewed another way, there is no path from $K_l$ to $stm_i$ in Figure 1 and vice-versa.

¹ We stress that the novelty here is in identifying the design flaw with key rotation, not in presenting a specific counter example. Indeed, the counter example follows naturally from our observation that a key rotation scheme does not produce pseudorandom keys.

Our constructions. We refer to our three preferred key regression schemes as KR-RSA, KR-SHA1, and KR-AES. Rather than rely solely on potentially error-prone heuristic methods for analyzing the security of our constructions, we prove under reasonable assumptions that all three are secure key regression schemes. Our security proofs use the reduction-based provable security approach pioneered by Goldwasser and Micali [27] and lifted to the concrete setting by Bellare, Kilian, and Rogaway [8]. For KR-RSA, our proof is based on the assumption that RSA is one-way. For the proof of both KR-RSA and KR-SHA1, we assume that SHA1 is a random oracle [9]. For the proof of KR-AES, we assume that AES is a secure pseudorandom permutation [8, 35].

Implementation and evaluation. We integrated key regression into a secure file system to measure the performance characteristics of key regression in a real application. Our measurements show that key regression can significantly reduce the bandwidth requirements of a publisher distributing decryption keys to members. On a simulated cable modem, a publisher using key regression can distribute 1 000 keys to 181 clients/sec whereas without key regression the cable modem limits the publisher to 20 clients/sec. The significant gain in throughput conservation comes at no observable cost to client latency, even though key regression requires more client-side computation. Our measurements show that key regression actually reduces client latency in cases of highly dynamic group membership. Our study represents the first empirical measurements of either a key regression or key rotation scheme.

Contrary to conventional wisdom, on our testbed we find that KR-AES can perform more than four times as many unwinds/sec as KR-SHA1. Our measurements can assist developers in selecting the most appropriate key regression scheme for particular applications.

Applications. Key regression benefits publishers of popular content who have limited bandwidth to their trusted servers, or who may not always be online, but who can use an untrusted CDN to distribute encrypted content at high throughput. Our experimental results show that a publisher using key regression on a low-bandwidth connection can serve more clients than the strawman approach of having the publisher distribute all keys $\{K_1, K_2, \ldots, K_i\}$ directly to members. Moreover, our experimental results suggest that key regression can be significantly better than the strawman approach when $i$ is large, as might be the case if the publisher has a high membership turnover rate. Such a publisher might be an individual, a startup, or a cooperative with popular content but with few network resources. The possibilities for such content range from blogs and amateur press to operating systems and various forms of multimedia. To elaborate on one such form of content, operating systems, Mandriva Linux currently uses the BitTorrent CDN to distribute its latest Linux distributions to its Mandriva Club members [37]. Mandriva controls access to these distributions by only releasing the .torrent files to its members. Using key regression and encryption for access control, Mandriva could exercise finer-grained access control over its distributions, allowing members through time period $i$ to access all versions of the operating system including patches, minor revisions and new applications added through time period $i$, but no additions to the operating system after the $i$-th time period.²

Versions. This is an extended abstract. The full version of this paper appears on the IACR ePrint Archive [24]. Part of this work also appears as Chapter 4 of [22].

² While Mandriva may wish to exercise access control over non-security-critical patches and upgrades, Mandriva would likely wish to allow all Mandriva users, including evicted Mandriva Club members, access to all security-critical patches. To enable such access, Mandriva could encrypt all security-critical patches with the key for the time period to which the patch is first applicable, or Mandriva could simply not encrypt security-critical patches.

1.2 Related work

The key rotation scheme in Plutus [32] inspired our research in key regression. Bellare and Yee [10] introduce the notion of a forward-secure pseudorandom bit generator (FSPRG). One can roughly view forward-secure pseudorandom bit generation as the mirror image of key regression. Whereas a key regression scheme is designed to prevent an evicted member in possession of $stm_i$ from distinguishing subsequent encryption keys $K_l$, $l > i$, from random, a FSPRG is designed to prevent an adversary who learns the state of the FSPRG at some point in time from distinguishing previous outputs of the FSPRG from random. In our security proof for KR-AES, we make the relationship between key regression and FSPRGs concrete by first proving that one can build a secure key regression scheme from any secure FSPRG by essentially running the FSPRG backwards. Abdalla and Bellare formally analyze methods for rekeying symmetric encryption schemes [1], and one of their constructions is a FSPRG.

As pointed out by Boneh et al. [13], one possible mechanism for distributing updated content encryption keys for a secure file system is to use a broadcast encryption scheme [17, 18, 19, 40]. Indeed, one of the main challenges faced by an encrypted file system is the distribution of the encryption keys to the remaining (not evicted) set of users, and broadcast encryption provides an ideal solution. We note, however, that key distribution is orthogonal to the specific problem addressed by key regression; a key regression scheme is a key generation algorithm as opposed to a key distribution algorithm. Key regression simply assumes the existence of a secure distribution channel, of which broadcast encryption is one possible instantiation. Self-healing key distribution with revocation [48] protocols are resilient even when broadcasts are lost on the network. One can view key regression as having the self-healing property in perpetuity.

In concurrent work, and also motivated by the key rotation scheme in Plutus [32], Backes, Cachin, and Oprea formalize the notion of key-updating for lazy revocation schemes [6] and consider the composition of key-updating for lazy revocation schemes with other cryptographic objects [5]. The notion of a key-updating for lazy revocation scheme in [6] is essentially identical to our notion of a key regression scheme. Using our parlance, in [6] they also propose several ways of building key regression schemes; one of their proposals is identical to our KR-PRG construction (Construction 7.3), and another proposal is a natural extension of our construction KR-RSA-RO (Construction 10.1). Although we remark on the existence of a tree-based key regression scheme in Section 5, [6] take the idea of a tree-based key regression scheme further by formally defining and proving the security of a slightly different tree-based construction. In [6] the authors also observe that one can use the keys output by a key regression scheme as the randomness source for the setup algorithm of a (possibly different) key regression scheme; this observation enables the composition of multiple key regression schemes.

2 Notation

If $x$ and $y$ are strings, then $|x|$ denotes the length of $x$ in bits and $x \| y$ denotes their concatenation. If $x$ and $y$ are two variables, we use $x \leftarrow y$ to denote the assignment of the value of $y$ to $x$. If $Y$ is a set, we denote the selection of a random element in $Y$ and its assignment to $x$ as $x \xleftarrow{\$} Y$. If $f$ is a deterministic (resp., randomized) function, then $x \leftarrow f(y)$ (resp., $x \xleftarrow{\$} f(y)$) denotes the process of running $f$ on input $y$ and assigning the result to $x$. We use the special symbol $\bot$ to denote an error.

We use $\mathrm{AES}_K(M)$ to denote the process of running the AES block cipher with key $K$ on input block $M$. We use $\mathrm{SHA1}(M)$ to denote the process of running the SHA1 hash function on input $M$. An RSA [43] key generator for some security parameter $k$ is a randomized algorithm $\mathcal{K}_{rsa}$ that returns a triple $(N, e, d)$. Since our analyses are in the concrete setting, we write $(N, e, d) \xleftarrow{\$} \mathcal{K}_{rsa}$ rather than $(N, e, d) \xleftarrow{\$} \mathcal{K}_{rsa}(k)$. The modulus $N$ is the product of two distinct odd primes $p, q$ such that $2^{k-1} \le N < 2^k$; the encryption exponent $e \in \mathbb{Z}^*_{\varphi(N)}$ and the decryption exponent $d \in \mathbb{Z}^*_{\varphi(N)}$ are such that $ed \equiv 1 \bmod \varphi(N)$, where $\varphi(N) = (p-1)(q-1)$. Section 10 describes what it means for an RSA key generator to be one-way.

3 Problems with key rotation

A key rotation scheme [32] consists of three algorithms: setup, wndkey, and unwndkey. Figure 2 shows the original (RSA-based) Plutus key rotation scheme [32]. Following Plutus, and as Naor, Shenhav, and Wool also observe [41], one familiar with hash chains [34] and S/KEY [29] might design the key rotation scheme in Figure 3. Such a scheme is more efficient than the scheme in Figure 2, but is limited because it can only produce $MW$ (“max wind”) keys, where $MW$ is a parameter chosen by the implementor or at configuration time. A content publisher runs the setup algorithm to initialize a key rotation scheme; the result is public information $pk$ for all users and a secret $sk_1$ for the content publisher. The content publisher invokes $\mathrm{wndkey}(sk_i)$ to obtain the key $K_i$ and a new secret $sk_{i+1}$. Any user in possession of $K_i$, $i > 1$, and $pk$ can invoke $\mathrm{unwndkey}(K_i, pk)$ to obtain $K_{i-1}$. Informally, the desired security property of a key rotation scheme is that, given only $K_i$ and $pk$, it should be computationally infeasible for an evicted member (the adversary) to compute $K_l$, for any $l > i$. The Plutus construction in Figure 2 has this property under the RSA one-wayness assumption (defined in Section 10), and the construction in Figure 3 has this property if one replaces SHA1 with a random oracle [9].

The problem. In Section 1 we observed that the $l$-th key output by a key rotation scheme cannot be pseudorandom, i.e., will be distinguishable from a random string, to an ex-member in possession of the key $K_i$ for some previous time period $i < l$.³ We consider the following example to emphasize how this lack of pseudorandomness might impact the security of a real system that combines a key rotation scheme and a symmetric encryption scheme as a black box.

For our example, we first present a key rotation scheme $\overline{\mathcal{KO}}$ and an encryption scheme $\overline{\mathcal{SE}}$ that individually satisfy their respective security goals (unpredictability for the key rotation scheme and IND-CPA privacy [7] for the symmetric encryption scheme). To build $\overline{\mathcal{KO}}$, we start with a secure key rotation scheme $\mathcal{KO}$; $\overline{\mathcal{KO}}$ outputs keys twice as long as $\mathcal{KO}$. The $\overline{\mathcal{KO}}$ winding algorithm $\overline{\mathrm{wndkey}}$ invokes $\mathcal{KO}$'s winding algorithm to obtain a key $K$; $\overline{\mathrm{wndkey}}$ then returns $K \| K$ as its key. On input a key $K \| K$, $\overline{\mathrm{unwndkey}}$ invokes $\mathcal{KO}$'s unwinding algorithm with input $K$ to obtain a key $K'$; $\overline{\mathrm{unwndkey}}$ then returns $K' \| K'$ as its key. If the keys output by $\mathrm{wndkey}$ are unpredictable to evicted members, then so must be the keys output by $\overline{\mathrm{wndkey}}$. To build $\overline{\mathcal{SE}}$, we start with a secure symmetric encryption scheme $\mathcal{SE}$; $\overline{\mathcal{SE}}$ uses keys that are twice as long as $\mathcal{SE}$. The $\overline{\mathcal{SE}}$ encryption and decryption algorithms take the key $K$, split it into two halves $K = L_1 \| L_2$, and run the respective algorithms of $\mathcal{SE}$ with key $L_1 \oplus L_2$. If the key $K$ is random, then the key $L_1 \oplus L_2$ is random and $\overline{\mathcal{SE}}$ runs the $\mathcal{SE}$ encryption algorithm with a uniformly selected random key. This means that $\overline{\mathcal{SE}}$ satisfies the standard IND-CPA security goal if $\mathcal{SE}$ does.

Despite the individual security of both $\overline{\mathcal{KO}}$ and $\overline{\mathcal{SE}}$, when the keys output by $\overline{\mathcal{KO}}$ are used to key $\overline{\mathcal{SE}}$, $\overline{\mathcal{SE}}$ will always run $\mathcal{SE}$ with the all-zero key; i.e., the content publisher will encrypt all content under the same constant key. An adversary can thus trivially compromise the privacy of all encrypted data, including data encrypted during time periods $l > i$ after being evicted. Although the construction of $\overline{\mathcal{KO}}$ and $\overline{\mathcal{SE}}$ may seem somewhat contrived (though we hope less contrived than some other possible counter examples), this example shows that combining a key rotation scheme and an encryption scheme may have undesirable consequences and, therefore, that it is not wise to use (even a secure) key rotation scheme as a black box to directly key other cryptographic objects.

³ Technically, there may be pathological examples where the $l$-th key is pseudorandom to a member given the $i$-th key, but these examples seem to have other problems of their own. For example, consider a key rotation scheme like the one in Figure 3, but where SHA1 is replaced with a function mapping all inputs to some constant string $C$, e.g., the all 0 key. Now set $MW = 2$, $i = 1$, and $l = 2$. In this pathological example $K_2$ is clearly random to the evicted member, meaning (better than) pseudorandom. But this construction still clearly lacks our desired pseudorandomness property since the key $K_1$ is always the constant string $C$.

Figure 2. The Plutus key rotation scheme; $\mathcal{K}_{rsa}$ is an RSA key generator.

    Alg. setup
        $(N, e, d) \xleftarrow{\$} \mathcal{K}_{rsa}$ ; $K \xleftarrow{\$} \mathbb{Z}^*_N$
        $pk \leftarrow \langle N, e \rangle$ ; $sk \leftarrow \langle K, N, d \rangle$
        Return $(pk, sk)$

    Alg. wndkey($sk = \langle K, N, d \rangle$)
        $K' \leftarrow K^d \bmod N$
        $sk' \leftarrow \langle K', N, d \rangle$
        Return $(K, sk')$

    Alg. unwndkey($K$, $pk = \langle N, e \rangle$)
        Return $K^e \bmod N$

Figure 3. A hash chain-based key rotation scheme.

    Alg. setup
        $K_{MW} \xleftarrow{\$} \{0, 1\}^{160}$ ; $pk \leftarrow \varepsilon$
        For $i = MW$ downto $2$ do $K_{i-1} \leftarrow \mathrm{SHA1}(K_i)$
        $sk \leftarrow \langle 1, K_1, \ldots, K_{MW} \rangle$
        Return $(pk, sk)$

    Alg. wndkey($sk = \langle i, K_1, \ldots, K_{MW} \rangle$)
        If $i > MW$ return $(\bot, sk)$
        $sk' \leftarrow \langle i + 1, K_1, \ldots, K_{MW} \rangle$
        Return $(K_i, sk')$

    Alg. unwndkey($K$, $pk$)    // ignore $pk$
        $K' \leftarrow \mathrm{SHA1}(K)$
        Return $K'$
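As an added example (not code from the paper, Plutus, or the authors), the following Python implements the hash-chain key rotation scheme of Figure 3 and then the KO-bar / SE-bar composition of Section 3. The names `wndkey_bar`, `unwndkey_bar`, `se_bar_effective_key`, `toy_se_encrypt`, the value MW = 8 and the hash-based stream cipher standing in for the secure scheme SE are all my assumptions. It shows that property (1) holds for the plain chain, and that the composed system keys SE with the all-zero string in every period, so an evicted member decrypts later content without any key material at all.

```python
import hashlib
import os

# Assumed "max wind" for the chain of Figure 3 (the paper leaves MW to the implementor).
MW = 8


def setup(mw=MW):
    """Figure 3 setup: pk is the empty string, sk = <1, K_1, ..., K_MW>."""
    keys = [None] * (mw + 1)            # 1-indexed so that keys[i] is K_i
    keys[mw] = os.urandom(20)           # K_MW <-$ {0,1}^160
    for i in range(mw, 1, -1):          # for i = MW downto 2: K_{i-1} <- SHA1(K_i)
        keys[i - 1] = hashlib.sha1(keys[i]).digest()
    return b"", (1, keys)


def wndkey(sk):
    """Figure 3 wndkey: (K_i, sk') or (None, sk) once MW keys have been produced."""
    i, keys = sk
    if i > len(keys) - 1:
        return None, sk                 # (bottom, sk)
    return keys[i], (i + 1, keys)


def unwndkey(k, pk=b""):
    """Figure 3 unwndkey: K_{i-1} = SHA1(K_i); pk is ignored."""
    return hashlib.sha1(k).digest()


def unwind_to(k_i, i, j):
    """Property (1): recover K_j (j <= i) from K_i with i - j unwinds."""
    k = k_i
    for _ in range(i - j):
        k = unwndkey(k)
    return k


# KO-bar (assumed name): wraps the chain and outputs K||K. Still unpredictable to
# an evicted member, because predicting K||K means predicting K.
def wndkey_bar(sk):
    k, sk2 = wndkey(sk)
    return (None, sk2) if k is None else (k + k, sk2)


def unwndkey_bar(kk, pk=b""):
    k2 = unwndkey(kk[: len(kk) // 2])
    return k2 + k2


# SE-bar (assumed name): splits K = L1||L2 and runs SE with L1 xor L2.
def se_bar_effective_key(kk):
    half = len(kk) // 2
    return bytes(a ^ b for a, b in zip(kk[:half], kk[half:]))


def toy_se_encrypt(key, nonce, msg):
    """Constructed stand-in for SE: a SHA-256 keystream XORed onto msg (demo only)."""
    stream = b"".join(
        hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        for i in range(len(msg) // 32 + 1))
    return bytes(m ^ s for m, s in zip(msg, stream))


def composed_effective_keys(n):
    """Keys SE-bar really uses when keyed by KO-bar for periods 1..n."""
    _, sk = setup()
    out = []
    for _ in range(n):
        kk, sk = wndkey_bar(sk)
        out.append(se_bar_effective_key(kk))
    return out


def evicted_member_decrypts(nonce, ciphertext):
    """No key needed: L1 xor L2 of K||K is 0^160 in every period."""
    return toy_se_encrypt(bytes(20), nonce, ciphertext)


if __name__ == "__main__":
    _, sk = setup()
    k1, sk = wndkey(sk)
    k2, sk = wndkey(sk)
    k3, sk = wndkey(sk)
    print("property (1):", unwind_to(k3, 3, 1) == k1)
    print("all periods keyed with 0^160:",
          all(k == bytes(20) for k in composed_effective_keys(MW)))
    nonce = os.urandom(8)
    _, sk = setup()
    kk, _ = wndkey_bar(sk)
    ct = toy_se_encrypt(se_bar_effective_key(kk), nonce, b"period-1 content")
    print("evicted member reads:", evicted_member_decrypts(nonce, ct))
```

The two wrappers are each fine on their own, which is exactly the paper's point: the defect is only visible when the rotation scheme's output is fed straight into the encryption scheme, so a review that checks each component against its own definition will not catch it.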

4 Key Regression

The negative result in Section 3 motivates our quest to find a new cryptographic object, similar to key rotation, but for which the keys generated at time periods $l > i$ are pseudorandom to any adversary evicted at time $i$. Here we formalize such an object: a key regression scheme. Following the reduction-based practice-oriented provable security approach [8, 27], our formalisms involve carefully defining the syntax, correctness requirements, and security goal of a key regression scheme. These formalisms enable us to, in Sections 8–10, prove that our preferred constructions are secure under reasonable assumptions. We desire provable security over solely ad hoc analyses since, under ad hoc methods alone, one can never be completely convinced that a cryptographic construction is secure even if one assumes that the underlying components (e.g., block ciphers, hash functions, RSA) are secure.

Overview of key regression. Figure 1 gives an abstract overview of a key regression scheme. The content publisher has content publisher states $stp_i$ from which it derives future publisher and member states. When using a key regression scheme, instead of giving a new member the $i$-th key $K_i$, the content publisher would give the member the $i$-th member state $stm_i$. As the arrows in Figure 1 suggest, given $stm_i$, a member can efficiently compute all previous member states and the keys $K_1, \ldots, K_i$. Although it would be possible for an ex-member to distinguish future member states $stm_l$, $l > i$, from random (the ex-member would extend our observation on the lack of pseudorandomness in key rotation schemes), because there is no efficient path between the future keys $K_l$ and the ex-member's last member state $stm_i$, it is possible for a key regression scheme to produce future keys $K_l$ that are pseudorandom (indistinguishable from random). We present some such constructions in Section 5.

On an alternative: Use key rotation carefully. Figure 1 might suggest an alternative approach for fixing the problems with key rotation. Instead of using the keys $K_i$ from a key rotation scheme to directly key other cryptographic objects, use a function of $K_i$, like $\mathrm{SHA1}(K_i)$, instead. If one models SHA1 as a random oracle and if the key rotation scheme produces unpredictable future keys $K_l$, then it might seem reasonable to conclude that an ex-member given $K_i$ should not be able to distinguish future values $\mathrm{SHA1}(K_l)$, $l > i$, from random. While this reasoning may be sound for some specific key rotation schemes (this reasoning actually serves as the basis for our derivative of the construction in Figure 2, KR-RSA in Construction 5.3) we dislike this approach for several reasons. First, we believe that it is unreasonable to assume that every engineer will know to or remember to use the hash function. Further, even if the engineer knew to hash the keys, the engineer might not realize that simply computing $\mathrm{SHA1}(K_l)$ may not work with all key rotation schemes, which means that the engineer cannot use a key rotation scheme as a black box. For example, while $\mathrm{SHA1}(K_l)$ would work for the scheme in Figure 2, it would cause problems for the scheme in Figure 3. We choose to consider a new cryptographic object, key regression, because we desire a cryptographic object that is not as prone to accidental misuse. Additionally, by focusing attention on a new cryptographic object, we allow ourselves greater flexibility in how we construct objects that meet our requirements. For example, one of our preferred constructions (KR-AES, Construction 5.2) does not use a hash function and is therefore secure in the standard model instead of the random oracle model; see also KR-FSPRG (Construction 6.1) and KR-PRG (Construction 7.3).

4.1 Syntax and correctness requirements

Syntax. Here we formally define the syntax of a key regression scheme $\mathcal{KR} = (\mathrm{setup}, \mathrm{wind}, \mathrm{unwind}, \mathrm{keyder})$. Let $H$ be a random oracle; for notational consistency, all four algorithms are given access to the random oracle, though the algorithms for some constructions may not use the random oracle in their computations. Via $stp \xleftarrow{\$} \mathrm{setup}^H$, the randomized setup algorithm returns a publisher state. Via $(stp', stm) \xleftarrow{\$} \mathrm{wind}^H(stp)$, the randomized winding algorithm takes a publisher state $stp$ and returns a pair of publisher and member states or the error code $(\bot, \bot)$. Via $stm' \leftarrow \mathrm{unwind}^H(stm)$ the deterministic unwinding algorithm takes a member state $stm$ and returns a member state or the error code $\bot$. Via $K \leftarrow \mathrm{keyder}^H(stm)$ the deterministic key derivation algorithm takes a member state $stm$ and returns a key $K \in \mathcal{DK}$, where $\mathcal{DK}$ is the derived key space for $\mathcal{KR}$. Let $MW \in \{1, 2, \ldots\} \cup \{\infty\}$ denote the maximum number of derived keys that $\mathcal{KR}$ is designed to produce. We do not define the behavior of the algorithms when input the error code $\bot$.

Correctness. Our first correctness criterion for a key regression scheme is that the first $MW$ times that wind is invoked, it always outputs valid member states, i.e., the outputs are never $\bot$. Our second correctness requirement ensures that if $stm_i$ is the $i$-th member state output by wind, and if $i > 1$, then from $stm_i$, one can derive all previous member states $stm_j$, $0 < j < i$. Formally, let $stp_0 \xleftarrow{\$} \mathrm{setup}$ and, for $i = 1, 2, \ldots$, let $(stp_i, stm_i) \xleftarrow{\$} \mathrm{wind}^H(stp_{i-1})$. For each $i \in \{1, 2, \ldots, MW\}$, we require that $stm_i \neq \bot$ and that, for $i \ge 2$, $\mathrm{unwind}^H(stm_i) = stm_{i-1}$.

Remarks. Although we allow wind to be randomized, the wind algorithms in all of our constructions are deterministic. We allow wind to return $(\bot, \bot)$ since we only require that wind return non-error states for its first $MW$ invocations. We use the pair $(\bot, \bot)$, rather than simply $\bot$, to denote an error from wind since doing so makes our pseudocode cleaner. We allow unwind to return $\bot$ since the behavior of unwind may be undefined when input the first member state. A construction may use multiple random oracles, but since one can always obtain multiple random oracles from a single random oracle [9], our definitions assume just one. It is straightforward to modify our syntax, correctness requirements, and (subsequent) security definition to accommodate key regression schemes for which the random oracle depends on the output of setup. We stress that $MW$ is a correctness parameter of $\mathcal{KR}$, not a security parameter, meaning that even though the correctness criteria must hold for $MW$ invocations of wind, the security goal may not. One can also further generalize our definition and allow unwind and keyder to be randomized, though we do not envision such constructions in practice.

4.2 Security goal

For security, we desire that if a member (adversary) is evicted during the $i$-th time period, then the adversary will not be able to distinguish the keys derived from any subsequent member state $stm_l$, $l > i$, from randomly selected keys. Definition 4.1 captures this goal as follows. We allow the adversary to obtain as many member states as it wishes (via a WindO oracle). The WindO oracle returns only a member state rather than both a member and publisher state. Once the adversary is evicted, its goal is to break the pseudorandomness of subsequently derived keys. To model this, we allow the adversary to query a key derivation oracle KeyderO. The key derivation oracle will either return real derived keys (via internal calls to wind and keyder) or random keys. The adversary's goal is to guess whether the KeyderO oracle's responses are real derived keys or random keys.

Definition 4.1 [Security for key regression schemes.] Let KR = (setup, wind, unwind, keyder) be a key regression scheme. Let A be an adversary. Consider the experiments $\mathbf{Exp}^{\mathrm{kr}\text{-}b}_{KR,A}$, $b \in \{0, 1\}$, and the oracles WindO and KeyderO$_b$ below. The adversary runs in two stages, member and non-member, and returns a bit.

Experiment $\mathbf{Exp}^{\mathrm{kr}\text{-}b}_{KR,A}$
    Pick random oracle H
    i ← 0 ; stp ←$ setup^H
    st ←$ A^{WindO, H}(member)
    b' ←$ A^{KeyderO_b, H}(non-member, st)
    Return b'

Oracle WindO
    i ← i + 1 ; If i > MW then return ⊥
    (stp, stm) ←$ wind^H(stp)
    Return stm

Oracle KeyderO_b
    i ← i + 1 ; If i > MW then return ⊥
    (stp, stm) ←$ wind^H(stp)
    If b = 1 then K ← keyder^H(stm)
    If b = 0 then K ←$ D_K
    Return K

The KR-advantage of A in breaking the security of KR is defined as

$$\mathbf{Adv}^{\mathrm{kr}}_{KR,A} = \Pr\left[\mathbf{Exp}^{\mathrm{kr}\text{-}1}_{KR,A} = 1\right] - \Pr\left[\mathbf{Exp}^{\mathrm{kr}\text{-}0}_{KR,A} = 1\right].$$

Under the concrete security approach [8], we say that KR is KR-secure if for any adversary A attacking KR with resources (running time, size of code, number of oracle queries) limited to "practical" amounts, the KR-advantage of A is "small."

Remarks. Since the publisher is in charge of winding and is not supposed to invoke the winding algorithm more than the prescribed maximum number of times, $MW$, the WindO and KeyderO oracles in our security definition only respond to the first $MW$ queries from the adversary. Alternatively, we could remove the conditional check for $i > MW$ in the pseudocode for WindO and KeyderO and instead ask that the underlying wind algorithm behave appropriately if invoked more than $MW$ times, e.g., by maintaining the counter internally.

Since a key regression scheme will have multiple recipients of member keys, we must consider coalitions of adversaries; i.e., can two or more adversaries collude to obtain additional information? Because of the property that given any member state one can derive all previous member states, multiple colluding adversaries cannot obtain more information than a single adversary who makes the most WindO and KeyderO oracle queries. In addition to desiring that future derived keys be pseudorandom to evicted members, we desire that all the derived keys be pseudorandom to adversaries that are never members. If a key regression scheme is secure under Definition 4.1, then the key regression scheme also satisfies this weaker security goal since one can view adversaries that are never members as adversaries that make zero WindO oracle queries. Unlike with key rotation schemes (Section 3), the pseudorandomness of future keys means that a content publisher can use the keys output by a secure key regression scheme to key other cryptographic objects like symmetric encryption schemes [7] and MACs [8]; as [1, 10] do for rekeying schemes and FSPRGs, [5] makes this reasoning formal for key regression schemes.

5 Our preferred constructions

We are now in a position to describe our three preferred key regression schemes, KR-SHA1, KR-AES and KR-RSA. Table 1 summarizes some of their main properties. KR-SHA1 is a derivative of the key rotation scheme in Figure 3 and KR-RSA is a derivative of the Plutus key rotation scheme in Figure 2. The primary differences between the new key regression schemes KR-SHA1 and KR-RSA and the original key rotation schemes are the addition of the new, SHA1-based keyder algorithms and the adjusting of terminology (e.g., member states in these key regression schemes correspond to keys in the original key rotation schemes). KR-AES is new but is based on one of Bellare and Yee's forward-secure pseudorandom bit generators (FSPRGs) [10].

5.1 The KR-SHA1 construction

Construction 5.1 details our KR-SHA1 construction. In the construction of KR-SHA1, we prepend the string $0^8$ to the input to SHA1 in keyder to ensure that the inputs to SHA1 never collide between the keyder and unwind algorithms; note that the $stm$ variable always denotes a 160-bit string.

Construction 5.1 [KR-SHA1.] The key regression scheme KR-SHA1 = (setup, wind, unwind, keyder) is defined as follows. $MW$ is a positive integer and a parameter of the construction.

Alg. setup
    stm_MW ←$ {0,1}^160
    For i = MW downto 2 do stm_{i-1} ← unwind(stm_i)
    stp ← ⟨1, stm_1, ..., stm_MW⟩
    Return stp

Alg. wind(stp)
    If stp = ⊥ then return (⊥, ⊥)
    Parse stp as ⟨i, stm_1, ..., stm_MW⟩
    If i > MW return (⊥, ⊥)
    stp' ← ⟨i + 1, stm_1, ..., stm_MW⟩
    Return (stp', stm_i)

Alg. unwind(stm)
    stm' ← SHA1(stm) ; Return stm'

Alg. keyder(stm)
    K ← SHA1(0^8 ‖ stm) ; Return K

The derived key space for the scheme KR-SHA1 is $D_K = \{0,1\}^{160}$.

In practice we assume that $MW$ might be some reasonable value like $2^{20}$. We give a proof of security for KR-SHA1 in Section 9. In our proof of security we view the application of SHA1(·) in unwind as one random oracle and the application of SHA1($0^8$‖·) in keyder as another random oracle. The proof of security for KR-SHA1 is thus in the random oracle model [9].


                    KR-SHA1         KR-AES          KR-RSA
MW = ∞              No              No              Yes
Random oracles      Yes             No              Yes
setup cost          MW SHA1 ops     MW AES ops      1 RSA key generation
wind cost           no crypto       no crypto       1 RSA decryption
unwind cost         1 SHA1 op       1 AES op        1 RSA encryption
keyder cost         1 SHA1 op       1 AES op        1 SHA1 op

Table 1. Our preferred constructions. There are ways of implementing these constructions with different wind costs. The "random oracles" line refers to whether our security proof is in the random oracle model or not.

5.2 The KR-AES construction

Our next preferred construction, KR-AES, uses the AES block cipher and is provably secure in the standard model, meaning without random oracles but assuming that AES is a secure pseudorandom permutation [8, 35].

Construction 5.2 [KR-AES.] The key regression scheme KR-AES = (setup, wind, unwind, keyder) is defined as follows. $MW$ is a positive integer and a parameter of the construction.

Alg. setup
    stm_MW ←$ {0,1}^128
    For i = MW downto 2 do stm_{i-1} ← unwind(stm_i)
    stp ← ⟨1, stm_1, ..., stm_MW⟩
    Return stp

Alg. wind(stp)
    If stp = ⊥ then return (⊥, ⊥)
    Parse stp as ⟨i, stm_1, ..., stm_MW⟩
    If i > MW return (⊥, ⊥)
    stp' ← ⟨i + 1, stm_1, ..., stm_MW⟩
    Return (stp', stm_i)

Alg. unwind(stm)
    stm' ← AES_stm(0^128) ; Return stm'

Alg. keyder(stm)
    K ← AES_stm(1^128) ; Return K

The derived key space for the scheme KR-AES is $D_K = \{0,1\}^{128}$.

As with KR-SHA1, we assume that $MW$ might be some reasonable value like $2^{20}$. We prove the security of KR-AES in stages. We first show how to build a secure key regression scheme from any forward-secure pseudorandom bit generator (FSPRG) [10]; we call our construction KR-FSPRG. We then recall one of Bellare and Yee's [10] methods (FSPRG-PRG) for building secure FSPRGs from standard pseudorandom bit generators (PRGs) [10, 11, 51]. Instantiating KR-FSPRG with FSPRG-PRG yields a secure PRG-based key regression scheme that we call KR-PRG. KR-AES is then an instantiation of KR-PRG with a PRG that, on input a 128-bit string $stm$, outputs AES$_{stm}(0^{128})$ ‖ AES$_{stm}(1^{128})$. Since the constructions KR-FSPRG and KR-PRG have multiple possible instantiations, we consider them to be of independent interest. Details are in Sections 6 through 8.

Remark. One can also view KR-SHA1 as an instantiation of KR-PRG with a PRG (in the random oracle model) that, on input a string $stm \in \{0,1\}^{160}$, outputs SHA1($stm$) ‖ SHA1($0^8$ ‖ $stm$). In Section 9 we prove KR-SHA1 directly, rather than by instantiating KR-PRG, in order to obtain tighter bounds.

5.3 The KR-RSA construction

Our final preferred construction, KR-RSA, derives from the key rotation scheme in Figure 2. KR-RSA differs from KR-SHA1 and KR-AES in that $MW = \infty$, meaning that a content provider can invoke the KR-RSA winding algorithm an unbounded number of times without violating the correctness properties of key regression schemes. This ability is particularly useful because it means that an implementor need not fix $MW$ to some finite value at implementation or configuration time. Nevertheless, our security proof in Section 10 suggests that in practice a content publisher should limit the number of times it invokes wind to some reasonable value. As another motivation for KR-RSA, we note that if $MW$ is large, then maintaining the publisher states for KR-SHA1 and KR-AES may require a non-trivial amount of space (if the publisher stores the entire vector $stp$) or time (if the publisher re-derives $stp$ during every wind operation).

Construction 5.3 [KR-RSA.] The key regression scheme KR-RSA = (setup, wind, unwind, keyder) is defined as follows. Let $K_{rsa}$ be an RSA key generator for some security parameter $k$ and let $m\colon \mathbb{Z}_{2^k} \to \{0,1\}^k$ denote the standard big-endian encoding of the integers in $\mathbb{Z}_{2^k}$ to $k$-bit strings.

Alg. setup
    (N, e, d) ←$ K_rsa ; S ←$ Z_N^* ; stp ← ⟨N, e, d, S⟩
    Return stp

Alg. wind(stp)
    Parse stp as ⟨N, e, d, S⟩ ; S' ← S^d mod N
    stp' ← ⟨N, e, d, S'⟩ ; stm ← ⟨N, e, S⟩
    Return (stp', stm)

Alg. unwind(stm)
    Parse stm as ⟨N, e, S⟩
    S' ← S^e mod N ; stm' ← ⟨N, e, S'⟩
    Return stm'

Alg. keyder(stm)
    Parse stm as ⟨N, e, S⟩ ; K ← SHA1(m(S))
    Return K

The derived key space for KR-RSA is $D_K = \{0,1\}^{160}$. In our experiments, we set $k = 1024$, and $K_{rsa}$ returns $e = 3$ as the RSA public exponent.

The proof of security for KR-RSA is in Section 10. The proof is in the random oracle model and assumes that the RSA key generator is one-way; we define one-wayness in Section 10.
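The following Python program is an added worked example of Construction 5.3; it is editorial code, not the authors' implementation. The interesting feature of KR-RSA is that the publisher moves forward with the private exponent (one RSA decryption per wind) while members move backward with the public exponent (one RSA encryption per unwind), and because $S^{de} \equiv S \pmod N$ the chain never runs out: there is no $MW$ vector to precompute. The RSA key generator here is a small Miller-Rabin based one written for the example so that it runs with the standard library alone; real deployments should take keys from a vetted library. The paper's parameters are $k = 1024$ and $e = 3$; check_chain uses a 512-bit modulus only to keep the example fast.

```python
"""KR-RSA (Construction 5.3) as an added example (editorial code, not the
authors' implementation).  Requires Python >= 3.8 for pow(e, -1, m)."""
import hashlib
import math
import secrets


def _probably_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; a composite passes with prob <= 4^-rounds."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, e: int) -> int:
    """Random prime with exactly `bits` bits and gcd(e, p - 1) = 1."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if math.gcd(e, p - 1) == 1 and _probably_prime(p):
            return p


def krsa(k: int = 1024, e: int = 3):
    """Toy RSA key generator K_rsa for a k-bit modulus: returns (N, e, d)."""
    p = _gen_prime(k // 2, e)
    q = _gen_prime(k - k // 2, e)
    while q == p:
        q = _gen_prime(k - k // 2, e)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def setup(k: int = 1024, e: int = 3) -> dict:
    """stp = <N, e, d, S> with S drawn from Z_N (in Z_N^* except with
    negligible probability, which is all the paper needs)."""
    n, e, d = krsa(k, e)
    return {"N": n, "e": e, "d": d, "S": 1 + secrets.randbelow(n - 1)}


def wind(stp):
    """Publisher: hand out <N, e, S>, then step forward with S' = S^d mod N.
    The private exponent d never leaves the publisher."""
    n, e, d, s = stp["N"], stp["e"], stp["d"], stp["S"]
    return {"N": n, "e": e, "d": d, "S": pow(s, d, n)}, (n, e, s)


def unwind(stm):
    """Member: S' = S^e mod N recovers the previous member state."""
    n, e, s = stm
    return n, e, pow(s, e, n)


def keyder(stm, k: int = 1024) -> bytes:
    """K = SHA1(m(S)) with m the big-endian k-bit encoding of S."""
    n, e, s = stm
    return hashlib.sha1(s.to_bytes(k // 8, "big")).digest()


def check_chain(length: int = 6, k: int = 512):
    """Wind `length` times and verify that each member state unwinds to its
    predecessor.  Returns (all_consistent, number_of_distinct_keys)."""
    stp = setup(k, 3)
    states = []
    for _ in range(length):
        stp, stm = wind(stp)
        states.append(stm)
    ok = all(unwind(states[i]) == states[i - 1] for i in range(1, length))
    return ok, len({keyder(s, k) for s in states})


if __name__ == "__main__":
    print(check_chain(6, 512))
```

The unwind step costs one public-exponent exponentiation, which with $e = 3$ is two modular multiplications; the wind step is a full private-exponent exponentiation, which is the price the publisher pays for not having to store an $MW$-length vector.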

5.4 Discussion

Alternate constructions. Besides KR-SHA1, KR-AES, and KR-RSA, there are numerous possible ways to build key regression schemes, some of which are simple variants of the more general constructions that we present in subsequent sections (KR-FSPRG, KR-PRG, KR-RO, and KR-RSA-RO). Using advanced tree-based schemes [4, 6, 36, 38], a publisher could give access to any contiguous sequence of keys using only a logarithmic number of nodes from a key tree. We do not consider key trees here because one of our primary design goals is to minimize the size of the member states that the content publisher must transmit to members. For instance, it is desirable to have constant-sized metadata in file systems.

On the use of SHA1. We completed the bulk of our research prior to Wang, Yin, and Yu [49] showing how to find collisions in SHA1 faster than brute force. The result of Wang, Yin, and Yu raises the question of whether one should continue to use SHA1 in real constructions, including KR-SHA1 and KR-RSA. This concern is well justified, particularly because other researchers [31, 33] have shown how to extend certain types of collision-finding attacks against hash functions to break cryptosystems that, at first glance, appear to depend only on a weaker property of the underlying hash function (like second-preimage resistance) and therefore initially appear to be immune to collision-finding attacks. Still, we currently suspect that our constructions will resist immediate extensions to collision-finding attacks against SHA1, particularly because the content publisher is the entity responsible for determining the inputs to SHA1 and, under our model, the content publisher would not wish to intentionally compromise the pseudorandomness of its keys. Alternatively, one could replace the use of SHA1 in our constructions with another hash function, perhaps a hash function that behaves like a random oracle assuming that the underlying compression function is a random oracle [15].

6 Key regression from FSPRGs

Toward proving the security of KR-AES, we first show how to construct a key regression scheme from a forward-secure pseudorandom bit generator (FSPRG) [10]. We call our construction KR-FSPRG; see Construction 6.1. Since there are multiple possible ways to instantiate KR-FSPRG, we believe that KR-FSPRG may be of independent interest. Moreover, our result in this section suggests that future work in forward-secure pseudorandom bit generators could have useful applications to key regression schemes.

6.1 Forward-secure pseudorandom generators

Bellare and Yee [10] define stateful pseudorandom bit generators and describe what it means for a stateful pseudorandom bit generator to be forward-secure. Intuitively a stateful PRG is forward-secure if even adversaries that are given the generator's current state cannot distinguish previous outputs from random.

Syntax. A stateful PRG consists of two algorithms: SBG = (seed, next). The randomized setup algorithm returns an initial state; we write this as $stg \xleftarrow{\$} \mathrm{seed}$. The deterministic next step algorithm takes a state as input and returns a new state and an output from $\mathrm{OutSp}_{SBG}$, or the pair $(\bot, \bot)$; we write this as $(stg', K) \leftarrow \mathrm{next}(stg)$. We require that the set $\mathrm{OutSp}_{SBG}$ is efficiently samplable. $\mathrm{MaxLen}_{SBG} \in \{1, 2, \ldots\} \cup \{\infty\}$ denotes the maximum number of output blocks that SBG is designed to produce from a correctness (not security) perspective.

Correctness. The correctness requirement for stateful PRGs is as follows: let $stg_0 \xleftarrow{\$} \mathrm{seed}$ and, for $i = 1, 2, \ldots$, let $(stg_i, K_i) \leftarrow \mathrm{next}(stg_{i-1})$. We require that for $i \le \mathrm{MaxLen}_{SBG}$, $(stg_i, K_i) \neq (\bot, \bot)$.

Security. Let SBG = (seed, next) be a stateful bit generator. Let A be an adversary. Consider the experiments $\mathbf{Exp}^{\mathrm{fsprg}\text{-}b}_{SBG,A}$, $b \in \{0, 1\}$, and the oracles NextO$_b$ below. The adversary runs in two stages: find and guess.

Experiment $\mathbf{Exp}^{\mathrm{fsprg}\text{-}b}_{SBG,A}$
    stg ←$ seed
    st ←$ A^{NextO_b}(find)
    b' ←$ A(guess, stg, st)
    Return b'

Oracle NextO_b
    (stg, K) ← next(stg)
    If b = 0 then K ←$ OutSp_SBG
    Return K

The FSPRG-advantage of A in breaking the security of SBG is defined as

$$\mathbf{Adv}^{\mathrm{fsprg}}_{SBG,A} = \Pr\left[\mathbf{Exp}^{\mathrm{fsprg}\text{-}1}_{SBG,A} = 1\right] - \Pr\left[\mathbf{Exp}^{\mathrm{fsprg}\text{-}0}_{SBG,A} = 1\right].$$

Under the concrete security approach, the scheme SBG is said to be FSPRG-secure if the FSPRG-advantage of all adversaries A using reasonable resources is "small."

6.2 An FSPRG-based key regression scheme

We define KR-FSPRG in Construction 6.1 below. At a high level, one can view KR-FSPRG's setup algorithm as running the FSPRG SBG backward, meaning setup runs seed and the output of seed becomes KR-FSPRG's $MW$-th member state. From the $MW$-th member state, setup invokes next to obtain the $(MW - 1)$-st member state; setup continues in this manner until deriving the 1-st member state. The setup algorithm then outputs a content publisher state $stp$ consisting of an index $i$, initially 1, and the $MW$ member states. The wind algorithm, on input a publisher state $stp$ with index $i \le MW$, outputs the $i$-th member state in the vector and outputs a revised publisher state $stp'$ with index $i + 1$. On input a member state $stm$, the unwind and keyder algorithms both invoke next on $stm$ to obtain a pair $(stm', K)$; unwind then outputs the revised member state $stm'$ whereas keyder outputs the key $K$.

Construction 6.1 [KR-FSPRG.] Given a stateful generator SBG = (seed, next), we can construct a key regression scheme KR-FSPRG = (setup, wind, unwind, keyder) as follows. $MW \le \mathrm{MaxLen}_{SBG}$ is a positive integer and a parameter of the construction.

Alg. setup
    stg_MW ←$ seed
    For i = MW downto 2 do (stg_{i-1}, K_{i-1}) ← next(stg_i)
    stp ← ⟨1, stg_1, ..., stg_MW⟩
    Return stp

Alg. wind(stp)
    If stp = ⊥ then return (⊥, ⊥)
    Parse stp as ⟨i, stg_1, ..., stg_MW⟩
    If i > MW return (⊥, ⊥)
    stp' ← ⟨i + 1, stg_1, ..., stg_MW⟩
    Return (stp', stg_i)

Alg. unwind(stm)
    (stm', K) ← next(stm) ; Return stm'

Alg. keyder(stm)
    (stm', K) ← next(stm) ; Return K

The derived key space for KR-FSPRG is $D_K = \mathrm{OutSp}_{SBG}$.

In order for setup and wind to be "efficient," we assume that $MW$ has some "reasonable" value like $2^{20}$; in the asymptotic setting we would require that $MW$ be polynomial in some security parameter.

Security. The theorem below states that if SBG is a secure forward-secure pseudorandom bit generator (i.e., is FSPRG-secure), then the resulting key regression scheme KR-FSPRG built from SBG via Construction 6.1 will be secure (i.e., KR-secure). Specifically, Theorem 6.2 says that given an adversary A against KR-FSPRG, one can construct an adversary B against SBG such that B uses reasonable resources (if A does and if $MW$ is small) and Equation (1) in the theorem statement holds; $q$ is the minimum of $MW$ and the maximum number of wind and key derivation oracle queries that A makes. These properties imply security for KR-FSPRG since, if SBG is FSPRG-secure and if A uses reasonable resources, then $\mathbf{Adv}^{\mathrm{fsprg}}_{SBG,B}$ and $q$ must both be small, which means that $\mathbf{Adv}^{\mathrm{kr}}_{KR,A}$, the advantage of A in attacking KR-FSPRG, must be small as well.

Theorem 6.2 If SBG is FSPRG-secure, then KR built from SBG via KR-FSPRG (Construction 6.1) is KR-secure. Concretely, given an adversary A attacking KR, we can construct an adversary B attacking SBG such that

$$\mathbf{Adv}^{\mathrm{kr}}_{KR,A} \le (q + 1) \cdot \mathbf{Adv}^{\mathrm{fsprg}}_{SBG,B} \qquad (1)$$

where $q$ is the minimum of $MW$ and the maximum number of wind and key derivation oracle queries that A makes. B makes up to $MW$ queries to its oracle and uses within a small constant factor of the other resources of A plus the time to run the setup algorithm.

Intuitively, Theorem 6.2 follows from the fact that KR-FSPRG runs SBG backward, which means that if an adversary A against KR-FSPRG in possession of the first $i$ member states can distinguish a key $K_l$, $l > i$, from random, then an adversary B against SBG in possession of the $(MW - i)$-th state output of next could distinguish the $(MW - l)$-th key output of next from random. The actual proof involves B guessing the number of WindO oracle queries that A will make. The full proof is in [24].


7 Key regression from standard PRGs

We proceed by showing how to build secure key regression schemes from standard (not forward-secure) pseudorandom bit generators; we call our PRG-based construction KR-PRG. Our approach capitalizes on a method from Bellare and Yee [10] for building FSPRGs from standard PRGs; we recall the Bellare-Yee method in Section 7.1. As with KR-FSPRG from Section 6, we believe that KR-PRG will be of independent interest.

7.1 FSPRGs from pseudorandom bit generators

Pseudorandom bit generators. A pseudorandom bit generator (PRG) [10, 11, 51] is a function $G\colon \{0,1\}^k \to \{0,1\}^{k+l}$ that takes as input a $k$-bit seed and returns a string that is longer than the seed by $l$ bits, $k, l \ge 1$. The standard security notion for a PRG is as follows. If A is an adversary, we let

$$\mathbf{Adv}^{\mathrm{prg}}_{G,A} = \Pr\left[K \xleftarrow{\$} \{0,1\}^k ;\ x \leftarrow G(K) : A(x) = 1\right] - \Pr\left[x \xleftarrow{\$} \{0,1\}^{k+l} : A(x) = 1\right]$$

denote the PRG-advantage of A in attacking G. Under the concrete security approach, G is said to be a "secure PRG" if the PRG-advantage of all adversaries A using reasonable resources is "small."

A PRG-based FSPRG. Bellare and Yee [10] show how to construct an FSPRG from a standard PRG. We dub their scheme FSPRG-PRG and recall it in Construction 7.1 below. The FSPRG-PRG seed algorithm selects a random $k$-bit initial seed. The next algorithm, on input a $k$-bit string $stg$, computes the $(k + l)$-bit string $G(stg)$ and outputs the first $k$ bits of $G(stg)$ as the next state and the remaining $l$ bits as the key.

Construction 7.1 [FSPRG-PRG, Construction 2.2 of [10].] Given a PRG $G\colon \{0,1\}^k \to \{0,1\}^{k+l}$ we can construct an FSPRG SBG = (seed, next) as shown below.

Alg. seed
    stg_0 ←$ {0,1}^k
    Return stg_0

Alg. next(stg_i)
    r ← G(stg_i)
    stg_{i+1} ← first k bits of r
    K ← last l bits of r
    Return (stg_{i+1}, K)

The output space of SBG is $\mathrm{OutSp}_{SBG} = \{0,1\}^l$ and $\mathrm{MaxLen}_{SBG} = \infty$.

The following lemma comes from Bellare and Yee [10] except that we treat $q$ as a parameter of the adversary and we allow the trivial case that $q = 0$. Lemma 7.2 states that if G is a secure PRG, then the stateful bit generator FSPRG-PRG built from G via Construction 7.1 will also be secure. Specifically, if G is a secure PRG, then $\mathbf{Adv}^{\mathrm{prg}}_{G,B}$ must be small for all adversaries B using reasonable resources. Further, if an adversary A against FSPRG-PRG uses reasonable resources, then the number of oracle queries $q$ that it makes must also be small and B must also use reasonable resources. These properties, coupled with Equation (2), mean that the advantage of all adversaries A against FSPRG-PRG that use reasonable resources must be small; i.e., FSPRG-PRG must be FSPRG-secure.

Lemma 7.2 [Theorem 2.3 of [10].] Let $G\colon \{0,1\}^k \to \{0,1\}^{k+l}$ be a PRG, and let SBG be the FSPRG built using G according to Construction 7.1. Given an adversary A attacking SBG that makes at most $q$ queries to its oracle, we can construct an adversary B such that

$$\mathbf{Adv}^{\mathrm{fsprg}}_{SBG,A} \le 2q \cdot \mathbf{Adv}^{\mathrm{prg}}_{G,B} \qquad (2)$$

where B uses within a small constant factor of the resources of A and computes G up to $q$ times.

7.2 A PRG-based key regression scheme

Combining KR-FSPRG and FSPRG-PRG in the natural way yields a key regression scheme that we call KR-PRG. For concreteness we describe KR-PRG in detail below.

Construction 7.3 [KR-PRG.] Let $G\colon \{0,1\}^k \to \{0,1\}^{k+l}$ be a pseudorandom bit generator. We can construct a key regression scheme KR-PRG = (setup, wind, unwind, keyder) from G as follows. $MW$ is a positive integer and a parameter of the construction.

Alg. setup
    stm_MW ←$ {0,1}^k
    For i = MW downto 2 do stm_{i-1} ← unwind(stm_i)
    stp ← ⟨1, stm_1, ..., stm_MW⟩
    Return stp

Alg. wind(stp)
    If stp = ⊥ then return (⊥, ⊥)
    Parse stp as ⟨i, stm_1, ..., stm_MW⟩
    If i > MW return (⊥, ⊥)
    stp' ← ⟨i + 1, stm_1, ..., stm_MW⟩
    Return (stp', stm_i)

Alg. unwind(stm)
    x ← G(stm) ; stm' ← first k bits of x
    Return stm'

Alg. keyder(stm)
    x ← G(stm) ; K ← last l bits of x
    Return K

The derived key space for KR-PRG is $D_K = \{0,1\}^l$.

In order for setup and wind to be "efficient," we assume that $MW$ has some "reasonable" value like $2^{20}$; in the asymptotic setting we would require that $MW$ be polynomial in some security parameter.
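The following Python program is an added worked example of the layering in Constructions 6.1, 7.1 and 7.3; it is editorial code, not the authors' implementation. It builds an FSPRG from a PRG G exactly as FSPRG-PRG does (first $k$ bits become the next state, last $l$ bits the output), builds KR-FSPRG on top of any such generator by running it backward in setup, and obtains KR-PRG as the composition. Two PRGs are plugged in: g_sha1, which is the PRG the paper names for KR-SHA1 (Sections 5.2 and 9), so that matches_direct_kr_sha1 checks the remark that KR-SHA1 is an instantiation of KR-PRG; and g_sha256 with $k = l = 256$, which the paper does not define and is included only to show that the construction is generic (its domain-separation bytes are this example's choice). The names FSPRG_PRG, KR_FSPRG, kr_prg and chain_consistent are the example's own.

```python
"""KR-FSPRG over FSPRG-PRG (= KR-PRG), as an added example.  Editorial code,
not the authors' implementation."""
import hashlib
import secrets
from typing import Callable, Tuple

PRG = Callable[[bytes], bytes]      # G: {0,1}^k -> {0,1}^{k+l}, as byte strings


def g_sha1(x: bytes) -> bytes:
    """The PRG behind KR-SHA1 (k = l = 160): SHA1(X) || SHA1(0^8 || X)."""
    return hashlib.sha1(x).digest() + hashlib.sha1(b"\x00" + x).digest()


def g_sha256(x: bytes) -> bytes:
    """Assumed alternative PRG with k = l = 256 (not from the paper); the
    prefix bytes separate the two SHA-256 inputs the same way 0^8 does above."""
    return hashlib.sha256(b"\x00" + x).digest() + hashlib.sha256(b"\x01" + x).digest()


class FSPRG_PRG:
    """Construction 7.1: seed draws a k-bit state; next splits G(stg) into the
    next state (first k bits) and the output block (last l bits)."""

    def __init__(self, G: PRG, k_bytes: int, l_bytes: int):
        self.G, self.k, self.l = G, k_bytes, l_bytes

    def seed(self) -> bytes:
        return secrets.token_bytes(self.k)

    def next(self, stg: bytes) -> Tuple[bytes, bytes]:
        r = self.G(stg)
        assert len(r) == self.k + self.l, "G must stretch k bits to k + l bits"
        return r[: self.k], r[self.k:]


class KR_FSPRG:
    """Construction 6.1: setup runs the SBG backward from stg_MW, so that
    unwind is next's state output and keyder is next's key output."""

    def __init__(self, sbg: FSPRG_PRG, mw: int):
        self.sbg, self.mw = sbg, mw

    def setup(self) -> dict:
        stg = [None] * (self.mw + 1)    # 1-indexed; stg[0] unused
        stg[self.mw] = self.sbg.seed()
        for i in range(self.mw, 1, -1):
            stg[i - 1], _ = self.sbg.next(stg[i])
        return {"i": 1, "stg": stg}

    def wind(self, stp):
        if stp is None or stp["i"] > self.mw:
            return None, None           # (bot, bot) after MW winds
        i = stp["i"]
        return {"i": i + 1, "stg": stp["stg"]}, stp["stg"][i]

    def unwind(self, stm: bytes) -> bytes:
        return self.sbg.next(stm)[0]

    def keyder(self, stm: bytes) -> bytes:
        return self.sbg.next(stm)[1]


def kr_prg(G: PRG, k_bytes: int, l_bytes: int, mw: int) -> KR_FSPRG:
    """Construction 7.3 is Construction 6.1 applied to Construction 7.1."""
    return KR_FSPRG(FSPRG_PRG(G, k_bytes, l_bytes), mw)


def chain_consistent(kr: KR_FSPRG) -> bool:
    """Correctness criteria of Section 4.1: MW non-error member states, the
    (MW+1)-st wind fails, and unwind(stm_i) = stm_{i-1} for all i >= 2."""
    stp = kr.setup()
    stms = []
    for _ in range(kr.mw):
        stp, stm = kr.wind(stp)
        if stm is None:
            return False
        stms.append(stm)
    return (kr.wind(stp) == (None, None)
            and all(kr.unwind(stms[i]) == stms[i - 1] for i in range(1, kr.mw)))


def matches_direct_kr_sha1(mw: int = 16) -> bool:
    """KR-PRG with G = g_sha1 must agree with KR-SHA1's own unwind and keyder,
    SHA1(.) and SHA1(0^8 || .), on every member state it hands out."""
    kr = kr_prg(g_sha1, 20, 20, mw)
    stp = kr.setup()
    for _ in range(mw):
        stp, stm = kr.wind(stp)
        if kr.unwind(stm) != hashlib.sha1(stm).digest():
            return False
        if kr.keyder(stm) != hashlib.sha1(b"\x00" + stm).digest():
            return False
    return True


if __name__ == "__main__":
    print(matches_direct_kr_sha1(), chain_consistent(kr_prg(g_sha256, 32, 32, 64)))
```

Because the KR layer only ever calls next, swapping the generator (a different hash, a block-cipher-based G as in KR-AES, or any FSPRG that is not of the FSPRG-PRG form) changes nothing above FSPRG_PRG; that is the sense in which the paper calls KR-FSPRG and KR-PRG of independent interest.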

Security. The theorem below states that if G is a secure PRG, then the resulting key regression scheme KR-PRG built from G via Construction 7.3 will be KR-secure. Specifically, Theorem 7.4 says that given an adversary A against KR-PRG that uses reasonable resources, and assuming that $MW$ is small, one can construct an adversary B against G such that B uses reasonable resources and Equation (3) in the theorem statement holds; $q$ is the minimum of $MW$ and the maximum number of wind and key derivation oracle queries that A makes. These properties imply security for KR-PRG since, if G is PRG-secure and since A uses reasonable resources, $\mathbf{Adv}^{\mathrm{prg}}_{G,B}$ and $q$ must both be small, which means that $\mathbf{Adv}^{\mathrm{kr}}_{KR,A}$, the advantage of A in attacking KR-PRG, must be small as well.

Theorem 7.4 If $G\colon \{0,1\}^k \to \{0,1\}^{k+l}$ is a secure PRG, then the key regression scheme KR built from G via KR-PRG (Construction 7.3) is KR-secure. Concretely, given an adversary A attacking KR, we can construct an adversary B attacking G such that

$$\mathbf{Adv}^{\mathrm{kr}}_{KR,A} \le 2 \cdot (q + 1)^2 \cdot \mathbf{Adv}^{\mathrm{prg}}_{G,B} \qquad (3)$$

where $q$ is the minimum of $MW$ and the maximum number of queries A makes to its WindO and KeyderO oracles. Adversary B uses within a small constant factor of the resources of A, plus the time to compute setup and G $MW$ times.

Proof of Theorem 7.4: Construction 7.3 is exactly Construction 6.1 built from the forward-secure pseudorandom bit generator defined by Construction 7.1. The theorem statement therefore follows from Theorem 6.2 and Lemma 7.2.

8 The security of KR-AES

Having shown how to construct secure key regression schemes from secure pseudorandom bit generators (KR-PRG and Construction 7.3), we are now able to prove the security of KR-AES (Construction 5.2) by observing that KR-AES is exactly KR-PRG with $k = l = 128$ and with the PRG G defined as $G(X) = \mathrm{AES}_X(0^{128}) \,\|\, \mathrm{AES}_X(1^{128})$ for all $X \in \{0,1\}^{128}$. Before stating our formal result for KR-AES, we first recall the standard notion of a pseudorandom permutation [8, 35].

Pseudorandom permutations. Let $E\colon \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^l$ be a block cipher and let $\mathrm{Perm}(l)$ denote the set of all permutations on $\{0,1\}^l$. If A is an adversary with access to an oracle, we let

$$\mathbf{Adv}^{\mathrm{prp}}_{E,A} = \Pr\left[K \xleftarrow{\$} \{0,1\}^k : A^{E_K(\cdot)} = 1\right] - \Pr\left[g \xleftarrow{\$} \mathrm{Perm}(l) : A^{g(\cdot)} = 1\right]$$

denote the PRP-advantage of A in attacking E. Under the concrete security approach, E is said to be a "secure PRP" if the PRP-advantage of all adversaries A using reasonable resources is "small."

Instantiating KR-AES from KR-PRG. As noted above, it is straightforward to instantiate KR-AES from KR-PRG. Numerous other instantiations exist, e.g., to use a block cipher E with $k > l$, one might define G as $G(X) = E_X(\alpha_1) \,\|\, E_X(\alpha_2) \,\|\, \ldots$ where $\alpha_1, \alpha_2, \ldots$ are distinct $l$-bit strings. Since KR-AES is one of our preferred constructions, we state the following theorem specifically for KR-AES; it is straightforward to extend our result to other natural instantiations of KR-PRG. The security proof for KR-AES is in the standard model and assumes that AES is a secure pseudorandom permutation.

Theorem 8.1 If AES is a secure PRP, then KR-AES (Construction 5.2) is KR-secure. Concretely, given an adversary A attacking KR-AES, we can construct an adversary B attacking AES such that

$$\mathbf{Adv}^{\mathrm{kr}}_{KR,A} \le 2 \cdot (q + 1)^2 \cdot \left(\mathbf{Adv}^{\mathrm{prp}}_{AES,B} + 2^{-128}\right) \qquad (4)$$

where $q$ is the minimum of $MW$ and the maximum number of queries A makes to its WindO and KeyderO oracles. Adversary B makes 2 oracle queries and uses within a small constant factor of the resources of A, plus the time to compute setup and AES $2MW$ times.

We interpret Theorem 8.1 as follows. Suppose A is an adversary against KR-AES that uses reasonable resources, and in particular makes at most a reasonable number of queries $q$ to its wind and key derivation oracles. Then we can construct an adversary B against AES that also uses reasonable resources when $MW$ is small. Because of the resource restrictions on B and under the assumption that AES is a secure PRP, it follows that $\mathbf{Adv}^{\mathrm{prp}}_{AES,B}$ must be small. If both $q$ and $\mathbf{Adv}^{\mathrm{prp}}_{AES,B}$ are small, then by Equation (4) $\mathbf{Adv}^{\mathrm{kr}}_{KR,A}$ must also be small, meaning that KR-AES must be KR-secure.

As a concrete example of the bound in Theorem 8.1, consider the case where $MW$ and $q$ are both $2^{20}$. Then Equation (4) becomes

$$\mathbf{Adv}^{\mathrm{kr}}_{KR,A} \le 2^{42} \cdot \mathbf{Adv}^{\mathrm{prp}}_{AES,B} + 2^{-86},$$

which means that unless A exploits a property of AES itself, A will not be able to break the security of KR-AES with probability better than $2^{-86}$. Since it is widely believed that AES is secure, Theorem 8.1 tells us that it is reasonable to assume that KR-AES is secure for reasonable choices of $MW$.

To prove Theorem 8.1 we use Theorem 7.4, the relationship between KR-AES and KR-PRG, and the fact that the function G defined as $G(X) = \mathrm{AES}_X(0^{128}) \,\|\, \mathrm{AES}_X(1^{128})$, $X \in \{0,1\}^{128}$, is a secure PRG if AES is a secure PRP. Details are in [24].

9 The security of KR-SHA1

Although we derived KR-SHA1 from the key rotation scheme in Figure 3, we find that one can also view KR-SHA1 as an instantiation of KR-PRG with $k = l = 160$ and G defined as $G(X) = \mathrm{SHA1}(X) \,\|\, \mathrm{SHA1}(0^8 \,\|\, X)$ for all $X \in \{0,1\}^{160}$. If we view SHA1 as a random oracle, then G is a secure PRG in the random oracle model, and we can use this observation and Theorem 7.4 to prove the security of KR-SHA1 in the random oracle model.

Here we give a direct proof of security for KR-SHA1 in order to obtain a tighter bound. The tightness issue with using KR-PRG and Theorem 7.4 to prove the security of KR-SHA1 rests in the fact that the advantage of an adversary in attacking G in the random oracle model must be upper bounded by a function of the number of random oracle queries that the adversary makes, and this function will percolate through the bound in Theorem 7.4.

In what follows we view SHA1(·) in KR-SHA1's unwind algorithm and SHA1($0^8$‖·) in KR-SHA1's keyder algorithm as two different random oracles. Construction 9.1, KR-RO, makes this generalization of KR-SHA1 concrete. We choose not to model SHA1(·) and SHA1($0^8$‖·) as a single random oracle because we do not wish to restrict our analysis to the case where keyder must prefix its inputs to the random oracle with the zero byte.

Construction 9.1 [KR-RO.] Let $H_1\colon \{0,1\}^k \to \{0,1\}^k$ and $H_2\colon \{0,1\}^k \to \{0,1\}^l$ be random oracles. We can construct a key regression scheme KR-RO = (setup, wind, unwind, keyder) from $H_1$ and $H_2$ as shown below. $MW$ is a positive integer and a parameter of the construction.

Alg. setup^{H_1, H_2}
    stm_MW ←$ {0,1}^k
    For i = MW downto 2 do stm_{i-1} ← unwind^{H_1, H_2}(stm_i)
    stp ← ⟨1, stm_1, ..., stm_MW⟩
    Return stp

Alg. wind^{H_1, H_2}(stp)
    If stp = ⊥ then return (⊥, ⊥)
    Parse stp as ⟨i, stm_1, ..., stm_MW⟩
    If i > MW return (⊥, ⊥)
    stp' ← ⟨i + 1, stm_1, ..., stm_MW⟩
    Return (stp', stm_i)

Alg. unwind^{H_1, H_2}(stm)
    stm' ← H_1(stm) ; Return stm'

Alg. keyder^{H_1, H_2}(stm)
    K ← H_2(stm) ; Return K

The derived key space for KR-RO is $D_K = \{0,1\}^l$.

In order for setup and wind to be "efficient," we assume that $MW$ has some "reasonable" value like $2^{20}$; in the asymptotic setting we would require that $MW$ be polynomial in some security parameter.

The following theorem states that Construction 9.1 is secure in the random oracle model for adversaries that make a reasonable number of queries to their random oracles.

Theorem 9.2 The key regression scheme in Construction 9.1 is secure in the random oracle model. Formally, let $H_1\colon \{0,1\}^k \to \{0,1\}^k$ and $H_2\colon \{0,1\}^k \to \{0,1\}^l$ be random oracles and let KR be the key regression scheme built from $H_1, H_2$ via KR-RO (Construction 9.1). Then for any adversary A we have that

$$\mathbf{Adv}^{\mathrm{kr}}_{KR,A} \le \frac{MW^2}{2^{k+1}} + \frac{q \cdot MW}{2^k - MW - q}, \qquad (5)$$

where $q$ is the maximum number of queries total that A makes to its $H_1$ and $H_2$ random oracles.

As a concrete example of the bound in Theorem 9.2, consider the case where $MW = 2^{20}$ and an adversary A makes at most $q = 2^{40}$ queries to its random oracles. Then Equation (5) tells us that the advantage of A in attacking KR-RO is upper bounded by $2^{-98}$. Although SHA1 is not a random oracle, Theorem 9.2 gives us confidence that KR-SHA1 may provide a reasonable level of security in practice; see Section 5 for additional discussion.

We prove Theorem 9.2 in [24], but remark that wecould simplify the proof if, instead of definingKR-RO

as in Construction 9.1, we include the indicesi in themember states, and hence in the inputs toH1 andH2.We choose to omit the indicesi from the member statesin KR-RO because we viewKR-RO andKR-SHA1 ascloser to what developers might wish to implement inpractice.

We remark that in addition to viewing KR-SHA1 as an instantiation of KR-PRG, one could view KR-AES as an instantiation of KR-RO with $k = l = 128$ and, for all $X \in \{0,1\}^{128}$, with $H_1(X)$ defined as $\mathrm{AES}_X(0^{128})$ and $H_2(X)$ defined as $\mathrm{AES}_X(1^{128})$; Diffie and Hellman suggest using a block cipher as a hash function in this manner in [16]. We choose to prove the security of KR-AES directly in Section 8, rather than instantiate KR-RO, because we desire a proof of security for KR-AES in the standard model.

10 The security of KR-RSA

In our proof of security for KR-RSA we view the use of SHA1 in keyder as a random oracle. Construction 10.1, KR-RSA-RO, makes this generalization concrete.

Construction 10.1 [KR-RSA-RO.] Given an RSA key generator $\mathcal{K}_{\mathrm{rsa}}$ for some security parameter $k$ and a random oracle $H\colon \mathbb{Z}_{2^k} \to \{0,1\}^l$, we can construct a key regression scheme KR-RSA-RO = (setup, wind, unwind, keyder) as shown below, where MW $= \infty$.

Alg. setup^H
    (N, e, d) ←$ Krsa ; S ←$ Z*_N ; stp ← 〈N, e, d, S〉
    Return stp

Alg. wind^H(stp)
    Parse stp as 〈N, e, d, S〉 ; S′ ← S^d mod N
    stp′ ← 〈N, e, d, S′〉 ; stm ← 〈N, e, S〉
    Return (stp′, stm)

Alg. unwind^H(stm)
    Parse stm as 〈N, e, S〉
    S′ ← S^e mod N ; stm′ ← 〈N, e, S′〉
    Return stm′

Alg. keyder^H(stm)
    Parse stm as 〈N, e, S〉 ; K ← H(S)
    Return K

The derived key space for the scheme KR-RSA-RO is $\mathcal{DK} = \{0,1\}^l$.
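Construction 10.1 as an added Python example; this is not the paper's code. The RSA key generator here is a toy (Miller-Rabin primes, $e = 3$, a demonstration-sized modulus), the random oracle $H$ is SHA-256 over the fixed-width encoding of $S$ truncated to $l = 128$ bits instead of the paper's SHA1, and `rsa_keygen` and `keys_from_state` are names of this example rather than of the paper. Members are handed $\langle N, e, S\rangle$ and never $d$, which is what stops an evicted member from winding forward.

```python
import hashlib
import math
import random

# Added example (not the paper's code): the KR-RSA-RO construction of Section 10.
# Assumptions: a toy RSA key generator (Miller-Rabin primes, e = 3) and H = SHA-256
# over the fixed-width encoding of S, truncated to l = 128 bits.
L_BYTES = 16


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test with `rounds` random bases."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, e, rng):
    """Random prime of exactly `bits` bits with gcd(e, p - 1) == 1 so that d exists."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if math.gcd(e, p - 1) == 1 and _is_probable_prime(p, rng):
            return p


def rsa_keygen(bits, e, rng):
    """Toy K_rsa: returns (N, e, d) with N of about `bits` bits."""
    p = _gen_prime(bits // 2, e, rng)
    q = _gen_prime(bits // 2, e, rng)
    while q == p:
        q = _gen_prime(bits // 2, e, rng)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def setup(bits=512, e=3, seed=None):
    """Publisher state <N, e, d, S>. `seed` fixes the RNG for reproducible runs;
    a deployment must use a CSPRNG (random.SystemRandom) instead."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    N, e, d = rsa_keygen(bits, e, rng)
    S = rng.randrange(2, N - 1)
    while math.gcd(S, N) != 1:        # S must lie in Z_N^* so x -> x^e is a bijection
        S = rng.randrange(2, N - 1)
    return (N, e, d, S)


def wind(stp):
    """Publisher: release stm_i = <N, e, S_i> and keep S_{i+1} = S_i^d mod N.
    The member state deliberately omits d, so members cannot wind forward."""
    N, e, d, S = stp
    return (N, e, d, pow(S, d, N)), (N, e, S)


def unwind(stm):
    """Member: <N, e, S_{i+1}> -> <N, e, S_i> using only the public exponent."""
    N, e, S = stm
    return (N, e, pow(S, e, N))


def keyder(stm):
    """Member: K_i = H(S_i), with S_i encoded as fixed-width big-endian bytes."""
    N, e, S = stm
    width = (N.bit_length() + 7) // 8
    return hashlib.sha256(S.to_bytes(width, "big")).digest()[:L_BYTES]


def keys_from_state(stm, version):
    """Member holding stm_version derives K_1..K_version by unwinding (lazy revocation)."""
    keys = {}
    for v in range(version, 0, -1):
        keys[v] = keyder(stm)
        stm = unwind(stm)
    return keys


if __name__ == "__main__":
    stp = setup(bits=512, seed=2005)
    released = []
    for _ in range(5):
        stp, stm = wind(stp)
        released.append(stm)
    assert keys_from_state(released[-1], 5) == {v: keyder(released[v - 1]) for v in range(1, 6)}
    print("ok: unwinding with e recovers every earlier state; winding needs d")
```

The asymmetry in Table 2 (158 winds/sec against 35 236 unwinds/sec for KR-RSA) is visible in the code: wind is a full private-exponent exponentiation on the publisher, while unwind with $e = 3$ costs the member two modular multiplications. The gcd check in setup keeps $S$ in $\mathbb{Z}_N^*$, where the RSA map is a permutation, so every unwind lands exactly on the previous state.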

Toward proving KR-RSA secure, we first prove in Section 10.1 that KR-RSA-RO is KR-secure against adversaries that use reasonable resources and that make at most one KeyderO oracle query; the result in Section 10.1 assumes that the RSA key generator $\mathcal{K}_{\mathrm{rsa}}$ in KR-RSA-RO is one-way. We then show in Section 10.2 that if a key regression scheme is secure against adversaries restricted to one KeyderO oracle query, then the key regression scheme is secure against adversaries making multiple KeyderO oracle queries. In Section 10.3 we combine these two results to show that KR-RSA-RO is secure against adversaries that use reasonable resources but make an otherwise unrestricted number of KeyderO oracle queries.

Before proceeding with Section 10.1, we first define what it means for an RSA key generator to be one-way.

Security for RSA key generators. Let $\mathcal{K}_{\mathrm{rsa}}$ be an RSA key generator with security parameter $k$. If $A$ is an adversary, we let

$$\mathbf{Adv}^{\mathrm{rsa\text{-}ow}}_{\mathcal{K}_{\mathrm{rsa}},A} = \Pr\Big[\,(N,e,d) \xleftarrow{\$} \mathcal{K}_{\mathrm{rsa}}\,;\ x \xleftarrow{\$} \mathbb{Z}_N^{*}\,;\ y \leftarrow x^{e} \bmod N \;:\; A(y,e,N) = x\,\Big]$$

denote the RSA one-way advantage of $A$ in inverting RSA with the key generator $\mathcal{K}_{\mathrm{rsa}}$. Under the concrete security approach, $\mathcal{K}_{\mathrm{rsa}}$ is said to be “one-way” if the RSA one-way advantage of all adversaries $A$ using reasonable resources is “small.”

10.1 Security of KR-RSA under one KeyderO oracle query

Lemma 10.2 below states that if the RSA key generator $\mathcal{K}_{\mathrm{rsa}}$ is one-way, then the resulting construction KR-RSA-RO is secure against adversaries that use reasonable resources and that make at most one KeyderO oracle query.

Lemma 10.2 If $\mathcal{K}_{\mathrm{rsa}}$ is an RSA key generator with security parameter $k$, then the key regression scheme $\mathcal{KR}$ built from $\mathcal{K}_{\mathrm{rsa}}$ via KR-RSA-RO (Construction 10.1) is KR-secure in the random oracle model against adversaries restricted to one KeyderO oracle query assuming that $\mathcal{K}_{\mathrm{rsa}}$ is one-way. Concretely, given an adversary $A$ attacking $\mathcal{KR}$ that makes at most one key derivation oracle query, we can construct an adversary $B$ attacking $\mathcal{K}_{\mathrm{rsa}}$ such that

$$\mathbf{Adv}^{\mathrm{kr}}_{\mathcal{KR},A} \le (q+1) \cdot \mathbf{Adv}^{\mathrm{rsa\text{-}ow}}_{\mathcal{K}_{\mathrm{rsa}},B}, \qquad (6)$$

where $q$ is the maximum number of winding oracle queries that $A$ makes. Adversary $B$ uses within a small constant factor of the resources of $A$ plus performs up to $q$ RSA encryption operations.

To prove Lemma 10.2 we observe that in order for an adversary $A$ in possession of the $i$-th member state $\langle N, e, S_i\rangle$ to distinguish the $(i+1)$-st key from random, the adversary must query its random oracle with $S_{i+1}$, where $\langle N, e, S_{i+1}\rangle$ is the $(i+1)$-st member state. Since $S_i = S_{i+1}^{\,e} \bmod N$, querying the random oracle with $S_{i+1}$ amounts to inverting $S_i$. The actual proof of Lemma 10.2 involves $B$ guessing the number of WindO oracle queries that $A$ makes. Details in [24].

10.2 Security under one KeyderO oracle query implies security under many

The following lemma states that if a key regression scheme is secure against adversaries restricted to one KeyderO oracle query, then the key regression scheme is secure against adversaries allowed multiple KeyderO oracle queries. The proof of Lemma 10.3 is in [24].

Lemma 10.3 If a key regression scheme is secure when an adversary is limited to one KeyderO oracle query, then the key regression scheme is secure when an adversary is allowed multiple KeyderO oracle queries. Concretely, let $\mathcal{KR}$ be a key regression scheme. Given an adversary $A$ attacking $\mathcal{KR}$ that makes at most $q_1$ queries to WindO and $q_2$ queries to KeyderO, we can construct an adversary $B$ attacking $\mathcal{KR}$ such that

$$\mathbf{Adv}^{\mathrm{kr}}_{\mathcal{KR},A} \le q_2 \cdot \mathbf{Adv}^{\mathrm{kr}}_{\mathcal{KR},B}, \qquad (7)$$

$B$ makes at most $q_1 + q_2 - 1$ queries to WindO (or 0 queries if $q_1 + q_2 = 0$), $B$ makes at most one query to KeyderO, and $B$ has other resource requirements within a small constant factor of the resource requirements of $A$.

10.3 The security of KR-RSA under multiple KeyderO oracle queries

From Lemma 10.2 and Lemma 10.3 it follows that KR-RSA-RO is secure in the random oracle model assuming that $\mathcal{K}_{\mathrm{rsa}}$ is one-way, even for adversaries allowed multiple KeyderO oracle queries. Theorem 10.4 makes this reasoning formal. Although SHA1 is not a random oracle, Theorem 10.4 suggests that when instantiated with a suitable RSA key generator, KR-RSA may provide a reasonable level of security in practice; see Section 5 for additional discussion.

Theorem 10.4 If $\mathcal{K}_{\mathrm{rsa}}$ is an RSA key generator with security parameter $k$, then $\mathcal{KR}$ built from $\mathcal{K}_{\mathrm{rsa}}$ via KR-RSA-RO (Construction 10.1) is KR-secure in the random oracle model under the RSA assumption. Concretely, given an adversary $A$ attacking $\mathcal{KR}$, we can construct an adversary $B$ attacking $\mathcal{K}_{\mathrm{rsa}}$ such that

$$\mathbf{Adv}^{\mathrm{kr}}_{\mathcal{KR},A} \le 2q^2 \cdot \mathbf{Adv}^{\mathrm{rsa\text{-}ow}}_{\mathcal{K}_{\mathrm{rsa}},B},$$

where $q$ is the maximum number of winding and key derivation oracle queries that $A$ makes. Adversary $B$ uses resources within a constant factor of the resources of $A$ plus the time to perform $q$ RSA encryption operations.

Proof of Theorem 10.4: The proof of Theorem 10.4 follows from Lemma 10.3 and Lemma 10.2. Note that for the application of Lemma 10.3 we set $q_1 = q$ and $q_2 = q$, meaning the adversary $B$ from Lemma 10.3 may make up to $2q - 1$ queries to its WindO oracle (or 0 queries if $q = 0$). Applying Lemma 10.2 to that $B$ contributes the factor $(2q - 1) + 1 = 2q$, and multiplying it by the factor $q_2 = q$ from Equation (7) gives the bound $2q^2$.

11 Performance of key regression in access-controlled content distribution

We integrated key regression into the Chefs file system [22] to measure the performance characteristics of key regression in a real application. We first give an overview of Chefs. Then we provide measurements to show that key regression enables efficient key distribution even for publishers with low-bandwidth and high-latency connections such as cable and analog modems.

Chefs for access-controlled content distribution. Chefs [22] is a secure, single-writer, many-reader file system for access-controlled content distribution using untrusted servers. Chefs extends the SFS read-only file system [23] to provide access control. Chefs uses lazy revocation [21, 32] and KR-SHA1 key regression to reduce the amount of out-of-band communication necessary for group key distribution.

Three modules comprise the Chefs file system. An untrusted server makes encrypted, integrity-protected content available in the form of a block store. A publisher creates the encrypted, integrity-protected content and manages key distribution. A client downloads content from an untrusted server, then verifies integrity and decrypts the content using keys fetched from the publisher. Our publisher, e.g., a blogger, is expected to have a low-bandwidth connection.

Several types of keys guard the access control and confidentiality of content in Chefs. Chefs uses a content key to encrypt content. A member obtains a content key by opening a lockbox that is encrypted with the group key; the member derives the group key from the group member state. After a membership event, e.g., an eviction, the publisher produces a new key regression member state. The remaining group members request this member state on-demand from the publisher; to communicate the new member state, the publisher encrypts the member state with each member’s 1 024-bit public RSA key using the low exponent $e = 3$.

11.1 Hypothesis and methodology

Performance measurements validate that (1) key regression allows a publisher to serve many keys per second to clients effectively independent of the publisher’s network throughput and the rate of membership turnover, and (2) key regression does not degrade client latency. To test these hypotheses, we compare the performance of Chefs to Sous-Chefs, a version of Chefs without key regression.

Experimental setup. The client and server contained the same hardware: a 2.8 GHz Intel Pentium 4 with 512 MB RAM. Each machine used a 100 Mbit/sec full-duplex Intel PRO/1000 Ethernet card and a Maxtor 250 GB, Serial ATA 7 200 RPM hard drive with an 8 MB buffer size, 150 MB/sec transfer rate, and less than 9.0 msec average seek time. The publisher was a 3.06 GHz Intel Xeon with 2 GB RAM, a Broadcom BCM5704C Dual Gigabit Ethernet card, and a Hitachi 320 GB SCSI-3 hard drive with a 320 MB/sec transfer rate.

The machines were connected on a 100 Mbit/sec local area network and all used FreeBSD 4.9. NetPipe [46] measured the round-trip latency between the pairs of machines at 249 µsec, and the maximum sustained TCP throughput of the connection at 88 Mbit/sec when writing data in 4 MB chunks and using TCP send and receive buffers of size 69 632 KB. When writing in 8 KB chunks (the block size in Chefs), the peak TCP throughput was 66 Mbit/sec.

The experiments used the dummynet [44] driver in FreeBSD to simulate cable modem and analog modem network conditions. For the cable modem on the publisher machine, the round-trip delay was set to 20 msec and the download and upload bandwidth to 4 Mbit/sec and 384 Kbit/sec respectively. For the analog modem, the round-trip delay was set to 200 msec and the upload and download bandwidth each to 56 Kbit/sec.

In the Chefs measurements, the inode cache has 16 384 entries, a directory block cache has 512 entries, an indirect block cache has 512 entries, and a file block cache has 64 entries. A large file block cache is unnecessary because the NFS loopback server performs most of the file data caching.

For each measurement, the median result of five samples is reported. Error bars in Figure 5 indicate minimum and maximum measurements.

11.2 Secure content distribution on untrusted storage

A standard benchmark is not available for measuring the effects of group membership dynamics. Therefore, we evaluate Chefs based on how a client might search for content in a subscription-based newspaper.

Table 2 displays the performance of basic key regression operations. The internal block size of the hash function matters significantly for the throughput of KR-SHA1 key regression. Because SHA1 uses an internal 512-bit block size, hashing values smaller than 512 bits results in poorer throughput than one would expect from SHA1 hashing longer inputs. For this reason, KR-AES key regression performs significantly better than KR-SHA1 key regression.

Searching encrypted content. The benchmarks were inspired by the membership dynamics reported at Salon.com, a subscription-based online journal [45]. Salon announced that in the year 2003, they added 31 000 paid subscribers (for a total of 73 000) and maintained a 71% renewal rate. Thus, a 29% eviction rate would generate an expected 21 170 evictions in one year. This suggests that the total number of membership events would reach 52 170.

To represent a workload of searching newspaper content, the experiment tests a file system containing 10 000 8 KB encrypted files and the associated content keys. The experiment consists of mounting the file system and reading all the files. This causes the client machine to fetch all the content keys.

We further motivate our example workload as follows. While there is promising research in enabling a third party server to search encrypted data [2, 12, 26, 28, 47, 50], current approaches for searchable encryption do not prevent the server from outputting false negatives. Because Chefs extends the SFS read-only file system, it inherits the property that the client can verify whether it has received all intended content (i.e., the whole truth) from the server. Therefore, to avoid false negatives, we desire a client-based search in which the Chefs client downloads all the encrypted content and keys to perform the search itself.

Sous-Chefs. To determine the cost of key regression, Chefs is compared to a version of Chefs with key regression disabled. This strawman file system is called Sous-Chefs. Chefs and Sous-Chefs differ only in how they fetch group keys from the publisher. When using KR-SHA1 for key regression, Chefs fetches a 20-byte member state, encrypted in the client’s public 1 024-bit RSA key with low exponent $e = 3$. Chefs then uses key regression to unwind and derive all past versions of the group key. Sous-Chefs fetches all the derived group keys at once (each 16 bytes). The group keys themselves are encrypted with 128-bit AES in CBC mode. The AES key is encrypted with the client’s RSA public key. A Sous-Chefs client is allowed to request a single bulk transfer of every version of a group key to fairly amortize the cost of the transfer.

Reduced throughput requirements. Figure 4 shows that a publisher can serve many more clients in Chefs than Sous-Chefs in low-bandwidth, high-latency conditions. The CPU utilization for Chefs under no bandwidth limitation is negligible, indicating that the cost of RSA encryptions on the publisher is not the bottleneck.

Each test asynchronously plays back 20 traces of a single client fetching the keys for the search workload. This effectively simulates the effect of 20 clients applying the same key distribution workload to the publisher. After all traces have completed, we record the effective number of trace playbacks per second. The Sous-Chefs traces of fetching $10$, $10^2$, $10^3$, $10^4$, $10^5$, and $10^6$ keys generate 4, 4, 5, 24, 200, and 1 966 asynchronous remote procedure calls from the client to the publisher respectively. Chefs always generates a single remote procedure call, regardless of the number of key versions.

Key regression protocol    Winds/sec         Unwinds/sec
KR-SHA1                    Not applicable        687 720
KR-AES                     Not applicable      3 303 900
KR-RSA                     158                    35 236

Table 2. Microbenchmarks of KR-SHA1, KR-AES, KR-RSA key regression.

[Figure 4: log-log plot of aggregate publisher throughput. x-axis: Number of keys (10 to 1e+06); y-axis: Client-sessions/sec (1 to 10000); series: chefs, chefs (cable modem), chefs (analog modem), souschefs, souschefs (cable modem), souschefs (analog modem).]

Figure 4. Aggregate publisher throughput for key distribution plotted on a log-log graph. A client-session consists of fetching key material sufficient to generate all the keys to decrypt the published content. Key regression enables a publisher to support many client-sessions per second. Chefs always performs better than Sous-Chefs because key regression performance is effectively independent of the rate of membership turnover.

Improved client latency. The client latency experiment measures the time for a single client to execute the search workload. The untrusted server and publisher have warm caches while the client has a cold cache.

The log-log chart in Figure 5 shows that Chefs outperforms Sous-Chefs for the search workload under several network conditions. In Sous-Chefs, the network transfer time dominates client latency because of the sheer volume of keys transferred from the publisher to the client. There is no measurement for Sous-Chefs downloading 1 000 000 keys because the kernel assumes that the mount failed after waiting 1 000 seconds. On a 56 Kbit/sec network, Sous-Chefs is expected to take over 2 232 seconds to download 1 000 000 keys each 16 bytes. Thus, only three bars appear for the test cases involving 1 000 000 content keys. Key regression itself is a small component of the Chefs benchmark. With $10^6$ keys, key regression on the client takes less than 1.5 sec with CPU utilization never exceeding 42%.

12 Conclusions

We presented provably-secure constructions for key regression — addressing the shortfalls of key rotation. We also provided the first measurements of either a key regression or key rotation system. Finally, we integrated key regression in a content distribution application to demonstrate how key regression enables efficient key distribution on low-bandwidth, high-latency connections. Using key regression, a publisher can efficiently control access to content independent of group membership dynamics and without needing a fast network connection.


[Figure 5: log-log plot of single-client latency. x-axis: Number of keys (1000 to 1000000); y-axis: Client latency (sec) (1 to 1000); series: chefs, souschefs, souschefs (cable modem), souschefs (analog modem).]

Figure 5. A log-log chart of single client latency to read 10 000 8 KB encrypted files and the associated content keys. Key regression maintains a constant client latency regardless of the number of keys. Under low-bandwidth, high-latency conditions, Sous-Chefs latency is dominated by the transfer time of keys after reaching 10 000 keys. Key regression enables much better latency in Chefs.

Acknowledgments

K. Fu was supported in part by Project Oxygen and an Intel Ph.D. Fellowship. S. Kamara was supported by a Bell Labs Graduate Research Fellowship. T. Kohno was supported by an IBM Ph.D. Fellowship, NSF CCR-0208842, NSF ANR-0129617, and NSF CCR-0093337. K. Fu performed this research while at The Johns Hopkins University and MIT. T. Kohno performed part of this research while visiting UC Berkeley. We thank Ron Rivest for detailed comments on this paper; David Mazières for suggestions on formalizing definitions of security; Mahesh Kallahalla and Ram Swaminathan for our initial work together to define key regression; Fabian Monrose for early reviews of this paper; Frans Kaashoek for his guidance and unending support; and Frank Dabek, Emil Sit, and Jeremy Stribling for help with the testbed.

References

[1] M. Abdalla and M. Bellare. Increasing the lifetime of a key: A comparative analysis of the security of re-keying techniques. In T. Okamoto, editor, Advances in Cryptology – ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 546–559, Kyoto, Japan, Dec. 3–7, 2000.

[2] M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi. Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. In V. Shoup, editor, Advances in Cryptology – CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, Aug. 14–18, 2005. Springer-Verlag, Berlin, Germany.

[3] Akamai Technologies. http://www.akamai.com.

[4] S. G. Akl and P. D. Taylor. Cryptographic solution to a problem of access control in a hierarchy. ACM Transactions on Computer Systems, 1(3):239–248, 1983.

[5] M. Backes, C. Cachin, and A. Oprea. Lazy revocation in cryptographic file systems. In 3rd International IEEE Security in Storage Workshop, Dec. 2005.

[6] M. Backes, C. Cachin, and A. Oprea. Secure key-updating for lazy revocation. IBM Research Report RZ 3627, Oct. 2005. Available at http://domino.research.ibm.com/library/cyberdig.nsf/index.html, keyword 99637; also archived as Cryptology ePrint Archive Report 2005/334.

[7] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway. A concrete security treatment of symmetric encryption. In 38th Annual Symposium on Foundations of Computer Science (FOCS ’97), pages 394–403. IEEE Computer Society, 1997.

[8] M. Bellare, J. Kilian, and P. Rogaway. The security of the cipher block chaining message authentication code. In Y. Desmedt, editor, Advances in Cryptology – CRYPTO ’94, volume 839 of Lecture Notes in Computer Science, pages 341–358, Santa Barbara, CA, USA, Aug. 21–25, 1994. Springer-Verlag, Berlin, Germany.

[9] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In V. Ashby, editor, ACM CCS 93: 1st Conference on Computer and Communications Security, Fairfax, Virginia, USA, Nov. 3–5, 1993. ACM Press.

[10] M. Bellare and B. Yee. Forward security in private key cryptography. In M. Joye, editor, Topics in Cryptology – CT-RSA 2003, volume 2612 of Lecture Notes in Computer Science, pages 1–18, San Francisco, CA, USA, Apr. 13–17, 2003. Springer-Verlag, Berlin, Germany.

[11] M. Blum and S. Micali. How to generate cryptographically strong sequences of pseudo-random bits. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science (FOCS ’82), 1982.

[12] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano. Public key encryption with keyword search. In C. Cachin and J. Camenisch, editors, Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 506–522, Interlaken, Switzerland, May 2–6, 2004. Springer-Verlag, Berlin, Germany.

[13] D. Boneh, C. Gentry, and B. Waters. Collusion resistant broadcast encryption with short ciphertexts and private keys. In V. Shoup, editor, Advances in Cryptology – CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pages 258–275, Santa Barbara, CA, USA, Aug. 14–18, 2005. Springer-Verlag, Berlin, Germany.

[14] B. Cohen. Incentives build robustness in BitTorrent. In Proceedings of the First Workshop on the Economics of Peer-to-Peer Systems, Berkeley, CA, June 2003.

[15] J.-S. Coron, Y. Dodis, C. Malinaud, and P. Puniya. Merkle-Damgård revisited: How to construct a hash function. In V. Shoup, editor, Advances in Cryptology – CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, 2005.

[16] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.

[17] Y. Dodis and N. Fazio. Public key broadcast encryption for stateless receivers. In Digital Rights Management Workshop, volume 2696 of Lecture Notes in Computer Science, pages 61–80. Springer-Verlag, Berlin, Germany, 2002.

[18] Y. Dodis and N. Fazio. Public key broadcast encryption secure against adaptive chosen ciphertext attack. In Y. Desmedt, editor, PKC 2003: 6th International Workshop on Theory and Practice in Public Key Cryptography, volume 2567 of Lecture Notes in Computer Science, pages 100–115, Miami, USA, Jan. 6–8, 2003. Springer-Verlag, Berlin, Germany.

[19] A. Fiat and M. Naor. Broadcast encryption. In D. Boneh, editor, Advances in Cryptology – CRYPTO ’93, volume 773 of Lecture Notes in Computer Science, pages 480–491, Santa Barbara, CA, USA, Aug. 22–26, 1993. Springer-Verlag, Berlin, Germany.

[20] M. Freedman, E. Freudenthal, and D. Mazières. Democratizing content publication with Coral. In 1st USENIX/ACM Symposium on Networked Systems Design and Implementation, San Francisco, CA, March 2004. See http://www.coralcdn.org/.

[21] K. Fu. Group sharing and random access in cryptographic storage file systems. Master’s thesis, Massachusetts Institute of Technology, May 1999.

[22] K. Fu. Integrity and access control in untrusted content distribution networks. PhD thesis, Massachusetts Institute of Technology, September 2005.

[23] K. Fu, M. F. Kaashoek, and D. Mazières. Fast and secure distributed read-only file system. In 4th Symposium on Operating Systems Design and Implementation, 2000.

[24] K. Fu, S. Kamara, and T. Kohno. Key regression: Enabling efficient key distribution for secure distributed storage. Cryptology ePrint Archive, http://eprint.iacr.org/: Report 2005/303, 2005. (Full version of this paper.)

[25] D. K. Gifford. Cryptographic sealing for information secrecy and authentication. Communications of the ACM, 25(4):274–286, 1982.

[26] E.-J. Goh. Secure indexes. Cryptology ePrint Archive, http://eprint.iacr.org/: Report 2003/216, 2003.

[27] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, Apr. 1984.

[28] P. Golle, J. Staddon, and B. R. Waters. Secure conjunctive keyword search over encrypted data. In M. Jakobsson, M. Yung, and J. Zhou, editors, ACNS 04: 2nd International Conference on Applied Cryptography and Network Security, volume 3089 of Lecture Notes in Computer Science, pages 31–45, Yellow Mountain, China, June 8–11, 2004. Springer-Verlag, Berlin, Germany.

[29] N. M. Haller. The S/KEY one-time password system. In ISOC Symposium on Network and Distributed System Security, February 1994.

[30] A. Harrington and C. Jensen. Cryptographic access control in a distributed file system. In Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (SACMAT 2003), Villa Gallia, Como, Italy, June 2003.

[31] A. Joux. Multicollisions in iterated hash functions. Application to cascaded constructions. In M. Franklin, editor, Advances in Cryptology – CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 306–316. Springer-Verlag, Berlin, Germany, 2004.

[32] M. Kallahalla, E. Riedel, R. Swaminathan, Q. Wang, and K. Fu. Plutus: Scalable secure file sharing on untrusted storage. In 2nd USENIX Conference on File and Storage Technologies, 2003.

[33] J. Kelsey and T. Kohno. Herding hash functions and the Nostradamus attack. Cryptology ePrint Archive, http://eprint.iacr.org/: Report 2005/281, 2005.

[34] L. Lamport. Password authentication with insecure communication. Communications of the ACM, 24(11):770–771, November 1981.

[35] M. Luby and C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM Journal on Computing, 17(2), 1988.

[36] S. MacKinnon and S. G. Akl. New key generation algorithms for multilevel security. In SP ’83: Proceedings of the 1983 IEEE Symposium on Security and Privacy, page 72, Washington, DC, USA, 1983. IEEE Computer Society.

[37] Mandriva Linux. http://www.mandriva.com/en/community/users/club.

[38] S. Micali. Fair public-key cryptosystems. In E. F. Brickell, editor, Advances in Cryptology – CRYPTO ’92, volume 740 of Lecture Notes in Computer Science, pages 113–138, Aug. 16–20, 1992.

[39] G. Miklau and D. Suciu. Controlling access to published data using cryptography. In International Conference on Very Large Data Bases, pages 898–909, September 2003.

[40] D. Naor, M. Naor, and J. Lotspiech. Revocation and tracing schemes for stateless receivers. In J. Kilian, editor, Advances in Cryptology – CRYPTO 2001, volume 2139 of Lecture Notes in Computer Science, pages 41–62, Santa Barbara, CA, USA, Aug. 19–23, 2001.

[41] D. Naor, A. Shenhav, and A. Wool. Toward securing untrusted storage without public-key operations. In First International Workshop on Storage Security and Survivability, Nov. 2005.

[42] D. Reed and L. Svobodova. Swallow: A distributed data storage system for a local network. In A. West and P. Janson, editors, Local Networks for Computer Communications, pages 355–373. North-Holland Publ., Amsterdam, 1981.

[43] R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

[44] L. Rizzo. Dummynet: a simple approach to the evaluation of network protocols. SIGCOMM Computer Communication Review, 27(1):31–41, 1997.

[45] Salon.com. http://www.salon.com/press/release/.

[46] Q. Snell, A. Mikler, and J. Gustafson. NetPIPE: A network protocol independent performance evaluator. In IASTED International Conference on Intelligent Information Management and Systems, 1996.

[47] D. X. Song, D. Wagner, and A. Perrig. Practical techniques for searches on encrypted data. In IEEE Symposium on Security and Privacy, pages 44–55, 2000.

[48] J. Staddon, S. Miner, M. Franklin, D. Balfanz, M. Malkin, and D. Dean. Self-healing key distribution with revocation. In Proceedings of the IEEE Symposium on Security and Privacy, 2002.

[49] X. Wang, Y. L. Yin, and H. Yu. Finding collisions in the full SHA-1. In V. Shoup, editor, Advances in Cryptology – CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, 2005.

[50] B. R. Waters, D. Balfanz, G. Durfee, and D. K. Smetters. Building an encrypted and searchable audit log. In ISOC Network and Distributed System Security Symposium (NDSS 2004), 2004.

[51] A. Yao. Theory and applications of trapdoor functions. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science (FOCS ’82), 1982.

