Interactivity in Constructive Cryptography : Modeling and Applications to Updatable Encryption and Private Information Retrieval

TL;DR

This paper extends the Constructive Cryptography framework to handle interactive protocols, applying it to updatable encryption and private information retrieval, and clarifies security notions and composability for these protocols.

Contribution

It introduces an Interactive Server Memory Resource in CC, providing a unified, composable model for updatable encryption and PIR, and clarifies security assumptions and guarantees.

Findings

Provides a composable security framework for UE and PIR

Clarifies security notions for UE under leakage scenarios

Models various PIR variants within the CC framework

Abstract

In this work, we extend the Constructive Cryptography (CC) framework introduced by Maurer in 2011 so as to handle interactive protocols. We design and construct a so-called {\em Interactive Server Memory Resource} (ISMR), that is an augmented version of the basic instantiation of a client-server protocol in CC, namely the Server Memory Resource. We then apply our ISMR construction to two types of interactive cryptographic protocols for remote storage : Updatable Encryption (UE) and Private Information Retrieval (PIR). Concerning UE, our results are a composable version of those protocols, clarifying the security guarantees achieved by {\em any} UE scheme. Namely, we give the relevant security notion to consider according to a given leakage context. Letting USMR denote our ISMR adapted to the UE application, we prove that $\mathsf{IND}\text{-}\mathsf{UE}\text{-}\mathsf{CPA}$ security is sufficient for a secure construction of a confidential USMR that hides the age of ciphertexts; and $\mathsf{IND}\text{-}(\mathsf{ENC}+\mathsf{UPD})\text{-}\mathsf{CPA}$ security is sufficient for a secure construction of a confidential USMR in case of unrestricted leakage. As a consequence, contrary to what was claimed before, the $\mathsf{IND}\text{-}\mathsf{UE}$ security notion is not always stronger than the $\mathsf{IND}\text{-}(\mathsf{ENC+UPD})$ one. Concerning PIR, we also give a composable version of PIR protocols, yielding a unique model that unifies different notions of PIR : IT-PIR, C-PIR, one- or multi- server PIR. Using the flexibility of CC, we are also able to model PIR variants, such as SPIR.