CryptoDB
Margarita Vald
Publications
Year
Venue
Title
2024
RWC
A High-Performance Enterprise System for Key Management
Abstract
We present a system for key management and protection of data at rest. At the heart of our system is a new protocol for secure key derivation, departing from the common practice of envelope encryption. Our solution adheres to existing enterprise architecture best practices and performance requirements. Our system is implemented at industrial scale, managing tens of thousands of root keys and serving thousands of server-side key derivation requests per second. Our system is not only performant in terms of latency and throughput, but also offers non-trivial monetary cost reduction.
The talk will present the key derivation protocol, and discuss the system's security and scalability.
2024
JOFC
Achievable CCA2 Relaxation for Homomorphic Encryption
Abstract
Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers? We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show:
- Homomorphic encryption schemes that have a certain type of circuit privacy, for example, schemes in which ciphertexts can be "sanitized", are funcCPA-secure.
- In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure.
- For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security, i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption).
2022
TCC
Achievable CCA2 Relaxation for Homomorphic Encryption
Abstract
Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers?
We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show:
- Homomorphic encryption schemes that have a certain type of circuit privacy, for example, schemes in which ciphertexts can be "sanitized", are funcCPA-secure.
- In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure.
- For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security, i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption).
Namely, funcCPA-security lies strictly between CPA-security and CCA2-security (under reasonable assumptions), and has an interesting relationship with circular security, though it is not known to be equivalent.
2018
EUROCRYPT
Coauthors
- Adi Akavia (2)
- Ran Canetti (1)
- Craig Gentry (2)
- Siyao Guo (1)
- Shai Halevi (2)
- Pavel Hubáček (2)
- Gleb Keselman (1)
- Olla Nasirov (1)
- Alon Rosen (3)
- Daniel Shahaf (1)
- Yaron Sheffer (1)
- Margarita Vald (6)