Cryptographic Agility and its Relation to Circular Encryption

Tolga Acar, Mira Belenkiy, Mihir Bellare, David Cash

EUROCRYPT 2010 |

Published by Springer Verlag

View Publication

We initiate a provable-security treatment of cryptographic agility. A primitive (for example PRFs, authenticated encryption schemes or digital signatures) is agile when multiple, individually secure schemes can securely share the same key. We provide a surprising connection between two seemingly unrelated but challenging questions. The first, new to this paper, is whether wPRFs (weak-PRFs) are agile. The second, already posed several times in the literature, is whether every secure (IND-R) encryption scheme is secure when encrypting cycles. We resolve the second question in the negative and thereby the first as well. We go on to provide a comprehensive treatment of agility, with definitions for various different primitives. We explain the practical motivations for agility. We provide foundational results that show to what extent it is achievable and practical constructions to achieve it to the best extent possible. On the theoretical side our work uncovers new notions and relations and settles stated open questions, and on the practical side it serves to guide developers.

Publication Downloads

Distributed Key-Manager Verification

December 2, 2010

This package contains the F# and F7 source files to aid in the verification of a distributed key-management system. This new component implements a data-protection API for groups of clients. To enable long-term data protection, it supports cryptographic agility so cryptography algorithms and policies can evolve for protecting fresh data while preserving access to old data. To verify the security of our design and production code, written in C#, we write a reference implementation in F#. Formally, we verify our F# code against a logical cryptographic model using F7, a refinement type checker coupled with a model checker. Experimentally, we test that the corresponding C# and F# code fragments are interchangeable.

Download Data