, , c, T):
(, the probabilistic key generation algorithm that takes
as input a security parameter k and the total number of
time periods N. It returns SK
(Dev)
def
= SK
(ID.Dev)
IDP
and SK
(Comp)
def
= SK
(ID.Comp)
IDP
, where SK
(ID.Dev)
and SK
(ID.Comp)
are user IDs device master key and
computer master key, respectively.

b
(, , ): It is de
ned as LR
E,
b
(t, M0, M1)
def
= c
SKt
(t, M
b
t
), where
b =
b1, . . . , bN 0, 1
N
. It models encryption requests by
the adversary on (period, message) pairs.
We may allow the adversary to have access to encryp
tion oracle c
SK
(Dev)
,SK
(Comp)
(, ) that, on input t and
M, computes and returns t, C)
def
= c
SKt
(t, M). This
models a chosenplaintext attack by the adversary.
We may also allow the adversary to have access to
decryption oracle T
SK
(Dev)
,SK
(Comp)
() that, on input
t, C), computes and returns T
SKt
(t, C)). This models
a chosenciphertext attack by the adversary.
We allow the adversary to interleave encryption requests and
key exposure requests. Moreover, key exposure requests may
be made adaptively and in any order.
Definition 2. For ID 1, dene T
ID
= t[1 t N
Exp
SK
(Dev)
,SK
(Comp) (t, ID), which corresponds to the points
in time that the computer is compromised, and T
ID
= t[1
t NDev(t, ID), which corresponds to the points in time
that the device is compromised. Dene t
ID
= max(t
ID
, t
ID
),
where t
ID
and t
ID
are dened as follows:
If T
ID
,= , dene t
ID
= t such that t T
ID
and t
ID
, t
t (i.e., t
ID
is the rst time that IDs computer
is compromised); otherwise, dene t
ID
= .
If T
ID
,= , dene t
ID
= t such that t T
ID
and t
ID
, t
t (i.e., t
ID
is the rst time that IDs device is
compromised); otherwise, dene t
ID
= .
Note that t
ID
is the earliest point in time that IDs computer
and device have been compromised. Dene TP = t
ID
[ID
1. Dene t = t such that t TP and ID 1, t t
ID
.
Note that t is the earliest point in time that IDs computer
and device have been compromised, which means that all of
the cryptographic keys have been compromised. We say that
is nevercompromised if t = , and is compromised
at time t otherwise. Dene T
P
=
S
IDP
T
ID
. We say that
a nevercompromised is unexposed at time period t if
t / T
P
.
For a nevercompromised , we require keyinsulation spec
ied below; for a that is compromised at some time t,
we require augmented keyinsulation specied below. Infor
mally, is keyinsulated if the probability that any proba
bilistic polynomialtime adversary succeeds in guessing the
value of bt for any unexposed time period t is negligibly
more than 1/2. More formally,
Definition 3. (keyinsulation) Let be a keyupdating
symmetric key scheme. For adversary /, dene:
SuccA,(k)
def
=
Pr
2
6
6
6
6
4
(SK
(Dev)
, SK
(Comp)
) ((1
k
, N);
b 0, 1
N
;
(t, b)
A
LR
E,
b
(,,),Exp
SK
(Dev)
,SK
(Comp)
(,),Dev(,),O
1
(,),O
2
()
() :
b = bt
3
7
7
7
7
5
,
where O1(, ) = for knownplaintext attack and O1(, ) =
c
SK
(Dev)
,SK
(Comp)
(, ) for chosenplaintext attack, and O2() =
meaning that the adversary has no access to the decryption
oracle and O2() = T
SK
(Dev)
,SK
(Comp)
() meaning that the
adversary has access to the decryption oracle (i.e., chosen
ciphertext attack in which case the adversary is not allowed
to query T
SK
(Dev)
,SK
(Comp)
(t, C)) if t, C) was returned by
LR
E,
b
(t, , )). Then, is (T, N)keyinsulated if for any
probabilistic polynomialtime / such that t = (i.e.,
is nevercompromised), t / T
P
(i.e. is unexposed at
period t), and [T
P
[ T, [SuccA,(k) 1/2[ is negligible.
Moreover, we say a (N 1, N)keyinsulated symmetric key
scheme achieves optimal keyinsulation.
For the notion of keyinsulation, it may be desirable to
consider an extra property called secure key updates below.
We call the following attack a keyupdate exposure at period
t on IDs computer: an adversary breaks into user IDs com
puter while a key update is taking place (i.e., the exposure
occurs between two periods t 1 and t). In this case, the
adversary receives SKt1, SK
ID.Dev
t
, SK
(ID.Comp)
, and (can
compute) SKt. Informally, we say a scheme has secure key
updates if a keyupdate exposure at period t on IDs com
puter is equivalent to key exposures at periods t 1 and t
on IDs computer and no more. More formally:
Definition 4. (secure key updates for keyinsulation) A
keyupdating symmetric key scheme has secure key up
dates if the view of any adversary / making a keyupdate
exposure request at time period t on IDs computer can be
perfectly simulated by an adversary /
b
(t, M1, M2) is neg
ligibly more than 1/2, where t < t. More formally,
Definition 5. (augmented keyinsulation) Let be a key
updating symmetric key encryption scheme. For adversary
/, dene the following:
SuccI,(k)
def
=
Pr
2
6
6
6
6
4
(SK
(Dev)
, SK
(Comp)
) ((1
k
, N);
b 0, 1
N
;
(t, t, b)
I
LR
E,
b
(,,),Exp
SK
(Dev)
,SK
(Comp)
(,),Dev(,),O
1
(,),O
2
()
() :
b = bt
3
7
7
7
7
5
,
where t < t and t / T
P
, O1(, ) = for knownplaintext at
tack and O1(, ) = c
SK
(Dev)
,SK
(Comp)
(, ) for chosenplaintext
attack, and O2() = meaning that the adversary has no ac
cess to the decryption oracle and O2() = T
SK
(Dev)
,SK
(Comp)
()
meaning that the adversary has access to the decryption or
acle (i.e., chosenciphertext attack in which case the ad
versary is not allowed to query T
SK
(Dev)
,SK
(Comp)
(t, C)) if
t, C) was returned by LR
E,
b
(t, , )). is augmented key
insulated if: (1) when t < , [SuccI,(k) 1/2[ is negli
gible for any probabilistic polynomialtime algorithm /, and
(2) when t = , is keyinsulated.
2.3 KeyInsulated Symmetric Key Scheme
Let (G, E, D) be a secure symmetric key cryptosystem,
where G is the key generation algorithm which takes as in
put a security parameter k and outputs a key K, EK()
is encryption algorithm, and DK() is the decryption al
gorithm. We refer to [12] for its security denitions. Let
fK : 0, 1
k
0, 1
0, 1
k
be a pseudorandom func
tion family keyed by K 0, 1
k
[9]. The (N 1, N)key
insulated symmetric key scheme for two party communi
cation (i.e., [1[ = 2) is specied as follows.
Key Generation. This algorithm is executed in a secure
environment. Suppose xi
1i4
are uniformly chosen
from 0, 1
k
. Alice stores (x1, x2) on her computer,
and (x3, x4) on her device; Bob stores (x1, x3) on his
computer, and (x2, x4) on his device.
Device KeyUpdate. At the beginning of period t (1
t N), Alices device sends fx
3
(t) fx
4
(t) to her
computer, and Bobs device sends fx
2
(t) fx
4
(t) to
his computer.
Computer KeyUpdate. The secret key for period t is
SKt = fx
1
(t) fx
2
(t) fx
3
(t) fx
4
(t), which can be
derived by Alices computer and Bobs computer.
Encryption. For period t, set c
SK
t
(t, M) = E
SK
t
(M).
Decryption. For period t, set T
SK
t
(t, C)) = D
SK
t
(C).
Theorem 1. Suppose (G, E, D) is a secure symmetric key
encryption scheme, and fK is a secure pseudorandom func
tion family. Then, is (N1, N)keyinsulated with secure
key updates.
2.4 Integrating KeyInsulated Scheme with TVD
As illustrated in Figure 1(a), a TVD allows a customer
(Alice) to use multiple VMs running on top of multiple phys
ical computers in the cloud. The communications between
the applications running in the same TVD should be pro
tected from the environment outside the TVD.
As illustrated in Figure 1(b), where we consider two VMs
running on top of the same Virtual Machine Monitor (VMM)
for the sake of simplicity, keyinsulated symmetric key cryp
tography can mitigate the repeated exposures of secret keys.
More specically, we can let each VM hold a master key
(called computer master key), and let the VMM hold a set of
master keys (called device master keys). At the beginning of
each time period, a VM receives from the device keyupdate
software module a partial secret key, which is derived from
the device master key. The computer keyupdate module will
derive a period secret key from the partial secret key and the
computer master key. The period secret key is the symmet
ric key for protecting the communications between the two
VMs that belong to the same TVD. As a proof of concept, we
report our implementation of keyinsulated symmetric key
scheme in the KVM environment as well as its performance
measurements. Since the dierence between standard sym
metric key cryptography and keyinsulated symmetric key
cryptography is the key update operation at the beginning
of each time period, the performance metric we consider is
the key update time, which is dependent upon the number
of VMs one will communicate with, and is dependent upon
the number of VMs running on top of a single physical com
puter.
As a proof of concept, we implemented the keyinsulated
symmetric key scheme in the KVM environment. Our ex
perimental system was a desktop computer. The hardware
was two x86 processors at 2.5 GHz with 2GB memory. The
Alices Trusted Virtual Domain (TVD)
VMM
Hardware w/ TPM
VMM
Hardware w/ TPM
Hardware
w/ TPM
VM11 VM12
VMM
VMa1 VMa2
Hardware
w/ TPM
VMM
VMb1 VMb2 VM21 VM22
Bobs TVD
(a) TVD in cloud environment
VMM
VM1
Partial Secret Key1
Secure Communication
Computer
KeyUpdate
Period Secret Key12
Computer
Master Key1
VM2
Computer
KeyUpdate
Period Secret Key12
Computer
Master Key2
Device Master Key1
Communication Between VMs and VMM
Symmetric Key
En/Decryption
Message Message
Device
KeyUpdate
Partial Secret Key2
Device Master Key2
Symmetric Key
En/Decryption
(b) TVD with keyinsulated symmetric key encryption
Figure 1: Keyinsulated symmetric key cryptogra
phy and TVD
Host OS was Ubuntu 11.10. The guest OS was Ubuntu
10.04. The device in our formal model was implemented as
a small software module in KVM, called Device KeyUpdate,
which implements the Device KeyUpdate algorithm. Simi
larly, we implemented a Computer KeyUpdate module in the
VM. We choose to implement the device in KVM because
we can modify the source code. Note that TPM does not
allow one to run any thirdparty code.
There are two approaches to realize keyinsulation in KVM.
The dierence between the two approaches is how the Device
KeyUpdate module and the Computer KeyUpdate module
communicate. Figure 2(a) demonstrates approach I, which
utilizes the virtual CDROM mechanism. Specically, the
Device KeyUpdate module in KVM will write the key up
dates to a virtual CD (in the format of ISO le), and then
insert the virtual CD into the CDROM device of the re
spective VM. Figure 2(b) demonstrates approach II, which
utilizes KVMs VirtioSerial feature that further allows the
Computer KeyUpdate module to acknowledge the receiving
of key updates from the Device KeyUpdate module.
Since the secure communications between VMs using the
period secret keys are the same as the standard use of sym
metric key schemes, we want to demonstrate that the key
update operations do not incur any signicant performance
cost. This is justied by the fact that the cost for evalu
ating pseudorandom functions, for which we used AES128,
can be almost ignored in practice. The most signicant part
of the cost is the communication from the Device KeyUpdate
module to the Computer KeyUpdate module. Since one VM
Host OS + KVM Device Master Key
Device KeyUpdate
VM1
Computer
KeyUpdate
Period Secret Key
Partial Secret Key
Secure Communication
Computer
Master Key
Computer
KeyUpdate
Period Secret Key
VM2
Computer
Master Key
Virtual
CDROM
Virtual
CD
Virtual
CDROM
Virtual
CD
(a) Implementation approach I
Host OS + KVM Device Master Key
Device KeyUpdate
VM1
Computer
KeyUpdate
Period Secret Key
Partial Secret Key
Secure Communication
Computer
Master Key
Computer
KeyUpdate
Period Secret Key
VM2
Computer
Master Key
(b) Implementation approach II
Figure 2: Two approaches for implementing key
insulated symmetric key schemes
may need to conduct secure communications with multiple
or many other VMs, we measure the performance impact of
the number of key updates (i.e., the number of VMs with
which one VM communicates). Since a VMM needs to sup
port multiple VMs simultaneously, we measure the perfor
mance impact of the number of VMs running on top of a
physical machine.
Figure 3(a) compares the communication costs of the two
approaches with respect to the number of key updates. In
the experiments, we ran a single VM on top of KVM. Sup
pose one VM needs to conduct secure communications with
up to 1,200 other VMs, which is possible with the TVD ab
straction mentioned in the Introduction, the Computer Key
Update module in the VM needs to receive up to 1,200 key
updates from the Device KeyUpdate module in the KVM. It
is clear that Approach II is two orders of magnitude faster
than Approach I. Because Approach II incurs very small
communication cost, we also plotted the zoomedin version
of the curve. It is interesting to note that the communica
tion cost of Approach I is roughly independent of the num
ber of key updates; whereas, the communication cost of Ap
0 200 400 600 800 1000 1200
0
100
200
300
400
Number of Keys Transferred
T
i
m
e
(
m
s
)
Approach I
Approach II
0 200 400 600 800 1000 1200
0
5
10
(a) Impact of number of keys
1 2 3 4
0
500
1000
1500
Number of VMs
T
i
m
e
(
m
s
)
Approach I
Approach II
(b) Impact of number of VMs
Figure 3: Performance evaluation
proach II is proportional to the number of key updates. This
phenomenon is inherent to the communication mechanisms.
Figure 3(b) compares the communication costs of the two
approaches with respect to the number of VMs running on
top of a single KVM. In our experiments, we ran 1, 2, 3, 4
VMs on the aforementioned desktop hardware platform, re
spectively. In any case, each VM was allocated with 256MB
memory and ran Ubuntu 10.04. The curves correspond to
that each VM receives 1,200 key updates from the Device
KeyUpdate module. In either case, we observe that the
communication cost is roughly proportional to the number
of VMs running on the hardware platform. In summary,
we observe that Approach II is much more ecient than
Approach I.
2.5 Augmented KeyInsulation Scheme
Augmented keyinsulated symmetric key scheme oers a
stronger security guarantee under certain circumstances. Its
deployment and devicetocomputer communication cost are
essentially the same as the ones of the above keyinsulated
symmetric key scheme, except that the key update algo
rithms need to evaluate two more pseudorandom functions
(e.g., AES128). This explains why we do not repeat the
implementation part. Let (G, E, D) be a secure symmet
ric key cryptosystem. The augmented keyinsulated sym
metric key scheme for secure two party communication is
specied below. A key chain specied by Xi,0 is dened as
Xi,t = fX
i,t1
(0) for 1 t N.
Key Generation. This algorithm is executed in a se
cure environment. Suppose Xi,0
1i4
is a set of
secrets uniformly chosen from 0, 1
k
. Alice stores
(X1,0, X2,0) on her computer, and (X3,0, X4,0) on her
device; Bob stores (X1,0, X3,0) on his computer, and
(X2,0, X4,0) on his device.
Device KeyUpdate. At the beginning of time period t
(1 t N), Alices device holds (X3,t1, X4,t1), and
Bobs device holds (X2,t1, X4,t1). This algorithm
includes the following steps.
1. Alices device sends fX
3,t1
(1)fX
4,t1
(1) to her
computer; Bobs device sends fX
2,t1
(1)fX
4,t1
(1)
to his computer.
2. Alices device computes and holds (X3,t, X4,t) and
erases (X3,t1, X4,t1); Bobs device computes and
holds (X2,t, X4,t) and erases (X2,t1, X4,t1).
Computer KeyUpdate. At the beginning of period t,
where 1 t N, Alices computer holds secrets
(SKt1; X1,t1, X2,t1); Bobs computer holds secrets
(SKt1; X1,t1, X3,t1).
1. Both Alices computer and Bobs computer com
pute and hold SKt = fX
1,t1
(1) fX
2,t1
(1)
fX
3,t1
(1) fX
4,t1
(1), which is the secret key
for time period t.
2. Alices computer computes and holds the pair of
secrets (X1,t, X2,t), erases (SKt1; X1,t1, X2,t1);
Bobs computer computes and holds the pair of
secrets (X1,t, X3,t), erases (SKt1; X1,t1, X3,t1).
Recall that Xi,t = fX
i,t1
(0).
Encryption. For period t, set c
SK
t
(t, M) = E
SK
t
(M).
Decryption. for period t, set T
SK
t
(t, C)) = D
SK
t
(C).
Theorem 2. If (G, E, D) is a secure symmetric encryp
tion scheme and fK is a secure pseudorandom function
family, then is an augmented keyinsulated symmetric key
scheme.
3. CONCLUSION
We presented the denition and constructions of keyinsulated
symmetric key schemes, and reported an implementation in
the KVM environment.
Acknowledgement
We thank Jonathan Katz for discussions and suggestions.
4. REFERENCES
[1] R. Anderson, Invited Lecture, ACM CCS97.
[2] M. Bellare and S. Miner, A ForwardSecure Digital
Signature Scheme, Crypto99.
[3] M. Bellare and B. Yee. ForwardSecurity in
PrivateKey Cryptography. RSACT03.
[4] Y. Desmedt and Y. Frankel. Threshold Cryptosystems.
CRYPTO89, pp 307315.
[5] Y. Dodis, M. Franklin, J. Katz, A. Miyajo, and M.
Yung. IntrusionResilient PublicKey Encryption.
RSACT03.
[6] Y. Dodis, M. Franklin, J. Katz, A. Miyajo, and M.
Yung. A Generic Construction for IntrusionResilient
PublicKey Encryption. RSACT04.
[7] Y. Dodis, J. Katz, S. Xu, and M. Yung. KeyInsulated
Public Key Cryptosystems. Eurocrypt02.
[8] Y. Dodis, J. Katz, S. Xu, and M. Yung. KeyInsulated
Signature Schemes. PKC03.
[9] O. Goldreich, S. Goldwasser, and S. Micali, How to
Construct Random Functions, J. ACM, Vol. 33, No. 4,
1986, pp 210217.
[10] G. Itkis and L. Reyzin. SiBIR: SignerBase
IntrusionResilient Signatures. Crypto02.
[11] J. Grin, T. Jaeger, R. Perez, R. Sailer, L. van Doorn
and R. Caceres, Trusted Virtual Domains: Toward
Secure Distributed Services, Proc. 2005 IEEE
Workshop on Hot Topics in System Dependability.
[12] J. Katz and M. Yung, Complete Characterization of
Security Notions for Probabilistic PrivateKey
Encryption, STOC00.
[13] B. Yee. Using secure coprocessors. PhD thesis,
Carnegie Mellon University, 1994.