Improved efficiency of Kiltz07-KEM
Kiltz proposed a practical key encapsulation mechanism (Kiltz07-KEM) which is secure against adaptive chosen ciphertext attacks (IND-CCA2) under the gap hashed Diffie-Hellman (GHDH) assumption (Kiltz, 2007). We show a variant of Kiltz07-KEM which is more efficient than Kiltz07-KEM in encryption. The new scheme can be proved to be IND-CCA2 secure under the same assumption, GHDH.
Towards Post-Quantum Security for Signal's X3DH Handshake
Modern key exchange protocols are usually based on the Diffie–Hellman (DH) primitive. The beauty of this primitive, among other things, is its potential reusage of key shares: DH shares can be either used a single time or in multiple runs. Since DH-based protocols are insecure against quantum adversaries, alternative solutions have to be found when moving to the post-quantum setting. However, most post-quantum candidates, including schemes based on lattices and even supersingular isogeny DH, are not known to be secure under key reuse. In particular, this means that they cannot be necessarily deployed as an immediate DH substitute in protocols.
In this paper, we introduce the notion of a split key encapsulation mechanism (split KEM) to translate the desired key-reusability of a DH-based protocol to a KEM-based flow. We provide the relevant security notions of split KEMs and show how the formalism lends itself to lifting Signal’s X3DH handshake to the post-quantum KEM setting without additional message flows.
Although the proposed framework conceptually solves the raised issues, instantiating it securely from post-quantum assumptions proved to be non-trivial. We give passively secure instantiations from (R)LWE, yet overcoming the above-mentioned insecurities under key reuse in the presence of active adversaries remains an open problem. Approaching one-sided key reuse, we provide a split KEM instantiation that allows such reuse based on the KEM introduced by Kiltz (PKC 2007), which may serve as a post-quantum blueprint if the underlying hardness assumption (gap hashed Diffie–Hellman) holds for the commutative group action of CSIDH (Asiacrypt 2018).
The intention of this paper hence is to raise awareness of the challenges arising when moving to KEM-based key exchange protocols with key-reusability, and to propose split KEMs as a specific target for instantiation in future research.
Memory-Tight Multi-Challenge Security of Public-Key Encryption
We give the first examples of public-key encryption schemes which can be proven to achieve multi-challenge, multi-user CCA security via reductions that are tight in time, advantage, and memory. Our constructions are obtained by applying the KEM-DEM paradigm to variants of Hashed ElGamal and the Fujisaki-Okamoto transformation that are augmented by adding uniformly random strings to their ciphertexts and/or keys.
The reductions carefully combine recent proof techniques introduced by Bhattacharyya’20 and Ghoshal-Ghosal-Jaeger-Tessaro’22. Our proofs for the augmented ECIES version of Hashed-ElGamal make use of a new computational Diffie-Hellman assumption wherein the adversary is given access to a pairing to a random group, which we believe may be of independent interest.
Group Action Key Encapsulation and Non-Interactive Key Exchange in the QROM
In the context of quantum-resistant cryptography, cryptographic group actions offer an abstraction of isogeny-based cryptography in the Commutative Supersingular Isogeny Diffie-Hellman (CSIDH) setting. In this work, we revisit the security of two previously proposed natural protocols: the Group Action Hashed ElGamal key encapsulation mechanism (GA-HEG KEM) and the Group Action Hashed Diffie-Hellman non-interactive key-exchange (GA-HDH NIKE) protocol. The latter protocol has already been considered to be used in practical protocols such as Post-Quantum WireGuard (S&P ’21) and OPTLS (CCS ’20).
We prove that active security of the two protocols in the Quantum Random Oracle Model (QROM) inherently relies on very strong variants of the Group Action Strong CDH problem, where the adversary is given arbitrary quantum access to a DDH oracle. That is, quantum accessible Strong CDH assumptions are not only sufficient but also necessary to prove active security of the GA-HEG KEM and the GA-HDH NIKE protocols.
Furthermore, we propose variants of the protocols with QROM security from the classical Strong CDH assumption, i.e., CDH with classical access to the DDH oracle. Our first variant uses key confirmation and can therefore only be applied in the KEM setting. Our second but considerably less efficient variant is based on the twinning technique by Cash et al. (EUROCRYPT ’08) and in particular yields the first actively secure isogeny-based NIKE with QROM security from the standard CDH assumption.
Efficient CCA-secure Threshold Public-Key Encryption Scheme
In threshold public-key encryption, the decryption key is divided into n shares, each one of which is given to a different decryption user in order to avoid single points of failure. In this study, we propose a simple and efficient non-interactive threshold public-key encryption scheme by using the hashed Diffie-Hellman assumption in bilinear groups. Compared with the other related constructions, the proposed scheme is more efficient.
Efficient One-round Key Exchange in the Standard Model
We consider one-round identity-based key exchange protocols secure in the standard model. The security analysis uses the powerful security model of Canetti and Krawczyk and a natural extension of it to the ID-based setting. It is shown how KEMs can be used in a generic way to obtain two different protocol designs with progressively stronger security guarantees. A detailed analysis of the performance of the protocols is included; surprisingly, when instantiated with specific KEM constructions, the resulting protocols are competitive with the best previous schemes that have proofs only in the random oracle model.
Strongly Secure Authenticated Key Exchange from Supersingular Isogenies
This paper aims to address the open problem, namely, to find new techniques to design and prove security of supersingular isogeny-based authenticated key exchange (AKE) protocols against the widest possible adversarial attacks, raised by Galbraith in 2018. Concretely, we present two AKEs based on a double-key PKE in the supersingular isogeny setting secure in the sense of CK, one of the strongest security models for AKE. Our contributions are summarised as follows. Firstly, we propose a strong secure PKE, , based on SI-DDH assumption. By applying modified Fujisaki-Okamoto transformation, we obtain a secure KEM, . Secondly, we propose a two-pass AKE, , based on SI-DDH assumption, using as a building block. Thirdly, we present a modified version of that is secure against leakage under the 1-Oracle SI-DH assumption. Using the modified as a building block, we then propose a three-pass AKE, , based on 1-Oracle SI-DH assumption. Finally, we prove that both and are CK secure in the random oracle model and support arbitrary registration. We also provide an implementation to illustrate the efficiency of our schemes.
Our schemes compare favourably against existing isogeny-based AKEs. To the best of our knowledge, they are the first of their kind to offer security against arbitrary registration, wPFS, KCI and MEX simultaneously. Regarding efficiency, our schemes outperform existing schemes in terms of bandwidth as well as CPU cycle count.
Cryptanalysis and Improvement of an Efficient CCA Secure PKE Scheme
Recently in Chinese Journal of Computers, Kang et al. [12] proposed an efficient CCA secure public key encryption (PKE) scheme, and claimed that it is more efficient in the public/private keys than the famous CS98 and BMW05 CCA secure public key encryption schemes. However, in this paper we will show that their proposal is not secure at all. Furthermore, we improve their scheme to be a secure one and prove its security.
Post-Quantum Multi-Recipient Public Key Encryption
A multi-message multi-recipient PKE (mmPKE) encrypts a batch of messages, in one go, to a corresponding set of independently chosen receiver public keys. The resulting multi-recipient ciphertext can then be reduced (by any 3rd party) to a shorter, receiver specific, individual ciphertext . Finally, to recover the -th message in the batch from their individual ciphertext the -th receiver only needs their own decryption key. A special case of mmPKE is multi-recipient PKE where all receivers are sent the same message. By treating (m)mPKE and their KEM counterparts as stand-alone primitives we allow for more efficient constructions than trivially composing individual PKE/KEM instances. This is especially valuable in the post-quantum setting, where PKE/KEM ciphertexts and public keys tend to be far larger than their classic counterparts.
In this work we describe a collection of new results around batched KEMs and PKE. We provide both classic and post-quantum proofs for all results. Our results are geared towards practical constructions and applications (for example in the domain of PQ-secure group messaging).
Concretely, our results include a new non-adaptive to adaptive compiler for CPA-secure mKEMs resulting in public keys roughly half the size of the previous state-of-the-art [Hashimoto et al., CCS’21]. We also prove their FO transform for mKEMs to be secure in the quantum random oracle model. We provide the first mKEM combiner as well as two mmPKE constructions. The first is an arbitrary message-length black-box construction from an mKEM (e.g. one produced by combining a PQ with a classic mKEM). The second is optimized for short messages and achieves hybrid PQ/classic security more directly. When encrypting short messages (e.g. as in several recent mmPKE applications) at 256-bits of security the mmPKE ciphertexts are bytes shorter than the generic construction. Finally, we provide an optimized implementation of the (CCA secure) mKEM construction based on the NIST PQC winner Kyber and report benchmarks showing a significant speedup for batched encapsulation and up to 79% savings in ciphertext size compared to a naive solution.
Chosen-Ciphertext Secure Fuzzy Identity-Based Key Encapsulation without ROM
We use hybrid encryption with Fuzzy Identity-Based Encryption (Fuzzy-IBE) schemes, and present the first and efficient fuzzy identity-based key encapsulation mechanism (Fuzzy-IB-KEM) schemes which are chosen-ciphertext secure (CCA) without random oracle in the selective-ID model. To achieve these goals, we consider Fuzzy-IBE schemes as consisting of separate key and data encapsulation mechanisms (KEM-DEM), and then give the definition of Fuzzy-IB-KEM. Our main idea is to enhance Sahai and Waters’ large universe construction (Sahai and Waters, 2005), chosen-plaintext secure (CPA) Fuzzy-IBE, by adding some redundant information to the ciphertext to make it CCA-secure.