Natural sd-RCCA secure public-key encryptions from hybrid paradigms
The existence of natural public-key encryption (PKE) schemes satisfying secretly detectable replayable CCA (sd-RCCA) security has been left open. By introducing probabilistic message authentication codes (MACs) into popular KEM plus DEM paradigms, this paper presents several instances of such schemes. It is known that the encrypt-then-authenticate paradigm gives an RCCA secure DEM when the underlying MAC is regular (but not strong) secure, so that forgeries for old messages might be possible. By further requiring that the validity of such forgeries can be verified only secretly, sd-RCCA secure DEMs are obtained. Combining such DEMs with CCA secure KEMs gives sd-RCCA secure hybrid PKEs. We first formalize the related notions and this paradigm, and also other variants of the KEM plus DEM hybrid paradigm, since MACs are commonly used in them. Then we show natural examples of the desired probabilistic MACs under the standard DDH assumption, find appropriate KEMs to match the message space of those MACs, and thereby obtain natural instances of sd-RCCA secure hybrid PKEs.
Server-Aided Continuous Group Key Agreement
Continuous Group Key Agreement (CGKA) -- or Group Ratcheting -- lies at the heart of a new generation of scalable End-to-End secure (E2E) cryptographic multi-party applications. One of the most important (and first deployed) CGKAs is ITK, which underpins the IETF's upcoming Messaging Layer Security E2E secure group messaging standard. To scale beyond the group sizes possible with earlier E2E protocols, a central focus of CGKA protocol design is to minimize bandwidth requirements (i.e. communication complexity).

In this work, we advance both the theory and design of CGKA, culminating in an extremely bandwidth efficient CGKA. To that end, we first generalize the standard CGKA communication model by introducing server-aided CGKA (saCGKA), which generalizes CGKA and more accurately models how most E2E protocols are deployed in the wild. Next, we introduce the SAIK protocol, a modification of ITK designed for real-world use that leverages the new capabilities available to an saCGKA to greatly reduce its communication (and computational) complexity in practical concrete terms.

Further, we introduce an intuitive, yet precise, security model for saCGKA. It improves upon existing security models for CGKA in several ways. It more directly captures the intuitive security goals of CGKA. Yet, formally, it also relaxes certain requirements, allowing us to take advantage of the saCGKA communication model. Finally, it is significantly simpler, making it more tractable to work with and easier to build intuition for. As a result, the security proof of SAIK is also simpler and more modular.

Finally, we provide empirical data comparing the (at times, quite dramatically improved) complexity profile of SAIK to state-of-the-art CGKAs. For example, in a newly created group with 10K members, to change the group state (e.g. add/remove parties) ITK requires each group member to download 1.38MB. However, with SAIK, members download no more than 2.7KB.