
    Hybrid Encryption in a Multi-user Setting, Revisited

    This paper contributes to understanding the interplay of security notions for PKE, KEMs, and DEMs, in settings with multiple users, challenges, and instances. We start analytically by first studying (a) the tightness aspects of the standard hybrid KEM+DEM encryption paradigm, (b) the inherent weak security properties of all deterministic DEMs due to generic key-collision attacks in the multi-instance setting, and (c) the negative effect of deterministic DEMs on the security of hybrid encryption. We then switch to the constructive side by (d) introducing the concept of an augmented data encapsulation mechanism (ADEM) that promises robustness against multi-instance attacks, (e) proposing a variant of hybrid encryption that uses an ADEM instead of a DEM to alleviate the problems of the standard KEM+DEM composition, and (f) constructing practical ADEMs that are secure in the multi-instance setting.

    KEM Combiners

    Key-encapsulation mechanisms (KEMs) are a common stepping stone for constructing public-key encryption. Secure KEMs can be built from diverse assumptions, including ones related to integer factorization, discrete logarithms, error correcting codes, or lattices. In light of the recent NIST call for post-quantum secure PKE, the zoo of KEMs that are believed to be secure continues to grow. Yet, on the question of which is the most secure KEM opinions are divided. While using the best candidate might actually not seem necessary to survive everyday life situations, placing a wrong bet can actually be devastating, should the employed KEM eventually turn out to be vulnerable. We introduce KEM combiners as a way to garner trust from different KEM constructions, rather than relying on a single one: We present efficient black-box constructions that, given any set of 'ingredient' KEMs, yield a new KEM that is (CCA) secure as long as at least one of the ingredient KEMs is. As building blocks our constructions use cryptographic hash functions and blockciphers. Some corresponding security proofs require idealized models for these primitives, others get along on standard assumptions.

    Strengthening public-key cryptography

    This thesis aims to make public-key encryption (PKE) more secure in real-world scenarios. First, we tackle the problem of choosing which scheme should be used in practice for optimal security: With our techniques, any number of (key encapsulation) schemes can be combined into one that is secure as long as at least one of the original schemes is. Then, we study how the presence of multiple users influences security. We identify and overcome an intrinsic weakness in the multi-user security of hybrid encryption. We propose alternative constructions whose security does not decrease when the number of users grows. The scenario is naturally extended to breaking multiple users at once. We define how security scales with the number of targets to quantify vulnerability to mass surveillance. Concretely, we examine the scaling properties of the Hashed ElGamal encryption scheme instantiated with elliptic curves.

    Everybody's a Target: Scalability in Public-Key Encryption

    For $1 \leq m \leq n$, we consider a natural $m$-out-of-$n$ multi-instance scenario for a public-key encryption (PKE) scheme. An adversary, given $n$ independent instances of PKE, wins if he breaks at least $m$ out of the $n$ instances. In this work, we are interested in the scaling factor of PKE schemes, $\mathrm{SF}$, which measures how well the difficulty of breaking $m$ out of the $n$ instances scales in $m$. That is, a scaling factor $\mathrm{SF} = \ell$ indicates that breaking $m$ out of $n$ instances is at least $\ell$ times more difficult than breaking one single instance. A PKE scheme with small scaling factor hence provides an ideal target for mass surveillance. In fact, the Logjam attack (CCS 2015) implicitly exploited, among other things, an almost constant scaling factor of ElGamal over finite fields (with shared group parameters). For Hashed ElGamal over elliptic curves, we use the generic group model to argue that the scaling factor depends on the scheme's granularity. In low granularity, meaning each public key contains its independent group parameter, the scheme has optimal scaling factor $\mathrm{SF} = m$; in medium and high granularity, meaning all public keys share the same group parameter, the scheme still has a reasonable scaling factor $\mathrm{SF} = \sqrt{m}$. Our findings underline that instantiating ElGamal over elliptic curves should be preferred to finite fields in a multi-instance scenario. As our main technical contribution, we derive new generic-group lower bounds of $\Omega(\sqrt{mp})$ on the difficulty of solving both the $m$-out-of-$n$ Gap Discrete Logarithm and the $m$-out-of-$n$ Gap Computational Diffie-Hellman problem over groups of prime order $p$, extending a recent result by Yun (EUROCRYPT 2015). We establish the lower bound by studying the hardness of a related computational problem which we call the search-by-hypersurface problem.