A New Security Notion for PKC in the Standard Model: Weaker, Simpler, and Still Realizing Secure Channels

  • Conference paper
Public-Key Cryptography – PKC 2022 (PKC 2022)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13178)

Abstract

Encryption satisfying CCA2 security is commonly known to be unnecessarily strong for realizing secure channels. Moreover, CCA2 constructions in the standard model are far from being competitive practical alternatives to constructions via random oracle. A promising research direction to alleviate this problem is weaker security notions—like IND-RCCA secure encryption or IND-atag-wCCA secure tag-based encryption—which are still able to facilitate secure message transfer (SMT) via authenticated channels.

In this paper we introduce the concept of sender-binding encryption (SBE), unifying prior approaches of SMT construction in the universal composability (UC) model. We furthermore develop the corresponding non-trivial security notion of IND-SB-CPA and formally prove that it suffices for realizing SMT in conjunction with authenticated channels. Our notion is the weakest so far in the sense that it generically implies the weakest prior notions—RCCA and atag-wCCA—without additional assumptions, while the reverse is not true. A direct consequence is that IND-stag-wCCA, which is strictly weaker than IND-atag-wCCA but stronger than our IND-SB-CPA, can be used to construct a secure channel.

Finally, we give an efficient IND-SB-CPA secure construction in the standard model from IND-CPA secure double receiver encryption (DRE) based on McEliece. This shows that IND-SB-CPA security yields simpler and more efficient constructions in the standard model than the weakest prior notions, i.e., IND-atag-wCCA and IND-stag-wCCA.
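The abstract's starting point, that CCA2 security is stronger than a secure channel needs, is easiest to see in the game definitions themselves. The following Python block is an added illustration and is not code from the paper or its McEliece-based construction. It uses a constructed symmetric encrypt-then-MAC stand-in (SHA-256 keystream plus HMAC, toy-sized, assumed only to play the role of "some CCA2-secure scheme") and wraps it so that every ciphertext carries a trailing byte that decryption ignores. That wrapped scheme is trivially broken in the IND-CCA2 game, because the adversary may flip the ignored byte and query the result, yet the same attack learns nothing in the IND-RCCA game, whose oracle answers "test" for any ciphertext that decrypts to a challenge message. The names `Base`, `Padded`, `cca2_oracle`, `rcca_oracle` and `run_game` are this example's own.

```python
import hashlib
import hmac
import os

# Constructed stand-in for "some CCA2-secure scheme": encrypt-then-MAC with a
# SHA-256 keystream. Symmetric and toy-sized on purpose; not the paper's
# McEliece-based DRE. Only the oracle logic further down matters for the point.
class Base:
    def __init__(self):
        self.enc_key = os.urandom(32)
        self.mac_key = os.urandom(32)

    def _keystream(self, nonce):
        return hashlib.sha256(self.enc_key + nonce).digest()

    def encrypt(self, m):
        assert len(m) <= 32, "demo keystream is a single SHA-256 block"
        nonce = os.urandom(16)
        body = bytes(a ^ b for a, b in zip(m, self._keystream(nonce)))
        tag = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def decrypt(self, c):
        nonce, body, tag = c[:16], c[16:-32], c[-32:]
        want = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            return None                          # any tampering is rejected
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce)))


class Padded:
    """Base scheme plus one trailing byte that decryption ignores. Still
    confidential and still authenticated, but ciphertexts are re-randomisable."""
    def __init__(self, base):
        self.base = base

    def encrypt(self, m):
        return self.base.encrypt(m) + os.urandom(1)

    def decrypt(self, c):
        return self.base.decrypt(c[:-1])


def cca2_oracle(scheme, challenge_ct, challenge_msgs):
    # IND-CCA2: the decryption oracle refuses only the exact challenge ciphertext.
    def dec(c):
        return None if c == challenge_ct else scheme.decrypt(c)
    return dec


def rcca_oracle(scheme, challenge_ct, challenge_msgs):
    # IND-RCCA: the oracle refuses any ciphertext that decrypts to one of the
    # two challenge messages, so replays and re-randomisations leak nothing.
    def dec(c):
        m = scheme.decrypt(c)
        return "test" if m in challenge_msgs else m
    return dec


def run_game(scheme, oracle_factory, trials=64):
    """Play the distinguishing game against a fixed adversary that flips the
    last ciphertext byte and queries the result. Returns (win rate, number of
    queries the oracle answered with one of the two challenge plaintexts)."""
    m0, m1 = b"attack at dawn", b"attack at dusk"
    wins = informative = 0
    for _ in range(trials):
        b = os.urandom(1)[0] & 1
        c = scheme.encrypt((m0, m1)[b])
        dec = oracle_factory(scheme, c, (m0, m1))
        c2 = c[:-1] + bytes([c[-1] ^ 0x01])     # c2 != c, so CCA2 must answer it
        m = dec(c2)
        if m == m0 or m == m1:
            informative += 1
            guess = int(m == m1)
        else:
            guess = os.urandom(1)[0] & 1          # no information: coin flip
        wins += int(guess == b)
    return wins / trials, informative


if __name__ == "__main__":
    for name, scheme in (("base", Base()), ("padded", Padded(Base()))):
        for oname, oracle in (("CCA2", cca2_oracle), ("RCCA", rcca_oracle)):
            print(name, oname, run_game(scheme, oracle))
```

Against `Padded` the CCA2 adversary wins every trial, while the same adversary against `Base` gets only `None` (the flipped byte lands in the MAC tag) and against the RCCA oracle gets only "test". Nothing about the padded scheme endangers a channel built from it: an attacker can re-randomise a ciphertext but cannot change, read or forge the message it carries, which is exactly the kind of harmless malleability that RCCA tolerates and CCA2 forbids.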

Notes

  1. https://github.com/otrv4/otrv4/blob/master/otrv4.md.

  2. In spite of being a generic paradigm, this work has so far been applied only to McEliece.

  3. For the encryption mechanism we will sometimes omit the explicit input of the ID S if it is clear from the context which party S is conducting the encryption.

  4. National Institute of Standards and Technology.

  5. At this point we assume the simulator keeps track of the protocol executions internally so that it knows which \( mid \) to use. For readability we refrained from introducing notation to store this explicitly.

  6. Please convince yourself from the definition of the simulator \(\mathcal {S}_{\text {M-SMT}}\) that it has all the knowledge required for simulation and that activations/outputs of \(\mathcal {F}_\text {M-SMT}\) will actually occur at the right times.

Acknowledgments

We thank Björn Kaidel for fruitful initial discussions. We thank the PKC 2022 anonymous reviewers for their valuable feedback. The work presented in this paper has been funded by the German Federal Ministry of Education and Research (BMBF) under the project “PQC4MED” (ID 16KIS1044) and by KASTEL Security Research Labs.

Author information

Correspondence to Rebecca Schwerdt.


A Notations and Abbreviations

This section can be used to look up all notations and abbreviations employed throughout this paper.

A.1 Notations

[Notation table rendered as an image in the original; not reproduced here.]

A.2 Abbreviations

  • CCA2 adaptive chosen ciphertext attack

  • CPA chosen plaintext attack

  • DAKEZ Deniable authenticated key exchange with zero-knowledge

  • DRE double receiver encryption

  • IBE identity based encryption

  • IF ideal functionality

  • IND indistinguishability

  • IND-CCA2 indistinguishability under adaptive chosen ciphertext attack

  • IND-CPA indistinguishability under chosen plaintext attack

  • IND-gtag-wCCA indistinguishability under given-tag weakly chosen ciphertext attack

  • gtag-wCCA given-tag weakly chosen ciphertext attack

  • IND-stag-wCCA indistinguishability under selective-tag weakly chosen ciphertext attack

  • stag-wCCA selective-tag weakly chosen ciphertext attack

  • IND-RCCA indistinguishability under replayable chosen ciphertext attack

  • IND-sID-CPA indistinguishability under selective identity chosen plaintext attack

  • IND-SB-CPA indistinguishability under sender-binding chosen plaintext attack

  • IND-atag-wCCA indistinguishability under adaptive-tag weakly chosen ciphertext attack

  • atag-wCCA adaptive-tag weakly chosen ciphertext attack

  • KRK key registration with knowledge

  • LPN learning parity with noise

  • LPNDP learning parity with noise decisional problem

  • LWE learning with errors

  • M-SMT multiple secure message transfer

  • OTR Off-the-Record

  • PA plaintext awareness

  • PKE public key encryption

  • PKI public key infrastructure

  • PPT probabilistic polynomial time

  • PQC post-quantum cryptography

  • RCCA replayable chosen ciphertext attack

  • ROM random oracle model

  • RPA registration-based plaintext awareness

  • SBE sender-binding encryption

  • SMT secure message transfer

  • TBE tag-based encryption

  • UC universal composability

  • XZDH Extended Zero-knowledge Diffie-Hellman

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Cite this paper

Beskorovajnov, W., Gröll, R., Müller-Quade, J., Ottenhues, A., Schwerdt, R. (2022). A New Security Notion for PKC in the Standard Model: Weaker, Simpler, and Still Realizing Secure Channels. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds) Public-Key Cryptography – PKC 2022. PKC 2022. Lecture Notes in Computer Science, vol 13178. Springer, Cham. https://doi.org/10.1007/978-3-030-97131-1_11

  • DOI: https://doi.org/10.1007/978-3-030-97131-1_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-97130-4

  • Online ISBN: 978-3-030-97131-1

  • eBook Packages: Computer Science (R0)
