Abstract
Encryption satisfying CCA2 security is commonly known to be unnecessarily strong for realizing secure channels. Moreover, CCA2 constructions in the standard model are far from being competitive practical alternatives to constructions via random oracle. A promising research direction to alleviate this problem is that of weaker security notions, such as IND-RCCA secure encryption or IND-atag-wCCA secure tag-based encryption, which are still able to facilitate secure message transfer (SMT) via authenticated channels.
In this paper we introduce the concept of sender-binding encryption (SBE), unifying prior approaches of SMT construction in the universal composability (UC) model. We furthermore develop the corresponding non-trivial security notion of IND-SB-CPA and formally prove that it suffices for realizing SMT in conjunction with authenticated channels. Our notion is the weakest so far in the sense that it generically implies the weakest prior notions—RCCA and atag-wCCA—without additional assumptions, while the reverse is not true. A direct consequence is that IND-stag-wCCA, which is strictly weaker than IND-atag-wCCA but stronger than our IND-SB-CPA, can be used to construct a secure channel.
Finally, we give an efficient IND-SB-CPA secure construction in the standard model from IND-CPA secure double receiver encryption (DRE) based on McEliece. This shows that IND-SB-CPA security yields simpler and more efficient constructions in the standard model than the weakest prior notions, i.e., IND-atag-wCCA and IND-stag-wCCA.
Notes
1.
2. In spite of being a generic paradigm, this work was applied only to McEliece so far.
3. For the encryption mechanism we will sometimes omit the explicit input of the ID S if it is clear from the context which party S is conducting the encryption.
4. National Institute of Standards and Technology.
5. At this point we assume the simulator to keep track of the protocol executions internally, so that it knows which \( mid \) to use. For readability purposes we refrained from introducing notation to explicitly store this.
6. Please convince yourself from the definition of the simulator \(\mathcal {S}_{\text {M-SMT}}\) that it has all the knowledge required for simulation and that activations/outputs of \(\mathcal {F}_\text {M-SMT}\) will actually occur at the right times.
Acknowledgments
We thank Björn Kaidel for fruitful initial discussions. We thank the PKC 2022 anonymous reviewers for their valuable feedback. The work presented in this paper has been funded by the German Federal Ministry of Education and Research (BMBF) under the project “PQC4MED” (ID 16KIS1044) and by KASTEL Security Research Labs.
A Notations and Abbreviations
This section can be used to look up all notations and abbreviations employed throughout this paper.
A.1 Notations
A.2 Abbreviations
- CCA2: adaptive chosen ciphertext attack
- CPA: chosen plaintext attack
- DAKEZ: Deniable authenticated key exchange with zero-knowledge
- DRE: double receiver encryption
- IBE: identity based encryption
- IF: ideal functionality
- IND: indistinguishability
- IND-CCA2: indistinguishability under adaptive chosen ciphertext attack
- IND-CPA: indistinguishability under chosen plaintext attack
- IND-gtag-wCCA: indistinguishability under given-tag weakly chosen ciphertext attack
- gtag-wCCA: given-tag weakly chosen ciphertext attack
- IND-stag-wCCA: indistinguishability under selective-tag weakly chosen ciphertext attack
- stag-wCCA: selective-tag weakly chosen ciphertext attack
- IND-RCCA: indistinguishability under replayable chosen ciphertext attack
- IND-sID-CPA: indistinguishability under selective identity chosen plaintext attack
- IND-SB-CPA: indistinguishability under sender-binding chosen plaintext attack
- IND-atag-wCCA: indistinguishability under adaptive-tag weakly chosen ciphertext attack
- atag-wCCA: adaptive-tag weakly chosen ciphertext attack
- KRK: key registration with knowledge
- LPN: learning parity with noise
- LPNDP: learning parity with noise decisional problem
- LWE: learning with errors
- M-SMT: multiple secure message transfer
- OTR: Off-the-Record
- PA: plaintext awareness
- PKE: public key encryption
- PKI: public key infrastructure
- PPT: probabilistic polynomial time
- PQC: post-quantum cryptography
- RCCA: replayable chosen ciphertext attack
- ROM: random oracle model
- RPA: registration-based plaintext awareness
- SBE: sender-binding encryption
- SMT: secure message transfer
- TBE: tag-based encryption
- UC: universal composability
- XZDH: Extended Zero-knowledge Diffie-Hellman
Copyright information
© 2022 International Association for Cryptologic Research
Cite this paper
Beskorovajnov, W., Gröll, R., Müller-Quade, J., Ottenhues, A., Schwerdt, R. (2022). A New Security Notion for PKC in the Standard Model: Weaker, Simpler, and Still Realizing Secure Channels. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) Public-Key Cryptography – PKC 2022. PKC 2022. Lecture Notes in Computer Science, vol. 13178. Springer, Cham. https://doi.org/10.1007/978-3-030-97131-1_11
DOI: https://doi.org/10.1007/978-3-030-97131-1_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-97130-4
Online ISBN: 978-3-030-97131-1