Abstract
Secure communication is gained by combining encryption with authentication. In real-world applications encryption commonly takes the form of KEM-DEM hybrid encryption, which is combined with ideal authentication. The pivotal question is how weak the employed key encapsulation mechanism (KEM) is allowed to be to still yield universally composable (UC) secure communication when paired with symmetric encryption and ideal authentication. This question has so far been addressed for public-key encryption (PKE) only, showing that encryption does not need to be stronger than sender-binding CPA, which binds the CPA secure ciphertext non-malleably to the sender ID. For hybrid encryption, prior research unanimously reaches for CCA2 secure encryption which is unnecessarily strong. Answering this research question is vital to develop more efficient and feasible protocols for real-world secure communication and thus enable more communication to be conducted securely.
In this paper we use ideas from the PKE setting to develop new answers for hybrid encryption. We develop a new and significantly weaker security notion—sender-binding CPA for KEMs—which is still strong enough for secure communication. By using game-based notions as building blocks, we attain secure communication in the form of ideal functionalities with proofs in the UC-framework. Secure communication is reached in both the classic as well as session context by adding authentication and one-time/replayable CCA secure symmetric encryption respectively. We furthermore provide an efficient post-quantum secure LWE-based construction in the standard model giving an indication of the real-world benefit resulting from our new security notion. Overall we manage to make significant progress on discovering the minimal security requirements for hybrid encryption components to facilitate secure communication.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
When not obvious, the type of scheme a security notion pertains to is given in subscript.
- 2.
Note that the security of the DEM can be significantly extenuated if we are willing to use authenticated channels for all messages.
- 3.
We assume the simulator to internally track the protocol executions to know which \( mid \) to use.
- 4.
Note that although \(\mathcal {A}\) knows the content of any message that \(\mathcal {Z}_2\) asks S or R to send, this communication is not handled via \(\mathcal {F}_{\text {AUTH}}\) and hence every corrupted party may send ciphertexts to S or R expecting them to decrypt as if they were from the other party.
- 5.
If any check fails, abort with output \(\bot \).
References
Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Shoup, V.: A Proposal for an ISO Standard for Public Key Encryption. Cryptology ePrint Archive, Paper 2001/112 (2001). https://eprint.iacr.org/2001/112
Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_33
Beskorovajnov, W., Gröll, R., Müller-Quade, J., Ottenhues, A., Schwerdt, R.: A new security notion for PKC in the standard model: weaker, simpler, and still realizing secure channels. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) Public-Key Cryptography - PKC 2022. Lecture Notes in Computer Science, vol. 13178, pp. 316–344. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97131-1_11
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing 33, 167–226 (2002). https://doi.org/10.1137/S0097539702403773
Boyen, X., Izabachène, M., Li, Q.: Secure hybrid encryption in the standard model from hard learning problems. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021 2021. LNCS, vol. 12841, pp. 399–418. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_21
Schwerdt, R., Benz, L., Beskorovajnov, W., Eilebrecht, S., Müller-Quade, J., Ottenhues, A.: Sender-binding key encapsulation, Cryptology ePrint Archive, Paper 2023/127 (2023). https://eprint.iacr.org/2023/127. https://eprint.iacr.org/2023/127. 2023
Nagao, W., Manabe, Y., Okamoto, T.: A Universally composable secure channel based on the KEM-DEM framework. In: Kilian, J. (eds.) Theory of Cryptography. TCC 2005. Lecture Notes in Computer Science, vol. 3378, pp. 28–38. Springer, Heidelberg (2006). https://doi.org/10.1007/978-3-540-30576-7_23
Information technology – Security techniques – Encryption algorithms – Part 2: Asymmetric ciphers. Standard, Geneva, CH: International Organization for Standardization (2006)
Abe, M., Gennaro, R., Kurosawa, K., Shoup, V.: Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 128–146. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_8
MacKenzie, P., Reiter, M.K., Yang, K.: Alternatives to non-malleability: definitions, constructions, and applications. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 171–190. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_10
Herranz, J., Hofheinz, D., Kiltz, E.: Some (in)sufficient conditions for secure hybrid encryption. Inf. Comput. 208, 1243–1257 (2010). https://doi.org/10.1016/j.ic.2010.07.002
Katz, J., Yung, M.: Characterization of security notions for probabilistic private-key encryption. J. Cryptol. 19, 67–95 (2006). https://doi.org/10.1007/s00145-005-0310-8
Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pp. 136–145 (2001)
Canetti, R.: Universally composable signature, certification, and authentication. In: Proceedings 17th IEEE Computer Security Foundations Workshop, pp. 219–233 (2004)
Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 337–351 (2002)
Kurosawa, K., Desmedt, Y.: A new paradigm of hybrid encryption scheme. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_26
Bos, J., et al.: CRYSTALS - Kyber: A CCA-secure module-lattice- based KEM. In: 2018 IEEE European Symposium on Security and Privacy, pp. 353–367 (2018). https://doi.org/10.1109/EuroSP.2018.00032
Choi, S.G., et al.: The Kurosawa-Desmedt key encapsulation is not chosen-ciphertext secure. Inf. Process. Lett. 109(16), 897–901 (2009)
Kurosawa, K., Trieu Phong, L.: Kurosawa-Desmedt key encapsulation mechanism, revisited. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 51–68. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-06734-6_4
Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: International Conference on the Theory and Applications Of Cryptographic Techniques, pp. 453–474 (2001)
Micciancio, D., Peikert, C.: TRapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Peikert, C.: An efficient and parallel gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_5
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 84–93 (2009). https://doi.org/10.1145/1568318.1568324
Acknowledgements
We thank the PKC 2023 anonymous reviewers for their valuable feedback. The work presented in this paper has been funded by the German Federal Ministry of Education and Research (BMBF) under the project “PQC4MED” (ID 16KIS1044) and by KASTEL Security Research Labs.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Benz, L., Beskorovajnov, W., Eilebrecht, S., Müller-Quade, J., Ottenhues, A., Schwerdt, R. (2023). Sender-binding Key Encapsulation. In: Boldyreva, A., Kolesnikov, V. (eds) Public-Key Cryptography – PKC 2023. PKC 2023. Lecture Notes in Computer Science, vol 13940. Springer, Cham. https://doi.org/10.1007/978-3-031-31368-4_26
Download citation
DOI: https://doi.org/10.1007/978-3-031-31368-4_26
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-31367-7
Online ISBN: 978-3-031-31368-4
eBook Packages: Computer ScienceComputer Science (R0)
