
Super-strong RKA secure MAC, PKE and SE from tag-based hash proof system

Published in Designs, Codes and Cryptography

Abstract

\(\mathcal {F}\)-related-key attacks (RKA) on cryptographic systems consider adversaries who can observe the outcome of a system not only under the original key k but also under related keys f(k), with f adaptively chosen from \(\mathcal {F}\) by the adversary. In this paper we define new RKA security notions for several cryptographic primitives, including message authentication codes (MAC), public-key encryption (PKE) and symmetric encryption (SE). These notions, which we call super-strong RKA security, place only minimal restrictions on the adversary's forgeries and oracle access and are therefore the strongest among existing RKA security requirements. We present paradigms for constructing super-strong RKA secure MAC, PKE and SE from a common ingredient, a tag-based hash proof system (THPS), and give THPS constructions based on the k-linear and the DCR assumptions. Instantiating our paradigms with these THPS constructions yields super-strong RKA secure MAC, PKE and SE schemes for the class of restricted affine functions \(\mathcal {F}_{\text {raff}}\), of which the class of linear functions \(\mathcal {F}_{\text {lin}}\) is a subset. To the best of our knowledge, these are the first MACs, PKEs and SEs with super-strong RKA security for a non-claw-free function class, \(\mathcal {F}_{\text {raff}}\), in the standard model and under standard assumptions. Our constructions are pairing-free and as efficient as those of previous works; in particular, the keys, the MAC tags and the PKE and SE ciphertexts all consist of only a constant number of group elements.



Notes

  1. A function class \(\mathcal {F}\) from \(\mathcal {K}\) to \(\mathcal {K}\) is called claw-free [2], if for all \(f \ne f' \in \mathcal {F}\) and all \({k} \in \mathcal {K}\), \(f({k}) \ne f'({k})\). Note that \(\mathcal {F}_{\text {lin}}\) is claw-free, while \(\mathcal {F}_{\text {aff}}\) and \(\mathcal {F}_{\text {poly}}^d\) are not.
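The claw-free condition of Footnote 1 is easiest to see on a toy key space. The following Python is an added example, not code from the paper: it assumes, for illustration only, keys drawn from \(\mathbb {Z}_p^*\), takes \(\mathcal {F}_{\text {lin}}\) to be the maps k ↦ a·k (a ≠ 0) and \(\mathcal {F}_{\text {aff}}\) the maps k ↦ a·k + b, and checks the definition by brute force on p = 11 alongside the closed-form claw of two affine functions. The paper's exact definitions of these classes may differ from the toy ones used here.

```python
"""
Claws in related-key derivation (RKD) function classes over a toy field.

Added example for Footnote 1; this is not code from the paper. It assumes,
for illustration only, a prime key space with keys drawn from Z_p^* and
takes F_lin = { k -> a*k } (a != 0) and F_aff = { k -> a*k + b }; the
paper's exact definitions of these classes may differ.
"""
from itertools import combinations
from typing import Callable, Iterable, List, Optional, Tuple

P = 11  # toy prime (constructed) so that brute force over all pairs is cheap

Func = Callable[[int], int]


def lin(a: int) -> Func:
    """Linear RKD function k -> a*k mod P."""
    return lambda k: (a * k) % P


def aff(a: int, b: int) -> Func:
    """Affine RKD function k -> a*k + b mod P."""
    return lambda k: (a * k + b) % P


def affine_claw(a: int, b: int, a2: int, b2: int) -> Optional[int]:
    """Closed-form claw of f = (a, b) and f' = (a2, b2) in F_aff.

    f(k) = f'(k) means a*k + b = a2*k + b2 (mod P), i.e. (a - a2)*k = b2 - b.
    If a != a2 this has the unique solution below; if a == a2 (and b != b2)
    the two functions never agree on any key.
    """
    if (a, b) == (a2, b2):
        raise ValueError("f and f' must be distinct")
    if a == a2:
        return None
    return ((b2 - b) * pow(a - a2, -1, P)) % P


def claws(f: Func, g: Func, keys: Iterable[int]) -> List[int]:
    """Brute force: every key on which f and g collide."""
    return [k for k in keys if f(k) == g(k)]


def is_claw_free(funcs: List[Tuple[tuple, Func]], keys: Iterable[int]) -> bool:
    """Footnote 1's definition: for all f != f' and all k, f(k) != f'(k).

    Each function is paired with its parameter tuple so that "f != f'" compares
    descriptions rather than Python closure objects.
    """
    keys = list(keys)
    for (d1, f), (d2, g) in combinations(funcs, 2):
        if d1 != d2 and claws(f, g, keys):
            return False
    return True


def lin_class() -> List[Tuple[tuple, Func]]:
    """All of F_lin over Z_P (assumed form k -> a*k, a != 0)."""
    return [((a,), lin(a)) for a in range(1, P)]


def aff_class() -> List[Tuple[tuple, Func]]:
    """All of F_aff over Z_P (assumed form k -> a*k + b, a != 0)."""
    return [((a, b), aff(a, b)) for a in range(1, P) for b in range(P)]


if __name__ == "__main__":
    keys = range(1, P)                       # Z_P^*: zero excluded (assumption)
    print("F_lin claw-free on Z_P^*:", is_claw_free(lin_class(), keys))
    print("F_aff claw-free on Z_P^*:", is_claw_free(aff_class(), keys))
    k = affine_claw(3, 5, 7, 2)
    print("claw of 3k+5 and 7k+2:", k, "->", aff(3, 5)(k), aff(7, 2)(k))
```

The brute-force check confirms the footnote on this toy class: distinct scalings never agree on a nonzero key, while two affine maps with different slopes always meet at exactly one key. That is why a claw matters for RKA definitions: on such a key, a tag or ciphertext the adversary obtained under f' is also a valid one under f, so a security notion has to decide how to treat that case rather than excluding only exact repeats of (f, m).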

  2. We note that our super-strong IND-\(\mathcal {F}\)-RK-CCA2 security for PKE and SE reduces to the (strong) IND-\(\mathcal {F}\)-RK-CCA2 security when the function class \(\mathcal {F}\) is claw-free.

  3. We note that the \(\mathcal {F}\)-extracting property is not necessary here, since, in the PKE setting, the adversary in the proof of the theorem always knows the public key \(\mathsf {pk}\).

  4. There is no strong IND-\(\mathcal {F}\)-RK-CCA2 security defined for SE. Before our work, the IND-\(\mathcal {F}\)-RK-CCA2 security defined in [3] was the strongest RKA security notion for SE. For consistency with the PKE case, we name our new RKA security notion super-strong IND-\(\mathcal {F}\)-RK-CCA2.

  5. Strictly speaking, this holds only if \(\text {gcd}(t- t', N) =1\). However, in our applications, if \(t \ne t' \in \mathbb {Z}_{N}\) but \(\text {gcd}(t- t', N) \ne 1\), i.e., \(\text {gcd}(t- t', N) \in \{p, q\}\), then the adversary can factor N and thus break the DCR assumption w.r.t. \(\textsf {GenN}\). Therefore, except with negligible probability, we may assume that \(\text {gcd}(t- t', N) =1\).

  6. Strictly speaking, \(a - a'\) has an inverse only if \(\text {gcd}(a- a', N) =1\). By the same argument as in Footnote 5, we may assume that \(\text {gcd}(a- a', N) =1\); otherwise the adversary in our applications could break the DCR assumption w.r.t. \(\textsf {GenN}\).
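Footnotes 5 and 6 rely on one fact about a modulus N = pq: a nonzero difference modulo N is either a unit or reveals a factor. The following Python is an added example, not code from the paper; the primes are small constructed values, and the functions show what the reduction does in each case and how rare the non-unit case is.

```python
"""
Footnotes 5 and 6: inverting a difference modulo a DCR modulus N = p*q.

Added example, not code from the paper. The primes below are small
constructed values; the argument is about what the reduction does when the
difference t - t' is not a unit modulo N.
"""
from fractions import Fraction
from math import gcd
from typing import Tuple


def invert_or_factor(d: int, N: int) -> Tuple[str, int]:
    """Attempt to invert d = t - t' modulo N.

    Returns ("inverse", d^{-1} mod N) when gcd(d, N) = 1.  Otherwise
    gcd(d, N) is a nontrivial divisor of N, i.e. p or q, and the caller
    (the reduction in the paper's proof) has factored N instead, which is
    exactly the case Footnotes 5 and 6 rule out under the DCR assumption.
    """
    d %= N
    if d == 0:
        raise ValueError("t == t' (mod N): nothing to invert")
    g = gcd(d, N)
    if g == 1:
        return ("inverse", pow(d, -1, N))
    return ("factor", g)


def bad_difference_fraction(p: int, q: int) -> Fraction:
    """Fraction of nonzero d in Z_N (N = p*q, distinct primes) with gcd(d, N) != 1.

    The nonzero multiples of p number q - 1, those of q number p - 1, and
    none is counted twice, giving (p + q - 2) / (N - 1): negligible for
    large p, q, which is why the footnotes may assume gcd(t - t', N) = 1.
    """
    return Fraction(p + q - 2, p * q - 1)


def bad_difference_fraction_brute(p: int, q: int) -> Fraction:
    """Same quantity by enumeration, to check the formula on toy sizes."""
    N = p * q
    bad = sum(1 for d in range(1, N) if gcd(d, N) != 1)
    return Fraction(bad, N - 1)


if __name__ == "__main__":
    p, q = 1_000_003, 1_000_033          # toy primes (constructed)
    N = p * q
    print(invert_or_factor(7, N))        # a unit: the inverse exists
    print(invert_or_factor(5 * p, N))    # t - t' a multiple of p: N is factored
    frac = bad_difference_fraction(p, q)
    print(frac, "~", float(frac))        # probability of the bad case
```

For 20-bit toy primes the bad case already has probability around 2·10⁻⁶; for the 1024-bit primes a real DCR modulus uses it is far below any adversary's advantage, so the reduction loses nothing by assuming the difference is invertible.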

References

  1. Abdalla M., Benhamouda F., Passelègue A., Paterson K.G.: Related-key security for pseudorandom functions beyond the linear barrier. In: Garay J.A., Gennaro R. (eds.) CRYPTO 2014, Part I, pp. 77–94 (2014).

  2. Bellare M., Cash D.: Pseudorandom functions and permutations provably secure against related-key attacks. In: Rabin T. (ed.) CRYPTO 2010, pp. 666–684 (2010).

  3. Bellare M., Cash D., Miller R.: Cryptography secure against related-key attacks and tampering. In: Lee D.H., Wang X. (eds.) ASIACRYPT 2011, pp. 486–503 (2011).

  4. Bellare M., Kohno T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham E. (ed.) EUROCRYPT 2003, pp. 491–506 (2003).

  5. Bellare M., Paterson K.G., Thomson S.: RKA security beyond the linear barrier: IBE, encryption and signatures. In: Wang X., Sako K. (eds.) ASIACRYPT 2012, pp. 331–348 (2012).

  6. Bhattacharyya R., Roy A.: Secure message authentication against related-key attack. In: Moriai S. (ed.) FSE 2013, pp. 305–324 (2013).

  7. Biham E.: New types of cryptanalytic attacks using related keys. In: Helleseth T. (ed.) EUROCRYPT 1993, pp. 398–409 (1993).

  8. Biham E., Shamir A.: Differential fault analysis of secret key cryptosystems. In: Kaliski B.S. Jr. (ed.) CRYPTO 1997, pp. 513–525 (1997).

  9. Boneh D., DeMillo R.A., Lipton R.J.: On the importance of checking cryptographic protocols for faults (extended abstract). In: Fumy W. (ed.) EUROCRYPT 1997, pp. 37–51 (1997).

  10. Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. In: Cachin C., Camenisch J. (eds.) EUROCRYPT 2004, pp. 207–222 (2004).

  11. Cramer R., Shoup V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64 (2002).

  12. Cramer R., Shoup V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2004).


  13. Damgård I., Faust S., Mukherjee P., Venturi D.: Bounded tamper resilience: how to go beyond the algebraic barrier. In: Sako K., Sarkar P. (eds.) ASIACRYPT 2013, Part II, pp. 140–160 (2013).

  14. Damgård I., Jurik M.: A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system. In: Kim K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, New York (2001).

  15. Dodis Y., Kiltz E., Pietrzak K., Wichs D.: Message authentication, revisited. In: Pointcheval D., Johansson T. (eds.) EUROCRYPT 2012, pp. 355–374 (2012).

  16. Escala A., Herold G., Kiltz E., Ràfols C., Villar J.L.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti R., Garay J.A. (eds.) CRYPTO 2013, Part II, pp. 129–147 (2013).

  17. Gennaro R., Lysyanskaya A., Malkin T., Micali S., Rabin T.: Algorithmic tamper-proof (ATP) security: theoretical foundations for security against hardware tampering. In: Naor M. (ed.) TCC 2004, pp. 258–277 (2004).

  18. Håstad J., Impagliazzo R., Levin L.A., Luby M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999).


  19. Hofheinz D.: Adaptive partitioning. In: Coron J., Nielsen J.B. (eds.) EUROCRYPT 2017, Part III. LNCS, vol. 10212, pp. 489–518 (2017).

  20. Hofheinz D., Kiltz E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571 (2007).

  21. Hofheinz D., Kiltz E.: The group of signed quadratic residues and applications. In: Halevi S. (ed.) CRYPTO 2009, pp. 637–653 (2009).

  22. Jia D., Li B., Lu X., Mei Q.: Related key secure PKE from hash proof systems. In: Yoshida M., Mouri K. (eds.) IWSEC 2014, pp. 250–265 (2014).

  23. Jia D., Lu X., Li B., Mei Q.: RKA secure PKE based on the DDH and HR assumptions. In: Susilo W., Reyhanitabar R. (eds.) ProvSec 2013, pp. 271–287 (2013).

  24. Kiltz E., Mohassel P., O’Neill A.: Adaptive trapdoor functions and chosen-ciphertext security. In: Gilbert H. (ed.) EUROCRYPT 2010, pp. 673–692 (2010).

  25. Kiltz E., Pietrzak K., Stam M., Yung M.: A new randomness extraction paradigm for hybrid encryption. In: Joux A. (ed.) EUROCRYPT 2009, pp. 590–609 (2009).

  26. Knudsen L.R.: Cryptanalysis of LOKI91. In: Seberry J., Zheng Y. (eds.) AUSCRYPT 1992, pp. 196–208 (1992).

  27. Kurosawa K., Desmedt Y.: A new paradigm of hybrid encryption scheme. In: Franklin M.K. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, New York (2004).

  28. Lu X., Li B., Jia D.: Related-key security for hybrid encryption. In: Chow S.S.M., Camenisch J., Hui L.C.K., Yiu S. (eds.) ISC 2014, pp. 19–32 (2014).

  29. Morillo P., Ràfols C., Villar J.L.: The kernel matrix Diffie-Hellman assumption. In: Cheon J.H., Takagi T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 729–758 (2016).

  30. Qin B., Liu S.: Leakage-resilient chosen-ciphertext secure public-key encryption from hash proof system and one-time lossy filter. In: Sako K., Sarkar P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 381–400. Springer, New York (2013).

  31. Qin B., Liu S., Chen K.: Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience. IET Inf. Secur. 9(1), 32–42 (2015).


  32. Wee H.: Public key encryption against related key attacks. In: Fischlin M., Buchmann J.A., Manulis M. (eds.) PKC 2012, pp. 262–279 (2012).

  33. Wee H.: KDM-security via homomorphic smooth projective hashing. In: Cheng C., Chung K., Persiano G., Yang B. (eds.) PKC 2016, Part II. LNCS, vol. 9615, pp. 159–179. Springer, New York (2016).

  34. Wegman M.N., Carter L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981).


  35. Xagawa K.: Message authentication codes secure against additively related-key attacks. In: Symposium on Cryptography and Information Security (SCIS). http://eprint.iacr.org/2013/111 (2013).


Acknowledgements

We would like to thank the referees for their helpful comments and suggestions. The authors are supported by the National Natural Science Foundation of China (Grant Nos. 61672346, 61373153).

Corresponding author: Shengli Liu.

Communicated by K. Matsuura.

Electronic supplementary material: Supplementary material 1 (pdf 396 KB).



Cite this article

Han, S., Liu, S. & Lyu, L. Super-strong RKA secure MAC, PKE and SE from tag-based hash proof system. Des. Codes Cryptogr. 86, 1411–1449 (2018). https://doi.org/10.1007/s10623-017-0404-y

