CCA Secure Multi-recipient KEM from LPN

Cheng, Haitao; Li, Xiangxue; Qian, Haifeng; Yan, Di

doi:10.1007/978-3-030-01950-1_30

Cited by 2 publications

(2 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Yu et al [18] constructed an IND-CCA secure key encapsulation mechanism by using FO transformation [19]- [21] to the IND-CPA secure key encapsulation mechanism. In [22], Cheng et al constructed a multiple-recipient Key-Encapsulation Mechanism (mKEM) scheme in the Random Oracle Model (ROM) from low-noise LPN.…”

Section: Introductionmentioning

confidence: 99%

Chosen-Ciphertext Secure Key Encapsulation Mechanism in the Standard Model

2021

IEEE Access

Self Cite

View full text Add to dashboard Cite

Key Encapsulation Mechanism (KEM) is a foundational cryptography primitive, which can provide secure symmetric cryptographic key material for transmission by using public key algorithms. Until now, many Chosen-Ciphertext (IND-CCA) secure KEM schemes are constructed from Chosen-Plaintext (IND-CPA) or One-Way (OW-CPA) secure PKE via the generic Fujisaki-Okamoto (FO) transformations (TCC 2017). However, the security relies on the Random Oracle Model (ROM). To the best of our knowledge, there are no IND-CCA secure KEM schemes based on Learning Parity with Noise (LPN) assumption that can against post quantum attacks in the standard model. In this work, we propose the first direct construction of LPN-based KEM, which is secure in the standard model. In particular, we use double-trapdoor technique to answer adversary's decryption queries correctly and a Target Collision Resistant (TCR) hash function to check the validity of the ciphertext. The encapsulated key is determined by a special LPN problem (with no random oracle required). The scheme is IND-CCA secure against post-quantum attacks under the low-noise LPN assumptions by a series of games and the security reduction is tight. Compared with previous schemes on 128-bit security level, our CCA-secure scheme only holds 50.78MB public keys, 62.50MB secret keys and 4.54KB ciphertexts, which is more efficient than the schemes of Döttling et al.

show abstract

Section: Introductionmentioning

confidence: 99%

Chosen-Ciphertext Secure Key Encapsulation Mechanism in the Standard Model

2021

IEEE Access

Self Cite

View full text Add to dashboard Cite

show abstract

“…First, to the best of our knowledge, all the literature on mKEMs is based on classical assumptions (e.g., Di e-Hellman type assumptions) which are believed to not endure quantum adversaries. We are aware of one recent work [17] that claims the construction of an IND-CCA secure mKEM from the learning parity with noise (LPN) assumption, which is believed to be quantumly secure. However, while going over their results, we noticed that their scheme is insecure since there is a trivial break in their claimed IND-CCA security.…”

Section: Introductionmentioning

confidence: 99%

Scalable Ciphertext Compression Techniques for Post-quantum KEMs and Their Applications

Katsumata

Kwiatkowski²,

Pintore

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

A multi-recipient key encapsulation mechanism, or mKEM, provides a scalable solution to securely communicating to a large group, and o↵ers savings in both bandwidth and computational cost compared to the trivial solution of communicating with each member individually. All prior works on mKEM are only limited to classical assumptions and, although some generic constructions are known, they all require specific properties that are not shared by most post-quantum schemes. In this work, we first provide a simple and e cient generic construction of mKEM that can be instantiated from versatile assumptions, including post-quantum ones. We then study these mKEM instantiations at a practical level using 8 post-quantum KEMs (which are lattice and isogeny-based NIST candidates), and CSIDH, and show that compared to the trivial solution, our mKEM o↵ers savings of at least one order of magnitude in the bandwidth, and make encryption time shorter by a factor ranging from 1.92 to 35. Additionally, we show that by combining mKEM with the TreeKEM protocol used by MLS -an IETF draft for secure group messaging -we obtain significant bandwidth savings.

show abstract

CCA Secure Multi-recipient KEM from LPN

Cited by 2 publications

References 28 publications

Chosen-Ciphertext Secure Key Encapsulation Mechanism in the Standard Model

Chosen-Ciphertext Secure Key Encapsulation Mechanism in the Standard Model

Scalable Ciphertext Compression Techniques for Post-quantum KEMs and Their Applications

Contact Info

Product

Resources

About