Scalable Ciphertext Compression Techniques for Post-quantum KEMs and Their Applications

Katsumata, Shuichi; Kwiatkowski, Kris; Pintore, Federico; Prest, Thomas

doi:10.1007/978-3-030-64837-4_10

Cited by 16 publications

(20 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The notion of merged KEMs [32] aims to optimize bandwidth for public ratchets in the Signal protocol; our work and the notion of split KEMs instead is concerned with the initial key agreement with contributions from both parties. In their notion of multi-recipient KEMs, Katsumata et al [45] also decompose the encapsulation process, though without allowing a secret input of the sender to enter encapsulation as in our split KEM notion.…”

Section: Related Workmentioning

confidence: 99%

Towards Post-Quantum Security for Signal’s X3DH Handshake

Brendel

Fischlin

Günther

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Post-quantum protocols. Post-quantum secure protocol variants based on KEMs have been proposed for TLS 1.3 [70] and WireGuard [42]. These protocols, unlike Signal, allow (multiple) round trips and therefore do not experience the same problem we discuss in this paper. For Signal, Alwen, Coretti, and Dodis [2] give a first variant of Signal's double-ratchet that is amenable to post-quantum secure KEMs, however exclude the crucial initial key agreement. Duits [33] explores transitioning Signal to the post-quantum setting; the suggested replacement of DH with Supersingular Isogeny Diffie-Hellman (SIDH) [44,19] however is not secure under the required key reuse, as we discuss next.Key reuse with LWE and SIDH. There are a number of attacks on lattice-based key exchange schemes when keys are reused [35,22,26,59,24,67,5,25,40,62]. There exist proposals to enable secure key reuse in (R)LWE-based schemes [39,23], however, these proposals only seem to at most guard against specific attacks at a time, while still being vulnerable to other attacks. All LWE-based KEMs in Rounds 2 and 3 of the NIST process rely on the Fujisaki-Okamoto transform

show abstract

Section: Related Workmentioning

confidence: 99%

Towards Post-Quantum Security for Signal’s X3DH Handshake

Brendel

Fischlin

Günther

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…We introduce the notion of a committing mPKE, or CmPKE. First, a (decomposable) multi-recipient PKE (mPKE) [43] takes as input a message M and a list of N encryption keys, and outputs a multi-recipient ciphertext (ct 0 ,…”

Section: 11mentioning

confidence: 99%

“…We show how to build a CmPKE from an mPKE [43] and a key-committing SKE [2,32,33,37], which can itself be built using standard symmetric primitives [2]. Compared to the base mPKE, the overhead is minimal: ct i = ct i , and T is formed of ct 0 and a term of size 2κ bits, which is no larger than a hash digest.…”

Section: 11mentioning

confidence: 99%

“…existing PKEs based on the post-quantum problems LWE, LWR, SIDH and CSIDH were recently adapted to the mPKE setting in [43]. These mPKEs achieve ratios | ct i |/|ct| between 1/5 and 1/169, which could potentially translate into inversely proportional bandwidth savings.…”

Section: 11mentioning

confidence: 99%

“…These mPKEs achieve ratios | ct i |/|ct| between 1/5 and 1/169, which could potentially translate into inversely proportional bandwidth savings. The work of [43] has two shortcomings; (a) their mPKEs are direct transpositions of existing PKEs, which were not necessarily designed to minimize | ct i |, and (b) it does not study the concrete impact of the mPKE setting on cryptanalysis. We address these two shortcomings via a two-pronged approach.…”

Section: 11mentioning

confidence: 99%

See 2 more Smart Citations

A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

Hashimoto

Katsumata²,

Postlethwaite

et al. 2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Continuous group key agreements (CGKAs) are a class of protocols that can provide strong security guarantees to secure group messaging protocols such as Signal and MLS. Protection against device compromise is provided by commit messages: at a regular rate, each group member may refresh their key material by uploading a commit message, which is then downloaded and processed by all the other members. In practice, propagating commit messages dominates the bandwidth consumption of existing CGKAs.We propose Chained CmPKE, a CGKA with an asymmetric bandwidth cost: in a group of N members, a commit message costs O(N ) to upload and O(1) to download, for a total bandwidth cost of O(N ). In contrast, TreeKEM [14,19,52] costs Ω(log N ) in both directions, for a total cost Ω(N log N ). Our protocol relies on generic primitives, and is therefore readily post-quantum.We go one step further and propose post-quantum primitives that are tailored to Chained CmPKE, which allows us to cut the growth rate of uploaded commit messages by two or three orders of magnitude compared to naive instantiations. Finally, we realize a software implementation of Chained CmPKE. Our experiments show that even for groups with a size as large as N = 2 10 , commit messages can be computed and processed in less than 100 ms.

show abstract