Security of Symmetric Primitives under Incorrect Usage of Keys

Farshim, Pooya; Orlandi, Claudio; Roşie, Răzvan

doi:10.46586/tosc.v2017.i1.449-473

Cited by 29 publications

(14 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We show how to build a CmPKE from an mPKE [43] and a key-committing SKE [2,32,33,37], which can itself be built using standard symmetric primitives [2]. Compared to the base mPKE, the overhead is minimal: ct i = ct i , and T is formed of ct 0 and a term of size 2κ bits, which is no larger than a hash digest.…”

Section: 11mentioning

confidence: 99%

“…We also define key commitment for a SKE [33] which roughly states that it is difficult to find two secret keys that correctly decrypt the same ciphertext (to possibly different messages). As in prior works [2,32,33,37], we define this notion by providing the (non-uniform) adversary oracle access to Enc s and Dec s , where we implicitly assume these two algorithms are implemented using an internal hash function modeled as a random oracle.…”

Section: Preliminaries 21 One-time Ind-cca Skementioning

confidence: 99%

“…We consider a strengthening of a standard mPKE which we coin a committing mPKE (CmPKE). The motivation for this is similar in spirit to those of key committing SKEs or AEADs [2,32,33,37], where we ask a ciphertext to be bound to a unique key and message pair. Although it may sound like an obscure property at first glance, this property has been shown to be vital for establishing security in several practical applications such as Facebook Messenger [32], (see [2] for more examples).…”

Section: Committing Multi-recipient Pkementioning

confidence: 99%

See 2 more Smart Citations

A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

Hashimoto

Katsumata²,

Postlethwaite

et al. 2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Continuous group key agreements (CGKAs) are a class of protocols that can provide strong security guarantees to secure group messaging protocols such as Signal and MLS. Protection against device compromise is provided by commit messages: at a regular rate, each group member may refresh their key material by uploading a commit message, which is then downloaded and processed by all the other members. In practice, propagating commit messages dominates the bandwidth consumption of existing CGKAs.We propose Chained CmPKE, a CGKA with an asymmetric bandwidth cost: in a group of N members, a commit message costs O(N ) to upload and O(1) to download, for a total bandwidth cost of O(N ). In contrast, TreeKEM [14,19,52] costs Ω(log N ) in both directions, for a total cost Ω(N log N ). Our protocol relies on generic primitives, and is therefore readily post-quantum.We go one step further and propose post-quantum primitives that are tailored to Chained CmPKE, which allows us to cut the growth rate of uploaded commit messages by two or three orders of magnitude compared to naive instantiations. Finally, we realize a software implementation of Chained CmPKE. Our experiments show that even for groups with a size as large as N = 2 10 , commit messages can be computed and processed in less than 100 ms.

show abstract

Section: 11mentioning

confidence: 99%

Section: Preliminaries 21 One-time Ind-cca Skementioning

confidence: 99%

Section: Committing Multi-recipient Pkementioning

confidence: 99%

See 1 more Smart Citation

A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

Hashimoto

Katsumata²,

Postlethwaite

et al. 2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Roughly speaking, robustness guarantees that it is hard to produce a ciphertext which decrypts validly under two different private keys. Fortunately, it was shown in [28] that composing Kyber.KEM with an appropriately "robust" DEM (as defined in [23]) will result in a robust hybrid PKE scheme. In other words, composing Kyber with a one-time strongly pseudorandom and robust DEM will result in a post-quantum strongly anonymous and robust PKE scheme.…”

mentioning

confidence: 99%

Post-quantum Anonymity of Kyber

Maram

Xagawa²

2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Kyber is a key-encapsulation mechanism (KEM) that was recently selected by NIST in its PQC standardization process; it is also the only scheme to be selected in the context of public-key encryption (PKE) and key establishment. The main security target for KEMs, and their associated PKE schemes, in the NIST PQC context has been IND-CCA security. However, some important modern applications also require their underlying KEMs/PKE schemes to provide anonymity (Bellare et al., ASIACRYPT 2001). Examples of such applications include anonymous credential systems, cryptocurrencies, broadcast encryption schemes, authenticated key exchange, and auction protocols. It is hence important to analyze the compatibility of NIST's new PQC standard in such "beyond IND-CCA" applications. Some starting steps were taken by Grubbs et al. (EUROCRYPT 2022) and Xagawa (EUROCRYPT 2022) wherein they studied the anonymity properties of most NIST PQC third round candidate KEMs. Unfortunately, they were unable to show the anonymity of Kyber because of certain technical barriers. In this paper, we overcome said barriers and resolve the open problems posed by Grubbs et al. (EUROCRYPT 2022) and Xagawa (EURO-CRYPT 2022) by establishing the anonymity of Kyber, and the (hybrid)PKE schemes derived from it, in a post-quantum setting. Along the way, we also provide an approach to obtain tight IND-CCA security proofs for Kyber with concrete bounds; this resolves another issue identified by the aforementioned works related to the post-quantum IND-CCA security claims of Kyber from a provable security point-of-view. Our results also extend to Saber, a NIST PQC third round finalist, in a similar fashion.

show abstract

“…As another robustnesses notions, Mohassel[44] defined robustness for key-encapsulation mechanisms, Farshim et al[30] defined robustness for symmetric primitives (authenticated-encryption, message-authentication codes and pseudo-random functions), and Géraud et al[33] defined robustness for functional encryption and digital signatures.…”

mentioning

confidence: 99%

Implementation of a Strongly Robust Identity-Based Encryption Scheme over Type-3 Pairings

Okano

Emura

Ishibashi

et al. 2020

IJNC

View full text Add to dashboard Cite

Identity-based encryption (IBE) is a powerful mechanism for maintaining security. However, systems based on IBE are unpopular when compared with those of the public-key encryption (PKE). In our opinion, one of the reasons is a gap between theory and practice. For example, a generic transformation of weakly/strongly robust IBE from any IBE has been proposed by Abdalla et al., no robust IBE scheme is explicitly given. This means that, theoretically, anyone can construct a weakly/strongly robust IBE scheme by employing this transformation. However, this seems not easily applicable to noncryptographers. In this paper, we first introduce the Gentry IBE scheme constructed over Type-3 pairings by employing the transformation proposed by Abe et al., and second we explicitly give strongly/weakly robust Gentry IBE schemes by employing the Abdalla et al. transformation. Finally, we show its implementation result and show that we can add strong robustness to the Gentry IBE scheme with a very few additional costs. We employ the mcl library to support a Barreto-Naehrig curve defined over the 462-bit prime. The encryption requires about 5 ms, whereas the decryption requires about 9 ms.

show abstract

Security of Symmetric Primitives under Incorrect Usage of Keys

Cited by 29 publications

References 0 publications

A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

A Concrete Treatment of Efficient Continuous Group Key Agreement via Multi-Recipient PKEs

Post-quantum Anonymity of Kyber

Implementation of a Strongly Robust Identity-Based Encryption Scheme over Type-3 Pairings

Contact Info

Product

Resources

About