On the Impossibility of Constructing Efficient Key Encapsulation and Programmable Hash Functions in Prime Order Groups

In this paper, we discuss the impossibility of constructing chosen ciphertext secure CCA secure key encapsulation mechanisms KEMs with low ciphertext overhead. More specifically, we rule out the existence of algebraic black-box reductions from the bounded CCA security of a natural class of KEMs to any non-interactive problem. The class of KEMs captures the structure of the currently most efficient KEMs defined in standard prime order groups, but restricts an encapsulation to consist of a single group element and a string. This result suggests that we cannot rely on existing techniques to construct a CCA secure KEM in standard prime order groups with a ciphertext overhead lower than two group elements. Furthermore, we show how the properties of an algebraic programmable hash function can be used to construct a simple, efficient and CCA secure KEM based on the hardness of the decisional Diffie-Hellman problem with a ciphertext overhead of just a single group element. Since this KEM construction is covered by the above mentioned impossibility result, this enables us to derive a lower bound on the hash key size of an algebraic programmable hash function, and rule out the existence of algebraic poly, n-programmable hash functions in prime order groups for any integer n. The latter result answers an open question posed by Hofheinz and Kiltz CRYPTO'08 in the case of algebraic programmable hash functions in prime order groups.

[1]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[2]  Tal Malkin,et al.  On the impossibility of basing trapdoor functions on trapdoor predicates , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[3]  Eike Kiltz,et al.  Secure Hybrid Encryption from Weakened Key Encapsulation , 2007, CRYPTO.

[4]  Periklis A. Papakonstantinou,et al.  On the Impossibility of Basing Identity Based Encryption on Trapdoor Permutations , 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[5]  Kaoru Kurosawa,et al.  Between Hashed DH and Computational DH: Compact Encryption from Weaker Assumption , 2010, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[6]  Craig Gentry,et al.  Practical Identity-Based Encryption Without Random Oracles , 2006, EUROCRYPT.

[7]  Craig Gentry,et al.  Separating succinct non-interactive arguments from all falsifiable assumptions , 2011, IACR Cryptol. ePrint Arch..

[8]  Jonathan Katz,et al.  On Black-Box Constructions of Predicate Encryption from Trapdoor Permutations , 2009, ASIACRYPT.

[9]  Luca Trevisan,et al.  Notions of Reducibility between Cryptographic Primitives , 2004, TCC.

[10]  Pascal Paillier,et al.  Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log , 2005, ASIACRYPT.

[11]  Steven Myers,et al.  Towards a Separation of Semantic and CCA Security for Public Key Encryption , 2007, TCC.

[12]  Vincent Naessens,et al.  Structure Preserving CCA Secure Encryption and Applications , 2011, ASIACRYPT.

[13]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[14]  Kaoru Kurosawa,et al.  Efficient Chosen Ciphertext Secure Public Key Encryption under the Computational Diffie-Hellman Assumption , 2008, IACR Cryptol. ePrint Arch..

[15]  Jens Groth,et al.  Separating Short Structure-Preserving Signatures from Non-interactive Assumptions , 2011, ASIACRYPT.

[16]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[17]  Takahiro Matsuda,et al.  Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks , 2011, Public Key Cryptography.

[18]  Russell Impagliazzo,et al.  Limits on the provable consequences of one-way permutations , 1988, STOC '89.

[19]  Amit Sahai,et al.  Non-malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterization , 1999, CRYPTO.

[20]  Tibor Jager,et al.  Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model , 2010, Public Key Cryptography.

[21]  Marc Fischlin,et al.  On the Impossibility of Three-Move Blind Signature Schemes , 2010, EUROCRYPT.

[22]  Jean-Sébastien Coron,et al.  Optimal Security Proofs for PSS and Other Signature Schemes , 2002, EUROCRYPT.

[23]  David Cash,et al.  The Twin Diffie–Hellman Problem and Applications , 2009, Journal of Cryptology.

[24]  Eike Kiltz,et al.  Chosen-Ciphertext Secure Key-Encapsulation Based on Gap Hashed Diffie-Hellman , 2007, Public Key Cryptography.

[25]  Jonathan Katz,et al.  A study of separations in cryptography: new results and new models , 2011 .

[26]  Tibor Jager,et al.  Short Signatures From Weaker Assumptions , 2011, IACR Cryptol. ePrint Arch..

[27]  Eike Kiltz,et al.  Programmable Hash Functions and Their Applications , 2008, Journal of Cryptology.

[28]  Eike Kiltz,et al.  The Group of Signed Quadratic Residues and Applications , 2009, CRYPTO.

[29]  Rafael Pass,et al.  Limits of provable security from standard assumptions , 2011, STOC '11.

[30]  David Pointcheval,et al.  About the Security of Ciphers (Semantic Security and Pseudo-Random Permutations) , 2004, Selected Areas in Cryptography.

[31]  Joonsang Baek,et al.  Constructing Strong KEM from Weak KEM (or How to Revive the KEM/DEM Framework) , 2008, SCN.

[32]  Sampath Kannan,et al.  The relationship between public key encryption and oblivious transfer , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[33]  Abhi Shelat,et al.  Bounded CCA2-Secure Encryption , 2007, ASIACRYPT.

[34]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, ASIACRYPT.

[35]  Dan Boneh,et al.  Breaking RSA May Not Be Equivalent to Factoring , 1998, EUROCRYPT.

[36]  Qixiang Mei,et al.  Direct chosen ciphertext security from identity-based techniques , 2005, CCS '05.

[37]  Daniel R. Simon,et al.  Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? , 1998, EUROCRYPT.

[38]  Yutaka Kawai,et al.  Public Key Encryption Schemes from the (B)CDH Assumption with Better Efficiency , 2010, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[39]  Yvo Desmedt,et al.  A New Paradigm of Hybrid Encryption Scheme , 2004, CRYPTO.

[40]  Keita Emura,et al.  Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption , 2013, Public Key Cryptography.

[41]  Javier Herranz,et al.  Some (in)sufficient conditions for secure hybrid encryption , 2010, Inf. Comput..