KDM Security in the Hybrid Framework

We study the natural question of how well suited the hybrid encryption paradigm is in the context of key-dependent message (KDM) attacks. We prove that if a key derivation function (KDF) is used in between the public (KEM) and symmetric (DEM) part of the hybrid scheme and this KDF is modelled as a random oracle, then one-wayness of the KEM and indistinguishability of the DEM together suffice for KDM security of the resulting hybrid scheme. We consider the most general scenario, namely CCA attacks and KDM functions that can call the random oracle. Although the result itself is not entirely unsuspected—it does solve an open problem from Black, Rogaway, and Shrimpton (SAC 2002)—proving it is considerably less straightforward; we develop some proof techniques that might be applicable in a wider context.

[1]  Michael Backes,et al.  OAEP Is Secure under Key-Dependent Messages , 2008, ASIACRYPT.

[2]  Moti Yung,et al.  Efficient Circuit-Size Independent Public Key Encryption with KDM Security , 2011, EUROCRYPT.

[3]  Martín Abadi,et al.  Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption) , 2007, Journal of Cryptology.

[4]  Vinod Vaikuntanathan,et al.  Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages , 2011, CRYPTO.

[5]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[6]  Jan Camenisch,et al.  Practical Group Signatures without Random Oracles , 2005, IACR Cryptol. ePrint Arch..

[7]  Robert H. Deng,et al.  Variations of Diffie-Hellman Problem , 2003, ICICS.

[8]  Kenneth G. Paterson Advances in Cryptology - EUROCRYPT 2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings , 2011, EUROCRYPT.

[9]  Hugo Krawczyk,et al.  Security under key-dependent inputs , 2007, CCS '07.

[10]  David Cash,et al.  Cryptographic Agility and Its Relation to Circular Encryption , 2010, EUROCRYPT.

[11]  Eike Kiltz,et al.  Secure Hybrid Encryption from Weakened Key Encapsulation , 2007, CRYPTO.

[12]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[13]  Chris Peikert,et al.  Circular and KDM Security for Identity-Based Encryption , 2012, Public Key Cryptography.

[14]  Yael Tauman Kalai,et al.  Black-Box Circular-Secure Encryption beyond Affine Functions , 2011, TCC.

[15]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[16]  Zvika Brakerski,et al.  Circular and Leakage Resilient Public-Key Encryption Under Subgroup Indistinguishability (or: Quadratic Residuosity Strikes Back) , 2010, IACR Cryptol. ePrint Arch..

[17]  Jonathan Herzog,et al.  Soundness of Formal Encryption in the Presence of Key-Cycles , 2005, ESORICS.

[18]  Graham Steel,et al.  Security for Key Management Interfaces , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[19]  Matthew Green,et al.  New Definitions and Separations for Circular Security , 2012, Public Key Cryptography.

[20]  John Black,et al.  Encryption-Scheme Security in the Presence of Key-Dependent Messages , 2002, Selected Areas in Cryptography.

[21]  Peeter Laud,et al.  Sound Computational Interpretation of Formal Encryption with Composed Keys , 2003, ICISC.

[22]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[23]  Jan Camenisch,et al.  A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks , 2009, IACR Cryptol. ePrint Arch..

[24]  Dominique Unruh,et al.  Programmable encryption and key-dependent messages , 2012, IACR Cryptol. ePrint Arch..

[25]  Jan Camenisch,et al.  An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation , 2001, IACR Cryptol. ePrint Arch..

[26]  Rosario Gennaro,et al.  A Note on An Encryption Scheme of Kurosawa and Desmedt , 2004, IACR Cryptol. ePrint Arch..

[27]  Yuval Ishai,et al.  Bounded Key-Dependent Message Security , 2010, IACR Cryptol. ePrint Arch..

[28]  Mihir Bellare,et al.  Authenticated and Misuse-Resistant Encryption of Key-Dependent Data , 2011, IACR Cryptol. ePrint Arch..

[29]  Yael Tauman Kalai,et al.  On Symmetric Encryption and Point Obfuscation , 2010, TCC.

[30]  Dennis Hofheinz,et al.  Towards Key-Dependent Message Security in the Standard Model , 2008, EUROCRYPT.

[31]  Phillip Rogaway Advances in Cryptology - CRYPTO 2011 - 31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2011. Proceedings , 2011, CRYPTO.

[32]  Victor Shoup,et al.  Sequences of games: a tool for taming complexity in security proofs , 2004, IACR Cryptol. ePrint Arch..

[33]  David Cash,et al.  Ciphers that securely encipher their own keys , 2011, CCS '11.

[34]  Ronald Cramer,et al.  Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack , 2003, SIAM J. Comput..

[35]  Marc Fischlin,et al.  Public Key Cryptography - PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography , 2012 .

[36]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[37]  Ron Rothblum,et al.  On the Circular Security of Bit-Encryption , 2013, TCC.

[38]  Rafail Ostrovsky,et al.  Circular-Secure Encryption from Decision Diffie-Hellman , 2008, CRYPTO.

[39]  Kaoru Kurosawa,et al.  Tag-KEM/DEM: A New Framework for Hybrid Encryption and A New Analysis of Kurosawa-Desmedt KEM , 2005, EUROCRYPT.

[40]  Benny Applebaum,et al.  Key-Dependent Message Security: Generic Amplification and Completeness , 2011, Journal of Cryptology.

[41]  Alexander W. Dent,et al.  A Designer's Guide to KEMs , 2003, IMACC.

[42]  Marc Fischlin,et al.  Public key cryptography -- PKC 2012 : 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, May 21-23 2012 : proceedings , 2012 .

[43]  David Cash,et al.  Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems , 2009, CRYPTO.

[44]  Birgit Pfitzmann,et al.  Key-dependent Message Security under Active Attacks--BRSIM/UC-Soundness of Symbolic Encryption with Key Cycles , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[45]  Alexander W. Dent,et al.  On the Equivalence of Two Models for Key-Dependent-Message Encryption , 2009, IACR Cryptol. ePrint Arch..

[46]  Thomas Holenstein,et al.  On the (Im)Possibility of Key Dependent Encryption , 2009, TCC.

[47]  C. Moler,et al.  Advances in Cryptology , 2000, Lecture Notes in Computer Science.

[48]  Yvo Desmedt,et al.  A New Paradigm of Hybrid Encryption Scheme , 2004, CRYPTO.