
CCA-Secure Hybrid Encryption in Correlated Randomness Model and KEM Combiners

Somnath Panja, Setareh Sharifian, Shaoquan Jiang, Reihaneh Safavi-Naini

TL;DR

This work defines iKEM and cKEM with information-theoretic and computational security, respectively, and proves a composition theorem for each of them together with a computationally secure DEM. The result is HEs with proved computational security (CPA and CCA) that require no computational assumption.

Abstract

A hybrid encryption (HE) system is an efficient public key encryption system for arbitrarily long messages. An HE system consists of a public key component called a key encapsulation mechanism (KEM) and a symmetric key component called a data encapsulation mechanism (DEM). The HE encryption algorithm uses a KEM-generated key k to encapsulate the message using the DEM, and sends the ciphertext together with the encapsulation of k to the decryptor, who decapsulates k and uses it to decapsulate the message using the corresponding KEM and DEM components. The KEM/DEM composition theorem proves that if the KEM and DEM satisfy well-defined security notions, then the HE is secure with a well-defined security notion. We introduce HE in the correlated randomness model, where the encryption and decryption algorithms have samples of correlated random variables that are partially leaked to the adversary. Security of the new KEM/DEM paradigm is defined against computationally unbounded or polynomially bounded adversaries. We define iKEM and cKEM with information-theoretic and computational security, respectively, and prove a composition theorem for each of them together with a computationally secure DEM, resulting in secure HEs with proved computational security (CPA and CCA) and without any computational assumption. We construct two iKEMs that provably satisfy the security notions required by the composition theorem. The iKEMs are used to construct two efficient quantum-resistant HEs when combined with an AES-based DEM. We also define and construct combiners with proved security that combine the new KEM/DEM paradigm of HE with the traditional public key based paradigm of HE.

Paper Structure

This paper contains 26 sections, 15 theorems, 78 equations, 10 figures and 6 algorithms.

Key Result

Theorem 1

Let $c\mathcal{KEM}$ and $i\mathcal{KEM}$ be a cKEM and an iKEM, respectively, and let $\mathcal{DEM}$ denote a one-time symmetric key encryption scheme that is compatible with the corresponding $c\mathcal{KEM}$ or $i\mathcal{KEM}$. Then the following composition results hold for hybrid encryption in the preprocessing model:

Figures (10)

  • Figure 1: The distinguishing game $\mathrm{KIND}_{\mathsf{kem},\mathsf{D}}^{atk\text{-}b}$, where $b\stackrel{\$}\gets\{0,1\}$, and $atk\in\{cpa,cca1,cca2\}$. The decapsulation oracle $\mathsf{kem.Dec}(sk,\cdot)$ has the private key $sk$. Oracle output $\mathsf{O}_i = \varepsilon, i\in\{1, 2\}$, means $\mathsf{O}_i$ returns the empty string $\varepsilon$. $\mathsf{O}_2$ cannot be asked to decapsulate $c^*$.
  • Figure 2: DEM distinguishing game. Here, $\mathsf{dem.Enc}(k,\cdot)$ and $\mathsf{dem.Dec}(k,\cdot)$ are encryption and decryption oracles with key $k$, respectively, and $\varepsilon$ denotes an empty string.
  • Figure 3: The security game $\mathrm{pKIND}_{\mathsf{pkem},\mathsf{D}}^{atk\text{-}b}$ where $b\stackrel{\$}\gets\{0,1\}$ and $atk\in\{ot,cea,cca\}$. Here $\mathsf{O}_1(\cdot)$ and $\mathsf{O}_2(\cdot)$ are oracles that are accessed before and after the challenge is seen, respectively. $\mathsf{O}_i = \varepsilon$, for $i\in\{1, 2\}$, means $\mathsf{O}_i$ returns the empty string $\varepsilon$. The number of queries for computational (resp. unbounded) adversaries is a polynomial in $\lambda$ (resp. a constant number of $q_e$ encapsulation and $q_d$ decapsulation queries). The adversary $\mathsf{D}_2$ cannot ask the decryption oracle for $c^*$.
  • Figure 4: The integrity game of pKEM. Computationally bounded adversaries can make any polynomial number of encapsulation and decapsulation queries. Unbounded adversaries can make a fixed polynomial number $q_e$ of encapsulation and $q_d$ of decapsulation queries. $\hat{c}$ cannot be an output of a query to $\mathsf{pkem.Enc}(r_A,\cdot)$.
  • Figure 5: Hybrid encryption $\mathsf{HE}_{\mathsf{pkem},\mathsf{SE}}$ in preprocessing model
  • ...and 5 more figures

Theorems & Definitions (35)

  • Theorem
  • Definition 1: Universal hash family
  • Lemma 1: Generalized Leftover Hash Lemma [DodisORS08]
  • Definition 2: KEM distinguishing advantage [HERRANZ20101243]
  • Definition 3: Security of DEM: IND-OT, IND-OTCCA, IND-CPA, IND-CCA1, IND-CCA2 [HERRANZ20101243]
  • Definition 4: KEM in Preprocessing Model (pKEM)
  • Definition 5: pKEM distinguishing advantage
  • Remark 1: iKEM with bounded-query security
  • Definition 6: pKEM ciphertext integrity
  • Theorem 1
  • ...and 25 more