[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

What a lovely hat

Is it made out of tin foil?




Dates are inconsistent

Dates are inconsistent

149 results sorted by ID

Possible spell-corrected query: and-CCA
2024/1607 (PDF) Last updated: 2024-10-09
Tighter Proofs for PKE-to-KEM Transformation in the Quantum Random Oracle Model
Jinrong Chen, Yi Wang, Rongmao Chen, Xinyi Huang, Wei Peng
Public-key cryptography

In this work, we provide new, tighter proofs for the $T_{RH}$-transformation by Jiang et al. (ASIACRYPT 2023), which converts OW-CPA secure PKEs into KEMs with IND-1CCA security, a variant of typical IND-CCA security where only a single decapsulation query is allowed. Such KEMs are efficient and have been shown sufficient for real-world applications by Huguenin-Dumittan and Vaudenay at EUROCRYPT 2022. We reprove Jiang et al.'s $T_{RH}$-transformation in both the random oracle model (ROM) and...

2024/1282 (PDF) Last updated: 2024-09-02
NTRU+PKE: Efficient Public-Key Encryption Schemes from the NTRU Problem
Jonghyun Kim, Jong Hwan Park
Public-key cryptography

We propose a new NTRU-based Public-Key Encryption (PKE) scheme called $\mathsf{NTRU+}\mathsf{PKE}$, which effectively incorporates the Fujisaki-Okamoto transformation for PKE (denoted as $\mathsf{FO}_{\mathsf{PKE}}$) to achieve chosen-ciphertext security in the Quantum Random Oracle Model (QROM). While $\mathsf{NTRUEncrypt}$, a first-round candidate in the NIST PQC standardization process, was proven to be chosen-ciphertext secure in the Random Oracle Model (ROM), it lacked corresponding...

2024/1225 (PDF) Last updated: 2024-10-21
SIGNITC: Supersingular Isogeny Graph Non-Interactive Timed Commitments
Knud Ahrens
Public-key cryptography

Non-Interactive Timed Commitment schemes (NITC) allow to open any commitment after a specified delay $t_{\mathrm{fd}}$. This is useful for sealed bid auctions and as primitive for more complex protocols. We present the first NITC without repeated squaring or theoretical black box algorithms like NIZK proofs or one-way functions. It has fast verification, almost arbitrary delay and satisfies IND-CCA hiding and perfect binding. Our protocol is based on isogenies between supersingular elliptic...

2024/1122 (PDF) Last updated: 2024-07-09
Finding Bugs and Features Using Cryptographically-Informed Functional Testing
Giacomo Fenzi, Jan Gilcher, Fernando Virdia
Implementation

In 2018, Mouha et al. (IEEE Trans. Reliability, 2018) performed a post-mortem investigation of the correctness of reference implementations submitted to the SHA3 competition run by NIST, finding previously unidentified bugs in a significant portion of them, including two of the five finalists. Their innovative approach allowed them to identify the presence of such bugs in a black-box manner, by searching for counterexamples to expected cryptographic properties of the implementations under...

2024/1080 (PDF) Last updated: 2024-07-03
Separating Selective Opening Security From Standard Security, Assuming IO
Justin Holmgren, Brent Waters
Foundations

Assuming the hardness of LWE and the existence of IO, we construct a public-key encryption scheme that is IND-CCA secure but fails to satisfy even a weak notion of indistinguishability security with respect to selective opening attacks. Prior to our work, such a separation was known only from stronger assumptions such as differing inputs obfuscation (Hofheinz, Rao, and Wichs, PKC 2016). Central to our separation is a new hash family, which may be of independent interest. Specifically,...

2024/843 (PDF) Last updated: 2024-05-29
Formally verifying Kyber Episode V: Machine-checked IND-CCA security and correctness of ML-KEM in EasyCrypt
José Bacelar Almeida, Santiago Arranz Olmos, Manuel Barbosa, Gilles Barthe, François Dupressoir, Benjamin Grégoire, Vincent Laporte, Jean-Christophe Léchenet, Cameron Low, Tiago Oliveira, Hugo Pacheco, Miguel Quaresma, Peter Schwabe, Pierre-Yves Strub
Public-key cryptography

We present a formally verified proof of the correctness and IND-CCA security of ML-KEM, the Kyber-based Key Encapsulation Mechanism (KEM) undergoing standardization by NIST. The proof is machine-checked in EasyCrypt and it includes: 1) A formalization of the correctness (decryption failure probability) and IND-CPA security of the Kyber base public-key encryption scheme, following Bos et al. at Euro S&P 2018; 2) A formalization of the relevant variant of the Fujisaki-Okamoto transform in...

2024/777 (PDF) Last updated: 2024-05-25
Measure-Rewind-Extract: Tighter Proofs of One-Way to Hiding and CCA Security in the Quantum Random Oracle Model
Jiangxia Ge, Heming Liao, Rui Xue
Public-key cryptography

The One-Way to Hiding (O2H) theorem, first given by Unruh (J ACM 2015) and then restated by Ambainis et al. (CRYPTO 2019), is a crucial technique for solving the reprogramming problem in the quantum random oracle model (QROM). It provides an upper bound $d\cdot\sqrt{\epsilon}$ for the distinguisher's advantage, where $d$ is the query depth and $\epsilon$ denotes the advantage of a one-wayness attacker. Later, in order to obtain a tighter upper bound, Kuchta et al. (EUROCRYPT 2020) proposed...

2024/732 (PDF) Last updated: 2024-06-11
Compact Encryption based on Module-NTRU problems
Shi Bai, Hansraj Jangir, Hao Lin, Tran Ngo, Weiqiang Wen, Jinwei Zheng
Public-key cryptography

The Module-NTRU problem, introduced by Cheon, Kim, Kim, Son (IACR ePrint 2019/1468), and Chuengsatiansup, Prest, Stehlé, Wallet, Xagawa (ASIACCS ’20), generalizes the versatile NTRU assump- tion. One of its main advantages lies in its ability to offer greater flexibil- ity on parameters, such as the underlying ring dimension. In this work, we present several lattice-based encryption schemes, which are IND-CPA (or OW-CPA) secure in the standard model based on the Module-NTRU and...

2024/345 (PDF) Last updated: 2024-02-27
An Efficient Adaptive Attack Against FESTA
Guoqing Zhou, Maozhi Xu
Attacks and cryptanalysis

At EUROCRYPT’23, Castryck and Decru, Maino et al., and Robert present efficient attacks against supersingular isogeny Diffie-Hellman key exchange protocol (SIDH). Drawing inspiration from these attacks, Andrea Basso, Luciano Maino, and Giacomo Pope introduce FESTA, an isogeny-based trapdoor function, along with a corresponding IND-CCA secure public key encryption (PKE) protocol at ASIACRYPT’23. FESTA incorporates either a diagonal or circulant matrix into the secret key to mask torsion...

2024/039 (PDF) Last updated: 2024-04-15
X-Wing: The Hybrid KEM You’ve Been Looking For
Manuel Barbosa, Deirdre Connolly, João Diogo Duarte, Aaron Kaiser, Peter Schwabe, Karoline Varner, Bas Westerbaan
Public-key cryptography

X-Wing is a hybrid key-encapsulation mechanism based on X25519 and ML-KEM-768. It is designed to be the sensible choice for most applications. The concrete choice of X25519 and ML-KEM-768 allows X-Wing to achieve improved efficiency compared to using a generic KEM combiner. In this paper, we introduce the X-Wing hybrid KEM construction and provide a proof of security. We show (1) that X-Wing is a classically IND-CCA secure KEM if the strong Diffie-Hellman assumption holds in the X25519...

2024/023 (PDF) Last updated: 2024-03-27
CCA Security with Short AEAD Tags
Mustafa Khairallah
Secret-key cryptography

The size of the authentication tag represents a significant overhead for applications that are limited by bandwidth or memory. Hence, some authenticated encryption designs have a smaller tag than the required privacy level, which was also suggested by the NIST lightweight cryptography standardization project. In the ToSC 2022, two papers have raised questions about the IND-CCA security of AEAD schemes in this situation. These papers show that (a) online AE cannot provide IND-CCA security...

2023/1702 (PDF) Last updated: 2023-11-02
On Quantum Simulation-Soundness
Behzad Abdolmaleki, Céline Chevalier, Ehsan Ebrahimi, Giulio Malavolta, Quoc-Huy Vu
Foundations

Non-interactive zero-knowledge (NIZK) proof systems are a cornerstone of modern cryptography, but their security has received little attention in the quantum settings. Motivated by improving our understanding of this fundamental primitive against quantum adversaries, we propose a new definition of security against quantum adversary. Specifically, we define the notion of quantum simulation soundness (SS-NIZK), that allows the adversary to access the simulator in superposition. We show a...

2023/1468 (PDF) Last updated: 2024-06-07
QFESTA: Efficient Algorithms and Parameters for FESTA using Quaternion Algebras
Kohei Nakagawa, Hiroshi Onuki
Public-key cryptography

In 2023, Basso, Maino, and Pope proposed FESTA (Fast Encryption from Supersingular Torsion Attacks), an isogeny-based public-key encryption (PKE) protocol that uses the SIDH attack for decryption. In the same paper, they proposed a parameter for that protocol, but the parameter requires high-degree isogeny computations. In this paper, we introduce QFESTA (Quaternion Fast Encapsulation from Supersingular Torsion Attacks), a new variant of FESTA that works with better parameters using...

2023/1380 (PDF) Last updated: 2023-09-14
Tighter Security for Generic Authenticated Key Exchange in the QROM
Jiaxin Pan, Benedikt Wagner, Runzhi Zeng
Public-key cryptography

We give a tighter security proof for authenticated key exchange (AKE) protocols that are generically constructed from key encapsulation mechanisms (KEMs) in the quantum random oracle model (QROM). Previous works (Hövelmanns et al., PKC 2020) gave reductions for such a KEM-based AKE protocol in the QROM to the underlying primitives with square-root loss and a security loss in the number of users and total sessions. Our proof is much tighter and does not have square-root loss. Namely, it only...

2023/1337 (PDF) Last updated: 2023-09-07
SoK: Public Key Encryption with Openings
Carlo Brunetta, Hans Heum, Martijn Stam
Public-key cryptography

When modelling how public key encryption can enable secure communication, we should acknowledge that secret information, such as private keys or the randomness used for encryption, could become compromised. Intuitively, one would expect unrelated communication to remain secure, yet formalizing this intuition has proven challenging. Several security notions have appeared that aim to capture said scenario, ranging from the multi-user setting with corruptions, via selective opening attacks...

2023/1298 (PDF) Last updated: 2023-08-31
NEV: Faster and Smaller NTRU Encryption using Vector Decoding
Jiang Zhang, Dengguo Feng, Di Yan
Public-key cryptography

In this paper, we present NEV -- a faster and smaller NTRU Encryption using Vector decoding, which is provably IND-CPA secure in the standard model under the decisional NTRU and RLWE assumptions over the cyclotomic ring $R_q = \mathbb{Z}_q[X]/(X^n+1)$. Our main technique is a novel and non-trivial way to integrate a previously known plaintext encoding and decoding mechanism into the provably IND-CPA secure NTRU variant by Stehl\'e and Steinfeld (Eurocrypt 2011). Unlike the original NTRU...

2023/1230 (PDF) Last updated: 2023-08-14
Almost Tight Multi-User Security under Adaptive Corruptions from LWE in the Standard Model
Shuai Han, Shengli Liu, Zhedong Wang, Dawu Gu
Public-key cryptography

In this work, we construct the first digital signature (SIG) and public-key encryption (PKE) schemes with almost tight multi-user security under adaptive corruptions based on the learning-with-errors (LWE) assumption in the standard model. Our PKE scheme achieves almost tight IND-CCA security and our SIG scheme achieves almost tight strong EUF-CMA security, both in the multi-user setting with adaptive corruptions. The security loss is quadratic in the security parameter, and independent of...

2023/1092 (PDF) Last updated: 2024-02-01
The wrong use of FESTA trapdoor functions leads to an adaptive attack
Tomoki Moriya, Hiroshi Onuki
Attacks and cryptanalysis

Isogeny-based cryptography is one of the candidates for post-quantum cryptography. In 2023, Kani's theorem breaks an isogeny-based scheme SIDH, which was considered a promising post-quantum scheme. Though Kani's theorem damaged isogeny-based cryptography, some researchers have been trying to dig into the applications of this theorem. A FESTA trapdoor function is an isogeny-based trapdoor function that is one trial to apply Kani's theorem to cryptography. This paper claims that there is an...

2023/864 (PDF) Last updated: 2024-01-19
Compact Selective Opening Security From LWE
Dennis Hofheinz, Kristina Hostáková, Julia Kastner, Karen Klein, Akin Ünal
Public-key cryptography

Selective opening (SO) security is a security notion for public-key encryption schemes that captures security against adaptive corruptions of senders. SO security comes in chosen-plaintext (SO-CPA) and chosen-ciphertext (SO-CCA) variants, neither of which is implied by standard security notions like IND-CPA or IND-CCA security. In this paper, we present the first SO-CCA secure encryption scheme that combines the following two properties: (1) it has a constant ciphertext expansion...

2023/862 (PDF) Last updated: 2023-06-07
Tighter QCCA-Secure Key Encapsulation Mechanism with Explicit Rejection in the Quantum Random Oracle Model
Jiangxia Ge, Tianshu Shan, Rui Xue
Public-key cryptography

Hofheinz et al. (TCC 2017) proposed several key encapsulation mechanism (KEM) variants of Fujisaki-Okamoto (\textsf{FO}) transformation, including $\textsf{FO}^{\slashed{\bot}}$, $\textsf{FO}_m^{\slashed{\bot}}$, $\textsf{QFO}_m^{\slashed{\bot}}$, $\textsf{FO}^{\bot}$, $\textsf{FO}_m^\bot$ and $\textsf{QFO}_m^\bot$, and they are widely used in the post-quantum cryptography standardization launched by NIST. These transformations are divided into two types, the implicit and explicit rejection...

2023/792 (PDF) Last updated: 2023-05-30
On the Fujisaki-Okamoto transform: from Classical CCA Security to Quantum CCA Security
Jiangxia Ge, Tianshu Shan, Rui Xue
Public-key cryptography

The Fujisaki-Okamoto (\textsf{FO}) transformation (CRYPTO 1999 and Journal of Cryptology 2013) and its KEM variants (TCC 2017) are used to construct \textsf{IND-CCA}-secure PKE or KEM schemes in the random oracle model (ROM). In the post-quantum setting, the ROM is extended to the quantum random oracle model (QROM), and the \textsf{IND-CCA} security of \textsf{FO} transformation and its KEM variants in the QROM has been extensively analyzed. Grubbs et al. (EUROCRYPTO 2021) and Xagawa...

2023/660 (PDF) Last updated: 2023-09-21
FESTA: Fast Encryption from Supersingular Torsion Attacks
Andrea Basso, Luciano Maino, Giacomo Pope
Public-key cryptography

We introduce FESTA, an efficient isogeny-based public-key encryption (PKE) protocol based on a constructive application of the SIDH attacks. At its core, FESTA is based on a novel trapdoor function, which uses an improved version of the techniques proposed in the SIDH attacks to develop a trapdoor mechanism. Using standard transformations, we construct an efficient PKE that is IND-CCA secure in the QROM. Additionally, using a different transformation, we obtain the first isogeny-based PKE...

2023/558 Last updated: 2024-05-06
A Multireceiver Certificateless Signcryption (MCLS) Scheme
Alia Umrani, Apurva K Vangujar, Paolo Palmieri
Public-key cryptography

User authentication and message confidentiality are the basic security requirements of high-end applications such as multicast communication and distributed systems. Several efficient signature-then-encrypt cryptographic schemes have been proposed to offer these security requirements with lower computational cost and communication overhead. However, signature-then-encryption techniques take more computation time than signcryption techniques. Signcryption accomplishes both digital signature...

2023/153 (PDF) Last updated: 2023-02-09
Almost Tight Multi-User Security under Adaptive Corruptions & Leakages in the Standard Model
Shuai Han, Shengli Liu, Dawu Gu
Public-key cryptography

In this paper, we consider tight multi-user security under adaptive corruptions, where the adversary can adaptively corrupt some users and obtain their secret keys. We propose generic constructions for a bunch of primitives, and the instantiations from the matrix decision Diffie-Hellman (MDDH) assumptions yield the following schemes: (1) the first digital signature (SIG) scheme achieving almost tight strong EUF-CMA security in the multi-user setting with adaptive corruptions in the...

2023/007 (PDF) Last updated: 2023-09-14
Post-Quantum Security of Key Encapsulation Mechanism against CCA Attacks with a Single Decapsulation Query
Haodong Jiang, Zhi Ma, Zhenfeng Zhang
Public-key cryptography

Recently, in post-quantum cryptography migration, it has been shown that an IND-1-CCA-secure key encapsulation mechanism (KEM) is required for replacing an ephemeral Diffie-Hellman (DH) in widely-used protocols, e.g., TLS, Signal, and Noise. IND-1-CCA security is a notion similar to the traditional IND-CCA security except that the adversary is restricted to one single decapsulation query. At EUROCRYPT 2022, based on CPA-secure public-key encryption (PKE), Huguenin-Dumittan and Vaudenay...

2022/1696 (PDF) Last updated: 2023-02-13
Post-Quantum Anonymity of Kyber
Varun Maram, Keita Xagawa
Public-key cryptography

Kyber is a key-encapsulation mechanism (KEM) that was recently selected by NIST in its PQC standardization process; it is also the only scheme to be selected in the context of public-key encryption (PKE) and key establishment. The main security target for KEMs, and their associated PKE schemes, in the NIST PQC context has been IND-CCA security. However, some important modern applications also require their underlying KEMs/PKE schemes to provide anonymity (Bellare et al., ASIACRYPT 2001)....

2022/1654 (PDF) Last updated: 2022-11-29
On the Complete Non-Malleability of the Fujisaki-Okamoto Transform
Daniele Friolo, Matteo Salvino, Daniele Venturi
Public-key cryptography

The Fujisaki-Okamoto (FO) transform (CRYPTO 1999 and JoC 2013) turns any weakly (i.e., IND-CPA) secure public-key encryption (PKE) scheme into a strongly (i.e., IND-CCA) secure key encapsulation method (KEM) in the random oracle model (ROM). Recently, the FO transform re-gained momentum as part of CRISTAL-Kyber, selected by the NIST as the PKE winner of the post-quantum cryptography standardization project. Following Fischlin (ICALP 2005), we study the complete non-malleability of KEMs...

2022/1651 (PDF) Last updated: 2023-07-17
TiGER: Tiny bandwidth key encapsulation mechanism for easy miGration based on RLWE(R)
Seunghwan Park, Chi-Gon Jung, Aesun Park, Joongeun Choi, Honggoo Kang
Public-key cryptography

The quantum resistance Key Encapsulation Mechanism (PQC-KEM) design aims to replace cryptography in legacy security protocols. It would be nice if PQC-KEM were faster and lighter than ECDH or DH for easy migration to legacy security protocols. However, it seems impossible due to the temperament of the secure underlying problems in a quantum environment. Therefore, it makes reason to determine the threshold of the scheme by analyzing the maximum bandwidth the legacy security protocol can...

2022/1584 (PDF) Last updated: 2022-11-15
Instantiability of Classical Random-Oracle-Model Encryption Transforms
Alice Murphy, Adam O'Neill, Mohammad Zaheri
Public-key cryptography

Extending work leveraging program obfuscation to instantiate random-oracle-based transforms (e.g., Hohenberger et al., EUROCRYPT 2014, Kalai et al., CRYPTO 2017), we show that, using obfuscation and other assumptions, there exist standard-model hash functions that suffice to instantiate the classical RO-model encryption transforms OAEP (Bellare and Rogaway, EUROCRYPT 1994) and Fujisaki-Okamoto (CRYPTO 1999, J. Cryptology 2013) for specific public-key encryption (PKE) schemes to achieve...

2022/1498 (PDF) Last updated: 2022-12-14
Simple, Fast, Efficient, and Tightly-Secure Non-Malleable Non-Interactive Timed Commitments
Peter Chvojka, Tibor Jager
Public-key cryptography

Timed commitment schemes, introduced by Boneh and Naor (CRYPTO 2000), can be used to achieve fairness in secure computation protocols in a simple and elegant way. The only known non-malleable construction in the standard model is due to Katz, Loss, and Xu (TCC 2020). This construction requires general-purpose zero knowledge proofs with specific properties, and it suffers from an inefficient commitment protocol, which requires the committing party to solve a computationally expensive...

2022/1224 (PDF) Last updated: 2022-09-15
From Plaintext-extractability to IND-CCA Security
Ehsan Ebrahimi
Public-key cryptography

We say a public-key encryption is plaintext-extractable in the random oracle model if there exists an algorithm that given access to all inputs/outputs queries to the random oracles can simulate the decryption oracle. We argue that plaintext-extractability is enough to show the indistinguishably under chosen ciphertext attack (IND-CCA) of OAEP+ transform (Shoup, Crypto 2001) when the underlying trapdoor permutation is one-way. We extend the result to the quantum random oracle model...

2022/1148 (PDF) Last updated: 2022-09-04
On Security Against Time Traveling Adversaries
Lúcás Críostóir Meier
Foundations

If you had a time machine, what cryptography would you be able to break? In this work, we investigate the notion of time travel, formally defining models for adversaries equipped with a time machine, and exploring the consequences for cryptography. We find that being able to rewind time breaks some cryptographic schemes, and being able to freely move both forwards and backwards in time breaks even more schemes. We look at the impacts of time travel on encryption and signatures in...

2022/919 (PDF) Last updated: 2022-07-14
Side-Channel Attacks on Lattice-Based KEMs Are Not Prevented by Higher-Order Masking
Kalle Ngo, Ruize Wang, Elena Dubrova, Nils Paulsrud
Attacks and cryptanalysis

In this paper, we present the first side-channel attack on a higher-order masked implementation of an IND-CCA secure lattice-based key encapsulation mechanism (KEM). Our attack exploits a vulnerability in the procedure for the arithmetic to Boolean conversion which we discovered. On the example of Saber KEM, we demonstrate successful message and secret key recovery attacks on the second- and third-order masked implementations running on a different device than the profiling one. In our...

2022/617 (PDF) Last updated: 2023-01-08
SO-CCA Secure PKE in the Quantum Random Oracle Model or the Quantum Ideal Cipher Model
Shingo Sato, Junji Shikata
Public-key cryptography

Selective opening (SO) security is one of the most important security notions of public key encryption (PKE) in a multi-user setting. Even though messages and random coins used in some ciphertexts are leaked, SO security guarantees the confidentiality of the other ciphertexts. Actually, it is shown that there exist PKE schemes which meet the standard security such as indistinguishability against chosen ciphertext attacks (IND-CCA security) but do not meet SO security against chosen...

2022/031 (PDF) Last updated: 2022-01-14
BAT: Small and Fast KEM over NTRU Lattices
Pierre-Alain Fouque, Paul Kirchner, Thomas Pornin, Yang Yu
Public-key cryptography

We present $\BAT$ -- an IND-CCA secure key encapsulation mechanism (KEM) that is based on NTRU but follows an encryption/decryption paradigm distinct from classical NTRU KEMs. It demonstrates a new approach of decrypting NTRU ciphertext since its introduction 25 years ago. Instead of introducing an artificial masking parameter $p$ to decrypt the ciphertext, we use 2 linear equations in 2 unknowns to recover the message and the error. The encryption process is therefore close to the GGH...

2021/1624 (PDF) Last updated: 2021-12-17
On the IND-CCA1 Security of FHE Schemes
Prastudy Fauzi, Martha Norberg Hovd, Håvard Raddum

Fully homomorphic encryption (FHE) is a powerful tool in cryptography that allows one to perform arbitrary computations on encrypted material without having to decrypt it first. There are numerous FHE schemes, all of which are expanded from somewhat homomorphic encryption (SHE) schemes, and some of which are considered viable in practice. However, while these FHE schemes are semantically (IND-CPA) secure, the question of their IND-CCA1 security is much less studied. In this paper, we group...

2021/1615 (PDF) Last updated: 2023-05-20
High-order Polynomial Comparison and Masking Lattice-based Encryption
Jean-Sébastien Coron, François Gérard, Simon Montoya, Rina Zeitoun
Implementation

The main protection against side-channel attacks consists in computing every function with multiple shares via the masking countermeasure. For IND-CCA secure lattice-based encryption schemes, the masking of the decryption algorithm requires the high-order computation of a polynomial comparison. In this paper, we describe and evaluate a number of different techniques for such high-order comparison, always with a security proof in the ISW probing model. As an application, we describe the full...

2021/1596 (PDF) Last updated: 2022-04-04
SHealS and HealS: isogeny-based PKEs from akey validation method for SIDH
Tako Boris Fouotsa, Christophe Petit
Public-key cryptography

In 2016, Galbraith et al. presented an adaptive attack on the SIDH key exchange protocol. In SIKE, one applies a variant of the Fujisaki-Okamoto transform to force Bob to reveal his encryption key to Alice, which Alice then uses to re-encrypt Bob's ciphertext and verify its validity. Therefore, Bob can not reuse his encryption keys. There have been two other proposed countermeasures enabling static-static private keys: k-SIDH and its variant by Jao and Urbanik. These countermeasures are...

2021/1458 (PDF) Last updated: 2021-11-06
QC-MDPC codes DFR and the IND-CCA security of BIKE
Valentin Vasseur
Public-key cryptography

The aim of this document is to clarify the DFR (Decoding Failure Rate) claims made for BIKE, a third round alternate candidate KEM (Key Encapsulation Mechanism) to the NIST call for post-quantum cryptography standardization. For the most part, the material presented here is not new, it is extracted from the relevant scientific literature, in particular [V21]. Even though a negligible DFR is not needed for a KEM using ephemeral keys (e.g. TLS) which only requires IND-CPA security, it seems...

2021/1323 (PDF) Last updated: 2022-09-22
Anonymity of NIST PQC Round 3 KEMs
Keita Xagawa
Public-key cryptography

This paper investigates __anonymity__ of all NIST PQC Round 3 KEMs: Classic McEliece, Kyber, NTRU, Saber, BIKE, FrodoKEM, HQC, NTRU Prime (Streamlined NTRU Prime and NTRU LPRime), and SIKE. We show the following results: * NTRU is anonymous in the quantum random oracle model (QROM) if the underlying deterministic PKE is strongly disjoint-simulatable. NTRU is collision-free in the QROM. A hybrid PKE scheme constructed from NTRU as KEM and appropriate DEM is anonymous and robust. (Similar...

2021/1288 (PDF) Last updated: 2021-09-24
FO-like Combiners and Hybrid Post-Quantum Cryptography
Loïs Huguenin-Dumittan, Serge Vaudenay
Public-key cryptography

Combining several primitives together to offer greater security is an old idea in cryptography. Recently, this concept has resurfaced as it could be used to improve trust in new Post-Quantum (PQ) schemes and smooth the transition to PQ cryptography. In particular, several ways to combine key exchange mechanisms (KEMs) into a secure hybrid KEM have been proposed. In this work, we observe that most PQ KEMs are built using a variant of the Fujisaki-Okamoto (FO) transform. Thus, we propose...

2021/1200 (PDF) Last updated: 2021-12-24
KDM Security for the Fujisaki-Okamoto Transformations in the QROM
Fuyuki Kitagawa, Ryo Nishimaki
Public-key cryptography

Key dependent message (KDM) security is a security notion that guarantees confidentiality of communication even if secret keys are encrypted. KDM security has found a number of applications in practical situations such as hard-disk encryption systems, anonymous credentials, and bootstrapping of fully homomorphic encryptions. Recently, it also found an application in quantum delegation protocols as shown by Zhang (TCC 2019). In this work, we investigate the KDM security of existing practical...

2021/881 (PDF) Last updated: 2021-06-29
Secure Code-Based Key Encapsulation Mechanism with Short Ciphertext and Secret Key
Jayashree Dey, Ratna Dutta
Public-key cryptography

Code-based public key cryptosystems are one of the main techniques available in the area of Post-Quantum Cryptography. This work aims to propose a key encapsulation mechanism (KEM) with short ciphertext and secret key. Our goal is achieved in two steps. We first present a public key encryption (PKE) scheme, basicPKE, using a parity check matrix of Maximum Distance Separable (MDS) code as the public key matrix. In our construction, we exploit the structure of a companion matrix to obtain an...

2021/844 (PDF) Last updated: 2022-12-16
A note on IND-qCCA security in the ROM and its applications: CPA security is sufficient for TLS 1.3
Loïs Huguenin-Dumittan, Serge Vaudenay

Bounded IND-CCA security (IND-qCCA) is a notion similar to the traditional IND-CCA security, except the adversary is restricted to a constant number q of decryption/decapsulation queries. We show in this work that IND-qCCA is easily obtained from any passively secure PKE in the (Q)ROM. That is, simply adding a confirmation hash or computing the key as the hash of the plaintext and ciphertext holds an IND-qCCA KEM. In particular, there is no need for derandomization or re-encryption as in...

2021/718 (PDF) Last updated: 2021-10-14
Will You Cross the Threshold for Me? - Generic Side-Channel Assisted Chosen-Ciphertext Attacks on NTRU-based KEMs
Prasanna Ravi, Martianus Frederic Ezerman, Shivam Bhasin, Anupam Chattopadhyay, Sujoy Sinha Roy
Public-key cryptography

In this work, we propose generic and novel side-channel assisted chosen-ciphertext attacks on NTRU-based key encapsulation mechanisms (KEMs). These KEMs are IND-CCA secure, that is, they are secure in the chosen-ciphertext model. Our attacks involve the construction of malformed ciphertexts. When decapsulated by the target device, these ciphertexts ensure that a targeted intermediate variable becomes very closely related to the secret key. An attacker, who can obtain information about the...

2021/708 (PDF) Last updated: 2022-03-02
Anonymous, Robust Post-Quantum Public Key Encryption
Paul Grubbs, Varun Maram, Kenneth G. Paterson
Public-key cryptography

A core goal of the NIST PQC competition is to produce public-key encryption (PKE) schemes which, even if attacked with a large-scale quantum computer, maintain the security guarantees needed by applications. The main security focus in the NIST PQC context has been IND-CCA security, but other applications demand that PKE schemes provide 'anonymity' (Bellare et al., ASIACRYPT 2001), and 'robustness' (Abdalla et al., TCC 2010). Examples of such applications include anonymous communication...

2021/320 (PDF) Last updated: 2021-03-11
Binding BIKE errors to a key pair
Nir Drucker, Shay Gueron, Dusan Kostic
Public-key cryptography

The KEM BIKE is a Round-3 alternative finalist in the NIST Post-Quantum Cryptography project. It uses the FO$^{\not \bot}$ transformation so that an instantiation with a decoder that has a DFR of $2^{-128}$ will make it IND-CCA secure. The current BIKE design does not bind the randomness of the ciphertexts (i.e., the error vectors) to a specific public key. We propose to change this design, although currently, there is no attack that leverages this property. This modification can be...

2021/218 (PDF) Last updated: 2021-05-31
SimS: a Simplification of SiGamal
Tako Boris Fouotsa, Christophe Petit
Public-key cryptography

At Asiacrypt 2020, Moriya et al. introduced two new IND-CPA secure supersingular isogeny based Public Key Encryption (PKE) protocols: SiGamal and C-SiGamal. Unlike the PKEs canonically derived from SIDH and CSIDH, the new protocols provide IND-CPA security without the use of hash functions. SiGamal and C-SiGamal are however not IND-CCA secure. Moriya et al. suggested a variant of SiGamal that could be IND-CCA secure, but left its study as an open problem. In this paper, we revisit the...

2021/079 (PDF) Last updated: 2021-01-22
A Side-Channel Attack on a Masked IND-CCA Secure Saber KEM
Kalle Ngo, Elena Dubrova, Qian Guo, Thomas Johansson
Public-key cryptography

In this paper, we present the first side-channel attack on a first-order masked implementation of IND-CCA secure Saber KEM. We show how to recover both the session key and the long-term secret key from 16 traces by deep learning-based power analysis without explicitly extracting the random mask at each execution. Since the presented method is not dependent on the mask, we can improve success probability by combining score vectors of multiple traces captured for the same ciphertext. This is...

2020/1548 (PDF) Last updated: 2024-01-27
CCA-Secure (Puncturable) KEMs from Encryption With Non-Negligible Decryption Errors
Valerio Cini, Sebastian Ramacher, Daniel Slamanig, Christoph Striecks
Public-key cryptography

Public-key encryption (PKE) schemes or key-encapsulation mechanisms (KEMs) are fundamental cryptographic building blocks to realize secure communication protocols. There are several known transformations that generically turn weakly secure schemes into strongly (i.e., IND-CCA) secure ones. While most of these transformations require the weakly secure scheme to provide perfect correctness, Hofheinz, Hövelmanns, and Kiltz (HHK) (TCC 2017) have recently shown that variants of the...

2020/1232 (PDF) Last updated: 2020-10-09
On the Existence of Weak Keys for QC-MDPC Decoding
Nicolas Sendrier, Valentin Vasseur
Public-key cryptography

We study in this work a particular class of QC-MDPC codes for which the decoding failure rate is significantly larger than for typical QC-MDPC codes of same parameters. Our purpose is to figure out whether the existence of such weak codes impacts the security of cryptographic schemes using QC-MDPC codes as secret keys. A class of weak keys was exhibited in [DGK19]. We generalize it and show that, though their Decoding Failure Rate (DFR) is higher than normal, the set is not large enough to...

2020/743 (PDF) Last updated: 2020-06-18
A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM
Qian Guo, Thomas Johansson, Alexander Nilsson
Implementation

In the implementation of post-quantum primitives, it is well known that all computations that handle secret information need to be implemented to run in constant time. Using the Fujisaki-Okamoto transformation or any of its different variants, a CPA-secure primitive can be converted into an IND-CCA secure KEM. In this paper we show that although the transformation does not handle secret information apart from calls to the CPA-secure primitive, it has to be implemented in constant time....

2020/534 (PDF) Last updated: 2022-03-15
Post-quantum TLS without handshake signatures
Peter Schwabe, Douglas Stebila, Thom Wiggers
Cryptographic protocols

We present KEMTLS, an alternative to the TLS 1.3 handshake that uses key-encapsulation mechanisms (KEMs) instead of signatures for server authentication. Among existing post-quantum candidates, signature schemes generally have larger public key/signature sizes compared to the public key/ciphertext sizes of KEMs: by using an IND-CCA-secure KEM for server authentication in post-quantum TLS, we obtain multiple benefits. A size-optimized post-quantum instantiation of KEMTLS requires less than...

2020/510 (PDF) Last updated: 2020-05-05
On the Applicability of the Fujisaki-Okamoto Transformation to the BIKE KEM
Nir Drucker, Shay Gueron, Dusan Kostic, Edoardo Persichetti
Public-key cryptography

The QC-MDPC code-based KEM BIKE is one of the Round-2 candidates of the NIST PQC standardization project. Its specification document describes a version that is claimed to have IND-CCA security. The security proof uses the Fujisaki-Okamoto transformation and a de-coder that targeted a Decoding Failure Rate (DFR) of 2^{-128} (for Level-1 security). However, there are several aspects that need to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR...

2020/409 (PDF) Last updated: 2020-04-13
Classical Misuse Attacks on NIST Round 2 PQC: The Power of Rank-Based Schemes
Loïs Huguenin-Dumittan, Serge Vaudenay
Public-key cryptography

The US National Institute of Standards and Technology (NIST) recently announced the public-key cryptosystems (PKC) that have passed to the second round of the post-quantum standardization process. Most of these PKC come in two flavours: a weak IND-CPA version and a strongly secure IND-CCA construction. For the weaker scheme, no level of security is claimed in the plaintext-checking attack (PCA) model. However, previous works showed that, for several NIST candidates, only a few PCA queries...

2020/367 (PDF) Last updated: 2024-07-04
Exploiting Decryption Failures in Mersenne Number Cryptosystems
Marcel Tiepelt, Jan-Pieter D'Anvers
Public-key cryptography

Mersenne number schemes are a new strain of potentially quantum-safe cryptosystems that use sparse integer arithmetic modulo a Mersenne prime to encrypt messages. Two Mersenne number based schemes were submitted to the NIST post-quantum standardization process: Ramstake and Mersenne-756839. Typically, these schemes admit a low but non-zero probability that ciphertexts fail to decrypt correctly. In this work we show that the information leaked from failing ciphertexts can be used to gain...

2020/150 (PDF) Last updated: 2020-07-30
On the Security of NTS-KEM in the Quantum Random Oracle Model
Varun Maram
Public-key cryptography

NTS-KEM is one of the 17 post-quantum public-key encryption (PKE) and key establishment schemes remaining in contention for standardization by NIST. It is a code-based cryptosystem that starts with a combination of the (weakly secure) McEliece and Niederreiter PKE schemes and applies a variant of the Fujisaki-Okamoto (Journal of Cryptology 2013) or Dent (IMACC 2003) transforms to build an IND-CCA secure key encapsulation mechanism (KEM) in the classical random oracle model (ROM). Such...

2020/137 (PDF) Last updated: 2020-07-13
Consistency for Functional Encryption
Christian Badertscher, Aggelos Kiayias, Markulf Kohlweiss, Hendrik Waldner
Foundations

In functional encryption (FE) a sender, Alice, encrypts plaintexts that a receiver, Bob, can obtain functional evaluations of, while Charlie is responsible for initializing the encryption keys and issuing the decryption keys. Standard notions of security for FE deal with a malicious Bob and how the confidentiality of Alice's messages can be maintained taking into account the leakage that occurs due to the functional keys that are revealed to the adversary via various forms of...

2020/075 (PDF) Last updated: 2020-07-19
Memory-Tight Reductions for Practical Key Encapsulation Mechanisms
Rishiraj Bhattacharyya
Public-key cryptography

The efficiency of a black-box reduction is an important goal of modern cryptography. Traditionally, the time complexity and the success probability were considered as the main aspects of efficiency measurements. In CRYPTO 2017, Auerbach et al. introduced the notion of memory-tightness in cryptographic reductions and showed a memory-tight reduction of the existential unforgeability of the RSA-FDH signature scheme. Unfortunately, their techniques do not extend directly to the reductions...

2019/1434 (PDF) Last updated: 2019-12-10
About Low DFR for QC-MDPC Decoding
Nicolas Sendrier, Valentin Vasseur
Public-key cryptography

McEliece-like code-based key exchange mechanisms using QC-MDPC codes can reach IND-CPA security under hardness assumptions from coding theory, namely quasi-cyclic syndrome decoding and quasi-cyclic codeword finding. To reach higher security requirements, like IND-CCA security, it is necessary in addition to prove that the decoding failure rate (DFR) is negligible, for some decoding algorithm and a proper choice of parameters. Getting a formal proof of a low DFR is a difficult task. Instead,...

2019/1388 (PDF) Last updated: 2019-12-04
Secure Key Encapsulation Mechanism with Compact Ciphertext and Public Key from Generalized Srivastava code
Jayashree Dey, Ratna Dutta
Public-key cryptography

Code-based public key cryptosystems have been found to be an interesting option in the area of Post-Quantum Cryptography. In this work, we present a key encapsulation mechanism (KEM) using a parity check matrix of the Generalized Srivastava code as the public key matrix. Generalized Srivastava codes are privileged with the decoding technique of Alternant codes as they belong to the family of Alternant codes. We exploit the dyadic structure of the parity check matrix to reduce the storage of...

2019/1291 (PDF) Last updated: 2021-09-20
SÉTA: Supersingular Encryption from Torsion Attacks
Luca De Feo, Cyprien Delpech de Saint Guilhem, Tako Boris Fouotsa, Péter Kutas, Antonin Leroux, Christophe Petit, Javier Silva, Benjamin Wesolowski
Public-key cryptography

We present Séta, a new family of public-key encryption schemes with post-quantum security based on isogenies of supersingular elliptic curves. It is constructed from a new family of trapdoor one-way functions, where the inversion algorithm uses Petit's so called torsion attacks on SIDH to compute an isogeny between supersingular elliptic curves given an endomorphism of the starting curve and images of torsion points. We prove the OW-CPA security of Séta and present an IND-CCA variant using...

2019/1289 (PDF) Last updated: 2019-11-07
On constant-time QC-MDPC decoding with negligible failure rate
Nir Drucker, Shay Gueron, Dusan Kostic
Public-key cryptography

The QC-MDPC code-based KEM Bit Flipping Key Encapsulation (BIKE) is one of the Round-2 candidates of the NIST PQC standardization project. It has a variant that is proved to be IND-CCA secure. The proof models the KEM with some black-box ("ideal") primitives. Specifically, the decapsulation invokes an ideal primitive called "decoder", required to deliver its output with a negligible Decoding Failure Rate (DFR). The concrete instantiation of BIKE substitutes this ideal primitive with a new...

2019/1278 (PDF) Last updated: 2019-11-05
An IND-CCA-Secure Code-Based EncryptionScheme Using Rank Metric
Hamad Al Shehhi, Emanuele Bellini, Filipe Borba, Florian Caullery, Marc Manzano, Victor Mateu
Cryptographic protocols

The use of rank instead of Hamming metric has been proposed to address the main drawback of code-based cryptography: large key sizes. There exist several Key Encapsulation Mechanisms (KEM) and Public Key Encryption (PKE) schemes using rank metric including some submissions to the NIST call for standardization of Post-Quantum Cryptography. In this work, we present an IND-CCA PKE scheme based on the McEliece adaptation to rank metric proposed by Loidreau at PQC 2017. This IND-CCA PKE scheme...

2019/1078 (PDF) Last updated: 2019-09-23
Puncturable Proxy Re-Encryption supporting to Group Messaging Service
Tran Viet Xuan Phuong, Willy Susilo, Jongkil Kim, Guomin Yang, Dongxi Liu
Public-key cryptography

This work envisions a new encryption primitive for many-to-many paradigms such as group messaging systems. Previously, puncturable encryption (PE) was introduced to provide forward security for asynchronous messaging services. However, existing PE schemes were proposed only for one-to-one communication, and causes a significant overhead for a group messaging system. In fact, the group communication over PE can only be achieved by encrypting a message multiple times for each receiver by the...

2019/1012 (PDF) Last updated: 2019-09-10
Simple and Efficient KDM-CCA Secure Public Key Encryption
Fuyuki Kitagawa, Takahiro Matsuda, Keisuke Tanaka
Public-key cryptography

We propose two efficient public key encryption (PKE) schemes satisfying key dependent message security against chosen ciphertext attacks (KDM-CCA security). The first one is KDM-CCA secure with respect to affine functions. The other one is KDM-CCA secure with respect to polynomial functions. Both of our schemes are based on the KDM-CPA secure PKE schemes proposed by Malkin, Teranishi, and Yung (EUROCRYPT 2011). Although our schemes satisfy KDM-CCA security, their efficiency overheads...

2019/948 (PDF) Last updated: 2021-06-02
Generic Side-channel attacks on CCA-secure lattice-based PKE and KEM schemes
Prasanna Ravi, Sujoy Sinha Roy, Anupam Chattopadhyay, Shivam Bhasin
Public-key cryptography

In this work, we demonstrate generic and practical side-channel assisted chosen ciphertext attacks on multiple LWE/LWR-based Public Key Encryption (PKE) and Key Encapsulation Mechanism (KEM) secure in the chosen ciphertext model (IND-CCA security). Firstly, we identified EM-based side-channel vulnerabilities in the error correcting codes (ECC) used in LWE/LWR-based schemes that enable to distinguish the value/validity of the codewords output from the decryption operation. We also identified...

2019/711 (PDF) Last updated: 2020-04-11
SIKE'd Up: Fast and Secure Hardware Architectures for Supersingular Isogeny Key Encapsulation
Brian Koziel, A-Bon Ackie, Rami El Khatib, Reza Azarderakhsh, Mehran Mozaffari-Kermani
Implementation

In this work, we present a fast parallel architecture to perform supersingular isogeny key encapsulation (SIKE). We propose and implement a fast isogeny accelerator architecture that uses fast and parallelized isogeny formulas. On top of our isogeny accelerator, we build a novel architecture for the SIKE primitive, which provides both quantum and IND-CCA security. Since SIKE can support static keys, we propose and implement additional differential power analysis countermeasures. We...

2019/590 (PDF) Last updated: 2019-09-20
Tighter proofs of CCA security in the quantum random oracle model
Nina Bindel, Mike Hamburg, Kathrin Hövelmanns, Andreas Hülsing, Edoardo Persichetti
Public-key cryptography

[Modified slightly because MathJax doesn't render $U^{notbot}$ correctly] We revisit the construction of IND-CCA secure key encapsulation mechanisms (KEM) from public-key encryption schemes (PKE). We give new, tighter security reductions for several constructions. Our main result is a tight reduction for the security of the $U^{notbot}$-transform of Hofheinz, Hövelmanns, and Kiltz (TCC'17) which turns OW-CPA secure deterministic PKEs into IND-CCA secure KEMs. This result is enabled by a new...

2019/510 (PDF) Last updated: 2019-05-20
Tweaking the Asymmetry of Asymmetric-Key Cryptography on Lattices: KEMs and Signatures of Smaller Sizes
Jiang Zhang, Yu Yu, Shuqin Fan, Zhenfeng Zhang, Kang Yang
Public-key cryptography

Lattice-based cryptosystems are less efficient than their number-theoretic counterparts (based on RSA, discrete logarithm, etc.) in terms of key and ciphertext (signature) sizes. For adequate security the former typically needs thousands of bytes while in contrast the latter only requires at most hundreds of bytes. This significant difference has become one of the main concerns in replacing currently deployed public-key cryptosystems with lattice-based ones. Observing the inherent...

2019/494 (PDF) Last updated: 2021-12-09
On the non-tightness of measurement-based reductions for key encapsulation mechanism in the quantum random oracle model
Haodong Jiang, Zhenfeng Zhang, Zhi Ma
Public-key cryptography

Key encapsulation mechanism (KEM) variants of the Fujisaki-Okamoto (FO) transformation (TCC 2017) that turn a weakly-secure public-key encryption (PKE) into an IND-CCA-secure KEM, were widely used among the KEM submissions to the NIST Post-Quantum Cryptography Standardization Project. Under the standard CPA security assumptions, i.e., OW-CPA and IND-CPA, the security of these variants in the quantum random oracle model (QROM) has been proved by black-box reductions, e.g., Jiang et al....

2019/292 (PDF) Last updated: 2019-09-03
Timing attacks on Error Correcting Codes in Post-Quantum Schemes
Jan-Pieter D'Anvers, Marcel Tiepelt, Frederik Vercauteren, Ingrid Verbauwhede
Public-key cryptography

While error correcting codes (ECC) have the potential to significantly reduce the failure probability of post-quantum schemes, they add an extra ECC decoding step to the algorithm. Even though this additional step does not compute directly on the secret key, it is susceptible to side-channel attacks. We show that if no precaution is taken, it is possible to use timing information to distinguish between ciphertexts that result in an error before decoding and ciphertexts that do not contain...

2019/291 (PDF) Last updated: 2021-06-04
CCA Security and Trapdoor Functions via Key-Dependent-Message Security
Fuyuki Kitagawa, Takahiro Matsuda, Keisuke Tanaka
Public-key cryptography

We study the relationship among public-key encryption (PKE) satisfying indistinguishability against chosen plaintext attacks (IND-CPA security), that against chosen ciphertext attacks (IND-CCA security), and trapdoor functions (TDF). Specifically, we aim at finding a unified approach and some additional requirement to realize IND-CCA secure PKE and TDF based on IND-CPA secure PKE, and show the following two main results. As the first main result, we show how to achieve IND-CCA security via...

2019/090 (PDF) Last updated: 2019-05-03
Round5: Compact and Fast Post-Quantum Public-Key Encryption
Hayo Baan, Sauvik Bhattacharya, Scott Fluhrer, Oscar Garcia-Morchon, Thijs Laarhoven, Ronald Rietman, Markku-Juhani O. Saarinen, Ludo Tolhuizen, Zhenfei Zhang
Public-key cryptography

We present the ring-based configuration of the NIST submission Round5, a Ring Learning with Rounding (RLWR)- based IND-CPA secure public-key encryption scheme. It combines elements of the NIST candidates Round2 (use of RLWR as underlying problem, having $1+x+\ldots +x^n$ with $n+1$ prime as reduction polynomial, allowing for a large design space) and HILA5 (the constant-time error-correction code XEf). Round5 performs part of encryption, and decryption via multiplication in...

2019/052 (PDF) Last updated: 2019-01-25
Key Encapsulation Mechanism with Explicit Rejection in the Quantum Random Oracle Model
Haodong Jiang, Zhenfeng Zhang, Zhi Ma

The recent post-quantum cryptography standardization project launched by NIST increased the interest in generic key encapsulation mechanism (KEM) constructions in the quantum random oracle (QROM). Based on a OW-CPA-secure public-key encryption (PKE), Hofheinz, Hövelmanns and Kiltz (TCC 2017) first presented two generic constructions of an IND-CCA-secure KEM with quartic security loss in the QROM, one with implicit rejection (a pseudorandom key is return for an invalid ciphertext) and the...

2018/1087 (PDF) Last updated: 2019-03-20
Breaking the confidentiality of OCB2
Bertram Poettering
Secret-key cryptography

OCB2 is a widely standardized mode of operation of a blockcipher that aims at providing authenticated encryption. A recent report by Inoue and Minematsu (IACR EPRINT report 2018/1040) indicates that OCB2 does not meet this goal. Concretely, by describing simple forging attacks the authors evidence that the (sub)goal of authenticity is not reached. The report does not question the confidentiality offered by OCB2. In this note we show how the attacks of Inoue and Minematsu can be extended to...

2018/998 Last updated: 2018-12-03
A Key Recovery Attack on Streamlined NTRU Prime
Chen Li

For years, researchers have been engaged in finding new cryptography schemes with high security and efficiency that can resist against the attacking from quantum computers. Lattice-based cryptography scheme is believed as a promising candidate. But to achieve both high efficiency and high security is not easy. Until recently, some Lattice-based schemes with enough efficiency have been proposed and submitted to the post-quantum cryptography standardization project that initiated by NIST....

2018/884 (PDF) Last updated: 2019-04-02
Key Encapsulation from Noisy Key Agreement in the Quantum Random Oracle Model
Alan Szepieniec, Reza Reyhanitabar, Bart Preneel
Public-key cryptography

A multitude of post-quantum key encapsulation mechanisms (KEMs) and public key encryption (PKE) schemes implicitly rely on a protocol by which Alice and Bob exchange public messages and converge on secret values that are identical up to some small noise. By our count, 24 out of 49 KEM or PKE submissions to the NIST Post-Quantum Cryptography Standardization project follow this strategy. Yet the notion of a noisy key agreement (NKA) protocol lacks a formal definition as a primitive in its own...

2018/883 (PDF) Last updated: 2018-09-23
Public Key Encryption Resilient to Post-Challenge Leakage and Tampering Attacks
Suvradip Chakraborty, C. Pandu Rangan
Public-key cryptography

In this paper, we introduce a new framework for constructing public-key encryption (PKE) schemes resilient to joint post-challenge/after-the-fact leakage and tampering attacks in the bounded leakage and tampering (BLT) model, introduced by Damgård et al. (Asiacrypt 2013). All the prior formulations of PKE schemes considered leakage and tampering attacks only before the challenge ciphertext is made available to the adversary. However, this restriction seems necessary, since achieving security...

2018/838 (PDF) Last updated: 2021-08-25
(Tightly) QCCA-Secure Key-Encapsulation Mechanism in the Quantum Random Oracle Model
Keita Xagawa, Takashi Yamakawa
Public-key cryptography

This paper studies indistinguishability against quantum chosen-ciphertext attacks (IND-qCCA security) of key-encapsulation mechanisms (KEMs) in quantum random oracle model (QROM). We show that the SXY conversion proposed by Saito, Yamakawa, and Xagawa (EUROCRYPT 2018) and the HU conversion proposed by Jiang, Zhang, and Ma (PKC 2019) turn a weakly-secure deterministic public-key encryption scheme into an IND-qCCA-secure KEM scheme in the QROM. The proofs are very similar to those for the...

2018/636 (PDF) Last updated: 2018-07-04
Lattice-Based Dual Receiver Encryption and More
Daode Zhang, Kai Zhang, Bao Li, Xianhui Lu, Haiyang Xue, Jie Li

Dual receiver encryption (DRE), proposed by Diament et al. at ACM CCS 2004, is a special extension notion of public-key encryption, which enables two independent receivers to decrypt a ciphertext into a same plaintext. This primitive is quite useful in designing combined public key cryptosystems and denial of service attack-resilient protocols. Up till now, a series of DRE schemes are constructed from bilinear pairing groups and lattices. In this work, we introduce a construction of...

2018/583 (PDF) Last updated: 2018-06-12
Ring Homomorphic Encryption Schemes
Mugurel Barcau, Vicentiu Pasol
Public-key cryptography

We analyze the structure of commutative ring homomorphic encryption schemes and show that they are not quantum IND-CCA secure.

2018/484 (PDF) Last updated: 2019-07-11
Authenticated Encryption with Nonce Misuse and Physical Leakages: Definitions, Separation Results, and Leveled Constructions
Chun Guo, Olivier Pereira, Thomas Peters, François-Xavier Standaert
Secret-key cryptography

We propose definitions and constructions of authenticated encryption (AE) schemes that offer security guarantees even in the presence of nonce misuse and side-channel leakages. This is part of an important ongoing effort to make AE more robust, while preserving appealing efficiency properties. Our definitions consider an adversary enhanced with the leakages of all the computations of an AE scheme, together with the possibility to misuse nonces, be it during all queries (in the spirit of...

2018/230 (PDF) Last updated: 2019-03-18
Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM
Jan-Pieter D’Anvers, Angshuman Karmakar, Sujoy Sinha Roy, Frederik Vercauteren
Public-key cryptography

In this paper, we introduce Saber, a package of cryptographic primitives whose security relies on the hardness of the Module Learning With Rounding problem (Mod-LWR). We first describe a secure Diffie-Hellman type key exchange protocol, which is then transformed into an IND-CPA encryption scheme and finally into an IND-CCA secure key encapsulation mechanism using a post-quantum version of the Fujisaki-Okamoto transform. The design goals of this package were simplicity, efficiency and...

2018/135 (PDF) Last updated: 2018-02-07
A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT
Daniel Jost, Christian Badertscher, Fabio Banfi

The security for authenticated encryption schemes is often captured by demanding CCA security (IND-CCA) and integrity of plaintexts (INT-PTXT). In this short note, we prove that this implies in particular integrity of ciphertexts, i.e., INT-CTXT. Hence, the two sets of requirements mentioned in the title are equivalent.

2017/1214 (PDF) Last updated: 2018-03-09
HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction
Daniel J. Bernstein, Leon Groot Bruinderink, Tanja Lange, Lorenz Panny
Public-key cryptography

We show that the NISTPQC submission HILA5 is not secure against chosen-ciphertext attacks. Specifically, we demonstrate a key-recovery attack on HILA5 using an active attack on reused keys. The attack works around the error correction in HILA5. The attack applies to the HILA5 key-encapsulation mechanism (KEM), and also to the public-key encryption mechanism (PKE) obtained by NIST's procedure for combining the KEM with authenticated encryption. This contradicts the most natural interpretation...

2017/1096 (PDF) Last updated: 2019-07-03
IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited
Haodong Jiang, Zhenfeng Zhang, Long Chen, Hong Wang, Zhi Ma
Public-key cryptography

With the gradual progress of NIST's post-quantum cryptography standardization, the Round-1 KEM proposals have been posted for public to discuss and evaluate. Among the IND-CCA-secure KEM constructions, mostly, an IND-CPA-secure (or OW-CPA-secure) public-key encryption (PKE) scheme is first introduced, then some generic transformations are applied to it. All these generic transformations are constructed in the random oracle model (ROM). To fully assess the post-quantum security, security...

2017/1037 (PDF) Last updated: 2017-12-28
DAGS: Key Encapsulation using Dyadic GS Codes
Gustavo Banegas, Paulo S. L. M. Barreto, Brice Odilon Boidje, Pierre-Louis Cayrel, Gilbert Ndollane Dione, Kris Gaj, Cheikh Thiecoumba Gueye, Richard Haeussler, Jean Belo Klamti, Ousmane N'diaye, Duc Tri Nguyen, Edoardo Persichetti, Jefferson E. Ricardini

Code-based Cryptography is one of the main areas of interest for the Post-Quantum Cryptography Standardization call. In this paper, we introduce DAGS, a Key Encapsulation Mechanism (KEM) based on Quasi-Dyadic Generalized Srivastava codes. The scheme is proved to be IND-CCA secure in both Random Oracle Model and Quantum Random Oracle Model. We believe that DAGS will offer competitive performance, especially when compared with other existing code-based schemes, and represent a valid candidate...

2017/1005 (PDF) Last updated: 2021-08-25
Tightly-Secure Key-Encapsulation Mechanism in the Quantum Random Oracle Model
Tsunekazu Saito, Keita Xagawa, Takashi Yamakawa
Public-key cryptography

Key-encapsulation mechanisms secure against chosen ciphertext attacks (IND-CCA-secure KEMs) in the quantum random oracle model have been proposed by Boneh, Dagdelen, Fischlin, Lehmann, Schafner, and Zhandry (CRYPTO 2012), Targhi and Unruh (TCC 2016-B), and Hofheinz, Hövelmanns, and Kiltz (TCC 2017). However, all are non-tight and, in particular, security levels of the schemes obtained by these constructions are less than half of original security levels of their building blocks. In this...

2017/853 (PDF) Last updated: 2017-09-10
Generic Forward-Secure Key Agreement Without Signatures
Cyprien de Saint Guilhem, Nigel P. Smart, Bogdan Warinschi
Cryptographic protocols

We present a generic, yet simple and efficient transformation to obtain a forward secure authenticated key exchange protocol from a two-move passively secure unauthenticated key agreement scheme (such as standard Diffie--Hellman or Frodo or NewHope). Our construction requires only an IND-CCA public key encryption scheme (such as RSA-OAEP or a method based on ring-LWE), and a message authentication code. Particularly relevant in the context of the state-of-the-art of postquantum secu re...

2017/604 (PDF) Last updated: 2021-11-02
A Modular Analysis of the Fujisaki-Okamoto Transformation
Dennis Hofheinz, Kathrin Hövelmanns, Eike Kiltz
Public-key cryptography

The Fujisaki-Okamoto (FO) transformation (CRYPTO 1999 and Journal of Cryptology 2013) turns any weakly secure public-key encryption scheme into a strongly (i.e., IND-CCA) secure one in the random oracle model. Unfortunately, the FO analysis suffers from several drawbacks, such as a non-tight security reduction, and the need for a perfectly correct scheme. While several alternatives to the FO transformation have been proposed, they have stronger requirements, or do not obtain all desired...

2017/510 (PDF) Last updated: 2017-08-21
Hedging Public-Key Encryption in the Real World
Alexandra Boldyreva, Christopher Patton, Thomas Shrimpton
Public-key cryptography

Hedged PKE schemes are designed to provide useful security when the per-message randomness fails to be uniform, say, due to faulty implementations or adversarial actions. A simple and elegant theoretical approach to building such schemes works like this: Synthesize fresh random bits by hashing all of the encryption inputs, and use the resulting hash output as randomness for an underlying PKE scheme. The idea actually goes back to the Fujisaki-Okamoto transform for turning CPA-secure...

2017/441 (PDF) Last updated: 2017-10-10
New Approach to Practical Leakage-Resilient Public-Key Cryptography
Suvradip Chakraborty, Janaka Alawatugoda, C. Pandu Rangan

We present a new approach to construct several leakage-resilient cryptographic primitives, including leakage-resilient public-key encryption (PKE) schemes, authenticated key exchange (AKE) protocols and low-latency key exchange (LLKE) protocols. To this end, we introduce a new primitive called leakage-resilient non-interactive key exchange (LR-NIKE) protocol. We introduce a generic security model for LR-NIKE protocols, which can be instantiated in both the bounded and continuous-memory...

2017/354 (PDF) Last updated: 2017-06-27
Tightly Secure Ring-LWE Based Key Encapsulation with Short Ciphertexts
Martin R. Albrecht, Emmanuela Orsini, Kenneth G. Paterson, Guy Peer, Nigel P. Smart
Public-key cryptography

We provide a tight security proof for an IND-CCA Ring-LWE based Key Encapsulation Mechanism that is derived from a generic construction of Dent (IMA Cryptography and Coding, 2003). Such a tight reduction is not known for the generic construction. The resulting scheme has shorter ciphertexts than can be achieved with other generic constructions of Dent or by using the well-known Fujisaki-Okamoto constructions (PKC 1999, Crypto 1999). Our tight security proof is obtained by reducing to the...

2017/222 Last updated: 2019-08-21
A Note on Obtain Confidentiality or/ and Authenticity in Big Data by ID-Based Generalized Signcryption
Nizamud Dina, Arif Iqbal Umar, Abdul Waheed, Noor ul Amin
Public-key cryptography

ID based generalized signcryption can adaptively work as a signature scheme, an encryption scheme or a signcryption scheme and avoid weighty and complicated certificate management like Public Key Infrastructure. It has application in emerging paradigm big data security. Recently,Wei et al proposed a new ID based generalized signcryption scheme to obtain con…dentiality or/and authenticity in big data, and claimed that their scheme is provably secure in standard model. Unfortunately, by...

2016/1126 (PDF) Last updated: 2017-07-06
Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR
Jung Hee Cheon, Duhyeong Kim, Joohee Lee, Yongsoo Song

The LWE problem has been widely used in many constructions for post-quantum cryptography due to its strong security reduction from the worst-case of lattice hard problems and its lightweight operations. The PKE schemes based on the LWE problem have a simple and fast decryption, but the encryption phase is rather slow due to large parameter size for the leftover hash lemma or expensive Gaussian samplings. In this paper, we propose a novel PKE scheme, called Lizard, without relying on either...

2016/1055 (PDF) Last updated: 2016-11-21
A Practical Post-Quantum Public-Key Cryptosystem Based on spLWE
Jung Hee Cheon, Kyoo Hyung Han, Jinsu Kim, Changmin Lee, Yongha Son

The Learning with Errors (LWE) problem has been widely used as a hardness assumption to construct public-key primitives. In this paper, we propose an efficient instantiation of a PKE scheme based on LWE with a sparse secret, named as spLWE. We first construct an IND-CPA PKE and convert it to an IND-CCA scheme in the quantum random oracle model by applying a modified Fujisaki-Okamoto conversion of Unruh. In order to guarantee the security of our base problem suggested in this paper, we...

2016/858 (PDF) Last updated: 2016-09-08
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
Qian Guo, Thomas Johansson, Paul Stankovski

Algorithms for secure encryption in a post-quantum world are currently receiving a lot of attention in the research community, including several larger projects and a standardization effort from NIST. One of the most promising algorithms is the code-based scheme called QC-MDPC, which has excellent performance and a small public key size. In this work we present a very efficient key recovery attack on the QC-MDPC scheme using the fact that decryption uses an iterative decoding step and this...

2016/342 (PDF) Last updated: 2016-06-27
On the Selective Opening Security of Practical Public-Key Encryption Schemes
Felix Heuer, Tibor Jager, Eike Kiltz, Sven Schäge
Public-key cryptography

We show that two well-known and widely employed public-key encryption schemes -- RSA Optimal Asymmetric Encryption Padding (RSA-OAEP) and Diffie-Hellman Integrated Encryption Scheme (DHIES), instantiated with a one-time pad, -- are secure under (the strong, simulation-based security notion of) selective opening security against chosen-ciphertext attacks in the random oracle model. Both schemes are obtained via known generic transformations that transform relatively weak primitives (with...

2016/293 (PDF) Last updated: 2016-03-17
A Parametric Family of Attack Models for Proxy Re-Encryption
David Nuñez, Isaac Agudo, Javier Lopez
Public-key cryptography

Proxy Re-Encryption (PRE) is a type of Public-Key Encryption (PKE) that provides an additional re-encryption functionality. Although PRE is inherently more complex than PKE, attack models for PRE have not been developed further than those inherited from PKE. In this paper we address this gap and define a parametric family of attack models for PRE, based on the availability of both the decryption and re-encryption oracles during the security game. This family enables the definition of...

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.