Key-dependent Message Security Research Articles

KDM Security IBE Based on LWE beyond Affine Functions

Key-dependent message (KDM) security identity-based encryption (IBE) schemes aim to solve the security risks caused by the dependency between plaintext and secret keys in traditional IBE schemes. However, current KDM-IBE schemes are only secure with respect to affine functions, which limits their security level when a message is derived from the evaluation of a polynomial function using the secret key. To address this issue, in this study, we propose a novel approach to construct a KDM-IBE scheme with respect to polynomial or even arbitrary functions that achieves maximum security based on the learning with errors (LWE) assumption. Our approach overcomes two major technical barriers to constructing KDM-IBE schemes with respect to polynomial functions. Compared to existing KDM-IBE schemes, our proposed scheme ensures the secrecy of the key-related plaintext, even when it is obtained using arbitrary functions, not just affine functions. Thus, our approach provides a more robust solution to the security risks inherent in traditional IBE schemes.

Efficient Lattice-Based Cryptosystems with Key Dependent Message Security

Key-dependent message (KDM) security is of great research significance, to better analyse and solve the potential security problems in complex application scenarios. Most of the current KDM security schemes are based on traditional hard mathematical problems, where the public key and ciphertext are not compact enough, and make the ciphertext size grow linearly with the degree of the challenge functions. To solve the above problems and the inefficient ciphertext operation, the authors propose a compact lattice-based cryptosystem with a variant of the RLWE problem, which applies an invertible technique to obtain the RLWE* problem. It remains hard after the modification from the RLWE problem. Compared with the ACPS scheme, our scheme further expands the set of challenge functions based on the affine function of the secret key, and the size of public key and ciphertext is O˜(n), which is independent of the challenge functions. In addition, this scheme enjoys a high level of efficiency, the cost of encryption and decryption is only ploylog(n) bit operations per message symbol, and we also prove that our scheme is KDM-CPA secure under the RLWE* assumption.

Security of Symmetric Primitives against Key-Correlated Attacks

We study the security of symmetric primitives against key-correlated attacks (KCA), whereby an adversary can arbitrarily correlate keys, messages, and ciphertexts. Security against KCA is required whenever a primitive should securely encrypt key-dependent data, even when it is used under related keys. KCA is a strengthening of the previously considered notions of related-key attack (RKA) and key-dependent message (KDM) security. This strengthening is strict, as we show that 2-round Even–Mansour fails to be KCA secure even though it is both RKA and KDM secure. We provide feasibility results in the ideal-cipher model for KCAs and show that 3-round Even–Mansour is KCA secure under key offsets in the random-permutation model. We also give a natural transformation that converts any authenticated encryption scheme to a KCA-secure one in the random-oracle model. Conceptually, our results allow for a unified treatment of RKA and KDM security in idealized models of computation.

Security of Symmetric Primitives against Key-Correlated Attacks

We study the security of symmetric primitives against key-correlated attacks (KCA), whereby an adversary can arbitrarily correlate keys, messages, and ciphertexts. Security against KCA is required whenever a primitive should securely encrypt key-dependent data, even when it is used under related keys. KCA is a strengthening of the previously considered notions of related-key attack (RKA) and key-dependent message (KDM) security. This strengthening is strict, as we show that 2-round Even–Mansour fails to be KCA secure even though it is both RKA and KDM secure. We provide feasibility results in the ideal-cipher model for KCAs and show that 3-round Even–Mansour is KCA secure under key offsets in the random-permutation model. We also give a natural transformation that converts any authenticated encryption scheme to a KCA-secure one in the random-oracle model. Conceptually, our results allow for a unified treatment of RKA and KDM security in idealized models of computation.

On the KDM-CCA Security from Partial Trapdoor One-Way Family in the Random Oracle Model

Abstract In PKC 2000, Pointcheval presented a generic technique to make a highly secure cryptosystem from any partially trapdoor one-way function in the random oracle model. More precisely, any suitable problem providing a one-way cryptosystem can be efficiently derived into a chosen-ciphertext attack (CCA) secure public key encryption (PKE) scheme. In fact, the overhead only consists of two hashing and a XOR. In this paper, we consider the key-dependent message (KDM) security of the Pointcheval’s transformation. Unfortunately, we do not know how to directly prove its KDM-CCA security because there are some details in the proof that we can not bypass. However, a slight modification of the original transformation (we call twisted Pointcheval’s scheme) makes it possible to obtain the KDM-CCA security. As a result, we prove that the twisted Pointcheval’s scheme achieves the KDM-CCA security without introducing any new assumption. That is, we can construct a KDM-CCA secure PKE scheme from partial trapdoor one-way injective family in the random oracle model.

KDM security for identity-based encryption: Constructions and separations

For encryption schemes, key dependent message (KDM) security requires that ciphertexts preserve secrecy even when the messages to be encrypted depend on the secret keys. While KDM security has been extensively studied for public-key encryption (PKE), it receives much less attention in the setting of identity-based encryption (IBE). In this work, we focus on the KDM security for IBE. Our results are threefold.We first propose a generic approach to transfer the KDM security results (both positive and negative) from PKE to IBE. At the heart of our approach is a neat structure-mirroring PKE-to-IBE transformation based on indistinguishability obfuscation and puncturable PRFs, which establishes a connection between PKE and IBE in general. However, the obtained results are restricted to selective-identity sense. We then concentrate on results in adaptive-identity sense.On the positive side, we present two constructions that achieve KDM security in the adaptive-identity sense for the first time. One is built from identity-based hash proof system (IB-HPS) with homomorphic property. The other is built from indistinguishability obfuscation and a new notion named puncturable unique signature, which is bounded KDM-secure in the single-key setting.On the negative side, we separate CPA/CCA security from n-circular security (which is a prototypical case of KDM security) for IBE by giving a counterexample based on differing-inputs obfuscation and a new notion named puncturable IBE. We further propose a general framework for generating n-circular security counterexamples in identity-based setting, which might be of independent interest.

Security of Even–Mansour Ciphers under Key-Dependent Messages

The iterated Even–Mansour (EM) ciphers form the basis of many blockcipher designs. Several results have established their security in the CPA/CCA models, under related-key attacks, and in the indifferentiability framework. In this work, we study the Even–Mansour ciphers under key-dependent message (KDM) attacks. KDM security is particularly relevant for blockciphers since non-expanding mechanisms are convenient in setting such as full disk encryption (where various forms of key-dependency might exist). We formalize the folklore result that the ideal cipher is KDM secure. We then show that EM ciphers meet varying levels of KDM security depending on the number of rounds and permutations used. One-round EM achieves some form of KDM security, but this excludes security against offsets of keys. With two rounds we obtain KDM security against offsets, and using different round permutations we achieve KDM security against all permutation-independent claw-free functions. As a contribution of independent interest, we present a modular framework that can facilitate the security treatment of symmetric constructions in models that allow for correlated inputs.

Security of Even-Mansour Ciphers under Key-Dependent Messages

The iterated Even–Mansour (EM) ciphers form the basis of many blockcipher designs. Several results have established their security in the CPA/CCA models, under related-key attacks, and in the indifferentiability framework. In this work, we study the Even–Mansour ciphers under key-dependent message (KDM) attacks. KDM security is particularly relevant for blockciphers since non-expanding mechanisms are convenient in setting such as full disk encryption (where various forms of key-dependency might exist). We formalize the folklore result that the ideal cipher is KDM secure. We then show that EM ciphers meet varying levels of KDM security depending on the number of rounds and permutations used. One-round EM achieves some form of KDM security, but this excludes security against offsets of keys. With two rounds we obtain KDM security against offsets, and using different round permutations we achieve KDM security against all permutation-independent claw-free functions. As a contribution of independent interest, we present a modular framework that can facilitate the security treatment of symmetric constructions in models that allow for correlated inputs.

Low Noise LPN: Key dependent message secure public key encryption an sample amplification

Cryptographic schemes based on the learning parity with noise (LPN) problem have several very desirable aspects: low computational overhead, simple implementation and conjectured post-quantum hardness. Choosing the LPN noise parameter sufficiently low allows for public key cryptography. In this study, the authors construct the first standard model public key encryption scheme with key dependent message security based solely on the low-noise LPN problem. Additionally, they establish a new connection between LPN with a bounded number of samples and LPN with an unbounded number of samples. In essence, they show that if LPN with a small error and a small number of samples is hard, then LPN with a slightly larger error and an unbounded number of samples is also hard. The key technical ingredient to establish both results is a variant of the LPN problem called the extended LPN problem.

Garbling XOR Gates “For Free” in the Standard Model

Yao's garbled circuit (GC) technique is a powerful cryptographic tool which allows to encrypt a circuit $$C$$C by another circuit $${\hat{C}}$$C^ in a way that hides all information except the final output. Yao's original construction incurs a constant overhead in both computation and communication per gate of the circuit $$C$$C (proportional to the complexity of symmetric encryption). Kolesnikov and Schneider (ICALP 2008) introduced an optimized variant that garbles XOR gates for free in a way that involves no cryptographic operations and no communication. This variant has become very popular and has lead to notable performance improvements. The security of the free-XOR optimization was originally proved in the random oracle model. Despite some partial progress (Choi et al., TCC 2012), the question of replacing the random oracle with a standard cryptographic assumption has remained open. We resolve this question by showing that the free-XOR approach can be realized in the standard model under the learning parity with noise (LPN) assumption. Our result is obtained in two steps:1.We show that the random oracle can be replaced with a symmetric encryption, which remains secure under a combined form of related-key (RK) and key-dependent message (KDM) attacks.2.We show that such a symmetric encryption can be constructed based on the LPN assumption. As an additional contribution, we prove that the combination of RK and KDM security is nontrivial in the following sense: There exists an encryption scheme which achieves RK security and KDM security separately, but breaks completely at the presence of combined RK-KDM attacks.

New method of key-dependent message security for asymmetric encryption

Key-dependent message KDM security should be considered in the design of security protocols, especially for complicated ones, where the messages related to the secret key might be encrypted. In this paper, we present a new method of constructing a KDM secure asymmetric encryption scheme with the notation of hybrid encryption in the standard model; although the notation of hybrid encryption was thought as no help to get rid of dependencies between messages and the secret key. Our result can also be seen as a partial instantiation for a previously well-known KDM secure asymmetric encryption scheme based on random oracle. As we know, this has never been carried out before. And our result indicates a new cryptographic application for the primitive of lossy trapdoor function. Throughout the paper, our main idea is to archive KDM security by making use of both leakage-resilience and auxiliary-input security properties. Copyright © 2014 John Wiley & Sons, Ltd.

Construction of a key-dependent message secure symmetric encryption scheme in the ideal cipher model

Key-dependent message (KDM) security is an important security issue that has attracted much research in recent years. In this paper, we present a new construction of the symmetric encryption scheme in the the ideal cipher model (ICM); we prove that our scheme is KDM secure against active attacks with respect to arbitrary polynomialtime challenge functions. Our main idea is to introduce a universal hash function (UHF) h as a random value for each encryption, and then use s = h(sk) as the key of the ideal cipher F, where sk is the private key of our symmetric encryption scheme. Although many other schemes that are secure against KDM attacks have already been proposed, in both the ideal standard models, the much more significance of our paper is the simplicity in which we implement KDM security against active attacks.

Key-Dependent Message Security: Generic Amplification and Completeness

Key-dependent message (KDM) secure encryption schemes provide secrecy even when the attacker sees encryptions of messages related to the secret-key sk. Namely, the scheme should remain secure even when messages of the form f(sk) are encrypted, where f is taken from some function class $\mathcal{F}$ . A KDM amplification procedure takes an encryption scheme which satisfies $\mathcal{F}$ -KDM security, and boosts it into a $\mathcal{G}$ -KDM secure scheme, where the function class $\mathcal{G}$ should be richer than $\mathcal{F}$ . It was recently shown by Brakerski et al. (TCC 2011) and Barak et al. (EUROCRYPT 2010) that a strong form of amplification is possible, provided that the underlying encryption scheme satisfies some special additional properties. In this work, we prove the first generic KDM amplification theorem which relies solely on the KDM security of the underlying scheme without making any other assumptions. Specifically, we show that an elementary form of KDM security against functions in which each output bit either copies or flips a single bit of the key (a.k.a. projections) can be amplified into KDM security with respect to any function family that can be computed in arbitrary fixed polynomial-time. Furthermore, our amplification theorem and its proof are insensitive to the exact setting of KDM security, and they hold in the presence of multiple-keys and in the symmetric-key/public-key and the CPA/CCA cases. As a result, we can amplify the security of most known KDM constructions, including ones that could not be amplified before. Finally, we study the minimal conditions under which full-KDM security (with respect to all functions) can be achieved. We show that under strong notion of KDM security, the existence of fully homomorphic encryption which allows to encrypt the secret-key (i.e., cyclic-secure) is not only sufficient for full-KDM security, as shown by Barak et al., but also necessary. On the other hand, we observe that for standard KDM security, this condition can be relaxed by adopting Gentry's bootstrapping technique (STOC 2009) to the KDM setting.

A Latticed-Based Public Key Encryption with KDM Security from R-LWE

Since the introduction of the ring learning with errors (R-LWE) by Lyubashevsky, Peikert and Regev, many efficient and secure applications were founded in cryptography. In this paper, we mainly present an efficient public-key encryption scheme based on the R-LWE assumption. It is very simple to describe and analyze. As well as it can achieve security against certain key-dependent message (KDM) attacks. Namely, this efficient encryption scheme can securely encrypt its own secret key. The security of this scheme follows from the already proven hardness of the R-LWE problem since the R-LWE assumption is reducible to worst-case problems on the ideal lattice. Besides, the scheme enjoys a high level efficiency and low cost since the operations of the scheme are very simple and fast. The cost of both the encryption and decryption is only polylog(n) bit per message symbol.

Key-dependent message security under active attacks - BRSIM/UC-soundness of Dolev-Yao-style encryption with key cycles

Key-dependent message (KDM) security was introduced by Black, Rogaway and Shrimpton to address the case where key cycles occur among encryptions, e.g., a key is encrypted with itself. It was mainly...

Key-dependent message security under active attacks – BRSIM/UC-soundness of Dolev–Yao-style encryption with key cycles

Key-dependent message (KDM) security was introduced by Black, Rogaway and Shrimpton to address the case where key cycles occur among encryptions, e.g., a key is encrypted with itself. It was mainly motivated by key cycles in Dolev–Yao models, i.e., symbolic abstractions of cryptography by term alge bras, and a corresponding computational soundness result was later shown by Adão et al. However, both the KDM definition and this soundness result do not allow the general active attacks typical for Dolev–Yao models or for security protocols in general. We extend these definitions to obtain a soundness result under active attacks. We first present a definition AKDM (adaptive KDM) as a KDM equivalent of authenticated symmetric encryption, i.e., it provides chosen-ciphertext security and integrity of ciphertexts for key cycles. However, this is not yet sufficient for the desired computational soundness result and thus we define DKDM (dynamic KDM) that additionally allows limited dynamic revelation of keys. We show that DKDM is sufficient for computational soundness, even in the strong sense of blackbox reactive simulatability (BRSIM)/UC and in cases with joint terms with other operators. We also build on current KDM-secure schemes to construct schemes secure under the new definitions. Moreover, we prove implications or construct separating examples, respectively, for new definitions and existing ones for symmetric encryption.