Understanding and Constructing AKE via Double-Key Key Encapsulation Mechanism

  • Haiyang Xue
  • Xianhui Lu (email author)
  • Bao Li
  • Bei Liang
  • Jingnan He
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)

Abstract

Motivated by abstracting the common idea behind several implicitly authenticated key exchange (AKE) protocols, we introduce a primitive that we call double-key key encapsulation mechanism (2-key KEM). It is a special type of KEM involving two pairs of secret-public keys and satisfying certain functional and security properties. Such a 2-key KEM serves as the core building block and provides alternative approaches to simplify the constructions of AKE. To demonstrate the usefulness of 2-key KEM, we show how several existing constructions of AKE can be captured as 2-key KEM and understood in a unified framework, including the widely used HMQV, NAXOS, Okamoto-AKE, and FSXY12-13 schemes. Then, we show (1) how to construct 2-key KEM from concrete assumptions, (2) how to adapt the classical Fujisaki-Okamoto transformation and KEM combiner to achieve the security requirement of 2-key KEM, and (3) an elegant Kyber-AKE over lattices using the improved Fujisaki-Okamoto technique.
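To make the "two pairs of secret-public keys" idea concrete, here is an added toy illustration (not the paper's construction or formal definition): a KEM that encapsulates to two public keys at once and derives the session key in the KEM-combiner style, binding it to both shared secrets and both ciphertexts, so that decapsulation requires both secret keys. The group parameters and the `keygen`/`encaps`/`decaps` names are assumptions made for this example; the construction is for exposition only and does not demonstrate the paper's security property.

```python
# Added illustration of a two-key KEM, not the paper's scheme.
# Plain modular Diffie-Hellman over a constructed toy group; exposition only.
import hashlib
import secrets

# Constructed toy parameters (assumption): a 255-bit prime modulus with
# generator 2. A real deployment would use a vetted group or a vetted KEM.
P = 2**255 - 19
G = 2


def keygen():
    """One secret/public key pair: sk uniform in [1, P-2], pk = G^sk mod P."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def _kdf(shared1, shared2, ct1, ct2):
    """KEM-combiner-style key derivation: the output depends on BOTH shared
    secrets and BOTH ciphertexts, so changing any one of them changes the key."""
    data = b"".join(x.to_bytes(32, "big") for x in (shared1, shared2, ct1, ct2))
    return hashlib.sha256(b"2key-kem-toy" + data).digest()


def encaps(pk1, pk2):
    """Encapsulate to two public keys (think: one static, one ephemeral).
    Returns the pair of ciphertexts and the derived session key."""
    r1, _ = keygen()
    r2, _ = keygen()
    ct1, ct2 = pow(G, r1, P), pow(G, r2, P)
    key = _kdf(pow(pk1, r1, P), pow(pk2, r2, P), ct1, ct2)
    return (ct1, ct2), key


def decaps(sk1, sk2, ct):
    """Decapsulation needs both secret keys; holding only one of them (or a
    tampered ciphertext) yields a different key, as the test below checks."""
    ct1, ct2 = ct
    return _kdf(pow(ct1, sk1, P), pow(ct2, sk2, P), ct1, ct2)
```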

Keywords

Authenticated key exchange; CK model; Key encapsulation mechanism

Notes

Acknowledgments

Haiyang Xue was supported by the National Natural Science Foundation of China 61602473, 61672019, 61772522, and the National Cryptography Development Fund MMJJ20170116. Xianhui Lu was supported by the National Natural Science Foundation of China 61572495. Bao Li was supported by the National Natural Science Foundation of China 61772515. Jingnan He was supported by the National Natural Science Foundation of China 61672030. Bei Liang was partially supported by the STINT grant (no 3720596). This work was supported by the National 973 Program of China under Grant 2014CB340603 and the Fundamental Theory and Cutting Edge Technology Research Program of Institute of Information Engineering, CAS (Grant No. Y7Z0291103).

References

  1. Boyd, C., Cliff, Y., Gonzalez Nieto, J., Paterson, K.G.: Efficient one-round key exchange in the standard model. In: Mu, Y., Susilo, W., Seberry, J. (eds.) ACISP 2008. LNCS, vol. 5107, pp. 69–83. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70500-0_6
  2. Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, pp. 553–570 (2015)
  3. Bos, J., et al.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE Symposium on Security and Privacy, pp. 353–367. Code is available at https://github.com/pq-crystals/kyber
  4. Barbosa, M., Farshim, P.: Relations among notions of complete non-malleability: indistinguishability characterisation and efficient construction without random oracles. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 145–163. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_10
  5. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
  6. Cremers, C.J.F.: Session-state reveal is stronger than ephemeral key reveal: attacking the NAXOS authenticated key exchange protocol. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 20–33. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01957-9_2
  7. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28
  8. Canetti, R., Krawczyk, H.: Security analysis of IKE's signature-based key-exchange protocol. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 143–161. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_10
  9. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717
  10. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4
  11. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. SIAM J. Comput. 30, 391–437 (2000)
  12. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
  13. Fischlin, M.: Completely non-malleable schemes. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 779–790. Springer, Heidelberg (2005). https://doi.org/10.1007/11523468_63
  14. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
  15. Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Strongly secure authenticated key exchange from factoring, codes, and lattices. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 467–484. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_28
  16. Fujioka, A., Suzuki, K., Xagawa, K., Yoneyama, K.: Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism. In: AsiaCCS, pp. 83–94 (2013)
  17. Giacon, F., Heuer, F., Poettering, B.: KEM combiners. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 190–218. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_7
  18. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
  19. Kiltz, E.: Chosen-ciphertext security from tag-based encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 581–600. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_30
  20. Kiltz, E., Pietrzak, K., Stam, M., Yung, M.: A new randomness extraction paradigm for hybrid encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 590–609. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_34
  21. Krawczyk, H.: The order of encryption and authentication for protecting communications (or: How secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_19
  22. Krawczyk, H.: SIGMA: the 'SIGn-and-MAc' approach to authenticated Diffie-Hellman and its use in the IKE protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_24
  23. Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_33
  24. LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75670-5_1
  25. Matsumoto, T., Takashima, Y., Imai, H.: On seeking smart public-key distribution systems. Trans. IECE Jpn. E69(2), 99–106 (1986)
  26. Menezes, A., Qu, M., Vanstone, S.: Some new key agreement protocols providing mutual implicit authentication. In: SAC 1995, pp. 22–32 (1995)
  27. Okamoto, T.: Authenticated key exchange and key encapsulation without random oracles. IACR ePrint report 2007/473, full version of [28]
  28. Okamoto, T.: Authenticated key exchange and key encapsulation in the standard model. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 474–484. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_29
  29. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12
  30. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: STOC 2008, pp. 187–196 (2008)
  31. Wee, H.: Efficient chosen-ciphertext security via extractable hash proofs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 314–332. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_17
  32. Xue, H., Lu, X., Li, B., Liang, B., He, J.: Understanding and constructing AKE via double-key key encapsulation mechanism. IACR ePrint report 2018/817
  33. Yoneyama, K.: One-round authenticated key exchange with strong forward secrecy in the standard model against constrained adversary. In: Hanaoka, G., Yamauchi, T. (eds.) IWSEC 2012. LNCS, vol. 7631, pp. 69–86. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34117-5_5
  34. Yao, A.C.C., Zhao, Y.: OAKE: a new family of implicitly authenticated Diffie-Hellman protocols. In: CCS 2013, pp. 1113–1128 (2013)
  35. Zhang, J., Zhang, Z., Ding, J., Snook, M., Dagdelen, Ö.: Authenticated key exchange from ideal lattices. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 719–751. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_24

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Haiyang Xue (1, 2, 3)
  • Xianhui Lu (1, 2, 3), email author
  • Bao Li (1, 2, 3)
  • Bei Liang (4)
  • Jingnan He (1, 2)

  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China
  3. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
  4. Chalmers University of Technology, Gothenburg, Sweden