Information-theoretic Key Encapsulation and its Applications
arXiv preprint [cs.CR], February. Full title: Information-theoretic Key Encapsulation and its Application to Secure Communication
Setareh Sharifian, Reihaneh Safavi-Naini
University of Calgary, AB, Canada
Abstract — A hybrid encryption scheme is a public key encryption system that consists of a public-key part called the key encapsulation mechanism (KEM), and a (symmetric) secret-key part called the data encapsulation mechanism (DEM): the public key part is used to generate a shared secret key between the two parties, and the symmetric key part is used to encrypt the message. Hybrid encryption schemes are widely used for secure communication over the Internet. In this paper we initiate the study of hybrid encryption in the preprocessing model, which assumes access to initial correlated variables by all the parties (including the eavesdropper). We define an information theoretic KEM (iKEM) that together with a (computationally) secure DEM results in a hybrid encryption scheme in the preprocessing model. We define security of each building block and prove a composition theorem that guarantees security of the final encryption system. We show that an iKEM can be realized by a one-message SKA (OW-SKA) protocol with an extended security definition. Using a OW-SKA that satisfies this extended definition of security effectively allows the secret key generated by the OW-SKA to be used with a symmetric key encryption system such as AES in counter mode. We discuss our results and future work, including providing stronger security for the final encryption and using an information theoretic DEM to construct information theoretic encryption systems.

I. INTRODUCTION
Public key encryption (PKE) schemes are usually defined for restricted message spaces and so the ciphertext can hide a limited number of plaintext bits. A hybrid encryption scheme consists of a public-key part and a (symmetric) secret-key part. The public key part is called the key encapsulation mechanism (KEM), and generates a pair of (i) a random symmetric key $K$, and (ii) a ciphertext $c$. The symmetric key part uses the generated key $K$ to encrypt the actual data to obtain the corresponding ciphertext $c'$ using an efficient data encapsulation mechanism (DEM) (e.g. counter mode of AES [1]). The pair $(c, c')$ allows the decryptor to first recover $K$ from $c$, and then use it to decrypt $c'$ and obtain the data. The KEM/DEM paradigm was formalized by Cramer and Shoup [2] and has been widely used in Internet protocols to implement public key cryptography, in protocols such as TLS [3] and SSH [4], and is incorporated in standards such as [5].

Today's main constructions of KEM rely on the hardness of two computational problems, the Discrete Logarithm (DL) and integer factorization problems, for both of which efficient quantum algorithms have been proposed by Shor [6]. KEMs that remain secure in the presence of quantum computers (also called post-quantum secure) have been constructed using hard problems in lattice theory [7], [8] or coding theory [9], [10], for which efficient quantum algorithms are not known. These constructions have significantly higher computation and communication cost, and will need updates with new developments in computing and security technologies (e.g. updating parameters when new algorithms and attacks are found). We note that post-quantum security of hybrid encryption systems is primarily determined by the KEM part, as the security of symmetric key encryption schemes will not be significantly affected by quantum computers (one needs to use longer keys).

In this paper we initiate the study of the "KEM/DEM paradigm in the preprocessing model", where the specification of the protocol includes a joint distribution $D$ over $R_1 \times \cdots \times R_n$, where $R_i$ is a finite domain.
Before the start of the protocol, a (trusted) sampler samples correlated random values $(r_1, \ldots, r_n)$, and delivers $r_i$ to the party $P_i$ before the protocol starts (thus making it independent of the input). The model has been widely studied in cryptography, with both positive and negative results on unconditionally secure computation with correlated randomness [11]. In information theoretic security a similar initial setup is considered for key agreement protocols and is referred to as the source model [12], [13]: in a two party key agreement in the source model, before the protocol starts, a trusted sampler samples a public distribution $P(x, y, z)$ and gives the samples $x$, $y$, and $z$ to Alice, Bob and Eve, respectively. An example of this setting was proposed by Maurer [13] and is known as the satellite setting, where a satellite broadcasts a random beacon that is received by the protocol parties through their (independent) channels.

Our main observation is that a one-message two-party key agreement (also called one-way SKA (OW-SKA) [14], [15]) can serve as a KEM in a hybrid encryption scheme and, together with a DEM, can provide post-quantum security for the encryption system. Our intuition is that using an information theoretically secure KEM will establish a key that does not depend on the computational power of the adversary, and since a DEM component that is implemented using an algorithm such as AES-256 will be safe against quantum computers [16], the combination of the two will provide post-quantum security.

The KEM in this model will use the private randomness samples (of correlated random variables) that Alice and Bob hold to establish a shared key, and so the resulting hybrid encryption scheme in the preprocessing model is not a public key encryption. In fact, the hybrid encryption system in the preprocessing model is neither a public key system, nor a symmetric key system that requires a shared secret key before the scheme is used. Rather, it starts with the initial correlated samples of the two parties for secure encryption and decryption of data. The hybrid encryption system will be computationally secure (although it can be extended to the information theoretic case; see the discussion in Section V). A traditional OW-SKA cannot be directly used as a KEM because of the difference in the security definitions of the two.
Overview of our main contributions.
We formalize the KEM/DEM paradigm in the preprocessing model and prove a composition theorem that shows security of the resulting encryption system when appropriate definitions and security notions for KEM and DEM are used. We define an information theoretic KEM (iKEM) and its security notions (Definitions 9 and 10) in line with computational KEM, using game-based security definitions. In this approach security is defined as the success probability of an adversary in a game against a challenger, and is described by a probabilistic experiment with a well-defined success event. Lemma 2 relates this success probability to the statistical distance based security definition of OW-SKA. The security definition of DEM is the same as in traditional hybrid encryption schemes and is recalled in Definition 7. We define a hybrid encryption in the preprocessing model (Definition 11) and its security notions (Definition 12) against a computationally bounded adversary, and prove a composition theorem (Theorem 2) that shows that combining an iKEM and a DEM with appropriate security definitions results in a hybrid encryption system in the preprocessing model with provable security with respect to the defined security notion. As a concrete example of our results, in Section IV we extend the OW-SKA in [17] to provide iKEM security in the sense of Definition 10. By choosing parameters of the iKEM to output a secure 256 bit key, we can use AES-256 in counter mode as the required DEM.
Discussion.
Hybrid encryption in the preprocessing model, employing a OW-SKA as an iKEM to establish the required key for the DEM, is novel and has a number of important implications. Firstly, it allows secure integration of information theoretically secure OW-SKA in encryption systems in practice. Maurer [18] noted the security challenges of using a securely established key in practice. Ben-Or et al. [19] had noted that a direct application of an information theoretically secure key that is obtained through a quantum key distribution protocol for encryption may not result in a secure encryption system, and that one needs to use a stronger definition of security that takes into account composability of the key with other cryptosystems. Similar results were also shown by Renner and König [20]. The security notions of iKEM allow composability of the key with computationally secure symmetric key encryption, such that the resulting encryption system satisfies the CPA (Chosen Plaintext Attack) security notions of symmetric key encryption (with a fixed number of plaintext queries). Our work can be extended to define stronger security notions for iKEM (e.g. security against chosen ciphertext attack (CCA)), and stronger security notions for the final hybrid encryption in the preprocessing model.

Secondly, we noted that hybrid encryption in the preprocessing model provides post-quantum security. Our proposed construction of iKEM in the source model can be used in wireless settings where a beacon broadcasts randomness. It is well known [13] that secret key agreement with information theoretic security requires initial correlated variables. An interesting direction for future work will be to extend our results to iKEMs using other physical layer assumptions for establishing a shared key using a single message.

Thirdly, hybrid encryption in the preprocessing model leads to an efficient encryption scheme with post-quantum security and without requiring a secure key agreement protocol. An alternative to such an encryption would be to use a traditional KEM with post-quantum security, which because of its high computation cost will become inaccessible to resource constrained IoT devices, such as smart locks, that have a long lifetime. Direct application of a key agreement protocol with post-quantum security will have a similar inefficiency drawback.
Related Works.
Cramer and Shoup [2] formalized the KEM/DEM paradigm and proved that CCA security of the KEM and DEM, as a public key and a symmetric key encryption respectively, leads to CCA security of the final (public key) hybrid encryption system. This is the strongest commonly used security notion for encryption systems. Kurosawa and Desmedt [21] presented a hybrid encryption scheme showing that CCA-secure hybrid encryption can be achieved using a weaker security notion for the KEM (the KEM in their construction was later shown to be not CCA secure [22]). The existence of strongly secure (CCA secure) hybrid encryption schemes from weaker primitives was also studied by Abe et al. [23] and Shacham [24]. The necessary and sufficient conditions on the security of the DEM and KEM parts to achieve a desired level of security for the hybrid encryption are studied in [25].

The study of secret key agreement in the source model was initiated by Maurer [13] and Ahlswede and Csiszár [12], with many follow-up works for different physical layer setups. One-way secret key (OW-SK) capacity was introduced by Ahlswede and Csiszár [12], who derived the OW-SK capacity. Holenstein and Renner [14] considered one-way SKA (OW-SKA) protocols and gave constructions that achieve the OW-SK capacity. There are a number of capacity achieving OW-SKA constructions [26], [27], [28], [17], in some cases [17] with an explicit lower bound on finite key length.

Cryptographic protocols that have been studied in the preprocessing model include oblivious transfer [29] and multi-party computation (MPC) protocols [30], [11]. The source model in information theoretic key agreement uses a similar initialization phase [31].
Organization.
Preliminaries are reviewed in Section II. Our main contribution is in Section III, where we propose the hybrid encryption in the preprocessing model and discuss its security. A practical construction of our scheme is given in Section IV, and concluding remarks are given in Section V.

II. PRELIMINARIES
A. Notations
We denote random variables (RVs) with upper-case letters (e.g., $X$), and their realizations with lower-case letters (e.g., $x$). Calligraphic letters denote sets, and the size of the set $\mathcal{X}$ is denoted by $|\mathcal{X}|$. $U_{\mathcal{X}}$ denotes a random variable with uniform distribution over $\mathcal{X}$, and $U_\ell$ denotes a random variable with uniform distribution over $\{0,1\}^\ell$. Functions are denoted with sans-serif fonts, e.g., $\mathsf{f}(\cdot)$. We use the symbol '$\leftarrow$' to assign a constant value (on the right-hand side) to a variable (on the left-hand side). Similarly, we use '$\xleftarrow{\$}$' to assign to a variable either a uniformly sampled value from a set or the output of a randomized algorithm.

The probability mass function (p.m.f.) of an RV $X$ is denoted by $P_X$, and $P_X(x) = \Pr(X = x)$. The collision probability $\mathsf{Col}(X)$ of a random variable $X \in \mathcal{X}$ is defined as the probability that two independent samples of $X$ are equal, that is, $\mathsf{Col}(X) = \sum_{x \in \mathcal{X}} (\Pr[X = x])^2$. For two random variables $X$ and $Y$, $P_{XY}$ denotes their joint distribution, and $P_{X|Y}$ denotes their conditional distribution. The statistical distance between two RVs $X$ and $Y$ defined over a common alphabet $\mathcal{T}$ is given by
$$\mathsf{SD}(X; Y) = \max_{\mathcal{W} \subset \mathcal{T}} \big(\Pr(X \in \mathcal{W}) - \Pr(Y \in \mathcal{W})\big), \qquad (1)$$
where $\Pr(X \in \mathcal{W}) = \sum_{t \in \mathcal{W}} \Pr(X = t)$. The min-entropy $H_\infty(X)$ of a random variable $X \in \mathcal{X}$ with distribution $P_X$, where $P_X(x) \in [0,1]$ for $x \in \mathcal{X}$, is defined by $H_\infty(X) = -\log(\max_x P_X(x))$. The average conditional min-entropy [32] is commonly defined as
$$\tilde{H}_\infty(X|Y) = -\log \mathbb{E}_{y \in \mathcal{Y}} \max_{x \in \mathcal{X}} P_{X|Y}(x|y).$$
Randomness extractors map a random variable with a guaranteed entropy to a random variable from a smaller set that is statistically close (in terms of the statistical distance) to a uniform random variable. See [33] and references therein for more details. One of the well known constructions of randomness extractors uses (Strong) Universal Hash Families (UHF) via the so called Leftover Hash Lemma (LHL) [34]. We will use a variation of the LHL [34], called the generalized LHL [35, Lemma 2.4], later in this paper.

Definition 1 (Strong Universal Hash Family [36]). A family of functions $\{h_s : \mathcal{X} \to \mathcal{Y}\}_{s \in \mathcal{S}}$ is a Strong Universal Hash Family if for any $x \neq x'$ and any $a, b \in \mathcal{Y}$, $\Pr[h_S(x) = a \wedge h_S(x') = b] = 1/|\mathcal{Y}|^2$, where the probability is over the uniform choice of $S$ over $\mathcal{S}$.

Lemma 1 (Generalized LHL). For two possibly dependent random variables $A \in \mathcal{X}$ and $B \in \mathcal{Y}$, applying a universal hash function (UHF) $\{h_s : \mathcal{X} \to \{0,1\}^\ell\}_{s \in \mathcal{S}}$ to $A$ extracts a uniformly random variable whose length $\ell$ is bounded by the average min-entropy of $A$ given $B$ and the required closeness to the uniform distribution. That is,
$$\mathsf{SD}\big((B, S, h_S(A)); (B, S, U_\ell)\big) \le \sqrt{2^{\ell - \tilde{H}_\infty(A|B)}},$$
where $S$ is the randomly chosen seed of the hash function family, and the average conditional min-entropy is defined above.

B. One-way Secret Key Agreement (OW-SKA)

One-way secret key agreement was first considered by Ahlswede [12], who considered the source model where Alice and Bob have samples of correlated RVs $X$ and $Y$, Eve has their side information $Z$, and the variables are obtained through a joint public distribution $P_{XYZ}$. "Forward key capacity" in this setting is defined for key establishment protocols in which there is a single message from Alice to Bob. These protocols are later called "one-way secret key agreement" (OW-SKA) [14].
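The quantities of Section II.A (statistical distance, collision probability, min-entropy, average conditional min-entropy), Definition 1 and Lemma 1 can all be checked exactly on a small alphabet. The following Python script is an added example, not code from the paper or its authors. It assumes a constructed strong universal family $h_{a_1,a_2,c}(x_1,x_2) = a_1x_1 + a_2x_2 + c \bmod 7$ from $\mathbb{Z}_7^2$ to $\mathbb{Z}_7$ and a constructed source in which Eve's side information $B$ reveals the first coordinate of $A$ half of the time. It verifies strong universality by exhaustive counting, computes $\tilde{H}_\infty(A|B)$, and compares the exact distance on the left-hand side of Lemma 1 with the bound on the right (with $2^\ell$ read as $|\mathcal{Y}| = 7$). The names `h`, `source_distribution`, `extractor_distance`, `maximizing_set` and `lhl_bound` are this example's own.

```python
from collections import Counter, defaultdict
from fractions import Fraction
from itertools import product
from math import log2, sqrt

P = 7                                        # prime; hash outputs live in Y = Z_P
INPUTS = list(product(range(P), repeat=2))   # X = Z_P^2, |X| = 49
SEEDS = list(product(range(P), repeat=3))    # seeds (a1, a2, c) in S = Z_P^3, |S| = 343


def h(seed, x):
    """h_{a1,a2,c}(x1, x2) = a1*x1 + a2*x2 + c mod P (constructed family).  For x != x'
    the map seed -> (h(x), h(x')) is an affine surjection onto Z_P^2, so each output pair
    has exactly P of the P^3 seeds, i.e. probability 1/P^2 as Definition 1 requires."""
    a1, a2, c = seed
    return (a1 * x[0] + a2 * x[1] + c) % P


def statistical_distance(p, q):
    """SD(X;Y) of (1): the max is attained by W = {t : p(t) > q(t)}, so SD is the sum of
    the positive parts of p(t) - q(t).  p and q map outcomes to probabilities."""
    return sum(max(p.get(t, 0) - q.get(t, 0), 0) for t in set(p) | set(q))


def maximizing_set(p, q):
    """The set W attaining the maximum in (1)."""
    return {t for t in set(p) | set(q) if p.get(t, 0) > q.get(t, 0)}


def collision_probability(p):
    """Col(X) = sum_x Pr[X = x]^2."""
    return sum(v * v for v in p.values())


def min_entropy(p):
    """H_inf(X) = -log2 max_x P_X(x)."""
    return -log2(float(max(p.values())))


def avg_cond_min_entropy(pab):
    """H~_inf(A|B) = -log2 E_b max_a P_{A|B}(a|b) = -log2 sum_b max_a P_{AB}(a, b)."""
    best = defaultdict(Fraction)
    for (a, b), pr in pab.items():
        best[b] = max(best[b], pr)
    return -log2(float(sum(best.values())))


def is_strong_universal():
    """Exhaustive check of Definition 1 over all x != x', all (a, b) and all seeds."""
    table = {s: [h(s, x) for x in INPUTS] for s in SEEDS}
    target = Fraction(1, P * P)
    for i, j in product(range(len(INPUTS)), repeat=2):
        if i == j:
            continue
        counts = Counter((table[s][i], table[s][j]) for s in SEEDS)
        if len(counts) != P * P or any(Fraction(n, len(SEEDS)) != target for n in counts.values()):
            return False
    return True


def source_distribution():
    """Constructed source P_AB: A uniform on Z_P^2; the side information B is A's first
    coordinate with probability 1/2 and None (nothing) otherwise."""
    pab = {}
    for a in INPUTS:
        pab[(a, a[0])] = Fraction(1, 2 * len(INPUTS))
        pab[(a, None)] = Fraction(1, 2 * len(INPUTS))
    return pab


def extractor_distance(pab):
    """Exact SD((B, S, h_S(A)); (B, S, U_Y)) for a uniform seed S: the left side of Lemma 1."""
    ps = Fraction(1, len(SEEDS))
    real, pb = defaultdict(Fraction), defaultdict(Fraction)
    for (a, b), pr in pab.items():
        pb[b] += pr
        w = pr * ps
        for s in SEEDS:
            real[(b, s, h(s, a))] += w
    ideal = {(b, s, y): pb[b] * ps / P for b in pb for s in SEEDS for y in range(P)}
    return statistical_distance(real, ideal)


def lhl_bound(pab):
    """Right-hand side of Lemma 1 with 2^l = |Y| = P: sqrt(2^(l - H~_inf(A|B)))."""
    return sqrt(P * 2 ** (-avg_cond_min_entropy(pab)))


if __name__ == "__main__":
    pab = source_distribution()
    print("strong universal:", is_strong_universal())
    print("H~_inf(A|B) =", avg_cond_min_entropy(pab))
    print("SD =", float(extractor_distance(pab)), "<= LHL bound", lhl_bound(pab))
```

On this source the exact distance is $24/343 \approx 0.07$ while the bound evaluates to $\sqrt{4/7} \approx 0.76$: the bound holds but is far from tight on such a small instance, which is the usual situation. Lemma 1 is a worst-case guarantee, and it is this bound, not a measured distance, from which parameter choices such as the key length $\ell$ have to be derived.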
Definition 2 (OW-SKA [14]). Let $\lambda$ denote the security parameter and $\ell$ denote the length of the shared key ($\lambda, \ell \in \mathbb{N}$), and let $P_{XYZ} = \{P^{n'}_{XYZ} \mid n' \in \mathbb{N}\}$ be a family of distributions over $\mathcal{X} \times \mathcal{Y} \times \mathcal{Z}$. A one-way secret-key agreement (OW-SKA) protocol consists of the function $m(\lambda, \ell) : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ that specifies $n' = m(\lambda, \ell)$; a (probabilistic) function family with parameters $\lambda$ and $\ell$, $\{\tau_{\mathrm{Alice}} : \mathcal{X} \to \mathcal{K}_\lambda \times \mathcal{C}\}_{\lambda, \ell}$, mapping $x \in \mathcal{X}$ to a bit string $k_A \in \{0,1\}^\ell$ (the secret key) and $c \in \mathcal{C}$ (the communication); and a function family $\{\tau_{\mathrm{Bob}} : \mathcal{Y} \times \mathcal{C} \to \mathcal{K}_\lambda\}_{\lambda, \ell}$ mapping $c \in \mathcal{C}$ and $y \in \mathcal{Y}$ to a bit string $k_B \in \{0,1\}^\ell$. The goal of secret-key agreement is to establish a key $k = k_A = k_B$ that appears uniformly random to Eve.

Definition 3 (Secure OW-SKA Protocol). Let $C$ denote the RV corresponding to the message that is communicated from Alice to Bob over the public channel. Eve sees $C$ and has the side information $Z$, a random variable distributed over $\mathcal{Z}$. A OW-SKA protocol on $\mathcal{X} \times \mathcal{Y}$ is secure on a probability distribution family $P_{XYZ}$ if for $\lambda, \ell \in \mathbb{N}$ the OW-SKA protocol outputs an $(\epsilon, \sigma)$-Secret Key (in short $(\epsilon, \sigma)$-SK) $K$, an RV over $\mathcal{K}$ that satisfies the following reliability and security properties:
$$\text{(reliability)} \quad \Pr[K_A = K_B = K] \ge 1 - \epsilon, \qquad (2)$$
$$\text{(security)} \quad \mathsf{SD}\big((K, F, Z); (U_{\mathcal{K}_\lambda}, F, Z)\big) \le \sigma, \qquad (3)$$
where $K_A$ and $K_B$ are the random variables corresponding to the outputs of $\tau_{\mathrm{Alice}}()$ and $\tau_{\mathrm{Bob}}()$ respectively, and $\epsilon$ and $\sigma$ are small non-negative numbers.

C. Hybrid Encryption

A hybrid encryption scheme is a public-key encryption (PKE) scheme that uses (i) a special PKE, known as KEM, to encrypt a symmetric key that is decryptable by Bob, establishing a shared key between Alice and Bob, and (ii) a symmetric key encryption scheme, known as DEM, to encrypt an arbitrarily long message. In the following, we use $\lambda$ to denote a parameter that determines the security level of the system, and use the unary representation $1^\lambda$ that is commonly used in cryptography. In the rest of this section the attacker is assumed to be computationally bounded.

Definition 4 (Key Encapsulation Mechanism (KEM) [37]). A KEM $\mathsf{KEM} = (\mathsf{KEM.Gen}, \mathsf{KEM.Enc}, \mathsf{KEM.Dec})$ for an associated key space $\mathsf{KeySP}(\lambda) = \mathcal{K}$ is a triple of algorithms defined as follows:
- $\mathsf{KEM.Gen}(1^\lambda)$ is a randomized key generation algorithm that takes the security parameter $\lambda \in \mathbb{N}$ and returns a public and secret-key pair $(pk, sk)$.
- $\mathsf{KEM.Enc}(pk)$ takes a public key $pk$ and outputs a ciphertext $c$ and a key $k \in \mathcal{K}$.
- $\mathsf{KEM.Dec}(sk, c)$ is a deterministic decapsulation algorithm that takes a secret key $sk$ and a ciphertext $c$, and returns a key $k \in \mathcal{K}$, or $\perp$ that den
otes failure,
where the private and public key spaces are $\mathcal{SK}$ and $\mathcal{PK}$, respectively, and the ciphertext space is $\mathcal{C}$. That is, $sk \in \mathcal{SK}$, $pk \in \mathcal{PK}$, and $c \in \mathcal{C}$. $\mathsf{KEM}$ is $\epsilon$-correct if for all $(sk, pk) \leftarrow \mathsf{KEM.Gen}(1^\lambda)$ and $(c, k) \leftarrow \mathsf{KEM.Enc}(pk)$, it holds that $\Pr[\mathsf{KEM.Dec}(sk, c) \neq k] \le \epsilon$, where the probability is over the choices of $(sk, pk)$ and the randomness of $\mathsf{KEM.Enc}(\cdot)$.

Security of a KEM is defined as indistinguishability of the generated key from a random string against an attacker that may have access to the decryption algorithm (the attacker can always access the encryption algorithm using the public key). Access to the decryption oracle is by sending a ciphertext to a decryption oracle and receiving the corresponding plaintext, or $\perp$ that denotes an invalid ciphertext. This is known as Chosen Ciphertext Attack (CCA) security. CCA1 and CCA2 refer to allowing ciphertext queries only before, or also after, the challenge ciphertext is seen. An attack without any access to the decryption algorithm is called a Chosen Plaintext Attack (CPA).
We use the notation and formalization of [25]. Let the string $atk$ be instantiated by any of the formal symbols $cpa$, $cca1$, $cca2$, while $ATK$ is then the corresponding formal symbol from $CPA$, $CCA1$, $CCA2$. $\mathcal{O}_{dec}(\cdot)$ is the decryption oracle, and $\mathcal{O}_{dec}(\cdot) = \varepsilon$ means the oracle, on any input, returns the empty string $\varepsilon$. Security of a KEM $\mathsf{KEM}$ is formalized by bounding the key indistinguishability (kind) advantage of an adversary $\mathcal{A}$, denoted by $\mathsf{Adv}^{kind}_{\mathsf{KEM}, \mathcal{A}}$ and defined in the following.

Definition 5 (Security of KEM: IND-CPA, IND-CCA1, IND-CCA2 [25]). Let $\mathsf{KEM} = (\mathsf{KEM.Gen}, \mathsf{KEM.Enc}, \mathsf{KEM.Dec})$ be a KEM scheme and let $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ be an adversary. For $atk \in \{cpa, cca1, cca2\}$ and $\lambda \in \mathbb{N}$, let
$$\mathsf{Adv}^{kind\text{-}atk}_{\mathsf{KEM}, \mathcal{A}}(\lambda) \triangleq \Pr\big[(pk, sk) \xleftarrow{\$} \mathsf{KEM.Gen}(1^\lambda);\ st \xleftarrow{\$} \mathcal{A}_1^{\mathcal{O}_{dec}(\cdot)}(pk);\ (k^*, c^*) \xleftarrow{\$} \mathsf{KEM.Enc}(pk);\ k_0 \leftarrow k^*;\ k_1 \xleftarrow{\$} \mathcal{K}_\lambda;\ b \xleftarrow{\$} \{0,1\};\ \mathcal{A}_2^{\mathcal{O}_{dec}(\cdot)}(c^*, st, k_b) = b\big] - \tfrac{1}{2},$$
where the oracles available to $\mathcal{A}_1$ and $\mathcal{A}_2$ are:

  atk   | O_dec(·) for A_1   | O_dec(·) for A_2
  cpa   | ε                  | ε
  cca1  | KEM.Dec(sk, ·)     | ε
  cca2  | KEM.Dec(sk, ·)     | KEM.Dec(sk, ·)

Let $ATK \in \{CPA, CCA1, CCA2\}$. A KEM is $\sigma$-IND-ATK secure if for all computationally bounded adversaries $\mathcal{A}$, $\mathsf{Adv}^{kind\text{-}atk}_{\mathsf{KEM}, \mathcal{A}}(\lambda) \le \sigma$.

Definition 6 (Data Encapsulation Mechanism (DEM) [37]). A DEM $\mathsf{DEM} = (\mathsf{DEM.Enc}, \mathsf{DEM.Dec})$ associated to a key space $\mathsf{KeySP}(\lambda) = \mathcal{K}_\lambda$ consists of two algorithms:
- $\mathsf{DEM.Enc}(k, m)$ encrypts message $m$ under the uniformly chosen key $k \in \mathcal{K}_\lambda$ and outputs a ciphertext $c$.
- $\mathsf{DEM.Dec}(k, c)$ decrypts the ciphertext $c$ using the key $k$ to get back a message $m$ or the special rejection symbol $\perp$.

Similar to [37], we assume the encryption and decryption algorithms are deterministic, and that the scheme is (perfectly) correct (i.e. "sound" in the terminology of [37]): for all $k \in \mathcal{K}_\lambda$ and all messages $m$, we have $\Pr[\mathsf{DEM.Dec}(k, \mathsf{DEM.Enc}(k, m)) = m] = 1$.

Security of a DEM against CPA, CCA1, and CCA2 is defined in [37] and is the same as the corresponding definitions for symmetric encryption schemes as defined in [38]. A DEM is a symmetric key primitive and so, unlike a KEM in which access to the encryption oracle is free, access to the encryption oracle is a resource. CPA security of a DEM allows the attacker to have access to the encryption oracle. Herranz et al. [25] considered two more one-time attacks for DEM, known as the one-time (OT) attack and the one-time (adaptive) chosen-ciphertext attack (OTCCA), that correspond to a passive attack and a chosen-ciphertext attack after observing the challenge, respectively. An OT attack is a CPA attack where the adversary does not have any access to the encryption oracle. Security of a DEM $\mathsf{DEM}$ is formalized by bounding the indistinguishability advantage of an adversary $\mathcal{A}$, denoted by $\mathsf{Adv}^{ind}_{\mathsf{DEM}, \mathcal{A}}$ and defined in the following.

Definition 7 (Security of DEM: IND-OT, IND-OTCCA, IND-CPA, IND-CCA1, IND-CCA2 [25]). Let $\mathsf{DEM} = (\mathsf{DEM.Enc}, \mathsf{DEM.Dec})$ be a DEM scheme with $\mathsf{KeySP}(\lambda) = \mathcal{K}_\lambda$ and let $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$ be an adversary. For $atk \in \{ot, otcca, cpa, cca1, cca2\}$ and $\lambda \in \mathbb{N}$, let
$$\mathsf{Adv}^{ind\text{-}atk}_{\mathsf{DEM}, \mathcal{A}}(\lambda) \triangleq \Pr\big[k \xleftarrow{\$} \mathcal{K}_\lambda;\ (st, m_0, m_1) \xleftarrow{\$} \mathcal{A}_1^{\mathcal{O}_{enc}(\cdot), \mathcal{O}_{dec}(\cdot)}(1^\lambda);\ b \xleftarrow{\$} \{0,1\};\ c^* \leftarrow \mathsf{DEM.Enc}(k, m_b);\ \mathcal{A}_2^{\mathcal{O}_{enc}(\cdot), \mathcal{O}_{dec}(\cdot)}(c^*, st) = b\big] - \tfrac{1}{2},$$
where the oracles are:

  atk    | O_enc(·)        | O_dec(·) for A_1  | O_dec(·) for A_2
  ot     | ε               | ε                 | ε
  otcca  | ε               | ε                 | DEM.Dec(k, ·)
  cpa    | DEM.Enc(k, ·)   | ε                 | ε
  cca1   | DEM.Enc(k, ·)   | DEM.Dec(k, ·)     | ε
  cca2   | DEM.Enc(k, ·)   | DEM.Dec(k, ·)     | DEM.Dec(k, ·)

A DEM is $\sigma$-IND-ATK for $ATK \in \{OT, OTCCA, CPA, CCA1, CCA2\}$ if for all adversaries $\mathcal{A}$, $\mathsf{Adv}^{ind\text{-}atk}_{\mathsf{DEM}, \mathcal{A}}(\lambda) \le \sigma$.

Definition 8 (Hybrid PKE (HPKE) [37]). An HPKE
$\mathsf{HPKE}_{\mathsf{KEM}, \mathsf{DEM}} = (\mathsf{HPKE.Gen}, \mathsf{HPKE.Enc}, \mathsf{HPKE.Dec})$ uses a pair of KEM $\mathsf{KEM} = (\mathsf{KEM.Gen}, \mathsf{KEM.Enc}, \mathsf{KEM.Dec})$ and DEM $\mathsf{DEM} = (\mathsf{DEM.Enc}, \mathsf{DEM.Dec})$ algorithms with a common key space $\mathsf{KeySP}(\lambda) = \mathcal{K}_\lambda$, and consists of three algorithms for key generation, encryption and decryption, defined below.

Algo HPKE.Gen(1^λ):
  (pk, sk) ←$ KEM.Gen(1^λ)
  Return (pk, sk)

Algo HPKE.Enc(pk, m):
  (c, k) ←$ KEM.Enc(pk)
  c' ← DEM.Enc(k, m)
  Return (c, c')

Algo HPKE.Dec(sk, c, c'):
  k ← KEM.Dec(sk, c)
  if k = ⊥, Return ⊥
  m ← DEM.Dec(k, c')
  Return m

Fig. 1: Hybrid public-key encryption
The following composition theorem gives the security of hybrid encryption [25, Theorem 5.1].

Theorem 1 (IND-ATK KEM + IND-ATK′ DEM ⇒ IND-ATK PKE) [25, Theorem 5.1]. For $ATK \in \{CPA, CCA1, CCA2\}$ and $ATK' \in \{OT, OTCCA\}$, if $\mathsf{KEM}$ is a secure KEM under IND-ATK attacks and $\mathsf{DEM}$ is a secure DEM under IND-ATK′ attacks, then the hybrid public key encryption scheme $\mathsf{HPKE}_{\mathsf{KEM}, \mathsf{DEM}}$ is a secure public key encryption scheme under IND-ATK attacks, where for $ATK \in \{CPA, CCA1\}$, $ATK' = OT$, and for $ATK = CCA2$, $ATK' = OTCCA$.

In Section III, we prove a similar composition theorem for iKEM and DEM with specific security notions.

III. HYBRID ENCRYPTION IN PREPROCESSING MODEL
In the preprocessing model Alice, Bob and the attacker have access to their corresponding samples of a joint distribution. The distribution is public but the samples are private inputs of the parties. A hybrid encryption in the preprocessing model, denoted by $\mathsf{HE}_{\mathsf{iKEM}, \mathsf{DEM}}$, uses a pair of algorithms, an iKEM with information theoretic security and a DEM with computational security, to construct a hybrid encryption. We first define the information theoretic KEM (iKEM) and give its security notions, and then describe the $\mathsf{HE}_{\mathsf{iKEM}, \mathsf{DEM}}$ system that uses a DEM as defined in Definition 6.
A. KEM in Preprocessing Model (iKEM)
An iKEM allows Alice and Bob to use their samples of correlated randomness and a single message from Alice to Bob to obtain a shared key that is secure against an eavesdropper (a wiretapper) whose side information is represented by its initial random sample.
Definition 9 (iKEM). An iKEM $\mathsf{iKEM}$ is defined by a triple of algorithms $\mathsf{iKEM.Gen}$, $\mathsf{iKEM.Enc}$ and $\mathsf{iKEM.Dec}$, as follows:
- $\mathsf{iKEM.Gen}(1^\lambda, D)$, the generation algorithm, takes the security parameter $\lambda \in \mathbb{N}$ and a publicly known family of distributions $D$, and provides private inputs to Alice and Bob, and possibly Eve, denoted by $x$, $y$ and $z$, respectively.
- $\mathsf{iKEM.Enc}(x)$, the encapsulation algorithm, is a probabilistic algorithm that takes as input Alice's random string $x$ and outputs a ciphertext/key pair $(c, k)$.
- $\mathsf{iKEM.Dec}(y, c)$, the decapsulation algorithm, is a deterministic algorithm that takes as input the receiver's random string $y$ and the ciphertext $c$, and outputs a key $k$ or the special symbol $\perp$ ($\perp$ implies that the ciphertext was invalid).

Correctness of iKEM: $\mathsf{iKEM.Enc}(\cdot)$ outputs a pair $(c, k)$ of ciphertext and key. We use $\mathsf{iKEM.Enc}(x).key$ to denote $k$, and $\mathsf{iKEM.Enc}(x).ctxt$ to denote $c$. The iKEM is $\epsilon$-correct if for a given pair of samples $(x, y)$, $\Pr[\mathsf{iKEM.Dec}(y, c) \neq \mathsf{iKEM.Enc}(x).key] \le \epsilon$, where $\epsilon$ is a small function of $\lambda$ and the probability is over all the random coins of $\mathsf{iKEM.Enc}$, $\mathsf{iKEM.Dec}$ and $\mathsf{iKEM.Gen}$.

Security of iKEM:
Security of an iKEM is against an attacker with unlimited computational power that, in addition to its side information, can query the encapsulation and decapsulation algorithms. We thus consider two types of oracles, $\mathcal{O}_{enc}(\cdot)$ and $\mathcal{O}_{dec}(\cdot)$, and their corresponding attacks, Encapsulation Oracle Attack (EnO) and Chosen Ciphertext Attack (CCA), respectively. A query to $\mathcal{O}_{enc}(\cdot)$ does not have any input, and outputs a pair $(c, k)$ where $k$ and $c$ are a key and the corresponding ciphertext obtained by using the secret input of Alice and the system's other public information. A query to $\mathcal{O}_{dec}(\cdot)$ is a ciphertext $c$ chosen by the attacker, and results in $\mathcal{O}_{dec}(\cdot)$ outputting either a key $k$, or $\perp$, indicating that $\mathsf{iKEM.Dec}$ can/cannot generate a valid key for the presented $c$.

We consider three types of attackers: an attacker with no access to encapsulation or decapsulation oracles (OT attack), an attacker with access to $q_e$ encapsulation queries ($q_e$-EnO attack), and an attacker that has access to a total of $q_c$ queries to the decapsulation and/or encapsulation oracles ($q_c$-CCA attack). The corresponding security notions are denoted by IND-OT, IND-$q_e$-EnO, and IND-$q_c$-CCA, respectively. For a given security level $\lambda$, the number of queries affects the parameters of the iKEM. We use $\mathcal{A}^U = (\mathcal{A}^U_1, \mathcal{A}^U_2)$ to denote an adversary with "U"nbounded computation that uses algorithm $\mathcal{A}^U_1$ before seeing the challenge, and passes the learnt information (its state) to algorithm $\mathcal{A}^U_2$, which is executed after seeing the challenge. Security of an iKEM $\mathsf{iKEM}$ is formalized by bounding the information theoretic key indistinguishability (ikind) advantage of an adversary $\mathcal{A}^U$, denoted by $\mathsf{Adv}^{ikind}_{\mathsf{iKEM}, \mathcal{A}^U}$ and defined in the following.

Definition 10 (Security of iKEM: IND-OT, IND-$q_e$-EnO, IND-$q_c$-CCA). Let $\mathsf{iKEM} = (\mathsf{iKEM.Gen}, \mathsf{iKEM.Enc}, \mathsf{iKEM.Dec})$ be an iKEM scheme and let $\mathcal{A}^U = (\mathcal{A}^U_1, \mathcal{A}^U_2)$ be an unbounded adversary. For $atk \in \{ot, q_e\text{-}eno, q_c\text{-}cca\}$, $q \in \{q_e, q_c\}$ and $\lambda \in \mathbb{N}$, let
$$\mathsf{Adv}^{ikind\text{-}atk}_{\mathsf{iKEM}, \mathcal{A}^U}(\lambda, q) \triangleq \Pr\big[(x, y, z) \xleftarrow{\$} \mathsf{iKEM.Gen}(1^\lambda);\ st \xleftarrow{\$} \mathcal{A}^{U,\,\mathcal{O}_{enc}(\cdot)}_1(z);\ (k^*, c^*) \xleftarrow{\$} \mathsf{iKEM.Enc}(x);\ k_0 \leftarrow k^*;\ k_1 \xleftarrow{\$} \mathcal{K}_\lambda;\ b \xleftarrow{\$} \{0,1\};\ \mathcal{A}^{U,\,\mathcal{O}_{dec}(\cdot)}_2(c^*, st, k_b) = b\big] - \tfrac{1}{2},$$
where the oracles are:

  atk      | O_enc(·)         | O_dec(·)
  ot       | ε                | ε
  q_e-eno  | iKEM.Enc_x(·)    | ε
  q_c-cca  | iKEM.Enc_x(·)    | iKEM.Dec_y(·)

An iKEM is $\sigma$-IND-ATK secure for $q \in \{q_e, q_c\}$ and $ATK \in \{OT, q_e\text{-EnO}, q_c\text{-CCA}\}$ if for all adversaries $\mathcal{A}^U$, $\mathsf{Adv}^{ikind\text{-}atk}_{\mathsf{iKEM}, \mathcal{A}^U}(\lambda, q) \le \sigma$.

The following lemma shows that the distinguishing advantage of the adversary $\mathcal{A}^U$ in Definition 10 is bounded by the statistical distance of the generated key from the uniform distribution, given the adversary's view of the game. This lemma can be seen as a special case of [39, Lemma 4], where the random system is an iKEM.

Lemma 2.
Let $v^{q_e\text{-}eno}_{\mathcal{A}^U} = (v^{eno}_{\mathcal{A}^U,1}, \cdots, v^{eno}_{\mathcal{A}^U,q_e})$, for $v^{eno}_{\mathcal{A}^U,i} \in \mathcal{K}_\lambda \times \mathcal{C}$, denote the encapsulation oracle's responses to adversary $\mathcal{A}^U$'s queries in the $q_e$-bounded EnO attack, and let $V^{q_e\text{-}eno}_{\mathcal{A}^U}$ denote the corresponding random variable (which is probabilistic according to the randomness of the $\mathsf{iKEM.Enc}$ algorithm and the distribution of Bob's private and public inputs). The iKEM is $\sigma$-indistinguishable against $q_e$-bounded EnO if and only if for all adversaries $\mathcal{A}^U$ we have
$$\mathsf{SD}\big((Z, C^*, K^*, V^{q_e\text{-}eno}_{\mathcal{A}^U}); (Z, C^*, U_{\mathcal{K}_\lambda}, V^{q_e\text{-}eno}_{\mathcal{A}^U})\big) \le \sigma, \qquad (4)$$
where the random variables $Z$, $C^*$ and $K^*$ correspond to $z$, the initial correlated random string received by the adversary, and the challenge ciphertext and key pair $(c^*, k^*)$, respectively.

Proof of Lemma 2. The proof has two parts: (a) if the iKEM is indistinguishable then the statistical distance is bounded, and (b) the iKEM is indistinguishable if the statistical distance is bounded. We show each part separately.

(a) Suppose a given iKEM is $\sigma$-indistinguishable. Then (4) holds, because if it does not, there exists a set $\mathcal{W} \subset \mathcal{Z} \times \mathcal{K}_\lambda \times \mathcal{C}$ for which
$$\big|\Pr[(Z, K^*, C^*) \in \mathcal{W}, V^{q_e\text{-}eno}_{\mathcal{A}^U}] - \Pr[(Z, U_{\mathcal{K}_\lambda}, C^*) \in \mathcal{W}, V^{q_e\text{-}eno}_{\mathcal{A}^U}]\big| > \sigma.$$
We use $\mathcal{W}$ to define an adversary algorithm $\mathcal{A}^{*U}$ that for any $(z, c^*, k^*) \in \mathcal{W}$ outputs zero. This allows $\mathcal{A}^{*U}$ to gain an advantage $\mathsf{Adv}^{ikind\text{-}atk}_{\mathsf{iKEM}, \mathcal{A}^U}(\lambda) > \sigma$, and this contradicts the assumption (that the iKEM is $\sigma$-indistinguishable). Therefore the statistical distance is less than $\sigma$.

(b) Suppose (4) holds. Let $F_{\mathcal{A}^U} : \mathcal{Z} \times \mathcal{K}_\lambda \times \mathcal{C} \to \{0,1\}$ be an arbitrary function that takes $\mathcal{A}^U$'s inputs $(z, c^*, k^*)$ and $v^{q_e\text{-}eno}_{\mathcal{A}^U}$ and outputs 0 or 1. Then we have
$$\mathsf{Adv}^{ikind\text{-}atk}_{\mathsf{iKEM}, \mathcal{A}^U}(\lambda, q_e) \le \max_{F_{\mathcal{A}^U}} \big|\Pr[F_{\mathcal{A}^U}(Z, C^*, K^*, V^{q_e\text{-}eno}_{\mathcal{A}^U}) = 1] - \Pr[F_{\mathcal{A}^U}(Z, C^*, U_{\mathcal{K}_\lambda}, V^{q_e\text{-}eno}_{\mathcal{A}^U}) = 1]\big|.$$
Let $\mathcal{W} \subset \mathcal{Z} \times \mathcal{K}_\lambda \times \mathcal{C}$ be the set for which $\Pr[(Z, C^*, K^*) \in \mathcal{W}, V^{q_e\text{-}eno}_{\mathcal{A}^U}] - \Pr[(Z, C^*, U_{\mathcal{K}_\lambda}) \in \mathcal{W}, V^{q_e\text{-}eno}_{\mathcal{A}^U}]$ is maximized, and define $F_{\mathcal{A}^U}(\cdot)$ to be 1 only if its input is in $\mathcal{W}$. From the definition of the statistical distance (1), it is easy to see that
$$\mathsf{Adv}^{ikind\text{-}atk}_{\mathsf{iKEM}, \mathcal{A}^U}(\lambda, q_e) \le \max_{F_{\mathcal{A}^U}} \big|\Pr[F_{\mathcal{A}^U}(Z, C^*, K^*, V^{q_e\text{-}eno}_{\mathcal{A}^U}) = 1] - \Pr[F_{\mathcal{A}^U}(Z, C^*, U_{\mathcal{K}_\lambda}, V^{q_e\text{-}eno}_{\mathcal{A}^U}) = 1]\big| = \mathsf{SD}\big((Z, C^*, K^*, V^{q_e\text{-}eno}_{\mathcal{A}^U}); (Z, C^*, U_{\mathcal{K}_\lambda}, V^{q_e\text{-}eno}_{\mathcal{A}^U})\big) \le \sigma. \quad \blacksquare$$

Corollary 1. The iKEM in Definition 9 is IND-OT secure if and only if
$$\mathsf{SD}\big((Z, C^*, K^*); (Z, C^*, U_{\mathcal{K}_\lambda})\big) \le \sigma, \qquad (5)$$
where the random variables $Z$ and $(C^*, K^*)$ correspond to $z$ and the pair of challenge ciphertext and key $(c^*, k^*)$, respectively.

Proof. The proof follows from Lemma 2, noting that for IND-OT security no query is allowed for the adversary and $v^{q_e\text{-}eno}_{\mathcal{A}}$ is empty. $\blacksquare$

B. DEM in Preprocessing Model
Hybrid encryption in preprocessing model will use the DEMdefinition Definition 6 with security notions as in Defintion 7,and defined against a computationally “B”ounded adversarythat will be denoted by A B . C. Hybrid Encryption using iKEM
Hybrid encryption in the preprocessing model uses private samples of correlated variables as the key material of an iKEM with information-theoretic security (against an unbounded attacker $A_U$), together with a DEM with computational security (against a bounded attacker $A_B$), and provides a computationally secure encryption system.

Definition 11. [Hybrid Encryption (HE) in Preprocessing Model] Let $iKEM = (iKEM.Gen, iKEM.Enc, iKEM.Dec)$ and $DEM = (DEM.Enc, DEM.Dec)$ be an iKEM and a DEM defined with the same security parameter $\lambda$ and the same key space $KeySp(\lambda) = K_\lambda$ for each $\lambda$. The hybrid encryption scheme in the preprocessing model, denoted $HE_{iKEM,DEM} = (HE.Gen, HE.Enc, HE.Dec)$, is defined from the iKEM and the DEM as follows.

Algo $HE.Gen(1^\lambda)$:
  $(x, y, z) \xleftarrow{\$} iKEM.Gen(1^\lambda, D)$
  Return $(x, y, z)$

Algo $HE.Enc(x, m)$:
  $(c_1, k) \xleftarrow{\$} iKEM.Enc(x)$
  $c_2 \leftarrow DEM.Enc(k, m)$
  Return $(c_1, c_2)$

Algo $HE.Dec(y, c_1, c_2)$:
  $k \leftarrow iKEM.Dec(y, c_1)$
  if $k = \bot$, Return $\bot$
  $m \leftarrow DEM.Dec(c_2, k)$
  Return $m$

Fig. 2: Information theoretic hybrid encryption
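The following Python program is an added example, not code from the paper: it instantiates the three algorithms of Fig. 2 with the OW-SKA-based iKEM of Construction 1 (Section IV), so that the whole pipeline, including the $\bot$ path of $HE.Dec$, can be run on constructed samples. Everything the paper leaves open is an assumption here and labelled as such in the code: the correlated source (x uniform, y and z obtained through independent binary symmetric channels), the typical set $T(X \mid y)$ taken as a Hamming ball of radius $\nu$, the illustrative universal hash family, a SHA-256 counter-mode keystream standing in for AES-CTR as the deterministic DEM, and toy parameters that do not satisfy the bounds of Theorems 3 and 4.

```python
"""Toy instantiation of the hybrid scheme of Fig. 2 with the OW-SKA-based iKEM of
Construction 1 (Section IV).  Added example, not the paper's code; every item
marked 'assumption' is chosen here for illustration and is not fixed by the paper."""
import hashlib
import itertools
import random

# Constructed parameters: NOT claimed to satisfy Theorems 3/4, only small enough
# that Bob's candidate set T(X|y) can be enumerated in Python.
N_BITS = 64        # n': length of Alice's sample x
T_BITS = 24        # t: output length of h_s (the tag inside the ciphertext)
L_BITS = 16        # ell: output length of h'_{s'} (the encapsulated key)
NU = 3             # T(X|y) = Hamming ball of radius NU around y (BSC-like source)
P = (1 << 61) - 1  # Mersenne prime > 2^N_BITS, modulus of the hash family below

def uhash(seed, x, out_bits):
    """h_{(a,b)}(x) = ((a*x + b) mod P) mod 2^out_bits.  Assumption: an illustrative
    universal hash family standing in for the paper's strongly universal h_s, h'_{s'}."""
    a, b = seed
    return ((a * x + b) % P) & ((1 << out_bits) - 1)

def sample_seed(rng):
    return (rng.randrange(1, P), rng.randrange(P))

def ikem_gen(rng, p_bob=0.02, p_eve=0.25):
    """iKEM.Gen: x uniform; y and z are x through independent binary symmetric
    channels, Bob's being the less noisy one (assumption about the source)."""
    x = rng.getrandbits(N_BITS)
    def noise(p):
        return sum(1 << i for i in range(N_BITS) if rng.random() < p)
    return x, x ^ noise(p_bob), x ^ noise(p_eve)

def ikem_enc(x, rng):
    """iKEM.Enc: c = (h_s(x), s', s), k = h'_{s'}(x), fresh seeds on every call."""
    s, s1 = sample_seed(rng), sample_seed(rng)
    return (uhash(s, x, T_BITS), s1, s), uhash(s1, x, L_BITS)

def ikem_dec(y, c):
    """iKEM.Dec: the unique x-hat in T(X|y) with h_s(x-hat) = g, else bottom (None)."""
    g, s1, s = c
    match = None
    for r in range(NU + 1):
        for flips in itertools.combinations(range(N_BITS), r):
            cand = y
            for i in flips:
                cand ^= 1 << i
            if uhash(s, cand, T_BITS) == g:
                if match is not None:
                    return None      # two candidates match the tag: refuse, never guess
                match = cand
    return None if match is None else uhash(s1, match, L_BITS)

def dem_keystream(k, nbytes):
    """Assumption: SHA-256 in counter mode stands in for AES-CTR so the example
    needs no third-party package; it is deterministic, as the paper's DEM is."""
    out, ctr, kb = b"", 0, k.to_bytes(L_BITS // 8, "big")
    while len(out) < nbytes:
        out += hashlib.sha256(b"toy-dem|" + kb + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:nbytes]

def dem_enc(k, m):
    return bytes(a ^ b for a, b in zip(m, dem_keystream(k, len(m))))

dem_dec = dem_enc  # XOR keystream: decryption is the same operation

def he_enc(x, m, rng):
    """HE.Enc of Fig. 2: a fresh iKEM key for every message (the 'variable key')."""
    c1, k = ikem_enc(x, rng)
    return c1, dem_enc(k, m)

def he_dec(y, c1, c2):
    """HE.Dec of Fig. 2: propagate bottom from the iKEM instead of decrypting."""
    k = ikem_dec(y, c1)
    return None if k is None else dem_dec(k, c2)

def he_roundtrip(x, y_receiver, m, seed=3):
    """Encrypt m under Alice's sample x and decrypt with the receiver's sample."""
    rng = random.Random(seed)
    return he_dec(y_receiver, *he_enc(x, m, rng))

def success_rate(x, y, m, trials, seed=7):
    """Fraction of round trips that recover m; fails only on a tag collision in T(X|y)."""
    rng = random.Random(seed)
    return sum(he_dec(y, *he_enc(x, m, rng)) == m for _ in range(trials)) / trials

if __name__ == "__main__":
    rng = random.Random(2024)
    x, y, z = ikem_gen(rng)
    msg = b"constructed sample message"   # constructed input
    c1, c2 = he_enc(x, msg, rng)
    print("Bob:", he_dec(y, c1, c2))      # msg, unless y carries more than NU errors
    print("Eve:", he_dec(z, c1, c2))      # None: z lies far outside Bob's search radius
```

Two details of the decapsulation matter in practice and are visible in the code: Bob outputs a key only when exactly one candidate in $T(X \mid y)$ matches the $t$-bit tag (a second match yields $\bot$ rather than a guess), and a receiver whose sample has more errors than $\nu$ gets $\bot$ because $x$ is simply not in its candidate set.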
Remark 1. A hybrid encryption scheme in the preprocessing model uses private samples, so access to the encryption oracle (CPA) corresponds to an attack in which the attacker sees the output of the encryption system on messages of its choice. Each call to the $HE.Enc_x(\cdot)$ oracle uses the same private sample $x$ but a freshly generated DEM key. This differs from the encryption oracle in the DEM definition, where the secret key used to encrypt the data is fixed.

We consider three security notions for hybrid encryption in the preprocessing model, depending on the attacker's access to the encryption and decryption oracles. Unlike the traditional definitions of security in the computational setting, where the number of queries can grow with the input size of the algorithm ($\lambda$), we consider a fixed number of queries. This is because the security of the iKEM is defined for a fixed number of queries. Security against adversaries with a fixed number of queries has also been considered in computational cryptography, for instance to obtain concrete constructions [40], [41]. The scheme parameters will depend on the number of oracle accesses.

We define the one-time attack, denoted IND-OT, for an attacker with no oracle access (a passive attacker), in line with the OT notion for DEMs. We also define IND-$q_p$-vCPA (indistinguishability against "variable key" chosen plaintext attack), where the attacker has access to a fixed number $q_p$ of encryption queries to the $HE.Enc_x(\cdot)$ oracle; "variable key" emphasizes that the DEM key is freshly generated in each query. Decryption queries are defined as in HPKE, against the decryption oracle $HE.Dec_y(\cdot)$. Finally, we define IND-$q_c$-CCA security of hybrid encryption in the preprocessing model, where the attacker has access to a total of $q_c$ oracle queries to $HE.Enc_x(\cdot)$ and $HE.Dec_y(\cdot)$ (the encryption and decryption oracles).

Definition 12.
[IND-OT, IND-$q_p$-vCPA, IND-$q_c$-CCA security of hybrid encryption in preprocessing model] Let $HE_{iKEM,DEM} = (HE.Gen, HE.Enc, HE.Dec)$ be a hybrid encryption scheme in the preprocessing model using an iKEM $iKEM = (iKEM.Gen, iKEM.Enc, iKEM.Dec)$ and a DEM $DEM = (DEM.Enc, DEM.Dec)$. Let $A_B = (A_{B1}, A_{B2})$ be a computationally bounded adversary. For $q \in \{q_p, q_c\}$, $atk \in \{ot, q_p\text{-}vcpa, q_c\text{-}cca\}$ and $\lambda \in \mathbb{N}$, let
$$\mathrm{Adv}^{ind\text{-}atk}_{HE, A_B}(\lambda, q) \triangleq \Big|\Pr\big[(x,y,z) \leftarrow HE.Gen(1^\lambda);\ (st, m_0, m_1) \xleftarrow{\$} A_{B1}^{O_{enc}(\cdot), O_{dec}(\cdot)}(z);\ b \xleftarrow{\$} \{0,1\};\ (c_1^*, k) \xleftarrow{\$} iKEM.Enc(x);\ c_2^* \leftarrow DEM.Enc(k, m_b);\ A_{B2}^{O_{enc}(\cdot), O_{dec}(\cdot)}(c_1^*, c_2^*, st) = b\big] - \tfrac{1}{2}\Big|,$$
where the oracles available in each attack are:

  atk          | $O_{enc}(\cdot)$    | $O_{dec}(\cdot)$
  ot           | $\varepsilon$       | $\varepsilon$
  $q_p$-vcpa   | $HE.Enc_x(\cdot)$   | $\varepsilon$
  $q_c$-cca    | $HE.Enc_x(\cdot)$   | $HE.Dec_y(\cdot)$

($\varepsilon$ denotes no oracle access.) A hybrid encryption scheme $HE_{iKEM,DEM}$ in the preprocessing model is $\sigma$-IND-ATK for $q \in \{q_p, q_c\}$ and $ATK \in \{OT, q_p\text{-}vCPA, q_c\text{-}CCA\}$ if for all adversaries $A_B$, $\mathrm{Adv}^{ind\text{-}atk}_{HE, A_B}(\lambda, q) \le \sigma$.

The following composition theorem for hybrid encryption shows that an IND-OT secure iKEM and an IND-OT secure DEM give an IND-OT secure HE, and that a $q$-EnO secure iKEM and an IND-OT secure DEM give a $q$-vCPA secure HE.

Theorem 2 (IND-ATK iKEM + IND-OT DEM $\Rightarrow$ IND-ATK HE). For a security parameter $\lambda \in \mathbb{N}$, let DEM be a computationally $\sigma'$-IND-OT secure DEM, and let iKEM be an information-theoretically secure, $\epsilon$-correct, $\sigma$-IND-ATK secure iKEM with $ATK \in \{OT, q\text{-}EnO\}$; assume iKEM and DEM have compatible key spaces $KeySP(\lambda) = K_\lambda$. Then the hybrid encryption scheme $HE_{iKEM,DEM}$ is a computationally IND-ATK' secure hybrid encryption scheme in the preprocessing model against a computationally bounded adversary $A_B = (A_{B1}, A_{B2})$, with
$$\mathrm{Adv}^{ind\text{-}atk'}_{HE, A_B}(\lambda, q) \le \epsilon + \sigma + \sigma',$$
where $ATK' = OT$ for $ATK = OT$, and $ATK' = q\text{-}vCPA$ for $ATK = q\text{-}EnO$.

Proof. a) $ATK = OT$: For a sample $sam = (x, y, z)$ generated by $iKEM.Gen$, define the set of bad keys generated by $iKEM.Enc$ as
$$BK_{sam} = \{\, k = iKEM.Enc(x).key \,:\, iKEM.Dec(y, c) \ne k \,\},$$
i.e. the keys that Bob fails to recover from the corresponding ciphertext $c$. By the correctness of iKEM, $\Pr[k \in BK_{sam}] \le \epsilon$ over the randomness of $iKEM.Enc$. We define two experiments:
$$EXP_0:\ \Pr\big[(x,y,z) \xleftarrow{\$} HE.Gen(1^\lambda);\ (st, m_0, m_1) \xleftarrow{\$} A_{B1}(z);\ b \xleftarrow{\$} \{0,1\};\ (c_1^*, k) \xleftarrow{\$} iKEM.Enc(x);\ c_2^* \leftarrow DEM.Enc(k, m_b);\ A_{B2}(c_1^*, c_2^*, st) = b\big],$$
$$EXP_1:\ \Pr\big[(x,y,z) \xleftarrow{\$} HE.Gen(1^\lambda);\ (st, m_0, m_1) \xleftarrow{\$} A_{B1}(z);\ b \xleftarrow{\$} \{0,1\};\ (c_1^*, \cdot) \xleftarrow{\$} iKEM.Enc(x);\ k \xleftarrow{\$} K_\lambda;\ c_2^* \leftarrow DEM.Enc(k, m_b);\ A_{B2}(c_1^*, c_2^*, st) = b\big],$$
so that $EXP_1$ differs from $EXP_0$ only in replacing the encapsulated key by a uniformly random key of $K_\lambda$. We have
$$\Pr[EXP_0] \le \Pr[k \notin BK_{sam}] \cdot \Pr[EXP_0 \mid k \notin BK_{sam}] + \Pr[k \in BK_{sam}].$$
Using $\Pr[k \notin BK_{sam}] \le 1$ and $\Pr[k \in BK_{sam}] \le \epsilon$, this gives
$$\Pr[EXP_0] \le \Pr[EXP_0 \mid k \notin BK_{sam}] + \epsilon.$$
Since DEM is $\sigma'$-IND-OT secure against the computationally bounded adversary $A_B$, and in $EXP_1$ the DEM key is uniform and used for a single encryption, Definition 6 gives
$$\Pr[EXP_1] - \tfrac{1}{2} \le \sigma'. \quad (6)$$
On the other hand, the iKEM key is $\sigma$-IND-OT secure: any distinguisher between the encapsulated key and a uniform key, given $(z, c_1^*)$, has advantage at most $\sigma$, even if it is computationally unbounded. $A_B$ combined with $DEM.Enc$ is such a distinguisher, so
$$\big|\Pr[EXP_0 \mid k \notin BK_{sam}] - \Pr[EXP_1]\big| \le \mathrm{Adv}^{ikind\text{-}ot}_{iKEM, A_B}(\lambda) \le \mathrm{Adv}^{ikind\text{-}ot}_{iKEM, A_U}(\lambda) \le \sigma, \quad (7)$$
where $A_U$ denotes a computationally unbounded and $A_B$ a computationally bounded adversary. From (6) and (7),
$$\mathrm{Adv}^{ind\text{-}ot}_{HE, A_B}(\lambda) = \Pr[EXP_0] - \tfrac{1}{2} \le \epsilon + \sigma + \sigma'.$$

b) $ATK = q\text{-}vCPA$: The proof is the same as part (a), noting that every query of the adversary to the encryption oracle is answered by a fresh call to the encapsulation algorithm of the iKEM followed by the deterministic DEM encryption; hence the $q$ encryption-oracle responses give the adversary no more than $q$ responses of the iKEM's encapsulation oracle (EnO). We have $\mathrm{Adv}^{ind\text{-}q\text{-}vcpa}_{HE, A_B}(\lambda, q) \le \epsilon + \sigma + \sigma'$. $\square$

IV. A CONSTRUCTION OF IKEM

A OW-SKA with the security definition given in Definition 2 is an IND-OT secure iKEM (Corollary 1), and so by Theorem 2 results in an IND-OT secure HE. This is the weakest security notion for encryption systems. Stronger security is obtained when the iKEM is secure against an adversary with access to the encapsulation oracle (i.e. $q$-EnO). In this section we build on an existing construction of OW-SKA [17], whose security satisfies Definition 3, to construct an iKEM with IND-$q$-EnO security. The analysis of that protocol provides a lower bound on the key length (finite-length analysis). As shown below, providing IND-$q$-EnO security for an iKEM based on this protocol requires a longer initial string.

Construction 1.
The iKEM $iKEM_{OWSKA} = (iKEM.Gen, iKEM.Enc, iKEM.Dec)$ has the following algorithms.

Initialization: Let $\{h_s : \mathcal{X} \to \{0,1\}^t\}_{s \in \mathcal{S}}$ and $\{h'_{s'} : \mathcal{X} \to \{0,1\}^\ell\}_{s' \in \mathcal{S}'}$ be two strongly universal hash families (UHFs). Let $\mathcal{C} = \{0,1\}^t \times \mathcal{S} \times \mathcal{S}'$ and $K_\lambda = \{0,1\}^\ell$ denote the sets of ciphertexts and keys. The relation between $t$, $\ell$ and the correctness and security parameters is given in [17, Theorem 2]; we recall these relations in Theorems 3 and 4. The three algorithms are as follows.

• $iK_{OWSKA}.Gen(1^\lambda, P_{XYZ})$: The generation algorithm chooses an appropriate $P^{n'}_{XYZ}$ from $P_{XYZ} = \{P^{n'}_{XYZ} \mid n' \in \mathbb{N}\}$ according to $\lambda$, samples the distribution to obtain the triplet $x$, $y$ and $z$ of correlated samples, and privately gives them to Alice, Bob and Eve, respectively. That is, $(x, y, z) \xleftarrow{\$} iK_{OWSKA}.Gen(1^\lambda, P_{XYZ})$.

• $iK_{OWSKA}.Enc(x)$: The encapsulation algorithm samples seeds $s' \xleftarrow{\$} \mathcal{S}'$ and $s \xleftarrow{\$} \mathcal{S}$ for the strongly universal hash functions, and generates the key $k = h'_{s'}(x)$ and the ciphertext $c = (h_s(x), s', s)$. Thus
$$(c, k) = \big((h_s(x), s', s),\ h'_{s'}(x)\big) \xleftarrow{\$} iK_{OWSKA}.Enc(x).$$

• $iK_{OWSKA}.Dec(y, c)$: The decapsulation algorithm takes Bob's private input $y$ and the ciphertext $c = (h_s(x), s', s)$ as inputs, and outputs the key $h'_{s'}(x)$ or $\bot$; that is, $k = h'_{s'}(x) \leftarrow iK_{OWSKA}.Dec\big(y, (h_s(x), s', s)\big)$. It works as follows. Parse the received ciphertext as $(g, s', s)$, where $g$ is a $t$-bit string. Define the set
$$T(X \mid y) \triangleq \{\, x : -\log P^{n'}_{X|Y}(x \mid y) \le \nu \,\}. \quad (8)$$
For each vector $x \in T(X \mid y)$, check whether $g = h_s(x)$. Output $\hat{x}$ if it is the unique value of $x$ that satisfies $g = h_s(\hat{x})$; else output $\bot$. The value of $\nu$ depends on the correlation between $x$ and $y$: higher correlation corresponds to a smaller $\nu$ and a smaller set of candidates (see Theorem 1 for the precise relationship). If successful, the decapsulation algorithm outputs the key $k = h'_{s'}(\hat{x})$; otherwise it outputs $\bot$.

For a given correlation between the RVs $X$, $Y$ and $Z$, measured by the average conditional min-entropies $\tilde{H}_\infty(X \mid Y)$ and $\tilde{H}_\infty(X \mid Z)$, Theorem 3 gives the minimum ciphertext length that bounds the error probability of the protocol by $\epsilon$, and, for a given ciphertext length, the maximum number of key bits that can be established using the iKEM when the adversary is not allowed any queries (to the encapsulation or decapsulation oracles), such that the advantage of any computationally unbounded adversary is bounded by $\sigma$. Note that, in contrast to [17], here we are not interested in achieving the secrecy capacity of the setting; for a simpler presentation we skip the last round of "entropy smoothing" [42] in deriving the relations between the scheme parameters, and use min-entropy instead of Shannon entropy as the measure of correlation between Alice's and Bob's random variables.

Theorem 3. [17, Theorem 2] The iKEM $iKEM_{OWSKA}$ is $\epsilon$-correct and $\sigma$-IND-OT secure if the output length $t$ of the hash function $h_s(\cdot)$ satisfies $t \ge H_\infty(X \mid Y)/\epsilon - \log\epsilon - $, and the length $\ell$ of the key established by the iKEM satisfies
$$\ell \le \tilde{H}_\infty(X \mid Z) - t + 2\log\sigma + 2.$$

IND-OT secure iKEMs can be made $q_e$-bounded EnO secure as long as the EnO queries do not reveal all the information about the key. For this, one bounds the amount of information leaked by the $q_e$ queries and then removes that leakage from the key. This is done by applying privacy amplification [43] (in particular, universal hashing) to the key generated by the iKEM protocol. In Theorem 4 we take an IND-OT secure iKEM and convert it to a $q_e$-bounded EnO secure iKEM using this technique.

Theorem 4.
Any key established by the iKEM $iKEM_{OWSKA}$ with length
$$\ell \le \frac{2\log\sigma_e + \tilde{H}_\infty(X \mid Z)}{q_e + 1} - t - \log(q_e/\sigma_e)$$
is $2\sigma_e$-indistinguishable against an adversary with access to $q_e$ encapsulation queries ($2\sigma_e$-bounded EnO).

Proof. Each query to the encapsulation oracle gives the adversary a matching pair of ciphertext and key $(c, k)$. The vector $v^{q_e\text{-}eno}_A = (v^{eno}_1, \ldots, v^{eno}_{q_e})$ of responses to the EnO queries reveals information about $X$. Write the $i$-th response as $v^{eno}_i = (c_i, k_i)$ with $c_i = (g_i, s'_i, s_i)$, where $s_i$ and $s'_i$ are the values of the seeds $S$ and $S'$ (in $h_S(X)$ and $h'_{S'}(X)$) used in that response and $g_i = h_{s_i}(x)$. The remaining uncertainty about $X$ after this response, which is what can still be used for key extraction, is $H_\infty(X \mid Z, V^{eno}_i = v^{eno}_i)$. From [32, Lemma 2.2(b)], for $G_i \in \{0,1\}^t$ and $K_i \in \{0,1\}^\ell$ (the seeds are independent of $X$ and cost no entropy),
$$\tilde{H}_\infty(X \mid Z, G_i, K_i) \ge \tilde{H}_\infty(X \mid Z) - t - \ell,$$
and from [32, Lemma 2.2(a)],
$$H_\infty(X \mid Z, G_i = g_i, K_i = k_i) \ge \tilde{H}_\infty(X \mid Z, G_i, K_i) - \log(1/\delta)$$
with probability at least $1 - \delta$ over the choice of $(g_i, k_i)$. Let $\delta = \sigma_e / q_e$. Thus
$$H_\infty(X \mid Z, V^{eno}_1 = v^{eno}_1) \ge \tilde{H}_\infty(X \mid Z) - t - \ell - \log(q_e/\sigma_e) \quad (9)$$
with probability at least $1 - \sigma_e/q_e$. This is the adversary's uncertainty about $X$ after one query to the encapsulation oracle, so each query decreases the remaining min-entropy of $X$ by at most $t + \ell + \log(q_e/\sigma_e)$, with probability at least $1 - \sigma_e/q_e$. Thus, after $q_e$ queries,
$$H_\infty(X \mid Z, V^{q_e\text{-}eno}_A = v^{q_e\text{-}eno}_A) \ge \tilde{H}_\infty(X \mid Z) - q_e\big(t + \ell + \log(q_e/\sigma_e)\big)$$
with probability at least $(1 - \sigma_e/q_e)^{q_e}$. Since from Lemma 1
$$SD\big((Z, h_S(X), S, S', h'_{S'}(X));\ (Z, h_S(X), S, S', U_\ell)\big) \le \sqrt{2^{\,t + \ell - \tilde{H}_\infty(X \mid Z)}}, \quad (10)$$
we have, writing $S_{q_e+1}, S'_{q_e+1}$ for the seeds of the challenge,
$$SD\Big(\big(Z, S_{q_e+1}, S'_{q_e+1}, h_S(X), h'_{S'}(X), v^{q_e\text{-}eno}\big);\ \big(Z, S_{q_e+1}, S'_{q_e+1}, h_S(X), U_\ell, v^{q_e\text{-}eno}\big)\Big) \le \sqrt{2^{\,(q_e+1)(t + \ell + \log(q_e/\sigma_e)) - \tilde{H}_\infty(X \mid Z)}}$$
with probability $(1 - \sigma_e/q_e)^{q_e}$. The condition $\ell \le \frac{2\log\sigma_e + \tilde{H}_\infty(X \mid Z)}{q_e + 1} - t - \log(q_e/\sigma_e)$ is equivalent to $(q_e+1)\big(t + \ell + \log(q_e/\sigma_e)\big) - \tilde{H}_\infty(X \mid Z) \le 2\log\sigma_e$, so the statistical distance above is bounded by $\sigma_e$ with probability $(1 - \sigma_e/q_e)^{q_e}$, and by 1 otherwise. Thus
$$SD\Big(\big(Z, S, S', h_S(X), h'_{S'}(X), v^{q_e\text{-}eno}_A\big);\ \big(Z, S, S', h_S(X), U_\ell, v^{q_e\text{-}eno}_A\big)\Big) \le (1 - \sigma_e/q_e)^{q_e}\,\sigma_e + \big(1 - (1 - \sigma_e/q_e)^{q_e}\big)\cdot 1 \overset{(1)}{\le} \sigma_e + \sigma_e = 2\sigma_e,$$
where inequality (1) holds because $(1 - \sigma_e/q_e)^{q_e} \le 1$ and $1 - (1 - \sigma_e/q_e)^{q_e} \le \sigma_e$ by Bernoulli's inequality, which states that for $t \ge 1$ and $0 \le x \le 1$, $xt \ge 1 - (1-x)^t$ (here $x = \sigma_e/q_e$ and $t = q_e$). Finally, for $C^* = (h_S(X), S', S)$, inequality (4) is satisfied with bound $2\sigma_e$; that is, we have $2\sigma_e$-indistinguishability against $q_e$ EnO queries. $\square$
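To see concretely why Theorem 4 divides the available min-entropy by $q_e + 1$, the following added Python example (not from the paper) runs a toy instance of Construction 1 and counts how many members of Eve's candidate set remain consistent with her view after each encapsulation-oracle response. Assumptions, labelled in the code: a specific illustrative universal hash family, a Hamming-ball typical set $T(X \mid z)$ for a BSC-like source, and constructed values for $x$ and $z$. The toy parameters deliberately violate the theorem's bound on $\ell$, so that the roughly $t + \ell$ bits carried by each $(c_i, k_i)$ pair pin $x$ down after a handful of queries; counting candidates is the combinatorial shadow of the min-entropy loss $t + \ell + \log(q_e/\sigma_e)$ per query in the proof.

```python
"""Leakage through encapsulation-oracle (EnO) responses, on a toy instance of
Construction 1.  Added example, not the paper's code; parameters are constructed
and deliberately violate the bound on ell in Theorem 4."""
import itertools
import random

N_BITS, T_BITS, L_BITS = 16, 4, 2   # n', t, ell (tiny so Eve's set is enumerable)
EVE_RADIUS = 4                      # T(X|z): Hamming ball around z (BSC-like source)
P = (1 << 31) - 1                   # Mersenne prime > 2^N_BITS

def uhash(seed, x, out_bits):
    """Assumption: illustrative universal hash ((a*x + b) mod P) mod 2^out_bits,
    standing in for the paper's strongly universal families h_s and h'_{s'}."""
    a, b = seed
    return ((a * x + b) % P) & ((1 << out_bits) - 1)

def eno_response(x, rng):
    """One EnO query: Alice runs iKEM.Enc(x); the adversary sees the pair (c, k)."""
    s = (rng.randrange(1, P), rng.randrange(P))
    s1 = (rng.randrange(1, P), rng.randrange(P))
    return (uhash(s, x, T_BITS), s1, s), uhash(s1, x, L_BITS)

def hamming_ball(center, radius, n):
    """All n-bit strings within Hamming distance `radius` of `center`."""
    for r in range(radius + 1):
        for flips in itertools.combinations(range(n), r):
            cand = center
            for i in flips:
                cand ^= 1 << i
            yield cand

def consistent_candidates(z, responses):
    """Members of T(X|z) that reproduce every observed (h_s(x), h'_{s'}(x)) pair:
    Eve's remaining uncertainty about x, measured by counting instead of entropy."""
    return [cand for cand in hamming_ball(z, EVE_RADIUS, N_BITS)
            if all(uhash(s, cand, T_BITS) == g and uhash(s1, cand, L_BITS) == k
                   for (g, s1, s), k in responses)]

def leakage_profile(x, z, q_max, seed=11):
    """Candidate counts after 0, 1, ..., q_max EnO queries.  Each response carries
    t + ell bits, so the count shrinks by about 2^(t+ell) per query until only x is left."""
    rng = random.Random(seed)
    responses, profile = [], [len(consistent_candidates(z, []))]
    for _ in range(q_max):
        responses.append(eno_response(x, rng))
        profile.append(len(consistent_candidates(z, responses)))
    return profile

if __name__ == "__main__":
    x = 0b1011001110001101                     # constructed sample of Alice
    z = x ^ 0b1000100010001000                  # Eve's sample: 4 bit errors
    print(leakage_profile(x, z, 5))             # starts at |T(X|z)| = 2517, ends at 1
```

The first entry of the profile is the full size of Eve's typical set, $\sum_{r \le 4} \binom{16}{r} = 2517$; every further entry is the number of candidates that survive one more $(c_i, k_i)$ pair. With $t + \ell = 6$ bits per response the set collapses to $\{x\}$ within a few queries, which is exactly the situation the $(q_e+1)$ denominator and the per-query entropy loss in Theorem 4 are designed to rule out: an iKEM that is IND-OT secure at a given $\ell$ is not automatically secure once the adversary may observe encapsulations.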
V. CONCLUDING REMARKS

In this work we formalized the KEM/DEM paradigm in the preprocessing model. The formalization relies on defining an iKEM that encapsulates information-theoretic keys. We showed that the key generated by an iKEM scheme can be safely used in computational DEMs (such as AES). The security of the combined scheme depends on the security of the iKEM key against well-defined attacks (OT, EnO and CCA), which model information leakage to the adversary through the encryption or decryption algorithms. We initiated the study of this new paradigm; our work can be extended under the more general frameworks discussed below.
On the composability of iKEM: Informally, the correctness and security conditions of an iKEM can be rephrased in a composable framework such as the UC framework [44] or the Constructive Cryptography framework [18] as follows: the iKEM constructs a shared secret key (the ideal world) from resources (correlated randomness in the preprocessing phase) and an authenticated communication channel (the real world), such that the two worlds are indistinguishable even for a computationally unbounded environment. We show this by combining the correctness and indistinguishability conditions into a single bound on the statistical distance between the random variables of the two worlds:

Lemma 3. For an $\epsilon$-correct, $\sigma$-IND-OT iKEM as in Definition 9, let $KeySP = K_\lambda$, let $k_A$ and $k_B$ be the keys obtained by Alice and Bob, and let $K_A$ and $K_B$ be the corresponding random variables; that is, $iKEM.Enc(x).key = k_A$ and $iKEM.Dec(y, c) = k_B$. Then
$$SD\big((Z, C^*, K_A, K_B);\ (Z, C^*, U_{K_\lambda}, U_{K_\lambda})\big) \le \sigma + \epsilon. \quad (11)$$
We show this for an IND-OT iKEM; the proof for IND-EnO security is the same.

Proof. A $\sigma$-IND-OT iKEM satisfies
$$SD\big((Z, C^*, K_A);\ (Z, C^*, U_{K_\lambda})\big) \le \sigma \ \Rightarrow\ SD\big((Z, C^*, K_A, K_A);\ (Z, C^*, U_{K_\lambda}, U_{K_\lambda})\big) \le \sigma, \quad (12)$$
since duplicating the last component on both sides does not change the statistical distance. On the other hand, by the correctness condition $K_A \ne K_B$ with probability at most $\epsilon$, so
$$SD\big((Z, C^*, K_A, K_A);\ (Z, C^*, K_A, K_B)\big) \le \epsilon. \quad (13)$$
Finally, (12), (13) and the triangle inequality give (11). $\square$

A computationally unbounded HE:
In Section III we studied the security of the hybrid encryption scheme in the preprocessing model against a computationally bounded adversary. Security against an unbounded adversary can be achieved by encrypting messages under the key from an iKEM scheme using a symmetric encryption scheme that is secure against a computationally unbounded adversary (to verify this, let the adversary in Theorem 2 be computationally unbounded). Shannon's one-time pad (OTP) is the only deterministic symmetric encryption scheme that is secure against a computationally unbounded adversary. Although in this work we assumed that the DEM used in the construction of the hybrid encryption scheme is deterministic, this condition can be relaxed to extend the application of the iKEM key to other information-theoretic symmetric encryption schemes. Probabilistic information-theoretic symmetric key encryption schemes are proposed in [45], [46], [47].

Remark 2. The composability of these schemes has not been studied (in particular, the composability of [45] is an open problem), but if they are shown to be composable, the iKEM key can be used in them to construct an HE scheme that is secure against a computationally unbounded adversary.

REFERENCES

[1] NIST, "Announcing the Advanced Encryption Standard (AES),"
Federal Information Processing Standards Publication 197, 2001.
[2] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[3] E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.3," Internet Engineering Task Force, Internet-Draft draft-ietf-tls-rfc8446bis-00, Oct. 2020, work in progress. [Online]. Available: https://datatracker.ietf.org/doc/html/draft-ietf-tls-rfc8446bis-00
[4] B. Harris and L. Velvindron, "Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol," RFC 8709, Feb. 2020. [Online]. Available: https://rfc-editor.org/rfc/rfc8709.txt
[5] R. Barnes, K. Bhargavan, B. Lipp, and C. A. Wood, "Hybrid Public Key Encryption," Internet Engineering Task Force, Internet-Draft draft-irtf-cfrg-hpke-07, Dec. 2020, work in progress. [Online]. Available: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hpke-07
[6] P. W. Shor, "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer," SIAM Journal on Computing, vol. 26, no. 5, pp. 1484–1509, Oct. 1997.
[7] D. J. Bernstein, C. Chuengsatiansup, T. Lange, and C. van Vredendaal, "NTRU Prime," IACR Cryptol. ePrint Arch., vol. 2016, p. 461, 2016.
[8] J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, J. M. Schanck, P. Schwabe, G. Seiler, and D. Stehlé, "CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM," IEEE, 2018, pp. 353–367.
[9] N. Aragon, P. Barreto, S. Bettaieb, L. Bidoux, O. Blazy, J.-C. Deneuville, P. Gaborit, S. Gueron, T. Güneysu, C. A. Melchor et al., "BIKE: Bit Flipping Key Encapsulation," 2017.
[10] C. A. Melchor, N. Aragon, S. Bettaieb, L. Bidoux, O. Blazy, J.-C. Deneuville, P. Gaborit, E. Persichetti, G. Zémor, and I.-C. Bourges, "Hamming Quasi-Cyclic (HQC)," NIST PQC Round, vol. 2, pp. 4–13, 2018.
[11] Y. Ishai, E. Kushilevitz, S. Meldgaard, C. Orlandi, and A. Paskin-Cherniavsky, "On the power of correlated randomness in secure computation," in Theory of Cryptography Conference. Springer, 2013, pp. 600–620.
[12] R. Ahlswede and I. Csiszár, "Common randomness in information theory and cryptography. I. Secret sharing," IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121–1132, Jul. 1993.
[13] U. M. Maurer, "Secret key agreement by public discussion from common information," IEEE Trans. Inf. Theory, vol. 39, no. 3, pp. 733–742, May 1993.
[14] T. Holenstein and R. Renner, "One-Way Secret-Key Agreement and Applications to Circuit Polarization and Immunization of Public-Key Encryption," in Lecture Notes in Computer Science, 2005, pp. 478–493.
[15] T. Holenstein, "Strengthening key agreement using hard-core sets," Ph.D. dissertation, ETH Zurich, 2006.
[16] X. Bonnetain, M. Naya-Plasencia, and A. Schrottenloher, "Quantum security analysis of AES," IACR Transactions on Symmetric Cryptology, vol. 2019, no. 2, pp. 55–93, 2019.
[17] S. Sharifian, A. Poostindouz, and R. Safavi-Naini, "A capacity-achieving one-way key agreement with improved finite blocklength analysis," in Proceedings of ISITA 2020. IEEE, 2020.
[18] U. Maurer, "Constructive cryptography: a new paradigm for security definitions and proofs," in Joint Workshop on Theory of Security and Applications. Springer, 2011, pp. 33–56.
[19] M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim, "The universal composable security of quantum key distribution," in Theory of Cryptography Conference. Springer, 2005, pp. 386–406.
[20] R. Renner and R. König, "Universally composable privacy amplification against quantum adversaries," in Theory of Cryptography Conference. Springer, 2005, pp. 407–425.
[21] K. Kurosawa and Y. Desmedt, "A new paradigm of hybrid encryption scheme," in Annual International Cryptology Conference. Springer, 2004, pp. 426–442.
[22] J. Herranz, D. Hofheinz, and E. Kiltz, "The Kurosawa-Desmedt key encapsulation is not chosen-ciphertext secure," IACR Cryptol. ePrint Arch., vol. 2006, p. 207, 2006.
[23] M. Abe, R. Gennaro, K. Kurosawa, and V. Shoup, "Tag-KEM/DEM: A new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM," in Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2005, pp. 128–146.
[24] H. Shacham, "A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants," IACR Cryptol. ePrint Arch., vol. 2007, p. 74, 2007.
[25] J. Herranz, D. Hofheinz, and E. Kiltz, "KEM/DEM: Necessary and sufficient conditions for secure hybrid encryption," Manuscript in preparation, 2006.
[26] R. Renner and S. Wolf, "Simple and Tight Bounds for Information Reconciliation and Privacy Amplification," B. Roy, Ed. Chennai, India: Springer Berlin Heidelberg, 2005, pp. 199–216.
[27] J. M. Renes, R. Renner, and D. Sutter, "Efficient one-way secret-key agreement and private channel coding via polarization," in International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2013, pp. 194–213.
[28] R. A. Chou, M. R. Bloch, and E. Abbe, "Polar Coding for Secret-Key Generation," IEEE Trans. Inf. Theory, vol. 61, no. 11, pp. 6213–6237, Nov. 2015. [Online]. Available: http://ieeexplore.ieee.org/document/7217814/
[29] D. Beaver, "Efficient multiparty protocols using circuit randomization," in Annual International Cryptology Conference. Springer, 1991, pp. 420–432.
[30] R. Bendlin, I. Damgård, C. Orlandi, and S. Zakarias, "Semi-homomorphic encryption and multiparty computation," in Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2011, pp. 169–188.
[31] U. Maurer, "Information-theoretically secure secret-key agreement by not authenticated public discussion," in International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 1997, pp. 209–225.
[32] Y. Dodis, L. Reyzin, and A. Smith, "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," in International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2004, pp. 523–540.
[33] N. Nisan and D. Zuckerman, "Randomness is linear in space," Journal of Computer and System Sciences, vol. 52, no. 1, pp. 43–52, 1996.
[34] R. Impagliazzo, L. A. Levin, and M. Luby, "Pseudo-random generation from one-way functions," in Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing. ACM, 1989, pp. 12–24.
[35] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," SIAM Journal on Computing, vol. 38, no. 1, pp. 97–139, Jan. 2008. [Online]. Available: https://epubs.siam.org/doi/10.1137/060651380
[36] M. N. Wegman and J. L. Carter, "New hash functions and their use in authentication and set equality," Journal of Computer and System Sciences, vol. 22, no. 3, pp. 265–279, 1981.
[37] V. Shoup, "A proposal for an ISO standard for public key encryption (version 2.1)," IACR ePrint Archive, vol. 112, 2001.
[38] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway, "A concrete security treatment of symmetric encryption," in Proceedings 38th Annual Symposium on Foundations of Computer Science. IEEE, 1997, pp. 394–403.
[39] U. Maurer, K. Pietrzak, and R. Renner, "Indistinguishability amplification," in Annual International Cryptology Conference. Springer, 2007, pp. 130–149.
[40] R. Cramer, G. Hanaoka, D. Hofheinz, H. Imai, E. Kiltz, R. Pass, A. Shelat, and V. Vaikuntanathan, "Bounded CCA2-secure encryption," in International Conference on the Theory and Application of Cryptology and Information Security. Springer, 2007, pp. 502–518.
[41] B. Fuller, A. O'Neill, and L. Reyzin, "A unified approach to deterministic encryption: New constructions and a connection to computational entropy," Journal of Cryptology, vol. 28, no. 3, pp. 671–717, 2015.
[42] T. Holenstein and R. Renner, "On the Randomness of Independent Experiments," IEEE Trans. Inf. Theory, vol. 57, no. 4, pp. 1865–1871, Apr. 2011.
[43] C. H. Bennett, G. Brassard, and J.-M. Robert, "Privacy amplification by public discussion," SIAM Journal on Computing, vol. 17, no. 2, pp. 210–229, 1988.
[44] R. Canetti, "Universally composable security: A new paradigm for cryptographic protocols," in Proceedings 42nd IEEE Symposium on Foundations of Computer Science. IEEE, 2001, pp. 136–145.
[45] Y. Dodis and A. Smith, "Entropic Security and the Encryption of High Entropy Messages," in Theory of Cryptography Conference. Springer, 2005, pp. 556–577.
[46] A. Russell and H. Wang, "How to fool an unbounded adversary with a short key," IEEE Transactions on Information Theory, vol. 52, no. 3, pp. 1130–1140, 2006.
[47] S. Sharifian and R. Safavi-Naini, "A modular semantically secure wiretap code with shared key for weakly symmetric channels," in 2019 IEEE Information Theory Workshop (ITW)