[go: up one dir, main page]

What a lovely hat

Is it made out of tin foil?

Paper 2021/844

A note on IND-qCCA security in the ROM and its applications: CPA security is sufficient for TLS 1.3

Loïs Huguenin-Dumittan
Serge Vaudenay
Abstract

Bounded IND-CCA security (IND-qCCA) is a notion similar to the traditional IND-CCA security, except the adversary is restricted to a constant number q of decryption/decapsulation queries. We show in this work that IND-qCCA is easily obtained from any passively secure PKE in the (Q)ROM. That is, simply adding a confirmation hash or computing the key as the hash of the plaintext and ciphertext holds an IND-qCCA KEM. In particular, there is no need for derandomization or re-encryption as in the Fujisaki-Okamoto (FO) transform. This makes the decapsulation process of such IND-qCCA KEM much more efficient than its FO-derived counterpart. In addition, IND-qCCA KEMs could be used in the recently proposed KEMTLS protocol [ACM CCS 2020] that requires IND-1CCA ephemeral key-exchange mechanisms or in TLS 1.3. Then, using similar proof techniques, we show that CPA-secure KEMs are sufficient for the TLS 1.3 handshake to be secure, solving an open problem in the ROM. In turn, this implies that the PRF-ODH assumption used to prove the security of TLS 1.3 is not necessary and can be replaced by the CDH assumption in the ROM. We also highlight and briefly discuss several use cases of IND-1CCA KEMs in protocols and ratcheting primitives.

Metadata
Available format(s)
PDF
Publication info
A major revision of an IACR publication in EUROCRYPT 2022
Contact author(s)
lois huguenin-dumittan @ epfl ch
serge vaudenay @ epfl ch
History
2022-12-16: last of 2 revisions
2021-06-21: received
See all versions
Short URL
https://ia.cr/2021/844
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/844,
      author = {Loïs Huguenin-Dumittan and Serge Vaudenay},
      title = {A note on {IND}-{qCCA} security in the {ROM} and its applications: {CPA} security is sufficient for {TLS} 1.3},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/844},
      year = {2021},
      url = {https://eprint.iacr.org/2021/844}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.