CryptoDB
Benjamin Lipp

Publications

Year | Venue | Title
2023 | ASIACRYPT | The Pre-Shared Key Modes of HPKE
Abstract
The Hybrid Public Key Encryption (HPKE) standard was recently published as RFC 9180 by the Crypto Forum Research Group (CFRG) of the Internet Research Task Force (IRTF). The RFC specifies an efficient public key encryption scheme, combining asymmetric and symmetric cryptographic building blocks.
Out of HPKE’s four modes, two have already been formally analyzed by Alwen et al. (EUROCRYPT 2021). This work considers the remaining two modes: HPKE_PSK and HPKE_AuthPSK. Both of them are “pre-shared key” modes that assume the sender and receiver hold a symmetric pre-shared key. We capture the schemes with two new primitives which we call pre-shared key public-key encryption (pskPKE) and pre-shared key authenticated public-key encryption (pskAPKE). We provide formal security models for pskPKE and pskAPKE and prove (via general composition theorems) that the two modes HPKE_PSK and HPKE_AuthPSK offer active security (in the sense of insider privacy and outsider authenticity) under the Gap Diffie-Hellman assumption.
We furthermore explore possible post-quantum secure instantiations of the HPKE standard and propose new solutions based on lattices and isogenies. Moreover, we show how HPKE’s basic HPKE_PSK and HPKE_AuthPSK modes can be used black-box in a simple way to build actively secure post-quantum/classic-hybrid (authenticated) encryption schemes. Our hybrid constructions provide a cheap and easy path towards a practical post-quantum secure drop-in replacement for the basic HPKE modes HPKE_Base and HPKE_Auth.
2021 | EUROCRYPT | Analysing the HPKE Standard
Abstract
The Hybrid Public Key Encryption (HPKE) scheme is an emerging standard currently under consideration by the Crypto Forum Research Group (CFRG) of the IETF as a candidate for formal approval. Of the four modes of HPKE, we analyse the authenticated mode HPKE_Auth in its single-shot encryption form as it contains what is, arguably, the most novel part of HPKE.
HPKE_Auth’s intended application domain is captured by a new primitive which we call Authenticated Public Key Encryption (APKE). We provide syntax and security definitions for APKE schemes, as well as for the related Authenticated Key Encapsulation Mechanisms (AKEMs). We prove security of the AKEM scheme DH-AKEM underlying HPKE_Auth based on the Gap Diffie-Hellman assumption and provide general AKEM/DEM composition theorems with which to argue about HPKE_Auth’s security. To this end, we also formally analyse HPKE_Auth’s key schedule and key derivation functions. To increase confidence in our results we use the automatic theorem proving tool CryptoVerif. All our bounds are quantitative and we discuss their practical implications for HPKE_Auth.
As an independent contribution we propose the new framework of nominal groups that allows us to capture abstract syntactical and security properties of practical elliptic curves, including the Curve25519 and Curve448 based groups (which do not constitute cyclic groups).
Program Committees
- Crypto 2023
Coauthors
- Joël Alwen (2)
- Bruno Blanchet (1)
- Eduard Hauck (1)
- Jonas Janneck (1)
- Eike Kiltz (2)
- Benjamin Lipp (2)
- Doreen Riepel (1)