KEMTLS with Delayed Forward Identity Protection in (Almost) a Single Round Trip

Bounded IND-CCA security (IND-qCCA) is a notion similar to the traditional IND-CCA security, except the adversary is restricted to a constant number q of decryption/decapsulation queries. We show in this work that IND-qCCA is easily obtained from any passively secure PKE in the (Q)ROM. That is, simply adding a confirmation hash or computing the key as the hash of the plaintext and ciphertext holds an IND-qCCA KEM. In particular, there is no need for derandomization or re-encryption as in the Fujisaki-Okamoto (FO) transform [15]. This makes the decapsulation process of such IND-qCCA KEM much more efficient than its FO-derived counterpart. In addition, IND-qCCA KEMs could be used in the recently proposed KEMTLS protocol [29] that requires IND-1CCA ephemeral key-exchange mechanisms or in TLS 1.3. Then, using similar proof techniques, we show that CPA-secure KEMs are sufficient for the TLS 1.3 handshake to be secure, solving an open problem in the ROM. In turn, this implies that the PRF-ODH assumption used to prove the security of TLS 1.3 is not necessary and can be replaced by the CDH assumption in the ROM. We also highlight and briefly discuss several use cases of IND-1CCA KEMs in protocols and ratcheting primitives. K0 ← H(σ * ); h * ← H (σ * , ct * 0 ) K1 ←$ K ct * ← (ct * 0 , h * )

show abstract

“…The same remarks apply to the very recent variants of KEMTLS with predistributed keys proposed by Günther et al [19] and Schwabe et al [31].…”

Section: Kemtlsmentioning

confidence: 52%

“…Finally, following the KEMTLS paper [29], several recent works used the notion of IND-1CCA KEM to build secure protocols (e.g. [19,31,6]), showing the growing importance of such a notion.…”

Section: Related Workmentioning

confidence: 99%