International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

On IND-qCCA security in the ROM and its applications: CPA security is sufficient for TLS 1.3

Authors:
Loïs Huguenin-Dumittan , EPFL
Serge Vaudenay , EPFL
Download:
Search ePrint
Search Google
Presentation: Slides
Conference: EUROCRYPT 2022
Abstract: Bounded IND-CCA security (IND-qCCA) is a notion similar to the traditional IND-CCA security, except the adversary is restricted to a constant number q of decryption/decapsulation queries. We show in this work that IND-qCCA is easily obtained from any passively secure PKE in the (Q)ROM. That is, simply adding a confirmation hash or computing the key as the hash of the plaintext and ciphertext holds an IND-qCCA KEM. In particular, there is no need for derandomization or re-encryption as in the Fujisaki-Okamoto (FO) transform (JoC 2013). This makes the decapsulation process of such IND-qCCA KEM much more efficient than its FO-derived counterpart. In addition, IND-qCCA KEMs could be used in the recently proposed KEMTLS protocol (ACM CCS 2020) that requires IND-1CCA ephemeral key-exchange mechanisms or in TLS 1.3. Then, using similar proof techniques, we show that CPA-secure KEMs are sufficient for the TLS 1.3 handshake to be secure, solving an open problem in the ROM. In turn, this implies that the PRF-ODH assumption used to prove the security of TLS 1.3 is not necessary in the ROM. We also highlight and briefly discuss several use cases of IND-1CCA KEMs in protocols and ratcheting primitives.
Video from EUROCRYPT 2022
BibTeX
@inproceedings{eurocrypt-2022-31881,
  title={On IND-qCCA security in the ROM and its applications: CPA security is sufficient for TLS 1.3},
  publisher={Springer-Verlag},
  author={Loïs Huguenin-Dumittan and Serge Vaudenay},
  year=2022
}