Paper 2024/1360

CPA-secure KEMs are also sufficient for Post-Quantum TLS 1.3

Biming Zhou, Fudan University
Haodong Jiang, Henan Key Laboratory of Network Cryptography Technology, Zhengzhou, 450001, Henan, China
Yunlei Zhao, Fudan University
Abstract

In the post-quantum migration of TLS 1.3, ephemeral Diffie-Hellman must be replaced with a post-quantum key encapsulation mechanism (KEM). At EUROCRYPT 2022, Huguenin-Dumittan and Vaudenay [EC:HugVau22] demonstrated that KEMs with standard CPA security are sufficient for the security of the TLS 1.3 handshake. However, their result is only proven in the random oracle model (ROM), and, as the authors comment, their reduction is very much non-tight and not sufficient to guarantee security in practice due to the $O(q^6)$-loss, where $q$ is the number of the adversary's queries to the random oracles. Moreover, in order to analyze the post-quantum security of the TLS 1.3 handshake with a KEM, it is necessary to consider security in the quantum ROM (QROM). Therefore, they leave the tightness improvement of their ROM proof and the QROM proof of such a result as an interesting open question. In this paper, we resolve this problem. We improve the ROM proof in [EC:HugVau22] from an $O(q^6)$-loss to an $O(q)$-loss with standard CPA-secure KEMs, which can be directly obtained from the underlying public-key encryption (PKE) scheme in CRYSTALS-Kyber. Moreover, we show that if the KEMs are constructed from rigid deterministic PKE schemes such as the ones in Classic McEliece and NTRU, this $O(q)$-loss can be further improved to an $O(1)$-loss. Hence, our reductions are sufficient to guarantee security in practice. According to our results, a CPA-secure KEM (which is more concise and efficient than the currently used CCA/1CCA-secure KEM) can be directly employed to construct a post-quantum TLS 1.3. Furthermore, we lift our ROM result into the QROM and prove for the first time that CPA-secure KEMs are also sufficient for the post-quantum TLS 1.3 handshake. In particular, the techniques introduced to improve reduction tightness in this paper may be of independent interest.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
A minor revision of an IACR publication in ASIACRYPT 2024
Keywords
TLS1.3, tightness, QROM, KEM-TLS
Contact author(s)
bmzhou22 @ m fudan edu cn
hdjiang13 @ 163 com
History
2024-09-25: last of 4 revisions
2024-08-29: received
Short URL
https://ia.cr/2024/1360
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1360,
      author = {Biming Zhou and Haodong Jiang and Yunlei Zhao},
      title = {{CPA}-secure {KEMs} are also sufficient for Post-Quantum {TLS} 1.3},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1360},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1360}
}