Paper 2024/1454

Interval Key-Encapsulation Mechanism

Alexander Bienstock, J.P. Morgan AI Research and J.P. Morgan AlgoCRYPT CoE
Yevgeniy Dodis, New York University
Paul Rösler, FAU Erlangen-Nürnberg
Daniel Wichs, Northeastern University, NTT Research
Abstract

Forward-Secure Key-Encapsulation Mechanism (FS-KEM; Canetti et al. Eurocrypt 2003) allows Alice to encapsulate a key $k$ to Bob for some time $t$ such that Bob can decapsulate it at any time $t'\leq t$. Crucially, a corruption of Bob's secret key after time $t$ does not reveal $k$. In this work, we generalize and extend this idea by also taking Post-Compromise Security (PCS) into account and call the result Interval Key-Encapsulation Mechanism (IKEM). Thus, we not only protect the confidentiality of previous keys against future corruptions but also the confidentiality of future keys against past corruptions. For this, Bob can regularly renew his secret key and inform others about the corresponding public key. IKEM enables Bob to decapsulate keys sent to him over an interval of time extending into the past, in case senders have not obtained his latest public key; forward security only needs to hold with respect to keys encapsulated before this interval. This basic IKEM variant can be instantiated based on standard KEM, which we prove to be optimal in terms of assumptions as well as ciphertext and key sizes. We also extend this notion of IKEM to settings in which Bob decapsulates (much) later than Alice encapsulates (e.g., in high-latency or segmented networks): if a third user Charlie forwards Alice's ciphertext to Bob and, additionally, knows a recently renewed public key of Bob's, Charlie can re-encrypt the ciphertext for better PCS. We call this extended notion IKEMR. Our first IKEMR construction, based on trapdoor permutations, has (almost) constant-sized ciphertexts in the number of re-encryptions; our second IKEMR construction, based on FS-PKE, has constant-sized public keys in the interval size.
Finally, to bypass our lower bound on the IKEM(R) secret key size, which must be linear in the interval size, we develop a new Interval RAM primitive with which Bob stores only a constant-sized part of his secret key locally, while outsourcing the rest to a (possibly adversarial) server. For all our constructions, we achieve security against active adversaries. For this, we obtain new insights on Replayable CCA security for KEM-type primitives, which might be of independent interest.
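The sliding-window construction below is an added illustration of the basic IKEM variant, not code from the paper: it assumes the simplest way to instantiate IKEM from a standard KEM (one KEM key pair per epoch, keeping only the last `window` of them, so the secret state is linear in the interval size) and uses hashed Diffie-Hellman over the RFC 3526 group-14 prime as a stand-in base KEM. The names (`IntervalReceiver`, `ikem_encap`, `adversary_decap`, `run_scenario`) and the corruption timeline in `run_scenario` are constructed for the example. It shows the three behaviours the abstract describes: a ciphertext from before the interval is unrecoverable even after corruption (forward security), a ciphertext for a stale key inside the interval still decapsulates (and is also exposed by a corruption inside that interval), and a ciphertext for a renewed key is safe from an earlier corruption (PCS).

```python
"""Sliding-window Interval KEM on top of a plain KEM (illustrative, not the paper's scheme)."""
import hashlib
import os

# RFC 3526 group 14 (2048-bit MODP prime, generator 2).  The base KEM is hashed
# Diffie-Hellman over this group and only stands in for "any standard KEM".
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def _rand_exp():
    return int.from_bytes(os.urandom(32), "big") + 1


def _kdf(shared, c):
    # Bind the derived key to the ciphertext as well as to the DH shared value.
    return hashlib.sha256(shared.to_bytes(256, "big") + c.to_bytes(256, "big")).digest()


def kem_keygen():
    sk = _rand_exp()
    return sk, pow(G, sk, P)


def kem_encap(pk):
    r = _rand_exp()
    c = pow(G, r, P)
    return c, _kdf(pow(pk, r, P), c)


def kem_decap(sk, c):
    return _kdf(pow(c, sk, P), c)


class IntervalReceiver:
    """Bob: keeps KEM secret keys for the `window` most recent epochs only."""

    def __init__(self, window):
        self.window = window
        self.epoch = 0
        self.sks = {}          # epoch -> KEM secret key; never more than `window` entries

    def renew(self):
        """Start a new epoch with a fresh key pair; returns (epoch, pk) for Bob to announce."""
        self.epoch += 1
        sk, pk = kem_keygen()
        self.sks[self.epoch] = sk
        # Forward security comes from erasure: drop every key that left the interval.
        for old in [e for e in self.sks if e <= self.epoch - self.window]:
            del self.sks[old]
        return self.epoch, pk

    def decap(self, ct):
        """Decapsulate only if the ciphertext's epoch is still inside the interval."""
        epoch, c = ct
        sk = self.sks.get(epoch)
        return None if sk is None else kem_decap(sk, c)


def ikem_encap(epoch, pk):
    """Alice: encapsulate under the (possibly stale) public key announced for `epoch`."""
    c, k = kem_encap(pk)
    return (epoch, c), k


def adversary_decap(stolen_sks, ct):
    """What a one-time corruption of Bob's state lets the adversary recover later."""
    epoch, c = ct
    return None if epoch not in stolen_sks else kem_decap(stolen_sks[epoch], c)


def run_scenario(window=2):
    """Constructed timeline; returns which decapsulations succeed (True) or fail (False)."""
    r = {}
    bob = IntervalReceiver(window)
    announced = {}                                   # stand-in for Bob's public-key announcements
    announced.update([bob.renew()])                  # epoch 1
    ct_old, k_old = ikem_encap(1, announced[1])      # Alice encapsulates during epoch 1
    announced.update([bob.renew()])                  # epoch 2
    announced.update([bob.renew()])                  # epoch 3: sk_1 is erased (window = 2)
    stolen = dict(bob.sks)                           # adversary corrupts Bob at epoch 3
    r["bob_old"] = bob.decap(ct_old) == k_old        # False: epoch 1 left the interval
    r["adv_old"] = adversary_decap(stolen, ct_old) == k_old        # False: forward security
    ct_stale, k_stale = ikem_encap(2, announced[2])  # sender that only has pk_2
    r["bob_stale"] = bob.decap(ct_stale) == k_stale  # True: epoch 2 still inside the interval
    r["adv_stale"] = adversary_decap(stolen, ct_stale) == k_stale  # True: corrupted interval is lost
    announced.update([bob.renew()])                  # epoch 4: Bob renews after the compromise
    ct_new, k_new = ikem_encap(4, announced[4])
    r["bob_new"] = bob.decap(ct_new) == k_new        # True
    r["adv_new"] = adversary_decap(stolen, ct_new) == k_new        # False: post-compromise security
    r["stored_keys"] = len(bob.sks)                  # == window: secret state linear in interval size
    return r
```

Two caveats a practitioner should keep in mind. First, the base KEM here is only hashed DH with no ciphertext validity check, so it demonstrates the epoch bookkeeping, not the active (Replayable CCA) security the paper targets; for that the base KEM must be CCA-secure and the epoch number must be bound to the ciphertext rather than carried as a mutable label. Second, the `adv_stale` row is the trade-off the abstract describes: within the interval, Bob deliberately keeps old keys so that senders with stale public keys are still served, which means a corruption exposes every key of that interval; only keys before the interval (erased) and after the next renewal (fresh) are protected. Charlie's re-encryption (IKEMR) and the Interval RAM outsourcing are not modelled.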

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
A major revision of an IACR publication in ASIACRYPT 2024
Keywords
FS-PKE
FS-KEM
Forward Security
Post-Compromise Security
Forward Secrecy
Interval KEM
Interval RAM
Contact author(s)
alex bienstock @ jpmchase com
dodis @ cs nyu edu
paul roesler @ fau de
wichs @ ccs neu edu
History
2024-09-18: approved
2024-09-17: received
Short URL
https://ia.cr/2024/1454
License
Creative Commons Attribution-ShareAlike
CC BY-SA

BibTeX

@misc{cryptoeprint:2024/1454,
      author = {Alexander Bienstock and Yevgeniy Dodis and Paul Rösler and Daniel Wichs},
      title = {Interval Key-Encapsulation Mechanism},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1454},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1454}
}