The Pre-Shared Key Modes of HPKE

  • Conference paper
  • Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023)

Abstract

The Hybrid Public Key Encryption (HPKE) standard was recently published as RFC 9180 by the Crypto Forum Research Group (CFRG) of the Internet Research Task Force (IRTF). The RFC specifies an efficient public key encryption scheme, combining asymmetric and symmetric cryptographic building blocks.

Out of HPKE’s four modes, two have already been formally analyzed by Alwen et al. (EUROCRYPT 2021). This work considers the remaining two modes: \(\textsf{HPKE}_\textsf{PSK}\) and \(\textsf{HPKE}_\textsf{AuthPSK}\). Both of them are “pre-shared key” modes that assume the sender and receiver hold a symmetric pre-shared key. We capture the schemes with two new primitives which we call pre-shared key public-key encryption (\(\textsf{pskPKE}\)) and pre-shared key authenticated public-key encryption (\(\textsf{pskAPKE}\)). We provide formal security models for \(\textsf{pskPKE}\) and \(\textsf{pskAPKE}\) and prove (via general composition theorems) that the two modes \(\textsf{HPKE}_\textsf{PSK}\) and \(\textsf{HPKE}_\textsf{AuthPSK}\) offer active security (in the sense of insider privacy and outsider authenticity) under the Gap Diffie-Hellman assumption.
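The mechanical core of both pre-shared key modes is how the PSK and its identifier enter HPKE's key schedule (RFC 9180, Section 5.1): the KEM shared secret is the salt and the PSK is the input keying material of the "secret" extraction, and the PSK identifier is hashed into the key schedule context. The following Python implementation of that key schedule and its PSK input validation is an added example, not code from the paper or from any HPKE library. It assumes the ciphersuite DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM, takes the KEM shared secret as an already computed input, and covers the input-validation rules for all four modes rather than only the two PSK modes; the shared secret, PSK and info values in `demo()` are constructed.

```python
import hashlib
import hmac

# HPKE constants from RFC 9180 (Sections 5 and 7). Ciphersuite assumed here:
# DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM.
MODE_BASE, MODE_PSK, MODE_AUTH, MODE_AUTH_PSK = 0x00, 0x01, 0x02, 0x03
KEM_ID, KDF_ID, AEAD_ID = 0x0020, 0x0001, 0x0001
NK, NN, NH = 16, 12, 32   # AEAD key length, AEAD nonce length, KDF hash length
SUITE_ID = (b"HPKE" + KEM_ID.to_bytes(2, "big")
            + KDF_ID.to_bytes(2, "big") + AEAD_ID.to_bytes(2, "big"))
DEFAULT_PSK, DEFAULT_PSK_ID = b"", b""


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256; an empty salt is zero-padded by HMAC."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    """LabeledExtract: binds the HPKE version string and ciphersuite into the IKM."""
    return hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)


def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    """LabeledExpand: prefixes the output length, version and suite onto the info."""
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    return hkdf_expand(prk, labeled_info, length)


def verify_psk_inputs(mode: int, psk: bytes, psk_id: bytes) -> None:
    """VerifyPSKInputs (RFC 9180, Section 5.1): a PSK and its identifier must be
    given together, only in the PSK modes, and never in Base/Auth mode."""
    got_psk = psk != DEFAULT_PSK
    got_psk_id = psk_id != DEFAULT_PSK_ID
    if got_psk != got_psk_id:
        raise ValueError("Inconsistent PSK inputs")
    if got_psk and mode in (MODE_BASE, MODE_AUTH):
        raise ValueError("PSK input provided when not needed")
    if not got_psk and mode in (MODE_PSK, MODE_AUTH_PSK):
        raise ValueError("Missing required PSK input")
    # Added guard, not part of the RFC's pseudocode: the RFC requires the PSK to
    # carry at least 32 bytes of entropy and says it SHOULD be at least Nh bytes long.
    if got_psk and len(psk) < NH:
        raise ValueError("PSK shorter than Nh bytes")


def key_schedule(mode: int, shared_secret: bytes, info: bytes,
                 psk: bytes = DEFAULT_PSK, psk_id: bytes = DEFAULT_PSK_ID) -> dict:
    """KeySchedule (RFC 9180, Section 5.1). The KEM shared secret is the salt and the
    PSK is the IKM of the 'secret' extraction, so a wrong or missing PSK yields an
    unrelated AEAD key even when the KEM output is identical."""
    verify_psk_inputs(mode, psk, psk_id)
    psk_id_hash = labeled_extract(b"", b"psk_id_hash", psk_id)
    info_hash = labeled_extract(b"", b"info_hash", info)
    key_schedule_context = bytes([mode]) + psk_id_hash + info_hash
    secret = labeled_extract(shared_secret, b"secret", psk)
    return {
        "key": labeled_expand(secret, b"key", key_schedule_context, NK),
        "base_nonce": labeled_expand(secret, b"base_nonce", key_schedule_context, NN),
        "exporter_secret": labeled_expand(secret, b"exp", key_schedule_context, NH),
    }


def psk_inputs_accepted(mode: int, psk: bytes, psk_id: bytes) -> bool:
    """True if VerifyPSKInputs accepts the combination, False if it rejects it."""
    try:
        verify_psk_inputs(mode, psk, psk_id)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Derive Base-mode and PSK-mode contexts from one constructed KEM shared secret."""
    shared_secret = bytes(range(32))                        # constructed stand-in for the KEM output
    info = b"constructed application info"
    psk = hashlib.sha256(b"constructed demo psk").digest()  # 32-byte constructed PSK
    psk_id = b"constructed-psk-id"
    return {
        "base": key_schedule(MODE_BASE, shared_secret, info),
        "psk": key_schedule(MODE_PSK, shared_secret, info, psk, psk_id),
    }


if __name__ == "__main__":
    for name, ctx in demo().items():
        print(name, {k: v.hex() for k, v in ctx.items()})
```

Running `demo()` shows that the same KEM shared secret produces unrelated AEAD keys in Base and PSK mode, which is the property the PSK modes rely on: a party holding only the KEM output but not the PSK learns nothing about the traffic key. To check the functions against a real ciphersuite, feed them the `shared_secret`, `info`, `psk` and `psk_id` fields of the test vectors in Appendix A of RFC 9180 and compare the derived `key`, `base_nonce` and `exporter_secret`.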

We furthermore explore possible post-quantum secure instantiations of the HPKE standard and propose new solutions based on lattices and isogenies. Moreover, we show how HPKE’s basic \(\textsf{HPKE}_\textsf{PSK}\) and \(\textsf{HPKE}_\textsf{AuthPSK}\) modes can be used black-box in a simple way to build actively secure post-quantum/classic-hybrid (authenticated) encryption schemes. Our hybrid constructions provide a cheap and easy path towards a practical post-quantum secure drop-in replacement for the basic HPKE modes \(\textsf{HPKE}_\textsf{Base}\) and \(\textsf{HPKE}_\textsf{Auth}\).


Notes

  1. https://irtf.org/cfrg.

  2. To prevent confusion we do explicitly call this notion insider secure and only use the term “insider” if it is possible to the (asymmetric) secret key of a sender. See also the security definition of the \(\textsf{pskAPKE}\).

References

  1. Alwen, J., Blanchet, B., Hauck, E., Kiltz, E., Lipp, B., Riepel, D.: Analysing the HPKE standard. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 87–116. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_4

  2. Anastasova, M., Kampanakis, P., Massimo, J.: PQ-HPKE: post-quantum hybrid public key encryption. IACR Cryptology ePrint Archive, p. 414 (2022). https://eprint.iacr.org/2022/414

  3. Barnes, R., Beurdouche, B., Robert, R., Millican, J., Omara, E., Cohn-Gordon, K.: The Messaging Layer Security (MLS) Protocol. Internet-Draft draft-ietf-mls-protocol-20, Internet Engineering Task Force (2023, work in progress). https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/20/

  4. Barnes, R.L., Bhargavan, K., Lipp, B., Wood, C.A.: Hybrid public key encryption. RFC 9180, RFC Editor (2022). https://www.rfc-editor.org/rfc/rfc9180.html

  5. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41

  6. Bellare, M., Rogaway, P.: Code-based game-playing proofs and the security of triple encryption. Cryptology ePrint Archive, Report 2004/331 (2004). https://eprint.iacr.org/2004/331

  7. Bellare, M., Tackmann, B.: The multi-user security of authenticated encryption: AES-GCM in TLS 1.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 247–276. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_10

  8. Bos, J., et al.: CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 353–367. IEEE (2018)

  9. Cramer, R., Shoup, V.: SIAM Journal on Computing

  10. Dent, A.W., Zheng, Y. (eds.): Practical Signcryption. Information Security and Cryptography. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-540-89411-7

  11. Ducas, L., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR TCHES 2018(1), 238–268 (2018). https://doi.org/10.13154/tches.v2018.i1.238-268. https://tches.iacr.org/index.php/TCHES/article/view/839

  12. Duman, J., Hartmann, D., Kiltz, E., Kunzweiler, S., Lehmann, J., Riepel, D.: Group action key encapsulation and non-interactive key exchange in the QROM. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part II. LNCS, vol. 13792, pp. 36–66. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-22966-4_2

  13. Freire, E.S.V., Hofheinz, D., Kiltz, E., Paterson, K.G.: Non-interactive key exchange. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 254–271. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_17

  14. Gajland, P., de Kock, B., Quaresma, M., Malavolta, G., Schwabe, P.: Swoosh: practical lattice-based non-interactive key exchange. Cryptology ePrint Archive (2023)

  15. Geoghegan, T., Patton, C., Rescorla, E., Wood, C.A.: Distributed Aggregation Protocol for Privacy Preserving Measurement. Internet-Draft draft-ietf-ppm-dap-04, Internet Engineering Task Force (2023, work in progress). https://datatracker.ietf.org/doc/draft-ietf-ppm-dap/04/

  16. Kinnear, E., McManus, P., Pauly, T., Verma, T., Wood, C.A.: Oblivious DNS over HTTPS. RFC 9230, RFC Editor (2022). https://doi.org/10.17487/RFC9230. https://www.rfc-editor.org/info/rfc9230

  17. Langley, A., Hamburg, M., Turner, S.: Elliptic curves for security. RFC 7748, RFC Editor (2016). https://www.rfc-editor.org/rfc/rfc7748.html

  18. Len, J., Grubbs, P., Ristenpart, T.: Partitioning oracle attacks. In: Bailey, M., Greenstadt, R. (eds.) USENIX Security 2021, pp. 195–212. USENIX Association (2021)

  19. National Institute of Standards and Technology: Digital Signature Standard (DSS). FIPS Publication 186-4 (2013). https://doi.org/10.6028/nist.fips.186-4

  20. Paterson, K.G., van der Merwe, T.: Reactive and proactive standardisation of TLS. In: Chen, L., McGrew, D., Mitchell, C. (eds.) SSR 2016. LNCS, vol. 10074, pp. 160–186. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49100-4_7

  21. Rescorla, E., Oku, K., Sullivan, N., Wood, C.A.: TLS Encrypted Client Hello. Internet-Draft draft-ietf-tls-esni-16, Internet Engineering Task Force (2023, work in progress). https://datatracker.ietf.org/doc/draft-ietf-tls-esni/16/

  22. Zheng, Y.: Digital signcryption or how to achieve cost(signature & encryption) \(\ll \) cost(signature) + cost(encryption). In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 165–179. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052234


Acknowledgements

The authors thank the anonymous reviewers for pointing out an error in our NIKE construction and an error in one of our proofs. They also thank Doreen Riepel for very helpful feedback and discussions. Jonas Janneck was supported by the European Union (ERC AdG REWORC - 101054911). Eike Kiltz was supported by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy – EXC 2092 CASA - 390781972, and by the European Union (ERC AdG REWORC - 101054911).

Author information

Correspondence to Joël Alwen .


Copyright information

© 2023 International Association for Cryptologic Research


Cite this paper

Alwen, J., Janneck, J., Kiltz, E., Lipp, B. (2023). The Pre-Shared Key Modes of HPKE. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14443. Springer, Singapore. https://doi.org/10.1007/978-981-99-8736-8_11


  • DOI: https://doi.org/10.1007/978-981-99-8736-8_11


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8735-1

  • Online ISBN: 978-981-99-8736-8

