The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
Key encapsulation mechanism (KEM) combiners, recently formalized by Giacon, Heuer, and Poettering (PKC'18), enable hedging against insecure KEMs or weak parameter choices by combining ingredient KEMs into a single KEM that remains secure assuming just one of the underlying ingredient KEMs is secure. This seems particularly relevant when considering quantum-resistant KEMs which are often based on arguably less well-understood hardness assumptions and parameter choices. We propose a new simple KEM combiner based on a one-time secure message authentication code (MAC) and two-time correlated input secure hash. Instantiating the correlated input secure hash with a t-wise independent hash for an appropriate value of t yields a KEM combiner based on a strictly weaker additional primitive than the standard model construction of Giacon et al. and furthermore removes the need to do n full passes over the encapsulation, where n is the number of ingredient KEMs, which Giacon et al. highlight as a disadvantage of their scheme. However, unlike Giacon et al., our construction requires the public key of the combined KEM to include a hash key, and furthermore requires a MAC tag to be added to the encapsulation of the combined KEM.
Goichiro HANAOKA
National Institute of Advanced Industrial Science and Technology (AIST)
Takahiro MATSUDA
National Institute of Advanced Industrial Science and Technology (AIST)
Jacob C. N. SCHULDT
National Institute of Advanced Industrial Science and Technology (AIST)
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Goichiro HANAOKA, Takahiro MATSUDA, Jacob C. N. SCHULDT, "A New Combiner for Key Encapsulation Mechanisms" in IEICE TRANSACTIONS on Fundamentals,
vol. E102-A, no. 12, pp. 1668-1675, December 2019, doi: 10.1587/transfun.E102.A.1668.
Abstract: Key encapsulation mechanism (KEM) combiners, recently formalized by Giacon, Heuer, and Poettering (PKC'18), enable hedging against insecure KEMs or weak parameter choices by combining ingredient KEMs into a single KEM that remains secure assuming just one of the underlying ingredient KEMs is secure. This seems particularly relevant when considering quantum-resistant KEMs which are often based on arguably less well-understood hardness assumptions and parameter choices. We propose a new simple KEM combiner based on a one-time secure message authentication code (MAC) and two-time correlated input secure hash. Instantiating the correlated input secure hash with a t-wise independent hash for an appropriate value of t yields a KEM combiner based on a strictly weaker additional primitive than the standard model construction of Giacon et al. and furthermore removes the need to do n full passes over the encapsulation, where n is the number of ingredient KEMs, which Giacon et al. highlight as a disadvantage of their scheme. However, unlike Giacon et al., our construction requires the public key of the combined KEM to include a hash key, and furthermore requires a MAC tag to be added to the encapsulation of the combined KEM.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E102.A.1668/_p
@ARTICLE{e102-a_12_1668,
author={Goichiro HANAOKA and Takahiro MATSUDA and Jacob C. N. SCHULDT},
journal={IEICE TRANSACTIONS on Fundamentals},
title={A New Combiner for Key Encapsulation Mechanisms},
year={2019},
volume={E102-A},
number={12},
pages={1668-1675},
abstract={Key encapsulation mechanism (KEM) combiners, recently formalized by Giacon, Heuer, and Poettering (PKC'18), enable hedging against insecure KEMs or weak parameter choices by combining ingredient KEMs into a single KEM that remains secure assuming just one of the underlying ingredient KEMs is secure. This seems particularly relevant when considering quantum-resistant KEMs which are often based on arguably less well-understood hardness assumptions and parameter choices. We propose a new simple KEM combiner based on a one-time secure message authentication code (MAC) and two-time correlated input secure hash. Instantiating the correlated input secure hash with a t-wise independent hash for an appropriate value of t yields a KEM combiner based on a strictly weaker additional primitive than the standard model construction of Giacon et al. and furthermore removes the need to do n full passes over the encapsulation, where n is the number of ingredient KEMs, which Giacon et al. highlight as a disadvantage of their scheme. However, unlike Giacon et al., our construction requires the public key of the combined KEM to include a hash key, and furthermore requires a MAC tag to be added to the encapsulation of the combined KEM.},
keywords={},
doi={10.1587/transfun.E102.A.1668},
ISSN={1745-1337},
month={December},}
TY - JOUR
TI - A New Combiner for Key Encapsulation Mechanisms
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 1668
EP - 1675
AU - Goichiro HANAOKA
AU - Takahiro MATSUDA
AU - Jacob C. N. SCHULDT
PY - 2019
DO - 10.1587/transfun.E102.A.1668
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E102-A
IS - 12
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - December 2019
AB - Key encapsulation mechanism (KEM) combiners, recently formalized by Giacon, Heuer, and Poettering (PKC'18), enable hedging against insecure KEMs or weak parameter choices by combining ingredient KEMs into a single KEM that remains secure assuming just one of the underlying ingredient KEMs is secure. This seems particularly relevant when considering quantum-resistant KEMs which are often based on arguably less well-understood hardness assumptions and parameter choices. We propose a new simple KEM combiner based on a one-time secure message authentication code (MAC) and two-time correlated input secure hash. Instantiating the correlated input secure hash with a t-wise independent hash for an appropriate value of t yields a KEM combiner based on a strictly weaker additional primitive than the standard model construction of Giacon et al. and furthermore removes the need to do n full passes over the encapsulation, where n is the number of ingredient KEMs, which Giacon et al. highlight as a disadvantage of their scheme. However, unlike Giacon et al., our construction requires the public key of the combined KEM to include a hash key, and furthermore requires a MAC tag to be added to the encapsulation of the combined KEM.
ER -