Figure - uploaded by Benjamin Lipp
Security notions for Authenticated Key Encapsulation Mechanisms (AKEMs)

Source publication
Conference Paper
The Hybrid Public Key Encryption (HPKE) scheme is an emerging standard currently under consideration by the Crypto Forum Research Group (CFRG) of the IETF as a candidate for formal approval. Of the four modes of HPKE, we analyse the authenticated mode HPKE_Auth in its single-shot encryption form as it contains what is, arguably, the most novel part...

... Currently in MLS, the authors require a hybrid public key encryption (HPKE) scheme, as designed in [BBLW20] (which was recently studied in [ABH+21]), composed of a KEM to transmit a symmetric key k and an AEAD encryption scheme that encrypts the data under k, as well as a key derivation function. The security of this scheme is examined in [ABH+20]. In the rest of this work, we denote by $\mathrm{Enc}_{pk}(m; r)$ the HPKE encryption of a message m under the public key pk using randomness r. ...
Secure Instant Messaging applications (such as WhatsApp or Signal) have become unavoidable means of communication in our everyday lives. These applications offer desirable security features such as end-to-end encryption, forward and post-compromise security. However, these properties are often limited to one-to-one communications. The purpose of the work presented here is to reach, in the multi-device context as well as in group messaging, an optimal level of security, as for classical one-to-one communications. On the multi-device side, we propose a Multi-Device Instant Messaging protocol, based on the Ratcheted Key Exchange used in Signal and already widely deployed in other applications. On the group side, we are interested in the Messaging Layer Security (MLS) protocol, which aims at providing a secure group messaging solution. The security of the protocol relies in particular on the possibility for any user to update the group secrets. In its current design, a flaw appears in this updating process. We propose a solution to secure the update mechanism, using Zero-Knowledge (ZK) techniques as building blocks. As a main contribution, we provide two different ZK protocols to prove knowledge of the input of a pseudorandom function implemented as a circuit, given an algebraic commitment of the output and the input.