Hybrid Obfuscated Key Exchange and KEMs


Research area: Cryptography



Venue: Annual International Cryptology Conference (CRYPTO)


Abstract

Hiding the metadata in Internet protocols serves to protect user privacy, dissuade traffic analysis, and prevent network ossification. Fully encrypted protocols require even the initial key exchange to be obfuscated: a passive observer should be unable to distinguish a protocol execution from an exchange of random bitstrings. Deployed obfuscated key exchanges such as Tor's pluggable transport protocol obfs4 are Diffie–Hellman-based, and rely on the Elligator encoding for obfuscation. Recently, Günther, Stebila, and Veitch (CCS '24) proposed a post-quantum variant pq-obfs, using a novel building block called obfuscated key encapsulation mechanisms (OKEMs): KEMs whose public keys and ciphertexts look like random bitstrings. For transitioning real-world protocols, pure post-quantum security is not enough. Many are taking a hybrid approach, combining traditional and post-quantum schemes to hedge against security failures in either component. While hybrid KEMs are already widely deployed (e.g., in TLS 1.3), existing hybridization techniques fail to provide hybrid obfuscation guarantees for OKEMs. Further, even if a hybrid OKEM existed, the pq-obfs protocol would still not achieve hybrid obfuscation. In this work, we address these challenges by presenting the first OKEM combiner that achieves hybrid IND-CCA security with hybrid ciphertext obfuscation guarantees, and using this to build Drivel, a modification of pq-obfs that is compatible with hybrid OKEMs. Our OKEM combiner allows for a variety of practical instantiations, e.g., combining obfuscated versions of DHKEM and ML-KEM.

We additionally provide techniques to achieve unconditional public key obfuscation for LWE-based OKEMs, and explore broader applications of hybrid OKEMs, including a construction of the first hybrid password-authenticated key exchange (PAKE) protocol secure against adaptive corruptions in the UC model.
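The obfuscation requirement in the abstract (public keys and ciphertexts must be indistinguishable from random bitstrings to a passive observer) is easiest to appreciate by looking at what a raw key leaks. The block below is an added example, not code from the paper, from obfs4 or from pq-obfs. It shows two cheap format tests an observer can run on unencoded X25519 and ML-KEM public keys, and then applies the Elligator2 encoding (standard Curve25519 parameters A = 486662, non-square u = 2) that obfs4 uses to make X25519 keys pass. All function names are our own; the ML-KEM-style key is a constructed stand-in with the ML-KEM-768 byte layout but random coefficients, so it exercises the encoding leak without being a real lattice key.

```python
"""Added example (not code from the paper, obfs4 or pq-obfs): why raw KEM public
keys fail the "looks like random bits" test and how Elligator2 fixes it for
X25519. Function names and the ML-KEM-style stand-in key are our own."""
import os
import secrets

P = 2**255 - 19                    # Curve25519 field prime
A = 486662                         # Montgomery coefficient: y^2 = x^3 + A x^2 + x
U = 2                              # fixed non-square used by Elligator2
SQRT_M1 = pow(2, (P - 1) // 4, P)  # sqrt(-1) mod P, needed since P = 5 mod 8
Q, N_COEFFS = 3329, 768            # ML-KEM modulus and coefficient count for k = 3

def inv(a):
    return pow(a, P - 2, P)

def is_square(a):
    return a % P == 0 or pow(a, (P - 1) // 2, P) == 1

def sqrt_mod(a):  # caller guarantees a is a square
    r = pow(a, (P + 3) // 8, P)
    return r if r * r % P == a % P else r * SQRT_M1 % P

def x25519_pubkey(sk32):
    """x-coordinate of clamp(sk) * basepoint, RFC 7748 Montgomery ladder."""
    k = (int.from_bytes(sk32, "little") & ~7 & ((1 << 255) - 1)) | (1 << 254)
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    return x2 * inv(z2) % P        # no final cswap needed: clamping zeroes bit 0

def elligator2_inverse(x, branch=None):
    """Representative r of an on-curve x, or None if x has none (about half of
    X25519 keys; obfs4 just regenerates). Both branches forward-map to x, and
    picking one at random matters: branch 0 alone would let a watcher confirm
    that f(v) is always a square, which random r only satisfies half the time."""
    if x % P == 0 or (x + A) % P == 0:
        return None
    t0 = -(x + A) * inv(U * x) % P           # r^2 if the forward map lands on v == x
    if not is_square(t0):
        return None
    if branch is None:
        branch = secrets.randbits(1)
    t = t0 if branch == 0 else -x * inv(U * (x + A)) % P   # lands on v == -x - A
    r = sqrt_mod(t)
    return min(r, P - r)                     # canonical root, always < 2^254

def elligator2_forward(r):
    """Elligator2 map: every field element r yields some curve x-coordinate."""
    v = -A * inv(1 + U * r * r) % P
    return v if is_square(v * v * v + A * v * v + v) else (-v - A) % P

def obfuscated_x25519_keypair():
    """Retry keygen until representable; the two always-zero top bits of r are
    filled with random bits so the 32-byte wire encoding is uniform."""
    while True:
        sk = os.urandom(32)
        r = elligator2_inverse(x25519_pubkey(sk))
        if r is not None:
            return sk, (r | secrets.randbits(2) << 254).to_bytes(32, "little")

def pubkey_from_representative(rep32):
    return elligator2_forward(int.from_bytes(rep32, "little") & ((1 << 254) - 1))

def looks_like_raw_x25519(b32):
    """Passive format test: a real key is an integer < P, so its top bit is 0."""
    return int.from_bytes(b32, "little") < P

def looks_like_raw_mlkem(key):
    """Passive format test: ByteEncode12 puts coefficient i in bits 12i..12i+11,
    each < Q; random bytes pass with probability (Q/4096)^768, i.e. never."""
    bits = int.from_bytes(key[: N_COEFFS * 12 // 8], "little")
    return all(((bits >> (12 * i)) & 0xFFF) < Q for i in range(N_COEFFS))

def fake_mlkem768_key():
    """Constructed stand-in with ML-KEM-768's layout (1152 bytes of packed t, then
    32 bytes rho); coefficients are random mod Q, not a real lattice key."""
    bits = sum(secrets.randbelow(Q) << (12 * i) for i in range(N_COEFFS))
    return bits.to_bytes(N_COEFFS * 12 // 8, "little") + os.urandom(32)

def elligator2_selftest(n=24):
    """Round-trip both branches over deterministic keys; returns how many of the
    2n (key, branch) pairs were representable (expect roughly n)."""
    ok = 0
    for i in range(1, n + 1):
        x = x25519_pubkey(bytes([i]) * 32)
        for branch in (0, 1):
            r = elligator2_inverse(x, branch)
            if r is not None:
                assert r < 2**254 and elligator2_forward(r) == x
                ok += 1
    return ok
```

Running `looks_like_raw_x25519` over a few hundred raw keys accepts every one of them, while it accepts about half of uniformly random 32-byte strings; the Elligator2 representatives from `obfuscated_x25519_keypair` behave like the random strings. For the ML-KEM layout the gap is starker: the 12-bit test accepts every packed key and essentially no random string, which is why the paper needs obfuscated versions of ML-KEM rather than the plain encoding. The two caveats a practitioner should take from the code are the rejection loop (roughly half of all keypairs have no representative) and the random branch choice in `elligator2_inverse`; skipping either reintroduces a bias an observer can test for.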


Authors

Shannon Veitch, Department of Computer Science, ETH Zurich, Zurich, Switzerland
Felix Günther, IBM Research Europe – Zurich, Rüschlikon, Switzerland
Michael Rosenberg, Cloudflare, New York, NY, United States

📄 Paper information

Year published: 2025
Citations: 0
Publication countries: Canada, United States, Switzerland
Site: Springer