
A Designer’s Guide to KEMs


- Involve two keys: a public key and a private key.
- Alice wants to send a message to Bob.
- Alice encrypts the message using Bob’s public key.
- Bob decrypts the message using his private key.

- Tremendously convenient (if we ignore the need for a PKI).

- Slow for both encryption and decryption.
- Usually only work with short messages.

“An asymmetric cipher that combines both asymmetric and symmetric cryptographic techniques.”

- ISO/IEC 18033-2

- Randomly generate a symmetric key.
- Encrypt the message using that symmetric key and some symmetric technique.
- Encrypt the symmetric key using an asymmetric technique.
- Send both parts to Bob.

- Decrypt the asymmetric ciphertext to recover the random symmetric key.
- Decrypt the symmetric part using the newly decrypted random symmetric key.
- Hybrid ciphers can cope with long messages and are not much slower than traditional asymmetric ciphers.

- The technique has been used for years (in PGP, SSL/TLS and IPSec).

- Can be done badly (see “Why textbook ElGamal and RSA encryption are insecure” by Boneh, Joux and Nguyen.)
- Formalised as a KEM-DEM system by Shoup.

- Formalise hybrid ciphers by splitting them into two parts:
- Asymmetric key encapsulation mechanism (KEM)
- Symmetric data encapsulation mechanism (DEM)

- KEM takes as input a public key and produces a random symmetric key of a pre-specified length and an encryption of that key.
- DEM takes as input a symmetric key and a message and outputs an encryption of that message.
- Both have specific security requirements.

[Figure: KEM-DEM block diagram. Encryption: pk → KEM → (K, C1); (K, m) → DEM → C2. Decryption: (sk, C1) → KEM → K; (K, C2) → DEM → m.]

- Indistinguishable from random (IND) in the adaptive chosen ciphertext model (CCA2).
- A KEM is secure if, given a symmetric key K and a ciphertext C produced by the KEM, no attacker can tell whether C decrypts to give K or whether K was chosen at random.
- (The attacker also gets to make queries to a KEM decryption oracle in the usual way).

- By “secure” here we mean secure in a very weak sense.
- We only assume that the encryption algorithm is secure in the OW-CPA model.

Can we build secure KEMs from secure encryption algorithms?

- Secure in the OW-CPA model means it is hard to invert a random ciphertext given only the public key.
- Two known constructions: RSA-KEM and PSEC-KEM.
- Both have security proofs based on the underlying encryption mechanism.

- Generate a random plaintext.
- Encrypt the plaintext to give a ciphertext.
- Hash the plaintext and ciphertext to give a symmetric key.

[Figure: RSA-KEM data flow. RNG → r → ENCRYPT → C; (r, C) → HASH → K.]

- Provably secure (in the random oracle model)
- However, the proof needs two extra assumptions:
- The encryption algorithm must remain secure even if the attacker is given the ability to tell the difference between valid and invalid ciphertexts.
- We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.

- Both of these conditions are fulfilled by RSA.
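The KEM-DEM hybrid from the earlier slides, instantiated with RSA-KEM exactly as just described (random plaintext r, C = r^e mod n, K = Hash(r, C)), as an added example in Python using only the standard library; it is not code from the slides or from any standard. The DEM is a stand-in of my own (a SHAKE-256 one-time keystream followed by an HMAC-SHA256 tag, encrypt-then-MAC), the RSA modulus is built from two fixed Mersenne primes as constructed toy parameters, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA parameters (two Mersenne primes, so the modulus is only
# 92 bits).  A real deployment generates a modulus of 2048 bits or more.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent
NBYTES = (N.bit_length() + 7) // 8      # fixed-width encoding of values mod N
KEY_LEN = 32                            # symmetric key length handed to the DEM
TAG_LEN = 32                            # HMAC-SHA256 tag length


def kdf(data: bytes, length: int = KEY_LEN) -> bytes:
    """The 'Hash' of the slides, instantiated with SHAKE-256."""
    return hashlib.shake_256(data).digest(length)


def rsa_kem_encap(pk=(N, E)):
    """RSA-KEM: random plaintext r, C = r^e mod n, K = Hash(r || C)."""
    n, e = pk
    r = secrets.randbelow(n - 1) + 1            # random plaintext in 1..n-1
    c = pow(r, e, n)                            # OW-CPA (textbook RSA) encryption of r
    c_bytes = c.to_bytes(NBYTES, "big")
    key = kdf(r.to_bytes(NBYTES, "big") + c_bytes)
    return key, c_bytes


def rsa_kem_decap(c_bytes: bytes, sk=(N, D)) -> bytes:
    """Invert C with the private key, then recompute K from (r, C)."""
    n, d = sk
    c = int.from_bytes(c_bytes, "big")
    if not 1 <= c < n:                          # reject malformed encapsulations
        raise ValueError("KEM ciphertext out of range")
    r = pow(c, d, n)
    return kdf(r.to_bytes(NBYTES, "big") + c_bytes)


def _dem_keys(key: bytes):
    # Domain-separate the KEM output into an encryption key and a MAC key.
    return kdf(b"enc|" + key), kdf(b"mac|" + key)


def dem_encrypt(key: bytes, message: bytes) -> bytes:
    """Toy DEM: message XOR SHAKE-256 keystream, then HMAC-SHA256 over the
    ciphertext (encrypt-then-MAC).  The keystream is one-time only: the KEM
    hands the DEM a fresh key for every message."""
    enc_key, mac_key = _dem_keys(key)
    stream = hashlib.shake_256(enc_key).digest(len(message))
    ct = bytes(m ^ s for m, s in zip(message, stream))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def dem_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only an authentic ciphertext is decrypted."""
    enc_key, mac_key = _dem_keys(key)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if len(blob) < TAG_LEN or not hmac.compare_digest(tag, expected):
        raise ValueError("DEM tag mismatch: ciphertext rejected")
    stream = hashlib.shake_256(enc_key).digest(len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def hybrid_encrypt(message: bytes, pk=(N, E)):
    """Alice: encapsulate a fresh key under Bob's public key, encrypt under it."""
    key, c1 = rsa_kem_encap(pk)
    return c1, dem_encrypt(key, message)


def hybrid_decrypt(c1: bytes, c2: bytes, sk=(N, D)) -> bytes:
    """Bob: recover the key from C1 with his private key, then decrypt C2."""
    return dem_decrypt(rsa_kem_decap(c1, sk), c2)
```

Hashing the ciphertext C into the key, as RSA-KEM does, is what keeps the checks on the encryption algorithm (the two assumptions above) in force at decapsulation time: a C that was not produced honestly still yields a key that is unrelated to any key the sender holds. The tag check in the DEM runs before any decryption, so a modified C2 is rejected rather than decrypted.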

[Figure: PSEC-KEM data flow, with blocks RNG → HASH → SPLIT → SMOOTH → ENCRYPT → C1, a second HASH → XOR → C2, and the output K.]


- Generate a random plaintext.
- Encrypt the plaintext to give a ciphertext.
- Hash the plaintext to get a checksum.
- Hash the plaintext to give a symmetric key.

[Figure: New Construction I data flow. RNG → r → ENCRYPT → C1; r → HASH → C2; r → HASH → K.]

- Provably secure (in the RO model).
- Still needs one extra assumption:
- We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.

- This condition is always satisfied if the encryption algorithm is deterministic.


- Generate a random plaintext.
- Hash the plaintext to get a string of random looking bits.
- Encrypt the plaintext using the hash code as the random coins.
- Hash that ciphertext to give a symmetric key.

[Figure: New Construction II data flow. RNG → r → HASH (random coins) → ENCRYPT → C → HASH → K.]

- Provably Secure (in the RO model).
- No need for extra assumptions but does need a formal definition of “probabilistic encryption algorithm”.
- Surprisingly, it does not work for deterministic algorithms (for those it collapses to the first known construction).

- As a practical example we will describe a new KEM that is provably as secure as factoring.
- There are already several hybrid schemes based on the difficulty of factoring (e.g. EPOC-2) but no KEMs.
- Uses New Construction I.

Let n=pq be an RSA modulus.

- Choose r in the range 1, …, n.
- Let C1 = Hash(r).
- Let C2 = r^2 mod n.
- Let K = Hash'(r).
- Output K and (C1, C2).

Let the secret key be some method of determining square roots modulo n.

- Compute the four square roots of C2: r1, r2, r3, and r4.
- If there exists exactly one ri such that Hash(ri)=C1 then output Hash’(ri).
- Otherwise output “error”.

- Provably as secure as factoring (in the random oracle model).
- Checksum helps identify correct root.
- Small chance that valid ciphertexts may be rejected.
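The factoring-based KEM above, carried through in Python as an added example (not code from the slides): encapsulation computes K = Hash'(r) and (C1, C2) = (Hash(r), r^2 mod n); decapsulation uses the factorisation of n as the "method of determining square roots", computes all four roots of C2 by CRT, and keeps the single root whose checksum matches C1, returning an error (None) otherwise, which is also what happens when C2 is not a square or when two roots share a checksum (the rare rejection of a valid ciphertext the slide mentions). The primes are constructed toy Blum primes (p ≡ q ≡ 3 mod 4, so a root modulo each prime is one exponentiation), Hash and Hash' are SHA-256 and SHAKE-256 with domain separation, and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: two Blum primes (p = q = 3 mod 4).  The modulus
# is only 92 bits; a real deployment needs primes of 1024 bits or more.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
NBYTES = (N.bit_length() + 7) // 8


def hash_checksum(r: int) -> bytes:
    """Hash of the slides: the checksum C1 that identifies the right root."""
    return hashlib.sha256(b"checksum|" + r.to_bytes(NBYTES, "big")).digest()


def hash_key(r: int, length: int = 32) -> bytes:
    """Hash' of the slides: a domain-separated KDF giving the session key."""
    return hashlib.shake_256(b"key|" + r.to_bytes(NBYTES, "big")).digest(length)


def encap(n: int = N):
    """Encapsulation under public key n: K = Hash'(r), (C1, C2) = (Hash(r), r^2 mod n)."""
    r = secrets.randbelow(n - 1) + 1          # r in 1..n-1 (r = 0 would square to 0)
    return hash_key(r), (hash_checksum(r), pow(r, 2, n))


def square_roots_mod_n(c2: int, p: int, q: int):
    """All square roots of c2 mod n = p*q: one root per Blum prime, combined by
    CRT.  Knowing p and q is the 'method of determining square roots'."""
    n = p * q
    rp = pow(c2, (p + 1) // 4, p)             # candidate root mod p
    rq = pow(c2, (q + 1) // 4, q)             # candidate root mod q
    if (rp * rp - c2) % p or (rq * rq - c2) % q:
        return []                              # c2 is not a square mod n
    q_inv = pow(q, -1, p)                      # CRT coefficients
    p_inv = pow(p, -1, q)
    roots = set()                              # a set: fewer than 4 if gcd(r, n) > 1
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            roots.add((sp * q * q_inv + sq * p * p_inv) % n)
    return sorted(roots)


def decap(c1: bytes, c2: int, p: int = P, q: int = Q):
    """Decapsulation: output Hash'(r_i) for the unique root with Hash(r_i) = C1,
    otherwise 'error' (None)."""
    n = p * q
    if not 1 <= c2 < n:                        # malformed ciphertext
        return None
    matches = [r for r in square_roots_mod_n(c2, p, q)
               if hmac.compare_digest(hash_checksum(r), c1)]
    if len(matches) != 1:                      # no root, or an ambiguous checksum
        return None
    return hash_key(matches[0])
```

The root-selection step is where the "exactly one" rule matters: returning the key for an arbitrary matching root, or for the first root when none matches, would give the attacker a decryption oracle on ciphertexts the sender never formed; returning a uniform error keeps the CCA2 argument intact.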

- KEM-DEM constructions are a promising, practical area of research.
- More efficient constructions (especially in terms of ciphertext length)?
- Specialist constructions?