A Designer’s Guide to KEMs


Alex Dent

[email protected]

http://www.isg.rhul.ac.uk/~alex

Asymmetric Ciphers
  • Involve two keys: a public key and a private key.
  • Alice wants to send a message to Bob.
  • Alice encrypts the message using Bob’s public key.
  • Bob decrypts the message using his private key.
Asymmetric Ciphers
  • Tremendously convenient (if we ignore the need for a PKI).
  • Slow for both encryption and decryption.
  • Usually only work with short messages.
Hybrid Ciphers

“An asymmetric cipher that combines both asymmetric and symmetric cryptographic techniques.”

- ISO/IEC 18033-2

Hybrid Ciphers
  • Randomly generate a symmetric key.
  • Encrypt the message using that symmetric key and some symmetric technique.
  • Encrypt the symmetric key using an asymmetric technique.
  • Send both parts to Bob.
Hybrid Ciphers
  • Decrypt the asymmetric ciphertext to recover the random symmetric key.
  • Decrypt the symmetric part using the newly decrypted random symmetric key.
  • Hybrid ciphers can cope with long messages and are not much slower than traditional asymmetric ciphers.
Hybrid Ciphers
  • The technique has been used for years (used in PGP, SSL/TLS, IPSec).

  • Can be done badly (see “Why textbook ElGamal and RSA encryption are insecure” by Boneh, Joux and Nguyen.)
  • Formalised as a KEM-DEM system by Shoup.
KEMs and DEMs
  • Formalise hybrid ciphers by splitting them into two parts:
    • Asymmetric key encapsulation mechanism (KEM)
    • Symmetric data encapsulation mechanism (DEM)
KEMs and DEMs
  • KEM takes as input a public key and produces a random symmetric key of a pre-specified length and an encryption of that key.
  • DEM takes as input a symmetric key and a message and outputs an encryption of that message.
  • Both have specific security requirements.
KEMs and DEMs

[Diagram, encryption: the KEM takes pk and outputs C1 and K; the DEM takes K and m and outputs C2.]

KEMs and DEMs

[Diagram, decryption: the KEM takes sk and C1 and outputs K; the DEM takes K and C2 and outputs m.]

The Security Criterion for KEMs
  • Indistinguishable from random (IND) in the adaptive chosen ciphertext model (CCA2).
  • A KEM is secure if, given a symmetric key K and a ciphertext C produced by the KEM, no attacker can tell whether C decrypts to give K or whether K was chosen at random.
  • (The attacker also gets to make queries to a KEM decryption oracle in the usual way.)
Designing KEMs
Can we build secure KEMs from secure encryption algorithms?

  • By “secure” here we mean secure in a very weak sense.
  • We only assume that the encryption algorithm is secure in the OW-CPA model.

Designing KEMs
  • Secure in the OW-CPA model means it is hard to invert a random ciphertext given only the public key.
  • Two known constructions: RSA-KEM and PSEC-KEM.
  • Both have security proofs based on the underlying encryption mechanism.
Known Constructions I
  • Generate a random plaintext.
  • Encrypt the plaintext to give a ciphertext.
  • Hash the plaintext and ciphertext to give a symmetric key.

[Diagram: RNG → r → ENCRYPT → C; r and C → HASH → K.]

Known Constructions I
  • Provably secure (in the random oracle model)
  • However, the proof needs two extra assumptions:
    • The encryption algorithm must remain secure even if the attacker is given the ability to tell the difference between valid and invalid ciphertexts.
    • We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.
  • Both of these conditions are fulfilled by RSA.
Known Constructions II

[Diagram: blocks RNG, HASH, SPLIT, SMOOTH, ENCRYPT, HASH and XOR, with outputs C1, C2 and K.]

New Constructions I

  • Generate a random plaintext.
  • Encrypt the plaintext to give a ciphertext.
  • Hash the plaintext to get a checksum.
  • Hash the plaintext to give a symmetric key.

[Diagram: RNG → r; r → ENCRYPT → C1; r → HASH → C2; r → HASH → K.]

New Constructions I
  • Provably secure (in the RO model).
  • Still need to have one extra assumption:
    • We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.
  • This condition is always satisfied if the encryption algorithm is deterministic.
New Constructions II

  • Generate a random plaintext.
  • Hash the plaintext to get a string of random looking bits.
  • Encrypt the plaintext using the hash code as the random coins.
  • Hash that ciphertext to give a symmetric key.

[Diagram: RNG → r; r → HASH → random coins; r and the coins → ENCRYPT → C; C → HASH → K.]

New Constructions II
  • Provably Secure (in the RO model).
  • No need for extra assumptions but does need a formal definition of “probabilistic encryption algorithm”.
  • Surprisingly, it doesn’t work for deterministic algorithms (it becomes the first known construction).
Rabin-KEM
  • As a practical example we will describe a new KEM that is provably as secure as factoring.
  • There are already several hybrid schemes based on the difficulty of factoring (e.g. EPOC-2) but no KEMs.
  • Uses New Construction I.
Encryption

Let n=pq be an RSA modulus.

  • Choose r in the range 1, …, n.
  • Let C1=Hash(r).
  • Let C2=r^2 mod n.
  • Let K=Hash’(r).
  • Output K and (C1,C2).
Decryption

Let the secret key be some method of determining square roots modulo n.

  • Compute the four square roots of C2: r1, r2, r3, and r4.
  • If there exists exactly one ri such that Hash(ri)=C1 then output Hash’(ri).
  • Otherwise output “error”.
Rabin-KEM
  • Provably as secure as factoring (in the random oracle model).
  • Checksum helps identify correct root.
  • Small chance that valid ciphertexts may be rejected.
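
The Rabin-KEM encryption and decryption steps above, as an added Python example (not code from the presentation). Assumptions: SHA-256 under two domain-separation tags stands in for Hash and Hash’, r is drawn from 1..n-1, and the key is a constructed toy modulus built from the publicly known Mersenne primes 2^89-1 and 2^127-1, so it gives no security.

```python
import hashlib
import hmac
import secrets

# Constructed toy key: two well-known Mersenne primes, both 3 mod 4, so a square
# root modulo each prime is a single exponentiation. Demo only: factors are public.
P, Q = 2**89 - 1, 2**127 - 1
N = P * Q
NBYTES = (N.bit_length() + 7) // 8

def _h(tag, r):
    # Assumption: Hash and Hash' are SHA-256 with different domain-separation tags.
    return hashlib.sha256(tag + r.to_bytes(NBYTES, "big")).digest()

def checksum(r):      # Hash  -> C1
    return _h(b"rabin-kem/check", r)

def derive_key(r):    # Hash' -> K
    return _h(b"rabin-kem/key", r)

def encapsulate():
    """Return (K, (C1, C2)) using only the public modulus N."""
    r = secrets.randbelow(N - 1) + 1              # r in 1..n-1
    return derive_key(r), (checksum(r), pow(r, 2, N))

def square_roots(c):
    """All square roots of c mod N, computed with the secret factors P and Q."""
    a, b = pow(c, (P + 1) // 4, P), pow(c, (Q + 1) // 4, Q)
    if pow(a, 2, P) != c % P or pow(b, 2, Q) != c % Q:
        return set()                              # c is not a square mod N
    u, v = Q * pow(Q, -1, P), P * pow(P, -1, Q)   # CRT coefficients
    return {(sa * u + sb * v) % N for sa in (a, P - a) for sb in (b, Q - b)}

def decapsulate(ct):
    """Return K, or raise ValueError("error") as in the decryption slide."""
    c1, c2 = ct
    if not 0 <= c2 < N:
        raise ValueError("error")
    matches = [r for r in square_roots(c2) if hmac.compare_digest(checksum(r), c1)]
    if len(matches) != 1:     # zero matches, or two roots sharing a checksum
        raise ValueError("error")
    return derive_key(matches[0])

if __name__ == "__main__":
    key, ct = encapsulate()
    assert decapsulate(ct) == key
    print("shared key:", key.hex())
```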
Conclusions
  • KEM-DEM constructions are a promising, practical area of research.
  • More efficient constructions (especially in terms of ciphertext length)?
  • Specialist constructions?