
A Designer’s Guide to KEMs

Alex Dent

[email protected]

http://www.isg.rhul.ac.uk/~alex



Asymmetric Ciphers

  • Involve two keys: a public key and a private key.

  • Alice wants to send a message to Bob.

  • Alice encrypts the message using Bob’s public key.

  • Bob decrypts the message using his private key.



Asymmetric Ciphers

  • Tremendously convenient

    (if we ignore the need for a PKI).

  • Slow for both encryption and decryption.

  • Usually only work with short messages.



Hybrid Ciphers

“An asymmetric cipher that combines both asymmetric and symmetric cryptographic techniques.”

- ISO/IEC 18033-2



Hybrid Ciphers

  • Randomly generate a symmetric key.

  • Encrypt the message using that symmetric key and some symmetric technique.

  • Encrypt the symmetric key using an asymmetric technique.

  • Send both parts to Bob.



Hybrid Ciphers

  • Decrypt the asymmetric ciphertext to recover the random symmetric key.

  • Decrypt the symmetric part using the newly decrypted random symmetric key.

  • Hybrid ciphers can cope with long messages and are not much slower than traditional asymmetric ciphers.



Hybrid Ciphers

  • The technique has been used for years

    (Used in PGP, SSL/TLS, IPSec.)

  • Can be done badly (see “Why textbook ElGamal and RSA encryption are insecure” by Boneh, Joux and Nguyen.)

  • Formalised as a KEM-DEM system by Shoup.



KEMs and DEMs

  • Formalise hybrid ciphers by splitting them into two parts:

    • Asymmetric key encapsulation mechanism (KEM)

    • Symmetric data encapsulation mechanism (DEM)



KEMs and DEMs

  • KEM takes as input a public key and produces a random symmetric key of a pre-specified length and an encryption of that key.

  • DEM takes as input a symmetric key and a message and outputs an encryption of that message.

  • Both have specific security requirements.



KEMs and DEMs

[Diagram: pk → KEM → (C1, K); (K, m) → DEM → C2]



KEMs and DEMs

[Diagram: (sk, C1) → KEM → K; (K, C2) → DEM → m]



The Security Criterion for KEMs

  • Indistinguishable from random (IND) in the adaptive chosen ciphertext model (CCA2).

  • A KEM is secure if, given a symmetric key K and a ciphertext C produced by the KEM, no attacker can tell whether C decrypts to give K or whether K was chosen at random.

  • (The attacker also gets to make queries to a KEM decryption oracle in the usual way).



Designing KEMs

Can we build secure KEMs from secure encryption algorithms?

  • By “secure” here we mean secure in a very weak sense.

  • We only assume that the encryption algorithm is secure in the OW-CPA model.



Designing KEMs

  • Secure in the OW-CPA model means it is hard to invert a random ciphertext given only the public key.

  • Two known constructions: RSA-KEM and PSEC-KEM.

  • Both have security proofs based on the underlying encryption mechanism.



Known Constructions I

  • Generate a random plaintext.

  • Encrypt the plaintext to give a ciphertext.

  • Hash the plaintext and ciphertext to give a symmetric key.

[Diagram: RNG → r → ENCRYPT → C; (r, C) → HASH → K]



Known Constructions I

  • Provably secure (in the random oracle model)

  • However proof needs two extra assumptions:

    • The encryption algorithm must remain secure even if the attacker is given the ability to tell the difference between valid and invalid ciphertexts.

    • We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.

  • Both of these conditions are fulfilled by RSA.



Known Constructions II

[Diagram: blocks RNG, HASH, SPLIT, SMOOTH, ENCRYPT, HASH and XOR, with outputs C1, C2 and K]



New Constructions I

  • Generate a random plaintext.

  • Encrypt the plaintext to give a ciphertext.

  • Hash the plaintext to get a checksum.

  • Hash the plaintext to give a symmetric key.

[Diagram: RNG → r; r → ENCRYPT → C1; r → HASH → C2; r → HASH → K]



New Constructions I

  • Provably secure (in the RO model).

  • Still need to have one extra assumption:

    • We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.

  • This condition is always satisfied if the encryption algorithm is deterministic.



New Constructions II

  • Generate a random plaintext.

  • Hash the plaintext to get a string of random looking bits.

  • Encrypt the plaintext using the hash code as the random coins.

  • Hash that ciphertext to give a symmetric key.

[Diagram: RNG → r → HASH → ENCRYPT → C → HASH → K]



New Constructions II

  • Provably Secure (in the RO model).

  • No need for extra assumptions but does need a formal definition of “probabilistic encryption algorithm”.

  • Surprisingly, it doesn’t work for deterministic algorithms (it becomes the first known construction).



Rabin-KEM

  • As a practical example we will describe a new KEM that is provably as secure as factoring.

  • There are already several hybrid schemes based on the difficulty of factoring (e.g. EPOC-2) but no KEMs.

  • Uses New Construction I.



Encryption

Let n=pq be an RSA modulus.

  • Choose r in the range 1, …, n.

  • Let C1=Hash(r).

  • Let C2=r^2 mod n.

  • Let K=Hash’(r).

  • Output K and (C1,C2).



Decryption

Let the secret key be some method of determining square roots modulo n.

  • Compute the four square roots of C2: r1, r2, r3, and r4.

  • If there exists exactly one r_i such that Hash(r_i)=C1 then output Hash’(r_i).

  • Otherwise output “error”.



Rabin-KEM

  • Provably as secure as factoring (in the random oracle model).

  • Checksum helps identify correct root.

  • Small chance that valid ciphertexts may be rejected.
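
The Rabin-KEM encryption and decryption steps above, as an added Python example that is not part of the original presentation. It assumes a constructed toy modulus built from two Mersenne primes (both 3 mod 4) and models Hash and Hash’ as domain-separated SHA-256; the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy key: two Mersenne primes, both 3 mod 4, so a square root
# modulo each prime is a single exponentiation. Trivially factorable; demo only.
P, Q = 2**107 - 1, 2**127 - 1
N = P * Q
NBYTES = (N.bit_length() + 7) // 8

def tagged_hash(tag: bytes, r: int) -> bytes:
    # Hash and Hash' from the slides, assumed here to be SHA-256 with a tag.
    return hashlib.sha256(tag + r.to_bytes(NBYTES, "big")).digest()

def encapsulate():
    r = secrets.randbelow(N - 1) + 1            # random r in 1..n-1
    c1 = tagged_hash(b"checksum", r)            # C1 = Hash(r)
    c2 = pow(r, 2, N)                           # C2 = r^2 mod n
    return tagged_hash(b"key", r), (c1, c2)     # K = Hash'(r)

def square_roots(c2: int) -> set:
    # The secret key (p, q) gives roots mod each prime; CRT combines the signs.
    sp = pow(c2, (P + 1) // 4, P)
    sq = pow(c2, (Q + 1) // 4, Q)
    q_inv, p_inv = pow(Q, -1, P), pow(P, -1, Q)
    roots = set()
    for a in (sp, P - sp):
        for b in (sq, Q - sq):
            x = (a * Q * q_inv + b * P * p_inv) % N
            if pow(x, 2, N) == c2 % N:          # discards non-residues
                roots.add(x)
    return roots

def decapsulate(ct):
    c1, c2 = ct
    matches = [r for r in square_roots(c2)
               if hmac.compare_digest(tagged_hash(b"checksum", r), c1)]
    if len(matches) != 1:                       # no root, or an ambiguous one
        raise ValueError("error")
    return tagged_hash(b"key", matches[0])      # K = Hash'(r_i)
```

A modified C1 or C2 leaves no root whose checksum matches, so decapsulation returns the error instead of a key.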



Conclusions

  • KEM-DEM constructions promising, practical area of research.

  • More efficient constructions (especially in terms of ciphertext length)?

  • Specialist constructions?

