A Designer’s Guide to KEMs
Alex Dent
[email protected]
http://www.isg.rhul.ac.uk/~alex
Asymmetric Ciphers
• Involve two keys: a public key and a private key.
• Alice wants to send a message to Bob.
• Alice encrypts the message using Bob’s public key.
• Bob decrypts the message using his private key.
Asymmetric Ciphers
• Tremendously convenient (if we ignore the need for a PKI).
• Slow for both encryption and decryption.
• Usually only work with short messages.
Hybrid Ciphers
“An asymmetric cipher that combines both asymmetric and symmetric cryptographic techniques.”
- ISO/IEC 18033-2
Hybrid Ciphers
1. Randomly generate a symmetric key.
2. Encrypt the message using that symmetric key and some symmetric technique.
3. Encrypt the symmetric key using an asymmetric technique.
4. Send both parts to Bob.
Hybrid Ciphers
1. Decrypt the asymmetric ciphertext to recover the random symmetric key.
2. Decrypt the symmetric part using the newly decrypted random symmetric key.
• Hybrid ciphers can cope with long messages and are not much slower than traditional asymmetric ciphers: the expensive asymmetric operation is applied once, to a short key, rather than to the whole message.
Hybrid Ciphers
• The technique has been used for years (in PGP, SSL/TLS, IPSec).
• Can be done badly (see “Why textbook ElGamal and RSA encryption are insecure” by Boneh, Joux and Nguyen).
• Formalised as a KEM-DEM system by Shoup.
KEMs and DEMs
• Formalise hybrid ciphers by splitting them into two parts:
– Asymmetric key encapsulation mechanism (KEM)
– Symmetric data encapsulation mechanism (DEM)
KEMs and DEMs
• KEM takes as input a public key and produces a random symmetric key of a prespecified length and an encryption of that key.
• DEM takes as input a symmetric key and a message and outputs an encryption of that message.
• Both have specific security requirements.
KEMs and DEMs
[Figure: encryption. pk → KEM → (K, C1); (K, m) → DEM → C2.]
KEMs and DEMs
[Figure: decryption. (sk, C1) → KEM → K; (K, C2) → DEM → m.]
The Security Criterion for KEMs
• Indistinguishable from random (IND) in the adaptive chosen ciphertext model (CCA2).
• A KEM is secure if, given a symmetric key K and a ciphertext C produced by the KEM, no attacker can tell whether C decrypts to give K or whether K was chosen at random.
• (The attacker also gets to make queries to a KEM decryption oracle in the usual way, i.e. for any ciphertext other than the challenge C.)
Designing KEMs
Can we build secure KEMs from secure encryption algorithms?
• By “secure” here we mean secure in a very weak sense.
• We only assume that the encryption algorithm is secure in the OW-CPA model.
Designing KEMs
• Secure in the OW-CPA model means it is hard to invert a random ciphertext given only the public key.
• Two known constructions: RSA-KEM and PSEC-KEM.
• Both have security proofs based on the underlying encryption mechanism.
Known Constructions I
1. Generate a random plaintext.
2. Encrypt the plaintext to give a ciphertext.
3. Hash the plaintext and ciphertext to give a symmetric key.
[Figure: RNG → r → ENCRYPT → C; (r, C) → HASH → K.]
Known Constructions I
• Provably secure (in the random oracle model).
• However the proof needs two extra assumptions:
– The encryption algorithm must remain secure even if the attacker is given the ability to tell the difference between valid and invalid ciphertexts.
– We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.
• Both of these conditions are fulfilled by RSA: encryption is deterministic, so anyone can check a pair by re-encrypting with the public key, and a validity oracle therefore gives the attacker nothing new.
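The hybrid-cipher steps, the KEM/DEM split and Known Construction I, carried through as one added worked example (this is not code from the talk or from ISO/IEC 18033-2): RSA-KEM plugged into a KEM-DEM hybrid cipher. Everything concrete is an assumption made for illustration: a hard-coded 61-bit toy modulus (p = 10^9+7, q = 2^31-1, real keys are 2048 bits or more), SHA-256 as the hash, and a DEM built from a SHA-256 counter-mode keystream with an HMAC-SHA256 tag in place of the standard’s AES-based DEMs.

```python
"""Added example: a KEM-DEM hybrid cipher built from RSA-KEM (Known Construction I).

Toy parameters for illustration only: a hard-coded 61-bit RSA modulus, SHA-256
as the hash, and a hash-based encrypt-then-MAC DEM instead of an AES-based one.
"""
import hashlib
import hmac
import secrets

# Toy RSA key pair. p = 10**9 + 7 and q = 2**31 - 1 are primes, so n < 2**62.
P, Q = 1_000_000_007, 2_147_483_647
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # RSA private exponent
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)
KEY_LEN = 32        # DEM key: 16 bytes for the keystream, 16 bytes for the MAC
TAG_LEN = 32        # HMAC-SHA256 tag length


def rsa_kem_kdf(r: int, c: int) -> bytes:
    """Known Construction I: K = Hash(r || C), i.e. plaintext AND ciphertext are hashed."""
    data = b"RSA-KEM" + r.to_bytes(8, "big") + c.to_bytes(8, "big")
    return hashlib.sha256(data).digest()[:KEY_LEN]


def kem_encap(pk):
    """Return (K, C1): a fresh symmetric key and its encapsulation under pk."""
    n, e = pk
    r = secrets.randbelow(n - 2) + 2          # step 1: random plaintext in [2, n-1]
    c1 = pow(r, e, n)                         # step 2: RSA is deterministic, C1 = r^e mod n
    return rsa_kem_kdf(r, c1), c1             # step 3


def kem_decap(sk, c1: int) -> bytes:
    """Recover K from C1. With RSA every c1 in [0, n) is a valid ciphertext."""
    n, d = sk
    if not 0 <= c1 < n:
        raise ValueError("KEM ciphertext out of range")
    r = pow(c1, d, n)
    return rsa_kem_kdf(r, c1)


def _keystream(k_enc: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. No nonce is needed: the KEM hands the DEM a fresh K
    for every message, so a key is never used twice."""
    blocks = (length + 31) // 32
    out = b"".join(hashlib.sha256(k_enc + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return out[:length]


def dem_encrypt(k: bytes, m: bytes) -> bytes:
    """Encrypt-then-MAC: C2 = (m XOR keystream) || HMAC(ciphertext)."""
    k_enc, k_mac = k[:16], k[16:]
    ct = bytes(a ^ b for a, b in zip(m, _keystream(k_enc, len(m))))
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()


def dem_decrypt(k: bytes, c2: bytes) -> bytes:
    """Verify the tag before decrypting; a bad tag means K or C2 was tampered with."""
    if len(c2) < TAG_LEN:
        raise ValueError("DEM ciphertext too short")
    k_enc, k_mac = k[:16], k[16:]
    ct, tag = c2[:-TAG_LEN], c2[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(k_mac, ct, hashlib.sha256).digest(), tag):
        raise ValueError("DEM tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, len(ct))))


def hybrid_encrypt(pk, m: bytes):
    """Hybrid encryption: KEM gives K and C1, DEM gives C2; both parts are sent."""
    k, c1 = kem_encap(pk)
    return c1, dem_encrypt(k, m)


def hybrid_decrypt(sk, c1: int, c2: bytes) -> bytes:
    """Hybrid decryption: decapsulate C1 to get K, then decrypt C2 under K."""
    return dem_decrypt(kem_decap(sk, c1), c2)


if __name__ == "__main__":
    c1, c2 = hybrid_encrypt(PUBLIC_KEY, b"attack at dawn")
    print(hybrid_decrypt(PRIVATE_KEY, c1, c2))
```

Tampering with either part makes hybrid_decrypt raise: a modified C1 decapsulates to a different K, and the DEM tag then fails under the wrong key. That interplay is why the DEM has its own security requirement; a KEM alone does not protect C2.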
Known Constructions II
[Figure: PSEC-KEM block diagram with blocks RNG, HASH, SPLIT, SMOOTH, ENCRYPT, HASH and XOR, and outputs C1, K and C2.]
New Constructions I
1. Generate a random plaintext.
2. Encrypt the plaintext to give a ciphertext.
3. Hash the plaintext to get a checksum.
4. Hash the plaintext to give a symmetric key.
[Figure: RNG → r; r → HASH → K; r → ENCRYPT → C1; r → HASH → C2.]
New Constructions I
• Provably secure (in the RO model).
• Still need to have one extra assumption:
– We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.
• This condition is always satisfied if the encryption algorithm is deterministic (re-encrypt the plaintext and compare).
New Constructions II
1. Generate a random plaintext.
2. Hash the plaintext to get a string of random looking bits.
3. Encrypt the plaintext using the hash code as the random coins.
4. Hash that ciphertext to give a symmetric key.
[Figure: RNG → r → HASH → coins; (r, coins) → ENCRYPT → C → HASH → K.]
New Constructions II
• Provably secure (in the RO model).
• No need for extra assumptions, but does need a formal definition of “probabilistic encryption algorithm”.
• Surprisingly, it doesn’t work for deterministic algorithms (it becomes the first known construction).
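New Construction II carried through with textbook ElGamal as the probabilistic encryption algorithm, as an added example (not the talk’s code). Assumed for illustration: the toy group Z_p* with p = 2^31-1 and generator 7 (a primitive root of that prime, the Park-Miller choice), a fixed private exponent, and SHA-256 with domain labels as the coin-deriving and key-deriving hashes. The decapsulation recomputes the coins from the recovered plaintext, re-encrypts and compares; that check is what lets this construction drop the validity assumption the other two need.

```python
"""Added example: New Construction II instantiated with textbook ElGamal.

Toy group Z_p^* with p = 2**31 - 1 and g = 7 (a primitive root), a fixed
private key, and SHA-256 with domain labels as the two hashes. Illustration only.
"""
import hashlib
import secrets

P = 2_147_483_647        # 2**31 - 1, prime
G = 7                    # generator of Z_p^*
X = 123_456_789          # toy private exponent (a real one is chosen at random)
H = pow(G, X, P)         # public key h = g^x mod p
PUBLIC_KEY = (P, G, H)
PRIVATE_KEY = (P, X)


def coins_from_plaintext(r: int, p: int) -> int:
    """Step 2: Hash(r), reduced into [1, p-2], the space of ElGamal coins."""
    digest = hashlib.sha256(b"coins" + r.to_bytes(4, "big")).digest()
    return 1 + int.from_bytes(digest, "big") % (p - 2)


def elgamal_encrypt(pk, m: int, y: int):
    """Probabilistic encryption with the coins y made explicit: (g^y, m * h^y)."""
    p, g, h = pk
    return pow(g, y, p), (m * pow(h, y, p)) % p


def elgamal_decrypt(sk, c) -> int:
    p, x = sk
    c1, c2 = c
    if not (1 <= c1 < p and 1 <= c2 < p):
        raise ValueError("ciphertext out of range")
    s = pow(c1, x, p)                       # shared value h^y recovered as c1^x
    return (c2 * pow(s, -1, p)) % p


def key_from_ciphertext(c) -> bytes:
    """Step 4: K = Hash(C)."""
    c1, c2 = c
    return hashlib.sha256(b"key" + c1.to_bytes(4, "big") + c2.to_bytes(4, "big")).digest()


def kem_encap(pk, r=None):
    """Return (K, C). Passing r makes the output reproducible; by default r is random."""
    p = pk[0]
    if r is None:
        r = secrets.randbelow(p - 1) + 1    # step 1: random plaintext in [1, p-1]
    c = elgamal_encrypt(pk, r, coins_from_plaintext(r, p))   # step 3
    return key_from_ciphertext(c), c


def kem_decap(sk, pk, c) -> bytes:
    """Decrypt, recompute the coins from r, re-encrypt and insist the result is C.
    Anything not produced with the prescribed coins is rejected."""
    p = sk[0]
    r = elgamal_decrypt(sk, c)
    if elgamal_encrypt(pk, r, coins_from_plaintext(r, p)) != c:
        raise ValueError("ciphertext was not produced with the prescribed coins")
    return key_from_ciphertext(c)


if __name__ == "__main__":
    k, c = kem_encap(PUBLIC_KEY)
    print(kem_decap(PRIVATE_KEY, PUBLIC_KEY, c) == k)
```

The re-encryption test is not optional: textbook ElGamal is malleable (doubling the second component doubles the plaintext), so without it a decapsulation oracle would return keys for ciphertexts related to the challenge, which is exactly the kind of query the CCA2 game allows.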
Rabin-KEM
• As a practical example we will describe a new KEM that is provably as secure as factoring.
• There are already several hybrid schemes based on the difficulty of factoring (e.g. EPOC-2) but no KEMs.
• Uses New Construction I.
Encryption
Let n=pq be an RSA modulus.
1. Choose r at random in the range 1, …, n-1.
2. Let C1=Hash(r).
3. Let C2=r² mod n.
4. Let K=Hash’(r).
5. Output K and (C1,C2).
Decryption
Let the secret key be some method of determining square roots modulo n.
1. Compute the four square roots of C2: r₁, r₂, r₃ and r₄.
2. If there exists exactly one rᵢ such that Hash(rᵢ)=C1 then output Hash’(rᵢ).
3. Otherwise output “error”.
Rabin-KEM
• Provably as secure as factoring (in the random oracle model).
• Checksum helps identify the correct root.
• Small chance that valid ciphertexts may be rejected (when two of the four roots happen to share a checksum, so no root is uniquely identified).
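Rabin-KEM as specified on the three preceding slides, and through it New Construction I, as an added worked example that is not code from the talk. Assumed for illustration: a toy modulus n = pq with p = 10^9+7 and q = 2^31-1 (both ≡ 3 mod 4, so a square root modulo each prime is a single exponentiation for the key holder; real moduli are 2048 bits or more), SHA-256 with two domain labels standing in for Hash and Hash’, and a checksum-length parameter so that the rare rejection of a valid ciphertext can be provoked on purpose.

```python
"""Added example: Rabin-KEM, i.e. New Construction I with squaring mod n as the
deterministic encryption. Toy modulus and SHA-256 hashes, illustration only."""
import hashlib
import math
import secrets

P, Q = 1_000_000_007, 2_147_483_647    # primes, both congruent to 3 mod 4
N = P * Q
PUBLIC_KEY = N
PRIVATE_KEY = (P, Q)                   # knowing the factors is the root-finding method
DEFAULT_CHECKSUM_BYTES = 32


def checksum(r: int, length: int = DEFAULT_CHECKSUM_BYTES) -> bytes:
    """Hash(r): the checksum C1 that singles out the intended root."""
    return hashlib.sha256(b"check" + r.to_bytes(8, "big")).digest()[:length]


def derive_key(r: int) -> bytes:
    """Hash'(r): the symmetric key, a separately labelled hash."""
    return hashlib.sha256(b"key" + r.to_bytes(8, "big")).digest()


def rabin_kem_encap(n: int, r=None, length: int = DEFAULT_CHECKSUM_BYTES):
    """Return (K, (C1, C2)). Passing r makes the output reproducible."""
    if r is None:
        r = secrets.randbelow(n - 1) + 1    # r in [1, n-1]
    return derive_key(r), (checksum(r, length), pow(r, 2, n))


def _sqrt_mod_prime(a: int, p: int):
    """Square root of a modulo a prime p ≡ 3 (mod 4), or None if a is a non-residue."""
    root = pow(a, (p + 1) // 4, p)
    return root if (root * root - a) % p == 0 else None


def four_square_roots(c2: int, p: int, q: int) -> list:
    """All square roots of c2 modulo n = p*q, assembled with the CRT."""
    rp, rq = _sqrt_mod_prime(c2, p), _sqrt_mod_prime(c2, q)
    if rp is None or rq is None:
        return []
    n, inv_q, inv_p = p * q, pow(q, -1, p), pow(p, -1, q)

    def crt(a, b):                          # x ≡ a (mod p), x ≡ b (mod q)
        return (a * q * inv_q + b * p * inv_p) % n

    return sorted({crt(sp * rp, sq * rq) for sp in (1, -1) for sq in (1, -1)})


def rabin_kem_decap(sk, c, length: int = DEFAULT_CHECKSUM_BYTES) -> bytes:
    """Decryption slide: find the roots, keep the ones matching C1, demand exactly one."""
    p, q = sk
    c1, c2 = c
    if not 0 <= c2 < p * q:
        raise ValueError("error")
    matches = [r for r in four_square_roots(c2, p, q) if checksum(r, length) == c1]
    if len(matches) != 1:   # 0: forged or garbled C1; 2+: two roots share a checksum
        raise ValueError("error")
    return derive_key(matches[0])


def factor_from_roots(r1: int, r2: int, n: int) -> int:
    """Why Rabin is as hard as factoring: two roots with r1 != ±r2 split n via a gcd."""
    return math.gcd(r1 - r2, n)


def rejection_rate(length: int, trials: int) -> float:
    """Fraction of valid ciphertexts rejected for a given checksum length,
    using r = 1, 2, ..., trials so the figure is reproducible."""
    rejected = 0
    for r in range(1, trials + 1):
        _, c = rabin_kem_encap(PUBLIC_KEY, r=r, length=length)
        try:
            rabin_kem_decap(PRIVATE_KEY, c, length=length)
        except ValueError:
            rejected += 1
    return rejected / trials


if __name__ == "__main__":
    k, c = rabin_kem_encap(PUBLIC_KEY)
    print(rabin_kem_decap(PRIVATE_KEY, c) == k)
```

With a full 32-byte checksum the rejection never shows up in practice; shrinking it to one byte makes about 3/256 of valid ciphertexts fail, and a zero-length checksum rejects everything, because all four roots then match. factor_from_roots is the reduction behind the “as secure as factoring” claim: anyone who can produce a second, non-trivial root of a square recovers p or q.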
Conclusions
• KEM-DEM constructions are a promising, practical area of research.
• More efficient constructions (especially in terms of ciphertext length)?
• Specialist constructions?