A Designer’s Guide to KEMs

Alex Dent

alex@fermat.ma.rhul.ac.uk

http://www.isg.rhul.ac.uk/~alex


Asymmetric Ciphers

• Involve two keys: a public key and a private key.

• Alice wants to send a message to Bob.

• Alice encrypts the message using Bob’s public key.

• Bob decrypts the message using his private key.


Asymmetric Ciphers

• Tremendously convenient (if we ignore the need for a PKI).

• Slow for both encryption and decryption.

• Usually only work with short messages.


Hybrid Ciphers

“An asymmetric cipher that combines both asymmetric and symmetric cryptographic techniques.”

- ISO/IEC 18033-2


Hybrid Ciphers

1. Randomly generate a symmetric key.

2. Encrypt the message using that symmetric key and some symmetric technique.

3. Encrypt the symmetric key using an asymmetric technique.

4. Send both parts to Bob.


Hybrid Ciphers

1. Decrypt the asymmetric ciphertext to recover the random symmetric key.

2. Decrypt the symmetric part using the newly decrypted random symmetric key.

• Hybrid ciphers can cope with long messages and are not much slower than traditional asymmetric ciphers.


Hybrid Ciphers

• The technique has been used for years (used in PGP, SSL/TLS, IPSec).

• Can be done badly (see “Why textbook ElGamal and RSA encryption are insecure” by Boneh, Joux and Nguyen.)

• Formalised as a KEM-DEM system by Shoup.


KEMs and DEMs

• Formalise hybrid ciphers by splitting them into two parts:

– Asymmetric key encapsulation mechanism (KEM)

– Symmetric data encapsulation mechanism (DEM)


KEMs and DEMs

• KEM takes as input a public key and produces a random symmetric key of a pre-specified length and an encryption of that key.

• DEM takes as input a symmetric key and a message and outputs an encryption of that message.

• Both have specific security requirements.


KEMs and DEMs

[Diagram: encryption. The KEM takes pk and outputs K and C1; the DEM takes K and m and outputs C2.]


KEMs and DEMs

[Diagram: decryption. The KEM takes sk and C1 and recovers K; the DEM takes K and C2 and recovers m.]


The Security Criterion for KEMs

• Indistinguishable from random (IND) in the adaptive chosen ciphertext model (CCA2).

• A KEM is secure if, given a symmetric key K and a ciphertext C produced by the KEM, no attacker can tell whether C decrypts to give K or whether K was chosen at random.

• (The attacker also gets to make queries to a KEM decryption oracle in the usual way).


Designing KEMs

Can we build secure KEMs from secure encryption algorithms?

• By “secure” here we mean secure in a very weak sense.

• We only assume that the encryption algorithm is secure in the OW-CPA model.


Designing KEMs

• Secure in the OW-CPA model means it is hard to invert a random ciphertext given only the public key.

• Two known constructions: RSA-KEM and PSEC-KEM.

• Both have security proofs based on the underlying encryption mechanism.


Known Constructions I

1. Generate a random plaintext.

2. Encrypt the plaintext to give a ciphertext.

3. Hash the plaintext and ciphertext to give a symmetric key.

[Diagram: RNG produces r; ENCRYPT maps r to C; HASH of r and C gives K.]


Known Constructions I

• Provably secure (in the random oracle model)

• However, the proof needs two extra assumptions:

– The encryption algorithm must remain secure even if the attacker is given the ability to tell the difference between valid and invalid ciphertexts.

– We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.

• Both of these conditions are fulfilled by RSA.


Known Constructions II

[Diagram: blocks RNG, HASH, SPLIT, SMOOTH, ENCRYPT, HASH and XOR; outputs K, C1 and C2.]


New Constructions I

1. Generate a random plaintext.

2. Encrypt the plaintext to give a ciphertext.

3. Hash the plaintext to get a checksum.

4. Hash the plaintext to give a symmetric key.

[Diagram: RNG produces r; ENCRYPT maps r to C1; one HASH of r gives C2; a second HASH of r gives K.]


New Constructions I

• Provably secure (in the RO model).

• Still need to have one extra assumption:

– We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.

• This condition is always satisfied if the encryption algorithm is deterministic.


New Constructions II

1. Generate a random plaintext.

2. Hash the plaintext to get a string of random looking bits.

3. Encrypt the plaintext using the hash code as the random coins.

4. Hash that ciphertext to give a symmetric key.

[Diagram: RNG produces r; HASH of r supplies the random coins for ENCRYPT; ENCRYPT maps r to C; a second HASH gives K.]


New Constructions II

• Provably Secure (in the RO model).

• No need for extra assumptions but does need a formal definition of “probabilistic encryption algorithm”.

• Surprisingly, it doesn’t work for deterministic algorithms (it becomes the first known construction).


Rabin-KEM

• As a practical example we will describe a new KEM that is provably as secure as factoring.

• There are already several hybrid schemes based on the difficulty of factoring (e.g. EPOC-2) but no KEMs.

• Uses New Construction I.


Encryption

Let n=pq be an RSA modulus.

1. Choose r in the range 1, …, n.

2. Let C1=Hash(r).

3. Let C2=r^2 mod n.

4. Let K=Hash’(r).

5. Output K and (C1,C2).


Decryption

Let the secret key be some method of determining square roots modulo n.

1. Compute the four square roots of C2: r_1, r_2, r_3 and r_4.

2. If there exists exactly one r_i such that Hash(r_i)=C1 then output Hash’(r_i).

3. Otherwise output “error”.


Rabin-KEM

• Provably as secure as factoring (in the random oracle model).

• Checksum helps identify correct root.

• Small chance that valid ciphertexts may be rejected.
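
The Encryption and Decryption steps above, worked through in Python as an added example (not code from the talk). Assumptions: Hash and Hash’ are SHA-256 with distinct domain tags, the key is a toy pair of Mersenne primes p, q ≡ 3 (mod 4) so that square roots can be computed directly, and the function names are illustrative.

```python
import hashlib
import hmac
import secrets

# Toy key (constructed): two Mersenne primes, both ≡ 3 (mod 4), so a square
# root mod p is c^((p+1)/4) mod p. Far too small and structured for real use.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q
NBYTES = (N.bit_length() + 7) // 8

def _hash(tag, r):
    # Assumption: Hash and Hash' are SHA-256 under different domain tags.
    return hashlib.sha256(tag + r.to_bytes(NBYTES, "big")).digest()

def encapsulate(n, r=None):
    """Return (K, (C1, C2)). Pass r only to get a reproducible test vector."""
    if r is None:
        r = secrets.randbelow(n - 1) + 1       # r in 1..n-1
    c1 = _hash(b"checksum", r)                 # C1 = Hash(r)
    c2 = pow(r, 2, n)                          # C2 = r^2 mod n
    return _hash(b"key", r), (c1, c2)          # K  = Hash'(r)

def square_roots(c, p, q):
    """All square roots of c modulo p*q (empty set if c is not a square)."""
    rp = pow(c, (p + 1) // 4, p)
    rq = pow(c, (q + 1) // 4, q)
    if (rp * rp - c) % p or (rq * rq - c) % q:
        return set()
    q_inv, p_inv = pow(q, -1, p), pow(p, -1, q)
    # CRT-combine every sign choice (+-rp mod p, +-rq mod q).
    return {(sp * q * q_inv + sq * p * p_inv) % (p * q)
            for sp in (rp, p - rp) for sq in (rq, q - rq)}

def decapsulate(ct, p, q):
    """Return K, or None ("error") unless exactly one root matches C1."""
    c1, c2 = ct
    matches = [r for r in square_roots(c2 % (p * q), p, q)
               if hmac.compare_digest(_hash(b"checksum", r), c1)]
    if len(matches) != 1:
        return None
    return _hash(b"key", matches[0])

if __name__ == "__main__":
    key, ct = encapsulate(N)
    print("round trip ok:", decapsulate(ct, P, Q) == key)
```

The checksum comparison is what selects the sender's root out of the four candidates; a ciphertext whose C1 or C2 has been altered matches no root and is rejected.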


Conclusions

• KEM-DEM constructions are a promising, practical area of research.

• More efficient constructions (especially in terms of ciphertext length)?

• Specialist constructions?