A Designer's Guide to KEMs
Alex Dent
http://www.isg.rhul.ac.uk/~alex
Slide 2
Asymmetric Ciphers
Involve two keys: a public key and a private key.
Alice wants to send a message to Bob.
Alice encrypts the message using Bob's public key.
Bob decrypts the message using his private key.
Slide 3
Asymmetric Ciphers
Tremendously convenient (if we ignore the need for a PKI).
Slow for both encryption and decryption.
Usually only work with short messages.
Slide 4
Hybrid Ciphers
"An asymmetric cipher that combines both asymmetric and symmetric cryptographic techniques." - ISO/IEC 18033-2
Slide 5
Hybrid Ciphers
1. Randomly generate a symmetric key.
2. Encrypt the message using that symmetric key and some symmetric technique.
3. Encrypt the symmetric key using an asymmetric technique.
4. Send both parts to Bob.
Slide 6
Hybrid Ciphers
1. Decrypt the asymmetric ciphertext to recover the random symmetric key.
2. Decrypt the symmetric part using the newly decrypted random symmetric key.
Hybrid ciphers can cope with long messages and are not much slower than traditional asymmetric ciphers.
Slide 7
Hybrid Ciphers
Technique has been used for years (used in PGP, SSL/TLS, IPSec).
Can be done badly (see "Why Textbook ElGamal and RSA Encryption Are Insecure" by Boneh, Joux and Nguyen).
Formalised as a KEM-DEM system by Shoup.
Slide 8
Slide 9
KEMs and DEMs
Formalise hybrid ciphers by splitting them into two parts:
Asymmetric key encapsulation mechanism (KEM)
Symmetric data encapsulation mechanism (DEM)
Slide 10
KEMs and DEMs
KEM takes as input a public key and produces a random symmetric key of a pre-specified length and an encryption of that key.
DEM takes as input a symmetric key and a message and outputs an encryption of that message.
Both have specific security requirements.
Slide 11
KEMs and DEMs
[Figure: encryption. The KEM takes pk and outputs K and C1; the DEM takes K and m and outputs C2.]
Slide 12
KEMs and DEMs
[Figure: decryption. The KEM takes sk and C1 and outputs K; the DEM takes K and C2 and outputs m.]
Slide 13
The Security Criterion for KEMs
Indistinguishable from random (IND) in the adaptive chosen ciphertext model (CCA2).
A KEM is secure if, given a symmetric key K and a ciphertext C produced by the KEM, no attacker can tell whether C decrypts to give K or whether K was chosen at random.
(The attacker also gets to make queries to a KEM decryption oracle in the usual way.)
Slide 14
Designing KEMs
By "secure" here we mean secure in a very weak sense.
We only assume that the encryption algorithm is secure in the OW-CPA model.
Can we build secure KEMs from secure encryption algorithms?
Slide 15
Designing KEMs
Secure in the OW-CPA model means it is hard to invert a random ciphertext given only the public key.
Two known constructions: RSA-KEM and PSEC-KEM.
Both have security proofs based on the underlying encryption mechanism.
Slide 16
Known Constructions I
1. Generate a random plaintext.
2. Encrypt the plaintext to give a ciphertext.
3. Hash the plaintext and ciphertext to give a symmetric key.
[Figure: blocks RNG, ENCRYPT, HASH; values r, C, K]
Slide 17
Known Constructions I
Provably secure (in the random oracle model).
However, the proof needs two extra assumptions:
The encryption algorithm must remain secure even if the attacker is given the ability to tell the difference between valid and invalid ciphertexts.
We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.
Both of these conditions are fulfilled by RSA.
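Added example, not from the original slides: the hybrid encryption and decryption steps from the earlier slides, with Known Constructions I instantiated with raw RSA as the KEM. The demo primes, the SHAKE/HMAC encrypt-then-MAC DEM and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

# Constructed demo key (two Mersenne primes): far too weak for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent
NBYTES = (N.bit_length() + 7) // 8

def _kdf(r, c1):
    return hashlib.sha256(r.to_bytes(NBYTES, "big") + c1.to_bytes(NBYTES, "big")).digest()

def kem_encap():
    """KEM: public key in, (K, C1) out."""
    r = secrets.randbelow(N - 2) + 2          # 1. random plaintext
    c1 = pow(r, E, N)                         # 2. encrypt it (raw RSA on a random r)
    return _kdf(r, c1), c1                    # 3. K = Hash(plaintext, ciphertext)

def kem_decap(c1):
    if not 0 < c1 < N:
        raise ValueError("C1 out of range")
    return _kdf(pow(c1, D, N), c1)

def _subkeys(k):
    ks = hashlib.shake_256(k).digest(64)      # separate encryption and MAC keys
    return ks[:32], ks[32:]

def _xor_stream(ke, data):
    # K protects one message only, so a fixed keystream per key is acceptable here.
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(ke).digest(len(data))))

def dem_encrypt(k, msg):
    """DEM: symmetric key and message in, C2 out (encrypt-then-MAC)."""
    ke, km = _subkeys(k)
    body = _xor_stream(ke, msg)
    return body + hmac.new(km, body, hashlib.sha256).digest()

def dem_decrypt(k, c2):
    ke, km = _subkeys(k)
    body, tag = c2[:-32], c2[-32:]
    if not hmac.compare_digest(tag, hmac.new(km, body, hashlib.sha256).digest()):
        raise ValueError("C2 failed authentication")
    return _xor_stream(ke, body)

def hybrid_encrypt(msg):
    k, c1 = kem_encap()
    return c1, dem_encrypt(k, msg)            # send both parts to Bob

def hybrid_decrypt(c1, c2):
    return dem_decrypt(kem_decap(c1), c2)
```

Changing either C1 or C2 makes decryption fail: a modified C1 decapsulates to a different K, under which the MAC on C2 no longer verifies.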
Slide 18
Known Constructions II
[Figure: blocks RNG, HASH, SPLIT, SMOOTH, ENCRYPT, HASH, XOR; values K, C1, C2]
Slide 19
New Constructions I
1. Generate a random plaintext.
2. Encrypt the plaintext to give a ciphertext.
3. Hash the plaintext to get a checksum.
4. Hash the plaintext to give a symmetric key.
[Figure: blocks RNG, HASH, ENCRYPT; values r, K, C1, C2]
Slide 20
New Constructions I
Provably secure (in the RO model).
Still need to have one extra assumption:
We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.
This condition is always satisfied if the encryption algorithm is deterministic.
Slide 21
New Constructions II
1. Generate a random plaintext.
2. Hash the plaintext to get a string of random looking bits.
3. Encrypt the plaintext using the hash code as the random coins.
4. Hash that ciphertext to give a symmetric key.
[Figure: blocks RNG, ENCRYPT, HASH; values r, C, K]
Slide 22
New Constructions II
Provably secure (in the RO model).
No need for extra assumptions but does need a formal definition of probabilistic encryption algorithm.
Surprisingly, it doesn't work for deterministic algorithms (it becomes the first known construction).
Slide 23
Rabin-KEM
As a practical example we will describe a new KEM that is provably as secure as factoring.
There are already several hybrid schemes based on the difficulty of factoring (e.g. EPOC-2) but no KEMs.
Uses New Construction I.
Slide 24
Encryption
Let $n = pq$ be an RSA modulus.
1. Choose $r$ in the range $1, \ldots, n$.
2. Let $C_1 = \mathrm{Hash}(r)$.
3. Let $C_2 = r^2 \bmod n$.
4. Let $K = \mathrm{Hash}(r)$.
5. Output $K$ and $(C_1, C_2)$.
Slide 25
Decryption
Let the secret key be some method of determining square roots modulo $n$.
1. Compute the four square roots of $C_2$: $r_1$, $r_2$, $r_3$, and $r_4$.
2. If there exists exactly one $r_i$ such that $\mathrm{Hash}(r_i) = C_1$ then output $\mathrm{Hash}(r_i)$.
3. Otherwise output error.
Slide 26
Rabin-KEM
Provably as secure as factoring (in the random oracle model).
Checksum helps identify correct root.
Small chance that valid ciphertexts may be rejected.
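Added example, not from the original slides: Rabin-KEM encapsulation and decapsulation following the Encryption and Decryption steps above. The demo primes (both congruent to 3 mod 4, which makes square roots easy to compute), SHA-256 and the two hash labels are assumptions; the slides write Hash(r) for both the checksum and the key.

```python
import hashlib, hmac, secrets

# Constructed demo key: two Mersenne primes, both 3 mod 4. Not a secure modulus.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q
NBYTES = (N.bit_length() + 7) // 8

def _hash(label, r):
    # The labels (an assumption) make the checksum hash and the key hash two
    # different functions, so C1 never equals K.
    return hashlib.sha256(label + r.to_bytes(NBYTES, "big")).digest()

def square_roots(c2):
    """All square roots of c2 mod N; computing them needs the secret P and Q."""
    rp = pow(c2, (P + 1) // 4, P)           # root mod P, valid because P = 3 mod 4
    rq = pow(c2, (Q + 1) // 4, Q)
    if pow(rp, 2, P) != c2 % P or pow(rq, 2, Q) != c2 % Q:
        return set()                         # c2 is not a square mod N
    q_inv, p_inv = pow(Q, -1, P), pow(P, -1, Q)
    return {(a * Q * q_inv + b * P * p_inv) % N    # CRT: x = a mod P, x = b mod Q
            for a in (rp, P - rp) for b in (rq, Q - rq)}

def encapsulate(r=None):
    if r is None:
        r = secrets.randbelow(N - 1) + 1     # step 1: random r in 1..N-1
    c1 = _hash(b"checksum", r)               # step 2
    c2 = pow(r, 2, N)                        # step 3
    return _hash(b"key", r), (c1, c2)        # steps 4 and 5

def decapsulate(ct):
    c1, c2 = ct
    if not 0 <= c2 < N:
        raise ValueError("invalid ciphertext")
    matches = [r for r in square_roots(c2)
               if hmac.compare_digest(_hash(b"checksum", r), c1)]
    if len(matches) != 1:                    # zero or several candidates: reject
        raise ValueError("invalid ciphertext")
    return _hash(b"key", matches[0])
```

The `len(matches) != 1` branch is where a valid ciphertext could in principle be rejected: it would require a second root of C2 whose checksum collides with C1.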
Slide 27
Conclusions
KEM-DEM constructions promising, practical area of research.
More efficient constructions (especially in terms of ciphertext length)?
Specialist constructions?