A Designer

1
A Designers Guide to KEMs

• Alex Dent
• alex_at_fermat.ma.rhul.ac.uk
• http//www.isg.rhul.ac.uk/alex

2
Asymmetric Ciphers

• Involve two keys a public key and a private key.
• Alice wants to send a message to Bob.
• Alice encrypts the message using Bobs public
  key.
• Bob decrypts the message using his private key.

3
Asymmetric Ciphers

• Tremendously convenient
• (if we ignore the need for a PKI).
• Slow for both encryption and decryption.
• Usually only work with short messages.

4
Hybrid Ciphers

• An asymmetric cipher that combines both
  asymmetric and symmetric cryptographic
  techniques.
• - ISO/IEC 18033-2

5
Hybrid Ciphers

1. Randomly generate a symmetric key.
2. Encrypt the message using that symmetric key and
   some symmetric technique.
3. Encrypt the symmetric key using an asymmetric
   technique.
4. Send both parts to Bob.

6
Hybrid Ciphers

• Decrypt the asymmetric ciphertext to recover the
  random symmetric key.
• Decrypt the symmetric part using the newly
  decrypted random symmetric key.
• Hybrid ciphers can cope with long messages and
  are not much slower then traditional asymmetric
  ciphers.

7
Hybrid Ciphers

• Techniques has been used for years
• (Used in PGP, SSL/TLS, IPSec.)
• Can be done badly (see Why textbook ElGamal and
  RSA encryption are insecure by Boneh, Joux and
  Nguyen.)
• Formalised as a KEM-DEM system by Shoup.

8
(No Transcript)
9
KEMs and DEMs

• Formalise hybrid ciphers by splitting it into two
  parts
• Asymmetric key encapsulation mechanism (KEM)
• Symmetric data encapsulation mechanism (DEM)

10
KEMs and DEMs

• KEM takes as input a public key and produces a
  random symmetric key of a pre-specified length
  and an encryption of that key.
• DEM takes as input a symmetric key and a message
  and outputs an encryption of that message.
• Both have specific security requirements.

11
KEMs and DEMs
pk
C1
KEM
K
m
C2
DEM
12
KEMs and DEMs
sk
KEM
C1
K
m
C2
DEM
13
The Security Criterion for KEMs

• Indistinguishable from random (IND) in the
  adaptive chosen ciphertext model (CCA2).
• A KEM is secure if, given a symmetric key K and a
  ciphertext C produced by the KEM, no attacker can
  tell if C decrypts to gave K or whether K was
  chosen at random.
• (The attacker also gets to make queries to a KEM
  decryption oracle in the usual way).

14
Designing KEMs
Can we build secure KEMs from secure encryption
algorithms?

• By secure here we mean secure in a very weak
  sense.
• We only assume that the encryption algorithm is
  secure in the OW-CPA model.

15
Designing KEMs

• Secure in the OW-CPA model means it is hard to
  invert a random ciphertext given only the public
  key.
• Two known constructions RSA-KEM and PSEC-KEM.
• Both have security proofs based on the underlying
  encryption mechanism.

16
Known Constructions I

1. Generate a random plaintext.
2. Encrypt the plaintext to give a ciphertext.
3. Hash the plaintext and ciphertext to give a
   symmetric key.

RNG
r
ENCRYPT
C
HASH
K
17
Known Constructions I

• Provably secure (in the random oracle model)
• However proof needs two extra assumptions
• The encryption algorithm must remain secure even
  if the attacker is given the ability to tell the
  difference between valid and invalid ciphertexts.
• We must be able to tell if a plaintext/ciphertext
  pair is valid or not for the encryption
  algorithm.
• Both of these conditions are fulfilled by RSA.

18
Known Constructions II
RNG
HASH
SPLIT
SMOOTH
ENCRYPT
C1
HASH
XOR
C2
K
19
New Constructions I
RNG

1. Generate a random plaintext.
2. Encrypt the plaintext to give a ciphertext.
3. Hash the plaintext to get a checksum.
4. Hash the plaintext to give a symmetric key.

r
ENCRYPT
C1
HASH
C2
HASH
K
20
New Constructions I

• Provably secure (in the RO model).
• Still need to have one extra assumption
• We must be able to tell if a plaintext/ciphertext
  pair is valid or not for the encryption
  algorithm.
• This condition is always satisfied if the
  encryption algorithm is deterministic.

21
New Constructions II
RNG

1. Generate a random plaintext.
2. Hash the plaintext to get a string of random
   looking bits.
3. Encrypt the plaintext using the hash code as the
   random coins.
4. Hash that ciphertext to give a symmetric key.

r
HASH
ENCRYPT
C
HASH
K
22
New Constructions II

• Provably Secure (in the RO model).
• No need for extra assumptions but does need a
  formal definition of probabilistic encryption
  algorithm.
• Surprisingly, it doesnt work for deterministic
  algorithms (it becomes the first known
  construction).

23
Rabin-KEM

• As a practical example we will describe a new KEM
  that is provably as secure as factoring.
• There are already several hybrid schemes based on
  the difficulty of factoring (e.g. EPOC-2) but no
  KEMs.
• Uses New Construction I.

24
Encryption

• Let npq be an RSA modulus.
• Choose r in the range 1, , n.
• Let C1Hash(r).
• Let C2r2 mod n.
• Let KHash(r).
• Output K and (C1,C2).

25
Decryption

• Let the secret key be some method of determining
  square roots modulo n.
• Compute the four square roots of C2 r1, r2, r3,
  and r4.
• If there exists exactly one ri such that
  Hash(ri)C1 then output Hash(ri).
• Otherwise output error.

26
Rabin-KEM

• Provably as secure as factoring (in the random
  oracle model).
• Checksum helps identify correct root.
• Small chance that valid ciphertexts may be
  rejected.

27
Conclusions

• KEM-DEM constructions promising, practical area
  of research.
• More efficient constructions (especially in terms
  of ciphertext length)?
• Specialist constructions?