A Designer’s Guide to KEMs Alex Dent email@example.com http://www.isg.rhul.ac.uk/~alex Asymmetric Ciphers • Involve two keys: a public key and a private key. • Alice wants to send a message to Bob. • Alice encrypts the message using Bob’s public key. • Bob decrypts the message using his private key. Asymmetric Ciphers • Tremendously convenient (if we ignore the need for a PKI). • Slow for both encryption and decryption. • Usually only work with short messages. Hybrid Ciphers “An asymmetric cipher that combines both asymmetric and symmetric cryptographic techniques.” - ISO/IEC 18033-2 Hybrid Ciphers 1. Randomly generate a symmetric key. 2. Encrypt the message using that symmetric key and some symmetric technique. 3. Encrypt the symmetric key using an asymmetric technique. 4. Send both parts to Bob. Hybrid Ciphers 1. Decrypt the asymmetric ciphertext to recover the random symmetric key. 2. Decrypt the symmetric part using the newly decrypted random symmetric key. • Hybrid ciphers can cope with long messages and are not much slower then traditional asymmetric ciphers. Hybrid Ciphers • Techniques has been used for years (Used in PGP, SSL/TLS, IPSec.) • Can be done badly (see “Why textbook ElGamal and RSA encryption are insecure” by Boneh, Joux and Nguyen.) • Formalised as a KEM-DEM system by Shoup. KEMs and DEMs • Formalise hybrid ciphers by splitting it into two parts: – Asymmetric key encapsulation mechanism (KEM) – Symmetric data encapsulation mechanism (DEM) KEMs and DEMs • KEM takes as input a public key and produces a random symmetric key of a pre- specified length and an encryption of that key. • DEM takes as input a symmetric key and a message and outputs an encryption of that message. • Both have specific security requirements. KEMs and DEMs pk KEM C1 K m DEM C2 KEMs and DEMs sk KEM C1 K C2 DEM m The Security Criterion for KEMs • Indistinguishable from random (IND) in the adaptive chosen ciphertext model (CCA2). • A KEM is secure if, given a symmetric key K and a ciphertext C produced by the KEM, no attacker can tell if C decrypts to gave K or whether K was chosen at random. • (The attacker also gets to make queries to a KEM decryption oracle in the usual way). Designing KEMs Can we build secure KEMs from secure encryption algorithms? • By “secure” here we mean secure in a very weak sense. • We only assume that the encryption algorithm is secure in the OW-CPA model. Designing KEMs • Secure in the OW-CPA model means it is hard to invert a random ciphertext given only the public key. • Two known constructions: RSA-KEM and PSEC-KEM. • Both have security proofs based on the underlying encryption mechanism. Known Constructions I 1. Generate a random plaintext. RNG 2. Encrypt the plaintext r to give a ciphertext. ENCRYPT C 3. Hash the plaintext and ciphertext to HASH give a symmetric key. K Known Constructions I • Provably secure (in the random oracle model) • However proof needs two extra assumptions: – The encryption algorithm must remain secure even if the attacker is given the ability to tell the difference between valid and invalid ciphertexts. – We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm. • Both of these conditions are fulfilled by RSA. Known Constructions II RNG HASH SPLIT SMOOTH ENCRYPT C1 HASH XOR C2 K New Constructions I 1. Generate a random RNG plaintext. r 2. Encrypt the plaintext ENCRYPT C1 to give a ciphertext. HASH C2 3. Hash the plaintext to get a checksum. 4. Hash the plaintext to HASH give a symmetric key. K New Constructions I • Provably secure (in the RO model). • Still need to have one extra assumption: – We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm. • This condition is always satisfied if the encryption algorithm is deterministic. New Constructions II 1. Generate a random RNG plaintext. r 2. Hash the plaintext to get HASH a string of random looking bits. 3. Encrypt the plaintext ENCRYPT C using the hash code as the random coins. HASH 4. Hash that ciphertext to give a symmetric key. K New Constructions II • Provably Secure (in the RO model). • No need for extra assumptions but does need a formal definition of “probabilistic encryption algorithm”. • Surprisingly, it doesn’t work for deterministic algorithms (it becomes the first known construction). Rabin-KEM • As a practical example we will describe a new KEM that is provably as secure as factoring. • There are already several hybrid schemes based on the difficulty of factoring (e.g. EPOC-2) but no KEMs. • Uses New Construction I. Encryption Let n=pq be an RSA modulus. 1. Choose r in the range 1, …, n. 2. Let C1=Hash(r). 3. Let C2=r2 mod n. 4. Let K=Hash’(r). 5. Output K and (C1,C2). Decryption Let the secret key be some method of determining square roots modulo n. 1. Compute the four square roots of C2: r1, r2, r3, and r4. 2. If there exists exactly one ri such that Hash(ri)=C1 then output Hash’(ri). 3. Otherwise output “error”. Rabin-KEM • Provably as secure as factoring (in the random oracle model). • Checksum helps identify correct root. • Small chance that valid ciphertexts may be rejected. Conclusions • KEM-DEM constructions promising, practical area of research. • More efficient constructions (especially in terms of ciphertext length)? • Specialist constructions?