A Designer’s Guide to KEMs Alex Dent alex@fermat.ma.rhul.ac.uk http://www.isg.rhul.ac.uk/~alex
Asymmetric Ciphers • Involve two keys: a public key and a private key. • Alice wants to send a message to Bob. • Alice encrypts the message using Bob’s public key. • Bob decrypts the message using his private key.
Asymmetric Ciphers • Tremendously convenient (if we ignore the need for a PKI). • Slow for both encryption and decryption. • Usually only work with short messages.
Hybrid Ciphers “An asymmetric cipher that combines both asymmetric and symmetric cryptographic techniques.” - ISO/IEC 18033-2
Hybrid Ciphers • Randomly generate a symmetric key. • Encrypt the message using that symmetric key and some symmetric technique. • Encrypt the symmetric key using an asymmetric technique. • Send both parts to Bob.
Hybrid Ciphers • Decrypt the asymmetric ciphertext to recover the random symmetric key. • Decrypt the symmetric part using the newly decrypted random symmetric key. • Hybrid ciphers can cope with long messages and are not much slower than traditional asymmetric ciphers.
Hybrid Ciphers • The technique has been used for years (used in PGP, SSL/TLS, IPSec). • Can be done badly (see “Why textbook ElGamal and RSA encryption are insecure” by Boneh, Joux and Nguyen). • Formalised as a KEM-DEM system by Shoup.
KEMs and DEMs • Formalise hybrid ciphers by splitting them into two parts: • Asymmetric key encapsulation mechanism (KEM) • Symmetric data encapsulation mechanism (DEM)
KEMs and DEMs • KEM takes as input a public key and produces a random symmetric key of a pre-specified length and an encryption of that key. • DEM takes as input a symmetric key and a message and outputs an encryption of that message. • Both have specific security requirements.
KEMs and DEMs [Diagram: encapsulation. pk → KEM → (K, C1); (K, m) → DEM → C2.]
KEMs and DEMs [Diagram: decapsulation. (sk, C1) → KEM → K; (K, C2) → DEM → m.]
The Security Criterion for KEMs • Indistinguishable from random (IND) in the adaptive chosen ciphertext model (CCA2). • A KEM is secure if, given a symmetric key K and a ciphertext C produced by the KEM, no attacker can tell whether C decrypts to give K or whether K was chosen at random. • (The attacker also gets to make queries to a KEM decryption oracle in the usual way.)
Designing KEMs • By “secure” here we mean secure in a very weak sense. • We only assume that the encryption algorithm is secure in the OW-CPA model. Can we build secure KEMs from secure encryption algorithms?
Designing KEMs • Secure in the OW-CPA model means it is hard to invert a random ciphertext given only the public key. • Two known constructions: RSA-KEM and PSEC-KEM. • Both have security proofs based on the underlying encryption mechanism.
Known Constructions I • Generate a random plaintext. • Encrypt the plaintext to give a ciphertext. • Hash the plaintext and ciphertext to give a symmetric key. [Diagram: RNG → r → ENCRYPT → C; (r, C) → HASH → K.]
Known Constructions I • Provably secure (in the random oracle model). • However, the proof needs two extra assumptions: • The encryption algorithm must remain secure even if the attacker is given the ability to tell the difference between valid and invalid ciphertexts. • We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm. • Both of these conditions are fulfilled by RSA.
Known Constructions II [Diagram of the second known construction (PSEC-KEM): RNG → HASH → SPLIT; one part is SMOOTHed and fed to ENCRYPT → C1; the other part is HASHed and XORed → C2; K is derived from the split output.]
New Constructions I • Generate a random plaintext. • Encrypt the plaintext to give a ciphertext. • Hash the plaintext to get a checksum. • Hash the plaintext to give a symmetric key. [Diagram: RNG → r; r → ENCRYPT → C1; r → HASH → C2; r → HASH → K.]
New Constructions I • Provably secure (in the RO model). • Still need to have one extra assumption: • We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm. • This condition is always satisfied if the encryption algorithm is deterministic.
New Constructions II • Generate a random plaintext. • Hash the plaintext to get a string of random looking bits. • Encrypt the plaintext using the hash code as the random coins. • Hash that ciphertext to give a symmetric key. [Diagram: RNG → r; r → HASH → coins; (r, coins) → ENCRYPT → C; C → HASH → K.]
New Constructions II • Provably secure (in the RO model). • No need for extra assumptions, but does need a formal definition of “probabilistic encryption algorithm”. • Surprisingly, it doesn’t work for deterministic algorithms (it becomes the first known construction).
Rabin-KEM • As a practical example we will describe a new KEM that is provably as secure as factoring. • There are already several hybrid schemes based on the difficulty of factoring (e.g. EPOC-2) but no KEMs. • Uses New Construction I.
Encryption Let n=pq be an RSA modulus. • Choose r in the range 1, …, n. • Let C1=Hash(r). • Let C2=r^2 mod n. • Let K=Hash’(r). • Output K and (C1,C2).
Decryption Let the secret key be some method of determining square roots modulo n. • Compute the four square roots of C2: r_1, r_2, r_3, and r_4. • If there exists exactly one r_i such that Hash(r_i)=C1 then output Hash’(r_i). • Otherwise output “error”.
Rabin-KEM • Provably as secure as factoring (in the random oracle model). • Checksum helps identify correct root. • Small chance that valid ciphertexts may be rejected.
Conclusions • KEM-DEM constructions are a promising, practical area of research. • More efficient constructions (especially in terms of ciphertext length)? • Specialist constructions?