A Designer’s Guide to KEMs Alex Dent


Asymmetric Ciphers Involve two keys: a public key and a private key. Alice wants to send a message to Bob. Alice encrypts the message using Bob’s public key. Bob decrypts the message using his private key.

Asymmetric Ciphers Tremendously convenient (if we ignore the need for a PKI). Slow for both encryption and decryption. Usually only work with short messages.

Hybrid Ciphers “An asymmetric cipher that combines both asymmetric and symmetric cryptographic techniques.” - ISO/IEC

Hybrid Ciphers
1. Randomly generate a symmetric key.
2. Encrypt the message using that symmetric key and some symmetric technique.
3. Encrypt the symmetric key using an asymmetric technique.
4. Send both parts to Bob.

Hybrid Ciphers
1. Decrypt the asymmetric ciphertext to recover the random symmetric key.
2. Decrypt the symmetric part using the newly decrypted random symmetric key.
Hybrid ciphers can cope with long messages and are not much slower than traditional asymmetric ciphers.

Hybrid Ciphers The technique has been used for years (in PGP, SSL/TLS, IPSec). Can be done badly (see “Why textbook ElGamal and RSA encryption are insecure” by Boneh, Joux and Nguyen). Formalised as a KEM-DEM system by Shoup.

KEMs and DEMs Formalise hybrid ciphers by splitting them into two parts:
– Asymmetric key encapsulation mechanism (KEM)
– Symmetric data encapsulation mechanism (DEM)

KEMs and DEMs KEM takes as input a public key and produces a random symmetric key of a pre-specified length and an encryption of that key. DEM takes as input a symmetric key and a message and outputs an encryption of that message. Both have specific security requirements.

KEMs and DEMs [Diagram, encryption: the KEM takes pk and outputs K and C1; the DEM takes K and m and outputs C2.]

KEMs and DEMs [Diagram, decryption: the KEM takes sk and C1 and outputs K; the DEM takes K and C2 and outputs m.]

The Security Criterion for KEMs Indistinguishable from random (IND) in the adaptive chosen ciphertext model (CCA2). A KEM is secure if, given a symmetric key K and a ciphertext C produced by the KEM, no attacker can tell whether C decrypts to give K or whether K was chosen at random. (The attacker also gets to make queries to a KEM decryption oracle in the usual way.)

Designing KEMs By “secure” here we mean secure in a very weak sense. We only assume that the encryption algorithm is secure in the OW-CPA model. Can we build secure KEMs from secure encryption algorithms?

Designing KEMs Secure in the OW-CPA model means it is hard to invert a random ciphertext given only the public key. Two known constructions: RSA-KEM and PSEC-KEM. Both have security proofs based on the underlying encryption mechanism.

Known Constructions I
1. Generate a random plaintext.
2. Encrypt the plaintext to give a ciphertext.
3. Hash the plaintext and ciphertext to give a symmetric key.
[Diagram: RNG outputs r; ENCRYPT outputs C; HASH outputs K.]

Known Constructions I Provably secure (in the random oracle model). However, the proof needs two extra assumptions:
– The encryption algorithm must remain secure even if the attacker is given the ability to tell the difference between valid and invalid ciphertexts.
– We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.
Both of these conditions are fulfilled by RSA.
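The KEM/DEM split and Known Construction I from the slides above, as an added Python example (not code from the presentation). Assumptions: raw RSA with a toy key as the encryption algorithm, SHAKE-256 as the hash, a simple keystream-plus-HMAC stand-in as the DEM, and all function names.

```python
import hashlib, hmac, secrets

# Toy RSA key built from two Mersenne primes (constructed for this example;
# far too small and structured for real use). Needs Python 3.8+ for pow(x, -1, m).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
NLEN = (N.bit_length() + 7) // 8

def _kdf(r, c1, keylen):
    # K = Hash(plaintext, ciphertext), with SHAKE-256 standing in for the hash.
    data = r.to_bytes(NLEN, "big") + c1.to_bytes(NLEN, "big")
    return hashlib.shake_256(data).digest(keylen)

def kem_encap(n, e, keylen=32):
    r = secrets.randbelow(n - 2) + 2        # 1. random plaintext
    c1 = pow(r, e, n)                       # 2. encrypt it (raw RSA on random r)
    return _kdf(r, c1, keylen), c1          # 3. hash plaintext and ciphertext

def kem_decap(n, d, c1, keylen=32):
    if not 0 < c1 < n:
        raise ValueError("invalid KEM ciphertext")
    return _kdf(pow(c1, d, n), c1, keylen)

def _mac(k, body):
    return hmac.new(b"mac" + k, body, hashlib.sha256).digest()

def _xor_stream(k, data):
    stream = hashlib.shake_256(b"enc" + k).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def dem_encrypt(k, m):
    # Stand-in DEM: one-time keystream plus MAC (encrypt-then-MAC).
    body = _xor_stream(k, m)
    return body + _mac(k, body)

def dem_decrypt(k, c2):
    body, tag = c2[:-32], c2[-32:]
    if not hmac.compare_digest(tag, _mac(k, body)):
        raise ValueError("DEM authentication failed")
    return _xor_stream(k, body)

def hybrid_encrypt(n, e, m):
    k, c1 = kem_encap(n, e)                 # fresh symmetric key per message
    return c1, dem_encrypt(k, m)            # ciphertext is the pair (C1, C2)

def hybrid_decrypt(n, d, c1, c2):
    return dem_decrypt(kem_decap(n, d, c1), c2)
```

Because the KEM outputs a fresh key for every message, the DEM only ever uses a key once; modifying either C1 or C2 makes `hybrid_decrypt` raise instead of returning altered plaintext.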

Known Constructions II [Diagram: RNG, HASH, SPLIT, SMOOTH, ENCRYPT, HASH, XOR; outputs K, C1, C2.]

New Constructions I
1. Generate a random plaintext.
2. Encrypt the plaintext to give a ciphertext.
3. Hash the plaintext to get a checksum.
4. Hash the plaintext to give a symmetric key.
[Diagram: RNG, ENCRYPT, HASH; labels r, C1, C2, K.]

New Constructions I Provably secure (in the RO model). Still need to have one extra assumption:
– We must be able to tell if a plaintext/ciphertext pair is valid or not for the encryption algorithm.
This condition is always satisfied if the encryption algorithm is deterministic.

New Constructions II
1. Generate a random plaintext.
2. Hash the plaintext to get a string of random looking bits.
3. Encrypt the plaintext using the hash code as the random coins.
4. Hash that ciphertext to give a symmetric key.
[Diagram: RNG, ENCRYPT, HASH; labels r, C, K.]

New Constructions II Provably Secure (in the RO model). No need for extra assumptions but does need a formal definition of “probabilistic encryption algorithm”. Surprisingly, it doesn’t work for deterministic algorithms (it becomes the first known construction).

Rabin-KEM As a practical example we will describe a new KEM that is provably as secure as factoring. There are already several hybrid schemes based on the difficulty of factoring (e.g. EPOC-2) but no KEMs. Uses New Construction I.

Encryption Let $n = pq$ be an RSA modulus.
1. Choose $r$ in the range $1, \ldots, n$.
2. Let $C_1 = \mathrm{Hash}(r)$.
3. Let $C_2 = r^2 \bmod n$.
4. Let $K = \mathrm{Hash}'(r)$.
5. Output $K$ and $(C_1, C_2)$.

Decryption Let the secret key be some method of determining square roots modulo $n$.
1. Compute the four square roots of $C_2$: $r_1$, $r_2$, $r_3$, and $r_4$.
2. If there exists exactly one $r_i$ such that $\mathrm{Hash}(r_i) = C_1$ then output $\mathrm{Hash}'(r_i)$.
3. Otherwise output “error”.

Rabin-KEM Provably as secure as factoring (in the random oracle model). Checksum helps identify correct root. Small chance that valid ciphertexts may be rejected.
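The Rabin-KEM encryption and decryption steps above, as an added Python example (not code from the presentation). Assumptions: the secret key is the factorisation (p, q) with both primes 3 mod 4, Hash and Hash' are domain-separated SHAKE-256, the modulus is a toy value, and all function names.

```python
import hashlib, hmac, secrets

# Toy modulus from two Mersenne primes, both 3 (mod 4) (constructed for this
# example; a real n needs large random primes). Python 3.8+ for pow(x, -1, m).
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q
NLEN = (N.bit_length() + 7) // 8

def _h(tag, r, outlen):
    # Hash and Hash' modelled as domain-separated SHAKE-256 (an assumption).
    return hashlib.shake_256(tag + r.to_bytes(NLEN, "big")).digest(outlen)

def encap(n):
    r = secrets.randbelow(n - 1) + 1       # 1..n-1 (r = n would just be 0 mod n)
    c1 = _h(b"chk", r, 16)                 # checksum C1 = Hash(r)
    c2 = pow(r, 2, n)                      # C2 = r^2 mod n
    return _h(b"key", r, 32), (c1, c2)     # K = Hash'(r)

def sqrt_mod_n(c, p, q):
    """All square roots of c modulo p*q, for primes p and q that are 3 mod 4."""
    rp, rq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    if pow(rp, 2, p) != c % p or pow(rq, 2, q) != c % q:
        return set()                       # c is not a square mod n
    a, b = q * pow(q, -1, p), p * pow(p, -1, q)   # CRT basis elements
    return {(sp * a + sq * b) % (p * q)
            for sp in (rp, p - rp) for sq in (rq, q - rq)}

def decap(p, q, c1, c2):
    if not 0 <= c2 < p * q:
        raise ValueError("error")
    hits = [r for r in sqrt_mod_n(c2, p, q)
            if hmac.compare_digest(_h(b"chk", r, 16), c1)]
    if len(hits) != 1:                     # zero or several roots match
        raise ValueError("error")
    return _h(b"key", hits[0], 32)
```

The `len(hits) != 1` branch is the rejection case from the slides: a ciphertext is refused both when no root matches the checksum and when more than one does.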

Conclusions KEM-DEM constructions promising, practical area of research. More efficient constructions (especially in terms of ciphertext length)? Specialist constructions?