Key encapsulation mechanism

Last updated
A key encapsulation mechanism, to securely transport a secret key
k
{\displaystyle k}
from a sender to a receiver, consists of three algorithms: Gen, Encap, and Decap. Circles shaded blue--the receiver's public key
p
k
{\displaystyle pk}
and the encapsulation
c
{\displaystyle c}
--can be safely revealed to an adversary, while boxes shaded red--the receiver's private key
s
k
{\displaystyle sk}
and the encapsulated secret key
k
{\displaystyle k}
--must be kept secret. KEM.svg
A key encapsulation mechanism, to securely transport a secret key from a sender to a receiver, consists of three algorithms: Gen, Encap, and Decap. Circles shaded blue—the receiver's public key and the encapsulation —can be safely revealed to an adversary, while boxes shaded red—the receiver's private key and the encapsulated secret key —must be kept secret.

In cryptography, a key encapsulation mechanism, or KEM, is a public-key cryptosystem that allows a sender to generate a short secret key and transmit it to a receiver securely, in spite of eavesdropping and intercepting adversaries. [1] [2] [3] Modern standards for public-key encryption of arbitrary messages are usually based on KEMs. [4] [5]

Contents

A KEM allows a sender who knows a public key to simultaneously generate a short random secret key and an encapsulation or ciphertext of the secret key by the KEM's encapsulation algorithm. The receiver who knows the private key corresponding to the public key can recover the same random secret key from the encapsulation by the KEM's decapsulation algorithm. [1] [2] [3]

The security goal of a KEM is to prevent anyone who doesn't know the private key from recovering any information about the encapsulated secret keys, even after eavesdropping or submitting other encapsulations to the receiver to study how the receiver reacts. [1] [2] [3]

Difference from public-key encryption

A public-key encryption scheme. PKE.svg
A public-key encryption scheme.

The difference between a public-key encryption scheme and a KEM is that a public-key encryption scheme allows a sender to choose an arbitrary message from some space of possible messages, while a KEM chooses a short secret key at random for the sender. [1] [2] [3]

The sender may take the random secret key produced by a KEM and use it as a symmetric key for an authenticated cipher whose ciphertext is sent alongside the encapsulation to the receiver. This serves to compose a public-key encryption scheme out of a KEM and a symmetric-key authenticated cipher in a hybrid cryptosystem. [1] [2] [3] [5]

Most public-key encryption schemes such as RSAES-PKCS1-v1_5, RSAES-OAEP, and Elgamal encryption are limited to small messages [6] [7] and are almost always used to encrypt a short random secret key in a hybrid cryptosystem anyway. [8] [9] [5] And although a public-key encryption scheme can conversely be converted to a KEM by choosing a random secret key and encrypting it as a message, it is easier to design and analyze a secure KEM than to design a secure public-key encryption scheme as a basis. So most modern public-key encryption schemes are based on KEMs rather than the other way around. [10] [5]

Definition

Syntax

A KEM consists of three algorithms: [1] [2] [3] [11] [12]

  1. Key generation, , takes no inputs and returns a pair of a public key and a private key .
  2. Encapsulation, , takes a public key , randomly chooses a secret key , and returns along with its encapsulation .
  3. Decapsulation, , takes a private key and an encapsulation , and either returns an encapsulated secret key or fails, sometimes denoted by returning (called ‘bottom’).

Correctness

A KEM is correct if, for any key pair generated by , decapsulating an encapsulation returned by with high probability yields the same key , that is, . [2] [3] [11] [12]

Security: IND-CCA

Security of a KEM is quantified by its indistinguishability against chosen-ciphertext attack, IND-CCA, which is loosely how much better an adversary can do than a coin toss to tell whether, given a random key and an encapsulation, the key is encapsulated by that encapsulation or is an independent random key. [2] [3] [11] [12]

Specifically, in the IND-CCA game:

  1. The key generation algorithm is run to generate .
  2. is revealed to the adversary.
  3. The adversary can query for arbitrary encapsulations of the adversary's choice.
  4. The encapsulation algorithm is run to randomly generate a secret key and encapsulation , and another secret key is generated independently at random.
  5. A fair coin is tossed, giving an outcome .
  6. The pair is revealed to the adversary.
  7. The adversary can again query for arbitrary encapsulations of the adversary's choice, except for .
  8. The adversary returns a guess , and wins the game if .

The IND-CCA advantage of the adversary is , that is, the probability beyond a fair coin toss at correctly distinguishing an encapsulated key from an independently randomly chosen key.

Examples and motivation

RSA

Traditional RSA encryption, with -bit moduli and exponent , is defined as follows: [13] [14] [15]

  1. Generate a -bit semiprime with at random satisfying , where is the Carmichael function.
  2. Compute .
  3. Return as the public key and as the private key. (Many variations on key generation algorithms and private key formats are available. [16] )
  1. Encode the bit string as an integer with .
  2. Return .
  1. Compute .
  2. Decode the integer as a bit string .

This naive approach is totally insecure. For example, since it is nonrandomized, it cannot be secure against even known-plaintext attack—an adversary can tell whether the sender is sending the message ATTACK AT DAWN versus the message ATTACK AT DUSK simply by encrypting those messages and comparing the ciphertext.

Even if is always a random secret key, such as a 256-bit AES key, when is chosen to optimize efficiency as , the message can be computed from the ciphertext simply by taking real number cube roots, and there are many other attacks against plain RSA. [13] [14] Various randomized padding schemes have been devised in attempts—sometimes failed, like RSAES-PKCS1-v1_5 [13] [17] [18] —to make it secure for arbitrary short messages . [13] [14]

Since the message is almost always a short secret key for a symmetric-key authenticated cipher used to encrypt an arbitrary bit string message, a simpler approach called RSA-KEM is to choose an element of at random and use that to derive a secret key using a key derivation function , roughly as follows: [19] [8]

  1. Choose an integer with uniformly at random.
  2. Return and as its encapsulation.
  1. Compute .
  2. Return .

This approach is simpler to implement, and provides a tighter reduction to the RSA problem, than padding schemes like RSAES-OAEP. [19]

Elgamal

Traditional Elgamal encryption is defined over a multiplicative subgroup of the finite field with generator of order as follows: [20] [21]

  1. Choose uniformly at random.
  2. Compute .
  3. Return as the private key and as the public key.
  1. Choose uniformly at random.
  2. Compute:
  3. Return the ciphertext .
  1. Fail and return if or if , i.e., if or is not in the subgroup generated by .
  2. Compute .
  3. Return .

This meets the syntax of a public-key encryption scheme, restricted to messages in the space (which limits it to message of a few hundred bytes for typical values of ). By validating ciphertexts in decryption, it avoids leaking bits of the private key through maliciously chosen ciphertexts outside the group generated by .

However, this fails to achieve indistinguishability against chosen ciphertext attack. For example, an adversary having a ciphertext for an unknown message can trivially decrypt it by querying the decryption oracle for the distinct ciphertext , yielding the related plaintext , from which can be recovered by . [20]

Traditional Elgamal encryption can be adapted to the elliptic-curve setting, but it requires some way to reversibly encode messages as points on the curve, which is less trivial than encoding messages as integers mod . [22]

Since the message is almost always a short secret key for a symmetric-key authenticated cipher used to encrypt an arbitrary bit string message, a simpler approach is to derive the secret key from and dispense with and altogether, as a KEM, using a key derivation function : [1]

  1. Choose uniformly at random.
  2. Compute .
  3. Return and as its encapsulation.
  1. Fail and return if , i.e., if is not in the subgroup generated by .
  2. Compute .
  3. Return .

When combined with an authenticated cipher to encrypt arbitrary bit string messages, the combination is essentially the Integrated Encryption Scheme. Since this KEM only requires a one-way key derivation function to hash random elements of the group it is defined over, in this case, and not a reversible encoding of messages, it is easy to extend to more compact and efficient elliptic curve groups for the same security, as in the ECIES, Elliptic Curve Integrated Encryption Scheme.

See also

Related Research Articles

RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest widely used for secure data transmission. The initialism "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at Government Communications Headquarters (GCHQ), the British signals intelligence agency, by the English mathematician Clifford Cocks. That system was declassified in 1997.

<span class="mw-page-title-main">Vigenère cipher</span> Simple type of polyalphabetic encryption system

The Vigenère cipher is a method of encrypting alphabetic text where each letter of the plaintext is encoded with a different Caesar cipher, whose increment is determined by the corresponding letter of another text, the key.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.

The affine cipher is a type of monoalphabetic substitution cipher, where each letter in an alphabet is mapped to its numeric equivalent, encrypted using a simple mathematical function, and converted back to a letter. The formula used means that each letter encrypts to one other letter, and back again, meaning the cipher is essentially a standard substitution cipher with a rule governing which letter goes to which. As such, it has the weaknesses of all substitution ciphers. Each letter is enciphered with the function (ax + b) mod 26, where b is the magnitude of the shift.

The Rabin cryptosystem is a family of public-key encryption schemes based on a trapdoor function whose security, like that of RSA, is related to the difficulty of integer factorization.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the ciphertext of a certain message , and the message's length, cannot determine any partial information on the message with probability non-negligibly higher than all other PPTA's that only have access to the message length. This concept is the computational complexity analogue to Shannon's concept of perfect secrecy. Perfect secrecy means that the ciphertext reveals no information at all about the plaintext, whereas semantic security implies that any information revealed cannot be feasibly extracted.

Poly1305 is a universal hash family designed by Daniel J. Bernstein in 2002 for use in cryptography.

The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output that is identical to that produced had the operations been performed on the unencrypted data. Homomorphic encryption can be used for privacy-preserving outsourced storage and computation. This allows data to be encrypted and outsourced to commercial cloud environments for processing, all while encrypted.

The Benaloh Cryptosystem is an extension of the Goldwasser-Micali cryptosystem (GM) created in 1985 by Josh (Cohen) Benaloh. The main improvement of the Benaloh Cryptosystem over GM is that longer blocks of data can be encrypted at once, whereas in GM each bit is encrypted individually.

The Naccache–Stern cryptosystem is a homomorphic public-key cryptosystem whose security rests on the higher residuosity problem. The Naccache–Stern cryptosystem was discovered by David Naccache and Jacques Stern in 1998.

The Damgård–Jurik cryptosystem is a generalization of the Paillier cryptosystem. It uses computations modulo where is an RSA modulus and a (positive) natural number. Paillier's scheme is the special case with . The order of can be divided by . Moreover, can be written as the direct product of . is cyclic and of order , while is isomorphic to . For encryption, the message is transformed into the corresponding coset of the factor group and the security of the scheme relies on the difficulty of distinguishing random elements in different cosets of . It is semantically secure if it is hard to decide if two given elements are in the same coset. Like Paillier, the security of Damgård–Jurik can be proven under the decisional composite residuosity assumption.

The Okamoto–Uchiyama cryptosystem is a public key cryptosystem proposed in 1998 by Tatsuaki Okamoto and Shigenori Uchiyama. The system works in the multiplicative group of integers modulo n, , where n is of the form p2q and p and q are large primes.

In cryptography, M8 is a block cipher designed by Hitachi in 1999. It is a modification of Hitachi's earlier M6 algorithm, designed for greater security and high performance in both hardware and 32-bit software implementations. M8 was registered by Hitachi in March 1999 as ISO/IEC 9979-0020.

Cocks IBE scheme is an identity based encryption system proposed by Clifford Cocks in 2001. The security of the scheme is based on the hardness of the quadratic residuosity problem.

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

Coppersmith's attack describes a class of cryptographic attacks on the public-key cryptosystem RSA based on the Coppersmith method. Particular applications of the Coppersmith method for attacking RSA include cases when the public exponent e is small or when partial knowledge of a prime factor of the secret key is available.

The Sakai–Kasahara scheme, also known as the Sakai–Kasahara key encryption algorithm (SAKKE), is an identity-based encryption (IBE) system proposed by Ryuichi Sakai and Masao Kasahara in 2003. Alongside the Boneh–Franklin scheme, this is one of a small number of commercially implemented identity-based encryption schemes. It is an application of pairings over elliptic curves and finite fields. A security proof for the algorithm was produced in 2005 by Chen and Cheng. SAKKE is described in Internet Engineering Task Force (IETF) RFC 6508.

HEAAN is an open source homomorphic encryption (HE) library which implements an approximate HE scheme proposed by Cheon, Kim, Kim and Song (CKKS). The first version of HEAAN was published on GitHub on 15 May 2016, and later a new version of HEAAN with a bootstrapping algorithm was released. Currently, the latest version is Version 2.1.

References

  1. 1 2 3 4 5 6 7 Galbraith, Steven (2012). "§23.1.1: The KEM/DEM paradigm". Mathematics of Public-Key Cryptography. Cambridge University Press. pp. 471–478. ISBN   978-1-107-01392-6.
  2. 1 2 3 4 5 6 7 8 Shoup, Victor (May 2000). Preneel, Bart (ed.). Using Hash Functions as a Hedge against Chosen Ciphertext Attack. Advances in Cryptology – EUROCRYPT 2000. Lecture Notes in Computer Science. Vol. 1807. Bruges, Belgium: Springer. pp. 275–288. doi: 10.1007/3-540-45539-6_19 . ISBN   978-3-540-67517-4.
  3. 1 2 3 4 5 6 7 8 Cramer, Ronald; Shoup, Victor (2003). "Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack". SIAM Journal on Computing. 33 (1). Society for Industrial and Applied Mathematics: 167–226. doi:10.1137/S0097539702403773.
  4. FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (PDF), National Institute of Standards and Technology, 2024-08-13, doi: 10.6028/NIST.FIPS.203
  5. 1 2 3 4 Barnes, R.; Bhargavan, K.; Lipp, B.; Wood, C. (February 2022). Hybrid Public Key Encryption. Internet Engineering Task Force. doi: 10.17487/RFC9180 . RFC 9180.
  6. Kaliski, B.; Jonsson, J.; Rusch, A. (November 2016). Moriarity, K. (ed.). PKCS #1: RSA Cryptography Specifications Version 2.2. Internet Engineering Task Force. doi: 10.17487/RFC8017 . RFC 8017.
  7. Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (October 1996). "8. Public-Key Encryption". Handbook of Applied Cryptography (PDF). CRC Press. pp. 283–319. ISBN   0-8493-8523-7.
  8. 1 2 Ferguson, Niels; Kohno, Tadayoshi; Schneier, Bruce (2010). "12. RSA". Cryptography Engineering. Wiley. pp. 195–211. ISBN   978-0-470-47424-2.
  9. Callas, J.; Donnerhacke, L.; Finney, H.; Shaw, D.; Thayer, R. (November 2007). OpenPGP Message Format. Internet Engineering Task Force. doi: 10.17487/RFC4880 . RFC 4880.
  10. "Post-Quantum Cryptography: FAQs". National Institute of Standards and Technology. 2024-07-19. Archived from the original on 2024-06-26. Retrieved 2024-07-20.
  11. 1 2 3 Dent, Alexander W. (2002), A Designer’s Guide to KEMs, Cryptology ePrint Archive, International Association for Cryptologic Research
  12. 1 2 3 Hofheinz, Dennis; Hövelmanns, Kathrin; Kiltz, Eike (November 2017). Kalai, Yael; Reyzin, Leonid (eds.). A Modular Analysis of the Fujisaki-Okamoto Transformation. Theory of Cryptography – TCC 2017. Lecture Notes in Computer Science. Vol. 10677. Baltimore, MD, United States: Springer. pp. 341–371. doi: 10.1007/978-3-319-70500-2_12 . ISBN   978-3-319-70499-9.
  13. 1 2 3 4 Aumasson, Jean-Philippe (2018). "10. RSA". Serious Cryptography: A Practical Introduction to Modern Encryption. No Starch Press. pp. 181–199. ISBN   978-1-59327-826-7.
  14. 1 2 3 Stinson, Douglas R. (2006). "5. The RSA Cryptosystem and Factoring Integers". Cryptography Theory and Practice (3rd ed.). Chapman & Hall/CRC. pp. 161–232. ISBN   978-1-58488-508-5.
  15. Rivest, R.L.; Shamir, A.; Adleman, L. (1978-02-01). "A method for obtaining digital signatures and public-key cryptosystems" (PDF). Communications of the ACM. 21 (2). Association for Computer Machinery: 120–126. doi: 10.1145/359340.359342 .
  16. Švenda, Petr; Nemec, Matúš; Sekan, Peter; Kvašňovský, Rudolf; Formánek, David; Komárek, David; Matyáš, Vashek (August 2016). The Million-Key Question—Investigating the Origins of RSA Public Keys. 25th USENIX Security Symposium. Austin, TX, United States: USENIX Association. pp. 893–910. ISBN   978-1-931971-32-4.
  17. Bleichenbacher, Daniel (August 1998). Krawczyk, Hugo (ed.). Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. Advances in Cryptology – CRYPTO '98. Lecture Notes in Computer Science. Vol. 1462. Santa Barbara, CA, United States: Springer. pp. 1–12. doi: 10.1007/BFb0055716 . ISBN   978-3-540-64892-5.
  18. Coron, Jean-Sébastien; Joye, Marc; Naccache, David; Paillier, Pascal (May 2000). Preneel, Bart (ed.). New Attacks on PKCS#1 v1.5 Encryption. Advances in Cryptology – EUROCRYPT 2000. Lecture Notes in Computer Science. Vol. 1807. Bruges, Belgium: Springer. pp. 369–381. doi: 10.1007/3-540-45539-6_25 . ISBN   978-3-540-67517-4.
  19. 1 2 Shoup, Victor (2001), A Proposal for an ISO Standard for Public Key Encryption (version 2.1), Cryptology ePrint Archive, International Association for Cryptologic Research
  20. 1 2 Galbraith, Steven (2012). "§20.3: Textbook Elgamal encryption". Mathematics of Public-Key Cryptography. Cambridge University Press. pp. 471–478. ISBN   978-1-107-01392-6.
  21. Elgamal, Taher (August 1984). Blakley, George Robert; Chaum, David (eds.). A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. Advances in Cryptology – CRYPTO 1984. Lecture Notes in Computer Science. Vol. 196. Santa Barbara, CA, United States: Springer. pp. 10–18. doi: 10.1007/3-540-39568-7_2 . ISBN   978-3-540-15658-1.
  22. Koblitz, Neal (January 1987). "Elliptic Curve Cryptosystems" (PDF). Mathematics of Computation. 48 (177). American Mathematical Society: 203–209. doi: 10.1090/S0025-5718-1987-0866109-5 .