A Designer's Guide to KEMs

A generic or KEM-DEM hybrid construction is a formal method for combining asymmetric and symmetric encryption techniques to give an efficient, provably secure public-key encryption scheme. This method combines an asymmetric key encapsulation mechanism (KEM) with a symmetric data encapsulation mechanism (DEM). A KEM is a probabilistic algorithm that produces a random symmetric key together with an encapsulation of that key: a public-key ciphertext from which the holder of the private key, and nobody else, can recover the same key. A DEM is a deterministic algorithm that takes a message and a symmetric key and encrypts the message under that key. Each of these components must satisfy its own security conditions if the overall scheme is to be secure. In this paper we describe generic constructions for provably secure KEMs based on weak encryption algorithms. We analyse the two most popular techniques for constructing a KEM and note that they are either overly complex or based on needlessly strong assumptions about the security of the underlying trapdoor function. Hence we propose two new, simple methods for constructing a KEM where the security of the KEM is based on weak assumptions about the underlying function. Lastly we propose a new KEM based on the Rabin function that is both efficient and secure, and is the first KEM to be proposed whose security depends upon the intractability of factoring.
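The KEM-DEM construction described above, as an added worked example in Python (this is not code from the paper, and the KEM it uses is the hashed RSA-KEM from Shoup's ISO proposal rather than one of the paper's new constructions). All function names, the 1024-bit toy key size, the KDF label string and the sample plaintext are this example's own choices; the DEM is a deterministic encrypt-then-MAC scheme built only from HMAC-SHA256 so the whole thing runs on the standard library.

```python
# Added example: KEM-DEM hybrid public-key encryption (not the paper's code).
# KEM: RSA-KEM, r <- [0, n), C1 = r^e mod n, K = KDF(r)  (hashed RSA, Shoup's ISO proposal)
# DEM: deterministic encrypt-then-MAC from HMAC-SHA256. Standard library only.
import hashlib
import hmac
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with a trial-division prefilter (example helper)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)   # random witness in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1    # exact bit length, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024):
    """Return (pk, sk) = ((n, e), (n, d)). 1024 bits is a toy size chosen for speed."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:       # e is prime, so phi % e != 0 means gcd(e, phi) = 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _kdf(r, n):
    """64-byte DEM key from the KEM secret r, encoded at modulus length (assumed KDF)."""
    length = (n.bit_length() + 7) // 8
    return hashlib.sha512(b"RSA-KEM-example" + r.to_bytes(length, "big")).digest()


def kem_encaps(pk):
    """Probabilistic: fresh r each call. Returns (K, C1)."""
    n, e = pk
    r = secrets.randbelow(n)
    return _kdf(r, n), pow(r, e, n)


def kem_decaps(sk, C1):
    n, d = sk
    if not 0 <= C1 < n:
        raise ValueError("encapsulation out of range")
    return _kdf(pow(C1, d, n), n)


def _keystream(key, nbytes):
    """HMAC-SHA256 in counter mode; fully determined by the key."""
    blocks = [hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((nbytes + 31) // 32)]
    return b"".join(blocks)[:nbytes]


def dem_encrypt(K, m):
    """Deterministic DEM: XOR with the keystream, then MAC the ciphertext."""
    k_enc, k_mac = K[:32], K[32:]
    c = bytes(a ^ b for a, b in zip(m, _keystream(k_enc, len(m))))
    return c + hmac.new(k_mac, c, hashlib.sha256).digest()


def dem_decrypt(K, ct):
    """Return the plaintext, or None when the tag does not verify."""
    if len(ct) < 32:
        return None
    k_enc, k_mac = K[:32], K[32:]
    c, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, c, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(c, _keystream(k_enc, len(c))))


def hybrid_encrypt(pk, m):
    K, C1 = kem_encaps(pk)
    return C1, dem_encrypt(K, m)


def hybrid_decrypt(sk, C1, C2):
    return dem_decrypt(kem_decaps(sk, C1), C2)


def tamper_is_rejected(pk, sk, m=b"constructed sample plaintext"):
    """Malleate each component; both tampered ciphertexts must decrypt to None."""
    C1, C2 = hybrid_encrypt(pk, m)
    n, e = pk
    # Textbook RSA is malleable: C1 * 2^e decrypts to 2r. The KDF maps 2r to an
    # unrelated DEM key, so the MAC on C2 fails instead of leaking a related key.
    C1_mal = (C1 * pow(2, e, n)) % n
    C2_flip = bytes([C2[0] ^ 0x01]) + C2[1:]
    return (hybrid_decrypt(sk, C1_mal, C2) is None
            and hybrid_decrypt(sk, C1, C2_flip) is None
            and hybrid_decrypt(sk, C1, C2) == m)
```

Two of the abstract's points are visible directly in the code: the KEM is probabilistic (two calls to `kem_encaps` on the same public key return different `C1`), while the DEM is deterministic (`dem_encrypt` on the same key and message always yields the same bytes). `tamper_is_rejected` shows why the hash in the KEM matters: the RSA trapdoor on its own is malleable, but passing the recovered value through a KDF means the KEM can be argued secure from one-wayness of the trapdoor alone (modelling the KDF as a random oracle), which is the kind of weak assumption the paper is after.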
