Key encapsulation mechanism

In cryptography, a key encapsulation mechanism, or KEM, is a public-key cryptosystem that allows a sender to generate a short secret key and transmit it to a receiver securely, in spite of eavesdropping and intercepting adversaries.^[1]^[2]^[3]

A KEM allows a sender who knows a public key to simultaneously generate a short random secret key and an encapsulation or ciphertext of the secret key by the KEM's encapsulation algorithm. The receiver who knows the private key corresponding to the public key can recover the same random secret key from the encapsulation by the KEM's decapsulation algorithm. The security goal of a KEM is to prevent anyone who doesn't know the private key from recovering any information about the encapsulated secret keys, even after eavesdropping or submitting other encapsulations to the receiver to study how the receiver reacts.^[4]

Difference from public-key encryption

The difference between a public-key encryption scheme and a KEM is that a public-key encryption scheme allows a sender to choose an arbitrary message from some space of possible messages, while a KEM chooses a short secret key at random for the sender.^[1]^[2]^[4]

The sender may take the random secret key produced by a KEM and use it as a symmetric key for an authenticated cipher whose ciphertext is sent alongside the encapsulation to the receiver. This approach serves to compose a public-key encryption scheme out of a KEM and a symmetric-key authenticated cipher in a hybrid cryptosystem.^[1]^[2]^[4]

Although a public-key encryption scheme can conversely also be converted to a KEM by choosing a random key and encrypting it, it is easier to design a secure KEM than to design a secure public-key encryption scheme as a foundation, so most modern public-key encryption schemes are designed out of KEMs rather than the other way around.^[5]^[6]

Example using RSA encryption

Using the same notation employed in the RSA article, say Alice has transmitted her public key (n, e) to Bob, while keeping her private key secret, as usual. Bob then wishes to send symmetric key M to Alice. M might be a 128- or 256-bit AES key (suitably padded for security reasons), for example. The key modulus n is typically 2048 bits or more in length, thus much larger than typical symmetric keys. Without suitable padding, if e is small enough that M^e < n, then the encryption can be quickly broken using ordinary integer arithmetic.^[7]

To avoid such potential weakness, Bob first maps M to a larger integer m, where 1 < m < n, by using an agreed-upon reversible protocol known as a padding scheme, such as OAEP. He then computes the ciphertext c corresponding to:

c\equiv m^{e}{\pmod {n}}.

Alice can recover m from c by using her private key exponent d by the following computation:

m\equiv c^{d}{\pmod {n}}.

Given m, she recovers the original key M by reversing the padding scheme.

With KEM the process is simplified as follows:^[8]

Instead of generating a random symmetric key M, Bob first generates a random m with 1 < m < n. He derives his symmetric key M by M = KDF(m), where KDF is a key derivation function, such as a cryptographic hash. He then computes the ciphertext c corresponding to m:

c\equiv m^{e}{\pmod {n}}.

Alice then recovers m from c by using her private key exponent d by the same method as above:

m\equiv c^{d}{\pmod {n}}.

Given m, she can recover the symmetric key M by M = KDF(m).

The KEM eliminates the complexity of the padding scheme and the proofs needed to show that the padding is secure.^[9] Note that while M can be calculated from m in the KEM approach, the reverse is not possible, assuming the key derivation function is a secure one-way function. An attacker who somehow recovers M cannot get the plaintext m. With the padding approach, he can. Thus KEM is said to encapsulate the key.

Note that if the same m is used to encapsulate keys for e or more recipients, and the receivers share the same exponent e, but different p, q and n, then one can recover m via the Chinese remainder theorem. Thus, if key encapsulations for several recipients need to be computed, independent values m should be used.

Earlier versions of Transport Layer Security used RSA for key exchange, before they were deprecated in favour of the more efficient elliptic-curve cryptography.^[10]

Similar techniques are available for Diffie–Hellman key exchange and other public key methods.^[11]

References

^ ^a ^b ^c Galbraith, Steven (2012). "23.1.1 The KEM/DEM paradigm". Mathematics of Public-Key Cryptography. pp. 471–478. ISBN 978-1-107-01392-6.
^ ^a ^b ^c Shoup, Victor (May 2000). Preneel, Bart (ed.). Using Hash Functions as a Hedge against Chosen Ciphertext Attack. Advances in Cryptology – EUROCRYPT 2000. Lecture Notes in Computer Science. Vol. 1807. Bruges, Belgium: Springer. pp. 275–288. doi:10.1007/3-540-45539-6_19. ISBN 978-3-540-67517-4.
^ FIPS 203 (Draft): Module-Lattice-Based Key-Encapsulation Mechanism Standard (PDF), NIST, 2023-08-24, doi:10.6028/NIST.FIPS.203.ipd
^ ^a ^b ^c Cramer, Ronald; Shoup, Victor (2003). "Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack". SIAM Journal on Computing. 33 (1): 167–226. doi:10.1137/S0097539702403773.
^ "Post-Quantum Cryptography: FAQs". NIST. 2024-07-19. Archived from the original on 2024-06-26. Retrieved 2024-07-20.
^ Barnes, R.; Bhargavan, K.; Lipp, B.; Wood, C. (February 2022). Hybrid Public Key Encryption. IETF. doi:10.17487/RFC9180. RFC 9180.
^ RSA (algorithm) § Attacks against plain RSA
^ Key Encapsulation: A New Scheme for Public-Key Encryption XML Security Working Group F2F, May 2009
^ An OAEP Variant With a Tight Security Proof – Draft 1.0, Jakob Jonsson, 2002
^ Sullivan, Nick (10 Aug 2018). "A Detailed Look at RFC 8446 (a.k.a. TLS 1.3)". Cloudflare. Archived from the original on 15 Aug 2018.
^ PSEC-KEM for ECC

Difference from public-key encryption

Example using RSA encryption

References

See also