Key encapsulation mechanism

In cryptography, a key encapsulation mechanism, or KEM, is a public-key cryptosystem that allows a sender to generate a short secret key and transmit it to a receiver securely, in spite of eavesdropping and intercepting adversaries.^[1]^[2]^[3]^[4]

A KEM allows a sender who knows a public key to simultaneously generate a short random secret key and an encapsulation or ciphertext of the secret key by the KEM's encapsulation algorithm. The receiver who knows the private key corresponding to the public key can recover the same random secret key from the encapsulation by the KEM's decapsulation algorithm.^[1]^[2]^[3]

The security goal of a KEM is to prevent anyone who doesn't know the private key from recovering any information about the encapsulated secret keys, even after eavesdropping or submitting other encapsulations to the receiver to study how the receiver reacts.^[1]^[2]^[3]

Difference from public-key encryption

The difference between a public-key encryption scheme and a KEM is that a public-key encryption scheme allows a sender to choose an arbitrary message from some space of possible messages, while a KEM chooses a short secret key at random for the sender.^[1]^[2]^[3]

The sender may take the random secret key produced by a KEM and use it as a symmetric key for an authenticated cipher whose ciphertext is sent alongside the encapsulation to the receiver. This serves to compose a public-key encryption scheme out of a KEM and a symmetric-key authenticated cipher in a hybrid cryptosystem.^[1]^[2]^[3]^[5]

Most public-key encryption schemes such as RSAES-PKCS1-v1_5, RSAES-OAEP, and Elgamal encryption are limited to small messages^[6]^[7] and are almost always used to encrypt a short random secret key in a hybrid cryptosystem anyway.^[8]^[9]^[5] And although a public-key encryption scheme can conversely be converted to a KEM by choosing a random secret key and encrypting it as a message, it is easier to design and analyze a secure KEM than to design a secure public-key encryption scheme as a basis. So most modern public-key encryption schemes are based on KEMs rather than the other way around.^[10]^[5]

Definition

Syntax

A KEM consists of three algorithms:^[1]^[2]^[3]^[11]^[12]

Key generation, $({\mathit {pk}},{\mathit {sk}}):=\operatorname {Gen} ()$ , takes no inputs and returns a pair of a public key ${\mathit {pk}}$ and a private key ${\mathit {sk}}$ .
Encapsulation, $(k,c):=\operatorname {Encap} ({\mathit {pk}})$ , takes a public key ${\mathit {pk}}$ , randomly chooses a secret key $k$ , and returns $k$ along with its encapsulation $c$ .
Decapsulation, $k':=\operatorname {Decap} ({\mathit {sk}},c')$ , takes a private key ${\mathit {sk}}$ and an encapsulation $c'$ , and either returns an encapsulated secret key $k'$ or fails, sometimes denoted by returning $\bot$ .

Correctness

A KEM is correct if, for any key pair $({\mathit {pk}},{\mathit {sk}})$ generated by $\operatorname {KeyGen}$ , decapsulating an encapsulation $c$ returned by $(k,c):=\operatorname {Encap} ({\mathit {pk}})$ with high probability yields the same key $k$ , that is, $\operatorname {Decap} ({\mathit {sk}},c)=k$ .^[2]^[3]^[11]^[12]

Security: IND-CCA

Security of a KEM is quantified by its indistinguishability against chosen-ciphertext attack, IND-CCA, which is loosely how much better an adversary can do than a coin toss to tell whether, given a random key and an encapsulation, the key is encapsulated by that encapsulation or is an independent random key.^[2]^[3]^[11]^[12]

Specifically, in the IND-CCA game:

The key generation algorithm is run to generate $({\mathit {pk}},{\mathit {sk}}):=\operatorname {Gen} ()$ .
${\mathit {pk}}$ is revealed to the adversary.
The adversary can query $\operatorname {Decap} ({\mathit {sk}},c')$ for arbitrary encapsulations $c'$ of the adversary's choice.
The encapsulation algorithm is run to randomly generate a secret key and encapsulation $(k_{0},c):=\operatorname {Encap} ({\mathit {pk}})$ , and another secret key $k_{1}$ is generated independently at random.
A fair coin is tossed, giving an outcome $b\in \{0,1\}$ .
The pair $(k_{b},c)$ is revealed to the adversary.
The adversary can again query $\operatorname {Decap} ({\mathit {sk}},c')$ for arbitrary encapsulations $c'$ of the adversary's choice, except for $c$ .
The adversary returns a guess $b'\in \{0,1\}$ , and wins the game if $b=b'$ .

The IND-CCA advantage of the adversary is $\left|\Pr[b'=b]-1/2\right|$ , that is, the probability beyond a fair coin toss at correctly distinguishing an encapsulated key from an independently randomly chosen key.

Examples and motivation

RSA

Traditional RSA encryption, with $t$ -bit moduli and exponent $e$ , is defined as follows:^[13]

Key generation, $({\mathit {pk}},{\mathit {sk}}):=\operatorname {Gen} ()$ : Generate a $t$ -bit semiprime $2^{t-1}<n<2^{t}$ at random with $\gcd(e,\lambda (n))=1$ , compute $d=e^{-1}{\bmod {\lambda }}(n)$ (where $\lambda (n)$ is the Carmichael function), return ${\mathit {pk}}:=n$ as the public key, and return ${\mathit {sk}}:=(n,d)$ as the private key. (Many variations on key generation algorithms and private key formats are available.^[14])
Encryption of $(t-1)$ -bit message $m$ to public key ${\mathit {pk}}=n$ , giving $c:=\operatorname {Encrypt} ({\mathit {pk}},m)$ : Compute $c:=m^{e}{\bmod {n}}$ .
Decryption of ciphertext $c'$ with private key ${\mathit {sk}}=(n,d)$ , giving $m':=\operatorname {Decrypt} ({\mathit {sk}},c')$ : Return $m':=(c')^{d}{\bmod {n}}$ .

This naive approach is totally insecure. For example, since it is nonrandomized, it cannot be secure against even chosen-plaintext attack. Even if $m$ is always a random secret key, such as a 256-bit AES key, when $e$ is chosen to optimize efficiency as $e=3$ , the message $m$ can be computed from the ciphertext $c$ simply by taking real number cube roots, and there are many other attacks against plain RSA. Various randomized padding schemes such as RSAES-PKCS1-v1_5 and RSAES-OAEP have been devised in attempts—sometimes failed, like RSAES-PKCS1-v1_5^[15]^[16]—to make it secure for arbitrary short messages $m$ .

Since the message $m$ is almost always a short secret key for a symmetric-key authenticated ciphers used to encrypt an arbitrary bit string message, a simpler approach called RSA-KEM is to choose an element of $\mathbb {Z} /n\mathbb {Z}$ at random and use that to derive a secret key using a key derivation function $H$ , roughly as follows:^[17]

Key generation: As above.
Encapsulation for a public key ${\mathit {pk}}=n$ , giving $(k,c):=\operatorname {Encap} ({\mathit {pk}})$ : Choose $r\in \mathbb {Z} /n\mathbb {Z}$ uniformly at random, compute $k=H(r)$ and $c:=r^{e}{\bmod {n}}$ , and return $(k,c)$ with $c$ as the encapsulation of the secret key $k$ .
Decapsulation of $c'$ with private key ${\mathit {sk}}=(n,d)$ , giving $m':=\operatorname {Decap} ({\mathit {sk}},c')$ : Compute $r':=(c')^{d}{\bmod {n}}$ and return $k:=H(r')$ .

This approach is simpler to implement, and provides a tighter reduction to the RSA problem, than padding schemes like RSAES-OAEP.^[17]

Elgamal

Traditional Elgamal encryption is defined over a multiplicative subgroup of the finite field $\mathbb {Z} /p\mathbb {Z}$ with generator $g$ of order $q$ as follows:^[18]

Key generation, $\operatorname {Gen} ()$ : Choose $x\in \mathbb {Z} /q\mathbb {Z}$ uniformly at random, and return ${\mathit {sk}}:=x$ as the private key and ${\mathit {pk}}:=y:=g^{x}{\bmod {p}}$ as the public key.
Encryption of a message $m\in \mathbb {Z} /p\mathbb {Z}$ to public key ${\mathit {pk}}$ , giving $\operatorname {Encrypt} ({\mathit {pk}},m)$ : Choose $r\in \mathbb {Z} /q\mathbb {Z}$ uniformly at random, compute ${\begin{aligned}t&:=y^{r}{\bmod {p}}\\c_{1}&:=g^{r}{\bmod {p}}\\c_{2}&:=(t\cdot m){\bmod {p}},\end{aligned}}$ and return the ciphertext $c:=(c_{1},c_{2})$ .
Decryption of a ciphertext $c'=(c'_{1},c'_{2})$ for a private key ${\mathit {sk}}=x$ , giving $\operatorname {Decrypt} ({\mathit {sk}},c')$ : Compute $t':=(c'_{1})^{x}{\bmod {p}}$ and return $m':=(t^{-1}c'_{2}){\bmod {p}}$ .

Although this meets the syntax of a public-key encryption scheme, restricted to messages in the space $\mathbb {Z} /p\mathbb {Z}$ (which limits it to message of a few hundred bytes for typical values of $p$ ), it fails to achieve indistinguishability against chosen ciphertext attack. For example, an adversary knowing a ciphertext $c=(c_{1},c_{2})$ for a (possibly unknown) message $m$ can easily predict the ciphertext $c'=(c'_{1},c'_{2})$ for the related message $m'=2m{\bmod {p}}$ , by the relation $c'_{2}=c_{2}{\bmod {p}}$ .

Since the message $m$ is almost always a short secret key for a symmetric-key authenticated cipher used to encrypt an arbitrary bit string message, a simpler approach is to derive the secret key from $t$ and dispense with $m$ and $c_{2}$ altogether, as a KEM, using a key derivation function $H$ :

Key generation: As above.
Encapsulation for a public key ${\mathit {pk}}=y$ , giving $(k,c):=\operatorname {Encap} ({\mathit {pk}})$ : Choose $r\in \mathbb {Z} /q\mathbb {Z}$ uniformly at random, compute ${\begin{aligned}t&:=y^{r}{\bmod {p}}\\k&:=H(t)\\c&:=g^{r}{\bmod {p}},\end{aligned}}$ and return $(k,c)$ with $c$ as the encapsulation of the secret key $k$ .
Decapsulation of $c'$ with private key ${\mathit {sk}}=x$ , giving $k':=\operatorname {Decap} ({\mathit {sk}},c')$ : Compute $t':=(c')^{x}{\bmod {p}}$ and return $k':=H(t')$ .

When combined with an authenticated cipher to encrypt arbitrary bit string messages, this KEM is essentially a subroutine of the Integrated Encryption Scheme.

References

^ ^a ^b ^c ^d ^e ^f Galbraith, Steven (2012). "§23.1.1: The KEM/DEM paradigm". Mathematics of Public-Key Cryptography. Cambridge University Press. pp. 471–478. ISBN 978-1-107-01392-6.
^ ^a ^b ^c ^d ^e ^f ^g ^h Shoup, Victor (May 2000). Preneel, Bart (ed.). Using Hash Functions as a Hedge against Chosen Ciphertext Attack. Advances in Cryptology – EUROCRYPT 2000. Lecture Notes in Computer Science. Vol. 1807. Bruges, Belgium: Springer. pp. 275–288. doi:10.1007/3-540-45539-6_19. ISBN 978-3-540-67517-4.
^ ^a ^b ^c ^d ^e ^f ^g ^h Cramer, Ronald; Shoup, Victor (2003). "Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack". SIAM Journal on Computing. 33 (1): 167–226. doi:10.1137/S0097539702403773.
^ FIPS 203 (Draft): Module-Lattice-Based Key-Encapsulation Mechanism Standard (PDF), National Institute of Standards and Technology, 2023-08-24, doi:10.6028/NIST.FIPS.203.ipd
^ ^a ^b ^c Barnes, R.; Bhargavan, K.; Lipp, B.; Wood, C. (February 2022). Hybrid Public Key Encryption. Internet Engineering Task Force. doi:10.17487/RFC9180. RFC 9180.
^ Kaliski, B.; Jonsson, J.; Rusch, A. (November 2016). Moriarity, K. (ed.). PKCS #1: RSA Cryptography Specifications Version 2.2. Internet Engineering Task Force. doi:10.17487/RFC8017. RFC 8017.
^ Menezes, Alfred J.; van Oorschot, Paul C.; Vanstone, Scott A. (October 1996). "8. Public-Key Encryption". Handbook of Applied Cryptography (PDF). CRC Press. pp. 283–319. ISBN 0-8493-8523-7.
^ Ferguson, Niels; Kohno, Tadayoshi; Schneier, Bruce (2010). "12. RSA". Cryptography Engineering. Wiley. p. 206. ISBN 978-0-470-47424-2.
^ Callas, J.; Donnerhacke, L.; Finney, H.; Shaw, D.; Thayer, R. (November 2007). OpenPGP Message Format. Internet Engineering Task Force. doi:10.17487/RFC4880. RFC 4880.
^ "Post-Quantum Cryptography: FAQs". National Institute of Standards and Technology. 2024-07-19. Archived from the original on 2024-06-26. Retrieved 2024-07-20.
^ ^a ^b ^c Dent, Alexander W. (2002), A Designer’s Guide to KEMs, Cryptology ePrint Archive, International Association for Cryptologic Research
^ ^a ^b ^c Hofheinz, Dennis; Hövelmanns, Kathrin; Kiltz, Eike (November 2017). Kalai, Yael; Reyzin, Leonid (eds.). A Modular Analysis of the Fujisaki-Okamoto Transformation. Theory of Cryptography – TCC 2017. Lecture Notes in Computer Science. Vol. 10677. Baltimore, MD, United States: Springer. pp. 341–371. doi:10.1007/978-3-319-70500-2_12. ISBN 978-3-319-70499-9.
^ Rivest, R.L.; Shamir, A.; Adleman, L. (1978-02-01). "A method for obtaining digital signatures and public-key cryptosystems" (PDF). Communications of the ACM. 21 (2). Association for Computer Machinery: 120–126. doi:10.1145/359340.359342.
^ Švenda, Petr; Nemec, Matúš; Sekan, Peter; Kvašňovský, Rudolf; Formánek, David; Komárek, David; Matyáš, Vashek (August 2016). The Million-Key Question—Investigating the Origins of RSA Public Keys. 25th USENIX Security Symposium. Austin, TX, United States: USENIX Association. pp. 893–910. ISBN 978-1-931971-32-4.
^ Bleichenbacher, Daniel (August 1998). Krawczyk, Hugo (ed.). Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. Advances in Cryptology – CRYPTO '98. Lecture Notes in Computer Science. Vol. 1462. Santa Barbara, CA, United States: Springer. pp. 1–12. doi:10.1007/BFb0055716. ISBN 978-3-540-64892-5.
^ Coron, Jean-Sébastien; Joye, Marc; Naccache, David; Paillier, Pascal (May 2000). Preneel, Bart (ed.). New Attacks on PKCS#1 v1.5 Encryption. Advances in Cryptology – EUROCRYPT 2000. Lecture Notes in Computer Science. Vol. 1807. Bruges, Belgium: Springer. pp. 369–381. doi:10.1007/3-540-45539-6_25. ISBN 978-3-540-67517-4.
^ ^a ^b Shoup, Victor (2001), A Proposal for an ISO Standard for Public Key Encryption (version 2.1), Cryptology ePrint Archive, International Association for Cryptologic Research
^ Elgamal, Taher (August 1984). Blakley, George Robert; Chaum, David (eds.). A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. Advances in Cryptology – CRYPTO 1984. Lecture Notes in Computer Science. Vol. 196. Santa Barbara, CA, United States: Springer. pp. 10–18. doi:10.1007/3-540-39568-7_2. ISBN 978-3-540-15658-1.