
A Study of KEM Generalizations

  • Conference paper
  • Security Standardisation Research (SSR 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13895)

Abstract

In its recent competition on quantum-resilient confidentiality primitives, NIST requested the submission of KEMs exclusively. The task of a KEM is to establish secure session keys that can drive, amongst others, public key encryption and TLS-like secure channels. In this work we test the KEM abstraction in the context of constructing cryptographic schemes that fall outside the PKE and secure-channel categories. We find that, when used to construct a key transport scheme or when used within a secure combiner, the KEM abstraction imposes certain inconvenient limits, and overcoming them requires the addition of auxiliary symmetric primitives.

We hence investigate generalizations of the KEM abstraction that allow a considerably simplified construction of the above primitives. In particular, we study VKEMs and KDFEMs, which augment classic KEMs with label inputs, encapsulation handle outputs, and key derivation features, and we demonstrate that they can be transformed into KEM combiners and key transport schemes without requiring auxiliary components. We finally show that all four finalist KEMs of the NIST competition are effectively KDFEMs. Our conclusion is that only very mild adjustments are necessary to significantly increase their versatility.

The full version of this article can be found at https://ia.cr/2023/272.


Notes

  1. Firstly, agreeing on an auxiliary component will likely require dedicated standardization efforts. Secondly, side-channel resilient implementations of cryptographic algorithms require knowledge of the target machine and hence, in the worst case, one dedicated implementation per computing architecture.

  2. For instance, the nonce handling of most AES-based AE/AEAD schemes requires one additional block cipher invocation.

  3. https://datatracker.ietf.org/doc/draft-ounsworth-cfrg-kem-combiners/.

  4. It might be tempting to additionally require that \(c' = c \implies \mathit{hd}' = \mathit{hd}\). However, as no part of our article logically depends on such a property, we abstain from formally demanding it.

  5. Analogously to Footnote 4, it might be tempting to additionally require \(c_1' = c_1 \implies \mathit{hd}_1' = \mathit{hd}_1\) and \((c_1', c_2') = (c_1, c_2) \implies \mathit{hd}_2' = \mathit{hd}_2\). However, as no part of our article logically depends on such a property, we once more abstain from formally demanding it.

  6. This notion of session id has nothing to do with the one used in the key exchange literature and mentioned in Sect. 1.1. In the context of Fig. 5, session ids are not visible to any protocol algorithm. Their function is exclusively to make sessions individually addressable by the adversary.

  7. Analogously to Footnotes 4 and 5, it might be tempting to additionally require that \(c' = c \implies \mathit{hd}' = \mathit{hd}\). However, as no part of our article logically depends on such a property, we once more abstain from formally demanding it.

  8. Analogously to Footnotes 4 and 5, it might be tempting to additionally require that \(c' = c \implies \mathit{hd}' = \mathit{hd}\). However, as no part of our article logically depends on such a property, we once more abstain from formally demanding it.

  9. CRYSTALS-Kyber was selected as a winner by NIST on July 5, 2022.

References

  1. Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process. Technical report, NIST (2016). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf

  2. CYBER; Quantum-safe Hybrid Key Exchanges. Technical Specification TS 103 744, ETSI (2020). https://www.etsi.org/deliver/etsi_ts/103700_103799/103744/01.01.01_60/ts_103744v010101p.pdf

  3. Abe, M., Gennaro, R., Kurosawa, K., Shoup, V.: Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 128–146. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_8


  4. Albrecht, M.R., et al.: Classic McEliece. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions

  5. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41


  6. Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_11


  7. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21


  8. Bindel, N., Brendel, J., Fischlin, M., Goncalves, B., Stebila, D.: Hybrid key encapsulation mechanisms and authenticated key exchange. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 206–226. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_12


  9. Callas, J., Donnerhacke, L., Finney, H., Shaw, D., Thayer, R.: OpenPGP message format. RFC 4880, RFC Editor (2007). https://doi.org/10.17487/RFC4880, https://www.rfc-editor.org/info/rfc4880

  10. Chen, C., et al.: NTRU. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions

  11. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)


  12. D’Anvers, J.P., et al.: SABER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions

  13. Dodis, Y., Katz, J.: Chosen-ciphertext security of multiple encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 188–209. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_11


  14. Duman, J., Hövelmanns, K., Kiltz, E., Lyubashevsky, V., Seiler, G.: Faster lattice-based KEMs via a generic Fujisaki-Okamoto transform using prefix hashing. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 2722–2737. ACM Press (2021). https://doi.org/10.1145/3460120.3484819

  15. Giacon, F., Heuer, F., Poettering, B.: KEM combiners. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 190–218. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_7


  16. Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34


  17. Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011). https://doi.org/10.1007/s00145-010-9073-y


  18. McGrew, D.: An interface and algorithms for authenticated encryption. RFC 5116, RFC Editor (2008). https://doi.org/10.17487/RFC5116, https://www.rfc-editor.org/info/rfc5116

  19. Pinto, A., Poettering, B., Schuldt, J.C.N.: Multi-recipient encryption, revisited. In: Moriai, S., Jaeger, T., Sakurai, K. (eds.) ASIACCS 2014, pp. 229–238. ACM Press (2014)


  20. Poettering, B., Rastikian, S.: A study of KEM generalizations. Cryptology ePrint Archive, Paper 2023/272 (2023). https://eprint.iacr.org/2023/272

  21. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, pp. 98–107. ACM Press (2002). https://doi.org/10.1145/586110.586125

  22. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_22


  23. Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions

  24. Shoup, V.: A proposal for an ISO standard for public key encryption. Technical report, Version 2.1, IBM Zurich Research Lab (2001). https://www.shoup.net/papers/iso-2_1.pdf

  25. Zhang, R., Hanaoka, G., Shikata, J., Imai, H.: On the security of multiple encryption or CCA-security+CCA-security=CCA-security? In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 360–374. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_26



Acknowledgment

Many valuable comments of anonymous SSR'23 reviewers helped improve this article. This research was partially funded by armasuisse Science and Technology (Project Nr. CYD-C-2020010).

Author information

Corresponding author: Simon Rastikian.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Poettering, B., Rastikian, S. (2023). A Study of KEM Generalizations. In: Günther, F., Hesse, J. (eds) Security Standardisation Research. SSR 2023. Lecture Notes in Computer Science, vol 13895. Springer, Cham. https://doi.org/10.1007/978-3-031-30731-7_3


  • DOI: https://doi.org/10.1007/978-3-031-30731-7_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30730-0

  • Online ISBN: 978-3-031-30731-7

  • eBook Packages: Computer Science (R0)
