Abstract
NIST, in its recent competition on quantum-resilient confidentiality primitives, requested the submission of KEMs exclusively. The task of a KEM is to establish secure session keys that can drive, amongst others, public key encryption and TLS-like secure channels. In this work we test the KEM abstraction in the context of constructing cryptographic schemes that are not subsumed by the PKE and secure-channel categories. We find that, when used to construct a key transport scheme or when used within a secure combiner, the KEM abstraction imposes certain inconvenient limits, and overcoming them requires the addition of auxiliary symmetric primitives.
We hence investigate generalizations of the KEM abstraction that allow a considerably simplified construction of the above primitives. In particular, we study VKEMs and KDFEMs, which augment classic KEMs by label inputs, encapsulation handle outputs, and key derivation features, and we demonstrate that they can be transformed into KEM combiners and key transport schemes without requiring auxiliary components. We finally show that all four finalist KEMs of the NIST competition are effectively KDFEMs. Our conclusion is that only very mild adjustments are necessary to significantly increase their versatility.
The full version of this article can be found at https://ia.cr/2023/272.
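The trade-off the abstract describes, as an added Python illustration that is not code from the paper: a toy KEM on the classic Encaps/Decaps interface, a combiner over two of them that needs an auxiliary hash to bind both ciphertexts (the approach of the cited Giacon, Heuer and Poettering combiner work), and a sketch of a KDFEM-style interface (label input, handle output, a derive step) on which the combiner needs nothing beyond the primitive's own operations. The interface shape, the 2^127-1 group, the tag strings and the XOR-of-derived-keys combiner are all assumptions of this example, not the paper's definitions, and the sketch makes no security claim beyond what its self-check exercises.

```python
import hashlib
import hmac
import secrets

# Toy hashed-ElGamal KEM over the Mersenne prime 2^127-1 with base 3.  Added
# illustration, not code from the paper; the parameters are far too small to be
# secure and only give the classic interface Encaps(pk) -> (c, k), Decaps(sk, c) -> k
# something concrete to run on.
P = (1 << 127) - 1
G = 3

def _i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")  # every group element fits in 16 bytes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk

def kem_encaps(pk: int):
    r = secrets.randbelow(P - 2) + 1
    c = pow(G, r, P)
    # both parties hash the ciphertext together with the DH value g^(r*sk)
    return c, hashlib.sha256(b"toy-kem" + _i2b(c) + _i2b(pow(pk, r, P))).digest()

def kem_decaps(sk: int, c: int) -> bytes:
    return hashlib.sha256(b"toy-kem" + _i2b(c) + _i2b(pow(c, sk, P))).digest()

# (1) Combiner on the classic interface.  XORing k1 and k2 is not enough for CCA
# security: the combined key must also be bound to both ciphertexts, which pulls in
# an auxiliary symmetric primitive (here SHA-256 treated as a random oracle).
def classic_combine(k1: bytes, k2: bytes, c1: int, c2: int) -> bytes:
    return hashlib.sha256(b"combiner" + k1 + k2 + _i2b(c1) + _i2b(c2)).digest()

def classic_combiner_encaps(pk1: int, pk2: int):
    c1, k1 = kem_encaps(pk1)
    c2, k2 = kem_encaps(pk2)
    return (c1, c2), classic_combine(k1, k2, c1, c2)

def classic_combiner_decaps(sk1: int, sk2: int, ct) -> bytes:
    c1, c2 = ct
    return classic_combine(kem_decaps(sk1, c1), kem_decaps(sk2, c2), c1, c2)

# (2) KDFEM-style interface as assumed for this sketch (not the paper's formal
# definition): encapsulation takes a label and returns an opaque handle hd instead
# of a key; keys are derived from hd under a caller-chosen context.  The hashing
# and derivation now sit inside the primitive.
def kdfem_encaps(pk: int, label: bytes):
    r = secrets.randbelow(P - 2) + 1
    c = pow(G, r, P)
    hd = hashlib.sha256(b"toy-kdfem" + label + _i2b(c) + _i2b(pow(pk, r, P))).digest()
    return c, hd

def kdfem_decaps(sk: int, c: int, label: bytes) -> bytes:
    return hashlib.sha256(b"toy-kdfem" + label + _i2b(c) + _i2b(pow(c, sk, P))).digest()

def kdfem_derive(hd: bytes, context: bytes) -> bytes:
    return hmac.new(hd, context, hashlib.sha256).digest()

# Combiner written only in the primitive's own operations: each handle is asked for
# a key under the other ciphertext as context, and the two keys are XORed.
def kdfem_combiner_encaps(pk1: int, pk2: int, label: bytes):
    c1, hd1 = kdfem_encaps(pk1, label)
    c2, hd2 = kdfem_encaps(pk2, label)
    return (c1, c2), _xor(kdfem_derive(hd1, _i2b(c2)), kdfem_derive(hd2, _i2b(c1)))

def kdfem_combiner_decaps(sk1: int, sk2: int, ct, label: bytes) -> bytes:
    c1, c2 = ct
    hd1 = kdfem_decaps(sk1, c1, label)
    hd2 = kdfem_decaps(sk2, c2, label)
    return _xor(kdfem_derive(hd1, _i2b(c2)), kdfem_derive(hd2, _i2b(c1)))

def selfcheck() -> bool:
    """Round trips succeed; a ciphertext swapped in from another session or a
    different label yields a different key."""
    pk1, sk1 = kem_keygen()
    pk2, sk2 = kem_keygen()
    ct, key = classic_combiner_encaps(pk1, pk2)
    other, _ = classic_combiner_encaps(pk1, pk2)
    ok = classic_combiner_decaps(sk1, sk2, ct) == key
    ok &= classic_combiner_decaps(sk1, sk2, (ct[0], other[1])) != key
    ct, key = kdfem_combiner_encaps(pk1, pk2, b"hybrid-label")
    ok &= kdfem_combiner_decaps(sk1, sk2, ct, b"hybrid-label") == key
    ok &= kdfem_combiner_decaps(sk1, sk2, ct, b"other-label") != key
    return ok

if __name__ == "__main__":
    print("selfcheck:", selfcheck())
```

The mix-and-match check in `selfcheck` is the reason the classic combiner cannot simply XOR the two keys: a decapsulation of `(c1, c2')` must not yield anything related to the key for `(c1, c2)`, so both ciphertexts have to enter the derivation, which on the classic interface means an extra hash or PRF standardised alongside the KEMs.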
Notes
- 1.
Firstly, agreeing on an auxiliary component will likely require dedicated standardization efforts. Secondly, side-channel resilient implementations of cryptographic algorithms require knowledge of the target machine and hence, in the worst case, one dedicated implementation per computing architecture.
- 2.
For instance, the nonce handling of most AES-based AE/AEAD schemes requires one additional blockcipher invocation.
- 3.
- 4.
It might be tempting to additionally require that \(c'=c \implies \mathit{hd}'=\mathit{hd}\). However, as no part of our article logically depends on such a property, we abstain from formally demanding it.
- 5.
Analogously to Footnote 4, it might be tempting to additionally require \(c_1'=c_1 \implies \mathit{hd}_1'=\mathit{hd}_1\) and \((c_1',c_2')=(c_1,c_2) \implies \mathit{hd}_2'=\mathit{hd}_2\). However, as no part of our article logically depends on such a property, we once more abstain from formally demanding it.
- 6.
- 7.
Analogously to Footnotes 4 and 5, it might be tempting to additionally require that \(c'=c \implies \mathit{hd}'=\mathit{hd}\). However, as no part of our article logically depends on such a property, we once more abstain from formally demanding it.
- 8.
Analogously to Footnotes 4 and 5, it might be tempting to additionally require that \(c'=c \implies \mathit{hd}'=\mathit{hd}\). However, as no part of our article logically depends on such a property, we once more abstain from formally demanding it.
- 9.
CRYSTALS-Kyber was selected as a winner by NIST on July 5, 2022.
References
Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process. Technical report, NIST (2016). https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf
CYBER; Quantum-safe Hybrid Key Exchanges. Technical Specification TS 103 744, ETSI (2020). https://www.etsi.org/deliver/etsi_ts/103700_103799/103744/01.01.01_60/ts_103744v010101p.pdf
Abe, M., Gennaro, R., Kurosawa, K., Shoup, V.: Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 128–146. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_8
Albrecht, M.R., et al.: Classic McEliece. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions
Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41
Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 139–155. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_11
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_21
Bindel, N., Brendel, J., Fischlin, M., Goncalves, B., Stebila, D.: Hybrid key encapsulation mechanisms and authenticated key exchange. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 206–226. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_12
Callas, J., Donnerhacke, L., Finney, H., Shaw, D., Thayer, R.: OpenPGP message format. RFC 4880, RFC Editor (2007). https://doi.org/10.17487/RFC4880, https://www.rfc-editor.org/info/rfc4880
Chen, C., et al.: NTRU. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
D’Anvers, J.P., et al.: SABER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions
Dodis, Y., Katz, J.: Chosen-ciphertext security of multiple encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 188–209. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_11
Duman, J., Hövelmanns, K., Kiltz, E., Lyubashevsky, V., Seiler, G.: Faster lattice-based KEMs via a generic Fujisaki-Okamoto transform using prefix hashing. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 2722–2737. ACM Press (2021). https://doi.org/10.1145/3460120.3484819
Giacon, F., Heuer, F., Poettering, B.: KEM combiners. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 190–218. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_7
Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 631–648. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_34
Liskov, M., Rivest, R.L., Wagner, D.: Tweakable block ciphers. J. Cryptol. 24(3), 588–613 (2011). https://doi.org/10.1007/s00145-010-9073-y
McGrew, D.: An interface and algorithms for authenticated encryption. RFC 5116, RFC Editor (2008). https://doi.org/10.17487/RFC5116, https://www.rfc-editor.org/info/rfc5116
Pinto, A., Poettering, B., Schuldt, J.C.N.: Multi-recipient encryption, revisited. In: Moriai, S., Jaeger, T., Sakurai, K. (eds.) ASIACCS 2014, pp. 229–238. ACM Press (2014)
Poettering, B., Rastikian, S.: A study of KEM generalizations. Cryptology ePrint Archive, Paper 2023/272 (2023). https://eprint.iacr.org/2023/272
Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, pp. 98–107. ACM Press (2002). https://doi.org/10.1145/586110.586125
Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_22
Schwabe, P., et al.: CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology (2020). https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization/round-3-submissions
Shoup, V.: A proposal for an ISO standard for public key encryption. Technical report, Version 2.1, IBM Zurich Research Lab (2001). https://www.shoup.net/papers/iso-2_1.pdf
Zhang, R., Hanaoka, G., Shikata, J., Imai, H.: On the security of multiple encryption or CCA-security+CCA-security=CCA-security? In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 360–374. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_26
Acknowledgment
Many valuable comments of anonymous SSR'23 reviewers helped improve this article. This research was partially funded by armasuisse Science and Technology (Project Nr. CYD-C-2020010).
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Poettering, B., Rastikian, S. (2023). A Study of KEM Generalizations. In: Günther, F., Hesse, J. (eds) Security Standardisation Research. SSR 2023. Lecture Notes in Computer Science, vol 13895. Springer, Cham. https://doi.org/10.1007/978-3-031-30731-7_3
DOI: https://doi.org/10.1007/978-3-031-30731-7_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30730-0
Online ISBN: 978-3-031-30731-7