
Journal of Cryptology, Volume 21, Issue 1, pp 97–130

Tag-KEM/DEM: A New Framework for Hybrid Encryption

  • Masayuki Abe
  • Rosario Gennaro
  • Kaoru Kurosawa
Article

Abstract

This paper presents a novel framework for the generic construction of hybrid encryption schemes which produces more efficient schemes than the ones known before. A previous framework introduced by Shoup combines a key encapsulation mechanism (KEM) and a data encryption mechanism (DEM). While it is sufficient to require both components to be secure against chosen ciphertext attacks (CCA-secure), Kurosawa and Desmedt showed a particular example of KEM that is not CCA-secure but can be securely combined with a specific type of CCA-secure DEM to obtain a more efficient, CCA-secure hybrid encryption scheme. There are also many other efficient hybrid encryption schemes in the literature that do not fit into Shoup’s framework. These facts serve as motivation to seek another framework.

The framework we propose yields more efficient hybrid schemes and, in addition, provides an insightful explanation of existing schemes that do not fit into the previous framework. Moreover, it allows immediate conversion from a class of threshold public-key encryption schemes to threshold hybrid ones without considerable overhead, which may not be possible in the previous approach.

Keywords

Tag-KEM, Hybrid encryption, Key encapsulation, Threshold encryption



Copyright information

© International Association for Cryptologic Research 2007

Authors and Affiliations

  1. NTT Information Sharing Platform Laboratories, NTT Corporation, Tokyo, Japan
  2. IBM T.J. Watson Research Center, Yorktown Heights, USA
  3. Ibaraki University, Hitachi, Japan
