Securing RSA-KEM via the AES

  • Jakob Jonsson
  • Matthew J. B. Robshaw
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3386)


RSA-KEM is a popular key encapsulation mechanism that combines the RSA trapdoor permutation with a key derivation function (KDF). Often the details of the KDF are viewed as orthogonal to the RSA-KEM construction, and the RSA-KEM proof of security models the KDF as a random oracle. In this paper we present an AES-based KDF that has been explicitly designed so that we can appeal to currently held views on the ideal behaviour of the AES when proving the security of RSA-KEM. Thus, assuming that encryption with the AES provides a permutation of 128-bit input blocks that is chosen uniformly at random for each key k, the security of RSA-KEM against chosen-ciphertext attacks can be related to the hardness of inverting RSA.
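The construction the abstract describes, as an added worked example that is not code from the paper or its authors, written in Go using only the standard library. The KDF is an assumption chosen for illustration: a Davies-Meyer compression of the fixed-length encoding of r, each 128-bit message block keying AES-128, followed by AES counter-mode expansion. That is one of the block-cipher hash constructions analysed in the ideal-cipher model by Black, Rogaway and Shrimpton, not the KDF proposed by Jonsson and Robshaw, whose details are not reproduced here. The function names (i2osp, kdfAES, rsaKemEncap, rsaKemDecap) and the constants are hypothetical. Two points a practitioner should carry into any RSA-KEM implementation are built in: the KDF is applied to the fixed-length I2OSP encoding of r, so leading zero bytes are part of its input, and decapsulation rejects only malformed ciphertexts, since in the KEM/DEM setting integrity is the DEM's job.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"encoding/binary"
	"fmt"
	"math/big"
)

const (
	blockSize = 16 // AES block size and AES-128 key size, in bytes
	kemKeyLen = 32 // length of the symmetric key the KEM hands to the DEM
)

// i2osp is PKCS #1 I2OSP: x as a big-endian octet string of exactly n bytes. The KDF is
// fed this fixed-length form so that leading zero bytes of r are part of its input.
func i2osp(x *big.Int, n int) []byte {
	out := make([]byte, n)
	x.FillBytes(out) // panics if x does not fit in n bytes
	return out
}

// kdfAES is an illustrative AES-based KDF (an assumption of this example, not the paper's
// construction): Davies-Meyer compression over 16-byte blocks, h_i = AES_{m_i}(h_{i-1}) XOR h_{i-1},
// with length padding, then AES in counter mode keyed by the final h to produce outLen bytes.
func kdfAES(in []byte, outLen int) ([]byte, error) {
	msg := append(append([]byte{}, in...), 0x80)
	for len(msg)%blockSize != blockSize-8 {
		msg = append(msg, 0x00)
	}
	var lenBlock [8]byte
	binary.BigEndian.PutUint64(lenBlock[:], uint64(len(in))*8)
	msg = append(msg, lenBlock[:]...)
	h := make([]byte, blockSize) // all-zero IV, a fixed public constant
	for i := 0; i < len(msg); i += blockSize {
		c, err := aes.NewCipher(msg[i : i+blockSize]) // the message block is the AES-128 key
		if err != nil {
			return nil, err
		}
		var enc [blockSize]byte
		c.Encrypt(enc[:], h)
		for j := range h {
			h[j] ^= enc[j]
		}
	}
	c, err := aes.NewCipher(h)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, outLen+blockSize)
	var ctr, ks [blockSize]byte
	for i := uint32(0); len(out) < outLen; i++ {
		binary.BigEndian.PutUint32(ctr[blockSize-4:], i)
		c.Encrypt(ks[:], ctr[:])
		out = append(out, ks[:]...)
	}
	return out[:outLen], nil
}

// rsaKemEncap draws r uniformly from [0, n-1], encapsulates it as c = r^e mod n and
// derives K = KDF(I2OSP(r, nLen)). Only c leaves the sender; K is the shared secret.
func rsaKemEncap(pub *rsa.PublicKey) (c, key []byte, err error) {
	nLen := (pub.N.BitLen() + 7) / 8
	r, err := rand.Int(rand.Reader, pub.N)
	if err != nil {
		return nil, nil, err
	}
	cInt := new(big.Int).Exp(r, big.NewInt(int64(pub.E)), pub.N)
	key, err = kdfAES(i2osp(r, nLen), kemKeyLen)
	if err != nil {
		return nil, nil, err
	}
	return i2osp(cInt, nLen), key, nil
}

// rsaKemDecap recovers r = c^d mod n and re-derives K. Only malformed values are rejected;
// any in-range c yields some key, so tampering is caught by the DEM layered on top, not here.
func rsaKemDecap(priv *rsa.PrivateKey, c []byte) ([]byte, error) {
	nLen := (priv.N.BitLen() + 7) / 8
	cInt := new(big.Int).SetBytes(c)
	if len(c) != nLen || cInt.Cmp(priv.N) >= 0 {
		return nil, fmt.Errorf("rsa-kem: ciphertext must be %d bytes encoding a value below n", nLen)
	}
	r := new(big.Int).Exp(cInt, priv.D, priv.N)
	return kdfAES(i2osp(r, nLen), kemKeyLen)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	c, k1, _ := rsaKemEncap(&priv.PublicKey)
	k2, _ := rsaKemDecap(priv, c)
	fmt.Printf("c: %d bytes\nsender K:   %x\nreceiver K: %x\n", len(c), k1, k2)
}
```

Running the file prints the ciphertext length and the two derived keys, which agree. Swapping kdfAES for a standardised KDF leaves rsaKemEncap and rsaKemDecap untouched, which is the sense in which the abstract calls the KDF orthogonal to the construction; the paper's point is to choose a KDF whose idealised-AES assumption slots directly into the RSA-KEM proof.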


Keywords: RSA-KEM; AES; key derivation function



Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Jakob Jonsson (1)
  • Matthew J. B. Robshaw (2)
  1. Department of Mathematics, KTH, Stockholm, Sweden
  2. Information Security Group, Royal Holloway, University of London, Egham, Surrey, UK
