KEM Combiners

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10769)

Abstract

Key-encapsulation mechanisms (KEMs) are a common stepping stone for constructing public-key encryption. Secure KEMs can be built from diverse assumptions, including ones related to integer factorization, discrete logarithms, error-correcting codes, or lattices. In light of the recent NIST call for post-quantum secure PKE, the zoo of KEMs that are believed to be secure continues to grow. Yet, on the question of which is the most secure KEM, opinions are divided. While using the best candidate might not seem necessary to survive everyday-life situations, placing a wrong bet can be devastating, should the employed KEM eventually turn out to be vulnerable.

We introduce KEM combiners as a way to garner trust from different KEM constructions, rather than relying on a single one: We present efficient black-box constructions that, given any set of ‘ingredient’ KEMs, yield a new KEM that is (CCA) secure as long as at least one of the ingredient KEMs is.

As building blocks our constructions use cryptographic hash functions and blockciphers. Some corresponding security proofs require idealized models for these primitives, others get along on standard assumptions.
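The combining step the abstract describes, as an added illustration that is not code from the paper: two toy Diffie-Hellman "ingredient" KEMs (constructed, with a tiny modulus, not secure) are wrapped by a parallel combiner whose core function hashes all ingredient keys together with all ingredient ciphertexts. The choice of this particular core function, and the names ToyDhKem, CombinedKem and core, are this example's own assumptions and not a claim about the paper's specific constructions; feeding the ciphertexts into the hash is what makes the combined key depend on every component, so that a ciphertext with one component swapped decapsulates to an unrelated key.

```python
import hashlib
import secrets

# Toy Diffie-Hellman "ingredient" KEM. The modulus is a constructed Mersenne
# prime far too small for real use: it exists only to give the combiner
# something with a keygen/encaps/decaps interface to wrap. NOT a secure KEM.
P = 2**127 - 1

class ToyDhKem:
    def __init__(self, generator):
        self.g = generator
    def keygen(self):
        sk = secrets.randbelow(P - 2) + 1
        return sk, pow(self.g, sk, P)
    def encaps(self, pk):
        r = secrets.randbelow(P - 2) + 1
        shared = pow(pk, r, P).to_bytes(16, "big")
        return hashlib.sha256(shared).digest(), pow(self.g, r, P).to_bytes(16, "big")
    def decaps(self, sk, c):
        shared = pow(int.from_bytes(c, "big"), sk, P).to_bytes(16, "big")
        return hashlib.sha256(shared).digest()


def core(keys, cts):
    """Core function of the combiner: hash every ingredient key and every
    ingredient ciphertext. Each field is length-prefixed so that no two
    distinct (keys, cts) inputs collide by shifting bytes between fields."""
    h = hashlib.sha256()
    for field in list(keys) + list(cts):
        h.update(len(field).to_bytes(2, "big") + field)
    return h.digest()


class CombinedKem:
    """Parallel KEM combiner: every ingredient KEM runs independently and the
    final key is core(all ingredient keys, all ingredient ciphertexts)."""
    def __init__(self, kems):
        self.kems = kems

    def keygen(self):
        pairs = [kem.keygen() for kem in self.kems]
        return [sk for sk, _ in pairs], [pk for _, pk in pairs]

    def encaps(self, pks):
        keys, cts = zip(*(kem.encaps(pk) for kem, pk in zip(self.kems, pks)))
        return core(keys, cts), list(cts)

    def decaps(self, sks, cts):
        keys = [kem.decaps(sk, c) for kem, sk, c in zip(self.kems, sks, cts)]
        return core(keys, cts)
```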

Keywords

Secure combiners; CCA security; Practical constructions

Notes

Acknowledgments

We are grateful to the anonymous PKC reviewers for their valuable comments.

Federico Giacon was supported by ERC Project ERCC (FP7/615074). Felix Heuer was supported by Mercator Research Center Ruhr project “LPN-Krypt: Das LPN-Problem in der Kryptographie”. Bertram Poettering conducted part of this work at Ruhr University Bochum, supported by ERC Project ERCC (FP7/615074).


Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Federico Giacon (1)
  • Felix Heuer (1)
  • Bertram Poettering (2)
  1. Ruhr University Bochum, Bochum, Germany
  2. Royal Holloway, University of London, London, UK
