Constructing Better KEMs with Partial Message Recovery

  • Rui Zhang
  • Hideki Imai
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6151)


In this paper, we consider the problem of building efficient key encapsulation mechanisms (KEMs) with partial message recovery, in brief PKEMs, whose goal is to use bandwidth better than a standard KEM by carrying part of the message inside the encapsulation. We point out several practical issues that previous work did not take into account, e.g., the additional security loss caused by the loose security reduction of OAEP, and the ciphertext overhead introduced by the corresponding data encapsulation mechanism (DEM). We give solutions to these problems. Furthermore, we consider the multi-challenge model for PKEMs, in which an adversary may obtain multiple challenge ciphertexts; this is evidently a stronger and more realistic model for PKEMs. We then present two generic constructions of PKEMs and prove their security in the multi-challenge model. Our constructions are natural and simple. Finally, we give several instantiations of our generic constructions and compare their efficiency. Our results show that there are strong ties between PKEMs and public key encryption.







Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Rui Zhang, Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST), Japan
  • Hideki Imai, Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST), Japan
