Key Encapsulation: An Emerging Paradigm for Public-Key Cryptography

1
Key Encapsulation: An Emerging Paradigm for
Public-Key Cryptography
  • Burt Kaliski, RSA Laboratories
  • RSA Conference 2002 Japan
  • May 29-30, 2002

2
Summary
  • Most specifications of public-key encryption
    follow the original encrypt/decrypt model from
    25 years ago
  • New model is emerging, based on work of Shoup and
    others: key encapsulation, with better
    flexibility and security proofs
  • Recommend transition over time to new model

3
Original Model
  • Bob has public key / private key pair
  • Alice encrypts message M with Bob's public key to
    produce a ciphertext C
  • C = E(PubKeyB, M)
  • Bob decrypts C with his private key
  • M = D(PrivKeyB, C)

4
Limitations
  • Message length: Length of M may be limited
  • Malleability: Encryption may not protect message
    integrity
  • Mathematical properties: Encryption of related
    messages may be related
  • Modeling: DH doesn't fit well

5
Traditional Remedies
  • Typically, some message padding is applied to
    address these limitations, but current approaches
    to RSA encryption are less than ideal
  • PKCS #1 v1.5 padding is ad hoc, doesn't provide
    integrity
  • RSA-OAEP provides integrity and is provably
    secure, but bounds aren't tight
  • Message length is still bounded, and DH needs its
    own method

6
New Remedy: Two Layers
  • Public-key layer (key encapsulation)
    establishes a random symmetric key
  • Symmetric-key layer protects data with the
    established symmetric key and symmetric algorithm
  • data can be of any length
  • Layers are independent

7
Two-Layer Approach
[Figure: Symmetric-Key Layer, symmetric key, Public-Key Layer]

8
Public-Key Layer: Key Encapsulation (Shoup 2001)
  • Encryption: Alice generates a symmetric key W and
    a ciphertext C that encapsulates W
  • (C, W) = E(PubKeyB)
  • Decryption: Bob regenerates W from C
  • W = D(PrivKeyB, C)

9
Two Layers with Key Encapsulation
[Figure: Symmetric-Key Layer, symmetric key W, E, D, C, public key, private key]

10
Addressing the Limitations
  • Modeling: DH, PSEC, RSA, other PKC all fit
  • Message length: Length of M not limited
  • Malleability: Symmetric layer can provide
    integrity protection
  • Mathematical properties: Symmetric keys are
    unrelated; symmetric layer avoids mathematical
    properties

11
Don't We Do This Already?
  • Many specifications (including S/MIME) have two
    layers
  • message encrypted with symmetric key
  • symmetric key encrypted with public key
  • But the symmetric key is generated first, then
    encrypted: more than needed, and results in a
    looser (or no) proof of security

12
Related Research
  • Damgard, Zheng-Seberry, Bellare-Rogaway
    (1991-1993): early constructions
  • Abdalla-Bellare-Rogaway (1998): DH scheme
  • Fujisaki-Okamoto (1999): new general conversion
  • Okamoto-Pointcheval (2001): REACT transformation
  • Shoup (2001): key encapsulation for ISO proposal
  • Coron-Handschuh-et al. (2002): GEM

13
Encapsulation Using RSA (RSA-KEM)
  • Encrypt with public key (n, e) → (C, W)
  • r ←R [0, n-1]
  • C ← r^e mod n
  • W ← KDF(r)
  • Decrypt with private key (n, d): C → W
  • r ← C^d mod n
  • W ← KDF(r)
  • (KDF = key derivation function)
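
The RSA-KEM steps on this slide as runnable Python. This is an added example, not code from the presentation: the key is a toy modulus built from two Mersenne primes, and the KDF (SHA-256 in counter mode over a fixed-length encoding of r) is an assumption, since the slide leaves KDF abstract.

```python
import hashlib
import secrets

# Toy RSA key from two Mersenne primes: constructed for this example and
# far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def kdf(r: int, n: int, length: int = 32) -> bytes:
    """Assumed KDF: SHA-256 in counter mode over r as a fixed-length string."""
    # Encoding r at the modulus length keeps the KDF input unambiguous.
    seed = r.to_bytes((n.bit_length() + 7) // 8, "big")
    out = b""
    counter = 1
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encapsulate(n: int, e: int):
    """Encrypt with public key (n, e) -> (C, W)."""
    r = secrets.randbelow(n)          # r <-R [0, n-1]
    c = pow(r, e, n)                  # C <- r^e mod n
    return c, kdf(r, n)               # W <- KDF(r)


def decapsulate(n: int, d: int, c: int) -> bytes:
    """Decrypt with private key (n, d): C -> W."""
    if not 0 <= c < n:
        raise ValueError("ciphertext out of range")
    r = pow(c, d, n)                  # r <- C^d mod n
    return kdf(r, n)                  # W <- KDF(r)


if __name__ == "__main__":
    c, w_alice = encapsulate(N, E)
    print("keys match:", decapsulate(N, D, c) == w_alice)
    # Any other in-range C also decapsulates, to an unrelated W: there is no
    # padding to check, so Decrypt has no "invalid ciphertext" signal to leak.
    print("modified C, same key:", decapsulate(N, D, (c + 1) % N) == w_alice)
```

Because every in-range C yields some W, rejecting a modified message is the job of the symmetric-key layer, not of the encapsulation step.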

14
Security Sketch: RSA-KEM
  • Encrypt: C ← r^e mod n, W ← KDF(r)
  • Decrypt: r ← C^d mod n, W ← KDF(r)
  • Goal: Distinguish (C, W) from (C, random), given
    access to Decrypt
  • Distinguisher ⇒ RSA-inverter in random oracle
    model
  • adversary must recover r (= invert) to
    distinguish
  • inverter simulates Decrypt by looking up (C, W)
    from old KDF call or making new one
  • tight bounds: distinguish, invert in ≈ same time

15
Encapsulation Using DH
  • Encrypt with public key (p, q, g, y) → (C, W)
  • r ←R [1, q-1]
  • C ← g^r mod p
  • Z ← y^r mod p
  • W ← KDF(C || Z)
  • Decrypt with private key (p, q, g, x): C → W
  • Z ← C^x mod p
  • W ← KDF(C || Z)
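
The DH encapsulation steps as runnable Python. This is an added example, not code from the presentation: the group (p = 2039, q = 1019, g = 4) is a toy constructed for illustration, the KDF is assumed to be SHA-256 over C || Z, and the subgroup check in decapsulate is an addition that the slide does not show.

```python
import hashlib
import secrets

# Toy group, constructed for this example: p = 2q + 1 with p, q prime, and
# g = 4 generating the subgroup of order q. Real groups are thousands of bits.
P, Q, G = 2039, 1019, 4
PLEN = (P.bit_length() + 7) // 8


def kdf(c: int, z: int) -> bytes:
    """Assumed KDF: SHA-256 over C || Z, each encoded at the length of p."""
    return hashlib.sha256(c.to_bytes(PLEN, "big") + z.to_bytes(PLEN, "big")).digest()


def keygen():
    x = secrets.randbelow(Q - 1) + 1      # private x in [1, q-1]
    return x, pow(G, x, P)                # public y = g^x mod p


def encapsulate(y: int):
    """Encrypt with public key (p, q, g, y) -> (C, W)."""
    r = secrets.randbelow(Q - 1) + 1      # r <-R [1, q-1]
    c = pow(G, r, P)                      # C <- g^r mod p
    z = pow(y, r, P)                      # Z <- y^r mod p
    return c, kdf(c, z)                   # W <- KDF(C || Z)


def decapsulate(x: int, c: int) -> bytes:
    """Decrypt with private key (p, q, g, x): C -> W."""
    # Added check, not on the slide: accept only elements of the order-q
    # subgroup, so a crafted C cannot confine Z to a small subgroup.
    if not 1 < c < P or pow(c, Q, P) != 1:
        raise ValueError("C is not in the order-q subgroup")
    z = pow(c, x, P)                      # Z <- C^x mod p
    return kdf(c, z)                      # W <- KDF(C || Z)


if __name__ == "__main__":
    x, y = keygen()
    c, w = encapsulate(y)
    print("keys match:", decapsulate(x, c) == w)
```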

16
Symmetric-Key Layer
  • Depends on overall objective

17
Asymmetric Encryption w/Integrity
[Figure: Symmetric Encryption w/Integrity, M, M, symmetric key W, E, D, C, public key, private key]

18
Symmetric Encryption w/Integrity
  • Encrypt message M with integrity protection
  • optional label L
  • Data encapsulation, in Shoup's terminology
  • In IEEE P1363a, ISO/IEC 18033-2, et al., hash
    function-based stream cipher + MAC
  • Alternatively, block cipher mode with integrity
    protection (e.g., OCB, CCM)
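
A sketch of the "hash function-based stream cipher + MAC" option with an optional label L. This is an added example, not code from the presentation and not the construction of any of the named standards: the key split, the SHA-256 counter keystream and the HMAC-SHA-256 tag are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


def _split(w: bytes):
    """Derive separate encryption and MAC keys from the encapsulated key W."""
    return (hashlib.sha256(b"enc" + w).digest(),
            hashlib.sha256(b"mac" + w).digest())


def _keystream(key: bytes, length: int) -> bytes:
    """Hash-function-based stream cipher: SHA-256 over key || counter."""
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def _tag(mac_key: bytes, label: bytes, body: bytes) -> bytes:
    # The label length is bound in so (L, body) cannot be re-split.
    data = len(label).to_bytes(8, "big") + label + body
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def dem_encrypt(w: bytes, message: bytes, label: bytes = b"") -> bytes:
    # There is no nonce: W must be fresh per message, which is what a key
    # encapsulation step provides.
    enc_key, mac_key = _split(w)
    body = bytes(m ^ k for m, k in zip(message, _keystream(enc_key, len(message))))
    return body + _tag(mac_key, label, body)      # encrypt-then-MAC


def dem_decrypt(w: bytes, ciphertext: bytes, label: bytes = b"") -> bytes:
    if len(ciphertext) < 32:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _split(w)
    body, tag = ciphertext[:-32], ciphertext[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, label, body)):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, len(body))))


if __name__ == "__main__":
    w = secrets.token_bytes(32)   # stands in for the W a KEM would output
    ct = dem_encrypt(w, b"attack at dawn" * 100, label=b"session-1")
    print(dem_decrypt(w, ct, label=b"session-1")[:14])
```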

19
Asymmetric Key Transport (1-pass)
[Figure: Symmetric Key Wrapping, K, K, symmetric key W, E, D, C, public key, private key]

20
Symmetric Key Wrapping
  • Encrypt (wrap) key K with integrity protection
  • optional label L
  • Special case of symmetric encryption w/integrity
  • Symmetric encryption methods, or
  • In ANSI X9.44 draft, AES Key Wrap

21
AES Key Wrap
  • NIST-proposed method for wrapping key data with
    an AES key
  • six-pass iterative construction
  • confidentiality and integrity
  • With new model, AES Key Wrap can be a common
    method for asymmetric and symmetric key transport

22
Asymmetric Key Transport (1-pass) with AES Key Wrap
[Figure: AES Key Wrap, K, K, symmetric key W, E, D, C, public key, private key]

23
RSA-KEM + AES Key Wrap
  • Asymmetric key wrapping with only RSA primitive
    and AES
  • Wrap with public key: K → (C0, C1)
  • r ←R [0, n-1]
  • C0 ← r^e mod n
  • W ← AES-KDF(r)
  • C1 ← AES-KeyWrap(W, K)
  • Unwrap with private key: (C0, C1) → K
  • r ← C0^d mod n
  • W ← AES-KDF(r)
  • K ← AES-KeyUnwrap(W, C1)
  • (AES-KDF to be defined)

24
Key Agreement in Two Layers (one key-pair case)
[Figure: Symmetric Key Derivation + Confirmation, K, K, symmetric key W, E, D, C, public key, private key]

25
Symmetric Key Derivation + Confirmation
  • Derive and confirm new key K
  • In SSL/TLS, three passes with MAC, KDF
  • Other approaches may be applied

26
More on SSL/TLS Handshake
  • Symmetric-key level protects against weaknesses
    in PKCS #1 v1.5 encryption
  • PKCS #1 v1.5 encryption plus KDF, "client
    finished" can be modeled as key encapsulation
  • New research result (Crypto 2002): provably
    secure under variant of RSA assumption
  • gap-partial-RSA problem: find part of RSA
    inverse, given oracle that checks whether part is
    correct

27
RSA Encapsulation in SSL/TLS Handshake (some
details omitted)
  • Encrypt with public key → (C, W, T)
  • (r0 || r1) ←R [0, n-1]
  • C ← (r0 || r1)^e mod n
  • W ← KDF(r1)
  • T ← MAC(r1)
  • Decrypt with private key (n, d): (C, T) → W
  • (r0 || r1) ← C^d mod n
  • W ← KDF(r1)
  • T ← MAC(r1)
  • (r0 is padding; r1 is pre-master secret; W is
    session key; T is client finished message; W, T
    derived via master secret, not shown)

28
Security Sketch: RSA Encapsulation in SSL/TLS
  • Encrypt: C ← (r0 || r1)^e mod n, W ← KDF(r1), T ←
    MAC(r1)
  • Decrypt: (r0 || r1) ← C^d mod n, W ← KDF(r1), T ←
    MAC(r1)
  • Goal: Distinguish (C, W, T) from (C, random),
    given access to Decrypt
  • Distinguisher ⇒ partial-RSA-inverter given
    partial-RSA-inverse-checker in r.o. model
  • adversary must recover r1 (= partial-invert) to
    distinguish
  • inverter simulates Decrypt by looking up (r1, W,
    T) from old KDF, MAC calls, checking r1 against C
  • (reasonably) tight bounds given full details

29
Standardization
  • Many standards already use key encapsulation in
    some form, though most don't use the term
  • Key encapsulation is being proposed for several
    standards, particularly for use of RSA with AES
    keys

30
Key Encapsulation in Standards
31
What about RSA-OAEP?
  • RSA-OAEP, in many standards already, is fine for
    current and new applications
  • asymmetric encryption w/integrity
  • provably secure in r.o. model
  • But security bounds aren't ideal
  • inverting RSA (i.e., factoring) is fastest attack
    known, but bounds don't exclude faster ones
  • q^2 ratio in bounds, where q is number of queries
    to Decrypt or random oracles
  • Also, architecture is not as flexible
  • AES Key Wrap can't be employed directly
  • length of message is limited

32
A Gradual Transition
  • Improving the infrastructure over time

[Figure: timeline with axis 1991, 1995, 2000, 2005, 2010 and rows for PKCS #1 v1.5, RSA-OAEP and RSA-KEM, marked with the stages new, analysis, standards, products, old]

33
Conclusions
  • Key encapsulation is a convenient way of
    positioning public-key cryptography
  • A flexible model for new standards
  • Gradual transition recommended as standards are
    upgraded, e.g., to support AES