## Tag-KEM/DEM: a New Framework for Hybrid Encryption and a New Analysis of Kurosawa-Desmedt KEM (2005)

Venue: Proc. Eurocrypt

Citations: 63 (7 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Abe05tag-kem/dem:a,
  author    = {Masayuki Abe and Rosario Gennaro and Kaoru Kurosawa},
  title     = {Tag-KEM/DEM: a New Framework for Hybrid Encryption and a New Analysis of Kurosawa-Desmedt KEM},
  booktitle = {in Proc. Eurocrypt},
  year      = {2005},
  pages     = {128--146},
  publisher = {Springer-Verlag}
}
```

### Abstract

This paper presents a novel framework for the generic construction of hybrid encryption schemes which produces more efficient schemes than the ones known before. A previous

### Citations

- **Random oracles are practical: a paradigm for designing efficient protocols.** Bellare, P. 1993. Cited 1443 times.
  Citation context: ...-secure hybrid encryption, while being a sufficient condition, may not be a necessary one, and might indeed be an overkill. Moreover, there are other hybrid encryption schemes in the literature, e.g., [4, 34] in the random oracle model, which are very efficient, but do not fit to the CCA-secure KEM/DEM framework. Our Contribution. Prompted by the above observation, we set out to investigate another KEM/DE...

- **How to play any mental game – or – a completeness theorem for protocols with honest majority.** Goldreich, Micali, et al. 1987. Cited 540 times.
  Citation context: ...is allowed to corrupt up to k - 1 of them. A corrupted player provides all its view to the adversary and is completely controlled by the adversary. Results from general multi-party computation, e.g., [26, 5], imply that any (hybrid) PKE can be converted to its threshold version in several settings. Since such a generic conversion suffers from unrealistic complexity, dedicated construction has been pursue...

- **A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack.** Cramer, Shoup. 1998. Cited 486 times.
  Citation context: ...ure cryptosystems were presented in [33, 35, 22], but they were quite impractical, as they rely on generic techniques for non-interactive zero-knowledge. In a breakthrough result, Cramer and Shoup in [16] presented the first truly practical CCA-secure cryptosystem, whose security was based on the hardness of the decisional Diffie-Hellman problem. This construction was generalized in [17], using a new ...

- **Non-Malleable Cryptography.** Dolev, Dwork, et al. 2000. Cited 475 times.
  Citation context: ...(see for example [7]). To model this type of attacks, the notion of chosen-ciphertext security was introduced by Naor and Yung [33] and developed by Rackoff and Simon [35], and Dolev, Dwork, and Naor [22]. Security against a chosen ciphertext attack (CCA security, in short) means that, even if the adversary is allowed to query a decryption oracle on ciphertext of her choosing, then she obtains no usef...

- **Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack.** Rackoff, Simon. 1992. Cited 363 times.
  Citation context: ...hard to combat than passive ones (see for example [7]). To model this type of attacks, the notion of chosen-ciphertext security was introduced by Naor and Yung [33] and developed by Rackoff and Simon [35], and Dolev, Dwork, and Naor [22]. Security against a chosen ciphertext attack (CCA security, in short) means that, even if the adversary is allowed to query a decryption oracle on ciphertext of her c...

- **Threshold cryptosystems.** Desmedt, Frankel. 1990. Cited 272 times.
  Citation context: ... (hybrid) PKE can be converted to its threshold version in several settings. Since such a generic conversion suffers from unrealistic complexity, dedicated construction has been pursued starting from [20]. In the standard model, the first CCA-secure threshold PKE is presented in [13] followed by, e.g., [1, 28, 2, 10, 12]. However, no efficient threshold hybrid PKE, is known in the standard model, via ...

- **Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks.** Naor, Yung. 1990. Cited 263 times.
  Citation context: ... be proven to be much more powerful and hard to combat than passive ones (see for example [7]). To model this type of attacks, the notion of chosen-ciphertext security was introduced by Naor and Yung [33] and developed by Rackoff and Simon [35], and Dolev, Dwork, and Naor [22]. Security against a chosen ciphertext attack (CCA security, in short) means that, even if the adversary is allowed to query a ...

- **A Chosen Ciphertext Attack against Protocols based on the RSA Encryption Standard PKCS #1.** Bleichenbacher. 1998. Cited 250 times.
  Citation context: ...ossibly related to the ciphertexts she intends to decrypt) and analyze their response. Such active attacks can be proven to be much more powerful and hard to combat than passive ones (see for example [7]). To model this type of attacks, the notion of chosen-ciphertext security was introduced by Naor and Yung [33] and developed by Rackoff and Simon [35], and Dolev, Dwork, and Naor [22]. Security again...

- **Chosen-ciphertext security from identity-based encryption.** Boneh, Canetti, et al. Cited 221 times.
  Citation context: ...ure when it is secure against chosen ciphertext and chosen ID attacks provided that the target ID is committed at the beginning and the ID must not be included in any decryption query. It is shown in [14] that selective-ID ID-based encryption schemes (sIBE in short) can be strengthened to a full CCA-secure PKE by using strong one-time signature. In [11], Boneh and Katz improved the efficiency of [14] ...

- **Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack.** Cramer, Shoup. Cited 208 times.
  Citation context: ... a random key. Then a Data Encapsulation Mechanism is performed: the random key is used to encrypt the message using a symmetric encryption scheme. A formal treatment of this paradigm can be found in [38, 18] and we refer to it as the KEM/DEM framework. As mentioned in the literature, it is sufficient that both KEM and DEM are CCA-secure to obtain CCA-secure hybrid encryption. This indeed looks quite reas...

- **Secure Integration of Asymmetric and Symmetric Encryption Schemes.** Fujisaki, Okamoto. 1999. Cited 182 times.
  Citation context: ... thoroughly explained by our framework and their design approach is validated. 5.3 Refined Fujisaki-Okamoto Conversion and More Fujisaki-Okamoto Conversion: We revisit the Fujisaki-Okamoto conversion [23] that provides secure construction of hybrid encryption in the random oracle model. By fitting their scheme into our framework, we can see that one of their assumptions can be eliminated and a refined...

- **Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption.** Cramer, Shoup. 2002. Cited 151 times.
  Citation context: ... and Shoup in [16] presented the first truly practical CCA-secure cryptosystem, whose security was based on the hardness of the decisional Diffie-Hellman problem. This construction was generalized in [17], using a new cryptographic primitive called projective hash functions. Public-key encryption schemes often limit the message space to a particular group, which can be restrictive when one wants to en...

- **Securing Threshold Cryptosystems against Chosen Ciphertext Attack.** Shoup, Gennaro. 1998. Cited 112 times.
  Citation context: ...hared it among the servers, though distributed key generation protocols can be used. Threshold CCA-security is defined as a natural extension of the CCA-security for regular (non-threshold) PKE as in [39]. The decryption oracle is replaced by n decryption servers and the adversary is allowed to corrupt up to k - 1 of them. A corrupted player provides all its view to the adversary and is completely ...

- **OAEP Reconsidered.** Shoup. 2001. Cited 102 times.
  Citation context: ...ind, the security proof is essentially unchanged from that of the original KEM (or PKE). Therefore, we only show two concrete constructions of Tag-KEM based on well known encryption schemes; OAEP+ [37] and Cramer-Shoup encryption [16]. In the following, the description of the original schemes are obtained just by dropping the tag τ. 4.4.1 From OAEP+. Let f be a one-way trapdoor permutation. OAEP+...

- **Direct chosen ciphertext security from identity-based techniques.** Boyen, Mei, et al. Cited 79 times.
  Citation context: ...sion suffers from unrealistic complexity, dedicated construction has been pursued starting from [20]. In the standard model, the first CCA-secure threshold PKE is presented in [13] followed by, e.g., [1, 28, 2, 10, 12]. However, no efficient threshold hybrid PKE, is known in the standard model, via a generic construction like KEM/DEM. If a threshold CCA KEM and a threshold CCA DEM are available, their simple combin...

- **REACT: Rapid enhanced-security asymmetric cryptosystem transform.** Okamoto, Pointcheval D. 2001. Cited 79 times.
  Citation context: ...-secure hybrid encryption, while being a sufficient condition, may not be a necessary one, and might indeed be an overkill. Moreover, there are other hybrid encryption schemes in the literature, e.g., [4, 34] in the random oracle model, which are very efficient, but do not fit to the CCA-secure KEM/DEM framework. Our Contribution. Prompted by the above observation, we set out to investigate another KEM/DE...

- **Improved efficiency for CCA-secure cryptosystems built using identity based encryption.** Boneh, Katz. 2005. Cited 78 times.
  Citation context: ...included in any decryption query. It is shown in [14] that selective-ID ID-based encryption schemes (sIBE in short) can be strengthened to a full CCA-secure PKE by using strong one-time signature. In [11], Boneh and Katz improved the efficiency of [14] by replacing the one-time signature with a commitment scheme (using hash function) and a MAC. We show that the conversion from sIBE to full-CCA PKE als...

- **Using hash functions as a hedge against chosen ciphertext attack.** Shoup. 2000. Cited 70 times.
  Citation context: ...hertext and use the decryption oracle to get useful information. Recently in [30], Kurosawa and Desmedt introduced a hybrid encryption scheme which is a modification of the hybrid scheme presented in [36]. Their scheme is interesting from a theoretical point of view: when one looks at it as a KEM/DEM scheme, their KEM is not CCA-secure [27]. Nevertheless, the resulting scheme is CCA-secure and more ef...

- **Efficient selective-ID secure identity based encryption without random oracles.** Boneh, Boyen. 2004. Cited 68 times.
  Citation context: ...d to the first-level ID and vk is assigned to the second-level ID.) ID-based KEM is also studied in [6]. For efficient implementations of sIBE based on standard cryptographic assumptions, we refer to [9]. 5 Applications In this section, we show how our framework yields new hybrid encryption schemes, captures some known schemes, and even finds ways to improve them. 5.1 Threshold Hybrid PKE Roughly, a ...

- **An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack.** Canetti, Goldwasser. 1999. Cited 66 times.
  Citation context: ...ce such a generic conversion suffers from unrealistic complexity, dedicated construction has been pursued starting from [20]. In the standard model, the first CCA-secure threshold PKE is presented in [13] followed by, e.g., [1, 28, 2, 10, 12]. However, no efficient threshold hybrid PKE, is known in the standard model, via a generic construction like KEM/DEM. If a threshold CCA KEM and a threshold CCA ...

- **Simplified OAEP for the RSA and Rabin Functions.** Boneh. Cited 60 times.
  Citation context: ...cure and H is target collision-free, the above Tag-KEM is CCA-secure. In particular, ɛtkem ≤ ɛpke + ɛtch. Proof is given in Appendix A. One efficient implementation would be to use Rabin-SAEP+ [8] encryption, where the message length is known to be shorter than that of RSA but sufficient for encrypting a standard DEM key and hashed tag. One can also apply the technique of [25] to shorten the c...

- **Chosen-ciphertext security from tag-based encryption.** Kiltz. 2006. Cited 57 times.
  Citation context: ...own in [31]. Though it does not fit into our framework, one of the constructions in [31] is identical as the one presented in Section 5.3 and indeed achieves our higher level of security. The work in [29] introduces an even weaker definition where the adversary commits itself to a tag at the beginning of the attack game. It then shows how to convert such weak security into full CCA-security by using a...

- **A new paradigm of hybrid encryption scheme.** Kurosawa, Desmedt. 2004. Cited 49 times.
  Citation context: ...CCA-secure, then the adversary trying to decrypt a target ciphertext may be able to alter the corresponding part of the ciphertext and use the decryption oracle to get useful information. Recently in [30], Kurosawa and Desmedt introduced a hybrid encryption scheme which is a modification of the hybrid scheme presented in [36]. Their scheme is interesting from a theoretical point of view: when one look...

- **Generic constructions of identity-based and certificateless KEMs.** Bentahar, Farshim, et al. Cited 45 times.
  Citation context: ...ective-ID secure in the second level and fully CCA secure in the first level. (A given ID is assigned to the first-level ID and vk is assigned to the second-level ID.) ID-based KEM is also studied in [6]. For efficient implementations of sIBE based on standard cryptographic assumptions, we refer to [9]. 5 Applications In this section, we show how our framework yields new hybrid encryption schemes, ca...

- **Randomness Extraction and Key Derivation Using the CBC, Cascade and HMAC Modes.** Dodis, Gennaro, et al. 2004. Cited 40 times.

- **Relaxing chosen-ciphertext security.** Canetti, Krawczyk, et al. 2003. Cited 35 times.
  Citation context: ...ur framework. Hence the DEM no longer need to provide CCA security when combined with those KEMs as suggested by our framework. 5.4 Revisiting RCCA-secure PKE This section revisits RCCA-secure PKE in [15] and show that their construction of CCA-secure hybrid PKE from RCCA-secure PKE can be improved by following our Tag-KEM/DEM framework. The notion of RCCA-secure PKE is introduced in [15]. RCCA is a v...

- **Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks.** Fouque, Pointcheval. 2001. Cited 35 times.
  Citation context: ... DEM part to be CPA, it immediately yields a threshold hybrid PKE once a shared Tag-KEM is available. Decrypting the DEM part is a local task. By defining CCA security for threshold PKE and DEM as in [28, 18], we can translate and prove Theorem 1 in the threshold setting. Accordingly, one can concentrate on constructing threshold Tag-KEM. A threshold KEM or PKE can be converted into a threshold TagKEM by ...

- **Adaptively secure threshold cryptography: introducing concurrency, removing erasures.** Jarecki, Lysyanskaya. 2000. Cited 33 times.
  Citation context: ...sion suffers from unrealistic complexity, dedicated construction has been pursued starting from [20]. In the standard model, the first CCA-secure threshold PKE is presented in [13] followed by, e.g., [1, 28, 2, 10, 12]. However, no efficient threshold hybrid PKE, is known in the standard model, via a generic construction like KEM/DEM. If a threshold CCA KEM and a threshold CCA DEM are available, their simple combin...

- **Chosen ciphertext secure public key threshold encryption without random oracles.** Boneh, Boyen, et al. 2006. Cited 26 times.
  Citation context: ...sion suffers from unrealistic complexity, dedicated construction has been pursued starting from [20]. In the standard model, the first CCA-secure threshold PKE is presented in [13] followed by, e.g., [1, 28, 2, 10, 12]. However, no efficient threshold hybrid PKE, is known in the standard model, via a generic construction like KEM/DEM. If a threshold CCA KEM and a threshold CCA DEM are available, their simple combin...

- **Design, implementation, and deployment of the iKP secure electronic payment system.** Bellare, Garay, et al. 2000. Cited 26 times.
  Citation context: ... seen as an instance of this method in the random oracle model. Applying Theorem 1 yields a hybrid PKE that is a special case of [15]. Also, similar hybrid PKE is found in legendary protocols such as [4]. 4.2 Based on CCA-Secure KEM and MAC In this section we present a CCA-secure Tag-KEM based on a CCA-secure KEM and a secure message authentication code (MAC). Here, MAC is assumed to be strongly unfo...

- **A Designer's Guide to KEMs.** Dent. 2003. Cited 23 times.
  Citation context: ...Since some methods are available to convert a weak PKE to a CCA-secure one in various setting, we assume CCA-secure PKE is available. Construction of KEM directly from weaker components is studied in [19]. 4.1 Based on PKE with Long Plaintext When CCA-secure PKE is available, the first idea would be to encrypt the tag as a part of the plaintext together with the DEM key to encapsulate. It indeed works...

- **A Note on An Encryption Scheme of Kurosawa and Desmedt.** Gennaro, Shoup. Cited 20 times.

- **Robust distributed multiplication without interaction.** Abe. 1999. Cited 16 times.

- **Adaptively secure Feldman VSS and applications to universally-composable threshold cryptography.** Abe, Fehr. 2004. Cited 16 times.

- **The Kurosawa-Desmedt Key Encapsulation is not Chosen-Ciphertext Secure.** IACR Cryptology ePrint Archive, Report 2006/207. Available at http://eprint.iacr.org/2006/207. Herranz, Hofheinz, et al. 1998. Cited 15 times.
  Citation context: ...eme which is a modification of the hybrid scheme presented in [36]. Their scheme is interesting from a theoretical point of view: when one looks at it as a KEM/DEM scheme, their KEM is not CCA-secure [27]. Nevertheless, the resulting scheme is CCA-secure and more efficient than [38, 18] both in computation and bandwidth. Thus the Kurosawa-Desmedt scheme suggests that requiring both KEM/DEM to be CCA-s...

- **ISO 18033-2: An emerging standard for public-key encryption.** December 2004. Final Committee Draft. Shoup. Cited 15 times.
  Citation context: ... a random key. Then a Data Encapsulation Mechanism is performed: the random key is used to encrypt the message using a symmetric encryption scheme. A formal treatment of this paradigm can be found in [38, 18] and we refer to it as the KEM/DEM framework. As mentioned in the literature, it is sufficient that both KEM and DEM are CCA-secure to obtain CCA-secure hybrid encryption. This indeed looks quite reas...

- **Alternatives to non-malleability: Definitions, constructions, and applications.** MacKenzie, Reiter, et al. 2004. Cited 14 times.
  Citation context: ...takes a tag as an input and outputs a DEM key.) Despite their limitations, this particular implementation also fits into our model without essential modifications. Tag-based PKE is also introduced in [31] with the same syntax as that of [39, 38] but with a weaker security notion. In their work, the adversary is restricted from sending the same tag associated to the challenge ciphertext to the decrypti...

- **Concealment and Its Applications to Authenticated Encryption.** Dodis, An. 2003. Cited 10 times.
  Citation context: .... Especially, ɛtkem ≤ ɛpke + ɛtch. The RSA-based simple KEM [27] can be seen as an instance of this method in the random oracle model. Applying Theorem 1 yields a hybrid PKE that is a special case of [15]. Also, similar hybrid PKE is found in legendary protocols such as [4]. 4.2 Based on CCA-Secure KEM and MAC In this section we present a CCA-secure Tag-KEM based on a CCA-secure KEM and a secure messa...

- **How to compress Rabin ciphertexts and signatures (and more).** Gentry. 2004. Cited 6 times.
  Citation context: ...o use Rabin-SAEP+ [8] encryption, where the message length is known to be shorter than that of RSA but sufficient for encrypting a standard DEM key and hashed tag. One can also apply the technique of [25] to shorten the ciphertext. 4.2 Based on CCA-Secure KEM and MAC In this section we present a CCA-secure Tag-KEM based on a CCA-secure KEM and a secure message authentication code (MAC) scheme (see App...

- **Completeness theorems for non-cryptographic fault-tolerant distributed computation.** Ben-Or, Goldwasser, et al. 1988. Cited 1 time.
  Citation context: ...is allowed to corrupt up to k - 1 of them. A corrupted player provides all its view to the adversary and is completely controlled by the adversary. Results from general multi-party computation, e.g., [26, 5], imply that any (hybrid) PKE can be converted to its threshold version in several settings. Since such a generic conversion suffers from unrealistic complexity, dedicated construction has been pursue...

- **A universally composable secure channel based on the KEM-DEM framework.** Nagao, Manabe, et al. 2005. Cited 1 time.
  Citation context: ...ture if needed (The scheme based on Cramer-Shoup shown in Section 4.4 is an example). It is also known that the CCA KEM/DEM framework can be extended to establish some limited form of secure channels [32] (where no forward security is considered) while such extension is not available in Tag-KEM/DEM. 2Note that, however, streaming encryption/decryption does not necessarily allow the receiver to use a p...

- **Relaxing chosen-ciphertext security.** IACR ePrint archive. Canetti, Krawczyk, et al. Cited 1 time.
  Citation context: ...bservation applies to Bellare-Rogaway scheme [5], which is a special case of Fujisaki-Okamoto construction, and REACT-RSA [23]. 5.3 Revisiting RCCA-Secure PKE This section revisits RCCA-secure PKE in [11] and show that their construction of CCA-secure hybrid PKE from RCCA-secure PKE can be improved by following our Tag-KEM/DEM framework. The notion of RCCA-secure PKE is introduced in [11]. RCCA is a v...