A Constructive Perspective on Key Encapsulation [chapter]

Sandro Coretti, Ueli Maurer, Björn Tackmann
2013, Lecture Notes in Computer Science
A key-encapsulation mechanism (KEM) is a cryptographic primitive that allows anyone in possession of some party's public key to securely transmit a key to that party. A KEM can be viewed as a key-exchange protocol in which only a single message is transmitted; the main application is in combination with symmetric encryption to achieve public-key encryption of messages of arbitrary length. The security of KEMs is usually defined in terms of a certain game that no efficient adversary can win with non-negligible advantage. A main drawback of game-based definitions is that they often do not have clear semantics, and that the security of each higher-level protocol that makes use of KEMs needs to be proved by showing a tailor-made security reduction from breaking the security of the KEM to breaking the security of the combined protocol. We propose a novel approach to the security and applications of KEMs, following the constructive cryptography paradigm by Maurer and Renner (ICS 2011). The goal of a KEM is to construct a resource that models a shared key available to the honest parties. This resource can be used in designing and proving higher-level protocols; the composition theorem guarantees the security of the combined protocol without the need for a specific reduction.

Introduction

Key establishment is a cryptographic primitive that allows two parties to obtain a shared secret key, which can subsequently be used in cryptographic mechanisms such as encryption schemes or message authentication codes (MACs). The most important application of key-establishment protocols is in the setup phases of protocols for secure communication, such as TLS or IPSec, but their unidirectional variant, key-encapsulation mechanisms (KEMs), is also an important building block in most practical public-key encryption schemes. In this paper, we focus on the particular case where keys are established using KEMs and only unidirectional communication. We build on [8], where public-key encryption is treated in constructive cryptography, and some parts of this work are taken from that paper.

This paper is dedicated to Johannes Buchmann on the occasion of his 60th birthday. The topic of the paper, the key-establishment problem, a fundamental problem in cryptography, is one of the areas to which he has contributed significantly (e.g., [3, 4, 5, 21]).
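The KEM-plus-symmetric-encryption application mentioned above, as an added example that is not from the paper: a textbook hashed-ElGamal KEM (one message c = g^r, key derived from g^xr) combined with an HMAC-based one-time data-encapsulation mechanism using encrypt-then-MAC, giving public-key encryption of arbitrary-length messages. The group modulus 2**127 - 1 and generator 3 are constructed illustrative parameters, not a secure choice, and all function names are my own.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (2**127 - 1 is
# prime, but this size and generator are not a secure parameter choice).
P = 2**127 - 1
G = 3

def _kdf(c, shared):
    # Bind the derived key to the encapsulation itself (hashed ElGamal style).
    return hashlib.sha256(c.to_bytes(16, "big") + shared.to_bytes(16, "big")).digest()

def keygen():
    """Receiver's key pair: secret exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def encap(pk):
    """KEM: a single message c = g^r and the key K the sender will use."""
    r = secrets.randbelow(P - 2) + 1
    c = pow(G, r, P)
    return c, _kdf(c, pow(pk, r, P))

def decap(sk, c):
    """KEM: the receiver recovers the same K from c and its secret key."""
    return _kdf(c, pow(c, sk, P))

def _keystream(enc_key, n):
    # Counter-mode keystream from HMAC-SHA256; safe here because K is used once.
    blocks = (hmac.new(enc_key, i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def dem_encrypt(k, msg):
    """DEM: encrypt-then-MAC under the one-time key K, any message length."""
    enc_key, mac_key = k[:16], k[16:]
    ct = bytes(m ^ s for m, s in zip(msg, _keystream(enc_key, len(msg))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def dem_decrypt(k, blob):
    """DEM: verify the tag first; return None on any tampering."""
    enc_key, mac_key = k[:16], k[16:]
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, len(ct))))

def pke_encrypt(pk, msg):
    """Hybrid public-key encryption: KEM ciphertext c plus DEM ciphertext."""
    c, k = encap(pk)
    return c, dem_encrypt(k, msg)

def pke_decrypt(sk, c, blob):
    """Decapsulate K from c, then decrypt the DEM part (None if tampered)."""
    return dem_decrypt(decap(sk, c), blob)
```

Because the KEM key is fresh for every encapsulation, the fixed counter in the DEM is a one-time keystream; reusing K across messages would break it.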
Security Notions for Key-Encapsulation Mechanisms

An important question for the application of KEMs is which level of KEM security is required in order for a higher-level protocol that makes use of a KEM to be secure. To define KEM security, game-based security notions for public-key encryption have been adapted to work with KEMs. A game-based definition is usually characterized by a security property that is to be maintained in the presence of an adversary launching a certain attack against the scheme in question. Both security property and attack are encoded only implicitly into the security game. As a consequence, the traditional answer to the above question is that for each protocol one needs to identify the appropriate security notion and provide a reduction proof to show that a KEM satisfying this notion yields a secure protocol. An alternative approach is to capture the semantics of a security notion by characterizing directly what it achieves, making explicit in which applications it can be used securely. The constructive cryptography framework [15, 16] was proposed with this general goal in mind. Resources such as different types of communication channels and keys are modeled explicitly, and the goal of a cryptographic protocol or scheme π is to construct a stronger or more useful resource S from an assumed resource R, denoted as R π
doi:10.1007/978-3-642-42001-6_16