Abstract
This paper presents a novel framework for the generic construction of hybrid encryption schemes which produces more efficient schemes than the ones known before. A previous framework introduced by Shoup combines a key encapsulation mechanism (KEM) and a data encryption mechanism (DEM). While it is sufficient to require both components to be secure against chosen ciphertext attacks (CCA-secure), Kurosawa and Desmedt showed a particular example of KEM that is not CCA-secure but can be securely combined with a specific type of CCA-secure DEM to obtain a more efficient, CCA-secure hybrid encryption scheme. There are also many other efficient hybrid encryption schemes in the literature that do not fit into Shoup’s framework. These facts serve as motivation to seek another framework.
The framework we propose yields more efficient hybrid schemes and, in addition, gives an insightful explanation of existing schemes that do not fit into the previous framework. Moreover, it allows immediate conversion of a class of threshold public-key encryption schemes into threshold hybrid ones without considerable overhead, which may not be possible in the previous approach.
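The following is an added worked example, not code from the paper, showing the composition the abstract describes: a Tag-KEM that takes the DEM ciphertext as its tag, so that the hybrid ciphertext (ψ, c) is rejected at decapsulation if c is altered, and the DEM itself only needs to be passively (one-time) secure. The Tag-KEM here is assembled from an ordinary KEM plus a MAC over the tag, in the spirit of the paper's KEM-plus-MAC construction; the concrete pieces (hashed ElGamal over a deliberately tiny toy group, a SHA-256 keystream as the DEM, HMAC-SHA256 as the MAC, and all function names) are this example's own assumptions and are not secure parameters.

```python
"""Tag-KEM/DEM hybrid encryption, illustrative composition only."""
import hashlib
import hmac
import secrets

# Toy group Z_p^* with p = 2^127 - 1 (a Mersenne prime).  Far too small to
# be secure; it is here only so the example runs offline with the stdlib.
# Real deployments use a standardised group or an ECDH/lattice KEM.
P = 2**127 - 1
G = 3
NBYTES = 16  # elements of Z_p fit in 16 bytes


def _i2b(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


# --- Ordinary KEM (hashed ElGamal) ----------------------------------------
def kem_gen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


def kem_encap(pk):
    r = secrets.randbelow(P - 2) + 1
    c = pow(G, r, P)
    shared = pow(pk, r, P)
    return c, hashlib.sha256(_i2b(c) + _i2b(shared)).digest()


def kem_decap(sk, c):
    if not 1 < c < P:            # reject values outside the group
        return None
    shared = pow(c, sk, P)
    return hashlib.sha256(_i2b(c) + _i2b(shared)).digest()


# --- Tag-KEM from KEM + MAC ------------------------------------------------
# The 32-byte KEM key is split: first half keys the DEM, second half keys
# an HMAC over the tag.  Encapsulation is finished only once the tag
# (in the hybrid scheme, the DEM ciphertext) is known.
def tkem_key(pk):
    c, k = kem_encap(pk)
    dem_key, mac_key = k[:16], k[16:]
    omega = (c, mac_key)         # state carried into tkem_encap
    return omega, dem_key


def tkem_encap(omega, tag: bytes):
    c, mac_key = omega
    return (c, hmac.new(mac_key, tag, hashlib.sha256).digest())


def tkem_decap(sk, psi, tag: bytes):
    c, mac = psi
    k = kem_decap(sk, c)
    if k is None:
        return None
    dem_key, mac_key = k[:16], k[16:]
    expected = hmac.new(mac_key, tag, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None              # tag was altered: never release the key
    return dem_key


# --- DEM: one-time pad from a SHA-256 keystream ---------------------------
# Passively secure only and malleable on its own; the Tag-KEM supplies the
# integrity by MACing the DEM ciphertext as the tag.
def dem_enc(key: bytes, m: bytes) -> bytes:
    blocks = (len(m) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(m, stream))


dem_dec = dem_enc                # XOR keystream is its own inverse


# --- Hybrid scheme ---------------------------------------------------------
def hybrid_enc(pk, m: bytes):
    omega, dem_key = tkem_key(pk)
    c_dem = dem_enc(dem_key, m)
    psi = tkem_encap(omega, c_dem)   # the DEM ciphertext is the tag
    return psi, c_dem


def hybrid_dec(sk, psi, c_dem: bytes):
    dem_key = tkem_decap(sk, psi, c_dem)
    if dem_key is None:
        return None
    return dem_dec(dem_key, c_dem)


def demo():
    """Round trip, then a one-bit maul of the DEM ciphertext (constructed input)."""
    pk, sk = kem_gen()
    m = b"constructed sample plaintext"
    psi, c_dem = hybrid_enc(pk, m)
    ok = hybrid_dec(sk, psi, c_dem) == m
    mauled = bytes([c_dem[0] ^ 1]) + c_dem[1:]
    rejected = hybrid_dec(sk, psi, mauled) is None
    return ok, rejected
```

With a plain KEM/DEM split, the mauled `c_dem` would decrypt under the same key to a related plaintext, which is exactly the kind of decryption query a CCA adversary exploits; binding `c_dem` into the encapsulation makes the decapsulation oracle refuse before any DEM key is released.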
References
M. Abe, Robust distributed multiplication without interaction, in Advances in Cryptology—CRYPTO’99, ed. by M. Wiener. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 130–147
M. Abe, S. Fehr, Adaptively secure Feldman VSS and applications to universally-composable threshold cryptography. IACR ePrint Archive 2004/119, June 10 2004. Preliminary version was presented in CRYPTO 2004
M. Abe, R. Gennaro, K. Kurosawa, V. Shoup, Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM, in Advances in Cryptology—EUROCRYPT 2005, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 128–146. Also available at IACR e-print 2005/027 and 2004/194
M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in First ACM Conference on Computer and Communication Security (Association for Computing Machinery, 1993), pp. 62–73
M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, in Proceedings of the 20th Annual ACM Symposium on the Theory of Computing, 1988, pp. 1–10
K. Bentahar, P. Farshim, M. Malone-Lee, N. Smart, Generic constructions of identity-based and certificateless KEMs. IACR ePrint Archive 2005/058, 2005
D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, in Advances in Cryptology—CRYPTO’98, ed. by H. Krawczyk. Lecture Notes in Computer Science, vol. 1462 (Springer, Berlin, 1998), pp. 1–12
D. Boneh, Simplified OAEP for the RSA and Rabin functions, in Advances in Cryptology—CRYPTO 2001, ed. by J. Kilian. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 275–291
D. Boneh, X. Boyen, Efficient selective-ID secure identity based encryption, in Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027 (Springer, Berlin, 2004), pp. 223–238
D. Boneh, J. Katz, Improved efficiency for CCA-secure cryptosystems built using identity-based encryption. IACR ePrint Archive 2004/261, 2004
X. Boyen, Q. Mei, B. Waters, Direct chosen ciphertext security from identity-based techniques, in ACM Conference on Computer and Communications Security (ACM, 2005), pp. 320–329. Also available at IACR e-print 2005/288
D. Boneh, X. Boyen, S. Halevi, Chosen ciphertext secure public key threshold encryption without random oracles, in Topics in Cryptology—CT-RSA 2006, ed. by T. Rabin, S. Halevi. Lecture Notes in Computer Science, vol. 3860 (Springer, Berlin, 2006), pp. 226–243
R. Canetti, S. Goldwasser, An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack, in Advances in Cryptology—EUROCRYPT’99, ed. by J. Stern. Lecture Notes in Computer Science, vol. 1592 (Springer, Berlin, 1999), pp. 90–106
R. Canetti, H. Krawczyk, J. Nielsen, Relaxing chosen-ciphertext security, in Advances in Cryptology—CRYPTO 2003, ed. by D. Boneh. Lecture Notes in Computer Science, vol. 2729 (Springer, Berlin, 2003), pp. 565–582. Also available at IACR ePrint archive 2003/174
R. Canetti, S. Halevi, J. Katz, Chosen-ciphertext security from identity-based encryption, in Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027 (Springer, Berlin, 2004), pp. 207–222
R. Cramer, V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, in Advances in Cryptology—CRYPTO’98, ed. by H. Krawczyk. Lecture Notes in Computer Science, vol. 1462 (Springer, Berlin, 1998), pp. 13–25
R. Cramer, V. Shoup, Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption, in Advances in Cryptology—EUROCRYPT 2002, ed. by L. Knudsen. Lecture Notes in Computer Science, vol. 2332 (Springer, Berlin, 2002), pp. 45–64
R. Cramer, V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
A. Dent, A designer’s guide to KEMs, in 9th IMA International Conference on Cryptography and Coding, ed. by K.G. Paterson. Lecture Notes in Computer Science, vol. 2898 (Springer, Berlin, 2003), pp. 133–151
Y.G. Desmedt, Y. Frankel, Threshold cryptosystems, in Advances in Cryptology—CRYPTO’89, ed. by G. Brassard. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 307–315
D. Dolev, C. Dwork, M. Naor, Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)
E. Fujisaki, T. Okamoto, Secure integration of asymmetric and symmetric encryption schemes, in Advances in Cryptology—CRYPTO’99, ed. by M. Wiener. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 537–554
R. Gennaro, V. Shoup, A note on an encryption scheme of Kurosawa and Desmedt. IACR ePrint Archive 2004/194, 2004
C. Gentry, How to compress Rabin ciphertexts and signatures (and more), in Advances in Cryptology—CRYPTO 2004, ed. by M. Franklin. Lecture Notes in Computer Science, vol. 3152 (Springer, Berlin, 2004), pp. 179–200
O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in Proceedings of the 19th Annual ACM Symposium on the Theory of Computing, New York City, 1987, pp. 218–229
J. Herranz, D. Hofheinz, E. Kiltz, The Kurosawa-Desmedt key encapsulation is not chosen-ciphertext secure. IACR ePrint Archive 2006/207, 2006
S. Jarecki, A. Lysyanskaya, Adaptively secure threshold cryptography: introducing concurrency, removing erasures (extended abstract), in Advances in Cryptology—EUROCRYPT 2000. Lecture Notes in Computer Science, vol. 1807 (Springer, Berlin, 2000), pp. 221–242
E. Kiltz, Chosen-ciphertext security from tag-based encryption, in Theory of Cryptography—TCC’06, ed. by S. Halevi, T. Rabin. Lecture Notes in Computer Science, vol. 3876 (Springer, Berlin, 2006), pp. 581–600
K. Kurosawa, Y. Desmedt, A new paradigm of hybrid encryption scheme, in Advances in Cryptology—CRYPTO 2004, ed. by M. Franklin. Lecture Notes in Computer Science, vol. 3152 (Springer, Berlin, 2004), pp. 426–442
P. MacKenzie, M.K. Reiter, K. Yang, Alternatives to non-malleability: definitions, constructions, and applications, in Theory of Cryptography—TCC’04, ed. by M. Naor. Lecture Notes in Computer Science, vol. 2951 (Springer, Berlin, 2004), pp. 171–190
W. Nagao, Y. Manabe, T. Okamoto, A universally composable secure channel based on the KEM-DEM framework, in Theory of Cryptography—TCC’05. Lecture Notes in Computer Science, vol. 3378 (Springer, Berlin, 2005), pp. 426–444
M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in Proceedings of the 22nd Annual ACM Symposium on the Theory of Computing, 1990, pp. 427–437
T. Okamoto, D. Pointcheval, REACT: rapid enhanced-security asymmetric cryptosystem transform, in Topics in Cryptology—CT-RSA 2001, ed. by D. Naccache. Lecture Notes in Computer Science, vol. 2020 (Springer, Berlin, 2001)
C. Rackoff, D. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in Advances in Cryptology—CRYPTO’91. Lecture Notes in Computer Science, vol. 576 (Springer, Berlin, 1992), pp. 433–444
V. Shoup, Using hash functions as a hedge against chosen ciphertext attack, in Advances in Cryptology—EUROCRYPT 2000. Lecture Notes in Computer Science, vol. 1807 (Springer, Berlin, 2000), pp. 275–288
V. Shoup, OAEP reconsidered, in Advances in Cryptology—CRYPTO 2001. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 239–259
V. Shoup, ISO 18033-2: An emerging standard for public-key encryption (committee draft). Available at http://shoup.net/iso/, June 3 2004
V. Shoup, R. Gennaro, Securing threshold cryptosystems against chosen ciphertext attack. J. Cryptol. 15(2), 75–96 (2002)
Communicated by Ronald Cramer
Cite this article
Abe, M., Gennaro, R. & Kurosawa, K. Tag-KEM/DEM: A New Framework for Hybrid Encryption. J Cryptol 21, 97–130 (2008). https://doi.org/10.1007/s00145-007-9010-x