Security of the KEM-DEM Paradigm

Many definitions below are taken verbatim from an upcoming new edition of The Joy of Cryptography.

1 Symmetric-key encryption

Definition 1.1 (Syntax of symmetric-key encryption)

A symmetric-key encryption (SKE) scheme consists of the following algorithms:

  • Enc\Enc: a (possibly randomized) algorithm that takes a key KK\key \in \K and plaintext MM\ptxt \in \M as input, and outputs a ciphertext CC\ctxt \in \C.

  • Dec\Dec: a deterministic algorithm that takes a key KK\key \in \K and ciphertext CC\ctxt \in \C as input, and outputs a plaintext MM\ptxt \in \M.

An SKE scheme is correct if encryption and decryption are inverses, in the following sense:

Pr[Dec(K,Enc(K,M))=M]=1, \PR{ \Dec\bigl(\key,\Enc(\key,\ptxt)\bigr) = \ptxt } = 1,

for all MM\ptxt \in \M and KK\key \in \K.

Definition 1.2 (Computational one-time secrecy)

An encryption scheme Σ\Sigma has computational one-time secrecy (cOTS) if the following two libraries are indistinguishable:

Lske-ots-realΣ\lib{ske-ots-real}^\Sigma
ske.ots.enc(M)\subname{ske.ots.enc}(\ptxt):
KΣ.K\key \gets \Sigma.\K
C:=Σ.Enc(K,M)\ctxt := \Sigma.\Enc(\key,\ptxt)
return C\ctxt
\indist
Lske-ots-randΣ\lib{ske-ots-rand}^\Sigma
ske.ots.enc(M)\subname{ske.ots.enc}(\ptxt):
CΣ.C\ctxt \gets \Sigma.\C
return C\ctxt

Note that Lske-ots-rand\lib{ske-ots-rand} does not use any information about M\ptxt, even its length! Thus, the definition is suitable when all plaintexts have a known, fixed length.

In particular, we implicitly assume that every SKE performs key generation by sampling uniformly from Σ.K\Sigma.\K.

2 Public-key encryption

Definition 2.1 (Syntax & correctness of public-key encryption)

A public-key encryption (PKE) scheme consists of the following algorithms:

  • KeyGen\KeyGen: a randomized algorithm that takes no inputs (besides the security parameter, which we never write explicitly) and outputs a key pair (PK,SK)(\pk,\sk), where PK\pk is a public key and SK\sk is a private key.

  • Enc\Enc: a randomized algorithm that takes a public key PK\pk and plaintext MM\ptxt \in \M as input and returns a ciphertext CC\ctxt\in \C.

  • Dec\Dec: a deterministic algorithm that takes a private key SK\sk and ciphertext CC\ctxt\in\C as input, and returns a plaintext MM\ptxt\in \M (or raises an error).

A PKE scheme is correct if the following program outputs true\mytrue with probability 1, for all MM\ptxt \in \M:

(PK,SK):=KeyGen()(\pk,\sk) := \KeyGen()
C:=Enc(PK,M)\ctxt := \Enc(\pk,\ptxt)
return M==Dec(SK,C)\ptxt == \Dec(\sk,\ctxt)
Definition 2.2 (CPA security for public-key encryption)

A PKE scheme Σ\Sigma has security against chosen-plaintext attacks (CPA security) if the following two libraries are indistinguishable:

Lpke-cpa-realΣ\lib{pke-cpa-real}^\Sigma
(PK,SK):=Σ.KeyGen()(\pk,\sk) := \Sigma.\KeyGen()
pke.cpa.pk()\subname{pke.cpa.pk}(\,):
return PK\pk
pke.cpa.enc(M)\subname{pke.cpa.enc}(\ptxt):
C:=Σ.Enc(PK,M)\ctxt := \Sigma.\Enc(\pk, \ptxt)
return C\ctxt
\indist
Lpke-cpa-randΣ\lib{pke-cpa-rand}^\Sigma
(PK,SK):=Σ.KeyGen()(\pk,\sk) := \Sigma.\KeyGen()
pke.cpa.pk()\subname{pke.cpa.pk}(\,):
return PK\pk
pke.cpa.enc(M)\subname{pke.cpa.enc}(\ptxt):
CΣ.C\ctxt \gets \Sigma.\C
return C\ctxt

As above, the definition is suitable when plaintexts have a known, fixed length, since pke.cpa.enc\subname{pke.cpa.enc} of Lpke-cpa-rand\lib{pke-cpa-rand} does not even use the length of M\ptxt in its computation.

3 Key encapsulation mechanisms

Definition 3.1 (Key encapsulation mechanism)

A key encapsulation mechanism (KEM) consists of the following algorithms:

  • KeyGen\KeyGen: same as in a PKE scheme, a randomized algorithm that takes no inputs and outputs a keypair (PK,SK)(\pk,\sk).

  • Encaps\Encaps: a randomized algorithm that takes only a public key PK\pk as input and returns both a ciphertext CC\ctxt\in \C and plaintext MM\ptxt\in\M.

  • Decaps\Decaps: same as in a PKE scheme, a deterministic algorithm that takes a private key SK\sk and ciphertext CC\ctxt\in\C as input, and returns a plaintext MM\ptxt\in \M (or raises an error).

A KEM is correct if the following process outputs true\mytrue with probability 1:

(PK,SK):=KeyGen()(\pk,\sk) := \KeyGen()
(C,M):=Encaps(PK)(\ctxt, \ptxt) := \Encaps(\pk)
M:=Decaps(SK,C)\ptxt' := \Decaps(\sk,\ctxt)
return M==M\ptxt == \ptxt'
Definition 3.2 (CPA security for key encapsulation)

A KEM Σ\Sigma has security against chosen-plaintext attacks (CPA security) if the following two libraries are indistinguishable:

Lkem-cpa-realΣ\lib{kem-cpa-real}^\Sigma
(PK,SK):=Σ.KeyGen()(\pk,\sk) := \Sigma.\KeyGen()
kem.cpa.pk()\subname{kem.cpa.pk}(\,):
return PK\pk
kem.cpa.enc()\subname{kem.cpa.enc}(\,):
return Σ.Encaps(PK)\Sigma.\Encaps(\pk)
\indist
Lkem-cpa-randΣ\lib{kem-cpa-rand}^\Sigma
(PK,SK):=Σ.KeyGen()(\pk,\sk) := \Sigma.\KeyGen()
kem.cpa.pk()\subname{kem.cpa.pk}(\,):
return PK\pk
kem.cpa.enc()\subname{kem.cpa.enc}(\,):
CΣ.C\ctxt \gets \Sigma.\C
MΣ.M\ptxt \gets \Sigma.\M
return (C,M)(\ctxt, \ptxt)

4 Hybrid encryption

Construction 4.1 (Hybrid encryption)

Let KEM\textsf{KEM} be a KEM scheme and DEM\textsf{DEM} be a SKE scheme, such that KEM.M=DEM.K\textsf{KEM}.\M = \textsf{DEM}.\K (i.e., KEM\textsf{KEM} payloads can be interepreted as keys in DEM\textsf{DEM}). Then hybrid encryption Hyb=Hyb[KEM,DEM]\textsf{Hyb} = \textsf{Hyb}[\textsf{KEM},\textsf{DEM}] is defined by the following algorithms:

Hyb.K=KEM.KHyb.M=DEM.MHyb.C=KEM.C×DEM.CHyb.KeyGen=KEM.KeyGen\begin{aligned} \textsf{Hyb}.\K &= \textsf{KEM}.\K \\ \textsf{Hyb}.\M &= \textsf{DEM}.\M \\ \textsf{Hyb}.\C &= \textsf{KEM}.\C \times \textsf{DEM}.\C \\[8pt] \textsf{Hyb}.\KeyGen &= \textsf{KEM}.\KeyGen \end{aligned}
Hyb.Enc(PK,M)\textsf{Hyb}.\Enc(\pk,\ptxt):
(Ckem,K)KEM.Encaps(PK)(\ctxt_{\text{kem}}, K) \gets \textsf{KEM}.\Encaps(\pk)
CdemDEM.Enc(K,M)\ctxt_{\text{dem}} \gets \textsf{DEM}.\Enc(\key,\ptxt)
return (Ckem,Cdem)(\ctxt_{\text{kem}}, \ctxt_{\text{dem}})
Hyb.Dec(SK,(Ckem,Cdem))\textsf{Hyb}.\Dec(\sk,(\ctxt_{\text{kem}},\ctxt_{\text{dem}})):
K:=KEM.Decaps(SK,Ckem)\key := \textsf{KEM}.\Decaps(\sk,\ctxt_{\text{kem}})
if K==\key == \bot: return \bot
return DEM.Dec(K,Cdem)\textsf{DEM}.\Dec(\key,\ctxt_{\text{dem}})
Claim 4.2 (Security of hybrid encryption)

If KEM\textsf{KEM} is a CPA-secure KEM and DEM\textsf{DEM} is a computational one-time secret (cOTS) SKE, then the hybrid encryption scheme Hyb=Hyb[KEM,DEM]\textsf{Hyb} = \textsf{Hyb}[\textsf{KEM},\textsf{DEM}] is a CPA-secure PKE.

Proof:

Hybrid Sequence:
The starting point is Lpke-cpa-realHyb\lib{pke-cpa-real}^{\textsf{Hyb}}.
Rewrite in a logically equivalent way so that an instance of Lkem-cpa-realKEM\lib{kem-cpa-real}^{\textsf{KEM}} appears.
KEM\textsf{KEM} is CPA-secure, so Lkem-cpa-realKEM\lib{kem-cpa-real}^{\textsf{KEM}} can be replaced by Lkem-cpa-randKEM\lib{kem-cpa-rand}^{\textsf{KEM}} with only negligible effect on the calling program.
Inline the instance of Lkem-cpa-randKEM\lib{kem-cpa-rand}^{\textsf{KEM}}.
By our assumption, KEM.M=DEM.K\textsf{KEM}.\M = \textsf{DEM}.\K.
Rewrite in a logically eqivalent way, so that an instance of Lske-ots-realDEM\lib{ske-ots-real}^{\textsf{DEM}} appears.
DEM\textsf{DEM} has cOTS security, so Lske-ots-realDEM\lib{ske-ots-real}^{\textsf{DEM}} can be replaced by Lske-ots-randDEM\lib{ske-ots-rand}^{\textsf{DEM}} with only negligible effect on the calling program.
Inline the instance of Lske-ots-randDEM\lib{ske-ots-rand}^{\textsf{DEM}}.
What remains is exactly Lpke-cpa-randHyb\lib{pke-cpa-rand}^{\textsf{Hyb}}, after suitably renaming things.
Lpke-cpa-realHyb\lib{pke-cpa-real}^{\textsf{Hyb}}
// Hyb.KeyGen()\textsf{Hyb}.\KeyGen():
(PK,SK):=(\pk,\sk) := {}
KEM.KeyGen()\textsf{KEM}.\KeyGen()
Hyb.KeyGen()\textsf{Hyb}.\KeyGen()
pke.cpa.pk( ):
return PK\pk
pke.cpa.enc(M\ptxt):
// Hyb.Enc(PK,M)\textsf{Hyb}.\Enc(\pk,\ptxt):
(Ckem,K)(\ctxt_{\text{kem}}, K)
KEM.Encaps(PK){}\gets \textsf{KEM}.\Encaps(\pk)
:=kem.cpa.enc(){}:= \subname{kem.cpa.enc}()
Cdem\ctxt_{\text{dem}}
DEM.Enc(K,M){}\gets \textsf{DEM}.\Enc(\key,\ptxt)
:=ske.ots.enc(M){}:= \subname{ske.ots.enc}(\ptxt)
DEM.C{}\gets \textsf{DEM}.\C
return (Ckem,Cdem)(\ctxt_{\text{kem}}, \ctxt_{\text{dem}})
\link
Lkem-cpa-realKEM\lib{kem-cpa-real}^{\textsf{KEM}}
(PK,SK):=KEM.KeyGen()(\pk,\sk) := \textsf{KEM}.\KeyGen()
kem.cpa.pk( ):
return PK\pk
kem.cpa.enc( ):
return KEM.Encaps(PK)\textsf{KEM}.\Encaps(\pk)
Lkem-cpa-randKEM\lib{kem-cpa-rand}^{\textsf{KEM}}
(PK,SK):=KEM.KeyGen()(\pk,\sk) := \textsf{KEM}.\KeyGen()
pke.cpa.pk( ):
return PK\pk
kem.cpa.enc( ):
CKEM.C\ctxt \gets \textsf{KEM}.\C
MKEM.M\ptxt \gets \textsf{KEM}.\M
return (C,M)(\ctxt, \ptxt)
\link
Lske-ots-realDEM\lib{ske-ots-real}^{\textsf{DEM}}
ske.ots.enc(M\ptxt):
KDEM.K\key \gets \textsf{DEM}.\K
C:=DEM.Enc(K,M)\ctxt := \textsf{DEM}.\Enc(\key,\ptxt)
return C\ctxt
Lske-ots-randDEM\lib{ske-ots-rand}^{\textsf{DEM}}
ske.ots.enc(M\ptxt):
CDEM.C\ctxt \gets \textsf{DEM}.\C
return C\ctxt