Burt;
I agree that those are definitely advantages of KEM over OAEP. However, a
number of standards (1363, PKCS#1, etc.) have already specified OAEP and
some people have already implemented it. S/MIME is currently on the -04
version of a draft that mandates OAEP with AES. Thus, without a demonstrated
weakness with OAEP I still don't see a reason to change. I don't see the
tighter bounds for KEM and the better architectural fit as being worth the
trouble of starting to specify a new encryption padding method. Doing so
will necessarily cause additional interoperability and implementation
issues. We already have an adequate replacement for PKCS #1 v1.5, why do we
need another one?
Robert.
-----Original Message-----
From: Kaliski, Burt [mailto:BKaliski(_at_)rsasecurity(_dot_)com]
Sent: Monday, May 06, 2002 2:20 PM
To: 'ietf-smime(_at_)imc(_dot_)org'
Cc: Housley, Russ; Kaliski, Burt
Subject: RE: Why KEM?, RE: Charter Update
Russ asked me to join this discussion to explain the
motivation for KEM.
(Please cc: me on further messages on this thread as I'm not
a subscriber to
the ietf-smime list.)
RSA-KEM's primary advantages over RSA-OAEP are:
1. RSA-KEM's security bounds are tighter. RSA-KEM has been
proved (in the
random oracle model) to be very close in security to the RSA problem.
RSA-OAEP has been proved (in the same model) to offer
security that grows in
proportion to the security of the RSA problem, but for
typical RSA key sizes
the provable level of security is not very high. While no
attacks faster
than solving the RSA problem are known against RSA-OAEP if it
is properly
implemented, it would be better if faster attacks could be ruled out
explicitly.
2. RSA-KEM fits better architecturally. RSA-KEM follows the
model described
by Victor Shoup, which combines a public-key "encapsulation"
operation with
a symmetric key operation, such as the AES KeyWrap. The same
symmetric key
operation can be combined with different public-key methods (RSA,
Diffie-Hellman, elliptic curve). It can also be used for wrapping a
symmetric key with another symmetric key. Thus, in future versions of
S/MIME, AES content-encryption keys can all be wrapped with
AES KeyWrap. The
only difference among the public key methods would be how the
wrapping key
is derived. RSA-OAEP, in contrast, uses a different technique
than other
public-key methods (OAEP formatting) for processing the
symmetric keys.
RSA-OAEP is still fine to use, but RSA-KEM is better. As part
of continually
improving the infrastructure, I believe it is worthwhile to introduce
support for RSA-KEM as standards are updated. Since S/MIME
implementations
are being upgraded to support AES, this is a convenient time
to introduce a
more robust public-key method as well.
-- Burt Kaliski
RSA Laboratories