On the Equivalence of Several Security Notions of Key Encapsulation Mechanism
نویسندگان
چکیده
KEM (Key Encapsulation Mechanism) was introduced by Shoup to formalize the asymmetric encryption specified for key distribution in ISO standards on public-key encryption. Shoup defined the “semantic security (IND) against adaptively chosen ciphertext attacks (CCA2)” as a desirable security notion of KEM. This paper introduces ”nonmalleability (NM)” of KEM, a stronger security notion than IND. We provide three definitions of NM, and show that these three definitions are equivalent. We then show that NM-CCA2 KEM is equivalent to IND-CCA2 KEM. That is, we show that NM is equivalent to IND under CCA2 attacks, although NM is stronger than IND in the definition (or under some attacks like CCA1). In addition, this paper defines the universally composable (UC) security of KEM and shows that NM-CCA2 KEM is equivalent to UC KEM.
منابع مشابه
On the Equivalence of Several Security Notions of KEM and DEM
KEM (Key Encapsulation Mechanism) and DEM (Data Encapsulation Mechanism) were introduced by Shoup to formalize the asymmetric encryption specified for key distribution and the symmetric encryption specified for data exchange in ISO standards on public-key encryption. Shoup defined the “semantic security (IND) against adaptive chosen ciphertext attacks (CCA2)” as a desirable security notion of K...
متن کاملSome (in)sufficient conditions for secure hybrid encryption
In hybrid public key encryption (PKE), first a key encapsulation mechanism (KEM) is used to fix a random session key that is then fed into a highly efficient data encapsulation mechanism (DEM) to encrypt the actual message. A well-known composition theorem states that if both the KEM and the DEM have a high enough level of security (i.e. security against chosenciphertext attacks), then so does ...
متن کاملKEM/DEM: Necessary and Sufficient Conditions for Secure Hybrid Encryption
The KEM/DEM hybrid encryption paradigm combines the efficiency and large message space of secret key encryption with the advantages of public key cryptography. Due to its simplicity and flexibility, the approach has ever since gained increased popularity and has been successfully adapted in encryption standards. In hybrid public key encryption (PKE), first a key encapsulation mechanism (KEM) is...
متن کاملSubtleties in Security Definitions for Predicate Encryption with Public Index
We take a critical look at established security definitions for predicate encryption (PE) with public index under chosen-plaintext attack (CPA) and under chosen-ciphertext attack (CCA). In contrast to conventional public-key encryption (PKE), security definitions for PE have to deal with user collusion which is modeled by an additional key generation oracle. We identify three different formaliz...
متن کاملProcess algebraic modeling of authentication protocols for analysis of parallel multi-session executions
Many security protocols have the aim of authenticating one agent acting as initiator to another agent acting as responder and vice versa. Sometimes, the authentication fails because of executing several parallel sessions of a protocol, and because an agent may play both the initiator and responder role in parallel sessions. We take advantage of the notion of transition systems to specify authen...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
- IACR Cryptology ePrint Archive
دوره 2006 شماره
صفحات -
تاریخ انتشار 2006