Paper 2018/526

Towards KEM Unification

Daniel J. Bernstein and Edoardo Persichetti

Abstract

This paper highlights a particular construction of a correct KEM without failures and without ciphertext expansion from any correct deterministic PKE, and presents a simple tight proof of ROM IND-CCA2 security for the KEM assuming merely OW-CPA security for the PKE. Compared to previous proofs, this proof is simpler, and is also factored into smaller pieces that can be audited independently. In particular, this paper introduces the notion of ``IND-Hash'' security and shows that this allows a new separation between checking encryptions and randomizing decapsulations. The KEM is easy to implement in constant time, given a constant-time implementation of the PKE.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
PKEOW-CPAOW-PassiveIND-HashrigidKEMIND-CCA2ROM
Contact author(s)
authorcontact-tightkem @ box cr yp to
History
2018-06-04: received
Short URL
https://ia.cr/2018/526
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2018/526,
      author = {Daniel J.  Bernstein and Edoardo Persichetti},
      title = {Towards KEM Unification},
      howpublished = {Cryptology ePrint Archive, Paper 2018/526},
      year = {2018},
      note = {\url{https://eprint.iacr.org/2018/526}},
      url = {https://eprint.iacr.org/2018/526}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.