Paper 2006/268

On the Equivalence of Several Security Notions of Key Encapsulation Mechanism

Waka Nagao, Yoshifumi Manabe, and Tatsuaki Okamoto


KEM (Key Encapsulation Mechanism) was introduced by Shoup to formalize the asymmetric encryption specified for key distribution in ISO standards on public-key encryption. Shoup defined the ``semantic security (IND) against adaptively chosen ciphertext attacks (CCA2)'' as a desirable security notion of KEM. This paper introduces ''non-malleability (NM)'' of KEM, a stronger security notion than IND. We provide three definitions of NM, and show that these three definitions are equivalent. We then show that NM-CCA2 KEM is equivalent to IND-CCA2 KEM. That is, we show that NM is equivalent to IND under CCA2 attacks, although NM is stronger than IND in the definition (or under some attacks like CCA1). In addition, this paper defines the universally composable (UC) security of KEM and shows that NM-CCA2 KEM is equivalent to UC KEM.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
key encapsulation mechanismnon-malleabilityuniversal composability
Contact author(s)
okamoto tatsuaki @ lab ntt co jp
2006-08-12: received
Short URL
Creative Commons Attribution


      author = {Waka Nagao and Yoshifumi Manabe and Tatsuaki Okamoto},
      title = {On the Equivalence of Several Security Notions of Key Encapsulation Mechanism},
      howpublished = {Cryptology ePrint Archive, Paper 2006/268},
      year = {2006},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.