## Cryptology ePrint Archive: Report 2018/526

Towards KEM Unification

Daniel J. Bernstein and Edoardo Persichetti

Abstract: This paper highlights a particular construction of a correct KEM without failures and without ciphertext expansion from any correct deterministic PKE, and presents a simple tight proof of ROM IND-CCA2 security for the KEM assuming merely OW-CPA security for the PKE. Compared to previous proofs, this proof is simpler, and is also factored into smaller pieces that can be audited independently. In particular, this paper introduces the notion of IND-Hash'' security and shows that this allows a new separation between checking encryptions and randomizing decapsulations. The KEM is easy to implement in constant time, given a constant-time implementation of the PKE.

Category / Keywords: public-key cryptography / PKE, OW-CPA, OW-Passive, IND-Hash, rigid, KEM, IND-CCA2, ROM