Cryptology ePrint Archive: Report 2021/844

A note on IND-qCCA security in the ROM and its applications

Loïs Huguenin-Dumittan and Serge Vaudenay

Abstract: We show in this note that bounded KEM IND-CCA security (IND-qCCA) is easily obtained from any passively secure PKE in the (Q)ROM. That is, simply adding a confirmation hash or computing the key as the hash of the plaintext and ciphertext yields an IND-qCCA KEM. In particular, there is no need for derandomization or re-encryption as in the Fujisaki-Okamoto transform. Such KEMs could be used in the recently proposed KEMTLS protocol [ACM CCS 2020], which requires IND-1CCA ephemeral key-exchange mechanisms. We also highlight and briefly discuss several use cases of IND-1CCA KEMs in TLS and ratcheting primitives.
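As an added illustration of the two constructions the abstract describes (example code, not from the note or its authors): a Python sketch of a KEM built from a stand-in passively secure PKE, once with the key computed as the hash of plaintext and ciphertext, and once with a confirmation hash appended to the ciphertext and checked at decapsulation. The textbook ElGamal stand-in, the domain-separation labels, and the concrete choice of H'(m) as the tag and H(m) as the key are assumptions made for this example, not the paper's definitions; the parameters are toy-sized.

```python
import hashlib
import secrets

# Stand-in for "any passively secure PKE": textbook ElGamal modulo the Mersenne
# prime 2^127 - 1. Toy parameters, chosen only so the transforms below can run.
P = (1 << 127) - 1
G = 3

def pke_keygen():
    x = secrets.randbelow(P - 2) + 1             # sk in [1, P-2]
    return pow(G, x, P), x                        # (pk, sk)
def pke_encrypt(pk, m):
    r = secrets.randbelow(P - 2) + 1              # fresh randomness, never derandomized
    return pow(G, r, P), int.from_bytes(m, "big") * pow(pk, r, P) % P
def pke_decrypt(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, -sk, P) % P).to_bytes(16, "big")
def random_message():
    return secrets.randbelow(P).to_bytes(16, "big")   # group element as 16 bytes
def _h(label, *parts):
    # Domain-separated, length-prefixed SHA-256 standing in for H and H'.
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()
def _ct_bytes(c):
    return c[0].to_bytes(16, "big") + c[1].to_bytes(16, "big")

# Variant 1: key = H(m, c). The ciphertext is bound to the key only through the
# hash; decapsulation performs no re-encryption and never rejects.
def th_encaps(pk):
    m = random_message()
    c = pke_encrypt(pk, m)
    return c, _h(b"T_H", m, _ct_bytes(c))
def th_decaps(sk, c):
    return _h(b"T_H", pke_decrypt(sk, c), _ct_bytes(c))

# Variant 2: ciphertext (c, H'(m)), key = H(m). Decapsulation rejects when the
# confirmation hash does not match the decrypted plaintext.
def tch_encaps(pk):
    m = random_message()
    c = pke_encrypt(pk, m)
    return (c, _h(b"confirm", m)), _h(b"T_CH", m)
def tch_decaps(sk, ct):
    c, tag = ct
    m = pke_decrypt(sk, c)
    if not secrets.compare_digest(_h(b"confirm", m), tag):
        return None                                # reject
    return _h(b"T_CH", m)
```

In the first variant a modified ciphertext simply decapsulates to an unrelated key; in the second it is rejected outright.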

Date: received 21 Jun 2021

Contact author: lois huguenin-dumittan at epfl ch, serge vaudenay@epfl ch

Version: 20210621:193845

Short URL: ia.cr/2021/844
