Paper 2023/127

Sender-binding Key Encapsulation

Rebecca Schwerdt, Karlsruhe Institute of Technology
Laurin Benz, Karlsruhe Institute of Technology
Wasilij Beskorovajnov, Research Center for Information Technology
Sarai Eilebrecht, Research Center for Information Technology
Jörn Müller-Quade, Karlsruhe Institute of Technology
Astrid Ottenhues, Karlsruhe Institute of Technology

Secure communication is gained by combining encryption with authentication. In real-world applications encryption commonly takes the form of KEM-DEM hybrid encryption, which is combined with ideal authentication. The pivotal question is how weak the employed key encapsulation mechanism (KEM) is allowed to be to still yield universally composable (UC) secure communication when paired with symmetric encryption and ideal authentication. This question has so far been addressed for public-key encryption (PKE) only, showing that encryption does not need to be stronger than sender-binding CPA, which binds the CPA secure ciphertext non-malleably to the sender ID. For hybrid encryption, prior research unanimously reaches for CCA2 secure encryption which is unnecessarily strong. Answering this research question is vital to develop more efficient and feasible protocols for real-world secure communication and thus enable more communication to be conducted securely. In this paper we use ideas from the PKE setting to develop new answers for hybrid encryption. We develop a new and significantly weaker security notion—sender-binding CPA for KEMs—which is still strong enough for secure communication. By using game-based notions as building blocks, we attain secure communication in the form of ideal functionalities with proofs in the UC-framework. Secure communication is reached in both the classic as well as session context by adding authentication and one-time/replayable CCA secure symmetric encryption respectively. We furthermore provide an efficient post-quantum secure LWE-based construction in the standard model giving an indication of the real-world benefit resulting from our new security notion. Overall we manage to make significant progress on discovering the minimal security requirements for hybrid encryption components to facilitate secure communication.

Note: This is the full version of the paper published at PKC 2023.

Available format(s)
Public-key cryptography
Publication info
Published elsewhere. PKC 2023
IND-SB-CPAKey EncapsulationSecure CommunicationAuthenticated ChannelsUC
Contact author(s)
schwerdt @ kit edu
laurin benz @ kit edu
beskorovajnov @ fzi de
eilebrecht @ fzi de
mueller-quade @ kit edu
ottenhues @ kit edu
2023-02-07: approved
2023-02-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Rebecca Schwerdt and Laurin Benz and Wasilij Beskorovajnov and Sarai Eilebrecht and Jörn Müller-Quade and Astrid Ottenhues},
      title = {Sender-binding Key Encapsulation},
      howpublished = {Cryptology ePrint Archive, Paper 2023/127},
      year = {2023},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.