## Abstract

We revisit the construction of IND-CCA secure key encapsulation mechanisms (KEM) from public-key encryption schemes (PKE).

We give new, tighter security reductions for several constructions. Our

main result is a tight reduction for the security of the U 6⊥-transform of

Hofheinz, H¨ovelmanns, and Kiltz (TCC’17) which turns OW-CPA secure

deterministic PKEs into IND-CCA secure KEMs. This result is enabled

by a new one-way to hiding (O2H) lemma which gives a tighter bound

than previous O2H lemmas in certain settings and might be of independent interest. We extend this result also to the case of PKEs with non-zero decryption failure probability, partially non-injective PKEs, and non-deterministic PKEs. In addition, we analyze the impact of different variations of the U 6⊥- transform discussed in the literature on the security of the final scheme. We consider the difference between explicit (U ⊥) and implicit (U

6⊥) rejection, proving that security of the former implies security of the latter. We show that the opposite direction holds if the scheme with explicit rejection also uses key confirmation. Finally, we prove that (at least from

a theoretic point of view) security is independent of whether the session keys are derived from message and ciphertext (U 6⊥) or just from the message (U

6⊥ m)

We give new, tighter security reductions for several constructions. Our

main result is a tight reduction for the security of the U 6⊥-transform of

Hofheinz, H¨ovelmanns, and Kiltz (TCC’17) which turns OW-CPA secure

deterministic PKEs into IND-CCA secure KEMs. This result is enabled

by a new one-way to hiding (O2H) lemma which gives a tighter bound

than previous O2H lemmas in certain settings and might be of independent interest. We extend this result also to the case of PKEs with non-zero decryption failure probability, partially non-injective PKEs, and non-deterministic PKEs. In addition, we analyze the impact of different variations of the U 6⊥- transform discussed in the literature on the security of the final scheme. We consider the difference between explicit (U ⊥) and implicit (U

6⊥) rejection, proving that security of the former implies security of the latter. We show that the opposite direction holds if the scheme with explicit rejection also uses key confirmation. Finally, we prove that (at least from

a theoretic point of view) security is independent of whether the session keys are derived from message and ciphertext (U 6⊥) or just from the message (U

6⊥ m)

Original language | English |
---|---|

Number of pages | 29 |

Publication status | Published - 2019 |