A Universally Composable Secure Channel Based on the KEM-DEM Framework

  • Waka Nagao
  • Yoshifumi Manabe
  • Tatsuaki Okamoto
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3378)


For ISO standards on public-key encryption, Shoup introduced the framework of KEM (Key Encapsulation Mechanism) and DEM (Data Encapsulation Mechanism) for formalizing and realizing one-directional hybrid encryption; KEM is a formalization of asymmetric encryption specified for key distribution, and DEM is a formalization of symmetric encryption. This paper investigates a more general hybrid protocol, a secure channel, using KEM and DEM, in which KEM is used to distribute a session key and DEM, along with the session key, is used for multiple bi-directional encrypted transactions in a session. This paper shows that a KEM semantically secure against adaptively chosen ciphertext attacks (IND-CCA2) and a DEM semantically secure against adaptively chosen plaintext/ciphertext attacks (IND-P2-C2), along with secure signatures and an ideal certification authority, are sufficient to realize a universally composable (UC) secure channel. To obtain the main result, this paper also shows several equivalence results: UC KEM, IND-CCA2 KEM and NM-CCA2 (non-malleable against CCA2) KEM are equivalent, and UC DEM, IND-P2-C2 DEM and NM-P2-C2 DEM are equivalent.


Keywords: Secure Channel; Security Notion; Decryption Oracle; Hybrid Encryption; Encryption Oracle
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Waka Nagao (1)
  • Yoshifumi Manabe (1, 2)
  • Tatsuaki Okamoto (1, 2)

  1. Graduate School of Informatics, Kyoto University, Kyoto, Japan
  2. NTT Labs, Nippon Telegraph and Telephone Corporation, Yokosuka, Japan
