A Constructive Perspective on Key Encapsulation

  • Sandro Coretti
  • Ueli Maurer
  • Björn Tackmann
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8260)


A key-encapsulation mechanism (KEM) is a cryptographic primitive that allows anyone in possession of some party’s public key to securely transmit a key to that party. A KEM can be viewed as a key-exchange protocol in which only a single message is transmitted; the main application is in combination with symmetric encryption to achieve public-key encryption of messages of arbitrary length.
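The KEM/DEM combination described above, as an added illustration that is not code from the paper: a hashed-ElGamal (Diffie-Hellman style) KEM over a constructed toy group, paired with an encrypt-then-MAC data-encapsulation mechanism so that a single encapsulation transports a key that then protects a message of arbitrary length. The group parameters `P` and `G`, and all function names, are assumptions made for this example; a real deployment uses a standardized group or a vetted KEM.

```python
import hashlib
import hmac
import secrets

# Toy group for the KEM. P is prime, but these are constructed illustration
# parameters with no vetted subgroup structure; do not reuse them.
P = 2**255 - 19
G = 2
ELEM_LEN = 32  # every group element fits in 32 bytes


def _int2bytes(x: int) -> bytes:
    return x.to_bytes(ELEM_LEN, "big")


def kem_keygen():
    """Receiver's key pair: secret exponent sk, public element pk = G^sk mod P."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


def kem_encaps(pk: int):
    """Sender side: fresh ephemeral exponent, output (key K, encapsulation c).
    K is hashed from c together with the shared element, so the key is bound to
    the transmitted value and the sender never chooses K directly."""
    if not 1 < pk < P - 1:
        raise ValueError("public key is not a valid group element")
    r = secrets.randbelow(P - 2) + 1
    c = pow(G, r, P)
    shared = pow(pk, r, P)
    key = hashlib.sha256(_int2bytes(c) + _int2bytes(shared)).digest()
    return key, c


def kem_decaps(sk: int, c: int) -> bytes:
    """Receiver side: recover K from c; degenerate elements are rejected first."""
    if not 1 < c < P - 1:
        raise ValueError("encapsulation is not a valid group element")
    shared = pow(c, sk, P)
    return hashlib.sha256(_int2bytes(c) + _int2bytes(shared)).digest()


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the KEM output.
    enc = hmac.new(key, b"dem-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"dem-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a PRF-based keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def dem_encrypt(key: bytes, msg: bytes) -> bytes:
    """DEM, encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(msg, _keystream(enc_key, nonce, len(msg))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def dem_decrypt(key: bytes, blob: bytes):
    """Verify the tag before decrypting; return None on any failure."""
    if len(blob) < 16 + 32:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def hybrid_encrypt(pk: int, msg: bytes):
    """Public-key encryption of an arbitrary-length message: KEM key, then DEM."""
    key, c = kem_encaps(pk)
    return c, dem_encrypt(key, msg)


def hybrid_decrypt(sk: int, c: int, blob: bytes):
    try:
        key = kem_decaps(sk, c)
    except ValueError:
        return None
    return dem_decrypt(key, blob)


if __name__ == "__main__":
    pk, sk = kem_keygen()
    c, blob = hybrid_encrypt(pk, b"constructed sample message")
    print(hybrid_decrypt(sk, c, blob))
```

The DEM key is single-use because every encapsulation yields a fresh key, which is what lets the KEM's security notion carry over to the combined scheme; the tag check rejects modified ciphertexts and mismatched keys before any plaintext is released.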

The security of KEMs is usually defined in terms of a certain game that no efficient adversary can win with non-negligible advantage. A main drawback of game-based definitions is that they often do not have clear semantics, and that the security of each higher-level protocol that makes use of KEMs needs to be proved by showing a tailor-made security reduction from breaking the security of the KEM to breaking the security of the combined protocol.

We propose a novel approach to the security and applications of KEMs, following the constructive cryptography paradigm by Maurer and Renner (ICS 2011). The goal of a KEM is to construct a resource that models a shared key available to the honest parties. This resource can be used in designing and proving higher-level protocols; the composition theorem guarantees the security of the combined protocol without the need for a specific reduction.






  1. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A Concrete Security Treatment of Symmetric Encryption. In: 38th FOCS, pp. 394–403 (1997)
  2. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations Among Notions of Security for Public-Key Encryption Schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)
  3. Buchmann, J., Düllmann, S., Williams, H.C.: On the Complexity and Efficiency of a New Key Exchange System. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 597–616. Springer, Heidelberg (1990)
  4. Buchmann, J., Williams, H.C.: A Key-Exchange System Based on Imaginary Quadratic Fields. Journal of Cryptology 1(2), 107–118 (1988)
  5. Buchmann, J., Williams, H.C.: A Key Exchange System Based on Real Quadratic Fields. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 335–343. Springer, Heidelberg (1990)
  6. Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols. Cryptology ePrint Archive, Report 2000/067 (2000)
  7. Canetti, R., Krawczyk, H.: Universally Composable Notions of Key Exchange and Secure Channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337–351. Springer, Heidelberg (2002)
  8. Coretti, S., Maurer, U., Tackmann, B.: Constructing Confidential Channels from Authenticated Channels—Public-Key Encryption Revisited. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. Springer, Heidelberg (2013)
  9. Cramer, R., Shoup, V.: Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. SIAM Journal on Computing 33, 167–226 (2001)
  10. Goldreich, O., Micali, S., Wigderson, A.: How to Play any Mental Game or A Completeness Theorem for Protocols with Honest Majority. In: 19th ACM STOC, pp. 218–229 (1987)
  11. Goldwasser, S., Micali, S., Rackoff, C.: The Knowledge Complexity of Interactive Proof-Systems (Extended Abstract). In: 17th ACM STOC, pp. 291–304 (1985)
  12. Herranz, J., Hofheinz, D., Kiltz, E.: Some (in)sufficient conditions for secure hybrid encryption. Cryptology ePrint Archive, Report 2006/265 (2006)
  13. Hofheinz, D., Shoup, V.: GNUC: A New Universal Composability Framework. Cryptology ePrint Archive, Report 2011/303 (2011)
  14. Maurer, U.: Indistinguishability of Random Systems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 110–132. Springer, Heidelberg (2002)
  15. Maurer, U.: Constructive Cryptography—A New Paradigm for Security Definitions and Proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012)
  16. Maurer, U., Renner, R.: Abstract Cryptography. In: Chazelle, B. (ed.) The Second Symposium in Innovations in Computer Science, ICS 2011, pp. 1–21. Tsinghua University Press (January 2011)
  17. Maurer, U., Rüedlinger, A., Tackmann, B.: Confidentiality and Integrity: A Constructive Perspective. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 209–229. Springer, Heidelberg (2012)
  18. Maurer, U., Schmid, P.E.: A Calculus for Security Bootstrapping in Distributed Systems. Journal of Computer Security 4(1), 55–80 (1996)
  19. Maurer, U., Tackmann, B., Coretti, S.: Key Exchange with Unilateral Authentication: Composable Security Definition and Modular Protocol Design. Cryptology ePrint Archive, Report 2013/555 (2013)
  20. Nagao, W., Manabe, Y., Okamoto, T.: A Universally Composable Secure Channel Based on the KEM-DEM Framework. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 426–444. Springer, Heidelberg (2005)
  21. Scheidler, R., Buchmann, J., Williams, H.C.: Implementation of a Key Exchange Protocol Using Some Real Quadratic Fields. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 98–109. Springer, Heidelberg (1991)
  22. Shoup, V.: A Proposal for an ISO Standard for Public Key Encryption. IACR Cryptology ePrint Archive 2001, 112 (2001)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Sandro Coretti, Department of Computer Science, ETH Zürich, Switzerland
  • Ueli Maurer, Department of Computer Science, ETH Zürich, Switzerland
  • Björn Tackmann, Department of Computer Science, ETH Zürich, Switzerland
