On the Equivalence of Several Security Notions of KEM and DEM

KEM (Key Encapsulation Mechanism) and DEM (Data Encapsulation Mechanism) were introduced by Shoup to formalize the asymmetric encryption specified for key distribution and the symmetric encryption specified for data exchange in ISO standards on public-key encryption. Shoup defined the “semantic security (IND) against adaptive chosen ciphertext attacks (CCA2)” as a desirable security notion of KEM and DEM, that is, IND-CCA2 KEM and IND-CCA2 DEM. This paper defines “non-malleability (NM)” for KEM, which is a stronger security notion than IND. We provide three definitions of NM for KEM, and show that these three definitions are equivalent. We then show that NM-CCA2 KEM is equivalent to IND-CCA2 KEM. That is, we show that NM is equivalent to IND for KEM under CCA2 attacks, although NM is stronger than IND in the definition (or under some attacks like CCA1). In addition, this paper defines the universally composable (UC) security of KEM and DEM, and shows that IND-CCA2 KEM (or NM-CCA2 KEM) is equivalent to UC KEM and that “IND against adaptive chosen plaintext/ciphertext attacks (IND-P2-C2)” DEM is equivalent to UC DEM. key words: universal composability, KEM, DEM, ISO, IND-CCA2, NMCCA2, IND-P2-C2, NM-P2-C2