Key Encapsulation Mechanism with Tight Enhanced Security in the Multi-user Setting: Impossibility Result and Optimal Tightness

“…We also show that, by hashing its encapsulated key, a OW-ChCCA secure KEM is tightly indistinguishable against enhanced chosen-ciphertext attacks (IND-ECCA) in the ROM. IND-ECCA is a notion proposed by Han et al [HLG21] to rule out constructing Open Problems. We initiate the first step in constructing efficient lattice-based tightly secure AKE protocols.…”

“…The resulting AKE protocol, AKE in , is described as in Figure 8; • A public-key encryption scheme with simulation-based bi-selective opening security; • A key encapsulation mechanism with enhanced CCA security [HLG21]. Since it is not the main result of our paper, we postpone this application to Appendix F.…”

Lattice-Based Authenticated Key Exchange with Tight Security

“…We also show that, by hashing its encapsulated key, a OW-ChCCA secure KEM is tightly indistinguishable against enhanced chosen-ciphertext attacks (IND-ECCA) in the ROM. IND-ECCA is a notion proposed by Han et al [HLG21] to rule out constructing Open Problems. We initiate the first step in constructing efficient lattice-based tightly secure AKE protocols.…”

“…The resulting AKE protocol, AKE in , is described as in Figure 8; • A public-key encryption scheme with simulation-based bi-selective opening security; • A key encapsulation mechanism with enhanced CCA security [HLG21]. Since it is not the main result of our paper, we postpone this application to Appendix F.…”

Lattice-Based Authenticated Key Exchange with Tight Security

Key Encapsulation Mechanism with Tight Enhanced Security in the Multi-user Setting: Impossibility Result and Optimal Tightness

Tightness Subtleties for Multi-user PKE Notions