
A Universally Composable Secure Channel Based on the KEM-DEM Framework

Waka Nagao1, Yoshifumi Manabe1,2, and Tatsuaki Okamoto1,2

1 Graduate School of Informatics, Kyoto University, Yoshida-honmachi, Kyoto, 606-8501 Japan
2 NTT Labs, Nippon Telegraph and Telephone Corporation, 1-1 Hikari-no-oka Yokosuka, 239-0847 Japan

Abstract. For ISO standards on public-key encryption, Shoup introduced the framework of KEM (Key Encapsulation Mechanism) and DEM (Data Encapsulation Mechanism) for formalizing and realizing one-directional hybrid encryption; KEM is a formalization of asymmetric encryption specialized for key distribution, and DEM is a formalization of symmetric encryption. This paper investigates a more general hybrid protocol, a secure channel, using KEM and DEM, such that KEM is used for distribution of a session key and DEM, with the session key, is used for multiple bi-directional encrypted transactions in a session. This paper shows that a KEM semantically secure against adaptive chosen-ciphertext attacks (IND-CCA2) and a DEM semantically secure against adaptive chosen-plaintext/ciphertext attacks (IND-P2-C2), along with secure signatures and an ideal certification authority, are sufficient to realize a universally composable (UC) secure channel. To obtain the main result, this paper also shows several equivalence results: UC KEM, IND-CCA2 KEM and NM-CCA2 (non-malleable against CCA2) KEM are equivalent, and UC DEM, IND-P2-C2 DEM and NM-P2-C2 DEM are equivalent.

1 Introduction

1.1 Background

Key Encapsulation Mechanism (KEM) is a key distribution mechanism for public-key cryptosystems that was proposed by Shoup for ISO standards on public-key encryption [11]. The difference between KEM and public-key encryption (PKE) is as follows: PKE's encryption procedure, on input a plaintext M and receiver R's public key PKR, outputs a ciphertext C, while KEM's encryption procedure, on input receiver R's public key PKR, outputs a ciphertext C and a key K, where C is sent to R and K is kept secret by the sender and employed in the subsequent data encryption. PKE's decryption procedure, on input C and secret key SKR, outputs the plaintext M, while KEM's decryption procedure, on input C and secret key SKR, outputs the key K. Although KEM is a mechanism for key distribution and its applications are not specified, the most typical application is hybrid encryption, where a key shared via a KEM is employed for symmetric-key encryption. Shoup also formulated symmetric-key encryption as the Data Encapsulation Mechanism (DEM) [11].

J. Kilian (Ed.): TCC 2005, LNCS 3378, pp. 426–444, 2005. © Springer-Verlag Berlin Heidelberg 2005

Shoup defined the security notion "indistinguishable (semantically secure) against adaptive chosen-ciphertext attacks" for KEM and for DEM (we call them IND-CCA2-KEM and IND-CCA2-DEM, respectively), and showed that hybrid encryption (HPKE) implemented by combining a KEM with IND-CCA2-KEM and a DEM with IND-CCA2-DEM is a PKE with IND-CCA2-PKE [8, 11].1

Since the KEM-DEM hybrid encryption specified by Shoup is one-directional (i.e., equivalent to public-key encryption in functionality), it is applicable to secure email and single-direction transactions. However, in many secure protocols (e.g., SSL, IPSec, SSH), asymmetric and symmetric encryption schemes are employed in a different manner, as a secure channel: an asymmetric encryption scheme is used for distribution of a session key, while a symmetric encryption scheme with the session key is used for many bi-directional encrypted transactions in a session.

The KEM-DEM framework can be modified for such a hybrid usage, a secure channel: KEM is used for distribution of a session key, and DEM with the session key is used for secure communication in a session. Since the KEM-DEM framework will be standardized in the near future, it is promising to employ the modified KEM-DEM framework above to realize a secure channel. However, no research has been done on the security requirements of KEM and DEM under which a secure channel based on the modified KEM-DEM framework guarantees a sufficient level of security, although a KEM with IND-CCA2-KEM and a DEM with IND-CCA2-DEM have been shown to be sufficient for an IND-CCA2-PKE single-directional KEM-DEM hybrid scheme [8, 11]. That is, we have the following problems:

– What are the security requirements of KEM and DEM for constructing a secure channel?
– How should a satisfactory level of security of a secure channel be defined? (It cannot be characterized by public-key encryption alone, but requires a more complicated security definition.)

1.2 Our Results

This paper answers the problems above:

– This paper shows that a KEM with IND-CCA2-KEM and a DEM with IND-P2-C2-DEM, along with secure signatures and an ideal certification authority, are sufficient to realize a universally composable secure channel.
– We follow the definition of a universally composable secure channel by Canetti and Krawczyk [6]. There are two major merits in using the universal composability paradigm. First, the paradigm provides a clear and unified (or standard) approach to defining the security of any cryptographic functionality, including a secure channel. Second, our concrete construction of a secure channel based on the KEM-DEM framework guarantees not only stand-alone security but also universally composable security. Since a secure protocol like SSL, IPSec or SSH is often employed as an element of a large-scale security system, the universal composability of such a protocol is especially important.

In order to obtain the main result above, we first show that UC KEM, IND-CCA2 KEM and NM-CCA2 KEM are equivalent, and that UC DEM, IND-P2-C2 DEM and NM-P2-C2 DEM are equivalent. We then show that UC KEM and UC DEM, together with UC signatures and an ideal certification authority, are sufficient for realizing a UC secure channel. Although in this paper we consider only protocols for a single session, the same result for the multi-session case is obtained automatically via UC with joint state (JUC) [7].

1 Originally, the notion of IND-CCA2 was defined for PKE. The way of providing analogous definitions and using the same name, "indistinguishable (semantically secure) against adaptive chosen-ciphertext attacks", for KEM and DEM follows [8]. In this paper, however, we explicitly distinguish them by the terms IND-CCA2-PKE, IND-CCA2-KEM and IND-CCA2-DEM.

1.3 Related Work

Canetti and Krawczyk [6] showed a UC secure channel protocol consisting of an authenticated Diffie-Hellman key exchange scheme, a message authentication code and a pseudorandom generator. Accordingly, their result is specific to that construction. Our result is based on the general notions of KEM, DEM and signatures, not on any specific scheme. The equivalence of UC PKE and IND-CCA2 PKE has been suggested by Canetti [3], and the equivalence of NM-CCA2 PKE and IND-CCA2 PKE has been shown by Bellare et al. [1, 2]. The relationships among several security notions of symmetric encryption have been investigated by Katz and Yung [10]. However, no results have been reported on the equivalence among UC KEM, IND-CCA2 KEM and NM-CCA2 KEM, nor among UC DEM, IND-CCA2 DEM and NM-CCA2 DEM.
2 The KEM-DEM Framework

We describe probabilistic algorithms and experiments with standard notation and conventions. For a probabilistic algorithm A, A(x1, x2, · · · ; r) is the result of running A on inputs x1, x2, · · · and coins r. We let y ← A(x1, x2, · · · ) denote the experiment of picking r at random and letting y equal the output of A(x1, x2, · · · ; r). If S is a finite set, then x ← S denotes the experiment of assigning to x an element chosen uniformly from S. If α is neither an algorithm nor a set, then x ← α indicates that we assign α to x. We say that y can be output by A(x1, x2, · · · ) if there is some r such that A(x1, x2, · · · ; r) = y.

2.1 Key Encapsulation Mechanism

Formally, a key encapsulation mechanism KEM is given by the triple of algorithms KEM.KeyGen(), KEM.Encrypt(pk, options) and KEM.Decrypt(sk, C0), where:

1. KEM.KeyGen(), the key generation algorithm, is a probabilistic polynomial-time algorithm that takes a security parameter k ∈ N (provided in unary) and returns a pair (pk, sk) of matching public and secret keys.
2. KEM.Encrypt(pk, options), the encryption algorithm, is a probabilistic polynomial-time algorithm that takes as input a public key pk, along with an optional options argument, and outputs a key/ciphertext pair (K, C0). The role of options is analogous to that in public-key encryption.
3. KEM.Decrypt(sk, C0), the decryption algorithm, is a deterministic polynomial-time algorithm that takes as input a secret key sk and a ciphertext C0, and outputs a key K or the special symbol ⊥ (⊥ means that the ciphertext was invalid).

We require that for all (pk, sk) output by KEM.KeyGen(1^k) and for all (K, C0) output by KEM.Encrypt(pk, options), KEM.Decrypt(sk, C0) = K. The length |K| of the key output by KEM.Encrypt and KEM.Decrypt is denoted KEM.OutputKeyLen.

A function ǫ : N → R is negligible if for every constant c ≥ 0 there exists an integer kc such that ǫ(k) ≤ k^{−c} for all k ≥ kc. We write vectors in boldface, as in x. We denote the number of components of x by |x| and the i-th component by x[i], so that x = (x[1], · · · , x[|x|]). We write x ∈ x or x ∉ x to mean, respectively, that x is or is not in the set {x[i] : 1 ≤ i ≤ |x|}. Such notation gives convenient descriptions. For example, we simply write x ← KEM.Decrypt(sk, y) as shorthand for: for 1 ≤ i ≤ |y| do x[i] ← KEM.Decrypt(sk, y[i]). We will consider relations of arity t, where t is polynomial in the security parameter k. Rather than writing R(x1, · · · , xt) we write R(x, x), meaning that the first argument is special and the rest are bunched into a vector x with |x| = t − 1.

Attack Types of KEM. We consider the following three attack types for KEM. First, CPA (Chosen Plaintext Attack): the adversary has access only to the encryption oracle, not to the decryption oracle. Second, CCA1 (Chosen Ciphertext Attack): the adversary has access to both the encryption and the decryption oracle, but may not query the decryption o1racle after obtaining the target ciphertext. Third, CCA2 (Adaptive Chosen Ciphertext Attack): the adversary has access to both oracles even after obtaining the target ciphertext.

Indistinguishability of KEM. We use IND-ATK-KEM for the security notion of indistinguishability of KEM against ATK ∈ {CPA, CCA1, CCA2} [11]. We restate IND-CCA2-KEM by considering the following attack scenario. First, the key generation algorithm is run to generate the public and private key for the protocol. The adversary gets the public key, but not the private key.
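As an added illustration (this is not code from the paper), the following Python implements a KEM with exactly the three-algorithm interface above: a hashed Diffie-Hellman KEM in the style of the ECIES-KEM/PSEC-KEM family from Shoup's ISO proposal, over the RFC 3526 2048-bit MODP group, with the key derived by hashing the ciphertext together with the DH value. `kem_decrypt` returns ⊥ (`None`) for ciphertexts that are not valid group elements, as item 3 allows. The same block encodes the real-or-random IND-ATK-KEM experiment described in the following paragraphs as a harness: the adversary receives pk, may call the decryption oracle before and after the challenge on any C0 ≠ C0*, and outputs a guess b̂. The group constant is copied here and should be verified against the RFC; the 32-byte output length, the SHA-256 KDF and all function and class names are this example's own choices. Hashed DH of this kind is IND-CCA2 only in the random-oracle model under a gap/strong Diffie-Hellman assumption.

```python
"""Added example (not from the paper): a hashed Diffie-Hellman KEM with the
KEM.KeyGen / KEM.Encrypt / KEM.Decrypt syntax of Section 2.1, and the real-or-random
IND-CCA2-KEM experiment as a harness into which an adversary can be plugged."""
import hashlib
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2; p is a safe prime with q = (p - 1) / 2.
# Constant copied here by hand: verify it against the RFC before reusing this code.
P = int("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
""".replace("\n", ""), 16)
G = 2
Q = (P - 1) // 2
NBYTES = 256                 # fixed-length encoding of a group element (2048 bits)
KEM_OUTPUT_KEY_LEN = 32      # KEM.OutputKeyLen in bytes (chosen for this example)


def _kdf(C0, shared):
    """K = H(C0 || pk^r): hashing the ciphertext in with the DH value ties K to this C0."""
    return hashlib.sha256(C0 + shared).digest()[:KEM_OUTPUT_KEY_LEN]


def kem_keygen():
    """KEM.KeyGen(): sk uniform in [1, q - 1], pk = g^sk mod p. Returns (pk, sk)."""
    sk = 1 + secrets.randbelow(Q - 1)
    return pow(G, sk, P), sk


def kem_encrypt(pk):
    """KEM.Encrypt(pk) -> (K, C0) with C0 = g^r and K = H(C0 || pk^r)."""
    r = 1 + secrets.randbelow(Q - 1)
    C0 = pow(G, r, P).to_bytes(NBYTES, "big")
    shared = pow(pk, r, P).to_bytes(NBYTES, "big")
    return _kdf(C0, shared), C0


def kem_decrypt(sk, C0):
    """KEM.Decrypt(sk, C0) -> K, or None (the paper's ⊥) when C0 is not a valid ciphertext."""
    if len(C0) != NBYTES:
        return None
    u = int.from_bytes(C0, "big")
    # Reject 0, 1, p - 1 and anything outside the order-q subgroup (small-subgroup defence).
    if not (1 < u < P - 1) or pow(u, Q, P) != 1:
        return None
    shared = pow(u, sk, P).to_bytes(NBYTES, "big")
    return _kdf(C0, shared)


class IndCca2KemGame:
    """The IND-CCA2-KEM experiment: one real-or-random challenge, plus a decryption oracle
    the adversary may call before and after the challenge on any C0 except C0* itself."""

    def __init__(self):
        self.pk, self._sk = kem_keygen()
        self._b = secrets.randbelow(2)
        self.challenge = None

    def encryption_oracle(self):
        """Returns (K*, C0*) if b = 0 and (K~, C0*) with K~ uniformly random if b = 1."""
        K_star, C0_star = kem_encrypt(self.pk)
        K_tilde = secrets.token_bytes(KEM_OUTPUT_KEY_LEN)
        self.challenge = C0_star
        return (K_star if self._b == 0 else K_tilde), C0_star

    def decryption_oracle(self, C0):
        if C0 == self.challenge:
            raise PermissionError("CCA2 rule: the challenge ciphertext may not be decrypted")
        return kem_decrypt(self._sk, C0)

    def finish(self, b_hat):
        """True iff the adversary's guess b^ equals b."""
        return b_hat == self._b


def empirical_advantage(adversary, trials=20):
    """Estimate |Pr[b^ = b] - 1/2| for `adversary`, a callable taking a game and returning b^."""
    wins = 0
    for _ in range(trials):
        game = IndCca2KemGame()
        wins += game.finish(adversary(game))
    return abs(wins / trials - 0.5)


def lazy_adversary(game):
    """Uses both oracles legally but cannot beat guessing: it checks that an encapsulation of
    its own decrypts consistently under pk (allowed, since C0_2 != C0*), then guesses b^ = 0."""
    _K_b, _C0_star = game.encryption_oracle()
    K2, C0_2 = kem_encrypt(game.pk)
    assert game.decryption_oracle(C0_2) == K2
    return 0


if __name__ == "__main__":
    pk, sk = kem_keygen()
    K, C0 = kem_encrypt(pk)
    assert kem_decrypt(sk, C0) == K              # the correctness requirement above
    print("empirical advantage of lazy_adversary:", empirical_advantage(lazy_adversary))
```

The subgroup test in `kem_decrypt` is what lets the decryption oracle be exposed safely: without it, an adversary could submit elements of the order-2 subgroup or malformed encodings and learn about sk from the oracle's answers, which is exactly the CCA2 power the game grants.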
Secondly, the adversary generates queries (plaintexts/ciphertexts) and sends them to the encryption/decryption oracle. Each oracle encrypts/decrypts the queries and returns the resulting ciphertexts/plaintexts to the adversary. If an algorithm fails, the adversary is informed of this, and the attack continues. Thirdly, the encryption oracle does the following:

1. Runs the encryption algorithm, generating a pair (K*, C0*).
2. Generates a random string K̃ of length KEM.OutputKeyLen.
3. Chooses b ∈ {0, 1} at random.
4. If b = 0, outputs (K*, C0*); otherwise outputs (K̃, C0*).

Fourth, the adversary generates plaintexts/ciphertexts to get information from each oracle, under the condition that any ciphertext C0 it submits to the decryption oracle satisfies C0 ≠ C0*. Finally, the adversary outputs b̂ ∈ {0, 1}.

Let ΠKEM = (KEM.KeyGen, KEM.Encrypt, KEM.Decrypt) be a KEM and let A be an adversary. The advantage of A against ΠKEM in the sense of IND-ATK is defined as

$$\mathrm{Adv}^{\mathrm{IND\text{-}ATK}}_{A,\Pi_{\mathrm{KEM}}}(k) = \Bigl|\Pr[\hat{b} = b] - \tfrac{1}{2}\Bigr|.$$

ΠKEM is secure in the sense of IND-ATK if $\mathrm{Adv}^{\mathrm{IND\text{-}ATK}}_{A,\Pi_{\mathrm{KEM}}}(k)$ is negligible for any PPT adversary A.

Non-malleability of KEM. We state the formal definition of non-malleability for KEM in Fig. 1, following [1], which we call NM-KEM. We use NM-ATK-KEM for the security notion of non-malleability of KEM against ATK ∈ {CPA, CCA1, CCA2}. Let A = (A1, A2) be an adversary. (We state two more definitions in the full paper version.)

$$\mathrm{Adv}^{\mathrm{NM\text{-}ATK}}_{A,\Pi_{\mathrm{KEM}}}(k) \equiv \Pr\bigl[\mathrm{Expt}^{\mathrm{NM\text{-}ATK}}_{A,\Pi_{\mathrm{KEM}}}(k) = 1\bigr] - \Pr\bigl[\widetilde{\mathrm{Expt}}^{\mathrm{NM\text{-}ATK}}_{A,\Pi_{\mathrm{KEM}}}(k) = 1\bigr]$$

where

$$\begin{array}{l}
\mathrm{Expt}^{\mathrm{NM\text{-}ATK}}_{A,\Pi_{\mathrm{KEM}}}(k): \\
\quad (pk, sk) \leftarrow \mathrm{KEM.KeyGen}(1^k) \\
\quad (\mathcal{K}, s) \leftarrow A_1^{O_1}(pk) \\
\quad (K^*, C_0^*) \leftarrow \mathrm{KEM.Encrypt}(pk) \;\wedge\; K^* \in \mathcal{K} \\
\quad (R, \mathbf{C}_0) \leftarrow A_2^{O_2}(s, C_0^*) \\
\quad \mathbf{K} \leftarrow \mathrm{KEM.Decrypt}(sk, \mathbf{C}_0) \\
\quad \text{return } 1 \text{ iff } (C_0^* \notin \mathbf{C}_0) \wedge R(K^*, \mathbf{K})
\end{array}$$

$$\begin{array}{l}
\widetilde{\mathrm{Expt}}^{\mathrm{NM\text{-}ATK}}_{A,\Pi_{\mathrm{KEM}}}(k): \\
\quad (pk, sk) \leftarrow \mathrm{KEM.KeyGen}(1^k) \\
\quad (\mathcal{K}, s) \leftarrow A_1^{O_1}(pk) \\
\quad K^* \leftarrow \mathcal{K} \\
\quad (\tilde{K}, \tilde{C}_0) \leftarrow \mathrm{KEM.Encrypt}(pk) \;\wedge\; \tilde{K} \in \mathcal{K} \\
\quad (R, \tilde{\mathbf{C}}_0) \leftarrow A_2^{O_2}(s, \tilde{C}_0) \\
\quad \tilde{\mathbf{K}} \leftarrow \mathrm{KEM.Decrypt}(sk, \tilde{\mathbf{C}}_0) \\
\quad \text{return } 1 \text{ iff } (\tilde{C}_0 \notin \tilde{\mathbf{C}}_0) \wedge R(K^*, \tilde{\mathbf{K}})
\end{array}$$

and: if ATK = CPA then O1 = ε and O2 = ε; if ATK = CCA1 then O1 = KEM.Decrypt(sk, ·) and O2 = ε; if ATK = CCA2 then O1 = KEM.Decrypt(sk, ·) and O2 = KEM.Decrypt(sk, ·).

Fig. 1. NM-KEM Definition

ΠKEM is secure in the sense of NM-ATK-KEM, where ATK ∈ {CPA, CCA1, CCA2}, if for every polynomial p(k) and every adversary A that runs in time p(k), outputs a valid key space 𝒦 in time p(k), and outputs a relation R computable in time p(k), the advantage $\mathrm{Adv}^{\mathrm{NM\text{-}ATK}}_{A,\Pi_{\mathrm{KEM}}}(k)$ is negligible. We insist that the adversary is unsuccessful if some ciphertext C0[i] does not have a valid decryption (that is, ⊥ ∈ K).

Equivalence Results. We can obtain the equivalence of all three formal definitions; in particular, the following Theorem 1 relates IND-CCA2-KEM and NM-CCA2-KEM. (See the full paper version for details and proofs.)

Theorem 1. (IND-CCA2-KEM ⇔ NM-CCA2-KEM) A KEM ΠKEM is secure in the sense of IND-CCA2-KEM if and only if ΠKEM is secure in the sense of NM-CCA2-KEM.

2.2 Data Encapsulation Mechanism

Formally, a data encapsulation mechanism DEM is given by a pair of algorithms DEM.Encrypt(K, M) and DEM.Decrypt(K, C), where:

1. The encryption algorithm DEM.Encrypt(K, M) takes as input a secret key K and a plaintext M. It outputs a ciphertext C. Here K, M and C are byte strings, M may have arbitrary length, and the length of K is DEM.KeyLen.
2. The decryption algorithm DEM.Decrypt(K, C) takes as input a secret key K and a ciphertext C. It outputs a plaintext M.
DEM must satisfy soundness: DEM.Decrypt(K, DEM.Encrypt(K, M)) = M.

Attack Types of DEM. We consider the following six attack types for DEM. The first three concern access to the encryption oracle. P0 is the attack type with no access to the encryption oracle. P1 (Chosen Plaintext Attack) is the attack type with access to the encryption oracle, but not after the adversary obtains the target ciphertext. P2 (Adaptive Chosen Plaintext Attack) is the attack type in which the adversary may access the encryption oracle even after obtaining the target ciphertext. The last three concern access to the decryption oracle. C0 is the attack type with no access to the decryption oracle. C1 (Chosen Ciphertext Attack) is the attack type with access to the decryption oracle, but not after the adversary obtains the target ciphertext. C2 (Adaptive Chosen Ciphertext Attack) is the attack type in which the adversary may access the decryption oracle even after obtaining the target ciphertext.

Indistinguishability of DEM. We state the formal definition of indistinguishability for DEM in Fig. 2, following [10], which we call IND-DEM. We use IND-PX-CY-DEM for the security notion of indistinguishability of DEM against attack type PX-CY with X, Y ∈ {0, 1, 2}. Let ΠDEM = (DEM.Encrypt, DEM.Decrypt) be an encryption scheme over message space M and let A = (A1, A2) be an adversary. We insist that A1(1^k) outputs x0, x1 ∈ M with |x0| = |x1|, where k is the security parameter. Furthermore, when Y = 2, we insist that A2 does not ask for the decryption of the challenge ciphertext y. ΠDEM is secure in the sense of IND-PX-CY for X, Y ∈ {0, 1, 2} if $\mathrm{Adv}^{\mathrm{IND\text{-}PX\text{-}CY}}_{A,\Pi_{\mathrm{DEM}}}(\cdot)$ is negligible for any PPT adversary A, where

$$\mathrm{Adv}^{\mathrm{IND\text{-}PX\text{-}CY}}_{A,\Pi_{\mathrm{DEM}}}(k) \equiv 2 \cdot \Pr\bigl[\mathrm{Expt}^{\mathrm{IND\text{-}PX\text{-}CY}}_{A,\Pi_{\mathrm{DEM}}}(k) = 1\bigr] - 1$$

and

$$\begin{array}{l}
\mathrm{Expt}^{\mathrm{IND\text{-}PX\text{-}CY}}_{A,\Pi_{\mathrm{DEM}}}(k): \\
\quad K \leftarrow \{0,1\}^k;\ (x_0, x_1, s) \leftarrow A_1^{O_1, O_1'}(1^k);\ b \leftarrow \{0,1\};\ y \leftarrow \mathrm{DEM.Encrypt}(K, x_b); \\
\quad g \leftarrow A_2^{O_2, O_2'}(1^k, s, y);\ \text{return } 1 \text{ iff } g = b
\end{array}$$

with: if X = 0 then O1(·) = ε and O2(·) = ε; if X = 1 then O1(·) = DEM.Encrypt(K, ·) and O2(·) = ε; if X = 2 then O1(·) = DEM.Encrypt(K, ·) and O2(·) = DEM.Encrypt(K, ·); if Y = 0 then O1′(·) = ε and O2′(·) = ε; if Y = 1 then O1′(·) = DEM.Decrypt(K, ·) and O2′(·) = ε; if Y = 2 then O1′(·) = DEM.Decrypt(K, ·) and O2′(·) = DEM.Decrypt(K, ·).

Fig. 2. IND-DEM Definition

Non-malleability of DEM. We state the formal definition of non-malleability for DEM in Fig. 3, following Bellare [2] and Katz [10], which we call NM-DEM. We use NM-PX-CY-DEM for the security notion of non-malleability of DEM for X, Y ∈ {0, 1, 2}. In Fig. 3, M is a distribution over messages, R is some relation and k is the security parameter. We require that |x| = |x′| for all x, x′ in the support of M. We also require that the vector of ciphertexts y output by A2 be non-empty. Furthermore, when Y = 2, we insist that A2 does not ask for the decryption of y.

$$\mathrm{Adv}^{\mathrm{NM\text{-}PX\text{-}CY}}_{A,\Pi_{\mathrm{DEM}}}(k) \equiv \Pr\bigl[\mathrm{Expt}^{\mathrm{NM\text{-}PX\text{-}CY}}_{A,\Pi_{\mathrm{DEM}}}(k) = 1\bigr] - \Pr\bigl[\widetilde{\mathrm{Expt}}^{\mathrm{NM\text{-}PX\text{-}CY}}_{A,\Pi_{\mathrm{DEM}}}(k) = 1\bigr]$$

where

$$\begin{array}{l}
\mathrm{Expt}^{\mathrm{NM\text{-}PX\text{-}CY}}_{A,\Pi_{\mathrm{DEM}}}(k): \\
\quad K \leftarrow \{0,1\}^k \\
\quad (M, s) \leftarrow A_1^{O_1, O_1'}(1^k) \\
\quad x \leftarrow M \\
\quad y \leftarrow \mathrm{DEM.Encrypt}(K, x) \\
\quad (R, \mathbf{y}) \leftarrow A_2^{O_2, O_2'}(s, y) \\
\quad \mathbf{x} \leftarrow \mathrm{DEM.Decrypt}(K, \mathbf{y}) \\
\quad \text{return } 1 \text{ iff } (y \notin \mathbf{y}) \wedge R(x, \mathbf{x})
\end{array}$$

$$\begin{array}{l}
\widetilde{\mathrm{Expt}}^{\mathrm{NM\text{-}PX\text{-}CY}}_{A,\Pi_{\mathrm{DEM}}}(k): \\
\quad K \leftarrow \{0,1\}^k \\
\quad (M, s) \leftarrow A_1^{O_1, O_1'}(1^k) \\
\quad (x, \tilde{x}) \leftarrow M \\
\quad \tilde{y} \leftarrow \mathrm{DEM.Encrypt}(K, \tilde{x}) \\
\quad (R, \tilde{\mathbf{y}}) \leftarrow A_2^{O_2, O_2'}(s, \tilde{y}) \\
\quad \tilde{\mathbf{x}} \leftarrow \mathrm{DEM.Decrypt}(K, \tilde{\mathbf{y}}) \\
\quad \text{return } 1 \text{ iff } (\tilde{y} \notin \tilde{\mathbf{y}}) \wedge R(x, \tilde{\mathbf{x}})
\end{array}$$

with the oracles O1, O2, O1′, O2′ defined by X and Y exactly as in Fig. 2.

Fig. 3. NM-DEM Definition

ΠDEM is secure in the sense of NM-PX-CY for X, Y ∈ {0, 1, 2} if $\mathrm{Adv}^{\mathrm{NM\text{-}PX\text{-}CY}}_{A,\Pi_{\mathrm{DEM}}}(k)$ is negligible for any PPT adversary A.

The two security notions of DEM above yield the following Theorem 2. (The proof is in the full paper version.)

Theorem 2. (NM-P2-C2-DEM ⇔ IND-P2-C2-DEM) An encryption scheme ΠDEM is secure in the sense of NM-P2-C2 if and only if ΠDEM is secure in the sense of IND-P2-C2.

3 Universally Composable KEM Is Equivalent to IND-CCA2 KEM

3.1 The Key Encapsulation Mechanism Functionality FKEM

We define the key encapsulation mechanism (KEM) functionality FKEM in Fig. 4. FKEM provides KEM key generation, KEM encryption and KEM decryption. Note that there is no functionality for data transmission between parties in FKEM.

3.2 UC KEM Is Equivalent to IND-CCA2 KEM

Let KEM = (KEM.KeyGen, KEM.Encrypt, KEM.Decrypt) be a key encapsulation mechanism. Consider the following transformation from KEM to a protocol πKEM constructed to realize FKEM:

1. Upon input (KEM.KeyGen, sid) within some party Pj, Pj obtains the public key pk and secret key sk by running KEM.KeyGen(), then outputs (KEM Key, sid, pk).
2. Upon input (KEM.Encrypt, sid, pk′) within some party Pi, Pi obtains a key/ciphertext pair (K*, C0*) by running KEM.Encrypt(pk′) and outputs (Encrypted Shared Key, sid, pk′, K*, C0*). (Note that pk′ = pk does not necessarily hold.)
3. Upon input (KEM.Decrypt, sid, C0*) within Pj, Pj obtains K* = KEM.Decrypt(sk, C0*) and outputs (Shared Key, sid, K*).

Theorem 3. πKEM securely realizes FKEM with respect to non-adaptive adversaries if and only if KEM is indistinguishable against adaptive chosen ciphertext attacks (IND-CCA2 KEM).

Proof.
Functionality FKEM

FKEM proceeds as follows, running with parties P1, . . . , Pn and an adversary S.

KEM.KeyGen: In the first activation, expect to receive (KEM.KeyGen, sid) from some party Pj. Then,
1. Send (KEM.KeyGen, sid) to S.
2. Upon receiving (KEM Key, sid, pk) from S, send (KEM Key, sid, pk) to Pj.
3. If this is the first activation then record the pair (Pj, pk); otherwise pk is discarded.

KEM.Encrypt: Upon receiving (KEM.Encrypt, sid, pk′) from some party Pi, proceed as follows:
– If pk′ = pk is recorded and Pj is not corrupted, then:
  1. Send (KEM.Encrypt, sid, pk′) to S.
  2. Receive (Encrypted Shared Key, sid, pk′, C0) from S.
  3. If C0 is already stored in memory then halt.
  4. Choose a shared key K ←R {0, 1}* at random.
  5. Send (Encrypted Shared Key, sid, pk′, K, C0) to Pi.
  6. Store the pair (K, C0) in memory.
– Otherwise (i.e., pk′ ≠ pk, or pk is not yet recorded, or Pj is corrupted):
  1. Send (KEM.Encrypt with Key, sid, pk′) to S.
  2. Receive (Encrypted Shared Key, sid, pk′, K, C0) from S.
  3. Send (Encrypted Shared Key, sid, pk′, K, C0) to Pi.

KEM.Decrypt: Upon receiving (KEM.Decrypt, sid, C0′) from Pj (and Pj only), hand (KEM.Decrypt, sid, C0′) to S. Upon receiving (Shared Key, sid, K′) from S, proceed as follows:
1. If a pair (K, C0′) exists in memory, send (Shared Key, sid, K) to Pj.
2. Otherwise, send (Shared Key, sid, K′) to Pj.

Fig. 4. The Key Encapsulation Mechanism Functionality

("only if" part) Because NM-CCA2-KEM is equivalent to IND-CCA2-KEM by Theorem 1, we prove that if KEM is not NM-CCA2-KEM secure, then πKEM does not securely realize FKEM. More precisely, we construct an environment Z and a real-life adversary A such that, for any ideal-process adversary (simulator) S, Z can tell whether it is interacting with A and πKEM or with S in the ideal process for FKEM, by using an adversary G that breaks NM-CCA2-KEM. Z proceeds as follows:

1. Activates the key receiver Pj with (KEM.KeyGen, sid), and obtains pk.
2. Activates Pi with (KEM.Encrypt, sid, pk), and obtains (K*, C0*).
3. Activates G with pk and C0*, and obtains (R, C0), where R is some relation.
4. Activates Pj with (KEM.Decrypt, sid, C0[i]) for each i, and obtains K′[i].
5. Returns 1 iff R(K*, K′).

When Z interacts with A and πKEM, Z obtains the corresponding pair (K*, C0*) in Step 2, so Z returns 1 in Step 5 whenever G succeeds. On the other hand, when Z interacts with S in the ideal process for FKEM, Z obtains a non-corresponding pair (K⋆, C0*) in Step 2, where K⋆ ←R {0, 1}* is chosen by FKEM and C0* is generated by S. For C0*, G still obtains (R, C0), but K⋆ is independent of C0* and hence of (R, C0), so R(K⋆, K′) holds only with the probability of the tilde experiment in Fig. 1, and Z outputs 1 noticeably less often than in the real-life world.

("if" part) We show that if πKEM does not securely realize FKEM, then KEM is not IND-CCA2-KEM secure. More precisely, we assume that for any simulator S there is an adversary A and an environment Z that can distinguish with non-negligible probability whether it interacts with S in the ideal process for FKEM or with parties running πKEM and the adversary A in the real-life world. Then we prove that KEM is not IND-CCA2 secure by using the distinguishing environment Z. We will show that Z can distinguish only when the receiver Pj is not corrupted. We discuss all the cases as follows.

(Case 1: Receiver Pj is corrupted.) In this case, we can construct a simulator S such that the environment Z cannot distinguish the real-life world from the ideal process. Once A corrupts Pj, the simulator S corrupts the dummy party P̃j. The sender Pi is not corrupted, that is, Pi is honest. Simulator S proceeds as follows:

1. When S receives (KEM.KeyGen, sid), it obtains (pk, sk) by running KEM.KeyGen() and returns pk to FKEM.
2. When S receives (KEM.Encrypt with Key, sid, pk), S generates a corresponding pair (K, C0) by running KEM.Encrypt(pk) and returns it to FKEM.
3. When S receives (KEM.Decrypt, sid, C0), S computes K = KEM.Decrypt(sk, C0) and returns K to FKEM.

In this case Z cannot distinguish the real world from the ideal world, because S can reconstruct the real-world view by running a simulated copy of A. Note that A may stop the protocol πKEM. Even if this happens, Z cannot distinguish the real world from the ideal world, because S can also stop the protocol.

(Case 2: Pj is not corrupted.) We look at the key and ciphertext generated by Pi in each world.

– In the real-life world, πKEM runs among the honest parties, and Pi generates a corresponding pair (K*, C0*) by running KEM.Encrypt(pk).
– In the ideal process, when Pi sends (KEM.Encrypt, sid, pk) to FKEM, FKEM obtains C0 from S and chooses the shared key K ←R {0, 1}* at random, then sends (Encrypted Shared Key, sid, pk, K, C0) to Pi. Clearly C0 is unrelated to the key K (because FKEM generates K at random).

In the real world Z obtains the corresponding pair (K*, C0*), whereas in the ideal world Z obtains the non-corresponding pair (K, C0). Consequently, this is the case in which an environment Z may distinguish the real world from the ideal world. Recall the formal setting: there are three types of messages between Z and A. That is, Z sends A a message either to corrupt parties, to report on messages sent, or to deliver some message. In this protocol, no party corruption occurs during execution since we consider non-adaptive adversaries. Furthermore, parties do not send messages to each other, so there are no requests to report on or deliver messages. Therefore, the only way S can affect the output of Z is through the communication via FKEM. As a result, S proceeds as follows:

1. When S receives a message (KEM.KeyGen, sid) from FKEM, it runs KEM.KeyGen(), obtains the public key pk and the secret key sk, and returns pk to FKEM.
2. When S receives a message (KEM.Encrypt, sid, pk) from FKEM, it generates C0 from the output of KEM.Encrypt(pk) and returns C0 to FKEM.
3. When S receives a message (KEM.Encrypt with Key, sid, pk) from FKEM, it generates (K, C0) = KEM.Encrypt(pk) and returns (K, C0) to FKEM.
4. When S receives a message (KEM.Decrypt, sid, C0) from FKEM, it obtains K = KEM.Decrypt(sk, C0) and returns K to FKEM.

We assume that there is an environment Z that can distinguish the interaction in the real-life world from that in the ideal process. We prove that we can construct an adversary F that breaks IND-CCA2-KEM by using the distinguishing environment Z. Precisely, we assume that for some input z to Z, |IDEAL_{FKEM,S,Z}(z) − REAL_{πKEM,A,Z}(z)| > σ; then we show that F correctly guesses the bit b with probability 1/2 + σ/(2l) in the CCA2 game, where l is the total number of encryption requests made by Z.

F is given a public key pk, and is allowed to query the decryption oracle and the encryption oracle. First, F chooses a number h ←R {1, . . . , l} at random. Secondly, F simulates Z on the following simulated interaction with a system running πKEM. Let Ki and C0i denote the i-th key and ciphertext that Z asks to generate in this simulation, respectively.

1. When Z activates some party Pj with (KEM.KeyGen, sid), F lets Pj output the value pk from F's input.
2. For the first h − 1 times that Z asks some party Pi to generate a shared key Ki, F lets Pi return (Ki, C0i) computed as (Ki, C0i) = KEM.Encrypt(pk).
3. The h-th time that Z asks to generate a key Kh, F queries its encryption oracle, and obtains either a corresponding pair X = (Kh, C0h) or a non-corresponding pair X = (Kh′, C0h) from the encryption oracle. F hands X to Z as the test pair.
4. For the remaining l − h times that Z asks Pi to generate a shared key Ki, F lets Pi return (Ki, C0i), where Ki ←R {0, 1}* is chosen at random and C0i is taken from the output of KEM.Encrypt(pk).
5. Whenever Z activates the decryptor Pj with (KEM.Decrypt, sid, C0) where C0 = C0i for some i, F lets Pj return the corresponding key Ki. If C0 differs from all the C0i's, then F queries C0 to its decryption oracle, obtains the value v, and lets Pj return v to Z.
6. When Z halts, F outputs whatever Z outputs and halts.

We apply a standard hybrid argument to analyze the success probability of F. Let the random variable Di denote the output of Z from an interaction that is identical to an interaction with S in the ideal process, except that the first i pairs are generated as corresponding pairs and the remaining pairs are non-corresponding. Then D0 is identical to the output of Z in the ideal process, and Dl is identical to the output of Z in the real-life world. (This follows from the fact that KEM guarantees KEM.Decrypt(sk, C0) = K for (K, C0) = KEM.Encrypt(pk); this is called "soundness".) Furthermore, in the simulation by F, if the pair that F obtains from its encryption oracle is corresponding (C0h is an encapsulation of Kh), then the output of the simulated Z has the distribution Dh; if it is non-corresponding, then the output of the simulated Z has the distribution Dh−1. Since h is uniform in {1, . . . , l}, F's guess is correct with probability at least 1/2 + σ/(2l).

As discussed above, we can construct the attacker F from the distinguishing environment Z. We conclude that if πKEM does not securely realize FKEM, then KEM is not IND-CCA2-KEM secure. □

4 Universally Composable DEM Is Equivalent to IND-P2-C2 DEM

4.1 The KEM-DEM Functionality FKEM-DEM

We define the KEM-DEM functionality FKEM-DEM in Fig. 5 and Fig. 6.
FKEM-DEM is a functionality of hybrid usage of KEM and DEM, KEM-key-generation, KEM-encryption, KEM-decryption, DEM-encryption and DEM-decryption. Information obtained in KEMencryption and KEM-decryption is transfered to DEM-encryption and DEM-decryption inside FKEM-DEM . Here note that there is no functionality of data transmission between parties in FKEM-DEM . 4.2 UC DEM Is Equivalent to IND-P2-C2 DEM First, we define a protocol πKEM-DEM in Fig.7 that is constructed on an algorithm DEM = (DEM.Encrypt, DEM.Decrypt) in the FKEM -hybrid model. We say that the underlying DEM is UC secure if and only if πKEM-DEM securely realizes FKEM-DEM in the FKEM -hybrid model. Therefore, the following theorem implies that UC DEM is equivalent to IND-P2-C2 DEM. Theorem 4. Protocol πKEM-DEM securely realizes FKEM-DEM with respect to nonadaptive adversaries in the FKEM -hybrid model if and only if DEM is indistinguishable against adaptive chosen plaintext/ciphertext attacks(IND-P2-C2 DEM). Proof. (sketch) (“only if” part) Because NM-P2-C2-DEM equals to IND-P2-C2-DEM by Theorem 2, we prove that if πDEM is not NM-P2-C2-DEM secure, then πKEM-DEM does not securely realize FKEM-DEM in the FKEM - hybrid model. More details, we prove that we can construct an environment Z and a real life adversary A such that for any ideal process adversary (simulator) S, Z can tell whether it is interacting with A and πKEM-DEM or with S in the ideal process for FKEM-DEM by using the adversary which breaks NM-P2-C2-DEM. Note that A corrupts no party and Z sends no messages to A. We assume that there exists a successful attacker G for πDEM in the sense of NMP2-C2-DEM. Environment Z proceeds as usual, except that Z runs a copy of G. Z proceeds as above, except that Z runs a simulated copy of G. For more details: 1. Activates key receiver Pj with (KEM.KeyGen, sid), then obtains pk. 2. Activates key encrypter Pi with (KEM.Encrypt, sid, pk), then obtains C0 ∗ . 3. Activates Pj with (KEM.Decrypt, sid, C0 ). 
4. Activates message encrypter Pi with (DEM.Encrypt, sid, m), then obtains c.
5. Activates G on c, obtains (R, c), where R is some relation and c is a vector of ciphertexts.
6. Activates Pj with (DEM.Decrypt, sid, c[i]) for each i, and obtains m′[i].
7. Returns 1 iff R(m, m′).

Functionality FKEM-DEM
FKEM-DEM proceeds as follows, running with parties P1, ..., Pn and an adversary S.
KEM.KeyGen: In the first activation, expect to receive (KEM.KeyGen, sid) from some party Pj. Then,
  1. Send (KEM.KeyGen, sid) to S.
  2. Upon receiving (KEM Key, sid, pk) from S, send (KEM Key, sid, pk) to Pj.
KEM.Encrypt: Upon receiving (KEM.Encrypt, sid, pk′) from some party Pi, proceed as follows:
  – If an entry (Pi, C, active) is not in memory for any C,
    1. Send (KEM.Encrypt, sid, pk′) to S, and receive (Encrypted Shared Key, sid, pk′, C0) from S.
    2. Send (Encrypted Shared Key, sid, pk′, C0) to Pi, and store the pair (pk′, C0) and (Pi, C0, active) in memory.
  – Otherwise, do nothing.
KEM.Decrypt: Upon receiving (KEM.Decrypt, sid, C0′) from Pj (and Pj only), hand (KEM.Decrypt, sid, C0′) to S. Upon receiving ok from S, proceed as follows:
  – If an entry (Pj, C, active) is not in memory for any C, send ok to Pj and store (Pj, C0′, active) in memory.
  – Otherwise, do nothing.
DEM.Encrypt: Upon receiving (DEM.Encrypt, sid, m) from party Pe (e ∈ {i, j} only), proceed as follows:
  – If (Pe, C0, active) is stored in memory:
    • If both Pi and Pj are uncorrupted, then proceed as follows:
      1. Send (DEM.Encrypt, sid, |m|) to S, where |m| denotes the length of m, and receive (DEM.Ciphertext, sid, c′) from S.
      2. Send (DEM.Ciphertext, sid, c′) to Pe, and store the entry (m, c′, C0) in memory.
    • Otherwise, proceed as follows:
      1. Send (DEM.Encrypt, sid, m) to S, and receive (DEM.Ciphertext, sid, c′) from S.
      2. Send (DEM.Ciphertext, sid, c′) to Pe, and store the entry (m, c′, C0) in memory.
  – Otherwise, do nothing.
Fig. 5. The KEM-DEM Functionality
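To make the bookkeeping of FKEM-DEM concrete, the following is an added executable model (example code written for this page, not from the paper) of the uncorrupted-party branches of Fig. 5 above and its continuation in Fig. 6 below, together with a simulator S that, as in the proof of Theorem 4, is told only |m| and therefore encrypts 0^|m|. The toy DEM (SHA-256 keystream plus HMAC tag), the stand-in values for pk and C0, and the names Simulator and FKemDem are assumptions of this example.

```python
import hashlib
import hmac
import os

BOT = "\u22a5"  # the symbol ⊥ of Fig. 6 (unknown or rejected ciphertext)


def _stream(K, nonce, n):  # SHA-256 counter keystream of n bytes (toy DEM, assumed here)
    return b"".join(hashlib.sha256(K + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def dem_encrypt(K, m):
    """Toy DEM, an assumption of this example: nonce || (m xor keystream) || HMAC tag."""
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(m, _stream(K, nonce, len(m))))
    return body + hmac.new(K, body, "sha256").digest()


def dem_decrypt(K, c):  # returns BOT when the tag does not verify
    body, tag = c[:-32], c[-32:]
    if len(body) < 16 or not hmac.compare_digest(tag, hmac.new(K, body, "sha256").digest()):
        return BOT
    return bytes(a ^ b for a, b in zip(body[16:], _stream(K, body[:16], len(body) - 16)))


class Simulator:
    """S of the proof of Theorem 4 (steps 2, 4, 6): for honest parties it gets only |m|."""
    K = None

    def kem_encrypt(self, pk):            # step 2: pair (K, C0); C0 is a stand-in value
        self.K = os.urandom(16)
        return hashlib.sha256(b"C0|" + self.K).digest()

    def dem_encrypt_len(self, n):         # step 4: c' = DEM.Encrypt(K, 0^|m|)
        return dem_encrypt(self.K, bytes(n))

    def dem_decrypt(self, c):             # step 6: phi = DEM.Decrypt(K, c')
        return dem_decrypt(self.K, c)


class FKemDem:
    """Bookkeeping of F_KEM-DEM (Fig. 5 and Fig. 6) with Pi and Pj uncorrupted."""
    def __init__(self, S):
        self.S, self.active, self.table = S, {}, {}   # table: (c', C) -> m or ⊥

    def kem_encrypt(self, Pi, pk):        # Fig. 5, KEM.Encrypt
        if Pi in self.active: return None  # "otherwise, do nothing"
        self.active[Pi] = C0 = self.S.kem_encrypt(pk)
        return C0

    def kem_decrypt(self, Pj, C0):        # Fig. 5, KEM.Decrypt
        if Pj in self.active: return None
        self.active[Pj] = C0
        return "ok"

    def dem_encrypt(self, Pe, m):         # Fig. 5, DEM.Encrypt, uncorrupted branch
        if Pe not in self.active: return None
        c = self.S.dem_encrypt_len(len(m))       # S is told |m| only
        self.table[(c, self.active[Pe])] = m     # entry (m, c', C0)
        return c

    def dem_decrypt(self, Pe, c):         # Fig. 6, DEM.Decrypt, uncorrupted branch
        if Pe not in self.active: return None
        self.S.dem_decrypt(c)             # S's phi is not used when both parties are honest
        key = (c, self.active[Pe])        # rules 1/3: stored m or ⊥; rule 2: record ⊥
        return self.table.setdefault(key, BOT)
```

Running the honest flow shows the point of Case 3 in the proof: Pj recovers m from the functionality's table even though the ciphertext S produced encrypts only zeros, and any ciphertext not produced by FKEM-DEM decrypts to ⊥.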
Functionality FKEM-DEM (continued)
DEM.Decrypt: Upon receiving (DEM.Decrypt, sid, c′) from Pe (e ∈ {i, j} only), hand (DEM.Decrypt, sid, c′) to S. Upon receiving (DEM.Plaintext, sid, φ) from S, proceed as follows:
  – If an entry (Pe, C, active) exists in memory for some C:
    1. If the entry (m, c′, C) is stored in memory, then send (DEM.Plaintext, sid, m) to Pe.
    2. Else, if neither Pi nor Pj is corrupted and no entry (m, c′, C) is recorded in memory, then store the entry (⊥, c′, C) and send (DEM.Plaintext, sid, ⊥) to Pe.
    3. Else, if an entry (⊥, c′, C) is recorded, then send (DEM.Plaintext, sid, ⊥) to Pe.
    4. Otherwise, send (DEM.Plaintext, sid, φ) to Pe, and record the entry (φ, c′, C) in memory.
  – Otherwise, do nothing.
Fig. 6. The KEM-DEM Functionality (continued)

When Z interacts with A and πKEM-DEM, Z obtains ciphertext c in Step 4. In this case, Z returns 1 in Step 7. Therefore, when Z interacts with A and πKEM-DEM, Z outputs 1 with non-negligible probability. On the other hand, when Z interacts with S in the ideal process for FKEM-DEM, Z also obtains a ciphertext c in Step 4. For ciphertext c, G successfully obtains (R, c). However, Z cannot output 1 in Step 7, because no relation R(m, m′) holds.

("if" part) We prove that if πKEM-DEM does not securely realize FKEM-DEM, then πDEM is not IND-P2-C2-DEM. More precisely, we assume that there is an adversary A such that for any simulator S there is an environment Z that can tell with non-negligible probability whether it is interacting with FKEM-DEM and S in the ideal process or with parties running πKEM-DEM and the adversary A in the real-life world. Then we prove that there is an adversary F that breaks IND-P2-C2-DEM by using the distinguishing Z. Note that there are three cases of party corruption, since we take account of non-adaptive adversaries. Recall the formal setting: there are three types of messages between Z and A.
That is, Z sends A a message either to corrupt parties, to report on messages being sent, or to deliver some message. In this protocol, no party corruption occurs during execution, since we consider non-adaptive adversaries. Furthermore, parties do not send messages to each other. Therefore, there are no requests to report on or deliver messages. In fact, there is no communication between Z and A at all. So the only way that S affects the output of Z is through the communication via FKEM-DEM. We will show that Z can distinguish only when both sender Pi and receiver Pj are not corrupted. We discuss all the cases for the following simulator S:
1. When S receives (KEM.KeyGen, sid), S obtains (pk, sk) by running KEM.KeyGen(), and returns (KEM Key, sid, pk) to FKEM-DEM.
2. When S receives (KEM.Encrypt, sid, pk), S generates a corresponding pair (K, C0), and returns (Encrypted Shared Key, sid, pk, C0) to FKEM-DEM.
3. When S receives (KEM.Decrypt, sid, C0), S obtains key K by KEM.Decrypt(sk, C0), and returns ok to FKEM-DEM.
4. When S receives (DEM.Encrypt, sid, |m|), S generates c′ as the output of DEM.Encrypt(K, 0^|m|), and returns (DEM.Ciphertext, sid, c′) to FKEM-DEM.
5. When S receives (DEM.Encrypt, sid, m), S generates c′ as the output of DEM.Encrypt(K, m), and returns (DEM.Ciphertext, sid, c′) to FKEM-DEM.
6. When S receives (DEM.Decrypt, sid, c′), S generates φ by DEM.Decrypt(K, c′), and sends (DEM.Plaintext, sid, φ).

Protocol πKEM-DEM
Key Encapsulation Mechanism KEM
KEM.KeyGen:
  1. Upon input (KEM.KeyGen, sid), Pj sends (KEM.KeyGen, sid1) to FKEM.
  2. Upon receiving (KEM Key, sid1, pk) from FKEM, Pj outputs pk.
KEM.Encrypt: Upon input (KEM.Encrypt, sid, pk) within party Pi,
  – If boolean variable active is not set,
    1. Pi sends (KEM.Encrypt, sid1, pk) to FKEM.
    2. Upon receiving (Encrypted Shared Key, sid1, pk, K, C0) from FKEM, Pi outputs C0, stores the key K in memory and sets the boolean variable active in memory.
  – Otherwise, do nothing.
KEM.Decrypt: Upon input (KEM.Decrypt, sid, C0) within Pj,
  – If boolean variable active is not set,
    1. Pj sends (KEM.Decrypt, sid1, C0) to FKEM.
    2. Upon receiving (Shared Key, sid1, K), Pj stores K in memory, outputs ok and sets the boolean variable active in memory.
  – Otherwise, do nothing.
Data Encapsulation Mechanism DEM
DEM.Encrypt: Upon input (DEM.Encrypt, sid, m) from Pe (e ∈ {i, j}), proceed as follows:
  – If the boolean variable active is set in Pe's memory, Pe obtains ciphertext c = DEM.Encrypt(K, m) and outputs (DEM Ciphertext, sid, c).
  – Otherwise, do nothing.
DEM.Decrypt: Upon input (DEM.Decrypt, sid, c) from Pe (e ∈ {i, j}), proceed as follows:
  – If the boolean variable active is set in Pe's memory, Pe obtains m = DEM.Decrypt(K, c) and outputs (DEM Plaintext, sid, m).
  – Otherwise, do nothing.
Fig. 7. The KEM-DEM Protocol

(Case 1: Sender Pi is corrupted.) In this case, once A corrupts Pi, simulator S corrupts dummy party Pi. However, receiver Pj is not corrupted, that is, Pj is honest. Environment Z cannot distinguish the real-life world from the ideal process for the above simulator S, because S can reconstruct the view by using the simulated copy of A. Note that A can stop the protocol πKEM-DEM. Even if this happens, Z cannot distinguish the real world from the ideal world, because S can also stop the protocol.
(Case 2: Receiver Pj is corrupted.) In this case, once A corrupts Pj, simulator S corrupts dummy party Pj. However, sender Pi is not corrupted, that is, Pi is honest. Environment Z cannot distinguish the real-life world from the ideal process for the above simulator S, because S can reconstruct the view by using the simulated copy of A.
(Case 3: No party is corrupted.) In this case, sender Pi and receiver Pj are not corrupted, i.e., they are honest parties. We look at the key and ciphertext generated by Pi in each world.
  – In the real-life world, πKEM-DEM runs among the honest parties, and Pi generates c by running the algorithm DEM.Encrypt(K, m). Note that c corresponds to m.
  – In the ideal process, FKEM-DEM sends (DEM.Encrypt, sid, |m|) to S, and Pi obtains c′ from S via FKEM-DEM. Note that c′ does not correspond to m, because S sees only the length of m.
By applying a hybrid argument similar to the one in the proof of Theorem 3, we obtain an adversary F that attacks IND-P2-C2-DEM by using the environment Z that can distinguish the real world from the ideal world. □

5 A Universally Composable Secure Channel Based on the KEM-DEM Framework

To realize the secure channel functionality FSC defined in [4], we define a secure channel protocol πSC in Fig. 8 in the (FKEM-DEM, FSIG, FCA)-hybrid model, where FSIG is the signature functionality [4] and FCA is the certification authority functionality [4]. (Due to the page limitation, we omit the descriptions of FSIG and FCA; see [4] for the definitions.) Combined with the previous theorems, the following theorem implies that IND-CCA2 KEM, IND-P2-C2 DEM, secure signatures and an ideal CA are sufficient to securely realize FSC.

Theorem 5. Protocol πSC securely realizes FSC in the (FKEM-DEM, FSIG, FCA)-hybrid model.

Protocol πSC
Session Set-up
1. Upon input (Establish-session, sid, Pj, initiator), Pi sends (KEM.KeyGen, sid1) to FKEM-DEM, and stores (sid, Pj).
2. Upon receiving (KEM Key, sid1, PKi) from FKEM-DEM, Pi sends (Register, Pi, PKi) to FCA.
3. Upon input (Establish-session, sid, Pi, responder), Pj sends (Retrieve, Pi) to FCA.
4. Upon receiving (Retrieve, Pi, PKi) from FCA, Pj sends (KEM.Encrypt, sid1, PKi) to FKEM-DEM, and receives (Encrypted Shared Key, sid1, PKi, C0) from FKEM-DEM.
5. Pj sends (KeyGen, (Pj, sid′)) to FSIG, and receives (Verification Key, (Pj, sid′), PKj).
6. Pj sends (Register, Pj, PKj) to FCA, then sends (Sign, Pj, C0) to FSIG, and receives (Signature, (Pj, sid′), C0, σ) from FSIG.
7. Pj sends (sid, C0, σ, Pj) to Pi, and sets a boolean variable active.
8. Upon receiving (sid, C0, σ, Pj), Pi checks whether (sid, Pj) is stored. If it is not stored, Pi discards the message. Otherwise, Pi sends (Retrieve, Pj) to FCA and receives (Retrieve, Pj, PKj), then sends (Verify, (Pj, sid′), C0, σ, PKj) to FSIG and receives (Verified, (Pj, sid′), C0, f). If f is 1, then Pi goes to the next step; else Pi finishes the protocol.
9. Pi sends (KEM.Decrypt, sid1, C0) to FKEM-DEM. If ok is returned from FKEM-DEM, Pi sets a boolean variable active.
Data Exchange
1. Upon input (Send, sid, m) to Pe, if Pe is active (i.e., e ∈ {i, j}), Pe sends the message (DEM.Encrypt, sid1, m) to FKEM-DEM.
2. Upon receiving (DEM.Ciphertext, c) from FKEM-DEM, Pe sends c to Pē.
3. Upon receiving c, if Pē is active (i.e., ē ∈ {i, j}), Pē sends (DEM.Decrypt, sid1, c) to FKEM-DEM.
4. Pē receives (DEM.Plaintext, m) from FKEM-DEM and outputs m.
Session Ending
1. Upon input (Expire-session, sid), Pe sends (Expire-session, sid) to Pē, erases the session state (including all keys and local values) and terminates this protocol.
2. Upon receiving (Expire-session, sid), Pē erases the session state (including all keys and local values) and terminates this protocol.
Fig. 8. The Secure Channel Protocol πSC

Proof.
(sketch) Let A be an adversary that interacts with parties running πSC in the (FKEM-DEM, FSIG, FCA)-hybrid model, and let S be an ideal-process adversary (simulator) that interacts with the ideal process for FSC. We construct S such that no environment Z can tell whether it is interacting with A in πSC or with S in the ideal process for FSC. S invokes a simulated copy of A and proceeds as follows:
1. Inputs from Z are forwarded to A, and outputs from A are forwarded to Z.
2. (Simulating the interaction of A in the session set-up) Upon receiving a message (sid, Pi, Pj) from FSC (which means that Pi and Pj have set up a session), S simulates for A the process of exchanging a shared key between Pi and Pj. That is, S plays the functionalities FCA, FKEM-DEM and FSIG for A as follows:
  – send to A (in the name of FKEM-DEM) the message (KEM.KeyGen, sid1, PKi), and obtain the response (KEM Key, sid1, PKi) from A;
  – send to A (in the name of FCA) the message (Registered, Pi, PKi), and obtain the response ok from A;
  – send to A (in the name of FCA) the message (Retrieve, Pi, Pj), and obtain the response ok from A;
  – send to A (in the name of FKEM-DEM) the message (KEM.Encrypt, sid1, PKi), and obtain the response (Encrypted Shared Key, sid1, PKi, C0) from A;
  – send to A (in the name of FSIG) the message (KeyGen, (Pj, sid′)), and obtain the response (Verification Key, (Pj, sid′), PKj) from A;
  – send to A (in the name of FCA) the message (Registered, Pj, PKj), and obtain the response ok from A;
  – send to A (in the name of FSIG) the message (Sign, (Pj, sid′), C0), and obtain the response (Signature, (Pj, sid′), C0, σ) from A;
  – send to A (in the name of FCA) the message (Retrieve, Pj, Pi), and obtain the response ok from A;
  – send to A (in the name of FSIG) the message (Verify, (Pj, sid′), C0, σ, PKj), and obtain the response (Verified, (Pj, sid′), C0, φ) from A;
  – send to A (in the name of FKEM-DEM) the message (KEM.Decrypt, sid1, C0, PKi), and obtain the response ok from A.
3. (Simulating the interaction of A in the data exchange) Upon receiving a message (sid, Pe, u) (e ∈ {i, j}) from FSC (which means that Pe sent a message of length u to Pē), S simulates for A the data exchange between Pi and Pj. That is, S plays the functionality FKEM-DEM for A as follows:
  – send to A (in the name of FKEM-DEM) the message (DEM.Encrypt, sid1, |m|), and obtain the response (DEM.Ciphertext, c) from A;
  – send to A (in the name of FKEM-DEM) the message (DEM.Decrypt, sid1, c), and obtain the response (DEM.Plaintext, ψ) from A.
4. (Simulating the interaction of a corrupted party) Simulating the interaction of a corrupted party can be done by simulating the functionalities and transmissions in the natural way, so we omit the precise description here.
5. (Simulating party corruption) When A corrupts a party, S corrupts that party in the ideal process and forwards the obtained information to A. This poses no problem, since none of the parties maintains any secret information.
It is straightforward to verify that the simulation is perfect. That is, for any environment Z and adversary A, the view of Z interacting with S and FSC is distributed identically to the view of Z interacting with A and parties running protocol πSC in the (FKEM-DEM, FSIG, FCA)-hybrid model. □

6 Conclusion

The KEM-DEM framework is a promising formulation for hybrid encryption based on symmetric and asymmetric encryption, and will be standardized by ISO in the near future. This paper studied the possibility of constructing a UC secure channel using the KEM-DEM framework. We showed that IND-CCA2 KEM and IND-P2-C2 DEM, along with secure signatures and an ideal certification authority, are sufficient to realize a UC secure channel. This paper also showed several equivalence results: UC KEM, IND-CCA2 KEM and NM-CCA2 KEM are equivalent, and UC DEM, IND-P2-C2 DEM and NM-P2-C2 DEM are equivalent.

References
1. M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, "Relations Among Notions of Security for Public-Key Encryption Schemes," Crypto '98, LNCS 1462.
2. M. Bellare and A. Sahai, "Non-Malleable Encryption: Equivalence between Two Notions, and an Indistinguishability-Based Characterisation," Crypto '99, LNCS 1666.
3. R. Canetti, "Universally Composable Security: A New Paradigm for Cryptographic Protocols," 42nd FOCS, 2001. Full version available at http://eprint.iacr.org/2000/067.
4. R. Canetti, "Universally Composable Signature, Certification, and Authentication," August 2004. http://eprint.iacr.org/2003/239/.
5. R. Canetti and H. Krawczyk, "Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels," Eurocrypt '01, 2001. Full version at http://eprint.iacr.org/2001.
6. R. Canetti and H. Krawczyk, "Universally Composable Notions of Key Exchange and Secure Channels," Eurocrypt '02, LNCS, Springer, 2002. http://eprint.iacr.org/2002.
7. R. Canetti and T. Rabin, "Universal Composition with Joint State," Proceedings of Crypto '03, LNCS, Springer, 2003. Available at http://eprint.iacr.org/2002.
8. R. Cramer and V. Shoup, "Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack," http://shoup.net/papers/, December 2001.
9. D. Dolev, C. Dwork, and M. Naor, "Non-Malleable Cryptography," 23rd STOC, 1991. Also Technical Report CS95-27, Weizmann Institute of Science, 1995.
10. J. Katz and M. Yung, "Characterization of Security Notions for Probabilistic Private-Key Encryption," to appear. Full version available at http://www.cs.umd.edu/~jkatz/.
11. V. Shoup, "A Proposal for an ISO Standard for Public Key Encryption (version 2.1)," ISO/IEC JTC1/SC27, N2563, http://shoup.net/papers/, December 2001.