Security on Hybrid Encryption with the Tag-KEM/DEM Framework
The tag-KEM/DEM framework was proposed by Abe, Gennaro, Kurosawa, and Shoup to explain why the Kurosawa-Desmedt PKE is
secure in the sense of IND-CCA2 even though its KEM part is not secure in the sense of IND-CCA2. They concluded that the Kurosawa-Desmedt
KEM satisfies IND-CCA2 security for tag-KEM. They showed that an IND-CCA2 secure PKE system can be constructed from
an IND-CCA2 tag-KEM system and an IND-OT secure DEM system.
Herranz, Hofheinz and Kiltz have shown the necessary and sufficient conditions for the KEM/DEM framework. They have also studied
implications and separations among the security notions of KEM.
In this paper, we study the necessary and sufficient conditions for the tag-KEM/DEM framework. Moreover, we study implications
and separations among the security notions of tag-KEM. Through these studies, we show gaps between KEM and tag-KEM, concerning weak and
strong non-malleability, in the necessary and sufficient conditions for obtaining the same security levels.