On the Equivalence of Several Security Notions of Key Encapsulation Mechanism
KEM (Key Encapsulation Mechanism) was introduced by Shoup to formalize the asymmetric encryption specified for key distribution in ISO standards on public-key encryption. Shoup defined the ``semantic security (IND) against adaptively chosen ciphertext attacks (CCA2)'' as a desirable security notion of KEM. This paper introduces ''non-malleability (NM)'' of KEM, a stronger security notion than IND. We provide three definitions of NM, and show that these three definitions are equivalent. We then show that NM-CCA2 KEM is equivalent to IND-CCA2 KEM. That is, we show that NM is equivalent to IND under CCA2 attacks, although NM is stronger than IND in the definition (or under some attacks like CCA1). In addition, this paper defines the universally composable (UC) security of KEM and shows that NM-CCA2 KEM is equivalent to UC KEM.