Constructing Better Kems With Partial Message Recovery

In this paper, we consider the problem of building efficient key encapsulation mechanism (KEM) with partial message recovery, in brief, PKEM, which aims at providing better bandwidth for standard KEM. We demonstrate several practical issues that were not considered by the previous research, e.g., the additional security loss due to loose reduction of OAEP, and the ciphertext overhead caused by the corresponding data encapsulation mechanism (DEM). We give solutions to these problems, furthermore, we consider the multi-challenge model for PKEMs, where an adversary can obtain up to multiple challenge ciphertexts. Apparently, this is a more severe and more realistic model for PKEM. We then show two generic constructions of PKEMs and prove their security in the multi-challenge model. Our constructions are natural and simple. Finally, we give some instantiations of our generic constructions, and compare their efficiency. Our results demonstrate that there are strong ties between PKEM and public key encryption.