{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,4]],"date-time":"2026-04-04T18:18:30Z","timestamp":1775326710632,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":50,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3670283","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"1046-1060","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":13,"title":["Keeping Up with the KEMs: Stronger Security Notions for KEMs and Automated Analysis of KEM-based Protocols"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0322-2293","authenticated-orcid":false,"given":"Cas","family":"Cremers","sequence":"first","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-3415-5579","authenticated-orcid":false,"given":"Alexander","family":"Dax","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-0494-6137","authenticated-orcid":false,"given":"Niklas","family":"Medinger","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Michel Abdalla Mihir Bellare and Gregory Neven. 2008. Robust Encryption. Cryptology ePrint Archive Paper 2008\/440. https:\/\/eprint.iacr.org\/2008\/440."},{"key":"e_1_3_2_1_2_1","volume-title":"NIST PQC Second Round","volume":"2","author":"Albrecht Martin","year":"2019","unstructured":"Martin Albrecht, Carlos Cid, Kenneth G Paterson, Cen Jung Tjhai, and Martin Tomlinson. 2019. NTS-KEM. NIST PQC Second Round, Vol. 2 (2019). https:\/\/nts-kem.io\/ (Accessed December 2023)."},{"key":"e_1_3_2_1_3_1","volume-title":"Slim Bettaieb, Loic Bidoux, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit, Shay Gueron, Tim Guneysu, Carlos Aguilar Melchor, et al.","author":"Aragon Nicolas","year":"2017","unstructured":"Nicolas Aragon, Paulo SLM Barreto, Slim Bettaieb, Loic Bidoux, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit, Shay Gueron, Tim Guneysu, Carlos Aguilar Melchor, et al. 2017. BIKE: bit flipping key encapsulation. (2017)."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"crossref","unstructured":"Atsushi Fujioka and Koutarou Suzuki and Keita Xagawa and Kazuki Yoneyama. 2012. Strongly Secure Authenticated Key Exchange from Factoring Codes and Lattices. Cryptology ePrint Archive Paper 2012\/211. https:\/\/eprint.iacr.org\/2012\/211.","DOI":"10.1007\/978-3-642-30057-8_28"},{"key":"e_1_3_2_1_5_1","volume-title":"Aaron Kaiser, Peter Schwabe, Karoline Varner, and Bas Westerbaan.","author":"Barbosa Manuel","year":"2024","unstructured":"Manuel Barbosa, Deirdre Connolly, Jo\u00e3o Diogo Duarte, Aaron Kaiser, Peter Schwabe, Karoline Varner, and Bas Westerbaan. 2024. X-Wing: The Hybrid KEM You've Been Looking For. Cryptology ePrint Archive, Paper 2024\/039. https:\/\/eprint.iacr.org\/2024\/039."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-45724-2_1"},{"key":"e_1_3_2_1_7_1","unstructured":"Daniel J Bernstein Tung Chou Tanja Lange Ingo von Maurich Rafael Misoczki Ruben Niederhagen Edoardo Persichetti Christiane Peters Peter Schwabe Nicolas Sendrier et al. 2017. Classic McEliece: conservative code-based cryptography. NIST submissions (2017)."},{"key":"e_1_3_2_1_8_1","volume-title":"An Analysis of Signal's PQXDH. https:\/\/cryspen.com\/post\/pqxdh\/ (Accessed","author":"Bhargavan Karthikeyan","year":"2024","unstructured":"Karthikeyan Bhargavan, Charlie Jacomme, Franziskus Kiefer, and Rolfe Schmidt. 2023. An Analysis of Signal's PQXDH. https:\/\/cryspen.com\/post\/pqxdh\/ (Accessed Jan 2024)."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-49162-7_12"},{"key":"e_1_3_2_1_10_1","volume-title":"An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14)","author":"Blanchet Bruno","year":"2001","unstructured":"Bruno Blanchet. 2001. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14). IEEE Computer Society, Cape Breton, Nova Scotia, Canada, 82--96."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978425"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00032"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00042"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"crossref","unstructured":"Ran Canetti and Hugo Krawczyk. 2001. Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. Cryptology ePrint Archive Paper 2001\/040. https:\/\/eprint.iacr.org\/2001\/040.","DOI":"10.1007\/3-540-44987-6_28"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"crossref","unstructured":"Ran Canetti and Hugo Krawczyk. 2002. Security Analysis of IKE's Signature-based Key-Exchange Protocol. Cryptology ePrint Archive Paper 2002\/120. https:\/\/eprint.iacr.org\/2002\/120.","DOI":"10.1007\/3-540-45708-9_10"},{"key":"e_1_3_2_1_16_1","volume-title":"USENIX","author":"Cheval Vincent","year":"2023","unstructured":"Vincent Cheval, Cas Cremers, Alexander Dax, Lucca Hirschi, Charlie Jacomme, and Steve Kremer. 2023. Hash Gone Bad: Automated discovery of protocol attacks that exploit hash function weaknesses. In USENIX 2023."},{"key":"e_1_3_2_1_17_1","volume-title":"Gonzalez Nieto and Kenneth G. Paterson","author":"Boyd Colin","year":"2008","unstructured":"Colin Boyd and Yvonne Cliff and Juan M. Gonzalez Nieto and Kenneth G. Paterson. 2008. Efficient One-round Key Exchange in the Standard Model. Cryptology ePrint Archive, Paper 2008\/007. https:\/\/eprint.iacr.org\/2008\/007."},{"key":"e_1_3_2_1_18_1","unstructured":"Ronald Cramer and Victor Shoup. 2001. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack. Cryptology ePrint Archive Paper 2001\/108. https:\/\/eprint.iacr.org\/2001\/108."},{"key":"e_1_3_2_1_19_1","volume-title":"USENIX","author":"Cremers Cas","year":"2023","unstructured":"Cas Cremers, Alexander Dax, Charlie Jacomme, and Mang Zhao. 2023. Automated Analysis of Protocols that use Authenticated Encryption: Analysing the Impact of the Subtle Differences between AEADs on Protocol Security. In USENIX 2023."},{"key":"e_1_3_2_1_20_1","unstructured":"Cas Cremers Alexander Dax and Niklas Medinger. 2023. Keeping Up with the KEMs: Stronger Security Notions for KEMs and automated analysis of KEM-based protocols. Cryptology ePrint Archive Paper 2023\/1933. https:\/\/eprint.iacr.org\/2023\/1933"},{"key":"e_1_3_2_1_21_1","unstructured":"Cas Cremers Alexander Dax and Niklas Medinger. 2024. KEM library and Case Studies. https:\/\/github.com\/FormalKEM\/Symbolic_KEM_Models."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00093"},{"key":"e_1_3_2_1_23_1","volume-title":"USENIX","author":"Dax Cas","year":"2023","unstructured":"Cremers, Cas and Dax, Alexander and Naska, Aurora. 2023. Formal Analysis of SPDM: Security Protocol and Data Model version 1.2. In USENIX 2023."},{"issue":"3","key":"e_1_3_2_1_24_1","first-page":"0","article-title":"DSP0274: Security Protocol and Data Model (SPDM) Specification","volume":"1","author":"DMTF.","year":"2023","unstructured":"DMTF. 2023. DSP0274: Security Protocol and Data Model (SPDM) Specification, Version 1.3.0. https:\/\/www.dmtf.org\/sites\/default\/files\/standards\/documents\/DSP0274_1.3.0.pdf. accessed: 2024-01--26.","journal-title":"Version"},{"key":"e_1_3_2_1_25_1","volume-title":"Advances in Cryptology--CRYPTO 2018: 38th Annual International Cryptology Conference.","author":"Dodis Yevgeniy","unstructured":"Yevgeniy Dodis, Paul Grubbs, Thomas Ristenpart, and Joanne Woodage. 2018. Fast message franking: From invisible salamanders to encryptment. In Advances in Cryptology--CRYPTO 2018: 38th Annual International Cryptology Conference."},{"key":"e_1_3_2_1_26_1","volume-title":"Sujoy Sinha Roy, and Frederik Vercauteren","author":"D'Anvers Jan-Pieter","year":"2018","unstructured":"Jan-Pieter D'Anvers, Angshuman Karmakar, Sujoy Sinha Roy, and Frederik Vercauteren. 2018. Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. In Progress in Cryptology--AFRICACRYPT 2018: 10th International Conference on Cryptology in Africa, Marrakesh, Morocco, May 7--9, 2018, Proceedings 10. Springer, 282--305."},{"key":"e_1_3_2_1_27_1","volume-title":"Quaglia","author":"Farshim Pooya","year":"2012","unstructured":"Pooya Farshim, Beno\u00eet Libert, Kenneth G. Paterson, and Elizabeth A. Quaglia. 2012. Robust Encryption, Revisited. Cryptology ePrint Archive, Paper 2012\/673. https:\/\/eprint.iacr.org\/2012\/673."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"crossref","unstructured":"Eiichiro Fujisaki and Tatsuaki Okamoto. 1999. Secure integration of asymmetric and symmetric encryption schemes. In Annual international cryptology conference.","DOI":"10.1007\/3-540-48405-1_34"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"crossref","unstructured":"Paul Grubbs Jiahui Lu and Thomas Ristenpart. 2017. Message Franking via Committing Authenticated Encryption. Cryptology ePrint Archive Paper 2017\/664. https:\/\/eprint.iacr.org\/2017\/664.","DOI":"10.1007\/978-3-319-63697-9_3"},{"key":"e_1_3_2_1_30_1","volume-title":"Paterson","author":"Grubbs Paul","year":"2021","unstructured":"Paul Grubbs, Varun Maram, and Kenneth G. Paterson. 2021. Anonymous, Robust Post-Quantum Public Key Encryption. Cryptology ePrint Archive, Paper 2021\/708. https:\/\/eprint.iacr.org\/2021\/708."},{"key":"e_1_3_2_1_31_1","volume-title":"Theory of Cryptography,","author":"Hofheinz Dennis","unstructured":"Dennis Hofheinz, Kathrin H\u00f6velmanns, and Eike Kiltz. 2017. A Modular Analysis of the Fujisaki-Okamoto Transformation. In Theory of Cryptography,, Yael Kalai and Leonid Reyzin (Eds.). Springer International Publishing, Cham, 341--371."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66787-4_12"},{"key":"e_1_3_2_1_33_1","volume-title":"Zimmermann","author":"H\u00fclsing Andreas","year":"2020","unstructured":"Andreas H\u00fclsing, Kai-Chun Ning, Peter Schwabe, Florian Weber, and Philip R. Zimmermann. 2020. Post-quantum WireGuard. Cryptology ePrint Archive, Paper 2020\/379. https:\/\/eprint.iacr.org\/2020\/379."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3339813"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1007\/978--3--540--45146--4_24"},{"key":"e_1_3_2_1_36_1","unstructured":"Julia Len Paul Grubbs and Thomas Ristenpart. 2022. Authenticated Encryption with Key Identification. Cryptology ePrint Archive Paper 2022\/1680. https:\/\/eprint.iacr.org\/2022\/1680."},{"key":"e_1_3_2_1_37_1","volume-title":"Hamming quasi-cyclic (HQC). NIST PQC Round","author":"Melchor Carlos Aguilar","year":"2018","unstructured":"Carlos Aguilar Melchor, Nicolas Aragon, Slim Bettaieb, Loic Bidoux, Olivier Blazy, Jean-Christophe Deneuville, Philippe Gaborit, Edoardo Persichetti, Gilles Z\u00e9mor, and IC Bourges. 2018. Hamming quasi-cyclic (HQC). NIST PQC Round (2018)."},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1007\/978--3--642--17373--8_29"},{"key":"e_1_3_2_1_39_1","unstructured":"NIST. [n. d.]. NIST Post-Quantum Cryptography. https:\/\/csrc.nist.gov\/projects\/post-quantum-cryptography. Accessed: 2024-01--16."},{"key":"e_1_3_2_1_40_1","volume-title":"Date Published","author":"NIST.","year":"2023","unstructured":"NIST. 2023. Module-Lattice-Based Key-Encapsulation Mechanism Standard (Initial Public Draft). https:\/\/csrc.nist.gov\/pubs\/fips\/203\/ipd. Accessed: 2024-02--23. Date Published: August 24, 2023."},{"key":"e_1_3_2_1_41_1","unstructured":"Chris Peikert. 2014. Lattice Cryptography for the Internet. Cryptology ePrint Archive Paper 2014\/070. https:\/\/eprint.iacr.org\/2014\/070."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1007\/11496137_10"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2012.25"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"crossref","unstructured":"Peter Schwabe Douglas Stebila and Thom Wiggers. 2020. Post-quantum TLS without handshake signatures. Cryptology ePrint Archive Paper 2020\/534. https:\/\/eprint.iacr.org\/2020\/534.","DOI":"10.1145\/3372297.3423350"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"crossref","unstructured":"Peter Schwabe Douglas Stebila and Thom Wiggers. 2021. More efficient post-quantum KEMTLS with pre-distributed public keys. Cryptology ePrint Archive Paper 2021\/779. https:\/\/eprint.iacr.org\/2021\/779.","DOI":"10.1007\/978-3-030-88418-5_1"},{"key":"e_1_3_2_1_46_1","first-page":"112","article-title":"A Proposal for an ISO Standard for Public Key Encryption","volume":"2001","author":"Shoup Victor","year":"2001","unstructured":"Victor Shoup. 2001. A Proposal for an ISO Standard for Public Key Encryption. IACR Cryptology ePrint Archive, Vol. 2001 (2001), 112. http:\/\/dblp.uni-trier.de\/db\/journals\/iacr\/iacr2001.html#Shoup01","journal-title":"IACR Cryptology ePrint Archive"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"crossref","unstructured":"Sof\u00eda Celi and Jonathan Hoyland and Douglas Stebila and Thom Wiggers. 2022. A tale of two models: formal verification of KEMTLS via Tamarin. Cryptology ePrint Archive Paper 2022\/1111. https:\/\/eprint.iacr.org\/2022\/1111.","DOI":"10.1007\/978-3-031-17143-7_4"},{"key":"e_1_3_2_1_48_1","unstructured":"Sophie Schmieg. 2024. Unbindable Kemmy Schmidt: ML-KEM is neither MAL-BIND-K-CT nor MAL-BIND-K-PK. Cryptology ePrint Archive Paper 2024\/523. https:\/\/eprint.iacr.org\/2024\/523."},{"key":"e_1_3_2_1_49_1","volume-title":"Post Quantum KEM authentication in SPDM for secure session establishment. Design & Test","author":"Yao Jiewen","year":"2023","unstructured":"Jiewen Yao, Anas Hlayhel, and Krystian Matusiewicz. 2023. Post Quantum KEM authentication in SPDM for secure session establishment. Design & Test (2023)."},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.3390\/cryptography6040048"}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","location":"Salt Lake City UT USA","acronym":"CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3670283","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3670283","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T06:10:39Z","timestamp":1755843039000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3670283"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":50,"alternative-id":["10.1145\/3658644.3670283","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3670283","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}