{"status":"ok","message-type":"work","message-version":"1.0.0","message":{
"indexed":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:15:51Z","timestamp":1778040951236,"version":"3.51.4"},
"reference-count":18,
"publisher":"International Association for Cryptologic Research",
"issue":"1",
"license":[{"start":{"date-parts":[[2026,1,30]],"date-time":"2026-01-30T00:00:00Z","timestamp":1769731200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],
"funder":[{"name":"National Science Foundation","award":["2452804"],"award-info":[{"award-number":["2452804"]}]},{"name":"National Science Foundation","award":["2236784"],"award-info":[{"award-number":["2236784"]}]}],
"content-domain":{"domain":[],"crossmark-restriction":false},
"short-container-title":["IACR CiC"],
"accepted":{"date-parts":[[2026,4,27]]},
"abstract":"<jats:p>This short paper formally specifies and analyzes the UG hybrid KEM construction from the IRTF CFRG's recent draft on hybrid (post-quantum\/traditional) KEMs. The UG construction is an optimized hybrid of a Diffie-Hellman (DH)-based KEM in a nominal group and a generic IND-CCA KEM. The main optimization is that the group elements derived in the DH-based KEM are \u201cinlined\u201d in the key derivation, saving unnecessary hashing. We perform two security analyses of the UG construction: one shows UG is IND-CCA even if the generic IND-CCA KEM is broken; the other complementary analysis shows UG is IND-CCA even if the DH assumptions in the nominal group are broken (by, e.g., a cryptographically-relevant quantum computer).<\/jats:p>",
"DOI":"10.62056\/ahmp-49p1",
"type":"journal-article",
"created":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T18:09:08Z","timestamp":1777918148000},
"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj",
"source":"Crossref",
"is-referenced-by-count":0,
"title":["StarFortress:"],
"prefix":"10.62056",
"volume":"3",
"author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-5745-1432","authenticated-orcid":false,"given":"Deirdre","family":"Connolly","sequence":"first","affiliation":[{"name":"Oracle","place":["USA"]},{"name":"Selkie Cryptography","place":["USA"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0985-5956","authenticated-orcid":false,"given":"Paul","family":"Grubbs","sequence":"additional","affiliation":[{"name":"University of Michigan","place":["USA"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],
"member":"48349",
"published-online":{"date-parts":[[2026,5,4]]},
"reference":[
{"key":"ref1:EC:CasDec23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"423","DOI":"10.1007\/978-3-031-30589-4_15","article-title":"An Efficient Key Recovery Attack on SIDH","volume":"14008","author":"Wouter Castryck","year":"2023"},
{"key":"ref2:irtf-cfrg-hybrid-kems-07","volume-title":"Hybrid PQ\/T key encapsulation mechanisms","author":"Deirdre Connolly","year":"2025"},
{"key":"ref3:rfcdraft","volume-title":"X-Wing: general-purpose hybrid post-quantum KEM","author":"Deirdre Connolly","year":"2024"},
{"key":"ref4:CiC:BCDKSV24","doi-asserted-by":"publisher","first-page":"21","DOI":"10.62056\/a3qj89n4e","article-title":"X-Wing","volume":"1","author":"Manuel Barbosa","year":"2024","journal-title":"CiC"},
{"key":"ref5:PKC:GiaHeuPoe18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"190","DOI":"10.1007\/978-3-319-76578-5_7","article-title":"KEM Combiners","volume":"10769","author":"Federico Giacon","year":"2018"},
{"key":"ref6:CCS:CreDaxMed24","doi-asserted-by":"publisher","first-page":"1046","DOI":"10.1145\/3658644.3670283","article-title":"Keeping Up with the KEMs: Stronger Security Notions for KEMs and Automated Analysis of KEM-based Protocols","author":"Cas Cremers","year":"2024"},
{"key":"ref7:EC:ABHKLR21","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"87","DOI":"10.1007\/978-3-030-77870-5_4","article-title":"Analysing the HPKE Standard","volume":"12696","author":"Jo\u00ebl Alwen","year":"2021"},
{"key":"ref8:EPRINT:GlaHovSte25","volume-title":"Tight Multi-challenge Security Reductions for Key Encapsulation Mechanisms","author":"Lewis Glabush","year":"2025"},
{"key":"ref9:RFC7748","series-title":"Request for Comments","doi-asserted-by":"publisher","DOI":"10.17487\/RFC7748","volume-title":"Elliptic Curves for Security","author":"Adam Langley","year":"2016"},
{"key":"ref10:NIST.SP.800.186","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-186","volume-title":"Recommendations for discrete logarithm-based cryptography: Elliptic curve domain parameters","author":"National Institute of Standards","year":"2023"},
{"key":"ref11:FIPS203","series-title":"FIPS Draft Standard","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.FIPS.203.ipd","volume-title":"Module-Lattice-Based Key-Encapsulation Mechanism Standard","author":"NIST","year":"2023"},
{"key":"ref12:EUROSP:BDKLLSSSS18","doi-asserted-by":"publisher","first-page":"353","DOI":"10.1109\/EuroSP.2018.00032","article-title":"CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM","author":"Joppe W. Bos","year":"2018"},
{"key":"ref13:FIPS202","doi-asserted-by":"publisher","DOI":"10.6028\/nist.fips.202","volume-title":"SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions","author":"Morris J. Dworkin","year":"2015"},
{"key":"ref14:EC:BDPV08","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1007\/978-3-540-78967-3_11","article-title":"On the Indifferentiability of the Sponge Construction","volume":"4965","author":"Guido Bertoni","year":"2008"},
{"key":"ref15:EPRINT:ACMT25","volume-title":"The Sponge is Quantum Indifferentiable","author":"Gorjan Alagic","year":"2025"},
{"key":"ref16:C:Krawczyk10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"631","DOI":"10.1007\/978-3-642-14623-7_34","article-title":"Cryptographic Extraction and Key Derivation: The HKDF Scheme","volume":"6223","author":"Hugo Krawczyk","year":"2010"},
{"key":"ref17:EUROSP:LipBlaBha19","doi-asserted-by":"publisher","first-page":"231","DOI":"10.1109\/EuroSP.2019.00026","article-title":"A Mechanised Cryptographic Proof of the WireGuard Virtual Private Network Protocol","author":"Benjamin Lipp","year":"2019"},
{"key":"ref18:C:DRST12","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"348","DOI":"10.1007\/978-3-642-32009-5_21","article-title":"To Hash or Not to Hash Again? (In)Differentiability Results for $H^2$ and HMAC","volume":"7417","author":"Yevgeniy Dodis","year":"2012"}
],
"container-title":["IACR Communications in Cryptology"],
"original-title":[],
"language":"en",
"deposited":{"date-parts":[[2026,5,6]],"date-time":"2026-05-06T04:03:33Z","timestamp":1778040213000},
"score":1,
"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/3\/1\/25"}},
"subtitle":["Hybrid KEMs with Diffie-Hellman Inlining"],
"short-title":[],
"issued":{"date-parts":[[2026,5,4]]},
"references-count":18,
"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,5,4]]}},
"URL":"https:\/\/doi.org\/10.62056\/ahmp-49p1",
"archive":["Internet Archive","Internet Archive"],
"relation":{},
"ISSN":["3006-5496"],
"issn-type":[{"value":"3006-5496","type":"electronic"}],
"subject":[],
"published":{"date-parts":[[2026,5,4]]},
"assertion":[{"value":"2026-01-30","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-04-27","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],
"article-number":"cc3-1-65"
}}