{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T21:32:38Z","timestamp":1767994358254,"version":"3.49.0"},"reference-count":46,"publisher":"International Association for Cryptologic Research","issue":"2","license":[{"start":{"date-parts":[[2025,4,7]],"date-time":"2025-04-07T00:00:00Z","timestamp":1743984000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,6,2]]},"abstract":" In this work, we continue the analysis of the binding properties of implicitly-rejecting key-encapsulation mechanisms (KEMs) obtained via the Fujisaki-Okamoto (FO) transform. These binding properties, in earlier literature known under the term robustness, thwart attacks that can arise when using KEMs in complex protocols. Recently, Cremers et al. (CCS'24) introduced a framework for binding notions, encompassing previously existing but also new ones. While implicitly-rejecting FO-KEMs have been analyzed with respect to multiple of these notions, there are still several gaps. We complete the picture by providing positive and negative results for the remaining notions. Further, we show how to apply our results to the code-based KEMs BIKE and HQC, which were round-4 candidates in NIST's PQC standardization process. Through this, we close a second gap as our results complete the analysis of the binding notions for the NIST round-4 KEMs. Finally, we give a modified version of the FO transform that achieves all binding notions. <\/jats:p>","DOI":"10.62056\/ak2i893y6","type":"journal-article","created":{"date-parts":[[2025,7,7]],"date-time":"2025-07-07T21:09:09Z","timestamp":1751922549000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":2,"title":["Binding Security of Implicitly-Rejecting KEMs and Application to BIKE and HQC"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3599-4215","authenticated-orcid":false,"given":"Juliane","family":"Kr\u00e4mer","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/01eezs655","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Regensburg","place":["Bajuwarenstra\u00dfe 4, Regensburg, 93053, Germany"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7738-2017","authenticated-orcid":false,"given":"Patrick","family":"Struck","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/0546hnb39","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Konstanz","place":["Universit\u00e4tsstra\u00dfe 10, Konstanz, 78457, Germany"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Maximiliane","family":"Weish\u00e4upl","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/01eezs655","id-type":"ROR","asserted-by":"publisher"}],"name":"University of Regensburg","place":["Bajuwarenstra\u00dfe 4, Regensburg, 93053, Germany"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"48349","published-online":{"date-parts":[[2025,7,7]]},"reference":[{"key":"ref1:STANDARDIZATION:PostQuantumCryptoNIST","volume-title":"Post-Quantum Cryptography Standardization Process","author":"NIST","year":"2017"},{"key":"ref2:C:FujOka99","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"537","DOI":"10.1007\/3-540-48405-1_34","article-title":"Secure Integration of Asymmetric and Symmetric Encryption\n Schemes","volume":"1666","author":"Eiichiro Fujisaki","year":"1999"},{"key":"ref3:CCS:JCCS19","doi-asserted-by":"publisher","first-page":"2165","DOI":"10.1145\/3319535.3339813","article-title":"Seems Legit: Automated Analysis of Subtle Attacks on\n Protocols that Use Signatures","author":"Dennis Jackson","year":"2019"},{"key":"ref4:LetsEncryptAttack","volume-title":"Duplicate Signature Key Selection Attack in Let's\n Encrypt","author":"Andrew Ayer","year":"2015"},{"key":"ref5:C:DGRW18","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"155","DOI":"10.1007\/978-3-319-96884-1_6","article-title":"Fast Message Franking: From Invisible Salamanders to\n Encryptment","volume":"10991","author":"Yevgeniy Dodis","year":"2018"},{"key":"ref6:USENIX:ADGKLS22","first-page":"3291","article-title":"How to Abuse and Fix Authenticated Encryption Without Key\n Commitment","author":"Ange Albertini","year":"2022"},{"key":"ref7:USENIX:LenGruRis21","first-page":"195","article-title":"Partitioning Oracle Attacks","author":"Julia Len","year":"2021"},{"key":"ref8:CCS:CreDaxMed24","doi-asserted-by":"publisher","first-page":"1046","DOI":"10.1145\/3658644.3670283","article-title":"Keeping Up with the KEMs: Stronger Security Notions for\n KEMs and Automated Analysis of KEM-based Protocols","author":"Cas Cremers","year":"2024"},{"key":"ref9:EUROSP:BDKLLSSSS18","doi-asserted-by":"publisher","first-page":"353","DOI":"10.1109\/EuroSP.2018.00032","article-title":"CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based\n KEM","author":"Joppe W. Bos","year":"2018"},{"key":"ref10:EC:BelHoa22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"845","DOI":"10.1007\/978-3-031-07085-3_29","article-title":"Efficient Schemes for Committing Authenticated Encryption","volume":"13276","author":"Mihir Bellare","year":"2022"},{"key":"ref11:EC:MLGR23","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"379","DOI":"10.1007\/978-3-031-30634-1_13","article-title":"Context Discovery and Commitment Attacks - How to Break\n CCM, EAX, SIV, and More","volume":"14007","author":"Sanketh Menda","year":"2023"},{"key":"ref12:C:BelHoa24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"305","DOI":"10.1007\/978-3-031-68385-5_10","article-title":"Succinctly-Committing Authenticated Encryption","volume":"14923","author":"Mihir Bellare","year":"2024"},{"key":"ref13:ToSC:StrWei24","doi-asserted-by":"publisher","first-page":"497","DOI":"10.46586\/tosc.v2024.i1.497-528","article-title":"Constructing Committing and Leakage-Resilient Authenticated\n Encryption","volume":"2024","author":"Patrick Struck","year":"2024","journal-title":"IACR Trans. Symm. Cryptol."},{"key":"ref14:ToSC:KraStrWei24","doi-asserted-by":"publisher","first-page":"191","DOI":"10.46586\/tosc.v2024.i4.191-248","article-title":"Committing AE from Sponges Security Analysis of the NIST\n LWC Finalists","volume":"2024","author":"Juliane Kr\u00e4mer","year":"2024","journal-title":"IACR Trans. Symm. Cryptol."},{"key":"ref15:SP:CDFFJ21","doi-asserted-by":"publisher","first-page":"1696","DOI":"10.1109\/SP40001.2021.00093","article-title":"BUFFing signature schemes beyond unforgeability and the\n case of post-quantum signatures","author":"Cas Cremers","year":"2021"},{"key":"ref16:PQCRYPTO:ADMSW24","doi-asserted-by":"publisher","first-page":"301","DOI":"10.1007\/978-3-031-62746-0_13","article-title":"Hash Your Keys Before Signing - BUFF Security of the\n Additional NIST PQC Signatures","author":"Thomas Aulbach","year":"2024"},{"key":"ref17:C:DFHS24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"246","DOI":"10.1007\/978-3-031-68376-3_8","article-title":"On the (In)Security of the BUFF Transform","volume":"14920","author":"Jelle Don","year":"2024"},{"key":"ref18:SAC:DuzFieFis24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1007\/978-3-031-82852-2_6","article-title":"BUFFing FALCON Without Increasing the Signature Size","volume":"15516","author":"Samed D\u00fczl\u00fc","year":"2024"},{"key":"ref19:TCC:DFHLS24","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"347","DOI":"10.1007\/978-3-031-78020-2_12","article-title":"Hide-and-Seek and the Non-resignability of the BUFF\n Transform","volume":"15366","author":"Jelle Don","year":"2024"},{"key":"ref20:STANDARDIZATION:NISTaccordionMode","volume-title":"Accordion Mode","author":"NIST","year":"2024"},{"key":"ref21:STANDARDIZATION:CallForAdditionalSignatures","volume-title":"Call for Additional Digital Signature Schemes for the\n Post-Quantum Cryptography Standardization Process","author":"NIST","year":"2022"},{"key":"ref22:EC:GruMarPat22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"402","DOI":"10.1007\/978-3-031-07082-2_15","article-title":"Anonymous, Robust Post-quantum Public Key Encryption","volume":"13277","author":"Paul Grubbs","year":"2022"},{"key":"ref23:NISTPQC-R4:ClassicMcEliece22","volume-title":"Classic McEliece","author":"Martin R. Albrecht","year":"2022"},{"key":"ref24:NISTPQC-R3:HQC20","volume-title":"HQC","author":"Carlos Aguilar-Melchor","year":"2020"},{"key":"ref25:NISTPQC-R3:SABER20","volume-title":"SABER","author":"Jan-Pieter D'Anvers","year":"2020"},{"key":"ref26:NISTPQC-R3:FrodoKEM20","volume-title":"FrodoKEM","author":"Michael Naehrig","year":"2020"},{"key":"ref27:NIST:FIPS-203","volume-title":"Module-Lattice-based Key-Encapsulation Mechanism\n Standard","author":"NIST","year":"2023"},{"key":"ref28:EPRINT:Schmieg24","volume-title":"Unbindable Kemmy Schmidt: ML-KEM is neither\n MAL-BIND-K-CT nor MAL-BIND-K-PK","author":"Sophie Schmieg","year":"2024"},{"key":"ref29:NISTPQC-R4:BIKE22","volume-title":"BIKE","author":"Nicolas Aragon","year":"2022"},{"key":"ref30:NISTPQC-R4:HQC24","volume-title":"HQC","author":"Carlos Aguilar-Melchor","year":"2024"},{"key":"ref31:NISTPQC-R4:HQC22","volume-title":"HQC","author":"Carlos Aguilar-Melchor","year":"2022"},{"key":"ref32:TCC:AbdBelNev10","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"480","DOI":"10.1007\/978-3-642-11799-2_28","article-title":"Robust Encryption","volume":"5978","author":"Michel Abdalla","year":"2010"},{"key":"ref33:AC:BBDP01","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"566","DOI":"10.1007\/3-540-45682-1_33","article-title":"Key-Privacy in Public-Key Encryption","volume":"2248","author":"Mihir Bellare","year":"2001"},{"key":"ref34:EC:Xagawa22","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"551","DOI":"10.1007\/978-3-031-07082-2_20","article-title":"Anonymity of NIST PQC Round 3 KEMs","volume":"13277","author":"Keita Xagawa","year":"2022"},{"key":"ref35:NISTPQC-R3:ClassicMcEliece20","volume-title":"Classic McEliece","author":"Martin R. Albrecht","year":"2020"},{"key":"ref36:NISTPQC-R3:CRYSTALS-KYBER20","volume-title":"CRYSTALS-KYBER","author":"Peter Schwabe","year":"2020"},{"key":"ref37:CIC:BCDKSVW24","doi-asserted-by":"publisher","DOI":"10.62056\/a3qj89n4e","article-title":"X-Wing","volume":"1","author":"Manuel Barbosa","year":"2024","journal-title":"IACR Communications in Cryptology","ISSN":"https:\/\/id.crossref.org\/issn\/3006-5496","issn-type":"electronic"},{"key":"ref38:CCS:AHKMS23","doi-asserted-by":"publisher","first-page":"1108","DOI":"10.1145\/3576915.3623185","article-title":"Post-Quantum Multi-Recipient Public Key Encryption","author":"Jo\u00ebl Alwen","year":"2023"},{"key":"ref39:PKC:FieGun25","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"137","DOI":"10.1007\/978-3-031-91823-0_5","article-title":"Security Analysis of Signal's PQXDH Handshake","volume":"15675","author":"Rune Fiedler","year":"2025"},{"key":"ref40:IMA:Dent03","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1007\/978-3-540-40974-8_12","article-title":"A Designer's Guide to KEMs","volume":"2898","author":"Alexander W. Dent","year":"2003"},{"key":"ref41:TCC:HofHovKil17","series-title":"LNCS","doi-asserted-by":"publisher","first-page":"341","DOI":"10.1007\/978-3-319-70500-2_12","article-title":"A Modular Analysis of the Fujisaki-Okamoto\n Transformation","volume":"10677","author":"Dennis Hofheinz","year":"2017"},{"key":"ref42:NISTPQC-R2:LEDAcrypt19","volume-title":"LEDAcrypt","author":"Marco Baldi","year":"2019"},{"key":"ref43:NISTPQC-R2:NTS-KEM19","volume-title":"NTS-KEM","author":"Martin Albrecht","year":"2019"},{"key":"ref44:EPRINT:BerPer18","volume-title":"Towards KEM Unification","author":"Daniel J. Bernstein","year":"2018"},{"key":"ref45:PQCRYPTO:Sendrier11","doi-asserted-by":"publisher","first-page":"51","DOI":"10.1007\/978-3-642-25405-5_4","article-title":"Decoding One Out of Many","author":"Nicolas Sendrier","year":"2011"},{"key":"ref46:EPRINT:Sendrier21","volume-title":"Secure Sampling of Constant-Weight Words \u2013 Application to\n BIKE","author":"Nicolas Sendrier","year":"2021"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2025,7,7]],"date-time":"2025-07-07T21:09:54Z","timestamp":1751922594000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/2\/19"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,7]]},"references-count":46,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2025,7,7]]}},"URL":"https:\/\/doi.org\/10.62056\/ak2i893y6","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,7,7]]},"assertion":[{"value":"2025-04-07","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-06-02","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-2-43"}}