Home

KEMs

A key encapsulation mechanism (KEM) is a public-key cryptographic primitive designed to securely establish a symmetric key between two parties. Using the recipient’s public key, a sender encapsulates a randomly chosen secret key into a ciphertext. The recipient, possessing the corresponding private key, decapsulates the ciphertext to recover the same secret key. The recovered key is then used to derive a symmetric encryption key for subsequent data confidentiality. KEMs enable public-key cryptography to provide confidential key exchange without directly encrypting the actual data.

A KEM defines three core operations: KeyGen, Encapsulate, and Decapsulate. KeyGen generates a public/private key pair.

Security and design considerations rely on hardness assumptions from underlying mathematics, such as lattice problems for

Applications include post-quantum secure key exchange and standardized efforts like the NIST post-quantum cryptography program. Notable

Encapsulate
takes
a
recipient’s
public
key
and
outputs
a
pair
(K,
C),
where
K
is
the
shared
secret
and
C
is
the
encapsulation
ciphertext.
Decapsulate
takes
C
and
the
private
key
to
recover
K.
Many
KEMs
aim
for
IND-CCA
security,
meaning
that
even
with
access
to
a
decryption
oracle,
an
adversary
cannot
distinguish
the
derived
key
from
random,
provided
the
ciphertext
has
not
been
tampered
with.
lattice-based
KEMs,
coding
theory
problems
for
code-based
KEMs,
or
isogeny
problems
for
isogeny-based
KEMs.
In
practice,
KEMs
are
often
used
in
conjunction
with
a
key
derivation
function
to
produce
a
robust
symmetric
key
and
are
a
component
of
hybrid
encryption
schemes.
families
include
lattice-based
KEMs
(e.g.,
Kyber,
FrodoKEM),
code-based
variants,
and
isogeny-based
variants
derived
from
SIDH/SIKE.
KEMs
are
commonly
used
to
enable
secure
key
exchange
before
symmetric
encryption
of
the
message.