Two  topics:

1. A key-encapsulation mechanism (KEM) is a set of algorithms that can be used by two parties under certain conditions to securely establish a shared secret key over a public channel. A shared secret key that is established using a KEM can then be used with symmetric-key cryptographic algorithms to perform essential tasks in secure communications, such as encryption and authentication. 

The recent standardization efforts of the National Institute of Standards and Technology (NIST) paved the road for the widespread usage of post-quantum secure KEMs in various applications. 

While the standard security notion for KEMs is IND-CCA security, it turns out that several applications require further security properties from the underlying KEM. The goal of this seminar project is to collect the different KEM security properties and to systematize our knowledge about them. This would include, example applications where the given property is relevant, relation between the properties, known KEMs that satisfy the given requirement, etc. 

Resources: 
[1] Cas Cremers, Alexander Dax, Niklas Medinger: Keeping Up with the KEMs: Stronger Security Notions for KEMs and Automated Analysis of KEM-based Protocols. CCS 2024: 1046-1060 
https://eprint.iacr.org/2023/1933.pdf 

[2] Felix Günther, Michael Rosenberg, Douglas Stebila, Shannon Veitch: Hybrid Obfuscated Key Exchange and KEMs. CRYPTO (3) 2025: 575-609 
https://eprint.iacr.org/2025/408.pdf

2. A key-encapsulation mechanism (KEM) is a set of algorithms that can be used by two parties under certain conditions to securely establish a shared secret key over a public channel. A shared secret key that is established using a KEM can then be used with symmetric-key cryptographic algorithms to perform essential tasks in secure communications, such as encryption and authentication. 

The recent standardization efforts of the National Institute of Standards and Technology (NIST) lead to the ML-KEM standard. The task of the student is to understand 
- how ML-KEM algorithms work, 
- what kind of security is achieved by ML-KEM, 
- how can we prove that ML-KEM is secure, 
- what kind of assumptions are required by the security proof and why do we trust these assumptions? 

Resources: 
[1] Jonathan Katz, Yehuda Lindell: 
Introduction to Modern Cryptography, Second Edition. CRC Press 2014, ISBN 9781466570269 

[2] Vadim Lyubashevsky: 
Basic Lattice Cryptography: The concepts behind Kyber (ML-KEM) and Dilithium (ML-DSA). IACR Cryptol. ePrint Arch. 2024 
https://ia.cr/2024/1287 

[3] National Institute of Standards and Technology. Module-lattice-based keyencapsulation mechanism standard. Technical Report Federal Information 
Processing Standards Publications (FIPS PUBS) 203, U.S. Department of Commerce, Washington, D.C., 2024. 
https://csrc.nist.gov/pubs/fips/203/final