Non-Interactive RDMPF Encapsulation

• The paper introduces a novel non-interactive key encapsulation mechanism employing RDMPF to achieve sender anonymity, content confidentiality, and forward secrecy.
• The protocol uses ephemeral intermediaries and rigorous formal proofs to ensure IND-CPA security, hint privacy, and uninterrupted key derivation.
• The deployment on the Internet Computer demonstrates practical system enhancements, including cross-subnet canister integration and certified destruction protocols.

A non-interactive RDMPF-based encapsulation is a cryptographic scheme that utilizes the rank-deficient matrix power function (RDMPF) for key encapsulation and transport key establishment in privacy-preserving architectures. Its design targets sender anonymity, content confidentiality, unlinkability, and forward secrecy, and it is implemented with ephemeral intermediaries and secure destruction protocols. Most notably, the protocol is adopted in production on the Internet Computer (ICP) as the ICPP system and features exhaustive formal security arguments and operational enhancements (Salazar, 29 Dec 2025).

1. Formal Definitions and Setup of RDMPF-KEM

The scheme operates over modular arithmetic and matrix constructs:

• Parameters: A prime $p$ (approx. 192 bits), dimension $d$ ($8 \leq d \leq 24$), $\mathbb{Z}_p = \mathbb{Z}/p\mathbb{Z}$, $\mathbb{Z}_{p-1} = \mathbb{Z}/(p-1)\mathbb{Z}$.
• Matrix Selection: Public rank-deficient base matrices $BaseX, BaseY \in \mathbb{Z}_{p-1}^{d\times d}$ with rank $d-1$ and a full-rank mixing matrix $W \in \mathbb{Z}_p^{d\times d}$.
• Public Setup: The tuple $\pi_{pub} = (p, d, BaseX, BaseY, W)$ is published.

Key Generation

Each user $U$ (sender or recipient):

• Samples %%%%10%%%%.
• Computes public matrices:
  • $P_U = (\lambda_U \cdot BaseX) \bmod (p-1)$,
  • $Q_U = (\omega_U \cdot BaseY) \bmod (p-1)$.
• The public key is $epk_U = (P_U, Q_U)$; secret key is $(\lambda_U, \omega_U)$.

Rank-deficient sampling uses random matrices to ensure target rank properties, critical for subsequent scalar-action commutativity.

Encapsulation (Non-Interactive KEM)

Given a recipient public key $epk_R$ and public context $ctx$:

1. Ephemeral sender key generation as above.
2. Nonce $\mathsf{nonce} \in \{0,1\}^{256}$ sampled.
3. Compute RDMPF tokens:
   • $T_1 = \mathrm{RDMPF}(P_S, W, Q_R)$
   • $T_2 = \mathrm{RDMPF}(P_R, W, Q_S)$
4. Compose shared secret matrix: $K_{mat} = T_1 \triangleright T_2$, where the $(i,j)$th element is $\prod_{k=1}^d T_2[k,j]^{T_1[i,k]} \bmod p$.
5. Hash $K_{mat}$ via SHA3; derive KEM seed $Z$.
6. Generate transport keys $(K_{enc}, K_{auth})$ using HKDF with info and salt.
7. Authentication tag: $$\mathsf{tag} = \mathrm{HMAC}_{K_{auth}}(\mathsf{ctx})$$.
8. Capsule formed as $C = (P_S, Q_S, \mathsf{nonce}, \mathsf{tag})$.
9. Public hint $HINT = \mathrm{SHA3}(C)$.
10. Optionally, apply AEAD encryption with $K_{enc}$.

Decapsulation

Recipient uses $sk_R$ and capsule $C$:

• Recompute $T_1, T_2$ as above.
• Compute $K_{mat}$, hash and derive $K_{enc}, K_{auth}$.
• Verify authentication tag; output $K_{enc}$ if valid, else $\bot$.

2. Mathematical Properties of the RDMPF Construction

RDMPF Definition

For $X, W, Y \in \mathbb{Z}_p^{d\times d}$:

$$\mathrm{RDMPF}(X, W, Y)_{jk} = \prod_{\ell=1}^{d}\prod_{m=1}^{d} W_{\ell m}^{X_{j\ell} Y_{mk} \bmod (p-1)} \bmod p$$

Composition Law: For $T_1, T_2 \in \mathbb{Z}_p^{d\times d}$,

$$(T_1 \triangleright T_2)_{ij} = \prod_{k=1}^{d} T_2[k,j]^{T_1[i,k]} \bmod p$$

Rank Deficiency

Rank deficiency in $BaseX, BaseY$ (rank $d-1$) enforces scalar-action commutativity (Lemma 4.1). Full rank in $W$ ensures unpredictability and security of $K_{mat}$.

This suggests the scalar-action commutativity enabled by rank deficiency is required to guarantee decaps/encaps correctness and the non-interactive property.

Correctness

Encapsulation and decapsulation steps yield identical $K_{mat}$, and hence derived $(K_{enc}, K_{auth})$ (Theorems 4.2–4.3), ensuring functional consistency.

Non-Interactivity

All computations depend solely on public keys and ephemeral random choices; no rounds of interaction are required.

3. Security Arguments and Guarantees

Confidentiality and IND-CPA

The encapsulation achieves IND-CPA security for transport key derivation (Theorem 4.10):

• $K_{mat}$ possesses high conditional min-entropy for any PPT adversary given public information.
• HKDF produces $(K_{enc}, K_{auth})$ indistinguishable from uniform.
• AEAD under $K_{enc}$ ensures IND-CPA security for the payload.

The combination $\{C, \mathrm{AEAD}_{K_{enc}}(\mathsf{payload})\}$ prevents leakage of $K_{enc}$ and message contents.

Hint Privacy

$HINT = \mathrm{SHA3}(C)$ is a 256-bit digest. Security arguments (Theorem 4.13) assert that in absence of a SHA3 inversion, adversaries cannot correlate HINT with $epk_R$ except with negligible probability ($\approx 2^{-256}$).

Forward Secrecy

Ephemeral secrets $(P_S, Q_S, \lambda_S, \omega_S, K_{enc}, K_{auth})$ persist only in memory of short-lived canisters ("I₁"/"I₂"). Witness $W$ attests to destruction ("DestructProof"). After teardown, past secrets are irrecoverable—even if RDMPF is later compromised.

4. Protocol Architecture and System Integration

Ephemeral Intermediaries and Storage

• I₁ (deposit): Receives $\{HINT, C, \mathrm{AEAD}(\mathsf{payload})\}$, writes sealed payload to storage canisters $C_i$, announces $HINT$ publicly.
• I₂ (retrieval): Pulls capsule from $C_i$ quorum, authorizes user via $\mathrm{SHA3}(K_{auth})$, delivers decrypted payload.

Public Notice and Discovery

HINT serves as the sole public identifier on the noticeboard. It does not reveal identity information for participants. Retrieval is a "pull" operation where recipients scan for HINT.

Destruction Proofs and Attestation

Each ephemeral canister issues a destruction intent, is torn down by Factory, and the ephemeral witness $W$ records proofs of destruction. Finalization binds HINT to the published proofset.

ICP-Specific Enhancements

• Dual ($n=2$) canister storage for minimal cost; the protocol generalizes to $t$-of-$n$ quorums.
• Cross-subnet deployment and distinctness enforced via $ctx$.
• Canister-Signed Receipt Nonces (CSRN) enable mutual confirmation without identity leakage.
• Zeroization of transient memory before canister destruction.

5. Security and Correctness Proofs

The protocol's security is formalized via theorems and definitions provided in the reference paper (Salazar, 29 Dec 2025):

Security Property	Mechanism/Argument	Statement
Encaps/Decaps correctness	Composition law, NIKA correctness	Both sides derive identical transport keys
IND-CPA for KEM/AEAD	cRDMPF entropy, HKDF extraction	Keys indistinguishable from uniform
Hint privacy	Non-invertibility of SHA3	HINT uncorrelated to public keys
Forward secrecy	Ephemeral secrets, attested destruction	Past keys inaccessible post-teardown
Authorization soundness	HMAC verification	Authentication tag verifies context
Timeout reclaim	DestructProof protocol	Intent and proof auditable on noticeboard

Context and Significance

These proofs establish that sender anonymity, content confidentiality, and unlinkability are maintained under standard cryptographic and threat assumptions. The protocol is tailored for the operational environment of ICP, but the design principles generalize to any infrastructure permitting ephemeral, certified-destruction components.

6. Operational Deployment and Enhancements

The non-interactive RDMPF-based encapsulation described here is implemented in production as ICPP on the Internet Computer. Extensive testing and targeted enhancements address operational features unique to ICP, including cross-subnet canister placement, low-cost quorum, and robust memory zeroization protocols. The noticeboard architecture affords public auditability, while certified destruction mechanisms provide verifiable liveness and finality.

This suggests that the RDMPF-based encapsulation can be adapted to other contexts with similar ephemeral computation and attestation capabilities, although performance and deployment details are contingent on system-level primitives.