Skip to main content
Log in

Plaintext awareness in identity-based key encapsulation

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

The notion of plaintext awareness (\({\mathsf{PA}}\)) has many applications in public key cryptography: it offers unique, stand-alone security guarantees for public key encryption schemes, has been used as a sufficient condition for proving indistinguishability against adaptive chosen-ciphertext attacks (\({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)), and can be used to construct privacy-preserving protocols such as deniable authentication. Unlike many other security notions, plaintext awareness is very fragile when it comes to differences between the random oracle and standard models; for example, many implications involving \({\mathsf{PA}}\) in the random oracle model are not valid in the standard model and vice versa. Similarly, strategies for proving \({\mathsf{PA}}\) of schemes in one model cannot be adapted to the other model. Existing research addresses \({\mathsf{PA}}\) in detail only in the public key setting. This paper gives the first formal exploration of plaintext awareness in the identity-based setting and, as initial work, proceeds in the random oracle model. The focus is laid mainly on identity-based key encapsulation mechanisms (IB-KEMs), for which the paper presents the first definitions of plaintext awareness, highlights the role of \({\mathsf{PA}}\) in proof strategies of \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\) security, and explores relationships between \({\mathsf{PA}}\) and other security properties. On the practical side, our work offers the first, highly efficient, general approach for building IB-KEMs that are simultaneously plaintext-aware and \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)-secure. Our construction is inspired by the Fujisaki-Okamoto (FO) transform, but demands weaker and more natural properties of its building blocks. This result comes from a new look at the notion of \(\gamma \)-uniformity that was inherent in the original FO transform. We show that for IB-KEMs (and PK-KEMs), this assumption can be replaced with a weaker computational notion, which is in fact implied by one-wayness. Finally, we give the first concrete IB-KEM scheme that is \({\mathsf{PA}}\) and \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)-secure by applying our construction to a popular IB-KEM and optimizing it for better performance.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15

Similar content being viewed by others

Notes

  1. By \({\mathsf{CCA}}\) in this paper, we mean adaptive chosen-ciphertext attacks, often referred to \({\mathsf{CCA2}}\).

  2. Alternative definitions of plaintext awareness in the standard model were earlier proposed by Herzog et al. [30]. They consider a specialized PKE setting where both senders and receivers generate individual secret/public key pairs and register their public keys with a trusted authority. In contrast, definitions from [35] are more standard in that they do not rely on registration authorities and assume that only recipients have public keys.

  3. Strictly speaking, naming a KEM’s property “plaintext awareness” can be misleading: KEMs do not process messages in the classical sense, but only keys. Although one could argue that key awareness would be a better name for the intended property, in this paper we stick to “plaintext awareness” that has been around in the context of PKE for the last two decades.

  4. Consider, for a justification, the following example (see also Lemma 13 for a more detailed discussion). Given an IB-KEM \(\varPi \), derive from it IB-KEM \(\varPi '\) such that \({\mathsf{Setup}}'\equiv {\mathsf{Setup}},\,{\mathsf{Extract}}'\equiv {\mathsf{Extract}}, \,{\mathsf{Encap}}'_{mpk}(id)\equiv [(c,K)\leftarrow {\mathsf{Encap}}_{mpk}(id),K'\leftarrow H(c,K),\text {return }(c,K')], \,{\mathsf{Decap}}'_{sk}(c)\equiv [K\leftarrow {\mathsf{Decap}}_{sk}(c),\text {return }H(c,K)]\), where \(H\) is an independent random oracle. Intuitively, if \(\varPi \) is plaintext-aware then so is \(\varPi '\), as a plaintext extractor \({\mathcal {K}}\) could extract \(K\) from \(c\) and then derive \(K'\leftarrow H(c,K)\). This reasoning, however, assumes that \({\mathcal {K}}\) has access to random oracle \(H\).

  5. More precisely, the schemes presented in [11, 38] are not IB-KEMs, but rather IBE schemes. In this paper we consider the IB-KEMs that underlie their (hybrid) constructions.

  6. On first sight it seems that by applying the \(H'\) hash function to intermediate key \(\overline{K}\) we lose a factor of \(q_{H'}\) in the security reduction. However, Remark 9 shows that this is not true: as \(H'(\overline{K})\) is an \(\mathsf{IND}\)-secure key, we correspondingly get tighter security for the \(\mathcal {F}\) construction.

  7. A plaintext creator is necessary when considering encryption instead of a KEM.

References

  1. Abe, M., Gennaro, R., Kurosawa, K., Shoup, V.: Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 128–146. Springer, Berlin (2005)

  2. Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K. (ed.) 30th International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2011). LNCS, vol. 6632, pp. 48–68. Springer, (2010)

  3. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO’98. LNCS, vol. 1462, pp. 26–45. Springer, Berlin (1998)

  4. Bellare, M., Palacio, A.: Towards plaintext-aware public-key encryption without random oracles. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 37–52. Springer, Berlin (2004), full version available as http://cseweb.ucsd.edu/users/mihir/papers/pa.pdf

  5. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: Santis, A.D. (ed.) EUROCRYPT’94. LNCS, vol. 950, pp. 92–111. Springer, Berlin (1994), full version available as http://www-cse.ucsd.edu/mihir/papers/oaep.html

  6. Bentahar, K., Farshim, P., Malone-Lee, J., Smart, N.P.: Generic constructions of identity-based and certificateless KEMs. J. Cryptol. 21(2), 178–199 (2008)

    Article  MATH  MathSciNet  Google Scholar 

  7. Birkett, J., Dent, A.W.: Relations among notions of plaintext awareness. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 47–64. Springer, Berlin (2008)

  8. Birkett, J., Dent, A.W.: Security models and proof strategies for plaintext-aware encryption. Manuscript. http://www.isg.rhul.ac.uk/alex/papers/plaintext_journal.pdf (2011)

  9. Blake, I., Seroussi, G., Smart, N., Cassels, J.W.S.: Advances in Elliptic Curve Cryptography (London Mathematical Society Lecture Note Series). Cambridge University Press, New York (2005)

    Book  Google Scholar 

  10. Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007)

    Article  MathSciNet  Google Scholar 

  11. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Berlin (2001)

  12. Boneh, D., Katz, J.: Improved efficiency for CCA-secure cryptosystems built using identity-based encryption. In: Menezes, A.J. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 87–103. Springer, Berlin (2005)

  13. Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identity-based techniques. In: ACM CCS 2005. pp. 320–329. ACM (2005)

  14. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Berlin (2004)

  15. Chen, L., Cheng, Z.: Security proof of Sakai-Kasahara’s identity-based encryption scheme. In: Smart, N.P. (ed.) Cryptography and Coding—10th IMA International Conference. LNCS, vol. 3796, pp. 442–459. Springer, Berlin (2005)

  16. Chen, L., Cheng, Z., Malone-Lee, J., Smart, N.P.: Efficient ID-KEM based on the Sakai–Kasahara key construction. IEE Proceedings-Information Security 153(1), 19–26 (2006, March), http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1613725&isnumber=33872

    Google Scholar 

  17. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Berlin (2002)

  18. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)

    Article  MATH  MathSciNet  Google Scholar 

  19. Dent, A.W.: A designer’s guide to KEMs. In: Paterson, K.G. (ed.) Cryptography and Coding. LNCS, vol. 2898, pp. 133–151. Springer, Berlin (2003), updated version available at http://eprint.iacr.org/2002/174

  20. Dent, A.W.: The Cramer-Shoup encryption scheme is plaintext aware in the standard model. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 289–307. Springer, Berlin (2006)

  21. Desmedt, Y., Gennaro, R., Kurosawa, K., Shoup, V.: A new and improved paradigm for hybrid encryption secure against chosen-ciphertext attack. J. Cryptol. 23(1), 91–120 (2010)

    Article  MATH  MathSciNet  Google Scholar 

  22. Di Raimondo, M., Gennaro, R., Krawczyk, H.: Deniable authentication and key exchange. In: Wright, R., De Capitani de Vimercati, S., Shmatikov, V. (eds.) ACM CCS 2006. pp. 400–409. ACM (2006), full version available as http://eprint.iacr.org/2006/280

  23. Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)

    Article  MATH  MathSciNet  Google Scholar 

  24. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO. Lecture Notes in Computer Science, vol. 196, pp. 10–18. Springer, Berlin (1984)

  25. Elkind, E., Sahai, A.: A Unified Methodology For Constructing Public-Key Encryption Schemes Secure Against Adaptive Chosen-Ciphertext Attack. Cryptology ePrint Archive, Report 2002/042 (2002), http://eprint.iacr.org/

  26. Fujisaki, E., Okamoto, T.: How to enhance the security of public-key encryption at minimum cost. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 53–68. Springer, Belin (1999)

  27. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO’99. LNCS, vol. 1666, pp. 537–554. Springer, Berlin (1999)

  28. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)

    Article  MATH  MathSciNet  Google Scholar 

  29. Herranz, J., Hofheinz, D., Kiltz, E.: Some (in)sufficient conditions for secure hybrid encryption. Inf. Comput. 208(11), 1243–1257 (2010)

    Article  MATH  MathSciNet  Google Scholar 

  30. Herzog, J., Liskov, M., Micali, S.: Plaintext awareness via key registration. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 548–564. Springer, Berlin (2003)

  31. Jiang, S., Wang, H.: Plaintext-awareness of hybrid encryption. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 57–72. Springer, Berlin (2010), full version available at http://sites.google.com/site/shaoquan0825/DHIES-8.pdf

  32. Kiltz, E.: Chosen-ciphertext security from tag-based encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 581–600. Springer, Berlin (2006)

  33. Kiltz, E., Galindo, D.: Direct chosen-ciphertext secure identity-based key encapsulation without random oracles. Theor. Comput. Sci. 410(47–49), 5093–5111 (2009)

    Google Scholar 

  34. Kitagawa, T., Yang, P., Hanaoka, G., Zhang, R., Watanabe, H., Matsuura, K., Imai, H.: Generic transforms to acquire CCA-security for identity based encryption: the cases of FOpkc and REACT. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 348–359. Springer, Berlin (2006)

  35. Kurosawa, K., Desmedt, Y.: A new paradigm of hybrid encryption scheme. In: Franklin, M. (ed.) CRYPTO. LNCS, vol. 3152, pp. 426–442. Springer, Berlin (2004)

  36. Okamoto, T., Pointcheval, D.: REACT: rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–175. Springer, Berlin (2001). vol.

  37. Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: FOCS 1999. pp. 543–553 (1999)

  38. Sakai, R., Kasahara, M.: ID based cryptosystems with pairing on elliptic curve. Cryptology ePrint archive, report 2003/054 (2003) http://eprint.iacr.org/

  39. Shoup, V.: Using hash functions as a hedge against chosen ciphertext attack. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 275–288. Springer, Berlin (2000)

  40. Teranishi, I., Ogata, W.: Relationship between standard model plaintext awareness and message hiding. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 226–240. Springer, Berlin (2006)

  41. Teranishi, I., Ogata, W.: Cramer-shoup satisfies a stronger plaintext awareness under a weaker assumption. In: Ostrovsky, R., Prisco, R.D., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 109–125. Springer, Berlin (2008)

  42. Yang, P., Kitagawa, T., Hanaoka, G., Zhang, R., Matsuura, K., Imai, H.: Applying Fujisaki-Okamoto to identity-based encryption. In: Fossorier, M.P., Imai, H., Lin, S., Poli, A. (eds.) AAECC-16 2006. LNCS, vol. 3857, pp. 183–192 (2006)

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Douglas Stebila.

Additional information

This research work is part of the bilateral research project between Germany and Australia, funded jointly by the German Academic Exchange Service (DAAD) through Grant No. 53361649 and by Australia’s Department of Innovation, Industry, Science and Research (DIISR). Mark Manulis was also supported by the German Research Foundation (DFG) through Grant MA 4096. He and Bertram Poettering wish further to acknowledge support from the Center of Advanced Security Research Darmstadt (CASED) and the European Center for Security and Privacy by Design (EC SPRIDE).

Appendices

Appendix A: Extending our results to PK-KEMs

We explore the applicability of our IB-KEM-related results from Sects. 37 to the setting of public key KEMs. A PK-KEM is generally given by a set of three algorithms: \({\mathsf{KeyGen}},\,{\mathsf{Encap}}\), and \({\mathsf{Decap}}\). We observe that IB-KEM-related definitions of syntax, secrecy (\({\mathsf{OW}[\hbox {-}{\mathsf{CCA}}]}\) and \({\mathsf{IND}[\hbox {-}{\mathsf{CCA}}]}\)), computational uniformity (\({\mathsf{cU}}\)), and plaintext awareness (\({\mathsf{PA}}\)) can readily be adapted to the PK-KEM setting by replacing in the security experiments \(({mpk}, {msk})\mathop {\leftarrow }\limits ^{\,\$}{\mathsf{Setup}}(1^k)\) by \(({pk}, {sk})\mathop {\leftarrow }\limits ^{\,\$}{\mathsf{KeyGen}}(1^k)\), and by further leaving out identities and availability of \({{\mathcal {O}}_{X}}\) oracles.

We prove in “Computational uniformity of PK-KEMs and its relation to one-wayness” in section that for these adapted definitions the implication \({\mathsf{OW}}\Rightarrow {\mathsf{cU}}\) still holds (cf. Corollary 1 in Sect. 4). Under this premise, a close inspection of our lemmas and proofs from Sects. 3 and 57 shows that their statements remain valid in the PK-KEM world. In particular, we have correspondence for Theorem 1 (\({\mathsf{OW}}\wedge {\mathsf{PA}}\Rightarrow {\mathsf{OW}\hbox {-}{\mathsf{CCA}}}\)), Corollary 2 (\(\mathcal {F}:{\mathsf{OW}}\mapsto {\mathsf{PA}}\wedge {\mathsf{OW}\hbox {-}{\mathsf{CCA}}}\)) and Theorem 3 (\(\#\circ \mathcal {F}:{\mathsf{OW}}\mapsto {\mathsf{PA}}\wedge {\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)), with slightly adapted \(\mathcal {F}\) and \(\#\) transformations. We refrain here from giving corresponding proofs as it would suffice to marginally adjust those from named sections to fit the public key setting.

In “Appendix A2” section, we adapt the optimized \(\#\circ \mathcal {F}\) transformation from Sect. 7 to the PK-KEM setting, and, for concreteness, apply this transformation to ElGamal-KEM, in “Appendix A3” section.

1.1 A.1 Computational uniformity of PK-KEMs and its relation to one-wayness

We define the notion of computational uniformity (\({\mathsf{cU}}\)) for PK-KEMs and show that it is implied by one-way security. As we did for IB-KEMs in Sect. 4, we prove this implication via an intermediate notion (\({\mathsf{CU}}\)), i.e., we prove \({\mathsf{OW}}\Rightarrow {\mathsf{CU}}\) and \({\mathsf{CU}}\Rightarrow {\mathsf{cU}}\) separately. Observe that \({\mathsf{CU}}\) is an information-theoretic notion, while the intermediate notion \({\mathsf{cCU}}\) in the identity-based setting was computational (cf. Definition 7). This difference comes from the fact that \({\mathsf{cCU}}\) is based on an adversary \({\mathcal {B}}\) that outputs an identity for which collisions among ciphertexts become noticeable. In the public key setting, however, this step becomes obsolete and we are only interested in collisions among ciphertexts generated for one specific (randomly generated) public key. As the notion of \({\mathsf{OW}}\) security is readily derived from Definition 2 by “stripping off” all parameters and oracles related to the identity-based setting, we start by defining the notion of collision uniformity (\({\mathsf{CU}}\)).

Definition 15

(Collision uniformity (\({\mathsf{CU}}\))) Let \(\varPi \) be a PK-KEM with associated spaces \(\mathtt{CoinSp},\,\mathtt{CipherSp}\), and \(\mathtt{KeySp}\). For \(k\in \mathbb {N},\,{\mathcal {H}}\in \mathsf{Hash}(k)\), and \(({pk}, {sk}) \in {\mathsf{KeyGen}}^{\mathcal {H}}(1^{k})\) define

$$\begin{aligned} \varGamma ^{\mathcal {H}}_{{pk}}\!=\!\Pr \left[ r_1,r_2\mathop {\leftarrow }\limits ^{\,\$}\mathtt{CoinSp}(k) ; {\mathsf{Encap}}^{\mathcal {H}}_{{pk}}(r_1) = {\mathsf{Encap}}^{\mathcal {H}}_{{pk}}(r_2)\right] . \end{aligned}$$

We say that \(\varPi \) is \(\varGamma \)-collision-uniform for a given function \(\varGamma :\mathbb {N}\rightarrow \mathbb {R}^{\ge 0}\) if the following probability is negligible in \(k\):

$$\begin{aligned} {\mathop {\Pr }\limits _{\mathop {{\mathcal {H}}\ \mathop {\leftarrow }\limits ^{\,\$}\ \mathsf{Hash}(k)}\limits _{({pk}, {sk})\ \mathop {\leftarrow }\limits ^{\,\$}\ {\mathsf{KeyGen}}^{\mathcal {H}}(1^{k})}}}\left[ \varGamma ^{\mathcal {H}}_{{pk}} > \varGamma (k)\right] . \end{aligned}$$

\(\varPi \) is called collision-uniform (\({\mathsf{CU}}\)) if \(\varPi \) is \(\varGamma \)-collision-uniform for all non-negligible \(\varGamma \).

Lemma 14

\(({\mathsf{OW}}\Rightarrow {\mathsf{CU}})\) Let \(\varPi \) be a PK-KEM. If \(\varPi \) is \({\mathsf{OW}}\)-secure, then \(\varPi \) is collision-uniform.

Proof

Assume that \(\varPi \) is not collision-uniform, i.e., there exists a non-negligible \(\varGamma \) such that \(\varPi \) is not \(\varGamma \)-collision-uniform. Consider adversary \({\mathcal {A}}\) against \({\mathsf{OW}}\) of \(\varPi \) from Fig. 16.

Denote by \(E\) the event that \(c'=c^*\) in line (b) of adversary \({\mathcal {A}}\). Clearly, if \(E\) occurs then also \(K'=K^*\) by correctness of \(\varPi \), and hence, \({\mathrm {Succ}}^{\mathsf{OW}}_{\varPi ,{\mathcal {A}}}(k)=\Pr [E]\). On the other hand, inspection of adversary \({\mathcal {A}}\) and \({\mathsf{OW}}\) experiment reveals that \(\Pr [E]=\varGamma ^{\mathcal {H}}_{pk}\). Let \(B\) denote the event that \(\varGamma ^{\mathcal {H}}_{pk}>\varGamma (k)\) in the execution of \({\mathsf{OW}}\) experiment. By assumption we have \(\Pr [B]>{\mathrm {negl}}(k)\). We thus obtain

$$\begin{aligned} {\mathrm {Succ}}^{\mathsf{OW}}_{\varPi ,{\mathcal {A}}}(k)&= \Pr [E] \ge \Pr [E \wedge B] = \Pr [E|B]\Pr [B]\\&> \varGamma (k) \cdot \Pr [B] > {\mathrm {negl}}(k) \end{aligned}$$

and conclude that \(\varPi \) is not \({\mathsf{OW}}\)-secure. \(\square \)

Fig. 16
figure 16

Construction of \({\mathsf{OW}}\) adversary \({\mathcal {A}}\) against \(\varPi \)

We next adapt the notion of computational uniformity (\({\mathsf{cU}}\), Definition 6) from the identity-based to the public key setting. Note that it is a (strictly weaker) variant of the uniformity notion for PKE schemes, as put forward by Fujisaki and Okamoto in [27].

Definition 16

(Computational uniformity (\({\mathsf{cU}}\))) Let \(\varPi \) be a PK-KEM with associated spaces \(\mathtt{CoinSp},\,\mathtt{CipherSp}\), and \(\mathtt{KeySp}\). For \(k\in \mathbb {N},\,{\mathcal {H}}\in \mathsf{Hash}(k),\,({pk}, {sk}) \in {\mathsf{KeyGen}}^{\mathcal {H}}(1^{k})\), and \(c\in \mathtt{CipherSp}(k)\) define

$$\begin{aligned} \gamma ^{\mathcal {H}}_{{pk}}(c)=\Pr \left[ r\mathop {\leftarrow }\limits ^{\,\$}\mathtt{CoinSp}(k);(c,\cdot )={\mathsf{Encap}}^{\mathcal {H}}_{{pk}}(r)\right] . \end{aligned}$$

For any algorithm \({\mathcal {A}}\) and function \(\gamma :\mathbb {N}\rightarrow \mathbb {R}^{\ge 0}\), consider experiment \({\mathrm {Expt}}_{\varPi , {\mathcal {A}}}^{{\mathsf{cU}},\gamma }\) from Fig. 17 and define the success probability of \({\mathcal {A}}\) as

$$\begin{aligned} {\mathrm {Succ}}^{{\mathsf{cU}},\gamma }_{\varPi ,{\mathcal {A}}}(k)=\Pr \left[ {\mathrm {Expt}}^{{\mathsf{cU}},\gamma }_{\varPi ,{\mathcal {A}}}(k) = {{\textsc {win}}}\right] . \end{aligned}$$

PK-KEM \(\varPi \) is computationally \(\gamma \)-uniform if \({\mathrm {Succ}}^{{\mathsf{cU}},\gamma }_{\varPi ,{\mathcal {A}}}(k)\) is negligible in \(k\), for all adversaries \({\mathcal {A}}\). PK-KEM \(\varPi \) is simply called computationally uniform \(({\mathsf{cU}})\) if \(\varPi \) is computationally \(\gamma \)-uniform for all non-negligible \(\gamma \).

Fig. 17
figure 17

Experiment for computational uniformity (\({\mathsf{cU}}\)) of PK-KEMs

Analogously to what we show in the identity-based setting (cf. Lemma 7), collision uniformity of PK-KEMs implies computational uniformity:

Lemma 15

\(({\mathsf{CU}}\Rightarrow {\mathsf{cU}})\) Let \(\varPi \) be a PK-KEM and \(\gamma ,\varGamma :\mathbb {N}\rightarrow \mathbb {R}^{\ge 0}\) be functions such that \(\varGamma (k)=\gamma ^2(k)\) for all \(k\). If \(\varPi \) is \(\varGamma \)-collision-uniform, then \(\varPi \) is computationally \(\gamma \)-uniform. In particular, if \(\varPi \) is collision-uniform, then \(\varPi \) is computationally uniform.

Proof

For any \(k\in \mathbb {N},\,{\mathcal {H}}\in \mathsf{Hash}(k),\,({pk}, {sk})\! \in \! {\mathsf{KeyGen}}^{\mathcal {H}}(1^{k})\), and \(c\in \mathtt{CipherSp}(k)\) we have

$$\begin{aligned} \varGamma ^{\mathcal {H}}_{{pk}}&\ge \Pr \left[ r_1,r_2\mathop {\leftarrow }\limits ^{\,\$}\mathtt{CoinSp}(k) ; {\mathsf{Encap}}^{\mathcal {H}}_{{pk}}(r_1) = (c,\cdot ) \right. \\&\quad \quad \left. = {\mathsf{Encap}}^{\mathcal {H}}_{{pk}}(r_2)\right] =\gamma ^{\mathcal {H}}_{{pk}}(c)^2. \end{aligned}$$

Now, if an adversary \({\mathcal {A}}\) against computational \(\gamma \)-uniformity of \(\varPi \) manages to output a ciphertext \(c\) such that \(\gamma ^{\mathcal {H}}_{{pk}}(c)>\gamma (k)\), then \(\varGamma ^{\mathcal {H}}_{{pk}}\ge \gamma ^{\mathcal {H}}_{{pk}}(c)^2>\gamma ^2(k)=\varGamma (k)\) holds as well. Hence, we have

$$\begin{aligned} {\mathrm {Succ}}^{{\mathsf{cU}},\gamma }_{\varPi ,{\mathcal {A}}}(k) \le {\mathop {\Pr }\limits _{\mathop {{\mathcal {H}}\ \mathop {\leftarrow }\limits ^{\,\$}\ \mathsf{Hash}(k)}\limits _{({pk}, {sk})\ \mathop {\leftarrow }\limits ^{\,\$}\ {\mathsf{KeyGen}}^{\mathcal {H}}(1^{k})}}}\left[ \varGamma ^{\mathcal {H}}_{{pk}} > \varGamma (k)\right] . \end{aligned}$$

If \(\varPi \) is \(\varGamma \)-collision-uniform then the right term is negligible, i.e., \(\varPi \) is computationally \(\gamma \)-uniform. \(\square \)

Taken together, Lemmas 14 and 15 imply the following corollary:

Corollary 3

\(({\mathsf{OW}}\Rightarrow {\mathsf{cU}})\) Let \(\varPi \) be a PK-KEM. If \(\varPi \) is \({\mathsf{OW}}\)-secure, then \(\varPi \) is computationally uniform.

1.2 A.2 Obtaining plaintext awareness for PK-KEMs

In Sects. 5 and 6, we developed techniques that convert any \({\mathsf{OW}}\)-secure IB-KEM into a plaintext-aware \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)-secure one. This conversion was further optimized (in regards to efficiency) in Sect. 7. In the PK-KEM setting, we directly propose an optimized transformation that turns any \({\mathsf{OW}}\)-secure PK-KEM into one that offers plaintext awareness and \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\) security.

Definition 17

(Optimized transformation for PK-KEMs) Let \(\varPi =({\mathsf{KeyGen}}, {\mathsf{Encap}}, {\mathsf{Decap}})\) be a PK-KEM with random oracles \({\mathcal {H}}\) and associated spaces \(\mathtt{CoinSp},\,\mathtt{CipherSp}\), and \(\mathtt{KeySp}\). Let \(H:\{0,1\}^k\rightarrow \mathtt{CoinSp},\,H',H^\#:\mathtt{KeySp}\rightarrow \{0,1\}^k\) be three hash functions (independent of \({\mathcal {H}}\)), modeled as random oracles in the security analysis. Then PK-KEM \(\varPi ^+=({\mathsf{KeyGen}}^{+}, {\mathsf{Encap}}^{+}, {\mathsf{Decap}}^{+})\) is specified in Fig. 18, with random oracles \({\mathcal {H}}' = {\mathcal {H}}\cup \{ H,H',H^{\#} \}\) and associated spaces \(\mathtt{CoinSp}^+=\{0,1\}^k,\mathtt{CipherSp}^+{\!=}\mathtt{CipherSp}\times \{0,1\}^k\), and \(\mathtt{KeySp}^+{\!=}\{0,1\}^k\).

Fig. 18
figure 18

Adaption of the optimized transformation for IB-KEMs from Fig. 13 to the PK-KEM setting. Queries to hash functions other than \(H,H',H^\#\) are relayed without modification

As, in Fig. 18, hash functions \(H'\) and \(H^\#\) are evaluated solely on \(\overline{K}\) (respectively, on \(\hat{K}\)), computing them via a single call to a double-length hash function \(H'\!\parallel \!H^\#:\mathtt{KeySp}(k)\rightarrow \{0,1\}^k\times \{0,1\}^k\) is possible and reduces the total number of required hash functions to just two. The security of the transformation is established as in Theorem 4:

Theorem 7

(Def. 17 : \({\mathsf{OW}}\mapsto {\mathsf{PA}}\wedge {\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)) Let \(\varPi \) be a PK-KEM and \(\varPi ^+\) its conversion. If \(\varPi \) is \({\mathsf{OW}}\)-secure, then PK-KEM \(\varPi ^+\) is plaintext-aware and \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)-secure.

1.3 A.3 Plaintext-aware and \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)-secure ElGamal-PK-KEM

We apply the transformation from Definition 17 to ElGamal’s PK-KEM [24]. The latter scheme is \({\mathsf{OW}}\)-secure under the CDH assumption.

Definition 18

(ElGamal-PK-KEM) Let \(G=\langle g\rangle \) denote a cyclic group of prime order \(q\). The ElGamal key encapsulation mechanism \(\varPi = ({\mathsf{KeyGen}}, {\mathsf{Encap}},{\mathsf{Decap}})\) is specified in Fig. 19 (left part). We have \(\mathtt{CoinSp}(k)=\mathbb {Z}_q,\,\mathtt{CipherSp}(k)=G\), and \(\mathtt{KeySp}(k)=G\).

Fig. 19
figure 19

Specification of \(\varPi =\) ElGamal-PK-KEM and \(\varPi ^+=\) ElGamal-PK-KEM\(^+\). Observe that \(\varPi ^+\) is constructed from \(\varPi \) following the stencil from Fig. 18

Our transformation turns ElGamal-PK-KEM into ElGamal-PK-KEM\(^+\):

Definition 19

(ElGamal-PK-KEM \(^+\)) Let \(G=\langle g\rangle \) denote a cyclic group of prime order \(q\). ElGamal-PK-KEM\(^+\) is specified in Fig. 19 (right part), where \(H:\{0,1\}^k\rightarrow \mathbb {Z}_q\) and \(H',H^\#:G\rightarrow \{0,1\}^k\) denote hash functions, \(\mathtt{CoinSp}^+(k)=\{0,1\}^k,\,\mathtt{CipherSp}^+(k)=G\times \{0,1\}^k\), and \(\mathtt{KeySp}^+(k)=\{0,1\}^k\).

Security of ElGamal-PK-KEM\(^+\) is established by Theorem 7:

Theorem 8

ElGamal-PK-KEM\(^+\) is plaintext-aware \(({\mathsf{PA}})\) and \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)-secure under the CDH assumption in the random oracle model.

Decapsulation in ElGamal-PK-KEM\(^+\) takes one more exponentiation than decapsulation in the original scheme, i.e., the overhead introduced by the transformation is small. The length of ciphertexts is increased by only \(k\) bits and all newly introduced hash functions \(H,H',H^\#\) are straight-forward to instantiate.

Appendix B: An approach toward identity-based plaintext awareness in standard model

For completeness, we briefly discuss the feasibility of lifting the standard model definition of plaintext awareness of PKE to the identity-based setting. We will focus only on the strongest variant (\({\mathsf{PA2}}\)), studied extensively by Bellare and Palacio in [4]. In particular, it is proven in [4] that, for PKE, notions \({\mathsf{PA2}}\) and \({\mathsf{IND}\hbox {-}\mathsf{CPA}}\) together imply \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\), in standard model.

Plaintext awareness in the standard model is defined through the interplay of four efficient algorithms: \(C,\,C^*,\,P\), and \(D\). The roles of the ciphertext creator \(C\) and plaintext extractor \(C^*\) remain as in Definition 4 (we drop the names \({\mathcal {A}}\) and \({\mathcal {K}}\) for consistency with [4]); new are the plaintext creator \(P\) that provides \(C\) with fresh ciphertexts of (partially) unknown content,Footnote 7 and a distinguisher \(D\). We formalize our variant of \({\mathsf{PA2}}\) for an IBE scheme \(\varPi \) in Definition 20 and Fig. 20, basing on [4, Definition 3]. The intuition is as follows.

Fig. 20
figure 20

Plaintext awareness experiment \({\mathsf{PA2}}\) (standard model) for IBE. We require that \(C\) does not query \({{\mathcal {O}}_D}\) on \((id,c)\) pairs contained in \(\mathsf {CList}\). We further assume that \(\mathsf {XList}\) and \(\mathsf {CList}\) implicitly add the number of the corresponding query to the entries they hold. This is required to allow \(C^*\) to recover the order in which the two lists are populated

Considering first experiment \({\mathrm {Expt}}^{{\mathsf{PA2}}-\mathsf{d}}\), the ciphertext creator \(C\) is run on input a master public key and given access to extraction, decryption, and encryption oracles. As the experiment has access to \({msk}\), queries to \({{\mathcal {O}}_{X}}\) and \({{\mathcal {O}}_D}\) can be perfectly simulated. Observe that encryption oracle \({{\mathcal {O}}_E}\) employs plaintext creator \(P\) to craft ciphertexts for which \(C\) does not know the randomness used in the encryption, and for which \(C\) has only partial control over the encrypted message (think of a distribution of messages being encoded in \(Q\); for details see [4]). Eventually, \(C\) outputs a string \(x\) which is converted by distinguisher \(D\) into the output of the experiment. Now, if IBE \(\varPi \) is plaintext-aware, then all queries to \({{\mathcal {O}}_D}\) should be simulatable by \(C\) itself. This ability is explored in \({\mathrm {Expt}}^{{\mathsf{PA2}}-\mathsf{x}}\), where plaintext extractor \(C^*\) aims at correctly answering decryption queries posed by \(C\). To have a fair chance in fulfilling this task, \(C^*\) gets the same inputs as \(C\), including \(C\)’s random coins \(R_C\) and all answers of oracle queries. Intuitively, \(\varPi \) is plaintext-aware if \(C^*\) succeeds in simulating \({{\mathcal {O}}_D}\) without \(C\) noticing it, i.e., if \({\mathrm {Expt}}^{{\mathsf{PA2}}-\mathsf{d}}\) and \({\mathrm {Expt}}^{{\mathsf{PA2}}-\mathsf{x}}\) are indistinguishable.

Definition 20

(\({\mathsf{PA2}}\) for IBE) Let \(\varPi \) be an IBE scheme. Let \(C\) be a ciphertext creator, \(P\) be a plaintext creator, \(D\) be a distinguisher, and \(C^*\) be a plaintext extractor. We define the \({\mathsf{PA2}}\)-advantage of \((C,P,D,C^*)\) for \(\varPi \) as

$$\begin{aligned} {\mathrm {Advt}}_{\varPi ,C,P,D,C^{*}}^{{\mathsf{PA2}}}(k)&= \left| \Pr \left[ {\mathrm {Expt}}_{\varPi , C,P,D}^{{\mathsf{PA2}}-\mathsf{d}}(k) = 1 \right] \right. \\&- \left. \Pr \left[ {\mathrm {Expt}}_{\varPi ,C,P,D,C^{*}}^{{\mathsf{PA2}}-\mathsf{x}}(k) = 1 \right] \right| . \end{aligned}$$

We say that \(C^*\) is successful for \(C\) if, for all efficient \(P\) and \(D\), function \({\mathrm {Advt}}_{\varPi ,C,P,D,C^{*}}^{{\mathsf{PA2}}}\) is negligible. Further, we say that \(\varPi \) is plaintext-aware (in the standard model) if for all efficient \(C\) there exists a successful \(C^*\).

The analyses of [4] do not cover the case of \({\mathsf{PA2}}\) in the IBE setting. The following result can be obtained by adapting the corresponding proof of [4, Theorem 2].

Conjecture 1

(\({\mathsf{IND}\hbox {-}\mathsf{CPA}}\wedge {\mathsf{PA2}}\Rightarrow {\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\) for IBE) Let \(\varPi \) be an IBE scheme. If \(\varPi \) is both \({\mathsf{IND}\hbox {-}\mathsf{CPA}}\)-secure and \({\mathsf{PA2}}\)-plaintext-aware, then \(\varPi \) is also \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)-secure.

Appendix C: Auxiliary lemmas

Lemma 16

Let \(0\le p\le 1\) be a real number. Let \(E_1,\ldots ,E_n\) be a set of events that occur with at least probability \(p\), i.e., \(\Pr [E_i]\ge p\) for all \(1\le i\le n\). Then event \(E=E_1\wedge \ldots \wedge E_n\) occurs with probability at least \(1-n(1-p)\).

Proof

We have \(\Pr [E]=1-\Pr [\lnot E]=1-\Pr [\lnot E_1\vee \ldots \vee \lnot E_n]\ge 1-\sum _{i=1}^n\Pr [\lnot E_i]\ge 1-n(1-p)\). \(\square \)

Lemma 17

Let \(S_0,S_1,E\) be events that satisfy \(\Pr [S_0\vert \lnot E]=\Pr [S_1\vert \lnot E]\). Then we have \(\Pr [E]\ge \left| \Pr [S_0]-\Pr [S_1]\right| \).

Proof

We have

$$\begin{aligned} |\Pr [S_0]-\Pr [S_1]|&= |\Pr [S_0\vert E]\Pr [E]+\Pr [S_0\vert \lnot E]\Pr [\lnot E]\\&-\Pr [S_1\vert E]\Pr [E]-\Pr [S_1\vert \lnot E]\Pr [\lnot E]|\\&= |\Pr [S_0\vert E]\Pr [E]-\Pr [S_1\vert E]\Pr [E]|\\&= |\Pr [S_0\vert E]-\Pr [S_1\vert E]|\cdot \Pr [E]\\&\le \Pr [E]. \end{aligned}$$

\(\square \)

Rights and permissions

Reprints and permissions

About this article

Cite this article

Manulis, M., Poettering, B. & Stebila, D. Plaintext awareness in identity-based key encapsulation. Int. J. Inf. Secur. 13, 25–49 (2014). https://doi.org/10.1007/s10207-013-0218-5

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-013-0218-5

Keywords

Navigation