International Journal of Information Security, Volume 13, Issue 1, pp 25-49
Plaintext awareness in identity-based key encapsulation
- Mark Manulis, Department of Computing, University of Surrey
- Bertram Poettering, Information Security Group, Royal Holloway, University of London
- Douglas Stebila, School of Electrical Engineering and Computer Science, Science and Engineering Faculty, Queensland University of Technology
Abstract
The notion of plaintext awareness (\({\mathsf{PA}}\)) has many applications in public key cryptography: it offers unique, stand-alone security guarantees for public key encryption schemes, has been used as a sufficient condition for proving indistinguishability against adaptive chosen-ciphertext attacks (\({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)), and can be used to construct privacy-preserving protocols such as deniable authentication. Unlike many other security notions, plaintext awareness is very fragile when it comes to differences between the random oracle and standard models; for example, many implications involving \({\mathsf{PA}}\) in the random oracle model are not valid in the standard model and vice versa. Similarly, strategies for proving \({\mathsf{PA}}\) of schemes in one model cannot be adapted to the other model. Existing research addresses \({\mathsf{PA}}\) in detail only in the public key setting. This paper gives the first formal exploration of plaintext awareness in the identity-based setting and, as initial work, proceeds in the random oracle model. The focus is laid mainly on identity-based key encapsulation mechanisms (IB-KEMs), for which the paper presents the first definitions of plaintext awareness, highlights the role of \({\mathsf{PA}}\) in proof strategies of \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\) security, and explores relationships between \({\mathsf{PA}}\) and other security properties. On the practical side, our work offers the first, highly efficient, general approach for building IB-KEMs that are simultaneously plaintext-aware and \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)-secure. Our construction is inspired by the Fujisaki-Okamoto (FO) transform, but demands weaker and more natural properties of its building blocks. This result comes from a new look at the notion of \(\gamma \)-uniformity that was inherent in the original FO transform. 
We show that for IB-KEMs (and PK-KEMs), this assumption can be replaced with a weaker computational notion, which is in fact implied by one-wayness. Finally, we give the first concrete IB-KEM scheme that is \({\mathsf{PA}}\) and \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)-secure by applying our construction to a popular IB-KEM and optimizing it for better performance.
Keywords
Plaintext awareness, Identity-based encryption, Key encapsulation mechanism, Generic transformation
- Cover Date: 2014-02
- DOI: 10.1007/s10207-013-0218-5
- Print ISSN: 1615-5262
- Online ISSN: 1615-5270
- Publisher: Springer Berlin Heidelberg
- Authors: Mark Manulis (1), Bertram Poettering (2), Douglas Stebila (3)
- Author Affiliations
- 1. Department of Computing, University of Surrey, Guildford, Surrey, GU2 7XH, UK
- 2. Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, UK
- 3. School of Electrical Engineering and Computer Science, Science and Engineering Faculty, Queensland University of Technology, GPO Box 2434, Brisbane, QLD, Australia