International Journal of Information Security, Volume 13, Issue 1, pp 25–49

Plaintext awareness in identity-based key encapsulation

  • Mark Manulis
  • Bertram Poettering
  • Douglas Stebila
Regular Contribution

DOI: 10.1007/s10207-013-0218-5

Cite this article as:
Manulis, M., Poettering, B. & Stebila, D. Int. J. Inf. Secur. (2014) 13: 25. doi:10.1007/s10207-013-0218-5


The notion of plaintext awareness (\({\mathsf{PA}}\)) has many applications in public key cryptography: it offers unique, stand-alone security guarantees for public key encryption schemes, has been used as a sufficient condition for proving indistinguishability against adaptive chosen-ciphertext attacks (\({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)), and can be used to construct privacy-preserving protocols such as deniable authentication. Unlike many other security notions, plaintext awareness is very fragile when it comes to differences between the random oracle and standard models; for example, many implications involving \({\mathsf{PA}}\) in the random oracle model are not valid in the standard model and vice versa. Similarly, strategies for proving \({\mathsf{PA}}\) of schemes in one model cannot be adapted to the other model. Existing research addresses \({\mathsf{PA}}\) in detail only in the public key setting. This paper gives the first formal exploration of plaintext awareness in the identity-based setting and, as initial work, proceeds in the random oracle model. The focus is laid mainly on identity-based key encapsulation mechanisms (IB-KEMs), for which the paper presents the first definitions of plaintext awareness, highlights the role of \({\mathsf{PA}}\) in proof strategies of \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\) security, and explores relationships between \({\mathsf{PA}}\) and other security properties. On the practical side, our work offers the first, highly efficient, general approach for building IB-KEMs that are simultaneously plaintext-aware and \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)-secure. Our construction is inspired by the Fujisaki-Okamoto (FO) transform, but demands weaker and more natural properties of its building blocks. This result comes from a new look at the notion of \(\gamma \)-uniformity that was inherent in the original FO transform. 
We show that for IB-KEMs (and PK-KEMs), this assumption can be replaced with a weaker computational notion, which is in fact implied by one-wayness. Finally, we give the first concrete IB-KEM scheme that is \({\mathsf{PA}}\) and \({\mathsf{IND}\hbox {-}{\mathsf{CCA}}}\)-secure by applying our construction to a popular IB-KEM and optimizing it for better performance.


Keywords: Plaintext awareness, Identity-based encryption, Key encapsulation mechanism, Generic transformation

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Mark Manulis (1)
  • Bertram Poettering (2)
  • Douglas Stebila (3)

  1. Department of Computing, University of Surrey, Guildford, UK
  2. Information Security Group, Royal Holloway, University of London, Egham, UK
  3. School of Electrical Engineering and Computer Science, Science and Engineering Faculty, Queensland University of Technology, Brisbane, Australia
