Abstract
In this paper we investigate the topic of integrated public-key encryption (PKE) and public-key encryption with keyword search (PEKS) schemes (PKE–PEKS for short). We first formalize the strongest security notion to date for PKE–PEKS schemes, named joint CCA-security. We then propose two simple constructions of jointly CCA-secure PKE–PEKS schemes from anonymous (hierarchical) identity-based encryption schemes. In addition, we define the notion of consistency for PKE–PEKS schemes and revisit its related notions (including consistency of PEKS schemes, and robustness and collision-freeness of IBE schemes), which may be of independent interest.
Notes
In the PEKS setting, “plaintext” in fact means “keyword”. We slightly abuse this term where the meaning is clear from the context.
An integrated PKE and PEKS scheme is also known as a combined PKE/PEKS scheme.
This combined CCA-security notion could be made stronger by giving the adversary access to an additional token oracle. We believe the absence of the token oracle is probably a careless mistake.
Our constructions also make use of a one-time signature scheme, but such a scheme can be derived from one-way functions, which in turn are implied by CPA-secure encryption.
We believe the two-key PKE–PEKS construction sketched in [3] is also jointly CCA-secure.
Here, “non-interactive” means that both token generation and keyword search are done in a non-interactive manner. We emphasize that indistinguishability-style keyword hiding is possible in the interactive setting: Boneh et al. [14] constructed a PEKS scheme allowing Private Information Retrieval [36], which hides all the information including the keyword.
According to the convention of IBE, the decryption key \(dk\) is usually denoted by \(sk\) and referred to as the private key. In this work we reserve the symbol \(sk\) for the secret key of PKE, PEKS, and PKE–PEKS schemes, and call the private key of IBE schemes the decryption key to avoid confusion.
References
Abdalla M., Bellare M., Rogaway P.: The oracle Diffie–Hellman assumptions and an analysis of DHIES. In: Naccache D. (ed.) Topics in Cryptology—CT-RSA 2001. Lecture Notes in Computer Science, vol. 2020, pp. 143–158. Springer, Berlin (2001).
Abdalla M., Bellare M., Catalano D., Kiltz E., Kohno T., Lange T., Malone-Lee J., Neven G., Paillier P., Shi H.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. J. Cryptol. 21(3), 350–391 (2008).
Abdalla M., Bellare M., Neven G.: Robust encryption. In: Micciancio D. (ed.) TCC 2010. Lecture Notes in Computer Science, vol. 5978, pp. 480–497. Springer, Berlin (2010).
Agrawal S., Boneh D., Boyen X.: Efficient lattice (H)IBE in the standard model. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110, pp. 553–572. Springer, Berlin (2010).
Baek J., Safavi-Naini R., Susilo W.: On the integration of public key data encryption and public key encryption with keyword search. In: Katsikas S.K., Lopez J., Backes M., Gritzalis S., Preneel B. (eds.) Information Security, 9th International Conference, ISC 2006. Lecture Notes in Computer Science, vol. 4176, pp. 217–232. Springer, Berlin (2006).
Boneh D., Boyen X.: Efficient selective-ID secure identity based encryption without random oracles. In: Cachin C., Camenisch J.L. (eds.) Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027, pp. 223–238. Springer, Berlin (2004).
Boneh D., Boyen X.: Short signatures without random oracles. In: Cachin C., Camenisch J. (eds.) Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027, pp. 56–73. Springer, Berlin (2004).
Boneh D., Boyen X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptol. 21(2), 149–177 (2008).
Boneh D., Franklin M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32, 586–615 (2003).
Boneh D., Waters B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan S.P. (ed.) Theory of Cryptography, 4th Theory of Cryptography Conference, TCC 2007. Lecture Notes in Computer Science, vol. 4392, pp. 535–554. Springer, Berlin (2007).
Boneh D., Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007).
Boneh D., Di Crescenzo G., Ostrovsky R., Persiano G.: Public key encryption with keyword search. In: Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3621, pp. 506–522. Springer, Berlin (2004).
Boneh D., Gentry C., Hamburg M.: Space-efficient identity based encryption without pairings. In: 48th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2007, pp. 647–657. IEEE Computer Society (2007).
Boneh D., Kushilevitz E., Ostrovsky R., Skeith III W.E.: Public key encryption that allows PIR queries. In: Menezes A. (ed.) Advances in Cryptology—CRYPTO 2007. Lecture Notes in Computer Science, vol. 4622, pp. 50–67. Springer, Berlin (2007).
Boneh D., Raghunathan A., Segev G.: Function-private identity-based encryption: hiding the function in functional encryption. In: Canetti R., Garay J.A. (eds.) Advances in Cryptology—CRYPTO 2013. Lecture Notes in Computer Science, vol. 8043, pp. 461–478. Springer, Berlin (2013).
Boyen X.: Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Nguyen P.Q., Pointcheval D. (eds.) Public Key Cryptography—PKC 2010. Lecture Notes in Computer Science, vol. 6056, pp. 499–517. Springer, Berlin (2010).
Boyen X., Waters B.: Anonymous hierarchical identity-based encryption (without random oracles). In: Dwork C. (ed.) Advances in Cryptology—CRYPTO 2006. Lecture Notes in Computer Science, vol. 4117, pp. 290–307. Springer, Berlin (2006).
Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity based encryption. In: Cachin C., Camenisch J.L. (eds.) Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027, pp. 207–222. Springer, Berlin (2004).
Cash D., Hofheinz D., Kiltz E., Peikert C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110, pp. 523–552. Springer, Berlin (2010).
Cocks C.: An identity based encryption scheme based on quadratic residues. In: Cryptography and Coding, 8th IMA International Conference. Lecture Notes in Computer Science, vol. 2260, pp. 360–363. Springer, Berlin (2001).
Cramer R., Shoup V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen L.R. (ed.) Advances in Cryptology—EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2332, pp. 45–64. Springer, Berlin (2002).
De Caro A., Iovino V., Persiano G.: Fully secure anonymous HIBE and secret-key anonymous IBE with short ciphertexts. In: 4th International Conference—Pairing-Based Cryptography—Pairing 2010. Lecture Notes in Computer Science, vol. 6487, pp. 347–366. Springer, Berlin (2010).
Di Crescenzo G., Saraswat V.: Public key encryption with searchable keywords based on Jacobi symbols. In: Srinathan K., Rangan C.P., Yung M. (eds.) Progress in Cryptology—INDOCRYPT 2007. Lecture Notes in Computer Science, vol. 4859, pp. 282–296. Springer, Berlin (2007).
Dodis Y., Katz J.: Chosen-ciphertext security of multiple encryption. In: Kilian J. (ed.) Theory of Cryptography, TCC 2005. Lecture Notes in Computer Science, vol. 3378, pp. 188–209. Springer, Berlin (2005).
Dolev D., Dwork C., Naor M.: Non-malleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000).
ElGamal T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31, 469–472 (1985).
Farshim P., Libert B., Paterson K.G., Quaglia E.A.: Robust encryption, revisited. In: Kurosawa K., Hanaoka G. (eds.) Public-Key Cryptography—PKC 2013. Lecture Notes in Computer Science, vol. 7778, pp. 352–368. Springer, Berlin (2013).
Fuhr T., Paillier P.: Decryptable searchable encryption. In: Susilo W., Liu J.K., Mu Y. (eds.) Provable Security, First International Conference, ProvSec 2007. Lecture Notes in Computer Science, vol. 4784, pp. 228–236. Springer, Berlin (2007).
Gentry C., Silverberg A.: Hierarchical ID-based cryptography. In: Zheng Y. (ed.) Advances in Cryptology—ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501, pp. 548–566. Springer, Berlin (2002).
Gentry C.: Practical identity-based encryption without random oracles. In: Vaudenay S. (ed.) Advances in Cryptology—EUROCRYPT 2006. Lecture Notes in Computer Science, vol. 4004, pp. 445–464. Springer, Berlin (2006).
Gentry C., Peikert C., Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC 2008), pp. 197–206. ACM Press, New York (2008).
Haber S., Pinkas B.: Securely combining public-key cryptosystems. In: Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS 2001), pp. 215–224. ACM Press, New York (2001).
Hofheinz D., Weinreb E.: Searchable encryption with decryption in the standard model. IACR Cryptology ePrint Archive, Report 2008/423 (2008). http://eprint.iacr.org/2008/423. Accessed 25 June 2012.
Horwitz J., Lynn B.: Toward hierarchical identity-based encryption. In: Advances in Cryptology—EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2322, pp. 466–481. Springer, Berlin (2002).
Krawczyk H., Rabin T.: Chameleon signatures. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2000). The Internet Society, San Diego (2000).
Kushilevitz E., Ostrovsky R.: Replication is not needed: single database, computationally-private information retrieval. In: 38th Annual Symposium on Foundations of Computer Science (FOCS 1997), pp. 364–373. IEEE Computer Society, Los Alamitos (1997).
Micciancio D., Peikert C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval D., Johansson T. (eds.) Advances in Cryptology—EUROCRYPT 2012. Lecture Notes in Computer Science, vol. 7237, pp. 700–718. Springer, Berlin (2012).
Mohassel P.: A closer look at anonymity and robustness in encryption schemes. In: Masayuki A. (ed.) Advances in Cryptology—ASIACRYPT 2010. Lecture Notes in Computer Science, vol. 6477, pp. 501–518. Springer, Berlin (2010).
Nishioka M.: Perfect keyword privacy in PEKS systems. In: Provable Security—6th International Conference (ProvSec 2012). Lecture Notes in Computer Science, vol. 7496, pp. 175–192. Springer, Berlin (2012).
Okamoto T., Pointcheval D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim K. (ed.) Proceedings of Public Key Cryptography—PKC 2001. Lecture Notes in Computer Science, vol. 1992, pp. 104–118. Springer, Berlin (2001).
Paterson K.G., Schuldt J.C.N., Stam M., Thomson S.: On the joint security of encryption and signature, revisited. In: Lee D.H., Wang X. (eds.) Advances in Cryptology—ASIACRYPT 2011. Lecture Notes in Computer Science, vol. 7073, pp. 161–178. Springer, Berlin (2011).
Sakai R., Kasahara M.: ID based cryptosystems with pairing on elliptic curve. Cryptology ePrint Archive, Report 2003/054 (2003). http://eprint.iacr.org/2003/054. Accessed 25 June 2012.
Seo J.H., Cheon J.H.: Fully secure anonymous hierarchical identity-based encryption with constant size ciphertexts. IACR Cryptology ePrint Archive, Report 2011/021 (2011). http://eprint.iacr.org/2011/021. Accessed 25 June 2012.
Shoup V.: A proposal for an ISO standard for public key encryption. IACR Cryptology ePrint Archive, Report 2001/112 (2001). http://eprint.iacr.org/2001/112. Accessed 25 June 2012.
Waters B.: Efficient identity-based encryption without random oracles. In: Advances in Cryptology—EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 114–127. Springer, Berlin (2005).
Zhang R., Imai H.: Generic combination of public key encryption with keyword search and public key encryption. In: Wang H., Xing C. (eds.) Cryptology and Network Security, 6th International Conference, CANS 2007. Lecture Notes in Computer Science, vol. 4856, pp. 159–174. Springer, Berlin (2007).
Acknowledgments
Yu Chen is supported by the National Natural Science Foundation of China under Grant No. 61303257, 61379141, the Strategic Priority Research Program of CAS under Grant No. XDA06010701, and the National 973 Program of China under Grant No. 2011CB302400. Jiang Zhang and Zhenfeng Zhang are sponsored by the National Basic Research Program of China under Grant No. 2013CB338003, and the National Natural Science Foundation of China under Grant No. 61170278, 91118006. We are grateful to Zongyang Zhang, Qiong Huang, and Sherman S.M. Chow for helpful discussions. We also thank the anonymous DCC reviewers for many useful comments.
Communicated by R. Steinwandt.
Appendix: Review of standard definitions
1.1 Public-key encryption with keyword search
A non-interactive PEKS scheme [12] consists of four PPT algorithms as follows:

\(\mathsf {KeyGen}(\kappa )\): take as input a security parameter \(\kappa \), output a public/secret key pair \((pk, sk)\). Let \(W\) be the set of all possible keywords.

\(\mathsf {Encrypt}(pk, w)\): take as input a public key \(pk\) and a keyword \(w \in W\), output a ciphertext \(s\).

\(\mathsf {TokenGen}(sk, w)\): take as input a secret key \(sk\) and a keyword \(w \in W\), output a token \(t_w\).

\(\mathsf {Test}(t_w, s)\): take as input a token \(t_w\) and a ciphertext \(s \leftarrow \mathsf {Encrypt}(pk, w')\), output 1 if \(w' = w\) and 0 otherwise.
The IND-PEKS-CPA security for PEKS schemes is defined by the following experiment:
Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa )\) to generate \((pk, sk)\) and gives \(\mathcal {A}\) the public key \(pk\).
Phase 1: \(\mathcal {A}\) can adaptively make token queries \(\langle w \rangle \). \(\mathcal {CH}\) responds with \(t_w \leftarrow \mathsf {TokenGen}(sk, w)\).
Challenge: \(\mathcal {A}\) outputs two distinct keywords \(w_0^*, w_1^* \in W\) subject to the restriction that they had not been asked for tokens in Phase 1. \(\mathcal {CH}\) picks a random bit \(b\) and sends \(c^* \leftarrow \mathsf {Encrypt}(pk, w_b^*)\) to \(\mathcal {A}\) as the challenge ciphertext.
Phase 2: \(\mathcal {A}\) can adaptively make more token queries \(\langle w \rangle \) subject to the restriction that \(w \ne w_0^*, w_1^*\). \(\mathcal {CH}\) responds the same way as in Phase 1.
Guess: \(\mathcal {A}\) outputs a guess \(b'\) for \(b\) and succeeds if \(b' = b\). We denote this event by \({\mathsf {SuccA}}\) and define \(\mathcal {A}\)’s advantage as \(\mathrm {Adv}_{\mathcal {A}, \text {PEKS}}^{\text {IND-CPA}}(\kappa ) \mathop {=}\limits ^{\mathrm{def}} \Pr [{\mathsf {SuccA}}] - 1/2\).
Definition 8.1
A PEKS scheme is \((t, q_w, \epsilon )\) IND-PEKS-CPA secure if all \(t\)-time adversaries making at most \(q_w\) token queries have advantage at most \(\epsilon \) in the above experiment.
The IND-PEKS-CCA security for PEKS schemes is defined by a similar experiment in which the adversary additionally has access to a test oracle, which on input \(\langle c, w \rangle \) determines whether \(c\) is an encryption of \(w\). To avoid triviality, the test queries \(\langle c^*, w_0^* \rangle \) and \(\langle c^*, w_1^* \rangle \) are not allowed in Phase 2.
Definition 8.2
A PEKS scheme is \((t, q_w, q_t, \epsilon )\) IND-PEKS-CCA secure if all \(t\)-time adversaries making at most \(q_w\) token queries and at most \(q_t\) test queries have advantage at most \(\epsilon \) in the IND-PEKS-CCA experiment.
1.2 Hierarchical identity-based encryption
Hierarchical identity-based encryption (HIBE) [29, 34] is a generalization of IBE [9] to identities with a hierarchical structure. In an HIBE scheme, identities are hierarchical and take the form \(id = (id_1, id_2, \dots )\). Each user in the hierarchy can act as a local key-generation authority for all subordinate hierarchical identities. An HIBE scheme consists of five PPT algorithms as follows:

\(\mathsf {KeyGen}(\kappa , \ell )\): take as input a security parameter \(\kappa \) and a parameter \(\ell \) for the maximum depth of the HIBE, output a master public/secret key pair \((mpk, msk)\). Let \(I\) be the identity space, \(M\) be the message space, and \(C\) be the ciphertext space. We assume \(mpk\) is used as an implicit input for the algorithms \(\mathsf {Extract}\), \(\mathsf {Derive}\), and \(\mathsf {Decrypt}\).

\(\mathsf {Extract}(msk, id)\): take as input \(msk\) and an identity \(id \in I\), output a decryption key \(dk_{id}\) (see footnote 8).

\(\mathsf {Derive}(dk_{id}, id')\): take as input a decryption key \(dk_{id}\) for identity \(id = (id_1, \dots , id_{j-1})\) of depth \(j-1\) and an identity \(id' = (id_1, \dots , id_j)\) of depth \(j\), output a decryption key \(dk_{id'}\) for \(id'\).

\(\mathsf {Encrypt}(mpk, id, m)\): take as input \(mpk\), an identity \(id \in I\), and a message \(m \in M\), output a ciphertext \(c \in C\).

\(\mathsf {Decrypt}(dk_{id}, c)\): take as input a decryption key \(dk_{id}\) for identity \(id\) and a ciphertext \(c \in C\), output a message \(m \in M\) or a reject symbol \(\bot \) indicating \(c\) is invalid.
The basic security notion for HIBE schemes is indistinguishability against adaptive chosen-plaintext attack (IND-HIBE-CPA), which is defined by the following experiment:
Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa , \ell )\) to generate \((mpk, msk)\) and gives \(\mathcal {A}\) the master public key \(mpk\).
Phase 1: \(\mathcal {A}\) can adaptively make decryption key extraction queries \(\langle id \rangle \). \(\mathcal {CH}\) responds with \(dk_{id} \leftarrow \mathsf {Extract}(msk, id)\).
Challenge: \(\mathcal {A}\) outputs two distinct messages \(m_0^*\), \(m_1^*\) and an identity \(id^*\) subject to the restriction that no prefix of \(id^*\) has been queried for a decryption key in Phase 1. \(\mathcal {CH}\) randomly picks a bit \(b\) and sends \(c^* \leftarrow \mathsf {Encrypt}(mpk, id^*, m_b^*)\) to \(\mathcal {A}\) as the challenge ciphertext.
Phase 2: \(\mathcal {A}\) can adaptively make more decryption key extraction queries \(\langle id \rangle \) subject to the restriction that \(id\) is not a prefix of \(id^*\). \(\mathcal {CH}\) responds the same way as in Phase 1.
Guess: \(\mathcal {A}\) outputs a guess \(b'\) for \(b\) and succeeds if \(b' = b\). We denote this event by \({\mathsf {SuccA}}\) and define \(\mathcal {A}\)’s advantage as \(\mathrm {Adv}_{\mathcal {A}, \text {HIBE}}^{\text {IND-CPA}}(\kappa ) \mathop {=}\limits ^{\mathrm{def}} \Pr [{\mathsf {SuccA}}] - 1/2\).
Definition 8.3
A HIBE scheme is \((t, q_k, \epsilon )\) IND-HIBE-CPA secure if all \(t\)-time adversaries making at most \(q_k\) decryption key extraction queries have advantage at most \(\epsilon \) in the above experiment.
Selective-identity IND-HIBE-CPA security can be defined similarly. The difference is that the adversary has to commit to a target identity \(id^*\) before seeing \(mpk\) and is not allowed to query decryption keys for any prefix of \(id^*\) throughout the experiment.
Orthogonal to security, anonymity is introduced to capture identity privacy: it ensures that a ciphertext reveals no information about the recipient’s identity. To allow a fine-grained treatment, Abdalla et al. [2] defined anonymity with respect to a set \(L\) of levels, meaning that in the anonymity experiment the adversary is challenged to distinguish two distinct identities differing only at levels \(l \in L\). For ease of notation, we write \(l\) rather than \(\{l\}\) when \(L = \{l\}\) is a singleton set. Let \(\mathsf {diff}(\cdot , \cdot )\) be a function outputting the set of levels at which the two input identities differ. We recall the definition of anonymity for HIBE schemes as follows:
Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa , \ell )\) to generate \((mpk, msk)\) and gives \(\mathcal {A}\) the master public key \(mpk\).
Phase 1: \(\mathcal {A}\) can adaptively make decryption key queries \(\langle id \rangle \). \(\mathcal {CH}\) responds with \(dk_{id} \leftarrow \mathsf {Extract}(msk, id)\).
Challenge: \(\mathcal {A}\) outputs a message \(m^*\) and two distinct identities \(id_0^*\), \(id_1^*\) subject to the restrictions that any prefix of \(id_0^*\) and \(id_1^*\) had not been asked for decryption keys and \(\mathsf {diff}(id_0^*, id_1^*) \subset L\). \(\mathcal {CH}\) picks a random \(b \in \{0,1\}\) and gives \(c^* \leftarrow \mathsf {Encrypt}(mpk, id_b^*, m^*)\) to \(\mathcal {A}\) as the challenge ciphertext.
Phase 2: \(\mathcal {A}\) can adaptively make more decryption key extraction queries for any identity \(id\) subject to the restriction that \(id\) is not a prefix of \(id_0^*\) or \(id_1^*\). \(\mathcal {CH}\) responds the same way as in Phase 1.
Guess: \(\mathcal {A}\) outputs a guess \(b'\) for \(b\) and succeeds if \(b'=b\). We denote this event by \({\mathsf {SuccA}}\) and define \(\mathcal {A}\)’s advantage as \(\mathrm {Adv}_{\mathcal {A}, \text {HIBE}}^{\text {ANO-CPA}}(\kappa ) \mathop {=}\limits ^{\mathrm{def}} \Pr [{\mathsf {SuccA}}] - 1/2\).
Definition 8.4
A HIBE scheme is \((t, q_k, \epsilon )\) ANO-HIBE-CPA \([L]\)-anonymous if all \(t\)-time adversaries making at most \(q_k\) decryption key extraction queries have advantage at most \(\epsilon \) in the above experiment.
When considering anonymity for HIBE schemes in the presence of chosen-ciphertext attack, we obtain ANO-HIBE-CCA security [3], which is defined by a similar experiment in which the adversary additionally has access to a decryption oracle, subject to the natural restriction that the decryption queries \(\langle id_0^*, c^* \rangle \) and \(\langle id_1^*, c^* \rangle \) are not allowed in Phase 2.
Definition 8.5
A HIBE scheme is \((t, q_k, q_d, \epsilon )\) ANO-HIBE-CCA \([L]\)-anonymous if all \(t\)-time adversaries making at most \(q_k\) decryption key extraction queries and at most \(q_d\) decryption queries have advantage at most \(\epsilon \) in the ANO-HIBE-CCA experiment.
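The admissibility rules in the anonymity experiments above (no extraction query for a prefix of either challenge identity, including the identity itself; challenge identities differing only at levels in \(L\); no decryption query on \(\langle id_b^*, c^* \rangle \) in the CCA variant) are where implementations of such games most often go wrong. The following Python models only the challenger's bookkeeping for the ANO-HIBE-CPA/CCA \([L]\) experiments; it is an added illustration, not code from the paper, contains no HIBE scheme (identities are tuples, ciphertexts are opaque values), and the names `AnonChallenger`, `is_prefix` and `diff` are my own. The \(\subset\) in the challenge condition is read as non-strict subset.

```python
"""Challenger bookkeeping for the ANO-HIBE-CPA / ANO-HIBE-CCA [L] experiments.

Added illustration (not the paper's code). Identities are tuples
(id_1, ..., id_j) with levels numbered from 1; ciphertexts are opaque.
"""


def is_prefix(id_a, id_b):
    """True iff id_a is a prefix of id_b. Every identity is a prefix of itself,
    so an extraction query for the challenge identity itself is also refused."""
    id_a, id_b = tuple(id_a), tuple(id_b)
    return len(id_a) <= len(id_b) and id_b[:len(id_a)] == id_a


def diff(id_0, id_1):
    """The paper's diff(., .): set of levels at which the two identities differ.
    A level present in only one identity counts as a difference."""
    id_0, id_1 = tuple(id_0), tuple(id_1)
    longest = max(len(id_0), len(id_1))
    return {l for l in range(1, longest + 1)
            if l > len(id_0) or l > len(id_1) or id_0[l - 1] != id_1[l - 1]}


class AnonChallenger:
    """Tracks queries and enforces the restrictions of the [L]-anonymity game."""

    def __init__(self, levels, cca=False):
        self.L = set(levels)          # levels at which the challenge ids may differ
        self.cca = cca                # whether a decryption oracle exists at all
        self.extracted = []           # identities whose decryption keys were handed out
        self.targets = None           # (id_0*, id_1*) once the challenge was issued
        self.challenge_ct = None      # c*, an opaque value supplied by the caller

    def extract_query(self, ident):
        """Phase 1: always allowed. Phase 2: refused if ident is a prefix of a target."""
        ident = tuple(ident)
        if self.targets is not None and any(is_prefix(ident, t) for t in self.targets):
            return False
        self.extracted.append(ident)
        return True

    def challenge(self, id_0, id_1, ct):
        """Accept the challenge identities only if they are distinct, differ only at
        levels in L, and no prefix of either was extracted in Phase 1."""
        id_0, id_1 = tuple(id_0), tuple(id_1)
        if id_0 == id_1 or not diff(id_0, id_1) <= self.L:
            return False
        if any(is_prefix(q, t) for q in self.extracted for t in (id_0, id_1)):
            return False
        self.targets, self.challenge_ct = (id_0, id_1), ct
        return True

    def decrypt_query(self, ident, ct):
        """CCA variant only: <id_0*, c*> and <id_1*, c*> are excluded in Phase 2."""
        if not self.cca:
            return False
        if (self.targets is not None and ct == self.challenge_ct
                and tuple(ident) in self.targets):
            return False
        return True


if __name__ == "__main__":
    ch = AnonChallenger(levels={2}, cca=True)
    print(ch.extract_query(("alice", "mail")))                    # True (Phase 1)
    print(ch.challenge(("alice", "mail"), ("alice", "chat"), "c*"))  # False: prefix extracted
    print(ch.challenge(("alice", "dev"), ("alice", "ops"), "c*"))    # True
    print(ch.extract_query(("alice",)))                           # False: prefix of a target
    print(ch.decrypt_query(("alice", "dev"), "c*"))               # False: excluded pair
```

Note that a key for a descendant of a target (e.g. `("alice", "dev", "ci")`) is still allowed in Phase 2: keys are derived downward, so it gives the adversary no key for the target itself.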
1.3 Signatures
A signature scheme consists of three PPT algorithms as follows:

\(\mathsf {KeyGen}(\kappa )\): take as input a security parameter \(\kappa \), output a verification key \(vk\) and a signing key \(sk_\sigma \). Let \(M\) be the message space.

\(\mathsf {Sign}(sk_\sigma , m)\): take as input a signing key \(sk_\sigma \) and a message \(m \in M\), output a signature \(\sigma \).

\(\mathsf {Verify}(vk, m, \sigma )\): take as input a verification key \(vk\), a message \(m\), and a signature \(\sigma \), output \(1\) (“acceptance”) or \(0\) (“rejection”).
For the correctness of a signature scheme, we require that for all \((vk,sk_\sigma ) \leftarrow \mathsf {KeyGen}(\kappa )\) and all \(m \in M\), \(\mathsf {Verify}(vk, m, \mathsf {Sign}(sk_\sigma ,m)) = 1\) always holds. If \((\sigma , m)\) satisfies \(\mathsf {Verify}(vk, m, \sigma ) = 1\), then \(\sigma \) is said to be a valid signature of message \(m\) under the verification key \(vk\).
A strong notion of security for signature schemes is strong existential unforgeability under adaptive chosen-message attack (sEUF-CMA), which is defined by the following experiment:
Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa )\) to generate \((vk, sk_\sigma )\) and gives \(\mathcal {A}\) the verification key \(vk\).
Forgery: \(\mathcal {A}\) may do one of the following:

\(\mathcal {A}\) adaptively makes signing queries \(\langle m_i \rangle \) and is given in return \(\sigma _i \leftarrow \mathsf {Sign}(sk_\sigma , m_i)\). After this, \(\mathcal {A}\) outputs \((m^*, \sigma ^*)\).

\(\mathcal {A}\) outputs \((m^*, \sigma ^*)\) without making any signing queries. In this case \((m_i, \sigma _i)\) are undefined.
We denote by \({\mathsf {SuccA}}\) the event that \(\mathcal {A}\) outputs \((m^*, \sigma ^*)\) such that \(\mathsf {Verify}(vk, m^*, \sigma ^*) = 1\) but \((m^*, \sigma ^*) \ne (m_i, \sigma _i)\) for every \(i\) (if the \((m_i, \sigma _i)\) are defined), and define \(\mathcal {A}\)’s advantage as \(\mathrm {Adv}_{\mathcal {A}, \text {SIG}}^{\text {sEUF-CMA}} \mathop {=}\limits ^{\mathrm{def}} \Pr [{\mathsf {SuccA}}]\).
Definition 8.6
A signature scheme is \((t, q_s, \epsilon )\) sEUF-CMA secure if all \(t\)-time adversaries making at most \(q_s\) signing queries have advantage at most \(\epsilon \) in the above experiment. In particular, a signature scheme is one-time strongly unforgeable if it is \((t, 1, \epsilon )\) sEUF-CMA secure.
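The constructions rely on exactly the one-time case of Definition 8.6, and the notes remark that such a scheme follows from one-way functions. As an added example (not code from the paper), the following Python instantiates the signature syntax \((\mathsf {KeyGen}, \mathsf {Sign}, \mathsf {Verify})\) with a hash-based Lamport one-time signature and wraps it in a challenger that runs the sEUF-CMA experiment with \(q_s = 1\): it answers the single signing query and decides \({\mathsf {SuccA}}\), i.e. whether a submitted \((m^*, \sigma ^*)\) verifies and differs from the queried pair. The use of SHA-256, the 256-bit message digest and the names `keygen`, `sign`, `verify` and `OneTimeChallenger` are my choices; the challenger is a bookkeeping harness, not a security proof.

```python
"""Lamport one-time signature plus an sEUF-CMA challenger with q_s = 1.

Added example, not the paper's code. A Lamport key pair has two random
preimages per message bit; signing reveals one preimage per bit, so a
second signature would reveal preimages for another bit pattern, which is
why the scheme is one-time only.
"""
import hashlib
import os

N_BITS = 256  # messages are hashed to 256 bits before signing (my choice)


def H(x):
    return hashlib.sha256(x).digest()


def keygen():
    """Signing key: 2 * N_BITS random 32-byte preimages; verification key: their hashes."""
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(N_BITS)]
    vk = [[H(p0), H(p1)] for p0, p1 in sk]
    return vk, sk


def _bits(m):
    """Message digest as a list of N_BITS bits, most significant first."""
    d = int.from_bytes(H(m), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def sign(sk, m):
    """For every digest bit, reveal the preimage chosen by that bit."""
    return [sk[i][b] for i, b in enumerate(_bits(m))]


def verify(vk, m, sig):
    """Accept iff each revealed preimage hashes to the vk entry the digest bit selects."""
    if len(sig) != N_BITS:
        return False
    return all(H(s) == vk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(m))))


class OneTimeChallenger:
    """The sEUF-CMA experiment of Definition 8.6 with at most one signing query."""

    def __init__(self):
        self.vk, self._sk = keygen()
        self.signed = None  # the single (m_i, sigma_i) pair, once queried

    def sign_query(self, m):
        if self.signed is not None:
            raise RuntimeError("one-time scheme: at most one signing query")
        sig = sign(self._sk, m)
        self.signed = (m, sig)
        return sig

    def succ(self, m_star, sig_star):
        """SuccA: (m*, sigma*) verifies and is not the pair returned by the oracle.
        Strong unforgeability: a fresh signature on the queried message also counts."""
        if not verify(self.vk, m_star, sig_star):
            return False
        return self.signed is None or (m_star, list(sig_star)) != self.signed


if __name__ == "__main__":
    ch = OneTimeChallenger()
    sigma = ch.sign_query(b"constructed sample message")
    print(verify(ch.vk, b"constructed sample message", sigma))   # True
    print(ch.succ(b"constructed sample message", sigma))         # False: replay of the queried pair
    print(ch.succ(b"another message", sigma))                    # False: signature does not transfer
```

A replay of \((m_i, \sigma _i)\) is not a forgery, and reusing \(\sigma _i\) on another message fails because the two digests differ in at least one bit, where the revealed preimage hashes to the wrong \(vk\) entry. A different valid \(\sigma ^*\) on the same \(m_i\) would require a second preimage of some \(vk\) entry, which is why strong unforgeability of this scheme rests on the hash function rather than on any extra mechanism.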
Cite this article
Chen, Y., Zhang, J., Lin, D. et al. Generic constructions of integrated PKE and PEKS. Des. Codes Cryptogr. 78, 493–526 (2016). https://doi.org/10.1007/s10623-014-0014-x