Key Encapsulation Mechanisms from Extractable Hash Proof Systems, Revisited

  • Takahiro Matsuda
  • Goichiro Hanaoka
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7778)


In CRYPTO 2010, Wee proposed the notion of ‘‘extractable hash proof systems” (XHPS), and its richer version, ‘‘all-but-one XHPS” (ABO-XHPS), and showed that chosen ciphertext secure (CCA secure) key encapsulation mechanisms (KEM) can be constructed from them. This elegantly explains several recently proposed practical KEMs constructed based on the ‘‘all-but-one” simulation paradigm in a unified framework. Somewhat frustratingly, however, there still exist popular KEMs whose construction and security proofs are not captured by this framework. In this paper, we revisit the framework of the ABO-XHPS-based KEM. Firstly, we show that to prove CCA security of the ABO-XHPS-based KEM, some requirements can be relaxed. This relaxation widens the applicability of the original framework, and explains why many known practical KEMs can be proved CCA secure. Moreover, we introduce new properties for ABO-XHPS, and show how one of the properties leads to KEMs that achieve ‘‘constrained” CCA security, which is a useful security notion of KEMs for obtaining CCA secure public key encryption via hybrid encryption. Thirdly, we investigate the relationships among computational properties that we introduce in this paper, and derive a useful theorem that enables us to understand the structure of KEMs of a certain type in a modular manner. Finally, we show that the ABO-XHPS-based KEM can be extended to efficient multi-recipient KEMs. Our results significantly extend the framework for constructing a KEM from ABO-XHPS, enables us to capture and explain more existing practical CCA secure schemes (most notably those based on the decisional Diffie-Hellman assumption) in the framework, and leads to a number of new instantiations of (single- and multi-recipient) KEMs.


key encapsulation mechanism extractable hash proof system chosen ciphertext security constrained chosen ciphertext security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Boldyreva, A., Kurosawa, K., Staddon, J.: Multirecipient encryption schemes: How to save on bandwidth and computation without sacrificing security. IEEE Trans. Inf. Theory 53(11), 3927–3943 (2007)MathSciNetCrossRefMATHGoogle Scholar
  2. 2.
    Bellare, M., Namprempre, C.: Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. 3.
    Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007)MathSciNetCrossRefMATHGoogle Scholar
  4. 4.
    Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identity-based techniques. In: ACMCCS 2005, pp. 320–329 (2005)Google Scholar
  5. 5.
    Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identity-based techniques. Updated version of [4]. Cryptology ePrint Archive: Report 2005/288 (2005),
  6. 6.
    Cash, D., Kiltz, E., Shoup, V.: The Twin Diffie-Hellman Problem and Applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  7. 7.
    Cramer, R., Shoup, V.: Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)MathSciNetCrossRefMATHGoogle Scholar
  9. 9.
    Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. In: STOC 1991, pp. 542–552 (1991)Google Scholar
  10. 10.
    Elkind, E., Sahai, A.: A unified methodology for constructing public-key encryption schemes secure against adaptive chosen-ciphertext attack. Cryptology ePrint Archive: Report 2002/042 (2002),
  11. 11.
    Gennaro, R., Krawczyk, H., Rabin, T.: Secure Hashed Diffie-Hellman over Non-DDH Groups. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 361–381. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  12. 12.
    Hanaoka, G., Kurosawa, K.: Efficient Chosen Ciphertext Secure Public Key Encryption under the Computational Diffie-Hellman Assumption. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 308–325. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  13. 13.
    Hanaoka, G., Kurosawa, K.: Efficient chosen ciphertext secure public key encryption under the computational Diffie-Hellman assumption. Full version of [12]. Cryptology ePrint Archive: Report 2008/211 (2008),
  14. 14.
    Hanaoka, G., Kurosawa, K.: Between hashed DH and computational DH: Compact encryption from weaker assumption. IEICE Transactions E93-A(11), 1994–2006 (2010)CrossRefGoogle Scholar
  15. 15.
    Haralambiev, K., Jager, T., Kiltz, E., Shoup, V.: Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 1–18. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  16. 16.
    Hiwatari, H., Tanaka, K., Asano, T., Sakumoto, K.: Multi-recipient Public-Key Encryption from Simulators in Security Proofs. In: Boyd, C., González Nieto, J. (eds.) ACISP 2009. LNCS, vol. 5594, pp. 293–308. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Hofheinz, D., Kiltz, E.: Secure Hybrid Encryption from Weakened Key Encapsulation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  18. 18.
    Hofheinz, D., Kiltz, E.: Practical Chosen Ciphertext Secure Encryption from Factoring. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 313–332. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  19. 19.
    Kiltz, E.: Chosen-Ciphertext Secure Key-Encapsulation Based on Gap Hashed Diffie-Hellman. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 282–297. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  20. 20.
    Kurosawa, K., Desmedt, Y.: A New Paradigm of Hybrid Encryption Scheme. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  21. 21.
    Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: STOC 1989, pp. 33–43 (1989)Google Scholar
  22. 22.
    Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC 1990, pp. 427–437 (1990)Google Scholar
  23. 23.
    Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: STOC 2008, pp. 187–196 (2008)Google Scholar
  24. 24.
    Rackoff, C., Simon, D.R.: Non-interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)Google Scholar
  25. 25.
    Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: FOCS 1999, pp. 543–553 (1999)Google Scholar
  26. 26.
    Smart, N.P.: Efficient Key Encapsulation to Multiple Parties. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 208–219. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  27. 27.
    Wee, H.: Efficient Chosen-Ciphertext Security via Extractable Hash Proofs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 314–332. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  28. 28.
    Wee, H.: Threshold and Revocation Cryptosystems via Extractable Hash Proofs. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 589–609. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  29. 29.
    Yamada, S., Kawai, Y., Hanaoka, G., Kunihiro, N.: Public key encryption schemes from the (B)CDH assumption with better efficiency. IEICE Transactions 93-A(11), 1984–1993 (2010)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Takahiro Matsuda
    • 1
  • Goichiro Hanaoka
    • 1
  1. 1.Research Institute for Secure SystemsNational Institute of Advanced Industrial Science and Technology (AIST)Japan

Personalised recommendations