An Asymptotically Optimal Method for Converting Bit Encryption to Multi-Bit Encryption
Abstract
Myers and Shelat (FOCS 2009) showed how to convert a chosen ciphertext secure (CCA secure) PKE scheme that can encrypt only 1-bit plaintexts into a CCA secure scheme that can encrypt arbitrarily long plaintexts (via the notion of key encapsulation mechanism (KEM) and hybrid encryption), and subsequent works improved efficiency and simplicity. In terms of efficiency, the best known construction of a CCA secure KEM from a CCA secure 1-bit PKE scheme has the public key size \(\varOmega (k) \cdot |pk|\) and the ciphertext size \(\varOmega (k^2) \cdot |c|\), where k is a security parameter, and \(|pk|\) and \(|c|\) denote the public key size and the ciphertext size of the underlying 1-bit scheme, respectively.
In this paper, we show a new CCA secure KEM based on a CCA secure 1-bit PKE scheme which achieves the public key size \(2 \cdot |pk|\) and the ciphertext size \((2k + o(k)) \cdot |c|\). These sizes are asymptotically optimal in the sense that they are the same as those of the simplest “bitwise-encrypt” construction (seen as a KEM by encrypting a k-bit random session-key) that works for the chosen plaintext attack and non-adaptive chosen ciphertext attack settings. We achieve our main result by developing several new techniques and results on the “double-layered” construction (which builds a KEM from an inner PKE/KEM and an outer PKE scheme) by Myers and Shelat and on the notion of detectable PKE/KEM by Hohenberger, Lewko, and Waters (EUROCRYPT 2012).
Keywords: Security Proof, Security Notion, Challenge Ciphertext, Decryption Oracle, Randomness Space
1 Introduction
1.1 Background and Motivation
In this paper, we revisit the problem of how to construct a chosen ciphertext secure (CCA2, or just CCA) public key encryption (PKE) scheme that can encrypt plaintexts of arbitrary length from a CCA secure PKE scheme whose plaintext space is only 1-bit. (Hereafter, we call a PKE scheme whose plaintext space is \(\{0,1\}^n\) an n-bit PKE scheme.) It is well-known that if we only consider the chosen plaintext attack (CPA) and non-adaptive chosen ciphertext attack (CCA1) settings, then the simple(st) “bitwise-encrypt” construction suffices, in which a plaintext is encrypted bit-by-bit (under the same public key) by a 1-bit PKE scheme, and the concatenation of all ciphertexts is regarded as a ciphertext of the construction. However, for the CCA setting, until recently, the simple question of how (and even whether) one can realize such a “1-bit-to-multi-bit” conversion had been left open.
This open problem was resolved affirmatively by Myers and Shelat [20]. They actually constructed a CCA secure key encapsulation mechanism (KEM) which encrypts a random session-key, and can be used together with a CCA secure symmetric key encryption (SKE) scheme to achieve a full-fledged CCA secure PKE scheme via hybrid encryption [8]. One of the important steps of the approach by Myers and Shelat is to consider the “double-layered” construction of a KEM from an “inner” PKE scheme and an “outer” PKE scheme, where the inner ciphertext encrypts a plaintext (or a session-key if one wants to construct a KEM) and a randomness used for outer encryption, and the outer ciphertext encrypts the inner ciphertext using the randomness encrypted in the inner ciphertext. To decrypt a ciphertext, one first decrypts the outer ciphertext, and then the resulting inner ciphertext, to recover a plaintext and a randomness (for outer encryption), and the plaintext is output if the re-encryption of the inner ciphertext using the recovered randomness results in the outer ciphertext. Myers and Shelat showed that if the outer scheme that is built from a 1-bit scheme satisfies the security notion called “unquoted CCA” (UCCA) security (which is a weaker security notion than CCA security that can be considered only for a PKE scheme constructed based on a 1-bit PKE scheme), and the inner scheme satisfies “1-wise non-malleability against UCCA” (which has a similar flavor to 1-bounded CCA security [7]), the resulting construction achieves CCA security.
The efficiency and simplicity of the construction by Myers and Shelat were improved by Hohenberger, Lewko, and Waters [16]. Specifically, they introduced the notion of a detectable PKE scheme, which is a PKE scheme that has an efficiently computable predicate \(\mathsf {F}\) as part of the syntax, and whose security notions are defined with respect to this \(\mathsf {F}\). In particular, they introduced the notions of detectable CCA (DCCA) security (which is a relaxed variant of CCA security) and unpredictability, and considered a construction which has a mixed flavor of the double-layered construction of Myers and Shelat, and the double (parallel) encryption of Naor and Yung [21] (this construction has two PKE schemes for the outer encryption). They showed that if the “inner” PKE scheme satisfies DCCA security and unpredictability, and the “outer” PKE schemes are CPA secure and 1-bounded CCA secure [7], respectively, then the resulting PKE scheme is CCA secure. They also showed that the “bitwise-encrypt” construction based on a CCA secure 1-bit PKE scheme yields a DCCA secure and unpredictable detectable PKE scheme for long plaintexts, and thus achieves a 1-bit-to-multi-bit conversion for CCA security. (In their construction, in fact a 1-bit scheme satisfying only DCCA security and unpredictability suffices as the building block.) The efficiency of the construction in [16] was further improved by Matsuda and Hanaoka [19] using the ideas and techniques of hybrid encryption.
Despite the elegant ideas employed in [16, 19, 20], however, even in the best construction of [19] (in terms of efficiency), the public key size is \(\varOmega (k) \cdot |pk|\) and the ciphertext size (when seen as a KEM) is \(\varOmega (k^2) \cdot |c|\), where k is a security parameter, and \(|pk|\) and \(|c|\) denote the public key size and the ciphertext size of a CCA secure 1-bit scheme, respectively. On the other hand, for constructing a CPA (resp. CCA1) secure KEM from a CPA (resp. CCA1) secure 1-bit scheme, one can use the above mentioned bitwise-encrypt construction in which one encrypts a k-bit random string and regards this as a session-key of a KEM. Note that the public key size of this KEM is just \(|pk|\) and the ciphertext size is \(k \cdot |c|\). Compared to this simplest and most straightforward method, in the CCA setting, the known constructions have public key and ciphertext sizes that are at least \(\varOmega (k)\) times larger.
Motivated by the above, in this paper we study the following question: How efficient can a 1-bit-to-multi-bit conversion for CCA security be?
1.2 Our Contributions
As our main result, we show a new 1-bit-to-multi-bit construction for the CCA setting, i.e., a construction of a CCA secure KEM based on a CCA secure 1-bit PKE scheme, with much better asymptotic efficiency than the existing constructions. Specifically, our construction achieves the public key size \(2 \cdot |pk|\), and the ciphertext size \((2k + o(k)) \cdot |c| = O(k) \cdot |c|\), which are asymptotically optimal in the sense that these sizes are (except for a constant factor) the same as for the simple bitwise-encrypt construction for CPA and CCA1 security.
We achieve our main result by developing several new techniques and results on the double-layered construction of Myers and Shelat [20] and on the notion of detectable PKE/KEM by Hohenberger, Lewko, and Waters [16]. Our technical contributions in this paper lie in (1) coming up with appropriate security notions for detectable PKE/KEM so that we can conduct CCA security proofs for the double-layered construction using the language of detectable PKE/KEM (without addressing the details of how each of the inner and outer schemes is constructed), which we believe helps in understanding our proposed construction (and more generally the double-layered approach itself) more clearly, and (2) showing how one can realize the inner and outer schemes (satisfying the requirements of our security proofs) from a CCA secure 1-bit PKE scheme, so that the resulting CCA secure KEM achieves asymptotically optimal efficiency with respect to the bitwise-encrypt construction.
Below we explain more technical details of our results.
New Security Notions for Detectable PKE/KEM. In Sect. 3, we introduce new security notions for detectable PKE and detectable KEMs. Recall that DCCA security of [16] is defined like ordinary CCA security, except that in the security experiment, the decryption oracle is restricted according to the predicate \(\mathsf {F}\) (which is a part of the syntax of detectable PKE/KEM): an adversary is not allowed to query a ciphertext c such that \(\mathsf {F}(c^*, c) = 1\), where \(c^*\) is the challenge ciphertext. The first notion we introduce is a weak form of non-malleability [3, 12, 22] under DCCA that we simply name \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security, which is defined like DCCA security except that we allow an adversary to make one “unrestricted” decryption query (which is not affected by the restriction of \(\mathsf {F}\)). We also introduce an even weaker variant, which is a “replayable” CCA analogue [4] of \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security, which we call \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security, and which is defined like \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security except that the final unrestricted decryption query (and only this query) is answered like a decryption query in replayable CCA security.
We also introduce a new security notion for detectable PKE/KEM that we call randomness-inextractability. Recall that a DCCA secure detectable PKE scheme is meaningful only if it also satisfies another security notion that prevents the predicate \(\mathsf {F}\) from outputting 1 for every input (which makes DCCA security equivalent to CPA security). Unpredictability [16] is one example of a security notion that prevents DCCA security from being trivial, which ensures that a ciphertext c satisfying \(\mathsf {F}(c^*, c) = 1\) is hard to find without seeing \(c^*\). Randomness-inextractability is another such security notion for detectable PKE: Informally, it requires that if an adversary is given a ciphertext \(c^*\) (that encrypts a plaintext m of the adversary’s choice), it cannot come up with a pair of a (possibly different) plaintext \(m'\) and randomness \(r'\) such that \(\mathsf {F}(c^*, c') = 1\), where \(c'\) is the encryption of \(m'\) generated using the randomness \(r'\). We also show that randomness-inextractability and unpredictability do not imply each other, even if we combine one notion with \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security. See Sect. 3 for the details.
New CCA Security Proofs for the Double-Layered Construction Based on Detectable PKE/KEM. In Sect. 4, we show our main technical results: two new CCA security proofs for the double-layered construction of Myers and Shelat [20]. Our first security proof shows that if the inner KEM is a detectable KEM satisfying DCCA security and unpredictability, and the outer PKE scheme is a detectable PKE scheme satisfying \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security and randomness-inextractability, then the KEM obtained from the double-layered construction is CCA secure. Our main result with asymptotically optimal efficiency is obtained from this security proof.
Our second security proof shows that if the inner KEM is \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) secure and unpredictable, and the outer PKE scheme is DCCA secure and randomness-inextractable, then the KEM obtained from the double-layered construction is CCA secure. Interestingly, this security proof can be seen as a generalization of Myers-Shelat’s original security proof of their construction [20].
Both of the security proofs have similar flavors to the security proofs of [16, 19]. Namely, DCCA security of the inner KEM guarantees that a session-key (hidden in the challenge ciphertext) is random as long as an adversary does not submit a “dangerous” decryption query (which is defined with respect to the predicate \(\mathsf {F}\) of the inner detectable KEM), and we then upper-bound the probability that the adversary comes up with such “dangerous” decryption queries to be negligible by the combination of the security properties of the outer PKE scheme and the inner KEM. However, unlike the previous works [16, 19] that use a “detectable” primitive only for the inner scheme, we employ a detectable primitive also for the outer scheme. Consequently, we have to deal with two types of “dangerous” decryption queries in the security proofs: an “inner-dangerous” query and an “outer-dangerous” query, which, as the names indicate, are related to the inner KEM and the outer PKE scheme, respectively. Our two security proofs differ in the treatment of the inner- and outer-dangerous queries, which leads to the difference in which of the inner KEM or the outer PKE scheme needs to be “non-malleable” under DCCA. In both of the proofs, randomness-inextractability of the outer PKE scheme is used to show that the adversary’s outer-dangerous queries do not help.
We also show evidence indicating that our reliance on “non-malleability” under DCCA for either the inner KEM or the outer PKE scheme would be unavoidable, by giving a counterexample: an instance of the double-layered construction that does not achieve CCA security even though the inner and outer schemes satisfy DCCA security, unpredictability, and randomness-inextractability. For the details, see Sect. 4.
A Detectable PKE Scheme Satisfying \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) Security and Randomness-Inextractability from CCA Secure 1-bit PKE. In Sect. 5, we show a construction of a detectable PKE scheme satisfying \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security and randomness-inextractability, using a CCA secure 1-bit PKE scheme and a non-malleable code [13] for “bitwise-tampering and bit-level permutations” [1, 2]. The idea of this construction is based on the recent result by Agrawal et al. [2] who showed how to transform a 1-bit commitment scheme secure against chosen commitment attacks (CCA) into a non-malleable string commitment scheme: We first encode a plaintext by a non-malleable code, and then do “bitwise-encryption” of the encoded value by a CCA secure 1-bit PKE scheme. (Due to its structure, we call this construction the “Encode-then-Bitwise-Encrypt” (EtBE) construction.) Our contribution regarding this construction is to clarify that the approach of [2] also works well for detectable PKE as we require.
Agrawal et al. [1] recently constructed a non-malleable code for the above mentioned class of functions with “optimal rate”, meaning that the ratio between the length n of a codeword and the length k of a message can be made arbitrarily close to 1 (i.e. \(n = k + o(k)\)). We employ this non-malleable code to achieve the asymptotic efficiency of our proposed KEM.
The Proposed 1-Bit-to-Multi-Bit Conversion, and More. Our main result, i.e. a CCA secure KEM from a CCA secure 1-bit PKE scheme that achieves optimal asymptotic efficiency in terms of the public key and ciphertext sizes, is obtained by using the above mentioned detectable PKE scheme (together with some hybrid encryption techniques) as the outer PKE scheme, and using the bitwise-encrypt construction of a detectable KEM as the inner KEM, in the double-layered construction, via our first security proof. In Sect. 6, we show the full description of our construction. As noted above, our construction uses only two key pairs of the underlying 1-bit PKE scheme.
Interestingly, there we also show that if a 2-bit PKE scheme can be used instead of a 1-bit PKE scheme, then one can construct a CCA secure KEM (with almost the same construction as our main construction) that uses only one key pair.
On the Necessity of Two Key Pairs. As mentioned above, our proposed KEM from a 1-bit PKE scheme uses two key pairs of the underlying CCA secure 1-bit PKE scheme. Given this, it is natural to ask whether two key pairs of the underlying 1-bit scheme is optimal for 1-bit-to-multi-bit constructions for CCA security. Although we could not answer this question affirmatively or negatively, we show that the one-key variant of our proposed construction is vulnerable to a CCA attack. (This result is shown in the full version.) This negative result shows that techniques and ideas different from ours are necessary to answer the question. It also contrasts strikingly with our 2-bit-to-multi-bit construction for CCA security that uses only one key pair of the underlying 2-bit scheme.
We leave it as an open problem to clarify whether one can achieve a 1-bit-to-multi-bit conversion using only one key pair of the underlying 1-bit scheme, or whether it is generally impossible.
1.3 Related Work
The double-layered construction [16, 20], and extension of the plaintext space of encryption schemes based on it, have been used in several works: Lin and Tessaro [18] showed how to turn a 1-bit PKE scheme whose correctness is not perfect and which only satisfies weak CCA security (weak in the sense that an adversary may have bounded but non-negligible CCA advantage), into a PKE scheme (with a large plaintext space) satisfying ordinary CCA security, via the construction of [16]. Dachman-Soled et al. [9] studied the notion of “enhanced” CCA security for PKE schemes with the randomness recovery property, where the decryption oracle in the security experiment returns not only the decryption result of a queried ciphertext but also a randomness that is consistent with the ciphertext, and (among other things) showed that the construction of [16] can be used to achieve a 1-bit-to-multi-bit conversion for enhanced CCA security. Most recently, Kitagawa et al. [17] showed that a simpler variant of the double-layered construction, which does not have the validity check by re-encryption in the decryption algorithm, can be used to extend the plaintext space of PKE satisfying key-dependent message (KDM) security against CCA with respect to projection functions (projection-KDM-CCA security).
Very recently, Coretti et al. [6] showed a 1-bit-to-multi-bit conversion for a PKE scheme. However, the security notion considered in their construction is so-called “self-destruct” CCA security, which is defined like ordinary CCA security except that in the security experiment, once an adversary submits an invalid ciphertext (which does not decrypt to a valid plaintext) as a decryption query, the decryption oracle “self-destructs”, i.e. it will not answer subsequent decryption queries. This security notion is strictly weaker than ordinary CCA security. Furthermore, in another recent work, Coretti et al. [5] considered non-malleability under self-destruct CCA, which is also strictly weaker than ordinary CCA security, and showed a 1-bit-to-multi-bit conversion for a PKE scheme satisfying this security notion. The 1-bit-to-multi-bit constructions of [5, 6] share the same idea with Agrawal et al.’s conversion (and hence with our “outer” PKE scheme): first encode a plaintext by a suitable non-malleable code, and then do bitwise encryption. The main differences between these works [5, 6] and our “double-layered” construction are: (1) Ours achieves ordinary (full) CCA security, while they achieve weaker security notions. (2) Our construction uses only two key pairs of the underlying 1-bit scheme, while the constructions in [5, 6] use O(k) key pairs of the building block 1-bit scheme. (3) The requirements on the non-malleable codes used are all different: [5, 6] need a stronger form of non-malleability called “continuous” non-malleability [15] (and its extension), while we only need the original definition of non-malleability in [13] that captures “one-time” tampering; the tampering functions with respect to which non-malleability is considered in [5, 6] are based on bitwise tampering (extended to take into account continuous non-malleability), while ours additionally requires non-malleability against bit-level permutations (as in [1, 2]).
Paper Organization. The rest of this paper is organized as follows: Sect. 2 reviews the basic notation and definitions of cryptographic primitives. In Sect. 3, we define new security notions for detectable PKE, and also show several facts on them. In Sect. 4, we show our main technical result: new security proofs for the “double-layered” construction. We also explain some evidence that justifies our reliance on non-malleability under DCCA. In Sect. 5, we show how to build a detectable PKE scheme satisfying our new security notions based on a CCA secure 1-bit PKE scheme and a non-malleable code. In Sect. 6, we provide the full description of our proposed 1-bit-to-multi-bit construction. There we also explain our 2-bit-to-multi-bit construction with a single key pair. We give a comparison among 1-bit-to-multi-bit constructions in Sect. 7.
Due to space limitations, the proofs of the theorems and lemmas in this paper are omitted and will be given in the full version; here we only give proof sketches or intuitive explanations.
2 Preliminaries
In this section, we review the basic notation and the definitions for cryptographic primitives.
Basic Notation. \(\mathbb {N}\) denotes the set of all natural numbers. For \(n \in \mathbb {N}\), we define \([n] := \{1, \dots , n\}\). “\(x \leftarrow y\)” denotes that x is chosen uniformly at random from y if y is a finite set, x is output from y if y is a function or an algorithm, or y is assigned to x otherwise. If x and y are strings, then “\(|x|\)” denotes the bit-length of x, “\(x \Vert y\)” denotes the concatenation of x and y, and “\((x \mathop {=}\limits ^{?}y)\)” is defined to be 1 if \(x=y\) and 0 otherwise. “(P)PTA” stands for a (probabilistic) polynomial time algorithm. For a finite set S, “\(|S|\)” denotes its size. If \(\mathcal {A}\) is a probabilistic algorithm then “\(y \leftarrow \mathcal {A}(x;r)\)” denotes that \(\mathcal {A}\) computes y as output by taking x as input and using r as randomness. If furthermore \(\mathcal {O}\) is an algorithm, then “\(\mathcal {A}^{\mathcal {O}}\)” denotes that \(\mathcal {A}\) has oracle access to \(\mathcal {O}\). A function \(\epsilon (\cdot ): \mathbb {N}\rightarrow [0,1]\) is said to be negligible if for all positive polynomials p(k) and all sufficiently large \(k \in \mathbb {N}\), we have \(\epsilon (k) < 1/p(k)\). Throughout this paper, we use the character “k” to denote a security parameter.
2.1 (Detectable) Public Key Encryption
Detectable PKE. In this paper, we use the notion of detectable PKE as defined in [16]. It is a PKE scheme that has a predicate \(\mathsf {F}\) that tests whether two ciphertexts c and \(c'\) are “related” in the sense that to decrypt c, the information of the decryption result of \(c'\) is useful (and hence, revealing the decryption result of \(c'\) is “dangerous”). This predicate \(\mathsf {F}\) is used to define multiple security notions of the primitive, and hence we explicitly define it as a part of the syntax of the primitive (this approach is also taken in [16, 19]).
Formally, a tuple of PPTAs \(\varPi = (\mathsf {PKG}, \mathsf {Enc}, \mathsf {Dec}, \mathsf {F})\) is said to be a detectable PKE scheme if \((\mathsf {PKG}, \mathsf {Enc}, \mathsf {Dec})\) constitutes PKE, and \(\mathsf {F}\) is a predicate that takes a public key pk and two ciphertexts \(c, c'\) as input, and outputs either 0 or 1. We require that for all \(k \in \mathbb {N}\), all public keys pk output by \(\mathsf {PKG}(1^k)\), and all ciphertexts c output by \(\mathsf {Enc}(pk, \cdot )\), we have \(\mathsf {F}(pk, c, c) = 1\).^{1}
Security Notions. Here we recall chosen ciphertext security ( \(\mathtt {CCA}\) security) for PKE, and detectable CCA ( \(\mathtt {DCCA}\) ) security and unpredictability for detectable PKE [16].
Let \(\mathtt {ATK}\in \{\mathtt {CCA}, \mathtt {DCCA}\}\). For a (detectable) PKE scheme \(\varPi \) and an adversary \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\), consider the \(\mathtt {ATK}\) experiment \(\mathsf {Expt}^{\mathtt {ATK}}_{\varPi , \mathcal {A}}(k)\) described in Fig. 1 (left-top). In the experiment, it is required that \(|m_0| = |m_1|\), and \(\mathcal {A}_2\) is not allowed to submit the “prohibited” queries to the decryption oracle: If \(\mathtt {ATK}= \mathtt {CCA}\), then the prohibited query is \(c^*\), and if \(\mathtt {ATK}= \mathtt {DCCA}\), then the prohibited queries are c satisfying \(\mathsf {F}(pk, c^*, c) = 1\). We say that a (detectable) PKE scheme \(\varPi \) is \(\mathtt {ATK}\) secure if for all PPTAs \(\mathcal {A}\), \(\mathsf {Adv}^{\mathtt {ATK}}_{\varPi , \mathcal {A}}(k):= 2 \cdot |\Pr [\mathsf {Expt}^{\mathtt {ATK}}_{\varPi ,\mathcal {A}}(k) = 1] - 1/2|\) is negligible.
For a detectable PKE scheme \(\varPi \) (with predicate \(\mathsf {F}\)) and an adversary \(\mathcal {A}\), consider the unpredictability experiment \(\mathsf {Expt}^{\mathtt {UNP}}_{\varPi , \mathcal {A}}(k)\) described in Fig. 1 (left-bottom). We say that a detectable PKE scheme \(\varPi \) is unpredictable if for all PPTAs \(\mathcal {A}\), \(\mathsf {Adv}^{\mathtt {UNP}}_{\varPi , \mathcal {A}}(k) := \Pr [\mathsf {Expt}^{\mathtt {UNP}}_{\varPi , \mathcal {A}}(k)=1]\) is negligible.
2.2 (Detectable) Key Encapsulation Mechanism
We also define a KEM-analogue of detectable PKE, which we call detectable KEM, as a KEM that has an efficiently computable predicate \(\mathsf {F}\) whose interface is exactly the same as that of detectable PKE.
Security Notions. Here we review the definition of \(\mathtt {CCA}\) security for a KEM, and the definitions of \(\mathtt {DCCA}\) security and unpredictability for a detectable KEM.
Let \(\mathtt {ATK}\in \{\mathtt {CCA}, \mathtt {DCCA}\}\). For a (detectable) KEM \(\varGamma \) and an adversary \(\mathcal {A}\), consider the \(\mathtt {ATK}\) experiment \(\mathsf {Expt}^{\mathtt {ATK}}_{\varGamma , \mathcal {A}}(k)\) described in Fig. 1 (center-top). In the experiment, \(\mathcal {A}\) is not allowed to submit the “prohibited” queries that are defined in the same way as those for the PKE case. We say that a (detectable) KEM \(\varGamma \) is \(\mathtt {ATK}\) secure if for all PPTAs \(\mathcal {A}\), \(\mathsf {Adv}^{\mathtt {ATK}}_{\varGamma , \mathcal {A}}(k):= 2 \cdot |\Pr [\mathsf {Expt}^{\mathtt {ATK}}_{\varGamma , \mathcal {A}}(k) = 1] - 1/2|\) is negligible.
For a detectable KEM \(\varGamma \) (with predicate \(\mathsf {F}\)) and an adversary \(\mathcal {A}\), consider the unpredictability experiment \(\mathsf {Expt}^{\mathtt {UNP}}_{\varGamma , \mathcal {A}}(k)\) described in Fig. 1 (center-bottom). We say that a detectable KEM \(\varGamma \) is unpredictable if for all PPTAs \(\mathcal {A}\), \(\mathsf {Adv}^{\mathtt {UNP}}_{\varGamma , \mathcal {A}}(k) := \Pr [\mathsf {Expt}^{\mathtt {UNP}}_{\varGamma , \mathcal {A}}(k) = 1]\) is negligible.
2.3 Non-malleable Codes
Here, we recall the definition of non-malleable codes [13].
A code \(\mathcal {C}\) with message length \(\kappa = \kappa (k)\) and codeword length \(n = n(k)\) (also called an \((n,\kappa )\)-code) consists of two PPTAs \((\mathsf {E}, \mathsf {D})\): \(\mathsf {E}\) is the encoding algorithm that takes \(1^k\) and a message \(m \in \{0,1\}^{\kappa }\) as input, and outputs a codeword \(c \in \{0,1\}^n\); \(\mathsf {D}\) is the decoding algorithm that takes \(1^k\) and c as input, and outputs \(m \in \{0,1\}^{\kappa }\) or the special symbol \(\bot \) indicating that c is invalid. We require that for all \(k \in \mathbb {N}\) and all messages \(m \in \{0,1\}^{\kappa }\), it holds that \(\mathsf {D}(1^k, \mathsf {E}(1^k, m)) = m\).
Non-malleability. Non-malleability for codes, formalized by Dziembowski et al. [13], is defined with respect to a class of tampering functions \(\mathcal {F}\). Intuitively, non-malleability guarantees that if an encoding c of a message m is modified into \(c' = f(c)\) by a function \(f \in \mathcal {F}\), then the decoded value \(m'\) of \(c'\) is either the original message m itself, or a completely unrelated message (or \(\bot \)). Here we recall the indistinguishability-based definition, which is the most convenient for us to work with, and which is called “alternative non-malleability” in [14, Definition A.1]. It was shown in [14] that this definition is equivalent to the original simulation-based definition for codes whose message length \(\kappa \) is super-logarithmic in k.
Let \(n, \kappa : \mathbb {N}\rightarrow \mathbb {N}\) be positive polynomials of k such that \(n(k) \ge \kappa (k)\). For an \((n,\kappa )\)-code \(\mathcal {C}= (\mathsf {E}, \mathsf {D})\), a class of functions \(\mathcal {F}= \{\mathcal {F}_k : \{0,1\}^k \rightarrow \{0,1\}^k \}_{k \in \mathbb {N}}\), and an adversary \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\), consider the \(\mathcal {F}\texttt {-}\mathtt {NM}\) experiment \(\mathsf {Expt}^{\mathcal {F}\texttt {-}\mathtt {NM}}_{\mathcal {C}, \mathcal {A}}(k)\) described in Fig. 1 (right). In the experiment, “\(\mathsf {same}\)” is the special symbol indicating that the decoded message \(m'\) was either \(m_0\) or \(m_1\), and it is required that \(f \in \mathcal {F}_n\) and \(|m_0| = |m_1| = \kappa (k)\). We say that \(\mathcal {C}\) is non-malleable with respect to the function class \(\mathcal {F}\) (\(\mathcal {F}\)-non-malleable, for short) if for all PPTAs^{2} \(\mathcal {A}\), \(\mathsf {Adv}^{\mathcal {F}\texttt {-}\mathtt {NM}}_{\mathcal {C}, \mathcal {A}}(k):= 2 \cdot |\Pr [\mathsf {Expt}^{\mathcal {F}\texttt {-}\mathtt {NM}}_{\mathcal {C},\mathcal {A}}(k) = 1] - 1/2|\) is negligible. We also say that \(\mathcal {C}\) is an \(\mathcal {F}\)-non-malleable code.
Classes of Tampering Functions. In this paper, we consider the following classes of functions.
Composition of “Bitwise Tampering” and “Bit-Level Permutation” \(\mathcal {P}\): Let \(\mathtt {set}, \mathtt {reset}, \mathtt {forward}, \mathtt {toggle}: \{0,1\}\rightarrow \{0,1\}\) be the functions over a bit, defined by \(\mathtt {set}(x) := 1\), \(\mathtt {reset}(x) := 0\), \(\mathtt {forward}(x) := x\), and \(\mathtt {toggle}(x) := 1-x\). We define \(\mathcal {F}_{\mathtt {BIT}}:= \{\mathtt {set}, \mathtt {reset}, \mathtt {forward}, \mathtt {toggle}\}\). Let \(\mathcal {P}= \{\mathcal {P}_n\}_{n \in \mathbb {N}}\) be the class of functions which first perform “bitwise tampering” on an input, followed by a “bit-level permutation.” Namely, \(\mathcal {P}_n\) is the set of all functions \(f: \{0,1\}^n \rightarrow \{0,1\}^n\) that can be described by using n bitwise-tampering functions \(f_1, \dots , f_n \in \mathcal {F}_{\mathtt {BIT}}\) and a permutation \(\pi : [n] \rightarrow [n]\), as follows:$$\begin{aligned} x = (x_1 \Vert \dots \Vert x_n) \mathop {\mapsto }\limits ^{f} \Bigl (~f_{\pi ^{-1}(1)}(x_{\pi ^{-1}(1)})~\Vert ~\dots ~\Vert ~f_{\pi ^{-1}(n)}(x_{\pi ^{-1}(n)})~\Bigr ). \end{aligned}$$
“Bit-Fixing” or “Quoting an Input without Duplicated Positions” \(\mathcal {Q}\): Let \(\mathtt {one}: \{0,1\}^n \rightarrow \{0,1\}\) and \(\mathtt {zero}: \{0,1\}^n \rightarrow \{0,1\}\) be the constant functions that output 1 and 0 for any n-bit input, respectively. Furthermore, for \(j \in [n]\), let \(\mathtt {quote}^j : \{0,1\}^n \rightarrow \{0,1\}\) be the “quoting” function that always outputs the j-th bit of its input.
Let \(\mathcal {Q}= \{\mathcal {Q}_n\}_{n \in \mathbb {N}}\) be the class of functions each of whose output bits is either a “fixed value” or “quoting the input without duplicated positions.” More formally, \(\mathcal {Q}_n\) is the set of all functions \(f: \{0,1\}^n \rightarrow \{0,1\}^n\) that can be decomposed into n functions \(f_1, \dots , f_n: \{0,1\}^n \rightarrow \{0,1\}\) so that \(f(x) = (f_1(x) \Vert \dots \Vert f_n(x))\) for all \(x \in \{0,1\}^n\), and furthermore it holds that for every \(i \in [n]\):$$\begin{aligned} f_i \in \{\mathtt {one}, \mathtt {zero}\} \cup \Bigl (~\{\mathtt {quote}^j\}_{j \in [n]} \backslash \{f_j\}_{j \in [i-1]}~\Bigr ). \end{aligned}$$Note that the above guarantees that there exist no indices \(i, i', j \in [n]\) such that \(f_i = f_{i'} = \mathtt {quote}^j\) and \(i \ne i'\). We call this condition the no duplicated quoting condition.
Agrawal et al. [1] showed the following elegant result, which is crucial for the efficiency of our proposed KEM:
Lemma 1
[1] There exists an explicit (n, k)-code such that (1) it is \(\mathcal {P}\)-non-malleable, and (2) its “rate”, defined by k / n, asymptotically approaches 1 as k increases (and hence \(n = k + o(k)\)).
Furthermore, the following is implicitly used by Agrawal et al. [2], and is also useful for our purpose. (Although it is almost straightforward from the definitions of \(\mathcal {P}\) and \(\mathcal {Q}\), we give its formal proof in the full version.)
Lemma 2
For all \(n \in \mathbb {N}\), \(\mathcal {Q}_n \subseteq \mathcal {P}_n\). (This holds even if \(\mathcal {F}_{\mathtt {BIT}}\) does not contain \(\mathtt {toggle}\).) Hence, any \(\mathcal {P}\)-non-malleable code is also \(\mathcal {Q}\)-non-malleable.
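The inclusion in Lemma 2 is constructive: a quoted input bit is simply forwarded to the output position that quotes it, and every input bit that nobody quotes is routed to one of the fixed-value output positions and overwritten there by \(\mathtt {set}\) or \(\mathtt {reset}\); the no duplicated quoting condition is exactly what makes the resulting position map a permutation. The following Python example is added here (it is not code from the paper) and carries out that translation for a given member of \(\mathcal {Q}_n\), then checks exhaustively that the two descriptions agree on all of \(\{0,1\}^n\). Indices are 0-based and the `spec` encoding of a \(\mathcal {Q}_n\) function is the example's own convention.

```python
"""Constructive check of Lemma 2 (Q_n is a subset of P_n), added as an example.
Indices are 0-based here (the paper uses [n] = {1, ..., n}).
A function in Q_n is a list `spec` of length n whose i-th entry is "one",
"zero" or ("quote", j), with no j quoted twice.
A function in P_n is n bit-tampering functions g_0..g_{n-1} plus a
permutation pi: output position pi[j] receives g_j(x_j)."""
from itertools import product

SET = lambda b: 1          # set
RESET = lambda b: 0        # reset
FORWARD = lambda b: b      # forward (toggle is never needed, as Lemma 2 says)


def is_in_q(spec):
    """No-duplicated-quoting condition: each input bit is quoted at most once."""
    quoted = [e[1] for e in spec if isinstance(e, tuple)]
    return len(quoted) == len(set(quoted))


def apply_q(spec, x):
    """Evaluate f in Q_n on the bit tuple x: f(x) = f_0(x) || ... || f_{n-1}(x)."""
    return tuple(1 if e == "one" else 0 if e == "zero" else x[e[1]] for e in spec)


def apply_p(tamper, pi, x):
    """Evaluate f in P_n: tamper every input bit, then permute the positions,
    so output position i holds g_{pi^{-1}(i)}(x_{pi^{-1}(i)})."""
    out = [None] * len(x)
    for j, bit in enumerate(x):
        out[pi[j]] = tamper[j](bit)
    return tuple(out)


def q_to_p(spec):
    """Express f in Q_n as (tamper, pi) in P_n using only set/reset/forward:
    a quoted input j is forwarded to the output position that quotes it; every
    remaining input is routed to a fixed-value output and overwritten there.
    Distinct quoted positions make pi a bijection, which is the whole proof."""
    if not is_in_q(spec):
        raise ValueError("spec quotes some input bit twice: not in Q_n")
    n = len(spec)
    pi, tamper = [None] * n, [None] * n
    for i, e in enumerate(spec):
        if isinstance(e, tuple):
            pi[e[1]], tamper[e[1]] = i, FORWARD
    spare = [j for j in range(n) if pi[j] is None]   # inputs nobody quotes
    for i, e in enumerate(spec):
        if not isinstance(e, tuple):
            j = spare.pop()
            pi[j], tamper[j] = i, (SET if e == "one" else RESET)
    return tamper, pi


def same_function(spec):
    """Exhaustively confirm apply_q(spec) == apply_p(*q_to_p(spec)) on {0,1}^n."""
    tamper, pi = q_to_p(spec)
    return all(apply_q(spec, x) == apply_p(tamper, pi, x)
               for x in product((0, 1), repeat=len(spec)))
```

The number of fixed-value outputs always equals the number of unquoted inputs, so `spare` is never exhausted; if a `spec` violated the no duplicated quoting condition, two outputs would need the same input and no permutation could realize it, which is why `q_to_p` rejects such inputs up front.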
2.4 Other Standard Primitives
In this paper we also use a pseudorandom generator (PRG) \(\mathsf {G}\), and a \(\mathtt {CCA}\) secure deterministic symmetric key encryption (SKE) scheme \(E = (\mathsf {SEnc}, \mathsf {SDec})\). For notation, encryption of a plaintext m using a key \(K \in \{0,1\}^k\) is denoted by “\(c \leftarrow \mathsf {SEnc}(K,m)\)” where c is a ciphertext, and decryption of c using K is denoted by “\(m \leftarrow \mathsf {SDec}(K, c)\)” where m could be the invalid symbol \(\bot \). Since their security definitions are standard, we omit them in the proceedings version.
3 New Security Notions for Detectable PKE and KEM
In this section, we introduce new security notions for detectable PKE: \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security and \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security in Sect. 3.1, and randomness-inextractability in Sect. 3.2. We also show some useful facts regarding the new security notions in Sect. 3.3.
We also define \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security and randomness-inextractability for detectable KEMs. Since their definitions are straightforward KEM-analogues of those for detectable PKE in this section, we omit them here and formally provide them in the full version.
3.1 “Weak” Non-malleability Under DCCA and Its “Replayable” Variant
Here, we define a “weak” form of non-malleability against \(\mathtt {DCCA}\) for detectable PKE, which we call \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security, that captures the intuition that an adversary in the \(\mathtt {DCCA}\) experiment cannot come up with a ciphertext that is “meaningfully related” to the challenge ciphertext. Recall that the original definitions of non-malleability for PKE [3, 12, 22] ensure that an adversary cannot even come up with a vector of ciphertexts that are “meaningfully related” to the challenge ciphertext, while our notion only requires that it cannot come up with a single related ciphertext. Technically, following the formalizations in [3, 20, 22], we formalize \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security by modifying the original \(\mathtt {DCCA}\) experiment (in which the usage of the decryption oracle is restricted according to the predicate \(\mathsf {F}\) of the detectable PKE scheme), so that at the end of the experiment the adversary is allowed to make a single “unrestricted” decryption query, regardless of \(\mathsf {F}\). Thus, it is like “1-bounded” \(\mathtt {CCA}\) security [7], except that the adversary additionally has access to the \(\mathtt {DCCA}\) decryption oracle. Myers and Shelat [20] defined a security notion for PKE-to-PKE constructions called “q-wise-non-malleability under UCCA.” Our definition of \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security is a detectable-PKE-analogue of their 1-wise-non-malleability.
We also define a weaker variant of \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security, in whose security experiment the final “unrestricted” decryption query is answered as in the “replayable” \(\mathtt {CCA}\) experiment [4]: if the decryption result is one of the challenge plaintexts chosen by the adversary, then the adversary is only told so and is not given the actual decryption result. For lack of a better name, we call it \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security (where \(\mathtt {R}\) stands for “Replayable”).
Formally, for a detectable PKE scheme \(\varPi = (\mathsf {PKG}, \mathsf {Enc}, \mathsf {Dec}, \mathsf {F})\) and an adversary \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2, \mathcal {A}_3)\), we define the \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) experiment \(\mathsf {Expt}^{\mathtt {wNM}\texttt {-}\mathtt {DCCA}}_{\varPi ,\mathcal {A}}(k)\) and the \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) experiment \(\mathsf {Expt}^{\mathtt {wRNM}\texttt {-}\mathtt {DCCA}}_{\varPi ,\mathcal {A}}(k)\) described in Fig. 2 (left and center, respectively). In both experiments it is required that \(|m_0| = |m_1|\), and, as in the \(\mathtt {DCCA}\) experiment, \(\mathcal {A}_2\) is not allowed to submit a decryption query c satisfying \(\mathsf {F}(pk, c^*, c) = 1\) to the decryption oracle. The adversary’s final “unrestricted” decryption query is captured by the ciphertext \(c'\) that is finally output by \(\mathcal {A}_2\), and naturally it is required that \(c' \ne c^*\). However, \(c'\) may satisfy \(\mathsf {F}(pk, c^*, c') = 1\). In the \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) experiment, “\(\mathsf {same}\)” is a special symbol (distinct from \(\bot \)) that indicates that \(\mathsf {Dec}(sk, c') \in \{m_0, m_1\}\).
Definition 1
We say that a detectable PKE scheme \(\varPi \) is \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) secure if for all PPTAs \(\mathcal {A}\), \(\mathsf {Adv}^{\mathtt {wNM}\texttt {-}\mathtt {DCCA}}_{\varPi ,\mathcal {A}}(k) := 2 \cdot \bigl |\Pr [\mathsf {Expt}^{\mathtt {wNM}\texttt {-}\mathtt {DCCA}}_{\varPi ,\mathcal {A}}(k) = 1] - 1/2\bigr |\) is negligible. We define \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security analogously.
3.2 Randomness-Inextractability
Here we introduce another security notion for detectable PKE that we call randomness-inextractability. Roughly, this security notion ensures that given the challenge ciphertext \(c^*\) (which is an encryption of a plaintext of an adversary’s choice), an adversary cannot come up with a pair \((m', r')\) of a plaintext and a randomness such that \(\mathsf {F}(pk, c^*, \mathsf {Enc}(pk, m'; r')) = 1\). If the predicate \(\mathsf {F}(pk, c^*, c')\) tests the equality \((c^* \mathop {=}\limits ^{?}c')\), then this notion exactly demands that the randomness used in \(c^*\) cannot be recovered, and hence we use the name “randomness-inextractability” (although we allow more general predicates for \(\mathsf {F}\)).
Formally, for a detectable PKE scheme \(\varPi = (\mathsf {PKG}, \mathsf {Enc}, \mathsf {Dec}, \mathsf {F})\) and an adversary \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2)\), consider the \(\mathtt {R}\texttt {-}\mathtt {Inext}\) experiment described in Fig. 2 (right).
Definition 2
We say that a detectable PKE scheme \(\varPi \) satisfies randomness-inextractability if for all PPTAs \(\mathcal {A}\), \(\mathsf {Adv}^{\mathtt {R}\texttt {-}\mathtt {Inext}}_{\varPi , \mathcal {A}}(k):= \Pr [\mathsf {Expt}^{\mathtt {R}\texttt {-}\mathtt {Inext}}_{\varPi ,\mathcal {A}}(k) = 1]\) is negligible.
3.3 Useful Facts
Stretching a Session-Key. As in the case of ordinary KEMs, for a detectable KEM, session-keys can be stretched by using a PRG. More formally, let \(\varGamma = (\mathsf {KKG}, \mathsf {Encap}, \mathsf {Decap}, \mathsf {F})\) be a detectable KEM whose session-key space is \(\{0,1\}^k\). Let \(\mathsf {G}: \{0,1\}^k \rightarrow \{0,1\}^{\ell }\) be a PRG with \(\ell = \ell (k) > k\), where for convenience we define \(\mathsf {G}(\bot ):=\bot \). Then, consider the detectable KEM \(\varGamma ' = (\mathsf {KKG}, \mathsf {Encap}', \mathsf {Decap}', \mathsf {F})\) whose session-key space is \(\{0,1\}^{\ell }\), which is naturally constructed by combining \(\varGamma \) and \(\mathsf {G}\): \(\mathsf {Encap}'(pk)\) runs \((c, K) \leftarrow \mathsf {Encap}(pk)\) and outputs the ciphertext/session-key pair \((c, \mathsf {G}(K))\), and we define \(\mathsf {Decap}'(sk, c) := \mathsf {G}(\mathsf {Decap}(sk, c))\). The following is straightforward, and thus its proof is omitted.
Lemma 3
If the detectable KEM \(\varGamma \) satisfies randomness-inextractability (resp. unpredictability), then so does the detectable KEM \(\varGamma '\). Furthermore, if \(\varGamma \) is \(\mathtt {DCCA}\) (resp. \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\)) secure and \(\mathsf {G}\) is a PRG, then \(\varGamma '\) is \(\mathtt {DCCA}\) (resp. \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\)) secure.
Hybrid Encryption. For a detectable PKE scheme, a straightforward application of hybrid encryption preserves \(\mathtt {w(R)NM}\texttt {-}\mathtt {DCCA}\) security and randomness-inextractability, when combined with a \(\mathtt {CCA}\) secure SKE scheme. Since a \(\mathtt {CCA}\) secure SKE scheme with “zero” ciphertext overhead can be realized from a strong pseudorandom permutation [23] (which in turn can be realized from any one-way function), the ciphertext overhead of a detectable PKE scheme with \(\mathtt {w(R)NM}\texttt {-}\mathtt {DCCA}\) security and randomness-inextractability can be as small as the ciphertext size of the scheme for encrypting a random session-key (usually a k-bit string).
Regarding the security of the hybrid encryption construction, the following lemma is straightforward to see.
Lemma 4
If the detectable PKE scheme \(\varPi \) is \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) secure (resp. \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) secure) and the SKE scheme E is \(\mathtt {CCA}\) secure, then the detectable PKE scheme \(\varPi _{\mathtt {HYB}}\) in Fig. 3 is \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) secure (resp. \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) secure). Furthermore, if \(\varPi \) satisfies randomness-inextractability (resp. unpredictability), then so does \(\varPi _{\mathtt {HYB}}\).
From \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) Security to \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) Security. Canetti, Krawczyk, and Nielsen [4] showed how to convert a “replayable” \(\mathtt {CCA}\) secure PKE scheme into an ordinary \(\mathtt {CCA}\) secure KEM, using a message authentication code (MAC), with almost no overhead. This method can be used for converting a \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) secure detectable PKE scheme into a \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) secure detectable KEM. We review this transformation in the full version.
On the Non-triviality of Randomness-Inextractability. One might wonder whether randomness-inextractability implies unpredictability or vice versa (especially if a detectable PKE scheme already satisfies \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security). We show that neither implication holds. Specifically, via artificial counterexamples, we can show the following lemma, which establishes the non-triviality of these notions; the formal proof is given in the full version.
Lemma 5
A detectable PKE scheme satisfying \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security and unpredictability simultaneously does not necessarily satisfy randomness-inextractability. Furthermore, a detectable PKE scheme satisfying \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security and randomness-inextractability simultaneously does not necessarily satisfy unpredictability.
4 Chosen Ciphertext Security of the Double-Layered Construction
In this section, we show our main result: two new \(\mathtt {CCA}\) security proofs for the “double-layered” construction \(\varGamma _{\mathtt {DL}}\) (of a KEM) constructed from the “inner” detectable KEM \(\varGamma _{\mathtt {in}}\) and the “outer” detectable PKE scheme \(\varPi _{\mathtt {out}}\). We also show partial evidence that we need to rely on the “non-malleability” that we defined in the previous section.
Our First Security Proof. The \(\mathtt {CCA}\) security of \(\varGamma _{\mathtt {DL}}\) can be shown as follows.
Theorem 1
Assume that the “outer” PKE scheme \(\varPi _{\mathtt {out}}\) is a detectable PKE scheme satisfying \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security and randomness-inextractability, and the “inner” KEM \(\varGamma _{\mathtt {in}}\) is a detectable KEM satisfying \(\mathtt {DCCA}\) security and unpredictability. Then, the KEM \(\varGamma _{\mathtt {DL}}\) in Fig. 4 is \(\mathtt {CCA}\) secure.
The structure of the proof is similar to the security proofs for the constructions by Hohenberger et al. [16] and by Matsuda and Hanaoka [19]. However, the details differ due to the difference in the construction and the used assumptions.
We explain the ideas for the proof of Theorem 1. (Here, the values with an asterisk (*) are those related to the challenge ciphertext \(c^*\).) As the first step, note that since a session-key K of \(\varGamma _{\mathtt {DL}}\) is part of a session-key \(\alpha = (r \Vert K)\) of the \(\mathtt {DCCA}\) secure inner KEM \(\varGamma _{\mathtt {in}}\), unless a \(\mathtt {CCA}\) adversary \(\mathcal {A}\) submits a decapsulation query c that simultaneously satisfies (1) \(\mathsf {Dec}_{\mathtt {out}}(sk_{\mathtt {out}}, c) = c_{\mathtt {in}}\ne \bot \) and (2) \(\mathsf {F}_{\mathtt {in}}(pk_{\mathtt {in}}, c_{\mathtt {in}}^*, c_{\mathtt {in}}) = 1\), \(\mathcal {A}\) has no chance of distinguishing the real session-key \(K^*_1\) from a random \(K^*_0\). Following [16, 19], we call this type of decapsulation query a dangerous query. If the probability that \(\mathcal {A}\) comes up with a dangerous query is negligible, then we can finish the proof. Furthermore, observe that since \(\varGamma _{\mathtt {in}}\) satisfies unpredictability, if we can ensure that the inner ciphertext \(c_{\mathtt {in}}^*\) is hidden from \(\mathcal {A}\)’s view, then the probability that \(\mathcal {A}\) comes up with a dangerous query is negligible.
To show that the probability that \(\mathcal {A}\) comes up with a dangerous query in the original security game is negligibly close to that in the security game in which \(\mathcal {A}\)’s view does not contain \(c_{\mathtt {in}}^*\) at all (and hence we can invoke the unpredictability of \(\varGamma _{\mathtt {in}}\)), we rely on the security properties of the outer PKE scheme \(\varPi _{\mathtt {out}}\) to gradually change the security game for \(\mathcal {A}\) so that in the final game, \(c^*\) as well as the other values in \(\mathcal {A}\)’s view contain no information on \(c_{\mathtt {in}}^*\). Note that in the actual encapsulation algorithm \(\mathsf {Encap}_{\mathtt {DL}}\), the randomness r used for outer encryption is also a part of the session-key \(\alpha \) of the inner KEM. Thus, once we invoke the \(\mathtt {DCCA}\) security of the inner KEM \(\varGamma _{\mathtt {in}}\) (which we have already done as the first step), not only the real session-key \(K^*_1\) but also the randomness \(r^*\) used to generate the challenge ciphertext \(c^*\) are made uniformly random values, which enables us to rely on the security properties of \(\varPi _{\mathtt {out}}\) from that point on.
Now, intuitively, the \(\mathtt {DCCA}\) security (which is implied by \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security) of \(\varPi _{\mathtt {out}}\) guarantees that \(c_{\mathtt {in}}^*\) is hidden from \(\mathcal {A}\)’s view as long as \(\mathcal {A}\) only submits decapsulation queries c such that \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c) = 0\). However, \(\mathcal {A}\) is free to choose its own decapsulation queries, and may submit c such that \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c) = 1\). As mentioned in Sect. 1.2, this is another type of “dangerous” query, in the sense that the condition \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c) = 1\) prevents us from relying on the \(\mathtt {DCCA}\) security of the outer PKE scheme \(\varPi _{\mathtt {out}}\). To distinguish this from the above-mentioned type of dangerous queries with respect to the inner KEM, let us use the names “inner-dangerous queries” and “outer-dangerous queries” for the queries associated with the inner KEM and the outer PKE scheme, respectively.
In the full proof, we will show that the randomness-inextractability of the outer PKE scheme allows us to reject decapsulation queries c satisfying \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c) = 1\), without being noticed by \(\mathcal {A}\). Intuitively, this is possible because in order for \(\mathcal {A}\) to notice the difference between a security game in which a decryption query c with \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c) =1\) is not rejected and a security game in which such c is rejected, \(\mathcal {A}\) has to come up with a “valid” query c satisfying \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c) = 1\) and \(\mathsf {Decap}_{\mathtt {DL}}(SK, c) \ne \bot \). However, the latter condition implies \(\mathsf {Dec}_{\mathtt {out}}(sk_{\mathtt {out}}, c) = c_{\mathtt {in}}\ne \bot \), \(\mathsf {Decap}_{\mathtt {in}}(sk_{\mathtt {in}}, c_{\mathtt {in}}) = (r \Vert K) \ne \bot \), and \(\mathsf {Enc}_{\mathtt {out}}(pk_{\mathtt {out}}, c_{\mathtt {in}}; r) = c\), among which the combination of \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c) = 1\) and \(\mathsf {Enc}_{\mathtt {out}}(pk_{\mathtt {out}}, c_{\mathtt {in}}; r) = c\) is exactly the condition for violating randomness-inextractability, and thus such a valid query c must be hard to find.
If we can safely reject an outer-dangerous query, one might wonder why we need non-malleability for the outer PKE scheme, and why ordinary \(\mathtt {DCCA}\) security is not sufficient. The reason is that although \(\mathtt {DCCA}\) security of \(\varPi _{\mathtt {out}}\) intuitively ensures that \(\mathcal {A}\) cannot “see” the inner challenge ciphertext \(c_{\mathtt {in}}^*\), it does not prevent \(\mathcal {A}\) from coming up with an inner-dangerous decapsulation query c such that \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c) = 1\). From the viewpoint of the security proof, we may be able to come up with a \(\mathtt {DCCA}\) adversary (a reduction algorithm) for \(\varPi _{\mathtt {out}}\) that perfectly simulates the security game (in which queries c with \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c) = 1\) are rejected) for \(\mathcal {A}\). However, such a \(\mathtt {DCCA}\) adversary cannot check whether a query of \(\mathcal {A}\) satisfying \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c) = 1\) is inner-dangerous, due to the restriction on its own decryption oracle.
This is the place where the non-malleability of the outer PKE scheme comes into play. Note that an inner ciphertext is a “plaintext” of the outer PKE scheme, and the notion of “inner-dangerous queries” is a “meaningful relation” between \(c_{\mathtt {in}}^*\) and another inner ciphertext. Therefore, the \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security of \(\varPi _{\mathtt {out}}\) ensures that \(\mathcal {A}\) cannot come up with even a single inner-dangerous query c, as long as \(\mathcal {A}\) can only observe the decapsulation results of queries \(c'\) satisfying \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c') = 0\). From the viewpoint of the security proof, if a reduction algorithm is a \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) adversary for \(\varPi _{\mathtt {out}}\), it can check whether \(\mathcal {A}\)’s query c is inner-dangerous by using its final “unrestricted” decryption query, even if \(\mathsf {F}_{\mathtt {out}}(pk_{\mathtt {out}}, c^*, c) = 1\) holds. This enables us to finally show that the probability that \(\mathcal {A}\) comes up with an inner-dangerous query in the original security game is negligibly close to the probability that \(\mathcal {A}\) does so in the game in which \(\mathcal {A}\)’s view does not contain the information on \(c_{\mathtt {in}}^*\).
Hence, combining all the security properties of the building blocks leads to \(\mathtt {CCA}\) security. However, the explanation so far hides some technical subtleties that arise due to the “replayable-CCA”-like nature of \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security, and the treatment of the cases where \(\mathcal {A}\)’s decapsulation query c satisfies \(\mathsf {Dec}_{\mathtt {out}}(sk_{\mathtt {out}}, c) = c_{\mathtt {in}}^*\), etc. For the details, see the proof in the full version.
Our Second Security Proof. We show an alternative security proof for the double-layered construction based on slightly different assumptions on the building blocks.
Theorem 2
Assume that the “outer” PKE scheme \(\varPi _{\mathtt {out}}\) is a detectable PKE scheme satisfying \(\mathtt {DCCA}\) security and randomness-inextractability, and the “inner” KEM \(\varGamma _{\mathtt {in}}\) is a detectable KEM satisfying \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security and unpredictability. Then, the KEM \(\varGamma _{\mathtt {DL}}\) in Fig. 4 is \(\mathtt {CCA}\) secure.
Recall that Myers and Shelat’s original double-layered construction uses an “unquoted” CCA (UCCA) secure construction of a PKE scheme for the outer PKE scheme and a construction of a KEM which is “1-wise-non-malleable under UCCA” for the inner KEM, where UCCA security and its non-malleable variant are security notions for PKE-to-PKE constructions (i.e. constructions that use another PKE scheme as a building block). Recall also that \(\mathtt {DCCA}\) security is an abstraction of UCCA security [16], from a security notion for a PKE-to-PKE construction to one for the wider notion of detectable PKE. Analogously, our definition of \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security can be seen as an abstraction of Myers and Shelat’s “1-wise-non-malleability under UCCA”. Furthermore, it is easy to see that the actual instantiations of the inner KEM and the outer PKE scheme used in the original Myers-Shelat construction [20], when seen as a detectable KEM and a detectable PKE scheme respectively, satisfy unpredictability and randomness-inextractability. Therefore, Theorem 2 can be seen as a generalization of Myers and Shelat’s result.
The structure of the proof of Theorem 2 is similar to our first proof. However, there are several subtle but crucial differences. In particular, the definitions of “inner/outer-dangerous queries” differ from those used in the proof of Theorem 1, and correspondingly we consider a different ordering of the sequence of games for this proof. Furthermore, the role of “non-malleability” in this proof differs from that in the proof of Theorem 1. Informally speaking, in this proof the \(\mathtt {wNM}\texttt {-}\mathtt {DCCA}\) security of the inner detectable KEM \(\varGamma _{\mathtt {in}}\) is used to ensure that the probability that a \(\mathtt {CCA}\) adversary comes up with an outer-dangerous query does not change noticeably between the games in which we invoke (the indistinguishability property of) the \(\mathtt {DCCA}\) security of the inner KEM.
Can We Avoid \(\mathtt {w(R)NM}\texttt {-}\mathtt {DCCA}\) Security? Both of our security proofs for the \(\mathtt {CCA}\) security of the double-layered construction require either the inner detectable KEM or the outer detectable PKE scheme to be “non-malleable” under \(\mathtt {DCCA}\).
Looking ahead, in the next section we will see that the simplest “bitwise-encrypt” construction based on a \(\mathtt {CCA}\) secure 1-bit PKE scheme satisfies \(\mathtt {DCCA}\) security, unpredictability, and randomness-inextractability. Thus, a natural question is whether we can prove the \(\mathtt {CCA}\) security of the double-layered construction without using the non-malleability notions for either of the building blocks (requiring only \(\mathtt {DCCA}\) security instead). If such a security proof were possible, then one could use the bitwise-encrypt-based construction both for the inner KEM and for the outer PKE scheme, and the resulting \(\mathtt {CCA}\) secure KEM would be fairly simple.
Unfortunately, however, we show that such a security proof for the doublelayered construction is impossible, as there is a counterexample.
Theorem 3
Assume there exists a detectable PKE scheme which is \(\mathtt {DCCA}\) secure and unpredictable. Then, there exist a detectable KEM \(\varGamma _{\mathtt {in}}\) and a detectable PKE scheme \(\varPi _{\mathtt {out}}\) such that the following simultaneously hold: (1) \(\varGamma _{\mathtt {in}}\) is \(\mathtt {DCCA}\) secure and unpredictable. (2) \(\varPi _{\mathtt {out}}\) is \(\mathtt {DCCA}\) secure and randomness-inextractable. (3) The double-layered KEM \(\varGamma _{\mathtt {DL}}\) constructed using \(\varGamma _{\mathtt {in}}\) as the inner KEM and \(\varPi _{\mathtt {out}}\) as the outer PKE scheme is not \(\mathtt {CCA}\) secure (in fact, not even secure in the sense of one-wayness under 1-bounded \(\mathtt {CCA}\)).
Our counterexample is based on the observation that the combination of \(\mathtt {DCCA}\) security, unpredictability, and randomness-inextractability does not rule out a double-layered KEM with the following property: A ciphertext C is of the form \(C = (c_1, c_2)\) and the corresponding session-key K is of the form \(K = (K_1, K_2)\), and furthermore it is “blockwise” consistent, meaning that each pair \((c_i, K_i)\) is individually consistent as a ciphertext/session-key pair of the double-layered construction. Thus, the decapsulation result of the “swapped” ciphertext \(\widehat{C} = (c_2, c_1)\) is the “swapped” session-key \(\widehat{K} = (K_2, K_1)\). Such a KEM is clearly malleable, and its one-wayness is broken by just a single decapsulation query.
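The following Python example is added here and is not code from the paper. It implements the double-layered construction as the proof sketch of Theorem 1 describes it (the inner session-key \(\alpha = (r \Vert K)\) supplies the outer randomness, and \(\mathsf {Decap}_{\mathtt {DL}}\) re-encrypts \(c_{\mathtt {in}}\) under r and rejects unless the result equals the received ciphertext), and then builds the two-block, blockwise-consistent KEM of the discussion above and runs the swap query. The inner KEM and outer PKE are keyed-hash stand-ins chosen for this example: they expose only the interfaces the construction consumes (Encap/Decap, \(\mathsf {Enc}(pk, m; r)\)/Dec, with pk and sk being the same key), are symmetric toys rather than public-key schemes, carry no security claim, and are not the artificial \(\varGamma _{\mathtt {in}}\) and \(\varPi _{\mathtt {out}}\) of Theorem 3's proof. The 16-byte sizes of r, K and \(c_{\mathtt {in}}\) are likewise the example's own choices.

```python
"""Double-layered KEM Gamma_DL and the 'blockwise' malleability from the
Theorem 3 discussion, added as an example. The inner KEM and the outer PKE
are keyed-hash stand-ins (symmetric toys, pk == sk) that provide only the
interfaces the construction needs; they make no security claim. The point
is Decap_DL's re-encryption check and the single-query swap attack."""
import hashlib
import hmac
import secrets

R_LEN = 16          # |r| in bytes (example choice); K is the rest of alpha
CIN_LEN = 16        # |c_in| in bytes (example choice)


def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()


# --- inner 'KEM' stand-in: alpha = (r || K) is a 32-byte value bound to c_in ---
def in_keygen():
    k = secrets.token_bytes(32)
    return k, k                                   # (pk_in, sk_in)


def in_encap(pk_in):
    c_in = secrets.token_bytes(CIN_LEN)
    return c_in, _prf(pk_in, b"in", c_in)         # (c_in, alpha)


def in_decap(sk_in, c_in):
    return None if len(c_in) != CIN_LEN else _prf(sk_in, b"in", c_in)


# --- outer 'PKE' stand-in with explicit randomness r: c = r || (m xor pad(r)) ---
def out_keygen():
    k = secrets.token_bytes(32)
    return k, k                                   # (pk_out, sk_out)


def out_enc(pk_out, m, r):
    pad = _prf(pk_out, b"out", r)[:len(m)]
    return r + bytes(a ^ b for a, b in zip(m, pad))


def out_dec(sk_out, c):
    if len(c) <= R_LEN:
        return None                               # bot
    r, body = c[:R_LEN], c[R_LEN:]
    pad = _prf(sk_out, b"out", r)[:len(body)]
    return bytes(a ^ b for a, b in zip(body, pad))


# --- the double-layered construction Gamma_DL ---
def dl_keygen():
    pk_in, sk_in = in_keygen()
    pk_out, sk_out = out_keygen()
    return (pk_in, pk_out), (sk_in, sk_out, pk_out)   # SK keeps pk_out for re-encryption


def dl_encap(PK):
    pk_in, pk_out = PK
    c_in, alpha = in_encap(pk_in)
    r, K = alpha[:R_LEN], alpha[R_LEN:]           # alpha = (r || K)
    return out_enc(pk_out, c_in, r), K            # r is the outer randomness


def dl_decap(SK, c):
    sk_in, sk_out, pk_out = SK
    c_in = out_dec(sk_out, c)
    if c_in is None:
        return None
    alpha = in_decap(sk_in, c_in)
    if alpha is None:
        return None
    r, K = alpha[:R_LEN], alpha[R_LEN:]
    if out_enc(pk_out, c_in, r) != c:             # re-encryption check
        return None
    return K


# --- a blockwise-consistent two-block KEM over Gamma_DL (same key pair for both blocks) ---
def block_encap(PK):
    (c1, K1), (c2, K2) = dl_encap(PK), dl_encap(PK)
    return (c1, c2), (K1, K2)


def block_decap(SK, C):
    K1, K2 = dl_decap(SK, C[0]), dl_decap(SK, C[1])
    return None if K1 is None or K2 is None else (K1, K2)


def swap_attack(SK, C_star):
    """One decapsulation query on (c2, c1), which differs from C* and so is
    answered by the oracle, yields (K2, K1); swapping back recovers K*."""
    c1, c2 = C_star
    res = block_decap(SK, (c2, c1))
    return None if res is None else (res[1], res[0])
```

`dl_decap` rejects any ciphertext whose bytes were altered, because a changed \(c_{\mathtt {in}}\) or r no longer re-encrypts to the received c; that is the check the randomness-inextractability argument relies on. The swap attack never alters a block, which is exactly why blockwise consistency defeats a check that is applied block by block.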
5 Concrete Instantiations of Building Blocks
In this section, we show how to construct a detectable PKE scheme, which we call the “encode-then-bitwise-encrypt” (EtBE) construction, that uses a \(\mathtt {CCA}\) secure 1-bit PKE scheme and a \(\mathcal {Q}\)-non-malleable code as building blocks and simultaneously satisfies \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security and randomness-inextractability. Since the EtBE construction is much easier to understand after reviewing the simple “bitwise-encrypt” construction, we first review the latter in Sect. 5.1 together with its security properties, and then show the EtBE construction in Sect. 5.2.
5.1 Bitwise-Encrypt Construction
Here, we show that the “bitwise-encrypt” construction of a detectable PKE scheme based on a 1-bit PKE scheme, in which each bit of a plaintext is encrypted bit-by-bit by the underlying 1-bit scheme, satisfies randomness-inextractability, \(\mathtt {DCCA}\) security, and unpredictability if the underlying 1-bit PKE scheme is \(\mathtt {CCA}\) secure.
The following result was shown by Hohenberger et al. [16]:
Lemma 6
[16] Let \(n = n(k) > 0\) be a polynomial. If the 1-bit PKE scheme \(\varPi _1\) is \(\mathtt {CCA}\) secure, then the detectable PKE scheme \(\varPi _{\mathtt {BE}}^n\) satisfies \(\mathtt {DCCA}\) security and unpredictability.
We show a similar statement regarding randomnessinextractability.
Lemma 7
Let \(n = n(k) > 0\) be a polynomial. If the 1-bit PKE scheme \(\varPi _1\) is \(\mathtt {CCA}\) secure, then the detectable PKE scheme \(\varPi _{\mathtt {BE}}^n\) satisfies randomness-inextractability.
Here we explain the intuition behind Lemma 7, which is quite straightforward: Suppose an adversary \(\mathcal {A}\), given a public key pk and the challenge ciphertext \(C^* = (c^*_1, \dots , c^*_n)\) and access to the decryption oracle, succeeds in outputting a plaintext \(m' = (m'_1 \Vert \dots \Vert m'_n)\) and a randomness \(r' = (r'_1, \dots , r'_n)\) such that \(\mathsf {F}_{\mathtt {BE}}^n(pk, C^*, C') = 1\) with \(C' = (c'_1, \dots , c'_n) = \mathsf {Enc}_{\mathtt {BE}}^n(pk, m';r')\). Then, by definition, there must be positions \(i, j \in [n]\) such that \(c^*_i = c'_j\), where \(c'_a = \mathsf {Enc}_1(pk, m'_a; r'_a)\) for each \(a \in [n]\). Note that such an \(\mathcal {A}\) is in fact “extracting” the randomness used for generating \(c^*_i\). Note also that extracting the randomness used for generating a ciphertext is a harder task than breaking indistinguishability. Thus, it is easy to construct another \(\mathtt {CCA}\) adversary (a reduction algorithm) \(\mathcal {B}\) for \(\varPi _1\) that initially guesses the position i for which \(c^*_i = c'_j\) holds for some j, embeds \(\mathcal {B}\)’s own challenge ciphertext into the i-th position of the challenge ciphertext for \(\mathcal {A}\), and has \(\mathtt {CCA}\) advantage at least 1 / n times \(\mathcal {A}\)’s advantage in breaking randomness-inextractability.
5.2 Encode-then-Bitwise-Encrypt Construction
Here, we show the construction of a detectable PKE scheme that we call the “Encode-then-Bitwise-Encrypt” (EtBE) construction, which simultaneously achieves \(\mathtt {wRNM}\texttt {-}\mathtt {DCCA}\) security and randomness-inextractability, based on the security properties of the bitwise-encrypt construction (which are in turn based on the underlying \(\mathtt {CCA}\) secure 1-bit scheme) and a \(\mathcal {Q}\)-non-malleable code. Our construction is actually a direct “PKE”-analogue of the transformation of a CCA secure 1-bit commitment scheme into a non-malleable string commitment scheme by Agrawal et al. [2]. We adapt their construction to the (detectable) PKE setting.
Let \(\mathcal {C}= (\mathsf {E}, \mathsf {D})\) be a code with message length k and codeword length \(n = n(k) \ge k\). Let \(\varPi _1 = (\mathsf {PKG}_1, \mathsf {Enc}_1, \mathsf {Dec}_1)\) be a 1-bit PKE scheme. Let \(\varPi _{\mathtt {BE}}^n = (\mathsf {PKG}_{\mathtt {BE}}^n = \mathsf {PKG}_1, \mathsf {Enc}_{\mathtt {BE}}^n, \mathsf {Dec}_{\mathtt {BE}}^n, \mathsf {F}_{\mathtt {BE}}^n)\) be the bitwise-encrypt construction based on \(\varPi _1\). For convenience, we introduce the procedure “\(\mathtt {DUPCHK}(\cdot )\)” which takes a ciphertext \(C = (c_1, \dots , c_n)\) of \(\varPi _{\mathtt {BE}}^n\) as input, and returns 1 if there exist distinct \(i,j \in [n]\) such that \(c_i = c_j\), and returns 0 otherwise. (That is, \(\mathtt {DUPCHK}(C)\) checks for a duplication among the component ciphertexts \((c_i)_{i \in [n]}\).)
Using \(\mathcal {C}\), \(\varPi _{\mathtt {BE}}^n\) (and \(\varPi _1\)), and \(\mathtt {DUPCHK}\), the EtBE construction \(\varPi _{\mathtt {EtBE}}= (\mathsf {PKG}_{\mathtt {EtBE}}:= \mathsf {PKG}_1, \mathsf {Enc}_{\mathtt {EtBE}}, \mathsf {Dec}_{\mathtt {EtBE}}, \mathsf {F}_{\mathtt {EtBE}})\) is constructed as in Fig. 5 (right). Like \(\varPi _{\mathtt {BE}}^n\), the key generation algorithm \(\mathsf {PKG}_{\mathtt {EtBE}}\) is \(\mathsf {PKG}_1\) itself, and we do not show it in the figure. The plaintext space of \(\varPi _{\mathtt {EtBE}}\) is \(\{0,1\}^k\).
On the Correctness of \(\varPi _{\mathtt {EtBE}}\). Note that the encryption algorithm \(\mathsf {Enc}_{\mathtt {EtBE}}\) returns \(\bot \) if it happens that \(\mathtt {DUPCHK}(C) = 1\). This check ensures that a valid ciphertext does not have “duplicated” components, which is required because the non-malleability of a \(\mathcal {Q}\)-non-malleable code only covers “non-duplicated” quoting. Since the probability (over the randomness of \(\mathsf {Enc}_{\mathtt {EtBE}}\)) that \(\mathsf {Enc}_{\mathtt {EtBE}}\) outputs \(\bot \) is not zero, our construction \(\varPi _{\mathtt {EtBE}}\) does not satisfy correctness in a strict sense. (Exactly the same problem arises in the construction of string commitments in [2].) However, it is easy to show that if \(\varPi _1\) satisfies \(\mathtt {CCA}\) security (or even \(\mathtt {CPA}\) security), the probability of \(\mathsf {Enc}_{\mathtt {EtBE}}\) outputting \(\bot \) is negligible, and thus this does no harm in practice. (In practice, for example, when \(\bot \) is output one can re-execute \(\mathsf {Enc}_{\mathtt {EtBE}}\) with fresh randomness; the expected number of executions of \(\mathsf {Enc}_{\mathtt {EtBE}}\) is then negligibly close to 1.) Furthermore, if one needs standard correctness, then instead of letting \(\mathsf {Enc}_{\mathtt {EtBE}}\) output \(\bot \) when \(\mathtt {DUPCHK}(C) = 1\), one can let it output the plaintext m being encrypted as an “irregular ciphertext”, so that when the decryption algorithm \(\mathsf {Dec}_{\mathtt {EtBE}}\) receives an irregular ciphertext C as input, it outputs C itself as the “decryption result” of C.
(To actually implement this, in case \(\mathtt {DUPCHK}(C) = 1\) occurs, \(m \in \{0,1\}^k\) needs to be padded to the length \(n \cdot c\) of an ordinary ciphertext, and every ciphertext furthermore needs a prefix that tells the decryption algorithm whether the received ciphertext should be treated as a normal ciphertext or an irregular one.) Such a modification does no harm to the security properties of \(\varPi _{\mathtt {EtBE}}\) (it increases an adversary’s advantage only negligibly), thanks to the \(\mathtt {CCA}\) security of the building block \(\varPi _1\). For simplicity, in this paper we focus on the current construction of \(\varPi _{\mathtt {EtBE}}\).
Security of \(\varPi _{\mathtt {EtBE}}\). The security properties of the EtBE construction are guaranteed by the following lemmas.
Lemma 8
Assume that \(\varPi _1\) is \(\mathtt {CCA}\) secure and \(\mathcal {C}\) is a \(\mathcal {Q}\)-non-malleable code. Then, the detectable PKE scheme \(\varPi _{\mathtt {EtBE}}\) in Fig. 5 (right) is \(\mathtt {wRNM}\text {-}\mathtt {DCCA}\) secure.
Lemma 9
If \(\varPi _1\) is \(\mathtt {CCA}\) secure, then the detectable PKE scheme \(\varPi _{\mathtt {EtBE}}\) in Fig. 5 (right) satisfies unpredictability and randomness-inextractability.
The proof of Lemma 9 is straightforward given the unpredictability (Lemma 6) and randomness-inextractability (Lemma 7) of the bitwise-encrypt construction \(\varPi _{\mathtt {BE}}^n\), and is thus omitted.
The proof of Lemma 8 follows essentially the same story line as the security proof of the non-malleable string commitment by Agrawal et al. [2]. The high-level idea is as follows. In the \(\mathtt {wRNM}\text {-}\mathtt {DCCA}\) experiment, an adversary \(\mathcal {A}= (\mathcal {A}_1, \mathcal {A}_2, \mathcal {A}_3)\) is allowed to submit a single “unrestricted” decryption query \(C' = (c'_1, \dots , c'_n)\), which is captured by the ciphertext finally output by \(\mathcal {A}_2\). In order for this query to be valid, however, \(C'\) has to satisfy \(\mathtt {DUPCHK}(C') = 0\), which guarantees that \(C'\) does not have duplicated components. Thus, since each component is a ciphertext of the \(\mathtt {CCA}\) secure scheme \(\varPi _1\), the best \(\mathcal {A}\) can do to generate a \(C'\) that is “related” to the challenge ciphertext \(C^* = (c^*_1, \dots , c^*_n)\) is to “quote” some of the \(c^*_i\)’s into \(C'\) in such a way that no \(c^*_i\) appears more than once. However, such “quoting without duplicated positions” is exactly the function class \(\mathcal {Q}\) with respect to which the code \(\mathcal {C}\) is non-malleable. Specifically, the \(\mathcal {Q}\)-non-malleability of \(\mathcal {C}\) guarantees that even if an adversary observes the decryption result of such a \(C'\) that quotes some of the components of \(C^*\) without duplicated positions, \(\mathcal {A}\) gains essentially no information about the original content \(m_b\) of the encoding \(s^*\) encrypted in \(C^*\), and hence no information about the challenge bit b. It might be the case that \(\mathcal {A}\) succeeds in generating \(C'\) so that \(\mathsf {Dec}_{\mathtt {BE}}^n(sk, C')\) is \(s^*\) itself (and hence its decoded value is exactly the challenge plaintext \(m_b\)).
According to the rules of the \(\mathtt {wRNM}\text {-}\mathtt {DCCA}\) experiment, however, in such a case \(\mathcal {A}\) is not given the actual decryption result \(\mathsf {Dec}_{\mathtt {EtBE}}(sk, C')\) directly, but is instead given the symbol \(\mathsf {same}\), which only indicates that the decryption result is either \(m_0\) or \(m_1\). Furthermore, all other queries, which do not quote, do not leak information about the challenge bit b because of the \(\mathtt {DCCA}\) security of the bitwise-encrypt construction \(\varPi _{\mathtt {BE}}^n\) (Lemma 6). These ideas lead to the \(\mathtt {wRNM}\text {-}\mathtt {DCCA}\) security of \(\varPi _{\mathtt {EtBE}}\). For the details, see the proof in the full version.
6 Full Description of Our 1-bit-to-Multi-bit Conversion
Given the results in the previous sections, we are now ready to describe our proposed 1-bit-to-multi-bit conversion, i.e. a \(\mathtt {CCA}\) secure KEM from a \(\mathtt {CCA}\) secure 1-bit PKE scheme. Let \(\varPi _1 = (\mathsf {PKG}_1, \mathsf {Enc}_1, \mathsf {Dec}_1)\) be a 1-bit PKE scheme whose public key size is “pk”, whose ciphertext size is “c”, and the randomness space of whose encryption algorithm \(\mathsf {Enc}_1\) is \(\{0,1\}^{\ell }\). Let \(\mathcal {C}= (\mathsf {E}, \mathsf {D})\) be a \(\mathcal {Q}\)-non-malleable (n, k)-code with \(n= n(k) \ge k\), the randomness space of whose encoding algorithm \(\mathsf {E}\) is \(\{0,1\}^{\widehat{\ell }}\). Let \(\ell ' = n \cdot \ell + \widehat{\ell }+ 2k\), and let \(\mathsf {G}: \{0,1\}^k \rightarrow \{0,1\}^{\ell '}\) be a PRG. Finally, let \(E = (\mathsf {SEnc}, \mathsf {SDec})\) be a deterministic SKE scheme whose plaintext space is \(\{0,1\}^{k \cdot c}\) and which has zero ciphertext overhead (i.e. its ciphertext size is the same as that of a plaintext).

\(\varGamma _{\mathtt {in}}\): Consider the bitwise-encrypt construction \(\varPi _{\mathtt {BE}}^k\) (Fig. 5) based on the PKE scheme \(\varPi _1\), and regard it as a detectable KEM by encrypting a random k-bit string as a session-key. For this detectable KEM, use the PRG \(\mathsf {G}\) with the method explained in the first paragraph of Sect. 3.3 to stretch its session-key to \(\ell '\) bits. \(\varGamma _{\mathtt {in}}\) is the resulting KEM.
The public key size of \(\varGamma _{\mathtt {in}}\) is pk, its ciphertext size is \(k \cdot c\), and its session-key space is \(\{0,1\}^{\ell '}\). Due to Lemmas 3 and 6, \(\varGamma _{\mathtt {in}}\) satisfies \(\mathtt {DCCA}\) security and unpredictability based on the \(\mathtt {CCA}\) security of \(\varPi _1\) and the security of \(\mathsf {G}\).

\(\varPi _{\mathtt {out}}\): Consider the EtBE construction \(\varPi _{\mathtt {EtBE}}\) based on the code \(\mathcal {C}\) and the bitwise-encrypt construction \(\varPi _{\mathtt {BE}}^n\) (which is in turn based on \(\varPi _1\)) (Fig. 5). Combine this detectable PKE scheme with the SKE scheme E by the method explained in the second paragraph of Sect. 3.3 (see Fig. 3). \(\varPi _{\mathtt {out}}\) is the resulting PKE scheme.
The public key size of \(\varPi _{\mathtt {out}}\) is pk, its ciphertext overhead (the total ciphertext size minus the plaintext size) is \(n \cdot c\), its plaintext space is \(\{0,1\}^{k \cdot c}\), and the randomness space of its encryption algorithm is \(\{0,1\}^{\ell ' - k}\). Due to Lemmas 4, 6, 7, 8, and 9, \(\varPi _{\mathtt {out}}\) satisfies \(\mathtt {wRNM}\text {-}\mathtt {DCCA}\) security and randomness-inextractability, based on the \(\mathtt {CCA}\) security of \(\varPi _1\), the \(\mathcal {Q}\)-non-malleability of \(\mathcal {C}\), and the \(\mathtt {CCA}\) security of E.
Our proposed KEM \(\widetilde{\varGamma }= (\widetilde{\mathsf {KKG}}, \widetilde{\mathsf {Encap}}, \widetilde{\mathsf {Decap}})\) is then obtained from the double-layered construction \(\varGamma _{\mathtt {DL}}\) in which the inner KEM is \(\varGamma _{\mathtt {in}}\) and the outer PKE scheme is \(\varPi _{\mathtt {out}}\) explained above. More concretely, the description of \(\widetilde{\varGamma }\) is as in Fig. 6.
The public key size of \(\widetilde{\varGamma }\) is \(2 \cdot pk\), and its ciphertext size is \((n + k) \cdot c\) (where \(\varGamma _{\mathtt {in}}\) contributes \(k \cdot c\) and \(\varPi _{\mathtt {out}}\) contributes \(n \cdot c\)). Using the \(\mathcal {P}\)-non-malleable code with “optimal rate” (Lemma 1) by Agrawal et al. [1], which also satisfies \(\mathcal {Q}\)-non-malleability by Lemma 2, we have \(n = k + o(k)\). Thus, the ciphertext size of \(\widetilde{\varGamma }\) can be made asymptotically \((2k + o(k)) \cdot c\).
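The following Python program is an added example (not the paper's or the authors' code) that makes the layering of Sect. 6 concrete: the inner bitwise-encrypt KEM with a PRG-stretched session-key, the outer EtBE scheme with the DUPCHK rejection of Sect. 5 combined with a zero-overhead SKE, and the double-layered Encap/Decap that splits \(\mathsf {G}(K_{\mathtt {in}})\) into \(\ell ' - k\) bits of outer randomness and a k-bit session-key. It assumes insecure stand-ins for the building blocks (a keyed hash as the 1-bit PKE, SHAKE as the PRG, a 4-round Feistel as the SKE), takes the code \(\mathcal {C}\) to be the identity so that n = k, and assumes that Decap re-encrypts the recovered inner ciphertext and rejects on mismatch, since Fig. 6 is not reproduced here.

```python
import hashlib, hmac, secrets
K = 16   # security parameter k in bits; n = k because the toy code C is the identity
L = 4    # ell: bytes of randomness consumed by one 1-bit encryption
def pkg1():
    """Toy 1-bit PKE key pair: sk is a MAC key and pk = sk (symmetric stand-in)."""
    return (sk := secrets.token_bytes(16)), sk
def enc1(pk, b, r):
    """c = r || (b xor lsb(MAC(pk, r))), deterministic once the randomness r is fixed."""
    return r + bytes([b ^ (hmac.digest(pk, r, "sha256")[0] & 1)])
def dec1(sk, c):
    return c[-1] ^ (hmac.digest(sk, c[:-1], "sha256")[0] & 1)
def prg(seed_bits, nbytes):
    """Toy PRG G: SHAKE-256 of the k-bit seed tuple, stretched to nbytes."""
    return hashlib.shake_256(bytes(seed_bits)).digest(nbytes)
def ske(key_bits, M, rounds=(0, 1, 2, 3)):
    """Toy zero-overhead SKE E: 4-round Feistel (Luby-Rackoff strong-PRP stand-in)
    on even-length M; decryption is the same function with the rounds reversed."""
    half = len(M) // 2
    l, r = M[:half], M[half:]
    for i in rounds:
        f = hashlib.shake_256(bytes(key_bits) + bytes([i]) + r).digest(half)
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l
def bitwise_enc(pk, bits, rand):
    """BE^n: encrypt every bit under the same pk with its own slice of randomness."""
    return [enc1(pk, b, rand[i * L:(i + 1) * L]) for i, b in enumerate(bits)]
def dupchk(C):
    """DUPCHK(C) = 1 iff some component ciphertext occurs at two positions."""
    return int(len(set(C)) != len(C))
def out_enc(pk, M, r_out):
    """Pi_out.Enc: EtBE-encrypt the k-bit SKE key s, bot if DUPCHK fires, then SKE_s(M)."""
    s, r_be = r_out                      # k key bits and n*ell bytes of BE^n randomness
    C = bitwise_enc(pk, s, r_be)
    if dupchk(C):
        return None
    return C, ske(s, M)
def out_dec(sk, ct):
    C, body = ct
    if dupchk(C):                        # a ciphertext with duplicated components is invalid
        return None
    return ske(tuple(dec1(sk, c) for c in C), body, rounds=(3, 2, 1, 0))
def stretch(k_in):
    """G(K_in) parsed as (r_out, K_out): ell' - k bits of Pi_out randomness, k-bit key."""
    r = prg(k_in, K + K * L + K // 8)
    return (tuple(x & 1 for x in r[:K]), r[K:K + K * L]), r[K + K * L:]
def encap(pk_in, pk_out):
    """Gamma~.Encap: BE^k KEM on a random K_in, then c_in encrypted by Pi_out under
    randomness derived from K_in; retried with a fresh K_in if Enc_EtBE outputs bot."""
    while True:
        k_in = tuple(secrets.randbits(1) for _ in range(K))
        c_in = bitwise_enc(pk_in, k_in, secrets.token_bytes(K * L))
        r_out, k_out = stretch(k_in)
        c_out = out_enc(pk_out, b"".join(c_in), r_out)
        if c_out is not None:
            return c_out, k_out
def decap(sk_in, sk_out, pk_out, c_out):
    """Gamma~.Decap: recover c_in and K_in, re-derive (r_out, K_out) and accept only
    if re-encrypting c_in under r_out reproduces c_out (assumed consistency check)."""
    blob = out_dec(sk_out, c_out)
    if blob is None or len(blob) != K * (L + 1):
        return None
    c_in = [blob[i:i + L + 1] for i in range(0, len(blob), L + 1)]
    r_out, k_out = stretch(tuple(dec1(sk_in, c) for c in c_in))
    return k_out if out_enc(pk_out, blob, r_out) == c_out else None
```

Two key pairs are used, as in \(\widetilde{\varGamma }\): the outer layer hides the inner ciphertext, and a ciphertext whose outer components repeat, or whose SKE body was altered, is rejected by Decap.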
The following statement is obtained as a corollary of the combination of Theorem 1 and Lemmas 1, 2, 3, 4, 6, 7, 8, and 9.
Theorem 4
Assume that the PKE scheme \(\varPi _1\) is \(\mathtt {CCA}\) secure, \(\mathcal {C}\) is a \(\mathcal {Q}\)nonmalleable code, \(\mathsf {G}\) is a PRG, and the SKE scheme E is \(\mathtt {CCA}\) secure. Then, the KEM \(\widetilde{\varGamma }\) in Fig. 6 is \(\mathtt {CCA}\) secure.
2-bit-to-multi-bit Construction with a Single Key Pair. Note that our proposed 1-bit-to-multi-bit conversion \(\widetilde{\varGamma }\) uses two key pairs. It turns out that if we can use a 2-bit PKE scheme as a building block instead of a 1-bit scheme, then we can construct a \(\mathtt {CCA}\) secure KEM that uses only one key pair of the underlying 2-bit scheme, in a way very similar to \(\widetilde{\varGamma }\). The idea of this 2-bit-to-multi-bit conversion is to use the additional bit of the plaintext space as an “indicator bit” that indicates whether each component ciphertext is generated for the inner layer or the outer layer. That is, each inner ciphertext \(c_{\mathtt {in}}^{(i)}\) is an encryption of \((1 \Vert K_{\mathtt {in}}^{(i)})\), each outer ciphertext \(c_i\) is an encryption of \((0 \Vert s_i)\), and in the decapsulation algorithm we check whether the component ciphertexts \(\{c_i\}_{i \in [n]}\) and \(\{c_{\mathtt {in}}^{(i)}\}_{i \in [k]}\) have the appropriate indicator bits (“1” for the inner layer and “0” for the outer layer). This additional indicator bit and its check prevent quoting of an inner ciphertext into the outer layer and vice versa, and thus make the encryption/decryption operations of the inner layer and those of the outer layer virtually independent, as if each layer had its own key pair. This enables us to conduct the security proof in essentially the same way as that of \(\widetilde{\varGamma }\). Due to the lack of space, we detail it in the full version.
On the Necessity of Two Key Pairs. As mentioned in the Introduction, our positive results on the 1/2-bit-to-multi-bit constructions for CCA security raise an interesting question in terms of the number of public keys: Is it necessary to use two key pairs in 1-bit-to-multi-bit constructions for CCA security? Motivated by this question, in the full version we consider the one-key variant of our proposed KEM \(\widetilde{\varGamma }\), and show that it is vulnerable to a \(\mathtt {CCA}\) attack. Hence, using two key pairs of the underlying 1-bit scheme is essential for our proposed construction \(\widetilde{\varGamma }\). Clarifying the optimal number of key pairs in 1-bit-to-multi-bit constructions would be an interesting open problem.
7 Comparison
Table 1 compares the public key size and ciphertext size of the existing “1-bit-to-multi-bit” constructions that achieve \(\mathtt {CCA}\) security (or related security). Specifically, in the table, “MS” represents the construction by Myers and Shelat [20]; “HLW” represents the construction by Hohenberger et al. [16], which uses a \(\mathtt {CPA}\) secure PKE scheme, a 1-bounded \(\mathtt {CCA}\) secure [7] PKE scheme, and a detectable PKE scheme satisfying \(\mathtt {DCCA}\) security and unpredictability. We assume that for the 1-bounded \(\mathtt {CCA}\) secure scheme, the construction by Dodis and Fiore [11, Appendix C] is used, which constructs such a scheme from a \(\mathtt {CPA}\) secure scheme and a one-time signature scheme, and we also assume that its detectable scheme and the \(\mathtt {CPA}\) secure scheme are realized by the bitwise-encrypt construction \(\varPi _{\mathtt {BE}}^k\). (If we need to encrypt a value longer than k bits, then we assume that hybrid encryption is used everywhere possible, by encrypting a k-bit random session-key and using it as a key for SKE (where the length of an SKE ciphertext is assumed to be the same as that of the plaintext [23]); we do the same for the constructions explained below.) “MH” represents the construction by Matsuda and Hanaoka [19], which can be seen as an efficient version of HLW [16] due to hybrid encryption techniques, and we assume that building blocks similar to those of HLW are used; “CMTV” represents the construction by Coretti et al. [6], the size parameters of which are taken from the introduction of [6]; “CDTV” represents the construction by Coretti et al. [5], where the size parameters are estimated according to the explanations in [5, Sections 4.2 & 4.3]; “Ours” is the KEM \(\widetilde{\varGamma }\) shown in Fig. 6 in Sect. 6.
As is clear from Table 1, if one starts from a \(\mathtt {CCA}\) secure 1-bit PKE scheme (and assumes that building blocks implied by one-way functions are available for free), then “Ours” achieves asymptotically the best efficiency. Notably, the public key size and the ciphertext size of “Ours” are asymptotically “optimal” in the sense that they are asymptotically the same as those of the bitwise-encrypt construction \(\varPi _{\mathtt {BE}}^k\), which works as a 1-bit-to-multi-bit conversion for the \(\mathtt {CPA}\) and non-adaptive \(\mathtt {CCA}\) (CCA1) settings. Note also that all the previous constructions that achieve ordinary \(\mathtt {CCA}\) security have public key size \(\varOmega (k) \cdot pk\) and ciphertext size \(\varOmega (k^2) \cdot c\).
We note that, as mentioned in Sect. 1.3, CMTV [6] and CDTV [5] achieve only indistinguishability under self-destruct CCA (\(\mathtt {SDA}\)) and non-malleability under self-destruct CCA (\(\mathtt {NM}\text {-}\mathtt {SDA}\)), respectively, which are both implied by ordinary \(\mathtt {CCA}\) security but are strictly weaker than it. Nonetheless, “Ours” achieves better asymptotic efficiency than them.
Table 1. Comparison among the 1-bit-to-multi-bit constructions for CCA (and related) security.

| Scheme | PK size | Ciphertext size | Sec. of \(\varPi _1\) | Add. Bld. Blk. |
|---|---|---|---|---|
| MS [20] | \((20k^2 + 1) pk\) | \((10k^3c + vk + \sigma ) c\) | \(\mathtt {CCA}\) | Sig., PRG |
| HLW [16] | \((2k+2) pk\) | \((k^2 + 3k) c + vk + \sigma + 6k\) | \(\mathtt {DCCA}\) & \(\mathtt {UNP}\) | Sig., PRG, SKE |
| MH [19] | \((2k+2) pk\) | \((k^2 + 2k)c + vk + \sigma \) | \(\mathtt {DCCA}\) & \(\mathtt {UNP}\) | Sig., PRG, SKE |
| CMTV\(^{\dag }\) [6] | \(\approx k pk\) | \(\approx 5k c\) | \(\mathtt {SDA}\) | — |
| CDTV\(^{\dag }\) [5] | O(k) pk | O(k) c | \(\mathtt {NM}\text {-}\mathtt {SDA}\) | — |
| Ours (Sect. 6) | 2 pk | \((2k + o(k)) c\) | \(\mathtt {CCA}\) | PRG, SKE |
Footnotes
1. This requirement is not explicitly defined in [16], but it is actually necessary for \(\mathtt {DCCA}\) security to be meaningful. Without this requirement, \(\mathtt {DCCA}\) security is unachievable, as an adversary can submit the challenge ciphertext to the decryption oracle.
2. The original definition [13] considered security against computationally unbounded adversaries. In this paper, however, we only need security against PPTAs.
Acknowledgement
The authors would like to thank the members of the study group “Shin-Akarui-Angou-Benkyou-Kai,” and the anonymous reviewers of ASIACRYPT 2015 for their helpful comments and suggestions.
References
1. Agrawal, S., Gupta, D., Maji, H.K., Pandey, O., Prabhakaran, M.: A rate-optimizing compiler for non-malleable codes against bit-wise tampering and permutations. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 375–397. Springer, Heidelberg (2015)
2. Agrawal, S., Gupta, D., Maji, H.K., Pandey, O., Prabhakaran, M.: Explicit non-malleable codes against bit-wise tampering and permutations. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 538–557. Springer, Heidelberg (2015)
3. Bellare, M., Sahai, A.: Non-malleable encryption: equivalence between two notions, and an indistinguishability-based characterization. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 519–536. Springer, Heidelberg (1999)
4. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003)
5. Coretti, S., Dodis, Y., Tackmann, B., Venturi, D.: Non-malleable encryption: simpler, shorter, stronger (2015). http://eprint.iacr.org/2015/772
6. Coretti, S., Maurer, U., Tackmann, B., Venturi, D.: From single-bit to multi-bit public-key encryption via non-malleable codes. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 532–560. Springer, Heidelberg (2015)
7. Cramer, R., Hanaoka, G., Hofheinz, D., Imai, H., Kiltz, E., Pass, R., Shelat, A., Vaikuntanathan, V.: Bounded CCA2-secure encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 502–518. Springer, Heidelberg (2007)
8. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
9. Dachman-Soled, D., Fuchsbauer, G., Mohassel, P., O’Neill, A.: Enhanced chosen-ciphertext security and applications. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 329–344. Springer, Heidelberg (2014)
10. Dodis, Y., Fiore, D.: Interactive encryption and message authentication. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 494–513. Springer, Heidelberg (2014)
11. Dodis, Y., Fiore, D.: Interactive encryption and message authentication (2013). Full version of [10]. http://eprint.iacr.org/2013/817
12. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography. In: STOC 1991, pp. 542–552. ACM (1991)
13. Dziembowski, S., Pietrzak, K., Wichs, D.: Non-malleable codes. In: ICS 2010, pp. 434–452 (2010)
14. Dziembowski, S., Pietrzak, K., Wichs, D.: Non-malleable codes. Full version of [13]. http://eprint.iacr.org/2009/608
15. Faust, S., Mukherjee, P., Nielsen, J.B., Venturi, D.: Continuous non-malleable codes. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 465–488. Springer, Heidelberg (2014)
16. Hohenberger, S., Lewko, A., Waters, B.: Detecting dangerous queries: a new approach for chosen ciphertext security. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 663–681. Springer, Heidelberg (2012)
17. Kitagawa, F., Matsuda, T., Hanaoka, G., Tanaka, K.: Completeness of single-bit projection-KDM security for public key encryption. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 201–219. Springer, Heidelberg (2015)
18. Lin, H., Tessaro, S.: Amplification of chosen-ciphertext security. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 503–519. Springer, Heidelberg (2013)
19. Matsuda, T., Hanaoka, G.: Achieving chosen ciphertext security from detectable public key encryption efficiently via hybrid encryption. In: Sakiyama, K., Terada, M. (eds.) IWSEC 2013. LNCS, vol. 8231, pp. 226–243. Springer, Heidelberg (2013)
20. Myers, S., Shelat, A.: Bit encryption is complete. In: FOCS 2009, pp. 607–616 (2009)
21. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC 1990, pp. 427–437. ACM (1990)
22. Pass, R., Shelat, A., Vaikuntanathan, V.: Relations among notions of non-malleability for encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 519–535. Springer, Heidelberg (2007)
23. Phan, D.H., Pointcheval, D.: About the security of ciphers (semantic security and pseudo-random permutations). In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 182–197. Springer, Heidelberg (2004)