Paper 2015/118

Constructing and Understanding Chosen Ciphertext Security via Puncturable Key Encapsulation Mechanisms

Takahiro Matsuda and Goichiro Hanaoka


In this paper, we introduce and study a new cryptographic primitive that we call "puncturable key encapsulation mechanism" (PKEM), which is a special class of KEMs that satisfy some functional and security requirements that, combined together, imply chosen ciphertext security (CCA security). The purpose of introducing this primitive is to capture certain common patterns in the security proofs of the several existing CCA secure public key encryption (PKE) schemes and KEMs based on general cryptographic primitives which (explicitly or implicitly) use the ideas and techniques of the Dolev-Dwork-Naor (DDN) construction (STOC'91), and "break down" the proofs into smaller steps, so that each small step is easier to work with/verify/understand than directly tackling CCA security. To see the usefulness of PKEM, we show (1) how several existing constructions of CCA secure PKE/KEM constructed based on general cryptographic primitives can be captured as a PKEM, which enables us to understand these constructions via a unified framework, (2) its connection to detectable CCA security (Hohenberger et al. EUROCRYPT'12), and (3) a new security proof for a KEM-analogue of the DDN construction from a set of assumptions: "sender non-committing encryption" (SNCE) and non-interactive witness indistinguishable proofs. Then, as our main technical result, we show how to construct a PKEM satisfying our requirements (and thus a CCA secure KEM) from a new set of general cryptographic primitives: "SNCE" and "symmetric key encryption secure for key-dependent messages" (KDM secure SKE). Our construction realizes the "decrypt-then-re-encrypt"-style validity check of a ciphertext which is powerful but in general has a problem of the circularity between a plaintext and a randomness.We show how SNCE and KDM secure SKE can be used together to overcome the circularity. We believe that the connection among three seemingly unrelated notions of encryption primitives, i.e. CCA security, the sender non-committing property, and KDM security, to be of theoretical interest.

Available format(s)
Public-key cryptography
Publication info
A minor revision of an IACR publication in TCC 2015
public key encryptionpuncturable key encapsulation mechanismchosen ciphertext securitysender non-committing encryption
Contact author(s)
t-matsuda @ aist go jp
2015-02-24: revised
2015-02-24: received
See all versions
Short URL
Creative Commons Attribution


      author = {Takahiro Matsuda and Goichiro Hanaoka},
      title = {Constructing and Understanding Chosen Ciphertext Security via Puncturable Key Encapsulation Mechanisms},
      howpublished = {Cryptology ePrint Archive, Paper 2015/118},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.