To see the usefulness of PKEM, we show (1) how several existing constructions of CCA secure PKE/KEM constructed based on general cryptographic primitives can be captured as a PKEM, which enables us to understand these constructions via a unified framework, (2) its connection to detectable CCA security (Hohenberger et al. EUROCRYPT'12), and (3) a new security proof for a KEM-analogue of the DDN construction from a set of assumptions: "sender non-committing encryption" (SNCE) and non-interactive witness indistinguishable proofs.
Then, as our main technical result, we show how to construct a PKEM satisfying our requirements (and thus a CCA secure KEM) from a new set of general cryptographic primitives: "SNCE" and "symmetric key encryption secure for key-dependent messages" (KDM secure SKE). Our construction realizes the "decrypt-then-re-encrypt"-style validity check of a ciphertext which is powerful but in general has a problem of the circularity between a plaintext and a randomness.We show how SNCE and KDM secure SKE can be used together to overcome the circularity. We believe that the connection among three seemingly unrelated notions of encryption primitives, i.e. CCA security, the sender non-committing property, and KDM security, to be of theoretical interest.
Category / Keywords: public-key cryptography / public key encryption, puncturable key encapsulation mechanism, chosen ciphertext security, sender non-committing encryption, key-dependent message secure symmetric-key encryption. Original Publication (with minor differences): IACR-TCC-2015 Date: received 15 Feb 2015, last revised 23 Feb 2015 Contact author: t-matsuda at aist go jp Available format(s): PDF | BibTeX Citation Version: 20150224:044131 (All versions of this report) Short URL: ia.cr/2015/118