Paper 2019/291

CCA Security and Trapdoor Functions via Key-Dependent-Message Security

Fuyuki Kitagawa, Takahiro Matsuda, and Keisuke Tanaka


We study the relationship among public-key encryption (PKE) satisfying indistinguishability against chosen plaintext attacks (IND-CPA security), that against chosen ciphertext attacks (IND-CCA security), and trapdoor functions (TDF). Specifically, we aim at finding a unified approach and some additional requirement to realize IND-CCA secure PKE and TDF based on IND-CPA secure PKE, and show the following two main results. As the first main result, we show how to achieve IND-CCA security via a weak form of key-dependent-message (KDM) security. More specifically, we construct an IND-CCA secure PKE scheme based on an IND-CPA secure PKE scheme and a secret-key encryption (SKE) scheme satisfying one-time KDM security with respect to projection functions (projection-KDM security). Projection functions are elementary functions with respect to which KDM security has been widely studied. Since the existence of projection-KDM secure PKE implies that of the above two building blocks, as a corollary of this result, we see that the existence of IND-CCA secure PKE is implied by that of projection-KDM secure PKE. As the second main result, we extend the above construction of IND-CCA secure PKE into that of TDF by additionally requiring a mild requirement for each building block. Our TDF satisfies adaptive one-wayness. We can instantiate our TDF based on a wide variety of computational assumptions. Especially, we obtain the first TDF (with adaptive one-wayness) based on the sub-exponential hardness of the constant-noise learning-parity-with-noise (LPN) problem. In addition, we show that by extending the above constructions, we can obtain PKE schemes satisfying advanced security notions under CCA, that is, optimal rate leakage-resilience under CCA and selective-opening security under CCA. As a result, we obtain the first PKE schemes satisfying these security notions based on the computational Diffie-Hellman (CDH) assumption or the low-noise LPN assumption.

Note: The proceedings version of this paper appeared in CRYPTO 2019. In this version, we provide several additional results on advanced security notions under CCA, that is, optimal rate leakage resilience under CCA and selective-opening security under CCA. The additional results are explained in the "Further Results" paragraph in Section 1.2.

Public-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2019
chosen ciphertext security, trapdoor functions, key dependent message security
Contact author(s)
fuyuki kitagawa yh @ hco ntt co jp
fuyuki kitagawa @ gmail com
t-matsuda @ aist go jp
keisuke @ is titech ac jp
2021-06-04: last of 2 revisions
2019-03-19: received
Creative Commons Attribution


      author = {Fuyuki Kitagawa and Takahiro Matsuda and Keisuke Tanaka},
      title = {CCA Security and Trapdoor Functions via Key-Dependent-Message Security},
      howpublished = {Cryptology ePrint Archive, Paper 2019/291},
      year = {2019},
      note = {\url{}},
      url = {}