1 Introduction

Secure encryption is the most basic task in cryptography, and significant work has gone into defining and attaining it. Among the commonly accepted definitions, such as chosen-plaintext attack (CPA) security and chosen-ciphertext attack (CCA) security, CCA security means that the adversary obtains no information about messages encrypted in other ciphertexts even if she is allowed to query a decryption oracle on ciphertexts of her choice; therefore CCA security has been accepted as the standard requirement for encryption schemes. However, in some settings randomness-recovering encryption is important, for example for adaptive functions [8] and PKE with non-interactive opening [6]. ECCA security is motivated by the concept of randomness-recovering encryption and was presented by Dana Dachman-Soled et al. [4]. Enhanced chosen ciphertext attack security means that the decryption oracle provided to the adversary not only outputs the result of the decryption algorithm on a queried ciphertext but also the output of a randomness-recovery algorithm associated with the scheme [11]. Furthermore, those authors gave several public-key encryption schemes satisfying ECCA security and applications of ECCA security. In this paper, our results mainly concern the case in which the randomness-recovery algorithm is efficient. ECCA security is of both practical and theoretical interest.

The first standard-model construction of CCA-secure randomness-recovering PKE was achieved by Peikert and Waters [11], but public key encryption is too slow for encrypting long messages and big data. For this reason the hybrid encryption method was created: a key k for a symmetric encryption scheme is encrypted with the asymmetric scheme, and the messages themselves are encrypted with the symmetric scheme under k. In order to obtain ECCA-secure hybrid encryption, we consider the ECCA security of hybrid public key encryptions. Cramer and Shoup proved that the hybrid encryption scheme is CCA secure if the \(\texttt {KEM}\) part is CCA secure and the \(\texttt {DEM}\) part is also CCA secure [13]. Masayuki Abe et al. presented a hybrid encryption scheme which provides a simple way to create threshold versions of CCA-secure hybrid encryption schemes [2]. R. Canetti, H. Krawczyk, and J. Nielsen proposed a relaxed variant of CCA security, called Replayable CCA (RCCA) security [3]. Chen and Dong considered RCCA security for the KEM+DEM paradigm. They also considered RCCA security for and paradigm [10]. Motivated by their work, we consider the ECCA security of the \(\texttt {Tag-KEM/DEM}\) paradigm and of the \(\texttt {KEM/Tag-DEM}\) paradigm.

Organization of the Paper. In Sect. 2, we introduce some basic notations and the definitions of the building blocks. In Sect. 3, we recall the definitions of the well-known hybrid encryptions \(\texttt {Tag-KEM/DEM}\) and \(\texttt {KEM/Tag-DEM}\), and then prove their \(\texttt {ECCA}\) security in detail. Conclusions can be found in Sect. 4.

2 Preliminaries

In this section, we will review some useful notations and definitions.

Notations. Let \(\mathbb N\) be the set of natural numbers. If M is a set, then |M| denotes its size and \(m\xleftarrow {R} M\) denotes the operation of picking an element m uniformly at random from M. We denote by \(\lambda \) the security parameter; for notational clarity we usually omit it as an explicit parameter. PPT denotes probabilistic polynomial time. Let \(z\leftarrow A(x,y,\cdots )\) denote the operation of running an algorithm A with inputs \((x,y,\cdots )\) and obtaining output z. We say a function \(\mathrm{negl}(\lambda )\) is negligible (in \(\lambda \)) if for every constant \(c>0\) there exists \(k_0 \in \mathbb {N}\) such that \(\mathrm{negl}(\lambda )<\lambda ^{-c}\) for all \(\lambda > k_0\).

2.1 ECCA Security Definition

A public-key encryption scheme \(\texttt {PKE\,=\,(Gen,Enc,Dec)}\) consists of three algorithms. \(\texttt {Gen}\) is a probabilistic algorithm that, on input the security parameter \(\lambda \), outputs a public/private key pair (pk, sk), where pk defines the message space M. \(\texttt {Enc}\) is a probabilistic algorithm that encrypts a message \(m\in M\) into a ciphertext c. \(\texttt {Dec}\) is a deterministic algorithm that decrypts c and outputs either \(m\in M \) or a special symbol \(\perp \). An adversary \(\mathcal {A}=(\mathcal {A}_{1},\mathcal {A}_{2})\) is a probabilistic polynomial-time oracle query machine. We now describe the attack game between a challenger and an adversary \(\mathcal {A}=(\mathcal {A}_{1},\mathcal {A}_{2})\) used to define security against adaptive enhanced chosen ciphertext attack.

  • stage 1: The adversary queries a key generation oracle. The key generation oracle runs \((pk,sk) \leftarrow \texttt {Gen}(\lambda )\) and responds adversary \(\mathcal {A}\) with pk.

  • stage 2: The adversary makes a sequence of calls to a decryption oracle. For each decryption oracle query, the adversary \(\mathcal {A}_{1}\) submits a ciphertext c to \(\texttt {Dec}^{*}\). The decryption oracle responds with \( m\leftarrow \texttt {Dec}(sk,c)\) and the randomness-recovery algorithm \(\texttt {Rec}\) responds with \(r\leftarrow \texttt {Rec}(sk,c) \). We require that for all messages \(m\in M\) (M is the message space) and all \((pk,sk)\leftarrow \texttt {Gen}(1^{\lambda })\),

    $$\begin{aligned} \Pr \big [ \texttt {Enc}(pk,r^{'},m)\ne c : r\xleftarrow {R}\{0,1\}^{\lambda };\ c\leftarrow \texttt {Enc}(pk,r,m);\ r^{'}\leftarrow \texttt {Rec}(sk,c)\big ] \end{aligned}$$

    is negligible, i.e., re-encrypting m with the recovered randomness reproduces the queried ciphertext. Finally, if \(m=\,\perp \), the oracle responds to \(\mathcal {A}\) with \(\perp \), else it responds to \(\mathcal {A}\) with (m, r).

  • stage 3: The adversary \(\mathcal {A}_{1}\) queries \((m_{0},m_{1})\) to an encryption oracle with \({\mid }m_{0}{\mid }={\mid }{m_{1}}{\mid }\). The challenger chooses \(b\xleftarrow {R}\{0,1\}\), \(r \xleftarrow {R}\{0,1\}^{\lambda }\), computes \(\texttt {Enc}(pk,r,m_{b})=c^{*}\), and sends \(c^{*}\) to adversary \(\mathcal {A}_{1}\).

  • stage 4: The adversary \(\mathcal {A}_{2}\) continues to make calls c to the decryption oracle \(\texttt {Dec}\) and the randomness-recovery algorithm \(\texttt {Rec}\), where c is subject to the only restriction that a submitted ciphertext c is not identical to \(c^{*}\). The decryption oracle responds with \( m\leftarrow \texttt {Dec}(sk,c)\) and the randomness-recovery algorithm \(\texttt {Rec}\) responds with \(r\leftarrow \texttt {Rec}(sk,c) \). Finally, if \(m=\,\perp \), the oracle responds to \(\mathcal {A}_{2}\) with \(\perp \), else it responds to \(\mathcal {A}_{2}\) with (m, r).

  • stage 5: The adversary \(\mathcal {A}\) outputs a guessing bit \( b^{'}\in \{0,1\}\).

We define \({\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {PKE},\mathcal {A}}(\lambda ) \) to be \({\mid }{\Pr [b=b^{'}] -\frac{1}{2}}{\mid }\) in the above attack game.

We say that \(\texttt {PKE\,=\,(Gen,Enc,Dec)}\) is secure against enhanced adaptive chosen ciphertext attack if for all probabilistic polynomial-time adversaries \(\mathcal {A}\), the function \({\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {PKE},\mathcal {A}}(\lambda ) \) grows negligibly in \(\lambda \). \(\texttt {CCA}\) security is defined in the same way except that the decryption oracle does not return the output of the randomness-recovery algorithm associated with the scheme.

2.2 Key Encapsulation Mechanism and Its ECCA Security Notions

A key encapsulation mechanism \(\texttt {KEM}\) is a public key encryption scheme, which consists of the three polynomial-time algorithms \((\texttt {KEM.Gen},\texttt {KEM.Enc},\) \(\texttt {KEM.Dec})\) with the following interfaces:

figure a

where \(r\xleftarrow {R}\{0,1\}^{\lambda }\), \(K\leftarrow \mathcal {K}_{K}\), and \(\mathcal {K}_{K}\) is the key space. \(\texttt {KEM.Dec}\) is a deterministic algorithm, (pk, sk) is a public/secret key pair and c is a ciphertext of the encapsulated key K under pk. We now describe the attack game between the challenger and an adversary \(\mathcal {A}=(\mathcal {A}_{1},\mathcal {A}_{2})\) used to define its security against adaptive enhanced chosen ciphertext attack.

  • stage 1: The adversary queries a key generation oracle. The key generation oracle runs \((pk,sk) \leftarrow \texttt {KEM.Gen}(\lambda )\) and responds adversary \(\mathcal {A}\) with pk.

  • stage 2: The adversary makes a sequence of calls to a decryption oracle. For each decryption oracle query, the adversary \(\mathcal {A}_{1}\) submits a ciphertext \(\psi \) to \(\texttt {Dec}\); the decryption oracle responds with \( K \leftarrow \texttt {Dec}(sk,\psi )\), and the randomness-recovery algorithm \(\texttt {Rec}\) responds with \(r\leftarrow \texttt {Rec}(sk,\psi ) \). Finally, if \(K=\,\perp \), the oracle responds to \(\mathcal {A}\) with \(\perp \), else it responds to \(\mathcal {A}\) with \((K,r)\).

  • stage 3: The challenger chooses \(r \xleftarrow {R}\{0,1\}^{\lambda }\) and computes \(\psi ^{*}\leftarrow \texttt {KEM.Enc}(pk,r,K_{1})\), chooses \(K_{0}\xleftarrow {R} \mathcal {K}_{K}\), \(\sigma \xleftarrow {R}\{0,1\}\). Here, \(\mathcal {K}_{K}\) is the key space and \({\mid }{K_{0}}{\mid }={\mid }K_{1}{\mid }\). The challenger sends \((K_{\sigma },\psi ^{*})\) to adversary \(\mathcal {A}_{1}\).

  • stage 4: The adversary \(\mathcal {A}_{2}\) continues to make calls \(\psi \) to the decryption oracle \(\texttt {Dec}\) and the randomness-recovery algorithm \(\texttt {Rec}\), where \(\psi \) is subject to the only restriction that a submitted ciphertext \(\psi \) is not identical to \(\psi ^{*}\). The decryption oracle responds with \( K \leftarrow \texttt {Dec}(sk,\psi )\) and the randomness-recovery algorithm \(\texttt {Rec}\) responds with \(r\leftarrow \texttt {Rec}(sk,\psi ) \). Finally, if \(K=\,\perp \), the oracle responds to \(\mathcal {A}_{2}\) with \(\perp \), else it responds to \(\mathcal {A}_{2}\) with (K, r).

  • stage 5: The adversary \(\mathcal {A}\) outputs a guessing bit \( \sigma ^{'}\in \{0,1\}\).

We define \({\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {KEM},\mathcal {A}}(\lambda ) \) to be \({\mid }\Pr [\sigma =\sigma ^{'}] -\frac{1}{2}{\mid }\) in the above attack game. We say that \(\texttt {KEM\,=\,(KEM.Gen,KEM.Enc,KEM.Dec)}\) is secure against enhanced adaptive chosen ciphertext attack if for all probabilistic polynomial-time adversaries \(\mathcal {A}\), the function \({\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {KEM},\mathcal {A}}(\lambda )\) grows negligibly in \(\lambda \).

2.3 Data Encapsulation Mechanism and Its One-Time Security

A \(\texttt {DEM\,=\,(DEM.Enc,DEM.Dec)}\) is a symmetric encryption scheme that consists of the two polynomial-time algorithms \((\texttt {DEM.Enc},\) \(\texttt {DEM.Dec})\). \(\texttt {DEM.Enc}\) and \(\texttt {DEM.Dec}\) are associated with a key space \(K_{D}\) and a message space M.

figure b

\(\texttt {DEM.Enc}\) is an encryption algorithm that encrypts \(m\in M\) under the symmetric key \(K\in K_{D}\) and outputs a ciphertext \(\chi \). \(\texttt {DEM.Dec}\) is the corresponding decryption algorithm that recovers the message m from the ciphertext \(\chi \) using the same symmetric key. An adversary \(\mathcal {A}\) is a probabilistic polynomial-time oracle query machine. We now describe the attack game between the challenger and an adversary \(\mathcal {A}\) used to define one-time security.

  • stage 1: The adversary \(\mathcal {A}\) queries \((m_{0},m_{1})\) to an encryption oracle. We require that the output of \(\mathcal {A}\) satisfies \({\mid }m_{0}{\mid }={\mid }m_{1}{\mid }\). The challenger chooses \(b\xleftarrow {R}\{0,1\}\), \(K\xleftarrow {R} K_{D}\), computes \(\texttt {Enc}(K,m_{b})=c^{*}\) and sends \(c^{*}\) to adversary \(\mathcal {A}\). Here we stress that the ciphertext is made from a random key along with the plaintext and every key has been used only once.

  • stage 2: The adversary \(\mathcal {A}\) outputs a guessing bit \( b^{'}\in \{0,1\}\).

We define \({\mathrm {Adv}}^{\mathcal {OT-UF}}_{\texttt {DEM},\mathcal {A}}(\lambda )\) to be \({\mid }\Pr [b=b^{'}] -\frac{1}{2}{\mid }\) in the above attack game.

We say that \(\texttt {DEM\,=\,(DEM.Enc,DEM.Dec)}\) is one-time secure if for all probabilistic polynomial-time adversaries \(\mathcal {A}\), the function \({\mathrm {Adv}}^{\mathcal {OT-UF}}_{\texttt {DEM},\mathcal {A}}(\lambda ) \) grows negligibly in \(\lambda \).

3 ECCA Security of Hybrid Scheme

3.1 Tag-KEM/DEM

Let \(\texttt {Tag-KEM=(TKEM.Gen,TKEM.Enc,TKEM.Dec)}\) be a public key encryption scheme and \(\texttt {DEM\,=\,(DEM.Enc,DEM.Dec)}\) be a symmetric encryption scheme. Then hybrid encryption scheme

$$\texttt {Tag-KEM/DEM}\,=\,(\texttt {HybGen},\texttt {HybEnc}, \texttt {HybDec})$$

can be constructed as follows.

  • \(\texttt {HybGen}(1^\lambda ){:}\) Run \((pk,sk)\leftarrow \texttt {TKEM.Gen}(1^\lambda )\) and output (pk, sk).

  • \(\texttt {HybEnc}(pk,m){:}\) Run \((\omega ,K)\leftarrow \texttt {TKEM.Key}(pk)\), where \(\texttt {TKEM.Key}(\cdot )\) is a probabilistic algorithm that takes the public key pk and outputs a one-time key \(K\in K_{D}\) along with internal state information \(\omega \). Here \( K_{D}\) is the key space of \(\texttt {DEM}\). Then choose \(r\xleftarrow {\$}\{0,1\}^{\lambda }\) and compute

    $$\begin{aligned} \chi \leftarrow \texttt {DEM.Enc}_{K}(m), \end{aligned}$$
    $$\psi \leftarrow \texttt {TKEM.Enc}_{pk}(\omega ,r,\chi ),$$

    we get the result ciphertext (of m) \(c:=(\psi ,\chi ).\)

  • \(\texttt {HybDec}(sk,c):\) First, parse c as \(\psi ||\chi \).

    Run

    $$K\leftarrow \texttt {TKEM.Dec}_{sk}(\psi ,\chi ),\,\text { and }m\leftarrow \texttt {DEM.Dec}_{K}(\chi ).$$

    Then, output the message m or “reject” symbol \(\bot .\)

3.2 ECCA Security of Tag-KEM/DEM

Theorem 1

If the scheme \(\texttt {Tag-KEM}\) is \(\texttt {ECCA}\) secure and \(\texttt {DEM}\) is one-time secure, then the hybrid scheme \(\texttt {Tag-KEM/DEM}\) is \(\texttt {ECCA}\) secure. In particular, for every probabilistic polynomial time \((\texttt {PPT})\) adversary \(\mathcal {A}\), there exist probabilistic adversaries \(\mathcal {A}_{1}\) and \(\mathcal {A}_{2}\) whose running times are essentially the same as that of \(\mathcal {A}\), such that for all \(\lambda \ge 0\), we have

$$\begin{aligned} {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {Tag-KEM/DEM},{\mathcal {A}}}(\lambda )\le 2 {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {Tag-KEM},{\mathcal {A}}_{1}}(\lambda )+{\mathrm {Adv}}^{\mathcal {OT-UF}}_{\texttt {DEM},{\mathcal {A}}_{2}}(\lambda ). \end{aligned}$$
(1)

Proof

Fix \(\mathcal {A}\) and \(\lambda \), and let \(\mathcal {A}\) be a \(\texttt {PPT}\) adversary that attacks the hybrid scheme \(\texttt {Tag-KEM/DEM}\). Now, the theorem can be proved via the following games. (Denote by \(T_i\) the event that the adversary \(\mathcal {A}\) wins the i-th game.)

Game \(_0{:}\) This is the \(\texttt {ECCA}\) experiment on the scheme \(\texttt {Tag-KEM/DEM}\) played between the challenger and an adversary \(\mathcal {A}\). In particular:

  • stage 1: The adversary queries a key generation oracle. Then the challenger runs \((pk,sk) \leftarrow \texttt {TKEM.Gen}(\lambda )\) and responds adversary \(\mathcal {A}\) with pk.

  • stage 2: The adversary makes a sequence of calls to a decryption oracle. For each decryption oracle query, the adversary \(\mathcal {A}_{1}\) submits a ciphertext \(c=(\psi ,\chi )\) to the challenger. Then the challenger runs

    $$\begin{aligned} K\leftarrow \texttt {TKEM.Dec}_{sk}(\psi ,\chi ),\,\text { and }m\leftarrow \texttt {DEM.Dec}_{K}(\chi ). \end{aligned}$$

    and runs the randomness-recovery algorithm \(r \leftarrow \texttt {Rec}(c,sk) \). If \(m=\,\perp \), the challenger responds to \(\mathcal {A}_{1}\) with \(\perp \), else the challenger responds to \(\mathcal {A}_{1}\) with (m, r).

  • stage 3: The adversary \(\mathcal {A}_{1}\) queries \((m_{0},m_{1})\) to an encryption oracle, and the challenger runs \((\omega ,K)\leftarrow \texttt {TKEM.Key}(pk)\), \(K\in K_{D}\), where \( K_{D}\) is the key-space of \(\texttt {DEM}\). Then the challenger chooses \(r \xleftarrow {R}\{0,1\}^{\lambda }\) and computes

    $$\begin{aligned} \texttt {DEM.Enc}_{K}(m_{0})=\chi ^{*},\texttt {TKEM.Enc}_{pk}(r,\omega ,\chi ^{*})=\psi ^{*}, \end{aligned}$$

    and sends \(c^{*}=(\psi ^{*},\chi ^{*})\) to the adversary \(\mathcal {A}_{1}\).

  • stage 4: The adversary \(\mathcal {A}_{2}\) continues to make calls \(c=(\psi ,\chi ) \) to the challenger, where c subjects to the only restriction that a submitted ciphertext c is not identical to \(c^{*}\). The challenger runs

    $$K\leftarrow \texttt {TKEM.Dec}_{sk}(\psi ,\chi ),\,\text { and }m\leftarrow \texttt {DEM.Dec}_{K}(\chi ) $$

    and runs the randomness-recovery algorithm \(r \leftarrow \texttt {Rec}(c,sk) \). If \(m=\perp \), the challenger responds to \(\mathcal {A}_{2}\) with \(\perp \), else responds to \(\mathcal {A}_{2}\) with (m, r).

  • stage 5: The adversary \(\mathcal {A}\) outputs a guessing bit \( b^{'}\in \{0,1\}\).

Naturally, it holds that

$$\begin{aligned} {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {Tag-KEM/DEM},\mathcal {A}}(\lambda )=\left| \Pr [b=b']-\frac{1}{2}\right| = \left| \Pr [T_0]-\frac{1}{2}\right| . \end{aligned}$$
(2)

Game \(_1{:}\) This game is identical to the above game except we use a completely random symmetric key \(K_{0}\xleftarrow {R}K_{D}\) to encrypt \(m_{0}\) in the step-4 of Game \(_0\), so we have

Lemma 1

There exists a probabilistic adversary \(\mathcal {A}_{1}\) whose running time is essentially the same as that of \(\mathcal {A}\), such that

(3)

Proof

The claim is proven by constructing an adversary \(\mathcal {A}_{1}\) that attacks \(\texttt {Tag-KEM}\). The adversary \(\mathcal {A}_{1}\) offers the environment for \(\mathcal {A}\). We describe the interaction as follows.

  • stage 1: The adversary \(\mathcal {A}_{1}\) is given \((pk,K_{\sigma })\), and at the same time pk is sent to adversary \(\mathcal {A}\).

  • stage 2: The adversary \(\mathcal {A}\) makes a sequence of calls to a decryption oracle. For each decryption oracle query, the decryption oracle responds with \( m\leftarrow \texttt {Dec}(sk,c)\) and the randomness-recovery algorithm responds with \(r\leftarrow \texttt {Rec}(sk,c) \). Finally, if \(m=\,\perp \), it responds to \(\mathcal {A}\) with \(\perp \), else it responds to \(\mathcal {A}\) with (m, r).

  • stage 3: The adversary \(\mathcal {A}\) queries \((m_{0},m_{1})\) to an encryption oracle, \({\mid }m_{0}{\mid }={\mid }m_{1}{\mid }\). The adversary \(\mathcal {A}_{1}\) computes \(\texttt {DEM.Enc}_{K_{\sigma }}(m_{0})=\chi ^{*}\) and outputs \(\chi ^{*} \) as the target tag, then it receives \(\psi ^{*}\) as the challenge ciphertext. Finally, the adversary \(\mathcal {A}_{1}\) sends \(c^{*}=(\psi ^{*},\chi ^{*})\) to adversary \(\mathcal {A}\).

  • stage 4: The adversary \(\mathcal {A}\) continues to make decryption oracle queries \(c=(\psi _{i},\chi _{i}) \), where c is subject to the only restriction that a submitted ciphertext c is not identical to \(c^{*}\). The adversary \(\mathcal {A}_{1}\) runs

    $$ K_{i}\leftarrow \texttt {TKEM.Dec}_{sk}(\psi _{i},\chi _{i}),\, m\leftarrow \texttt {DEM.Dec}_{K_{i}}(\chi _{i}),$$

    and runs the randomness-recovery algorithm \(r \leftarrow \texttt {Rec}(c,sk)\). If \(m=\,\perp \), the adversary \(\mathcal {A}_{1}\) responds to \(\mathcal {A}\) with \(\perp \), else responds to \(\mathcal {A}\) with (m, r).

  • stage 5: \(\mathcal {A}\) outputs a guessing bit \( b^{'}\in \{0,1\}\) and \(\mathcal {A}_{1}\) outputs \(\sigma ^{'}=b^{'}\).

This completes the description of \(\mathcal {A}_{1}\). By construction, it is clear that decryption for \(\mathcal {A}\) is perfectly simulated because the correct decryption is obtained from \(\texttt {TKEM.Dec} \) for every query.

  • If \(\sigma =0\), we know that \(K_{0}\) is a random key used for computing \(\chi \) and the view of \(\mathcal {A}\) is identical to that in Game \(_0\).

  • If \(\sigma =1\), we know that \(K_{1}\) is the correct key embedded in \(\psi \) and the view of \(\mathcal {A}\) is identical to that in Game \(_1\).

Therefore, we have

$$ {\mid }\Pr [T_{ 1}]-\Pr [T _{0} ]{\mid } \le {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {Tag-KEM},\mathcal {A}_{1}}(\lambda ). $$

Lemma 1 is proved.

Game \(_2{:}\) This game is identical to \(\text {Game}_1\) except that we encrypt \(m_{1}\) instead of \(m_{0}\) in the step-4 of Game \(_1\).

Lemma 2

There exists a probabilistic adversary \(\mathcal {A}_{2}\) whose running time is essentially the same as that of \(\mathcal {A}\), such that

$$\begin{aligned} {\mid }\Pr [T_{ 2}]-\Pr [T _{1} ]{\mid } \le {\mathrm {Adv}}^{\mathcal {OT-UF}}_{\texttt {DEM},\mathcal { A}_{2}}(\lambda ). \end{aligned}$$
(4)

Proof

The claim is proven by constructing an adversary \(\mathcal {A}_{2}\) that attacks \(\texttt {DEM}\). The adversary \(\mathcal {A}_{2}\) offers the environment for \(\mathcal {A}\). We describe the interaction as follows.

  • stage 1: The adversary \(\mathcal {A}_{2}\) runs the key generation algorithm \((pk,sk)\leftarrow \texttt {TKEM.Gen}(\lambda )\) and sends pk to adversary \(\mathcal {A}\).

  • stage 2: The adversary \(\mathcal {A}\) makes a sequence of calls to a decryption oracle. For each decryption oracle query, the adversary \(\mathcal {A}\) submits a ciphertext c to the decryption oracle. The decryption oracle runs \( m\leftarrow \texttt {Dec}(sk,c)\) and the randomness-recovery algorithm \(r\leftarrow \texttt {Rec}(sk,c) \). If \(m=\,\perp \), it responds to \(\mathcal {A}\) with \(\perp \), else it responds to \(\mathcal {A}\) with (m, r).

  • stage 3: The adversary \(\mathcal {A}\) sends \((m_{0},m_{1})\) to \(\mathcal {A}_{2}\), \(\mathcal {A}_{2}\) queries \((m_{0},m_{1})\) to an encryption oracle and receives challenge ciphertext \(\chi ^{*}\). The adversary \(\mathcal {A}_{2}\) chooses \(r \xleftarrow {R}\{0,1\}^{\lambda }\), runs \((\omega ,K)\leftarrow \texttt {TKEM.Key}(pk)\), then computes

    $$\texttt {TKEM.Enc}_{pk}(r,\omega ,\chi ^{*})=\psi ^{*}, $$

    and finally sends \(c^{*}=(\psi ^{*},\chi ^{*})\) to adversary \(\mathcal {A}\).

  • stage 4: The adversary \(\mathcal {A}\) continues to make decryption oracle queries \(c=(\psi _{i},\chi _{i}) \), where c is subject to the only restriction that a submitted ciphertext c is not identical to \(c^{*}\). The adversary \(\mathcal {A}_{2}\) runs

    $$K_{i}\leftarrow \texttt {TKEM.Dec}_{sk}(\psi _{i},\chi _{i}),\, m\leftarrow \texttt {DEM.Dec}_{K_{i}}(\chi _{i}), $$

    and runs the randomness-recovery algorithm \(r \leftarrow \texttt {Rec}(c,sk) \). If \(m=\,\perp \), the adversary \(\mathcal {A}_{2}\) responds to \(\mathcal {A}\) with \(\perp \), else the adversary \(\mathcal {A}_{2}\) responds to \(\mathcal {A}\) with (m, r).

  • stage 5: \(\mathcal {A}\) outputs a guessing bit \( b^{'}\in \{0,1\}\) and \(\mathcal {A}_{2}\) outputs \(\sigma ^{'}=b^{'}\).

This completes the description of \(\mathcal {A}_{2}\). By construction, the view of \(\mathcal {A}\) is identical to that in either Game \(_1\) or Game \(_2 \), depending on the challenge bit of the \(\texttt {DEM}\) game, so it is clear that we have

$$ {\mid }\Pr [T_{ 1}]-\Pr [T _{2} ]{\mid }\le {\mathrm {Adv}}^{\mathcal {OT-UF}}_{\texttt {DEM},\mathcal {A}_{2}}(\lambda ). $$

Game \(_3{:}\) This game is identical to \({\mathrm {Game}}_2\) except that we use the correct key K generated by \(\texttt {TKEM.Key}\) for \(\texttt {DEM.Enc}\) in the step-3 of Game \(_2\).

Lemma 3

There exists a probabilistic adversary \(\mathcal {A}_{1}\) whose running time is essentially the same as that of \(\mathcal {A}\), such that

$$\begin{aligned} {\mid }\Pr [T_{ 3}]-\Pr [T _{2} ]{\mid }\le {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {Tag-KEM},\mathcal {A}_{1}}(\lambda ). \end{aligned}$$
(5)

Proof

The proof is similar to that of Lemma 1, so we omit it here.

Thus \(\mathcal {A}\)’s advantage in \(\text {Game}_{0}\),

$$\begin{aligned} {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {Tag-KEM/DEM},\mathcal {A}}(\lambda )=\left| \Pr [T_{0}]-\frac{1}{2}\right| \le 2 {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {Tag-KEM},{\mathcal {A}}_{1}}(\lambda )+{\mathrm {Adv}}^{\mathcal {OT-UF}}_{\texttt {DEM},{\mathcal {A}}_{2}}(\lambda ) \end{aligned}$$

is negligible.

Putting all the facts together, Theorem 1 is proved.

3.3 KEM/Tag-DEM

Let \(\texttt {KEM\,=\,(Gen,KEM.Enc,KEM.Dec)}\) be a public key encryption scheme and \(\texttt {Tag-DEM\,=\,(TDEM.Enc,TDEM.Dec)}\) be a symmetric key encryption scheme. Then the hybrid cryptosystem

$$\texttt {KEM/Tag-DEM}\,=\,(\texttt {HybGen},\texttt {HybEnc}, \texttt {HybDec})$$

can be constructed as follows.

  • \(\texttt {HybGen}(1^\lambda ):\) Run \((pk,sk)\leftarrow \texttt {Gen}(1^\lambda )\) and output (pk, sk).

  • \(\texttt {HybEnc}(pk,m):\) Choose \(r\xleftarrow {R}\{0,1\}^{\lambda }\) and \(K\xleftarrow {R} K_{D}\). Here \( K_{D}\) is the key space of \(\texttt {Tag-DEM}\).

    Then compute

    $$\psi \leftarrow \texttt {KEM.Enc}_{pk}(r,K),$$
    $$\chi \leftarrow \texttt {TDEM.Enc}_{K}(m,\psi ),$$

    and output the ciphertext (of m) \(c:=(\psi ,\chi ).\)

  • \(\texttt {HybDec}(sk,c):\) First, parse c as \(\psi ||\chi \).

    Run

    $$K\leftarrow \texttt {KEM.Dec}_{sk}(\psi ),\,\text { and }m\leftarrow \texttt {TDEM.Dec}_{K}(\chi ,\psi ).$$

    Then, output the message m or “reject” symbol \(\bot .\)
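As an added worked example (not code from the paper), the following Python sketch instantiates both paradigms, \(\texttt {Tag-KEM/DEM}\) of Sect. 3.1 and \(\texttt {KEM/Tag-DEM}\) of Sect. 3.3, on top of one toy randomness-recovering KEM, and wires them to the enhanced decryption oracle of Sect. 2.1, which answers (m, r) or \(\perp \) for every ciphertext except the challenge. All concrete choices are assumptions made here for illustration: the KEM is textbook RSA over two fixed Mersenne primes with a SHA-256 KDF (the RSA preimage is the coin r, so \(\texttt {Rec}\) is the RSA trapdoor; it is a teaching toy, not a secure KEM), the one-time DEM is a SHA-256 counter-mode keystream, the Tag-KEM is built as KEM plus a MAC over the tag \(\chi \), the Tag-DEM as DEM plus a MAC over \(\psi \) and the ciphertext, and all function names (`kem_enc`, `hyb_rec`, `EccaDecOracle`, `demo`) are hypothetical. Beyond the text, the example also checks the consistency requirement of Sect. 2.1 that re-encrypting with the recovered randomness reproduces the ciphertext, and that a tampered ciphertext is answered with the reject symbol rather than with (m, r).

```python
import hashlib
import hmac
import secrets

# Toy randomness-recovering KEM (constructed for this example only): textbook RSA
# over two fixed Mersenne primes is the trapdoor permutation, and the KEM coin r is
# the RSA preimage, so sk can recover it. Teaching toy, NOT a secure KEM.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
RLEN = 16                                # bytes needed to serialise values < P*Q

def kem_gen():
    n = P * Q
    return (n, E), (n, pow(E, -1, (P - 1) * (Q - 1)))      # (pk, sk)
def kdf(label, r):
    return hashlib.sha256(label + r.to_bytes(RLEN, "big")).digest()

def kem_enc(pk, r):
    """KEM.Enc(pk; r): psi = r^e mod n, K = H(r); the coin r must lie in [0, n)."""
    return pow(r, pk[1], pk[0]), kdf(b"kem", r)

def kem_rec(sk, psi):
    """Rec(sk, psi): the randomness-recovery algorithm, r = psi^d mod n."""
    return pow(psi, sk[1], sk[0])

def kem_dec(sk, psi):
    return kdf(b"kem", kem_rec(sk, psi))

# One-time DEM (SHA-256 counter-mode keystream XOR) plus an HMAC for the tags.
def dem(key, data):                      # the same call encrypts and decrypts
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def split(K):                            # K -> (DEM key, MAC key)
    return K[:16], K[16:]

# Paradigm 1: Tag-KEM/DEM, with Tag-KEM realised as KEM + MAC over the tag chi.
def tagkem_dem_enc(pk, m, r):
    psi0, K = kem_enc(pk, r)             # TKEM.Key(pk): omega = (psi0, K)
    kd, km = split(K)
    chi = dem(kd, m)                     # DEM.Enc_K(m)
    return (psi0, mac(km, chi)), chi     # TKEM.Enc_pk(omega, r, chi) binds chi

def tagkem_dem_dec(sk, c):
    (psi0, tag), chi = c
    kd, km = split(kem_dec(sk, psi0))    # TKEM.Dec_sk(psi, chi): verify the tag
    if not hmac.compare_digest(tag, mac(km, chi)):
        return None                      # the reject symbol
    return dem(kd, chi)

# Paradigm 2: KEM/Tag-DEM, with Tag-DEM realised as DEM + MAC over psi || ciphertext.
def kem_tagdem_enc(pk, m, r):
    psi, K = kem_enc(pk, r)              # KEM.Enc_pk(r, K)
    kd, km = split(K)
    ct = dem(kd, m)                      # TDEM.Enc_K(m, psi)
    return psi, (ct, mac(km, psi.to_bytes(RLEN, "big") + ct))

def kem_tagdem_dec(sk, c):
    psi, (ct, tag) = c
    kd, km = split(kem_dec(sk, psi))     # TDEM.Dec_K(chi, psi)
    if not hmac.compare_digest(tag, mac(km, psi.to_bytes(RLEN, "big") + ct)):
        return None
    return dem(kd, ct)

def hyb_rec(sk, c):
    """Rec(sk, c) for both paradigms: the KEM coin sits in c's first component."""
    return kem_rec(sk, c[0][0] if isinstance(c[0], tuple) else c[0])

class EccaDecOracle:
    """Enhanced decryption oracle: answers (m, r) or None, refusing only c*."""
    def __init__(self, sk, dec, c_star):
        self.sk, self.dec, self.c_star = sk, dec, c_star
    def query(self, c):
        if c == self.c_star:
            raise ValueError("the challenge ciphertext must not be queried")
        m = self.dec(self.sk, c)
        return None if m is None else (m, hyb_rec(self.sk, c))

def demo(m=b"constructed sample message"):
    """Encrypt m under both paradigms with explicit coins r and check: decryption,
    coin recovery, re-encryption with the recovered coin, and tamper rejection."""
    pk, sk = kem_gen()
    r = secrets.randbelow(pk[0])
    out = {}
    for name, enc, dec in (("Tag-KEM/DEM", tagkem_dem_enc, tagkem_dem_dec),
                           ("KEM/Tag-DEM", kem_tagdem_enc, kem_tagdem_dec)):
        c = enc(pk, m, r)
        psi, chi = c
        flip = lambda b: b[:-1] + bytes([b[-1] ^ 1])          # damage one byte
        bad = (psi, flip(chi)) if isinstance(chi, bytes) else (psi, (flip(chi[0]), chi[1]))
        r2 = hyb_rec(sk, c)
        out[name] = {"dec": dec(sk, c) == m, "rec": r2 == r,
                     "reenc": enc(pk, m, r2) == c,
                     "tamper": EccaDecOracle(sk, dec, c).query(bad) is None}
    return out
```

Calling `demo()` returns, for each paradigm, four booleans that should all be true. The "reenc" check is the requirement of Sect. 2.1 made concrete: because every coin used by `HybEnc` is derived from the single KEM coin r, `Rec` only has to invert the trapdoor permutation, and the re-encryption then matches bit for bit. The "tamper" check illustrates why the tag matters in both paradigms: a ciphertext whose DEM part was modified fails the MAC and the oracle answers \(\perp \), so it never hands out the recovered coin for a related ciphertext.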

3.4 ECCA Security of KEM/Tag-DEM

Theorem 2

If the public key encryption scheme \(\texttt {KEM\,=\,(Gen,KEM.Enc,KEM.Dec)}\) is \(\texttt {IND-ECCA}\) secure and the symmetric key encryption scheme \(\texttt {Tag-DEM}\,=\,(\texttt {TDEM.Enc}, \texttt {TDEM.Dec})\) is \(\texttt {IND-CCA}\) secure, then the hybrid encryption scheme \(\texttt {KEM/Tag-DEM}\) is \(\texttt {IND-ECCA}\) secure. In particular, for every probabilistic polynomial time \((\texttt {PPT})\) adversary \(\mathcal {A}\), there exist probabilistic adversaries \(\mathcal {A}_{1}\) and \(\mathcal {A}_{2}\) whose running times are essentially the same as that of \(\mathcal {A}\), such that for all \(\lambda \ge 0\), we have

$$\begin{aligned} {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {KEM/Tag-DEM},\mathcal {A}}(\lambda )\le {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {KEM},\mathcal {A}_{1}}(\lambda )+ {\mathrm {Adv}}^{\texttt {CCA}}_{\texttt {Tag-DEM},\mathcal {A}_{2}}(\lambda ). \end{aligned}$$

Proof

Fix \(\mathcal {A}\) and \(\lambda \). Let \(\mathcal {A}\) be a \(\texttt {PPT}\) adversary that attacks the hybrid scheme \(\texttt {KEM/Tag-DEM}\). Now, the theorem can be proved via the following games. (Denote by \(T_i\) the event that the adversary \(\mathcal {A}\) wins the i-th game.)

Game \(_0{:}\) This is an original ECCA experiment on the hybrid scheme played between the challenger and the adversary \(\mathcal {A}\). In particular,

  • stage 1: The adversary queries a key generation oracle. The challenger runs \((pk,sk) \leftarrow \texttt {Gen}(\lambda )\) and responds the adversary \(\mathcal {A}\) with pk.

  • stage 2: The adversary makes a sequence of calls to a decryption oracle. For each decryption oracle query, the adversary \(\mathcal {A}_{1}\) submits a ciphertext c to the challenger. The challenger then runs the decryption oracle \( m\leftarrow \texttt {Dec}(sk,c)\) and the random recovery algorithm \(r\leftarrow \texttt {Rec}(sk,c) \). If \(m=\perp \), the challenger responds with \(\perp \), else the challenger responds with (mr).

  • stage 3: The adversary \(\mathcal {A}_{1}\) queries \((m_{0},m_{1})\) to an encryption oracle. The challenger chooses \(b\xleftarrow {R}\{0,1\}\), \(r \xleftarrow {R}\{0,1\}^{\lambda }, K\xleftarrow {R} K_{D}\), computes

    $$\texttt {KEM.Enc}_{pk}(r,K)=\psi ^{*}, \texttt {TDEM.Enc}_{K}(m_{b},\psi ^{*})=\chi ^{*}$$

    and sends \(c^{*}=(\psi ^{*},\chi ^{*})\) to adversary \(\mathcal {A}_{1}\).

  • stage 4: The adversary \(\mathcal {A}_{2}\) continues to make calls \(c=(\psi ,\chi ) \) to the challenger, where c is subjected to the only restriction that a submitted ciphertext c is not identical to \(c^{*}\). The challenger runs

    $$K\leftarrow \texttt {KEM.Dec}_{sk}(\psi ),\, m\leftarrow \texttt {TDEM.Dec}_{K}(\chi ,\psi ).$$

    and the randomness-recovery algorithm \(r \leftarrow \texttt {Rec}(c,sk) \). If \(m=\,\perp \), the challenger responds to \(\mathcal {A}_{2}\) with \(\perp \), else the challenger responds to \(\mathcal {A}_{2}\) with (m, r).

  • stage 5: The adversary outputs a guessing bit \( b^{'}\in \{0,1\}\).

Naturally, it holds that

$$\begin{aligned} {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {KEM/Tag-DEM},\mathcal {A}}(\lambda )=\left| \Pr [b=b']-\frac{1}{2}\right| = \left| \Pr [T_0]-\frac{1}{2}\right| . \end{aligned}$$
(6)

Game \(_1{:}\) This game is identical to \({\mathrm {Game}}_0\) except that we use a completely random symmetric key \(K_{0}\) in place of the key \(K_{1}\) in both the encryption and decryption oracles. We have

Lemma 4

There exists a probabilistic adversary \(\mathcal {A}_{1}\) whose running time is essentially the same as that of \(\mathcal {A}\), such that

$$\begin{aligned} {\mid }\Pr [T_{ 0}]-\Pr [T _{1} ]{\mid }\le {\mathrm {Adv}}^{{\texttt {\textit{ECCA}}}}_{{\texttt {\textit{KEM}}},\mathcal {A}_{1}}(\lambda ). \end{aligned}$$
(7)

Proof

The claim is proven by constructing a probabilistic adversary \(\mathcal {A}_{1}\) that attacks KEM: \(\mathcal {A}_{1}\) offers the environment for \(\mathcal {A}\). We describe the interaction as follows.

  • First, the adversary \(\mathcal {A}_{1}\) receives pk and sends it to \(\mathcal {A}\).

  • \(\mathcal {A}\) chooses \((m_{0},m_{1})\) and sends them to \(\mathcal {A}_{1}\). Meanwhile, the adversary \(\mathcal {A}_{1}\) runs the encapsulation \(\texttt {KEM.Enc}\) in its own game and receives \((K_{\sigma }, \psi ^{*})\). Then the adversary \(\mathcal {A}_{1}\) chooses \(b\in \{0,1\}\) and computes \(\texttt {TDEM.Enc}_{K_{\sigma }}(m_{b}, \psi ^{*})=\chi ^{*}\). Finally, \(\mathcal {A}_{1}\) sends \(c^{*}=(\psi ^{*},\chi ^{*})\) to \(\mathcal {A}\).

  • \(\mathcal {A}\) continues to submit ciphertexts \(c=(\psi ,\chi )\) to the decryption oracle, where c is subject to the only restriction that a submitted ciphertext c is not identical to \(c^{*}\).

    • If \(\psi \ne \psi ^{*}\), \(\mathcal {A}_{1}\) sends \(\psi \) to its own decryption oracle and computes \(K \leftarrow \texttt {KEM.Dec}_{sk}(\psi )\), \(m\leftarrow \texttt {TDEM.Dec}_{K}(\chi ,\psi )\), \(r\leftarrow \texttt {Rec}(c,sk)\). If \(m=\perp \), \(\mathcal {A}_{1}\) responds to \(\mathcal {A}\) with \(\perp \), else it responds with (m, r).

    • If \(\psi =\psi ^{*}\), \(\mathcal {A}_{1}\) uses \(K_{\sigma }\) to decrypt \((\chi ,\psi )\): \( m\leftarrow \texttt {TDEM.Dec}_{K_{\sigma }}(\chi ,\psi )\), \(r\leftarrow \texttt {Rec}(c,sk)\). If \(m=\perp \), \(\mathcal {A}_{1}\) responds to \(\mathcal {A}\) with \(\perp \), else it responds with (m, r).

  • Finally, \(\mathcal {A}\) outputs a guessing bit \( b^{'}\in \{0,1\}\), and \(\mathcal {A}_{1}\) outputs 1 if \(b=b^{'}\) and 0 if \(b\ne b^{'}\).

This completes the description of \(\mathcal {A}_{1}\), and it is clear that we have

$$\begin{aligned} {\mid }\Pr [T_{ 0}]-\Pr [T _{1} ]{\mid }\le {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {KEM},\mathcal {A}_{1}}(\lambda ). \end{aligned}$$
(8)

In Game \(_1\), we use a random symmetric key in both the encryption and decryption oracles, so the ciphertext \(\psi ^{*}\) cannot be decrypted. To see this, notice that in Game \(_1\) the ciphertext \(\chi ^{*}\) is produced using the random symmetric encryption key \(K_{0}\). Meanwhile, the other ciphertexts with \(\psi =\psi ^{*}\) are decrypted using \(K_{0}\), which plays no other role in Game \(_1\). Thus, in Game \(_1\), the adversary \( \mathcal {A}\) essentially just carries out an adaptive chosen ciphertext attack against \(\texttt {Tag-DEM}\). So we have

Lemma 5

There exists a probabilistic adversary \(\mathcal {A}_{2}\) whose running time is essentially the same as that of \(\mathcal {A}\), such that

$$\begin{aligned} {\mid }\Pr [T_{ 1}]-\frac{1}{2}{\mid }\le {\mathrm {Adv}}^{{\texttt {\textit{CCA}}}}_{{\texttt {\textit{Tag-DEM}}},\mathcal {A}_{2}}(\lambda ). \end{aligned}$$
(9)

Proof

We construct a probabilistic adversary \(\mathcal {A}_{2}\) that attacks \(\texttt {Tag-DEM}\), and \(\mathcal {A}_{2}\) offers the environment for \(\mathcal {A}\). We describe the interaction as follows.

  • The adversary \(\mathcal {A}_{2}\) runs the key generation algorithm \((pk,sk)\leftarrow \texttt {Gen}(\lambda )\) and sends pk to adversary \(\mathcal {A}\).

  • The adversary \(\mathcal {A}\) makes a sequence of calls to a decryption oracle. For each decryption oracle query, the adversary \(\mathcal {A}\) submits a ciphertext c to the decryption oracle, and the decryption oracle runs \( m\leftarrow \texttt {Dec}(sk,c)\) and the randomness-recovery algorithm \(r\leftarrow \texttt {Rec}(sk,c) \). If \(m=\,\perp \), it responds to \(\mathcal {A}\) with \(\perp \), else it responds to \(\mathcal {A}\) with (m, r).

  • The adversary \(\mathcal {A}\) sends \((m_{0},m_{1})\) to \(\mathcal {A}_{2}\). \(\mathcal {A}_{2}\) chooses \( K\xleftarrow {R} K_{D}\), \(r\xleftarrow {R}\{0,1\}^{\lambda }\), runs \(\psi ^{*}\leftarrow \texttt {KEM.Enc}_{pk}(r,K)\) and then sends \((m_{0},m_{1},\psi ^{*})\) to the \(\texttt {Tag-DEM}\) encryption oracle. \(\mathcal {A}_{2}\) receives the ciphertext \(\chi ^{*}\) and sends \(c^{*}=(\psi ^{*},\chi ^{*})\) to \(\mathcal {A}\). We note that the key \(K^{*}\) used by the \(\texttt {Tag-DEM}\) encryption oracle and the key K embedded in \(\psi ^{*}\) are both completely random and independent of each other.

  • \(\mathcal {A}\) continues to submit ciphertexts \(c=(\psi ,\chi )\) to the decryption oracle, where c is subject to the only restriction that a submitted ciphertext c is not identical to \(c^{*}\). \(\mathcal {A}_{2}\) runs the decryption using the secret key sk,

    $$\texttt {K}\leftarrow \texttt {KEM.Dec}_{sk}(\psi ),\, m\leftarrow \texttt {TDEM.Dec}_{K}(\chi ,\psi ),$$

    and runs the randomness-recovery algorithm \(r \leftarrow \texttt {Rec}(c,sk)\). If \(m=\perp \), \(\mathcal {A}_{2}\) responds to \(\mathcal {A}\) with \(\perp \), else \(\mathcal {A}_{2}\) responds to \(\mathcal {A}\) with (m, r).

  • Finally, \(\mathcal {A}\) outputs a guessing bit \( b^{'}\in \{0,1\}\) and \(\mathcal {A}_{2}\) also outputs \(b^{'}\).

This completes the description of \(\mathcal {A}_{2}\). By construction, it is clear that the decryption for \(\mathcal {A}\) is perfectly simulated, and whenever \(\mathcal {A}\) wins, so does \(\mathcal {A}_{2}\). We have that

$$\begin{aligned} {\mid }\Pr [T_{ 1}]-\frac{1}{2}{\mid } \le {\mathrm {Adv}}^{\texttt {CCA}}_{\texttt {Tag-DEM},\mathcal {A}_{2}}(\lambda ). \end{aligned}$$
(10)

Thus \(\mathcal {A}\)’s advantage in \(\text {Game}_{0}\),

$$\begin{aligned} {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {KEM/Tag-DEM},\mathcal {A}}(\lambda )=\left| \Pr [T_{0}]-\frac{1}{2}\right| \le {\mathrm {Adv}}^{\texttt {ECCA}}_{\texttt {KEM},{\mathcal {A}}_{1}}(\lambda )+ {\mathrm {Adv}}^{\texttt {CCA}}_{\texttt {Tag-DEM},\mathcal {\mathcal {A}}_{2}}(\lambda ), \end{aligned}$$

which is negligible.

Putting all the facts together, Theorem 2 is proved.

4 Conclusion

In this paper, we discuss the security results for achieving \(\texttt {ECCA}\) secure hybrid encryptions from the well-known hybrid paradigms \(\texttt {KEM/Tag-DEM}\) and \(\texttt {Tag-KEM/DEM}\). We have proven that the hybrid encryption scheme \(\texttt {KEM/Tag-DEM}\) is \(\texttt {ECCA}\) secure if the \(\texttt {KEM}\) part is \(\texttt {ECCA}\) secure and the \(\texttt {DEM}\) part is \(\texttt {CCA}\) secure. Meanwhile, we have also proven that the hybrid encryption scheme \(\texttt {Tag-KEM/DEM}\) is \(\texttt {ECCA}\) secure if the \(\texttt {KEM}\) part is \(\texttt {ECCA}\) secure and the \(\texttt {DEM}\) part is one-time secure.