Revisiting NIZK-Based Technique for Chosen-Ciphertext Security: Security Analysis and Corrected Proofs

Abstract

Non-interactive zero-knowledge (NIZK) proofs for chosen-ciphertext security are generally considered to give an impractical construction. An interesting recent work by Seo, Abdalla, Lee, and Park (Information Sciences, July 2019) proposed an efficient semi-generic conversion method for achieving chosen-ciphertext security based on NIZK proofs in the random oracle model. The recent work by Seo et al. demonstrated that the semi-generic conversion method transforms a one-way (OW)-secure key encapsulation mechanism (KEM) into a chosen-ciphertext secure KEM while preserving tight security reduction. This paper shows that the security analysis of the semi-generic conversion method has a flaw, which comes from the OW security condition of the underlying KEM. Without changing the conversion method, this paper presents a revised security proof under the changed conditions that (1) the underlying KEM must be chosen-plaintext secure in terms of indistinguishability and (2) an NIZK proof derived from the underlying KEM via the Fiat–Shamir transform must have the properties of zero-knowledge and simulation soundness. This work extended the security proof strategy to the case of identity-based KEM (IBKEM) and also revise the security proof for IBKEM of previous method by Seo et al. Finally, this work gives a corrected security proof by applying the new proofs to several existing (IB)KEMs.

1. Introduction

Non-interactive zero-knowledge (NIZK) proofs [1,2,3] are considered as some of the most fundamental and versatile cryptographic primitives [4,5]. One usage of NIZK is to construct public-key encryption schemes secure against chosen-ciphertext attacks (denoted as “CCA-security”) based on the Naor–Yung double encryption paradigm [6,7,8]. As building blocks, this approach uses any public-key encryption scheme secure against chosen-plaintext attacks (denoted as “CPA security”) and any NIZK proof system for all of $\mathcal{NP}$ [9,10]. However, the Naor–Yung paradigm has been perceived as a feasibility result for the existence of CCA-secure encryption schemes based on general cryptographic assumptions, leading to impractical constructions [11].

Interestingly, a recent work by Seo et al. [12] proposed a new semi-generic approach for constructing a CCA-secure (and practical) key encapsulation mechanism (KEM) based on NIZK proof systems derived from the Fiat–Shamir (FS) transform [13]. As building blocks, their technique uses a one-way (OW)-secure KEM and an FS-derived NIZK proof system to prove the relationship (such as equality or linearity) among discrete logarithms. In particular, the term “semi-generic” comes from the fact that the underlying OW-secure KEM should satisfy an additional property called “NIZK-compatibility”, meaning that the pair {ciphertext, key} can be an NIZK statement when randomness for KEM is used as a witness for NIZK. Seo et al. [12] demonstrated that their approach can transform an OW-secure (and NIZK-compatible) KEM into a CCA-secure KEM in the random oracle model without security loss.

1.1. Organization

In Section 1.2, we briefly review the semi-generic conversion method from Seo et al. and explain the flaw in the security proof of the method. In Section 1.3, we present the concept of corrected proofs. In Section 2, we present the details of the interactive proof systems for proving the equality and linearity of discrete logarithms, and we describe how FS-derived NIZK proof systems can achieve the properties of zero-knowledge and simulation soundness. In Section 3, we introduced the conversion method for CCA-secure KEM and present our corrected proofs using the hybrid argument of indistinguishability-based framework. As in [12], we can extend our strategy to the case of identity-based KEM (IBKEM); thus, a newly corrected security proof for the conversion of IBKEM is given in Section 4. In Section 5, we apply our security result to several (IB)KEMs used in [12] and provide new corrected theorems for each scheme. Finally, we conclude this paper in Section 6.

1.2. Flaw in Security Proof in Previous Research Literature

The new conversion in [12] works correctly, but we have identified a flaw in its security analysis. For easier explanation, consider the ElGamal KEM as an underlying scheme. Let $\mathbb{G}$ be a group of prime order p, and let $(g^w,h^w)$ be a pair {ciphertext, key} for group elements $g,h\in \mathbb{G}$, and a random $w\in {\mathbb{Z}}_p$. It is easy to see that the pair can be an NIZK statement $\mathsf{stmt}=(g^w,h^w)$ for equality of discrete logarithms when the randomness w is the witness (i.e., NIZK-compatible). Let $\mathsf{com}$ be a commitment $(g^r,h^r)$ for a random $r\in {\mathbb{Z}}_p$. The Fiat–Shamir transform [13] gives the NIZK proof $\pi =(c,s)$, where $s=r+cw\in {\mathbb{Z}}_p$ and $c=H_1(\mathsf{stmt},\mathsf{com})$. Assuming that the hash function $H_1$ is modeled as a random oracle, the NIZK proof system is proven to be honest verifier zero-knowledge and sound. The concept behind the transformation proposed in [12] is to see the original ElGamal KEM as a designated verifier proof system by setting $h=g^x$ for a secret x (only known to the verifier) so that the element $A_1=g^w$ is sufficient for the designated verifier NIZK statement. In the transformed variant of the ElGamal KEM, the resulting ciphertext consists of $(A_1,\pi =(c,s))$, and the decapsulation algorithm (as a designated verifier) first recovers $A_2=h^w$ by computing ${(g^w)}^x$ and then computes $\mathsf{com}=(g^s{A}_1^{-c},h^s{A}_2^{-c})$ along with $\mathsf{stmt}=(g^w,h^w)$ and $\pi$. It also verifies that $\pi$ is a valid proof for the recovered statement $\mathsf{stmt}$. If $\pi$ is valid, the decapsulation algorithm computes the final KEM key as $\mathsf{key}=H_2(\mathsf{stmt},\mathsf{com},\pi )$ for another hash function $H_2$.

Seo et al. [12] demonstrated that the above variant of the ElGamal KEM is tightly CCA-secure based on the computational Diffie–Hellman (CDH) assumption. From a theoretical viewpoint, the first challenge in their security analysis is how to handle decapsulation queries issued by an adversary without knowing the secret key x. Let $\mathsf{CT}=(A_1,\pi =(c,s))$ be a queried ciphertext, and let $H_1$, $H_2$ be modeled as random oracles. A reduction algorithm (simulator) finds a tuple in the $H_1$ query table such that $c=H_1(A_1,\star ,\star ,\star )$, say $c=H_1(A_1,A_2,B_1,B_2)$, and checks that $\pi$ is the valid NIZK proof for the statement $(A_1,A_2)$ and the commitment $(B_1,B_2)$. If so, the simulator outputs the key $\mathsf{key}=H_2(A_1,A_2,B_1,B_2,\pi )$ from the $H_2$ query table. The decapsulation works correctly because of the soundness of the underlying NIZK proof system, meaning that the adversary is forced to generate the proof $\pi$ for the well-formed ciphertext such that ${log}_g{A}_1={log}_h{A}_2$. The second challenge in their security analysis is to find the correct solution $h^a$ to a given CDH instance $(g,g^a,h)$ without security loss. The strategy in [12] is as follows: by using the zero-knowledge property, the simulator first generates a simulated proof ${\pi }^{*}=(c^{*},s^{*})$ with respect to the element $A_1^{*}=g^a$ for some unknown $a\in {\mathbb{Z}}_p$ and implicitly sets $c^{*}=H_1(A_1^{*},\circ ,B_1^{*},\diamond )$ and ${\mathsf{key}}^{*}=H_2(A_1^{*},\circ ,B_1^{*},\diamond ,{\pi }^{*})$, where “∘” and “⋄” indicate that the simulator does not know the entries. After the challenge ciphertext ${\mathsf{CT}}^{*}=(A_1^{*},{\pi }^{*}=(c^{*},s^{*}))$ and the challenge key ${\mathsf{key}}^{*}$ are given to the adversary, the simulator waits for the adversary to query the hash inputs $(A_1^{*},\star ,B_1^{*},\star ,{\pi }^{*})$ for $H_2$. Seo et al.’s assertion [12] is that because of the soundness of the NIZK proof system, there exists one query $(A_1^{*},A_2,B_1^{*},B_2,{\pi }^{*})$ (with overwhelming probability) such that ${\pi }^{*}$ is valid among the queried inputs $\left\{(A_1^{*},\star ,B_1^{*},\star ,{\pi }^{*})\right\}$, in which case the entry $A_2$ is the solution to the given CDH instance. Thus, if their assertion was true, the adversary who succeeds in breaking the CCA-security of the variant must make the query, including the CDH solution, to $H_2$; otherwise, the adversary has no information on the challenge key.

However, we show that their assertion is not true for the following reasons. Let ${\mathsf{CT}}^{*}=(A_1^{*},{\pi }^{*}=(c^{*},s^{*}))$ and ${\mathsf{key}}^{*}$ be the challenge ciphertext and key, respectively. First, the adversary generates the value $B_1^{*}$ by computing $g^{s^{*}}{(A_1^{*})}^{-c^{*}}$, which is the same as the value that the simulator calculated. Next, the adversary can generate the values $A_2$ and $B_2$ as follows: pick a random $R\in {\mathbb{Z}}_p$, and set $A_2=h^R$ and $B_2=h^{s^{*}}{(A_2)}^{-c^{*}}$. Finally, the adversary issues $(A_1^{*},A_2,B_1^{*},B_2,{\pi }^{*})$ to the $H_2$ query. We can see that ${\pi }^{*}=(c^{*},s^{*})$ is valid with respect to the false statement $(A_1^{*},A_2)$ and the relevant commitment $(B_1^{*},B_2)$; furthermore, polynomially-many such simulated queries can be made after ${\mathsf{CT}}^{*}$ and ${\mathsf{key}}^{*}$ are given to the adversary. If the adversary issues the correct query such that $A_2=h^a$ among the polynomially-many simulated queries, the simulator cannot specify which query relates to the correct statement $(A_1^{*}=g^a,A_2=h^a)$ associated with the CDH solution, unless it is given an oracle to solve the decisional Diffie–Hellman (DDH) problem. Moreover, the implicitly predetermined challenge key ${\mathsf{key}}^{*}$ will be mapped to a certain wrong $H_2$ query input $(A_1^{*},A_2^{\prime },B_1^{*},B_2^{\prime },{\pi }^{*})$ with “high” probability. Clearly, such inconsistent mapping will allow the adversary to distinguish between a real attack and a simulation.

1.3. Concept of Corrected Proofs

Our strategy to revise Seo et al.’s proofs [12] is to change the security condition of the underlying KEM from OW to CPA while keeping their conversion method intact. In our corrected proofs, the underlying KEM must be CPA-secure in terms of indistinguishability, meaning (roughly) the following: given $({\mathsf{CT}}^{*},K^{*})$ as a challenge, it is infeasible to determine whether the challenge key $K^{*}$ was correct or false with respect to the challenge ciphertext ${\mathsf{CT}}^{*}$. Now, the simulator attacking the CPA security of the underlying KEM is given $({\mathsf{CT}}^{*},K^{*})$ and wants to determine whether $K^{*}$ is correct or false using the adversary against CCA-security. Let us assume that the underlying KEM is still NIZK-compatible, as defined in [12]. Given $({\mathsf{CT}}^{*},K^{*})$, the simulator proceeds as follows: it sets the pair as the NIZK statement, ${\mathsf{stmt}}^{*}=({\mathsf{CT}}^{*},K^{*})$, and generates a simulated proof ${\pi }^{*}$ for ${\mathsf{stmt}}^{*}$ using the zero-knowledge property. Then, it computes the challenge key ${\mathsf{key}}^{*}=H_2({\mathsf{stmt}}^{*},{\mathsf{com}}^{*},{\pi }^{*})$, where ${\mathsf{com}}^{*}$ is the relevant commitment for ${\mathsf{stmt}}^{*}$. Then, it gives the challenge ciphertext $({\mathsf{CT}}^{*},{\pi }^{*})$ and the challenge key ${\mathsf{key}}^{*}$ to the adversary. If $K^{*}$ is the correct key corresponding to ${\mathsf{CT}}^{*}$, then ${\pi }^{*}$ is the NIZK proof for the correct statement $({\mathsf{CT}}^{*},K^{*})$. Otherwise, ${\pi }^{*}$ is the NIZK proof for the false statement $({\mathsf{CT}}^{*},K^{*})$. Now that the simulator knows the candidate value $K^{*}$ of the KEM key, it does distinguish whether $K^{*}$ is correct or false by checking whether $({\mathsf{stmt}}^{*},{\mathsf{com}}^{*},{\pi }^{*})$ is issued to $H_2$ queries. Note that $K^{*}$ is not given to the adversary. If $K^{*}$ (including ${\mathsf{stmt}}^{*}$) appears in $H_2$ queries, it is possible to ensure (with overwhelming probability) that $K^{*}$ is the correct key corresponding to ${\mathsf{CT}}^{*}$; otherwise, $K^{*}$ is a false key. Furthermore, as long as the input $({\mathsf{stmt}}^{*},{\mathsf{com}}^{*},{\pi }^{*})$ is not queried to $H_2$ (modeled as a random oracle), the adversary obtains no information on the challenge key ${\mathsf{key}}^{*}$. It follows that success in breaking the CCA-security of the transformed KEM straightforwardly leads to success in breaking the CPA security of the underlying KEM without causing security loss. When applying our proof strategy to the above variant of the ElGamal KEM, it can be proved to be tightly CCA-secure under the DDH assumption.

In our corrected proofs, decapsulation queries are handled by the simulator in the same way as in [12]. However, the NIZK property required for answering decapsulation queries is (one-time) simulation soundness (SS) rather than soundness. This is because ${\pi }^{*}$ can be the simulated proof for the correct or false statement $({\mathsf{CT}}^{*},K^{*})$ (given to the simulator) depending on $K^{*}$. Furthermore, once $({\mathsf{CT}}^{*},{\pi }^{*})$ is given to the adversary as a challenge, it should be difficult for the adversary to generate a pair of a new false statement and its relevant proof that are correctly verified. In particular, a new false statement includes any modification of ${\mathsf{stmt}}^{*}=({\mathsf{CT}}^{*},K^{*})$. Unlike in Seo et al.’s proofs [12], the simulator in ours knows all hash input values regarding ${\mathsf{stmt}}^{*}$ and ${\mathsf{com}}^{*}$ explicitly; thus, the security flaw mentioned above does not occur. Rather, making hash queries about ${\mathsf{stmt}}^{*}$ by the adversary could increase the probability that the simulator will succeed in breaking the CPA security of the given KEM.

To show that the underlying NIZK proof system satisfies the simulation soundness property, we use the result of Faust et al. [14], which showed that (roughly) an FS-derived NIZK proof system ${\mathsf{\Pi }}^{\mathsf{FS}}$ is simulation-sound in the random oracle model if a canonical three-round interactive proof system $\mathsf{\Pi }$ (The transcript of $\mathsf{\Pi }$ consists of {commitment, challenge, and response}.) has the properties of completeness, soundness, and unique response. In fact, along with the soundness, the unique response property gives the effect of making the resulting NIZK proof $\pi$ strongly unforgeable [15] when viewing $\pi$ as a (one-time) signature. As a building block, the conversion by Seo et al. [12] uses an FS-derived NIZK proof system to prove the equality or linearity of discrete logarithms, and it is easy to show that a three-round interactive proof system for equality or linearity satisfies the property of unique response as well as soundness. Thus, by adapting the result in [14], all the underlying (FS-derived) NIZK proof systems in our corrected proofs have the simulation soundness property in the random oracle model.

2. Background

2.1. Notation

$\lambda \in \mathbb{N}$ is the security parameter. We say that a function $\nu :\mathbb{N}\to \mathbb{R}$ is $negligible$ if for every positive polynomial $\mathsf{poly}(·)$, there exists an integer $N>0$ such that for all $x>N$, it holds that ${\left|\nu (x)\right|<\mathsf{poly}(x)}^{-1}$. Given an algorithm A, we write $y\leftarrow A$ to denote that y is the output of A. If A is a probabilistic algorithm, then $y\stackrel{\$}{\leftarrow }A$ denotes that y is computed by A using fresh random coins. When A is a set, $a\stackrel{\$}{\leftarrow }A$ denotes that a is chosen uniformly over A. For $n\in \mathbb{N}$, we write $\left[n\right]$ to denote the set $\{1,\dots ,n\}$. The above notation follows the notation from the work in [16].

2.2. Interactive Proof System

Let $\mathcal{L}=\{\mathsf{stmt}:\exists \mathsf{wit}s.t.(\mathsf{stmt},\mathsf{wit})\in {\mathcal{R}}_{\mathcal{L}}\}$ be an NP-language. We first review a three-move public coin proof system, where a prover wants to convince a verifier that a statement $\mathsf{stmt}$ belongs to $\mathcal{L}$ using a witness $\mathsf{wit}$ such that $(\mathsf{stmt},\mathsf{wit})\in {\mathcal{R}}_{\mathcal{L}}$. Let a prover $\mathcal{P}=({\mathcal{P}}_0,{\mathcal{P}}_1)$ and a verifier $\mathcal{V}=({\mathcal{V}}_0,{\mathcal{V}}_1)$ be PPT algorithms that participate in the protocol. First, as inputs, $\mathsf{com}\leftarrow {\mathcal{P}}_0(\mathsf{stmt},\mathsf{wit};\rho )$ takes a statement $\mathsf{stmt}$, a witness $\mathsf{wit}$, and a random string $\rho$ and then computes a commitment $\mathsf{com}$ and sends it to a verifier $\mathcal{V}$. Then, $\mathsf{chal}\stackrel{\$}{\leftarrow }{\mathcal{V}}_0(\mathsf{stmt},\mathsf{com})$ inputs a statement $\mathsf{stmt}$ and commitment $\mathsf{com}$, randomly chooses a challenge $\mathsf{chal}$ in the challenge space, and sends it to $\mathcal{P}$. Finally, as inputs, $\mathsf{resp}\leftarrow {\mathcal{P}}_1(\mathsf{com},\mathsf{chal},\mathsf{stmt},\mathsf{wit};\rho )$ takes $\mathsf{com},\mathsf{chal},\mathsf{stmt},\mathsf{wit}$, and $\rho$; generates a response $\mathsf{resp}$; and sends it to $\mathcal{V}$. Then, as inputs, $\{0,1\}\leftarrow {\mathcal{V}}_1(\mathsf{stmt},\mathsf{com},\mathsf{chal},\mathsf{resp})$ takes $\mathsf{stmt}$, $\mathsf{com}$, $\mathsf{chal}$, and $\mathsf{resp}$, and then outputs 0 or 1. When ${\mathcal{V}}_1$ outputs 1, the verifier $\mathcal{V}$ is convinced that the statement $\mathsf{stmt}$ belongs to $\mathcal{L}$.

We now review the following properties.

2.2.1. Completeness

If $\mathsf{stmt}\in \mathcal{L}$, any proper execution of the protocol between $\mathcal{P}$ and $\mathcal{V}$ ends with the verifier accepting $\mathcal{P}$’s proof. That is, the following holds:

$$\begin{array}{cc}\hfill & Pr[1\leftarrow {\mathcal{V}}_1(\mathsf{stmt},\mathsf{com},\mathsf{chal},\mathsf{resp}):\mathsf{stmt}\in \mathcal{L}\wedge \mathsf{com}\leftarrow {\mathcal{P}}_0(\mathsf{stmt},\mathsf{wit};\rho )\hfill \\ & \wedge \mathsf{chal}\stackrel{\$}{\leftarrow }{\mathcal{V}}_0(\mathsf{stmt},\mathsf{com})\wedge \mathsf{resp}\leftarrow {\mathcal{P}}_1(\mathsf{stmt},\mathsf{com},\mathsf{chal},\mathsf{wit};\rho )]=1.\hfill \end{array}$$

2.2.2. Honest Verifier Zero-Knowledge (HVZK)

There exists an efficient algorithm $\mathcal{S}$ called a zero-knowledge simulator such that for any PPT distinguisher, $\mathcal{D}=({\mathcal{D}}_0,{\mathcal{D}}_1)$, and for any $(\mathsf{stmt},\mathsf{wit})\in {\mathcal{R}}_{\mathcal{L}}$, it holds that

$$\begin{array}{cc}\hfill & Pr[1\leftarrow {\mathcal{D}}_1(\pi ,\delta ):(\mathsf{stmt},\mathsf{wit},\delta )\leftarrow {\mathcal{D}}_0\wedge \pi \leftarrow \langle \mathcal{P}(\mathsf{stmt},\mathsf{wit};\lambda ),\mathcal{V}(\mathsf{stmt};\lambda )\rangle ]\hfill \\ \hfill & \approx Pr[1\leftarrow {\mathcal{D}}_1(\pi ,\delta ):(\mathsf{stmt},\mathsf{wit},\delta )\leftarrow {\mathcal{D}}_0\wedge \pi \leftarrow \mathcal{S}(\mathsf{stmt},\lambda )],\hfill \end{array}$$

where $\pi \leftarrow \langle \mathcal{P}(\mathsf{stmt},\mathsf{wit};\lambda ),\mathcal{V}(\mathsf{stmt};\lambda )\rangle$ denotes the resulting transcript returned at the end of the interaction between $\mathcal{P}$ and $\mathcal{V}$ on common input $\mathsf{stmt}$ and private input $\mathsf{wit}$.

2.2.3. Soundness

If $\mathsf{stmt}\notin \mathcal{L}$, any PPT adversary ${\mathcal{P}}^{*}=({\mathcal{P}}_0^{*},{\mathcal{P}}_1^{*})$ is accepted only with negligible probability. That is, the following holds:

$$\begin{array}{cc}\hfill & Pr[\mathsf{resp}\leftarrow {\mathcal{P}}_1^{*}(\mathsf{stmt},\mathsf{com},\mathsf{chal};\rho ):\mathsf{stmt}\notin \mathcal{L}\wedge \mathsf{com}\leftarrow {\mathcal{P}}_0^{*}(\mathsf{stmt};\rho )\hfill \\ & \wedge \mathsf{chal}\stackrel{\$}{\leftarrow }{\mathcal{V}}_0(\mathsf{stmt},\mathsf{com})\wedge 1\leftarrow {\mathcal{V}}_1(\mathsf{stmt},\mathsf{com},\mathsf{chal},\mathsf{resp})]\approx 0.\hfill \end{array}$$

2.2.4. Unique Response

An interactive proof system has the unique response if for any PPT adversary $\mathcal{A}$ and for any security parameter $\lambda$, it holds that

$$\begin{array}{cc}\hfill & Pr[(\mathsf{stmt},\mathsf{com},\mathsf{chal},\mathsf{resp},{\mathsf{resp}}^{\prime })\leftarrow \mathcal{A}(\lambda ):\hfill \\ & \mathcal{V}(\mathsf{stmt},\mathsf{com},\mathsf{chal},\mathsf{resp})=\mathcal{V}(\mathsf{stmt},\mathsf{com},\mathsf{chal},{\mathsf{resp}}^{\prime })=1\wedge \mathsf{resp}\ne {\mathsf{resp}}^{\prime }]=0.\hfill \end{array}$$

2.3. Protocol for Proving the Equality of Discrete Logarithms

We review the generalized interactive protocol for proving the equality of discrete logarithms [17,18,19]. Let ${\mathbb{G}}_1,\dots ,{\mathbb{G}}_n$ be groups of prime order p, and let $g_i\in {\mathbb{G}}_i$ be a generator for $i\in \left[n\right]$. Now, we consider the NP-language

$$\begin{array}{c}\hfill \mathcal{L}=\{(g_1,\dots ,g_n,A_1,\dots ,A_n):\exists x\in {\mathbb{Z}}_p\mathrm{s}.\mathrm{t}.A_i=g_i^x\mathrm{for}i\in \left[n\right]\}.\end{array}$$

The discrete logarithm $\mathsf{wit}=x$ is a witness for a statement: $\mathsf{stmt}=(g_1,\dots ,g_n,A_1$, $\dots ,A_n)$. Then, the interactive protocol $(\mathcal{P},\mathcal{V})$ for proving the above language is as follows.

• For a statement $\mathsf{stmt}=(g_1,\dots ,g_n,A_1,\dots ,A_n)$, the prover $\mathcal{P}$ selects a random exponent $r\in {\mathbb{Z}}_p$ and computes a commitment $\mathsf{com}$ as follows.

  $$\begin{array}{c}\hfill \mathsf{com}=(B_1,\dots ,B_n)=(g_1^r,\dots ,g_n^r).\end{array}$$
• The verifier $\mathcal{V}$ randomly selects a random challenge $\mathsf{chal}=c\in {\mathbb{Z}}_p$.
• $\mathcal{P}$ computes a response $\mathsf{resp}=s=r+cd\in {\mathbb{Z}}_p$.
• Given a proof $\pi =(\mathsf{com},\mathsf{chal},\mathsf{resp})$, $\mathcal{V}$ checks that

  $$\begin{array}{c}\hfill B_1=g_1^s{A_1}^{-c},\dots ,B_n=g_n^s{A_n}^{-c}.\end{array}$$

It is well known that this protocol is a non-trivial three-round public coin interactive proof system satisfying completeness, HVZK, (statistical) soundness, and unique response properties.

2.4. Protocol for Proving the Linearity of Discrete Logarithms

We review the generalized interactive protocol for proving the linearity of discrete logarithms. Let ${\mathbb{G}}_1,\dots ,{\mathbb{G}}_{n+1}$ be groups of prime order p, and let $g_i\in {\mathbb{G}}_i$ be a generator for $i\in [n+1]$. Now, we consider the NP-language

$$\begin{array}{cc}\hfill & \mathcal{L}=\{(g_1,\dots ,g_n,g_{n+1},A_1,\dots ,A_n,A_{n+1}):\hfill \\ \hfill & \exists (x_1,\dots ,x_n)\in {\mathbb{Z}}_p^n\mathrm{s}.\mathrm{t}.A_i=g_i^{x_i}\mathrm{for}i\in \left[n\right],A_{n+1}=g_{n+1}^{x_1+\cdots +x_n}\}.\hfill \end{array}$$

The discrete logarithm $\mathsf{wit}=(x_1,\dots ,x_n)$ is a witness for a statement $\mathsf{stmt}=(g_1,\dots ,$ $g_n,g_{n+1},$ $A_1,\dots ,A_n,A_{n+1})$. Then, the interactive protocol $(\mathcal{P},\mathcal{V})$ for proving the above language is as follows.

• For a statement $\mathsf{stmt}=(g_1,\dots ,g_n,g_{n+1},A_1$, …, $A_n$, $A_{n+1})$, the prover $\mathcal{P}$ selects random exponents $(r_1$, $\dots ,r_n)\in {\mathbb{Z}}_p^n$ and computes a commitment $\mathsf{com}$ as follows.

  $$\begin{array}{c}\hfill \mathsf{com}=(B_1,\dots ,B_n,B_{n+1})=(g_1^{r_1},\dots ,g_n^{r_n},g_{n+1}^{r_1+\cdots +r_n}).\end{array}$$
• The verifier $\mathcal{V}$ randomly selects a random challenge $\mathsf{chal}=c\in {\mathbb{Z}}_p$.
• $\mathcal{P}$ computes a response $\mathsf{resp}=(s_1,\dots ,s_n)$, where $s_i=r_i+c{x}_i\in {\mathbb{Z}}_p$ for $i\in \left[n\right]$.
• Given a proof $\pi =(\mathsf{com},\mathsf{chal},\mathsf{resp})$, $\mathcal{V}$ checks that

  $$\begin{array}{cc}\hfill & B_1=g_1^{s_1}{A_1}^{-c},\dots ,B_n=g_n^{s_n}{A_n}^{-c},\mathrm{and}{B}_{n+1}=g_{n+1}^{s_1+\cdots +s_n}{A_{n+1}}^{-c}.\hfill \end{array}$$

Similarly to the equality of discrete logarithms, this protocol is also a non-trivial three-round public coin interactive proof system satisfying completeness, HVZK, (statistical) soundness, and unique response properties.

2.5. NIZK in the Random Oracle Model

We can remove the interaction between $\mathcal{P}$ and $\mathcal{V}$ by replacing the challenge $\mathsf{chal}$ with a hash value $H(\mathsf{stmt},\mathsf{com})$ computed by the prover, where H is a hash function modeled as a random oracle. By applying the Fiat–Shamir paradigm [13], we can transform an interactive protocol ($\mathcal{P},\mathcal{V}$) into a non-interactive proof system (${\mathcal{P}}^H,{\mathcal{V}}^H$).

Syntax

Let $\mathcal{L}:=\{\mathsf{stmt}:\exists \mathsf{wit}$ such that $R(\mathsf{stmt},\mathsf{wit})=1\}$ is an NP-language defined by a binary relation R, and H is a hash function (modeled as a random oracle). A non-interactive proof system (${\mathcal{P}}^H,{\mathcal{V}}^H$) for $\mathcal{L}$ consists of two algorithms. The proving algorithm $\pi \stackrel{\$}{\leftarrow }{\mathcal{P}}^H(\mathsf{stmt},\mathsf{wit})$ takes as input a statement $\mathsf{stmt}$ and a witness $\mathsf{wit}$ such that $R(\mathsf{stmt},\mathsf{wit})=1$ and outputs a proof $\pi$. The verification algorithm ${\mathcal{V}}^H$($\mathsf{stmt}$, $\pi )\in \{0,1\}$ takes as input a statement $\mathsf{stmt}$ and a proof $\pi$ and outputs 1 (true) or 0 (false).

We refer here to the zero-knowledge simulator $\mathcal{S}$ of a non-interactive zero-knowledge proof system [14] defined in the explicitly programmable random oracle model [20]. As a stateful algorithm, the simulator $\mathcal{S}$ can operate in two modes: $(h_i,st)\leftarrow \mathcal{S}(1,st,q_i)$ deals with answering random oracle queries such that $h_i=H(q_i)$, while $(\pi ,st)\leftarrow \mathcal{S}(2,st,\mathsf{stmt})$ simulates the proof. Note that calls to $\mathcal{S}(1,\cdots )$ and $\mathcal{S}(2,\cdots )$ share the common state $st$, which is updated after each operation.

Definition 1

(Unbounded Non-Interactive Zero-Knowledge [14]). Let $\mathcal{L}$ be an NP-language. Let $({\mathcal{S}}_1,{\mathcal{S}}_2)$ denote the oracles such that ${\mathcal{S}}_1(q_i)$ returns the first output of $(h_i,st)\leftarrow \mathcal{S}(1,st,q_i)$ and ${\mathcal{S}}_2(\mathsf{stmt},\mathsf{wit})$ returns the first output of $(\pi ,st)\leftarrow \mathcal{S}(2,st,\mathsf{stmt})$ if $(\mathsf{stmt},\mathsf{wit})\in {\mathcal{R}}_{\mathcal{L}}$. We say a protocol $({\mathcal{P}}^H,{\mathcal{V}}^H)$ is an NIZK proof for language $\mathcal{L}$ in the random oracle model if there exists a PPT simulator $\mathcal{S}$ such that for all PPT distinguishers $\mathcal{D}$, the advantage ${ϵ}_{\mathsf{ZK}}$ such that

$$\begin{array}{cc}\hfill & {ϵ}_{\mathsf{ZK}}(\lambda )=|Pr[1\leftarrow {\mathcal{D}}^{H(·),{\mathcal{P}}^H(·)}(\lambda )]-Pr[1\leftarrow {\mathcal{D}}^{{\mathcal{S}}_1(·),{\mathcal{S}}_2(·)}(\lambda )]|\hfill \end{array}$$

is negligible, where both $\mathcal{P}$ and ${\mathcal{S}}_2$ oracles output ⊥ if $(\mathsf{stmt},\mathsf{wit})\ne {\mathcal{R}}_{\mathcal{L}}$.

Definition 2

(Unbounded Simulation Soundness [14]). Let $\mathcal{L}$ be an NP-language. Consider a proof system $({\mathcal{P}}^H,{\mathcal{V}}^H)$ for $\mathcal{L}$ with zero-knowledge simulator $\mathcal{S}$. Let $({\mathcal{S}}_1,{\mathcal{S}}_2^{\prime })$ denote the oracle such that ${\mathcal{S}}_1(q_i)$ returns the first output of $(h_i,st)\leftarrow \mathcal{S}(1,st,q_i)$ and ${\mathcal{S}}_2^{\prime }$ returns the first output of $(\pi ,st)\leftarrow \mathcal{S}(2,st,\mathsf{stmt})$. We say that $({\mathcal{P}}^H,{\mathcal{V}}^H)$ is simulation-sound with respect to $\mathcal{S}$ in the random oracle model if for all PPT adversaries $\mathcal{A}$ the advantage ${ϵ}_{\mathsf{SS}}$ such that

$$\begin{array}{cc}\hfill {ϵ}_{\mathsf{SS}}(\lambda )=Pr[& ({\mathsf{stmt}}^{*},{\pi }^{*})\leftarrow {\mathcal{A}}^{{\mathcal{S}}_1(·),{\mathcal{S}}_2^{\prime }(·)}(\lambda ):\hfill \\ \hfill ({\mathsf{stmt}}^{*}& ,{\pi }^{*})\ne \mathcal{T}\wedge {\mathsf{stmt}}^{*}\ne \mathcal{L}\wedge {\mathcal{V}}^{{\mathcal{S}}_1}({\mathsf{stmt}}^{*},{\pi }^{*})=1]\hfill \end{array}$$

is negligible, where $\mathcal{T}$ is the list of pairs $({\mathsf{stmt}}_i,{\pi }_i)$, i.e., (true or false) statements queried to and proofs returned by the simulator.

Theorem 1

(Fiat–Shamir NIZKs [14]). Consider a three-round HVZK interactive proof system $(\mathcal{P},\mathcal{V})$ for a language $\mathcal{L}\in \mathit{NP}$ with completeness. Let H be a function with range equal to the space of the verifier’s coins. In the random oracle model, the proof system $({\mathcal{P}}^H,{\mathcal{V}}^H)$ derived from $(\mathcal{P},\mathcal{V})$ by applying the Fiat–Shamir transform is unbounded non-interactive zero-knowledge.

Theorem 2

(Simulation Soundness of Fiat–Shamir NIZKs [14]). Consider a three-round HVZK interactive proof system $(\mathcal{P},\mathcal{V})$ for a language $\mathcal{L}\in \mathit{NP}$ with completeness, soundness, and unique response. In the random oracle model, the proof system $({\mathcal{P}}^H,{\mathcal{V}}^H)$ derived from $(\mathcal{P},\mathcal{V})$ via the Fiat–Shamir transform is simulation-sound NIZK with respect to its canonical simulator $\mathcal{S}$.

By applying the above theorems to the previous interactive protocols for proving the $equality$ and $linearity$ of discrete logarithms, we can obtain NIZK proof systems for the equality and linearity of discrete logarithms, which both have the properties of zero-knowledge and simulation soundness. Note that the two previous interactive protocols satisfy the completeness, HVZK, (statistical) soundness, and unique response properties.

To measure the concrete bounds of the advantages ${ϵ}_{\mathsf{ZK}}$ and ${ϵ}_{\mathsf{SS}}$ with respect to the two interactive protocols, we follow the proofs in [14] (Theorems 1 and 2 therein). First, ${ϵ}_{\mathsf{ZK}}$ of the NIZK systems is bounded by the probability that the “good” NIZK simulator $\mathcal{S}$ fails and aborts during the simulation. Note that the NIZK simulator $\mathcal{S}$ fails when a collision of the random oracle H happens in the process of updating the hash table ${\mathcal{T}}_H$. Because the probability that a collision happens is at most $q_H^2/p$, where $q_H$ is the maximum number of H queries and p is the group order including the size of the challenge space, we see that ${ϵ}_{\mathsf{ZK}}\le q_H^2/p$. Second, ${ϵ}_{\mathsf{SS}}$ of the NIZK scheme is bounded by $q_H·{ϵ}_{\mathsf{snd}}+q_H^2/p$, where ${ϵ}_{\mathsf{snd}}$ denotes the bound of advantage that the adversary violates the $soundness$ of the proof system $(\mathcal{P},\mathcal{V})$. The $soundness$ bound ${ϵ}_{\mathsf{snd}}$ in the two interactive protocols is statistically the same as the inverse of the size of the challenge space, $1/p$, so we see that ${ϵ}_{\mathsf{SS}}\le (q_H+q_H^2)/p$.

3. Conversion Method for CCA-Secure KEM

3.1. KEM

3.1.1. Syntax

We follow the syntax of KEM from the work in [16]. A key encapsulation mechanism $\mathsf{KEM}$ = ($\mathsf{KEM}.\mathsf{Setup}$, $\mathsf{KEM}.\mathsf{Encap}$, $\mathsf{KEM}.\mathsf{Decap}$) consists of three algorithms: The setup algorithm $(\mathsf{PK},\mathsf{SK})$ $\stackrel{\$}{\leftarrow }$ $\mathsf{KEM}.\mathsf{Setup}(\lambda )$ takes as input the security parameter $\lambda$ and outputs a key pair $(\mathsf{PK},\mathsf{SK})$. The encapsulation algorithm $(\mathsf{K},\mathsf{CT})$ $\stackrel{\$}{\leftarrow }$ $\mathsf{KEM}.\mathsf{Encap}(\mathsf{PK})$ generates a key $\mathsf{K}$ and a ciphertext $\mathsf{CT}$ from input $\mathsf{PK}$. The decapsulation algorithm $\mathsf{K}$ ← $\mathsf{KEM}.\mathsf{Decap}(\mathsf{PK},\mathsf{SK},\mathsf{CT}$) takes as input a public key $\mathsf{PK}$, a private key $\mathsf{SK}$, and a ciphertext $\mathsf{CT}$ and outputs a key $\mathsf{K}$.

3.1.2. Security Model of KEM

Here, we define the IND-{CPA,CCA} security of KEM by referring to [12]. First, a security experiment of IND-CPA played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$ is described as follows.

• Experiment Exp${}_{\mathsf{IND}-\mathsf{CPA},b}^{\mathsf{KEM},\mathcal{A}}$($\lambda$)
• $(\mathsf{PK},\mathsf{SK})$$\stackrel{\$}{\leftarrow }$$\mathsf{KEM}.\mathsf{Setup}(\lambda )$;
• ${\mathsf{K}}_0^{*}\stackrel{\$}{\leftarrow }\mathcal{K}$; $({\mathsf{K}}_1^{*},{\mathsf{CT}}^{*})\stackrel{\$}{\leftarrow }\mathsf{KEM}.\mathsf{Encap}(\mathsf{PK})$;
• $b^{\prime }$←$\mathcal{A}$ ($\mathsf{PK}$, ${\mathsf{CT}}^{*}$, ${\mathsf{K}}_b^{*}$);
• Output $b^{\prime }$.

The advantage of $\mathcal{A}$ for breaking the IND-CPA security of KEM is defined as ${\mathbf{Adv}}_{\mathsf{IND}-\mathsf{CPA}}^{\mathsf{KEM},\mathcal{A}}$ = $|Pr\left[1\leftarrow {\mathbf{Exp}}_{\mathsf{IND}-\mathsf{CPA},1}^{\mathsf{KEM},\mathcal{A}}(\lambda )\right]-Pr\left[1\leftarrow {\mathbf{Exp}}_{\mathsf{IND}-\mathsf{CPA},0}^{\mathsf{KEM},\mathcal{A}}(\lambda )\right]|$.

Definition 3.

The $\mathsf{KEM}$ scheme is $(t,ϵ)$-IND-CPA-secure if for any polynomial time adversary $\mathcal{A}$ that runs in at most time t, we have ${\mathbf{Adv}}_{\mathsf{IND}-\mathsf{CPA}}^{\mathsf{KEM},\mathcal{A}}$ $<ϵ$.

Now, the security experiment of IND-CCA, where the additional decapsulation oracle is given to an adversary $\mathcal{A}$, is described as follows.

• Experiment Exp${}_{\mathsf{IND}-\mathsf{CCA},b}^{\mathsf{KEM},\mathcal{A}}$($\lambda$)
• $(\mathsf{PK},\mathsf{SK})$$\stackrel{\$}{\leftarrow }$$\mathsf{KEM}.\mathsf{Setup}(\lambda )$;
• ${\mathsf{K}}_0^{*}\stackrel{\$}{\leftarrow }\mathcal{K}$; $({\mathsf{K}}_1^{*},{\mathsf{CT}}^{*})\stackrel{\$}{\leftarrow }\mathsf{KEM}.\mathsf{Encap}(\mathsf{PK})$;
• $b^{\prime }$ ← ${\mathcal{A}}^{\mathsf{DecO}(·)}$ ($\mathsf{PK}$, ${\mathsf{CT}}^{*}$, ${\mathsf{K}}_b^{*}$);
• Output $b^{\prime }$.

The oracle $\mathsf{DecO}(·)$ takes as input $\mathsf{CT}$ and returns a key $\mathsf{K}$ ← $\mathsf{KEM}.\mathsf{Decap}$($\mathsf{PK}$, $\mathsf{SK}$, $\mathsf{CT})$ with the condition that $\mathcal{A}$ cannot query the challenge ciphertext ${\mathsf{CT}}^{*}$. The advantage of $\mathcal{A}$ for breaking the IND-CCA-security of KEM is defined as ${\mathbf{Adv}}_{\mathsf{IND}-\mathsf{CCA}}^{\mathsf{KEM},\mathcal{A}}$ = $|Pr\left[1\leftarrow {\mathbf{Exp}}_{\mathsf{IND}-\mathsf{CCA},1}^{\mathsf{KEM},\mathcal{A}}(\lambda )\right]$ − $Pr\left[1\leftarrow {\mathbf{Exp}}_{\mathsf{IND}-;\mathsf{CCA},0}^{\mathsf{KEM},\mathcal{A}}(\lambda )\right]|$.

Definition 4.

The $\mathsf{KEM}$ scheme is $(t,ϵ,q_d)$-IND-CCA-secure if for any polynomial time adversary $\mathcal{A}$ that runs in time at most t and issues at most $q_d$ decapsulation queries, then we have ${\mathbf{Adv}}_{\mathsf{IND}-\mathsf{CCA}}^{\mathsf{KEM},\mathcal{A}}$ $<ϵ$.

3.2. Conversion Method

The conversion method is for a special case of $\mathsf{KEM}$ which is compatible with the $\mathsf{NIZK}$ schemes. We suppose that the $\mathsf{KEM}.\mathsf{Encap}$ algorithm takes the public key $\mathsf{pk}$ and randomness x as inputs and returns a key $\mathsf{k}$ and a ciphertext $\mathsf{ct}$ (e.g., $(\mathsf{k},\mathsf{ct})\leftarrow \mathsf{KEM}.\mathsf{Encap}(\mathsf{pk};x))$. Then, we say that a $\mathsf{KEM}$ is $\mathsf{NIZK}$-compatible if a tuple $(\mathsf{pk},\mathsf{ct},\mathsf{k})$ can be parsed as the statement for proving a relation for discrete logarithms using the witness x. For example, the ElGamal KEM and the linear KEM [21] are $\mathsf{NIZK}$-compatible [12].

Let KEM = $(\mathsf{KEM}.\mathsf{Setup},\mathsf{KEM}.\mathsf{Encap},\mathsf{KEM}.\mathsf{Decap})$ be an IND-CPA-secure KEM and $\mathsf{NIZK}$-compatible. Using the KEM and NIZK scheme, the generic construction of IND-CCA-secure ${\mathsf{KEM}}^{\prime }$ = $(\mathsf{KEM}.{\mathsf{Setup}}^{\prime }$, $\mathsf{KEM}.{\mathsf{Encap}}^{\prime }$, $\mathsf{KEM}.{\mathsf{Decap}}^{\prime })$ by Seo et al. [12] is described as follows.

${\mathsf{KEM}.\mathsf{Gen}}^{\prime }$($\lambda$): Given security parameter $\lambda$, the setup algorithm proceeds as follows.

• Generate $\mathsf{sk}$ and $\mathsf{pk}$ by running KEM.Setup$(\lambda )$.
• Choose $H_1:{\{0,1\}}^{*}\to {\{0,1\}}^k$ and $H_2:{\{0,1\}}^{*}\to {\{0,1\}}^{\ell }$ for $k,l\in {\mathbb{Z}}^{+}$.
• Output $\mathsf{SK}=\mathsf{sk}$ and $\mathsf{PK}=(H_1,H_2,\mathsf{pk})$.

${\mathsf{KEM}.\mathsf{Encap}}^{\prime }$($\mathsf{PK}$): Given a public key $\mathsf{PK}=(H_1,H_2,\mathsf{pk})$, the Encap algorithm proceeds as follows.

• Choose the random coins x and compute $(\mathsf{ct},\mathsf{k})$ ← $\mathsf{KEM}.\mathsf{Encap}$ $(\mathsf{pk};x)$.
• Set $\mathsf{stmt}=(\mathsf{pk},\mathsf{ct},\mathsf{k})$ and $\mathsf{wit}=x$.
• Compute $\pi \leftarrow {\mathcal{P}}^{H_1}$($\mathsf{stmt},\mathsf{wit}$).

  (a)

  Choose the random value r and compute $\mathsf{com}$.

  (b)

  Compute $c=H_1(\mathsf{stmt},\mathsf{com})$ and the relevant s.

  (c)

  Output the proof $\pi =(s,c)$.

• Set $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi ).$
• Output $\mathsf{K}$ and $\mathsf{CT}=(\mathsf{ct},\pi )$.

${\mathsf{KEM}.\mathsf{Decap}}^{\prime }$($\mathsf{PK},\mathsf{SK},\mathsf{CT}$): Given a public key $\mathsf{PK}=(H_1,H_2,\mathsf{pk})$, a ciphertext $\mathsf{CT}=(\mathsf{ct},\pi =(s,c))$, and a private $\mathsf{SK}=\mathsf{sk}$, the Decap algorithm proceeds as follows.

• Compute $\mathsf{k}\leftarrow \mathsf{KEM}.\mathsf{Decap}(\mathsf{sk},\mathsf{ct})$.
• Set $\mathsf{stmt}=(\mathsf{pk},\mathsf{ct},\mathsf{k})$.
• If $1\leftarrow {\mathcal{V}}^{H_1}$($\mathsf{stmt},\pi$), go on. Otherwise, abort.

  (a)

  Deterministically compute $\mathsf{com}$.

  (b)

  If $c=H_1(\mathsf{stmt},\mathsf{com})$, output 1. Otherwise, output 0.

• Set $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi )$ and output $\mathsf{K}$.

3.3. Security Proof

Theorem 3.

Let $H_1$ and $H_2$ be modeled as random oracles with ${ϵ}_{\mathsf{CR}}$-collision resistance. Suppose that $\mathsf{KEM}$ is $(t^{\prime },{ϵ}^{\prime })$-IND-CPA-secure and $\mathsf{NIZK}$-compatible with ${ϵ}_{\mathsf{ZK}}$-zero-knowledge and ${ϵ}_{\mathsf{SS}}$-simulation soundness. Then, the resulting ${\mathsf{KEM}}^{\prime }$ is $(t,ϵ,q_d)$-IND-CCA-secure, where

$$ϵ\le 2·({ϵ}_{\mathsf{CR}}+{ϵ}_{\mathsf{ZK}}+q_d·{ϵ}_{\mathsf{SS}}+{ϵ}^{\prime })+1/\left|\mathcal{K}\right|,t^{\prime }\approx t+\mathcal{O}(q_d{t}_v).$$

Here, $t_v$ is the required time for verification in $\mathsf{NIZK}$, and $\mathcal{K}$ is the key space of $\mathsf{KEM}$.

Proof. 

We consider a sequence of hybrid games Game 0, …, Game 9. Game 0 is the actual IND-CCA security game, where an adversary is given a key from the encapsulation algorithm, and Game 9 is the actual game, where an adversary is given a key randomly chosen from a key space for the encapsulation query. Let ${\mathsf{Win}}_i$ denote the event that $\mathcal{A}$ wins in the Game i.

Table 1. Values or operations of ${\mathsf{K}}^{*}$, ${\mathsf{CT}}^{*}$, $\mathsf{SK}$, and DecO(·) in each game and properties ensuring the indistinguishability of consecutive games. $\mathsf{RO}$ + $\mathsf{SS}$ denotes that the simulator retrieves $\mathsf{k}$ from a random oracle table and checks the validity of the ciphertext based on the $\mathsf{SS}$ property.

Game	${\mathsf{K}}^{*}$	${\mathsf{stmt}}^{*}$	${\mathsf{CT}}^{*}$	SK	DecO(·)	Property
0	$H_2({\mathsf{stmt}}^{*},\mathsf{com},{\pi }_{\mathsf{real}}^{*})$	$(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{real}}^{*}$	$\mathsf{sk}$	$\mathsf{KEM}.\mathsf{Decap}(·)$	-
1	$H_2({\mathsf{stmt}}^{*},\mathsf{com},{\pi }_{\mathsf{real}}^{*})$	$(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{real}}^{*}$	$\mathsf{sk}$	$\mathsf{KEM}.\mathsf{Decap}(·)$	CR
2	$H_2({\mathsf{stmt}}^{*},\mathsf{com},{\pi }_{\mathsf{sim}}^{*})$	$(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	$\mathsf{sk}$	$\mathsf{KEM}.\mathsf{Decap}(·)$	ZK
3	$H_2({\mathsf{stmt}}^{*},\mathsf{com},{\pi }_{\mathsf{sim}}^{*})$	$(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	-	$\mathsf{RO}+\mathsf{SS}$	SS
4	$H_2({\mathsf{stmt}}^{*},\mathsf{com},{\pi }_{\mathsf{sim}}^{*})$	$(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}^{\prime })$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	-	$\mathsf{RO}+\mathsf{SS}$	IND-CPA
5	$\mathsf{K}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$	$(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}^{\prime })$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	-	$\mathsf{RO}+\mathsf{SS}$	$1/\left|\mathcal{K}\right|$
6	$\mathsf{K}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$	$(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	-	$\mathsf{RO}+\mathsf{SS}$	$\mathsf{IND}-\mathsf{CPA}$
7	$\mathsf{K}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$	$(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	$\mathsf{sk}$	$\mathsf{KEM}.\mathsf{Decap}(·)$	SS
8	$\mathsf{K}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$	$(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{real}}^{*}$	$\mathsf{sk}$	$\mathsf{KEM}.\mathsf{Decap}(·)$	ZK
9	$\mathsf{K}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$	$(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{real}}^{*}$	$\mathsf{sk}$	$\mathsf{KEM}.\mathsf{Decap}(·)$	CR

summarizes the games described below and the properties used to prove indistinguishability between consecutive games.

Game 0. This is the actual $\mathsf{IND}$-$\mathsf{CCA}$ security game, which is executed with $b=1$. Thus, the challenger always returns $({\mathsf{CT}}^{*},{\mathsf{K}}^{*})$ $=\mathsf{KEM}.\mathsf{Encap}(\mathsf{PK})$ for the challenge.

Game 1. Let $\mathsf{Coll}$ be the event that a collision of the hash functions $H_1$ or $H_2$ occurs. This game is identical to Game 0 except that it aborts when the event $\mathsf{Coll}$ occurs during the simulation. Due to the collision resistance of the hash functions, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_1\right]-Pr\left[{\mathsf{Win}}_0\right]|\le {ϵ}_{\mathsf{CR}}.\end{array}$$

Game 2. This game is identical to Game 1 except that the challenge ciphertext ${\mathsf{CT}}^{*}=({\mathsf{ct}}^{*},{\pi }^{*})$ is computed differently. Instead of using the real proving algorithm of $\mathsf{NIZK}$, the challenger generates the challenge ciphertext using the simulator of $\mathsf{NIZK}$ (i.e., ${\mathsf{CT}}^{*}=({\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*})$). Due to the non-interactive zero-knowledge property of $\mathsf{NIZK}$, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_2\right]-Pr\left[{\mathsf{Win}}_1\right]|\le {ϵ}_{\mathsf{ZK}}.\end{array}$$

Game 3. This game is identical to Game 2 except that the decapsulation query is operated differently. In the previous game, for a given ciphertext $\mathsf{CT}=(\mathsf{ct},\pi =(s,c))$, the challenger computes $\mathsf{k}\leftarrow \mathsf{KEM}.\mathsf{Decap}(\mathsf{sk},\mathsf{ct})$ using $\mathsf{sk}$ and returns $\mathsf{K}=H_2\left(\mathsf{stmt}=(\mathsf{pk},\mathsf{ct},\mathsf{k}),\mathsf{com}=({\mathsf{com}}^{\mathsf{ct}},{\mathsf{com}}^{\mathsf{k}})\right)$ only if $1\leftarrow {\mathcal{V}}^{H_1}$($\mathsf{stmt},\pi$) holds. In this game, the challenger retrieves a tuple $(\mathsf{stmt},\mathsf{com},c)$ in the $H_1$ hash table such that $c=H_1(\mathsf{stmt}=(\mathsf{pk},\mathsf{ct},\star )$, $\mathsf{com}$ = $({\mathsf{com}}_{\mathsf{ct}},\star ))$. If the statement $\mathsf{stmt}$, commitment $\mathsf{com}$, challenge c, and response s are verified (i.e., $1\leftarrow \mathcal{V}$($\mathsf{stmt},\mathsf{com},c,s$)), then it returns $\mathsf{K}=H_2(\mathsf{stmt},\mathsf{com},\pi )$.

Note that an adversary cannot distinguish Game 3 from Game 2 unless it queries a ciphertext $\widetilde{\mathsf{CT}}=(\widetilde{\mathsf{ct}},\tilde{\pi }=(\tilde{s},\tilde{c}))$ such that proof $\tilde{\pi }$ is verified with a retrieved tuple $(\widetilde{\mathsf{stmt}},\widetilde{\mathsf{com}},\tilde{c})$ in $H_1$ (i.e., $1\leftarrow \mathcal{V}$($\widetilde{\mathsf{stmt}}$, $\widetilde{\mathsf{com}}$, $\tilde{c}$, $\tilde{s}$)) and $\widetilde{\mathsf{stmt}}$ is a false statement. In other words, the adversary must forge a proof $\tilde{\pi }$ for a false statement $\widetilde{\mathsf{stmt}}$ to distinguish the games. Then, by the simulation soundness of $\mathsf{NIZK}$ with respect to $q_d$ decapsulation queries, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_3\right]-Pr\left[{\mathsf{Win}}_2\right]|\le q_d·{ϵ}_{\mathsf{SS}}.\end{array}$$

Game 4. This game is identical to Game 3 except that the challenge ciphertext is computed differently. In the challenge phase, the challenger randomly selects ${\mathsf{k}}^{\prime }$ instead of getting ${\mathsf{k}}^{*}$ from $({\mathsf{ct}}^{*},{\mathsf{k}}^{*})\leftarrow \mathsf{KEM}.\mathsf{Encap}(\mathsf{pk};x)$. The other procedures are the same as in Game 3. Finally, it outputs $({\mathsf{CT}}^{*},{\mathsf{K}}^{*})$. We can show that a distinguisher between Game 4 and Game 3 implies an adversary that breaks the IND-CPA security of the underlying $\mathsf{KEM}$ scheme. For the sake of simplicity, we prove this later. Then, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_4\right]-Pr\left[{\mathsf{Win}}_3\right]|\le {ϵ}_{\mathsf{IND}-\mathsf{CPA}}^{\mathsf{KEM}}.\end{array}$$

Game 5. This game is identical to Game 4 except that it is executed with $b=0$. In other words, the challenger always returns ${\mathsf{K}}^{*}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$ instead of computing ${\mathsf{K}}^{*}=H_2(\mathsf{stmt}=({\mathsf{ct}}^{*},{\mathsf{k}}^{\prime }),\mathsf{com}=({\mathsf{com}}_{\mathsf{sim}}^{{\mathsf{ct}}^{*}},{\mathsf{com}}_{\mathsf{sim}}^{{\mathsf{k}}^{\prime }}),{\pi }_{\mathsf{sim}}^{*}=(s,c))$. The adversary cannot distinguish Game 5 from Game 4 unless it queries the tuple $\left(\mathsf{stmt}=({\mathsf{ct}}^{*},{\mathsf{k}}^{\prime }),\mathsf{com}=({\mathsf{com}}_{\mathsf{sim}}^{{\mathsf{ct}}^{*}},{\mathsf{com}}_{\mathsf{sim}}^{{\mathsf{k}}^{\prime }}),{\pi }_{\mathsf{sim}}^{*}=(s,c)\right)$ to the $H_2$ oracle. Note that ${\mathsf{k}}^{\prime }$ is a random key from $\mathcal{A}$’s view because ${\mathsf{ct}}^{*}$ is independent of ${\mathsf{k}}^{\prime }$. Therefore, the probability that the adversary queries the tuple to the $H_2$ oracle is at most $1/\left|\mathcal{K}\right|$. Then, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_5\right]-Pr\left[{\mathsf{Win}}_4\right]|\le 1/|\mathcal{K}|.\end{array}$$

Game 6. This game is identical to Game 5 except that the challenge ciphertext is computed differently. In the challenge phase, the challenger uses back ${\mathsf{k}}^{*}$ from $({\mathsf{ct}}^{*},{\mathsf{k}}^{*})\leftarrow \mathsf{KEM}.\mathsf{Encap}(\mathsf{pk};x)$. The other procedures are the same as in Game 5. Finally, it outputs $({\mathsf{CT}}^{*},{\mathsf{K}}^{*})$. Like the case between Game 4 and Game 3, we can show that a distinguisher between Game 6 and Game 5 implies an adversary that breaks the IND-CPA security of the underlying $\mathsf{KEM}$ scheme. For the sake of simplicity, we prove this later. Then, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_6\right]-Pr\left[{\mathsf{Win}}_5\right]|\le {ϵ}_{\mathsf{IND}-\mathsf{CPA}}^{\mathsf{KEM}}.\end{array}$$

Game 7. This game is identical to Game 6 except that the decapsulation query is operated differently. In this game, the challenger changes back the operation of the decapsulation query to normal. For a given ciphertext $\mathsf{CT}=(\mathsf{ct},\pi =(s,c))$, the challenger computes $\mathsf{k}\leftarrow \mathsf{KEM}.\mathsf{Decap}(\mathsf{sk},\mathsf{ct})$ using $\mathsf{sk}$ and returns $\mathsf{K}=H_2(\mathsf{stmt}=(\mathsf{pk},\mathsf{ct},\mathsf{k})$, $\mathsf{com}=({\mathsf{com}}^{\mathsf{ct}},{\mathsf{com}}^{\mathsf{k}}))$ only if $1\leftarrow {\mathcal{V}}^{H_1}$($\mathsf{stmt},\pi$) holds. Like the case between Game 3 and Game 2, an adversary cannot distinguish Game 7 from Game 6 unless it submits a ciphertext with a forged proof for a false statement. Then, by the simulation soundness of $\mathsf{NIZK}$ with respect to $q_d$ decapsulation queries, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_7\right]-Pr\left[{\mathsf{Win}}_6\right]|\le q_d·{ϵ}_{\mathsf{SS}}.\end{array}$$

Game 8. This game is identical to Game 7 except that the challenge ciphertext is computed differently. The challenger uses the real proving algorithm for $\mathsf{NIZK}$ instead of using simulated proofs. Due to the zero-knowledge property of $\mathsf{NIZK}$, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_8\right]-Pr\left[{\mathsf{Win}}_7\right]|\le {ϵ}_{\mathsf{ZK}}.\end{array}$$

Game 9. This game is identical to Game 8 but it does not abort when the event $\mathsf{Coll}$ occurs during the simulation. Due to the collision resistance of the hash functions, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_9\right]-Pr\left[{\mathsf{Win}}_8\right]|\le {ϵ}_{\mathsf{CR}}.\end{array}$$

Note that Game 9 is identical to the $\mathsf{IND}$-$\mathsf{CCA}$ security game executed with $b=0$. Then, we have

$$\begin{array}{cc}\hfill |Pr[{\mathsf{Win}}_0]& -Pr\left[{\mathsf{Win}}_9\right]|\le 2·({ϵ}_{\mathsf{CR}}+{ϵ}_{\mathsf{ZK}}+q_d·{ϵ}_{\mathsf{SS}}+{ϵ}_{\mathsf{IND}-\mathsf{CPA}}^{\mathsf{KEM}})+1/\left|\mathcal{K}\right|.\hfill \end{array}$$

Lemma 1.

If there exists a polynomial time distinguisher $\mathcal{D}$ between Game 3 and Game 4, then there exists a polynomial time adversary $\mathcal{A}$ that breaks the IND-CPA security of $\mathsf{KEM}$.

Proof. 

Let $\mathcal{D}$ be a distinguisher between Game 3 and Game 4. Then, we show how to construct an $\mathcal{A}$ that wins the IND-CPA security game of $\mathsf{KEM}$ using $\mathcal{D}$ with the same advantage.

$\mathcal{A}$ receives a public key $\mathsf{pk}$ as input. Then, $\mathcal{A}$ runs $\mathcal{D}$ by simulating Game 3 with changes as follows.

• In the setup phase, $\mathcal{A}$ sends $\mathsf{PK}=(H_1,H_2,\mathsf{pk})$ to $\mathcal{D}$.
• In the challenge phase, the challenge ciphertext and key $({\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})$ are given to $\mathcal{A}$. Then, $\mathcal{A}$ sets $\mathsf{stmt}=(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})$ and generates a simulated proof ${\pi }_{\mathsf{sim}}^{*}$ on the statement $\mathsf{stmt}$. $\mathcal{A}$ sets ${\mathsf{K}}^{*}=H_2(\mathsf{stmt}$, ${\mathsf{com}}_{\mathsf{sim}}$, ${\pi }_{\mathsf{sim}}^{*})$, where ${\mathsf{com}}_{\mathsf{sim}}$ is the deterministically computed commitment from ($\mathsf{stmt},{\pi }_{\mathsf{sim}}^{*}$). $\mathcal{A}$ sends $({\mathsf{CT}}^{*}=({\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}),{\mathsf{K}}^{*})$ to $\mathcal{D}$.

In the guess phase, $\mathcal{D}$ outputs its guess. If the guess is “Game 3”, then $\mathcal{A}$ outputs 1; otherwise, it output 0.

Note that if $b=1$, i.e., $\mathsf{stmt}=(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})$ is a true statement or $\mathsf{stmt}=(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})\in {\mathcal{R}}_{\mathcal{L}}$, the above simulation is identical to Game 3 from $\mathcal{D}$’s viewpoint. Otherwise, the above simulation is identical to Game 4. Therefore, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_4\right]-Pr\left[{\mathsf{Win}}_3\right]|\le {ϵ}_{\mathcal{D}}={ϵ}_{\mathsf{IND}-\mathsf{CPA}}^{\mathsf{KEM}}.\end{array}$$

 □

Lemma 2.

If there exists a polynomial time distinguisher $\mathcal{D}$ between Games 5 and 6, then there exists a polynomial time adversary $\mathcal{A}$ that breaks the IND-CPA security of $\mathsf{KEM}$.

Proof 1.

Let $\mathcal{D}$ be a distinguisher between Games 5 and 6. Then, we show how to construct an $\mathcal{A}$ that wins the IND-CPA security game of $\mathsf{KEM}$ using $\mathcal{D}$ with the same advantage.

$\mathcal{A}$ receives a public key $\mathsf{pk}$ as input. Then, $\mathcal{A}$ runs $\mathcal{D}$ by simulating Game 5 with changes as follows.

• In the setup phase, $\mathcal{A}$ sends $\mathsf{PK}=(H_1,H_2,\mathsf{pk})$ to $\mathcal{D}$.
• In the challenge phase, the challenge ciphertext and key $({\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})$ are given to $\mathcal{A}$. Then, $\mathcal{A}$ sets $\mathsf{stmt}=(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})$ and generates a simulated proof ${\pi }_{\mathsf{sim}}^{*}$ on the statement $\mathsf{stmt}$. Moreover, $\mathcal{A}$ randomly chooses ${\mathsf{K}}^{*}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$ and sends $({\mathsf{CT}}^{*}=({\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}),{\mathsf{K}}^{*})$ to $\mathcal{D}$.

In the guess phase, $\mathcal{D}$ outputs its guess. If the guess is “Game 6”, then $\mathcal{A}$ outputs 1; otherwise, it output 0.

Note that if $b=1$, i.e., $\mathsf{stmt}=(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})$ is a true statement or $\mathsf{stmt}=(\mathsf{pk},{\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})\in {\mathcal{R}}_{\mathcal{L}}$, the above simulation is identical to Game 6 from $\mathcal{D}$’s viewpoint. Otherwise, the above simulation is identical to Game 5. Therefore, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_6\right]-Pr\left[{\mathsf{Win}}_5\right]|\le {ϵ}_{\mathcal{D}}={ϵ}_{\mathsf{IND}-\mathsf{CPA}}^{\mathsf{KEM}}.\end{array}$$

 □

This completes the proof of the theorem. □

4. Conversion Method for CCA-Secure IBKEM

4.1. IBKEM

4.1.1. Syntax

An ID-based key encapsulation mechanism $\mathsf{IBKEM}$ consists of four algorithms ($\mathsf{IBKEM}.\mathsf{Setup}$, $\mathsf{IBKEM}.\mathsf{KeyGen}$, $\mathsf{IBKEM}.\mathsf{Encap}$, and $\mathsf{IBKEM}.\mathsf{Decap}$). The setup algorithm $(\mathsf{PP}$, $\mathsf{MSK})$ $\stackrel{\$}{\leftarrow }$ $\mathsf{IBKEM}.\mathsf{Setup}(\lambda )$ takes as input the security parameter $\lambda$ and outputs public parameters $\mathsf{PP}$ and a master secret key $\mathsf{MSK}$. The key generation algorithm ${\mathsf{SK}}_{\mathsf{ID}}$ $\stackrel{\$}{\leftarrow }$ $\mathsf{IBKEM}.\mathsf{KeyGen}(\mathsf{PP},\mathsf{MSK},\mathsf{ID})$ takes as input public parameters $\mathsf{PP}$, the master secret key $\mathsf{MSK}$, and an identity $\mathsf{ID}$, and outputs an identity secret key ${\mathsf{SK}}_{\mathsf{ID}}$. The encapsulation algorithm $(\mathsf{K},\mathsf{CT})$ $\stackrel{\$}{\leftarrow }$ $\mathsf{IBKEM}.\mathsf{Encap}$ $(\mathsf{PP}$, $\mathsf{ID})$ takes as input $\mathsf{PP}$ and $\mathsf{ID}$, and generates a key $\mathsf{K}$ and a ciphertext $\mathsf{CT}$. The decapsulation algorithm $\mathsf{K}$ ← $\mathsf{IBKEM}.\mathsf{Decap}(\mathsf{PP},\mathsf{CT},{\mathsf{SK}}_{\mathsf{ID}}$) takes as input public parameters $\mathsf{PP}$, a ciphertext $\mathsf{CT}$, and an identity secret key ${\mathsf{SK}}_{\mathsf{ID}}$, and then outputs a key $\mathsf{K}$.

4.1.2. Security Model of IBKEM

Here, we define the IND-ID-{CPA,CCA} security of IBKEM by referring to [12]. First, the security experiment of IND-ID-CPA played between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$ is described as follows.

• Experiment Exp${}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA},b}^{\mathsf{IBKEM},\mathcal{A}}$($\lambda$)
• $(\mathsf{PP},\mathsf{MSK})$$\stackrel{\$}{\leftarrow }$$\mathsf{IBKEM}.\mathsf{Setup}(\lambda )$;
• ${\mathsf{ID}}^{*}$←${\mathcal{A}}^{\mathsf{KeyGenO}(·)}$ ($\mathsf{PP}$);
• ${\mathsf{K}}_0^{*}\stackrel{\$}{\leftarrow }\mathcal{K}$; $({\mathsf{K}}_1^{*},{\mathsf{CT}}^{*})\stackrel{\$}{\leftarrow }\mathsf{IBKEM}.\mathsf{Encap}(\mathsf{PP},{\mathsf{ID}}^{*})$;
• $b^{\prime }$ ← ${\mathcal{A}}^{\mathsf{KeyGenO}(·)}$ ($\mathsf{PP}$, ${\mathsf{CT}}^{*}$, ${\mathsf{K}}_b^{*}$);
• Output $b^{\prime }$.

The oracle KeyGen(·) takes as input an identity $\mathsf{ID}$ and returns an identity secret key ${\mathsf{SK}}_{\mathsf{ID}}$ $\stackrel{\$}{\leftarrow }$ $\mathsf{IBKEM}.\mathsf{KeyGen}$ $(\mathsf{MSK}$, $\mathsf{ID})$ with the condition that $\mathcal{A}$ is not able to query the target identity ${\mathsf{ID}}^{*}$. Then, the advantage of $\mathcal{A}$ for breaking the IND-ID-CPA security of IBKEM is defined as ${\mathbf{Adv}}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}^{\mathsf{IBKEM},\mathcal{A}}=|Pr\left[1\leftarrow {\mathbf{Exp}}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA},1}^{\mathsf{IBKEM},\mathcal{A}}(\lambda )\right]-Pr\left[1\leftarrow {\mathbf{Exp}}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA},0}^{\mathsf{IBKEM},\mathcal{A}}(\lambda )\right]|.$

Definition 5.

The $\mathsf{IBKEM}$ scheme is $(t,ϵ,q_{id})$-IND-ID-CPA-secure if for any polynomial time adversary $\mathcal{A}$ that runs in time at most t and issues at most $q_{id}$ key generation queries, then we have ${\mathbf{Adv}}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}^{\mathsf{IBKEM},\mathcal{A}}$ $<ϵ$.

Now, the security experiment of IND-ID-CCA, where the additional decapsulation oracle is given to an adversary $\mathcal{A}$, is described as follows.

• Experiment Exp${}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CCA},b}^{\mathsf{IBKEM},\mathcal{A}}$($\lambda$)
• $(\mathsf{PP},\mathsf{MSK})$$\stackrel{\$}{\leftarrow }$$\mathsf{IBKEM}.\mathsf{Setup}(\lambda )$;
• ${\mathsf{ID}}^{*}$ ← ${\mathcal{A}}^{\mathsf{KeyGenO}(·),\mathsf{DecO}(·)}$ ($\mathsf{PP}$);
• ${\mathsf{K}}_0^{*}\stackrel{\$}{\leftarrow }\mathcal{K}$; $({\mathsf{K}}_1^{*},{\mathsf{CT}}^{*})\stackrel{\$}{\leftarrow }\mathsf{IBKEM}.\mathsf{Encap}(\mathsf{PP},{\mathsf{ID}}^{*})$;
• $b^{\prime }$←${\mathcal{A}}^{\mathsf{KeyGenO}(·),\mathsf{DecO}(·)}$ ($\mathsf{PP}$, ${\mathsf{CT}}^{*}$, ${\mathsf{K}}_b^{*}$);
• Output $b^{\prime }$.

The oracle KeyGen(·) is the same as that in the IND-ID-CPA security game. The additional oracle $\mathsf{DecO}(·)$ takes as input $\mathsf{ID}$ and $\mathsf{CT}$ and returns a key $\mathsf{K}$ ← $\mathsf{IBKEM}.\mathsf{Decap}$ ($\mathsf{PP}$, $\mathsf{CT}$, ${\mathsf{SK}}_{\mathsf{ID}})$, where ${\mathsf{SK}}_{\mathsf{ID}}\stackrel{\$}{\leftarrow }\mathsf{IBKEM}.\mathsf{KeyGen}(\mathsf{PP}$, $\mathsf{MSK}$, $\mathsf{ID})$. The restriction on the oracle $\mathsf{DecO}(·)$ is that $\mathcal{A}$ is not able to query the pair $({\mathsf{ID}}^{*},{\mathsf{CT}}^{*})$. The advantage of $\mathcal{A}$ for breaking the IND-ID-CCA-security of IBKEM is defined as ${\mathbf{Adv}}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CCA}}^{\mathsf{IBKEM},\mathcal{A}}=|Pr\left[1\leftarrow {\mathbf{Exp}}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CCA},1}^{\mathsf{IBKEM},\mathcal{A}}(\lambda )\right]$ $-Pr\left[1\leftarrow {\mathbf{Exp}}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CCA},0}^{\mathsf{IBKEM},\mathcal{A}}(\lambda )\right]|.$

Definition 6.

The $\mathsf{IBKEM}$ scheme is $(t,ϵ,q_{id},q_d)$-IND-ID-CCA-secure if for any polynomial time adversary $\mathcal{A}$ that runs in time at most t and issues at most $q_{id}$ key generation queries and $q_d$ decapsulation queries, then we have ${\mathbf{Adv}}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CCA}}^{\mathsf{IBKEM},\mathcal{A}}$ $<ϵ$.

4.2. Conversion Method

Similar to the previous KEM, this conversion method is for a special case of $\mathsf{IBKEM}$ which is compatible with the $\mathsf{NIZK}$ schemes. We suppose that the $\mathsf{IBKEM}.\mathsf{Encap}$ algorithm takes public parameters $\mathsf{pp}$, an identity $\mathsf{ID}$, and random coins x as inputs and returns a key $\mathsf{k}$ and a ciphertext $\mathsf{ct}$ (e.g., $(\mathsf{k},\mathsf{ct})\leftarrow \mathsf{IBKEM}.\mathsf{Encap}(\mathsf{pp},\mathsf{ID};x))$. Then, we say that an $\mathsf{IBKEM}$ scheme is $\mathsf{NIZK}$-compatible if a tuple $(\mathsf{pp},\mathsf{ID},\mathsf{ct},\mathsf{k})$ can be parsed as the statement for proving a relation for discrete logarithms using the witness x. For instance, the Boneh–Franklin $\mathsf{IBKEM}$ and Boneh–Boyen $\mathsf{IBKEM}$ are $\mathsf{NIZK}$-compatible [12].

Let $\mathsf{IBKEM}$ = $(\mathsf{IBKEM}.\mathsf{Setup}$, $\mathsf{IBKEM}.\mathsf{KeyGen}$, $\mathsf{IBKEM}$.$\mathsf{Encap}$, $\mathsf{IBKEM}.\mathsf{Decap})$ be IND-ID-CPA-secure and $\mathsf{NIZK}$-compatible. Using the IBKEM and NIZK scheme, the generic construction of the CCA-secure ${\mathsf{IBKEM}}^{\prime }$ = $(\mathsf{IBKEM}.{\mathsf{Setup}}^{\prime }$, $\mathsf{IBKEM}.{\mathsf{KeyGen}}^{\prime }$, $\mathsf{IBKEM}$.${\mathsf{Encap}}^{\prime }$, $\mathsf{IBKEM}$.${\mathsf{Decap}}^{\prime })$ by Seo et al. is described as follows.

${\mathsf{IBKEM}.\mathsf{Setup}}^{\prime }$($\lambda$): Given security parameter $\lambda$, the setup algorithm proceeds as follows.

• Generate $\mathsf{msk}$ and $\mathsf{pp}$ by running IBKEM.Setup$(\lambda )$.
• Choose $H_1:{\{0,1\}}^{*}\to {\{0,1\}}^k$ and $H_2:{\{0,1\}}^{*}\to {\{0,1\}}^{\ell }$ for $k,l\in {\mathbb{Z}}^{+}$.
• Output $\mathsf{MSK}=\mathsf{msk}$ and $\mathsf{PP}=(\mathsf{pp},H_1,H_2)$.

${\mathsf{IBKEM}.\mathsf{KeyGen}}^{\prime }$($\mathsf{PP},\mathsf{MSK},\mathsf{ID}$): Given public parameters $\mathsf{PP}=(\mathsf{pp},H_1,H_2)$, a master secret key $\mathsf{MSK}$, and an identity $\mathsf{ID}$, the KeyGen algorithm proceeds as follows.

• Compute ${\mathsf{sk}}_{\mathsf{ID}}\stackrel{\$}{\leftarrow }\mathsf{IBKEM}.\mathsf{KeyGen}(\mathsf{pp},\mathsf{msk},\mathsf{ID})$.
• Set ${\mathsf{SK}}_{\mathsf{ID}}={\mathsf{sk}}_{\mathsf{ID}}$ and output ${\mathsf{SK}}_{\mathsf{ID}}$.

${\mathsf{IBKEM}.\mathsf{Encap}}^{\prime }$($\mathsf{PP},\mathsf{ID}$): Given public parameters $\mathsf{PP}$ = $(\mathsf{pp}$, $H_1$, $H_2)$ and an identity $\mathsf{ID}$, the Encap algorithm proceeds as follows.

• Choose the randomness x and compute $(\mathsf{ct},\mathsf{k})$←$\mathsf{IBKEM}.\mathsf{Encap}$ $(\mathsf{pp},\mathsf{ID};x)$.
• Set $\mathsf{stmt}=(\mathsf{pp},\mathsf{ID},\mathsf{ct},\mathsf{k})$ and $\mathsf{wit}=x$.
• Run $\pi \leftarrow {\mathcal{P}}^{H_1}$($\mathsf{stmt},\mathsf{wit}$).

  (a)

  Choose the randomness r and compute $\mathsf{com}$.

  (b)

  Compute $c=H_1(\mathsf{stmt},\mathsf{com})$ and the relevant s.

  (c)

  Output the proof $\pi =(s,c)$.

• Set $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi ).$
• Output $\mathsf{K}$ and $\mathsf{CT}=(\mathsf{ct},\pi )$.

${\mathsf{IBKEM}.\mathsf{Decap}}^{\prime }$($\mathsf{PP},\mathsf{CT},{\mathsf{SK}}_{\mathsf{ID}}$): Given a public key $\mathsf{PP}=(\mathsf{pp},H_1,H_2)$, a ciphertext $\mathsf{CT}=(\mathsf{ct},\pi =(s,c))$, and a private ${\mathsf{SK}}_{\mathsf{ID}}={\mathsf{sk}}_{\mathsf{ID}}$, the Decap algorithm proceeds as follows.

• Compute $\mathsf{k}\leftarrow \mathsf{IBKEM}.\mathsf{Decap}(\mathsf{pp},\mathsf{ct},{\mathsf{sk}}_{\mathsf{ID}})$.
• Set $\mathsf{stmt}=(\mathsf{pp},\mathsf{ID},\mathsf{ct},\mathsf{k})$.
• If $1\leftarrow {\mathcal{V}}^{H_1}$($\mathsf{stmt},\pi$), go on. Otherwise, abort.

  (a)

  Deterministically compute $\mathsf{com}$.

  (b)

  If $c=H_1(\mathsf{stmt},\mathsf{com})$, output 1. Otherwise, output 0.

• Set $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi )$ and output $\mathsf{K}$.

4.3. Security Proof

Theorem 4.

Let $H_1$ and $H_2$ be modeled as random oracles with ${ϵ}_{\mathsf{CR}}$-collision resistance. Suppose that $\mathsf{IBKEM}$ is $(t^{\prime },{ϵ}^{\prime },q_{id}^{\prime })$-IND-ID-CPA-secure and $\mathsf{NIZK}$-compatible with ${ϵ}_{\mathsf{ZK}}$-zero-knowledge and ${ϵ}_{\mathsf{SS}}$-simulation soundness. Then, the resulting ${\mathsf{IBKEM}}^{\prime }$ is $(t,ϵ,q_{id},q_d)$-IND-ID-CCA-secure, where

$$ϵ\le 2·({ϵ}_{\mathsf{CR}}+{ϵ}_{\mathsf{ZK}}+q_d·{ϵ}_{\mathsf{SS}}+{ϵ}^{\prime })+1/\left|\mathcal{K}\right|,t^{\prime }\approx t+\mathcal{O}(q_d{t}_v).$$

Here, $t_v$ is the required time for verification in the $\mathsf{NIZK}$ and $\mathcal{K}$ is the key space of $\mathsf{IBKEM}$.

Proof. 

We consider a sequence of hybrid games Game 0,…, Game 9. Game 0 is the actual IND-ID-CCA security game, where an adversary is given a key from the encapsulation algorithm for the encapsulation query, and Game 9 is the actual IND-ID-CCA game, where an adversary is given a key randomly chosen from a key space for the encapsulation query. Let ${\mathsf{Win}}_i$ denote the event that $\mathcal{A}$ wins in Game i.

Table 2. Values or operations of ${\mathsf{K}}^{*}$, ${\mathsf{CT}}^{*}$, $\mathsf{SK}$, and DecO(·) in each game and properties ensuring the indistinguishability of consecutive games. $\mathsf{RO}$ + $\mathsf{SS}$ denotes that the simulator retrieves $\mathsf{k}$ from a random oracle table and checks the validity of the ciphertext based on the $\mathsf{SS}$ property.

Game	${\mathsf{K}}^{*}$	${\mathsf{stmt}}^{*}$	${\mathsf{CT}}^{*}$	SK	DecO(·)	Property
0	$H_2({\mathsf{stmt}}^{*},\mathsf{com},{\pi }_{\mathsf{real}}^{*})$	$(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{real}}^{*}$	$\mathsf{sk}$	$\mathsf{IBKEM}.\mathsf{Decap}(·)$	-
1	$H_2({\mathsf{stmt}}^{*},\mathsf{com},{\pi }_{\mathsf{real}}^{*})$	$(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{real}}^{*}$	$\mathsf{sk}$	$\mathsf{IBKEM}.\mathsf{Decap}(·)$	CR
2	$H_2({\mathsf{stmt}}^{*},\mathsf{com},{\pi }_{\mathsf{sim}}^{*})$	$(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	$\mathsf{sk}$	$\mathsf{IBKEM}.\mathsf{Decap}(·)$	ZK
3	$H_2({\mathsf{stmt}}^{*},\mathsf{com},{\pi }_{\mathsf{sim}}^{*})$	$(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	-	$\mathsf{RO}+\mathsf{SS}$	SS
4	$H_2({\mathsf{stmt}}^{*},\mathsf{com},{\pi }_{\mathsf{sim}}^{*})$	$(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{\prime })$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	-	$\mathsf{RO}+\mathsf{SS}$	IND-ID-CPA
5	$\mathsf{K}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$	$(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{\prime })$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	-	$\mathsf{RO}+\mathsf{SS}$	$1/\left|\mathcal{K}\right|$
6	$\mathsf{K}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$	$(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	-	$\mathsf{RO}+\mathsf{SS}$	IND-ID-CPA
7	$\mathsf{K}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$	$(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*}$	$\mathsf{sk}$	$\mathsf{IBKEM}.\mathsf{Decap}(·)$	SS
8	$\mathsf{K}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$	$(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{real}}^{*}$	$\mathsf{sk}$	$\mathsf{IBKEM}.\mathsf{Decap}(·)$	ZK
9	$\mathsf{K}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$	$(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{*})$	${\mathsf{ct}}^{*},{\pi }_{\mathsf{real}}^{*}$	$\mathsf{sk}$	$\mathsf{IBKEM}.\mathsf{Decap}(·)$	CR

summarizes the games described below and the properties used to prove indistinguishability between consecutive games.

Game 0. This is the $\mathsf{IND}$-$\mathsf{ID}$-$\mathsf{CCA}$ security game executed with $b=1$. Thus, the challenger always returns $({\mathsf{CT}}^{*},{\mathsf{K}}^{*})$ $=\mathsf{IBKEM}.{\mathsf{Encap}}^{\prime }(\mathsf{PP},{\mathsf{ID}}^{*})$ for the challenge.

Game 1. Let $\mathsf{Coll}$ be the event that a collision of the hash functions $H_1$ or $H_2$ occurs. This game is identical to Game 0 except that it aborts when the event $\mathsf{Coll}$ occurs during the simulation. Due to the collision resistance of the hash functions, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_1\right]-Pr\left[{\mathsf{Win}}_0\right]|\le {ϵ}_{\mathsf{CR}}.\end{array}$$

Game 2. This game is identical to Game 1 except that the challenge ciphertext is computed differently. Instead of using the real proving algorithm of $\mathsf{NIZK}$, the challenger generates challenge ciphertext using the simulator of $\mathsf{NIZK}$ (i.e., ${\mathsf{CT}}^{*}=({\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*})$). Due to the non-interactive zero-knowledge property of $\mathsf{NIZK}$, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_2\right]-Pr\left[{\mathsf{Win}}_1\right]|\le {ϵ}_{\mathsf{ZK}}.\end{array}$$

Game 3. This game is identical to Game 2 except that the decapsulation query is operated differently. In the previous game, for a given pair $\left(\mathsf{CT}=(\mathsf{ct},\pi =(s,c)),\mathsf{ID}\right)$, the challenger runs ${\mathsf{SK}}_{\mathsf{ID}}\stackrel{\$}{\leftarrow }\mathsf{IBKEM}.{\mathsf{KeyGen}}^{\prime }$ $(\mathsf{PP},\mathsf{MSK},\mathsf{ID})$, computes $\mathsf{K}\stackrel{\$}{\leftarrow }\mathsf{IBKEM}.{\mathsf{Decap}}^{\prime }(\mathsf{PP}$, $\mathsf{CT}$, ${\mathsf{SK}}_{\mathsf{ID}})$, and returns $\mathsf{K}$. In this game, if $\mathsf{ID}={\mathsf{ID}}^{*}$, the challenger retrieves a tuple $(\mathsf{stmt},\mathsf{com},c)$ in the $H_1$ hash table such that $c=H_1\left(\mathsf{stmt}=(\mathsf{pp},{\mathsf{ID}}^{*},\mathsf{ct},\star ),\mathsf{com}=({\mathsf{com}}_{\mathsf{ct}},\star )\right)$; then, it returns $\mathsf{K}=H_2(\mathsf{stmt},\mathsf{com},\pi )$ only when these statement $\mathsf{stmt}$, commitment $\mathsf{com}$, challenge c, and response s are verified (i.e., $1\leftarrow \mathcal{V}$($\mathsf{stmt},\mathsf{com},c,s$)). Otherwise, if $\mathsf{ID}\ne {\mathsf{ID}}^{*}$, it generates ${\mathsf{SK}}_{\mathsf{ID}}$ using $\mathsf{MSK}$ and decapsulates the ciphertext $\mathsf{CT}$ using ${\mathsf{SK}}_{\mathsf{ID}}$, as in the previous game.

Note that an adversary cannot distinguish Game 3 from Game 2 unless it queries a ciphertext $\widetilde{\mathsf{CT}}=(\widetilde{\mathsf{ct}},\tilde{\pi }=(\tilde{s},\tilde{c}))$ such that proof $\tilde{\pi }$ is verified with a retrieved tuple $(\widetilde{\mathsf{stmt}},\widetilde{\mathsf{com}},\tilde{c})$ in $H_1$ (i.e., $1\leftarrow \mathcal{V}$($\widetilde{\mathsf{stmt}}$, $\widetilde{\mathsf{com}}$, $\tilde{c}$, $\tilde{s}$)) and $\widetilde{\mathsf{stmt}}$ is a false statement. In other words, the adversary must forge a proof $\tilde{\pi }$ for a false statement $\widetilde{\mathsf{stmt}}$ to distinguish the games. Then, by the simulation soundness of $\mathsf{NIZK}$ with respect to $q_d$ decapsulation queries, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_3\right]-Pr\left[{\mathsf{Win}}_2\right]|\le q_d·{ϵ}_{\mathsf{SS}}.\end{array}$$

Game 4. This game is identical to Game 3 except that the challenge ciphertexts are computed differently. In the challenge phase, the challenger randomly selects ${\mathsf{k}}^{\prime }$ instead of computing ${\mathsf{k}}^{*}\leftarrow \mathsf{IBKEM}.\mathsf{Encap}(\mathsf{pp},{\mathsf{ID}}^{*};x)$. The other procedures are the same as in Game 3. Finally, it outputs $({\mathsf{CT}}^{*},{\mathsf{K}}^{*})$. We can show that a distinguisher between Game 4 and Game 3 implies an adversary that breaks the IND-ID-CPA security of the $\mathsf{IBKEM}$ scheme. For the sake of simplicity, we prove this later. Then, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_4\right]-Pr\left[{\mathsf{Win}}_3\right]|\le {ϵ}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}^{\mathsf{IBKEM}}.\end{array}$$

Game 5. This game is identical to Game 4 except that it is executed with $b=0$. In other words, the challenger always returns ${\mathsf{K}}^{*}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$ instead of computing ${\mathsf{K}}^{*}=H_2(\mathsf{stmt}=(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{\prime })$, $\mathsf{com}=({\mathsf{com}}_{\mathsf{sim}}^{{\mathsf{ct}}^{*}}$, ${\mathsf{com}}_{\mathsf{sim}}^{{\mathsf{k}}^{\prime }})$, ${\pi }_{\mathsf{sim}}^{*}=(s,c))$. $\mathcal{A}$ cannot distinguish Game 5 from Game 4 unless $\mathcal{A}$ queries the tuple $(\mathsf{stmt}=(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}^{\prime })$, $\mathsf{com}=({\mathsf{com}}_{\mathsf{sim}}^{{\mathsf{ct}}^{*}}$, ${\mathsf{com}}_{\mathsf{sim}}^{{\mathsf{k}}^{\prime }})$, ${\pi }_{\mathsf{sim}}^{*}=(s,c))$ to the $H_2$ oracle. Note that ${\mathsf{k}}^{\prime }$ is random from $\mathcal{A}$’s viewpoint because ${\mathsf{ct}}^{*}$ is independent of ${\mathsf{k}}^{\prime }$. Therefore, the probability that $\mathcal{A}$ queries the tuple to the $H_2$ oracle is $1/\left|\mathcal{K}\right|$. Then, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_5\right]-Pr\left[{\mathsf{Win}}_4\right]|\le 1/|\mathcal{K}|.\end{array}$$

Game 6. This game is identical to Game 5 except that the challenge ciphertexts are computed differently. In the challenge phase, the challenger uses back ${\mathsf{k}}^{*}\leftarrow \mathsf{IBKEM}.\mathsf{Encap}(\mathsf{pp},$ ${\mathsf{ID}}^{*};x)$. The other procedures are the same as in Game 5. Finally, it outputs $({\mathsf{CT}}^{*},{\mathsf{K}}^{*})$. Like the case between Game 4 and Game 3, we can show that a distinguisher between Game 6 and Game 5 implies an adversary that breaks the IND-ID-CPA security of the $\mathsf{IBKEM}$ scheme. For the sake of simplicity, we prove this later. Then, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_6\right]-Pr\left[{\mathsf{Win}}_5\right]|\le {ϵ}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}^{\mathsf{IBKEM}}.\end{array}$$

Game 7. This game is identical to Game 6 except that the decapsulation query is operated differently. In this game, the challenger changes the operation of decapsulation query back to normal. For a given pair $(\mathsf{CT},\mathsf{ID})$, the challenger generates ${\mathsf{SK}}_{\mathsf{ID}}$ using $\mathsf{MSK}$ and decapsulates the ciphertext $\mathsf{CT}$ using ${\mathsf{SK}}_{\mathsf{ID}}$. Like the case between Game 3 and Game 2, $\mathcal{A}$ cannot distinguish Game 7 from Game 6 unless it submits a ciphertext with a forged proof for a false statement. Then, by the simulation soundness of $\mathsf{NIZK}$ with respect to $q_d$ decapsulation queries, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_7\right]-Pr\left[{\mathsf{Win}}_6\right]|\le q_d·{ϵ}_{\mathsf{SS}}.\end{array}$$

Game 8. This game is identical to Game 7 except that the challenge ciphertext is computed differently. The challenger uses the real proving algorithm for $\mathsf{NIZK}$ instead of using simulated proofs. Due to the zero-knowledge property of $\mathsf{NIZK}$, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_8\right]-Pr\left[{\mathsf{Win}}_7\right]|\le {ϵ}_{\mathsf{ZK}}.\end{array}$$

Game 9. This game is identical to Game 8 but it does not abort when the event $\mathsf{Coll}$ occurs during the simulation. Due to the collision resistance of the hash functions, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_9\right]-Pr\left[{\mathsf{Win}}_8\right]|\le {ϵ}_{\mathsf{CR}}.\end{array}$$

Note that Game 9 is identical to the $\mathsf{IND}$-$\mathsf{ID}$-$\mathsf{CCA}$ security game executed with $b=0$. Then, we have

$$\begin{array}{cc}\hfill |Pr& \left[{\mathsf{Win}}_0\right]-Pr\left[{\mathsf{Win}}_9\right]|\le 2·({ϵ}_{\mathsf{CR}}+{ϵ}_{\mathsf{ZK}}+q_d·{ϵ}_{\mathsf{SS}}+{ϵ}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}^{\mathsf{IBKEM}})+1/\left|{\mathcal{K}}^{\mathsf{KEM}}\right|.\hfill \end{array}$$

Lemma 3.

If there exists a polynomial time distinguisher $\mathcal{D}$ between Game 3 and Game 4, then there exists a polynomial time adversary $\mathcal{A}$ that breaks the IND-ID-CPA security of $\mathsf{IBKEM}$.

Proof. 

Let $\mathcal{D}$ be a distinguisher between Game 3 and Game 4. Then, we show how to construct $\mathcal{A}$ so that it wins the IND-ID-CPA security game of $\mathsf{IBKEM}$ using $\mathcal{D}$ with the same advantage.

$\mathcal{A}$ receives as input a public parameter $\mathsf{pp}$. Then, $\mathcal{A}$ runs $\mathcal{D}$ by simulating Game 3 with changes as follows.

• In the setup phase, $\mathcal{A}$ sends $\mathsf{PP}=(\mathsf{pp},H_1,H_2)$ to $\mathcal{D}$.
• When asked a decapsulation query (CT,ID), if $\mathsf{ID}\ne {\mathsf{ID}}^{*}$, $\mathcal{A}$ queries $\mathsf{ID}$ for key generation oracle of its challenger, decapsulates $\mathsf{CT}$, and returns it to $\mathcal{D}$. Otherwise, if $\mathsf{ID}\ne {\mathsf{ID}}^{*}$, the procedure is the same as in Game 3.
• In the challenge phase, the distinguisher $\mathcal{D}$ sends ${\mathsf{ID}}^{*}$ to $\mathcal{A}$. Then, $\mathcal{A}$ sends ${\mathsf{ID}}^{*}$ to its challenger and receives the challenge ciphertext and key pair. Given the pair $({\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})$, $\mathcal{A}$ sets $\mathsf{stmt}=(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})$ and generates simulated proof ${\pi }_{\mathsf{sim}}^{*}$ on the statement $\mathsf{stmt}$. Furthermore, $\mathcal{A}$ sets ${\mathsf{K}}^{*}=H_2(\mathsf{stmt},{\mathsf{com}}_{\mathsf{sim}},{\pi }_{\mathsf{sim}}^{*})$, where ${\mathsf{com}}_{\mathsf{sim}}$ is deterministically computed commitment from ($\mathsf{stmt},{\pi }_{\mathsf{sim}}^{*}$), and sends $({\mathsf{CT}}^{*}=({\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*})$, ${\mathsf{K}}^{*})$ to $\mathcal{D}$.

In the guess phase, $\mathcal{D}$ outputs its guess. If the guess is “Game 3”, $\mathcal{A}$ outputs 1; otherwise, it output 0.

Note that if $b=1$, i.e., $\mathsf{stmt}=(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})$ is a true statement or $\mathsf{stmt}=(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},$ ${\mathsf{k}}_b^{*})\in {\mathcal{R}}_{\mathcal{L}}$, the above simulation is identical to Game 3 from $\mathcal{D}$’s viewpoint. Otherwise, the above simulation is identical to Game 4. Therefore, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_4\right]-Pr\left[{\mathsf{Win}}_3\right]|\le {ϵ}_{\mathcal{D}}={ϵ}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}^{\mathsf{IBKEM}}.\end{array}$$

 □

Lemma 4.

If there exists a polynomial time distinguisher $\mathcal{D}$ between Game 5 and Game 6, then there exists a polynomial time adversary $\mathcal{A}$ that breaks the IND-ID-CPA security of $\mathsf{IBKEM}$.

Proof. 

Let $\mathcal{D}$ be a distinguisher between Game 5 and Game 6. Then, we show how to construct $\mathcal{A}$ that wins the IND-ID-CPA security game of $\mathsf{IBKEM}$ using $\mathcal{D}$ with the same advantage.

$\mathcal{A}$ receives as input a public parameter $\mathsf{pp}$. Then, $\mathcal{A}$ runs $\mathcal{D}$ by simulating Game 5 with changes as follows.

• In the setup phase, $\mathcal{A}$ sends $\mathsf{PP}=(\mathsf{pp},H_1,H_2)$ to $\mathcal{D}$.
• When asked a decapsulation query (CT,ID), if $\mathsf{ID}\ne {\mathsf{ID}}^{*}$, $\mathcal{A}$ queries $\mathsf{ID}$ for key generation oracle of its challenger, decapsulates $\mathsf{CT}$, and returns it to $\mathcal{D}$. Otherwise, if $\mathsf{ID}\ne {\mathsf{ID}}^{*}$, the procedure is the same as in Game 3.
• In the challenge phase, the distinguisher $\mathcal{D}$ sends ${\mathsf{ID}}^{*}$ to $\mathcal{A}$. Then, $\mathcal{A}$ sends ${\mathsf{ID}}^{*}$ to its challenger and receives the challenge ciphertext and key pair. Given the pair $({\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})$, $\mathcal{A}$ sets $\mathsf{stmt}=(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})$ and generates simulated proof ${\pi }_{\mathsf{sim}}^{*}$ on the statement $\mathsf{stmt}$. Then, $\mathcal{A}$ randomly chooses ${\mathsf{K}}^{*}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\ell }$ and sends $({\mathsf{CT}}^{*}=({\mathsf{ct}}^{*},{\pi }_{\mathsf{sim}}^{*})$, ${\mathsf{K}}^{*})$ to $\mathcal{D}$.

In the guess phase, $\mathcal{D}$ outputs its guess. If the guess is “Game 6”, $\mathcal{A}$ outputs 1; otherwise, it output 0.

Note that if $b=1$, i.e., $\mathsf{stmt}=(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},$ ${\mathsf{k}}_b^{*})$ is a true statement or $\mathsf{stmt}=(\mathsf{pp},{\mathsf{ID}}^{*},{\mathsf{ct}}^{*},{\mathsf{k}}_b^{*})\in {\mathcal{R}}_{\mathcal{L}}$, the above simulation is identical to Game 6 from $\mathcal{D}$’s viewpoint. Otherwise, the above simulation is identical to Game 5. Therefore, we have

$$\begin{array}{c}\hfill |Pr\left[{\mathsf{Win}}_6\right]-Pr\left[{\mathsf{Win}}_5\right]|\le {ϵ}_{\mathcal{D}}={ϵ}_{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}^{\mathsf{IBKEM}}.\end{array}$$

 □

This completes the proof of the theorem. □

5. Application

In this section, we review the applications described by Seo et al. [12].

5.1. CCA-Secure ElGamal KEM

Let ${\mathsf{GGen}}^{\mathsf{DDH}}(\lambda )$ be a group generator generating a group $\mathcal{G}=(\mathbb{G},p,g)$, where the $\mathsf{DDH}$ assumption holds. In the ElGamal $\mathsf{KEM}$, a public key consists of two group elements $(g,h=g^x)\in {\mathbb{G}}^2$ with corresponding private key $x\in {\mathbb{Z}}_p$. The encapsulation is done by computing $\mathsf{ct}=g^w\in \mathbb{G}$ and $\mathsf{k}=h^w\in \mathbb{G}$, and decapsulation is done by computing $\mathsf{k}={(\mathsf{ct})}^x\in \mathbb{G}$. Based on this scheme, the transformed IND-CCA-secure scheme is described as follows.

$\mathsf{KEM}.\mathsf{Gen}$($\lambda$): For a security parameter $\lambda$, the setup algorithm proceeds as follows.

• Generate $\mathcal{G}=(\mathbb{G},p,g)$ by running GGen$(\lambda )$.
• Choose a random exponent $x\in {\mathbb{Z}}_p$ and set $h=g^x\in \mathbb{G}$.
• Choose hash functions $H_1:{\{0,1\}}^{*}\to {\{0,1\}}^k\subseteq {\mathbb{Z}}_p$ and $H_2:{\{0,1\}}^{*}\to {\{0,1\}}^{\ell }$.
• Output $\mathsf{SK}=x$ and $\mathsf{PK}=(\mathbb{G},p,g,h,H_1,H_2)$.

$\mathsf{KEM}.\mathsf{Encap}$($\mathsf{PK}$): For a public key $\mathsf{PK}=(\mathbb{G}$, p, g, h, $H_1$, $H_2)$, the Encap algorithm proceeds as follows.

• Choose the random exponent $w\in {\mathbb{Z}}_p$.
• Set $\mathsf{stmt}=(g,h,g^w,h^w)$ and $\mathsf{wit}=w$.
• Compute $\pi \leftarrow {\mathcal{P}}^{H_1}$($\mathsf{stmt},\mathsf{wit}$).

  (a)

  Choose the random exponent $r\in {\mathbb{Z}}_p$ and set $\mathsf{com}=(g^r,h^r)\in {\mathbb{G}}^2$.

  (b)

  Set $c=H_1(\mathsf{stmt},\mathsf{com})$ and $s=r+wc\in {\mathbb{Z}}_p$.

  (c)

  Output the proof $\pi =(s,c)$.

• Set $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi ).$
• Output $\mathsf{K}$ and $\mathsf{CT}=(g^w,\pi )$.

$\mathsf{KEM}.\mathsf{Decap}$($\mathsf{PK},\mathsf{CT},\mathsf{SK}$): For a public key $\mathsf{PK}$ = $(\mathbb{G}$, p, g, h, $H_1$, $H_2)$, a ciphertext $\mathsf{CT}=(\mathsf{ct},\pi =(s,c))$, and a private $\mathsf{SK}=x$, the Decap algorithm proceeds as follows.

• Set $\mathsf{k}={(\mathsf{ct})}^x$ and $\mathsf{stmt}=(g,h,\mathsf{ct},\mathsf{k})\in {\mathbb{G}}^4$.
• If $1\leftarrow {\mathcal{V}}^{H_1}$($\mathsf{stmt},\pi$), go on. Otherwise, abort.

  (a)

  Set $\mathsf{com}=(g^s·{\mathsf{ct}}^{-c},h^s·{\mathsf{k}}^{-c})\in {\mathbb{G}}^2$.

  (b)

  If $c=H_1(\mathsf{stmt},\mathsf{com})$, output 1. Otherwise, output 0.

• Set $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi )$ and output $\mathsf{K}$.

Theorem 5.

Suppose that the $(t_{ddh},{ϵ}_{ddh})$ DDH assumption holds in $\mathcal{G}$, and $H_1$ and $H_2$ are random oracles. Then, the ElGamal KEM is $(t,ϵ,q_d)$-IND-CCA-secure, where

$$\begin{array}{cc}\hfill & ϵ\le \frac{{ϵ}_{ddh}}{2}+\frac{q_{H_1}^2}{2^{k-1}}+\frac{q_{H_2}^2}{2^{\ell -1}}+\frac{2q_{H_1}^2+2q_d·(q_{H_1}+q_{H_1}^2)+1}{p},t_{ddh}\approx t+\mathcal{O}(q_d{t}_e).\hfill \end{array}$$

Here, $\{q_{H_1},q_{H_2}\}$ are the numbers of $\{H_1,H_2\}$ queries, $t_e$ is the required time for exponentiation in $\mathcal{G}$, and p is the group order.

Proof. 

We can obtain the proof by applying Theorem 3 to the facts that ${ϵ}^{\prime }\le {ϵ}_{ddh}$, $t_{ddh}\approx t^{\prime }$, ${ϵ}_{\mathsf{ZK}}\le q_{H_1}^2/p$, and ${ϵ}_{\mathsf{SS}}\le (q_{H_1}+q_{H_1}^2)/p$. Moreover, we use the fact that $t_v$ becomes similar to $t_e$ in Theorem 3. □

5.2. CCA-Secure Linear KEM

Let ${\mathsf{GGen}}^{\mathsf{DLIN}}(\lambda )$ be a group generator generating a group $\mathcal{G}=(\mathbb{G},p)$, where the decision linear assumption [21] holds. In the linear $\mathsf{KEM}$, a public key consists of three group elements $(g_1,g_2,h)\in {\mathbb{G}}^3$ such that $h=g_1^{x_1}=g_2^{x_2}$ with corresponding private key $(x_1,x_2)\in {\mathbb{Z}}_p^2$. The encapsulation is done by computing $\mathsf{ct}=(g_1^{w_1},g_2^{w_2})\in \mathbb{G}$ and $\mathsf{k}=h^{w_1+w_2}\in \mathbb{G}$, and decapsulation is done by computing $\mathsf{k}={(g_1^{w_1})}^{x_1}{(g_2^{w_2})}^{x_2}\in \mathbb{G}$. Based on this scheme, the transformed IND-CCA-secure scheme is described as follows.

$\mathsf{KEM}.\mathsf{Gen}$($\lambda$): For security parameter $\lambda$, the setup algorithm proceeds as follows.

• Generate $\mathcal{G}=(\mathbb{G},p)$ by running ${\mathsf{GGen}}^{\mathsf{DLIN}}(\lambda )$.
• Choose a random generator $g_1\in \mathbb{G}$ and a random exponent $x_1\in {\mathbb{Z}}_p$.
• Choose a random exponent t and set $g_2=g_1^t\in \mathbb{G}$ and $x_2=x_1{t}^{-1}\in {\mathbb{Z}}_p$ such that $g_1^{x_1}=g_2^{x_2}=h$ for some $h\in \mathbb{G}$.
• Choose hash functions $H_1:{\{0,1\}}^{*}\to {\{0,1\}}^k\subseteq {\mathbb{Z}}_p$ and $H_2:{\{0,1\}}^{*}\to {\{0,1\}}^{\ell }$.
• Output $\mathsf{SK}=(x_1,x_2)$ and $\mathsf{PK}=(\mathbb{G},p,g_1,g_2$, h, $H_1$, $H_2)$.

$\mathsf{KEM}.\mathsf{Encap}$($\mathsf{PK}$): For a public key $\mathsf{PK}$ = $(\mathbb{G}$, p, $g_1$, $g_2$, h, $H_1$, $H_2)$, the Encap algorithm proceeds as follows.

• Choose random exponents $w_1,w_2\in {\mathbb{Z}}_p$.
• Set $\mathsf{stmt}=(g_1,g_2,h,g_1^{w_1},g_2^{w_2},h^{w_1+w_2})$ and $\mathsf{wit}=(w_1,w_2)$.
• Compute $\pi \leftarrow {\mathcal{P}}^{H_1}$($\mathsf{stmt},\mathsf{wit}$).

  (a)

  Choose random exponents $r_1,r_2\in {\mathbb{Z}}_p$.

  (b)

  Set $\mathsf{com}=(g_1^{r_1},g_2^{r_2},h^{r_1+r_2})\in {\mathbb{G}}^3$.

  (c)

  Compute $c=H_1(\mathsf{stmt},\mathsf{com})$ and $s_1=r_1+w_{1}c$, $s_2=r_2+w_{2}c\in {\mathbb{Z}}_p$.

  (d)

  Output the proof $\pi =(s_1,s_2,c)$.

• Set $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi ).$
• Output $\mathsf{K}$ and $\mathsf{CT}=(g_1^{w_1},g_2^{w_2},\pi )$.

$\mathsf{KEM}.\mathsf{Decap}$($\mathsf{PK},\mathsf{CT},\mathsf{SK}$): For a public key $\mathsf{PK}$ = $(\mathbb{G}$, p, $g_1$, $g_2$, h, $H_1$, $H_2)$, a ciphertext $\mathsf{CT}=({\mathsf{ct}}_1,{\mathsf{ct}}_2,\pi =(s_1,s_2,c))$, and a private $\mathsf{SK}=(x_1,x_2)$, the Decap algorithm proceeds as follows.

• Compute $\mathsf{k}={\mathsf{ct}}_1^{x_1}{\mathsf{ct}}_2^{x_2}\in \mathbb{G}$ and set $\mathsf{stmt}=(g_1$, $g_2$, h, ${\mathsf{ct}}_1$, ${\mathsf{ct}}_2$, $\mathsf{k})$.
• If $1\leftarrow {\mathcal{V}}^{H_1}$($\mathsf{stmt},\pi$), go on. Otherwise, abort.

  (a)

  Set $\mathsf{com}=(g_1^{s_1}·{\mathsf{ct}}_1^{-c},g_2^{s_2}·{\mathsf{ct}}_2^{-c},h^{(s_1+s_2)}·{\mathsf{k}}^{-c})\in {\mathbb{G}}^3$.

  (b)

  If $c=H_1(\mathsf{stmt},\mathsf{com})$, output 1. Otherwise, output 0.

• Set $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi )$ and output $\mathsf{K}$.

Theorem 6.

Suppose that the $(t_{dlin},{ϵ}_{dlin})$ decision linear assumption holds in $\mathcal{G}$, and $H_1$ and $H_2$ are random oracles. Then, the linear KEM is $(t,ϵ,q_d)$-IND-CCA-secure, where

$$\begin{array}{cc}\hfill & ϵ\le \frac{{ϵ}_{dlin}}{2}+\frac{q_{H_1}^2}{2^{k-1}}+\frac{q_{H_2}^2}{2^{\ell -1}}+\frac{2q_{H_1}^2+2q_d·(q_{H_1}+q_{H_1}^2)+1}{p},t_{dlin}\approx t+\mathcal{O}(q_d{t}_e).\hfill \end{array}$$

Here, $\{q_{H_1},q_{H_2}\}$ are the numbers of $\{H_1,H_2\}$ queries, $t_e$ is the required time for exponentiation in $\mathcal{G}$, and p is the group order.

Proof. 

We can obtain the proof by applying Theorem 3 to the facts that ${ϵ}^{\prime }\le {ϵ}_{dlin}$, $t_{dlin}\approx t^{\prime }$, ${ϵ}_{\mathsf{ZK}}\le q_{H_1}^2/p$, and ${ϵ}_{\mathsf{SS}}\le (q_{H_1}+q_{H_1}^2)/p$. Moreover, we use the fact that $t_v$ becomes similar to $t_e$ in Theorem 3. □

5.3. CCA-Secure Boneh–Franklin IBKEM

Let ${\mathsf{GGen}}^{\mathsf{DBDH}}(\lambda )$ be a bilinear group generator generating a group $\mathcal{G}=({\mathbb{G}}_1,{\mathbb{G}}_2$, ${\mathbb{G}}_T,p,e)$, where the DBDH assumption [22,23] holds. In the Boneh–Franklin $\mathsf{IBKEM}$ [22], public parameters consist of two group elements $(g,h)\in {\mathbb{G}}_2^2$ such that $h=g^x$ with corresponding master secret key $x\in {\mathbb{Z}}_p$. For an identity $\mathsf{ID}$, the secret key is generated by computing ${\mathsf{sk}}_{\mathsf{ID}}=H{(\mathsf{ID})}^x\in {\mathbb{G}}_1$. The encapsulation is done by computing $\mathsf{ct}=g^w\in {\mathbb{G}}_2$ and $\mathsf{k}=e{(H(\mathsf{ID}),h)}^w\in {\mathbb{G}}_T$, and decapsulation is done by computing $\mathsf{k}=e(H{(\mathsf{ID})}^x,\mathsf{ct})\in {\mathbb{G}}_T$. Based on this scheme, the transformed IND-CCA-secure scheme is described as follows.

$\mathsf{IBKEM}.\mathsf{Setup}$($\lambda$): For security parameter $\lambda$, the setup algorithm proceeds as follows.

• Generate $\mathcal{G}=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,p,e)$ $\stackrel{\$}{\leftarrow }$ ${\mathsf{GGen}}^{\mathsf{DBDH}}(\lambda )$.
• Select a random generator $g\in {\mathbb{G}}_2$.
• Select a random exponent $x\in {\mathbb{Z}}_p$ and compute $h=g^x\in {\mathbb{G}}_2$.
• Select hash functions $H:{\{0,1\}}^{*}\to {\mathbb{G}}_1$, $H_1:{\{0,1\}}^{*}$→${\{0,1\}}^k$⊆${\mathbb{Z}}_p$ and $H_2:{\{0,1\}}^{*}\to {\{0,1\}}^{\ell }$.
• Output $\mathsf{MSK}=x$ and $\mathsf{PP}=(\mathcal{G},g,h,H,H_1,H_2)$.

$\mathsf{IBKEM}.\mathsf{KeyGen}$($\mathsf{PP},\mathsf{MSK},\mathsf{ID}$): For public parameters $\mathsf{PP}=(\mathcal{G},g,h,H,H_1,H_2)$, a master secret key $\mathsf{MSK}=x$, and an identity $\mathsf{ID}$, the KeyGen algorithm proceeds as follows.

• Compute ${\mathsf{SK}}_{\mathsf{ID}}=H{(\mathsf{ID})}^x\in {\mathbb{G}}_1$.
• Output ${\mathsf{SK}}_{\mathsf{ID}}$.

$\mathsf{IBKEM}.\mathsf{Encap}$($\mathsf{PP},\mathsf{ID}$): For public parameters $\mathsf{PP}$ = $(\mathcal{G}$, g, h, H, $H_1$, $H_2)$ and an identity $\mathsf{ID}$, the Encap algorithm proceeds as follows.

• Select a random exponent $w\in {\mathbb{Z}}_p$.
• Compute $Q_{\mathsf{ID}}=e(H(ID),h)\in {\mathbb{G}}_T$.
• Set $\mathsf{stmt}=(g,h,\mathsf{ID},g^w,Q_{\mathsf{ID}}^w)$ and $\mathsf{wit}=w$.
• Compute $\pi \leftarrow {\mathcal{P}}^{H_1}$($\mathsf{stmt},\mathsf{wit}$).

  (a)

  Choose the random exponent $r\in {\mathbb{Z}}_p$.

  (b)

  Set $\mathsf{com}=(g^r,Q_{\mathsf{ID}}^r)\in {\mathbb{G}}_2\times {\mathbb{G}}_T$.

  (c)

  Compute $c=H_1(\mathsf{stmt},\mathsf{com})$ and $s=r+wc$.

  (d)

  Output the proof $\pi =(s,c)$.

• Set $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi ).$
• Output $\mathsf{K}$ and $\mathsf{CT}=(g^w,\pi )$.

$\mathsf{IBKEM}.\mathsf{Decap}$($\mathsf{PP},\mathsf{CT},{\mathsf{SK}}_{\mathsf{ID}}$): For public parameters $\mathsf{PP}$ = $(\mathcal{G},g,h,H,H_1,H_2)$, a ciphertext $\mathsf{CT}=(\mathsf{ct},\pi =(s,c))$, and a private ${\mathsf{SK}}_{\mathsf{ID}}$, the Decap algorithm proceeds as follows.

• Compute $\mathsf{k}=e({\mathsf{SK}}_{\mathsf{ID}},\mathsf{ct})\in {\mathbb{G}}_T$.
• Set $\mathsf{stmt}=(g,h,\mathsf{ID},\mathsf{ct},\mathsf{k})$.
• If $1\leftarrow {\mathcal{V}}^{H_1}$($\mathsf{stmt},\pi$), go on. Otherwise, abort.

  (a)

  Compute $Q_{\mathsf{ID}}=e(H(\mathsf{ID}),h)\in {\mathbb{G}}_T$.

  (b)

  Set $\mathsf{com}=(g^s·{\mathsf{ct}}^{-c}$, $Q_{\mathsf{ID}}^s·{\mathsf{k}}^{-c})\in {\mathbb{G}}_2\times {\mathbb{G}}_T$.

  (c)

  If $c=H_1(\mathsf{stmt},\mathsf{com})$, output 1. Otherwise, output 0.

• Compute $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi )$ and output $\mathsf{K}$.

Theorem 7.

Suppose that the $(t_{dbdh},{ϵ}_{dbdh})$ DBDH assumption holds in $\mathcal{G}$, and $H_1$ and $H_2$ are random oracles. Then, the Boneh–Franklin IBKEM is $(t,ϵ,q_{id},q_d)$-IND-ID-CCA-secure, where

$$\begin{array}{cc}\hfill & ϵ\le \frac{e(1+q_{id}){ϵ}_{dbdh}}{2}+\frac{q_{H_1}^2}{2^{k-1}}+\frac{q_{H_2}^2}{2^{\ell -1}}+\frac{2q_H^2+2q_{H_1}^2+2q_d·(q_{H_1}+q_{H_1}^2)+1}{p},t_{dbdh}\approx t+\mathcal{O}((q_{id}+q_H+q_d)t_e).\hfill \end{array}$$

Here, $\{q_H,q_{H_1},q_{H_2}\}$ are the numbers of $\{H,H_1,H_2\}$ queries, $t_e$ is the required time for exponentiation in $\mathcal{G}$, and p is the group order.

Proof. 

We can obtain the proof by applying Theorem 4 to the facts that ${ϵ}^{\prime }\le e(1+q_{id}){ϵ}_{dbdh}$, $t_{dbdh}\approx t^{\prime }+\mathcal{O}((q_{id}+q_H)t_e)$, ${ϵ}_{\mathsf{ZK}}\le q_{H_1}^2/p$, and ${ϵ}_{\mathsf{SS}}\le (q_{H_1}+q_{H_1}^2)/p$. Moreover, we use the fact that $t_v$ becomes similar to $t_e$ in Theorem 4. □

5.4. CCA-Secure Boneh–Boyen IBKEM

Let ${\mathsf{GGen}}^{\mathsf{DBDH}}(\lambda )$ be a bilinear group generator generating a group $\mathcal{G}=({\mathbb{G}}_1,{\mathbb{G}}_2$, ${\mathbb{G}}_T,p,e)$, where the DBDH assumption holds. In the Boneh–Boyen $\mathsf{IBKEM}$ [24], public parameters consist of four group elements $(g_1,y_1,y_2,\mathsf{\Lambda }=e{(g_1,g_2)}^{\alpha })\in {\mathbb{G}}_1^3\times {\mathbb{G}}_T$ such that $y_1=g_1^x$, $y_2=g_1^y$ with corresponding master secret key $(g_2,x,y,\alpha )\in {\mathbb{G}}_2\times {\mathbb{Z}}_p^3$. For an identity $\mathsf{ID}$, the secret key is generated by computing ${\mathsf{sk}}_{\mathsf{ID}}=(d_1,d_2)=(g_2^{\alpha +(x+H(\mathsf{ID})y)t},g_2^t)\in {\mathbb{G}}_2^2$. The encapsulation is done by computing $\mathsf{ct}=({\mathsf{ct}}_1,{\mathsf{ct}}_2)=\left(g_1^w,{(y_1{y}_2^{H(\mathsf{ID})})}^w\right)\in {\mathbb{G}}_1^2$ and $\mathsf{k}={\mathsf{\Lambda }}^w\in {\mathbb{G}}_T$, and decapsulation is done by computing $\mathsf{k}=e({\mathsf{ct}}_1,d_1)/e({\mathsf{ct}}_2,d_2)\in {\mathbb{G}}_T$. Based on this scheme, the transformed IND-CCA-secure scheme is described as follows.

$\mathsf{IBKEM}.\mathsf{Setup}$($\lambda$): For security parameter $\lambda$, the setup algorithm proceeds as follows.

• Generate $\mathcal{G}=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,p,e)$ $\stackrel{\$}{\leftarrow }$ ${\mathsf{GGen}}^{\mathsf{DBDH}}(\lambda )$.
• Select two random generators $g_1\in {\mathbb{G}}_1$ and $g_2\in {\mathbb{G}}_2$.
• Select random exponents $x,y,\alpha \in {\mathbb{Z}}_p$.
• Compute $y_1=g_1^x$, $y_2=g_1^y$, and $\mathsf{\Lambda }=e{(g_1,g_2)}^{\alpha }$.
• Select hash functions $H:{\{0,1\}}^{*}\to {\mathbb{Z}}_p$, $H_1:{\{0,1\}}^{*}$→${\{0,1\}}^k$⊆${\mathbb{Z}}_p$ and $H_2:{\{0,1\}}^{*}\to {\{0,1\}}^{\ell }$.
• Output $\mathsf{MSK}=(g_2,x,y,\alpha )$ and $\mathsf{PP}$ = $(\mathcal{G}$, $g_1$, $y_1$, $y_2$, $\mathsf{\Lambda }$, H, $H_1$, $H_2)$.

$\mathsf{IBKEM}.\mathsf{KeyGen}$($\mathsf{PP},\mathsf{MSK},\mathsf{ID}$): For public parameters $\mathsf{PP}=(\mathcal{G},g_1,y_1,y_2,\mathsf{\Lambda }$, $H,H_1,$$H_2)$, a master secret key $\mathsf{MSK}=(g_2,x,y,\alpha )$, and an identity $\mathsf{ID}$, the KeyGen algorithm proceeds as follows.

• Select a random exponent $t\in {\mathbb{Z}}_p$.
• Compute ${\mathsf{SK}}_{\mathsf{ID}}=(g_2^{\alpha +(x+H(\mathsf{ID})y)t},g_2^t)\in {\mathbb{G}}_2^2$.
• Output ${\mathsf{SK}}_{\mathsf{ID}}$.

$\mathsf{IBKEM}.\mathsf{Encap}$($\mathsf{PP},\mathsf{ID}$): For public parameters $\mathsf{PP}$ = $(\mathcal{G}$, $g_1$, $y_1$, $y_2$, $\mathsf{\Lambda }$, H, $H_1$, $H_2)$ and an identity $\mathsf{ID}$, the Encap algorithm proceeds as follows.

• Select a random exponent $w\in {\mathbb{Z}}_p$.
• Compute $Q_{\mathsf{ID}}=y_1{y}_2^{H(\mathsf{ID})}\in {\mathbb{G}}_1$.
• Set $\mathsf{stmt}=(g_1,y_1,y_2,\mathsf{\Lambda },\mathsf{ID},g_1^w,Q_{\mathsf{ID}}^w,{\mathsf{\Lambda }}^w)$ and $\mathsf{wit}=w$.
• Compute $\pi \leftarrow {\mathcal{P}}^{H_1}$($\mathsf{stmt},\mathsf{wit}$).

  (a)

  Select the random exponent $r\in {\mathbb{Z}}_p$.

  (b)

  Set $\mathsf{com}=(g_1^r,Q_{\mathsf{ID}}^r,{\mathsf{\Lambda }}^r)\in {\mathbb{G}}_1^2\times {\mathbb{G}}_T$.

  (c)

  Compute $c=H_1(\mathsf{stmt},\mathsf{com})$ and $s=r+wc$.

  (d)

  Output the proof $\pi =(s,c)$.

• Set $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi ).$
• Output $\mathsf{K}$ and $\mathsf{CT}=(g_1^w,Q_{\mathsf{ID}}^w,\pi )$.

$\mathsf{IBKEM}.\mathsf{Decap}$($\mathsf{PP},\mathsf{CT},{\mathsf{SK}}_{\mathsf{ID}}$): For public parameters $\mathsf{PP}$ = $(\mathcal{G},g_1,y_1,y_2,\mathsf{\Lambda }$, $H,H_1,H_2)$, a ciphertext $\mathsf{CT}$ = $({\mathsf{ct}}_1$, ${\mathsf{ct}}_2$, $\pi =(s,c))$, and a private ${\mathsf{SK}}_{\mathsf{ID}}=(d_1,d_2)$, the Decap algorithm proceeds as follows.

• Compute $\mathsf{k}=e({\mathsf{ct}}_1,d_1)/e({\mathsf{ct}}_2,d_2)\in {\mathbb{G}}_T$.
• Set $\mathsf{stmt}=(g_1,y_1,y_2,\mathsf{\Lambda },\mathsf{ID},{\mathsf{ct}}_1,{\mathsf{ct}}_2,\mathsf{k})$.
• If $1\leftarrow {\mathcal{V}}^{H_1}$($\mathsf{stmt},\pi$), go on. Otherwise, abort.

  (a)

  Compute $Q_{\mathsf{ID}}=y_1{y}_2^{H(\mathsf{ID})}\in {\mathbb{G}}_1$.

  (b)

  Set $\mathsf{com}=(g_1^s·{\mathsf{ct}}_1^{-c}$, $Q_{\mathsf{ID}}^s·{\mathsf{ct}}_2^{-c}$, ${\mathsf{\Lambda }}^s·{\mathsf{k}}^{-c})\in {\mathbb{G}}_1^2\times {\mathbb{G}}_T$.

  (c)

  If $c=H_1(\mathsf{stmt},\mathsf{com})$, output 1. Otherwise, output 0.

• Set $\mathsf{K}\leftarrow H_2(\mathsf{stmt},\mathsf{com},\pi )$ and output $\mathsf{K}$.

Theorem 8.

Suppose that the $(t_{dbdh},{ϵ}_{dbdh})$ DBDH assumption holds in $\mathcal{G}$, and $H_1$ and $H_2$ are random oracles. Then, the Boneh–Boyen IBKEM is $(t,ϵ,q_{id},q_d)$-IND-ID-CCA-secure, where

$$\begin{array}{cc}\hfill & ϵ\le \frac{q_H·{ϵ}_{dbdh}}{2}+\frac{q_{H_1}^2}{2^{k-1}}+\frac{q_{H_2}^2}{2^{\ell -1}}+\frac{2q_H^2+2q_{H_1}^2+2q_d·(q_{H_1}+q_{H_1}^2)+1}{p},t_{dbdh}\approx t+\mathcal{O}((q_{id}+q_H+q_d)t_e).\hfill \end{array}$$

Here, $\{q_H,q_{H_1},q_{H_2}\}$ are the numbers of $\{H,H_1,H_2\}$ queries, $t_e$ is the required time for exponentiation in $\mathcal{G}$, and p is the group order.

Proof. 

We can obtain the proof by applying Theorem 4 to the facts that ${ϵ}^{\prime }\le q_H·{ϵ}_{dbdh}$, $t_{dbdh}\approx t^{\prime }+\mathcal{O}(q_{id}{t}_e)$, ${ϵ}_{\mathsf{ZK}}\le q_{H_1}^2/p$, and ${ϵ}_{\mathsf{SS}}\le (q_{H_1}+q_{H_1}^2)/p$. Moreover, we use the fact that $t_v$ becomes similar to $t_e$ in Theorem 4. □

6. Conclusions

This paper shows the security proof of the recent work for the CCA conversion method in [12] has a flaw and proposes the corrected proof for the method. The CCA conversion method [12] from OW-CPA-KEM to IND-CCA-KEM is a tightly secure conversion and is based on the Random Oracle model. Without changing the basic conversion method, this paper proposes the new corrected security proof of the conversion method. If the security proof for the newly designed cryptography scheme is not correct, there may exist some vulnerability in the system using the scheme. Therefore, this report on the flaw of security proof of the conversion method [12] and the fixed security proof should be considered by developers that use this conversion method. With the revised CCA conversion method, one can obtain an IND-CCA-KEM scheme from an IND-CPA-KEM scheme, and an IND-ID-CCA-IBKEM scheme from an IND-ID-CPA-IBKEM scheme, respectively. This paper provides the revised applications of the CCA conversion method which are the practical encryption schemes and the ID-based encryption schemes. As a result, information systems such as software tools, image processing, and sound transmission [25,26,27] that require information security can use those applications of the CCA conversion method to enhance data privacy.

However, this work has the limitations that the new security proof assumes the stronger condition that an underlying CPA-KEM is secure in terms of IND instead of OW. As future work, we note that proving the security of the conversion method with a weaker assumption that an underlying CPA-KEM is secure in terms of OW is an interesting open question.