Revisiting NIZK-Based Technique for Chosen-Ciphertext Security: Security Analysis and Corrected Proofs

: Non-interactive zero-knowledge (NIZK) proofs for chosen-ciphertext security are generally considered to give an impractical construction. An interesting recent work by Seo, Abdalla, Lee, and Park (Information Sciences, July 2019) proposed an efﬁcient semi-generic conversion method for achieving chosen-ciphertext security based on NIZK proofs in the random oracle model. The recent work by Seo et al. demonstrated that the semi-generic conversion method transforms a one-way (OW)-secure key encapsulation mechanism (KEM) into a chosen-ciphertext secure KEM while preserving tight security reduction. This paper shows that the security analysis of the semi-generic conversion method has a ﬂaw, which comes from the OW security condition of the underlying KEM. Without changing the conversion method, this paper presents a revised security proof under the changed conditions that (1) the underlying KEM must be chosen-plaintext secure in terms of indistinguishability and (2) an NIZK proof derived from the underlying KEM via the Fiat–Shamir transform must have the properties of zero-knowledge and simulation soundness. This work extended the security proof strategy to the case of identity-based KEM (IBKEM) and also revise the security proof for IBKEM of previous method by Seo et al. Finally, this work gives a corrected security proof by applying the new proofs to several existing (IB)KEMs.

As building blocks, this approach uses any public-key encryption scheme secure against chosen-plaintext attacks (denoted as "CPA security") and any NIZK proof system for all of N P [9,10]. However, the Naor-Yung paradigm has been perceived as a feasibility result for the existence of CCA-secure encryption schemes based on general cryptographic assumptions, leading to impractical constructions [11].
Interestingly, a recent work by Seo et al. [12] proposed a new semi-generic approach for constructing a CCA-secure (and practical) key encapsulation mechanism (KEM) based on NIZK proof systems derived from the Fiat-Shamir (FS) transform [13]. As building blocks, their technique uses a one-way (OW)-secure KEM and an FS-derived NIZK proof system to prove the relationship (such as equality or linearity) among discrete logarithms. In particular, the term "semi-generic" comes from the fact that the underlying OW-secure KEM should satisfy an additional property called "NIZK-compatibility", meaning that the pair {ciphertext, key} can be an NIZK statement when randomness for KEM is used as a witness for NIZK. Seo et al. [12] demonstrated that their approach can transform an OW-secure (and NIZK-compatible) KEM into a CCA-secure KEM in the random oracle model without security loss.

Organization
In Section 1.2, we briefly review the semi-generic conversion method from Seo et al. and explain the flaw in the security proof of the method. In Section 1.3, we present the concept of corrected proofs. In Section 2, we present the details of the interactive proof systems for proving the equality and linearity of discrete logarithms, and we describe how FS-derived NIZK proof systems can achieve the properties of zero-knowledge and simulation soundness. In Section 3, we introduced the conversion method for CCA-secure KEM and present our corrected proofs using the hybrid argument of indistinguishabilitybased framework. As in [12], we can extend our strategy to the case of identity-based KEM (IBKEM); thus, a newly corrected security proof for the conversion of IBKEM is given in Section 4. In Section 5, we apply our security result to several (IB)KEMs used in [12] and provide new corrected theorems for each scheme. Finally, we conclude this paper in Section 6.

Flaw in Security Proof in Previous Research Literature
The new conversion in [12] works correctly, but we have identified a flaw in its security analysis. For easier explanation, consider the ElGamal KEM as an underlying scheme. Let G be a group of prime order p, and let (g w , h w ) be a pair {ciphertext, key} for group elements g, h ∈ G, and a random w ∈ Z p . It is easy to see that the pair can be an NIZK statement stmt = (g w , h w ) for equality of discrete logarithms when the randomness w is the witness (i.e., NIZK-compatible). Let com be a commitment (g r , h r ) for a random r ∈ Z p . The Fiat-Shamir transform [13] gives the NIZK proof π = (c, s), where s = r + cw ∈ Z p and c = H 1 (stmt, com). Assuming that the hash function H 1 is modeled as a random oracle, the NIZK proof system is proven to be honest verifier zero-knowledge and sound. The concept behind the transformation proposed in [12] is to see the original ElGamal KEM as a designated verifier proof system by setting h = g x for a secret x (only known to the verifier) so that the element A 1 = g w is sufficient for the designated verifier NIZK statement. In the transformed variant of the ElGamal KEM, the resulting ciphertext consists of (A 1 , π = (c, s)), and the decapsulation algorithm (as a designated verifier) first recovers A 2 = h w by computing (g w ) x and then computes com = (g s A −c 1 , h s A −c 2 ) along with stmt = (g w , h w ) and π. It also verifies that π is a valid proof for the recovered statement stmt. If π is valid, the decapsulation algorithm computes the final KEM key as key = H 2 (stmt, com, π) for another hash function H 2 .
Seo et al. [12] demonstrated that the above variant of the ElGamal KEM is tightly CCA-secure based on the computational Diffie-Hellman (CDH) assumption. From a theoretical viewpoint, the first challenge in their security analysis is how to handle decapsulation queries issued by an adversary without knowing the secret key x. Let CT = (A 1 , π = (c, s)) be a queried ciphertext, and let H 1 , H 2 be modeled as random oracles. A reduction algorithm (simulator) finds a tuple in the H 1 query table such that , and checks that π is the valid NIZK proof for the statement (A 1 , A 2 ) and the commitment (B 1 , B 2 ). If so, the simulator outputs the key key = H 2 (A 1 , A 2 , B 1 , B 2 , π) from the H 2 query table. The decapsulation works correctly because of the soundness of the underlying NIZK proof system, meaning that the adversary is forced to generate the proof π for the well-formed ciphertext such that log g A 1 = log h A 2 . The second challenge in their security analysis is to find the correct solution h a to a given CDH instance (g, g a , h) without security loss. The strategy in [12] is as follows: by using the zero-knowledge property, the simulator first generates a simulated proof π * = (c * , s * ) with respect to the element A * 1 = g a for some unknown a ∈ Z p and implicitly sets c * = H 1 (A * 1 , •, B * 1 , ) and key * = H 2 (A * 1 , •, B * 1 , , π * ), where "•" and " " indicate that the simulator does not know the entries. After the challenge ciphertext CT * = (A * 1 , π * = (c * , s * )) and the challenge key key * are given to the adversary, the simulator waits for the adversary to query the hash inputs (A * 1 , , B * 1 , , π * ) for H 2 . Seo et al.'s assertion [12] is that because of the soundness of the NIZK proof system, there exists one query (A * 1 , A 2 , B * 1 , B 2 , π * ) (with overwhelming probability) such that π * is valid among the queried inputs {(A * 1 , , B * 1 , , π * )}, in which case the entry A 2 is the solution to the given CDH instance. Thus, if their assertion was true, the adversary who succeeds in breaking the CCA-security of the variant must make the query, including the CDH solution, to H 2 ; otherwise, the adversary has no information on the challenge key.
However, we show that their assertion is not true for the following reasons. Let CT * = (A * 1 , π * = (c * , s * )) and key * be the challenge ciphertext and key, respectively. First, the adversary generates the value B * 1 by computing g s * (A * 1 ) −c * , which is the same as the value that the simulator calculated. Next, the adversary can generate the values A 2 and B 2 as follows: pick a random R ∈ Z p , and set A 2 = h R and B 2 = h s * (A 2 ) −c * . Finally, the adversary issues (A * 1 , A 2 , B * 1 , B 2 , π * ) to the H 2 query. We can see that π * = (c * , s * ) is valid with respect to the false statement (A * 1 , A 2 ) and the relevant commitment (B * 1 , B 2 ); furthermore, polynomially-many such simulated queries can be made after CT * and key * are given to the adversary. If the adversary issues the correct query such that A 2 = h a among the polynomially-many simulated queries, the simulator cannot specify which query relates to the correct statement (A * 1 = g a , A 2 = h a ) associated with the CDH solution, unless it is given an oracle to solve the decisional Diffie-Hellman (DDH) problem. Moreover, the implicitly predetermined challenge key key * will be mapped to a certain wrong H 2 query input (A * 1 , A 2 , B * 1 , B 2 , π * ) with "high" probability. Clearly, such inconsistent mapping will allow the adversary to distinguish between a real attack and a simulation.

Concept of Corrected Proofs
Our strategy to revise Seo et al.'s proofs [12] is to change the security condition of the underlying KEM from OW to CPA while keeping their conversion method intact. In our corrected proofs, the underlying KEM must be CPA-secure in terms of indistinguishability, meaning (roughly) the following: given (CT * , K * ) as a challenge, it is infeasible to determine whether the challenge key K * was correct or false with respect to the challenge ciphertext CT * . Now, the simulator attacking the CPA security of the underlying KEM is given (CT * , K * ) and wants to determine whether K * is correct or false using the adversary against CCA-security. Let us assume that the underlying KEM is still NIZK-compatible, as defined in [12]. Given (CT * , K * ), the simulator proceeds as follows: it sets the pair as the NIZK statement, stmt * = (CT * , K * ), and generates a simulated proof π * for stmt * using the zero-knowledge property. Then, it computes the challenge key key * = H 2 (stmt * , com * , π * ), where com * is the relevant commitment for stmt * . Then, it gives the challenge ciphertext (CT * , π * ) and the challenge key key * to the adversary. If K * is the correct key corresponding to CT * , then π * is the NIZK proof for the correct statement (CT * , K * ). Otherwise, π * is the NIZK proof for the false statement (CT * , K * ). Now that the simulator knows the candidate value K * of the KEM key, it does distinguish whether K * is correct or false by checking whether (stmt * , com * , π * ) is issued to H 2 queries. Note that K * is not given to the adversary. If K * (including stmt * ) appears in H 2 queries, it is possible to ensure (with overwhelming probability) that K * is the correct key corresponding to CT * ; otherwise, K * is a false key. Furthermore, as long as the input (stmt * , com * , π * ) is not queried to H 2 (modeled as a random oracle), the adversary obtains no information on the challenge key key * . It follows that success in breaking the CCA-security of the transformed KEM straightforwardly leads to success in breaking the CPA security of the underlying KEM without causing security loss. When applying our proof strategy to the above variant of the ElGamal KEM, it can be proved to be tightly CCA-secure under the DDH assumption.
In our corrected proofs, decapsulation queries are handled by the simulator in the same way as in [12]. However, the NIZK property required for answering decapsulation queries is (one-time) simulation soundness (SS) rather than soundness. This is because π * can be the simulated proof for the correct or false statement (CT * , K * ) (given to the simulator) depending on K * . Furthermore, once (CT * , π * ) is given to the adversary as a challenge, it should be difficult for the adversary to generate a pair of a new false statement and its relevant proof that are correctly verified. In particular, a new false statement includes any modification of stmt * = (CT * , K * ). Unlike in Seo et al.'s proofs [12], the simulator in ours knows all hash input values regarding stmt * and com * explicitly; thus, the security flaw mentioned above does not occur. Rather, making hash queries about stmt * by the adversary could increase the probability that the simulator will succeed in breaking the CPA security of the given KEM.
To show that the underlying NIZK proof system satisfies the simulation soundness property, we use the result of Faust et al. [14], which showed that (roughly) an FS-derived NIZK proof system Π FS is simulation-sound in the random oracle model if a canonical three-round interactive proof system Π (The transcript of Π consists of {commitment, challenge, and response}.) has the properties of completeness, soundness, and unique response. In fact, along with the soundness, the unique response property gives the effect of making the resulting NIZK proof π strongly unforgeable [15] when viewing π as a (one-time) signature. As a building block, the conversion by Seo et al. [12] uses an FSderived NIZK proof system to prove the equality or linearity of discrete logarithms, and it is easy to show that a three-round interactive proof system for equality or linearity satisfies the property of unique response as well as soundness. Thus, by adapting the result in [14], all the underlying (FS-derived) NIZK proof systems in our corrected proofs have the simulation soundness property in the random oracle model.

Notation
λ ∈ N is the security parameter. We say that a function ν : N → R is negligible if for every positive polynomial poly(·), there exists an integer N > 0 such that for all x > N, it holds that |ν(x)| < poly(x) −1 . Given an algorithm A, we write y ← A to denote that y is the output of A. If A is a probabilistic algorithm, then y $ ← − A denotes that y is computed by A using fresh random coins. When A is a set, a $ ← − A denotes that a is chosen uniformly over A. For n ∈ N, we write [n] to denote the set {1, . . . , n}. The above notation follows the notation from the work in [16].

Interactive Proof System
Let L = {stmt : ∃ wit s.t. (stmt, wit) ∈ R L } be an NP-language. We first review a three-move public coin proof system, where a prover wants to convince a verifier that a statement stmt belongs to L using a witness wit such that (stmt, wit) ∈ R L . Let a prover P = (P 0 , P 1 ) and a verifier V = (V 0 , V 1 ) be PPT algorithms that participate in the protocol. First, as inputs, com ← P 0 (stmt, wit; ρ) takes a statement stmt, a witness wit, and a random string ρ and then computes a commitment com and sends it to a verifier V. Then, chal $ ← − V 0 (stmt, com) inputs a statement stmt and commitment com, randomly chooses a challenge chal in the challenge space, and sends it to P. Finally, as inputs, resp ← P 1 (com, chal, stmt, wit; ρ) takes com, chal, stmt, wit, and ρ; generates a response resp; and sends it to V. Then, as inputs, {0, 1} ← V 1 (stmt, com, chal, resp) takes stmt, com, chal, and resp, and then outputs 0 or 1. When V 1 outputs 1, the verifier V is convinced that the statement stmt belongs to L.
We now review the following properties.

Completeness
If stmt ∈ L, any proper execution of the protocol between P and V ends with the verifier accepting P's proof. That is, the following holds:

Honest Verifier Zero-Knowledge (HVZK)
There exists an efficient algorithm S called a zero-knowledge simulator such that for any PPT distinguisher, D = (D 0 , D 1 ), and for any (stmt, wit) ∈ R L , it holds that where π ← P (stmt, wit; λ), V (stmt; λ) denotes the resulting transcript returned at the end of the interaction between P and V on common input stmt and private input wit.

Soundness
If stmt / ∈ L, any PPT adversary P * = (P * 0 , P * 1 ) is accepted only with negligible probability. That is, the following holds:

Protocol for Proving the Equality of Discrete Logarithms
We review the generalized interactive protocol for proving the equality of discrete logarithms [17][18][19]. Let G 1 , . . . , G n be groups of prime order p, and let g i ∈ G i be a generator for i ∈ [n]. Now, we consider the NP-language The discrete logarithm wit = x is a witness for a statement: stmt = (g 1 , . . . , g n , A 1 , . . . , A n ). Then, the interactive protocol (P, V ) for proving the above language is as follows. 1.

2.
The verifier V randomly selects a random challenge chal = c ∈ Z p .

3.
P computes a response resp = s = r + cd ∈ Z p .

4.
Given a proof π = (com, chal, resp), V checks that It is well known that this protocol is a non-trivial three-round public coin interactive proof system satisfying completeness, HVZK, (statistical) soundness, and unique response properties.

Protocol for Proving the Linearity of Discrete Logarithms
We review the generalized interactive protocol for proving the linearity of discrete logarithms. Let G 1 , . . . , G n+1 be groups of prime order p, and let g i ∈ G i be a generator for i ∈ [n + 1]. Now, we consider the NP-language The discrete logarithm wit = (x 1 , . . . , x n ) is a witness for a statement stmt = (g 1 , . . . , g n , g n+1 , A 1 , . . . , A n , A n+1 ). Then, the interactive protocol (P, V ) for proving the above language is as follows.

2.
The verifier V randomly selects a random challenge chal = c ∈ Z p .

4.
Given a proof π = (com, chal, resp), V checks that Similarly to the equality of discrete logarithms, this protocol is also a non-trivial threeround public coin interactive proof system satisfying completeness, HVZK, (statistical) soundness, and unique response properties.

NIZK in the Random Oracle Model
We can remove the interaction between P and V by replacing the challenge chal with a hash value H(stmt, com) computed by the prover, where H is a hash function modeled as a random oracle. By applying the Fiat-Shamir paradigm [13], we can transform an interactive protocol (P, V) into a non-interactive proof system (P H , V H ).

Syntax
Let L := {stmt : ∃ wit such that R(stmt, wit) = 1} is an NP-language defined by a binary relation R, and H is a hash function (modeled as a random oracle). A non-interactive proof system (P H , V H ) for L consists of two algorithms. The proving algorithm π $ ← − P H (stmt, wit) takes as input a statement stmt and a witness wit such that R(stmt, wit) = 1 and outputs a proof π. The verification algorithm V H (stmt, π) ∈ {0, 1} takes as input a statement stmt and a proof π and outputs 1 (true) or 0 (false).
We refer here to the zero-knowledge simulator S of a non-interactive zero-knowledge proof system [14] defined in the explicitly programmable random oracle model [20]. As a stateful algorithm, the simulator S can operate in two modes: (h i , st) ← S(1, st, q i ) deals with answering random oracle queries such that h i = H(q i ), while (π, st) ← S(2, st, stmt) simulates the proof. Note that calls to S(1, · · · ) and S(2, · · · ) share the common state st, which is updated after each operation.
Definition 1 (Unbounded Non-Interactive Zero-Knowledge [14]). Let L be an NP-language. Let (S 1 , S 2 ) denote the oracles such that S 1 (q i ) returns the first output of (h i , st) ← S(1, st, q i ) and S 2 (stmt, wit) returns the first output of (π, st) ← S(2, st, stmt) if (stmt, wit) ∈ R L . We say a protocol (P H , V H ) is an NIZK proof for language L in the random oracle model if there exists a PPT simulator S such that for all PPT distinguishers D, the advantage ZK such that is negligible, where both P and S 2 oracles output ⊥ if (stmt, wit) = R L . [14]). Let L be an NP-language. Consider a proof system (P H , V H ) for L with zero-knowledge simulator S. Let (S 1 , S 2 ) denote the oracle such that S 1 (q i ) returns the first output of (h i , st) ← S(1, st, q i ) and S 2 returns the first output of (π, st) ← S(2, st, stmt). We say that (P H , V H ) is simulation-sound with respect to S in the random oracle model if for all PPT adversaries A the advantage SS such that

Definition 2 (Unbounded Simulation Soundness
is negligible, where T is the list of pairs (stmt i , π i ), i.e., (true or false) statements queried to and proofs returned by the simulator.
Theorem 1 (Fiat-Shamir NIZKs [14]). Consider a three-round HVZK interactive proof system (P, V ) for a language L ∈ NP with completeness. Let H be a function with range equal to the space of the verifier's coins. In the random oracle model, the proof system (P H , V H ) derived from (P, V ) by applying the Fiat-Shamir transform is unbounded non-interactive zero-knowledge.
Theorem 2 (Simulation Soundness of Fiat-Shamir NIZKs [14]). Consider a three-round HVZK interactive proof system (P, V ) for a language L ∈ NP with completeness, soundness, and unique response. In the random oracle model, the proof system (P H , V H ) derived from (P, V ) via the Fiat-Shamir transform is simulation-sound NIZK with respect to its canonical simulator S.
By applying the above theorems to the previous interactive protocols for proving the equality and linearity of discrete logarithms, we can obtain NIZK proof systems for the equality and linearity of discrete logarithms, which both have the properties of zeroknowledge and simulation soundness. Note that the two previous interactive protocols satisfy the completeness, HVZK, (statistical) soundness, and unique response properties.
To measure the concrete bounds of the advantages ZK and SS with respect to the two interactive protocols, we follow the proofs in [14] (Theorems 1 and 2 therein). First, ZK of the NIZK systems is bounded by the probability that the "good" NIZK simulator S fails and aborts during the simulation. Note that the NIZK simulator S fails when a collision of the random oracle H happens in the process of updating the hash table T H . Because the probability that a collision happens is at most q 2 H /p, where q H is the maximum number of H queries and p is the group order including the size of the challenge space, we see that ZK ≤ q 2 H /p. Second, SS of the NIZK scheme is bounded by q H · snd + q 2 H /p, where snd denotes the bound of advantage that the adversary violates the soundness of the proof system (P, V ). The soundness bound snd in the two interactive protocols is statistically the same as the inverse of the size of the challenge space, 1/p, so we see that

Security Model of KEM
Here, we define the IND-{CPA,CCA} security of KEM by referring to [12]. First, a security experiment of IND-CPA played between a challenger C and an adversary A is described as follows. Now, the security experiment of IND-CCA, where the additional decapsulation oracle is given to an adversary A, is described as follows.

Conversion Method
The conversion method is for a special case of KEM which is compatible with the NIZK schemes. We suppose that the KEM.Encap algorithm takes the public key pk and randomness x as inputs and returns a key k and a ciphertext ct e.g., (k, ct) ← KEM.Encap(pk; x) . Then, we say that a KEM is NIZK-compatible if a tuple (pk, ct, k) can be parsed as the statement for proving a relation for discrete logarithms using the witness x. For example, the ElGamal KEM and the linear KEM [21] are NIZK-compatible [12]. KEM.Gen (λ): Given security parameter λ, the setup algorithm proceeds as follows.

Security Proof
Here, t v is the required time for verification in NIZK, and K is the key space of KEM.
Proof. We consider a sequence of hybrid games Game 0, . . . , Game 9. Game 0 is the actual IND-CCA security game, where an adversary is given a key from the encapsulation algorithm, and Game 9 is the actual game, where an adversary is given a key randomly chosen from a key space for the encapsulation query. Let Win i denote the event that A wins in the Game i. Table 1 summarizes the games described below and the properties used to prove indistinguishability between consecutive games.
Game 0. This is the actual IND-CCA security game, which is executed with b = 1. Thus, the challenger always returns (CT * , K * ) = KEM.Encap(PK) for the challenge.

Game 2.
This game is identical to Game 1 except that the challenge ciphertext CT * = (ct * , π * ) is computed differently. Instead of using the real proving algorithm of NIZK, the challenger generates the challenge ciphertext using the simulator of NIZK (i.e., CT * = (ct * , π * sim )). Due to the non-interactive zero-knowledge property of NIZK, we have Game 3. This game is identical to Game 2 except that the decapsulation query is operated differently. In the previous game, for a given ciphertext CT = (ct, π = (s, c)), the challenger computes k ← KEM.Decap(sk, ct) using sk and returns K = H 2 stmt = (pk, ct, k), com = (com ct , com k ) only if 1 ← V H 1 (stmt, π) holds. In this game, the challenger retrieves a tuple (stmt, com, c) in the H 1 hash table such that c = H 1 stmt = (pk, ct, ), com = (com ct , ) . If the statement stmt, commitment com, challenge c, and response s are verified (i.e., 1 ← V(stmt, com, c, s)), then it returns K = H 2 (stmt, com, π). Note that an adversary cannot distinguish Game 3 from Game 2 unless it queries a ciphertextCT = (ct,π = (s,c)) such that proofπ is verified with a retrieved tuple (stmt,com,c) in H 1 (i.e., 1 ← V(stmt,com,c,s)) andstmt is a false statement. In other words, the adversary must forge a proofπ for a false statementstmt to distinguish the games. Then, by the simulation soundness of NIZK with respect to q d decapsulation queries, we have Game 4. This game is identical to Game 3 except that the challenge ciphertext is computed differently. In the challenge phase, the challenger randomly selects k instead of getting k * from (ct * , k * ) ← KEM.Encap(pk; x). The other procedures are the same as in Game 3. Finally, it outputs (CT * , K * ). We can show that a distinguisher between Game 4 and Game 3 implies an adversary that breaks the IND-CPA security of the underlying KEM scheme. For the sake of simplicity, we prove this later. Then, we have

Game 5.
This game is identical to Game 4 except that it is executed with b = 0. In other words, the challenger always returns K * $ ← − {0, 1} instead of computing K * = H 2 (stmt = (ct * , k ), com = (com ct * sim , com k sim ), π * sim = (s, c)). The adversary cannot distinguish Game 5 from Game 4 unless it queries the tuple stmt = (ct * , k ), com = (com ct * sim , com k sim ), π * sim = (s, c) to the H 2 oracle. Note that k is a random key from A's view because ct * is independent of k . Therefore, the probability that the adversary queries the tuple to the H 2 oracle is at most 1/|K|. Then, we have | Pr[Win 5 ] − Pr[Win 4 ]| ≤ 1/|K|. Game 6. This game is identical to Game 5 except that the challenge ciphertext is computed differently. In the challenge phase, the challenger uses back k * from (ct * , k * ) ← KEM.Encap(pk; x). The other procedures are the same as in Game 5. Finally, it outputs (CT * , K * ). Like the case between Game 4 and Game 3, we can show that a distinguisher between Game 6 and Game 5 implies an adversary that breaks the IND-CPA security of the underlying KEM scheme. For the sake of simplicity, we prove this later. Then, we have

Game 7.
This game is identical to Game 6 except that the decapsulation query is operated differently. In this game, the challenger changes back the operation of the decapsulation query to normal. For a given ciphertext CT = (ct, π = (s, c)), the challenger computes k ← KEM.Decap(sk, ct) using sk and returns K = H 2 stmt = (pk, ct, k), com = (com ct , com k ) only if 1 ← V H 1 (stmt, π) holds. Like the case between Game 3 and Game 2, an adversary cannot distinguish Game 7 from Game 6 unless it submits a ciphertext with a forged proof for a false statement.  Proof. Let D be a distinguisher between Game 3 and Game 4. Then, we show how to construct an A that wins the IND-CPA security game of KEM using D with the same advantage.
A receives a public key pk as input. Then, A runs D by simulating Game 3 with changes as follows.

•
In the setup phase, A sends PK = (H 1 , H 2 , pk) to D.
• In the challenge phase, the challenge ciphertext and key (ct * , k * b ) are given to A. Then, A sets stmt = (pk, ct * , k * b ) and generates a simulated proof π * sim on the statement stmt. A sets K * = H 2 (stmt, com sim , π * sim ), where com sim is the deterministically computed commitment from (stmt, π * sim ). A sends (CT * = (ct * , π * sim ), K * ) to D. In the guess phase, D outputs its guess. If the guess is "Game 3", then A outputs 1; otherwise, it output 0.
Note that if b = 1, i.e., stmt = (pk, ct * , k * b ) is a true statement or stmt = (pk, ct * , k * b ) ∈ R L , the above simulation is identical to Game 3 from D's viewpoint. Otherwise, the above simulation is identical to Game 4. Therefore, we have Proof. Let D be a distinguisher between Games 5 and 6. Then, we show how to construct an A that wins the IND-CPA security game of KEM using D with the same advantage. A receives a public key pk as input. Then, A runs D by simulating Game 5 with changes as follows.

•
In the setup phase, A sends PK = (H 1 , H 2 , pk) to D.
• In the challenge phase, the challenge ciphertext and key (ct * , k * b ) are given to A. Then, A sets stmt = (pk, ct * , k * b ) and generates a simulated proof π * sim on the statement stmt. Moreover, A randomly chooses K * $ ← − {0, 1} and sends (CT * = (ct * , π * sim ), K * ) to D. In the guess phase, D outputs its guess. If the guess is "Game 6", then A outputs 1; otherwise, it output 0.
Note that if b = 1, i.e., stmt = (pk, ct * , k * b ) is a true statement or stmt = (pk, ct * , k * b ) ∈ R L , the above simulation is identical to Game 6 from D's viewpoint. Otherwise, the above simulation is identical to Game 5. Therefore, we have This completes the proof of the theorem. Table 1. Values or operations of K * , CT * , SK, and DecO(·) in each game and properties ensuring the indistinguishability of consecutive games. RO + SS denotes that the simulator retrieves k from a random oracle table and checks the validity of the ciphertext based on the SS property.

Security Model of IBKEM
Here, we define the IND-ID-{CPA,CCA} security of IBKEM by referring to [12]. First, the security experiment of IND-ID-CPA played between a challenger C and an adversary A is described as follows.

Conversion Method
Similar to the previous KEM, this conversion method is for a special case of IBKEM which is compatible with the NIZK schemes. We suppose that the IBKEM.Encap algorithm takes public parameters pp, an identity ID, and random coins x as inputs and returns a key k and a ciphertext ct e.g., (k, ct) ← IBKEM.Encap(pp, ID; x) . Then, we say that an IBKEM scheme is NIZK-compatible if a tuple (pp, ID, ct, k) can be parsed as the statement for proving a relation for discrete logarithms using the witness x. For instance, the Boneh-Franklin IBKEM and Boneh-Boyen IBKEM are NIZK-compatible [12].

2.
Set SK ID = sk ID and output SK ID .

Security Proof
Here, t v is the required time for verification in the NIZK and K is the key space of IBKEM.
Proof. We consider a sequence of hybrid games Game 0,. . . , Game 9. Game 0 is the actual IND-ID-CCA security game, where an adversary is given a key from the encapsulation algorithm for the encapsulation query, and Game 9 is the actual IND-ID-CCA game, where an adversary is given a key randomly chosen from a key space for the encapsulation query. Let Win i denote the event that A wins in Game i. Table 2 summarizes the games described below and the properties used to prove indistinguishability between consecutive games.
Game 0. This is the IND-ID-CCA security game executed with b = 1. Thus, the challenger always returns (CT * , K * ) = IBKEM.Encap (PP, ID * ) for the challenge. Game 1. Let Coll be the event that a collision of the hash functions H 1 or H 2 occurs. This game is identical to Game 0 except that it aborts when the event Coll occurs during the simulation. Due to the collision resistance of the hash functions, we have

Game 2.
This game is identical to Game 1 except that the challenge ciphertext is computed differently. Instead of using the real proving algorithm of NIZK, the challenger generates challenge ciphertext using the simulator of NIZK (i.e., CT * = (ct * , π * sim )). Due to the non-interactive zero-knowledge property of NIZK, we have Proof. Let D be a distinguisher between Game 3 and Game 4. Then, we show how to construct A so that it wins the IND-ID-CPA security game of IBKEM using D with the same advantage.
A receives as input a public parameter pp. Then, A runs D by simulating Game 3 with changes as follows.

•
In the setup phase, A sends PP = (pp, H 1 , H 2 ) to D.
• When asked a decapsulation query (CT,ID), if ID = ID * , A queries ID for key generation oracle of its challenger, decapsulates CT, and returns it to D. Otherwise, if ID = ID * , the procedure is the same as in Game 3.

•
In the challenge phase, the distinguisher D sends ID * to A. Then, A sends ID * to its challenger and receives the challenge ciphertext and key pair. Given the pair (ct * , k * b ), A sets stmt = (pp, ID * , ct * , k * b ) and generates simulated proof π * sim on the statement stmt. Furthermore, A sets K * = H 2 (stmt, com sim , π * sim ), where com sim is deterministically computed commitment from (stmt, π * sim ), and sends (CT * = (ct * , π * sim ), K * ) to D. In the guess phase, D outputs its guess. If the guess is "Game 3", A outputs 1; otherwise, it output 0.
Note that if b = 1, i.e., stmt = (pp, ID * , ct * , k * b ) is a true statement or stmt = (pp, ID * , ct * , k * b ) ∈ R L , the above simulation is identical to Game 3 from D's viewpoint. Otherwise, the above simulation is identical to Game 4. Therefore, we have  Proof. Let D be a distinguisher between Game 5 and Game 6. Then, we show how to construct A that wins the IND-ID-CPA security game of IBKEM using D with the same advantage. A receives as input a public parameter pp. Then, A runs D by simulating Game 5 with changes as follows.

•
In the setup phase, A sends PP = (pp, H 1 , H 2 ) to D.
• When asked a decapsulation query (CT,ID), if ID = ID * , A queries ID for key generation oracle of its challenger, decapsulates CT, and returns it to D. Otherwise, if ID = ID * , the procedure is the same as in Game 3.

•
In the challenge phase, the distinguisher D sends ID * to A. Then, A sends ID * to its challenger and receives the challenge ciphertext and key pair. Given the pair (ct * , k * b ), A sets stmt = (pp, ID * , ct * , k * b ) and generates simulated proof π * sim on the statement stmt. Then, A randomly chooses K * $ ← − {0, 1} and sends (CT * = (ct * , π * sim ), K * ) to D.
In the guess phase, D outputs its guess. If the guess is "Game 6", A outputs 1; otherwise, it output 0.
Note that if b = 1, i.e., stmt = (pp, ID * , ct * , k * b ) is a true statement or stmt = (pp, ID * , ct * , k * b ) ∈ R L , the above simulation is identical to Game 6 from D's viewpoint. Otherwise, the above simulation is identical to Game 5. Therefore, we have 3.
paper proposes the new corrected security proof of the conversion method. If the security proof for the newly designed cryptography scheme is not correct, there may exist some vulnerability in the system using the scheme. Therefore, this report on the flaw of security proof of the conversion method [12] and the fixed security proof should be considered by developers that use this conversion method. With the revised CCA conversion method, one can obtain an IND-CCA-KEM scheme from an IND-CPA-KEM scheme, and an IND-ID-CCA-IBKEM scheme from an IND-ID-CPA-IBKEM scheme, respectively. This paper provides the revised applications of the CCA conversion method which are the practical encryption schemes and the ID-based encryption schemes. As a result, information systems such as software tools, image processing, and sound transmission [25][26][27] that require information security can use those applications of the CCA conversion method to enhance data privacy. However, this work has the limitations that the new security proof assumes the stronger condition that an underlying CPA-KEM is secure in terms of IND instead of OW. As future work, we note that proving the security of the conversion method with a weaker assumption that an underlying CPA-KEM is secure in terms of OW is an interesting open question.