
1 Introduction

Public key encryption in the multi-user setting. The most important security notion for public key encryption is indistinguishability under chosen ciphertext attacks (IND-CCA). The modeled setting is as follows: One user generates a key pair, a second user encrypts one out of two messages to her, and the adversary shall find out which one it was. Here, importantly, the adversary controls the distribution of the two messages and may request decryptions of ciphertexts of its choice.

The definition of selective opening (SO) security is more general as it takes into account the fact that the public key setting allows for more than two parties. Concretely, in the SO setting one user generates a key pair, many users encrypt messages to her key (of course using fresh and independent random coins), and the adversary’s goal is to derive any information about any of the messages. Again the adversary controls the message distribution (individually for each participant, but also joint distributions are possible) and may have arbitrary ciphertexts decrypted. On top of that the adversary is allowed to ‘open’ any subset of ciphertexts, i.e., to corrupt the encrypters, for instance by breaking into their computers, and thereby reveal the messages they encrypted and the random coins they used. (In some applications, like in secure multi-party computation, users even deliberately reveal their messages and randomness to make their computations publicly verifiable.) Selective opening security holds if in this situation the confidentiality of the remaining ‘unopened’ ciphertexts is still guaranteed. Intuitively, as all the encryptions occur independently of each other, IND-CCA should imply SO security. Unfortunately, formal analysis reveals that this is not the case.

Notions of Selective Opening security. Formalising suitable notions of SO security has proven to be highly non-trivial. Since encrypted messages may depend on each other, opening some ciphertexts might readily leak information on messages encrypted in other (unopened) ciphertexts. Thus, it is not even clear what it means for unopened messages to remain confidential. Two flavours of SO security have been studied in prior work: notions based on indistinguishability (IND) and notions based on simulatability (SIM). For IND based notions an adversary may open arbitrary ciphertexts and is challenged to tell apart the originally encrypted messages from fresh messages that occur as likely as the original messages. One usually restricts the distribution on the messages to be efficiently conditionally resamplable to ensure an efficient security game (weak-IND-SO). We obtain the security experiment for full-IND-SO if arbitrary distributions may occur in the experiment.

In contrast, SIM based notions (capturing semantic security in the SO setting) do not suffer from such a restriction. In a nutshell, a scheme is SIM-SO secure if for every SO adversary there exists a simulator that can compute the same output without seeing any ciphertexts. Importantly, such simulators may corrupt senders to learn the messages they (virtually) encrypted.

Both flavours may be considered for passive (CPA) and active (CCA) adversaries whereby, in contrast to the CPA setting, a CCA adversary has access to a decryption oracle (with the usual restrictions). While any of IND-SO-CPA/CCA and SIM-SO-CPA/CCA implies standard IND-CPA/CCA security, the converse does not hold in general. Only partial results are known for the reverse direction, as discussed below. We give more details on the relations amongst the notions of selective opening security at the end of Sect. 2.

Motivation and contribution. Considering that users in practice may be exposed to the threats modeled in the SO context, and given that the classical indistinguishability notions are formally weaker than notions of SO security, the following question is immediate: Are users ‘safe’ if they trust in a PKE scheme designed towards the goal of ‘only’ indistinguishability? At least in theory, if the security proof of the scheme considers exclusively indistinguishability, information about encrypted messages is potentially exposed to the adversary in SO-like attack scenarios. This observation calls for a thorough SO analysis of all encryption schemes covered by international standards. The facts that all PKE schemes that so far were formally confirmed to be SO secure require heavy building blocks like lossy trapdoor functions (except for one work discussed in Previous work) and that practitioners systematically avoid such building blocks for reasons of efficiency suggest that likely most practical schemes would not withstand SO attacks. Fortunately, however, in this paper we show that virtually all practical PKE constructions provably do meet SO security.

Our approach is complementary to that of prior works: Instead of analysing the asymmetric building blocks of constructions, we observe that SO security is tightly linked to the security of the symmetric building blocks (i.e., symmetric encryption). In particular, we show that in the KEM/DEM paradigm for hybrid encryption certain properties of blockcipher-based DEMs suffice to render the overall PKE scheme SO secure (in the ideal cipher model for the blockcipher), independently of the properties of the KEM.

In a nutshell, our result is: We introduce a specific property called simulatability for blockcipher-based DEMs that is met by virtually all DEMs used in practice and guarantees that if a corresponding DEM is combined with any IND-CCA secure KEM then the overall hybrid PKE scheme achieves SIM-SO-CCA security (in the ideal cipher model). Intuitively, simulatable DEMs can be thought of as some form of non-committing encryption in the realm of symmetric cryptography, while non-committing encryption is usually considered in the public-key setting.

Previous work. The SO problem dates back to [12] where the selective decommitment problem was studied for commitment schemes. SO notions for encryption first appeared in [3, 6]. The first IND-SO-CPA secure encryption scheme in the standard model was given in [3] and is based on lossy encryption (cf. [29]).

Also deniable encryption [7] and techniques from non-committing encryption [8, 21] already allow for constructing SO secure PKE ([11]). Many separation and implication results for SO and standard notions were studied in [2, 5, 6, 26]. While it was known that IND-CPA implies weak-IND-SO-CPA when messages are drawn pair-wise independently (cf. [5, 12]), the implication does not hold for arbitrary (efficiently conditionally resamplable) distributions, as recently reported [25]. That result makes use of heavy machinery such as public-coin differing-inputs obfuscation and correlation intractable hash functions. However, IND-CPA implies weak-IND-SO-CPA for low-dependency distributions such as Markov chains [19]. Further, SIM-SO secure constructions in the standard model usually (cf. [28]) suffer in efficiency from bit-wise encryption to ensure efficient openability. See [24] for current research. SIM-SO-CCA secure PKE schemes are constructed in [18] employing extended HPSs and cross-authentication codes. This line of research continued in [28], identifying special properties of a KEM that allow constructing SIM-SO-CCA secure PKE when combined with strengthened cross-authentication codes.

Note that we only consider SO security under sender corruption. Only recently, security under receiver corruption gained some attention [20] while already defined in [1].

Work analysing the SO security of standardised widely-used encryption schemes appeared only recently (in the random oracle model). Concretely, Heuer et al. [22] consider Hashed ElGamal encryption (standardised under the name of DHIES) and RSA-OAEP. Unfortunately, the considered versions of these PKE schemes assume messages that are not longer than the output lengths of the used random oracle, i.e., less than 128 bytes. This severely limits the results of [22] for practical considerations.

Paper organization. In Sect. 2 we recall some important cryptographic notions, including the definition of SO security that we use in this paper. We then, in Sect. 3, identify certain combinatorial properties of DEMs that suffice to achieve SO security of hybrid PKE; more precisely, we expose the central claim of this paper, which states that any DEM that has these properties, in combination with any KEM, results in a SIM-SO-CCA secure PKE scheme in the ideal cipher model. In Sect. 3 we also sketch the arguments required for proving this claim. We continue in Sect. 4 with checking whether widely-used DEMs (in particular the NIST-standardised CTR, CBC, and CCM modes) have these properties, and come to the conclusion that they do. We work out the full details of our main claim and its proof in Sect. 5. We conclude in Sect. 6.

In the full version of this paper [23] we further show that also the (NIST standardised) GCM mode of operation possesses the combinatorial properties identified in Sect. 3.

2 Preliminaries

For \(n\in \mathbb {N}\) let \([n]:=\{1,\ldots ,n\}\). We distinguish the following operators for assigning values to variables: We use symbol ‘’ when the assigned value results from a constant expression (including the output of a deterministic algorithm), we write ‘’ when the value is sampled uniformly at random from a finite set, and we write ‘’ when the assigned value is the output of a randomised algorithm. If f is a function or a deterministic algorithm that maps elements from a set A to a set B we use notations \(f:A\rightarrow B\) and \(A\rightarrow f\rightarrow B\) interchangeably. If f is a randomised algorithm we correspondingly write , or simply in case the algorithm takes no input. If \(A\times B\rightarrow f\rightarrow C\) is a function then for any \(a\in A\) we write \(f_a=f(a;\cdot )\) for the partially applied function \(B\rightarrow f_a\rightarrow C;\;b\mapsto f(a,b)\). If R denotes the randomness space of a (randomised) algorithm , we may write \(A\times R \rightarrow f\rightarrow B\) for its deterministic version. If \(A\rightarrow f\rightarrow B\) is a function or a deterministic algorithm we let \([f]:=f(A)\subseteq B\) denote the image of A under f; if has randomness space R we correspondingly let \([f]:=f(A\times R)\subseteq B\) denote the set of all its possible outputs. When the union \(A\cup B\) of two sets AB is a disjoint union, i.e., if \(A\cap B=\emptyset \), we annotate this with . For a bitstring x of length at least l we write \(\mathrm {msb}_l(x)\) for its left-most l bits and \(\mathrm {lsb}_l(x)\) for its right-most l bits (‘most/least significant bits’).

Our security definitions are based on games played between a challenger and an adversary. These games are expressed using program code and terminate when a ‘Stop’ command is executed; the argument of the latter is the output of the game. We write \(\Pr [G\Rightarrow 1]\) for the probability that game G terminates by running into a ‘Stop with 1’ instruction.

We next define partial permutations and blockciphers. In our proofs, the former play an important role for the abstraction of the latter.

Definition 1 (Permutation, partial permutation, blockcipher)

For a finite domain \(\mathcal {D}\) we denote the set of all permutations on \(\mathcal {D}\) with \(\mathcal {P}(\mathcal {D})\) and the set of all partial permutations on \(\mathcal {D}\) with \(\mathcal {P}\mathcal {P}(\mathcal {D})\). Precisely, a relation \(R\subseteq \mathcal {D}\times \mathcal {D}\) is a partial permutation if \(\alpha R\beta ,\alpha 'R\beta \Rightarrow \alpha =\alpha '\) and \(\alpha R \beta ,\alpha R\beta '\Rightarrow \beta =\beta '\); relation R is a permutation if in addition \(|R|=|\mathcal {D}|\) holds. A blockcipher with key space \(\mathcal {K}\) and domain \(\mathcal {D}\) is a family \((E_k)_{k\in \mathcal {K}}\) of permutations \(E_k\in \mathcal {P}(\mathcal {D})\).

We associate with a partial permutation \(R\in \mathcal {P}\mathcal {P}(\mathcal {D})\) the partial functions \(\mathcal {D}\rightarrow R^+\rightarrow \mathcal {D}\) and \(\mathcal {D}\rightarrow R^-\rightarrow \mathcal {D}\) that evaluate R left-to-right and right-to-left, respectively. For instance, if \((\alpha ,\beta )\in R\) then \(R^+(\alpha )=\beta \) and \(R^-(\beta )=\alpha \). We write \(\mathrm{Dom}(R)\) and \(\mathrm{Rng}(R)\) for the domain and range of \(R^+\), i.e., for the sets \(\{\alpha \in \mathcal {D}\mid \exists \beta :(\alpha ,\beta )\in R\}\) and \(\{\beta \in \mathcal {D}\mid \exists \alpha :(\alpha ,\beta )\in R\}\), respectively. If \(\alpha \notin \mathrm{Dom}(R)\) and \(\beta \notin \mathrm{Rng}(R)\) we denote with the operation of ‘programming’ R such that \(R^+(\alpha ) = \beta \) and \(R^-(\beta ) = \alpha \) for the updated R, which is again a partial permutation. Note that any partial permutation can be completed to a (full) permutation by adding sufficiently many such pairs \((\alpha ,\beta )\) to it. More importantly, if a partial permutation is selected according to the uniform distribution over some subset of \(\mathcal {P}\mathcal {P}(\mathcal {D})\), it can be extended to a permutation uniformly distributed in \(\mathcal {P}(\mathcal {D})\) by adding random such pairs \((\alpha ,\beta )\) to it.

Our definition of keyed hash functions subsumes both message authentication codes and universal hash functions.

Definition 2 (Keyed hash function)

A keyed hash function for a message space \(\mathcal {M}\) consists of a key space \(\mathcal {K}\), a tag space \(\mathcal {T}\), and an efficient function \(\mathrm {khf}\) of the form \(\mathcal {K}\times \mathcal {M}\rightarrow \mathrm {khf}\rightarrow \mathcal {T}\).

We proceed with specifying the syntax and functionality of DEMs. As a corresponding notion of authenticity we define integrity of ciphertexts [4]. In a nutshell, a DEM offers this feature if no adversary with access to an encapsulation oracle can find a fresh ciphertext that corresponds to a valid message, i.e., is not rejected by the decapsulation algorithm. Relevant in our work is in particular the corresponding one-time notion where the adversary can pose at most one encapsulation query.

Definition 3 (DEM)

A data encapsulation mechanism (DEM) for a message space \(\mathcal {M}\) consists of a finite key space \(\mathcal {K}\), a ciphertext space \(\mathcal {C}\), and a pair of efficient algorithms \(\mathsf {DEM}=(\mathsf {D.Enc},\mathsf {D.Dec})\) of the form

where symbol ‘\(\bot \)’ may be used to indicate errors. Correctness requires that for all \(k\in \mathcal {K}\) and \(m\in \mathcal {M}\), if \(\mathsf {D.Enc}(k,m)=c\) then \(\mathsf {D.Dec}(k,c)=m\).

Definition 4 (INT-CTXT secure DEM)

A data encapsulation mechanism is \((\tau ,q_d,\epsilon )\)-OT-INT-CTXT secure if all \(\tau \)-time adversaries \(\mathcal {A}\) that interact in the \({\mathsf {OT}\text {-}\mathsf {INT\text {-}CTXT}}\) experiment from Fig. 1 and issue at most \(q_d\) queries to the \(\textsc {D.Dec}\) oracle have an advantage of at most \(\epsilon \), where we define

This definition can be generalised to \((\tau ,q_e,q_d,\epsilon )\)-INT-CTXT security by removing line 04 from the experiment and bounding the number of queries to the \(\textsc {D.Enc}\) oracle by \(q_e\).

Fig. 1. Security game for defining OT-INT-CTXT security of DEMs. We write ‘Abort’ as an abbreviation for ‘Stop with 0’. Observe that line 04 ensures that the \(\textsc {D.Enc}\) oracle is queried at most once.

In most applications a DEM is combined with a KEM to obtain (hybrid) PKE [10]. We recall the concepts of KEMs and PKE below, and include an indistinguishability definition for KEMs.

Definition 5 (KEM)

A key encapsulation mechanism (KEM) for a finite key space \(\mathcal {K}\) consists of a public-key space \(\mathcal {P}\mathcal {K}\), a secret-key space \(\mathcal {S}\mathcal {K}\), a ciphertext space \(\mathcal {C}\), and a triple of efficient algorithms \(\mathsf {KEM}=(\mathsf {K.Gen},\mathsf {K.Enc},\mathsf {K.Dec})\) of the form

where symbol ‘\(\bot \)’ may be used to indicate errors. The randomness space of \(\mathsf {K.Enc}\) is typically denoted with \(\mathcal {R}\). Correctness requires that for all \(( pk , sk )\in [\mathsf {K.Gen}]\), if \((k,c)\in [\mathsf {K.Enc}( pk )]\) then \(\mathsf {K.Dec}( sk ,c)=k\).

Definition 6 (IND-CCA secure KEM)

A KEM is \((\tau ,q_d,\epsilon )\)-IND-CCA secure if all \(\tau \)-time adversaries \(\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)\) that interact in the \(\mathsf {IND\text {-}CCA}^b\) experiments from Fig. 2 and issue at most \(q_d\) queries to the \(\textsc {K.Dec}\) oracle have an advantage of at most \(\epsilon \), where we define

Fig. 2. Security games for defining IND-CCA security of KEMs. We write ‘Abort’ as an abbreviation for ‘Stop with 0’.

Definition 7 (PKE)

A scheme for public-key encryption (PKE) for a message space \(\mathcal {M}\) consists of a public-key space \(\mathcal {P}\mathcal {K}\), a secret-key space \(\mathcal {S}\mathcal {K}\), a ciphertext space \(\mathcal {C}\), and a triple of efficient algorithms \(\mathsf {PKE}=(\mathsf {P.Gen},\mathsf {P.Enc},\mathsf {P.Dec})\) of the form

where symbol ‘\(\bot \)’ may be used to indicate errors. The randomness space of \(\mathsf {P.Enc}\) is typically denoted with \(\mathcal {R}\). Correctness requires that for all \(( pk , sk )\in [\mathsf {P.Gen}]\) and \(m\in \mathcal {M}\), if \(c\in [\mathsf {P.Enc}( pk ,m)]\) then \(\mathsf {P.Dec}( sk ,c)=m\).

Construction 1 (Hybrid encryption)

Take a DEM for a message space \(\mathcal {M}\) and a KEM for the key space of the DEM. Then the algorithms in Fig. 3 form the hybrid PKE scheme. The randomness space of \(\mathsf {P.Enc}\) coincides with the randomness space of \(\mathsf {K.Enc}\).

Fig. 3. Hybrid construction of PKE from a KEM and a DEM. We write \(\langle c_1,c_2\rangle \) for the encoding of two ciphertext components into one. For clarity we make the randomness used by \(\mathsf {P.Gen}\) and \(\mathsf {P.Enc}\) explicit.
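As an added example (not the paper’s own code), the following Python program spells out Construction 1: a KEM and a DEM composed into a PKE scheme with the \(\langle c_1,c_2\rangle \) encoding and the encryption randomness r made explicit, which is exactly what the \(\textsc {Open}\) oracle of Fig. 4 later reveals. The KEM is a Hashed-ElGamal-style toy over a 61-bit prime and the DEM is an encrypt-then-MAC scheme built from a SHA-256 keystream and HMAC; both instantiations, the group parameters and all function names (`k_gen`, `k_enc`, `k_dec`, `d_enc`, `d_dec`, `p_gen`, `p_enc`, `p_dec`) are assumptions of this example, and the group is far too small to be secure.

```python
"""Added example, not from the paper: Construction 1 (hybrid PKE = KEM + DEM).
The KEM and DEM below are toy stand-ins chosen for illustration only."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumption: toy group, 2^61 - 1 is prime but far too small for real use.
P = 2305843009213693951
G = 3
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


# --- KEM: Hashed-ElGamal style toy (assumption) -------------------------------
def k_gen() -> Tuple[int, int]:
    """K.Gen: returns (pk, sk)."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


def _kdf(c1: int, shared: int) -> bytes:
    return hashlib.sha256(c1.to_bytes(8, "big") + shared.to_bytes(8, "big")).digest()


def k_enc(pk: int, r: Optional[int] = None) -> Tuple[bytes, int]:
    """K.Enc(pk; r): returns (k, c1); the coins r are explicit as in Fig. 3."""
    if r is None:
        r = secrets.randbelow(P - 2) + 1
    c1 = pow(G, r, P)
    return _kdf(c1, pow(pk, r, P)), c1


def k_dec(sk: int, c1: int) -> bytes:
    """K.Dec(sk, c1): recomputes the encapsulated key k."""
    return _kdf(c1, pow(c1, sk, P))


# --- DEM: SHA-256 keystream + HMAC, encrypt-then-MAC (assumption) -------------
def _keystream(ke: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(ke + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def d_enc(k: bytes, m: bytes) -> bytes:
    """D.Enc(k, m): deterministic one-time encapsulation, c2 = body || tag."""
    ke, km = k[:16], k[16:]
    body = bytes(a ^ b for a, b in zip(m, _keystream(ke, len(m))))
    return body + hmac.new(km, body, hashlib.sha256).digest()


def d_dec(k: bytes, c2: bytes) -> Optional[bytes]:
    """D.Dec(k, c2): returns m, or None for the error symbol ⊥ (INT-CTXT check first)."""
    ke, km = k[:16], k[16:]
    if len(c2) < TAG_LEN:
        return None
    body, tag = c2[:-TAG_LEN], c2[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(km, body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(ke, len(body))))


# --- Hybrid PKE (Construction 1) ----------------------------------------------
def encode(c1: int, c2: bytes) -> bytes:
    """The <c1, c2> encoding of Fig. 3: fixed-width c1 followed by c2."""
    return c1.to_bytes(8, "big") + c2


def decode(c: bytes) -> Tuple[int, bytes]:
    return int.from_bytes(c[:8], "big"), c[8:]


def p_gen() -> Tuple[int, int]:
    return k_gen()


def p_enc(pk: int, m: bytes, r: Optional[int] = None) -> bytes:
    """P.Enc(pk, m; r): the same r re-derives the same ciphertext (what Open reveals)."""
    k, c1 = k_enc(pk, r)
    return encode(c1, d_enc(k, m))


def p_dec(sk: int, c: bytes) -> Optional[bytes]:
    """P.Dec(sk, c): reject malformed c1, else decapsulate and decrypt."""
    c1, c2 = decode(c)
    if not 1 <= c1 < P:
        return None
    return d_dec(k_dec(sk, c1), c2)
```

Because `p_enc` takes the coins r explicitly, an opened sender can hand over (m, r) and anyone holding pk can recompute c and confirm the opening; this is the sender-corruption semantics the \(\textsc {Open}\) oracle models. The DEM rejects before decrypting, so a forged c2 yields \(\bot \) rather than a related plaintext.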

We present now the main security definition of this paper: confidentiality under selective opening attacks. Our model is based on the works of [6, 18]; a discussion of its details follows below.

Definition 8 (SIM-SO-CCA secure PKE)

Consider the experiments from Fig. 4. For a function \(\epsilon :\mathbb {N}\rightarrow \mathbb {R}^{\ge 0}\) we say that a PKE scheme is \((\tau ,\tau ',q_{d},\epsilon )\)-SIM-SO-CCA secure if for all \(\tau \)-time adversaries \(\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)\) that interact in the \(\mathsf {r\text {-}SO\text {-}CCA}\) experiment and issue at most \(q_{d}\) decryption queries there exists a (roughly) \(\tau \)-time simulator \(\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2)\) that interacts in the \(\mathsf {i\text {-}SO\text {-}CCA}\) experiment such that for all \(\tau '\)-time predicates and all \(n\in \mathbb {N}\) the advantage is at most \(\epsilon (n)\), where we define

Fig. 4. Security experiments for defining SIM-SO-CCA security of PKE. With \(\mathfrak {D}\) we denote a randomised circuit that induces a distribution over \(\mathcal {M}^n\). The randomness space of \(\mathsf {P.Enc}\) is denoted with \(\mathcal {R}\). Oracle \(\textsc {Open}\) may be called for all \(i\in [n]\). We write ‘Abort’ as an abbreviation for ‘Stop with 0’. We show the lines of \(\mathsf {i\text {-}SO\text {-}CCA}\) aligned to the ones of \(\mathsf {r\text {-}SO\text {-}CCA}\) for easier comparison.

We give rationale on this formalisation of SO security. The notion compares the information an adversary can deduce about a set of challenge messages in two settings: a real setting (game \(\mathsf {r\text {-}SO\text {-}CCA}\)) and an idealised setting (game \(\mathsf {i\text {-}SO\text {-}CCA}\)). The real experiment starts with the generation of a key pair. The adversary receives the public key and specifies a message distribution, represented by a randomised circuit \(\mathfrak {D}\). Messages \(m_1,\ldots ,m_n\) are sampled according to this distribution and encrypted using fresh randomnesses \(r_1,\ldots ,r_n\), and the ciphertexts are given to the adversary which derives some information \(out\) about the hidden messages. The adversary is supported by two oracles: one that decrypts arbitrary ciphertexts and one that opens honest ciphertexts by revealing the corresponding message and the randomness used to encrypt it (this is meant to model sender corruption).

The ideal experiment is similar but with all the artifacts of public key encryption removed: there is no key generation, no ciphertext generation, and no decryption oracle. Beyond that, the adversary (in this context called ‘simulator’) performs as above: it specifies a message distribution, adaptively requests openings, and derives some information \(out\) about unopened messages.

Clearly, in the ideal setting the confidentiality of unopened messages is granted (only their lengths leak in line 18, but this is unavoidable for any practical PKE scheme and implicitly also happens in line 08). We thus deem a public key encryption scheme secure under selective opening attacks if the adversary in the real setting cannot draw more conclusions about unopened messages than can be drawn in the ideal setting. Formally, it is required that for every \(\mathcal {A}\) for \(\mathsf {r\text {-}SO\text {-}CCA}\) there exists a corresponding \(\mathcal {S}\) for \(\mathsf {i\text {-}SO\text {-}CCA}\) that derives the same information. This is tested by distinguishing predicate \(\mathsf {Pred}\), which also takes further environmental information into account, for instance the recorded opening history \(\mathcal {I}\). We proceed with some remarks on the model.

In prior works that give simulation-based definitions of SO security there does not seem to be consensus on the order of quantification of \(\mathcal {S}\) and \(\mathsf {Pred}\). While most papers (cf. [22, 28]) allow for the simulator to depend on the distinguishing predicate, the work of [6] implicitly defines a stronger notion that requires the existence of a simulator that is universal. (Interestingly, many papers that exclusively consider the weaker notion actually do construct universal simulators.) We adopt the stronger notion and require the simulator to work for any distinguisher.

In the upcoming sections we construct several PKE schemes that are secure under selective opening attacks. The corresponding proofs will idealise a central building block of the schemes, concretely a blockcipher. By consequence, ideal-cipher oracles have to be added to Fig. 4. There are various options for how and where to do this: It is clear that adversary \(\mathcal {A}\) should have access to the ideal cipher, but what about \(\mathcal {S}\), what about \(\mathsf {Pred}\), and what about \(\mathfrak {D}\)? It seems that each configuration somehow makes sense and gives rise to an individual variant of SIM-SO-CCA security. Each such notion might have particular strengths and weaknesses, so declaring any of them right or wrong is arbitrary. Ultimately, when proving the SO security of our schemes, we decided to go for a model where, besides the relevant algorithms of the encryption scheme itself, only adversary \(\mathcal {A}\) gets access to the ideal cipher.

Notions of SO security under active attacks. As mentioned in the introduction, three notions for SO security under active attacks exist: {weak-IND, full-IND, SIM}-SO-CCA. None of them has emerged as a de-facto standard notion yet. Clearly, weak-IND-SO-CCA suffers from the unnatural restriction to efficiently conditionally resamplable message distributions, and the security implications for practical applications are unclear. While full-IND-SO-CCA would provide security for arbitrary underlying message distributions, as of today not even a full-IND-SO-CPA secure scheme is known.

We note that SIM-SO-CCA does not suffer from any of the above disadvantages (there is no resampling involved) and seems to offer a strong security guarantee.

Only few results relating the SO-CCA notions are known; [26] shows that IND-CCA is strictly weaker than weak-IND-CCA in general.

3 Simulatable DEMs and Our Main Result

In this section we present our main result on hybrid public key encryption. We define a combinatorial property of a DEM called simulatability and show that composing any KEM with any DEM that satisfies standard security notions and is in addition simulatable yields a SIM-SO-CCA secure PKE scheme, in the ideal cipher model [9, 17, 27].

3.1 Simulatable DEMs

Many practical DEMs are constructed from blockciphers, possibly in combination with further symmetric building blocks like universal hash functions or MACs. We formalise next what it means for a DEM to make use of a blockcipher in a black-box way. Virtually all blockcipher-based DEMs, and in particular those specified by the major standardisation bodies, are of this type. In our definition, \(\mathcal {K}\) denotes the key space of the blockcipher and \(\mathcal {K}'\) denotes the cartesian product of the key spaces of the remaining cryptographic primitives used by the scheme. For instance, in an encrypt-then-MAC construction, \(\mathcal {K}'\) would be the key space of the message authentication code; if the construction requires no further keyed primitive, \(\mathcal {K}'\) would be the trivial set containing a single element.

Recall from Definition 1 that \(\mathcal {P}(\mathcal {D})\) and \(\mathcal {P}\mathcal {P}(\mathcal {D})\) denote the sets of all permutations and partial permutations, respectively, on domain \(\mathcal {D}\).

Definition 9 (Oracle DEM)

An oracle DEM (oDEM) for a domain \(\mathcal {D}\) and a message space \(\mathcal {M}\) consists of a finite key space \(\mathcal {K}'\), a ciphertext space \(\mathcal {C}\), and efficient algorithms \(\mathsf {O.Enc}\) and \(\mathsf {O.Dec}\) that have oracle access to a permutation on \(\mathcal {D}\) (in both directions) and are of the form

where symbol ‘\(\bot \)’ may be used to indicate errors. Correctness requires that for all \(\pi \in \mathcal {P}(\mathcal {D})\), \(k'\in \mathcal {K}'\), and \(m\in \mathcal {M}\), if \(\mathsf {O.Enc}^\pi (k',m)=c\) then \(\mathsf {O.Dec}^\pi (k',c)=m\).

Definition 10 (Permutation-driven DEM)

A DEM for message space \(\mathcal {M}\) with keyspace \(\mathcal {K}''=\mathcal {K}\times \mathcal {K}'\) is permutation-driven if there exists an oracle DEM for \(\mathcal {D}\) and \(\mathcal {M}\) with algorithms \(\mathcal {K}'\times \mathcal {M}\rightarrow \mathsf {O.Enc}^\pi \rightarrow \mathcal {C}\) and \(\mathcal {K}'\times \mathcal {C}\rightarrow \mathsf {O.Dec}^\pi \rightarrow \mathcal {M}\cup \{\bot \}\), and a blockcipher \((E_k)_{k\in \mathcal {K}}\) on domain \(\mathcal {D}\), such that for all \(k'\in \mathcal {K}'\) and \(m\in \mathcal {M}\) and \(c\in \mathcal {C}\) we have

$$\begin{aligned} \mathsf {D.Enc}((k,k'),m)=\mathsf {O.Enc}^{E_k}(k',m) \quad \textit{and}\quad \mathsf {D.Dec}((k,k'),c)=\mathsf {O.Dec}^{E_k}(k',c). \end{aligned}$$
(1)

According to this definition, for any specific permutation-driven DEM multiple corresponding oracle DEMs, i.e., \(\mathsf {O.Enc}\) and \(\mathsf {O.Dec}\) algorithms, and blockciphers E might exist. In practice, however, a single canonic specification of these algorithms will stick out. This holds, as we will see, in particular for the standardised DEMs studied in Sect. 4. For the sake of a concise notation, in this paper we thus assume that suitable \(\mathsf {O.Enc}\), \(\mathsf {O.Dec}\), and E algorithms are always uniquely given.

We next define a combinatorial property called simulatability that holds for an oracle DEM if, in principle, the encapsulation algorithm could commit to a ciphertext before seeing the corresponding message; intuitively, this is only possible if the permutation in the oracle is ‘flexible enough’, i.e., can be ‘programmed’. We formalise this idea by splitting the encapsulation routine into two components, \(\mathsf {Fake}\) and \(\mathsf {Make}\). First \(\mathsf {Fake}\) outputs a ciphertext c without seeing the message m (but it does see the length of m), then \(\mathsf {Make}\), on input m, is meant to find a possible (partial) permutation instance \(\tilde{\pi }\) under which indeed m would be encapsulated to c. To be useful in our later selective opening related proofs where we want to embed \(\tilde{\pi }\) into an ideal cipher, \(\tilde{\pi }\) is further required to be uniformly distributed (conditioned on the formulated requirements).

Definition 11 (Simulatable oracle DEM)

Consider an oracle DEM for a domain \(\mathcal {D}\) and a message space \(\mathcal {M}\) that has an encapsulation algorithm of the form \(\mathcal {K}'\times \mathcal {M}\rightarrow \mathsf {O.Enc}^\pi \rightarrow \mathcal {C}\). Consider algorithms \(\mathsf {Fake}\) and \(\mathsf {Make}\) of the form

where \(\varSigma \) is a state space shared between the two algorithms. We say that the oracle DEM is \(\epsilon \)-simulatable (by \(\mathsf {Fake}\) and \(\mathsf {Make}\)) if for all \(k'\in \mathcal {K}'\) and \(m\in \mathcal {M}\), for the random variable (defined over the coins of \(\mathsf {Fake}\) and \(\mathsf {Make}\))

we have

(1) partial permutation \(\varPi _{k'}^m\) can be extended to a uniformly distributed permutation on \(\mathcal {D}\), i.e., by ‘filling up’ \(\varPi _{k'}^m\) with random pairs one obtains a permutation uniformly distributed in \(\mathcal {P}(\mathcal {D})\);

(2) the ciphertext output by \(\mathsf {Fake}\) deviates from the one that would be output by \(\mathsf {O.Enc}\) if invoked with an extension of the partial permutation output by \(\mathsf {Make}\) with probability at most \(\epsilon \). More precisely, for any uniformly distributed extension \(\pi \in \mathcal {P}(\mathcal {D})\) of \(\varPi _{k'}^m\) we have \(\Pr [c\ne \mathsf {O.Enc}^\pi (k',m)]\le \epsilon \) (where the probability is also taken over the random extension of \(\varPi _{k'}^m\) to \(\pi \));

(3) the joint running time of \(\mathsf {Fake}(k',|m|)\) and \(\mathsf {Make}( st ,m)\) does not exceed the running time of \(\mathsf {O.Enc}(k',m)\), not counting the latter’s oracle queries.

In informal discussions, when we say that a data encapsulation mechanism is simulatable we mean that it is permutation-driven and \(\mathsf {Fake},\mathsf {Make}\) algorithms exist for which it is \(\epsilon \)-simulatable with a negligibly small value \(\epsilon \).

Concerning the above definition it is important to understand that the random coins of \(\mathsf {Fake}\) and \(\mathsf {Make}\), and the coins used to extend the partial permutation in items (1) and (2), belong to the same probability space. We give an equivalent yet more verbose definition that makes this aspect more explicit in the Appendix of the full version [23].

In line with a comment made above, for all practical DEMs that are simulatable, corresponding specifications for the \(\mathsf {Fake}\) and \(\mathsf {Make}\) algorithms emerge canonically. For the sake of notational clarity, from now on we thus assume uniqueness.

Proving Simulatability. We discuss a general technique for proving the simulatability of an oracle DEM. The \(\mathsf {Fake}\) and \(\mathsf {Make}\) algorithms are typically explicitly provided in the proof. \(\mathsf {Fake}\)’s strategy is to mimic the behaviour of \(\mathsf {O.Enc}\) by executing it and answering blockcipher queries with random elements from \(\mathcal {D}\). \(\mathsf {Make}\) constructs a partial permutation \(\tilde{\pi }\) that fits this random assignment by starting with the empty relation \(\tilde{\pi }=\emptyset \) and iteratively adding pairs \((\alpha ,\beta )\in \mathcal {D}\times \mathcal {D}\) to \(\tilde{\pi }\) that help meet the \(\mathsf {O.Enc}^{\tilde{\pi }}(k',m)=c\) goal, always taking care that the \(\alpha \tilde{\pi }\beta ,\alpha '\tilde{\pi }\beta \Rightarrow \alpha =\alpha '\) and \(\alpha \tilde{\pi }\beta ,\alpha \tilde{\pi }\beta ' \Rightarrow \beta =\beta '\) requirements from Definition 1 are not violated (\(\mathsf {Make}\) aborts if simultaneously reaching these conditions turns out to be impossible). Simulatability requirement (1) is achieved by ensuring that for each addition of \((\alpha ,\beta )\) to \(\tilde{\pi }\), either \(\alpha \) or \(\beta \) is uniformly distributed conditioned on the prior state of \(\tilde{\pi }\). Proving the bound from condition (2) typically requires a combinatorial argument that assesses the probability of collisions. Requirement (3) follows by inspection of the specifications of \(\mathsf {Fake}\) and \(\mathsf {Make}\).
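The following Python program is an added example, not code from the paper. It implements the partial permutations of Definition 1 (programming plus lazy uniform extension, which is also how an ideal cipher is lazily sampled as a family of partial permutations), a toy one-time CTR-style oracle DEM on 16-bit blocks, and \(\mathsf {Fake}\)/\(\mathsf {Make}\) for it following the strategy just described. The block size, the toy DEM (counter starting at 0, trivial \(\mathcal {K}'\)) and the names `PartialPermutation`, `IdealCipher`, `o_enc`, `o_dec`, `fake`, `make` are assumptions of this example; the standardised modes the paper actually treats appear in Sect. 4.

```python
"""Added example, not from the paper: partial permutations (Definition 1),
a lazily sampled ideal cipher, and Fake/Make for a toy one-time CTR oracle DEM
(Definition 11).  Domain and DEM are illustrative assumptions."""
import secrets
from typing import Dict, List, Optional, Sequence

BLOCK_BITS = 16                 # assumption: toy domain D = {0,1}^16
DOMAIN = 1 << BLOCK_BITS


class PartialPermutation:
    """Relation R on D respecting both injectivity conditions of Definition 1."""

    def __init__(self) -> None:
        self.fwd: Dict[int, int] = {}   # evaluates R^+
        self.bwd: Dict[int, int] = {}   # evaluates R^-

    def program(self, alpha: int, beta: int) -> None:
        """Add (alpha, beta); legal only if alpha ∉ Dom(R) and beta ∉ Rng(R)."""
        if alpha in self.fwd or beta in self.bwd:
            raise ValueError("pair would break the partial-permutation property")
        self.fwd[alpha] = beta
        self.bwd[beta] = alpha

    def plus(self, alpha: int) -> int:
        """R^+(alpha); an undefined point gets a uniform beta ∉ Rng(R) (lazy sampling)."""
        if alpha not in self.fwd:
            beta = secrets.randbelow(DOMAIN)
            while beta in self.bwd:          # rejection keeps the extension uniform
                beta = secrets.randbelow(DOMAIN)
            self.program(alpha, beta)
        return self.fwd[alpha]

    def minus(self, beta: int) -> int:
        """R^-(beta), lazily extended in the same way."""
        if beta not in self.bwd:
            alpha = secrets.randbelow(DOMAIN)
            while alpha in self.fwd:
                alpha = secrets.randbelow(DOMAIN)
            self.program(alpha, beta)
        return self.bwd[beta]


class IdealCipher:
    """Family (E_k): one independent lazily sampled permutation per key k."""

    def __init__(self) -> None:
        self.perms: Dict[bytes, PartialPermutation] = {}

    def perm(self, k: bytes) -> PartialPermutation:
        return self.perms.setdefault(k, PartialPermutation())

    def e_plus(self, k: bytes, alpha: int) -> int:    # oracle E^+
        return self.perm(k).plus(alpha)

    def e_minus(self, k: bytes, beta: int) -> int:    # oracle E^-
        return self.perm(k).minus(beta)


# Toy one-time CTR oracle DEM (assumption): K' is trivial, messages are block
# sequences, and c_i = m_i xor pi(i) with the counter starting at 0.
def o_enc(pi: PartialPermutation, m: Sequence[int]) -> List[int]:
    return [mi ^ pi.plus(i) for i, mi in enumerate(m)]


def o_dec(pi: PartialPermutation, c: Sequence[int]) -> List[int]:
    return [ci ^ pi.plus(i) for i, ci in enumerate(c)]


def fake(length: int, coins: Optional[Sequence[int]] = None) -> List[int]:
    """Fake(k', |m|): runs O.Enc and answers every cipher query with a random
    block, so the ciphertext is committed to before m is known."""
    if coins is None:
        coins = [secrets.randbelow(DOMAIN) for _ in range(length)]
    return list(coins)          # the state st is just c here


def make(c: Sequence[int], m: Sequence[int]) -> Optional[PartialPermutation]:
    """Make(st, m): program pi~ so that o_enc(pi~, m) == c.

    Each programmed output c_i ^ m_i is uniform since c_i was uniform
    (requirement (1)).  Two equal outputs would violate Definition 1, so Make
    aborts (returns None); the probability of that event is the epsilon of (2)."""
    pi = PartialPermutation()
    try:
        for i, (ci, mi) in enumerate(zip(c, m)):
            pi.program(i, ci ^ mi)
    except ValueError:
        return None
    return pi


def fake_make_roundtrip(m: Sequence[int], coins: Optional[Sequence[int]] = None) -> bool:
    """Check of (2): a uniform extension of Make's pi~ encrypts m to Fake's c."""
    c = fake(len(m), coins)
    pi = make(c, m)
    if pi is None:
        return False
    return o_enc(pi, m) == c and o_dec(pi, c) == list(m)
```

For CTR the counter inputs are pairwise distinct, so `make` can only fail on a range collision among the values c_i xor m_i; with ℓ blocks that happens with probability about ℓ²/(2·|D|), which is the combinatorial bound condition (2) asks for. Running `fake` and `make` together performs exactly the ℓ XORs that `o_enc` does, which is condition (3).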

3.2 Selective Opening Security from Simulatable DEMs

Our main result is on the SO security of public-key encryption obtained by combining an arbitrary KEM with a permutation-driven DEM. Our analysis is conducted in the ideal cipher model for the blockcipher underlying the DEM. We give an informal version of our main theorem and an outline of the proof. We caution that some technical preconditions are omitted in the statement as we give it here. See Sect. 5 for the full theorem statement and proof.

Theorem 1 (informal)

Combine any KEM and any permutation-driven DEM to obtain a PKE scheme. If the KEM is IND-CCA secure, the DEM is OT-INT-CTXT secure and the corresponding oracle DEM is simulatable, then the combined PKE scheme is SIM-SO-CCA secure, in the ideal cipher model.

Fig. 5. Game \(\mathsf {r\text {-}SO\text {-}CCA}\) adapted towards the analysis of a PKE scheme constructed following the KEM/DEM paradigm using a permutation-driven DEM with corresponding oracle DEM algorithms \(\mathsf {O.Enc}\) and \(\mathsf {O.Dec}\), in the ideal cipher model. We write ‘Abort’ as an abbreviation for ‘Stop with 0’. We further abbreviate the pair \(\textsc {E}^+,\textsc {E}^-\) of ideal cipher oracles with just \(\textsc {E}\).

We proceed with the proof outline. The goal is to show that for every adversary \(\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)\) for the \(\mathsf {r\text {-}SO\text {-}CCA}\) game there exists a simulator \(\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2)\) for the \(\mathsf {i\text {-}SO\text {-}CCA}\) game that deduces the same information. In Fig. 5 we reproduce the \(\mathsf {r\text {-}SO\text {-}CCA}\) game from Fig. 4 with the hybrid construction of the encryption scheme, the oracle DEM underlying the DEM, and the ideal cipher model made explicit. (In the \(\mathsf {i\text {-}SO\text {-}CCA}\) game there is nothing to be adapted.) We correspondingly equip adversary \(\mathcal {A}\) and the DEM algorithms with oracles \(\textsc {E}^+\) and \(\textsc {E}^-\) that implement an ideal blockcipher on domain \(\mathcal {D}\). In particular, for each key k, oracles \(\textsc {E}^+(k;\cdot )\) and \(\textsc {E}^-(k;\cdot )\) are inverses of each other. For a concise notation, we typically just write \(\textsc {E}\) for the pair consisting of \(\textsc {E}^+\) and \(\textsc {E}^-\). We implement ideal cipher \(\textsc {E}\) via lazy sampling and keep track of the assignments made using a game-internal family \((E_k)_{k\in \mathcal {K}}\) of partial permutations \(E_k\in \mathcal {P}\mathcal {P}(\mathcal {D})\). Note that we do not also provide the KEM algorithms with access to \(\textsc {E}\), meaning we assume the KEM does not use the same blockcipher as the DEM. See Sect. 5 for a discussion.

Fig. 6. Simplified version of simulator \(\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2)\), constructed from adversary \(\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)\). We write \(\textsc {Open}_\mathcal {S}\) and \(\textsc {Open}_\mathcal {A}\) for the opening oracles provided to \(\mathcal {S}_2\) and \(\mathcal {A}_2\), respectively. For simplicity we do not annotate the state information passed from \(\mathcal {A}_1\) to \(\mathcal {A}_2\) and from \(\mathcal {S}_1\) to \(\mathcal {S}_2\).

When it comes to constructing \(\mathcal {S}\) from \(\mathcal {A}\), the strategy is to let the former run the latter as a subroutine: Simulator \(\mathcal {S}\) converts its own input into an input for \(\mathcal {A}\), uses the output of \(\mathcal {A}\) as its own output, and answers, and in some cases relays, oracle queries posed by \(\mathcal {A}\). We give the footprint of a universal such simulator that leverages the simulatability of the (permutation-driven) DEM in Fig. 6. For the sake of clarity, we simplified the specifications of algorithms \(\mathcal {S}_1\) and \(\mathcal {S}_2\) quite a bit, removing many technicalities. While we briefly discuss the missing parts below, for the full details of the simulator and a formal analysis we refer to Sect. 5.

We walk the reader through the design principles of our simulator. What we referred to above as ‘deduces the same information’ formally requires that the inputs \(\mathfrak {D},m_1,\ldots ,m_n,\mathcal {I},out\) of the \(\mathsf {Pred}\) invocations in the \(\mathsf {r\text {-}SO\text {-}CCA}\) and \(\mathsf {i\text {-}SO\text {-}CCA}\) games be similar. This is achieved by letting \(\mathcal {S}\) simulate for \(\mathcal {A}\) the environment of \(\mathsf {r\text {-}SO\text {-}CCA}\) in a way such that: \(\mathcal {S}_1\) forwards the message distribution \(\mathfrak {D}\) obtained from \(\mathcal {A}_1\) without modification (this also ensures that the distributions of \(m_1,\ldots ,m_n\) match), \(\mathcal {S}_2\) keeps the index sets \(\mathcal {I}\) corresponding to \(\mathcal {A}_2\)’s and its own \(\textsc {Open}\) queries consistent (by forwarding the queries), and \(\mathcal {S}_2\) forwards \(\mathcal {A}_2\)’s output \(out\) without modification. The lines in Fig. 6 corresponding to these steps are 03/04, 14, and 12/13, respectively.

Running \(\mathcal {A}\) as a subroutine leads to useful results only if \(\mathcal {A}\) is exposed to an \(\mathsf {r\text {-}SO\text {-}CCA}\)-like environment. Effectively this means that \(\mathcal {S}\) has to ‘fill all the blank lines’ of the \(\mathsf {i\text {-}SO\text {-}CCA}\) game in Fig. 4. Concretely this involves (a) generating and providing a public key for \(\mathcal {A}_1\), (b) providing ciphertexts to \(\mathcal {A}_2\) that correspond to messages \(m_1,\ldots ,m_n\), (c) providing adequate randomness when processing opening queries of \(\mathcal {A}_2\), and (d) handling decryption queries of \(\mathcal {A}_1\) and \(\mathcal {A}_2\). Further, ideal cipher queries of \(\mathcal {A}_1\) and \(\mathcal {A}_2\) have to be taken care of. The latter is straightforward when deploying lazy sampling, i.e., using the mechanisms of the \(\mathsf {r\text {-}SO\text {-}CCA}\) version from Fig. 5. Also (a) and (d) are easy to deal with: The public key \( pk \) provided to \(\mathcal {A}_1\) is a regular KEM key generated by \(\mathcal {S}_1\) (lines 02,03); in particular, secret key \( sk \) is known to \(\mathcal {S}\) and can be used to process decryption queries. Concerning (b), creating ciphertexts \(c_1,\ldots ,c_n\) for \(\mathcal {A}_2\) consists, in principle, of two parts: letting the KEM establish session keys and encapsulating messages with the DEM. Component \(\mathcal {S}_2\) of our simulator does the former according to the specification, i.e., by invoking algorithm \(\mathsf {K.Enc}\) with fresh randomness (lines 06,07), while for the latter, as it cannot invoke \(\mathsf {D.Enc}\) (or, more precisely, \(\mathsf {O.Enc}\)) because it does not know the messages it needs to encapsulate, it leverages the simulatability of the DEM and obtains the corresponding ciphertext from an execution of the \(\mathsf {Fake}\) algorithm (line 09). How \(\mathcal {S}_2\) deals with (c) is now immediate: for each created ciphertext it knows the randomness used, so it can release it in an opening query (line 17). Note, however, that knowledge of this randomness brings \(\mathcal {A}_2\) into the position to verify the DEM ciphertext components generated by \(\mathsf {Fake}\) (e.g., by decapsulating or re-encapsulating them); correspondingly, the \(\textsc {Open}\) oracle in addition runs the \(\mathsf {Make}\) algorithm and embeds the partial permutation proposed by it into ideal cipher \(\textsc {E}\) (lines 15,16). By the definition of simulatability of a DEM, this fixes the ideal cipher such that overall consistency is established.

As announced earlier, in Fig. 6 we leave out some details of our simulator. These are related to situations in which \(\mathcal {S}\) cannot uphold a proper environment for \(\mathcal {A}\) and has to abort its execution. This is the case when \(\mathsf {Fake}\) and \(\mathsf {Make}\) fail to properly simulate \(\mathsf {O.Enc}\) (the definition of simulatability considers a small probability of failure), or if the partial permutation output by \(\mathsf {Make}\) cannot be embedded into the ideal cipher (line 16). The latter condition can result from various actions of adversary \(\mathcal {A}\), for instance (explicitly) from queries to the \(\textsc {E}\) oracles, or (implicitly) from evaluations of \(\textsc {E}\) during the processing of a decryption query. In the full proof given in Sect. 5 we show that if the KEM is IND-CCA secure and the DEM is OT-INT-CTXT secure, then the probability is small that any of these conditions is met. (Very briefly speaking, we use the KEM notion for bounding the probability of explicit queries, and we use the DEM notion for bounding the probability of implicit ones.)

4 Simulatability of Practical DEMs

We prove that three blockcipher-based DEMs that were standardised by NIST are permutation-driven and simulatable. Concretely we analyse the CTR and CBC modes of operation (SP 800-38A [13]), a CBC variant with ciphertext stealing (CTS) (Addendum to SP 800-38A [16]) and the CCM mode (SP 800-38C [14]). The fourth NIST standardised mode of operation, the GCM mode (SP 800-38D [15]), is covered in the full version of this paper [23]. More precisely, as for our results on selective opening security only those DEMs are relevant that offer ciphertext integrity (cf. Definition 4), instead of plain CTR, CBC, and CBC/CTS encryption we actually analyse their encrypt-then-MAC variants, where we assume arbitrary strongly unforgeable MACs. Further, as CCM is an authenticated encryption scheme with associated data (AEAD [30]), we turn it into a DEM by using it with a fixed nonce \(N_0\) and an empty associated data string \(A_0\). As the three named modes follow different design principles, some of which might be incompatible with simulatability, analysing all of them is more than just a matter of diligence. While CTR mode encrypts by XORing blockcipher outputs into the message, CBC mode encrypts by pushing message blocks through the cipher, and CCM combines both approaches in a MAC-then-encrypt design.

In the following we specify the mentioned DEMs in their oracle DEM form, assuming that the underlying blockcipher \((E_k)_{k\in \mathcal {K}}\) is over domain \(\mathcal {D}=\{0,1\}^\ell \). We show their simulatability by proposing and analysing corresponding \(\mathsf {Fake}\) and \(\mathsf {Make}\) algorithms, following the general strategy suggested at the end of Sect. 3.1.

4.1 CTR-then-MAC

We analyse the DEM obtained by first encrypting the provided message with the CTR0 mode of operation of a blockcipher (counter mode with fixed initial counter value) and then appending a deterministic MAC tag to the ciphertext.

We specify the \(\mathsf {O.Enc}\) and \(\mathsf {O.Dec}\) algorithms of CTR0-DEM in Fig. 7, where we assume that \(G:{[{1}\,..\,{V}]}\rightarrow \mathcal {D}\) denotes a fixed injective function (a ‘counter generator’) for some sufficiently large value V. The MAC is represented by a keyed hash function \(\mathrm {khf}:\mathcal {K}'\times \{0,1\}^*\rightarrow \{0,1\}^T\). The message space of CTR0-DEM is \(\mathcal {M}=\{0,1\}^*\) and the ciphertext space is \(\mathcal {C}=\{0,1\}^{\ge T}\).

Fig. 7. CTR0-DEM. Lines 00 and 16 uniquely identify quantities l and \(l^*\) such that \(l\in \mathbb {N}^{\ge 1}\) and \(0\le l^*<\ell \), and \(|m|=(l-1)\ell +l^*\) and \(|\bar{c}|=(l-1)\ell +l^*\), respectively. Correspondingly, line 01 assumes \(|m_1|=\ldots =|m_{l-1}|=\ell \) and \(|m^*_l|=l^*\), and line 17 assumes \(|c_1|= \ldots = |c_{l-1}|=\ell \) and \(|c^*_l|=l^*\). Further, line 13 assumes \(|t|=T\).

Lemma 1

CTR0-DEM is \(\epsilon \)-simulatable with \(\epsilon =(\lceil L/\ell \rceil ^2-\lceil L/\ell \rceil )/2^{\ell +1}\), where L is the maximum message length (in bits).

Proof

Consider algorithms \(\mathsf {Fake}\) and \(\mathsf {Make}\) from Fig. 8. The idea of \(\mathsf {Fake}\) is to compute intermediate ciphertext \(\bar{c}\) on the basis of uniformly distributed blockcipher outputs (see how line 01 of \(\mathsf {Fake}\) replaces l-many iterations of line 06 of \(\mathsf {O.Enc}\)), but to compute the MAC tag on \(\bar{c}\) faithfully. Note that the correct length of \(\bar{c}\) is known to \(\mathsf {Fake}\) as it coincides with the length of m. Inspection shows that, given m, algorithm \(\mathsf {Make}\) finds a minimal partial permutation \(\tilde{\pi }\) such that \(\mathsf {Fake}\) and \(\mathsf {Make}\) jointly mimic the behaviour of \(\mathsf {O.Enc}\) (see here how lines 15–18 of \(\mathsf {Make}\) arrange the entries of \(\tilde{\pi }\) such that they are consistent with lines 05–06 of \(\mathsf {O.Enc}\)). In some invocations of the algorithms, the described process might fail (lines 16, 17), namely when partial permutation \(\tilde{\pi }\) would become inconsistent (i.e., the updated \(\tilde{\pi }\) would stop being an element of \(\mathcal {P}\mathcal {P}\)). In such cases \(\mathsf {Make}\) aborts, outputting the empty partial permutation \(\tilde{\pi }=\emptyset \).

We next show that the conditions from Definition 11 are met. Observe that, as \(\mathsf {Fake}\) picks values \(c_1,\ldots ,c_l\) uniformly and independently of each other, the same holds for the values \(v_1,\ldots ,v_l\) computed in line 15. That is, in each iteration of line 18 a value \(v_i\) is added to \(\mathrm{Rng}(\tilde{\pi })\) that is uniform conditioned on the then current state of \(\mathrm{Rng}(\tilde{\pi })\). Thus condition (1) holds. To establish the correctness bound of condition (2) we analyse the probability that \(\mathsf {Make}\) aborts. By the injectivity of function G the \(u_i\)-values from line 14 are pairwise distinct, so the abort condition of line 16 is never met. Further, as values \(v_i\) computed in line 15 are uniformly distributed and independent of each other, the abort condition of line 17 is met with probability \(\epsilon =(0+\ldots +(l-1))/|\mathcal {D}|=((l^2-l)/2)/|\mathcal {D}|\) (accumulated over all iterations of the loop). Plugging in the maximum value \(l=\lceil L/\ell \rceil \) gives the bound claimed in the statement. Condition (3) is clear.    \(\square \)

Fig. 8. \(\mathsf {Fake}\) and \(\mathsf {Make}\) for CTR0-DEM. We write ‘Abort’ as an abbreviation for ‘Return \(\emptyset \)’.
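To make the general proof technique from Sect. 3.1 and the CTR0-DEM instance of Lemma 1 concrete, the following is an added toy implementation (not the paper's own code) of \(\mathsf {O.Enc}\), \(\mathsf {Fake}\), \(\mathsf {Make}\) and the abort bound. It assumes a byte-granular domain with \(\ell =128\), a big-endian counter generator G, HMAC-SHA256 truncated to T as the keyed hash function, and that \(\mathsf {Make}\) receives the l uniform full blocks that \(\mathsf {Fake}\) drew as its random coins.

```python
"""Toy Fake/Make for CTR0-DEM (Sect. 4.1); added example, not the paper's code."""
import hashlib
import hmac
import secrets
from fractions import Fraction

ELL = 128            # blocklength ell in bits; D = {0,1}^ELL (assumed AES-sized)
BLOCK = ELL // 8     # blocklength in bytes; all lengths below are in bytes
T = 16               # MAC tag length T in bytes (assumption)


def G(i: int) -> bytes:
    """Injective counter generator G: [1..V] -> D (assumed: big-endian encoding of i)."""
    return i.to_bytes(BLOCK, "big")


def khf(mac_key: bytes, data: bytes) -> bytes:
    """Keyed hash function khf: K' x {0,1}* -> {0,1}^T (assumed: truncated HMAC-SHA256)."""
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:T]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PartialPermutation:
    """An element of PP(D): a partial injective map on D, kept as forward/backward tables."""

    def __init__(self):
        self.fwd, self.bwd = {}, {}

    def add(self, alpha: bytes, beta: bytes) -> None:
        # The two consistency requirements of Definition 1 (Sect. 3.1).
        if alpha in self.fwd:
            raise ValueError("domain collision")
        if beta in self.bwd:
            raise ValueError("range collision")
        self.fwd[alpha] = beta
        self.bwd[beta] = alpha

    def __call__(self, alpha: bytes) -> bytes:
        return self.fwd[alpha]          # KeyError if O.Enc evaluates a point pi~ leaves open

    def is_empty(self) -> bool:
        return not self.fwd


def split_blocks(m: bytes) -> list:
    """Fig. 7, lines 00/01: |m| = (l-1)*BLOCK + l*, full blocks m_1..m_{l-1}, then m_l* (l* < BLOCK)."""
    l = len(m) // BLOCK + 1
    return [m[(i - 1) * BLOCK:i * BLOCK] for i in range(1, l)] + [m[(l - 1) * BLOCK:]]


def oenc(pi: PartialPermutation, mac_key: bytes, m: bytes) -> bytes:
    """O.Enc^pi(k', m) of CTR0-DEM: push counters G(1..l) through pi, XOR into m, then MAC."""
    cbar = b"".join(xor(mi, pi(G(i))[:len(mi)]) for i, mi in enumerate(split_blocks(m), 1))
    return cbar + khf(mac_key, cbar)


def fake(mac_key: bytes, mlen: int):
    """Fake: replace each blockcipher output by a uniform block, but MAC faithfully.
    Returns (c, coins); the l uniform blocks are the random coins shared with Make."""
    l = mlen // BLOCK + 1
    coins = [secrets.token_bytes(BLOCK) for _ in range(l)]
    cbar = b"".join(coins)[:mlen]
    return cbar + khf(mac_key, cbar), coins


def make(m: bytes, coins: list) -> PartialPermutation:
    """Make: from m and Fake's coins, build the minimal pi~ with O.Enc^pi~(k', m) = c.
    Returns the empty partial permutation on abort (Fig. 8, lines 16/17)."""
    pi = PartialPermutation()
    for i, mi in enumerate(split_blocks(m), 1):
        u = G(i)                                     # line 14: the i-th counter block
        # line 15: v_i = m_i xor c_i; the unused tail of the last coin block stays uniform
        v = xor(mi, coins[i - 1][:len(mi)]) + coins[i - 1][len(mi):]
        try:
            pi.add(u, v)                             # line 18, guarded by lines 16/17
        except ValueError:
            return PartialPermutation()              # 'Abort' = 'Return emptyset'
    return pi


def abort_bound(L: int, ell: int) -> Fraction:
    """Lemma 1: Pr[Make aborts] <= (ceil(L/ell)^2 - ceil(L/ell)) / 2^(ell+1), L in bits."""
    l = -(-L // ell)                                 # ceil(L / ell)
    return Fraction(l * l - l, 2 ** (ell + 1))


def simulate_and_check(mac_key: bytes, m: bytes) -> bool:
    """Run Fake, then Make, and verify that O.Enc under the proposed pi~ reproduces c."""
    c, coins = fake(mac_key, len(m))
    pi = make(m, coins)
    return (not pi.is_empty()) and oenc(pi, mac_key, m) == c
```

The domain-side abort never fires because G is injective; the range-side abort is reached exactly when two of the uniform blocks \(v_i\) coincide, which is what the union bound in `abort_bound` counts.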

4.2 CBC-then-MAC

We consider the DEM obtained by encrypting the message with CBC0 mode (cipher block chaining with initialisation vector zero) and appending a MAC tag to the ciphertext. As a variant we also look at CBC0-CTS (CBC0 with ‘ciphertext stealing’) that supports a complementary message space.

Fig. 9. CBC-DEM (for multi-block messages). Lines 00 and 14 identify quantity \(l\in \mathbb {N}^{\ge 0}\) such that \(|m|=l\ell \) and \(|\bar{c}|=l\ell \), respectively. Correspondingly, line 01 assumes \(|m_1|=\ldots =|m_l|=\ell \) and line 15 assumes \(|c_1|= \ldots = |c_l|=\ell \). Further, line 11 assumes \(|t|=T\).

Fig. 10. CBC-CTS-DEM (for messages that require padding). Lines 00 and 16 uniquely identify quantities l and \(l^*\) such that \(l\in \mathbb {N}^{\ge 1}\) and \(1\le l^*<\ell \), and \(|m|=l\ell +l^*\) and \(|\bar{c}|=l\ell +l^*\), respectively. Correspondingly, line 01 assumes \(|m_1|=\ldots =|m_l|=\ell \) and \(|m^*_{l+1}|=l^*\), and line 17 assumes \(|c_1|= \ldots = |c_{l-1}|=\ell \) and \(|c^*_l|=l^*\) and \(|c_{l+1}|=\ell \). Further, line 13 assumes \(|t|=T\).

We specify the \(\mathsf {O.Enc}\) and \(\mathsf {O.Dec}\) algorithms of CBC-DEM in Fig. 9 and of CBC-CTS-DEM in Fig. 10. Similarly as for CTR0-DEM, the MAC is represented by a keyed hash function of the form \(\mathrm {khf}:\mathcal {K}'\times \{0,1\}^*\rightarrow \{0,1\}^T\). The message space of CBC-DEM consists of all messages that have a length that is a multiple of the blocklength \(\ell \), i.e., \(\mathcal {M}=\bigcup _{\lambda \ge \ell ,\ell \mid \lambda }\{0,1\}^\lambda \); the ciphertext space is \(\mathcal {C}=\bigcup _{\lambda \ge \ell ,\ell \mid \lambda }\{0,1\}^{\lambda +T}\). In contrast, CBC-CTS-DEM supports all message lengths that are not a multiple of \(\ell \), with a minimum value of \(\ell +1\); formally, \(\mathcal {M}=\bigcup _{\lambda \ge \ell ,\ell \not \mid \lambda }\{0,1\}^\lambda \) and \(\mathcal {C}=\bigcup _{\lambda \ge \ell ,\ell \not \mid \lambda }\{0,1\}^{\lambda +T}\). Together, CBC-DEM and CBC-CTS-DEM can handle messages of any length not smaller than \(\ell \).

Lemma 2

CBC-DEM is \(\epsilon \)-simulatable where \(\epsilon =((L/\ell )^2-(L/\ell ))/2^\ell \), and CBC-CTS-DEM is \(\epsilon \)-simulatable with \(\epsilon =(\lfloor L/\ell \rfloor ^2+\lfloor L/\ell \rfloor )/2^\ell \), where L is the maximum message length (in bits).

Fig. 11. \(\mathsf {Fake}\) and \(\mathsf {Make}\) for CBC-DEM. We write ‘Abort’ as an abbreviation for ‘Return \(\emptyset \)’.

Proof

The proof is similar to the one of Lemma 1. Consider algorithms \(\mathsf {Fake}\) and \(\mathsf {Make}\) from Fig. 11. The idea of \(\mathsf {Fake}\) is to compute intermediate ciphertext \(\bar{c}\) on the basis of uniformly distributed blockcipher outputs (see how line 01 of \(\mathsf {Fake}\) replaces l-many iterations of line 05 of \(\mathsf {O.Enc}\)), but to compute the MAC tag on \(\bar{c}\) faithfully. Note that the correct length of \(\bar{c}\) is known to \(\mathsf {Fake}\) as it coincides with the length of m. Inspection shows that, given m, algorithm \(\mathsf {Make}\) finds a minimal partial permutation \(\tilde{\pi }\) such that \(\mathsf {Fake}\) and \(\mathsf {Make}\) jointly mimic the behaviour of \(\mathsf {O.Enc}\) (see here how lines 13–16 of \(\mathsf {Make}\) arrange the entries of \(\tilde{\pi }\) such that they are consistent with lines 04–05 of \(\mathsf {O.Enc}\)). In some invocations of the algorithms, the described process might fail (lines 14, 15), namely when partial permutation \(\tilde{\pi }\) would become inconsistent. In such cases \(\mathsf {Make}\) aborts, outputting the empty partial permutation \(\tilde{\pi }=\emptyset \).

We next show that the conditions from Definition 11 are met. Observe that, as \(\mathsf {Fake}\) picks values \(c_1,\ldots ,c_l\) uniformly and independently of each other, in each iteration of line 16 a value \(c_i\) is added to \(\mathrm{Rng}(\tilde{\pi })\) that is uniform conditioned on the then current state of \(\mathrm{Rng}(\tilde{\pi })\). Thus condition (1) holds. To establish the correctness bound of condition (2) we analyse the probability that \(\mathsf {Make}\) aborts. With values \(c_1,\ldots ,c_{l-1}\) also the values \(u_2,\ldots ,u_l\) computed in line 13 are uniformly distributed and independent of each other, so the abort condition of line 14 is met with probability \((0+\ldots +(l-1))/|\mathcal {D}|=((l^2-l)/2)/|\mathcal {D}|\) (accumulated over all iterations of the loop). The same bound holds for line 15. Plugging in the maximum value \(l=L/\ell \) gives the bound claimed in the statement. Condition (3) is clear.

Algorithms \(\mathsf {Fake}\) and \(\mathsf {Make}\) for CBC-CTS-DEM are given in Fig. 12. The analysis is similar. Here, however, we have \(l=\lfloor L/\ell \rfloor \) and for lines 16 and 17 the accumulated probabilities of abort amount to \((0+\ldots +l)/|\mathcal {D}|\) each.    \(\square \)

Fig. 12. \(\mathsf {Fake}\) and \(\mathsf {Make}\) for CBC-CTS-DEM. We write ‘Abort’ as an abbreviation for ‘Return \(\emptyset \)’.

4.3 CCM

We analyse the CCM mode of operation (‘CTR mode with CBC-MAC’) with fixed nonce and associated data field; we call this mode CCM0-DEM. CCM is parameterised by an authentication tag length T, a formatting function \(F:\mathcal {N}\times \mathcal {A}\times \mathcal {M}\rightarrow \mathcal {D}^+\) (where \(\mathcal {N}\) and \(\mathcal {A}\) denote the nonce space and the associated data space, respectively), and a counter generation function \(G:\mathcal {N}\times {[{0}\,..\,{V}]}\rightarrow \mathcal {D}\), where V is a sufficiently large value. While only one set of instantiations of F and G is suggested in SP 800-38C (and if it is chosen the resulting version of CCM is the one used in wireless encryption standard IEEE 802.11), the specification is explicitly modular in the sense that it works with any F and G that meet certain conditions. Amongst others, the conditions listed in [14] imply that for all \(N\in \mathcal {N}\) the function \(G(N;\cdot )\) is injective and that for all \((N,A,m)\in \mathcal {N}\times \mathcal {A}\times \mathcal {M}\) and \(z_0\ldots z_r=F(N,A,m)\) we have that \(z_0\notin G(N,{[{0}\,..\,{V}]})\). Now, if we fix any nonce \(N_0\) and any associated data string \(A_0\) (e.g., the all-zero string for \(N_0\) and the empty string for \(A_0\)) and define the restrictions \(F_0:\mathcal {M}\rightarrow \mathcal {D}^+;\;m\mapsto F(N_0,A_0,m)\) and \(G_0:{[{0}\,..\,{V}]}\rightarrow \mathcal {D};\;i\mapsto G(N_0,i)\), then the algorithms of the resulting oracle DEM associated with CCM are given in Fig. 13. The message space of CCM0-DEM is \(\mathcal {M}=\{0,1\}^*\) and the ciphertext space is \(\mathcal {C}=\{0,1\}^{\ge T}\).

Fig. 13. CCM0-DEM. Lines 09 and 20 uniquely identify quantities l and \(l^*\) such that \(l\in \mathbb {N}^{\ge 1}\) and \(0\le l^*<\ell \), and \(|m|=(l-1)\ell +l^*\) and \(|c|=(l-1)\ell +l^*+T\), respectively. Correspondingly, line 10 assumes \(|m_1|=\ldots =|m_{l-1}|=\ell \) and \(|m^*_l|=l^*\), and line 21 assumes \(|c_1|= \ldots = |c_{l-1}|=\ell \) and \(|c^*_l|=l^*\) and \(|t^*|=T\).

Lemma 3

CCM0-DEM is \(\epsilon \)-simulatable with \(\epsilon \le \lfloor L/\ell \rfloor ^2/2^{\ell -2}\), where L is the maximum message length (in bits).

Proof

Consider algorithms \(\mathsf {Fake}\) and \(\mathsf {Make}\) from Fig. 14. The idea of \(\mathsf {Fake}\) is to compute the visible ciphertext components on the basis of uniformly distributed blockcipher outputs while completely ignoring the blockcipher invocations of CCM’s internal CBC-MAC computation (see how line 07 and l-many iterations of line 15 of \(\mathsf {O.Enc}\) (in Fig. 13) are replaced by lines 00 and 03 of \(\mathsf {Fake}\), while lines 01 and 04 of \(\mathsf {O.Enc}\) have no counterpart). Inspection shows that, given m, algorithm \(\mathsf {Make}\) finds a minimal partial permutation \(\tilde{\pi }\) such that \(\mathsf {Fake}\) and \(\mathsf {Make}\) jointly mimic the behaviour of \(\mathsf {O.Enc}\) (see here how lines 24–27, 30–33, 35–38, 43–46 of \(\mathsf {Make}\) arrange the entries of \(\tilde{\pi }\) such that they are consistent with lines 01, 04, 06/07, 14/15 of \(\mathsf {O.Enc}\)). In some invocations of the algorithms, the described process might fail (in lines 25/26, 31/32, 36/37, 44/45), namely when partial permutation \(\tilde{\pi }\) would become inconsistent. In such cases \(\mathsf {Make}\) aborts, outputting the empty partial permutation \(\tilde{\pi }=\emptyset \).

Fig. 14. \(\mathsf {Fake}\) and \(\mathsf {Make}\) for CCM0-DEM. We write ‘Abort’ as an abbreviation for ‘Return \(\emptyset \)’.

We next show that the requirements from Definition 11 are met. To see that condition (1) holds, observe that in \(\mathsf {Make}\) the values \(y_0\), \(y_i\), \(v_0\), and \(v_j\) are uniformly distributed and independent of each other at the point they are added to \(\mathrm{Rng}(\tilde{\pi })\) in lines 27, 33, 38, 46. To establish the correctness bound of condition (2) we assess the probability that \(\mathsf {Make}\) aborts. Using a similar analysis as in the proof of Lemma 1 we obtain the following (accumulated) probabilities: The abort conditions in lines 25 and 26 are never met; for lines 31 and 32 the probabilities are \((1+\ldots +r)/|\mathcal {D}|\) each; by the properties of CCM’s functions \(F_0\) and \(G_0\), for lines 36 and 37 the probabilities are \(r/|\mathcal {D}|\) and \((r+1)/|\mathcal {D}|\); for line 44 the probability is \(lr/|\mathcal {D}|\); finally, for line 45 the probability is \(((r+2)+\ldots +(r+l+1))/|\mathcal {D}|\). If we assume reasonable behaviour of function \(F_0\) and let \(r=l\), we obtain quantity \(4l^2/|\mathcal {D}|\) as an upper bound for the sum of these probabilities. This establishes the claimed bound. Condition (3) is clear.    \(\square \)

5 A Formal Treatment of Our Main Result

We anticipated the main result of this paper in Sect. 3: Any (hybrid) PKE scheme constructed from a KEM and a permutation-driven DEM offers SIM-SO-CCA security in the ideal cipher model, if the KEM provides confidentiality (IND-CCA), the DEM provides authenticity (OT-INT-CTXT), and the DEM is simulatable. Prerequisites like IND-CCA and OT-INT-CTXT on the KEM and DEM, respectively, are standard for proofs of the IND-CCA security of hybrid encryption, so the important finding is that the added constraint of simulatability suffices to lift security to the stronger notion of SO security.

We discussed an informal version of our result in Sect. 3.2. Recall from the included proof sketch that an important subgoal was bounding the probability of the ideal cipher being evaluated on input a key established by the KEM before a corresponding \(\textsc {Open}\) query is posed. (If the cipher is evaluated earlier, the partial permutation found by \(\mathsf {Fake}\) and \(\mathsf {Make}\) cannot be smoothly embedded into it any more.) In the following we argue that without putting further restrictions on the KEM, bounding this probability to any small value is in general impossible. Indeed, assume for a moment a KEM where \(\mathsf {K.Enc}\), before outputting a key k and a ciphertext c, evaluates the blockcipher used by \(\mathsf {D.Enc}\) on input key k and a value \(d_0\), where the latter is any fixed element \(d_0\in \mathcal {D}\) in the cipher’s domain, and assume \(\mathsf {K.Enc}\) completely ignores the result. Even though this blockcipher evaluation is completely pointless and should not affect security of the overall design, for such a KEM our arguments would not work. Below, in the formal version of our theorem statement, we correspondingly restrict the set of considered KEMs to those that do not evaluate the blockcipher at all. This admittedly is a limitation of our result, but we believe it is a mild one. Indeed, all practical KEMs we are aware of do not (internally) invoke blockcipher operations at all. This holds in particular for Hashed ElGamal, PSEC-KEM, Cramer-Shoup KEM, and RSA-KEM. In the following theorem statement, if E is a blockcipher, we say a KEM is E-independent if no KEM algorithm evaluates \(E^+\) or \(E^-\).

We proceed with the statement and proof of our main theorem.

Theorem 2

Let \(\mathsf {DEM}\) be a \((\mathcal {K},\mathcal {D})\)-permutation-driven DEM with corresponding oracle DEM \(\mathsf {oDEM}\) and blockcipher E. Let \(\mathsf {KEM}\) denote an E-independent KEM for the key space of the DEM. Let \(\mathsf {PKE}\) denote the hybrid PKE scheme obtained when instantiating Construction 1 in Fig. 3 with \(\mathsf {KEM}\) and \(\mathsf {DEM}\).

Let \(\mathsf {DEM}\) be \((\tau ,q_{d},\epsilon _{ctxt})\)-OT-INT-CTXT secure and \(\mathsf {KEM}\) be \((\tau ,q_{d},\epsilon _{cca})\)-IND-CCA secure.

If \(\mathsf {oDEM}\) is \(\epsilon _{sim}\)-simulatable, then \(\mathsf {PKE}\) is \((\tau ,\tau ',q_{d},q_{ic},\epsilon )\)-SIM-SO-CCA secure where \(\epsilon \) can be upper-bounded by

$$ \epsilon (n) \le n \cdot \left( 3 \cdot \epsilon _{cca}+ \epsilon _{ctxt}+ \epsilon _{sim}+ 2 \cdot \frac{n+q_{ic}+q_{d}}{|\mathcal {K}|} \right) $$

and E is modeled as an ideal cipher.

Fig. 15. Proposed simulator \(\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2)\) inlined into the \(\mathsf {i\text {-}SO\text {-}CCA}\) experiment. \(\mathcal {S}_1\) is given in lines 00–03, \(\mathcal {S}_2\) in lines 04–11. Instructions in grey boxes are executed by the ideal experiment. The whole code corresponds to the last game \({\mathsf {G}}_6\) in our proof. For \(\mathcal {J}\subseteq [n]\) we denote \(C_{\mathcal {J},1}:=\{c_{j,1}\mid j\in \mathcal {J}\}\) and \(K_\mathcal {J}:=\{k_j\mid j\in \mathcal {J}\}\). Further, we denote \(\mathrm{supp}(E):=\{k\in \mathcal {K}\mid E_k\ne \emptyset \}\).

See Sect. 3.2 for a proof sketch including the high-level ideas. We proceed with a detailed proof of Theorem 2.

Proof. For the list of n challenge ciphertexts \((\langle c_{1,1},c_{1,2} \rangle ,\ldots ,\langle c_{n,1},c_{n,2}\rangle )\) and \(\mathcal {J}\subseteq [n]\) let \(C_{\mathcal {J},1}\) denote the set \(\{c_{j,1}\mid j\in \mathcal {J}\}\). For the keys output by the n iterations of \(\mathsf {K.Enc}\), and \(\mathcal {J}\subseteq [n]\) let \(K_\mathcal {J}\) denote the set \(\{k_j\mid j\in \mathcal {J}\}\) of blockcipher keys \(k_i\) for \(i\in \mathcal {J}\). For the family of partial permutations \((E_k)_{k\in \mathcal {K}}\) maintained by \(\mathcal {S}\) to implement ideal cipher E, let \(\mathrm{supp}(E):=\{k\in \mathcal {K}\mid E_k\ne \emptyset \}\) denote the set of keys \(k\in \mathcal {K}\) where partial permutation \(E_k\) is not empty.

Fix any SIM-SO-CCA adversary \(\mathcal {A}\). We define a simulator \((\mathcal {S}_1,\mathcal {S}_2)\) by giving its pseudocode in Fig. 15. Simulator \(\mathcal {S}_1\) consists of lines 00 – 03, \(\mathcal {S}_2\) consists of lines 04 – 11. Their code is enhanced by bookkeeping and abort events, while the explicit invocation of \(\mathcal {S}_1\), \(\mathcal {S}_2\) and their input/output behaviour is merged into the ideal game. Instructions in grey boxes are performed by the ideal game.

We show that \(\mathcal {S}\), when run in the ideal game, can simulate the real game for \(\mathcal {A}\). To this end we proceed in a sequence of experiments tracing \(\mathcal {A}\)’s advantage of distinguishing two consecutive games. The sequence interpolates between the real game (\({\mathsf {G}}_0=\mathsf {r\text {-}SO\text {-}CCA}\), cf. Fig. 5) and a simulated real game (\({\mathsf {G}}_6\), cf. Fig. 15) provided by the simulator \(\mathcal {S}\) inlined into the ideal game.

The whole sequence of experiments is given in Fig. 16. Lines ending with a range of experiments \(\mathsf {G}_i\)–\(\mathsf {G}_j\) (resp. \(\mathsf {G}_i\) if \(j=i\)) are only executed when an experiment within the range is run.

Without loss of generality we assume that \(\mathcal {A}\) does not make the same opening query twice. We proceed with detailed descriptions of the experiments.

Fig. 16. Experiments \({\mathsf {G}}_0\)–\({\mathsf {G}}_6\) used in the proof of Theorem 2. We write ‘Abort’ as an abbreviation for ‘Stop with 0’.

Game \({\mathsf {G}}_0\). The \(\mathsf {r\text {-}SO\text {-}CCA}\) game as given in Fig. 5.

Game \({\mathsf {G}}_1\). Lines 28 and 29 are added: Any decryption query of the form \(\langle c_1,c_2\rangle \) is answered with \(\bot \) if \(c_1\in C_{[n]\setminus \mathcal {I},1}\). That is, there exists \({i\in [n]}\) such that \(c_1=c_{i,1}\) and \(\mathcal {A}\) did not query \(\textsc {Open}(i)\).

Claim. There exists an adversary \(\mathcal {B}_{cca}\) that \((\tau ,q_{d},\epsilon _{cca})\)-breaks the IND-CCA security of \(\mathsf {KEM}\) and an adversary \(\mathcal {B}_{ctxt}\) that \((\tau ,q_{d},\epsilon _{ctxt})\)-breaks the OT-INT-CTXT security of \(\mathsf {DEM}\) with \(|\Pr [{\mathsf {G}}_0\Rightarrow 1]-\Pr [{\mathsf {G}}_1\Rightarrow 1]|\le n \cdot (\epsilon _{cca}+\epsilon _{ctxt}).\)

Proof. Games \({\mathsf {G}}_0\) and \({\mathsf {G}}_1\) proceed identically, until \(\mathcal {A}\) submits a ciphertext \(\langle c_1,c_2\rangle \) to decryption where \(c_1\in C_{[n]\setminus \mathcal {I},1}\) and \(\mathsf {P.Dec}( sk ,\langle c_1,c_2\rangle )\ne \bot \). We fix some \({i\in [n]}\) and analyse the probability that \(\mathcal {A}\) submits a ciphertext \(\langle c_1,c_2 \rangle \) where \(c_1\in C_{\{i\}\setminus \mathcal {I},1}\) and \(\mathsf {P.Dec}( sk ,\langle c_1,c_2\rangle )\ne \bot \); we denote this event by ‘\(\langle c_{i,1},c_2\rangle \nrightarrow \bot \)’.

At first, we replace \(k_i''\) as output by the \(i^{th}\) invocation of \(\mathsf {K.Enc}\) with a uniformly random key. We lose an additional summand of \(\epsilon _{cca}\) in the bound on \(\Pr [\langle c_{i,1},c_2\rangle \nrightarrow \bot ]\) as shown by the following reduction run by adversary \(\mathcal {B}_{cca}\): It uses its decapsulation oracle to answer decryption queries from \(\mathcal {A}_1\). Receiving \((c^*,k_b^*)\), \(\mathcal {B}_{cca}\) parses and computes all ciphertexts faithfully except for . Decryption queries \(\langle c_1,c_2\rangle \) by \(\mathcal {A}_2\) are answered employing the decapsulation oracle for \(c_1\ne c^*\) and using key \(k_b^*\) otherwise.

The reduction perfectly simulates \({\mathsf {G}}_1\) until \(\mathcal {A}\) queries \(\textsc {Open}(i)\) which the reduction cannot answer. Yet, to bound the probability of event ‘\(\langle c_{i,1},c_2\rangle \nrightarrow \bot \)’ happening, it suffices to make sure that the reduction ‘works’ as long as the event can occur. Observe that ‘\(\langle c_{i,1},c_2\rangle \nrightarrow \bot \)’ cannot happen after query \(\textsc {Open}(i)\).

We now show how to break the OT-INT-CTXT security of the DEM if ‘\(\langle c_{i,1},c_2\rangle \nrightarrow \bot \)’ happens. We construct \(\mathcal {B}_{ctxt}\). The reduction performed by \(\mathcal {B}_{ctxt}\) runs \(\mathsf {K.Gen}\) and starts \(\mathcal {A}_1( pk )\). Decryption queries are answered using \( sk \). Once \(\mathcal {A}_1\) outputs \(\mathfrak {D}\), \(\mathcal {B}_{ctxt}\) samples messages but submits \(m_i\) to the \(\mathsf {D.Enc}\) oracle of its OT-INT-CTXT game to obtain a data encapsulation under a random key \(k''_{\$}\). Additionally, \(\mathcal {B}_{ctxt}\) runs \(\mathsf {K.Enc}\) to obtain \((k,c_1^*)\) and sends \((c_1,\ldots ,c_{i-1},\langle c_1^*,c_2^*\rangle ,\ldots ,c_n)\) to \(\mathcal {A}\). Adversary \(\mathcal {B}_{ctxt}\) answers all further decryption queries on its own, unless the ciphertext is of the form \(\langle c_1^*,c_2\rangle \) where it submits \(c_2\) to the decapsulation oracle of the \({\mathsf {OT}\text {-}\mathsf {INT\text {-}CTXT}}\) experiment. If it receives \(\bot \), it returns \(\bot \) to \(\mathcal {A}_2\).

Clearly, \(\mathcal {B}_{ctxt}\) wins the OT-INT-CTXT game when \(\mathcal {A}\) submits a ciphertext that causes ‘\(\langle c_{i,1},c_2\rangle \nrightarrow \bot \)’ to happen.

We obtain \(\Pr [\langle c_{i,1},c_2\rangle \nrightarrow \bot ]\le \epsilon _{cca}+\epsilon _{ctxt}\). The claim follows from the union-bound over all \({i\in [n]}\).   \(\square \)

The next game hop ensures that (if it is not aborted) the \(i^{th}\) invocation of the oracle data encapsulation, i.e., \(\mathsf {O.Enc}^{E(k_i;\cdot )}\), has access to an empty partial permutation \(E_{k_i}\). This is a preparational step to ensure that later, when \(\mathsf {O.Enc}\) is replaced with \(\mathsf {Fake}\) and \(\mathsf {Make}\), the partial permutation output by \(\mathsf {Make}\) can be embedded into \(E_{k_i}\).

Game \({\mathsf {G}}_2.\) Line 10 is added. That is, \({\mathsf {G}}_2\) aborts if the \(i^{th}\) iteration of \(\mathsf {O.Enc}\) would have oracle access to a non-empty permutation \(E(k_i;\cdot )\).Footnote 4

Claim. There exists an adversary \(\mathcal {B}_{cca}\) that \((\tau ,q_{d},\epsilon _{cca})\)-breaks the IND-CCA security of \(\mathsf {KEM}\) with \(|\Pr [{\mathsf {G}}_1\Rightarrow 1]-\Pr [{\mathsf {G}}_2\Rightarrow 1]|\le n\cdot (\epsilon _{cca}+(n+q_{ic}+q_{d})\mathbin {/}|\mathcal {K}|)\).

Proof. We bound \(\Pr [k_i\in K_{[i-1]}\cup \mathrm{supp}(E)]\) for fixed \({i\in [n]}\). Again, we use \(\mathsf {KEM}\)’s IND-CCA security to replace \(k_i''\) output by the \(i^{th}\) invocation of \(\mathsf {K.Enc}\) with a uniform key. We construct adversary \(\mathcal {B}_{cca}\). It receives \( pk \) and starts \(\mathcal {A}_1( pk )\). Decryption queries are answered using the decapsulation oracle. When \(\mathcal {A}_1\) halts, \(\mathcal {B}_{cca}\) requests its IND-CCA challenge \((c^*,k_b^*)\) — let — and runs the For loop 07. In the \(i^{th}\) iteration \(\mathcal {B}_{cca}\) halts and returns 1 iff \(k_b\in K_{[i-1]}\cup \mathrm{supp}(E)\). Clearly, the reduction is perfect until \(\mathcal {B}_{cca}\) halts and we have \(|\Pr [k_i\in K_{[i-1]}\cup \mathrm{supp}(E)]-\Pr [k_{\$}\in K_{[i-1]}\cup \mathrm{supp}(E)]|\le \epsilon _{cca}\) where .

Note that each decryption query or query to the ideal cipher oracles adds at most one element to \(\mathrm{supp}(E)\), hence \(|K_{[i-1]}\cup \mathrm{supp}(E) |\le n+q_{ic}+q_{d}\). Thus, we obtain \(\Pr [k_{\$}\in K_{[i-1]}\cup \mathrm{supp}(E)]\le (n+q_{ic}+q_{d})\mathbin {/}|\mathcal {K}|\) and \(\Pr [k_i\in K_{[i-1]}\cup \mathrm{supp}(E)]\le \epsilon _{cca}+(n+q_{ic}+q_{d})\mathbin {/}(|\mathcal {K}|)\). The claim follows from the union-bound over \({i\in [n]}\).    \(\square \)

Game \({\mathsf {G}}_3.\) The faithful data encapsulation is replaced by algorithms \(\mathsf {Fake}\) and \(\mathsf {Make}\). More precisely, for each iteration of the For loop (line 06) we replace the invocation \(\mathsf {O.Enc}^{E(k_i;\cdot )}(k_i',m_i)\) (line 11) with running \(\mathsf {Fake}(k'_i,|m_i|)\) and \(\mathsf {Make}(m_i)\) back to back (lines 12, 13). \(E_{k_i}\) gets assigned the partial permutation \(\tilde{\pi }\) output by \(\mathsf {Make}\) (cf. line 14) and a check is performed whether \(E_{k_i}\) has been programmed ‘consistently’; if not, experiment \({\mathsf {G}}_3\) aborts (lines 15, 16).

Claim. \(|\Pr [{\mathsf {G}}_2\Rightarrow 1]-\Pr [{\mathsf {G}}_3\Rightarrow 1]|\le n \cdot \epsilon _{sim}.\)

Proof. Fix \({i\in [n]}\). Due to the modifications in games \({\mathsf {G}}_1\) and \({\mathsf {G}}_2\) partial permutation \(E_{k_i}\) is empty at the time of invoking \(\mathsf {O.Enc}\). Hence, once we replace \(\mathsf {O.Enc}\) by \(\mathsf {Fake}\) and \(\mathsf {Make}\), the partial permutation as output by \(\mathsf {Make}\) can always be embedded into \(E_{k_i}\). Particularly, partial permutations \(E_{k_i}\) accessed by \(\mathsf {O.Enc}\) and \(\tilde{\pi }\) output by \(\mathsf {Make}\) are identically distributed when randomly extended to a full permutation on \(\mathcal {D}\). We conclude that the abort in line 16 happens with probability at most \(\epsilon _{sim}\) as \(\mathsf {oDEM}\) is \(\epsilon _{sim}\)-simulatable. The claim follows from the union-bound over all \({i\in [n]}\).    \(\square \)

Recall from the proof outline that, eventually, \(\mathsf {Make}\) shall be run as part of the \(\textsc {Open}\) procedure. The upcoming modifications ensure that partial permutation \(E_{k_i}\) remains empty until \(\textsc {Open}(i)\) is queried.

Game \({\mathsf {G}}_4.\) Line 02 is added to initialise a flag ‘\(\mathrm {bad}\)’ as 0. Lines (35, 36) are added to the \(\textsc {E}^+\) oracle, lines (42, 43) are added to the \(\textsc {E}^-\) oracle and line 19 is added. That is, if \(\textsc {E}^+\) or \(\textsc {E}^-\) is queried on \((k_i,z)\) for any z and \(i\notin \mathcal {I}\), ‘\(\mathrm {bad}\)’ is set to 1 and the game aborts the execution of \(\mathcal {A}_2\) (in line 19).

Claim. There exists an adversary \(\mathcal {B}_{cca}\) that \((\tau ,q_{d},\epsilon _{cca})\)-breaks the IND-CCA security of \(\mathsf {KEM}\) with \(|\Pr [{\mathsf {G}}_3\Rightarrow 1]-\Pr [{\mathsf {G}}_4\Rightarrow 1]|\le n\cdot (\epsilon _{cca}+(q_{ic}+q_{d})/|\mathcal {K}|)\).

Proof. Fix \({i\in [n]}\) and let ‘\(k\in K_{\{i\}\setminus \mathcal {I}}\)’ denote the event that \(\textsc {E}^+\) or \(\textsc {E}^-\) is queried on \((k,z)\) where \(k\in K_{\{i\}\setminus \mathcal {I}}\). (That is, the condition in lines 35 or 42 holds, even for \(K_{\{i\}\setminus \mathcal {I}}\)). Again, we replace key \(k_i''\) output in the \(i^{th}\) invocation of \(\mathsf {K.Enc}\) with a uniform key . The reduction run by \(\mathcal {B}_{cca}\) proceeds as in the proof to bridge \({\mathsf {G}}_0\) and \({\mathsf {G}}_1\). Here, \(\mathcal {B}_{cca}\) halts after \(\mathcal {A}_2\)’s execution and outputs 1 iff \(\mathrm {bad}=1\). Clearly \(|\Pr [k\in K_{\{i\}\setminus \mathcal {I}}]-\Pr [k\in \{k_{\$}\}\setminus \mathcal {I}]|\le \epsilon _{cca}\) for uniform .

The reduction is perfect unless \(\mathcal {A}_2\) queries \(\textsc {Open}(i)\), which cannot be answered. Note that after query \(\textsc {Open}(i)\), ‘\(\mathrm {bad}\)’ cannot be set to 1 as \(K_{\{i\}\setminus \mathcal {I}}=\emptyset \). Similarly to before, it suffices to guarantee the correctness of the simulation as long as the abort in line 19 can potentially happen.

Note that \(k_{\$}\) is uniform from \(\mathcal {A}\)’s view: Only ciphertext \(\langle c_{i,1},c_{i,2}\rangle \) might contain information on \(k_{\$}\) but \(c_{i,1}\) is independent of \(k_{\$}\) as it is sampled after \(\mathsf {K.Enc}\) output \(c_{i,1}\) and data encapsulation \(c_{i,2}\) is independent of \(k_{\$}\) as we run \(\mathsf {Fake}(k_i',m_i)\) to compute \(c_{i,2}\). Thus, \(\Pr [k\in \{k_{\$}\}\setminus \mathcal {I}]\le (q_{ic}+q_{d})/|\mathcal {K}|\) and collecting the probabilities and applying the union-bound gives the desired bound.    \(\square \)

Game \({\mathsf {G}}_5.\) Lines 37 and 44 are added. Instead of aborting after the execution of \(\mathcal {A}_2\) if \(\mathrm {bad}=1\), game \({\mathsf {G}}_5\) aborts as soon as \(\mathrm {bad}\) (as introduced in game \({\mathsf {G}}_4\)) is set to 1. Now obsolete lines 02, 19, 36 and 43 are removed for clarity.

Claim. \(\Pr [{\mathsf {G}}_4\Rightarrow 1]=\Pr [{\mathsf {G}}_5\Rightarrow 1]\).

Proof. The claim follows from observing that game \({\mathsf {G}}_5\) aborts in lines 37 or 44 if and only if game \({\mathsf {G}}_4\) aborts in line 19.    \(\square \)

Game \({\mathsf {G}}_6.\) An abort event is added in line 22. The invocation of \(\mathsf {Make}\), the embedding of a partial permutation and the consistency check are moved from the For loop in lines 13 – 16 to the \(\textsc {Open}\) oracle (lines 23 – 24).

Claim. \(\Pr [{\mathsf {G}}_5\Rightarrow 1]=\Pr [{\mathsf {G}}_6\Rightarrow 1]\).

Proof. The abort event in line 22 is solely added for clarity but never met: Assume that line 22 would cause an abort, then the condition in line 10, or lines 35/42 would have been satisfied earlier. Hence, for all \({i\in [n]}\): a) in game \({\mathsf {G}}_5\) partial permutation as output by \(\mathsf {Make}\) in line 13 is information-theoretically hidden from \(\mathcal {A}\) until it queries \(\textsc {Open}\) and b) in game \({\mathsf {G}}_6\) partial permutation \(E_{k_i}\) remains empty until \(\mathcal {A}\) queries \(\textsc {Open}\). Thus, embedding partial permutation \(\tilde{\pi }\) into \(E_{k_i}\) always succeeds. Further, moving the invocation of \(\mathsf {Make}\), the embedding and checking to the \(\textsc {Open}\) oracle is completely oblivious to \(\mathcal {A}\).    \(\square \)

We observe that the code as given in game \({\mathsf {G}}_6\) in Fig. 16 matches the code of the simulator as given in Fig. 15.

The claim of Theorem 2 follows by collecting the probabilities.    \(\square \)

6 Conclusion

The most promising practical approach to public key encryption is through the hybrid KEM/DEM paradigm. Suitable KEMs include Hashed ElGamal, PSEC-KEM, Cramer-Shoup KEM, and RSA-KEM, and candidates for the DEM part are readily derived from the highly efficient encryption modes CTR, CBC, CCM standardised by NIST (to reach CCA security, the former two should be enhanced with a MAC, e.g., CMAC or HMAC). The last NIST standardised mode of operation, GCM, is covered in the full version of this paper [23], too. To compress the contribution of this paper into a single line: We effectively show that if any of these KEMs is combined with any of these DEMs in the sense of hybrid encryption, then the obtained PKE scheme offers a strong notion of selective opening security. Our result holds in the (heuristic) ideal cipher model for the underlying blockcipher. We thus recommend using modern blockciphers like AES as they come closest to meeting such requirements.
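The KEM/DEM composition summarised above, written out as an added example (this is not code from the paper and not any standardised implementation): a Hashed ElGamal KEM over a safe-prime group, combined with a DEM built as a counter-mode keystream plus a MAC, i.e. the "CTR enhanced with a MAC" combination the conclusion names. Assumptions that are mine and not the paper's: the keystream is derived from SHA-256 rather than a blockcipher, HMAC-SHA256 stands in for CMAC, the group is a small randomly generated safe-prime group (a toy size, chosen so the example runs quickly), and the key-derivation and key-splitting details are of my choosing. The decapsulation's subgroup check and the DEM's tag check both return `None`, playing the role of \(\bot \) in the paper's decryption oracle; the tag check is what gives the DEM the integrity (OT-INT-CTXT) property the proof relies on.

```python
"""Hybrid KEM/DEM encryption: Hashed ElGamal KEM + counter-mode DEM with a MAC.
Added illustration; toy parameters and design choices are not from the paper."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits=96):
    """Safe prime p = 2q + 1 and a generator of the order-q subgroup (toy size)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 = 2^2 is a quadratic residue, hence has order q


def _i2b(x, p):
    return x.to_bytes((p.bit_length() + 7) // 8, "big")


# ---- KEM: Hashed ElGamal ----------------------------------------------------
def kem_gen(group):
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1
    return (p, q, g, pow(g, x, p)), x              # (pk, sk)


def kem_encaps(pk):
    p, q, g, y = pk
    r = secrets.randbelow(q - 1) + 1
    c1 = pow(g, r, p)
    k = hashlib.sha256(_i2b(c1, p) + _i2b(pow(y, r, p), p)).digest()
    return k, c1


def kem_decaps(pk, sk, c1):
    p, q, g, y = pk
    # Reject values outside the prime-order subgroup before touching the secret key.
    if not (1 < c1 < p) or pow(c1, q, p) != 1:
        return None
    return hashlib.sha256(_i2b(c1, p) + _i2b(pow(c1, sk, p), p)).digest()


# ---- DEM: counter-mode keystream + MAC (encrypt-then-MAC) --------------------
def _keystream(k_enc, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(k_enc + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def _split(k):
    return hashlib.sha256(b"enc" + k).digest(), hashlib.sha256(b"mac" + k).digest()


def dem_enc(k, m):
    k_enc, k_mac = _split(k)
    body = bytes(a ^ b for a, b in zip(m, _keystream(k_enc, len(m))))
    return body + hmac.new(k_mac, body, hashlib.sha256).digest()


def dem_dec(k, c2):
    if len(c2) < 32:
        return None
    k_enc, k_mac = _split(k)
    body, tag = c2[:-32], c2[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, body, hashlib.sha256).digest()):
        return None                                 # the DEM's bottom symbol
    return bytes(a ^ b for a, b in zip(body, _keystream(k_enc, len(body))))


# ---- Hybrid PKE --------------------------------------------------------------
def pke_enc(pk, m):
    k, c1 = kem_encaps(pk)
    return c1, dem_enc(k, m)


def pke_dec(pk, sk, c):
    c1, c2 = c
    k = kem_decaps(pk, sk, c1)
    return None if k is None else dem_dec(k, c2)
```

Usage: `pk, sk = kem_gen(gen_group())`, then `c = pke_enc(pk, m)` and `pke_dec(pk, sk, c)`. Flipping any bit of \(c_2\) makes the MAC check fail, and replacing \(c_1\) by another group element derives a different DEM key so the same check fails; in both cases decryption returns `None`, mirroring the \(\bot \) answers in the proof's decryption oracle.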