1 Introduction

Background. It is well known that randomness plays a key role in cryptography. For most cryptographic constructions, security is guaranteed only on condition that the random coins employed are uniformly and independently chosen. For example, IND-CCA security [19], the universally accepted security notion for PKE, requires that the randomness employed during encryption is uniformly chosen and independent of every other element. However, randomness may fail because of bugs or randomness subversion. It is by now well known that randomness failures are real threats, and that they bring new challenges to cryptographic constructions and information security products.

As far as we know, there are mainly three kinds of PKE which have been proposed to provide good privacy under randomness failures. The first one is deterministic PKE (D-PKE) [1, 4, 9], where the encryption algorithm does not need to use any randomness for encryption, and its security is guaranteed on condition that the messages have high min-entropy. D-PKE was proposed to provide fast search on encrypted data at first. Since the encryption does not use randomness, D-PKE is an important class of PKE dealing with the subsequently revealed problem of randomness subversion. The second one is hedged PKE (H-PKE) [2, 5], which can be seen as an extension of D-PKE. For hedged PKE, the encryption algorithm is randomized, and its security is guaranteed only if the messages and the randomness jointly have high min-entropy. The third one is nonce-based PKE (N-PKE) [8], the encryption algorithm of which is randomized, and the messages can be arbitrarily chosen. For each encryption, instead of taking fresh randomness, the encryption algorithm takes a uniform seed, which can be used repeatedly, and a nonce as input. A significant benefit brought by N-PKE is that it’s not necessary for the senders to generate fresh, uniform and independent randomness at every encryption. The security of N-PKE is guaranteed as long as either the seed is confidential and the message-nonce pairs do not repeat, or the seed is exposed but the nonces are unpredictable.

The above three approaches focus on different scenarios. D-PKE is only suitable for situations in which the messages have sufficient min-entropy. H-PKE applies to situations in which the messages and the randomness jointly have sufficient min-entropy. Generally speaking, both of these approaches require that the messages are independent of the public keys. N-PKE applies only to the case that either the seed or the nonces can provide sufficient randomness. Besides these three kinds of PKE schemes, the most commonly used schemes in practice are the traditional PKE schemes (i.e., security is guaranteed assuming that the randomness is good, and the messages can be arbitrarily chosen), such as RSA [18, 22].

Unfortunately, none of the aforementioned approaches is able to provide good privacy in all application scenarios. The messages we want to encrypt regularly do not have sufficient min-entropy [12] and sometimes may depend on the public key, and the randomness may fail because of bugs or deliberate randomness subversion [13, 15]. These facts limit the application of D-PKE and H-PKE. On the other hand, N-PKE can provide good privacy only if either the seed or the nonces have sufficient min-entropy from the adversaries’ point of view. If one uses N-PKE and neither the seed nor the nonces have sufficient min-entropy, the security of the scheme cannot be guaranteed. These facts limit the application of N-PKE. More importantly, it is almost unrealistic to determine beforehand which kind of PKE should be used, because the situations in which the scheme is deployed are dynamic.

Hedged security for nonce-based PKE. In this paper, we formalize the notions of hedged security for nonce-based PKE, and provide some constructions. N-PKE schemes achieving our hedged security are able to adapt to whatever situation arises when randomness fails, and achieve the best possible security. Specifically, we formalize the notion of chosen-ciphertext security against chosen-distribution attacks (IND-CDA2) for N-PKE, which can be seen as the CCA-and-N-PKE version of the original IND-CDA security for PKE formalized in [2]. This security is guaranteed on condition that the seeds, the messages and the nonces jointly have sufficient min-entropy.

We separate our IND-CDA2 security notion and the security notion proposed in [8] for N-PKE (i.e., NBP1 and NBP2 security), by presenting two counterexamples. Our counterexamples actually show that even extending the original IND-CDA security (for H-PKE) to the nonce-based setting, IND-CDA security is still separated from NBP1/NBP2 security.

Since the original NBP1/NBP2 security and IND-CDA2 security do not imply each other, when we consider the security of N-PKE, we have to require that the N-PKE schemes achieve NBP1, NBP2 and IND-CDA2 security simultaneously. For simplicity, we call it HN-IND security.

In order to handle the potential problem of randomness failures, we recommend that one use HN-IND secure N-PKE if possible, and, especially, employ as nonce at every encryption a combination of a variety of things which do not repeat (e.g., the current time) together with freshly, uniformly and independently chosen randomness (the seed can be reused). The reasons are as follows. If there are no randomness failures, the N-PKE schemes meet the universally accepted IND-CCA security. If some randomness failures are present, security that is as good as possible can be guaranteed. More specifically, if the randomness of the nonces is compromised, then as long as the seed is uniformly chosen and confidential and the message-nonce pairs do not repeat, NBP1 security guarantees that the schemes still achieve IND-CCA security. If the seed is exposed but the nonces are still unpredictable, then NBP2 security guarantees IND-CCA security. For the case that neither the seeds nor the nonces have sufficient min-entropy, as long as the seed-message-nonce tuples have sufficient min-entropy and the messages are independent of the public key, the N-PKE schemes achieve IND-CDA2 security, which is defined under chosen-ciphertext attacks and is strictly stronger than IND-CDA security. We also note that in the extreme situation that both the seed and the nonces are arbitrarily determined by the adversaries, but the messages still have sufficient min-entropy, the schemes are actually D-PKE schemes achieving adaptive IND security (i.e., the adversary is allowed to access the encryption oracle adaptively multiple times) in the CCA setting.

We note that the HN-IND secure N-PKE is able to adaptively handle the above cases, and achieves IND-CCA security even if there are some randomness failures. It’s not necessary to decide which kind of PKE (i.e., traditional PKE, H-PKE, N-PKE or D-PKE) should be used according to the specific cases beforehand.

Besides, in the setting of D-PKE, there is another kind of adaptive security notion proposed by Raghunathan, Segev and Vadhan (RSV) in [20], where the messages are allowed to depend on the public key, but an upper bound on the number of the message distributions is required. For completeness, we also formalize a similar version of IND-CDA2 security for N-PKE, and call it the RSV version of HN-IND security.

HN-IND secure constructions. In this paper we provide an N-PKE scheme achieving HN-IND security in the random oracle model (ROM). Our approach starts from the ROM construction of N-PKE in [8]. We notice that in [8], the nonce-based PKE schemes were constructed with a building block called a hedged extractor. Two constructions of hedged extractors were proposed in [8], the first in the ROM and the second in the standard model. We emphasize that, relying only on the security of the hedged extractor, neither of the N-PKE schemes built on these two hedged extractors is HN-IND secure. The reason is that the security of a hedged extractor is guaranteed only if either the seed or the nonce has enough min-entropy. Therefore, it seems that no generic construction of N-PKE based on hedged extractors achieves HN-IND security.

We also provide a generic construction of HN-IND secure N-PKE. The main idea of our scheme is from [16], which is a combination of an N-PKE scheme and a D-PKE scheme. Our conclusion shows that if the underlying N-PKE scheme is NBP1 and NBP2 secure, and the D-PKE scheme is adaptively IND secure in the CCA setting and unique-ciphertext secure, then the construction is HN-IND secure. If both the underlying constructions are built in the standard model, then our construction achieves HN-IND security in the standard model.

Moreover, we show that both of the constructions achieve the RSV version of HN-IND security.

Related work. Deterministic PKE was formally introduced by Bellare et al. [1] in CRYPTO 2007. A security notion called PRIV for D-PKE was defined, and some PRIV secure ROM constructions were proposed in [1]. Later, several equivalent security notions were formalized in [4], including the IND security used in this paper. Some variants of PRIV/IND security or D-PKE also appeared [5, 9, 11, 17, 20], and more D-PKE constructions were proposed [5, 6, 14]. Wichs [23] pointed out that fully IND security of D-PKE in the standard model cannot be achieved under any single-stage assumption. Later, with the help of UCE [6], Bellare and Hoang [5] gave the first fully IND secure D-PKE scheme in the standard model. Selective opening security for D-PKE was also formalized and achieved in the ROM [3, 16]. We note that the most commonly used security notion for D-PKE (i.e., PRIV or IND security) is a non-adaptive one. In other words, in the game defining the security, the adversary is allowed to make the challenge query only once.

Hedged PKE was introduced by Bellare et al. [2]. In [2], an adaptive security notion called IND-CDA, which is an extension of IND, is formalized, and a PKE scheme is called H-IND secure if it achieves IND-CPA and IND-CDA security simultaneously. Very recently, Boldyreva et al. [10] formalized the CCA version of IND-CDA security (which they named MMR-CCA security) for PKE with associated data. Both ROM constructions and standard-model constructions achieving fully H-IND security (i.e., the message-randomness pairs may be arbitrarily correlated) have been proposed [2, 5, 10]. The use of H-PKE in practice was explored in [10, 21].

Nonce-based PKE was introduced by Bellare and Tackmann in [8]. They formalized two security notions called NBP1 and NBP2, and showed ROM and standard-model constructions achieving both notions. Their constructions are based on a new primitive called a hedged extractor. Nonce-based signatures were also defined and built in [8]. Recently, Hoang et al. [16] formalized SOA security for N-PKE, and lifted the security notion to H-PKE. To the best of our knowledge, it is the first security notion for hedged N-PKE. But their security is defined in the SOA setting, and more importantly, it is a non-adaptive security notion. Furthermore, we note that their security notion is comparison-based (see [4]), while our IND-CDA2 security is indistinguishability-based. Informally, denote by COM-CDA2 security the HN-SO-CCA security formalized in [16] with the restriction that I is empty (i.e., the adversaries do not perform corruptions; we refer the readers to [16] for the details). Exploring the relations between COM-CDA2 security and the non-adaptive version of our IND-CDA2 security is an interesting topic for future research.

2 Preliminaries

Notations and conventions. Vectors are written in boldface, e.g., x. For a vector x, let \(|\mathbf x |\) denote its length and \(\mathbf x [i]\) denote its \(i^{\text {th}}\) component for \(i\in [|\mathbf x |]\). For a finite set X (resp. a string x), let |X| (resp. |x|) denote its size (resp. length). We extend the set membership notations to vectors. For any game \(\mathbf G \) presented in this paper, denote by \(\text {Pr}[\mathbf G ]\) the probability that the final output of \(\mathbf G \) is 1.

Public-key encryption. A (general) public-key encryption (PKE) scheme is a tuple of PPT algorithms \({\textsf {PKE}} = ({\textsf {Kg}}, {\textsf {Enc}}, {\textsf {Dec}})\). The key generation algorithm \({\textsf {Kg}}\), taking \(1^k\) as input, generates a public/secret key pair (pk, sk). The encryption algorithm \({\textsf {Enc}}\), taking pk and message \(m\in \{0,1\}^*\) as input, outputs a ciphertext c. The deterministic decryption algorithm \({\textsf {Dec}}\), taking sk and c as input, returns a value in \(\{0,1\}^*\cup \{\bot \}\). Standard correctness is required, which means that for any valid message \(m\in \{0,1\}^*\), \((pk,sk)\leftarrow {\textsf {Kg}}(1^k)\) and \(c\leftarrow {\textsf {Enc}}(pk, m)\), \({\textsf {Dec}}(sk, c)=m\) with overwhelming probability. For vectors m, r with \(|\mathbf m |=|\mathbf r |\), we denote by \({\textsf {Enc}}(pk, \mathbf m ; \mathbf r ):=({\textsf {Enc}}(pk, \mathbf m [1]; \mathbf r [1]), {\textsf {Enc}}(pk, \mathbf m [2]; \mathbf r [2]), \cdots ,\) \({\textsf {Enc}}(pk, \mathbf m [|\mathbf m |]; \mathbf r [|\mathbf m |]))\).

Fig. 1. Games for defining IND-CCA security of a standard PKE scheme PKE, and IND security and adaptively CCA security of a D-PKE scheme DE. [figure not reproduced]

IND-CCA security for \({\textsf {PKE}}\) is defined by game \(\mathbf G ^{\text {ind-cca}}_{{\textsf {PKE}}, A}\) in Fig. 1. For any \((\mathbf m _0,\mathbf m _1)\) submitted to the encryption oracle \(\text {ENC}(\cdot )\) in \(\mathbf G ^{\text {ind-cca}}_{{\textsf {PKE}}, A}\), we require that \(|\mathbf m _0|=|\mathbf m _1|\), and for every \(i\in [|\mathbf m _0|]\), \(|\mathbf m _0[i]|=|\mathbf m _1[i]|\). \({\textsf {PKE}}\) is called IND-CCA secure if \(\mathbf{Adv }^{\text {ind-cca}}_{{\textsf {PKE}}, A}(k)=2\text {Pr}[\mathbf G ^{\text {ind-cca}}_{{\textsf {PKE}}, A}(k)]-1\) is negligible for any PPT adversary A, and called IND-CPA secure if the same holds when A is not allowed to access the decryption oracle \(\text {DEC}(\cdot )\).

Following [1], the maximum public-key collision probability of \({\textsf {PKE}}\) is defined by \(\textsf {maxpk}_{{\textsf {PKE}}}(k)=\max \limits _{\omega \in \{0,1\}^*}{\text {Pr}[pk=\omega : (pk, sk)\leftarrow {\textsf {Kg}}(1^k)]}.\)

PKE secure under randomness failures. Currently, there are mainly three approaches to deal with the problems of randomness failures for PKE: deterministic PKE, hedged PKE, and nonce-based PKE. We recall their definitions and security notions as follows.

Deterministic PKE. A PKE scheme is called deterministic if the encryption algorithm is deterministic. This notion was formally introduced by Bellare et al. [1]. For a D-PKE scheme \(\textsf {DE}=(\textsf {DKg},\) \(\textsf {DEnc},\textsf {DDec})\), IND security [4] is defined by game \(\mathbf G ^{\text {de-ind}}_{{\textsf {DE}}, A}\) in Fig. 1. An IND adversary \(A=(A_1,A_2)\) in game \(\mathbf G ^{\text {de-ind}}_{{\textsf {DE}}, A}\) is called legitimate, if for any \((\mathbf m _0,\mathbf m _1)\) sampled by \(\mathcal {M}\), associated with some polynomial \(\textsf {p}(\cdot )\), the following two conditions hold: (i) \(|\mathbf m _0|=|\mathbf m _1|=\textsf {p}(k)\), and for every \(i\in [\textsf {p}(k)]\), \(|\mathbf m _0[i]|=|\mathbf m _1[i]|\); (ii) for any \(b\in \{0,1\}\), \(\mathbf m _b[1], \cdots ,\) \(\mathbf m _b[\textsf {p}(k)]\) are distinct. The guessing probability of A is denoted by \(\text {Guess}_{A}(k)\), which returns the maximum of \(\text {Pr}[\mathbf m _b[i]=m]\) over all \(b\in \{0,1\}\), all \(i\in [\textsf {p}(k)]\), all \(m\in \{0,1\}^*\), and all \(\mathcal {M}\) submitted by \(A_1\), where the probability is taken over \((\mathbf m _0,\mathbf m _1)\leftarrow \mathcal {M}(1^k)\). The block-source guessing probability of A is denoted by \(\text {Guess}^{\text {b-s}}_{A}(k)\), which returns the maximum of \(\text {Pr}[\mathbf m _b[i]=m_i\mid \mathbf m _b[j]=m_j,~\forall j\in [i-1]]\) over all \(b\in \{0,1\}\), all \(i\in [\textsf {p}(k)]\), all \(m_1,\cdots ,m_i\in \{0,1\}^*\), and all \(\mathcal {M}\) submitted by \(A_1\), where the probability is taken over \((\mathbf m _0,\mathbf m _1)\leftarrow \mathcal {M}(1^k)\). We say that A has high min-entropy (resp. high block-source min-entropy [9]) if \(\text {Guess}_{A}(k)\) (resp. \(\text {Guess}^{\text {b-s}}_{A}(k)\)) is negligible. Scheme DE is fully IND secure (resp. block-source IND secure) if \(\mathbf{Adv }^{\text {de-ind}}_{{\textsf {DE}}, A}(k)=2\text {Pr}[\mathbf G ^{\text {de-ind}}_{{\textsf {DE}}, A}(k)]-1\) is negligible for any legitimate PPT adversary A of high min-entropy (resp. high block-source min-entropy).

We say that a PPT adversary is adaptive if it is allowed to query the challenge oracle multiple times, where each query may depend on the replies to the previous queries. IND is a non-adaptive security notion. A stronger, adaptive security notion for D-PKE, adaptively CCA security, is defined by game \(\mathbf G ^{\text {de-cca}}_{{\textsf {DE}}, A}\) in Fig. 1. We similarly define an adaptively CCA adversary that is legitimate and has high min-entropy. Scheme DE is fully adaptively CCA secure if \(\mathbf{Adv }^{\text {de-cca}}_{{\textsf {DE}}, A}(k)=2\text {Pr}[\mathbf G ^{\text {de-cca}}_{{\textsf {DE}}, A}(k)]-1\) is negligible for any legitimate PPT adversary A of high min-entropy. Block-source adaptively CCA security for D-PKE is defined similarly.

DE is called unique-ciphertext [5], if for any k, any (pk, sk) generated by DKg, and any message \(m\in \{0,1\}^*\), there is at most one \(c\in \{0,1\}^*\) such that \(\textsf {DDec}(sk,c)=m\). Each D-PKE scheme can be efficiently transformed into a unique-ciphertext one [5].

Hedged PKE. In ASIACRYPT 2009, Bellare et al. [2] introduced the notion of IND-CDA security, which formalizes the security of PKE when the messages and the randomness jointly have high entropy. A PKE scheme is called hedged if it achieves both IND-CPA security and IND-CDA security, which means that it achieves IND-CPA security when the random coins employed during encryption are truly random, and achieves IND-CDA security when bad random coins are employed but the messages and the random coins jointly have high min-entropy.

For a hedged PKE (H-PKE) scheme \(\textsf {HE}=(\textsf {HKg},\textsf {HEnc},\textsf {HDec})\), IND-CDA security is defined by game \(\mathbf G ^{\text {ind-cda}}_{{\textsf {HE}}, A}\) in Fig. 2. An IND-CDA adversary \(A=(A_1,A_2)\) in game \(\mathbf G ^{\text {ind-cda}}_{{\textsf {HE}}, A}\) is called legitimate, if for any \((\mathbf m _0,\mathbf m _1,\mathbf r )\) sampled by \(\mathcal {M}\), associated with some polynomial \(\textsf {p}(\cdot )\), which is the message sampler submitted to oracle \(\text {LR}(\cdot )\) by \(A_1\), the following two conditions hold: (i) \(|\mathbf m _0|=|\mathbf m _1|=|\mathbf r |=\textsf {p}(k)\), and for every \(i\in [\textsf {p}(k)]\), \(|\mathbf m _0[i]|=|\mathbf m _1[i]|\); (ii) for any \(b\in \{0,1\}\), \((\mathbf m _b[1], \mathbf r [1]), \cdots ,\) \((\mathbf m _b[\textsf {p}(k)], \mathbf r [\textsf {p}(k)])\) are distinct. The guessing probability of A is denoted by \(\text {Guess}_{A}(k)\), which returns the maximum of \(\text {Pr}[(\mathbf m _b[i], \mathbf r [i])=(m,r)]\) over all \(b\in \{0,1\}\), all \(i\in [\textsf {p}(k)]\), all \(m\in \{0,1\}^*\), all \(r\in \{0,1\}^*\), and all \(\mathcal {M}\) submitted by \(A_1\), where the probability is taken over \((\mathbf m _0,\mathbf m _1, \mathbf r )\leftarrow \mathcal {M}(1^k)\). We say that A has high min-entropy if \(\text {Guess}_{A}(k)\) is negligible. Scheme HE is IND-CDA secure if \(\mathbf{Adv }^{\text {ind-cda}}_{{\textsf {HE}}, A}(k)=2\text {Pr}[\mathbf G ^{\text {ind-cda}}_{{\textsf {HE}}, A}(k)]-1\) is negligible for any legitimate PPT adversary A of high min-entropy. The notion of block-source IND-CDA security is similarly defined [2].

Fig. 2. Games for defining NBP1 and NBP2 security of an N-PKE scheme NE, and IND-CDA security of an H-PKE scheme HE. [figure not reproduced]

Nonce-based PKE. A nonce-based public-key encryption (N-PKE) scheme with nonce space NE.NS is a tuple of PPT algorithms \({\textsf {NE}} = ({\textsf {NKg}}, {\textsf {NSKg}},\) \({\textsf {NEnc}}, {\textsf {NDec}})\). The key generation algorithm \({\textsf {NKg}}\), taking \(1^k\) as input, generates a public/secret key pair (pk, sk). The seed generation algorithm \({\textsf {NSKg}}\), taking \(1^k\) as input, returns a sender seed xk. Let NE.SD denote the seed space. We say that \({\textsf {NSKg}}\) is trivial if it returns a uniformly chosen xk from \(\textsf {NE.SD}=\{0,1\}^k\). The deterministic encryption algorithm \({\textsf {NEnc}}\), taking pk, xk, message \(m\in \{0,1\}^*\), and nonce \(n\in \textsf {NE.NS}\) as input, outputs a ciphertext c. The deterministic decryption algorithm \({\textsf {NDec}}\) is the same as that of traditional PKE schemes: on input sk and c, it returns a value in \(\{0,1\}^*\cup \{\bot \}\). The nonce is not needed for decryption. Standard correctness is required, which means that for any valid message \(m\in \{0,1\}^*\), \((pk,sk)\leftarrow {\textsf {NKg}}(1^k)\), \(xk\leftarrow {\textsf {NSKg}}(1^k)\), \(n\in \textsf {NE.NS}\) and \(c\leftarrow {\textsf {NEnc}}(pk, xk, m, n)\), \({\textsf {NDec}}(sk, c)=m\) with overwhelming probability.

The notion of N-PKE was introduced by Bellare and Tackmann [8]. In their N-PKE constructions, the nonces are generated by a building block called a nonce generator NG with nonce space NE.NS. A nonce generator NG is a PPT algorithm that takes \(1^k\), a current state St, and a nonce selector \(\eta \) as input, and returns a nonce \(n\in \textsf {NE.NS}\) and a new state St, i.e., \((n, St)\leftarrow \textsf {NG}(1^k, \eta , St)\). Standard security of NG requires that the generated nonces be unpredictable and never repeat. We refer the readers to [8, 16] for the formal definition.

Two security notions for N-PKE were introduced in [8], which we recall in Fig. 2. An N-PKE scheme NE, with respect to NG, is NBP1 (resp. NBP2) secure if \(\mathbf{Adv }^{\text {nbp1}}_{{\textsf {NE}},\textsf {NG}, A}(k)=2\text {Pr}[\mathbf G ^{\text {nbp1}}_{{\textsf {NE}},\textsf {NG}, A}(k)]-1\) (resp. \(\mathbf{Adv }^{\text {nbp2}}_{{\textsf {NE}},\textsf {NG}, A}(k)=2\text {Pr}[\mathbf G ^{\text {nbp2}}_{{\textsf {NE}},\textsf {NG}, A}(k)]-1\)) is negligible for any PPT adversary A, where game \(\mathbf G ^{\text {nbp1}}_{{\textsf {NE}},\textsf {NG}, A}\) (resp. \(\mathbf G ^{\text {nbp2}}_{{\textsf {NE}},\textsf {NG}, A}\)) is defined in Fig. 2. According to [8], NBP1 security is achieved for any nonce generator (even a predictable one), as long as the message-nonce pairs do not repeat; NBP2 security is achieved for any unpredictable nonce generator.

3 Hedged Security for Nonce-Based Public-Key Encryption

In this section, we introduce hedged security for nonce-based public-key encryption. We first formalize chosen-ciphertext security against chosen-distribution attacks (IND-CDA2 security) for N-PKE. Then, we explore the relations among the security notions of N-PKE. Lastly, we formalize a special version (the Raghunathan et al. [20] version) of IND-CDA2 security for N-PKE.

3.1 Chosen-Ciphertext Security Against Chosen-Distribution Attacks

Notice that the original message samplers were defined for general PKE schemes, and so do not sample the seeds and the nonces. Therefore, we first formalize the notion of message samplers for N-PKE as follows.

Definition 1

(Message sampler for N-PKE). A message sampler \(\mathcal {M}\) for N-PKE is a PPT algorithm taking \(1^k\) as input, and returning \((\mathbf {m} _0,\mathbf {m} _1, \mathbf{{xk} }, \mathbf {n} )\leftarrow \mathcal {M}(1^k)\).

For any N-PKE scheme \({\textsf {NE}} = ({\textsf {NKg}}, {\textsf {NSKg}}, {\textsf {NEnc}},\) \({\textsf {NDec}})\) w.r.t. nonce generator NG, consider game \(\mathbf G ^{\text {ind-cda2}}_{{\textsf {NE}}, A}\) as shown in Fig. 3.

We say that the adversary \(A=(A_1,A_2)\) in game \(\mathbf G ^{\text {ind-cda2}}_{{\textsf {NE}}, A}\) is legitimate, if for any \((\mathbf m _0,\mathbf m _1, \mathbf{xk },\) \(\mathbf n )\) sampled by \(\mathcal {M}\) which is associated with some polynomial \(\textsf {p}(\cdot )\), the following two conditions hold: (i) \(|\mathbf m _0|=|\mathbf m _1|=|\mathbf{xk }|=|\mathbf n |=\textsf {p}(k)\), and for every \(i\in [\textsf {p}(k)]\), \(|\mathbf m _0[i]|=|\mathbf m _1[i]|\); (ii) for any \(b\in \{0,1\}\), \((\mathbf{xk }[1],\mathbf m _b[1],\mathbf n [1]), \cdots , (\mathbf{xk }[\textsf {p}(k)],\mathbf m _b[\textsf {p}(k)],\) \(\mathbf n [\textsf {p}(k)])\) are distinct.

Similarly, the guessing probability of A is denoted by \(\text {Guess}_{A}(k)\), which returns the maximum of \(\text {Pr}[(\mathbf{xk }[i],\mathbf m _b[i],\mathbf n [i])=(xk,m,n)]\) over all \(b\in \{0,1\}\), all \(i\in [\textsf {p}(k)]\), all \(xk\in \{0,1\}^*\), all \(m\in \{0,1\}^*\), all \(n\in \{0,1\}^*\), and all \(\mathcal {M}\) submitted by \(A_1\), where the probability is taken over \((\mathbf m _0,\mathbf m _1, \mathbf{xk }, \mathbf n )\leftarrow \mathcal {M}(1^k)\). The block-source guessing probability of A is denoted by \(\text {Guess}^{\text {b-s}}_{A}(k)\), which returns the maximum of \(\text {Pr}[(\mathbf{xk }[i],\mathbf m _b[i],\mathbf n [i])=(xk,m,n)\mid (\mathbf{xk }[j],\mathbf m _b[j],\mathbf n [j])=(xk_j,m_j,n_j),\) \(~\forall j\in [i-1]]\) over all \(b\in \{0,1\}\), all \(i\in [\textsf {p}(k)]\), all \(xk_1,\cdots ,xk_i\in \{0,1\}^*\), all \(m_1,\cdots ,m_i\in \{0,1\}^*\), all \(n_1,\cdots ,n_i\in \{0,1\}^*\), and all \(\mathcal {M}\) submitted by \(A_1\), where the probability is taken over \((\mathbf m _0,\mathbf m _1, \mathbf{xk }, \mathbf n )\leftarrow \mathcal {M}(1^k)\). We say that the IND-CDA2 adversary A has high min-entropy (resp. high block-source min-entropy) if \(\text {Guess}_{A}(k)\) (resp. \(\text {Guess}^{\text {b-s}}_{A}(k)\)) is negligible.

Fig. 3. Game for defining IND-CDA2 security of an N-PKE scheme NE. [figure not reproduced]

Definition 2

(IND-CDA2). An N-PKE scheme \(\textsf {{NE}} = (\textsf {{NKg}}, \textsf {{NSKg}},\) \(\textsf {{NEnc}}, \textsf {{NDec}})\), with respect to nonce generator NG, is IND-CDA2 secure (resp. block-source IND-CDA2 secure), if for any legitimate PPT adversary \(A=(A_1,A_2)\) having high min-entropy (resp. high block-source min-entropy), its advantage is negligible, where the game is defined in Fig. 3.

Remark 1

Note that if the adversary A is not allowed to access the decryption oracle \(\text {DEC}(\cdot )\), then we call the resulting security notion “IND-CDA security in the nonce-based setting”. Note that in [2] the notion of “IND-CDA security” was defined for general PKE schemes, not for N-PKE. For simplicity, in this paper we abuse notation and still write “IND-CDA security” when we refer to “IND-CDA security in the nonce-based setting”.

Remark 2

Recently, Boldyreva et al. [10] formalized the CCA version of IND-CDA security for PKE, and called it MMR-CCA security. The notion of MMR-CCA security is defined for PKE with associated data, and in the experiment defining MMR-CCA security, the adversary is allowed to access the decryption oracle before seeing the public key. Our IND-CDA2 security is formalized for N-PKE (without associated data), and the adversary is not allowed to access the decryption oracle until it receives the public key. If the lengths of the seed and the nonce are both restricted to 0, our notion naturally becomes adaptive CCA security for D-PKE.

3.2 Separations Between NBP1/NBP2 Security and IND-CDA2 Security

We now show that NBP1/NBP2 security and IND-CDA2 security do not imply each other. Our separation results are based on the following observations. In the game defining IND-CDA2 security, (i) the sender seed xk is specified by the adversary through the generated message sampler \(\mathcal {M}\), instead of being generated by \(\textsf {NSKg}\) in the game defining NBP1/NBP2 security; (ii) the challenge messages are independent of the public key, instead of being chosen by the adversary after seeing the public key in the game defining NBP1/NBP2 security.

NBP1/NBP2 \(\nRightarrow \) IND-CDA2. Actually, we provide a stronger conclusion here “NBP1/NBP2 \(\nRightarrow \) IND-CDA”. For an NBP1/NBP2 secure N-PKE scheme \({\textsf {NE}} = ({\textsf {NKg}}, {\textsf {NSKg}}, {\textsf {NEnc}}, {\textsf {NDec}})\) w.r.t. a nonce generator NG, where NSKg is trivial, we construct a new N-PKE scheme \({\textsf {NE}}' = ({\textsf {NKg}}', {\textsf {NSKg}}', {\textsf {NEnc}}', {\textsf {NDec}}')\), w.r.t. the same NG, as shown in Fig. 4.

Fig. 4. Counterexamples \({\textsf {NE}}' = ({\textsf {NKg}}', {\textsf {NSKg}}', {\textsf {NEnc}}', {\textsf {NDec}}')\) and \({\textsf {NE}}'' = ({\textsf {NKg}}'', {\textsf {NSKg}}'', {\textsf {NEnc}}'', {\textsf {NDec}}'')\). [figure not reproduced]

Since NSKg is trivial, we have that \(xk\leftarrow \{0,1\}^k\). As a result, the probability that \(xk=0^k\) is negligible. Therefore, NBP1/NBP2 security of \({\textsf {NE}}'\) is guaranteed by NBP1/NBP2 security of \({\textsf {NE}}\).

Now we show an adversary \(A=(A_1,A_2)\) attacking \({\textsf {NE}}'\) in the sense of IND-CDA. For simplicity, we assume that the message space is \(\{0,1\}^k\). \(A_1\) makes an \(\text {LR}(\cdot )\) query by submitting a message sampler \(\mathcal {M}\) (with \(\textsf {p}(k)=1\)), which is defined as follows:

  1. Set \(xk=0^k\).
  2. For any \(b\in \{0,1\}\), choose \(m_b\) uniformly at random from \(\{0,1\}^k\), conditioned on the last bit of \(m_b\) being b.
  3. Choose n uniformly at random from the nonce space \(\textsf {NE.NS}\).

Note that n is uniformly chosen from \(\textsf {NE.NS}\), and \(m_0,m_1\) are both uniformly chosen from \(\{0,1\}^{k-1}\). So adversary A is legitimate and has high min-entropy. After receiving the ciphertext \(c'=(c||0)\) from \(\text {LR}(\cdot )\), A returns the last bit of c as its final output. The advantage of A is obviously 1.

IND-CDA2 \(\nRightarrow \) NBP1/NBP2. Assume that there is an N-PKE scheme \({\textsf {NE}} = ({\textsf {NKg}}, {\textsf {NSKg}},\) \({\textsf {NEnc}}, {\textsf {NDec}})\), w.r.t. a nonce generator NG, achieving IND-CDA2 security and having negligible maximum public-key collision probability \(\textsf {maxpk}_{{\textsf {NE}}}\). Note that the requirement that \(\textsf {maxpk}_{{\textsf {NE}}}\) be negligible is very mild, since any IND-CPA secure PKE has negligible \(\textsf {maxpk}_{{\textsf {NE}}}\) [1]. Based on \({\textsf {NE}}\), we present a new N-PKE scheme \({\textsf {NE}}''= ({\textsf {NKg}}'', {\textsf {NSKg}}'', {\textsf {NEnc}}'', {\textsf {NDec}}'')\), w.r.t. the same NG, as shown in Fig. 4.

For any IND-CDA2 adversary \(A=(A_1,A_2)\), A does not receive pk until it has finished its \(\text {LR}(\cdot )\) queries. The negligible \(\textsf {maxpk}_{{\textsf {NE}}}\) guarantees that

$$\begin{aligned}&\max \limits _{i\in [|\mathbf m _0|]}{\text {Pr}}[(\mathbf m _0[i]=pk)\vee (\mathbf m _1[i]=pk):\mathcal {M}\text { is generated by} A_1^{\text {LR}},\\&~~~~~~~~~~~~~~(\mathbf m _0,\mathbf m _1,\mathbf{xk },\mathbf n )\leftarrow \mathcal {M}(1^k)] \end{aligned}$$

is negligible, where the probability is taken over \(A_1^{\text {LR}}\) and \((\mathbf m _0,\mathbf m _1,\mathbf{xk },\mathbf n )\) \(\leftarrow \mathcal {M}(1^k)\). Therefore, \(\textsf {NE}''\) is IND-CDA2 secure.

Note that in the game defining NBP1/NBP2 security, the adversary generates the challenge messages \((m_0,m_1)\) after seeing the public key. So we construct an NBP1/NBP2 adversary A as follows. Upon receiving pk, A sets \(m_0=pk\), chooses an arbitrary distinct \(m_1\) from the message space such that \(|m_1|=|m_0|\), and chooses an arbitrary valid nonce selector \(\eta \). Then A submits the generated \((m_0,m_1,\eta )\) to the encryption oracle \(\text {ENC}(\cdot )\). After receiving the ciphertext \(c''=(c||b)\), A returns b as its final output. The advantage of A is obviously 1.
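The two separations above can be checked mechanically. The following Python simulation is an added illustration, not code from the paper: since Fig. 4 is not reproduced here, it assumes a reading of the counterexamples consistent with the text (NEnc' outputs \(m||0\) when \(xk=0^k\) and \(c||1\) otherwise; NEnc'' appends a flag bit recording whether \(m=pk\)), and the underlying scheme NE is a toy stand-in (a hash-derived pad, not a secure scheme, and without decryption, which neither adversary needs by Remark 3). It runs the message sampler from Sect. 3.2 in the IND-CDA game against NE' and the public-key-dependent adversary in the NBP-style game against NE''.

```python
import os
import hashlib
import random

K = 16  # security parameter k in bytes (toy size chosen for this example)


def h(*parts: bytes) -> bytes:
    """Hash helper used by the toy stand-in scheme."""
    return hashlib.sha256(b"|".join(parts)).digest()


# --- toy stand-in for the underlying N-PKE scheme NE (encryption side only) ---
# Assumed placeholder: ciphertext = m XOR pad(pk, xk, n). It exists only so the
# wrappers NE' and NE'' can be exercised; it is NOT a secure scheme.
def nkg():
    sk = os.urandom(K)
    pk = h(b"pk", sk)[:K]  # public keys are distinct w.h.p. (negligible maxpk)
    return pk, sk


def nskg():
    """Trivial NSKg: a uniform seed from {0,1}^k."""
    return os.urandom(K)


def nenc(pk, xk, m, n):
    pad = h(b"pad", pk, xk, n)[:len(m)]
    return bytes(a ^ b for a, b in zip(m, pad))


# --- counterexample NE' (assumed reading of Fig. 4) ---
# Seed 0^k is hit with negligible probability by a trivial NSKg, so NBP1/NBP2
# security survives; but a sampler may choose xk = 0^k and then m leaks.
def nenc_prime(pk, xk, m, n):
    if xk == bytes(K):            # xk = 0^k
        return m + b"\x00"
    return nenc(pk, xk, m, n) + b"\x01"


# --- counterexample NE'' (assumed reading of Fig. 4) ---
# A trailing flag records whether the message equals the public key. An
# IND-CDA2 sampler never sees pk, so it hits pk with negligible probability.
def nenc_dprime(pk, xk, m, n):
    return nenc(pk, xk, m, n) + (b"\x00" if m == pk else b"\x01")


def sampler():
    """Message sampler M of Sect. 3.2 with p(k) = 1, returning (m0, m1, xk, n)."""
    xk = bytes(K)                                # 1. xk = 0^k
    m = [None, None]
    for b in (0, 1):                             # 2. m_b uniform, last bit = b
        r = bytearray(os.urandom(K))
        r[-1] = (r[-1] & 0xFE) | b
        m[b] = bytes(r)
    n = os.urandom(K)                            # 3. n uniform from NE.NS
    return m[0], m[1], xk, n


def ind_cda_game_ne_prime(trials=64):
    """IND-CDA game (no DEC oracle) against NE'; returns the fraction of correct guesses."""
    wins = 0
    for _ in range(trials):
        pk, _sk = nkg()
        b = random.getrandbits(1)
        m0, m1, xk, n = sampler()
        c_prime = nenc_prime(pk, xk, [m0, m1][b], n)   # c' = (c || 0)
        c = c_prime[:-1]
        guess = c[-1] & 1                               # A outputs the last bit of c
        wins += (guess == b)
    return wins / trials


def nbp_game_ne_dprime(trials=64):
    """NBP-style CPA game against NE''; the adversary sees pk first and sets m0 = pk."""
    wins = 0
    for _ in range(trials):
        pk, _sk = nkg()
        xk = nskg()
        b = random.getrandbits(1)
        m0 = pk
        m1 = bytes(x ^ 0xFF for x in pk)   # distinct message of the same length
        n = os.urandom(K)                  # nonce from an (assumed) unpredictable NG
        c_dprime = nenc_dprime(pk, xk, [m0, m1][b], n)   # c'' = (c || b)
        guess = c_dprime[-1]
        wins += (guess == b)
    return wins / trials


def advantage(win_rate):
    """Adv = 2 Pr[G] - 1, as in the definitions of Sect. 2."""
    return 2 * win_rate - 1
```

Both games return a win rate of 1.0, i.e. advantage 1, matching the claims in the text; the underlying toy NE plays no role in either attack, which is exactly why the separations hold for any underlying scheme.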

Formally, we have the following theorem.

Theorem 1

NBP1/NBP2 security and IND-CDA2 security do not imply each other.

Remark 3

The NBP1/NBP2 adversary against \(\textsf {NE}''\) above makes no decryption query. So we have in fact proved that IND-CDA2 security does not even imply the CPA version of NBP1/NBP2 security; hence our results also separate NBP1/NBP2 security from IND-CDA security.

3.3 The RSV Version of IND-CDA2 Security

In EUROCRYPT 2013, Raghunathan et al. [20] formalized another security notion for D-PKE, ACD-CPA/CCA security, which allows the adversary to adaptively choose message distributions after seeing the public key, subject to two restrictions: (1) the adversary has high min-entropy; (2) for each adversary, there is an a-priori upper bound \(2^{p(k)}\), for some fixed polynomial \(p(\cdot )\), on the number of message distributions from which it may adaptively choose. Raghunathan et al. [20] proposed a D-PKE scheme achieving ACD-CCA security in the standard model, based on a primitive called \(\mathcal {R}\)-lossy trapdoor function.

Since this is an important alternative security notion for D-PKE, and since, as far as we know, ACD-CCA security is neither weaker nor stronger than adaptive CCA security, we formalize an analogous version of IND-CDA2 security here, which we call the RSV version of IND-CDA2 security (RIND-CDA2).

Definition 3

(RSV message sampler for N-PKE). An RSV message sampler \(\mathcal {M}\) for N-PKE is a PPT algorithm taking \(1^k\) as input, and returning \((\mathbf {m} , \mathbf{{xk} }, \mathbf {n} )\leftarrow \mathcal {M}(1^k)\).

Definition 4

(Uniform message sampler with respect to \(\mathcal {M}\) ). For an RSV message sampler \(\mathcal {M}\) for N-PKE, a PPT algorithm \(\mathcal {U}\) is a uniform message sampler with respect to \(\mathcal {M}\) if for any message vector sampled by \(\mathcal {M}\) (i.e., \((\mathbf {m} , \mathbf {xk} , \mathbf {n} )\leftarrow \mathcal {M}(1^k)\)), \(\mathbf {m} _u\leftarrow \mathcal {U}(\mathcal {M},\mathbf {m} )\) is uniformly distributed over the same message space specified by \(\mathcal {M}\), such that \(|\mathbf {m} _u|=|\mathbf {m} |\) and \(|\mathbf {m} _u[i]|=|\mathbf {m} [i]|\) for any \(i\in [|\mathbf {m} |]\).

For any N-PKE scheme \({\textsf {NE}} = ({\textsf {NKg}}, {\textsf {NSKg}}, {\textsf {NEnc}},\) \({\textsf {NDec}})\) w.r.t. nonce generator NG, consider game \(\mathbf G ^{\text {rind-cda2}}_{{\textsf {NE}}, A}\) as shown in Fig. 5.

The adversary A in game \(\mathbf G ^{\text {rind-cda2}}_{{\textsf {NE}}, A}\) is legitimate, if for any \((\mathbf m , \mathbf{xk },\mathbf n )\) sampled by \(\mathcal {M}\) which is associated with some polynomial \(\textsf {p}(\cdot )\), the following two conditions hold: (i) \(|\mathbf m |=|\mathbf{xk }|=|\mathbf n |=\textsf {p}(k)\); (ii) \((\mathbf m [1],\mathbf{xk }[1],\) \(\mathbf n [1]), \cdots , (\mathbf m [\textsf {p}(k)],\mathbf{xk }[\textsf {p}(k)],\mathbf n [\textsf {p}(k)])\) are distinct.

Similar to that of Sect. 3.1, we have the guessing probabilities \(\text {Guess}_{A}(k)\) and \(\text {Guess}^{\text {b-s}}_{A}(k)\). We say that the RIND-CDA2 adversary A has high min-entropy (resp. high block-source min-entropy) if \(\text {Guess}_{A}(k)\) (resp. \(\text {Guess}^{\text {b-s}}_{A}(k)\)) is negligible.

For any given polynomial \(p(\cdot )\), we have the following definition.

Definition 5

( \(2^{p(k)}\) -bounded adversary). For any PPT legitimate adversary A having high min-entropy (resp. high block-source min-entropy) in game \(\mathbf G ^{\text {rind-cda2}}_{{\textsf {NE}}, A}\), let \(\mathcal {S}_{mg}\) be the set of message samplers which A may submit to the RoR oracle as a query with non-zero probability. A is a \(2^{p(k)}\)-bounded (resp. \(2^{p(k)}\)-bounded block-source) adversary if for every \(k\in \mathbb {N}\), \(|\mathcal {S}_{mg}|\le 2^{p(k)}\).

Definition 6

(RIND-CDA2). An N-PKE scheme \(\textsf {{NE}}\), w.r.t. nonce generator NG, is RIND-CDA2 secure (resp. block-source RIND-CDA2 secure) if for any \(2^{p(k)}\)-bounded (resp. \(2^{p(k)}\)-bounded block-source) adversary A, its advantage in game \(\mathbf G ^{\text {rind-cda2}}_{{\textsf {NE}}, A}\), defined in Fig. 5, is negligible.

Fig. 5. Game for defining RIND-CDA2 security of an N-PKE scheme NE, where \(\mathcal {U}\) is defined in Definition 4.

4 Construction of H-PKE in the Random Oracle Model

In EUROCRYPT 2016, Bellare and Tackmann [8] proposed an NBP1/NBP2 secure N-PKE scheme in the random oracle model. Their construction is based on a building block they introduced, the hedged extractor.

In this section, we show that the Bellare-Tackmann ROM construction actually achieves HN-IND security. We note, however, that this result does not extend to the generic hedged-extractor-based schemes of [8, Fig. 6] (see Remark 4).

First, we recall the N-PKE scheme RtP [8], w.r.t. a nonce generator NG. Let \({\textsf {PKE}} = ({\textsf {Kg}}, {\textsf {Enc}}, {\textsf {Dec}})\) be a traditional probabilistic PKE scheme with message space \(\textsf {MSP}\) and randomness space \(\mathcal {R}_{{\textsf {Enc}}}\), and let \(\textsf {RO}:\{0,1\}^*\rightarrow \mathcal {R}_{{\textsf {Enc}}}\) be a random oracle. The N-PKE scheme RtP is presented in Fig. 6.

Now we turn to security. It has been proved in [8] that RtP is NBP1/NBP2 secure, so what remains is to prove its IND-CDA2 security. Formally, we have the following theorem.

Theorem 2

If \(\textsf {{PKE}}\) is a traditional IND-CCA secure PKE scheme, then N-PKE scheme RtP, w.r.t. a nonce generator NG, is IND-CDA2 secure in the random oracle model.

Fig. 6. N-PKE scheme \({\textsf {RtP}} = ({\textsf {RKg}}, {\textsf {RSKg}}, {\textsf {REnc}}, {\textsf {RDec}})\).

Proof

For any legitimate PPT IND-CDA2 adversary A having high min-entropy, let \(q_r(k)\) (resp. \(q_l(k)\)) denote the number of random-oracle queries (resp. LR queries) of A.

Consider the sequence of games \(\mathbf G _0-\mathbf G _6\) in Figs. 7 and 8. In each game there is a random oracle RO which maintains a local array H, as shown in Fig. 7. Denote by \(\text {RO}_A\) the random-oracle interface of A. In games \(\mathbf G _4\) and \(\mathbf G _5\), the answers given to \(\text {RO}_A\) and the answers given to the LR oracle in reply to its RO queries are independent, so we introduce a second local array \(H_A\) for \(\text {RO}_A\). In game \(\mathbf G _6\), the LR oracle does not access RO at all, so we omit the procedure “On query RO” in Fig. 8. For convenience, the RO queries made by A through \(\text {RO}_A\) are called \(\text {RO}_A\) queries in this proof. Without loss of generality, we assume that in each game A does not repeat any \(\text {RO}_A\) query.

Now we explain the sequence of games.

Game \(\mathbf G _0\) implements game \(\mathbf G ^{\text {ind-cda2}}_{{\textsf {RtP}}, A}\). So we have

$$\begin{aligned} \mathbf{Adv }_{{\textsf {RtP}}, A}^{\text {ind-cda2}}(k)=2\text {Pr}[\mathbf G _0(k)]-1. \end{aligned}$$
(1)

In game \(\mathbf G _1\), we introduce two sets \(T_1\) and \(T_2\): \(T_1\) is the set of RO queries made by A (i.e., \(\text {RO}_A\) queries), and \(T_2\) is the set of RO queries made by the LR oracle. The changes made in \(\mathbf G _1\) do not affect the final output. Therefore,

$$\begin{aligned} \text {Pr}[\mathbf G _1(k)]=\text {Pr}[\mathbf G _0(k)]. \end{aligned}$$
(2)

Games \(\mathbf G _2\) and \(\mathbf G _1\) are identical-until-\(\textsf {bad}_1\). Denote by \(\text {Pr}[\textsf {bad}_1]\) the probability that \(\mathbf G _2\) sets \(\textsf {bad}_1\). According to the fundamental lemma of game-playing [7], we have that \(|\text {Pr}[\mathbf G _2(k)]-\text {Pr}[\mathbf G _1(k)]|\le \text {Pr}[\textsf {bad}_1].\)

Let \(\mathcal {M}'\), associated with some polynomial \(\textsf {p}(\cdot )\), denote the message sampler leading to \(\textsf {bad}_1\). Game \(\mathbf G _2\) sets \(\textsf {bad}_1\) only if A has made some \(\text {RO}_A\) query \((xk',m',n')\) beforehand such that, for this \(\mathcal {M}'\) and \((\mathbf m _0,\mathbf m _1, \mathbf{xk }, \mathbf n )\leftarrow \mathcal {M}'\), there are some \(b\in \{0,1\}\) and some \(i\in [|\mathbf n |]\) satisfying \((\mathbf{xk }[i], \mathbf m _b[i], \mathbf n [i])=(xk',m',n')\). Since A has high min-entropy, for any \(\text {RO}_A\) query \((xk',m',n')\), any \(\mathcal {M}'\), any \(b\in \{0,1\}\), and any \(i\in [\textsf {p}(k)]\),

$$\begin{aligned} \text {Pr}[(\mathbf{xk }[i], \mathbf m _b[i], \mathbf n [i])=(xk',m',n'):(\mathbf m _0,\mathbf m _1, \mathbf{xk }, \mathbf n )\leftarrow \mathcal {M}']\le \text {Guess}_{A}(k). \end{aligned}$$

In other words, for any \(\text {RO}_A\) query \((xk',m',n')\),

$$\begin{aligned}&\max \limits _{\mathcal {M}',b,i}{\text {Pr}}[(\mathbf{xk }[i], \mathbf m _b[i], \mathbf n [i])=(xk',m',n'):(\mathbf m _0,\mathbf m _1, \mathbf{xk }, \mathbf n )\leftarrow \mathcal {M}']\\\le & {} \text {Guess}_{A}(k). \end{aligned}$$

Notice that A makes \(q_r(k)\) random-oracle queries and \(q_l(k)\) LR queries in total, and each LR query yields \(2\textsf {p}(k)\) candidate tuples (two message vectors of length \(\textsf {p}(k)\)). A union bound over all of them gives \(\text {Pr}[\textsf {bad}_1]\le 2q_r(k)q_l(k)\textsf {p}(k)\text {Guess}_{A}(k).\) Therefore,

$$\begin{aligned} |\text {Pr}[\mathbf G _2(k)]-\text {Pr}[\mathbf G _1(k)]|\le \text {Pr}[\textsf {bad}_1]\le 2q_r(k)q_l(k)\textsf {p}(k)\text {Guess}_{A}(k). \end{aligned}$$
(3)
Fig. 7. Games \(\mathbf G _0-\mathbf G _5\) in the proof of Theorem 2. Boxed code is only executed in the games specified by the game names in the same box style.

Fig. 8. Game \(\mathbf G _6\) (left) and adversary B (right) in the proof of Theorem 2. Note that in this paper we extend the set membership notation to vectors, writing \(X\cup \mathbf x \) to mean \(X\cup \{\mathbf{x }{[}i{]}|i\in {[}|\mathbf{x }|{]}\}\).

Games \(\mathbf G _3\) and \(\mathbf G _2\) are identical-until-\(\textsf {bad}_2\). \(\mathbf G _3\) sets \(\textsf {bad}_2\) only if the current \(\text {RO}_A\) query \((xk',m',n')\) has previously been queried by the LR oracle. In game \(\mathbf G _3\), if \(\textsf {bad}_2\) is set, then \(H[xk',m',n']\) is overwritten with a random element of \(\mathcal {R}_{\textsf {Enc}}\). Denote by \(\text {Pr}[\textsf {bad}_2]\) the probability that \(\mathbf G _3\) sets \(\textsf {bad}_2\). Then we have \(|\text {Pr}[\mathbf G _3(k)]-\text {Pr}[\mathbf G _2(k)]|\le \text {Pr}[\textsf {bad}_2].\) In order to bound \(\text {Pr}[{\textsf {bad}}_2]\), we state the following lemma and postpone its proof.

Lemma 1

There is an IND-CCA adversary \(B_{upr}\) attacking \(\textsf {{PKE}}\) with advantage \(\mathbf{Adv }_{{\textsf {PKE}}, B_{upr}}^{\text {ind-cca}}(k)\), such that

$$\begin{aligned} \text {Pr}[{\textsf {bad}}_2]\le 2\mathbf{Adv }_{{\textsf {PKE}}, B_{upr}}^{\text {ind-cca}}(k) +(q_r(k)+\frac{q_l(k)\textsf {p}(k)-1}{2})q_l(k)\textsf {p}(k)\text {Guess}_{A}(k). \end{aligned}$$

It follows that

$$\begin{aligned}&|\text {Pr}[\mathbf G _3(k)]-\text {Pr}[\mathbf G _2(k)]|\nonumber \\\le & {} 2\mathbf{Adv }_{{\textsf {PKE}}, B_{upr}}^{\text {ind-cca}}(k) +(q_r(k)+\frac{q_l(k){\textsf {p}}(k)-1}{2})q_l(k){\textsf {p}}(k)\text {Guess}_{A}(k).~~~~~~~ \end{aligned}$$
(4)

Note that in game \(\mathbf G _3\), the oracle answers of \(\text {RO}_A\) and the answers given to the LR oracle in reply to its RO queries are independent. Therefore, game \(\mathbf G _4\) is a simplified version of \(\mathbf G _3\), which implies that

$$\begin{aligned} \text {Pr}[\mathbf G _4(k)]=\text {Pr}[\mathbf G _3(k)]. \end{aligned}$$
(5)

Games \(\mathbf G _5\) and \(\mathbf G _4\) are identical-until-\(\textsf {bad}_3\). As before, denote by \(\text {Pr}[\textsf {bad}_3]\) the probability that \(\mathbf G _5\) sets \(\textsf {bad}_3\); then \(|\text {Pr}[\mathbf G _5(k)]-\text {Pr}[\mathbf G _4(k)]|\le \text {Pr}[\textsf {bad}_3].\) \(\mathbf G _5\) sets \(\textsf {bad}_3\) only if some tuple \((xk',m',n')\) has been queried by the LR oracle at least twice. Since A has high min-entropy, for any \((xk',m',n')\in T_2\), any \(\mathcal {M}\) queried by A, any \(b\in \{0,1\}\), and any \(i\in [\textsf {p}(k)]\), \(\text {Pr}[(\mathbf{xk }[i], \mathbf m _b[i], \mathbf n [i])=(xk',m',n'):(\mathbf m _0,\mathbf m _1, \mathbf{xk }, \mathbf n )\) \(\leftarrow \mathcal {M}]\le \text {Guess}_{A}(k)\) is negligible. Notice that A makes \(q_l(k)\) LR queries in total, and for each LR query \(\mathcal {M}\) the LR oracle makes \(\textsf {p}(k)\) RO queries, so a union bound over the \(\binom{q_l(k)\textsf {p}(k)}{2}\) pairs of LR-oracle RO queries gives \(\text {Pr}[\textsf {bad}_3]\le \frac{q_l(k)\textsf {p}(k)(q_l(k)\textsf {p}(k)-1)}{2}\text {Guess}_{A}(k).\) Therefore,

$$\begin{aligned} |\text {Pr}[\mathbf G _5(k)]-\text {Pr}[\mathbf G _4(k)]|\le \frac{q_l(k)\textsf {p}(k)(q_l(k)\textsf {p}(k)-1)}{2}\text {Guess}_{A}(k). \end{aligned}$$
(6)

Note that in game \(\mathbf G _5\), both \(T_1\) and \(T_2\) are useless, and the vector \(\mathbf r \) generated by the LR oracle is truly random from A’s point of view. Therefore, game \(\mathbf G _6\) is a simplified version of \(\mathbf G _5\), which implies that

$$\begin{aligned} \text {Pr}[\mathbf G _6(k)]=\text {Pr}[\mathbf G _5(k)]. \end{aligned}$$
(7)

Next, we construct an IND-CCA adversary B attacking PKE as shown in Fig. 8. To distinguish B’s own decryption oracle (in the sense of IND-CCA) from A’s decryption oracle (in the sense of IND-CDA2), we denote by \(\text {DEC}_B\) (resp. \(\text {ENC}_B\)) B’s decryption (resp. encryption) oracle. B uses \(\text {ENC}_B\) to answer A’s LR queries and \(\text {DEC}_B\) to answer A’s decryption queries. B perfectly simulates game \(\mathbf G _6\) for A, and B wins game \(\mathbf G ^{\text {ind-cca}}_{{\textsf {PKE}}, B}\) if and only if A wins game \(\mathbf G _6\). Hence,

$$\begin{aligned} \text {Pr}[\mathbf G ^{\text {ind-cca}}_{{\textsf {PKE}}, B}(k)]=\text {Pr}[\mathbf G _6(k)]. \end{aligned}$$
(8)

Combining Eqs. (1)-(8), we derive that

$$\begin{aligned} \mathbf{Adv }_{{\textsf {RtP}}, A}^{\text {ind-cda2}}(k)\le & {} \mathbf{Adv }_{{\textsf {PKE}}, B}^{\text {ind-cca}}(k)+4\mathbf{Adv }_{{\textsf {PKE}}, B_{upr}}^{\text {ind-cca}}(k)\\&~~+(6q_r(k)+2q_l(k)\textsf {p}(k)-2)q_l(k)\textsf {p}(k)\text {Guess}_A(k). \end{aligned}$$
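The combination of Eqs. (1)-(8) is a telescoping sum; written out (added here for readability, it uses nothing beyond the bounds (2)-(8) above), it reads

$$\begin{aligned}&\big |\text {Pr}[\mathbf G _0(k)]-\text {Pr}[\mathbf G ^{\text {ind-cca}}_{{\textsf {PKE}}, B}(k)]\big | \le \sum _{j=0}^{5}\big |\text {Pr}[\mathbf G _{j+1}(k)]-\text {Pr}[\mathbf G _{j}(k)]\big |\\&\quad \le 2\mathbf{Adv }_{{\textsf {PKE}}, B_{upr}}^{\text {ind-cca}}(k) +\Big (2q_r(k)+q_r(k)+\frac{q_l(k)\textsf {p}(k)-1}{2}+\frac{q_l(k)\textsf {p}(k)-1}{2}\Big )q_l(k)\textsf {p}(k)\text {Guess}_{A}(k)\\&\quad = 2\mathbf{Adv }_{{\textsf {PKE}}, B_{upr}}^{\text {ind-cca}}(k) +(3q_r(k)+q_l(k)\textsf {p}(k)-1)q_l(k)\textsf {p}(k)\text {Guess}_{A}(k), \end{aligned}$$

where the three \(\text {Guess}_{A}(k)\) terms come from (3), (4) and (6), the \(\mathbf{Adv }\) term from (4), and (2), (5), (7), (8) contribute zero. Substituting into (1), i.e. \(\mathbf{Adv }_{{\textsf {RtP}}, A}^{\text {ind-cda2}}(k)=2\text {Pr}[\mathbf G _0(k)]-1\), and using \(\mathbf{Adv }_{{\textsf {PKE}}, B}^{\text {ind-cca}}(k)=2\text {Pr}[\mathbf G ^{\text {ind-cca}}_{{\textsf {PKE}}, B}(k)]-1\) doubles every term of the last line and yields the stated bound.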

We now give the postponed proof of Lemma 1.

Proof

(of Lemma 1 ). We say that “\(\mathbf G _4\) sets \({\textsf {bad}}_2\)” (resp. “\(\mathbf G _5\) sets \({\textsf {bad}}_2\)”) if A submits an \(\text {RO}_A\) query \((xk',m',n')\), such that \((xk',m',n')\in T_2\), in \(\mathbf G _4\) (resp. \(\mathbf G _5\)).

Since \(\mathbf G _4\) is a simplified version of \(\mathbf G _3\), and \(\mathbf G _5\) and \(\mathbf G _4\) are identical-until-\(\textsf {bad}_3\),

$$\begin{aligned}&\text {Pr}[{\textsf {bad}}_2]= \text {Pr}[\mathbf G _4 ~\text {sets}~ {\textsf {bad}}_2]\le \text {Pr}[\mathbf G _5 ~\text {sets}~ \textsf {bad}_2]+\text {Pr}[\textsf {bad}_3]\nonumber \\\le & {} \text {Pr}[\mathbf G _5 ~\text {sets}~ {\textsf {bad}}_2]+\frac{q_l(k)\textsf {p}(k)(q_l(k)\textsf {p}(k)-1)}{2}\text {Guess}_{A}(k). \end{aligned}$$
(9)

To bound \(\text {Pr}[\mathbf G _5 ~\text {sets}~ {\textsf {bad}}_2]\), we consider an IND-CCA adversary \(B_{upr}\) as shown in Fig. 9. Similarly, denote by \(\text {ENC}_{B_{upr}}\) (resp. \(\text {DEC}_{B_{upr}}\)) \(B_{upr}\)’s encryption (resp. decryption) oracle in the sense of IND-CCA. Let \(\widetilde{b}\) be the challenge bit in game \(\mathbf G ^{\text {ind-cca}}_{{\textsf {PKE}}, B_{upr}}\). Denote by \(\mathbf G ^{\text {sim}}_{B_{upr},A}\) the game simulated by \(B_{upr}\) for A (as shown in Fig. 9). \(B_{upr}\)’s advantage is as follows.

$$\begin{aligned}&\mathbf{Adv }_{{\textsf {PKE}}, B_{upr}}^{\text {ind-cca}}(k)=2\text {Pr}[\mathbf G ^{\text {ind-cca}}_{{\textsf {PKE}}, B_{upr}}(k)]-1 =2\text {Pr}[b^*=\widetilde{b}]-1 \end{aligned}$$
(10)
$$\begin{aligned}= & {} 2(\text {Pr}[b^*=\widetilde{b}\mid \widetilde{b}=a]\text {Pr}[\widetilde{b}=a]+ \text {Pr}[b^*=\widetilde{b}\mid \widetilde{b}\ne a]\text {Pr}[\widetilde{b}\ne a])-1~~~~~~~~~~ \end{aligned}$$
(11)
$$\begin{aligned}= & {} \text {Pr}[b^*=\widetilde{b}\mid \widetilde{b}=a]+ \text {Pr}[b^*=\widetilde{b}\mid \widetilde{b}\ne a]-1 \end{aligned}$$
(12)

Equations (10)-(11) are trivial. Since a is chosen uniformly at random from \(\{0,1\}\), \(\text {Pr}[\widetilde{b}=a]=\text {Pr}[\widetilde{b}\ne a]=\frac{1}{2}\). This justifies Eq. (12).

For \(\text {Pr}[b^*=\widetilde{b}\mid \widetilde{b}=a]\), we have the following equations.

$$\begin{aligned}&\text {Pr}[b^*=\widetilde{b}\mid \widetilde{b}=a]\nonumber&\\ =&\,\text {Pr}[b^*=\widetilde{b}\mid (\widetilde{b}=a)\wedge (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)]\text {Pr}[\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2\mid \widetilde{b}= a]\nonumber&\\&\quad +\text {Pr}[b^*=\widetilde{b}\mid (\widetilde{b}=a)\wedge \lnot (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)]\nonumber&\\&\qquad \qquad \qquad \qquad \cdot \text {Pr}[\lnot (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)\mid \widetilde{b}= a]&\\ \nonumber \end{aligned}$$
(13)
$$\begin{aligned} =&\,\text {Pr}[\mathbf G _5 ~\text {sets}~ {\textsf {bad}}_2]+\frac{1}{2}\text {Pr}[\lnot (\mathbf G _5 ~\text {sets}~ {\textsf {bad}}_2)]&\end{aligned}$$
(14)
$$\begin{aligned} =&\,\frac{1}{2}\text {Pr}[\mathbf G _5 ~\text {sets}~ {\textsf {bad}}_2]+\frac{1}{2}.&\end{aligned}$$
(15)

Equation (13) is trivial. We notice that when \(\widetilde{b}=a\), the simulated game \(\mathbf G ^{\text {sim}}_{B_{upr},A}\) is the same as \(\mathbf G _5\) from A’s point of view, so we have \(\text {Pr}[\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2\mid \widetilde{b}=a]=\text {Pr}[\mathbf G _5 ~\text {sets}~ {\textsf {bad}}_2]\). We also note that if \(\mathbf G ^{\text {sim}}_{B_{upr},A}\) sets \({\textsf {bad}}_2\), then \(B_{upr}\) outputs \(b^*=a\), otherwise \(B_{upr}\) outputs \(b^*\leftarrow \{0,1\}\). Therefore, \(\text {Pr}[b^*=\widetilde{b}\mid (\widetilde{b}=a)\wedge (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)]=1\) and \(\text {Pr}[b^*=\widetilde{b}\mid (\widetilde{b}=a)\wedge \lnot (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)]=\frac{1}{2}\). This justifies Eq. (14). Equation (15) is because \(\text {Pr}[\lnot (\mathbf G _5 ~\text {sets}~ {\textsf {bad}}_2)]=1-\text {Pr}[\mathbf G _5 ~\text {sets}~ {\textsf {bad}}_2]\).

With similar analysis, for \(\text {Pr}[b^*=\widetilde{b}\mid \widetilde{b}\ne a]\), we have the following equations.

$$\begin{aligned}&\text {Pr}[b^*=\widetilde{b}\mid \widetilde{b}\ne a]\nonumber \\= & {} \text {Pr}[b^*=\widetilde{b}\mid (\widetilde{b}\ne a)\wedge (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)]\text {Pr}[\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2\mid \widetilde{b}\ne a]\nonumber \\&\quad +\text {Pr}[b^*=\widetilde{b}\mid (\widetilde{b}\ne a)\wedge \lnot (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)]\nonumber \\&\qquad \qquad \qquad \qquad \qquad \,\, \cdot \text {Pr}[\lnot (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)\mid \widetilde{b}\ne a]\end{aligned}$$
(16)
$$\begin{aligned}= & {} 0+\frac{1}{2}\text {Pr}[\lnot (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)\mid \widetilde{b}\ne a]\end{aligned}$$
(17)
$$\begin{aligned}= & {} \frac{1}{2}(1-\text {Pr}[\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2\mid \widetilde{b}\ne a])\end{aligned}$$
(18)
$$\begin{aligned}\ge & {} \frac{1}{2}(1-q_l(k)q_r(k)\textsf {p}(k)\text {Guess}_A(k)). \end{aligned}$$
(19)

Equation (16) is trivial. Since \(B_{upr}\) outputs \(b^*=a\) when \(\mathbf G ^{\text {sim}}_{B_{upr},A}\) sets \({\textsf {bad}}_2\), we have \(\text {Pr}[b^*=\widetilde{b}\mid (\widetilde{b}\ne a)\wedge (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)]=0\); and since \(B_{upr}\) outputs \(b^*\leftarrow \{0,1\}\) when \(\mathbf G ^{\text {sim}}_{B_{upr},A}\) does not set \({\textsf {bad}}_2\), we have \(\text {Pr}[b^*=\widetilde{b}\mid (\widetilde{b}\ne a)\wedge \lnot (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)]=\frac{1}{2}\). This justifies Eq. (17). Equation (18) holds because \(\text {Pr}[\lnot (\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2)\mid \widetilde{b}\ne a]=1-\text {Pr}[\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2\mid \widetilde{b}\ne a]\). Notice that \(\widetilde{b}\ne a\) implies \(\widetilde{b}=1-a\), i.e., the challenge ciphertext vectors A receives are encryptions of uniformly random message vectors, and thus carry no information about any \(\mathbf m _a\). Besides, in the simulated game \(\mathbf G ^{\text {sim}}_{B_{upr},A}\), the answers (of \(\text {RO}_A\), the LR oracle, and the decryption oracle) given to A carry no information about the \(\mathbf{xk }\) and \(\mathbf n \) sampled by the LR oracle. Therefore, for any tuple \((\mathbf m _0,\mathbf m _1,\mathbf{xk },\mathbf n )\leftarrow \mathcal {M}\) sampled by the LR oracle in game \(\mathbf G ^{\text {sim}}_{B_{upr},A}\), A has no additional information about any element of \(\{(\mathbf{xk }[i],\mathbf m _b[i],\mathbf n [i])\mid i\in [\textsf {p}(k)], b\in \{0,1\}\}\).
Recall that \(\mathbf G ^{\text {sim}}_{B_{upr},A}\) sets \({\textsf {bad}}_2\) only if A succeeds in guessing some element in \(\{(\mathbf{xk }[i],\mathbf m _a[i],\mathbf n [i])\mid i\in [\textsf {p}(k)]\}\) for some \((\mathbf m _0,\mathbf m _1,\mathbf{xk },\mathbf n )\leftarrow \mathcal {M}\) sampled by the LR oracle and the a sampled by \(B_{upr}\). Notice that the total number of random-oracle (resp. LR-oracle) queries of A is \(q_r(k)\) (resp. \(q_l(k)\)). So we derive that \(\text {Pr}[\mathbf G ^{\text {sim}}_{B_{upr},A} ~\text {sets}~ {\textsf {bad}}_2\mid \widetilde{b}\ne a]\le q_l(k)q_r(k)\textsf {p}(k)\text {Guess}_A(k)\). We have justified Eq. (19).

Combining Eqs. (12), (15) and (19), we derive that

$$\begin{aligned} \mathbf{Adv }_{{\textsf {PKE}}, B_{upr}}^{\text {ind-cca}}(k)\ge \frac{1}{2}(\text {Pr}[\mathbf G _5 ~\text {sets}~ {\textsf {bad}}_2]-q_l(k)q_r(k)\textsf {p}(k)\text {Guess}_A(k)).~~ \end{aligned}$$
(20)

Hence,

$$\begin{aligned} \text {Pr}[\mathbf G _5 ~\text {sets}~ {\textsf {bad}}_2]\le 2\mathbf{Adv }_{{\textsf {PKE}}, B_{upr}}^{\text {ind-cca}}(k)+q_l(k)q_r(k)\textsf {p}(k)\text {Guess}_A(k).~~~~~~ \end{aligned}$$
(21)

Combining Eqs. (9) and (21), we obtain that

$$\begin{aligned} \text {Pr}[{\textsf {bad}}_2]\le 2\mathbf{Adv }_{{\textsf {PKE}}, B_{upr}}^{\text {ind-cca}}(k)\nonumber +(q_r(k)+\frac{q_l(k)\textsf {p}(k)-1}{2})q_l(k)\textsf {p}(k)\text {Guess}_{A}(k). \end{aligned}$$

   \(\square \)

Remark 4

The N-PKE scheme RtP is a special case of the ROM scheme NPE in [8, Fig. 6], but the original, generic ROM scheme NPE of [8, Fig. 6] does not seem to achieve IND-CDA2 security, for the following reason. In [8], the security of NPE rests on the IND-CCA security of the traditional PKE scheme together with the prf security and the ror security (both defined in [8]) of their building block, the hedged extractor. The prf security covers the case that the seed is random and confidential, and the ror security covers the case that the nonces are unpredictable. In other words, the hedged extractor is only required to be secure when either the seed or the nonces have high entropy, whereas IND-CDA2 security of N-PKE must hold as soon as the seeds, messages and nonces jointly have high min-entropy.

With respect to RIND-CDA2 security, a similar argument gives the following corollary.

Corollary 1

If \(\textsf {{PKE}}\) is a traditional IND-CCA secure PKE scheme, then N-PKE scheme RtP, w.r.t. a nonce generator NG, is RIND-CDA2 secure in the random oracle model.

Fig. 9. Adversary \(B_{upr}\) (left) and game \(\mathbf G ^{\text {sim}}_{B_{upr},A}\) (right) in the proof of Lemma 1.

5 Construction of H-PKE in the Standard Model

Generic construction. Let \({\textsf {NE}} = ({\textsf {NKg}}, {\textsf {NSKg}}, {\textsf {NEnc}}, {\textsf {NDec}})\) be an N-PKE scheme, w.r.t. a nonce generator NG. Let \({\textsf {DE}} = ({\textsf {DKg}}, {\textsf {DEnc}}, {\textsf {DDec}})\) be a D-PKE scheme. Recall the transform Nonce-then-Deterministic \(\textsf {NtD}\) \(=(\textsf {NDKg}, \textsf {NDSKg},\textsf {NDEnc},\textsf {NDDec})\) proposed in [16] as shown in Fig. 10.

Fig. 10. N-PKE scheme \({\textsf {NtD}} = ({\textsf {NDKg}}, {\textsf {NDSKg}}, {\textsf {NDEnc}}, {\textsf {NDDec}})\).

In [16], Hoang et al. considered the SOA security of \({\textsf {NtD}}\), showing that if \({\textsf {NE}}\) is N-SO-CPA (resp. N-SO-CCA) secure and \({\textsf {DE}}\) is D-SO-CPA (resp. D-SO-CCA and unique-ciphertext) secure, then \({\textsf {NtD}}\) is HN-SO-CPA (resp. HN-SO-CCA) secure. The HN-SOA security notions formalized in [16] are non-adaptive. Therefore, the HN-SO-CCA security of [16] does not imply our HN-IND security.

In this section, we point out that \({\textsf {NtD}}\) also applies to the HN-IND setting. Specifically, we assume \({\textsf {NE}}\) is NBP1 and NBP2 secure, and \({\textsf {DE}}\) is adaptively CCA secure and unique-ciphertext. Additionally, we require that NE is entropy-preserving, which is a property of N-PKE formalized by Hoang et al. [16].

Denote by \(\textsf {Entrp}_{\textsf {NE}}(\theta (k))\) the conditional min-entropy of \(\textsf {NEnc}(pk_n,xk,m,n)\) given X, where X is a random variable such that the conditional min-entropy of (xk, m, n) given X is at least \(\theta (k)\), and \((pk_n,sk_n)\leftarrow \textsf {NKg}(1^k)\) is independent of (xk, m, n, X). \(\textsf {NE}\) is called entropy-preserving if, for any \(\theta (k)\) such that \(2^{-\theta (k)}\) is negligible, \(2^{-\textsf {Entrp}_{\textsf {NE}}(\theta (k))}\) is also negligible.
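To make the two transforms concrete, the following Python program is an added example (it is not code from this paper, nor from [8] or [16]) that instantiates RtP from Sect. 4 and NtD from this section side by side. Everything in it is an assumption made for illustration: the traditional PKE is hashed ElGamal over a freshly generated 64-bit safe prime, which is only IND-CPA and far too small to be secure, whereas Theorems 2 and 3 need CCA-secure components; the random oracle is SHA-256; the D-PKE is a deterministic encrypt-with-hash scheme; and the shapes of RtP and NtD follow the textual descriptions above rather than Figs. 6 and 10, which are not reproduced here. What it checks are the properties the proofs lean on: repeating (xk, m, n) under RtP repeats the ciphertext (so the min-entropy of the triple is what protects the message), a fresh nonce gives fresh coins, NtD is deterministic given the seed, and the re-encryption check in DDec rejects non-canonical ciphertexts, which is the unique-ciphertext property the NBP1 proof of Theorem 3 uses to map A’s decryption queries onto those of \(B_{nbp1}\).

```python
"""Toy RtP (Sect. 4) and NtD (Sect. 5): an added example, not code from the paper, [8] or [16].
Assumed for illustration: PKE = hashed ElGamal over a freshly generated 64-bit safe prime (only
IND-CPA and far too small to be secure; Theorem 2 needs IND-CCA), used just to give Enc(pk, m; r)
explicit coins r in [1, q-1]; RO = SHA-256 over length-prefixed input, reduced into the coin
space; DE = encrypt-with-hash D-PKE whose DDec re-encrypts and rejects non-canonical ciphertexts
(that check is what makes it unique-ciphertext).  Figs. 6 and 10 are not reproduced here."""
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic MR bases for n < 2^64

def is_prime(n):
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:                                   # one Miller-Rabin round per base
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    while True:                                       # p = 2q + 1 with q and p both prime
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1

P = safe_prime(64)
Q, G, NB = (P - 1) // 2, 4, 8                         # g = 4 is a square, hence of order q

def ro(*parts):
    """Random oracle RO: {0,1}* -> R_Enc = [1, q-1]."""
    h = hashlib.sha256()
    for x in parts:
        h.update(len(x).to_bytes(4, "big") + x)      # length prefix: (xk, m, n) stays unambiguous
    return 1 + int.from_bytes(h.digest(), "big") % (Q - 1)

def pad(shared, n):
    return hashlib.shake_256(shared.to_bytes(NB, "big")).digest(n)

# Traditional PKE with explicit coins, Enc(pk, m; r): toy hashed ElGamal.
def kg():
    sk = 1 + secrets.randbelow(Q - 1)
    return pow(G, sk, P), sk

def enc(pk, m, r):
    mask = pad(pow(pk, r, P), len(m))
    return pow(G, r, P).to_bytes(NB, "big") + bytes(a ^ b for a, b in zip(m, mask))

def dec(sk, c):
    mask = pad(pow(int.from_bytes(c[:NB], "big"), sk, P), len(c) - NB)
    return bytes(a ^ b for a, b in zip(c[NB:], mask))

# RtP: the coins are RO(xk, m, n) instead of fresh randomness; RKg is kg(), RDec is dec().
def rtp_enc(pk, xk, m, n):
    return enc(pk, m, ro(xk, m, n))

# DE: deterministic encrypt-with-hash, made unique-ciphertext by a re-encryption check.
def denc(pk, y):
    return enc(pk, y, ro(pk.to_bytes(NB, "big"), y))

def ddec(sk, c):
    y = dec(sk, c)
    return y if denc(pow(G, sk, P), y) == c else None  # reject non-canonical ciphertexts

# NtD: NDEnc((pk_n, pk_d), xk, m, n) = DEnc(pk_d, NEnc(pk_n, xk, m, n)); NDDec undoes both.
def ntd_kg():
    (pk_n, sk_n), (pk_d, sk_d) = kg(), kg()
    return (pk_n, pk_d), (sk_n, sk_d)

def ntd_enc(pk, xk, m, n):
    return denc(pk[1], rtp_enc(pk[0], xk, m, n))

def ntd_dec(sk, c):
    y = ddec(sk[1], c)
    return None if y is None else dec(sk[0], y)

def demo():
    """The properties the proofs lean on, checked on constructed inputs."""
    m, n1, n2 = b"attack at dawn", b"nonce-1", b"nonce-2"
    xk = secrets.token_bytes(16)                      # the sender's seed (NSKg)
    pk, sk = kg()
    c_a, c_b, c_c = (rtp_enc(pk, xk, m, n) for n in (n1, n1, n2))
    pk2, sk2 = ntd_kg()
    d = ntd_enc(pk2, xk, m, n1)
    mauled = d[:-1] + bytes([d[-1] ^ 1])
    return {
        "rtp_correct": dec(sk, c_a) == m,
        "rtp_repeat_same_ct": c_a == c_b,             # repeating (xk, m, n) repeats the ciphertext
        "rtp_nonce_fresh_ct": c_a != c_c,             # a fresh nonce gives fresh coins
        "ntd_correct": ntd_dec(sk2, d) == m,
        "ntd_deterministic": ntd_enc(pk2, xk, m, n1) == d,
        "ntd_rejects_mauled": ntd_dec(sk2, mauled) is None,
    }
```

Running `demo()` returns a dictionary in which every entry is `True`. The re-encryption check in `ddec` is the part worth noticing: without it, many ciphertexts decrypt to the same y, and the unique-ciphertext argument in the proof of Theorem 3 (that a decryption query whose inner part is a challenge ciphertext must itself be a challenge ciphertext) would not go through.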

Formally, we have the following theorem.

Theorem 3

For an NBP1, NBP2 secure and entropy-preserving N-PKE scheme \(\textsf {{NE}}\) and a D-PKE scheme \(\textsf {{DE}}\), let \(\textsf {{NtD}}\) be an N-PKE scheme defined in Fig. 10.

(i) If \(\textsf {{DE}}\) is adaptively CCA secure and unique-ciphertext, then \(\textsf {{NtD}}\) is HN-IND secure.

(ii) If \(\textsf {{DE}}\) is ACD-CCA secure and unique-ciphertext, then \(\textsf {{NtD}}\) is RSV-version HN-IND secure.

Proof

Firstly, we prove that \(\textsf {NtD}\) is NBP1 secure. The proof of NBP2 security is similar, which we will omit here.

For any NBP1 adversary A attacking \(\textsf {NtD}\), we present an NBP1 adversary \(B_{nbp1}\) attacking NE as shown in Fig. 11. Denote by \(\text {ENC}_{B}\) (resp. \(\text {DEC}_{B}\)) \(B_{nbp1}\)’s encryption (resp. decryption) oracle in the sense of NBP1. Note that DE is unique-ciphertext. As a result, for any decryption query \(c'\) of A, if \(y'\leftarrow \textsf {DDec}(sk_d,c')\) is one of the challenge ciphertexts \(B_{nbp1}\) received, then \(c'\) is also one of the challenge ciphertexts A received. Thus the DEC oracle simulated by \(B_{nbp1}\) is identical to the real DEC oracle in game \(\mathbf G _{{\textsf {NtD}}, A}^{\text {nbp1}}\). It is easy to see that the ENC oracle simulated by \(B_{nbp1}\) is identical to the real ENC oracle of A. Therefore, \(B_{nbp1}\) perfectly simulates game \(\mathbf G _{{\textsf {NtD}}, A}^{\text {nbp1}}\) for A, and \(B_{nbp1}\) wins game \(\mathbf G _{{\textsf {NE}}, B_{nbp1}}^{\text {nbp1}}\) if and only if A wins \(\mathbf G _{{\textsf {NtD}}, A}^{\text {nbp1}}\). So we derive that \(\mathbf{Adv }_{{\textsf {NtD}}, A}^{\text {nbp1}}(k)=\mathbf{Adv }_{{\textsf {NE}}, B_{nbp1}}^{\text {nbp1}}(k)\).

Fig. 11. Adversary \(B_{nbp1}\) (top) and adversary B (bottom) in the proof of Theorem 3.

Next, we show that \(\textsf {NtD}\) is IND-CDA2 secure. We call a PPT algorithm \(\textsf {MST}_{\text {n-d}}\) a message sampler transformer from N-PKE to D-PKE if it takes a message sampler for N-PKE (and some state information) as input and acts as a message sampler for D-PKE (see Fig. 11). For any legitimate PPT IND-CDA2 adversary A having high min-entropy, we construct an \(\textsf {MST}_{\text {n-d}}\) and an adaptively CCA adversary \(B=(B_1,B_2)\) attacking DE as shown in Fig. 11. As before, denote by \(\text {ENC}_{B}\) (resp. \(\text {DEC}_{B}\)) B’s encryption (resp. decryption) oracle in the sense of adaptive CCA. B perfectly simulates game \(\mathbf G _{{\textsf {NtD}}, A}^{\text {ind-cda2}}\) for A. Since NE is entropy-preserving, the construction of \(\textsf {MST}_{\text {n-d}}\) guarantees that B is legitimate and has high min-entropy. Note that B wins game \(\mathbf G _{{\textsf {DE}}, B}^{\text {cca}}\) if and only if A wins \(\mathbf G _{{\textsf {NtD}}, A}^{\text {ind-cda2}}\). So we derive that \(\mathbf{Adv }_{{\textsf {NtD}}, A}^{\text {ind-cda2}}(k)=\mathbf{Adv }_{{\textsf {DE}}, B}^{\text {cca}}(k)\).

With similar techniques, we can prove the RIND-CDA2 security of \(\textsf {NtD}\).    \(\square \)

Remark 5

Theorem 3 applies to both the ROM constructions and the standard-model constructions.

Concrete constructions. According to Theorem 3, let NE be the NBP1 and NBP2 secure standard-model construction proposed in [8], and DE be the ACD-CCA secure standard-model construction proposed in [20], then we obtain an RSV-version HN-IND secure N-PKE scheme \(\textsf {NtD}\) in the standard model.

Now we turn to the HN-IND security of \(\textsf {NtD}\). According to Theorem 3, what remains is to construct a (unique-ciphertext) standard-model D-PKE scheme achieving adaptive CCA security. Considering IND-CDA2 security in the setting of H-PKE instead of N-PKE, if the length of the randomness is zero (i.e., \(|\mathbf r [i]|=0\) for all \(i\in [\textsf {p}(k)]\)), then IND-CDA2 security becomes exactly adaptive CCA security for D-PKE. Therefore, constructing an IND-CDA2 secure N-PKE scheme in the standard model is at least as hard as constructing a fully adaptively CCA secure D-PKE scheme in the standard model. To the best of our knowledge, the latter is still an open problem. On the other hand, Theorem 3 shows that as soon as an adaptively CCA secure (and unique-ciphertext) standard-model D-PKE scheme is constructed, we obtain an N-PKE scheme achieving HN-IND security in the standard model.

Some notes on adaptively CCA secure D-PKE. Recall that Bellare et al. [2] obtained an adaptively IND secure D-PKE scheme by showing that any PKE scheme achieving a special anonymity notion (the ANON security of [2]) together with non-adaptive IND-CDA security achieves (adaptive) IND-CDA security. Although this result cannot be used directly to obtain an adaptively CCA secure D-PKE scheme, we note that it transfers to the setting of N-PKE under CCA attacks. For completeness, we present the transform in Appendix A.

More specifically, in Appendix A we formalize the notion of ANON-CCA security for N-PKE, and show that if an N-PKE scheme achieves non-adaptive IND-CDA (not IND-CDA2) and ANON-CCA security, then it achieves IND-CDA2 security. We note that very recently Boldyreva et al. [10] showed a similar result (for general PKE), but their ANON-CCA security is stronger than ours (informally, their adversary can make decryption queries under two secret keys). More importantly, their conclusion, stated informally in the notation of this paper, is “\(\text {non-adaptive IND-CDA2}+\text {stronger ANON-CCA}\Rightarrow \text {IND-CDA2}\)”. Our conclusion shows that the same result can be obtained under weaker assumptions.