Fuyuki Kitagawa

On the Key Dependent Message Security of the Fujisaki-Okamoto Constructions

In PKC 1999, Fujisaki and Okamoto showed how to convert any public key encryption PKE scheme secure against chosen plaintext attacks CPA to a PKE scheme which is secure against chosen ciphertext attacks CCA in the random oracle model. Surprisingly, the resulting CCA secure scheme has almost the same efficiency as the underlying CPA secure scheme. Moreover, in J. Cryptology 2013, they proposed more efficient conversion by using the hybrid encryption framework. In this work, we clarify whether these two constructions are also secure in the sense of key dependent message security against chosen ciphertext attacks KDM-CCA security, under exactly the same assumptions on the building blocks as those used by Fujisaki and Okamoto. Specifically, we show two results: Firstly, we show that the construction proposed in PKC 1999 does not satisfy

Key Dependent Message Security and Receiver Selective Opening Security for Identity-Based Encryption

\text {KDM}\text {-}\text {CCA}

Simple and Generic Constructions of Succinct Functional Encryption

KDM-CCA security generally. Secondly, on the other hand, we show that the construction proposed in J. Cryptology 2013 satisfies

Formal Treatment of Verifiable Privacy-Preserving Data-Aggregation Protocols

\text {KDM}\text {-}\text {CCA}

A Framework for Achieving KDM-CCA Secure Public-Key Encryption

KDM-CCA security.

Constructions for the IND-CCA1 Secure Fully Homomorphic Encryption

Applebaum (EUROCRYPT 2011, J. Cryptology 2014) showed that it is possible to convert a public key encryption (PKE) scheme which is key dependent message (KDM) secure with respect to projection functions (also called projection-KDM secure) into a PKE scheme which is KDM secure with respect to any function family that can be computed in fixed polynomial time, without using any other assumption. This result holds in both of the chosen plaintext attack (CPA) and the chosen ciphertext attack (CCA) settings. In the CPA setting, he furthermore showed that even a projection-KDM secure 1-bit PKE scheme is sufficient to construct a KDM secure PKE scheme with respect to polynomial time computable functions. The existence of the latter trivially implies that of the former, and in this sense, he mentioned that single-bit projection-KDM security in the CPA setting and (multi-bit) projection-KDM security in the CCA setting are complete.