Efficient variants of the Naor-Yung and Dolev-Dwork-Naor transforms for CCA secure key encapsulation mechanism

Abstract

In this paper, we present novel constructions of chosen-ciphertext secure (CCA secure) key encapsulation mechanism (KEM) from chosen-plaintext secure (CPA secure) KEM in the standard model. It is already known that CCA secure public key encryption (PKE) can be generically constructed from CPA secure PKE and ((simulation-sound) non-interactive zero-knowledge proof) via the Naor-Yung or Dolev-Dwork-Naor transforms. Thus, one can also immediately construct CCA secure PKE from CPA secure KEM by converting CPA secure KEM into CPA secure PKE and transforming it to be CCA secure PKE. However, such a construction seems redundant since in general PKE is less efficient than KEM and it would be more efficient if we can directly construct CCA secure KEM from CPA secure KEM without intermediating CPA secure PKE. In this work, we propose new variants of the Naor-Yung and Dolev-Dwork-Naor transforms that directly convert CPA secure KEM into CCA secure KEM, and show that our proposed schemes are more efficient than the above straightforward constructions. For example, when instantiating from the decision linear assumption, ciphertext size of our Naor-Yung variant consists of 34 group elements while that of the straightforward construction consists of 47 group elements. Furthermore, we also propose another variant of the Dolev-Dwork-Naor transform from multiple KEM and show that a KEM which is obtained from Wee's extractable hash proof system can also be considered as an efficient construction of multiple KEM.