Tag-KEM/DEM Framework for Public-Key Encryption with Non-Interactive Opening

Yusuke SAKAI  Takahiro MATSUDA  Goichiro HANAOKA  

IEICE TRANSACTIONS on Information and Systems   Vol.E101-D   No.11   pp.2677-2687
Publication Date: 2018/11/01
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2017ICP0003
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security)
Category: Cryptographic Techniques
Keyword: Public-key encryption with non-interactive opening, Tag-KEM

In a large-scale information-sharing platform, such as cloud storage, it is often required not only to securely protect sensitive information but also to recover it in a reliable manner. Public-key encryption with non-interactive opening (PKENO) is considered a suitable cryptographic tool for this requirement. This primitive is an extension of public-key encryption which enables a receiver to provide a non-interactive proof which confirms that a given ciphertext is decrypted to some public plaintext. In this paper, we present a Tag-KEM/DEM framework for PKENO. In particular, we define a new cryptographic primitive called a Tag-KEM with non-interactive opening (Tag-KEMNO), and prove the KEM/DEM composition theorem for this primitive, which ensures that a key encapsulation mechanism (KEM) and a data encapsulation mechanism (DEM) can be, under certain conditions, combined to form a secure PKENO scheme. This theorem provides a secure way of combining a Tag-KEMNO scheme with a DEM scheme to construct a secure PKENO scheme. Using this framework, we explain the essence of existing constructions of PKENO. Furthermore, we present four constructions of Tag-KEMNO, which yield four PKENO constructions. These PKENO constructions coincide with the existing constructions, and thereby we explain the essence of these existing constructions. In addition, our Tag-KEMNO framework enables us to expand the plaintext space of a PKENO scheme. Some of the previous PKENO schemes are only able to encrypt a plaintext of restricted length, and there has been no known way to expand this restricted plaintext space to the space of arbitrary-length plaintexts. Using our framework, we can obtain a PKENO scheme with an unbounded-length plaintext space by modifying and adapting such a PKENO scheme with a bounded-length plaintext space.