RCCA security for KEM+DEM style hybrid encryptions and a general hybrid paradigm from RCCA-secure KEMs to CCA-secure encryptions



Replayable chosen-ciphertext attack (RCCA) security is a weaker notion than chosen-ciphertext attack (CCA) security and has been proven to be sufficient for several cryptographic tasks. However, it is open to construct RCCA-secure schemes more efficient than CCA-secure ones. This paper adapts RCCA security to the most popular hybrid paradigms, KEM+DEM and Tag-KEM/DEM. For KEM+DEM paradigm, we show RCCA security is consistent with the CCA case, just as desired. But for Tag-KEM/DEM paradigm, we find some different status. Natural RCCA-secure Tag-KEM schemes can be easily constructed, which are more efficient than all existing CCA-secure ones. But unfortunately, passive security of DEM is not sufficient to obtain RCCA hybrid encryptions. In spite of this and for completeness, we show RCCA-secure DEMs are still sufficient. On the other hand, for passive secure DEMs, we prove that a stronger notion of RCCA security for Tag-KEM, named as tRCCA security, suffices for RCCA-secure hybrid encryptions. This somewhat suggests that a benign RCCA security for tag-based schemes should be tRCCA security. Finally, to show RCCA-secure KEM is sufficient for achieving CCA-secure hybrid encryptions, we introduce a new hybrid paradigm, named as KEM/Tag-DEM, where the ciphertext of KEM is used as a tag for Tag-DEM scheme rather than reversely in Tag-KEM/DEM, so that the security of KEM can be weakened to RCCA one. KEM/Tag-DEM shows the diversity of hybrid encryptions and has additional practical values. We also show Tag-DEMs can be constructed as efficiently as DEMs. Copyright © 2013 John Wiley & Sons, Ltd.