Selective opening security of practical public‐key encryption schemes

The authors show that two well‐known and widely employed public‐key encryption schemes – RSA optimal asymmetric encryption padding (RSA‐OAEP) and Diffie–Hellman integrated encryption scheme (DHIES), instantiated with a one‐time pad, – are secure under (the strong, simulation‐based security notion of) selective opening security against chosen‐ciphertext attacks in the random oracle model. Both schemes are obtained via known generic transformations that transform relatively weak primitives (with security in the sense of one‐wayness) to indistinguishability (IND)‐CCA secure encryption schemes. The authors also show a similar result for the well‐known Fujisaki–Okamoto transformation that can generically turn a one‐way secure public key encryption system and a one‐time pad into a IND‐CCA‐secure public‐key encryption system. The authors prove that selective opening security comes for free in these transformations. Both DHIES and RSA‐OAEP are important building blocks in several standards for public key encryption and key exchange protocols. The Fujisaki–Okamoto transformation is very versatile and has successfully been utilised to build efficient lattice‐based cryptosystems. The considered schemes are the first practical cryptosystems that meet the strong notion of simulation‐based selective opening ( SIM‐SO‐CCA ) security.