#### Abstract

We introduce a general concept of *multidivisible online/offline (MDO) cryptography*, which covers the previous works including online/offline cryptographic schemes, divisible online/offline signatures, incrementally executable signcryptions, and multidivisible online/offline encryptions. We then present the notion of *multidivisible online/offline signcryptions* (MDOSCs) as novel application of MDO cryptography. We define several security notions for MDOSCs and show implications and separations between these security notions. We also present a generic construction of MDOSC that achieves the strongest security notions with regard to confidentiality and unforgeability. Using MDOSC schemes, the computationally restricted and/or bandwidth-restricted devices can transmit messages in both confidential and authenticated way with low computational overhead and/or low-bandwidth network.

#### 1. Introduction

In the emerging network environment, e.g., Internet of Things (IoT), more and more computationally restricted devices as well as bandwidth-restricted devices are connected to each other at any time in any place. Securing their communication is urgently required to make these environments sustainable and scalable. We can use cryptographic schemes as building blocks to achieve security for them, only if it is taken into account that the devices here have restricted resources.

Online/offline cryptography, a fundamental concept for many cryptographic systems (e.g., signatures [1–4], encryptions [5–8], signcryptions [9–13], and so forth), is a key to reduce computational costs of the devices sending their messages in confidential and/or authenticated way.

The history of online/offline cryptography began with online/offline signatures proposed by Even et al. [2, 3]. The signing procedure of online/offline signature scheme is split into the offline phase and the online phase. The signer can perform all the computationally expensive operations in the offline phase, i.e., in any idle time before the sender decides the message to be signed. Then, in the online phase, i.e., after the message is determined, only lightweight operations are required to sign the message so that even low-power devices can handle the signing process.

As an extension of online/offline signature scheme in the context of signcryption, the notion of incrementally executable signcryptions (IESCs) was proposed in [12]. Here, a signcryption process is split into three subprocesses, where the sender can activate each subprocess incrementally by its given sequential input: the sender’s own key pair, a recipient’s public key, and a plaintext message to be sent to the recipient. We can utilize significant intervals between these three subprocesses to perform as much precomputation as possible.

To save the transmission bandwidth as well as computational cost, Gao et al. [4] proposed the notion of *divisible online/offline signatures* (DOSs). Using DOS, intermediate outputs can be securely sent to the receiver in the offline phase so that the senders can save not only computational resources but also transmission bandwidths in the online phase.

Applying the above attractive features of DOS as well as IESC to public-key encryption schemes, the notion of multidivisible online/offline encryptions (MDOEs) was proposed in [14]. In MDOEs, encryption process can be executed in at most three steps and at most three partial ciphertexts can be transmitted one-by-one.

*Our contributions*: in this paper, we propose a general concept of *multidivisible online/offline cryptography* (MDO cryptography, for short), which covers the online/offline cryptography, divisible online/offline signatures, incrementally executable signcryptions, and multidivisible online/offline encryptions.

In general, MDO cryptographic schemes have the following features: *Incremental processing*: a sender’s process can be divided into two or more subprocesses* **Incremental sending*: outputs of intermediate subprocesses can be sent prior to all the subsequent subprocesses

These features enable us to save both computational overhead and transmission bandwidth, on which we can construct secure communication platform for IoT-like environment.

As instances taking full advantage of these two features of MDO cryptography, we introduce notions of multidivisible online/offline signcryptions (MDOSCs) and divisible online/offline tag-based KEMs.

We define parameterized security notions of MDOSCs, denoted as for confidentiality and for unforgeability, with regard to three parameters: the level of divisibility *k*, the number of users *n*, and the number of queries per user *q*. Then, we analyze all the relationships, i.e., the implications and separations, among these security notions.

We also present a generic construction of MDOSC that achieves the strongest security notions of both confidentiality and unforgeability.

*Expected application scenario*: Figure 1 shows a usage example of our MDOSCs, where a signcryption algorithm is split into three subalgorithms, i.e., , , and , each of which can be processed incrementally and can send outputs to recipient incrementally. The sender in our example system consists of the following three components: a computationally powerful cloud with , an energy-restricted mobile device with , and the most computationally restricted as well as bandwidth-restricted IoT device such as a sensor node with . Both the sender and the receiver in our system can access a shared storage. We assume the receiver has enough computational resource to decrypt signcrypted messages received from the sender. Firstly, the sender uses cloud computing to execute the most computationally expensive algorithm with the sender’s own key pair to generate partial ciphertext , store it into the shared storage, and also store state information to the storage of the mobile device. These procedures can be repeatedly executed depending on the storage capacity of the mobile device and the costs for using cloud computing as well as shared storage. Next, when the sender recognizes the target recipient to whom she might send some messages and obtains the receiver’s public key , the sender’s mobile device executes less-expensive algorithm with and to generate partial ciphertext , transmit it to the receiver, and store state information to the storage of the IoT device. These procedures can also be repeatedly executed depending on the storage capacities of the IoT device and the receiver. After that, when the IoT device is ready to send a message *m* (e.g., typically very short numeric value sensed by sensor), it executes the least expensive algorithm with and *m* to generate partial ciphertext , transmit it to the receiver. Note that is reasonably short since the cryptographic information for decryption (unsigncryption) has been already transmitted as and . Finally, the receiver securely obtains the message *m* by unsigncrypting and with separately downloaded from the shared storage as well as and using the algorithm.

*Organization of this paper*: this paper is organized as follows. Section 2 introduces basic notations used in this paper. In Section 3, we introduce the concept of MDO cryptography and discuss its instances including MDO signatures, MDO encryptions, and MDO signcryptions. Section 4 formally defines the notion of MDO signcryptions and its security notions. The relations between the security notions of MDOSC are discussed in Section 5. Section 6 shows a generic construction of MDOSC and comparison with previous signcryption schemes as well as usage example of our MDOSC construction. Concluding remarks are given in Section 7.

#### 2. Notations

For , denotes the set . We write or to indicate that *x* is the output from a function or an algorithm *y*, or the assignment of the value *y* to *x*. denotes the operation of selecting a random element *x* from a set . We write to indicate explicitly that the algorithm belongs to the scheme . We write to indicate the operation of a turing machine with inputs and access to oracles , and letting *z* be the output. Unless otherwise indicated, algorithms are randomized, i.e., it takes a source of randomness to make random choices during execution. In all the experiments (games), every number, set, and bit string is implicitly initialized by 0, empty set , and empty string *ε*, respectively. We write to indicate the probability of the event that adversary outputs *b* in attack game .

#### 3. Multidivisible Online/Offline Cryptography

In this section, we propose a concept of (multi)-divisible online/offline (MDO) cryptography as a generalization of online/offline cryptography. This concept can be applied to various cryptographic primitives, such as encryption schemes and signature schemes. MDO cryptographic schemes have the two features: incremental processing and incremental sending.

*Incremental Processing*. In a cryptographic primitive, a list of several inputs is processed by an algorithm to compute , which is sent via a (insecure) channel.

In contrast, in MDO cryptography is split into subalgorithms , andare computed instead of . is treated as the output of . , state information, is assumed to be secretly stored and will be consumed *only once* by subalgorithm .

For a more general model, *k* inputs are grouped into input groups, . In this case, is split into subalgorithms. By this definition, our concept enables us to model wide variety of systems in a unified way. For example, an online/offline scheme is a special case where inputs are divided into two groups, a message and the others. Moreover, an ordinary cryptographic scheme can be treated as a special case where all inputs are grouped into only one input group, i.e., .

Grouping of inputs should depend on the timing when each input is given to the sender.

*Incremental Sending*. To save transmission bandwidth, it is desired to send each partial output one-by-one. However, it is known that a scheme could be insecure if each is allowed to be sent one-by-one, even when the scheme is secure if all the ’s are sent at the same time [14]. Therefore, we need extended security notions that capture new types of adversary exploiting partial output ’s for attacks.

In the following, we show several MDO cryptographic primitives including: signatures, public-key encryptions, key encapsulation mechanisms (KEMs), tag-based key encapsulation mechanisms (TBKEMs), and signcryptions.

##### 3.1. Signatures

We recall the notion of *divisible online/offline signatures (DOSs)* [4]. A divisible online/offline signature scheme consists of the following algorithms: (the *public parameter generation* algorithm): it outputs public parameters *λ* to be used by all parties (the *key generation* algorithm): it generates a key pair for signing and verification (the *offline signing* algorithm): given public parameters *λ* and a secret key sk, it outputs state information *φ* and an offline signature token . We require that (the *online signing* algorithm): given state information *φ* and a message *m*, it outputs online signature token (the deterministic *verification* algorithm): given a public key pk, a message *m*, and signature tokens , it outputs 1 (accept) or 0 (reject)

We require the correctness for DOS, namely, for any , any , any , any , and any , we have .

As an attempt, we might try to extend DOS to MDOS, *multi*divisible online/offline signatures, based on our framework. More specifically, we could further split into and . While this splitting is possible theoretically, it does not provide significant benefits to senders in practical. This is because public parameters *λ* and secret key sk are obtained by senders almost at the same time in most applications so that senders cannot take advantage of the precomputation of . We therefore do not try to formalize the syntax of *multi*divisible online/offline signatures in this paper. Nevertheless, we can provide the security notions for it based on multidivisible online/offline style to capture the unforgeability notion for ordinary signatures [15] as well as the notion for divisible online/offline signatures [4] in a unified way.

We define the security notion of (strong) unforgeability against adaptive chosen message attacks ( and ) as follows.

*Definition 1. *Let and . Let . Let be a DOS scheme, and let be an adversary. The -advantage of against is defined aswhere the attack game is defined in Figure 2.

We say that is if holds for any adversary that runs in time *t* and makes at most *q* queries to oracle .

Note that the notion of is equivalent to the standard unforgeability notion for ordinary signatures [15], whereas is identical to the notion for divisible online/offline signatures [4].

We also define the notion of *smooth* divisible online/offline signature scheme in a similar fashion with a smooth KEM [16].

*Definition 2. *Smoothness for DOS is defined as follows:where the expected value is taken over . We say is *ϵ*-smooth if holds.

##### 3.2. Public-Key Encryptions and KEMs

The notion of multidivisible online/offline encryptions (MDOEs) was proposed in [14]. It captures both the desirable features of identity-based online/offline encryptions [5–8] and divisible online/offline signatures [4], that is, a part of encryption can be executed even when the public key to the receiver is unknown and partial ciphertexts can be sent to the receiver even when the sender’s inputs (e.g., a public key or a plaintext) are not fully determined. Concrete constructions are also proposed in [14], which allow the computationally restricted and/or bandwidth-restricted devices to transmit ciphertexts with low computational overhead and/or low-bandwidth network.

Their concrete constructions are built on *partitioned* KEM, which can be regarded as an instance of divisible online/offline KEM. As with DOS and MDOE, partitioned KEMs have divided encapsulation algorithms, and , both of which output partial encapsulations and .

##### 3.3. Tag-Based Key Encapsulation Mechanism

We introduce the notion of *divisible online/offline tag-based KEM (DOTK)*, which is a tag-based analogue of divisible online/offline KEM, i.e., partitioned KEM.

A divisible online/offline tag-based key encapsulation mechanism consists of the following algorithms: (the *public parameter generation* algorithm): it outputs public parameters *λ* to be used by all parties. Public parameters *λ* contains a description of the session key space, . (the *key generation* algorithm): it generates a key pair for decapsulation and encapsulation. (the *first key encapsulation* algorithm): given public parameters *λ* and a tag , it outputs state information *φ* and a partial encapsulation . We require that . (the *second key encapsulation* algorithm): given state information *φ* and a public key pk, it outputs a pair , where is a generated session key and is a partial encapsulation of *K*. (the deterministic *decapsulation* algorithm): given a secret key sk, a tag *τ*, and encapsulations , it outputs either a session key *K* or an error symbol .

We require the correctness for DOTK, namely, for any , any , any , any , and any , we have .

We define the security notion of indistinguishability against adaptive tag and adaptive chosen ciphertext attacks .

*Definition 3. *Let and . Let be a DOTK scheme, and let be an adversary. The -advantage of against is defined aswhere the attack game is defined in Figure 3.

We say that is if holds for any adversary that runs in time *t* and makes at most queries to the oracle .

*Construction. *Here, we give a concrete example of divisible online/offline tag-based KEM scheme with lightweight algorithm that requires only one regular exponentiation in of bilinear groups. The construction of our tag-based KEM is similar to the one of partitioned KEM [14] that is based on the IBE-based KEM from Boyen et al. [17, 18]. The concrete scheme is described in Figure 4, where is a bilinear group, i.e., , , and are cyclic groups of prime order *p*, equipped with a bilinear map (a bilinear map satisfies the following properties: (1) bilinearity: for any , any , and any ; (2) efficient computability for any input pair; (3) nondegeneracy: for any and any ), is a target collision resistant hash function, and is a secure chameleon hash function. As with the partitioned KEM in [14], our scheme has no second partial ciphertext, i.e., , which is desirable when algorithm is executed in the bandwidth-restricted environment. We can verify that the scheme is if the DBDH (Decisional Bilinear Diffie–Hellman) assumption on holds. The proof is similar with the original proof in [17].

##### 3.4. Signcryptions

The two features of MDO cryptography, i.e., incremental processing and sending, can show their full advantages when applying to signcryptions, where the sender-side algorithm has multiple input arguments that can be given incrementally in most cases. Therefore, in the rest of this paper, we focus on the notion of *multidivisible online/offline signcryption (MDOSC)*.

In MDOSC schemes, a signcryption algorithm is split into three subalgorithms, each of which can be processed incrementally, and their output can be transmitted incrementally. A formal definition, security notions, and a generic construction of MDOSC are described in the following sections.

#### 4. Multidivisible Online/Offline Signcryptions

We first introduce multidivisible online/offline signcryption (MDOSC). Then, we formally define its security models in terms of confidentiality and unforgeability.

##### 4.1. Syntax

*Definition 4. *A multidivisible online/offline signcryption scheme, , consists of the following algorithms: (the public parameter generation algorithm): it outputs public parameters *λ* to be used by all parties (the sender key generation algorithm): it generates a private/public key pair for a sender (the receiver key generation algorithm): it generates a private/public key pair for a receiver (the first signcryption algorithm): given public parameter *λ* and sender’s key pair , it outputs state information and partial ciphertext (the second signcryption algorithm): given state information and recipient’s public key , it outputs new state information and partial ciphertext (the third signcryption algorithm): given state information and plaintext m, it outputs partial ciphertext (the deterministic unsigncryption algorithm): given public parameters *λ*, recipient’s key pair , sender’s public key , and partial ciphertexts , , and , it outputs either plaintext m or error symbol We require the correctness for MDOSC, namely, for any , any , any , any *m*, any , and any , we have .

We say that a MDOSC scheme is a 2-divisible online/offline signcryption (2-DOSC, for short) scheme if is not null. Similarly, if is not null, we call it as 3-DOSC scheme.

##### 4.2. Confidentiality

As for confidentiality, we define the indistinguishability against insider-chosen ciphertext attacks (or insider-chosen plaintext attacks) in the dynamic multiuser model, based on the same notion for standard (i.e., nondivisible) signcryption [19]. As with the indistinguishability of MDO encryption [14], we introduce the level of ciphertext divisibility, *k*, to express the following three distinct situations: () all the ciphertext , , and are made public at the same time; () and are made public at the same time, then is published; () , , and are made public one by one. Notice that the case of is covered by the standard notion for signcryptions [19], whereas the case of corresponds to the incremental sending situation of MDO cryptography. Adversaries in the latter situations have more capabilities; for example, the adversary in the case of can choose the target recipient after observing and can choose challenge messages after knowing as well as . Our definition captures these types of adversaries using three signcryption oracles.

*Definition 5. *Let and . Let be a MDOSC scheme, and let be an adversary. The -advantage of against is defined aswhere attack game is defined in Figure 5.

We say that is if holds for any adversary that runs in time *t* and makes at most queries to the oracle .

In addition, the -advantage of against is defined in a similar fashion with -advantage, except that the adversary has no access to oracle , i.e., , in game .

##### 4.3. Unforgeability

As for unforgeability, we define the (strong) unforgeability against insider chosen-message attacks in the dynamic multiuser model. Similar to the confidentiality notion, we use the level *k* of divisibility to express the three distinct situations. Note that the case of is equivalent to the standard for signcryptions [19]. The adversary in the case of can take more flexible strategy: it can decide the target recipient key after observing and can query the signcryption oracle with a message *m* after knowing as well as .

*Definition 6. *Let and . Let . Let be a MDOSC scheme, and let be an adversary. The -advantage of against is defined aswhere the attack game is defined in Figure 6.

We say that is if holds for any adversary that runs in time *t*.

#### 5. Relations between Security Notions for MDOSCs

In this section, we clarify the relations between the security notions defined in the previous section in terms of confidentiality and unforgeability. The result is summarized in Figure 7, where denotes the notion of in the left-hand side, whereas denotes the notion of in the right-hand side. Note that for any , , and such that , , and , our trivially implies and . Similarly, trivially implies and .

##### 5.1. Confidentiality

The following two theorems say that for any , implies with reduction loss polynomial in the number *n* of receivers as well as the number *q* of challenge queries.

Theorem 1. *(). For , assume a k-DOSC scheme is . Then, is also , where .*

Using the hybrid argument in a similar fashion with [20], we can easily obtain the proof of Theorem 1.

As for the case of , the hybrid argument cannot be trivially applied due to the difficulty of the simulation of oracle in , which is called times, using oracle in , which can be called only once. Responding to the adversary’s query to with , the simulator for first chooses and uses its given single public key as a key of the user . Then, the simulator uses its given oracle access to in * if * will be used for the -th query related to the target user , whereas it computes by the simulator itself otherwise. Here, the simulator has to guess whether will be used for the -th challenge query to before a subsequent invocation of . To overcome this issue, we use a naive guessing approach and obtain the following reduction:

Theorem 2. *(). Assume a 3-DOSC scheme is . Then, is also , where .*

The proof is given in Appendix B.1.

*Remark 1. *We can apply the above argument to the multidivisible online/offline encryptions (MDOEs) to get a same polynomial reduction from to for MDOEs. The obtained reduction is significantly tighter than the previous one shown in [14] where only superpolynomial one was provided.

Next, we show that implies as follows:

Theorem 3. *(). Assume a 3-DOSC scheme is . Then is also .*

*Proof. *In the single-user setting, i.e., , the adversary has no choice of the recipient *i* when it invokes oracle . Hence, the successive invocations of and in game is essentially equivalent to the invocation of the oracle in .

Finally, we show the separation between and . Specifically, we provide a but not 3-DOSC scheme, , as an evidence of the separation. Scheme is described in Figure 8.

Theorem 4. *(). Assume there exists a (divisible) online/offline tag-based KEM that is , a smooth divisible online/offline signature scheme , and a DEM , where . Then, there exists a 3-DOSC scheme which is secure in the sense of but which is not secure in the sense of .*

The proof is given in Appendix B.2.

##### 5.2. Unforgeability

First, we show the following implications with regard to the number of senders.

Theorem 5. *(). For , if a k-DOSC scheme is , then is also , where .*

*Proof. *The adversary attacking can simulate signcryption oracles for the adversary attacking , using its given oracles (for the single target sender) as well as its generating sender key pairs. Contrary to the confidentiality notions, note that the first signcryption oracle, , has the sender index *i* as its input so that its simulation can be done without any guessing.

Next, we show separations among for .

Theorem 6. *(). Assume there exists a and smooth . Then, there exists 3-DOSC schemes and such that the former is secure in the sense of but which is not secure in the sense of , whereas the latter is secure in the sense of but which is not secure in the sense of .*

*Proof . *(sketch). and are described in Figure 8. In order to show that (or ) is not (or ), we construct adversary (or ) shown in Figure 9. Note that oracle (or ) always generates as an answer to the query so that can output any forgery using .

On the other hand, we can show that (or ) is (or ) in a similar fashion with the proof of Theorem 8 shown later.

#### 6. MDOSC Construction

In this section, we provide a generic construction of MDOSC with security proofs and compare it with previous signcryption schemes.

Using a (divisible) online/offline tag-based KEM, a divisible online/offline signature scheme, and a DEM as building blocks, we can derive 3-DOSC scheme . is described in Figure 8 without all boxed parts.

##### 6.1. Security

The following theorems guarantee the security of our construction.

Theorem 7. *( is ). If is and is then is , where , , and .*

We can prove this theorem in a similar fashion with the proof of Lemma B.2 described in Appendix B.2.

Theorem 8. *( is ). If is and is one-to-one then is , where , , and .*

*Proof. *Assume we have a *t*-time adversary that makes at most *q* queries to oracles , , and in order to break security of . We will construct adversary exploiting as a black box to attack security of . For any , we will show the following relation holds:In order to prove equation (1), we use and described in Figure 10. As with the proof of Lemma B.2, we simplify the game description by omitting or modifying the statements and the variables that play no role when .

Game is equivalent to the original attack game played by against . Hence, we haveGame is identical to except the following: computations of and are replaced by oracle invocations of and , respectively; one of the winning condition is replaced by . Note that , , and are exactly the ones in described in Figure 2.

Oracles and here can be used to simulate the original behavior of so that ’s views in these two games are equivalent.

In addition, we claim that implies . Let us assume , i.e., there exists some such that equals to . Then, also holds because of the correctness property of . Furthermore, also holds becausewhere the second equality follows from one-to-one property of . Hence, holds since we now have such that equals to .

Therefore, it follows thatWe now construct adversary satisfies the following relation:The description of adversary is shown in Figure 11. We can see adversary makes at most *q* queries to as well as , and its running time . It is easy to verify that ’s view in is equivalent to the one in so that the above relation holds.

In summary, we now have equation (1). Combining it with the assumptions that is , we have , which implies that is for , as desired.

From Theorems 2, 3, and 5, it follows that has the strongest security in the sense of both confidentiality and unforgeability:

Corollary 1. *( is ). Suppose is and is . Then, is , where , , and .*

Corollary 2. *( is ). Suppose is and is one-to-one. Then, is , where , , and .*

##### 6.2. Comparison

In Tables 1 and 2, we present a comparison of our construction with previous signcryption constructions in various viewpoints. Here, we consider the following three signcryption schemes (including ours) that satisfy the strongest notions of insider security in the multiuser setting without relying on random oracles: : the standard (i.e., not online/offline) signcryption scheme proposed by Chiba et al. [21] that consists of TBKEM, digital signature, and DEM. Here, we instantiate it with , TBKEM obtained from the PKE scheme by Boyen et al. [18] and Boneh-Boyen signature scheme [22]. : the incrementally executable signcryption scheme [12] that consists of TBKEM, digital signature, one-time signature, and DEM. Here, we instantiate it with , , and the specific DL-based one-time signature scheme [23]. : our proposed MDOSC described in Figure 8 without all boxed parts, which consists of DOTK, DOS, and DEM. Here, we instantiate it with , a concrete DOTK described in Section 3.3, and the concrete DOS proposed by Gao et al [4].

Note that we do not specify any instance of DEM since the selection of DEM does not cause the efficiency difference in the comparison.

Computational costs are measured in the same way as [21], that is, denotes *a* exponentiations, *b* multiexponentiations, and *c* pairing computations, and *W* denotes computation of the Waters hash [24]. Other computational overhead caused by multiplications, hash functions, and symmetric key primitives are ignored.

In terms of storage and ciphertext size, and denote the size of a bilinear group element from and , respectively. Similarly, denotes the size of a group element of , whereas denotes the output length of target-collision resistant hash function. The appended numerical values are instance bit-length of storage and ciphertext when we assume bits and bits to achieve 80-bit security. We also assume to capture typical IoT use cases where messages sent by IoT devices are significantly shorter than other cases.

Our construction exploits the multidivisible feature effectively to achieve both the shortest ciphertext size and the least computational cost in the phase 3 (i.e., online phase). With our , the expensive encryption process can also be performed in the phase 1 (i.e., *before* being given the recipient’s public key), whereas it can be only in the phase 2 (i.e., *after* being given the recipient’s public key) with . All the advantages enable lightweight IoT devices to transmit confidential as well as authenticated messages to the recipient devices in IoT application scenarios as described in Section 1.

#### 7. Conclusions

We presented a general concept of multidivisible online/offline cryptography (MDO cryptography), which covers the previous works including online/offline cryptographic schemes, divisible online/offline signatures, incrementally executable signcryptions, and multidivisible online/offline encryptions. We then presented the notion of multidivisible online/offline signcryptions (MDOSCs) as novel application of MDO cryptography. We defined several security notions for MDOSCs and show implications and separations between these security notions. We also presented a generic construction of MDOSC that achieves the strongest security notions with regard to confidentiality and unforgeability. MDOSC schemes allow the computationally restricted and/or bandwidth-restricted devices to transmit signed ciphertexts with low computational overhead and/or low-bandwidth network.

#### Appendix

#### A. Data Encapsulation Mechanism

A data encapsulation mechanism () consists of the following algorithms: (the *public parameter generation* algorithm): it outputs public parameters *λ* to be used by all parties. Public parameters *λ* contains a description of the key space, , which is usually identical to . We will generally assume that all algorithms take *λ* as an implicit input, even if it is not explicitly stated (the *encryption* algorithm): it takes as input the private key , and a message *m* from the associated message space, and outputs a ciphertext *C* (the deterministic *decryption* algorithm): it takes as input the private key , and a ciphertext *C*, and outputs either a message *m* or an error symbol

We require the correctness for DEM, namely, for any , any , and any *m*, we have .

A DEM is said to be *one-to-one* if for any *K*, *C*, and , implies . In other words, for any given *K* and *m*, there is at most one ciphertext *C* such that . As described in [25], this property is quite natural for a large number of DEMs.

We recall the security notion of indistinguishability against one-time chosen ciphertext attacks, , and its stronger variant, . The former is defined in [26], whereas the latter is defined in [27]. The decryption oracle in game can be accessed only after the adversary obtains the challenge ciphertext, whereas the one in does not have such restriction.

Let . The *X-advantage of ** against * is defined aswhere the attack game is defined in Figure 12. We say that is *-X-secure* if holds for any adversary that runs in time *t* and makes at most *q* queries to the oracle .

#### B. Proofs of Theorems

##### B.1. Proof of Theorem 2

Assume we have a *t*-time adversary that takes *n* receivers’ public keys, makes at most queries to , makes at most *q* queries per receiver to , makes at most queries to , and makes at most queries to , in order to break security of . Then, we will construct a -time adversary that takes a single receiver’s public key, makes only one query to , makes only one query to , makes only one query to , makes at most queries to , and exploits as a black box to attack the security of . For any , we will show the following relation holds:

In order to prove equation (B.2), we use the game sequence , where and , shown in Figure 13. Our proof is via a hybrid argument in a similar fashion with [20]. We can see that the ’s view in game is equivalent to the one in with , while the one in game is equivalent to the one in with . Thus, we have

Let denote the event that game does not set bad to . Similarly, we let denote the event that game sets bad to . We can see that is independent of ’s output. Hence, for any , it follows that

The second equality holds because is equivalent to the event that , where the choice of is independent of ’s view.

Game is the same as except that when bad is set to true, game outputs a random bit and halts in the middle of invocation. Game and are identical-until-bad so that for any , we have

The last equality holds because if occurs then the output of game is a random bit.

We now show how to construct adversary . The attack game defining of and the description of adversary against it are described in Figure 14. Note that oracle , , , and in are simplified but equivalent versions of , , , and , respectively. We can see adversary makes one query to , one query to , one query to and at most queries to , and its running time . In addition, for any , we can see that the ’s view in game with as well as (or ) is identical to the one in game (or ). Therefore, for any , it follows that