On the RCCA Security of Hybrid Signcryption for Internet of Things

With the rapid development of the Internet ofThings (IoT), a lot of sensitive information in our daily lives are now digitalized and open to remote access. The provision of security and privacy of such data would incur comprehensive cryptographic services and has raised wide concern. Hybrid signcryption schemes could achieve various kinds of cryptographic services (e.g., confidentiality, authenticity, and integrity) with much lower cost than the combination of separate traditional cryptographic schemes with each providing a single cryptographic service.Thus, hybrid signcryption schemes are very suitable for IoT environmentswhere resources are generally very constrained (e.g., lightweight sensors andmobile phones). To ensure that the overall hybrid signcryption scheme provides adequate cryptographic service (e.g., confidentiality, integrity, and authentication), its parts of KEM (key encryption mechanism) and DEM (data encryption mechanism) must satisfy some security requirements. Chosen-ciphertext attack (CCA) security has been widely accepted as the golden standard requirement for general encryption schemes. However, CCA security appears too strong in some conditions. Accordingly, Canetti et al. (CRYPTO 2003) proposed the notion of replayable CCA security (RCCA) for encryption schemes, which is a strictly weaker security notion thanCCA security and naturallymore efficient.This new security notion has proved to be sufficient for most existing applications of CCA security, e.g., encrypted password authentication. This is particularly promising for IoT environments, where security is demanding, yet resources are constrained. In this paper, we examine the RCCA security of the well-known SKEM+DEM style hybrid signcryption scheme by Dent at ISC 2005. Meanwhile, we also examine the RCCA security of the Tag-SKEM+DEM style hybrid signcryption scheme by Bjorstad and Dent at PKC 2006. We rigorously prove that a hybrid signcryption scheme can achieve RCCA security if both its SKEM part and its DEM part satisfy some security assumptions.


Introduction
With the booming development of wireless technology, Internet of Things (IoT) has seen its proliferation in various applications such as personal health, government work, and battle surveillance.How to ensure security and privacy of the sensitive data in these security-critical applications is a challenging issue, because it would generally incur comprehensive cryptographic services.Hybrid signcryption schemes could achieve various kinds of cryptographic services (e.g., confidentiality, authenticity, and integrity) with much lower cost than the combination of separate traditional cryptographic schemes with each providing a single cryptographic service [1].Thus, hybrid signcryption schemes are very suitable for IoT environments where resources are generally very constrained (e.g., lightweight sensors and mobile phones).
The first signcryption scheme was proposed by Zheng [2] at CRYPTO'97.The notion of confidentiality for a signcryption scheme is analogous to an original encryption scheme, while the nonrepudiation service is analogous to a digital signature one [3].Since then, various kinds of signcryption schemes have been suggested.At 2002, Lee [4] proposed identity-based signcryption; At AsiaCCS'08, Barbosa et al. [5] proposed certificateless signcryption.At IMACC'13, Nakano et al. [6] presented two generic constructions of signcryption in the standard model.At 2017, Li et al. [7] proposed a signcryption for cloud computing.At PQCrypto'18 Sato et al. [8] proposed lattice-based signcryption without random oracles.At the same time, Datta et al. [9] proposed the functional signcryption.
In addition, a number of signcryption schemes have been proposed for the IoT environments (e.g., key establishment over ATM networks [10], defense against fragment duplication attack in 6LoWPAN networks [11], short signcryption scheme for IoT [12], and provably secure signcryption for IoT [13]).Belguith et al. [14] proposed privacy preserving attribute based signcryption for IoT.
However, in the traditional signcryption schemes, the keyed encapsulation encryption is generally not made full use of, and the length of messages is always related to the signcryption scheme.Further, the major weakness of asymmetric encryption schemes is that the computational efficiency is worse than these symmetric ones [15].Accordingly, the notion of hybrid signcryption is proposed.Hybrid signcryption uses a symmetric encryption scheme to improve the overall performance and flexibility of asymmetric signcryption.Hybrid signcryption can simultaneously combine the main advantages of a public key encryption and a digital signature scheme with much lower cost when compared with traditional schemes [1,16].As sensor nodes in IoT are resource-constrained (e.g., limited battery power) and deployed to run for years, hybrid cryptography is particularly suitable for data storage and transmission to achieve secure and efficient communication [17].At 2004, Dent [15] proposed a formal composition model for hybrid signcryption, and this model covers Zheng's scheme [2].Later, Bjorstad et al. [18] proposed an improve signcryption scheme with tag-KEMs, Li et al. [19] proposed a certificateless hybrid signcryption scheme, and Zhou [20] proposed an improved certificateless hybrid signcryption scheme.Due to the usage of a symmetric encryption scheme to overcome the weakness and restricted message space of traditional asymmetric encryption schemes, these hybrid signcryption schemes can make the length of message independent of the security of the overall signcryption scheme.
Secure encryption is one of the most fundamental tasks in cryptographic schemes, while CCA security has been widely accepted as the golden standard requirement for encryption schemes [21,22].However, chosen-ciphertext attack security appears to be too strong in many conditions; there exist many encryption schemes that are not CCA secure but still have practical applications [23].Here we take a CCA secure public key encryption scheme PKE as example.We change it into a public key encryption scheme PKE' , which is equal to public key encryption scheme PKE except that this encryption oracle algorithm appends a bit 0 to each ciphertext and the decryption oracle algorithm of PKE' discards this bit 0 of a ciphertext.Then, one naturally obtains a different ciphertext decrypted to the same message as the original one.However, this change takes no real consequence in most situation, because the modified scheme PKE appears to be as secure as the scheme PKE in most situations.This example is also used in [23].
Accordingly, Canetti et al. [23] proposed the RCCA security notion at CRYPTO 2003.RCCA security is a strictly weaker security notion than CCA security, which has proved to be abundant for most cryptographic primitives, e.g., encrypted password authentication [24].There are some studies (e.g., [23,25]) about the RCCA security of hybrid cryptography, and there are also several studies (e.g., [2,3,15]) about the CCA security of hybrid signcryption.As far as we know, there is no work about examining the RCCA security of hybrid signcryption.To fill the gap, in this paper we consider the RCCA security of hybrid signcryption and show that hybrid signcryption can achieve RCCA security (rather than only CCA security) based on certain conditions.

Main Contributions.
In this paper, we examine the RCCA security of the hybrid signcryption scheme Tag-SKEM+DEM [18] and the hybrid signcryption scheme SKEM+DEM [3].We will show the following: (1) The hybrid signcryption scheme (SKEM+DEM) can be RCCA-secure if the scheme Tag-SKEM is RCCA-secure and the scheme DEM is RCCA-secure.(2) The hybrid encryption scheme (Tag-SKEM+DEM) can be RCCA-secure if the signcryption scheme Tag-SKEM is RCCA-secure and the scheme DEM is RCCA-secure.Although our results might be expected and somewhat straightforward, we concretely confirm such expectations with a formal proof.When giving our proof, we mainly use the hybrid game-based reduction technique presented in [26][27][28].

Related Works and Discussions.
It is obvious that if the hybrid signcryption scheme is going to provide an integrity and authentication service, then its KEM part and DEM part must satisfy some kind of security criterion.Dent et al. [15] examined the CCA security of hybrid signcryption schemes (SKEM+DEM and Tag-SKEM+DEM).Chen et al. [27] examined the RCCA security for hybrid encryption scheme KEM+DEM.Cui et al. [29] gave two kinds of RKA-secure signcryption schemes.In 2017, Dai et al. [30] considered the ECCA security for hybrid encryptions Tag-KEM+DEM and KEM+Tag-DEM.Abe et al. [26] provided a hybrid encryption scheme Tag-KEM+DEM, and they presented a useful way to get CCA secure hybrid encryptions.Cramer et al. [31] have shown that the hybrid encryption scheme Tag-KEM+DEM is CCA secure if its KEM part is CCA secure and its DEM part is one-time secure.
As, for the scheme Tag-SKEM+DEM, the ciphertext of scheme DEM is a tag of the scheme Tag-SKEM, one may think that the security assumption of scheme SKEM could be weakened to chosen plaintext attack (CPA) security when considering the RCCA security of signcryption.As it is impossible to make a simulation for the decryption oracle query for an adversary when the adversary attacks the hybrid signcryption, we leave it as an open problem that the security of scheme SKEM and DEM could be relaxed to a weaker security (e.g., CPA).One may also think that, with the RCCA security of Tag-KEM and one-time security of DEM, one can get the RCCA security of hybrid signcryption scheme Tag-KEM+DEM.However, the adversary cannot generate useful challenge ciphers if the adversary does not change the tag used for the scheme Tag-DEM.In this paper, when proving our results, we make a perfect simulation for the adversary, who initiates a IND-RCCA experiment to hybrid signcryption.We summarise the hybrid cryptology and their security in Table 1.
Organizations of the Paper.In Section 2, we review some basic notations and definitions.In Section 3 we review the definition of general hybrid signcryption scheme, SKEM+ DEM and Tag-SKEM + DEM, and then we prove its RCCA security.In Section 4, we review our main conclusions.

Preliminaries
In this section, we will review some useful notations and cryptographic primitives that will be used throughout this paper.
Notations.We denote by 1  the security parameter and write   ←   to denote the algorithm that picks an  randomly from the set . PPT denotes probabilistic polynomial time.we write  ← (, , ⋅ ⋅ ⋅ ) to denote the algorithm that runs algorithm A with inputs (, , ⋅ ⋅ ⋅ ) and then outputs .We define a function negl() as negligible: if for any constant  > 0, there exits a  0 ∈ Z, such that for all  >  0 , negl() <  − .
2.1.RCCA Security Definition.PKE = (Gen, Enc, Dec) is a public key encryption (PKE) scheme that consists of three polynomial-time algorithms: (i) Gen is key generation algorithm that inputs the security parameter  and outputs a pair of public/private keys (, ).(ii) Enc is PPT encryption algorithm that encrypts a message  into a ciphertext .(iii) Dec is a deterministic decryption algorithm that decrypts a ciphertext  and outputs either message  or a reject symbol ⊥.Now, we define its RCCA security by describing the attack experiment between a challenger and an PPT adversary A = (A 1 , A 2 ) with the following experiment: (i) Setup: The adversary A queries Gen algorithm: (, ) ← Gen().

Signcryption Key Encryption Mechanism (SKEM) and
Its RCCA Security Notions.A signcryption key encryption mechanism SKEM = (KEM.Gen  , KEM.Gen  , KEM.Enc, KEM.Dec) is a asymmetric encryption scheme [3], which consists of the four algorithms with the following: (i) SKEM.Gen  is a PPT algorithm that inputs a security parameter 1  and outputs the sender's public/private key (  ,   ).(ii) SKEM.Gen  is a PPT algorithm that inputs a security parameter 1  and outputs the receiver's public/private key (  ,   ).(iii) SKEM.Enc is a PPT encryption algorithm that inputs the send's private key   and the receiver's public key   and outputs (K, C); here, K is a symmetric key and C is the key encapsulation of K. (iv) SKEM.Dec is a deterministic, polynomial-time decryption algorithm that inputs the sender's public key   , a key encapsulation c, and the receiver's private key   and outputs either a key K or the error symbol ⊥.
We now define its RCCA security by describing the attack experiment; this experiment is played by an adversary A = (A

Data Encryption Mechanism and Its IND-RCCA Security.
A signcryption data encryption mechanism DEM is a symmetric encryption scheme, which consists of the following two algorithms: DEM.ENC, DEM.Dec.
(i) DEM.Enc :  ← DEM.Enc(K, ); DEM.Enc is a polynomial-time encryption algorithm; DEM.Enc encrypts  by using a key K and outputs the corresponding ciphertext .(ii) DEM.Dnc :  ← DEM.Dec(K, ); DEM.Dec is a polynomial-time decryption algorithm; it inputs ciphertext  and decrypts the cipher  by using the same key K.
We define its IND-RCCA security by describing the attack experiment; this experiment is played by an adversary A = (A 1 , A 2 ) and the challenger:

The RCCA Security of Hybrid Signcryption Schemes
In this section, we will recall the definition of hybrid signcryption which is adapted by Dent and An [15,33].Some definitions include the verification algorithm, whose aim is to provide nonrepudiation.However, in their view, nonrepudiation is unnecessary for most cryptography applications and hence will not be discussed further.Next, we examine the RCCA security for hybrid signcryption and consider the outsider security (the adversary is third party, neither sender nor receiver) of hybrid signcryption, which is proposed by Dent in [3].

SKEM+DEM Hybrid Signcryption Scheme and Its
Here, we assume the adversary A 1 at most makes the   queries to the encryption-decryption oracle, the running times of A 1 and A 2 are equal to that of adversary A, and   is the signcryption scheme DEM's key space.
Proof.Fix adversary A and ; A is a PPT IND-RCCA adversary, which attacks the hybrid signcryption scheme SKEM + DEM; then we proved the theorem by the following experiments.
Experiment 0 : This is an IND-RCCA experiment on the signcryption scheme SKEM + DEM, which is played by an adversary A = (A 1 , A 2 ) and the challenger.(We denote by  0 the event of adversary A succeeding in this experiment.)(i) Setup: The adversary A makes queries to key generation algorithm (  ,   ) ← SKEM.Gen  (1 If  ∈ { 0 ,  1 }, the challenger responds to A 2 with  or else responds to A 2 with . (v) Guess stage: In the end, the adversary A outputs a guessing bit   ∈ {0, 1}.
The following conclusion holds: Experiment 1 : We now modify experiment  0 to obtain a new experiment  1 .These two experiments are identical except that we use a uniformly random key K 0  ←  K  to compute the challenge cipher  * = ( * ,  * ) in step 3 of Game 0 ; the challenge cipher  * = ( * ,  * ) is computed by the encryption algorithm SKEM.Enc(  ,   , K 0 ) and  ← DEM.Enc  ().To maintain consistency, the challenger should use the symmetric key K 0 to answer the decryption oracle algorithm query (  , , .).Hence, the distinction between experiment  0 and experiment  1 mainly lies in how the scheme SKEM runs.(Denote by  1 the sign of the adversary A succeeding in this experiment.)We have the following conclusion.
Lemma 2. There is an adversary A 1 , and its running time is equal to the running time of adversary A; the following conclusion holds: Proof.We prove the lemma by constructing an adversary A 1 who attacks the signcryption scheme SKEM.The adversary A 1 simulates the environment for A, their interactions can be described as follows: (i) Setup: This has completed the construction of A 1 .By description, we can see that the adversary A 1 played a perfectly simulated decryption for adversary A unless the cipher  * is decrypted to K 1 and test is returned by the correct answer from the decryption oracle SKEM.Dec for every query.However, the probability of this event is 1/|K  | since in that case the key K 1 is uniformly random and independent of the opinion of the adversary A 1 for each such query.
(i) If  = 0, we can obtain that cipher  is computed by a random key K 0 ; meanwhile, the opinion of the adversary A is equal to that in Experiment 0 .
(ii) If  = 1, we can obtain that K 1 is corresponding correct key embedded in the cipher ; meanwhile, the opinion of the adversary A is equal to that in Experiment 1 .
Thus, ( We can get the following conclusion: Lemma 2 is proved. In the stage of experiment  1 's encryption and decryption oracle algorithms, we use a uniformly random key K 0 , so the challenger cipher  * is not be decrypted.From this point, we notice that the challenge cipher  * is generated by using a random symmetric key K 0 in experiment  1 .Meanwhile, the other cipher  =  * is decrypted by using random key K 0 , which has no other role in experiment  1 .Hence, in experiment  1 , the adversary A plays an adaptive replayable chosen ciphertext attack against (RCCA) the signcryption scheme DEM in substance, so the following conclusion holds.Lemma 3.There is a probabilistic adversary A 2 , and its running time is equal to the running time of the adversary A, such that the following conclusion holds: Proof.The symmetric key K 0 was chosen uniformly, randomly, and independently, so the challenge cipher  does not reveal related information about which message was encrypted.Hence, to gain success in experiment 2, the adversary must learn some information from the challenger cipher .We prove Lemma 3 by constructing a probabilistic adversary A 2 , who attacks the signcryption scheme DEM, and A 2 provides an environment for the adversary A. Now, we describe their interactions: (i) Setup: ←  K  , runs  * ← SKEM.Enc(  ,  R , K 1 ), and sends the challenge  * = ( * ,  * ) to A. We notice that the symmetric key K 1 was chosen as the encryption key of scheme DEM and embedded in cipher  * , which is uniformly random and independent of each other.This has completed the description of the adversary A 2 .By our construction, it is obvious that the adversary A 2 plays a perfectly simulated decryption for A, and whenever A gets success, so does A 2 .We have the following conclusion: We can know that the advantage of A in experiment 0 is which is negligible; we have proved Theorem 1.
(iii) An encryption algorithm Tag-KEM.Enc : It runs (, K) ← Tag-KEM.Key(  ,   ).Tag-KEM.Key(⋅) is a PPT algorithm that inputs the private key of sender   and public key of receiver   and outputs one-time key K and Intermediate state information .Choose   ←  {0, 1}  and compute  ←  TKEM.Enc(, ,   ,   , ).Tag-KEM.Enc is a PPT algorithm that encrypts the key K (embedded in ) into cipher  along with a tag  ∈  and returns a cipher ; here,  is called a tag.
(iv) An decryption algorithm Tag-KEM.Dec : K ← Tag-KEM.Dec(  ,   , , ).TKEM.Dec is a deterministic decryption verification algorithm for a signcryption cipher, which inputs the receiver's private key   , the cipher c, the sender's public key   , and a tag ; the decryption oracle Tag-KEM.Dec returns a key K or reject symbol ⊥.
Then the hybrid signcryption scheme can be constructed as follows: (i) Key generation algorithm Gen(1  ): Gen  (1  ) is a probabilistic receiver's key generation algorithm that inputs a 1  and outputs the receiver's public/private key pair (  ,   ); we write this as (  ,   ) ← Gen  (1  ).Gen  (1  ) is a probabilistic receiver key generation algorithm, which takes a as input a security parameter 1  and as output a receiver's public/private key pair (  ,   ); we write this as (  ,   ) ← Gen  (1  ).(ii) An encryption algorithm signcrypt : Tag-SKEM.
Finally, it outputs the message  or "reject" symbol ⊥.

The RCCA Security of Hybrid Signcryption Scheme Tag-SKEM+DEM
Theorem 6.The hybrid signcryption scheme (Tag-SKEM + DEM) is constructed from a scheme Tag-SKEM and a scheme DEM.If the signcryption scheme Tag-SKEM is IND-RCCA secure and the signcryption scheme DEM is IND-RCCA secure, then the hybrid signcryption scheme (Tag-SKEM + DEM) is also IND-RCCA secure.For every PPT adversary A, there are probabilistic adversary A 1 and adversary A 2 , whose running times are essentially equal to that of adversary A, such that for all  ≥ 0, the following holds.
Here, we assume the adversary at most makes the   queries to the encryption-decryption oracle algorithm and K  is the scheme DEM's key space.
Proof.We prove the theorem by constructing a PPT adversary A who attacks the hybrid signcryption scheme Tag-SKEM + DEM with the following experiments.(We denote by   the event of the adversary A succeeding in the -th game.)Experiment 0 : This is the IND-RCCA experiment on the signcryption scheme Tag-SKEM+DEM, and this experiment is played between an adversary A and the challenger as follows: (i) Setup: The adversary queries a key generation oracle.←  K  to encrypt the message  0 in step 3 of experiment 0 ; hence, we get the following conclusion.Lemma 7.There exists a probabilistic adversary A 1 , and its running time is equal to that of adversary A, such that the following conclusion holds: Here, we assume the adversary at most makes the   queries to the encryption-decryption oracle algorithm.
Proof.We prove the lemma by constructing an adversary A 1 who attacks signcryption scheme Tag-SKEM.The adversary A 1 simulates an environment for adversary A; their interactions can be described as follows: (i) Stage 1: The adversary A 2 was given (  ,   , K  ), and at the same time, (  ,   ) was sent to adversary A.
(   This has completed the description of A 1 ; it is clear that the adversary A 1 plays a perfectly simulated decryption for A unless the cipher  * is decrypted to K 1 and test is returned by the correct answer from the decryption oracle Tag-SKEM.Dec for every query.However, the probability of this event is 1/|K  | since in that case the key K 1 is random and independent of the opinion of the adversary A 1 for each such query.(ii) If  = 1, we can know that the key K 1 is the correct key embedded in the cipher  and the view of A is equal to that in Experiment 1 .Accordingly, Thus, Hence, Lemma 2 is proved.Next, we show that the adversary A playing Experiment 1 essentially conducts an IND-RCCA attack on the signcryption scheme DEM; we claim the following.
Lemma 8.There is a probabilistic adversary A 2 , and its running time is equal to that of A, and the following conclusion holds: Proof.This can be shown by constructing an adversary A 2 who attacks the signcryption scheme DEM.The adversary A 2 simulates the environment for adversary A; their interactions can be described as follows: (i) The adversary A 2 answers A's decryption query  = (  ,   ) with the following: (1) If  ∈ { 0 ,  1 }, then adversary A 2 sends    to adversary A. (2) Otherwise, adversary A 2 sends  to adversary A.
Here, we notice that the key K 0 chosen by the signcryption scheme DEM's encryption oracle and embedded in the cipher  * is randomly chosen and independent.
(v) Stage 5: In the end, the adversary A outputs   ∈ {0, 1}, and the adversary A also outputs   =   .
We have described the construction of the adversary A 2 .A 2 plays a perfect simulation Experiment for A; the view of A is equal to that in Experiment 0 and Experiment We have proved Theorem 6.

Conclusion
We have examined the RCCA security of two representative hybrid signcryption schemes, i.e., SKEM + DEM [3] and Tag-SKEM+DEM [18], in this paper.We proved that the hybrid signcryption scheme SKEM+DEM is RCCA-secure if the signcryption scheme SKEM is RCCA-secure and the signcryption scheme DEM is RCCA-secure.Meanwhile, we showed that the hybrid encryption scheme Tag-SKEM + DEM can be RCCAsecure if the signcryption scheme Tag-SKEM is RCCA-secure and the scheme DEM is RCCA-secure.

(iii) Setup 2 :
The adversary A 2 continues to make queries cipher  to Dec:  ← Dec(, K); here,  is not equal to the challenge cipher  * .If  ∈ { 0 ,  1 }, Dec responds to adversary A with , or else Dec responds to adversary A with .(iv) Guess stage: In the end, the adversary A outputs   ∈ {0, 1}.We define Adv IND−RCCA DEM,A() = |Pr[ =   ]−1/2| in the above experiment.If for any PPT adversary A, the function Adv IND−RCCA DEM,A 2 () is negligible, the scheme DEM is IND-RCCA secure.

(iv) Stage 2 :
The adversary inputs (  ,   ) and makes continuous queries  = (, ) to decryption oracle algorithm.Here, we require that adversary A 2 cannot query (  ,  * ) to the decryption oracle algorithm.However, we admit adversary  2 can make a query to the decryption oracle algorithm on (   , ) for any cipher    ̸ =    and on (   , ) for any  ̸ =  * .The adversary A 2 uses the secret key   to run the decryption oracle algorithm and answer the decryption query  = (, ) of adversary A with the following:(a) If   =  * , hence   ̸ =  * .Then The adversary A 2 runs the decryption oracle K ← SKEM.Dec(  ,   , ).If K =⊥, the adversary A 2 responds to A with ⊥ or else  ← DEM.Dec(K, ).If  ∈ { 0 ,  1 }, the adversary A 2 responds to A with , or else A 2 responds to A with .(v) Guess Stage: Finally, adversary A outputs a bit   ∈ {0, 1} and A 2 also outputs a bit   .
(a) If ⊥ is returned, then the adversary A 1 responds to A with ⊥.(b) If ⊥ is returned and   ̸ =  * , then A 1 uses   to decrypt the cipher .

( 1 )( 1 )(v) Stage 5 :
If  0 or  0 is returned, then the adversary A 1 responds to A with .(2)Otherwise, A 1 responds to A with the result.(c)If  is returned and cipher   =  * , then the adversary A 1 responds to A with .(d) If K 1 is returned, then the adversary uses K 1 to decrypt the cipher .If  0 or  0 is returned, then the adversary A 1 responds to adversary A with .(2) Otherwise, A 1 responds to adversary A with the result.In the end, the adversary A outputs a guess bit   ∈ {0, 1}, and A 1 outputs a bit   =   .
(i) If  = 0, we can know that random key K 0 is used for computing the cipher  and the view of A is identical to that in Experiment 0 .Accordingly, Pr[  =  |  = 0] = Pr[ 2 ].
(a) If K  =⊥, then A 2 responds to A with ⊥.(b) If K  = K 1 and  =  * , then A 2 responds to A with    .(c) If K  = K 1 and  ̸ =  * , then A 2 responds to A with .(d) If K  ̸ = K 1 , then A 2 uses K  to decrypt the cipher .

Table 1 :
The hybrid cryptology and their security notion * .

Stage 1: The
adversary A 1 queries a ciphertext  to Dec:  ← Dec(, ), and adversary A 1 responds with .  ) =  * , and, finally, sends the challenge  * to A 1 .(iv) Stage 2: The adversary A 2 makes continuous queries  to Dec; here, we require that the cipher  is not identical to the challenge cipher  * .The decryption algorithm runs  ← Dec(, ).Finally, if  ∈ { 0 ,  1 }, adversary A 2 responds with , or else adversary A 2 responds with  or reject symbol ⊥. (v) Guess stage: The adversary A outputs   ∈ {0, 1}.