On the Construction of Public Key Encryption with Sender Recovery

This paper investigates public key encryption that has a desirable feature of allowing the sender of a ciphertext to recover the original plaintext from the ciphertext without:, relying on a recipient's private decryption key (PKE-SR). We propose two efficient methods for converting KEM/DEM (key encapsulation mechanisms/data encapsulation mechanisms) to PKE-SR. The first method, called pre-KEM seeding, can be applied to a large class of KEM/DEM constructions including those based on the discrete logarithm problem. Following the idea of pre-KEM seeding, we propose an efficient PKE-SR using DHIES, which has only one more additional element of length 160-bit in ciphertext than that of the original MITES. Furthermore, we show that PKE-SR can be constructed from identity based encryptions using the method of pre-KEM seeding. The second method, called post-KEM converging, is more powerful and can be employed to convert any secure KEM/DEM into a secure PEE-SR. Post-KEM converging takes advantages of an interesting property, called collision accessibility, of sibling intractable hashing. For both methods, added costs in ciphertext length and computation are minimal, making them a particularly attractive "drop-in" replacement in applications where plaintexts need to be recovered efficiently by the sender alone. We further explore the problem of constructing PEE-SR without redundancy and show such a construction for one-bit encryptions.