Efficient Public Key Encryption Admitting Decryption by Sender

This paper investigates public key encryption that has a desirable feature of allowing the sender of a ciphertext to recover the original plaintext from the ciphertext without relying on a recipient's private decryption key PKE-SR. We propose two efficient methods for converting KEM/DEM to PKE-SR. The first method, called pre-KEM seeding, can be applied to a large class of KEM/DEM constructions including those based on the discrete logarithm problem. The second method, called post-KEM converging, is more powerful and can be employed to convert any secure KEM/DEM into a secure PKE-SR. Post-KEM converging takes advantages of an interesting property, called collision accessibility, of sibling intractable hashing. For both methods, added costs in ciphertext length and computation are minimal, making them a particularly attractive "drop-in" replacement in applications where plaintexts need to be recovered efficiently by the sender alone.