On the Construction of Public Key Encryption with Sender Recovery

This paper investigates public key encryption that has a desirable feature of allowing the sender of a ciphertext to recover the original plaintext from the ciphertext with-out relying on a recipient's private decryption key (PKE-SR). We propose two efficient methods for converting KEM/DEM (key encapsulation mechanisms/data encapsulation mechanisms) to PKE-SR. The first method, called pre-KEM seeding, can be applied to a large class of KEM/DEM constructions including those based on the discrete logarithm problem. Following the idea of pre-KEM seeding, we propose an efficient PKE-SR using DHIES, which has only one more additional element of length 160-bit in ciphertext than that of the original DHIES. Furthermore, we show that PKE-SR can be constructed from identity based encryptions using the method of pre-KEM seeding. The second method, called post-KEM converging, is more powerful and can be employed to convert any secure KEM/DEM into a secure PKE-SR. Post-KEM converging takes advantages of an interestin...