{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T06:58:04Z","timestamp":1769929084829,"version":"3.49.0"},"reference-count":38,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2007,11,8]],"date-time":"2007-11-08T00:00:00Z","timestamp":1194480000000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Cryptol"],"published-print":{"date-parts":[[2008,1]]},"DOI":"10.1007\/s00145-007-9010-x","type":"journal-article","created":{"date-parts":[[2007,11,7]],"date-time":"2007-11-07T21:45:27Z","timestamp":1194471927000},"page":"97-130","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":65,"title":["Tag-KEM\/DEM: A New Framework for Hybrid Encryption"],"prefix":"10.1007","volume":"21","author":[{"given":"Masayuki","family":"Abe","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Rosario","family":"Gennaro","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kaoru","family":"Kurosawa","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2007,11,8]]},"reference":[{"key":"9010_CR1","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"130","DOI":"10.1007\/3-540-48405-1_9","volume-title":"Advances in Cryptology\u2014CRYPTO\u201999","author":"M. Abe","year":"1999","unstructured":"M. Abe, Robust distributed multiplication without interaction, in Advances in Cryptology\u2014CRYPTO\u201999, ed. by M. Wiener. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 130\u2013147"},{"key":"9010_CR2","doi-asserted-by":"crossref","unstructured":"M. Abe, S. Fehr, Adaptively secure Feldman VSS and applications to universally-composable threshold cryptography. IACR ePrint Archive 2004\/119, June 10 2004. Preliminary version was presented in CRYPTO 2004","DOI":"10.1007\/978-3-540-28628-8_20"},{"key":"9010_CR3","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"128","DOI":"10.1007\/11426639_8","volume-title":"Advances in Cryptology\u2014EUROCRYPT 2005","author":"M. Abe","year":"2005","unstructured":"M. Abe, R. Gennaro, K. Kurosawa, V. Shoup, Tag-KEM\/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM, in Advances in Cryptology\u2014EUROCRYPT 2005, ed. by R. Cramer. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin, 2005), pp. 128\u2013146. Also available at IACR e-print 2005\/027 and 2004\/194"},{"key":"9010_CR4","doi-asserted-by":"crossref","unstructured":"M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in First ACM Conference on Computer and Communication Security (Association for Computing Machinery, 1993), pp. 62\u201373","DOI":"10.1145\/168588.168596"},{"key":"9010_CR5","doi-asserted-by":"crossref","unstructured":"M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, in Proceedings of the 20th Annual ACM Symposium on the Theory of Computing, pp. 1\u201310, 1988","DOI":"10.1145\/62212.62213"},{"key":"9010_CR6","unstructured":"K. Bentahar, P. Farshim, M. Malone-Lee, N. Smart, Generic constructions of identity-based and certificateless KEMs. IACR e-print Archive 058\/2005, 2005"},{"key":"9010_CR7","series-title":"Lecture Notes in Computer Science","first-page":"1","volume-title":"Advances in Cryptology\u2014CRYPTO\u201998","author":"D. Bleichenbacher","year":"1998","unstructured":"D. Bleichenbacher, Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1, in Advances in Cryptology\u2014CRYPTO\u201998, ed. by H. Krawczyk. Lecture Notes in Computer Science, vol. 1462 (Springer, Berlin, 1998), pp. 1\u201312"},{"key":"9010_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"275","DOI":"10.1007\/3-540-44647-8_17","volume-title":"Advances in Cryptology\u2014CRYPTO 2001","author":"D. Boneh","year":"2001","unstructured":"D. Boneh, Simplified OAEP for the RSA and Rabin functions, in Advances in Cryptology\u2014CRYPTO 2001, ed. by J. Killian. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp.\u00a0275\u2013291"},{"key":"9010_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"223","DOI":"10.1007\/978-3-540-24676-3_14","volume-title":"Advances in Cryptology\u2014EUROCRYPT 2004","author":"D. Boneh","year":"2004","unstructured":"D. Boneh, X. Boyen, Efficient selective-ID secure identity based encryption, in Advances in Cryptology\u2014EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027 (Springer, Berlin, 2004), pp. 223\u2013238"},{"key":"9010_CR10","doi-asserted-by":"crossref","unstructured":"D. Boneh, J. Katz, Improved efficiency for CCA-secure cryptosystems built using identity-based encryption. Technical Report 2004\/261, IACR ePrint archive, 2004","DOI":"10.1007\/978-3-540-30574-3_8"},{"key":"9010_CR11","doi-asserted-by":"crossref","unstructured":"X. Boyen, Q. Mei, B. Waters, Direct chosen ciphertext security from identity-based techniques, in ACM Conference on Computer and Communications Security (ACM, 2005), pp. 320\u2013329. Also available at IACR e-print 2005\/288","DOI":"10.1145\/1102120.1102162"},{"key":"9010_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"226","DOI":"10.1007\/11605805_15","volume-title":"Topics in Cryptology\u2014CT-RSA 2006","author":"D. Boneh","year":"2006","unstructured":"D. Boneh, X. Boyen, S. Halevi, Chosen ciphertext secure public key threshold encryption without random oracles, in Topics in Cryptology\u2014CT-RSA 2006, ed. by T. Rabin, S. Halevi. Lecture Notes in Computer Science, vol. 3860 (Springer, Berlin, 2006), pp. 226\u2013243"},{"key":"9010_CR13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1007\/3-540-48910-X_7","volume-title":"Advances in Cryptology\u2014EUROCRYPT\u201999","author":"R. Canetti","year":"1999","unstructured":"R. Canetti, S. Goldwasser, An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack, in Advances in Cryptology\u2014EUROCRYPT\u201999, ed. by J. Stern. Lecture Notes in Computer Science, vol. 1592 (Springer, Berlin, 1999), pp. 90\u2013106"},{"key":"9010_CR14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"565","DOI":"10.1007\/978-3-540-45146-4_33","volume-title":"Advances in Cryptology\u2014CRYPTO 2003","author":"R. Canetti","year":"2003","unstructured":"R. Canetti, H. Krawczyk, J. Nielsen, Relaxing chosen-ciphertext security, in Advances in Cryptology\u2014CRYPTO 2003, ed. by D. Boneh. Lecture Notes in Computer Science, vol. 2729 (Springer, Berlin, 2003), pp. 565\u2013582. Also available at IACR ePrint archive 2003\/174"},{"key":"9010_CR15","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"207","DOI":"10.1007\/978-3-540-24676-3_13","volume-title":"Advances in Cryptology\u2014EUROCRYPT 2004","author":"R. Canetti","year":"2004","unstructured":"R. Canetti, S. Halevi, J. Katz, Chosen-ciphertext security from identity-based encryption, in Advances in Cryptology\u2014EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027 (Springer, Berlin, 2004), pp. 207\u2013222"},{"key":"9010_CR16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"13","DOI":"10.1007\/BFb0055717","volume-title":"Advances in Cryptology\u2014CRYPTO\u201998","author":"R. Cramer","year":"1998","unstructured":"R. Cramer, V. Shoup, A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack, in Advances in Cryptology\u2014CRYPTO\u201998, ed. by H. Krawczyk. Lecture Notes in Computer Science, vol. 1462 (Springer, Berlin, 1998), pp. 13\u201325"},{"key":"9010_CR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"45","DOI":"10.1007\/3-540-46035-7_4","volume-title":"Advances in Cryptology\u2014EUROCRYPTO 2002","author":"R. Cramer","year":"2002","unstructured":"R. Cramer, V. Shoup, Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption, in Advances in Cryptology\u2014EUROCRYPTO 2002, ed. by L. Knudsen. Lecture Notes in Computer Science, vol. 2332 (Springer, Berlin, 2002), pp. 45\u201364"},{"issue":"1","key":"9010_CR18","doi-asserted-by":"publisher","first-page":"167","DOI":"10.1137\/S0097539702403773","volume":"33","author":"R. Cramer","year":"2003","unstructured":"R. Cramer, V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167\u2013226 (2003)","journal-title":"SIAM J. Comput."},{"key":"9010_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"133","DOI":"10.1007\/978-3-540-40974-8_12","volume-title":"9th IMA International Conference on Cryptography and Coding","author":"A. Dent","year":"2003","unstructured":"A. Dent, A designer\u2019s guide to KEMs, in 9th IMA International Conference on Cryptography and Coding, ed. by K.G. Paterson. Lecture Notes in Computer Science, vol. 2898 (Springer, Berlin, 2003), pp.\u00a0133\u2013151"},{"key":"9010_CR20","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"307","DOI":"10.1007\/0-387-34805-0_28","volume-title":"Advances in Cryptology\u2014CRYPTO\u201989","author":"Y.G. Desmedt","year":"1990","unstructured":"Y.G. Desmedt, Y. Frankel, Threshold cryptosystems, in Advances in Cryptology\u2014CRYPTO\u201989, ed. by G. Brassard. Lecture Notes in Computer Science, vol. 435 (Springer, Berlin, 1990), pp. 307\u2013315"},{"issue":"2","key":"9010_CR21","doi-asserted-by":"publisher","first-page":"391","DOI":"10.1137\/S0097539795291562","volume":"30","author":"D. Dolev","year":"2000","unstructured":"D. Dolev, C. Dwork, M. Naor, Nonmalleable cryptography. SIAM J. Comput. 30(2), 391\u2013437 (2000)","journal-title":"SIAM J. Comput."},{"key":"9010_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"537","DOI":"10.1007\/3-540-48405-1_34","volume-title":"Advances in Cryptology\u2014CRYPTO\u201999","author":"E. Fujisaki","year":"1999","unstructured":"E. Fujisaki, T. Okamoto, Secure integration of asymmetric and symmetric encryption schemes, in Advances in Cryptology\u2014CRYPTO\u201999, ed. by M. Wiener. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin, 1999), pp. 537\u2013554"},{"key":"9010_CR23","unstructured":"R. Gennaro, V. Shoup, A note on an encryption scheme of Kurosawa and Desmedt. Technical Report 2004\/194, IACR ePrint archive, 2004"},{"key":"9010_CR24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"179","DOI":"10.1007\/978-3-540-28628-8_11","volume-title":"Advances in Cryptology\u2014CRYPTO 2004","author":"C. Gentry","year":"2004","unstructured":"C. Gentry, How to compress Rabin ciphertexts and signatures (and more), in Advances in Cryptology\u2014CRYPTO 2004, ed. by M. Franklin. Lecture Notes in Computer Science, vol. 3152 (Springer, Berlin, 2004), pp. 179\u2013200"},{"key":"9010_CR25","doi-asserted-by":"crossref","unstructured":"O. Goldreich, S. Micali, A. Wigderson, How to play any mental game or a completeness theorem for protocols with honest majority, in Proceedings of the 19th annual ACM Symposium on the Theory of Computing, New York City, pp. 218\u2013229, 1987","DOI":"10.1145\/28395.28420"},{"key":"9010_CR26","unstructured":"J. Herranz, D. Hofheinz, E. Kiltz, The Kurosawa-Desmedt key encapsulation is not chosen-ciphertext secure. IACR e-print Archive 2006\/207, 2005"},{"key":"9010_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"221","DOI":"10.1007\/3-540-45539-6_16","volume-title":"Advances in Cryptology\u2014EUROCRYPT\u00a02000","author":"S. Jarecki","year":"2000","unstructured":"S. Jarecki, A. Lysyanskaya, Adaptively secure threshold cryptography: introducing concurrency, removing erasures (extended abstract), in Advances in Cryptology\u2014EUROCRYPT\u00a02000. Lecture Notes in Computer Science, vol. 1807 (Springer, Berlin, 2000), pp. 221\u2013242"},{"key":"9010_CR28","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"581","DOI":"10.1007\/11681878_30","volume-title":"Theory of Cryptography\u2014TCC\u201906","author":"E. Kiltz","year":"2006","unstructured":"E. Kiltz, Chosen-ciphertext security from tag-based encryption, in Theory of Cryptography\u2014TCC\u201906, ed. by S. Halevi, T. Rabin. Lecture Notes in Computer Science, vol. 3876 (Springer, Berlin, 2006), pp.\u00a0581\u2013600"},{"key":"9010_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"426","DOI":"10.1007\/978-3-540-28628-8_26","volume-title":"Advances in Cryptology\u2014CRYPTO 2004","author":"K. Kurosawa","year":"2004","unstructured":"K. Kurosawa, Y. Desmedt, A new paradigm of hybrid encryption scheme, in Advances in Cryptology\u2014CRYPTO 2004, ed. by M. Franklin. Lecture Notes in Computer Science, vol. 3152 (Springer, Berlin, 2004), pp. 426\u2013442"},{"key":"9010_CR30","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"171","DOI":"10.1007\/978-3-540-24638-1_10","volume-title":"Theory of Cryptography\u2014TCC\u201904","author":"P. MacKenzie","year":"2004","unstructured":"P. MacKenzie, M.K. Reiter, K. Yang, Alternatives to non-malleability: definitions, constructions, and applications, in Theory of Cryptography\u2014TCC\u201904, ed. by M. Naor. Lecture Notes in Computer Science, vol. 2951 (Springer, Berlin, 2004), pp. 171\u2013190"},{"key":"9010_CR31","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"426","DOI":"10.1007\/978-3-540-30576-7_23","volume-title":"Theory of Cryptography\u2014TCC\u201905","author":"W. Nagao","year":"2005","unstructured":"W. Nagao, Y. Manabe, T. Okamoto, A universally composable secure channel based on the KEM-DEM framework, in Theory of Cryptography\u2014TCC\u201905. Lecture Notes in Computer Science, vol. 3378 (Springer, Berlin, 2005), pp. 426\u2013444"},{"key":"9010_CR32","doi-asserted-by":"crossref","unstructured":"M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks. In Proceedings of the 22nd annual ACM Symposium on the Theory of Computing, pp. 427\u2013437, 1990","DOI":"10.1145\/100216.100273"},{"key":"9010_CR33","series-title":"Lecture Notes in Computer Science","volume-title":"RSA\u20192001","author":"T. Okamoto","year":"2001","unstructured":"T. Okamoto, D. Pointcheval, REACT: Rapid enhanced-security asymmetric cryptosystem transform, in RSA\u20192001. Lecture Notes in Computer Science (Springer, Berlin, 2001)"},{"key":"9010_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"433","DOI":"10.1007\/3-540-46766-1_35","volume-title":"Advances in Cryptology\u2014CRYPTO\u201991","author":"C. Rackoff","year":"1992","unstructured":"C. Rackoff, D. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in Advances in Cryptology\u2014CRYPTO\u201991. Lecture Notes in Computer Science, vol. 576 (Springer, Berlin, 1992), pp. 433\u2013444"},{"key":"9010_CR35","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"crossref","first-page":"275","DOI":"10.1007\/3-540-45539-6_19","volume-title":"Advances in Cryptology\u2014EUROCRYPT\u00a02000","author":"V. Shoup","year":"2000","unstructured":"V. Shoup, Using hash functions as a hedge against chosen ciphertext attack, in Advances in Cryptology\u2014EUROCRYPT\u00a02000. Lecture Notes in Computer Science, vol. 1807 (Springer, Berlin, 2000), pp. 275\u2013288"},{"key":"9010_CR36","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"239","DOI":"10.1007\/3-540-44647-8_15","volume-title":"Advances in Cryptology\u2014CRYPTO 2001","author":"V. Shoup","year":"2001","unstructured":"V. Shoup, OAEP reconsidered, in Advances in Cryptology\u2014CRYPTO 2001. Lecture Notes in Computer Science, vol. 2139 (Springer, Berlin, 2001), pp. 239\u2013259"},{"key":"9010_CR37","unstructured":"V. Shoup, ISO 18033-2: An emerging standard for public-key encryption (committee draft). Available at \n                    http:\/\/shoup.net\/iso\/\n                    \n                  , June 3 2004"},{"issue":"2","key":"9010_CR38","doi-asserted-by":"crossref","first-page":"75","DOI":"10.1007\/s00145-001-0020-9","volume":"15","author":"V. Shoup","year":"2002","unstructured":"V. Shoup, R. Gennaro, Securing threshold cryptosystems against chosen ciphertext attack. J. Cryptol. 15(2), 75\u201396 (2002)","journal-title":"J. Cryptol."}],"container-title":["Journal of Cryptology"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-007-9010-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00145-007-9010-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-007-9010-x","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00145-007-9010-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,4,8]],"date-time":"2020-04-08T08:37:03Z","timestamp":1586335023000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s00145-007-9010-x"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2007,11,8]]},"references-count":38,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2008,1]]}},"alternative-id":["9010"],"URL":"https:\/\/doi.org\/10.1007\/s00145-007-9010-x","relation":{},"ISSN":["0933-2790","1432-1378"],"issn-type":[{"value":"0933-2790","type":"print"},{"value":"1432-1378","type":"electronic"}],"subject":[],"published":{"date-parts":[[2007,11,8]]},"assertion":[{"value":"22 May 2005","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"22 June 2007","order":2,"name":"revised","label":"Revised","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"8 November 2007","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}