Anamorphic Encryption with CCA Security: A Standard Model Construction
Pith reviewed 2026-05-10 18:08 UTC · model grok-4.3
The pith
Generic constructions from any randomness-recoverable KEM yield CCA-secure anamorphic encryption in the standard model.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
We formalize AKEM and give generic constructions that achieve sIND-CCA security in the standard model for the anamorphic (covert) channel, with security holding even against an adversary who obtains the decapsulation key, provided the underlying KEM is injective.
What carries the argument
The Anamorphic Key Encapsulation Mechanism (AKEM), which augments a standard KEM with mechanisms for embedding and extracting hidden messages using recovered randomness, while preserving CCA security.
If this is right
- Covert channels can now be CCA-secure within the KEM-DEM framework used in modern encryption.
- The scheme resists key compromise by a powerful adversary for the hidden message.
- Instantiations are possible with any KEM supporting randomness recovery and injectivity.
- Both public-key and symmetric-key anamorphic variants are supported.
Where Pith is reading between the lines
- This approach may extend to other post-compromise security scenarios in cryptography.
- Practical deployment could enhance secure messaging apps with deniable or covert features.
- Future work might explore efficiency improvements or integration with specific KEMs.
Load-bearing premise
The base key encapsulation mechanism must be injective, meaning each ciphertext corresponds to a unique randomness value, and must allow recovery of that randomness.
What would settle it
An attack that recovers the hidden message from an anamorphic ciphertext when the decapsulation key is known, using a specific injective KEM that supports randomness recovery.
read the original abstract
Anamorphic encryption serves as a vital tool for covert communication, maintaining secrecy even during post-compromise scenarios. Particularly in the receiver-anamorphic setting, a user can shield hidden messages even when coerced into surrendering their secret keys. However, a major bottleneck in existing research is the reliance on CPA-security, leaving the construction of a generic, CCA-secure anamorphic scheme in the standard model as a persistent open challenge. To bridge this gap, we formalize the Anamorphic Key Encapsulation Mechanism (AKEM), encompassing both Public-Key (PKAKEM) and Symmetric-Key (SKAKEM) variants. We propose generic constructions for these primitives, which can be instantiated using any KEM that facilitates randomness recovery. Notably, our framework achieves strong IND-CCA (sIND-CCA) security for the covert channel. We provide a rigorous formal proof in the standard model, demonstrating resilience against a "dictator" who controls the decapsulation key. The security of our approach is anchored in the injective property of the base KEM, which ensures a unique mapping between ciphertexts and randomness. By integrating anamorphism into the KEM-DEM paradigm, our work significantly enhances the practical utility of covert channels within modern cryptographic infrastructures.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces Anamorphic Key Encapsulation Mechanisms (AKEM) in both public-key (PKAKEM) and symmetric-key (SKAKEM) variants. It gives generic constructions that integrate anamorphism into the KEM-DEM paradigm and achieve strong IND-CCA (sIND-CCA) security for the covert channel in the standard model. The constructions are instantiated from any KEM supporting randomness recovery; security is proven rigorously against a dictator adversary who controls the decapsulation key, with the proof anchored in the injectivity of the base KEM (unique ciphertext-to-randomness mapping).
Significance. If the claimed standard-model proof holds, the result closes a persistent open problem by lifting anamorphic encryption from CPA to CCA security without random oracles or non-standard assumptions. The generic nature of the construction, together with the explicit resilience to key coercion, would materially improve the practicality of covert channels in post-compromise settings and strengthen the KEM-DEM paradigm.
minor comments (3)
- The abstract states that a 'rigorous formal proof' is provided but supplies no high-level reduction sketch or security-definition reference; adding a one-paragraph outline of the proof strategy would improve accessibility without lengthening the paper.
- Notation for the two AKEM variants (PKAKEM vs. SKAKEM) and the precise interface of the randomness-recovery oracle should be introduced with explicit syntax and correctness conditions in the preliminaries section.
- The manuscript would benefit from an explicit statement of the exact security definition (sIND-CCA) used for the covert channel, including the precise role of the dictator oracle, to allow direct comparison with prior CPA anamorphic definitions.
Simulated Author's Rebuttal
We thank the referee for the positive summary of our work and the recommendation for minor revision. We are pleased that the referee recognizes the significance of lifting anamorphic encryption to sIND-CCA security in the standard model via generic constructions from injective KEMs with randomness recovery.
Circularity Check
No significant circularity
full rationale
The paper presents a generic construction of AKEM (PK and SK variants) from any base KEM supporting randomness recovery and injectivity. Security for the covert channel is reduced to these external properties of the base KEM via a claimed standard-model proof; no equations, definitions, or steps within the paper reduce the claimed sIND-CCA result to a self-definition, a fitted parameter renamed as prediction, or a load-bearing self-citation chain. The construction integrates anamorphism into the KEM-DEM paradigm without internal circularity.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption The underlying KEM is injective, ensuring a unique mapping between ciphertexts and randomness.
- domain assumption The base KEM supports randomness recovery.
invented entities (1)
-
Anamorphic Key Encapsulation Mechanism (AKEM)
no independent evidence
Lean theorems connected to this paper
-
IndisputableMonolith/Cost/FunctionalEquation.leanwashburn_uniqueness_aczel unclear?
unclearRelation between the paper passage and the cited Recognition theorem.
The security of our approach is anchored in the injective property of the base KEM, which ensures a unique mapping between ciphertexts and randomness.
What do these tags mean?
- matches
- The paper's claim is directly supported by a theorem in the formal canon.
- supports
- The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
- extends
- The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
- uses
- The paper appears to rely on the theorem as machinery.
- contradicts
- The paper's claim conflicts with a theorem or certificate in the canon.
- unclear
- Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.
Reference graph
Works this paper leans on
-
[1]
Cryptology ePrint Archive (2015)
Rogaway, P.: The moral character of cryptographic work. Cryptology ePrint Archive (2015)
work page 2015
-
[2]
Persiano, G., Phan, D.H., Yung, M.: Anamorphic encryption: Private communi- cation against a dictator. In: Advances in Cryptology–EUROCRYPT 2022: 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings, Part II. pp. 34–63. Springer (2022)
work page 2022
-
[3]
In: International Confer- ence on the Theory and Application of Cryptology and Information Security
Wang, Y., Chen, R., Huang, X., Yang, G., Yung, M.: Sender-anamorphic encryption reformulated: Achieving robust and generic constructions. In: International Confer- ence on the Theory and Application of Cryptology and Information Security. pp. 135-167. Springer (2023)
work page 2023
-
[4]
In: Annual International Conference on the Theory and Applications of Cryptographic Techniques
Banfi, F., Gegier, K., Hirt, M., Maurer, U., Rito, G.: Anamorphic encryption, re- visited. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. pp. 3-32. Springer (2024)
work page 2024
-
[5]
Proceedings on Privacy Enhancing Technologies2023(4), 170–183 (2023)
Kutylowski, M., Persiano, G., Phan, D.H., Yung, M., Zawada, M.: The self-anti- censorship nature of encryption: On the prevalence of anamorphic cryptography. Proceedings on Privacy Enhancing Technologies2023(4), 170–183 (2023)
work page 2023
-
[6]
In: Annual International Cryptology Conference
Persiano, G., Phan, D.H., Yung, M.: Public-key anamorphism in (CCA-secure) public-key encryption and beyond. In: Annual International Cryptology Conference. pp. 422–455. Springer (2024)
work page 2024
-
[7]
Catalano, D., Giunta, E., Migliaro, F.: Anamorphic encryption: New constructions and homomorphic realizations. In: Advances in Cryptology–EUROCRYPT 2024: 41st Annual International Conference on the Theory and Applications of Crypto- graphic Techniques, Proceedings, Part II. pp. 33–62. Springer (2024)
work page 2024
-
[8]
Cryptology ePrint Archive (2025) Title Suppressed Due to Excessive Length 25
Banerjee, S., Pal, T., Rupp, A., Slamanig, D.: Simple Public Key Anamorphic En- cryption and Signature using Multi-Message Extensions. Cryptology ePrint Archive (2025) Title Suppressed Due to Excessive Length 25
work page 2025
-
[9]
In: Advances in Cryptology–CRYPTO 2003: 23rd Annual International Cryptology Conference, Proceedings
Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Advances in Cryptology–CRYPTO 2003: 23rd Annual International Cryptology Conference, Proceedings. pp. 565–582. Springer (2003)
work page 2003
-
[10]
In: International Conference on Applied Cryp- tography and Network Security
Faonio, A., Fiore, D.: Improving the efficiency of re-randomizable and replayable CCA secure public key encryption. In: International Conference on Applied Cryp- tography and Network Security. pp. 271–291. Springer (2020)
work page 2020
-
[11]
In: Annual International Cryptology Conference
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric en- cryption schemes. In: Annual International Cryptology Conference. pp. 537–554. Springer (1999)
work page 1999
-
[12]
Journal of the ACM (JACM)51(4), 557–594 (2004)
Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. Journal of the ACM (JACM)51(4), 557–594 (2004)
work page 2004
-
[13]
In: Annual International Cryptology Conference
Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transfor- mation in the quantum random-oracle model. In: Annual International Cryptology Conference. pp. 356–383. Springer (2019)
work page 2019
-
[14]
In: International Conference on the Theory and Applications of Cryp- tographic Techniques
Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: International Conference on the Theory and Applications of Cryp- tographic Techniques. pp. 207-222. Springer (2004)
work page 2004
-
[15]
Cryptology ePrint Archive (2025)
Choi, W., Collins, D., Liu, X., Zikas, V.: A unified treatment of anamorphic en- cryption. Cryptology ePrint Archive (2025)
work page 2025
-
[16]
In: Annual International Conference on the Theory and Applications of Cryptographic Techniques
Abe, M., Gennaro, R., Kurosawa, K., Shoup, V.: Tag-KEM/DEM: A new frame- work for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. pp. 128–146. Springer (2005)
work page 2005
-
[17]
In: Theory of Cryptography Conference
Nagao, W., Manabe, Y., Okamoto, T.: A universally composable secure channel based on the KEM-DEM framework. In: Theory of Cryptography Conference. pp. 426–444. Springer (2005)
work page 2005
-
[18]
In: International Conference on the Theory and Application of Cryptology and Information Security
Chen, R., Huang, X., Yung, M.: Subvert KEM to break DEM: practical algorithm- substitution attacks on public-key encryption. In: International Conference on the Theory and Application of Cryptology and Information Security. pp. 98–128. Springer (2020)
work page 2020
-
[19]
In: IMA International Conference on Cryptography and Coding
Dent, A.W.: A designer’s guide to KEMs. In: IMA International Conference on Cryptography and Coding. pp. 133–151. Springer (2003)
work page 2003
-
[20]
In: Annual International Conference on the Theory and Applications of Cryptographic Techniques
Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. pp. 520–551. Springer (2018)
work page 2018
-
[21]
SIAM Journal on Computing17(2), 373–386 (1988)
Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseu- dorandom functions. SIAM Journal on Computing17(2), 373–386 (1988)
work page 1988
-
[22]
Journal of Computer and System Sciences61(3), 362– 399 (2000)
Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences61(3), 362– 399 (2000)
work page 2000
-
[23]
In: Annual International Conference on the Theory and Applications of Cryptographic Techniques
Dodis, Y., Kiltz, E., Pietrzak, K., Wichs, D.: Message authentication, revisited. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. pp. 355–374. Springer (2012)
work page 2012
-
[24]
In:InternationalConferenceontheTheoryandApplicationsofCryptographicTech- niques
Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In:InternationalConferenceontheTheoryandApplicationsofCryptographicTech- niques. pp. 255–271. Springer (2003)
work page 2003
-
[25]
In: European Symposium on Research in Computer Security
Möller, B.: A public-key encryption scheme with pseudo-random ciphertexts. In: European Symposium on Research in Computer Security. pp. 335–351. Springer (2004)
work page 2004
-
[26]
Theory of Cryptography Conference
Boneh, D., Kim, S., Wu, D.J.: Constrained keys for invertible pseudorandom func- tions. Theory of Cryptography Conference. pp. 237–263. Springer (2017) 26 S. Wang et al
work page 2017
-
[27]
Boyen, X., Izabachène, M., Li, Q.: Secure Hybrid Encryption in the Standard Model from Hard Learning. In: Post-Quantum Cryptography: 12th International Workshop, PQCrypto 2021, Daejeon, South Korea, July 20–22, 2021, Proceedings. pp. 399–418. Springer (2021)
work page 2021
-
[28]
Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (2018)
work page 2018
-
[29]
Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., Wright, T.: Transport Layer Security (TLS) Extensions. RFC 4366 (2006)
work page 2006
-
[30]
Eastlake, D.: Transport Layer Security (TLS) Extensions: Extension Definitions. RFC 6066 (2011)
work page 2011
-
[31]
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (2008)
work page 2008
-
[32]
In: Annual International Cryptology Conference
Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. In: Annual International Cryptology Conference. pp. 260–274. Springer (2001)
work page 2001
-
[33]
Journal of Cryptology30(3), 889-919 (2017)
Kiltz, E., O’Neill, A., Smith, A.: Instantiability of RSA-OAEP under chosen- plaintext attack. Journal of Cryptology30(3), 889-919 (2017)
work page 2017
-
[34]
Jonsson, J., Kaliski, B.: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. RFC 3447, RFC Editor (2003)
work page 2003
-
[35]
In: Cryptographers’ Track at the RSA Conference
Yao, F.F., Yin, Y.L.: Design and analysis of password-based key derivation func- tions. In: Cryptographers’ Track at the RSA Conference. pp. 245-261. Springer (2005)
work page 2005
-
[36]
Krawczyk, H., Eronen, P.: HMAC-based Extract-and-Expand Key Derivation Function (HKDF). RFC 5869 (2010)
work page 2010
-
[37]
In: Annual Cryptology Conference
Krawczyk, H.: Cryptographic extraction and key derivation: The HKDF scheme. In: Annual Cryptology Conference. pp. 631–648. Springer (2010)
work page 2010
-
[38]
International Organization for Standardization, Geneva, Switzerland (2006)
ISO/IEC: ISO/IEC 18033-2:2006: Information technology – Security techniques – Encryption algorithms – Part 2: Asymmetric ciphers. International Organization for Standardization, Geneva, Switzerland (2006)
work page 2006
-
[39]
Federal Information Processing Standards Publication (FIPS) 203, U.S
National Institute of Standards and Technology: Module-Lattice-Based Key- Encapsulation Mechanism Standard. Federal Information Processing Standards Publication (FIPS) 203, U.S. Department of Commerce (2024)
work page 2024
-
[40]
In: Advances in Cryptology–EUROCRYPT 2010
Kiltz, E., Mohassel, P., O’Neill, A.: Adaptive trapdoor functions and chosen- ciphertext security. In: Advances in Cryptology–EUROCRYPT 2010. pp. 673–692. Springer (2010)
work page 2010
-
[41]
In: Pro- ceedings of the 40th annual ACM symposium on Theory of computing (STOC)
Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Pro- ceedings of the 40th annual ACM symposium on Theory of computing (STOC). pp. 120–129. ACM (2008)
work page 2008
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.