pith. sign in

arxiv: 2604.07771 · v1 · submitted 2026-04-09 · 💻 cs.CR

Anamorphic Encryption with CCA Security: A Standard Model Construction

Pith reviewed 2026-05-10 18:08 UTC · model grok-4.3

classification 💻 cs.CR
keywords anamorphic encryptionCCA securitystandard modelkey encapsulation mechanismcovert channelsIND-CCA securityrandomness recovery
0
0 comments X

The pith

Generic constructions from any randomness-recoverable KEM yield CCA-secure anamorphic encryption in the standard model.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces formal definitions for Anamorphic Key Encapsulation Mechanisms in both public-key and symmetric-key settings. It provides generic constructions that achieve strong IND-CCA security for the covert channel while remaining secure against a dictator controlling the decapsulation key. These constructions rely on the injectivity of the base KEM to ensure unique mappings and support randomness recovery. By embedding anamorphism into the KEM-DEM paradigm, the work addresses the previous limitation of only CPA-secure schemes and enables practical use in standard cryptographic systems.

Core claim

We formalize AKEM and give generic constructions that achieve sIND-CCA security in the standard model for the anamorphic (covert) channel, with security holding even against an adversary who obtains the decapsulation key, provided the underlying KEM is injective.

What carries the argument

The Anamorphic Key Encapsulation Mechanism (AKEM), which augments a standard KEM with mechanisms for embedding and extracting hidden messages using recovered randomness, while preserving CCA security.

If this is right

  • Covert channels can now be CCA-secure within the KEM-DEM framework used in modern encryption.
  • The scheme resists key compromise by a powerful adversary for the hidden message.
  • Instantiations are possible with any KEM supporting randomness recovery and injectivity.
  • Both public-key and symmetric-key anamorphic variants are supported.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • This approach may extend to other post-compromise security scenarios in cryptography.
  • Practical deployment could enhance secure messaging apps with deniable or covert features.
  • Future work might explore efficiency improvements or integration with specific KEMs.

Load-bearing premise

The base key encapsulation mechanism must be injective, meaning each ciphertext corresponds to a unique randomness value, and must allow recovery of that randomness.

What would settle it

An attack that recovers the hidden message from an anamorphic ciphertext when the decapsulation key is known, using a specific injective KEM that supports randomness recovery.

read the original abstract

Anamorphic encryption serves as a vital tool for covert communication, maintaining secrecy even during post-compromise scenarios. Particularly in the receiver-anamorphic setting, a user can shield hidden messages even when coerced into surrendering their secret keys. However, a major bottleneck in existing research is the reliance on CPA-security, leaving the construction of a generic, CCA-secure anamorphic scheme in the standard model as a persistent open challenge. To bridge this gap, we formalize the Anamorphic Key Encapsulation Mechanism (AKEM), encompassing both Public-Key (PKAKEM) and Symmetric-Key (SKAKEM) variants. We propose generic constructions for these primitives, which can be instantiated using any KEM that facilitates randomness recovery. Notably, our framework achieves strong IND-CCA (sIND-CCA) security for the covert channel. We provide a rigorous formal proof in the standard model, demonstrating resilience against a "dictator" who controls the decapsulation key. The security of our approach is anchored in the injective property of the base KEM, which ensures a unique mapping between ciphertexts and randomness. By integrating anamorphism into the KEM-DEM paradigm, our work significantly enhances the practical utility of covert channels within modern cryptographic infrastructures.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 3 minor

Summary. The paper introduces Anamorphic Key Encapsulation Mechanisms (AKEM) in both public-key (PKAKEM) and symmetric-key (SKAKEM) variants. It gives generic constructions that integrate anamorphism into the KEM-DEM paradigm and achieve strong IND-CCA (sIND-CCA) security for the covert channel in the standard model. The constructions are instantiated from any KEM supporting randomness recovery; security is proven rigorously against a dictator adversary who controls the decapsulation key, with the proof anchored in the injectivity of the base KEM (unique ciphertext-to-randomness mapping).

Significance. If the claimed standard-model proof holds, the result closes a persistent open problem by lifting anamorphic encryption from CPA to CCA security without random oracles or non-standard assumptions. The generic nature of the construction, together with the explicit resilience to key coercion, would materially improve the practicality of covert channels in post-compromise settings and strengthen the KEM-DEM paradigm.

minor comments (3)
  1. The abstract states that a 'rigorous formal proof' is provided but supplies no high-level reduction sketch or security-definition reference; adding a one-paragraph outline of the proof strategy would improve accessibility without lengthening the paper.
  2. Notation for the two AKEM variants (PKAKEM vs. SKAKEM) and the precise interface of the randomness-recovery oracle should be introduced with explicit syntax and correctness conditions in the preliminaries section.
  3. The manuscript would benefit from an explicit statement of the exact security definition (sIND-CCA) used for the covert channel, including the precise role of the dictator oracle, to allow direct comparison with prior CPA anamorphic definitions.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the positive summary of our work and the recommendation for minor revision. We are pleased that the referee recognizes the significance of lifting anamorphic encryption to sIND-CCA security in the standard model via generic constructions from injective KEMs with randomness recovery.

Circularity Check

0 steps flagged

No significant circularity

full rationale

The paper presents a generic construction of AKEM (PK and SK variants) from any base KEM supporting randomness recovery and injectivity. Security for the covert channel is reduced to these external properties of the base KEM via a claimed standard-model proof; no equations, definitions, or steps within the paper reduce the claimed sIND-CCA result to a self-definition, a fitted parameter renamed as prediction, or a load-bearing self-citation chain. The construction integrates anamorphism into the KEM-DEM paradigm without internal circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entities

The central claim rests on the existence of KEMs satisfying injectivity and randomness recovery; these are treated as given properties of the base primitive rather than new assumptions invented here.

axioms (2)
  • domain assumption The underlying KEM is injective, ensuring a unique mapping between ciphertexts and randomness.
    Invoked to anchor the security proof against a dictator controlling the decapsulation key.
  • domain assumption The base KEM supports randomness recovery.
    Required for the generic construction of AKEM from ordinary KEMs.
invented entities (1)
  • Anamorphic Key Encapsulation Mechanism (AKEM) no independent evidence
    purpose: New primitive that formalizes anamorphic encryption with CCA security for both public-key and symmetric-key settings.
    Introduced to enable the generic construction and security definition.

pith-pipeline@v0.9.0 · 5526 in / 1400 out tokens · 47554 ms · 2026-05-10T18:08:48.744948+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

41 extracted references · 41 canonical work pages

  1. [1]

    Cryptology ePrint Archive (2015)

    Rogaway, P.: The moral character of cryptographic work. Cryptology ePrint Archive (2015)

  2. [2]

    In: Advances in Cryptology–EUROCRYPT 2022: 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings, Part II

    Persiano, G., Phan, D.H., Yung, M.: Anamorphic encryption: Private communi- cation against a dictator. In: Advances in Cryptology–EUROCRYPT 2022: 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings, Part II. pp. 34–63. Springer (2022)

  3. [3]

    In: International Confer- ence on the Theory and Application of Cryptology and Information Security

    Wang, Y., Chen, R., Huang, X., Yang, G., Yung, M.: Sender-anamorphic encryption reformulated: Achieving robust and generic constructions. In: International Confer- ence on the Theory and Application of Cryptology and Information Security. pp. 135-167. Springer (2023)

  4. [4]

    In: Annual International Conference on the Theory and Applications of Cryptographic Techniques

    Banfi, F., Gegier, K., Hirt, M., Maurer, U., Rito, G.: Anamorphic encryption, re- visited. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. pp. 3-32. Springer (2024)

  5. [5]

    Proceedings on Privacy Enhancing Technologies2023(4), 170–183 (2023)

    Kutylowski, M., Persiano, G., Phan, D.H., Yung, M., Zawada, M.: The self-anti- censorship nature of encryption: On the prevalence of anamorphic cryptography. Proceedings on Privacy Enhancing Technologies2023(4), 170–183 (2023)

  6. [6]

    In: Annual International Cryptology Conference

    Persiano, G., Phan, D.H., Yung, M.: Public-key anamorphism in (CCA-secure) public-key encryption and beyond. In: Annual International Cryptology Conference. pp. 422–455. Springer (2024)

  7. [7]

    In: Advances in Cryptology–EUROCRYPT 2024: 41st Annual International Conference on the Theory and Applications of Crypto- graphic Techniques, Proceedings, Part II

    Catalano, D., Giunta, E., Migliaro, F.: Anamorphic encryption: New constructions and homomorphic realizations. In: Advances in Cryptology–EUROCRYPT 2024: 41st Annual International Conference on the Theory and Applications of Crypto- graphic Techniques, Proceedings, Part II. pp. 33–62. Springer (2024)

  8. [8]

    Cryptology ePrint Archive (2025) Title Suppressed Due to Excessive Length 25

    Banerjee, S., Pal, T., Rupp, A., Slamanig, D.: Simple Public Key Anamorphic En- cryption and Signature using Multi-Message Extensions. Cryptology ePrint Archive (2025) Title Suppressed Due to Excessive Length 25

  9. [9]

    In: Advances in Cryptology–CRYPTO 2003: 23rd Annual International Cryptology Conference, Proceedings

    Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Advances in Cryptology–CRYPTO 2003: 23rd Annual International Cryptology Conference, Proceedings. pp. 565–582. Springer (2003)

  10. [10]

    In: International Conference on Applied Cryp- tography and Network Security

    Faonio, A., Fiore, D.: Improving the efficiency of re-randomizable and replayable CCA secure public key encryption. In: International Conference on Applied Cryp- tography and Network Security. pp. 271–291. Springer (2020)

  11. [11]

    In: Annual International Cryptology Conference

    Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric en- cryption schemes. In: Annual International Cryptology Conference. pp. 537–554. Springer (1999)

  12. [12]

    Journal of the ACM (JACM)51(4), 557–594 (2004)

    Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. Journal of the ACM (JACM)51(4), 557–594 (2004)

  13. [13]

    In: Annual International Cryptology Conference

    Don, J., Fehr, S., Majenz, C., Schaffner, C.: Security of the Fiat-Shamir transfor- mation in the quantum random-oracle model. In: Annual International Cryptology Conference. pp. 356–383. Springer (2019)

  14. [14]

    In: International Conference on the Theory and Applications of Cryp- tographic Techniques

    Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: International Conference on the Theory and Applications of Cryp- tographic Techniques. pp. 207-222. Springer (2004)

  15. [15]

    Cryptology ePrint Archive (2025)

    Choi, W., Collins, D., Liu, X., Zikas, V.: A unified treatment of anamorphic en- cryption. Cryptology ePrint Archive (2025)

  16. [16]

    In: Annual International Conference on the Theory and Applications of Cryptographic Techniques

    Abe, M., Gennaro, R., Kurosawa, K., Shoup, V.: Tag-KEM/DEM: A new frame- work for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. pp. 128–146. Springer (2005)

  17. [17]

    In: Theory of Cryptography Conference

    Nagao, W., Manabe, Y., Okamoto, T.: A universally composable secure channel based on the KEM-DEM framework. In: Theory of Cryptography Conference. pp. 426–444. Springer (2005)

  18. [18]

    In: International Conference on the Theory and Application of Cryptology and Information Security

    Chen, R., Huang, X., Yung, M.: Subvert KEM to break DEM: practical algorithm- substitution attacks on public-key encryption. In: International Conference on the Theory and Application of Cryptology and Information Security. pp. 98–128. Springer (2020)

  19. [19]

    In: IMA International Conference on Cryptography and Coding

    Dent, A.W.: A designer’s guide to KEMs. In: IMA International Conference on Cryptography and Coding. pp. 133–151. Springer (2003)

  20. [20]

    In: Annual International Conference on the Theory and Applications of Cryptographic Techniques

    Saito, T., Xagawa, K., Yamakawa, T.: Tightly-secure key-encapsulation mechanism in the quantum random oracle model. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. pp. 520–551. Springer (2018)

  21. [21]

    SIAM Journal on Computing17(2), 373–386 (1988)

    Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseu- dorandom functions. SIAM Journal on Computing17(2), 373–386 (1988)

  22. [22]

    Journal of Computer and System Sciences61(3), 362– 399 (2000)

    Bellare, M., Kilian, J., Rogaway, P.: The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences61(3), 362– 399 (2000)

  23. [23]

    In: Annual International Conference on the Theory and Applications of Cryptographic Techniques

    Dodis, Y., Kiltz, E., Pietrzak, K., Wichs, D.: Message authentication, revisited. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. pp. 355–374. Springer (2012)

  24. [24]

    In:InternationalConferenceontheTheoryandApplicationsofCryptographicTech- niques

    Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In:InternationalConferenceontheTheoryandApplicationsofCryptographicTech- niques. pp. 255–271. Springer (2003)

  25. [25]

    In: European Symposium on Research in Computer Security

    Möller, B.: A public-key encryption scheme with pseudo-random ciphertexts. In: European Symposium on Research in Computer Security. pp. 335–351. Springer (2004)

  26. [26]

    Theory of Cryptography Conference

    Boneh, D., Kim, S., Wu, D.J.: Constrained keys for invertible pseudorandom func- tions. Theory of Cryptography Conference. pp. 237–263. Springer (2017) 26 S. Wang et al

  27. [27]

    In: Post-Quantum Cryptography: 12th International Workshop, PQCrypto 2021, Daejeon, South Korea, July 20–22, 2021, Proceedings

    Boyen, X., Izabachène, M., Li, Q.: Secure Hybrid Encryption in the Standard Model from Hard Learning. In: Post-Quantum Cryptography: 12th International Workshop, PQCrypto 2021, Daejeon, South Korea, July 20–22, 2021, Proceedings. pp. 399–418. Springer (2021)

  28. [28]

    RFC 8446 (2018)

    Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446 (2018)

  29. [29]

    RFC 4366 (2006)

    Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., Wright, T.: Transport Layer Security (TLS) Extensions. RFC 4366 (2006)

  30. [30]

    RFC 6066 (2011)

    Eastlake, D.: Transport Layer Security (TLS) Extensions: Extension Definitions. RFC 6066 (2011)

  31. [31]

    RFC 5246 (2008)

    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (2008)

  32. [32]

    In: Annual International Cryptology Conference

    Fujisaki, E., Okamoto, T., Pointcheval, D., Stern, J.: RSA-OAEP is secure under the RSA assumption. In: Annual International Cryptology Conference. pp. 260–274. Springer (2001)

  33. [33]

    Journal of Cryptology30(3), 889-919 (2017)

    Kiltz, E., O’Neill, A., Smith, A.: Instantiability of RSA-OAEP under chosen- plaintext attack. Journal of Cryptology30(3), 889-919 (2017)

  34. [34]

    RFC 3447, RFC Editor (2003)

    Jonsson, J., Kaliski, B.: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. RFC 3447, RFC Editor (2003)

  35. [35]

    In: Cryptographers’ Track at the RSA Conference

    Yao, F.F., Yin, Y.L.: Design and analysis of password-based key derivation func- tions. In: Cryptographers’ Track at the RSA Conference. pp. 245-261. Springer (2005)

  36. [36]

    RFC 5869 (2010)

    Krawczyk, H., Eronen, P.: HMAC-based Extract-and-Expand Key Derivation Function (HKDF). RFC 5869 (2010)

  37. [37]

    In: Annual Cryptology Conference

    Krawczyk, H.: Cryptographic extraction and key derivation: The HKDF scheme. In: Annual Cryptology Conference. pp. 631–648. Springer (2010)

  38. [38]

    International Organization for Standardization, Geneva, Switzerland (2006)

    ISO/IEC: ISO/IEC 18033-2:2006: Information technology – Security techniques – Encryption algorithms – Part 2: Asymmetric ciphers. International Organization for Standardization, Geneva, Switzerland (2006)

  39. [39]

    Federal Information Processing Standards Publication (FIPS) 203, U.S

    National Institute of Standards and Technology: Module-Lattice-Based Key- Encapsulation Mechanism Standard. Federal Information Processing Standards Publication (FIPS) 203, U.S. Department of Commerce (2024)

  40. [40]

    In: Advances in Cryptology–EUROCRYPT 2010

    Kiltz, E., Mohassel, P., O’Neill, A.: Adaptive trapdoor functions and chosen- ciphertext security. In: Advances in Cryptology–EUROCRYPT 2010. pp. 673–692. Springer (2010)

  41. [41]

    In: Pro- ceedings of the 40th annual ACM symposium on Theory of computing (STOC)

    Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Pro- ceedings of the 40th annual ACM symposium on Theory of computing (STOC). pp. 120–129. ACM (2008)