On the security of public key cryptosystems with a double decryption mechanism

In public key encryption schemes with a double decryption mechanism (DD-PKE), decryption can be done in either of two ways: by the user owning the secret/public key pair corresponding to the ciphertext, or by a trusted party holding a sort of master secret-key. In this note we argue that the classical security notion for standard public key encryption schemes does not suffice for DD-PKE schemes, and propose a new natural definition. Additionally, we illustrate the usefulness of the new security definition by showing that a DD-PKE scheme presented in the workshop Selected Areas in Cryptography 2005 is insecure under this augmented security notion. © 2008 Elsevier B.V. All rights reserved.This work is partially supported by the Spanish Ministerio de Educación y Ciencia, under projects ARES (Consolider Ingenio 2010 CSD2007-00004), CRISIS (TIN2006-09242) and eAEGIS (TSI2007-65406-C03-02), and by the Gene-ralitat de Catalunya (grant 2005-SGR-00093)Peer Reviewe