International Journal of Information Security manuscript No. (will be inserted by the editor) Fujisaki-Okamoto Hybrid Encryption Revisited David Galindo, Sebasti` a Mart´ ın, Paz Morillo, Jorge L. Villar Dep. Matem`atica Aplicada IV. Universitat Polit` ecnica de Catalunya Campus Nord, c/Jordi Girona, 1-3, 08034 Barcelona e-mail: {dgalindo,sebasm,paz,jvillar}@mat.upc.es Abstract At Crypto’99, Fujisaki and Okamoto [11] presented a generic transformation from weak secure asymmetric and symmetric schemes into an IND-CCA hybrid encryption scheme in the Random Oracle Model, which has been extensively used in several cryptographic scenarios. The work we present here forms part of the careful revision of the provable security tech- niques initiated by Shoup in [25], in so far as we find some ambiguities in the proof of this generic conversion, which can lead to false claims. Con- sequently, the original conversion is modified and the class of asymmetric primitives that can be used is shortened. Furthermore, the concept of Easy Verifiable Primitive is formalized, showing its connection with the gap prob- lems introduced in [18]. Using these ideas, a completely new security proof for the modified transformation is given, which is phrased using currently widely accepted techniques. The reduction thereby obtained turns out to be tight, enhancing the concrete security claimed in the original work for the Easy Verifiable Primitives. For the rest of primitives, the concrete security is improved at the cost of stronger assumptions. Finally, the resistance of the new conversion against reject timing attacks is addressed. Key words public-key cryptography, chosen-ciphertext security, tight re- duction, Random Oracle Model, Okamoto-Uchiyama scheme. 1 Introduction When developing a new public key encryption scheme, there are two basic criteria that a designer wishes to ensure: security and efficiency. Security is obviously the main concern, and it is expressed in terms of an attacker’s goal against the scheme and the means it uses. The standard security notion for a