We study plaintext awareness for hybrid encryptions. Based on a binary relation R, we define a new notion of PA2 (or R-PA2 for short) and a notion of IND-CCA2 (or R-IND-CCA2 for short) for key encapsulation mechanism (KEM). We define a relation R DEM from the description of data encryption mechanism (DEM). We prove two composition results, which holds with or without (public) random oracles.
a. When KEM, with R DEM -PA2 and R DEM -IND-CCA2 security, composes with a one-time pseudorandom and unforgeable (OT-PUE) DEM, the resulting hybrid encryption is PA2 secure. OT-PUE is weak and even unnecessarily passively secure and can be realized by a one-time pad encryption followed by a pseudorandom function.
b. If KEM is R DEM -IND-CCA and DEM is passively secure and unforgeable, the hybrid encryption (KEM, DEM) is IND-CCA2 secure.
As an application, we show that DHIES, a public key encryption scheme by Abdalla et al. [1] and now in IEEE P1361a and ANSI X.963, is PA2 secure. As another application, we prove that a hash proof system based hybrid encryption is PA2. Consequently, this especially implies that the concrete Kurosawa-Desmedt hybrid encryption (CRYPTO04) is PA2.