Abstract
Anonymity of public key encryption (PKE) requires that, in a multi-user scenario, the PKE ciphertexts do not leak information about which public keys are used to generate them. Corruptions are common threats in the multi-user scenario but anonymity of PKE under corruptions is less studied in the literature. In TCC 2020, Benhamouda et al. first provide a formal characterization for anonymity of PKE under a specific type of corruption. However, no known PKE scheme is proved to meet their characterization.
To the best of our knowledge, all the PKE application scenarios which require anonymity also require confidentiality. However, in the work by Benhamouda et al., different types of corruptions for anonymity and confidentiality are considered, which can cause security pitfalls. What’s worse, we are not aware of any PKE scheme which can provide both anonymity and confidentiality under the same types of corruptions.
In this work, we introduce a new security notion for PKE called ANON-RSO\(_{ {k} }\) &C security, capturing anonymity under corruptions. We also introduce SIM-RSO\(_{ {k} }\) &C security which captures confidentiality under the same types of corruptions. We provide a generic framework of constructing PKE scheme which can achieve the above two security goals simultaneously based on a new primitive called key and message non-committing encryption (KM-NCE). Then we give a general construction of KM-NCE utilizing a variant of hash proof system (HPS) called Key-Openable HPS. We also provide Key-Openable HPS instantiations based on the matrix decisional Diffie-Hellman assumption. Therefore, we can obtain various concrete PKE instantiations achieving the two security goals in the standard model with compact ciphertexts. Furthermore, for some PKE instantiation, its security reduction is tight.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
In the Committee-Selection phase of the evolving-committee proactive secret sharing scheme considered in [5], some users are selected as committee members. Each committee member will encrypt one fresh secret key using its long term public key (\(\textsf{ct}\leftarrow \mathcal {E}_1.\textsf{Enc}_{\textsf{pk}}(\textsf{esk})\)). Since the same user may be selected as a committee member multiple times, the user’s public key may be used multiple times to encrypt multiple messages.
- 2.
Actually, it does not make sense to only consider the anonymity of some PKE without considering its confidentiality. If confidentiality can be sacrificed, one can trivially achieve anonymity by assigning the identity map as the encryption and decryption algorithm, so that the ciphertext equals the message and is independent of any public key.
- 3.
Ciphertext overhead means the ciphertext bitlength minus plaintext bitlength [15].
- 4.
Tight reduction means that the security loss of the reduction is independent of the number of users, the number of challenges and the number of queries raised by the adversary.
- 5.
For \({\textsf{PKE}}=({\textsf{Setup}},{\textsf{Gen}},{\textsf{Enc}},{\textsf{Dec}})\), we require that (i) the public parameter \(\textsf{pp}\) generated by Setup can be used for multiple users, and (ii) Gen does not output tk (i.e., the key generation algorithm of PKE firstly invokes the key generation algorithm of KM-NCE to generate (pk, sk, tk), and then outputs (pk, sk), ignoring tk).
- 6.
Actually, \(\pi \) is only statistical close to uniform. According to the leftover hash lemma together with the union bound, the statistically distance between \(\pi \) and uniform distribution over \(\varPi \) is bounded by \(\frac{l}{2}\sqrt{\frac{2}{q}}\), which is exponentially small for polynomially bounded \(l\). Therefore, we omit this statistical distance here.
- 7.
To get an instantiation \(\widetilde{\textsf{HPS}}\) which satisfies the conditions of Theorem 2, \(\widetilde{\textsf{HPS}}\) needs to share the same universe set \(\mathcal {X}\) with \(\textsf{HPS}\). In that way, we can set \((\mathcal {G},d, {k} ,\mathcal {D}_{d+ {k} ,d})\) in \({\widetilde{{\textsf{mpar}}}}\) to be exactly the same with the ones in \({\textsf{mpar}}\).
- 8.
Similarly, we set \({\widetilde{{\textsf{par}}}}:={\textsf{par}}\) and \({\widetilde{\textsf{td}}}:={\textsf{td}}\) to make sure \(\widetilde{\textsf{HPS}}\) shares the same language \(\mathcal {L}\) with \(\textsf{HPS}\).
References
Abdalla, M., Bellare, M., Neven, G.: Robust encryption. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 480–497. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_28
Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33
Bellare, M., Dowsley, R., Waters, B., Yilek, S.: Standard security does not imply security against selective-opening. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 645–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_38
Bellare, M., Stepanovs, I.: Security under message-derived keys: Signcryption in iMessage. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 507–537. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_17
Benhamouda, F., et al.: Can a public blockchain keep a secret? In: Pass, R., Pietrzak, K. (eds.) TCC 2020. LNCS, vol. 12550, pp. 260–290. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_10
Böhl, F., Hofheinz, D., Kraschewski, D.: On definitions of selective opening security. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 522–539. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_31
Canetti, R., Feige, U., Goldreich, O., Naor, M.: Adaptively secure multi-party computation. In: STOC, pp. 639–648 (1996)
Canetti, R., Halevi, S., Katz, J.: Adaptively-secure, non-interactive public-key encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 150–168. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_9
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4
Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie–Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8
Han, S., Liu, S., Lyu, L., Gu, D.: Tight leakage-resilient CCA-security from quasi-adaptive hash proof system. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 417–447. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_15
Hara, K., Kitagawa, F., Matsuda, T., Hanaoka, G., Tanaka, K.: Simulation-based receiver selective opening CCA secure PKE from standard computational assumptions. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 140–159. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_8
Hayashi, R., Tanaka, K.: The sampling twice technique for the RSA-based cryptosystems with anonymity. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 216–233. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_15
Hazay, C., Patra, A., Warinschi, B.: Selective opening security for receivers. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 443–469. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_19
Hofheinz, D., Jager, T., Rupp, A.: Public-key encryption with simulation-based selective-opening security and compact ciphertexts. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 146–168. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_6
Huang, Z., Lai, J., Chen, W., Au, M.H., Peng, Z., Li, J.: Simulation-based selective opening security for receivers under chosen-ciphertext attacks. Des. Codes Cryptogr. 87(6), 1345–1371 (2018). https://doi.org/10.1007/s10623-018-0530-1
Huang, Z., Lai, J., Han, S., Lyu, L., Weng, J.: Anonymous public key encryption under corruptions. Cryptology ePrint Archive (2022)
Jia, D., Lu, X., Li, B.: Receiver selective opening security from indistinguishability obfuscation. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 393–410. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49890-4_22
Jia, D., Lu, X., Li, B.: Constructions secure against receiver selective opening and chosen ciphertext attacks. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 417–431. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_24
Lee, Y., Lee, D.H., Park, J.H.: Tightly CCA-secure encryption scheme in a multi-user setting with corruptions. Des. Codes Cryptogr. 88(11), 2433–2452 (2020). https://doi.org/10.1007/s10623-020-00794-z
Mohassel, P.: A closer look at anonymity and robustness in encryption schemes. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 501–518. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_29
Qin, B., Liu, S., Chen, K.: Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience. IET Inf. Secur. 9(1), 32–42 (2015)
Yang, R., Lai, J., Huang, Z., Au, M.H., Xu, Q., Susilo, W.: Possibility and impossibility results for receiver selective opening secure PKE in the multi-challenge setting. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 191–220. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_7
Acknowledgment
We appreciate the anonymous reviewers for their valuable comments. This work was supported by National Natural Science Foundation of China (Grant Nos. 61922036, U2001205, 62002223, 61825203), Major Program of Guangdong Basic and Applied Research Project (Grant No. 2019B030302008), National Joint Engineering Research Center of Network Security Detection and Protection Technology, Guangdong Key Laboratory of Data Security and Privacy Preserving, Guangdong Provincial Science and Technology Project (Grant No. 2021A0505030033), Shanghai Sailing Program (20YF1421100), Young Elite Scientists Sponsorship Program by China Association for Science and Technology (YESS20200185), and the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (Grant agreement 802823).
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Huang, Z., Lai, J., Han, S., Lyu, L., Weng, J. (2022). Anonymous Public Key Encryption Under Corruptions. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13793. Springer, Cham. https://doi.org/10.1007/978-3-031-22969-5_15
Download citation
DOI: https://doi.org/10.1007/978-3-031-22969-5_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22968-8
Online ISBN: 978-3-031-22969-5
eBook Packages: Computer ScienceComputer Science (R0)