On Selective-Opening Attacks against Encryption Schemes
At FOCS’99, Dwork et al put forth the notion of ‘selective–opening attacks’ (SOAs, for short). In the literature, security against such attacks has been formalized via indistinguishability-based and simulation-based notions, respectively called IND-SO-CPA security and SIM-SO-CPA security. Furthermore, the IND-SO-CPA notion has been studied under two flavors – weak-IND-SO-CPA and full-IND-SO-CPA security. At Eurocrypt’09, Bellare et al showed the first positive results on SOA security of encryption schemes: 1) any lossy encryption scheme is weak-IND-SO-CPA secure; 2) any lossy encryption scheme with efficient openability is SIM-SO–CPA secure.
Despite rich further work on SOA security, the (un)feasibility of full–IND-SO-CPA remains a major open problem in the area of SOA security. The elusive nature of the full-IND-SO-CPA notion of security is attributed to a specific aspect of the security game, namely, the challenger requiring to perform a super-polynomial time task. Not only do we not know whether there exists a scheme that is full-IND-SO-CPA secure, but we also do not know concrete attacks against popular schemes such as the ElGamal and Cramer-Shoup schemes in the full-IND-SO-CPA model.
The contribution of our work is three-fold.
Motivated by the difficulty in understanding (un)feasibility of the full-IND-SO-CPA notion, we study a variant of this notion that is closer in spirit to the IND-CPA notion but still embodies the security captured by the full-IND-SO-CPA notion. We observe that the weak form of our variation does not introduce any significant change to the weak-IND-SO-CPA notion; that is, the weak form of our notion is equivalent to the weak-IND-SO-CPA notion.
Interestingly, we can show that a large class of encryption schemes can be proven insecure for the full form of our notion. The large class includes most known constructions of weak-IND-SO-CPA secure schemes and SIM-SO-CPA secure schemes and also popular schemes like the ElGamal and Cramer-Shoup schemes.
Our third contribution studies the complexity of SIM-SO-CPA security. Complementing the result of Bellare et al, we show that lossiness is not necessary to achieve SIM-SO-CPA security. More specifically, we present a SIM-SO-CPA scheme that is not a lossy encryption scheme (regardless of efficient openability). Since SIM-SO-CPA security implies weak-IND-SO-CPA security, it follows as a corollary that the converses of both the implications proved by Bellare et al do not hold. Furthermore, as a corollary of our techniques, on a slightly unrelated but useful note, we obtain that lossiness is not required to obtain non-committing encryption. Previously, at Eurocrypt’09, Fehr et al showed a construction of a non-committing encryption scheme from trapdoor permutations and this scheme was, as noted by the authors, possibly not lossy. Our scheme amounts to the first construction of a non-committing encryption scheme that is provably not lossy.
KeywordsEncryption Scheme Secure Scheme Security Notion Trapdoor Permutation Message Vector
Unable to display preview. Download preview PDF.
- [BDWY12]Bellare, M., Dowsley, R., Waters, B., Yilek, S.: Standard security does not imply security against selective-opening. In: Pointcheval, Johansson (eds.) [PJ12], pp. 645–662Google Scholar
- [CLOS02]Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: Reif, J.H. (ed.) STOC, pp. 494–503. ACM (2002)Google Scholar
- [DNRS99]Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.: Magic functions. In: Foundations of Computer Science (FOCS 1999), pp. 523–534 (1999)Google Scholar
- [HLOV09]Hemenway, B., Libert, B., Ostrovsky, R., Vergnaud, D.: Lossy encryption: Constructions from general assumptions and efficient selective opening chosen ciphertext security. Cryptology ePrint Archive, Report 2009/088 (2009), http://eprint.iacr.org/
- [Hof12]Hofheinz, D.: All-but-many lossy trapdoor functions. In: Pointcheval, Johansson (eds.) [PJ12], pp. 209–227Google Scholar