Kurosawa-Desmedt Meets Tight Security

Gay, Romain; Hofheinz, Dennis; Kohl, Lisa

doi:10.1007/978-3-319-63697-9_5

Romain Gay^15,16,
Dennis Hofheinz¹⁷ &
Lisa Kohl¹⁷

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10403))

Included in the following conference series:

Annual International Cryptology Conference

2906 Accesses
30 Citations

Abstract

At EUROCRYPT 2016, Gay et al. presented the first pairing-free public-key encryption (PKE) scheme with an almost tight security reduction to a standard assumption. Their scheme is competitive in efficiency with state-of-the art PKE schemes and has very compact ciphertexts (of three group elements), but suffers from a large public key (of about $200$ group elements).

In this work, we present an improved pairing-free PKE scheme with an almost tight security reduction to the Decisional Diffie-Hellman assumption, small ciphertexts (of three group elements), and small public keys (of six group elements). Compared to the work of Gay et al., our scheme thus has a considerably smaller public key and comparable other characteristics, although our encryption and decryption algorithms are somewhat less efficient.

Technically, our scheme borrows ideas both from the work of Gay et al. and from a recent work of Hofheinz (EUROCRYPT, 2017). The core technical novelty of our work is an efficient and compact designated-verifier proof system for an OR-like language. We show that adding such an OR-proof to the ciphertext of the state-of-the-art PKE scheme from Kurosawa and Desmedt enables a tight security reduction.

R. Gay—Supported by ERC Project aSCEND (639554).

D. Hofheinz—Supported by DFG grants HO 4534/4-1 and HO 4534/2-2.

L. Kohl—Supported by DFG grant HO 4534/2-2.

You have full access to this open access chapter, Download conference paper PDF

Simple and Efficient KDM-CCA Secure Public Key Encryption

On Constructing Pairing-Free Identity-Based Encryptions

Master-Key KDM-Secure IBE from Pairings

Keywords

1 Introduction

Tight security reductions. We are usually interested in cryptographic schemes that come with a security reduction to a computational assumption. A security reduction shows that every attack on the scheme can be translated into an attack on a computational assumption. Thus, the only way to break the scheme is to solve an underlying mathematical problem. We are most interested in reductions to well-investigated, “standard” assumptions, and in reductions that are “tight”. A tight security reduction ensures that the reduction translates attacks on the scheme into attacks on the assumption that are of similar complexity and success probability. In other words, the difficulty of breaking the scheme is quantitatively not lower than the difficulty of breaking the investigated assumption.

Tight security reductions are also beneficial from a practical point of view. Indeed, assume that we choose the keylength of a scheme so as to guarantee that the only way to break that scheme is to break a computational assumption on currently secure parameters.^{Footnote 1} Then, a tight reduction enables smaller keylength recommendations (than with a non-tight reduction in which, say, the attack on the assumption is much more complex than the attack on the scheme).

Tightly secure PKE schemes. The focus of this paper are public-key encryption (PKE) schemes with a tight security reduction. The investigation of this topic was initiated already in 2000 by Bellare, Boldyreva, and Micali [3]. However, the first tightly secure encryption scheme based on a standard assumption was presented only in 2012 [13], and was far from practical. Many more efficient schemes were proposed [1, 2, 4, 5, 10,11,12, 15, 19, 20] subsequently, but Gay et al. [9] (henceforth GHKW) were the first to present a pairing-free tightly secure PKE scheme from a standard assumption. Their PKE scheme has short ciphertexts (of three group elements), and its efficiency compares favorably with the popular Cramer-Shoup encryption scheme. Still, the GHKW construction suffers from a large public key (of about 200 group elements). Figure 1 summarizes relevant features of selected existing PKE schemes.

Our contribution. In this work, we construct a pairing-free PKE scheme with an almost^{Footnote 2} tight security reduction to a standard assumption (the Decisional Diffie-Hellman assumption), and with short ciphertexts and keys. Our scheme improves upon GHKW in that it removes its main disadvantage (of large public keys), although our encryption and decryption algorithms are somewhat less efficient than those of GHKW.

Our construction can be seen as a variant of the state-of-the-art Kurosawa-Desmedt PKE scheme [17] with an additional consistency proof. This consistency proof ensures that ciphertexts are of a special form, and is in fact very efficient (in that it only occupies one additional group element in the ciphertext). This proof is the main technical novelty of our scheme, and is the key ingredient to enable an almost tight security reduction.

Technical overview. The starting point of our scheme is the Kurosawa-Desmedt PKE scheme from [17]. In this scheme, public parameters, public keys, and ciphertexts are of the following form:^{Footnote 3}

(1)

Here, $\mathbf {E} $ is the encryption algorithm of a symmetric authenticated encryption scheme, and $H$ is a collision-resistant hash function.

In their (game-based) proof of IND-CCA security (with one scheme instance and one challenge ciphertext), Kurosawa and Desmedt proceed as follows: first, they use the secret key $\mathbf {k}_0,\mathbf {k}_1$ to generate the value $K$ in the challenge ciphertext from a given $[\mathbf {c}]=[\mathbf {A}\mathbf {r}]$ (through $K=[(\mathbf {k}_0+\tau \mathbf {k}_1)^\top \mathbf {c}]$). This enables the reduction to forget the witness $\mathbf {r}$, and thus to modify the distribution of $\mathbf {c}$. Next, Kurosawa and Desmedt use the Decisional Diffie-Hellman (DDH) assumption to modify the setup of $\mathbf {c}$ to a random vector not in the span of $\mathbf {A}$. Finally, they argue that this change effectively randomizes the value $K$ from the challenge ciphertext (which then enables a reduction to the security of $\mathbf {E} $).

To see that $K$ is indeed randomized, note that once $\mathbf {c}\notin \mathrm {span} (\mathbf {A})$, the value $K=[(\mathbf {k}_0+\tau \mathbf {k}_1)^\top \mathbf {c}]$ depends on entropy in $\mathbf {k}_0,\mathbf {k}_1$ that is not leaked through ${ pk }$. Furthermore, Kurosawa and Desmedt show that even a decryption oracle leaks no information about that entropy. (Intuitively, this holds since any decryption query with $\mathbf {c}\in \mathrm {span} (\mathbf {A})$ only reveals information about $\mathbf {k}_0,\mathbf {k}_1$ that is already contained in ${ pk }$. On the other hand, any decryption query with $\mathbf {c}\notin \mathrm {span} (\mathbf {A})$ results in a computed key $K$ that is independently random, and thus will lead the symmetric authenticated encryption scheme to reject the whole ciphertext.)

An argument of Bellare, Boldyreva, and Micali [3] (which is applied in [3] to the related Cramer-Shoup encryption scheme) shows that the security proof for the Kurosawa-Desmedt scheme carries over to a setting with many users. Due to the re-randomizability properties of the DDH assumption, the quality of the corresponding security reduction does not degrade in the multi-user scenario. The security proof of Kurosawa and Desmedt does however not immediately scale to a larger number of ciphertexts. Indeed, observe that the final argument to randomize $K$ relies on the entropy in $\mathbf {k}_0,\mathbf {k}_1$. Since this entropy is limited, only a limited number of ciphertexts (per user) can be randomized at a time.^{Footnote 4}

First trick: randomize $\mathbf{k }_0$ . In our scheme, we adapt two existing techniques for achieving tight security. The first trick, which we borrow from GHKW [9] (who in turn build upon [5, 15]), consists in modifying the secret key $\mathbf {k}_0,\mathbf {k}_1$ first, before randomizing the values $K$ from challenge ciphertexts. Like the original Kurosawa-Desmedt proof, our argument starts out by first using $\mathbf {k}_0,\mathbf {k}_1$ to generate challenge ciphertexts, and then simultaneously randomizing all values $\mathbf {c}$ from challenges (using the re-randomizability of DDH). But then we use another reduction to DDH, with the DDH challenges embedded into $\mathbf {k}_0$ and in all challenge $\mathbf {c}$, to simultaneously randomize all challenge $K$ at once.

During this last reduction, we will (implicitly) set up $\mathbf {k}_0=\mathbf {k}_0'+\alpha \mathbf {A}^\perp $ for a known $\mathbf {k}_0'$, a known $\mathbf {A}^\perp \in \mathbb {Z} _{|\mathbb {G}|}^{2\times 1}$ with $(\mathbf {A}^\perp )^\top \mathbf {A}=\mathbf {0}$, and an unknown $\alpha \in \mathbb {Z} _{|\mathbb {G}|}$ from the DDH challenge $[\alpha ,\beta ,\gamma ]$. We can thus decrypt all ciphertexts with $\mathbf {c}\in \mathrm {span} (\mathbf {A})$ (since $\mathbf {k}_0^\top \mathbf {A}\mathbf {r}=\mathbf {k}_0'^\top \mathbf {A}\mathbf {r}$), and randomize all challenge ciphertexts (since their $\mathbf {c}$ satisfies $\mathbf {c}\notin \mathrm {span} (\mathbf {A})$ and thus allows to embed $\beta $ and $\gamma $ into $\mathbf {c}$ and $K$, respectively). However, we will not be able to answer decryption queries with $\mathbf {c}\notin \mathrm {span} (\mathbf {A})$. Hence, before applying this trick, we will need to make sure that any such decryption query will be rejected anyway.

Second trick: the consistency proof. We do not know how to argue (with a tight reduction) that such decryption queries are rejected in the original Kurosawa-Desmedt scheme from (1). Instead, we introduce an additional consistency proof in the ciphertext, so ciphertexts in our scheme now look as follows:

(2)

Here, $\pi $ is a proof (yet to be described) that shows the following statement:

$$\begin{aligned} \mathbf {c}\in \mathrm {span} (\mathbf {A}) \;\vee \; \mathbf {c}\in \mathrm {span} (\mathbf {A}_0) \;\vee \; \mathbf {c}\in \mathrm {span} (\mathbf {A}_1), \end{aligned}$$

(3)

where $\mathbf {A}_0,\mathbf {A}_1\in \mathbb {Z} _{|\mathbb {G}|}^{2\times 1}$ are different (random but fixed) matrices. Our challenge ciphertexts will satisfy (3) at all times, even after their randomization.

We will then show that all “inconsistent” decryption queries (with $\mathbf {c}\notin \mathrm {span} (\mathbf {A})$) are rejected with a combination of arguments from GHKW [9] and Hofheinz [11]. We will proceed in a number of hybrids. In the $i$-th hybrid, all challenge ciphertexts are prepared with a value of $\mathbf {k}_0+\mathbf {F} _i(\tau _{|i})$ instead of $\mathbf {k}_0$, where $\mathbf {F} _i(\tau _{|i})$ is a random function applied to the first $i$ bits of $\tau $. Likewise, in all decryption queries with inconsistent $\mathbf {c}$ (i.e., with $\mathbf {c}\notin \mathrm {span} (\mathbf {A})$), we use $\mathbf {k}_0+\mathbf {F} _i(\tau _{|i})$. Going from the $i$-th to the $(i+1)$-th hybrid proceeds in a way that is very similar to the one from GHKW: First, we set up the $\mathbf {c}$ value in each challenge ciphertext to be in $\mathrm {span} (\mathbf {A}_{\tau _{i+1}})$, where $\tau _{i+1}$ is the $(i+1)$-th bit of the respective $\tau $.

Next, we add a dependency of the used $\mathbf {k}_0$ on the $(i+1)$-th bit of $\tau $. (That is, depending on $\tau _{i+1}$, we will use two different values of $\mathbf {k}_0$ both for preparing challenge ciphertexts, and for answering decryption queries.) This is accomplished by adding random values $\mathbf {k}_{\varDelta }$ with $\mathbf {k}_{\varDelta }^\top \mathbf {A}_{\tau _{i+1}}=0$ to $\mathbf {k}_0$. Indeed, for challenge ciphertexts, adding such $\mathbf {k}_{\varDelta }$ values results in the same computed keys $K$, and thus cannot be detected. We note however that at this point, we run into a complication: since decryption queries need not have $\mathbf {c}\in \mathrm {span} (\mathbf {A}_{\tau _{i+1}})$, we cannot simply add random values $\mathbf {k}_{\varDelta }$ with $\mathbf {k}_{\varDelta }^\top \mathbf {A}_{\tau _{i+1}}=0$ to $\mathbf {k}_0$. (This could be detected in case $\mathbf {c}\notin \mathrm {span} (\mathbf {A}_{\tau _{i+1}})$.) Instead, here we rely on a trick from [11], and use that even adversarial $\mathbf {c}$ values must lie in $\mathrm {span} (\mathbf {A})$ or $\mathrm {span} (\mathbf {A}_b)$ for $b\in \{0,1\}$. (This is also the reason why we will eventually have to modify and use $\mathbf {k}_1$. We give more details on this step inside.)

Once $\mathbf {k}_0$ is fully randomized, the resulting $K$ computed upon decryption queries with $\mathbf {c}\notin \mathrm {span} (\mathbf {A})$ will also be random, and thus any such decryption query will be rejected. Hence, using the first trick above, security of our scheme follows.

We finally mention that our complete scheme generalizes to weaker assumptions, including the $k$-Linear family of assumptions (see Fig. 1).

Relation to existing techniques. We borrow techniques from both GHKW [9] and Hofheinz [11], but we need to modify and adapt them for our strategy in several important respects. While the argument from [9] also relies on a consistency proof that a given ciphertext lies in one of three linear subspaces ($\mathrm {span} (\mathbf {A})$ or $\mathrm {span} (\mathbf {A}_b)$), their consistency proof is very different from ours. Namely, their consistency proof is realized entirely through a combination of different linear hash proof systems, and requires orthogonal subspaces $\mathrm {span} (\mathbf {A}_b)$. This requires a large number (i.e., $2\lambda $) of hash proof systems, and results in large public keys to accommodate their public information. Furthermore, the ciphertexts in GHKW require a larger $[\mathbf {c}]\in \mathbb {G}^{3k}$ (compared to the Kurosawa-Desmedt scheme), but no explicit proof $\pi $ in $C$ This results in ciphertexts of the same size as ours.

On the other hand, [11] presents a scheme with an explicit consistency proof $\pi $ for a statement similar to ours (and also deals with the arising technical complications sketched above similarly). But his construction and proof are aimed at a more generic setting which also accommodates the DCR assumption (both for the PKE and consistency proof constructions). As a consequence, his construction does not modify the equivalent of our secret key $\mathbf {k}_0,\mathbf {k}_1$ at all, but instead modifies ciphertexts directly. This makes larger public keys and ciphertexts with more “randomization slots” necessary (see Fig. 1), and in fact also leads to a more complicated proof. Furthermore, in the discrete-log setting, the necessary “OR”-style proofs from [11] require pairings, and thus his PKE scheme does as well. In contrast, our scheme requires only a weaker notion of “OR”-proofs, and we show how to instantiate this notion without pairings.

Crucial ingredient: efficient pairing-free OR-proofs. In the above argument, a crucial component is of course a proof $\pi $ for (3). We present a designated-verifier proof $\pi $ that only occupies one group element (in the DDH case) in C. While the proof nicely serves its purpose in our scheme, we also remark that our construction is not as general as one would perhaps like: in particular, honest proofs (generated with public information and a witness) can only be generated for $\mathbf {c}\in \mathrm {span} (\mathbf {A})$ (but not for $\mathbf {c}\in \mathrm {span} (\mathbf {A}_0)$ or $\mathbf {c}\in \mathrm {span} (\mathbf {A}_1)$).

Our proof system is perhaps best described as a randomized hash proof system. We will outline a slightly simpler version of the system which only proves $\mathbf {c}\in \mathrm {span} (\mathbf {A})\vee \mathbf {c}\in \mathrm {span} (\mathbf {A}_0)$. In that scheme, the public key contains a value $[\mathbf {k}_y^\top \mathbf {A}]$, just like in a linear hash proof system (with secret key $\mathbf {k}_y$) for showing $\mathbf {c}\in \mathrm {span} (\mathbf {A})$ (see, e.g., [7]). Now given either the secret key $\mathbf {k}_y$ or a witness $\mathbf {r}$ to the fact that $\mathbf {c}=\mathbf {A}\mathbf {r}$, we can compute $[\mathbf {k}_y^\top \mathbf {c}]$. The idea of our system is to encrypt this value $[\mathbf {k}_y^\top \mathbf {c}]$ using a special encryption scheme that is parameterized over $\mathbf {c}$ (and whose public key is also part of the proof system’s public key). The crucial feature of that encryption scheme is that it becomes lossy if and only if $\mathbf {c}\in \mathrm {span} (\mathbf {A}_0)$.

We briefly sketch the soundness of our proof system: we claim that even in a setting in which an adversary has access to many simulated proofs for valid statements (with $\mathbf {c}\in \mathrm {span} (\mathbf {A})\cup \mathrm {span} (\mathbf {A}_0)$), it cannot forge proofs for invalid statements. Indeed, proofs with $\mathbf {c}\in \mathrm {span} (\mathbf {A})$ only depend on (and thus only reveal) the public key $[\mathbf {k}_y^\top \mathbf {A}]$. Moreover, by the special lossiness of our encryption scheme, proofs with $\mathbf {c}\in \mathrm {span} (\mathbf {A}_0)$ do not reveal anything about $\mathbf {k}_y$. Hence, an adversary will not gain any information about $\mathbf {k}_y$ beyond $\mathbf {k}_y^\top \mathbf {A}$. However, any valid proof for $\mathbf {c}\notin \mathrm {span} (\mathbf {A})\cup \mathrm {span} (\mathbf {A}_0)$ would reveal the full value of $\mathbf {k}_y$, and thus cannot be forged by an adversary that sees only proofs for valid statements.

We remark that our proof system has additional nice properties, including a form of on-the-fly extensibility to more general statements (and in particular to more than two “OR branches”. We formalize this type of proof systems as “qualified proof systems” inside.

Roadmap. After recalling some preliminaries in Sect. 2, we introduce the notion of designated-verifier proof systems in Sect. 3, along with an instantiation in Sect. 4. Finally, in Sect. 5, we present our encryption scheme (in form of a key encapsulation mechanism).

2 Preliminaries

2.1 Notations

We start by introducing some notation used throughout this paper. First we denote by $\lambda \in \mathbb {N}$ the security parameter. By $\mathsf {negl} :\mathbb {N}\rightarrow \mathbb {R}_{\ge 0}$ we denote a negligible function. For an arbitrary set $\mathcal {B}$, by $x \leftarrow _{R}\mathcal {B}$ we denote the process of sampling an element x from $\mathcal {B}$ uniformly at random. For any bit string $\tau \in \{0,1\}^*$, we denote by $\tau _i$ the i-th bit of $\tau $ and by $\tau _{|i} \in \{0,1\}^i$ the bit string comprising the first i bits of $\tau $.

Let p be a prime, and $k,\ell \in \mathbb {N}$ such that $\ell >k$. Then for any matrix $\mathbf {A}\in \mathbb {Z}_p^{\ell \times k}$, we write $\overline{\mathbf {A}} \in \mathbb {Z}_p^{k \times k}$ for the upper square matrix of $\mathbf {A}$, and $\underline{\mathbf {A}} \in \mathbb {Z}_p^{(\ell -k) \times k}$ for the lower $\ell -k$ rows of $\mathbf {A}$. With

$$\mathrm {span} (\mathbf {A}):=\{\mathbf {A}\mathbf {r}\mid \mathbf {r}\in \mathbb {Z}_p^k\}\subset \mathbb {Z}_p^\ell ,$$

we denote the span of $\mathbf {A}$.

For vectors $\mathbf {v}\in \mathbb {Z}_p^{2k}$, by $\overline{\mathbf {v}}\in \mathbb {Z}_p^k$ we denote the vector consisting of the upper k entries of $\mathbf {v}$ and accordingly by $\underline{\mathbf {v}}\in \mathbb {Z}_p^k$ we denote the vector consisting of the lower k entries of $\mathbf {v}$.

As usual by $\mathbf {A}^\top \in \mathbb {Z}_p^{k\times \ell }$ we denote the transpose of $\mathbf {A}$ and if $\ell =k$ and $\mathbf {A}$ is invertible by $\mathbf {A}^{-1}\in \mathbb {Z}_p^{\ell \times \ell }$ we denote the inverse of $\mathbf {A}$.

For $\ell \ge k$ by $\mathbf {A}^\perp $ we denote a matrix in $\mathbb {Z}_p^{\ell \times (\ell -k)}$ with $\mathbf {A}^\top \mathbf {A}^\perp =\mathbf 0 $ and rank $\ell -k$. We denote the set of all matrices with these properties as

$$\mathsf {orth}(\mathbf {A}):=\{\mathbf {A}^\perp \in \mathbb {Z}_p^{\ell \times (\ell -k)}\mid \mathbf {A}^\top \mathbf {A}^\perp =\mathbf 0 \text{ and } \mathbf {A}^\bot \text{ has } \text{ rank } \ell -k\}.$$

2.2 Hash Functions

A hash function generator is a probabilistic polynomial time algorithm $\mathcal {H}$ that, on input $1^\lambda $, outputs an efficiently computable function $\mathsf {H}: \{0,1\}^* \rightarrow \{0,1\}^\lambda $, unless domain and co-domain are explicitly specified.

Definition 1

(Collision Resistance). We say that a hash function generator $\mathcal {H}$ outputs collision-resistant functions $\mathsf {H}$, if for all PPT adversaries $\mathcal {A} $ and $\mathsf {H}\leftarrow _{R}\mathcal {H}(1^\lambda )$ it holds

$$\begin{aligned} \mathrm {Adv}^{ \mathrm{CR} }_{\mathcal {H},\mathcal {A}} (\lambda ) := \Pr \left[ x \ne x' \wedge \mathsf {H}(x) = \mathsf {H}(x') \mid (x,x') \leftarrow \mathcal {A} (1^\lambda ,\mathsf {H})\right] \le \mathsf {negl} (\lambda ). \end{aligned}$$

We say a hash function is collision resistant if it is sampled from a collision resistant hash function generator.

Definition 2

(Universality). We say a hash function generator $\mathcal {H}$ is universal, if for every $x,x^\prime \in \{0,1\}^*$ with $x\ne x^\prime $ it holds

$$\mathrm {Pr}\left[ \mathsf {h}(x)=\mathsf {h}(x^\prime )\mid \mathsf {h}\leftarrow _{R}\mathcal {H}(1^\lambda )\right] =\frac{1}{2^\lambda }.$$

We say a hash function is universal if it is sampled from a universal hash function generator.

Lemma 1

(Leftover Hash Lemma [16]). Let $\mathcal {X},\mathcal {Y}$ be sets, $\ell \in \mathbb {N}$ and $\mathsf {h}:\mathcal {X}\rightarrow \mathcal {Y}$ be a universal hash function. Then for all $X \leftarrow _{R}\mathcal {X}$, $U\leftarrow _{R}\mathcal {Y}$ and $\varepsilon >0$ with $\log |\mathcal {X}| \ge \log |\mathcal {Y}| + 2 \log {\varepsilon }$ we have

$$\varDelta \left( (\mathsf {h},\mathsf {h}(X)),(\mathsf {h},U)\right) \le \frac{1}{\varepsilon },$$

where $\varDelta $ denotes the statistical distance.

2.3 Prime-Order Groups

Let $\mathbf {GGen} $ be a PPT algorithm that on input $1^\lambda $ returns a description $\mathcal {G}=(\mathbb {G},p,P)$ of an additive cyclic group $\mathbb {G}$ of order p for a $2\lambda $-bit prime p, whose generator is P.

We use the representation of group elements introduced in [8]. Namely, for $a \in \mathbb {Z}_p$, define $[a] = a P \in \mathbb {G}$ as the implicit representation of a in $\mathbb {G}$. More generally, for a matrix $\mathbf {A}= (a_{ij}) \in \mathbb {Z}_p^{\ell \times k}$ we define $[\mathbf {A}]$ as the implicit representation of $\mathbf {A}$ in $\mathbb {G}$:

$$[\mathbf {A}] := \begin{pmatrix} {a_{11}}P &{} ... &{} {a_{1k}} P\\ &{} &{} \\ {a_{\ell 1}}P&{} ... &{} {a_{\ell k}}P \end{pmatrix} \in \mathbb {G}^{\ell \times k}$$

Note that from $[a] \in \mathbb {G}$ it is hard to compute the value a if the discrete logarithm assumption holds in $\mathbb {G}$. Obviously, given $[a],[b] \in \mathbb {G}$ and a scalar $x \in \mathbb {Z}_p$, one can efficiently compute $[ax] \in \mathbb {G}$ and $[a+b] \in \mathbb {G}$.

We recall the definitions of the Matrix Decision Diffie-Hellman (MDDH) assumption from [8].

Definition 3

(Matrix Distribution). Let $k,\ell \in \mathbb {N}$, with $\ell > k$ and p be a $2\lambda $-bit prime. We call $\mathcal {D}_{\ell ,k}$ a matrix distribution if it outputs matrices in $\mathbb {Z}_p^{\ell \times k}$ of full rank k in polynomial time.

In the following we only consider matrix distributions $\mathcal {D}_{\ell ,k}$, where for all $\mathbf {A}\leftarrow _{R}\mathcal {D}_{\ell ,k}$ the first k rows of $\mathbf {A}$ form an invertible matrix.

The $\mathcal {D}_{\ell ,k}$-Matrix Diffie-Hellman problem is, for a randomly chosen $\mathbf {A}\leftarrow _{R}\mathcal {D}_{\ell ,k}$, to distinguish the between tuples of the form $([\mathbf {A}],[\mathbf {A}\mathbf {w}])$ and $([\mathbf {A}],[\mathbf {u}])$, where $\mathbf {w}\leftarrow _{R}\mathbb {Z}_p^k$ and $\mathbf {u}\leftarrow _{R}\mathbb {Z}_p^{\ell }$.

Definition 4

( $\mathcal {D}_{\ell ,k}$ -Matrix Diffie-Hellman $\mathcal {D}_{\ell ,k}$ -MDDH). Let $\mathcal {D}_{\ell ,k}$ be a matrix distribution. We say that the $\mathcal {D}_{\ell ,k}$-Matrix Diffie-Hellman ($\mathcal {D}_{\ell ,k}$-MDDH) assumption holds relative to a prime order group $\mathbb {G}$ if for all PPT adversaries $\mathcal {A} $,

$$\begin{aligned} \mathrm {Adv}^{ \mathrm{mddh} }_{\mathbb {G},\mathcal {D}_{\ell ,k},\mathcal {A}} (\lambda ) :&= \left| \Pr [\mathcal {A} (\mathcal {G},[\mathbf {A}], [\mathbf {A}\mathbf {w}])=1]-\Pr [\mathcal {A} (\mathcal {G},[\mathbf {A}], [\mathbf {u}]) =1] \right| \\ {}&\le \mathsf {negl} (\lambda ), \end{aligned}$$

where the probabilities are taken over $\mathcal {G}:= (\mathbb {G},p,P) \leftarrow _{R}\mathbf {GGen} (1^\lambda )$, $\mathbf {A}\leftarrow _{R}\mathcal {D}_{\ell ,k}, \mathbf {w}\leftarrow _{R}\mathbb {Z}_p^k, \mathbf {u}\leftarrow _{R}\mathbb {Z}_p^{\ell }$.

For $Q \in \mathbb {N}$, $\mathbf {W}\leftarrow _{R}\mathbb {Z}_p^{k \times Q}$ and $\mathbf {U}\leftarrow _{R}\mathbb {Z}_p^{\ell \times Q}$, we consider the Q-fold $\mathcal {D}_{\ell ,k}$-MDDH assumption, which states that distinguishing tuples of the form $([\mathbf {A}], [\mathbf {A}\mathbf {W}])$ from $([\mathbf {A}], [\mathbf {U}])$ is hard. That is, a challenge for the Q-fold $\mathcal {D}_{\ell ,k}$-MDDH assumption consists of Q independent challenges of the $\mathcal {D}_{\ell ,k}$-MDDH Assumption (with the same $\mathbf {A}$ but different randomness $\mathbf {w}$). In [8] it is shown that the two problems are equivalent, where the reduction loses at most a factor $\ell -k$.

Lemma 2

(Random self-reducibility of $\mathcal {D}_{\ell ,k}$ -MDDH, [8]). Let $\ell ,k,$ $Q \in \mathbb {N}$ with $\ell >k$ and $Q > \ell -k$. For any PPT adversary $\mathcal {A} $, there exists an adversary $\mathcal {B} $ such that $T(\mathcal {B}) \approx T(\mathcal {A}) + Q\cdot \mathsf {poly}(\lambda )$ with $\mathsf {poly}(\lambda )$ independent of $T(\mathcal {A})$, and

Here

where the probability is over $\mathcal {G}:= (\mathbb {G},p,P) \leftarrow _{R}\mathbf {GGen} (1^\lambda )$, $\mathbf {A}\leftarrow _{R}\mathcal {U}_{\ell ,k}, \mathbf {W}\leftarrow _{R}\mathbb {Z}_p^{k \times Q}$ and $\mathbf {U}\leftarrow _{R}\mathbb {Z}_p^{\ell \times Q}$.

The uniform distribution is a particular matrix distribution that deserves special attention, as an adversary breaking the $\mathcal {U}_{\ell ,k}$-MDDH assumption can also distinguish between real MDDH tuples and random tuples for all other possible matrix distributions.

Definition 5

(Uniform distribution). Let $\ell ,k\in \mathbb {N}$, with $\ell \ge k$, and a prime p. We denote by $\mathcal {U}_{\ell ,k}$ the uniform distribution over all full-rank $\ell \times k$ matrices over $\mathbb {Z}_p$. Let $\mathcal {U}_k:=\mathcal {U}_{k+1,k}$.

Lemma 3

( $\mathcal {D}_{\ell ,k}$ -MDDH $\Rightarrow \mathcal {U}_{\ell ,k}$ -MDDH, [8]). Let $\mathcal {D}_{\ell ,k}$ be a matrix distribution. For any adversary $\mathcal {A} $ on the $\mathcal {U}_{\ell ,k}$-distribution, there exists an adversary $\mathcal {B} $ on the $\mathcal {D}_{\ell ,k}$-assumption such that $T(\mathcal {B}) \approx T(\mathcal {A})$ and $\mathrm {Adv}^{ \mathrm{mddh} }_{\mathbb {G},\mathcal {U}_{\ell ,k},\mathcal {A}} (\lambda ) =\mathrm {Adv}^{ \mathrm{mddh} }_{\mathbb {G},\mathcal {D}_{\ell ,k},\mathcal {B}} (\lambda ) $.

We state a tighter random-self reducibility property for case of the uniform distribution.

Lemma 4

(Random self-reducibility of $\mathcal {U}_{\ell ,k}$ -MDDH, [8]). Let $\ell ,k,$ $Q \in \mathbb {N}$ with $\ell >k$. For any PPT adversary $\mathcal {A} $, there exists an adversary $\mathcal {B} $ such that $T(\mathcal {B}) \approx T(\mathcal {A}) + Q\cdot \mathsf {poly}(\lambda )$ with $\mathsf {poly}(\lambda )$ independent of $T(\mathcal {A})$, and

We also recall this property of the uniform distribution, stated in [9].

Lemma 5

( $\mathcal {U}_{k}$ -MDDH $\Leftrightarrow \mathcal {U}_{\ell ,k}$ -MDDH). Let $\ell ,k \in \mathbb {N}$, with $\ell > k$. For any adversary $\mathcal {A} $, there exists an adversary $\mathcal {B} $ (and vice versa) such that $T(\mathcal {B}) \approx T(\mathcal {A})$ and $\mathrm {Adv}^{ \mathrm{mddh} }_{\mathbb {G},\mathcal {U}_{\ell ,k},\mathcal {A}} (\lambda ) =\mathrm {Adv}^{ \mathrm{mddh} }_{\mathbb {G},\mathcal {U}_{k},\mathcal {B}} (\lambda ) $ .

In this paper, for efficiency considerations, and to simplify the presentation of the proof systems in Sect. 3, we are particularly interested in the case $k=1$, which corresponds to the DDH assumption, that we recall here.

Definition 6

(DDH). We say that the DDH assumption holds relative to a prime order group $\mathbb {G}$ if for all PPT adversaries $\mathcal {A} $,

$$\begin{aligned} \mathrm {Adv}^{ \mathrm{ddh} }_{\mathbb {G},\mathcal {A}} (\lambda ) :&= \left| \Pr [\mathcal {A} (\mathcal {G},[a],[r],[ar])=1]-\Pr [\mathcal {A} (\mathcal {G},[a],[r],[b] \right| \le \mathsf {negl} (\lambda ), \end{aligned}$$

where the probabilities are taken over $\mathcal {G}:= (\mathbb {G},p,P) \leftarrow _{R}\mathbf {GGen} (1^\lambda )$, $a,b,r \leftarrow _{R}~\mathbb {Z}_p$.

Note that the DDH assumption is equivalent to $\mathcal {D}_{2,1}$-MDDH, where $\mathcal {D}_{2,1}$ is the distribution that outputs matrices ${1 \atopwithdelims ()a}$, for $a\leftarrow _{R}\mathbb {Z}_p$ chosen uniformly at random.

2.4 Public-Key Encryption

Definition 7

(Public-Key Encryption). A public-key encryption scheme is a tuple of three PPT algorithms $(\mathbf {Gen},\mathbf {Enc},\mathbf {Dec})$ such that:

$\mathbf {Gen} (1^\lambda )$: returns a pair $({ pk }, sk )$ of a public and a secret key.
$\mathbf {Enc} ({ pk },M)$: given a public key ${ pk }$ and a message $M\in \mathcal {M}(\lambda )$, returns a ciphertext C.
$\mathbf {Dec} ({ pk }, sk ,C)$: deterministically decrypts the ciphertext C to obtain a message M or a special rejection symbol $\bot $.

We say $\mathbf {PKE}:= (\mathbf {Gen},\mathbf {Enc},\mathbf {Dec})$ is perfectly correct, if for all $\lambda \in \mathbb {N}$,

$$\begin{aligned} \Pr [\mathbf {Dec} ({ pk }, sk ,\mathbf {Enc} ({ pk },M))=M]=1, \end{aligned}$$

where the probability is over $({ pk }, sk ) \leftarrow _{R}\mathbf {Gen} (1^\lambda )$ , $C\leftarrow _{R}~\mathbf {Enc} ({ pk },M)$.

Definition 8

(Multi-ciphertext CCA security). For any public-key encryption scheme $\mathbf {PKE} =(\mathbf {Gen},\mathbf {Enc},\mathbf {Dec})$ and any stateful adversary $\mathcal {A}$, we define the following security experiment:

We say $\mathbf {PKE} $ is IND-CCA secure, if for all PPT adversaries $\mathcal {A}$, the advantage

2.5 Key Encapsulation Mechanism

Instead of presenting an IND-CCA secure encryption scheme directly, we construct a key encapsulation mechanism (KEM) and prove that it satisfies the security notion of indistinguishability against constrained chosen-ciphertext attacks (IND-CCCA) [14]. By the results of [14], together with an arbitrary authenticated symmetric encryption scheme, this yields an IND-CCA secure hybrid encryption.^{Footnote 5} Roughly speaking, the CCCA security experiment, in contrast to the CCA experiment, makes an additional requirement on decryption queries. Namely, in addition to the ciphertext, the adversary has to provide a predicate implying some partial knowledge about the key to be decrypted. The idea of hybrid encryption and the notion of a KEM was first formalized in [6].

Definition 9

(Key Encapsulation Mechanism). A key encapsulation mechanism is a tuple of PPT algorithms $(\mathbf {KGen},\mathbf {KEnc},\mathbf {KDec})$ such that:

$\mathbf {KGen} (1^\lambda )$: generates a pair $({ pk }, sk )$ of keys.
$\mathbf {KEnc} ({ pk })$: on input ${ pk }$, returns a ciphertext C and a symmetric key $K \in \mathcal {K}(\lambda )$, where $\mathcal {K}(\lambda )$ is the key-space.
$\mathbf {KDec} ({ pk }, sk ,C)$: deterministically decrypts the ciphertext C to obtain a key $K \in \mathcal {K}(\lambda )$ or a special rejection symbol bot.

We say $ (\mathbf {Gen},\mathbf {Enc},\mathbf {Dec})$ is perfectly correct, if for all $\lambda \in \mathbb {N}$,

$$\begin{aligned} \Pr [\mathbf {KDec} ({ pk }, sk ,C)=K]=1, \end{aligned}$$

where $({ pk }, sk ) \leftarrow _{R}\mathbf {Gen} (1^\lambda )$, $(K,C)\leftarrow _{R}\mathbf {KEnc} ({ pk })$ and the probability is taken over the random coins of $\mathbf {Gen} $ and $\mathbf {KEnc} $.

As mentioned above, for constrained chosen ciphertext security, the adversary has to have some knowledge about the key up front in order to make a decryption query. As in [14] we will use a measure for the uncertainty left and require it to be negligible for every query, thereby only allowing decryption queries where the adversary has a high prior knowledge of the corresponding key. We now provide a formal definition.

Definition 10

(Multi-ciphertext IND-CCCA security). For any key encapsulation mechanism $\mathbf {KEM} =(\mathbf {KGen},\mathbf {KEnc},\mathbf {KDec})$ and any stateful adversary $\mathcal {A} $, we define the following experiment:

Here $\mathrm {\mathsf {pred}}_i:\mathcal {K}(\lambda )\mapsto \{0,1\}$ denotes the predicate sent in the i-th decryption query, which is required to be provided as the description of a polynomial time algorithm (which can be enforced for instance by requiring it to be given in form of a circuit). Let further $Q_{\mathbf {dec}}$ be the number of total decryption queries made by $\mathcal {A} $ during the experiment, which are independent of the environment (hereby we refer to the environment the adversary runs in) without loss of generality. The uncertainty of knowledge about the keys corresponding to decryption queries is defined as

$$\mathrm {uncert}_{\mathcal {A}}(\lambda ):=\dfrac{1}{Q_{\mathbf {dec}}}\sum \limits _{i=1}^{Q_{\mathbf {dec}}}\mathrm {Pr}_{K\leftarrow _{R}\mathcal {K}(\lambda )}[\mathrm {\mathsf {pred}}_i(K)=1].$$

We say that the key encapsulation mechanism $\mathbf {KEM} $ is IND-CCCA secure, if for all PPT adversaries with negligible $\mathrm {uncert}_{\mathcal {A}}(\lambda )$, for the advantage we have

Note that the term $\mathrm {uncert}_{\mathcal {A}}(\lambda )$ in the final reduction (proving IND-CCA security of the hybrid encryption scheme consisting of an unconditionally one-time secure authenticated encryption scheme and an IND-CCCA secure KEM) is statistically small (due to the fact that the symmetric building block is unconditionally secure). Thus we are able obtain a tight security reduction even if the term $\mathrm {uncert}_{\mathcal {A}}(\lambda )$ is multiplied by the number of encryption and decryption queries in the security loss (as it will be the case for our construction).

3 Qualified Proof Systems

The following notion of a proof system is a combination of a non-interactive designated verifier proof system and a hash proof system. Our combined proofs consist of a proof $\varPi $ and a key K, where the key K can be recovered by the verifier with a secret key and the proof $\varPi $. The key K can be part of the key in the key encapsulation mechanism presented later and thus will not enlarge the ciphertext size.

Definition 11

(Proof system). Let $\mathcal {L} =\{\mathcal {L} _{ pars }\}$ be a family of languages indexed by the public parameters $ pars $, with $\mathcal {L} _{ pars }\subseteq \mathcal {X} _{ pars }$ and an efficiently computable witness relation $\mathcal {R}$. A proof system for $\mathcal {L} $ is a tuple of PPT algorithms $(\mathbf {PGen}, \mathbf {PPrv}, \mathbf {PVer}, \mathbf {PSim})$ such that:

$\mathbf {PGen} (1^\lambda )$: generates a public key $ ppk $ and a secret key $ psk $.
$\mathbf {PPrv} ( ppk , x, w)$: given a word $x\in \mathcal {L} $ and a witness w with $\mathcal {R}(x,w)=1$, deterministically outputs a proof $\varPi $ and a key K.
$\mathbf {PVer} ( ppk , psk ,x,\varPi )$: on input $ ppk $, $ psk $, $x\in \mathcal {X} $ and $\varPi $, deterministically outputs a verdict $b\in \{0,1\}$ and in case $b=1$ additionally a key K, else $\bot $.
$\mathbf {PSim} ( ppk , psk ,x)$: given the keys $ ppk $, $ psk $ and a word $x\in \mathcal {X} $, deterministically outputs a proof $\varPi $ and a key K.

The following definition of a qualified proof system is a variant of “benign proof systems” as defined in [11] tailored to our purposes. Compared to benign proof systems, our proof systems feature an additional “key derivation” stage, and satisfy a weaker soundness requirement (that is of course still sufficient for our purpose). We need to weaken the soundness condition (compared to benign proof systems) in order to prove soundness of our instantiation.

We will consider soundness relative to a language $\mathcal {L}^{\mathrm {snd}}\supseteq \mathcal {L} $. An adversary trying to break soundness has access to an oracle simulating proofs and keys for statements randomly chosen from $\mathcal {L}^{\mathrm {snd}} \setminus \mathcal {L}^{\mathrm {}}$ and a verification oracle, which only replies other than $\bot $ if the adversary provides a valid proof and has a high a-priori knowledge of the corresponding key. The adversary wins if it can provide a valid verification query outside $\mathcal {L}^{\mathrm {snd}}$. The adversary loses immediately if it provides a valid verification query in $\mathcal {L}^{\mathrm {snd}}\setminus \mathcal {L}^{\mathrm {}}$. This slightly weird condition is necessitated by our concrete instantiation which we do not know how to prove sound otherwise. We will give more details in the corresponding proof in Sect. 4.2. The weaker notion of soundness still suffices to prove our KEM secure, because we employ soundness at a point where valid decryption queries in $\mathcal {L}^{\mathrm {snd}}\setminus \mathcal {L}^{\mathrm {}}$ end the security experiment anyway.

Definition 12

(Qualified Proof System). Let $\mathbf {PS} =(\mathbf {PGen}, \mathbf {PPrv},$ $ \mathbf {PVer}, \mathbf {PSim})$ be a proof system for a family of languages $\mathcal {L}=\{\mathcal {L}_{ pars }\}$. Let $\mathcal {L}^{\mathrm {snd}}= \{\mathcal {L}^{\mathrm {snd}}_{ pars }\}$ be a family of languages, such that $\mathcal {L}^{\mathrm {}}_{ pars } \subseteq \mathcal {L}^{\mathrm {snd}}_{ pars }$. We say that $\mathbf {PS} $ is $\mathcal {L}^{\mathrm {snd}}$-qualified, if the following properties hold:

Completeness: For all possible public parameters $ pars $, for all words $x~\in ~\mathcal {L}$, and all witnesses w such that $\mathcal {R}(x,w)=1$, we have
$$\begin{aligned} \Pr [\mathbf {PVer} ( ppk , psk ,x,\varPi )=(1,K)]=1, \end{aligned}$$
where the probability is taken over $( ppk , psk )\leftarrow _{R}\mathbf {PGen} ~(1^\lambda )$ and $(\varPi ,K):= \mathbf{PPrv}(ppk,x,w)$.
Uniqueness of the proofs: For all possible public parameters $ pars $, all key pairs $( ppk , psk )$ in the output space of $\mathbf {PGen} ~(1^\lambda )$, and all words $x~\in ~\mathcal {L}$, there exists at most one $\varPi $ such that $\mathbf {PVer} ( ppk , psk ,x,\varPi )$ outputs the verdict 1.
Perfect zero-knowledge: For all public parameters $ pars $, all key pairs $( ppk , psk )$ in the range of $\mathbf {PGen} (1^\lambda )$, all words $x\in \mathcal {L}$, and all witnesses w with $\mathcal {R}(x,w)=1$, we have
$$\mathbf {PPrv} ( ppk ,x,w)=\mathbf {PSim} ( ppk , psk ,x).$$
Constrained $\mathcal {L}^{\mathrm {snd}}$ -soundness: For any stateful PPT adversary $\mathcal {A} $, we consider the following soundness game (where $\mathbf {PSim} $ and $\mathbf {PVer} $ are implicitly assumed to have access to $ ppk $):

Let $Q_{\mathbf {ver}}$ be the total number of oracle queries to $\mathcal {O}_{\mathbf {ver}} $ and $\mathrm {\mathsf {pred}}_i$ be the predicate submitted by $\mathcal {A} $ on the i-th query. The adversary $\mathcal {A} $ loses and the experiment aborts if the verification oracle answers lose on some query of $\mathcal {A} $. The adversary $\mathcal {A} $ wins, if the oracle $\mathcal {O}_{\mathbf {ver}} $ returns win on some query $(x,\varPi ,\mathsf {pred})$ of $\mathcal {A} $ with $x\notin \mathcal {L}^{\mathrm {snd}}$ and the following conditions hold:

The predicate corresponding to the i-th query is of the form $\mathrm {\mathsf {pred}}_i:\mathcal {K}\cup \{\bot \}\rightarrow \{0,1\}$ with $\mathrm {\mathsf {pred}}_i(\bot )=0$ for all $i\in \{1,\dots ,Q_{\mathbf {ver}}\}$.
For all environments $\mathcal {E}$ having at most running time of the described constrained soundness experiment, we require that
$$\mathrm {uncert}^{\mathrm {snd}}_{\mathcal {A}}(\lambda ):=\dfrac{1}{Q_{\mathbf {ver}}}\sum \limits _{i=1}^{Q_{\mathbf {ver}}}\mathrm {Pr}_{K\in \mathcal {K}}[\mathrm {\mathsf {pred}}_i(K)=1 \text{ when } \mathcal {A} \text{ runs } \text{ in } \mathcal {E}]$$
is negligible in $\lambda $.

Note that in particular the adversary cannot win anymore after the verification oracle replied lose on one of its queries, as in this case the experiment directly aborts and outputs 0. Let $\mathrm {Adv}^{ \mathrm{csnd} }_{\mathcal {L}^{\mathrm {snd}},\mathbf {PS},\mathcal {A}} (\lambda ) := \Pr [\mathrm {Exp} ^{\mathrm {csnd}}_{\mathbf {PS},\mathcal {A}}(\lambda )=1]$, where the probability is taken over the random coins of $\mathcal {A} $ and $\mathrm {Exp} ^{\mathrm {csnd}}_{\mathbf {PS},\mathcal {A}}$. Then we say constrained $\mathcal {L}^{\mathrm {snd}}$-soundness holds for $\mathbf {PS} $, if for every PPT adversary $\mathcal {A} $, $\mathrm {Adv}^{ \mathrm{csnd} }_{\mathcal {L}^{\mathrm {snd}},\mathbf {PS},\mathcal {A}} (\lambda ) =\mathsf {negl} (\lambda )$.

To prove security of the key encapsulation mechanism later, we need to switch between two proof systems. Intuitively this provides an additional degree of freedom, allowing to randomize the keys of the challenge ciphertexts gradually. To justify this transition, we introduce the following notion of indistinguishable proof systems.

Definition 13

( $\mathcal {L}^{\mathrm {snd}}$ -indistinguishability of two proof systems). Let $\mathcal {L}^{\mathrm {}}\subseteq \mathcal {L}^{\mathrm {snd}}$ be (families of) languages. Let $\mathbf {PS} _0:=(\mathbf {PGen} _0,\mathbf {PPrv} _0,\mathbf {PVer} _0,$ $\mathbf {PSim} _0)$ and $\mathbf {PS} _1:=(\mathbf {PGen} _1,\mathbf {PPrv} _1,\mathbf {PVer} _1,\mathbf {PSim} _1)$ proof systems for $\mathcal {L}^{\mathrm {}}$. For every adversary $\mathcal {A} $, we define the following experiment (where $\mathbf {PSim} _b$ and $\mathbf {PVer} _b$ are implicitly assumed to have access to $ ppk $):

As soon as $\mathcal {A} $ has submitted one query which is replied with lose by the verification oracle, the experiment aborts and outputs 0.

We define the advantage function

We say $\mathbf {PS} _0$ and $\mathbf {PS} _1$ are $\mathcal {L}^{\mathrm {snd}}$-indistinguishable, if for all (unbounded) algorithms $\mathcal {A} $ the advantage is negligible in $\lambda $.

Note that we adopt a different (and simpler) definition for the verification oracle in the indistinguishability game than in the soundness game, in particular it leaks more information about the keys. We can afford this additional leakage for indistinguishability, but not for soundness.

In order to prove security of the key encapsulation mechanism presented in Sect. 5, we will require one proof system and the existence of a second proof system it can be extended to. We capture this property in the following definition.

Definition 14

( $\widetilde{\mathcal {L}^{\mathrm {snd}}}$ -extensibility of a proof system). Let $\mathcal {L}^{\mathrm {}}\subseteq \mathcal {L}^{\mathrm {snd}}\subseteq \widetilde{\mathcal {L}^{\mathrm {snd}}}$ be three (families of) languages. An $\mathcal {L}^{\mathrm {snd}}$-qualified proof system $\mathbf {PS} $ for language $\mathcal {L}^{\mathrm {}}$ is said to be $\widetilde{\mathcal {L}^{\mathrm {snd}}}$-extensible if there exists a proof system $\widetilde{\mathbf {PS}}$ for $\mathcal {L}^{\mathrm {}}$ that complies with $\widetilde{\mathcal {L}^{\mathrm {snd}}}$-constrained soundness and such that $\mathbf {PS} $ and $\widetilde{\mathbf {PS}}$ are $\mathcal {L}^{\mathrm {snd}}$-indistinguishable.

4 The OR-Proof

In the following sections we explain how the public parameters $ pars _{\mathbf {PS}}$ are sampled, how our system of OR-languages is defined and how to construct a qualified proof system complying with constrained soundness respective to these languages.

4.1 Public Parameters and the OR-Languages

First we need to choose a $k\in \mathbb {N}$ depending on the assumption we use to prove security of our constructions. We invoke $\mathbf {GGen} (1^\lambda )$ to obtain a group description $\mathcal {G}=(\mathbb {G},p,P)$ with $|\mathbb {G} |\ge 2^{2\lambda }$. Next we sample matrices $\mathbf {A}\leftarrow _{R}~\mathcal {D}_{2k,k}$ and $\mathbf {A}_0\leftarrow _{R}\mathcal {U}_{2k,k}$, where we assume without loss of generality that $\overline{\mathbf {A}}_0$ is full rank. Let $\mathcal {H}_0$ and $\mathcal {H}_1$ be universal hash function generators returning functions of the form $\mathsf {h}_0:\mathbb {G} ^{k+1}\rightarrow \mathbb {Z}_p^k$ and $\mathsf {h}_1:\mathbb {G} ^2\rightarrow \mathbb {Z}_p$ respectively. Let $\mathsf {h}_0\leftarrow _{R}\mathcal {H}_0$ and $\mathsf {h}_1\leftarrow _{R}\mathcal {H}_1$.

Altogether we define the public parameters for our proof system to comprise

$$ pars _{\mathbf {PS}} := (k,\mathcal {G},[\mathbf {A}],[\mathbf {A}_0],\mathsf {h}_0,\mathsf {h}_1).$$

We assume from now that all algorithms have access to $ pars _{\mathbf {PS}}$ without explicitly stating it as input.

Additionally let $\mathbf {A}_1\in \mathbb {Z}_p^{2k\times k}$ be a matrix distributed according to $\mathcal {U}_{2k,k}$ with the restriction $\overline{\mathbf {A}}_0=\overline{\mathbf {A}}_1$. Then we define the languages

A crucial building block for the key encapsulation mechanism will be a proof system $\mathbf {PS} $ that is $\mathcal {L}_{\mathrm {snd}} $-qualified and $\widetilde{\mathcal {L}_{\mathrm {snd}}}$-extensible. We give a construction based on $\mathcal {D}_{2k,k}$-MDDH in the following section.

4.2 A Construction Based on MDDH

The goal of this section is to construct an $\mathcal {L}_{\mathrm {snd}} $-qualified proof system for $\mathcal {L} $ based on $\mathcal {D}_{2k,k}$-MDDH for any matrix distribution $\mathcal {D}_{2k,k}$ (see Definition 3). To this aim we give a proof system $Pre\mathbf {PS}:=(Pre\mathbf {PGen},$ $Pre\mathbf {PPrv},$ $Pre\mathbf {PVer},$ $Pre\mathbf {PSim})$ for $\mathcal {L} $ in Fig. 2.

In case $k=1$ this is sufficient, namely setting , , and , we can prove that is $\mathcal {L}_{\mathrm {snd}} $-qualified under the DDH assumption. For the case $k>1$ we give the construction of $\mathbf {PS} $ in the full version.

As a compromise between generality and readability, we decided to give the proof in full detail for $k=1$ (i.e. the DDH case), while sticking to the general matrix notation. As for $k=1$ a vector in $\mathbb {Z}_p^k=\mathbb {Z}_p^1$ is merely a single element, we do not use bold letters to denote for instance x and r in $\mathbb {Z}_p$ (other than in Fig. 2).

Theorem 1

If the DDH assumption holds in $\mathbb {G}$, and $\mathsf {h}_0$, $\mathsf {h}_1$ are universal hash functions, then for $k=1$ the proof system described in Fig. 2 is $\mathcal {L}^{\mathrm {snd}}$-qualified. Further, the proof system $\mathbf {PS} $ is $\widetilde{\mathcal {L}_{\mathrm {snd}}}$-extensible.

Proof

Completeness and perfect zero-knowledge follow straightforwardly from the fact that for all $r \in \mathbb {Z}_p$, $[\mathbf {K}_{ x} \mathbf {A}] r = \mathbf {K}_{ x}[\mathbf {A}r]$ and $[\mathbf {K}_y \mathbf {A}] r=\mathbf {K}_y[\mathbf {A}r]$.

Uniqueness of the keys follows from the fact that the verification algorithm computes exactly one proof $[\pi ]$ (plus the corresponding key $[\kappa ]$), and aborts if $[\pi ]\ne [\pi ^\star ]$.

We prove in Lemm 6 that $\mathbf {PS} $ satisfies constrained $\mathcal {L}^{\mathrm {snd}}$-soundness.

In the full version we prove that $\mathbf {PS} $ is $\widetilde{\mathcal {L}^{\mathrm {snd}}}$-extensible. $\square $

Lemma 6

(Constrained $\mathcal {L}^{\mathrm {snd}}$ -soundness of PS). If the DDH assumption holds in $\mathbb {G}$, and $\mathsf {h}_0$, $\mathsf {h}_1$ are universal hash functions, then the proof system $\mathbf {PS} $ described in Fig. 2 (for $k=1$) complies with constrained $\mathcal {L}^{\mathrm {snd}}$-soundness. More precisely, for every adversary $\mathcal {A} $, there exists an adversary $\mathcal {B} $ such that $T(\mathcal {B}) \approx T(\mathcal {A}) + (Q_{\mathbf {sim}}+Q_{\mathbf {ver}}) \cdot \mathsf {poly}(\lambda )$ and

where $Q_{\mathbf {ver}}$, $Q_{\mathbf {sim}}$ are the number of calls to $\mathcal {O}_{\mathbf {ver}} $ and $\mathcal {O}_{\mathbf {sim}} $ respectively, $\mathrm {uncert}^{\mathrm {snd}}_{\mathcal {A}}(\lambda )$ describes the uncertainty of the predicates provided by $\mathcal {A} $ (see Definition 12) and $\mathsf {poly}$ is a polynomial function independent of $T(\mathcal {A})$.

Note that, as explained in Sect. 2.5, in the proof of IND-CCA security of the final hybrid encryption scheme (where we will employ constrained $\mathcal {L}_{\mathrm {snd}} $-soundness of $\mathbf {PS} $ to prove IND-CCCA security of our KEM), the term $\mathrm {uncert}^{\mathrm {snd}}_{\mathcal {A}}(\lambda )$ will be statistically small, so we can afford to get a security loss of ${Q_{\mathbf {ver}}}\cdot \mathrm {uncert}^{\mathrm {snd}}_{\mathcal {A}}(\lambda )$ without compromising tightness.

Proof

We prove $\mathcal {L}_{\mathrm {snd}} $-soundness of $\mathbf {PS} $ via a series of games, described in Fig. 3. We start by giving a short overview of the proof.

The idea is to first randomize x used in simulated proofs of statements $[\mathbf {c}]\in \mathcal {L}_{\mathrm {snd}} \setminus \mathcal {L}^{\mathrm {}}$, using the DDH assumption and the Leftover Hash Lemma (Lemma 1). This makes $[\pi ,\kappa ]$ an encryption of y that becomes lossy if and only if $[\mathbf {c}]\in \mathrm {span} ([\mathbf {A}_0])$. For the final proof step, let $([\mathbf {c}],[\pi ],[\kappa ])$ be an honestly generated combined proof (with randomized x) with $[\mathbf {c}]\in \mathcal {L}_{\mathrm {snd}} $, that is there exists an $r\in \mathbb {Z}_p$ such that either $[\mathbf {c}]=[\mathbf {A}r]$ or $[\mathbf {c}]=[\mathbf {A}_0r]$. In the former case, we have $y=\mathsf {h}_1(\mathbf {K}_y^\top [\mathbf {c}])=\mathsf {h}_1([\mathbf {K}_y\mathbf {A}]r)$, thus no information about $\mathbf {K}_y$ is leaked apart from what is already contained in the public key. In the latter case, we have $[\pi ,\kappa ] = {[\mathbf {A}_0]}\cdot x+ {[\mathbf {c}]}\cdot y=[\mathbf {A}_0]( x+ r\cdot y)$, thus y, and in particular $\mathbf {K}_y$, are completely hidden by the randomized x. This implies that even knowing many sound tuples $([\mathbf {c}],[\pi ],[\kappa ])$ for $[\mathbf {c}]\in \mathcal {L}_{\mathrm {snd}} $, an adversary cannot do better than guessing y to produce a valid key for a statement outside $\mathcal {L}_{\mathrm {snd}} $, and therefore, only has negligible winning chances.

We start with the constrained $\mathcal {L}_{\mathrm {snd}} $-soundness game, which we refer to as game $\mathbf {G}$. In the following we want to bound the probability

We denote the probability that the adversary $\mathcal {A} $ wins the game $\mathbf {G}_i$ by

$$\varepsilon _i:=\mathrm {Adv}^{ }_{\mathbf {G}_i,\mathcal {A}} (\lambda ).$$

$\mathbf {G}\, \rightsquigarrow \, \mathbf {G}_0$: From game $\mathbf {G}_0$ on, on a valid verification query $([\mathbf {c}],\varPi ,\mathsf {pred})$ the verification oracle will not return lose and abort anymore, but instead simply return $\bot $. This can only increase the winning chances of an adversary $\mathcal {A} $. Thus we obtain

$$\varepsilon \le \varepsilon _0.$$

$\mathbf {G}_0\, \rightsquigarrow \, \mathbf {G}_1$ : We show that $\varepsilon _1 \ge \varepsilon _0$. The difference between $\mathbf {G}_0$ and $\mathbf {G}_1$ is that from game $\mathbf {G}_1$ on the oracle $\mathcal {O}_{\mathbf {ver}} $, on input $([\mathbf {c}],\varPi ,\mathsf {pred})$, first checks if $[\mathbf {c}] \in \mathrm {span} ([\mathbf {A}])$. If this is the case, $\mathcal {O}_{\mathbf {ver}} $ behaves as in game $\mathbf {G}_0$. Otherwise, it does not check if $[\pi ^\star ]=[\pi ]$ anymore, and it computes

$$[\kappa ]=\underline{\mathbf {A}}_0 \overline{\mathbf {A}}_0^{-1}\left( [\pi ^\star ]-\overline{[\mathbf {c}]}\cdot y\right) + \underline{[\mathbf {c}]}\cdot y,$$

where y is computed as in $\mathbf {G}_0$. Note that this computation requires to know $\mathbf {A}_0$, but not $\mathbf {K}_{ x}$, since x is not computed explicitly. This will be crucial for the transition to game $\mathbf {G}_2$.

We again have to show that this can only increase the winning chances of the adversary, in particular we have to show that this change does not affect the adversaries view on non-winning queries.

First, from game $\mathbf {G}_0$ on the verification oracle $\mathcal {O}_{\mathbf {ver}} $ always returns $\bot $ on queries from $\mathcal {L}_{\mathrm {snd}} \backslash \mathcal {L} $, and thus games $\mathbf {G}_0$ and $\mathbf {G}_1$ only differ when $\mathcal {O}_{\mathbf {ver}} $ is queried on statements with $[\mathbf {c}] \notin \mathcal {L}_{\mathrm {snd}} $. Therefore it remains to show that for any query $([\mathbf {c}],[\pi ^\star ],\mathsf {pred})$ to $\mathcal {O}_{\mathbf {ver}} $ with $[\mathbf {c}] \notin \mathcal {L}_{\mathrm {snd}} $, we have that if the query is winning in $\mathbf {G}_0$, then it is also winning in $\mathbf {G}_1$. Suppose $([\mathbf {c}],[\pi ^\star ],\mathrm {pred})$ satisfies the winning condition in $\mathbf {G}_0$. Then, it must hold true that $[\pi ^\star ] = \overline{[\mathbf {A}_0]}\cdot \mathbf {x}+ \overline{[\mathbf {c}]}\cdot y$ and $\mathsf {pred}\left( \underline{[\mathbf {A}_0]}\cdot \mathbf {x}+ \underline{[\mathbf {c}]}\cdot y\right) =1$. In $\mathbf {G}_1$, the key is computed as

$$\underline{\mathbf {A}}_0 \overline{\mathbf {A}}_0^{-1}\left( [\pi ^\star ]-\overline{[\mathbf {c}]}\cdot y\right) + \underline{[\mathbf {c}]}\cdot y=\underline{[\mathbf {A}_0]}\cdot \mathbf {x}+ \underline{[\mathbf {c}]}\cdot y,$$

and thus the query is also winning in $\mathbf {G}_1$.

Note that for this step it is crucial that we only require a weakened soundness condition of our proof systems (compared to benign proof systems [11]). Namely, if instead the verification oracle in the soundness experiment $\mathcal {O}_{\mathbf {ver}} $ returned the key $[\kappa ]$ for valid statements $x\in \mathcal {L}^{\mathrm {snd}} \backslash \mathcal {L} $, we could not argue that the proof transition does necessarily at most increase the winning chances of an adversary. This holds true as in game $\mathbf {G}_1$ on a statement $x\in \mathcal {L}^{\mathrm {snd}} \backslash \mathcal {L} $ with non-valid proof (but with valid predicate respective to the proof) the key would be returned, whereas in game $\mathbf {G}_0$ “$\bot $” would be returned.

$\mathbf {G}_1\,\rightsquigarrow \, \mathbf {G}_2$ : In this transition, we use the DDH assumption to change the way x is computed in simulated proofs. More precisely, we build an adversary $\mathcal {B} $ such that $T(\mathcal {B}) \approx T(\mathcal {A}) + (Q_{\mathbf {ver}}+ Q_{\mathbf {sim}}) \cdot \mathsf {poly}(\lambda )$ and

$$\begin{aligned} |\varepsilon _2 - \varepsilon _1| \le \mathrm {Adv}^{ \mathrm{ddh} }_{\mathbb {G},\mathcal {B}} (\lambda )+2^{-\varOmega (\lambda )}. \end{aligned}$$

Let $([\mathbf {B}],[\mathbf {h}_1,\dots ,\mathbf {h}_{Q_{\mathbf {sim}}}])$ be a $Q_{\mathbf {sim}}$-fold DDH challenge. We build the adversary $\mathcal {B} $ as follows. First $\mathcal {B} $ picks $\mathbf {A}, \mathbf {A}_0, \mathbf {A}_1$ as described in Sect. 4.1. Further $\mathcal {B} $ chooses $\mathbf {K}_{ x}^\prime \leftarrow _{R}\mathbb {Z}_p^{2\times 2 }$ and $\mathbf {K}_{y}\leftarrow _{R}\mathbb {Z}_p^{2\times 2}$ and implicitely sets $\mathbf {K}_x=\mathbf {K}_x^\prime +\mathbf {U}(\mathbf {A}^\bot )^\top $ for some $\mathbf {A}^\bot \in \mathsf {orth}(\mathbf {A})$, where $\mathbf {U}\in \mathbb {Z}_p^{2 \times 1}$ depends on the $Q_{\mathbf {sim}}$-fold DDH challenge (and cannot be computed by $\mathcal {B} $). This will allow $\mathcal {B} $ to embed the $Q_{\mathbf {sim}}$-fold DDH challenge into simulation queries. Note that even though $\mathcal {B} $ does not know $\mathbf {K}_x$ explicitly, the special form of $\mathbf {K}_x$ still allows $\mathcal {B} $ to compute the public parameters $[\mathbf {K}_{ x} \mathbf {A}]=[\mathbf {K}_{ x}^\prime \mathbf {A}]$ and $[\mathbf {K}_y \mathbf {A}]$.

For queries to $\mathcal {O}_{\mathbf {ver}} $ containing $[\mathbf {c}] \in \mathcal {L} $, in order to compute x, $\mathcal {B} $ computes $\mathbf {K}_{ x}[\mathbf {c}]=\mathbf {K}_{ x}^\prime [\mathbf {c}]$ using $\mathbf {K}_{ x}^\prime $ (note that $\mathcal {B} $ can check if $[\mathbf {c}] \in \mathcal {L} $ since it knows $\mathbf {A}$). Answering queries to $\mathcal {O}_{\mathbf {ver}} $ for $\mathbf {c}\notin \mathcal {L} $ does not require knowledge of x. Both cases can thus be handled without concrete knowledge of $\mathbf {K}_{ x}$.

The adversary $\mathcal {B} $ prepares for queries to the simulation oracle $\mathcal {O}_{\mathbf {sim}} $ as follows. First it chooses $w\leftarrow \mathbb {Z}_p$ and defines . Note that with overwhelming probability over the choices of $\mathbf {A}$ and $\mathbf {A}_0$, the matrix $(\mathbf {A}^\bot )^\top \mathbf {A}_0$ is full rank and thus $(\mathbf {K}_{ x}^\prime + \mathbf {U}(\mathbf {A}^\bot )^\top )\mathbf {A}_0$ is distributed statistically close to uniform over $\mathbb {Z}_p$. Therefore replacing $[(\mathbf {K}_{ x}^\prime + \mathbf {U}(\mathbf {A}^\bot )^\top )\mathbf {A}_0]$ by $[\mathbf {V}]$ is statistically indistinguishable for the adversary $\mathcal {A} $.

On the i-th query to $\mathcal {O}_{\mathbf {sim}} $, for all $i \in [Q_{\mathbf {sim}}]$, the adversary $\mathcal {B} $ defines and computes . Further $\mathcal {B} $ can compute as before. In case of a real DDH challenge, we have $\mathbf {h}_i=\mathbf {B}r_i$ for $r_i\leftarrow _{R}\mathbb {Z}_p$ and thus we have $[\mathbf {c}_i]=[\mathbf {A}_0 r_i]$ and $ x=\mathsf {h}_0(w\cdot {[\mathbf {B}r_i]})=\mathsf {h}_0([\mathbf {V}r_i])$. By our previous considerations $[\mathbf {V}r_i]$ is statistically close to $\mathbf {K}_{ x}[\mathbf {c}_i]$ and thus adversary $\mathcal {B} $ simulates game $\mathbf {G}_1$. In case the adversary was given a random challenge, the $\mathbf {h}_i$ are distributed uniformly at random and the adversary simulates game $\mathbf {G}_2$. Now we can employ the random self-reducibility of DDH (Lemma 2) to obtain an adversary as claimed.

Note that in order to prove this transition we require that in the definition of constrained soundness the simulation oracle returns random challenges (otherwise we would not be able to embedd the DDH challenge into simulation queries). This is another reason why we cannot directly employ the notion of benign proof systems [11].

$\mathbf {G}_2 \rightsquigarrow \mathbf {G}_3$ : As $\mathsf {h}_0$ is universal, we can employ the Leftover Hash Lemma (Lemma 1) to switch $(\mathsf {h}_0,\mathsf {h}_0([\mathbf {v}]))$ to $(\mathsf {h}_0,\mathbf {u})$ in all simulation queries, where $\mathbf {u}\leftarrow _{R}\mathbb {Z}_p$. A hybrid argument yields

$$|\varepsilon _2-\varepsilon _3|\le Q_{\mathbf {sim}}/p.$$

Game $\mathbf {G}_3$ : We show that $\varepsilon _3 \le {Q_{\mathbf {ver}}}\cdot \mathrm {uncert}^{\mathrm {snd}}_{\mathcal {A}}(\lambda )$, where $Q_{\mathbf {ver}}$ is the number of queries to $\mathcal {O}_{\mathbf {ver}} $ and $\mathrm {uncert}^{\mathrm {snd}}_{\mathcal {A}}(\lambda )$ describes the uncertainty of the predicates provided by the adversary as described in Definition 12.

We use a hybrid argument over the $Q_{\mathbf {ver}}$ queries to $\mathcal {O}_{\mathbf {ver}} $. To that end, we introduce games $\mathbf {G}_{3.i}$ for $i=0,\ldots ,Q_{\mathbf {ver}}$, defined as $\mathbf {G}_3$ except that for its first i queries $\mathcal {O}_{\mathbf {ver}} $ answers $\bot $ on any query $([\mathbf {c}],[\pi ],\mathsf {pred})$ with $[\mathbf {c}]\notin \mathcal {L}_{\mathrm {snd}} $. We have $\varepsilon _{3} = \varepsilon _{3.0}$, $\varepsilon _{3.Q_{\mathbf {ver}}}=0$ and we show that for all $i =0,\ldots ,Q_{\mathbf {ver}}-1$ it holds

$$\begin{aligned} |\varepsilon _{3.i} - \varepsilon _{3.(i+1)}| \le \mathop {\Pr }\limits _{K \in \mathcal {K}}[\mathsf {pred}_{i+1}(K)=1]+2^{-\varOmega (\lambda )}, \end{aligned}$$

where $\mathsf {pred}_{i+1}$ is the predicate contained in the $i+1$-th query to $\mathcal {O}_{\mathbf {ver}} $.

Games $\mathbf {G}_{3.i}$ and $\mathbf {G}_{3.(i+1)}$ behave identically on the first i queries to $\mathcal {O}_{\mathbf {ver}} $. An adversary can only distinguish between the two, if it manages to provide a valid $(i+1)$-st query $([\mathbf {c}],[\pi ],\mathsf {pred})$ to $\mathcal {O}_{\mathbf {ver}} $ with $[\mathbf {c}]\notin \mathcal {L}_{\mathrm {snd}} $. In the following we bound the probability of this happening.

From queries to $\mathcal {O}_{\mathbf {sim}} $ and the first i queries to $\mathcal {O}_{\mathbf {ver}} $ the adversary can only learn valid tuples $([\mathbf {c}],[\pi ],[\kappa ])$ with $[\mathbf {c}]\in \mathcal {L}_{\mathrm {snd}} $. As explained in the beginning, such combined proofs reveal nothing about $\mathbf {K}_y$ beyond what is already revealed in the public key, as either $[\mathbf {c}]=[\mathbf {A}r]$ for an $r\in \mathbb {Z}_p$ and $y=\mathsf {h}_1([\mathbf {K}_y\mathbf {c}])=\mathsf {h}_1([\mathbf {K}_y\mathbf {A}]r)$ or $[\mathbf {c}]=[\mathbf {A}_0 r]$ and $[\pi ,\kappa ]=[\mathbf {A}_0](x+r\cdot y)$. In the former case y itself reveals no more about $\mathbf {K}_y$ than the public key, while in the latter case y is hidden by the fully randomized x.

For any $[\mathbf {c}]\notin \mathcal {L}_{\mathrm {snd}} $, $y=\mathsf {h}_1[\mathbf {K}_y\mathbf {c}]$ computed by $\mathcal {O}_{\mathbf {ver}} $ is distributed statistically close to uniform from the adversary’s point of view because of the following. First we can replace $\mathbf {K}_y$ by $\mathbf {K}_y+\mathbf {U}(\mathbf {A}^\bot )^\top $ for $\mathbf {U}\leftarrow _{R}\mathbb {Z}_p^{2\times 1}$ and $\mathbf {A}^\bot \in \mathsf {orth}(\mathbf {A})$ as both are distributed identically. By our considerations, this extra term is neither revealed through the public key, nor through the previous queries to $\mathcal {O}_{\mathbf {sim}} $ and $\mathcal {O}_{\mathbf {ver}} $.

Now Lemma 1 (Leftover Hash Lemma) implies that the distribution of y is statistically close to uniform as desired. Since $[\mathbf {c}] \notin \mathrm {span} ([\mathbf {A}_0])$ we have $\underline{[\mathbf {c}]} - \underline{[\mathbf {A}_0]} \overline{\mathbf {A}}_0^{-1} \overline{[\mathbf {c}]} \ne 0$, thus the key

$$[\kappa ]: = \underline{\mathbf {A}}_0 \overline{\mathbf {A}}_0^{-1}[\pi ^\star ] + \underbrace{\left( \underline{[\mathbf {c}]} - \underline{\mathbf {A}}_0 \overline{\mathbf {A}}_0^{-1} \overline{[\mathbf {c}]}\right) }_{\ne 0}\cdot y$$

computed by $\mathcal {O}_{\mathbf {ver}} $ is statistically close to uniform over $\mathbb {Z}_p$. Altogether we obtain:

$$\begin{aligned} \varepsilon _3 \le Q_{\mathbf {ver}}\cdot \mathrm {uncert}^{\mathrm {snd}}_{\mathcal {A}}(\lambda )+Q_{\mathbf {ver}}\cdot 2^{-\varOmega (\lambda )}. \end{aligned}$$

5 Key Encapsulation Mechanism

In this section we present our CCCA-secure KEM that builds upon a qualified proof system for the OR-language as presented in Sect. 4.

Ingredients. Let $ pars _{\mathbf {PS}}$ be the public parameters for the underlying qualified proof system comprising $\mathcal {G}=(\mathbb {G},p,P)$ and $\mathbf {A},\mathbf {A}_0\in \mathbb {Z}_p^{2k\times k}$ (as defined in Sect. 4.1). Recall that $\mathcal {L} = \mathrm {span} ([\mathbf {A}])$, $ \mathcal {L}_{\mathrm {snd}} = \mathrm {span} ([\mathbf {A}])\cup \mathrm {span} ([\mathbf {A}_0])$ and $\widetilde{\mathcal {L}_{\mathrm {snd}}}= \mathrm {span} ([\mathbf {A}])\cup \mathrm {span} ([\mathbf {A}_0])\cup \mathrm {span} ([\mathbf {A}_1])$ (for $\mathbf {A}_1\in \mathbb {Z}_p^{2k\times k}$ as in Sect. 4.1). Let further $\mathcal {H}$ be a collosion resistant hash function generator returning functions of the form $\mathsf {H}:\mathbb {G}^k\rightarrow \{0,1\}^{\lambda }$ and let $\mathsf {H}\leftarrow _{R}\mathcal {H}$. We will sometimes interpret values $\tau \in \{0,1\}^{\lambda }$ in the image of $\mathsf {H}$ as elements in $\mathbb {Z}_p$ via the map $\tau \mapsto \sum _{i=1}^\lambda \tau _{i}\cdot 2^{i-1}$.

In the following we assume that all algorithms implicitly have access to the public parameters $ pars _{\mathbf {KEM}}:=( pars _{\mathbf {PS}},\mathsf {H})$.

Proof systems. We employ an $\mathcal {L}_{\mathrm {snd}} $-qualified and $\widetilde{\mathcal {L}_{\mathrm {snd}}}$-extensible proof system $\mathbf {PS}:=$ $(\mathbf {PGen},\mathbf {PPrv},\mathbf {PVer},\mathbf {PSim})$ for the language $\mathcal {L} $ as provided in Fig. 2 (respectively for $k>1$ as provided in the full version). We additionally require that the key space is a subset of $\mathbb {G} $, which is satisfied by our construction in Sect. 4.

Construction. The construction of the KEM is given in Fig. 4.

Efficiency. When using our qualified proof system from Sect. 4 (respectively for $k>1$ from the full version) to instantiate $\mathbf {PS} $, the public parameters comprise $4k^2$ group elements (plus the descriptions of the group itself and four hash functions). Further public keys and ciphertexts of our KEM contain $8k+2k^2$, resp. $4k$ group elements for $k>1$.

We stress that our scheme does not require pairings and can be implemented with $k=1$, resulting in a tight security reduction to the DDH assumption in $\mathbb {G}$. As in this case the upper entries of the matrix $\mathbf {A}$ is 1, we get by with $3$ group elements in the public parameters. Further, we can save one hash function due to the simpler underlying proof system. For the same reason, in case $k=1$ public keys and ciphertexts contain $6$, resp. $3$ group elements. Compared to the GHKW scheme [9], our scheme thus has ciphertexts of the same size, but significantly smaller public keys.

Without any optimizations, encryption and decryption take $8k^2+12k$, resp. $6k^2+14k$ exponentiations for $k>1$. For DDH we have 11 for both cases (again due to the simpler proof system and the distribution). Since most of these are multi-exponentiations, however, there is room for optimizations. In comparison, encryption and decyption in the GHKW scheme take $3k^2+k$, resp. $3k$ exponentiations (plus about $\lambda k$ group operations for encryption, and again with room for optimizations). The main reason for our somewhat less efficient operations is the used qualified proof system. We explicitly leave open the construction of a more efficient proof system.

To turn the KEM into a IND-CCA secure hybrid encryption scheme, we require a quantitatively stronger security of the symmetric building block than [9]. Namely, the uncertainty $\mathrm {uncert}_{\mathcal {A}}(\lambda )$ in our scheme has a stronger dependency on the number of queries ($Q_{\mathbf {enc}}\cdot Q_{\mathbf {dec}}$ instead of $Q_{\mathbf {enc}}+Q_{\mathbf {dec}}$). This necessitates to increase the key size of the authenticated encryption scheme compared to [9]. Note though that one-time secure authenticated encryption schemes even exist unconditionally and therefore in the reduction proving security of the hybrid encryption scheme, the uncertainty $\mathrm {uncert}_{\mathcal {A}}(\lambda )$ will be statistically small.

Theorem 2

(Security of the KEM). If $\mathbf {PS} $ is $\mathcal {L}_{\mathrm {snd}} $-qualified and $\widetilde{\mathcal {L}_{\mathrm {snd}}}$-extensible to $\widetilde{\mathbf {PS}}$, if $\mathsf {H}$ is a collision resistant hash function and if the $\mathcal {D}_{2k,k}\text{- }$MDDH assumption holds in $\mathbb {G}$, then the key encapsulation mechanism $\mathbf {KEM} $ described in Fig. 4 is perfectly correct and IND-CCCA secure. More precisely, for every IND-CCCA adversary $\mathcal {A} $ that makes at most $Q_{\mathbf {enc}}$ encryption and $Q_{\mathbf {dec}}$ decryption queries, there exist adversaries $\mathcal {B}^{\mathrm {mddh}} $, $\mathcal {B} ^{\mathrm {csnd}}$, $\mathcal {B} ^{\mathrm {ind}}$, $\mathcal {B} ^{\widetilde{\mathrm {csnd}}}$ and $\mathcal {B} ^{\mathrm {cr}}$ with running time $T(\mathcal {B}^{\mathrm {mddh}})\approx T(\mathcal {B} ^{\mathrm {csnd}})\approx T(\mathcal {B} ^{\mathrm {ind}})\approx T(\mathcal {B} ^{\mathrm {csnd}})\approx T(\mathcal {B} ^{\mathrm {cr}}) \approx T(\mathcal {A})+(Q_{\mathbf {enc}}+Q_{\mathbf {dec}})\cdot \mathsf {poly}(\lambda )$ respectively $T(\mathcal {B} ^{\widetilde{\mathrm {csnd}}}) \approx T(\mathcal {A})+(Q_{\mathbf {enc}}+Q_{\mathbf {enc}}\cdot Q_{\mathbf {dec}})\cdot \mathsf {poly}(\lambda ) $ where $\mathsf {poly}$ is a polynomial independent of $T(\mathcal {A})$, and such that

Proof

We use a series of games to prove the claim. We denote the probability that the adversary $\mathcal {A} $ wins the i-th Game $\mathbf {G}_i$ by $\varepsilon _i$. An overview of all games is given in Fig. 5.

The goal is to randomize the keys of all challenge ciphertexts and thereby reducing the advantage of the adversary to 0. The methods employed here for a tight security reduction require us to ensure that $\mathcal {O}_{\mathbf {dec}} $ aborts on ciphertexts which are not in the span of $[\mathbf {A}]$, as we will no longer be able to answer those. The justification of this step relies crucially on the additional consistency proof $\varPi $ and can be found in the full version.

Game $\mathbf {G}_0$ : This game is the IND-CCCA security game (Definition 10).

$\mathbf {G}_0\,\rightsquigarrow \, \mathbf {G}_1$ : From game $\mathbf {G}_1$ on, we restrict the adversary to decryption queries with a fresh tag, that is, a tag which has not shown up in any previous encryption query. There are two conceivable bad events, where the adversary reuses a tag.

The first event is due to a collision of the hash function. That is, $\mathcal {A} $ provides a decryption query $([\mathbf {c}],\varPi )$, such that there exists a challenge ciphertext $[\mathbf {c}^\prime ]$ from a previous encryption query with $\overline{[\mathbf {c}]}\ne \overline{[\mathbf {c}^\prime ]}$, but $\mathsf {H}(\overline{[\mathbf {c}]})=\mathsf {H}(\overline{[\mathbf {c}^\prime ]})$. In that case we can straightforwardly employ $\mathcal {A} $ to obtain an adversary $\mathcal {B} $ attacking the collision resistance of $\mathsf {H}$ in time $T(\mathcal {B})\approx T(\mathcal {A})+(Q_{\mathbf {enc}}+Q_{\mathbf {dec}})\cdot \mathsf {poly}(\lambda )$ for a polynomial $\mathsf {poly}$ independent of $T(\mathcal {A})$. Thereby we obtain an upper bound on the described event of $\mathrm {Adv}^{ cr }_{\mathsf {H},\mathcal {B}} (\lambda )$.

In the second event, $\mathcal {A} $ provides a valid decryption query $([\mathbf {c}],\varPi )$, such that $\overline{[\mathbf {c}]}=\overline{[\mathbf {c}^\prime ]}$ for a previous challenge ciphertext $[\mathbf {c}^\prime ]\ne [\mathbf {c}]$. By the properties of $\mathbf {PS} $, the proof corresponding to a ciphertext $[\mathbf {c}]$ is unique, which in particular implies $[\mathbf {c}]\notin \mathrm {span} ([\mathbf {A}])$. We bound the probability that $\mathcal {A} $ submits a valid decryption query $([\mathbf {c}],\varPi )$ such that $[\mathbf {c}]\notin \mathrm {span} ([\mathbf {A}])$ by $Q_{\mathbf {dec}}\cdot \mathrm {uncert}_{\mathcal {A}}(\lambda )$, using a series of hybrids: For $i=0,\dots ,Q_{\mathbf {dec}}$ let $\mathbf {G}_{0.i}$ be defined like $\mathbf {G}_0$, except $\mathcal {O}_{\mathbf {dec}} $ checks the freshness of $\tau $ for the first i queries and operates as in game $\mathbf {G}_0$ from the $(i+1)$-st query on. Note that game $\mathbf {G}_{0.0}$ equals $\mathbf {G}_0$ and game $\mathbf {G}_{0.Q_{\mathbf {dec}}}$ equals $\mathbf {G}_1$. We show that for all $i \in \{0,\ldots ,Q_{\mathbf {dec}}-1\}$:

$$|\varepsilon _{0.i}-\varepsilon _{0.(i+1)}|\le \Pr _{K \leftarrow _{R}\mathcal {K}}[\mathsf {pred}_{i+1}(K)=1].$$

Game $\mathbf {G}_{0.i}$ and game $\mathbf {G}_{0.(i+1)}$ only differ when the $(i+1)$-st query to $\mathcal {O}_{\mathbf {dec}} $ is valid with $\overline{[\mathbf {c}]}=\overline{[\mathbf {c}^\prime ]}$ for a previous challenge ciphertext $[\mathbf {c}^\prime ]\ne [\mathbf {c}]$. As all challenge ciphertexts are in $\mathrm {span} ([\mathbf {A}])$, they do not reveal anything about $\mathbf {k}_0$ beyond the public key $[\mathbf {k}_0^\top \mathbf {A}]$. Thus, for $[\mathbf {c}]\notin \mathrm {span} ([\mathbf {A}])$, the value $\mathbf {k}_0^\top [\mathbf {c}]$ looks uniformly random from the adversary’s point of view, proving the claimed distance between game $\mathbf {G}_{0.i}$ and game $\mathbf {G}_{0.(i+1)}$. Altogether we obtain

$\mathbf {G}_1\,\rightsquigarrow \, \mathbf {G}_2$ : From $\mathbf {G}_2$ on, the way challenge ciphertexts are computed is changed. Namely, the simulation algorithmen $\mathbf {PSim} ( psk ,[\mathbf {c}])$ is used instead of $\mathbf {PPrv} ( ppk ,[\mathbf {c}],\mathbf {r})$ to compute $(\varPi ,[\kappa ])$. Since for all challenge ciphertexts we have $[\mathbf {c}] \in \mathcal {L} $, the proofs and keys are equal by the perfect zero-knowledge property of $\mathbf {PS} $, and thus we have

$$\varepsilon _1 = \varepsilon _2.$$

$\mathbf {G}_2\,\rightsquigarrow \, \mathbf {G}_3$ : Game $\mathbf {G}_3$ is like $\mathbf {G}_2$ except the vectors $[\mathbf {c}]$ in the challenge ciphertexts are chosen randomly in the span of $[\mathbf {A}_0]$.

We first employ the $Q_{\mathbf {enc}}$-fold $\mathcal {D}_{2k,k}$-MDDH assumption to tightly switch the vectors in the challenge ciphertexts from $\mathrm {span} ([\mathbf {A}])$ to uniformly random vectors over $\mathbb {G}^{2k}$. Next we use the $Q_{\mathbf {enc}}$-fold $\mathcal {U}_{2k,k}$-MDDH assumption to switch these vectors from random to $[\mathbf {A}_0 \mathbf {r}]$.

To be specific, we build adversaries $\mathcal {B} $, $\mathcal {B} ^\prime $ such that for a polynomial $\mathsf {poly}$ independent of $T(\mathcal {A})$ we have $T(\mathcal {B}) \approx T(\mathcal {B} ^\prime ) \approx T(\mathcal {A})+(Q_{\mathbf {enc}}+Q_{\mathbf {dec}})\cdot \mathsf {poly}(\lambda )$ and

Let $([\mathbf {A}],[\mathbf {v}_1|\dots |\mathbf {v}_{Q_{\mathbf {enc}}}])$ with $[\mathbf {A}]\in \mathbb {G}^{2k\times k}$ and be the $Q_{\mathbf {enc}}$-fold $\mathcal {D}_{2k,k}$-MDDH challenge received by $\mathcal {B} $. Then $\mathcal {B} $ samples $( ppk , psk ) \leftarrow _{R}\mathbf {PGen} (1^\lambda )$, $\mathbf {k}_0, \mathbf {k}_1 \leftarrow _{R}\mathbb {Z}_p^{2k}$, $b\leftarrow _{R}\{0,1\}$ and sends the public key ${ pk }:= ( ppk ,[\mathbf {k}_0^\top \mathbf {A}],$ $[\mathbf {k}_1^\top \mathbf {A}])$ to $\mathcal {A} $.

On the i-th query to $\mathcal {O}_{\mathbf {enc}} $, $\mathcal {B} $ sets the challenge ciphertext to $[\mathbf {c}] := [\mathbf {v}_i]$, next computes $\tau := \mathsf {H}(\overline{[\mathbf {c}]})$, $(\varPi ,[\kappa ]):=\mathbf {PSim} ( psk ,[\mathbf {v}_i])$ and finally $K_1:=(\mathbf {k}_0^\top +\tau \mathbf {k}_1^\top )[\mathbf {c}]$ (and $K_0\leftarrow _{R}\mathcal {K}(\lambda )$ as usual). As $\mathcal {B} $ has generated the secret key itself, for decryption queries it can simply follow $\mathbf {KDec} ({ pk }, sk ,C)$.

In case $[\mathbf {V}]=[\mathbf {A}\mathbf {R}]$, $\mathcal {B}$ perfectly simulates game $\mathbf {G}_2$. In case $[\mathbf {V}]$ is uniformly random over $\mathbb {G}^{2k \times Q_{\mathbf {enc}}}$, $\mathcal {B}$ simulates an intermediary game $\mathbf {H}$, where the challenge ciphertexts are chosen uniformly at random. Analogously we construct an adversary $\mathcal {B} ^\prime $ on the $Q_{\mathbf {enc}}$-fold $\mathcal {U}_{2k,k}$-MDDH assumption, who simulates game $\mathbf {H}$ if $[\mathbf {V}]$ is uniformly at random over $\mathbb {G}^{2k \times Q_{\mathbf {enc}}}$, and game $\mathbf {G}_3$, if $[\mathbf {V}]=[\mathbf {A}_0\mathbf {R}]$. Altogether this proves the claim stated above.

Finally, from Lemma 4 (random self-reducibility of $\mathcal {U}_{2k,k}$-MDDH), Lemma 3 ($\mathcal {D}_{2k,k}$-MDDH $\Rightarrow $ $\mathcal {U}_{2k,k}$-MDDH), and Lemma 2 (random self-reducibility of $\mathcal {D}_{2k,k}$-MDDH), we obtain an adversary $\mathcal {B} ^{\prime \prime }$ such that $T(\mathcal {B} ^{\prime \prime }) \approx T(\mathcal {A}) + (Q_{\mathbf {enc}}+Q_{\mathbf {dec}})\cdot \mathsf {poly}(\lambda )$ where $\mathsf {poly}$ is independent of $T(\mathcal {A})$ and

$$ |\varepsilon _2 - \varepsilon _3| \le (1+k)\cdot \mathrm {Adv}^{ \mathrm{mddh} }_{\mathbb {G},\mathcal {D}_{2k,k},\mathcal {B} ^{\prime \prime }} (\lambda ) + \frac{2}{p-1}.$$

$\mathbf {G}_3\rightsquigarrow \mathbf {G}_4$ : We now restrict the adversary to decryption queries with $[\mathbf {c}]\in \mathrm {span} ([\mathbf {A}])$. For the justification we refer to the full version.

$\mathbf {G}_4 \rightsquigarrow \mathbf {G}_5$ : In game $\mathbf {G}_5$, we change the keys $[\kappa ]$ computed by $\mathcal {O}_{\mathbf {enc}} $ to random over $\mathbb {G}$. This is justified as follows.

Firstly, we can replace $\mathbf {k}_0$ by $\mathbf {k}_0 + {\mathbf {A}^\bot \mathbf {u}}$ with $\mathbf {u}\leftarrow _{R}\mathbb {Z}_p^{k}$ and $\mathbf {A}^\bot \in \mathsf {orth}(\mathbf {A})$, as those are identically distributed. Note that this change does neither affect the public key, nor the decryption queries, since for all . Thus, the term $\mathbf {A}^\bot \mathbf {u}$ only shows up when $\mathcal {O}_{\mathbf {enc}} $ computes the value $[(\mathbf {A}^\bot \mathbf {u})^\top \mathbf {A}_{0} \mathbf {r}]$ for $\mathbf {r}\leftarrow _{R}\mathbb {Z}_p^{k}$ as part of the key $K_1$ (the key that is not chosen at random by the security experiment).

Secondly, the distributions $(\mathbf {A}^\bot \mathbf {u})^\top \mathbf {A}_{0} \text{ and } \mathbf {v}^\top \leftarrow _{R}\mathbb {Z}_p^{1 \times k}$ are $1-2^{-\varOmega (\lambda )}$-close.

Altogether, we obtain that $\mathcal {O}_{\mathbf {enc}} $, on its j-th query for each $j \in [Q_{\mathbf {enc}}]$, can compute key $K_1$ for , and as

We then switch from $([\mathbf {r}_j],[\mathbf {v}^\top \mathbf {r}_j])$ to $([\mathbf {r}_j],[z_j])$, where $z_j$ is a uniformly random value over $\mathbb {G}$, using the $Q_{\mathbf {enc}}$-fold $\mathcal {U}_{k}$-MDDH assumption as follows. On input $([\mathbf {B}],[\mathbf {h}_1|\dots |\mathbf {h}_{Q_{\mathbf {enc}}}])$ with $\mathbf {B}\leftarrow _{R}\mathcal {U}_{k}$ (that is $\mathbf {B}\in \mathbb {Z}_p^{(k+1)\times k}$) and $\mathbf {h}_1,\dots , \mathbf {h}_{Q_{\mathbf {enc}}}\in \mathbb {Z}_p^{k+1}$, $\mathcal {B} $ samples $( ppk , psk ) \leftarrow _{R}\mathbf {PGen} (1^\lambda )$, $\mathbf {k}_0, \mathbf {k}_1 \leftarrow _{R}\mathbb {Z}_p^{2k}$, $b\leftarrow _{R}\{0,1\}$ and sends the public key ${ pk }:= ( ppk ,[\mathbf {k}_0^\top \mathbf {A}],$ $[\mathbf {k}_1^\top \mathbf {A}])$ to $\mathcal {A} $. In the following for all $j\in Q_{\mathbf {enc}}$ let $\overline{[\mathbf {h}_j]}\in \mathbb {G}^{k}$ comprise the upper $k$ entries and $\underline{[\mathbf {h}_j]}\in \mathbb {G}$ the $(k+1)$-st entry of $[\mathbf {h}_j]$ and similar for $[\mathbf {B}]$ let $\overline{[\mathbf {B}]}\in \mathbb {G}^{k\times k}$ be the upper square matrix of $[\mathbf {B}]$ and $\underline{[\mathbf {B}]}\in \mathbb {G}^{1\times k}$ comprise the last row.

On the j-th encryption query, $\mathcal {B} $ sets (and thus ) and computes the key as

The adversary $\mathcal {B} $ can answer decryption queries as usual using $\mathbf {k}_0$, as decryption queries outside $\mathcal {L} $ are rejected.

Now if $([\mathbf {B}],[\mathbf {h}_1|\dots |\mathbf {h}_{Q_{\mathbf {enc}}}])$ was a real $\mathcal {U}_{k}$-MDDH challenge, we have $\mathbf {h}_j=\mathbf {B}\mathbf {s}_j$ for a $\mathbf {s}_j\leftarrow _{R}\mathbb {Z}_p^{k}$ and thus we have $\mathbf {r}_j= \overline{\mathbf {B}}\mathbf {s}_j$ and $\underline{[\mathbf {h}_j]}= \underline{[\mathbf {B}]}\mathbf {s}_j=\underline{[\mathbf {B}]}\overline{\mathbf {B}}^{-1}\mathbf {r}_j$. Note that the distribution of $\underline{[\mathbf {B}]}\overline{\mathbf {B}}^{-1}$ is statistically close to the distribution of $\mathbf {v}^\top $ and therefore $\mathcal {B} $ simulates game $\mathbf {G}_4$. In case $\mathbf {h}_j$ was chosen uniformly at random from $\mathbb {Z}_p^{k+1}$, the adversary $\mathcal {B} $ simulates game $\mathbf {G}_5$ instead. In the end adversary $\mathcal {B} $ can thus forward the output of $\mathcal {A} $ to its own experiment.

Finally, Lemmas 3, 4 and 5 yield the existence of an adversary $\mathcal {B} ^\prime $ such that $T(\mathcal {B} ^\prime ) \approx T(\mathcal {A}) + (Q_{\mathbf {enc}}+ Q_{\mathbf {dec}}) \cdot \mathsf {poly}(\lambda )$ where $\mathsf {poly}$ is a polynomial independent of $T(\mathcal {A})$, and

$$\begin{aligned} |\varepsilon _4 - \varepsilon _5| \le \mathrm {Adv}^{ \mathrm{mddh} }_{\mathbb {G},\mathcal {D}_{2k,k},\mathcal {B} ^\prime } (\lambda ) + 2^{-\varOmega (\lambda )}. \end{aligned}$$

Game $\mathbf {G}_5$ : In this game, the keys $K_1$ computed by $\mathcal {O}_{\mathbf {enc}} $ are uniformly random, since the value $[\kappa ]$ which shows up in $K_1 := [(\mathbf {k}_0 + \tau \mathbf {k}_1)^\top \mathbf {c}] + [\kappa ]$ is uniformly random for each call to $\mathcal {O}_{\mathbf {enc}} $. The same holds true for the keys $K_0$ which are chosen at random from $\mathcal {K}(\lambda )$ throughout all games. Therefore, the output of $\mathcal {O}_{\mathbf {enc}} $ is now independent of the bit b chosen in $\mathrm {Exp} ^{\mathrm {ccca}}_{\mathbf {KEM},\mathcal {A}}(\lambda )$. This yields

$$\varepsilon _5=0.$$

$\square $

Notes

1.
This is unfortunately different from current practice, which does not take into account security reductions at all: practical keylength recommendations are such that known attacks on the scheme itself are infeasible [18].
2.
Like [5], we call our reduction almost tight, since its loss (of $\lambda $) is independent of the number of challenges and users, but not constant.
3.
In this paper, we use an implicit notation for group elements. That is, we write $[\mathbf {x}]:=g^{\mathbf {x}}\in \mathbb {G}^n$ for a fixed group generator $g\in \mathbb {G}$ and a vector $\mathbf {x}\in \mathbb {Z} _{|\mathbb {G}|}^n$, see [8]. We also use the shorthand notation $[\mathbf {x},\mathbf {y}]:=([\mathbf {x}],[\mathbf {y}])$.
4.
We note that a generic hybrid argument shows the security of the Kurosawa-Desmedt scheme in a multi-ciphertext setting. However, the corresponding security reduction loses a factor of $Q$ in success probability, where $Q$ is the number of challenge ciphertexts.
5.
The corresponding reduction is tight also in the multi-user and multi-ciphertext setting. Suitable (one-time) secure symmetric encryption schemes exist even unconditionally [14].

References

Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36362-7_20
Chapter Google Scholar
Attrapadung, N., Hanaoka, G., Yamada, S.: A framework for identity-based encryption with almost tight security. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 521–549. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_22
Chapter Google Scholar
Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). doi:10.1007/3-540-45539-6_18
Chapter Google Scholar
Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 408–425. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_23
Chapter Google Scholar
Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40084-1_25
Chapter Google Scholar
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
Article MathSciNet MATH Google Scholar
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). doi:10.1007/3-540-46035-7_4
Chapter Google Scholar
Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40084-1_8
Chapter Google Scholar
Gay, R., Hofheinz, D., Kiltz, E., Wee, H.: Tightly CCA-secure encryption without pairings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 1–27. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49890-3_1
Chapter Google Scholar
Gong, J., Chen, J., Dong, X., Cao, Z., Tang, S.: Extended nested dual system groups, revisited. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 133–163. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49384-7_6
Chapter Google Scholar
Hofheinz, D.: Adaptive partitioning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 489–518. Springer, Cham (2017). doi:10.1007/978-3-319-56617-7_17
Chapter Google Scholar
Hofheinz, D.: Algebraic partitioning: fully compact and (almost) tightly secure cryptography. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 251–281. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49096-9_11
Chapter Google Scholar
Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_35
Chapter Google Scholar
Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74143-5_31
Chapter Google Scholar
Hofheinz, D., Koch, J., Striecks, C.: Identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext setting. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 799–822. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_36
Google Scholar
Impagliazzo, R., Levin, L.A., Luby, M.: Pseudo-random generation from one-way functions (extended abstracts). In: 21st ACM STOC, pp. 12–24. ACM Press, May 1989
Google Scholar
Kurosawa, K., Desmedt, Y.: A new paradigm of hybrid encryption scheme. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_26
Chapter Google Scholar
Lenstra, A.K., Verheul, E.R.: Selecting cryptographic key sizes. J. Cryptol. 14(4), 255–293 (2001)
Article MathSciNet MATH Google Scholar
Libert, B., Joye, M., Yung, M., Peters, T.: Concise multi-challenge CCA-secure encryption and signatures with almost tight security. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 1–21. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45608-8_1
Google Scholar
Libert, B., Peters, T., Joye, M., Yung, M.: Compactly hiding linear spans. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 681–707. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_28
Chapter Google Scholar

Download references

Author information

Authors and Affiliations

Département d’informatique de l’ENS École normale supérieure, CNRS, PSL Research University, 75005, Paris, France
Romain Gay
INRIA, Paris, France
Romain Gay
Karlsruhe Institute of Technology, Karlsruhe, Germany
Dennis Hofheinz & Lisa Kohl

Authors

Romain Gay
View author publications
You can also search for this author in PubMed Google Scholar
Dennis Hofheinz
View author publications
You can also search for this author in PubMed Google Scholar
Lisa Kohl
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Romain Gay .

Editor information

Editors and Affiliations

University of Maryland, College Park, Maryland, USA
Jonathan Katz
UC San Diego, La Jolla, California, USA
Hovav Shacham

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Gay, R., Hofheinz, D., Kohl, L. (2017). Kurosawa-Desmedt Meets Tight Security. In: Katz, J., Shacham, H. (eds) Advances in Cryptology – CRYPTO 2017. CRYPTO 2017. Lecture Notes in Computer Science(), vol 10403. Springer, Cham. https://doi.org/10.1007/978-3-319-63697-9_5

Download citation

DOI: https://doi.org/10.1007/978-3-319-63697-9_5
Published: 02 August 2017
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-63696-2
Online ISBN: 978-3-319-63697-9
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Kurosawa-Desmedt Meets Tight Security

Abstract

Similar content being viewed by others

Simple and Efficient KDM-CCA Secure Public Key Encryption

On Constructing Pairing-Free Identity-Based Encryptions

Master-Key KDM-Secure IBE from Pairings

Keywords

1 Introduction

2 Preliminaries

2.1 Notations

2.2 Hash Functions

Definition 1

Definition 2

Lemma 1

2.3 Prime-Order Groups

Definition 3

Definition 4

Lemma 2

Definition 5

Lemma 3

Lemma 4

Lemma 5

Definition 6

2.4 Public-Key Encryption

Definition 7

Definition 8

2.5 Key Encapsulation Mechanism

Definition 9

Definition 10

3 Qualified Proof Systems

Definition 11

Definition 12

Definition 13

Definition 14

4 The OR-Proof

4.1 Public Parameters and the OR-Languages

4.2 A Construction Based on MDDH

Theorem 1

Proof

Lemma 6

Proof

5 Key Encapsulation Mechanism

Theorem 2

Proof

Notes

References

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation