Abstract
We study public key encryption (PKE) with simulation-based security against sender selective-opening (SIM-SSO) attacks, where the attacker can corrupt a subset of senders and learn their plaintexts together with the corresponding encryption randomness. Concretely:
- We present a generic construction of SIM-SSO security under chosen plaintext attacks (SIM-SSO-CPA) by combining a lossy encryption given by Hemenway et al. (Asiacrypt 2011) with a tailored compression algorithm. Our construction admits a simple and modular security analysis. We then present an instantiation based on the Matrix Diffie-Hellman Assumption.
- We show that the PKE construction from the Boneh-Gentry-Hamburg scheme (FOCS 2007) and the construction from a (public-key based) variant of Cocks' scheme (Peikert, Vaikuntanathan and Waters, Crypto 2008) are SIM-SSO-CPA secure. Although these results may seem natural and not at all surprising, their SIM-SSO-CPA security has not been explicitly reported so far.
- We further show that two PKE constructions from homomorphic trapdoor commitments (Groth, Ostrovsky and Sahai, Crypto 2006, Eurocrypt 2006) are SIM-SSO-CPA secure.
This work is supported by the "Strategic Priority Program" of the Chinese Academy of Sciences, Grant No. Y2W0012306, and the National Natural Science Foundation of China (No. 61502484).
References
Bellare, M., Dowsley, R., Waters, B., Yilek, S.: Standard security does not imply security against selective-opening. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 645–662. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_38
Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009). doi:10.1007/978-3-642-01001-9_1
Böhl, F., Hofheinz, D., Kraschewski, D.: On definitions of selective opening security. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 522–539. Springer, Heidelberg (2012). doi:10.1007/978-3-642-30057-8_31
Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_3
Boneh, D., Gentry, C., Hamburg, M.: Space-efficient identity based encryption without pairings. In: 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2007), pp. 647–657 (2007)
Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30576-7_18
Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997). doi:10.1007/BFb0052229
Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001). doi:10.1007/3-540-45325-3_32
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). doi:10.1007/3-540-46035-7_4
Deng, Y., Song, X., Yu, J., Chen, Y.: On instance compression, Schnorr/Guillou-Quisquater, and the security of classic protocols for unique witness relations. IACR Cryptol. ePrint Archive 2017, 390 (2017)
Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. In: 40th Annual Symposium on Foundations of Computer Science, FOCS 1999, pp. 523–534 (1999)
Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40084-1_8
Fehr, S., Hofheinz, D., Kiltz, E., Wee, H.: Encryption schemes secure against chosen-ciphertext selective opening attacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 381–402. Springer, Heidelberg (2010). doi:10.1007/978-3-642-13190-5_20
Fuchsbauer, G., Heuer, F., Kiltz, E., Pietrzak, K.: Standard security does imply security against selective opening for Markov distributions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 282–305. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49096-9_12
Fujisaki, E.: All-but-many encryption – a new framework for fully-equipped UC commitments. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 426–447. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45608-8_23
Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006). doi:10.1007/11818175_6
Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006). doi:10.1007/11761679_21
Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11:1–11:35 (2012)
Harnik, D., Naor, M.: On the compressibility of NP instances and cryptographic applications. SIAM J. Comput. 39(5), 1667–1713 (2010)
Hazay, C., Patra, A., Warinschi, B.: Selective opening security for receivers. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 443–469. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_19
Hemenway, B., Libert, B., Ostrovsky, R., Vergnaud, D.: Lossy encryption: constructions from general assumptions and efficient selective opening chosen ciphertext security. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 70–88. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25385-0_4
Hofheinz, D.: All-but-many lossy trapdoor functions. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 209–227. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_14
Hofheinz, D., Jager, T., Rupp, A.: Public-key encryption with simulation-based selective-opening security and compact ciphertexts. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 146–168. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53644-5_6
Hofheinz, D., Rao, V., Wichs, D.: Standard security does not imply indistinguishability under selective opening. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 121–145. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53644-5_5
Hofheinz, D., Rupp, A.: Standard versus selective opening security: separation and equivalence results. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 591–615. Springer, Heidelberg (2014). doi:10.1007/978-3-642-54242-8_25
Huang, Z., Liu, S., Qin, B.: Sender-equivocable encryption schemes secure against chosen-ciphertext attacks revisited. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 369–385. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36362-7_23
Jia, D., Lu, X., Li, B.: Receiver selective opening security from indistinguishability obfuscation. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 393–410. Springer, Cham (2016). doi:10.1007/978-3-319-49890-4_22
Jia, D., Lu, X., Li, B.: Constructions secure against receiver selective opening and chosen ciphertext attacks. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 417–431. Springer, Cham (2017). doi:10.1007/978-3-319-52153-4_24
Kalai, Y.T.: Smooth projective hashing and two-message oblivious transfer. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 78–95. Springer, Heidelberg (2005). doi:10.1007/11426639_5
Liu, S., Paterson, K.G.: Simulation-based selective opening CCA security for PKE from key encapsulation mechanisms. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 3–26. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_1
Naor, M., Segev, G.: Public-key cryptosystems resilient to key leakage. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 18–35. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_2
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). doi:10.1007/3-540-48910-X_16
Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). doi:10.1007/978-3-540-85174-5_31
Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, pp. 187–196 (2008)
Wee, H.: KDM-security via homomorphic smooth projective hashing. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 159–179. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49387-8_7
Acknowledgments
The authors would like to thank the anonymous reviewers for their invaluable comments and suggestions. The authors are also grateful to Xin Wang and Haiyang Hu for helpful discussions and advice.
A: Security Proof of the Instantiation in Sect. 3.4
We show that the instantiation satisfies the four properties of a lossy encryption scheme with efficient weak opening.
Proof
- Correctness. This follows readily from the correctness of the \(\mathcal {D}_{l, k}\)-MDDH-based hash proof system.
- Indistinguishability. It is obvious that \((\mathcal {G}, [\mathbf {A} {\varvec{w}}])\) and \((\mathcal {G}, [{\varvec{u}}])\) are computationally indistinguishable under the \(\mathcal {D}_{l, k}\)-MDDH assumption.
- Lossiness. Consider the lossy public key \([{\varvec{x}}] = [{\varvec{u}}]\) where \({\varvec{u}} \leftarrow \mathbb {Z}^l_{q}\). By the smoothness property of the \(\mathcal {D}_{l, k}\)-MDDH-based hash proof system, \([{{\varvec{k}}}^{\mathrm {T}} {\varvec{u}}]\) is statistically indistinguishable from a random element of \(\mathbb {G}\). Since \(\mathrm {H}([{{\varvec{k}}}^{\mathrm {T}} {\varvec{u}}])\) is therefore statistically close to the uniform distribution over \(\{0, 1\}\), so is \(\mathrm {H}([{{\varvec{k}}}^{\mathrm {T}} {\varvec{u}}]) \oplus m\) for any message \(m\).
- Efficient weak openability. See Sect. 3.2.
Remarks. Note that if the property of efficient weak openability is not required, the compression function \(\mathrm {H}\) is unnecessary. In this case the construction must be modified slightly. The injective and lossy key generation algorithms are unchanged; only the encryption and decryption algorithms need to be modified.
- Encryption: On input a message \(m \in \mathbb {G}\), pick \({\varvec{k}} \in \mathbb {Z}^l_q\) and compute \({{\varvec{c}}_1} = [ {\varvec{k}}^{\mathrm {T}} \mathbf {A}]\), \(c_2 = [{\varvec{k}}^{\mathrm {T}} {\varvec{x}}] \cdot m\). Output the ciphertext \(c = ({{\varvec{c}}_1}, c_2)\).
- Decryption: Given a ciphertext \(c = ({{\varvec{c}}_1}, c_2)\) and \(sk = {\varvec{w}}\), output \(m = c_2 / [ {{\varvec{c}}_1} \cdot {\varvec{w}}]\).
The modified construction is an instantiation of the generic lossy encryption in [21] (as well as of the dual Cramer-Shoup scheme in [35], Sect. 2.2), and its correctness is easily verified. When \([{\varvec{x}}] \in \mathcal {X}\), the smoothness property shows that \([{\varvec{k}}^{\mathrm {T}} {\varvec{x}}]\) is completely undetermined. But without the compression function \(\mathrm {H}\) the space of random coins is large, so the algorithm Opener has to enumerate the set of all \({\varvec{k'}} \in \mathbb {Z}^l_q\) such that \([{\varvec{k'}}^{\mathrm {T}} \mathbf {A}] = [{{\varvec{k}}}^{\mathrm {T}} \mathbf {A}]\) until it finds one with \([{\varvec{k'}}^{\mathrm {T}} {\varvec{x}}] \cdot m' = [{{\varvec{k}}}^{\mathrm {T}} {\varvec{x}}] \cdot m\). Hence Opener may not be efficient. By the result in [2], the modified scheme then only achieves IND-SSO-CPA security.
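As an added illustration, not part of the paper, the following Python toy model instantiates the modified (uncompressed) construction above with \(l = 2\), \(k = 1\) (the DDH case of \(\mathcal {D}_{l,k}\)-MDDH) in a small prime-order subgroup of \(\mathbb {Z}_p^*\). It exhibits the three facts the appendix relies on: decryption under an injective key \([\mathbf {A}{\varvec{w}}]\), the lossiness of a key \([{\varvec{u}}]\) with \({\varvec{u}} \notin \mathrm{span}(\mathbf {A})\) (a ciphertext can be opened to any other message \(m'\)), and the cost of the Opener without \(\mathrm {H}\), which must walk through all \(q\) vectors \({\varvec{k'}}\) with \([{\varvec{k'}}^{\mathrm {T}} \mathbf {A}] = [{\varvec{k}}^{\mathrm {T}} \mathbf {A}]\). The group parameters (\(p = 2039\), \(q = 1019\), \(g = 4\)), the function names and the sample messages are constructed for this example and are far too small for real use.

```python
"""Toy model of the uncompressed lossy encryption of Appendix A (l = 2, k = 1).
Constructed example with deliberately tiny parameters so that the Opener's
exhaustive search over Z_q is visible; not the paper's code."""
import random

P = 2039  # prime with P = 2*Q + 1 (toy parameter)
Q = 1019  # prime order of the subgroup G = <g> of Z_P^*
g = 4     # g = 2^2 mod P is a quadratic residue != 1, hence has order Q


def bracket(a):
    """The paper's implicit notation [a] = g^a for a in Z_q."""
    return pow(g, a % Q, P)


def brackets(vec):
    """[v] for a vector v over Z_q, component-wise."""
    return [bracket(a) for a in vec]


def pair(k, elems):
    """[k^T v] computed from the public [v] and the exponent vector k."""
    r = 1
    for ki, ei in zip(k, elems):
        r = r * pow(ei, ki % Q, P) % P
    return r


def inv(x):
    return pow(x, P - 2, P)


def keygen_injective(rng):
    """Injective key: [x] = [A w] with A in Z_q^{2x1}, w in Z_q; sk = w."""
    A = [rng.randrange(1, Q), rng.randrange(1, Q)]
    w = rng.randrange(1, Q)
    x = [(A[0] * w) % Q, (A[1] * w) % Q]
    return (brackets(A), brackets(x)), w


def keygen_lossy(rng):
    """Lossy key: [x] = [u], u uniform in Z_q^2.  u lands in span(A) with
    probability 1/q (then the key is not lossy); such u is rejected.  The
    generation randomness (A, u) is the Opener's trapdoor."""
    A = [rng.randrange(1, Q), rng.randrange(1, Q)]
    while True:
        u = [rng.randrange(Q), rng.randrange(Q)]
        if (A[1] * u[0] - A[0] * u[1]) % Q != 0:   # u not in span(A)
            return (brackets(A), brackets(u)), (A, u)


def encrypt(pk, m, k):
    """c1 = [k^T A], c2 = [k^T x] * m for a message m in G."""
    bA, bx = pk
    return pair(k, bA), pair(k, bx) * m % P


def decrypt(sk, c):
    """m = c2 / [c1 * w] = c2 / c1^w."""
    c1, c2 = c
    return c2 * inv(pow(c1, sk, P)) % P


def opener(trapdoor, c, k, m_target):
    """Open (c, k, m) under a lossy key to m_target: enumerate every
    k' = k + t * a_perp (a_perp spans ker(A^T), so [k'^T A] = [k^T A] holds
    for all t) until [k'^T u] * m_target = c2.  The loop has q iterations,
    which is the inefficiency the Remarks point out."""
    A, u = trapdoor
    c1, c2 = c
    a_perp = [A[1], (-A[0]) % Q]
    for t in range(Q):
        k2 = [(k[0] + t * a_perp[0]) % Q, (k[1] + t * a_perp[1]) % Q]
        if bracket(k2[0] * u[0] + k2[1] * u[1]) * m_target % P == c2:
            return k2
    raise ValueError("key is not lossy: no opening exists")


def demo(seed=7):
    """Run the three checks with seeded randomness and report the outcomes."""
    rng = random.Random(seed)
    m, m_alt = bracket(123), bracket(456)        # constructed messages in G
    k = [rng.randrange(Q), rng.randrange(Q)]
    pk, w = keygen_injective(rng)
    correct = decrypt(w, encrypt(pk, m, k)) == m
    pk_lossy, td = keygen_lossy(rng)
    c_lossy = encrypt(pk_lossy, m, k)
    k_alt = opener(td, c_lossy, k, m_alt)        # same ciphertext, other message
    opened = encrypt(pk_lossy, m_alt, k_alt) == c_lossy
    return {"correct": correct, "opened": opened, "k_changed": k_alt != k}


if __name__ == "__main__":
    print(demo())
```

Under the injective key the ciphertext commits to a single message, while under the lossy key the same pair \(({\varvec{c}}_1, c_2)\) is a valid encryption of \(m'\) with fresh coins \({\varvec{k'}}\), which is the equivocation a selective-opening simulator needs; the point of the compression function \(\mathrm {H}\) in the main construction is to shrink the coin space so that this search no longer costs \(q\) steps.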
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Zhu, D., Zhang, R., Jia, D. (2017). Public-Key Encryption with Simulation-Based Sender Selective-Opening Security. In: Okamoto, T., Yu, Y., Au, M., Li, Y. (eds) Provable Security. ProvSec 2017. Lecture Notes in Computer Science, vol. 10592. Springer, Cham. https://doi.org/10.1007/978-3-319-68637-0_22
DOI: https://doi.org/10.1007/978-3-319-68637-0_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-68636-3
Online ISBN: 978-3-319-68637-0