Public-Key Encryption with Simulation-Based Sender Selective-Opening Security

Abstract

We study public key encryptions (PKE) of simulation-based security against sender selective-opening (SIM-SSO) attacks, where the attacker can corrupt a subset of senders, learning the plaintexts together with the corresponding randomness. Concretely:

• We present a generic construction of SIM-SSO security under chosen plaintext attacks (SIM-SSO-CPA) by combining a lossy encryption given by Hemenway et al. (Asiacrypt 2011), along with a tailored compression algorithm. Our construction gives a simple and modular security analysis. We then present an instantiation based on the Matrix Diffie-Hellman Assumption.

• We show that the PKE construction from Boneh-Gentry-Hamburg scheme (FOCS 2007), and construction from a (public-key based) variant of Cocks’ scheme (Peikert, Vaikuntanathan and Waters, Crypto 2008) are SIM-SSO-CPA secure. Even if these results may seem natural, not surprising at all, their SIM-SSO-CPA security have not been explicitly reported so far.

• We further show that two PKE constructions from homomorphic trapdoor commitments (Groth, Ostrovsky and Sahai, Crypto 2006, Eurocrypt 2006) are SIM-SSO-CPA secure.

This work is Supported by the “Strategic Priority Program” of Chinese Academy of Sciences, Grant No. Y2W0012306, and the National Nature Science Foundation of China (No.61502484).

A: Security Proof of the Instantiation in Sect. 3.4

We show that the instantiation satisfies the four properties of a lossy encryption scheme with efficient weak opening.

Proof

 

Correctness.:

This follows readily from the correctness of \(\mathcal {D}_{l, k}\)-MDDH-based hash proof system.

Indistinguishability.:

It is obvious that \((\mathcal {G}\), \([\mathbf {A} {\varvec{w}}])\) and \((\mathcal {G}, [{\varvec{u}}])\) are computationally indistinguishable under the \(\mathcal {D}_{l, k}\)-MDDH assumption.

Lossiness.:

Consider the lossy public key \([{\varvec{x}}] = [{\varvec{u}}]\) where \({\varvec{u}} \leftarrow \mathbb {Z}^l_{q}\). According to the smoothness property of the \(\mathcal {D}_{l, k}\)-MDDH-based hash proof system, \([{{\varvec{k}}}^{\mathrm {T}} {\varvec{u}}]\) is statistically indistinguishable from a random element in \(\mathbb {G}\). Since \(\mathrm {H}([{{\varvec{k}}}^T {\varvec{u}}])\) is statistically close to uniform distribution over \(\{0, 1\}\), hence \(\mathrm {H}([{{\varvec{k}}}^T {\varvec{u}}])\) \(\oplus m\) will also be statistically close to uniform distribution over \(\{0, 1\}\) for any message m.

Efficient weak openability.:

Please read Sect. 3.2.

 

Remarks. Note that if we do not require the property of efficient weak openability, the compress function \(\mathrm {H}\) is unnecessary. In this case, we need to make some changes of the construction. The Injective key generation algorithm and Lossy key generation algorithm will not change. It only needs to modify the encryption and decryption algorithm.

• Encryption: On input a message \(m \in \mathbb {G}\), picks \({\varvec{k}} \in \mathbb {Z}^l_q\), \({{\varvec{c}}_1} = [ {\varvec{k}}^{\mathrm {T}} \mathbf {A}]\), \(c_2 = [{\varvec{k}}^{\mathrm {T}} {\varvec{x}}] \cdot m\). Outputs ciphertext \(c = ({{\varvec{c}}_1}, c_2)\).

• Decryption: Given ciphertext \(c = ({{\varvec{c}}_1}, c_2)\), \(sk = {\varvec{w}}\). Outputs \(m = ( c_2 \cdot m)/[ {{\varvec{c}}_1} \cdot {\varvec{w}}]\).

The modified construction is an instantiation of the generic lossy encryption in [21] (as well as the dual Cramer-Shoup scheme in [35], Sect. 2.2), and correctness can be easily verified. While \([{\varvec{x}}] \in \mathcal {X}\), smoothness property shows that \([{\varvec{k}}^{\mathrm {T}} {\varvec{x}}]\) is completely undetermined. But without the compress function \(\mathrm {H}\), the space of random coins is large, so algorithm Opener needs to compute the set of all \({{\varvec{k}}}^\mathbf{: } \in \mathbb {Z}^l_q\) such that \([{\varvec{k'}}^{\mathrm {T}} \mathbf {A}] = [{{\varvec{k}}}^{\mathrm {T}} \mathbf {A}]\) until \([{\varvec{k'}}^{\mathrm {T}} {\varvec{x}}] \cdot m' = [{{\varvec{k}}}^{\mathrm {T}} {\varvec{x}}] \cdot m\). Hence, Opener may not efficient. According to the result in [2], the modified scheme only achieves IND-SSO-CPA security.