Abstract
We initiate the study of public-key encryption (PKE) schemes and key-encapsulation mechanisms (KEMs) that retain security even when the public parameters (primes, curves) they use may be untrusted and subverted. We define a strong security goal that we call ciphertext pseudorandomness under parameter subversion attack (CPR-PSA). We also define indistinguishability (of ciphertexts for PKE, and of encapsulated keys from random ones for KEMs) and public-key hiding (also called anonymity) under parameter subversion attack, and show they are implied by CPR-PSA, for both PKE and KEMs. We show that hybrid encryption continues to work in the parameter subversion setting to reduce the design of CPR-PSA PKE to CPR-PSA KEMs and an appropriate form of symmetric encryption. To obtain efficient, elliptic-curve-based KEMs achieving CPR-PSA, we introduce efficiently-embeddable group families and give several constructions from elliptic curves.
1 Introduction
This paper initiates a study of public-key encryption (PKE) schemes, and key-encapsulation mechanisms (KEMs), resistant to subversion of public parameters. We give definitions, and efficient, elliptic-curve-based schemes. As a tool of independent interest, we define efficiently-embeddable group families and construct them from elliptic curves.
Parameter subversion. Many cryptographic schemes rely on some trusted, public parameters common to all users and implementations. Sometimes these are specified in standards. The Oakley primes [39], for example, are a small number of fixed prime numbers widely used for discrete-log-based systems. For ECC (Elliptic Curve Cryptography), the parameters are particular curves. Examples include the P-192, P-224, ... curves from the FIPS 186-4 [38] standard and Ed25519 [16].
There are many advantages to such broad use of public parameters. For example, it saves implementations from picking their own parameters, a task that can be error-prone and difficult to do securely. It also makes key generation faster and allows concrete-security improvements in the multi-user setting [7]. Recent events indicate, however, that public parameters also bring a risk, namely that they can be subverted. The representative example is Dual EC. We refer to [19] for a comprehensive telling of the story. Briefly, Dual EC was a PRG whose parameters consisted of a description of a cyclic group and two generators of the group. If the discrete logarithm of one generator to the base of the other were known, security would be compromised. The Snowden revelations indicate that NIST had adopted parameters provided by the NSA, and many now believe these parameters had been subverted, allowing the NSA to compromise the security of Dual EC. Juniper's use of Dual EC further underscores the dangers [21].
Security in the face of parameter subversion. DGGJR [26] and BFS [9] initiated the study of cryptography that retains security in the face of subverted parameters, the former treating PRGs and the latter treating NIZKs, where the parameter is the common reference string. In this paper we treat encryption. We define what it means for parameter-using PKE schemes and KEMs to retain security in the face of subversion of their parameters. With regard to schemes, ECC relies heavily on trusted parameters. Accordingly we focus there, providing various efficient elliptic-curve-based schemes that retain security in the face of parameter subversion.
Current mitigations. In practice, parameters are sometimes specified in a verifiable way, for example derived deterministically (via a public algorithm) from publicly-verifiable coins. The coins could be obtained by applying a hash function like SHA-1 to some specified constants (as is in fact done for the FIPS 186-4 curves [38] and in the ECC Brainpool project), via the first digits of the irrational number \(\pi \), or via lottery outcomes [5]. This appears to reduce the possibility of subversion, but BCCHLN [15] indicate that the potential for subverting elliptic curves still remains, so there is cause for caution even in this regard. Also, even if such mechanisms might "work" in some sense, we need definitions to understand what "work" means, and proofs to ensure definitions are met. Our work gives such definitions.
Background. A PKE scheme specifies a parameter generation algorithm that returns parameters \(\pi \), a key-generation algorithm that takes \(\pi \) and returns a public key \( pk \) and matching secret key \( sk \), an encryption algorithm that given \(\pi , pk \) and message m returns a ciphertext c, and a decryption algorithm that given \(\pi , sk ,c\) recovers m. We denote the classical notions of security by \(\mathrm {IND}\)—indistinguishability of ciphertexts under chosen-ciphertext attack [8, 22]—and \(\mathrm {PKH}\)—public-key hiding, also called anonymity, which asks that ciphertexts not reveal the public key under which they were created [6]. For KEMs, parameter and key generation are the same, encryption is replaced by encapsulation—it takes \(\pi , pk \) to return an encapsulated key K and a ciphertext c that encapsulates K—and decryption is replaced by decapsulation—given \(\pi , sk ,c\) it recovers K. We continue to denote the classical goals by \(\mathrm {IND}\)—this now asks for indistinguishability of encapsulated keys from random under chosen-ciphertext attack [23]—and \(\mathrm {PKH}\). We stress that these classical notions assume honest parameter generation, meaning the parameters are trusted.
We know that, in this setting, \(\mathrm {IND}\) PKE is reduced, via hybrid encryption, to \(\mathrm {IND}\) KEMs and IND-CPA symmetric encryption [23]. To the best of our knowledge, no analogous result exists for \(\mathrm {PKH}\).
Mass surveillance activities have made apparent the extent to which privacy can be violated purely by access to metadata, including who is communicating with whom. PKE and KEMs providing \(\mathrm {PKH}\) are tools towards systems that do more to hide identities of communicants. We will thus target this goal in the parameter subversion setting as well.
Definitions and relations. For both PKE and KEMs, we formulate a goal called ciphertext pseudorandomness under parameter subversion attack, denoted \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\). It asks that ciphertexts be indistinguishable from strings drawn randomly from the ciphertext space, even under a chosen-ciphertext attack (CCA). We also extend the above-discussed classical goals to the parameter subversion setting, defining \(\mathrm {IND}\hbox {-}\mathrm {PSA}\) and \(\mathrm {PKH}\hbox {-}\mathrm {PSA}\). For both PKE (Proposition 1) and KEMs (Proposition 2) we show that \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\) implies both \(\mathrm {IND}\hbox {-}\mathrm {PSA}\) and \(\mathrm {PKH}\hbox {-}\mathrm {PSA}\). We thus get the relations between the new and classical notions summarized in Fig. 1. (Here \(\mathrm {CPR}\) is obtained by dropping the PSA in \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\), meaning it is our definition with honest parameter generation. This extends the notions of [26, 37] to allow a CCA.)
We ask whether we can reduce the design of \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\) PKE to the design of \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\) KEMs via hybrid encryption. Proposition 3 says the answer is yes, but, interestingly, requires that the KEM has an extra property of well-distributed ciphertexts that we denote \(\mathrm {WDC}\hbox {-}\mathrm {PSA}\). (The symmetric encryption scheme is required to have pseudorandom ciphertexts. Such symmetric schemes are easily obtained.) We now have a single, strong target for constructions, namely \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\)+\(\mathrm {WDC}\hbox {-}\mathrm {PSA}\) KEMs. (By the above they imply \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\) PKE, which in turn implies \(\mathrm {IND}\hbox {-}\mathrm {PSA}\) PKE and \(\mathrm {PKH}\hbox {-}\mathrm {PSA}\) PKE.) Our goal thus becomes to build efficient KEMs that are \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\)+\(\mathrm {WDC}\hbox {-}\mathrm {PSA}\).
Parameter-free schemes. We say that a scheme (PKE or KEM) is parameter-free if there are no parameters. (Formally, the parameters are the empty string \(\varepsilon \).) Note that a parameter-free scheme that is \(\mathrm {XXX}\)-secure is trivially also \(\mathrm {XXX}\hbox {-}\mathrm {PSA}\)-secure. (\(\mathrm {XXX}\in \{\mathrm {CPR},\mathrm {IND},\mathrm {PKH}\}\).) This is an important observation, and some of our schemes will indeed be parameter-free, but, as we discuss next, this observation does not trivialize the problem.
Issues and challenges. In an attempt to achieve PSA security through the above observation, we could consider the following simple way to eliminate parameters. Given an \(\mathrm {XXX}\)-secure parameter-using scheme, build a parameter-free version of it as follows: the new scheme sets its parameters to the empty string; key generation runs the old parameter generation algorithm to get \(\pi \), then the old key generation algorithm to get \( pk \) and \( sk \), setting the new public and secret keys to \((\pi , pk )\) and \((\pi , sk )\), respectively; encryption and decryption can then follow the old scheme. This trivial construction, however, has drawbacks along two dimensions that we expand on below: (1) security and (2) efficiency.
With regard to security, the question is, if the old scheme is \(\mathrm {XXX}\), is the new one too? (If so, it is also \(\mathrm {XXX}\hbox {-}\mathrm {PSA}\), since it is parameter-free, so we only need to consider the classical notions.) The answer to the question is yes if \(\mathrm {XXX}=\mathrm {IND}\), but no if \(\mathrm {XXX}\in \{\mathrm {PKH},\mathrm {CPR}\}\). Imagine, as is typical, that the parameters describe a group. Then in the new scheme, different users use different, independent groups. This will typically allow violation of \(\mathrm {PKH}\) [6]. For example, in the El Gamal KEM, a ciphertext is a group element, so if two users have groups \(\mathbb {G}_0\) and \(\mathbb {G}_1\), respectively, one can determine which user generated a ciphertext by seeing to which of the two groups it belongs. The same is true for RSA where the group \(\mathbb {G}_i = \mathbb {Z}_{N_i}\) is determined by the modulus \(N_i\) in the key of user i. Even when the moduli have the same bit length, attacks in [6] show how to violate \(\mathrm {PKH}\)-security of the simple RSA KEM.
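The membership-test attack sketched above, worked through as an added example (this is illustrative code, not code from the paper): a toy El Gamal KEM in which each user runs the "old" parameter generation itself, exactly as in the trivial parameter-free transform, so the two users in the PKH game end up in order-q subgroups of \(\mathbb {Z}_p^*\) for different, independently chosen safe primes p. The adversary just tests which user's group the challenge ciphertext lies in and guesses at random only when it lies in both. The 16-bit primes, the choice of generator and the hash-based key derivation are toy assumptions for the example and give no security; the contrast run with shared parameters shows the same adversary reduced to guessing.

```python
"""Toy El Gamal KEM with per-user groups, and the public-key-hiding attack
of [6] that this enables. Added illustration; all sizes are toy (16-bit)
and deliberately insecure."""
import hashlib
import random


def is_prime(n):
    """Trial division; adequate for the 16-bit toy primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def safe_prime_above(n):
    """Smallest safe prime p = 2q+1 with p >= n (toy parameter generation)."""
    p = n | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p


def param_gen(rng):
    """'Old' parameter generation: the order-q subgroup of Z_p^*, p = 2q+1.
    g = 4 is a square, hence has order exactly q for p > 5."""
    p = safe_prime_above(rng.randrange(2 ** 15, 2 ** 16))
    return (p, (p - 1) // 2, 4)


def key_gen(params, rng):
    p, q, g = params
    x = rng.randrange(1, q)
    return pow(g, x, p), x          # (pk, sk)


def encap(params, pk, rng):
    """El Gamal KEM: the ciphertext is a group element g^r, K = H(pk^r)."""
    p, q, g = params
    r = rng.randrange(1, q)
    return hashlib.sha256(str(pow(pk, r, p)).encode()).digest(), pow(g, r, p)


def decap(params, sk, c):
    p, _, _ = params
    return hashlib.sha256(str(pow(c, sk, p)).encode()).digest()


def in_group(c, params):
    """Membership test for the order-q subgroup: c in [1, p) and c^q = 1."""
    p, q, _ = params
    return 1 <= c < p and pow(c, q, p) == 1


def kem_roundtrip(seed=1):
    rng = random.Random(seed)
    params = param_gen(rng)
    pk, sk = key_gen(params, rng)
    K, c = encap(params, pk, rng)
    return decap(params, sk, c) == K


def pkh_success_rate(trials=500, shared_params=False, seed=1):
    """Estimate the adversary's success probability in the PKH game.
    shared_params=False models the parameter-free transform (each user runs
    param_gen itself); shared_params=True models one common, honest group."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        params0 = param_gen(rng)
        params1 = params0 if shared_params else param_gen(rng)
        pk0, _ = key_gen(params0, rng)
        pk1, _ = key_gen(params1, rng)
        b = rng.randrange(2)
        _, c = encap((params0, params1)[b], (pk0, pk1)[b], rng)
        # Adversary: to which user's group does the ciphertext belong?
        in0, in1 = in_group(c, params0), in_group(c, params1)
        if in0 and not in1:
            guess = 0
        elif in1 and not in0:
            guess = 1
        else:
            guess = rng.randrange(2)
        wins += (guess == b)
    return wins / trials


if __name__ == "__main__":
    print("per-user groups:", pkh_success_rate(shared_params=False))
    print("shared group:   ", pkh_success_rate(shared_params=True))
```

With independent groups a ciphertext of user 0 fails user 1's membership test roughly half of the time (it is either too large for \(p_1\) or not a square modulo \(p_1\)), so the adversary wins about three quarters of the games; with a shared group both tests always pass and the rate drops to one half. IND is unaffected because the attack learns nothing about the encapsulated key, which is exactly the asymmetry between IND and PKH noted in the text.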
With regard to efficiency, the drawback is that we lose the benefits of parameter-using schemes noted above. In particular, key generation is less efficient (because it involves parameter generation for the old scheme, which can be costly), and public keys are longer (because they contain the parameters of the old scheme). We aim to retain, as much as possible, the efficiency benefits of parameters while adding resistance to PSA.
BBDP [6] give (1) parameter-free \(\mathrm {IND}\)+\(\mathrm {PKH}\) RSA-based PKE schemes and (2) parameter-using discrete-log-based \(\mathrm {IND}\)+\(\mathrm {PKH}\) PKE schemes. The former, being parameter-free, are \(\mathrm {IND}\hbox {-}\mathrm {PSA}\)+\(\mathrm {PKH}\hbox {-}\mathrm {PSA}\), but they are not \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\) and they are not as efficient as ECC-based schemes. The latter, while ECC-based and fast, are not secure against PSA.
The open question that emerges is thus to design efficient, ECC-based KEMs that are \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\)+\(\mathrm {WDC}\hbox {-}\mathrm {PSA}\). The technical challenge is to achieve \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\) (and thus \(\mathrm {PKH}\hbox {-}\mathrm {PSA}\)) even though the groups of different users may be different.
Overview of the approach. We introduce and formalize efficiently-embeddable group (eeg) families and identify desirable security properties for them. We give a transform constructing \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\)+\(\mathrm {WDC}\hbox {-}\mathrm {PSA}\) KEMs from secure eeg families. This reduces our task to finding secure eeg families. We propose several instantiations of eeg families from elliptic curves with security based on different assumptions. An overview of the resulting KEMs is given in Table 1. We discuss our results in greater detail below.
Efficiently-embeddable group families. As described above, having users utilize different groups typically enables linking ciphertexts to the intended receiver and hence violating \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\). However, certain families of groups allow one to efficiently map group elements into a space that is independent of the particular group of the family. Building on such group families it is possible to achieve \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\)-secure encryption while still allowing each user to choose its own group.
We formalize the required properties via efficiently embeddable group families, a novel abstraction that we believe is of independent interest. An eeg family \(\mathsf {EG}\) specifies a parameter generation algorithm \(\mathsf {EG{.}P}\), sampling parameters to be used by the other algorithms, and a group generation algorithm \(\mathsf {EG{.}G}\), sampling a group from the family. Embedding algorithm \(\mathsf {EG{.}E}\) embeds elements of the group into some embedding space \(\mathsf {EG{.}ES}\). The group element can be recovered using inversion algorithm \(\mathsf {EG{.}I}\). An important property is that the embedding space depends only on the parameters and in particular not on the group used. Looking ahead, the KEM's public key will contain a group sampled with \(\mathsf {EG{.}G}\) and ciphertexts will be embeddings. We require two security properties of \(\mathsf {EG}\) in order to obtain \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\)+\(\mathrm {WDC}\hbox {-}\mathrm {PSA}\) KEMs. Both assume parameter subversion attacks and are defined with respect to a sampling algorithm \( \mathsf {EG{.}S}\), which samples (not necessarily uniformly distributed) group elements. The first, embedding pseudorandomness (\({\mathrm {EPR}\hbox {-}\mathrm {PSA}}\)), is that embeddings of group elements sampled with \( \mathsf {EG{.}S}\) are indistinguishable from uniform. Further we define the strong computational Diffie-Hellman assumption (\(\mathrm {sCDH}\hbox {-}\mathrm {PSA}\)) with respect to \(\mathsf {EG}\), an adaptation of the interactive assumption introduced in [2] to our setting. It differs from the usual strong computational Diffie-Hellman assumption in two points: the group used for the challenge is sampled using \(\mathsf {EG{.}G}\) on a parameter of the adversary's choice, and one of the exponents used in the challenge is sampled with sampling algorithm \( \mathsf {EG{.}S}\).
Key encapsulation mechanisms from eeg families. We provide a transform \(\mathbf {eegToKE1}\) of eeg families to secure KEMs. If the eeg family is both \({\mathrm {EPR}\hbox {-}\mathrm {PSA}}\) and \(\mathrm {sCDH}\hbox {-}\mathrm {PSA}\), the resulting KEM is \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\) and \(\mathrm {WDC}\hbox {-}\mathrm {PSA}\).
Key encapsulation from weaker assumptions. In the full version of this paper [4] we give a second transform \(\mathbf {eegToKE2}\) from eeg families to secure KEMs. It is applicable to eeg families consisting of groups whose order has no small prime factors. Its security is based on the weaker computational Diffie-Hellman assumption (\(\mathrm {CDH}\hbox {-}\mathrm {PSA}\)), i.e. it yields a \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\) and \(\mathrm {WDC}\hbox {-}\mathrm {PSA}\) KEM under the weaker assumption that \(\mathsf {EG}\) is both \({\mathrm {EPR}\hbox {-}\mathrm {PSA}}\) and \(\mathrm {CDH}\hbox {-}\mathrm {PSA}\). However, this comes at the cost of larger key size and slower encapsulation and decapsulation.
Instantiations from elliptic curves. We propose several instantiations of eeg families from elliptic curves. It is well known that elliptic curves are not all equal in security. We target elliptic-curve groups over the field \(\mathbb {F}_p\) for a large odd prime p, since they are less vulnerable to discrete-log-finding attacks than groups over fields of characteristic two [28, 40]. While the use of standardized primes allows for more efficient implementations, several cryptanalysts further suggest that p should be as random as possible for maximal security; see for example Brainpool's RFC on ECC [36]. These constraints make building eeg families more challenging. We offer solutions for both cases. We first identify an eeg family implicitly given in prior work [34, 37]. The family consists of curve-twist pairs of elliptic curves. Its embedding space depends on the modulus p of the underlying field, which serves as the parameter of the construction.
Building on eeg family \(\mathsf {EG}_{\text {twist}}\) we also provide alternatives that no longer rely on a fixed modulus. These constructions have empty parameters, and p is sampled at random in the group generation algorithm. The technical challenge is to still achieve pseudorandom embeddings in an embedding space independent of the group. Our solution \(\mathsf {EG}_{\text {twist-rs}}^{\ell }\) achieves this by using rejection sampling with cutoff parameter \(\ell \). Its embedding space consists of bit strings whose length depends only on the security parameter. The sampling algorithm has a worst-case running time of \(\ell \) exponentiations, but the average cost is two exponentiations, independently of \(\ell \). Eeg family \(\mathsf {EG}_{\text {twist-re}}\) uses a range expansion technique from [33] and improves on \(\mathsf {EG}_{\text {twist-rs}}^{\ell }\) both in terms of efficiency and security. As in the other construction, embeddings are bit strings, but sampling requires only a single exponentiation.
Security of the instantiations. We now discuss the security properties of our instantiations in greater detail. An overview is given in Table 2. All of our constructions achieve \({\mathrm {EPR}\hbox {-}\mathrm {PSA}}\) statistically. Embeddings in eeg families \(\mathsf {EG}_{\text {twist}}\) and \(\mathsf {EG}_{\text {twist-re}}\) are perfectly random, i.e. any (unbounded) adversary has advantage 0 in breaking \({\mathrm {EPR}\hbox {-}\mathrm {PSA}}\). For family \(\mathsf {EG}_{\text {twist-rs}}^{\ell }\) the advantage decays exponentially in the cutoff bound \(\ell \).
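An added illustration (not the paper's construction, whose exact algorithms are not reproduced here) of the curve/twist mechanism that the \(\mathsf {EG}_{\text {twist}}\) family builds on, following the idea of [34, 37]: over \(\mathbb {F}_p\), for every \(u\in \mathbb {F}_p\) the value \(f(u)=u^3+au+b\) is zero, a square or a non-square, so u is the x-coordinate of points on the curve \(E: y^2=f(x)\) or, after rescaling by a non-residue d, of points on its quadratic twist \(E'\). A point of either curve can therefore be embedded into \(\mathbb {F}_p\) by its (rescaled) x-coordinate, which makes the embedding space depend only on p and not on which of the two groups the point lives in. The toy values \(p=1019\), \(a=1\), \(b=7\) and the twisting non-residue \(d=-1\) (a non-square because \(p\equiv 3 \pmod 4\)) are assumptions of the example. The check enumerates every affine point of E and \(E'\) and confirms that each \(u\in \mathbb {F}_p\) has exactly two preimages, which is why a uniformly chosen affine point embeds to a perfectly uniform u, the kind of fact behind the advantage-0 \({\mathrm {EPR}\hbox {-}\mathrm {PSA}}\) statement above; how the paper's sampler \(\mathsf {EG{.}S}\) treats the identity element and the sign of y is not reproduced.

```python
"""Curve/twist x-coordinate embedding over F_p (toy parameters).
Added illustration of the mechanism behind EG_twist; not the paper's code."""

P, A, B = 1019, 1, 7   # E: y^2 = x^3 + A x + B over F_P, with P = 3 (mod 4)
D = P - 1              # -1 is a non-square for P = 3 (mod 4); the twist is
                       # E': y^2 = x^3 + A D^2 x + B D^3 (x' = D x, y' = D^2 y)
assert (4 * A ** 3 + 27 * B ** 2) % P != 0    # E is non-singular


def f(x):
    return (x ** 3 + A * x + B) % P


def rhs(which, x):
    """Right-hand side of the curve equation of E (0) or E' (1) at x."""
    return f(x) if which == 0 else (x ** 3 + A * D * D * x + B * D ** 3) % P


def legendre(n):
    """1 if n is a nonzero square mod P, P-1 if a non-square, 0 if n = 0."""
    return pow(n % P, (P - 1) // 2, P)


def sqrt_mod(n):
    """Square root mod P for P = 3 (mod 4); caller guarantees n is a square."""
    return pow(n % P, (P + 1) // 4, P)


def on_curve(which, pt):
    x, y = pt
    return (y * y - rhs(which, x)) % P == 0


def affine_points(which):
    """All affine points of E (which=0) or E' (which=1), by solving for y."""
    pts = []
    for x in range(P):
        r = rhs(which, x)
        if r == 0:
            pts.append((x, 0))
        elif legendre(r) == 1:
            y = sqrt_mod(r)
            pts.extend([(x, y), (x, P - y)])
    return pts


def embed(which, pt):
    """Embedding: a point of E maps to its x, a point of E' to x / D."""
    x = pt[0]
    return x if which == 0 else (x * pow(D, -1, P)) % P


def invert(u):
    """Inversion: the (curve, point) pairs embedding to u; never fails."""
    r = f(u)
    if r == 0:                      # one 2-torsion point on each curve
        return [(0, (u, 0)), (1, ((u * D) % P, 0))]
    if legendre(r) == 1:            # f(u) square: two points on E
        y = sqrt_mod(r)
        return [(0, (u, y)), (0, (u, P - y))]
    # f(u) non-square: on E' at x' = D u, where y'^2 = D^3 f(u) IS a square
    y = sqrt_mod(D ** 3 * r)
    return [(1, ((u * D) % P, y)), (1, ((u * D) % P, P - y))]


def fibre_sizes():
    """How many affine points of E and E' together embed to each u in F_P."""
    counts = [0] * P
    for which in (0, 1):
        for pt in affine_points(which):
            counts[embed(which, pt)] += 1
    return counts


def embedding_is_uniform():
    """Every u has exactly two preimages, so a uniform affine point of
    E or E' (2P points in total) embeds to a uniform element of F_P."""
    return all(c == 2 for c in fibre_sizes())


def inversion_consistent():
    """Each inverse is a valid point of the claimed curve and re-embeds to u."""
    return all(on_curve(w, pt) and embed(w, pt) == u
               for u in range(P) for w, pt in invert(u))


if __name__ == "__main__":
    print("|E| + |E'| (affine) =", len(affine_points(0)) + len(affine_points(1)))
    print("uniform:", embedding_is_uniform(), "invertible:", inversion_consistent())
```

The count \(|E|+|E'| = 2p\) affine points (plus the two points at infinity, which have no embedding) is the standard curve/twist identity; the uniformity of the embedding rests on it, and it holds for every p, not only the toy one, which is why the embedding space can be fixed as \(\mathbb {F}_p\) once p is a parameter. Recovering only the x-coordinate loses the sign of y, so a KEM built this way must either make its shared secret independent of that sign or carry it separately; the example does not settle that design choice.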
Diffie-Hellman problem \(\mathrm {sCDH}\hbox {-}\mathrm {PSA}\) is non-standard. It is defined with respect to the eeg family's sampling algorithm and assumes parameter subversion attacks. However, for all of our proposed instantiations we are able to show that \(\mathrm {sCDH}\hbox {-}\mathrm {PSA}\) can be reduced to assumptions that no longer depend on the sampling algorithms but use uniformly sampled exponents instead. Considering the parameters of our constructions, they belong to one of two classes. Eeg family \(\mathsf {EG}_{\text {twist}}\) uses the modulus p as parameter, which might be subject to subversion. Accordingly \(\mathrm {sCDH}\hbox {-}\mathrm {PSA}\) in this case corresponds to the assumption that the adversary's ability to choose p does not improve its capacity to solve Diffie-Hellman instances on either the curve or its twist for a curve-twist pair sampled from the family. Eeg families \(\mathsf {EG}_{\text {twist-rs}}^{\ell }\) and \(\mathsf {EG}_{\text {twist-re}}\) serve as more conservative alternatives. They are parameter-free and each user chooses its own modulus at random, resulting in the weaker assumption that solving Diffie-Hellman instances over curves sampled with respect to a randomly chosen modulus is hard.
Instantiations from Elligator curves. In the full version of this paper [4] we provide alternatives to our curve-twist-pair-based constructions. Eeg families \(\mathsf {EG}_{\text {ell1}}^{\ell }\), \(\mathsf {EG}_{\text {ell2}}^{\ell }\), \(\mathsf {EG}_{\text {ell1-rs}}^{\ell }\) and \(\mathsf {EG}_{\text {ell2-rs}}^{\ell }\) make use of the Elligator 1 and Elligator 2 curves of [17]. \(\mathsf {EG}_{\text {ell1}}^{\ell }\) and \(\mathsf {EG}_{\text {ell2}}^{\ell }\) were implicitly given in [17] and use the modulus of the underlying field as parameter. Constructions \(\mathsf {EG}_{\text {ell1-rs}}^{\ell }\) and \(\mathsf {EG}_{\text {ell2-rs}}^{\ell }\) serve as parameter-free alternatives.
Related work. One might consider generating parameters via a multiparty computation protocol so that no particular party controls the outcome. It is unclear however what parties would perform this task and why one might trust any of them. PKE resistant to parameter subversion provides greater security.
Parameter subversion as we consider it allows the adversary full control of the parameters. This was first considered for NIZKs [9] and (under the term backdoored) for PRGs [25, 26]. Various prior works, in various contexts, considered relaxing the assumptions on parameters in some way [20, 30, 32, 35], but these do not allow the adversary full control of the parameters and thus do not provide security against what we call parameter subversion.
Algorithm-substitution attacks, studied in [3, 10, 11, 12, 24], are another form of subversion, going back to the broader framework of kleptography [43, 44]. The cliptography framework of RTYZ [41] aims to capture many forms of subversion. In [42] the same authors consider PKE that retains security in the face of substitution of any of its algorithms, but do not consider parameter subversion.
2 Preliminaries
Notation. We let \(\varepsilon \) denote the empty string. If X is a finite set, we let denote picking an element of X uniformly at random and assigning it to x. All our algorithms are randomized and polynomial time (PT) unless stated otherwise. An adversary is an algorithm. Running time is worst case. If A is an algorithm, we let \(y \leftarrow A(x_1,\ldots ;r)\) denote running A with random coins r on inputs \(x_1,\ldots \) and assigning the output to y. We let be the result of picking r at random and letting \(y \leftarrow A(x_1,\ldots ;r)\). We let \([A(x_1,\ldots )]\) denote the set of all possible outputs of A when invoked with inputs \(x_1,\ldots \). We use the code-based game-playing framework of [14]. (See Fig. 3 for an example.) By \(\Pr [\mathrm {G}]\) we denote the probability that the execution of game \(\mathrm {G}\) results in the game returning \(\mathsf {true}\). We also adopt the convention that the running time of an adversary refers to the worst-case execution time of the game with the adversary. This means that the time taken for oracles to compute replies to queries is included. The random oracle model [13] is captured by a game procedure \({ \textsc {RO}}\) that implements a variable-output-length random oracle. It takes a string x and an integer m and returns a random m-bit string. We denote by \(\mathcal {P}_k\) the set of primes of bit length k and by [d] the set \(\{ 0, \dots , d-1 \}\). Furthermore, the uniform distribution on M is denoted by \(U_M\). If two random variables X and Y are equal in distribution we write \(X\sim Y\). The statistical distance between X and Y is denoted by \(\varDelta (X;Y)\). If \(\varDelta (X;Y) \le \delta \) we say X is \(\delta \)-close to Y.
3 Public-Key Encryption Resistant to Parameter Subversion
In this section we recall public-key encryption schemes and key encapsulation mechanisms. For both primitives we define the strong security notion of pseudorandomness of ciphertexts in the setting of parameter subversion and show that it implies both indistinguishability of encryptions and public-key hiding. We further define the security notion of well-distributedness of ciphertexts for key encapsulation mechanisms. Finally, we recall symmetric encryption schemes and revisit the hybrid encryption paradigm in the setting of ciphertext pseudorandomness under parameter subversion attacks.
3.1 Public-Key Encryption Schemes
Below we give a syntax for public-key encryption schemes. It follows [23], but uses slightly different notation and includes an additional algorithm setting up global parameters to be utilized by all users. We then formalize a novel security requirement of pseudorandomness of ciphertexts under parameter subversion attacks (\(\mathrm {CPR}\hbox {-}\mathrm {PSA}\)), which says that even if the parameters of the scheme are controlled by the adversary, ciphertexts obtained under any public key are indistinguishable from random elements of the ciphertext space, which depends only on the security parameter, the message length and the global parameters. We then recall two existing requirements on public-key encryption schemes, adapting them to the setting of parameter subversion attacks. The first is the well-known notion of indistinguishability of encryptions [31]; the second, from [1, 6], is that ciphertexts under different public keys are indistinguishable, which those works call anonymity or key hiding and we call public-key hiding. In Proposition 1 we show that the first requirement implies the other two, allowing us to focus on it subsequently. We model the possibility of subverted parameters by having the adversary provide the parameters that are used in the security games.
Public-Key Encryption. A public-key encryption scheme (PKE) \({\mathsf {PE}}\) specifies the following. Parameter generation algorithm \({\mathsf {PE{.}P}}\) takes input \(1^k\), where \(k\in \mathbb {N}\) is the security parameter, and returns global parameters \(\pi \). Key-generation algorithm \({\mathsf {PE{.}G}}\) takes input \(1^k, \pi \) and returns a tuple \(( pk , sk )\) consisting of the public (encryption) key \( pk \) and matching secret (decryption) key \( sk \). \({\mathsf {PE{.}CS}}\) associates to k, \(\pi \) and message length \(m\in \mathbb {N}\) a finite set \({\mathsf {PE{.}CS}}(k,\pi ,m)\) that is the ciphertext space of \({\mathsf {PE}}\). Encryption algorithm \({\mathsf {PE{.}E}}\) takes \(1^k,\pi , pk \) and a message \(M\in \{0,1\}^*\) and returns a ciphertext \(c\in {\mathsf {PE{.}CS}}(k,\pi ,\left| M \right| )\). Deterministic decryption algorithm \({\mathsf {PE{.}D}}\) takes \(1^k,\pi , sk \) and a ciphertext c and returns either a message \(M\in \{0,1\}^*\) or the special symbol \(\bot \) indicating failure. The correctness condition requires that for all \(k\in \mathbb {N}\), all \(\pi \in [{\mathsf {PE{.}P}}(1^k)] \), all \(( pk , sk ) \in [{\mathsf {PE{.}G}}(1^k,\pi )]\) and all \( M\in \{0,1\}^* \) we have \(\Pr _{}\mathopen {}\left[ {\mathsf {PE{.}D}}(1^k,\pi , sk ,c)=M\right] \mathclose {}\ge 1 - {\mathsf {PE{.}de}}(k)\), where the probability is over and \({\mathsf {PE{.}de}}:\mathbb {N}\rightarrow \mathbb {R}_{\ge 0}\) is the decryption error of \({\mathsf {PE}}\). Our PKEs will be in the ROM [13], which means the encryption and decryption algorithms have access to a random oracle specified in the security games. Correctness must then hold for all choices of the random oracle. We say a PKE is parameter-free if \({\mathsf {PE{.}P}}\) returns \(\varepsilon \) on every input \(1^k\).
Ciphertext pseudorandomness. Consider game \(\mathbf {G}^{\mathrm {cpr}\hbox {-}\mathrm {psa}}_{{\mathsf {PE}},\mathcal {A}}(k)\) of Fig. 2 associated to PKE \({\mathsf {PE}}\), adversary \(\mathcal {A}\) and security parameter k, and let
We say that \({\mathsf {PE}}\) has pseudorandom ciphertexts under parameter subversion attacks (also called \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\)) if the function \(\mathbf {Adv}^{\mathrm {cpr}\hbox {-}\mathrm {psa}}_{{\mathsf {PE}},\mathcal {A}}(\cdot )\) is negligible for every \(\mathcal {A}\). In the game, b is a challenge bit. When \(b=1\), the challenge ciphertext \(c^*\) is an encryption of a message of the adversary's choice, but if \(b=0\) it is chosen at random from the ciphertext space. Given the public key and challenge ciphertext, the adversary outputs a guess \(b'\) and wins if \(b'\) equals b, the game returning \(\mathsf {true}\) in this case and \(\mathsf {false}\) otherwise. The adversary has access to an oracle \( { \textsc {Init}}\), which sets up the public key using parameters of the adversary's choice, and an oracle \( { \textsc {Enc}}\) to generate the challenge ciphertext. Furthermore it has access to the random oracle and to a decryption oracle crippled so as not to work on the challenge ciphertext. We require that the adversary queries the oracles \( { \textsc {Init}}\) and \( { \textsc {Enc}}\) only once. Furthermore \( { \textsc {Init}}\) has to be queried before using any of the other oracles.
Indistinguishability of encryptions. Consider game \(\mathbf {G}^{\mathrm {ind}\hbox {-}\mathrm {psa}}_{{\mathsf {PE}},\mathcal {A}}(k)\) of Fig. 2 associated to PKE \({\mathsf {PE}}\), adversary \(\mathcal {A}\) and security parameter k, and let
We say that \({\mathsf {PE}}\) has indistinguishable encryptions under parameter subversion attacks (also called \( \mathrm {IND}\hbox {-}\mathrm {PSA}\)) if the function \(\mathbf {Adv}^{\mathrm {ind}\hbox {-}\mathrm {psa}}_{{\mathsf {PE}},\mathcal {A}}(\cdot )\) is negligible for every \(\mathcal {A}\). In the game, b is a challenge bit. The adversary has access to an oracle \( { \textsc {Init}}\), which sets up the public key using parameters of the adversary's choice, and an oracle \( { \textsc {Enc}}\), which receives as input two messages \( M_0 \), \( M_1 \) of the same length and outputs the challenge ciphertext \( c^* \). When \(b=0\), the challenge ciphertext is an encryption of \( M_0 \); if \(b=1\), an encryption of \( M_1 \). Given the public key and challenge ciphertext, the adversary outputs a guess \(b'\) and wins if \(b'\) equals b, the game returning \(\mathsf {true}\) in this case and \(\mathsf {false}\) otherwise. Again, the adversary has access to the random oracle and to a decryption oracle crippled so as not to work on the challenge ciphertext. We require that the adversary queries the oracles \( { \textsc {Init}}\) and \( { \textsc {Enc}}\) only once. Furthermore \( { \textsc {Init}}\) has to be queried before using any of the other oracles.
Public-key hiding. Consider game \(\mathbf {G}^{\mathrm {pkh}\hbox {-}\mathrm {psa}}_{{\mathsf {PE}},\mathcal {A}}(k)\) of Fig. 2 associated to PKE \({\mathsf {PE}}\), adversary \(\mathcal {A}\) and security parameter k, and let
We say that \({\mathsf {PE}}\) is public-key hiding under parameter subversion attacks (also called \( \mathrm {PKH}\hbox {-}\mathrm {PSA}\)) if the function \(\mathbf {Adv}^{\mathrm {pkh}\hbox {-}\mathrm {psa}}_{{\mathsf {PE}},\mathcal {A}}(\cdot )\) is negligible for every \(\mathcal {A}\). In the game, b is a challenge bit. Unlike the prior games, two key pairs are generated, not one. The challenge ciphertext \(c^*\) is an encryption of a message of the adversary's choice under \( pk _b\). Given the public keys and the challenge ciphertext, the adversary outputs a guess \(b'\) and wins if \(b'\) equals b. This time the crippled decryption oracle returns decryptions under both secret keys. The adversary sets up the public keys with its call to oracle \( { \textsc {Init}}\), and uses oracle \( { \textsc {Enc}}\) to generate the challenge ciphertext. Again we require that the adversary queries the oracles \( { \textsc {Init}}\) and \( { \textsc {Enc}}\) only once. Furthermore \( { \textsc {Init}}\) has to be queried before using any of the other oracles.
Relations. The following says that pseudorandomness of ciphertexts implies both indistinguishable encryptions and anonymity. We give both asymptotic and concrete statements of the results.
Proposition 1
Let \({\mathsf {PE}}\) be a PKE that has pseudorandom ciphertexts under parameter subversion attacks. Then:

1.
\({\mathsf {PE}}\) is \( \mathrm {IND}\hbox {}\mathrm {PSA}\). Concretely, given an adversary \(\mathcal {A}\) the proof specifies an adversary \(\mathcal {B}_0\) such that \(\mathbf {Adv}^{\mathrm {ind}\hbox {}\mathrm {psa}}_{{\mathsf {PE}},\mathcal {A}}(k) \le 2\cdot \mathbf {Adv}^{\mathrm {cpr}\hbox {}\mathrm {psa}}_{{\mathsf {PE}},\mathcal {B}_0}(k)\) for every \(k\in \mathbb {N}\), and \(\mathcal {B}_0\) has the same running time and query counts as \(\mathcal {A}\).

2.
\({\mathsf {PE}}\) is \( \mathrm {PKH}\hbox {-}\mathrm {PSA}\). Concretely, given an adversary \(\mathcal {A}\) the proof specifies an adversary \(\mathcal {B}_1\) such that \(\mathbf {Adv}^{\mathrm {pkh}\hbox {-}\mathrm {psa}}_{{\mathsf {PE}},\mathcal {A}}(k) \le 2\cdot \mathbf {Adv}^{\mathrm {cpr}\hbox {-}\mathrm {psa}}_{{\mathsf {PE}},\mathcal {B}_1}(k)\) for every \(k\in \mathbb {N}\), and \(\mathcal {B}_1\) has the same running time and query counts as \(\mathcal {A}\).
The proof of the proposition can be found in the full version of this paper [4].
3.2 Key Encapsulation Mechanisms
Below we first give a syntax for key encapsulation mechanisms. It follows [23] but with slightly different notation and with an additional algorithm setting up global parameters to be utilized by all users. As for public-key encryption schemes, we formalize the security requirement of pseudorandomness of ciphertexts under parameter subversion attacks (\( \mathrm {CPR}\hbox {-}\mathrm {PSA}\)). We then adapt the two existing KEM requirements of indistinguishability of encryptions [23] and public-key hiding [1, 6] to the setting of parameter subversion attacks. In Proposition 2 we show that, as in the case of public-key encryption, the first requirement implies the other two. We furthermore define a new security requirement called well-distributedness of ciphertexts, which is necessary to achieve \( \mathrm {CPR}\hbox {-}\mathrm {PSA}\) in the hybrid PKE construction. It states that key-ciphertext pairs generated using the KEM’s encapsulation algorithm are indistinguishable from choosing a ciphertext at random and then computing its decapsulation.
KEMs. A key encapsulation mechanism (KEM) \({\mathsf {KE}}\) specifies the following. Parameter generation algorithm \( {\mathsf {KE{.}P}}\) takes input \(1^k \), where \(k\in \mathbb {N}\) is the security parameter, and returns global parameters \( \pi \). Key-generation algorithm \({\mathsf {KE{.}G}}\) takes input \(1^k, \pi \) and returns a tuple \( ( pk , sk ) \) consisting of the public (encryption) key \( pk \) and matching secret (decryption) key \( sk \). \({\mathsf {KE{.}KS}}\) associates to k a finite set \({\mathsf {KE{.}KS}}(k)\), depending only on the security parameter, that is the key space of \({\mathsf {KE}}\). \({\mathsf {KE{.}CS}}\) associates to k and parameters \( \pi \) a finite set \({\mathsf {KE{.}CS}}(k,\pi )\) that is the ciphertext space of \({\mathsf {KE}}\). Encapsulation algorithm \( {\mathsf {KE{.}E}}\) takes \(1^k,\pi , pk \) and returns (K, c) where \(K \in {\mathsf {KE{.}KS}}(k)\) is the encapsulated key and \( c \in {\mathsf {KE{.}CS}}(k,\pi )\) is a ciphertext encapsulating K. Deterministic decapsulation algorithm \( {\mathsf {KE{.}D}}\) takes \(1^k,\pi , sk \) and a ciphertext c and returns either a key \( K \in {\mathsf {KE{.}KS}}(k) \) or the special symbol \( \bot \) indicating failure. The correctness condition requires that for all \( k\in \mathbb {N}\), all \( \pi \in [{\mathsf {KE{.}P}}(1^k)] \) and all \(( pk , sk ) \in [{\mathsf {KE{.}G}}(1^k,\pi )]\) we have \(\Pr _{}\mathopen {}\left[ {\mathsf {KE{.}D}}(1^k,\pi , sk ,c)=K\right] \mathclose {}\ge 1 - {\mathsf {KE{.}de}}(k)\), where the probability is over and \({\mathsf {KE{.}de}}:\mathbb {N}\rightarrow \mathbb {R}_{\ge 0}\) is the decryption error of \({\mathsf {KE}}\). Our KEMs will be in the ROM [13], which means the encapsulation and decapsulation algorithms have access to a random oracle specified in the security games. Correctness must then hold for all choices of the random oracle.
We say a KEM is parameter-free if \( {\mathsf {KE{.}P}}\) returns \( \varepsilon \) on every input \( 1^k \).
Ciphertext pseudorandomness. Consider game \(\mathbf {G}^{\mathrm {cpr}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {A}}(k)\) of Fig. 3 associated to KEM \({\mathsf {KE}}\), adversary \(\mathcal {A}\) and security parameter k, and let
We say that \({\mathsf {KE}}\) has pseudorandom ciphertexts under parameter subversion attacks (also called \( \mathrm {CPR}\hbox {-}\mathrm {PSA}\)) if the function \(\mathbf {Adv}^{\mathrm {cpr}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {A}}(\cdot )\) is negligible for every \(\mathcal {A}\). In the game, b is a challenge bit. When \(b=1\), the challenge key \(K^*\) and ciphertext \(c^*\) are generated via the encapsulation algorithm, but if \(b=0\) they are chosen at random, from the key space and ciphertext space, respectively. Given the public key, challenge key and challenge ciphertext, the adversary outputs a guess \(b'\) and wins if \(b'\) equals b, the game returning \(\mathsf {true}\) in this case and \(\mathsf {false}\) otherwise. The adversary has access to an oracle \( { \textsc {Init}}\), which sets up the challenge. We require that the adversary queries \( { \textsc {Init}}\) before using any of the other oracles and that it queries \({ \textsc {Init}}\) only once. Further, the adversary has access to an oracle for decapsulation under \( sk \), crippled to not work when invoked on the challenge ciphertext. It, and the encapsulation and decapsulation algorithms, have access to the random oracle \({ \textsc {RO}}\). The parameters used in the game are provided by the adversary via its call to \({ \textsc {Init}}\).
Indistinguishability of encapsulated keys from random. Consider game \(\mathbf {G}^{\mathrm {ind}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {A}}(k)\) of Fig. 3 associated to KEM \({\mathsf {KE}}\), adversary \(\mathcal {A}\) and security parameter k, and let
We say that \({\mathsf {KE}}\) has encapsulated keys indistinguishable from random under parameter subversion attacks (also called \( \mathrm {IND}\hbox {-}\mathrm {PSA}\)) if the function \(\mathbf {Adv}^{\mathrm {ind}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {A}}(\cdot )\) is negligible for every \(\mathcal {A}\). In the game, b is a challenge bit. When \(b=1\), the challenge key \(K^*\) and ciphertext \(c^*\) are generated via the encapsulation algorithm, while if \(b=0\) the key is switched to one drawn randomly from the key space, the ciphertext remaining real. Given the public key, challenge key and challenge ciphertext, the adversary outputs a guess \(b'\) and wins if \(b'\) equals b. Again the adversary has access to a crippled decapsulation oracle and the random oracle, and provides the parameters used in the game via its call to the oracle \( { \textsc {Init}}\), which has to be queried before using any of the other oracles.
Public-key hiding. Consider game \(\mathbf {G}^{\mathrm {pkh}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {A}}(k)\) of Fig. 3 associated to KEM \({\mathsf {KE}}\), adversary \(\mathcal {A}\) and security parameter k, and let
We say that \({\mathsf {KE}}\) is public-key hiding under parameter subversion attacks (also called \( \mathrm {PKH}\hbox {-}\mathrm {PSA}\)) if the function \(\mathbf {Adv}^{\mathrm {pkh}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {A}}(\cdot )\) is negligible for every \(\mathcal {A}\). In the game, b is a challenge bit. Unlike the prior games, two key pairs are generated, not one. The challenge key \(K^*\) and ciphertext \(c^*\) are generated via the encapsulation algorithm under \( pk _b\). Given the public keys, challenge key and challenge ciphertext, the adversary outputs a guess \(b'\) and wins if \(b'\) equals b. This time the crippled decapsulation oracle returns decapsulations under both secret keys. Again the adversary provides the parameters to be used in the game via its single call to the oracle \( { \textsc {Init}}\), which has to be queried before using any of the other oracles.
Relations. The following says that in the parameter subversion setting \( \mathrm {CPR}\hbox {-}\mathrm {PSA}\) implies both \( \mathrm {IND}\hbox {-}\mathrm {PSA}\) and \( \mathrm {PKH}\hbox {-}\mathrm {PSA}\). We give both the asymptotic and concrete statements of the results.
Proposition 2
Let \({\mathsf {KE}}\) be a KEM that has pseudorandom ciphertexts under parameter subversion attacks. Then:

1.
\({\mathsf {KE}}\) is \( \mathrm {IND}\hbox {-}\mathrm {PSA}\). Concretely, given an adversary \(\mathcal {A}\) the proof specifies an adversary \(\mathcal {B}\) such that \(\mathbf {Adv}^{\mathrm {ind}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {A}}(k) \le 2\cdot \mathbf {Adv}^{\mathrm {cpr}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {B}}(k)\) for every \(k\in \mathbb {N}\), and \(\mathcal {B}\) has the same running time and query counts as \(\mathcal {A}\).

2.
\({\mathsf {KE}}\) is \( \mathrm {PKH}\hbox {-}\mathrm {PSA}\). Concretely, given an adversary \(\mathcal {A}\) the proof specifies an adversary \(\mathcal {B}\) such that \(\mathbf {Adv}^{\mathrm {pkh}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {A}}(k) \le 2\cdot \mathbf {Adv}^{\mathrm {cpr}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {B}}(k)\) for every \(k\in \mathbb {N}\), and \(\mathcal {B}\) has the same running time and query counts as \(\mathcal {A}\).
The proof of the proposition can be found in the full version of this paper [4].
Well-distributed ciphertexts. Consider game \( \mathbf {G}^{\mathrm {wdc}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {A}}(k) \) of Fig. 4 associated to KEM \( {\mathsf {KE}}\), adversary \( \mathcal {A}\) and security parameter k, and let
We say \( {\mathsf {KE}}\) has well-distributed ciphertexts under parameter subversion attacks (also called \( \mathrm {WDC}\hbox {-}\mathrm {PSA}\)) if the function \( \mathbf {Adv}^{\mathrm {wdc}\hbox {-}\mathrm {psa}}_{{\mathsf {KE}},\mathcal {A}}(\cdot ) \) is negligible for every adversary \( \mathcal {A}\). In the game, b is a challenge bit. If b equals 1, the adversary, in response to querying the initialization procedure (which may be done at most once), receives a key-ciphertext pair generated using \( {\mathsf {KE{.}E}}\). If b equals 0 it receives a pair \( (c^*,K^*) \) generated by choosing \( c^* \) at random and then setting \( K^* \) to be the decapsulation of \( c^* \). The adversary has access to a decryption oracle. We require that the adversary queries \( { \textsc {Init}}\) before querying any of the other oracles. Looking ahead, all of our instantiations achieve this notion statistically.
3.3 Symmetric Encryption
Below, we recall symmetric encryption. Our definition follows [23] but uses different notation. We further define the security notion of ciphertext pseudorandomness for symmetric key encryption.
One-time symmetric-key encryption. A symmetric-key encryption scheme (SKE) specifies the following. \( {\mathsf {SE{.}KS}}\) associates to security parameter k a key space \( {\mathsf {SE{.}KS}}(k) \). \( {\mathsf {SE{.}CS}}\) associates to security parameter k and message length \( m\in \mathbb {N}\) the ciphertext space \( {\mathsf {SE{.}CS}}(k,m) \). Deterministic encryption algorithm \( {\mathsf {SE{.}E}}\) takes as input \( 1^k\), key \(K\in {\mathsf {SE{.}KS}}(k) \) and a message \( M\in \{0,1\}^* \) and returns ciphertext \( c\in {\mathsf {SE{.}CS}}(k,\left| M \right| ) \). Deterministic decryption algorithm \( {\mathsf {SE{.}D}}\) on input \( 1^k,K\in {\mathsf {SE{.}KS}}(k), c\in {\mathsf {SE{.}CS}}(k,m) \) returns either a message \( M\in \{0,1\}^m \) or the special symbol \( \bot \) indicating failure. For correctness we require that \( M={\mathsf {SE{.}D}}(1^k,K,c) \) for all k, all \( K\in {\mathsf {SE{.}KS}}(k) \) and all \( M\in \{0,1\}^* \), where \( c\leftarrow {\mathsf {SE{.}E}}(1^k,K,M) \).
One-time security. Consider game \( \mathbf {G}^{\mathrm {cpr}}_{{\mathsf {SE}},\mathcal {A}}(k) \) of Fig. 5 associated to SKE \( {\mathsf {SE}}\), adversary \( \mathcal {A}\) and security parameter k, and let
We say that \( {\mathsf {SE}}\) has pseudorandom ciphertexts (also called \( \mathrm {CPR}\)) if the function \( \mathbf {Adv}^{\mathrm {cpr}}_{{\mathsf {SE}},\mathcal {A}}(\cdot ) \) is negligible for every \( \mathcal {A}\). We require that \( { \textsc {Enc}}\) is queried at most once.
3.4 PKE from Key Encapsulation and Symmetric-Key Encryption
Below, we analyze hybrid encryption in the setting of parameter subversion. Formally, we give a transform \( \mathbf {KEMToPE}\) that associates to KEM \( {\mathsf {KE}}\) and symmetric-key encryption scheme \( {\mathsf {SE}}\) a public-key encryption scheme \( {\mathsf {PE}}\). The construction essentially is the hybrid encryption scheme of [23] with an additional parameter generation algorithm. The scheme’s parameter generation, key generation, encryption and decryption algorithms are in Fig. 6. \( {\mathsf {PE}}\)’s ciphertext space is given by \( {\mathsf {PE{.}CS}}(k,\pi ,m)={\mathsf {KE{.}CS}}(k,\pi )\times {\mathsf {SE{.}CS}}(k,m) \). It is easy to verify that \( {\mathsf {PE}}\) has decryption error \( {\mathsf {PE{.}de}}(k)={\mathsf {KE{.}de}}(k) \). The following essentially states that hybrid encryption also works in the setting of ciphertext pseudorandomness under parameter subversion attacks, i.e., combining a KEM that is both \( \mathrm {CPR}\hbox {-}\mathrm {PSA}\) and \( \mathrm {WDC}\hbox {-}\mathrm {PSA}\) with an SKE that is \( \mathrm {CPR}\) yields a \( \mathrm {CPR}\hbox {-}\mathrm {PSA}\) PKE, where the well-distributedness of the KEM’s ciphertexts is necessary to correctly simulate the decryption oracle in the \( \mathrm {CPR}\hbox {-}\mathrm {PSA}\) game with respect to \( {\mathsf {PE}}\).
Proposition 3
Let \( {\mathsf {KE}}\) be a KEM and \( {\mathsf {SE}}\) an SKE such that \( {\mathsf {KE{.}KS}}(k)={\mathsf {SE{.}KS}}(k) \) for all \( k\in \mathbb {N}\). Let \( {\mathsf {PE}}=\mathbf {KEMToPE}[{\mathsf {KE}},{\mathsf {SE}}] \) be the PKE associated to \( {\mathsf {KE}}\) and \( {\mathsf {SE}}\). If \( {\mathsf {KE}}\) is \( \mathrm {CPR}\hbox {-}\mathrm {PSA}\) and \( \mathrm {WDC}\hbox {-}\mathrm {PSA}\) and if \( {\mathsf {SE}}\) is \( \mathrm {CPR}\), then \( {\mathsf {PE}}\) is \(\mathrm {CPR}\hbox {-}\mathrm {PSA}\). Concretely, given adversary \( \mathcal {A}\) against \( \mathbf {G}^{\mathrm {cpr}\hbox {-}\mathrm {psa}}_{{\mathsf {PE}},\mathcal {A}}(k) \), there exist adversaries \( \mathcal {B}_1,\mathcal {B}_2,\mathcal {B}_3\) having the same running time and query count as \( \mathcal {A}\), which satisfy
The proof of the proposition can be found in the full version of this paper [4].
4 KEMs from Efficiently Embeddable Group Families
In this section we define efficiently embeddable group families (eeg). We define the security notion of pseudorandom embeddings under parameter subversion attacks (\( {\mathrm {EPR}\hbox {-}\mathrm {PSA}}\)) and adapt the strong computational Diffie-Hellman problem (\( \mathrm {sCDH}\hbox {-}\mathrm {PSA}\)) to the setting of efficiently embeddable group families and parameter subversion. Further, we give a generic construction of key encapsulation mechanisms from eeg families. It achieves security assuming the eeg family is \( \mathrm {sCDH}\hbox {-}\mathrm {PSA}\) and \( {\mathrm {EPR}\hbox {-}\mathrm {PSA}}\).
4.1 Efficiently Embeddable Group Families
Efficiently embeddable group families. An embeddable group family \( \mathsf {EG}\) specifies the following. Parameter generation algorithm \( \mathsf {EG{.}P}\) takes as input \( 1^k \), where \( k\in \mathbb {N}\) is the security parameter, and returns parameters \( \pi \). Group generation algorithm \( \mathsf {EG{.}G}\) on input \( 1^k,\pi \) returns a tuple \( G=(\langle \mathbb {G}\rangle ,n,g) \), where \(\langle \mathbb {G}\rangle \) is a description of a cyclic group \( \mathbb {G}\) of order n, and g is a generator of \(\mathbb {G}\). \( \mathsf {EG{.}ES}\) associates to k and \( \pi \) a finite set \(\mathsf {EG{.}ES}(k,\pi )\) called the embedding space, which depends only on k and \( \pi \). Sampling algorithm \( \mathsf {EG{.}S}\) on input of \( 1^k,\pi \) and \( G \in [\mathsf {EG{.}G}(1^k,\pi )] \) outputs \( y \in \mathbb {Z}_n \) (not necessarily uniformly distributed). Embedding algorithm \( \mathsf {EG{.}E}\) receives as input \( 1^k \), \( \pi \), \( G \in [\mathsf {EG{.}G}(1^k,\pi )] \) and \( h \in \mathbb {G}\) and returns an element \( c \in \mathsf {EG{.}ES}(k,\pi ) \). Deterministic inversion algorithm \( \mathsf {EG{.}I}\) on input of \( 1^k \), \( \pi \), \( G \in [\mathsf {EG{.}G}(1^k,\pi )] \) and \( c \in \mathsf {EG{.}ES}(k,\pi ) \) returns an element of \( \mathbb {G}\). The correctness condition requires that for all \( k \in \mathbb {N}\), all \( \pi \in [\mathsf {EG{.}P}(1^k)] \) and all \( G \in [\mathsf {EG{.}G}(1^k,\pi )] \) we have \( \Pr _{}\mathopen {}\left[ \mathsf {EG{.}I}(1^k,\pi ,G, h)=g^y\right] \mathclose {} \ge 1-\mathsf {EG{.}ie}(k) \), where the probability is over and , and \(\mathsf {EG{.}ie}:\mathbb {N}\rightarrow \mathbb {R}_{\ge 0}\) is the inversion error of \(\mathsf {EG}\). If \( \mathsf {EG{.}P}\) returns \( \varepsilon \) on every input \( 1^k \), i.e. if no parameters are used, we say that \( \mathsf {EG}\) is parameter-free.
Embedding pseudorandomness. Consider game \( \mathbf {G}^{\mathrm {epr}\hbox {-}\mathrm {psa}}_{\mathsf {EG},\mathcal {A}}(k) \) of Fig. 7 associated to eeg family \( \mathsf {EG}\), adversary \( \mathcal {A}\) and security parameter k. Let
We say that \(\mathsf {EG}\) has pseudorandom embeddings under parameter subversion attacks (also called \( {\mathrm {EPR}\hbox {-}\mathrm {PSA}}\)) if the function \(\mathbf {Adv}^{\mathrm {epr}\hbox {-}\mathrm {psa}}_{\mathsf {EG},\mathcal {A}}(\cdot )\) is negligible for every \(\mathcal {A}\). In the game, b is a challenge bit. When \(b=1\), the challenge embedding \(c^*\) is generated by sampling an exponent using \( \mathsf {EG{.}S}\) and embedding the group generator raised to the exponent with \( \mathsf {EG{.}E}\). If \(b=0\) the adversary is given an embedding sampled uniformly from the embedding space. Given the group and the embedding, the adversary outputs a guess \(b'\) and wins if \(b'\) equals b. The parameters used in the game are provided by the adversary making a single call to the oracle \( { \textsc {Init}}\). All of our instantiations sample exponents such that the resulting embeddings are statistically close to uniform on \( \mathsf {EG{.}ES}(k,\pi ) \), and hence achieve this notion statistically.
Diffie-Hellman problem with respect to \(\mathsf {EG}\). The computational Diffie-Hellman problem for a cyclic group \(\mathbb {G}\) of order n, which is generated by g, asks to compute \(g^{xy}\) given \(g^x \) and \(g^y\), where . In the strong computational Diffie-Hellman problem introduced by Abdalla et al. in [2] the adversary additionally has access to an oracle, which may be used to check whether \( Y^x =Z \) for group elements \( Y,Z \in \mathbb {G}\). We provide a definition for the strong computational Diffie-Hellman problem with respect to eeg families \( \mathsf {EG}\), which allows parameter subversion. An additional difference is that y is not chosen uniformly from \( \mathbb {Z}_n \) but instead sampled using \( \mathsf {EG{.}S}\).
Thus, consider game \( \mathbf {G}^{\mathrm {scdh}\hbox {-}\mathrm {psa}}_{\mathsf {EG},\mathcal {A}}(k) \) of Fig. 8. The game is associated to eeg family \( \mathsf {EG}\), adversary \( \mathcal {A}\) and security parameter k. The adversary has access to an oracle \( { \textsc {Init}}\) setting up a problem instance according to the parameters it is provided. Let
We say that the strong computational Diffie-Hellman problem under parameter subversion (also called \( \mathrm {sCDH}\hbox {-}\mathrm {PSA}\)) is hard with respect to \( \mathsf {EG}\) if \( \mathbf {Adv}^{\mathrm {scdh}\hbox {-}\mathrm {psa}}_{\mathsf {EG},\mathcal {A}} (\cdot )\) is negligible for every adversary \( \mathcal {A}\).
4.2 Key Encapsulation from Efficiently Embeddable Group Families
In this section we give a generic construction of a key encapsulation mechanism from an eeg family \(\mathsf {EG}\). Its security is based on the strong Diffie-Hellman problem, i.e. if \( \mathrm {sCDH}\hbox {-}\mathrm {PSA}\) is hard with respect to \( \mathsf {EG}\), the KEM is \( \mathrm {IND}\hbox {-}\mathrm {PSA}\). If additionally \( \mathsf {EG}\) has pseudorandom embeddings, the KEM has pseudorandom and well-distributed ciphertexts. The construction is similar to the standard El Gamal based key encapsulation mechanism as used, for example, in [2, 23]. As an intermediate step in the proof that the construction is \( \mathrm {CPR}\hbox {-}\mathrm {PSA}\) we obtain that it is \( \mathrm {IND}\hbox {-}\mathrm {PSA}\). The proof of this property follows the outlines of the proofs given in [2, 23]. Afterwards we use the pseudorandomness of the eeg family’s embeddings to show that our construction achieves pseudorandom and well-distributed ciphertexts.
Formally, we define a transform \(\mathbf {eegToKE1}\) that associates to an eeg family \(\mathsf {EG}\) and a polynomial \(m :\mathbb {N}\rightarrow \mathbb {N}\) a KEM \({\mathsf {KE}}= \mathbf {eegToKE1}[\mathsf {EG},m]\). The parameter generation, key generation, encryption and decryption algorithms of \({\mathsf {KE}}\) are in Fig. 9. The construction is in the ROM, so that encryption and decryption invoke the \({ \textsc {RO}}\) oracle. The key space is \({\mathsf {KE{.}KS}}(k)=\{0,1\}^{m(k)}\). The ciphertext space \({\mathsf {KE{.}CS}}(k,\pi )=\mathsf {EG{.}ES}(k,\pi )\) is the embedding space of \(\mathsf {EG}\). It is easy to verify that \({\mathsf {KE{.}de}}= \mathsf {EG{.}ie}\), meaning the decryption error of the KEM equals the inversion error of the eeg family.
Security of the construction. The following says that if \( \mathrm {sCDH}\hbox {-}\mathrm {PSA}\) is hard with respect to eeg family \(\mathsf {EG}\) then \( \mathbf {eegToKE1}[\mathsf {EG},m] \) has desirable security properties.
Theorem 4
Let \({\mathsf {KE}}= \mathbf {eegToKE1}[\mathsf {EG},m]\) be the KEM associated to eeg family \(\mathsf {EG}\) and polynomial \(m :\mathbb {N}\rightarrow \mathbb {N}\) as defined in Fig. 9. Assume that \( \mathsf {EG}\) is \( {\mathrm {EPR}\hbox {-}\mathrm {PSA}}\) and that \( \mathrm {sCDH}\hbox {-}\mathrm {PSA}\) is hard with respect to \( \mathsf {EG}\). Then

(i)
\( {\mathsf {KE}}\) has pseudorandom ciphertexts under parameter subversion attacks.

(ii)
\( {\mathsf {KE}}\) has well-distributed ciphertexts under parameter subversion attacks.
Moreover, if \( \mathsf {EG}\) is parameter-free so is \( {\mathsf {KE}}\). Concretely, given an adversary \( \mathcal {A}\) making at most q(k) queries to \( { \textsc {RO}}\) the proof specifies adversaries \( \mathcal {B}_1 \) and \( \mathcal {B}_2 \) having the same running time as \( \mathcal {A}\) satisfying
where \( \mathcal {B}_2 \) makes at most q(k) queries to \( { \textsc {ddh}}\). Furthermore given an adversary \( \mathcal {A}' \) the proof specifies an adversary \( \mathcal {B}' \) having the same running time as \( \mathcal {A}' \) such that,
The proof of the theorem can be found in the full version of this paper [4]. There we also provide a transform \( \mathbf {eegToKE2}\), which achieves security under the weaker \( \mathrm {CDH}\hbox {-}\mathrm {PSA}\) assumption with respect to \( \mathsf {EG}\).
5 Efficiently Embeddable Group Families from Curve-Twist Pairs
In this section we give instantiations of eeg families based on elliptic curves. The main tool of the constructions is a bijection of [34] mapping points of an elliptic curve and its quadratic twist to an interval of integers. We first give a construction using parameters, the parameter being a prime p of length k serving as the modulus of the prime field the curves are defined over. The construction has embedding space \( [2p+1] \). Since we assume that the parameter shared by all users might be subject to subversion, security of this construction corresponds to the assumption that there exist no inherently bad choices for p, i.e. that for any sufficiently large prime p it is possible to find elliptic curves defined over \( \mathbb {F}_p \) on which the strong computational Diffie-Hellman assumption holds.
As an alternative we also give parameter-free eeg families whose security is based on the weaker assumption that for a random k-bit prime p it is possible to find elliptic curves defined over \( \mathbb {F}_p \) such that the strong computational Diffie-Hellman assumption holds. Since in this construction the modulus p is sampled along with the curve, it is no longer possible to use \( [2p+1] \) as the embedding space of the eeg family. We propose two solutions to overcome this: one uses rejection sampling to restrict the embedding space to the set \( [2^k] \), the other is based on a technique from [33] and expands the embedding space to \( [2^{k+1}] \).
5.1 Elliptic Curves
Let \( p \ge 5 \) be prime and \( \mathbb {F}_p \) a field of order p. An elliptic curve over \( \mathbb {F}_p \) can be expressed in short Weierstrass form, that is as the set of projective solutions of an equation of the form
where \( a,b \in \mathbb {F}_p \) with \( 4a^3 + 27b^2 \ne 0 \). We denote the elliptic curve generated by p, a, b by E(p, a, b). E(p, a, b) possesses exactly one point with Z-coordinate 0, the so-called point at infinity \( \mathcal {O}= (0:1:0) \). After normalizing by \( Z=1 \) the curve’s other points can be interpreted as the solutions \( (x,y) \in \mathbb {F}_p^2 \) of the affine equation \( y^2=x^3+ax+b \). It is possible to establish an efficiently computable group law on E(p, a, b) with \( \mathcal {O}\) serving as the neutral element of the group. We use multiplicative notation for the group law to be consistent with the rest of the paper.
Twists of elliptic curves. In [34, Sect. 4] Kaliski establishes the following one-to-one correspondence between two elliptic curves defined over \( \mathbb {F}_{p} \) which are related by twisting and a set of integers.
Lemma 5
Let \( p \in \mathbb {N}_{\ge 5} \) be prime. Let \( u \in \mathbb {Z}_{p}\) be a quadratic non-residue modulo p and \( a,b \in \mathbb {Z}_{p} \) such that \( 4a^3+27b^2 \not = 0\). Consider the elliptic curves \( E_0 := E(p,a,b)\) and \( E_1 :=E(p,au^2,bu^3) \). Then \( \left| E_0 \right| + \left| E_1 \right| = 2p +2 \). Furthermore, the functions \(l_0: E_0 \longrightarrow [2p+2]\) and \(l_1: E_1 \longrightarrow [2p+2]\) defined as
are injective with non-intersecting ranges, where \(\mathcal {O}_0 \) and \( \mathcal {O}_1 \) denote the neutral elements of \( E_0 \) and \( E_1 \) respectively.
Lemma 6
The functions \(l_0\) and \(l_1\) can be efficiently inverted. That is, given \(z \in [2p+1]\), one can efficiently compute the unique \((P,\delta ) \in E_0 \cup E_1 \times \{0,1\}\) such that \(l_\delta (P)=z\).
The proof of the lemma can be found in the full version of this paper [4].
Definition 7
A curve-twist generator \( \mathsf {TGen}\) on input of security parameter \( 1^k \) and a k-bit prime p returns \( (G_0,G_1) \), where \( G_0=(\langle E_0\rangle ,n_0,g_0) \) and \( G_1=(\langle E_1\rangle ,n_1,g_1) \) are secure cyclic elliptic curves defined over the field \( \mathbb {F}_p \). More precisely, we require \(E_0:= E(p,a,b) \) and \(E_1:= E(p,au^2,bu^3) \) for \( a,b \in \mathbb {F}_p \) such that \( (4a^3+27b^2) \ne 0 \) and quadratic non-residue u. Furthermore we require that \( g_0 \) generates \( E_0 \) and \( g_1 \) generates \( E_1 \), as well as \( \left| E_0 \right| =n_0 \), \( \left| E_1 \right| =n_1 \) and \( \gcd (n_0,n_1)=1 \).
Generation of secure twisted elliptic curves. There exist several proposals for properties an elliptic curve over a prime field \( \mathbb {F}_p \) should have to be considered secure (e.g., [18, 27]). Firstly, the elliptic curve’s order is required to be either the product of a big prime and a small cofactor, or preferably prime. Secondly, several conditions preventing the transfer of discrete logarithm problems on the curve to groups where faster algorithms to compute discrete logarithms may be applied should be fulfilled. Finally, for our applications we need both the elliptic curve and its quadratic twist to be secure, a property usually called twist security. For concreteness, we suggest implementing \( \mathsf {TGen}(1^k,p) \) by sampling the necessary parameters a, b, u with rejection sampling such that the resulting curve E(p, a, b) fulfills the three security requirements mentioned above. This way, \(\mathsf {TGen}\) can be implemented quite efficiently and furthermore, with overwhelming probability, the resulting curve fulfills all relevant security requirements from [18, 27] that are not covered by the three security properties explicitly mentioned above.
Computational problems associated to \( \mathsf {TGen}\). Let \( \mathsf {TGen}\) be a curve-twist generator. We give two versions of the strong computational Diffie-Hellman assumption with respect to \( \mathsf {TGen}\). In the first version the prime p on which \( \mathsf {TGen}\) is invoked is chosen by the adversary, while in the second version p is sampled uniformly at random from all k-bit primes. For \( d\in \{0,1\}\) consider games \( \mathbf {G}^{\mathrm {twist}_d\hbox {-}\mathrm {cp}\hbox {-}\mathrm {scdh}}_{\mathsf {TGen},\mathcal {A}}(\cdot ) \) and \( \mathbf {G}^{\mathrm {twist}_d\hbox {-}\mathrm {up}\hbox {-}\mathrm {scdh}}_{\mathsf {TGen},\mathcal {A}}(\cdot ) \) of Fig. 10. We define advantage functions
Definition 8
Let \( \mathsf {TGen}\) be a curve-twist generator. We say the strong computational Diffie-Hellman assumption for chosen (uniform) primes holds with respect to curve-twist generator \( \mathsf {TGen}\) if both \( \mathbf {Adv}^{\mathrm {twist}_0\hbox {-}\mathrm {cp}\hbox {-}\mathrm {scdh}}_{\mathsf {TGen},\mathcal {A}}{(\cdot )} \) and \( \mathbf {Adv}^{\mathrm {twist}_1\hbox {-}\mathrm {cp}\hbox {-}\mathrm {scdh}}_{\mathsf {TGen},\mathcal {A}}{(\cdot )} \) (or \( \mathbf {Adv}^{\mathrm {twist}_0\hbox {-}\mathrm {up}\hbox {-}\mathrm {scdh}}_{\mathsf {TGen},(P_k)_k,\mathcal {A}}{(\cdot )} \) and \( \mathbf {Adv}^{\mathrm {twist}_1\hbox {-}\mathrm {up}\hbox {-}\mathrm {scdh}}_{\mathsf {TGen},(P_k)_k,\mathcal {A}}{(\cdot )} \) respectively) are negligible for all adversaries \( \mathcal {A}\).
5.2 An Eeg Family from Elliptic Curves
In [34] Kaliski implicitly gives an eeg family based on elliptic curves. The family is parameter-using, the parameter being a prime p serving as the modulus of the field the elliptic curves are defined over. The definition of eeg family \(\mathsf {EG}_{\text {twist}}\) may be found in Fig. 11. Parameter generation algorithm \( \mathsf {EG}_{\text {twist}}\mathsf {.P}\) on input of security parameter \( 1^k \) returns a randomly sampled k-bit prime p. Group generation algorithm \( \mathsf {EG}_{\text {twist}}\mathsf {.G}\) on input of parameter \( \pi =p \) checks whether p is indeed a prime of appropriate length and, if so, runs a curve-twist generator \( \mathsf {TGen}(1^k,\pi ) \) to obtain the description of two secure cyclic elliptic curves \( G_0=(\langle E_0\rangle ,n_0,g_0) \) and \( G_1=(\langle E_1\rangle ,n_1,g_1) \). Its output is \( (\langle \mathbb {G}\rangle ,n,g) \), where \( \mathbb {G}\leftarrow E_0 \times E_1 \) is the direct product of the two elliptic curves, \( n \leftarrow n_0 \cdot n_1 \) and \( g \leftarrow (g_0,g_1) \). Here we assume that the description \( \langle \mathbb {G}\rangle \) of \( \mathbb {G}\) includes the values \( n_0 \) and \( n_1 \), which are used by \( \mathsf {EG}_{\text {twist}}\)’s other algorithms. Note that \( \left| \mathbb {G} \right| =n \) and, since \( n_0 \) and \( n_1 \) are coprime, g generates \( \mathbb {G}\). Furthermore, if we regard \( E_0 \) and \( E_1 \) as subgroups of \( \mathbb {G}= E_0 \times E_1 \) in the natural way, we may rewrite the set \( E_0 \cup E_1 \subseteq \mathbb {G}\) as
Algorithm \( \mathsf {EG}_{\text {twist}}\mathsf {.S}\) uses this property to efficiently sample \( y \in \mathbb {Z}_n \) such that \( g^y \sim U_{E_0 \cup E_1} \). It first samples . If \( z < n_0 \) it returns \( \varphi _{\text {crt}}(z,0) \). Else it returns \( \varphi _{\text {crt}}(0,z-n_0-1) \). Here \( \varphi _{\text {crt}}\) denotes the canonical isomorphism \( \varphi _{\text {crt}}:\mathbb {Z}_{n_0}\times \mathbb {Z}_{n_1} \rightarrow \mathbb {Z}_n \). As a result, the sampled y satisfies \( y \sim U_M \), where \(M:= \{ y \in \mathbb {Z}_n \mid y \equiv 0 \mod n_0 \text { or } y \equiv 0 \mod n_1 \} \). Embedding algorithm \( \mathsf {EG}_{\text {twist}}\mathsf {.E}\) receives as input \( 1^k \), \( \pi \), G and \( h=(h_0,h_1) \in \mathbb {G}\). It first checks whether h lies outside of the support \([ \mathsf {EG}_{\text {twist}}\mathsf {.S}(1^k,\pi ,G)] \) of the sampling algorithm, i.e. whether both \( h_0 \ne \mathcal {O}_0 \) and \( h_1 \ne \mathcal {O}_1 \). In this case the element is mapped to 0. If h is an element of \([ \mathsf {EG}_{\text {twist}}\mathsf {.S}(1^k,\pi ,G)] \), algorithm \( \mathsf {EG}_{\text {twist}}\mathsf {.E}\) returns \( l_0(h_0) \) if \( h_1= \mathcal {O}_1 \), and \( l_1(h_1) \) if \( h_1\ne \mathcal {O}_1 \). Here \( l_0 :E_0 \rightarrow [2p+2] \) and \( l_1 :E_1 \rightarrow [2p+2] \) denote the maps of Lemma 5. By Lemma 5 the map \( \mathsf {EG}_{\text {twist}}\mathsf {.E}(1^k,G,\cdot )|_{E_0 \cup E_1} \) is a bijection between \( E_0 \cup E_1 \) and \( [2p+1] \) and we obtain \( \mathsf {EG}_{\text {twist}}\mathsf {.E}(1^k,G,g^y) \sim U_{[2p+1]} \) for y sampled with \( \mathsf {EG}_{\text {twist}}\mathsf {.S}(1^k,G) \). We obtain the following.
Lemma 9
\(\mathsf {EG}_{\text {twist}}\) as defined in Fig. 11 is an eeg family with embedding space \(\mathsf {EG}_{\text {twist}}\mathsf {.ES}(k,G)=[2p+1]\) and inversion error \( \mathsf {EG}_{\text {twist}}\mathsf {.ie}(k)=0 \). Furthermore \( \mathsf {EG}_{\text {twist}}\) has pseudorandom embeddings. More precisely, for every (potentially unbounded) adversary \( \mathcal {A}\) we have
A proof of the lemma can be found in the full version of the paper [4]. Concerning the hardness of \( \mathrm {sCDH}\text{-}\mathrm {PSA}\) with respect to \( \mathsf {EG}_{\text {twist}}\) we obtain the following.
Lemma 10
Let \( \mathsf {EG}_{\text {twist}}\) be the embeddable group generator constructed with respect to twisted elliptic curve generator \( \mathsf {TGen}\) as described above. If the strong Diffie-Hellman assumption for chosen primes holds with respect to \( \mathsf {TGen}\), then the strong Diffie-Hellman assumption holds with respect to \( \mathsf {EG}_{\text {twist}}\).
Concretely, for every adversary \( \mathcal {A}\) against game \(\mathbf {G}^{\mathrm {scdh}\text{-}\mathrm {psa}}_{\mathsf {EG}_{\text {twist}},\mathcal {A}}(\cdot ) \), which makes at most Q queries to its \( \mathrm {DDH}\)-oracle, there exist adversaries \( \mathcal {B}_0 \), \( \mathcal {B}_1 \) against games \( \mathbf {G}^{\mathrm {twist}_0\text{-}\mathrm {cp}\text{-}\mathrm {scdh}}_{\mathsf {TGen},\mathcal {B}_0}(\cdot ) \) and \(\mathbf {G}^{\mathrm {twist}_1\text{-}\mathrm {cp}\text{-}\mathrm {scdh}}_{\mathsf {TGen},\mathcal {B}_1}(\cdot ) \) respectively, making at most Q queries to their \( \mathrm {DDH}\)-oracles, satisfying
The proof of the lemma can be found in the full version of this paper [4].
5.3 A Parameter-Free Eeg Family Using Rejection Sampling
Eeg family \( \mathsf {EG}_{\text {twist}}\) of Sect. 5.2 is parameter-using, the parameter being the size p of the field \( \mathbb {F}_p \). Correspondingly, hardness of \( \mathrm {sCDH}\text{-}\mathrm {PSA}\) with respect to \( \mathsf {EG}_{\text {twist}}\) follows from the assumption that the elliptic curves output by curve-twist generator \( \mathsf {TGen}\) are secure, independently of the prime p the curve-twist generator \( \mathsf {TGen}\) is instantiated with. In this section we show how \( \mathsf {EG}_{\text {twist}}\) can be used to construct an eeg family \( \mathsf {EG}_{\text {twist-rs}}^{\ell }\) for which hardness of \( \mathrm {sCDH}\text{-}\mathrm {PSA}\) follows from the weaker assumption that \( \mathsf {TGen}\) instantiated with a randomly chosen prime is able to sample secure elliptic curves. The construction is parameter-free and has embedding space \( [2^k] \). The size p of the field over which the elliptic curves are defined is now sampled as part of the group generation. The embedding algorithm uses rejection sampling to ensure that embeddings of group elements \( g^y \), for y sampled with \( \mathsf {EG}_{\text {twist-rs}}^{\ell }\mathsf {.S}\), are elements of \( [2^k] \). The specification of \( \mathsf {EG}_{\text {twist-rs}}^{\ell }\)'s algorithms may be found in Fig. 12.
Theorem 11
Let \( \ell : \mathbb {N}\rightarrow \mathbb {N}\) be a polynomial. \( \mathsf {EG}_{\text {twist-rs}}^{\ell }\) as described above is an eeg family with embedding space \( \mathsf {EG}_{\text {twist-rs}}^{\ell }\mathsf {.ES}(k,\pi )=[2^k] \) and inversion error \( \mathsf {EG}_{\text {twist-rs}}^{\ell }\mathsf {.ie}(k) \le 2^{-\ell (k)} \). Furthermore \( \mathsf {EG}_{\text {twist-rs}}^{\ell }\) has pseudorandom embeddings. More precisely, for every (potentially unbounded) adversary \( \mathcal {A}\) we have
The proof of the theorem can be found in the full version of this paper [4]. As discussed above, we obtain that, assuming that \( \mathsf {TGen}\) invoked on a randomly sampled prime p returns a secure curve-twist pair, the \( \mathrm {sCDH}\text{-}\mathrm {PSA}\) problem with respect to eeg family \( \mathsf {EG}_{\text {twist-rs}}^{\ell }\) is hard.
Lemma 12
Let \( \ell : \mathbb {N}\rightarrow \mathbb {N}\) be a polynomial and \( \mathsf {EG}_{\text {twist-rs}}^{\ell }\) the eeg family with underlying curve-twist generator \( \mathsf {TGen}\) as described above. If the sCDH assumption for uniform primes holds with respect to \( \mathsf {TGen}\), then \( \mathrm {sCDH}\text{-}\mathrm {PSA}\) is hard with respect to \( \mathsf {EG}_{\text {twist-rs}}^{\ell }\). Concretely, for every adversary \( \mathcal {A}\) against game \(\mathbf {G}^{\mathrm {scdh}\text{-}\mathrm {psa}}_{\mathsf {EG}_{\text {twist-rs}}^{\ell },\mathcal {A}}(\cdot ) \) making at most Q queries to its \( \mathrm {DDH}\)-oracle there exist adversaries \( \mathcal {B}_0 \), \( \mathcal {B}_1 \) against \( \mathbf {G}^{\mathrm {twist}_0\text{-}\mathrm {up}\text{-}\mathrm {scdh}}_{\mathsf {TGen},\mathcal {B}_0}(\cdot ) \) and \(\mathbf {G}^{\mathrm {twist}_1\text{-}\mathrm {up}\text{-}\mathrm {scdh}}_{\mathsf {TGen},\mathcal {B}_1}(\cdot ) \) respectively, making at most Q queries to their \( \mathrm {DDH}\)-oracles and running in the same time as \( \mathcal {A}\), which satisfy
for all \( k \in \mathbb {N}_{\ge 6} \).
The proof of the lemma can be found in the full version of this paper [4].
5.4 A Parameter-Free Family Using Range Expansion
In this section we modify the algorithms of \( \mathsf {EG}_{\text {twist}}\) to obtain an embeddable group family \( \mathsf {EG}_{\text {twist-re}}\) with embedding space \( \mathsf {EG}_{\text {twist-re}}\mathsf {.ES}(k,\pi )= [2^{k+1}] \). The eeg family has inversion error \( \mathsf {EG}_{\text {twist-re}}\mathsf {.ie}(k)=0 \) and achieves uniformly distributed embeddings. The construction builds on a technique introduced by Hayashi et al. [33], where it is used to expand the range of one-way permutations. As in Sect. 5.3, the hardness of \( \mathrm {sCDH}\text{-}\mathrm {PSA}\) with respect to \( \mathsf {EG}_{\text {twist-re}}\) is based on the hardness of the sCDH problem for uniform primes with respect to \( \mathsf {TGen}\). The sampling algorithm, in contrast to the construction based on rejection sampling, needs access to only one uniformly sampled integer, performs at most one exponentiation in the group and uses at most one evaluation of \(\mathsf {EG}_{\text {twist}}\mathsf {.E}\) to output y with the correct distribution. Furthermore, exponents sampled by \( \mathsf {EG}_{\text {twist-re}}\mathsf {.S}\) are distributed such that the eeg family achieves \( \mathsf {EG}_{\text {twist-re}}\mathsf {.ie}(k)=0 \) and for every (potentially unbounded) adversary \( \mathcal {A}\) we additionally have \( \mathbf {Adv}^{\mathrm {epr}\text{-}\mathrm {psa}}_{\mathsf {EG}_{\text {twist-re}},\mathcal {A}}(k)=0 \).
The description of \( \mathsf {EG}_{\text {twist-re}}\) may be found in Fig. 13. We now discuss the construction in greater detail. Let \( (G',p)=G\in [\mathsf {EG}_{\text {twist-re}}\mathsf {.G}(k,\pi )] \), where \( G'=(\langle \mathbb {G}\rangle ,n,g) \). The idea of the construction is to partition \( [ \mathsf {EG}_{\text {twist}}\mathsf {.S}(1^k,p,G')] \) into two sets \( M_1 \), \( M_2 \) with \( M_1 \cup M_2 = [ \mathsf {EG}_{\text {twist}}\mathsf {.S}(1^k,p,G')] \), \( \{\mathsf {EG}_{\text {twist}}\mathsf {.E}(1^k,p,G',g^y) \mid y \in M_1\} = \{ 2^{k+1}-(2p+1), \cdots , 2p \} \) and \(\{\mathsf {EG}_{\text {twist}}\mathsf {.E}(1^k,p,G',g^y) \mid y \in M_2 \} = \{ 0, \cdots , 2^{k+1}-(2p+2) \} \). The sampling algorithm \( \mathsf {EG}_{\text {twist-re}}\mathsf {.S}\) is constructed such that for y sampled by \( \mathsf {EG}_{\text {twist-re}}\mathsf {.S}(1^k,\pi ,G) \), the probability \( \Pr[ y=y'] \) equals \( 2^{-k} \) for all \( y' \in M_2 \) and \( 2^{-(k+1)} \) for all \( y' \in M_1 \). Embedding algorithm \( \mathsf {EG}_{\text {twist-re}}\mathsf {.E}\) on input \( (1^k,\pi ,G,h) \) first computes \( c \leftarrow \mathsf {EG}_{\text {twist}}\mathsf {.E}(1^k,p,G',h) \). If \( c \in \{ 2^{k+1}-(2p+1), \cdots , 2p \} \), it is output unchanged. Otherwise it is shifted to \( \{ 2p+1, \cdots , 2^{k+1}-1 \} \) with probability 1/2. In this way we achieve embeddings which are uniformly distributed on \( \mathsf {EG}_{\text {twist-re}}\mathsf {.ES}(k,\pi )=[2^{k+1}] \).
Our construction relies on the existence of a bijection \( \psi _G : [2p+1] \rightarrow [ \mathsf {EG}_{\text {twist}}\mathsf {.S}(1^k,p,G')] \) for all \( (G',p)=G \in [\mathsf {EG}_{\text {twist-re}}\mathsf {.G}(1^k,\pi )] \). We use the bijection that was implicitly given in the definition of \( \mathsf {EG}_{\text {twist}}\mathsf {.S}\). That is, for \( z \in [2p+1] \) we define
where \( \varphi _{\text {crt}} \) denotes the canonical isomorphism \( \mathbb {Z}_{n_0}\times \mathbb {Z}_{n_1} \rightarrow \mathbb {Z}_n \).
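The following Python model is an added example and not code from the paper or its figures. It implements the exponent map \( \varphi_{\text{crt}} \) and the sampler of \( \mathsf{EG}_{\text{twist}}\mathsf{.S} \) (Sect. 5.2), the \( 2^{-\ell} \) rejection bound of Sect. 5.3, and the range-expansion sampler and embedding of Sect. 5.4, then verifies by exact enumeration (no random sampling) that the resulting embedding is uniform on \( [2^{k+1}] \) and that inversion never fails. Its assumptions: the curve arithmetic and the maps \( l_0, l_1 \) of Lemma 5 are abstracted away, a group element \( g^y \) is represented by its exponent y, the embedding of \( \mathsf{EG}_{\text{twist}} \) on \( E_0 \cup E_1 \) is taken to be the inverse of the bijection \( \psi_G \), the \( \mathsf{EG}_{\text{twist-re}} \) sampler is my own design that meets the distribution stated in the text (Fig. 13 itself is not on this page), and the parameters p = 11, \( n_0 = 11 \), \( n_1 = 13 \), k = 4 are constructed toy values that satisfy the stated constraints rather than real curve orders.

```python
"""Toy model of EG_twist's exponent/embedding maps (Sect. 5.2), the rejection
bound of Sect. 5.3 and the range expansion of EG_twist-re (Sect. 5.4).
Added example, not the paper's code: curve arithmetic and the point maps
l_0, l_1 of Lemma 5 are abstracted away, a group element g^y is represented
by its exponent y, and EG_twist's embedding of g^y is taken to be the
inverse of the bijection psi used by EG_twist.S.  The EG_twist-re sampler is
my own design meeting the distribution stated in the text (Fig. 13 may differ)."""
from fractions import Fraction
from math import gcd

def check_params(p, n0, n1, k):
    """p is a k-bit prime (primality not tested), n0 + n1 = 2p + 2 (Lemma 5),
    gcd(n0, n1) = 1."""
    return 2 ** (k - 1) <= p < 2 ** k and n0 + n1 == 2 * p + 2 and gcd(n0, n1) == 1

def crt(z0, z1, n0, n1):
    """phi_crt: Z_n0 x Z_n1 -> Z_n with n = n0*n1 (canonical CRT isomorphism)."""
    y = z0 * n1 * pow(n1, -1, n0) + z1 * n0 * pow(n0, -1, n1)
    return y % (n0 * n1)

def psi(z, n0, n1):
    """EG_twist.S on z in [2p+1]: bijection onto M = {y : y = 0 mod n0 or n1}."""
    if z < n0:
        return crt(z, 0, n0, n1)          # g^y = (g0^z, O_1), a point of E_0
    return crt(0, z - n0 + 1, n0, n1)     # g^y = (O_0, g1^(z-n0+1)), a point of E_1

def psi_inv(y, n0, n1):
    """Inverse of psi; stands in for EG_twist.E(g^y) on E_0 u E_1."""
    return y % n0 if y % n1 == 0 else (y % n1) + n0 - 1

def exponent_set_M(n0, n1):
    return {y for y in range(n0 * n1) if y % n0 == 0 or y % n1 == 0}

def psi_is_bijection(p, n0, n1):
    image = {psi(z, n0, n1) for z in range(2 * p + 1)}
    return len(image) == 2 * p + 1 and image == exponent_set_M(n0, n1)

# --- Sect. 5.4: range expansion from [2p+1] to [2^(k+1)] --------------------

def sample_re(r, p, n0, n1, k):
    """One uniform r in [2^(k+1)] -> exponent y.  Indices c >= 2^(k+1)-(2p+1)
    (image of M_1) are hit by one r, the rest (image of M_2) by two, giving
    Pr[y] = 2^-(k+1) on M_1 and 2^-k on M_2 as the text requires."""
    c = r if r <= 2 * p else r - (2 * p + 1)
    return psi(c, n0, n1)

def embed_re(y, coin, p, n0, n1, k):
    """Randomised embedding: c in the image of M_1 stays; otherwise it is
    shifted to {2p+1, ..., 2^(k+1)-1} when coin == 1."""
    c = psi_inv(y, n0, n1)
    if c >= 2 ** (k + 1) - (2 * p + 1):
        return c
    return c + (2 * p + 1) if coin else c

def invert_re(t, p, n0, n1):
    """Inversion never fails: shifted values are exactly those above 2p."""
    return psi(t if t <= 2 * p else t - (2 * p + 1), n0, n1)

def exponent_distribution(p, n0, n1, k):
    """Exact law of sample_re over uniform r in [2^(k+1)]."""
    dist = {}
    for r in range(2 ** (k + 1)):
        y = sample_re(r, p, n0, n1, k)
        dist[y] = dist.get(y, 0) + Fraction(1, 2 ** (k + 1))
    return dist

def embedding_distribution(p, n0, n1, k):
    """Exact law of embed_re(sample_re(r), coin) over uniform (r, coin)."""
    dist = {}
    for r in range(2 ** (k + 1)):
        for coin in (0, 1):
            t = embed_re(sample_re(r, p, n0, n1, k), coin, p, n0, n1, k)
            dist[t] = dist.get(t, 0) + Fraction(1, 2 ** (k + 2))
    return dist

def embedding_is_uniform(p, n0, n1, k):
    dist = embedding_distribution(p, n0, n1, k)
    return (set(dist) == set(range(2 ** (k + 1)))
            and all(v == Fraction(1, 2 ** (k + 1)) for v in dist.values()))

def roundtrip_ok(p, n0, n1, k):
    return all(invert_re(embed_re(y, c, p, n0, n1, k), p, n0, n1) == y
               for y in exponent_set_M(n0, n1) for c in (0, 1))

# --- Sect. 5.3: ell rejection trials all missing [2^k] ----------------------

def rejection_failure_bound(p, k, ell):
    """A uniform c in [2p+1] misses [2^k] with probability (2p+1-2^k)/(2p+1),
    which is below 1/2 because p < 2^k; ell independent trials all miss with
    probability below 2^-ell, the same shape as the bound in Theorem 11."""
    return Fraction(2 * p + 1 - 2 ** k, 2 * p + 1) ** ell

if __name__ == "__main__":
    # Constructed toy parameters (not real curve orders): p = 11 is a 4-bit
    # prime, 11 + 13 = 2p + 2 and gcd(11, 13) = 1.
    p, n0, n1, k = 11, 11, 13, 4
    print(check_params(p, n0, n1, k), psi_is_bijection(p, n0, n1))
    print(embedding_is_uniform(p, n0, n1, k), roundtrip_ok(p, n0, n1, k))
    print(rejection_failure_bound(p, k, 8) < Fraction(1, 2 ** 8))
```

Because the distributions are computed exactly with `Fraction` over all \( 2^{k+1} \) values of r and both coin values, the uniformity check is a proof for the given parameters rather than a statistical estimate; the same functions work for any coprime \( n_0, n_1 \) with \( n_0 + n_1 = 2p+2 \) and any k-bit p.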
Theorem 13
\( \mathsf {EG}_{\text {twist-re}}\) as specified in Fig. 13 is an embeddable group family with embedding space \( \mathsf {EG}_{\text {twist-re}}\mathsf {.ES}(k,\pi )=[2^{k+1}] \) and inversion error \( \mathsf {EG}_{\text {twist-re}}\mathsf {.ie}(k)=0 \). Furthermore \( \mathsf {EG}_{\text {twist-re}}\) has pseudorandom embeddings. More precisely, for every (potentially unbounded) adversary \( \mathcal {A}\) we have
The proof of the theorem can be found in the full version of this paper [4]. As in the case of \( \mathsf {EG}_{\text {twist-rs}}^{\ell }\), we obtain that, assuming that \( \mathsf {TGen}\) invoked on a randomly sampled prime p returns a secure curve-twist pair, \(\mathrm {sCDH}\text{-}\mathrm {PSA}\) with respect to eeg family \( \mathsf {EG}_{\text {twist-re}}\) is hard.
Lemma 14
Let \( \mathsf {EG}_{\text {twist-re}}\) be the eeg family defined above with underlying curve-twist generator \( \mathsf {TGen}\). If the sCDH assumption holds with respect to \( \mathsf {TGen}\), then \( \mathrm {sCDH}\text{-}\mathrm {PSA}\) is hard with respect to \( \mathsf {EG}_{\text {twist-re}}\). Concretely, for every adversary \( \mathcal {A}\) against \(\mathbf {G}^{\mathrm {scdh}\text{-}\mathrm {psa}}_{\mathsf {EG}_{\text {twist-re}},\mathcal {A}}(\cdot ) \) making at most Q queries to its \( \mathrm {DDH}\)-oracle there exist adversaries \( \mathcal {B}_0 \), \( \mathcal {B}_1 \) against \( \mathbf {G}^{\mathrm {twist}_0\text{-}\mathrm {up}\text{-}\mathrm {scdh}}_{\mathsf {TGen},\mathcal {B}_0}(\cdot ) \) and \(\mathbf {G}^{\mathrm {twist}_1\text{-}\mathrm {up}\text{-}\mathrm {scdh}}_{\mathsf {TGen},\mathcal {B}_1}(\cdot ) \) respectively, running in the same time as \( \mathcal {A}\) and making at most Q queries to their \( \mathrm {DDH}\)-oracles, which satisfy
The proof of the lemma can be found in the full version of this paper [4].
Notes
1. In [29] Galbraith and McKee consider elliptic curves E chosen uniformly from the set of elliptic curves over a fixed prime field \( \mathbb {F}_p \). They give a conjecture (together with some experimental evidence) for a lower bound on the probability of \( \left| E \right| \) being prime. Using a similar technique, [27] argue that the probability of a uniformly chosen elliptic curve over a fixed prime field \( \mathbb {F}_p \) being both secure and twist-secure is bounded from below by \( 0.5/\log ^2(p) \). Since their definition of security of an elliptic curve includes primality of the curve order, and since due to Lemma 5 the orders of curve and twist sum up to \( 2p+2 \), this in particular implies that the curve and its twist are cyclic and have coprime group orders.
2. In practice one would preferably instantiate \( \mathsf {EG}_{\text {twist}}\) with a standardized prime.
References
Abdalla, M., et al.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_13
Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_12
Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 15: 22nd Conference on Computer and Communications Security, pp. 364–375. ACM Press, October 2015
Auerbach, B., Bellare, M., Kiltz, E.: Public-key encryption resistant to parameter subversion and its realization from efficiently-embeddable groups. Cryptology ePrint Archive, Report 2018/023 (2018). http://eprint.iacr.org/2018/023
Baignères, T., Delerablée, C., Finiasz, M., Goubin, L., Lepoint, T., Rivain, M.: Trap me if you can - million dollar curve. Cryptology ePrint Archive, Report 2015/1249 (2015). http://eprint.iacr.org/2015/1249
Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_33
Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_18
Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055718
Bellare, M., Fuchsbauer, G., Scafuro, A.: NIZKs with an untrusted CRS: security in the face of parameter subversion. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016 Part II. LNCS, vol. 10032, pp. 777–804. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_26
Bellare, M., Hoang, V.T.: Resisting randomness subversion: fast deterministic and hedged public-key encryption in the standard model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015 Part II. LNCS, vol. 9057, pp. 627–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_21
Bellare, M., Jaeger, J., Kane, D.: Mass-surveillance without the state: strongly undetectable algorithm-substitution attacks. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 15: 22nd Conference on Computer and Communications Security, pp. 1431–1440. ACM Press, October 2015
Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014 Part I. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_1
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 93: 1st Conference on Computer and Communications Security, pp. 62–73. ACM Press, November 1993
Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25
Bernstein, D.J., Chou, T., Chuengsatiansup, C., Hülsing, A., Lange, T., Niederhagen, R., van Vredendaal, C.: How to manipulate curve standards: a white paper for the black hat. Cryptology ePrint Archive, Report 2014/571 (2014). http://eprint.iacr.org/2014/571
Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_9
Bernstein, D.J., Hamburg, M., Krasnova, A., Lange, T.: Elligator: elliptic-curve points indistinguishable from uniform random strings. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 13: 20th Conference on Computer and Communications Security, pp. 967–980. ACM Press, November 2013
Bernstein, D.J., Lange, T.: SafeCurves: choosing safe curves for elliptic-curve cryptography. https://safecurves.cr.yp.to. Accessed 18 May 2016
Bernstein, D.J., Lange, T., Niederhagen, R.: Dual EC: a standardized back door. Cryptology ePrint Archive, Report 2015/767 (2015). http://eprint.iacr.org/2015/767
Canetti, R., Pass, R., Shelat, A.: Cryptography from sunspots: how to use an imperfect reference string. In: 48th Annual Symposium on Foundations of Computer Science, pp. 249–259. IEEE Computer Society Press, October 2007
Checkoway, S., Cohney, S., Garman, C., Green, M., Heninger, N., Maskiewicz, J., Rescorla, E., Shacham, H., Weinmann, R.-P.: A systematic analysis of the Juniper Dual EC incident. In: Proceedings of the 23rd ACM Conference on Computer and Communications Security. ACM (2016)
Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
Degabriele, J.P., Farshim, P., Poettering, B.: A more cautious approach to security against mass surveillance. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 579–598. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_28
Degabriele, J.P., Paterson, K.G., Schuldt, J.C.N., Woodage, J.: Backdoors in pseudorandom number generators: possibility and impossibility results. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016 Part I. LNCS, vol. 9814, pp. 403–432. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_15
Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015 Part I. LNCS, vol. 9056, pp. 101–126. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_5
Flori, J.-P., Plût, J., Reinhard, J.-R., Ekerå, M.: Diversity and transparency for ECC. Cryptology ePrint Archive, Report 2015/659 (2015). http://eprint.iacr.org/
Frey, G.: How to disguise an elliptic curve (Weil descent). Talk given at ECC 1998 (1998)
Galbraith, S.D., McKee, J.: The probability that the number of points on an elliptic curve over a finite field is prime. J. Lond. Math. Soc. 62(3), 671–684 (2000)
Garg, S., Goyal, V., Jain, A., Sahai, A.: Bringing people of different beliefs together to do UC. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 311–328. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_19
Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
Groth, J., Ostrovsky, R.: Cryptography in the multi-string model. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 323–341. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_18
Hayashi, R., Okamoto, T., Tanaka, K.: An RSA family of trapdoor permutations with a common domain and its applications. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 291–304. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_21
Kaliski Jr., B.S.: One-way permutations on elliptic curves. J. Cryptol. 3(3), 187–199 (1991)
Katz, J., Kiayias, A., Zhou, H.-S., Zikas, V.: Distributing the setup in universally composable multi-party computation. In: Halldórsson, M.M., Dolev, S. (eds.) 33rd Annual ACM Symposium on Principles of Distributed Computing, pp. 20–29. Association for Computing Machinery, July 2014
Lochter, M., Merkle, J.: RFC 5639: ECC Brainpool Standard Curves & Curve Generation. Internet Engineering Task Force, March 2010
Möller, B.: A public-key encryption scheme with pseudorandom ciphertexts. In: Samarati, P., Ryan, P., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 335–351. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30108-0_21
NIST: Digital signature standard (DSS). FIPS PUB 186-4 (2013)
Orman, H.: The OAKLEY key determination protocol (1998)
Petit, C., Quisquater, J.-J.: On polynomial systems arising from a Weil descent. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 451–466. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_28
Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Cliptography: clipping the power of kleptographic attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016 Part II. LNCS, vol. 10032, pp. 34–64. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_2
Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Generic semantic security against a kleptographic adversary. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 17: 24th Conference on Computer and Communications Security, pp. 907–922. ACM Press, October 2017
Young, A., Yung, M.: The dark side of "black-box" cryptography, or: should we trust Capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996)
Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_6
Acknowledgments
Benedikt Auerbach was supported by the NRW Research Training Group SecHuman. Mihir Bellare was supported in part by NSF grants CNS-1526801 and CNS-1717640, ERC Project ERCC FP7/615074 and a gift from Microsoft Corporation. Eike Kiltz was supported in part by ERC Project ERCC FP7/615074 and by DFG SPP 1736 Big Data.
Copyright information
© 2018 International Association for Cryptologic Research
Auerbach, B., Bellare, M., Kiltz, E. (2018). Public-Key Encryption Resistant to Parameter Subversion and Its Realization from Efficiently-Embeddable Groups. In: Abdalla, M., Dahab, R. (eds) Public-Key Cryptography - PKC 2018. Lecture Notes in Computer Science, vol 10769. Springer, Cham. https://doi.org/10.1007/978-3-319-76578-5_12
DOI: https://doi.org/10.1007/978-3-319-76578-5_12
Print ISBN: 978-3-319-76577-8
Online ISBN: 978-3-319-76578-5