Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts

Conference paper

DOI: 10.1007/978-3-662-53644-5_6

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9986)
Cite this paper as:
Hofheinz D., Jager T., Rupp A. (2016) Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts. In: Hirt M., Smith A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science, vol 9986. Springer, Berlin, Heidelberg


In a selective-opening (SO) attack on an encryption scheme, an adversary \(A\) gets a number of ciphertexts (with possibly related plaintexts), and can then adaptively select a subset of those ciphertexts. The selected ciphertexts are then opened for \(A\) (which means that \(A\) gets to see the plaintexts and the corresponding encryption random coins), and \(A\) tries to break the security of the unopened ciphertexts.

Two main flavors of SO security notions exist: indistinguishability-based (IND-SO) and simulation-based (SIM-SO) ones. Whereas IND-SO security allows for simple and efficient instantiations, its usefulness in larger constructions is somewhat limited, since it is restricted to special types of plaintext distributions. On the other hand, SIM-SO security does not suffer from this restriction, but turns out to be significantly harder to achieve. In fact, all known SIM-SO secure encryption schemes either require \(\mathbf {O} (|m |)\) group elements in the ciphertext to encrypt \(|m |\)-bit plaintexts, or use specific algebraic properties available in the DCR setting.

In this work, we present the first SIM-SO secure PKE schemes in the discrete-log setting with compact ciphertexts (whose size is \(\mathbf {O} (1)\) group elements plus plaintext size). The SIM-SO security of our constructions can be based on, e.g., the \(k\)-linear assumption for any \(k\).

Technically, our schemes extend previous IND-SO secure schemes by the property that simulated ciphertexts can be efficiently opened to arbitrary plaintexts. We do so by encrypting the plaintext in a bitwise fashion, but such that each encrypted bit leads only to a single ciphertext bit (plus \(\mathbf {O} (1)\) group elements that can be shared across many bit encryptions). Our approach leads to rather large public keys (of \(\mathbf {O} (|m |^2)\) group elements), but we also show how this public key size can be reduced (to \(\mathbf {O} (|m |)\) group elements) in pairing-friendly groups.


Public-key encryption Selective-opening security Lossy encryption Matrix assumptions 

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.Karlsruhe Institute of TechnologyKarlsruheGermany
  2. 2.Ruhr-University BochumBochumGermany

Personalised recommendations