Selective Opening Security from Simulatable Data Encapsulation
In the realm of public-key encryption, the confidentiality notion of security against selective opening (SO) attacks considers adversaries that obtain challenge ciphertexts and are allowed to adaptively open them, that is, to have the corresponding message and randomness revealed. SO security is stronger than IND-CCA and is often required when formally arguing towards the security of multi-user applications. While different ways of achieving SO-secure schemes are known, they generally employ expensive asymmetric building blocks like lossy trapdoor functions or lossy encryption, so such constructions are routinely left aside by practitioners and standardization bodies. So far, formal arguments towards the SO security of schemes used in practice (e.g., for email encryption) are not known.
In this work we shift the focus from the asymmetric to the symmetric building blocks of PKE and prove the following statement: If a PKE scheme is composed of a key encapsulation mechanism (KEM) and a blockcipher-based data encapsulation mechanism (DEM), and the DEM has specific combinatorial properties, then the PKE scheme offers SO security in the ideal cipher model. Fortunately, as we show, the required properties hold for popular modes of operation like CTR, CBC and CCM. This paper not only establishes the corresponding theoretical framework of analysis, but also contributes very concretely to practical cryptography by concluding that selective opening security is given for many real-world schemes.
Keywords: Selective Opening, Challenge Ciphertext, Decryption Oracle, Partial Permutation, Simulatable DEMs
We thank the reviewers for their helpful feedback. Felix Heuer was funded by the German Research Foundation (DFG) as part of the priority program 1736 Big Data: Scalable Cryptography. Bertram Poettering was supported by ERC Project ERCC (FP7/615074).