Selective Opening Security from Simulatable Data Encapsulation

  • Felix HeuerEmail author
  • Bertram Poettering
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10032)


In the realm of public-key encryption, the confidentiality notion of security against selective opening (SO) attacks considers adversaries that obtain challenge ciphertexts and are allowed to adaptively open them, meaning have the corresponding message and randomness revealed. SO security is stronger than IND-CCA and often required when formally arguing towards the security of multi-user applications. While different ways of achieving SO secure schemes are known, as they generally employ expensive asymmetric building blocks like lossy trapdoor functions or lossy encryption, such constructions are routinely left aside by practitioners and standardization bodies. So far, formal arguments towards the SO security of schemes used in practice (e.g., for email encryption) are not known.

In this work we shift the focus from the asymmetric to the symmetric building blocks of PKE and prove the following statement: If a PKE scheme is composed of a key encapsulation mechanism (KEM) and a blockcipher-based data encapsulation mechanism (DEM), and the DEM has specific combinatorial properties, then the PKE scheme offers SO security in the ideal cipher model. Fortunately, as we show, the required properties hold for popular modes of operation like CTR, CBC and CCM. This paper not only establishes the corresponding theoretical framework of analysis, but also contributes very concretely to practical cryptography by concluding that selective opening security is given for many real-world schemes.


Selective Opening Challenge Ciphertext Decryption Oracle Partial Permutation Simulatable DEMs 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We thank the reviewers for their helpful feedback. Felix Heuer was funded by the German Research Foundation (DFG) as part of the priority program 1736 Big Data: Scalable Cryptography. Bertram Poettering was supported by ERC Project ERCC (FP7/615074).


  1. 1.
    Bellare, M., Dowsley, R., Waters, B., Yilek, S.: Standard security does not imply security against selective-opening. Cryptology ePrint Archive, Report 2011/581 (2011).
  2. 2.
    Bellare, M., Dowsley, R., Waters, B., Yilek, S.: Standard security does not imply security against selective-opening. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 645–662. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_38 CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-01001-9_1 CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). doi: 10.1007/3-540-44448-3_41 CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Yilek, S.: Encryption schemes secure under selective opening attack. Cryptology ePrint Archive, Report 2009/101 (2009).
  6. 6.
    Böhl, F., Hofheinz, D., Kraschewski, D.: On definitions of selective opening security. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 522–539. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-30057-8_31 CrossRefGoogle Scholar
  7. 7.
    Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997). doi: 10.1007/BFb0052229 CrossRefGoogle Scholar
  8. 8.
    Canetti, R., Feige, U., Goldreich, O., Naor, M.: Adaptively secure multi-party computation. In: 28th ACM STOC, pp. 639–648. ACM Press, May 1996Google Scholar
  9. 9.
    Coron, J.-S., Patarin, J., Seurin, Y.: The random oracle model and the ideal cipher model are equivalent. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 1–20. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-85174-5_1 CrossRefGoogle Scholar
  10. 10.
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Dachman-Soled, D.: On minimal assumptions for sender-deniable public key encryption. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 574–591. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-54631-0_33 CrossRefGoogle Scholar
  12. 12.
    Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. In: 40th FOCS, pp. 523–534. IEEE Computer Society Press, October 1999Google Scholar
  13. 13.
    Dworkin, M.J.: Spp. 800–38A: Recommendation for block cipher modes of operation: Methods and techniques. Technical report, National Institute of Standards & Technology, Gaithersburg, MD, United States (2001)Google Scholar
  14. 14.
    Dworkin, M.J.: Spp. 800–38C: Recommendation for block cipher modes of operation: The CCM mode for authentication and confidentiality. Technical report, National Institute of Standards & Technology, Gaithersburg, MD, United States (2007)Google Scholar
  15. 15.
    Dworkin, M.J.: Spp. 800–38D: Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. Technical report, National Institute of Standards & Technology, Gaithersburg, MD, United States (2007)Google Scholar
  16. 16.
    Dworkin, M.J.: Addendum to Spp. 800–38A: Recommendation for block cipher modes of operation: Three variants of ciphertext stealing for CBC mode. Technical report, National Institute of Standards & Technology, Gaithersburg, MD, United States (2010)Google Scholar
  17. 17.
    Even, S., Mansour, Y.: A construction of a cipher from a single pseudorandom permutation. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) ASIACRYPT 1991. LNCS, vol. 739, pp. 210–224. Springer, Heidelberg (1993). doi: 10.1007/3-540-57332-1_17 CrossRefGoogle Scholar
  18. 18.
    Fehr, S., Hofheinz, D., Kiltz, E., Wee, H.: Encryption schemes secure against chosen-ciphertext selective opening attacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 381–402. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13190-5_20 CrossRefGoogle Scholar
  19. 19.
    Fuchsbauer, G., Heuer, F., Kiltz, E., Pietrzak, K.: Standard security does imply security against selective opening for markov distributions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 282–305. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49096-9_12 CrossRefGoogle Scholar
  20. 20.
    Hazay, C., Patra, A., Warinschi, B.: Selective opening security for receivers. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 443–469. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48797-6_19 CrossRefGoogle Scholar
  21. 21.
    Hemenway, B., Ostrovsky, R., Rosen, A.: Non-committing encryption from Q-hiding. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 591–608. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46494-6_24 Google Scholar
  22. 22.
    Heuer, F., Jager, T., Kiltz, E., Schäge, S.: On the selective opening security of practical public-key encryption schemes. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 27–51. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46447-2_2 Google Scholar
  23. 23.
    Heuer, F., Poettering, B.: Selective opening security from simulatable data encapsulation. Cryptology ePrint Archive, Report 2016/845 (2016).
  24. 24.
    Hofheinz, D., Jager, T., Rupp, A.: Public-key encryption with simulation-based selective-opening security and compact ciphertexts. Cryptology ePrint Archive, Report 2016/180 (2016).
  25. 25.
    Hofheinz, D., Rao, V., Wichs, D.: Standard security does not imply indistinguishability under selective opening. Cryptology ePrint Archive, Report 2015/792 (2015).
  26. 26.
    Hofheinz, D., Rupp, A.: Standard versus selective opening security: separation and equivalence results. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 591–615. Springer, Heidelberg (2014). doi: 10.1007/978-3-642-54242-8_25 CrossRefGoogle Scholar
  27. 27.
    Kilian, J., Rogaway, P.: How to protect DES against exhaustive key search (an analysis of DESX). J. Cryptology 14(1), 17–35 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Liu, S., Paterson, K.G.: Simulation-based selective opening CCA security for PKE from key encapsulation mechanisms. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 3–26. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46447-2_1 Google Scholar
  29. 29.
    Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 187–196. ACM Press, May 2008Google Scholar
  30. 30.
    Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 02, pp. 98–107. ACM Press, November 2002Google Scholar
  31. 31.
    Wee, H.: Zero knowledge in the random oracle model, revisited. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 417–434. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-10366-7_25 CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.Horst Görtz Institute for IT SecurityRuhr University BochumBochumGermany

Personalised recommendations