Simulation-based selective opening security for receivers under chosen-ciphertext attacks

Abstract

Security against selective opening attack (SOA) for receivers requires that in a multi-user setting, even if an adversary has access to all ciphertexts, and adaptively corrupts some fraction of the users to obtain the decryption keys corresponding to some of the ciphertexts, the remaining (potentially related) ciphertexts retain their privacy. In this paper, we study simulation-based selective opening security for receivers of public key encryption (PKE) schemes under chosen-ciphertext attacks (RSIM-SO-CCA). Concretely, we first show that some known PKE schemes meet RSIM-SO-CCA security. Then, we introduce the notion of master-key SOA security for identity-based encryption (IBE), and extend the Canetti–Halevi–Katz transformation to show generic PKE constructions achieving RSIM-SO-CCA security. Finally, we show how to construct an IBE scheme achieving master-key SOA security.

Appendices

Appendix A: Proof of Lemma 3

Proof of Lemma 3

First, parse \(\mathbf pk [i]=(g_1, g_2, h, \theta , \varphi , hk)\), \(\mathbf sk [i]=(x, y, a, b, a', b')\) and \(\mathbf tk [i]=z\). Denote the \(i{\text {th}}\) challenge ciphertext in \(\mathbf G _{n+i-1}\) by \(\mathbf c [i]=(u,v,w,e)\). Let \(r_1:=\log _{g_1}u\) and \(r_2:=\log _{g_2}v=\log _{g_2}g_1+r_1.\) So we have \(r_1\ne r_2.\)

Game \(\mathbf G _{n+i-1}\) sets bad iff adversary A, without obtaining \(\mathbf sk [i]\) through the opening query, submits a decryption query \((i,c'=(u',v',w',e'))\) such that \((i,c')\notin C\), \(u'^{z}\ne v'\), and \(u'^{a+\alpha ' a'}v'^{b+\alpha ' b'}=e'\), where \(\alpha '=\textsf {HEvl}(hk,(u',v',w'))\). There are four possible cases.

Case 1\((u',v',w',e')=(u,v,w,e)\).

Since \((i,c')\notin C\), this case occurs only when A submits such a decryption query before receiving \(\mathbf c \). In \(\mathbf G _{n+i-1}\), u is uniformly and independently chosen from \(\mathbb {G}_q\). Notice that A makes at most \(q_d\) decryption queries, and that the best circumstance for A is that each decryption query will help A to eliminate one possible value of u. Hence, the probability that Case 1 occurs is at most \(\frac{q_d}{q-q_d}\), which is negligible.

We stress that this is a very loose bound. Because in \(\mathbf G _{n+i-1}\), \(v=g_1g_2^r\) and \(\mathbf c [i]\) is generated with \(\mathbf sk [i]\), the probability that A generates \(\mathbf c [i]\) beforehand is much less than \(\frac{q_d}{q-q_d}\).

Case 2\((u',v',w')=(u,v,w)\) and \(e'\ne e\).

In this case, \(\alpha '=\alpha \) and \(u'^{a+\alpha ' a'}v'^{b+\alpha ' b'}= u^{a+\alpha a'}v^{b+\alpha b'}=e\ne e'\). Hence, \(\mathbf G _{n+i-1}\) will not set bad.

Case 3\((u',v',w')\ne (u,v,w)\) and \(\alpha '=\alpha \).

Since Hash is a CR hash function, the probability that the adversary generates \((u',v',w')\) such that \(\textsf {HEvl}(hk,(u',v',w'))=\textsf {HEvl}(hk,(u,v,w))\) is negligible. Hence, Case 3 occurs with negligible probability.

Case 4\((u',v',w')\ne (u,v,w)\) and \(\alpha '\ne \alpha \).

Let \(r_1':=\log _{g_1}u'\) and \(r_2':=\log _{g_2}v'\). When \(\mathbf G _{n+i-1}\) sets bad, \(u'^{z}\ne v'\), which implies \(r_1'\ne r_2'\).

From the public key \(\mathbf pk \) and the challenge ciphertext vector \(\mathbf c \), for \(\mathbf sk [i]=(x, y, a, b, a', b')\), all the information on \((a, b, a', b')\) that A learns is:

$$\begin{aligned}&\log _{g_1}\theta =a+bz, \end{aligned}$$

(9)

$$\begin{aligned}&\log _{g_1}\varphi =a'+b'z, \end{aligned}$$

(10)

$$\begin{aligned}&\log _{g_1}e=r_1a+r_2zb+r_1\alpha a'+r_2z\alpha b'. \end{aligned}$$

(11)

For the decryption query \((i,(u',v',w',e'))\), \(\mathbf G _{n+i-1}\) sets bad only if

$$\begin{aligned} \log _{g_1}e'=r'_1a+r'_2zb+r'_1\alpha ' a'+r'_2z\alpha ' b'. \end{aligned}$$

(12)

Because

$$\begin{aligned} \left| \begin{array}{cccc} 1&{}z&{}0&{}0\\ 0&{}0&{}1&{}z\\ r_1~&{}~r_2z~&{}~r_1\alpha ~&{}~r_2z\alpha \\ r'_1~&{}~r'_2z~&{}~r'_1\alpha '~&{}~r'_2z\alpha '\\ \end{array} \right| =z^2(r_2-r_1)(r'_2-r'_1)(\alpha -\alpha ')\ne 0, \end{aligned}$$

Equations (9)–(12) are linearly independent. Therefore, the probability that A submits a decryption query \((i,(u',v',w',e'))\) where \(u'^z\ne v'\)for the first time, such that \(\mathbf G _{n+i-1}\) sets bad, is \(\frac{1}{q}\). At best, each decryption query will help the adversary to eliminate one possible value, so the possibility that \(\mathbf G _{n+i-1}\) sets bad in Case 4 is at most \(\frac{q_d}{q-q_d}\), which is negligible.

\(\square \)

Appendix B: Identity-based encryption

An IBE scheme consists of four PPT algorithms \((\textsf {{PGen}}, \textsf {{KGen}}, \textsf {{Enc}},\)\(\textsf {{Dec}})\). The parameter generation algorithm \(\textsf {{PGen}}\)\((1^\lambda )\) outputs a public parameter pp and a master secret key msk. The private key generation algorithm \(\textsf {{KGen}}(pp,msk,id)\) takes pp, msk and an identity id as input, and outputs a secret key \(sk_{id}\) for id. The encryption algorithm \(\textsf {{Enc}}(pp,id,m)\) taking pp, id and a message m as input, outputs a ciphertext c. The decryption algorithm \(\textsf {{Dec}}(pp,sk_{id},c)\), taking pp, \(sk_{id}\) and c as input, outputs a message m or \(\bot \), which indicates that c is invalid. For correctness, we require that for any valid identity id and valid message m, \((pp,msk)\leftarrow \textsf {{PGen}}(1^\lambda )\), \(c\leftarrow \textsf {{Enc}}(pp, id, m)\) and \(sk_{id}\leftarrow \textsf {{KGen}}(pp,msk,id)\), \(\textsf {{Dec}}(pp,sk_{id},c)=m\) with overwhelming probability.

Appendix C: Strong one-time signature

A signature scheme consists of three PPT algorithms \(\textsf {SIG}=(\textsf {{SGen}}, \textsf {{Sign}},\)\(\textsf {{Verf}})\). The key generation algorithm \(\textsf {{SGen}}(1^\lambda )\) outputs a signing/verification key pair \((sk_{\textsf {s}},vk_{\textsf {s}})\). The signing algorithm \(\textsf {{Sign}}(sk_{\textsf {s}},m)\) taking \(sk_{\textsf {s}}\) and a message m as input, outputs a signature sg. The verification algorithm \(\textsf {{Verf}}(vk_{\textsf {s}},m,sg)\), taking \(vk_{\textsf {s}}\), m and sg as input, returns \(b\in \{0,1\}\). For correctness, we require that for any valid message m, \((sk_{\textsf {s}},vk_{\textsf {s}})\leftarrow \textsf {{SGen}}(1^\lambda )\) and \(sg\leftarrow \textsf {{Sign}}(sk_{\textsf {s}}, m)\), \(\textsf {{Verf}}(vk_{\textsf {s}}, m, sg)=1\) with overwhelming probability. SIG is called strong one-time, if for any PPT adversary A, the advantage

$$\begin{aligned} \mathbf {Adv} _{\textsf {{SIG}}, A}^{\text {{str-ot}}}(\lambda ):=\Pr { \left[ \begin{array}{l} (sk_{\textsf {s}},vk_{\textsf {s}})\leftarrow \textsf {{SGen}}(1^\lambda ) \\ m\leftarrow A(vk_{\textsf {s}})\\ sg\leftarrow \textsf {{Sign}}(sk_{\textsf {s}}, m)\\ (m',sg')\leftarrow A(sg)\\ \end{array} \text {{{:}}} ~\begin{array}{l} (m',sg')\ne (m,sg) \bigwedge \\ ~\textsf {{Verf}}(vk_{\textsf {s}}, m, sg)=1\\ \end{array} \right] } \end{aligned}$$

is negligible.

Appendix D: Identity-based key encapsulation mechanism

According to [5], an identity-based key encapsulation mechanism (IB-KEM) scheme for a session key space \(\mathcal {K}\) consists of four PPT algorithms \((\textsf {{PGen}}, \textsf {{KGen}}, \textsf {{Encap}},\)\(\textsf {{Decap}})\). The parameter generation algorithm \(\textsf {{PGen}}(1^\lambda )\) outputs a public parameter pp and a master secret key msk. The private key generation algorithm \(\textsf {{KGen}}(pp,msk,id)\) takes pp, msk and an identity id as input, and outputs a secret key \(sk_{id}\) for id. The encapsulation algorithm \(\textsf {{Encap}}(pp,id)\) taking pp and id as input, outputs a session key \(k\in \mathcal {K}\) and a corresponding ciphertext c. The decapsulation algorithm \(\textsf {{Decap}}(pp,sk_{id},c)\), taking pp, \(sk_{id}\) and c as input, outputs a session key k or \(\bot \), which indicates that c is invalid. For correctness, we require that for any valid identity id, \((pp,msk)\leftarrow \textsf {{PGen}}(1^\lambda )\), \((k,c)\leftarrow \textsf {{Encap}}(pp, id)\) and \(sk_{id}\leftarrow \textsf {{KGen}}(pp,msk,id)\), \(\textsf {{Decap}}(pp,sk_{id},c)=k\) with overwhelming probability. For any blockcipher E, an IB-KEM is called E-independent if none of its four underlying algorithms invokes E in either direction.

The notion of IND-sID-CPA security for IB-KEM is very similar to IND-sID-CPA security for IBE. For constructions, any IND-sID-CPA secure IBE scheme (e.g., [7]) is an IB-KEM scheme achieving this security.