Possibility and Impossibility Results for Receiver Selective Opening Secure PKE in the Multi-challenge Setting

Yang, Rupeng; Lai, Junzuo; Huang, Zhengan; Au, Man Ho; Xu, Qiuliang; Susilo, Willy

doi:10.1007/978-3-030-64837-4_7

Rupeng Yang¹⁰,
Junzuo Lai¹¹,
Zhengan Huang¹²,
Man Ho Au¹⁰,
Qiuliang Xu¹³ &
…
Willy Susilo¹⁴

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12491))

Included in the following conference series:

International Conference on the Theory and Application of Cryptology and Information Security

1578 Accesses
7 Citations

Abstract

Public key encryption (PKE) schemes are usually deployed in an open system with numerous users. In practice, it is common that some users are corrupted. A PKE scheme is said to be receiver selective opening (RSO) secure if it can still protect messages transmitted to uncorrupted receivers after the adversary corrupts some receivers and learns their secret keys. This is usually defined by requiring the existence of a simulator that can simulate the view of the adversary given only the opened messages. Existing works construct RSO secure PKE schemes in a single-challenge setting, where the adversary can only obtain one challenge ciphertext for each public key. However, in practice, it is preferable to have a PKE scheme with RSO security in the multi-challenge setting, where public keys can be used to encrypt multiple messages. In this work, we explore the possibility of achieving PKE schemes with receiver selective opening security in the multi-challenge setting. Our contributions are threefold. First, we demonstrate that PKE schemes with RSO security in the single-challenge setting are not necessarily RSO secure in the multi-challenge setting. Then, we show that it is impossible to achieve RSO security for PKE schemes if the number of challenge ciphertexts under each public key is a priori unbounded. In particular, we prove that no PKE scheme can be RSO secure in the k-challenge setting (i.e., the adversary can obtain k challenge ciphertexts for each public key) if its secret key contains less than k bits. On the positive side, we give a concrete construction of PKE scheme with RSO security in the k-challenge setting, where the ratio of the secret key length to k approaches the lower bound 1.

You have full access to this open access chapter, Download conference paper PDF

Receiver selective opening security for identity-based encryption in the multi-challenge setting

Article 17 November 2022

Receiver Selective Opening CCA Secure Public Key Encryption from Various Assumptions

Selective Opening Security for Receivers

1 Introduction

The standard notion of security for public key encryption (PKE) schemes is indistinguishability of 1-ciphertext (denoted as IND-CPA security). That is to say, given one challenge ciphertext to an adversary, which encrypts a message from a set of two messages chosen by the adversary, it could not distinguish which message is encrypted. Such a simple security notion in fact implies semantic security with multiple challenge ciphertexts, which prevents the adversary from learning any information about the encrypted messages after viewing a priori unbounded number of ciphertexts.

In many real world scenarios, the adversary may have the capability to learn internal states of partial users via corrupting their devices. Such attacks are called selective opening attacks [DNRS99]. A PKE scheme is said to be secure against selective opening attacks if it can still protect messages transmitted between uncorrupted users. Surprisingly, standard security does not imply security against selective opening attacks immediately [BDWY12, HR14, HRW16].

The formal study of selective opening secure PKE was initialized by Bellare et al. in [BHY09]. They consider two types of selective opening attacks, namely, sender selective opening (SSO) attacks, where the attacker corrupts senders and obtains the randomness used for encrypting messages, and receiver selective opening (RSO) attacks, where the attacker corrupts receivers and obtains their secret keys. Also, for each attack, security can be defined by either an indistinguishability-based definition, which extends the standard IND-CPA security to the selective opening setting, or a simulation-based definition, which defines semantic security against selective opening attackers. In all definitions, the adversary first gets some challenge ciphertexts, then it “opens” some of them via corrupting the related users. An indistinguishability-based definition ensures that the adversary is not able to distinguish encrypted messages in unopened ciphertexts, while in a simulation-based definition, there should exist a simulator that can simulate the view of the adversary given only the opened messages.

Since selective opening security can be defined in different manners, it is important to clarify relations between different definitions. As shown in [HPW15], indistinguishability-based selective opening security is not sufficient to imply simulation-based selective opening security in both the SSO setting and the RSO setting. Thus, for selective opening security, it is desirable to consider simulation-based definitions.^{Footnote 1}

It is also interesting to explore whether selective opening security in the single-challenge setting, i.e., each public key is only used once to produce a single challenge ciphertext, is enough for achieving selective opening security in the multi-challenge setting, where each public key can be reused to encrypt multiple challenge messages. This question is particularly important for the RSO setting, because all previous works in this area only consider how to construct encryption schemes secure in the single-challenge setting and it is unknown whether they are still secure in the more realistic multi-challenge setting.

1.1 Our Results

In this work, we initiate the study of RSO security in the multi-challenge setting. In particular, we consider an adversary that can obtain k challenge ciphertexts for each public key, and denote security in this setting as $\text {{RSO}}_{k}$ security.^{Footnote 2} We focus on simulation-based definitions and define security against both the chosen-plaintext adversary ($\text {{SIM-RSO}}_{k}\text {{-CPA}}$) and the chosen-ciphertext adversary ($\text {{SIM-RSO}}_{k}\text {{-CCA}}$). In summary, our contributions are as follows:

We show that RSO security in the single-challenge setting is not enough to guarantee RSO security in the multi-challenge setting. We demonstrate this by providing a PKE scheme that is $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure, but is not $\text {{SIM-RSO}}_{k+1}\text {{-CPA}}$ secure for any polynomial k (recall that RSO security in the single-challenge setting can be denoted as $\text {{RSO}}_{1}$ security). The PKE schemes build on an IND-CPA secure PKE scheme and a simulation-sound non-interactive zero-knowledge (NIZK) proof, thus, this also provides the first positive result for achieving RSO security in the multi-challenge setting.
We prove that it is impossible to achieve SIM-RSO security in the multi-challenge setting if we do not bound the number of challenge ciphertexts for each public key. In particular, we provide a lower bound on the secret key length for any PKE scheme with $\text {{RSO}}_{k}$ security in the non-programmable random oracle model, which indicates that the size of the secret key must be as large as the total number of message bits ever encrypted. For example, for any PKE with $\text {{RSO}}_{k}$ security, assuming its message space is $\{0,1\}^m$ and the secret key space is $\{0,1\}^{l}$, then we have $l \ge mk$.
We construct a concrete $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure PKE scheme from the DDH assumption, where the message space is $\{0,1\}$, the public key is a group element and the secret key only contains a number in $\mathbb {Z}_q$ and k bits.^{Footnote 3} This is nearly optimal in an asymptotic sense as the ratio of secret key length to k is $1+\frac{\log {q}}{k}$, which approaches the lower bound 1 as the messages number k increases.
We prove that the well-known Naor-Yung paradigm [NY90, Sah99] still works for SIM-RSO security and give a generic construction of $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure PKE scheme from a $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure PKE scheme, an IND-CPA secure PKE scheme, and a simulation-sound NIZK proof. The construction preserves the key length of the underlying $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure scheme. Thus, combining our (nearly) optimal $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure scheme with the generic construction, we obtain a (nearly) optimal $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure PKE scheme.

1.2 Technical Overview

In this section, we give a brief overview of how to achieve our negative and positive results. In a high-level, we first observe that a large enough secret key space (conditioned on some public information) is needed to achieve $\text {{RSO}}_{k}$ security, and employ this observation to lower bound the secret key length for any $\text {{RSO}}_{k}$ secure PKE scheme. Then we apply the observation to some concrete constructions and provide counterexamples separating $\text {{RSO}}_{k}$ security and $\text {{RSO}}_{k+1}$ security. Finally, we construct (nearly) optimal $\text {{RSO}}_{k}$ secure PKE scheme, whose secret key length approaches the above lower bound in an asymptotic sense.

Next, we describe the ideas in more detail.

On Lower Bounding Key Length of $\mathbf{RSO}_{k}$ Secure PKE scheme. We start by showing that a $\text {{RSO}}_{k}$ secure PKE scheme must have a long enough secret key. For simplicity of discussion, here we assume that the message space of the scheme is $\{0,1\}$ and explain why it cannot be $\text {{RSO}}_{k}$ secure if its secret key length contains at most $k-1$ bits.

Intuitively, this is because the number of possible secret keys are not enough to explain k messages. In more detail, to simulate an adversary’s output, a $\text {{RSO}}_{k}$ simulator^{Footnote 4} should generate challenge ciphertexts and send them to the adversary first. Then in the opening phase, on input the opened messages, the simulator needs to generate secret keys that can map each ciphertext to corresponding message. Remember that it needs to map k fixed ciphertexts to a vector of k 1-bit messages using each secret key. Thus, the number of candidate secret keys should be at least $2^{k}$ to guarantee that the simulator is able to choose the correct secret key for every possible messages vector. However, if the secret key length of the scheme does not exceed $k-1$, then the number of possible secret keys will not exceed $2^{k-1}$. That is to say, for at least half of the possible messages vectors, the simulator is not able to create a correct secret key to explain them. So, with probability 1/2 (assuming messages are sampled uniformly), the simulation will fail.

To formalize this intuition, we use ideas in previous works [Nie02, BSW11, BDWY12, BO13] that argue impossibility to achieve simulation-based security against a key-revealing attacker.^{Footnote 5} In a nutshell, given a hash function, which is modeled as a non-programmable random oracle, we define a $\text {{RSO}}_{k}$ adversary as follows. In the first phase, on receiving a set of n public keys $\textit{\textbf{PK}}=(pk_i)_{i\in [n]}$, it returns a uniform distribution; then in the second phase, on receiving a set of challenge ciphertexts $\textit{\textbf{CT}}$, it returns a set of indices $\mathcal {I} \subseteq [n]$, which is the hash of $(\textit{\textbf{PK}},\textit{\textbf{CT}})$; finally, on receiving the opened secret keys $\textit{\textbf{SK}}_{\mathcal {I}}$ and messages $\textit{\textbf{M}}_{\mathcal {I}}$^{Footnote 6}, it outputs $(\textit{\textbf{PK}},\textit{\textbf{CT}},\textit{\textbf{SK}}_{\mathcal {I}})$. Note that a simulator who would like to simulate the adversary’s view should generate $\textit{\textbf{PK}}$ and $\textit{\textbf{CT}}$ before viewing the opened messages, since otherwise, it has to invert the random oracle, which is infeasible. Thus, if we feed the simulator with different messages, it should create secret keys conditioned on fixed $\textit{\textbf{PK}}$ and $\textit{\textbf{CT}}$. As the number of possible messages is much larger than the number of possible secret keys^{Footnote 7}, such simulator does not exist.

On Separating $\text {{RSO}}_{k+1}$ Security and $\text {{RSO}}_{k}$ Security. Next, we explain how to construct a scheme that is $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure, but is not even $\text {{SIM-RSO}}_{k+1}\text {{-CPA}}$ secure. Our starting point is an encryption scheme $\mathsf {\Pi }_1$ from the well-known Naor-Yung paradigm [NY90, Sah99], which is proved to be $\text {{SIM-RSO}}_{1}\text {{-CCA}}$ secure for 1-bit message in [HKM+18]. We first recall the scheme briefly and show that it is not $\text {{SIM-RSO}}_{2}\text {{-CPA}}$ secure. Then we explain how to upgrade it to a scheme that is $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure, but is not $\text {{SIM-RSO}}_{k+1}\text {{-CPA}}$ secure.

The scheme $\mathsf {\Pi }_1$ relies on a normal PKE scheme $\mathsf {E}$ and a simulation-sound NIZK proof system. Its public key $PK=(pk_0,pk_1)$ is a pair of public keys of $\mathsf {E}$ and its secret key is $SK=(s,sk_s)$, where s is a bit and $sk_s$ is the secret key corresponding to $pk_s$. The encryption of a bit m includes an encryption of m under $pk_0$, an encryption of m under $pk_1$ and a proof indicating that the two ciphertexts encrypt the same message. To decrypt a ciphertext, the decryption algorithm first checks the validity of the proof attached and decrypts the ciphertext under $pk_s$ using $sk_s$.

The $\text {{SIM-RSO}}_{1}\text {{-CCA}}$ security of $\mathsf {\Pi }_1$ comes from the fact that given a malformed ciphertext, which encrypts a random bit b under $pk_0$ and encrypts $1-b$ under $pk_1$, one can open it to any message $m\in \{0,1\}$. In particular, if $m=b$, then the returned secret key is $(0,sk_0)$ and otherwise, the returned secret key is $(1,sk_1)$. In this way, to simulate the view of a $\text {{SIM-RSO}}_{1}\text {{-CCA}}$ adversary the simulator can generate such malformed ciphertext in the beginning and answer the opening query according to the opened messages. Indistinguishability between malformed ciphertexts and well-formed ciphertexts comes from security of $\mathsf {E}$ and zero-knowledge property of the underlying NIZK. Also, determining the secret keys until the opening stage will not affect answers to decryption oracle queries since the adversary is only allowed to submit a well-formed ciphertext, which are identically decrypted under $sk_0$ and $sk_1$.

Next, we show that if for each public key of $\mathsf {E}$, there exists at most one valid secret key for it and it is easy to check if a public key/secret key pair is valid^{Footnote 8}, $\mathsf {\Pi }_1$ will not be $\text {{SIM-RSO}}_{2}\text {{-CPA}}$ secure.

Our key observation is that in this case, while the number of possible secret keys is very large, the number of possible secret keys for a fixed public key is not enough to explain 2 messages. Recall that to prove $\text {{SIM-RSO}}_{2}\text {{-CPA}}$ security of $\mathsf {\Pi }_1$, we need a simulator that is forced to produce challenge ciphertexts before seeing the opened messages and is required to create the correct secret keys that maps the challenge ciphertexts to the opened messages. For a public key $PK=(pk_0,pk_1)$, the best possible strategy for the simulator to generate the challenge ciphertext seems to set the first ciphertext $CT_1=(\mathsf {E}.\mathtt {Enc}(pk_0,b_1),\mathsf {E}.\mathtt {Enc}(pk_1,1-b_1))$ and set the second ciphertext $CT_2=(\mathsf {E}.\mathtt {Enc}(pk_0,b_2),\mathsf {E}.\mathtt {Enc}(pk_1,1-b_2))$, where $b_1$ and $b_2$ are random bits. Then, in the opening phase, the simulator can return a secret key, which is either $(0,sk_0)$ or $(1,sk_1)$, to the adversary, where $sk_0,sk_1$ are the unique valid secret keys for $pk_0$ and $pk_1$ respectively. The secret key $(0,sk_0)$ can decrypt the challenger ciphertexts to $(b_1,b_2)$ and the secret key $(1,sk_1)$ can decrypt the challenger ciphertexts to $(1-b_1,1-b_2)$. But if the opened messages are $(b_1,1-b_2)$ or $(1-b_1,b_2)$, no secret key can map challenge ciphertexts to them. So, with probability 1/2 (assuming messages are sampled uniformly), the simulation will fail. Therefore, we can exploit the techniques for lower bounding secret key length of $\text {{RSO}}_{k}$ secure PKE schemes to compromise the $\text {{RSO}}_{2} $ security of $\mathsf {\Pi }_1$.

Next, we explain how to upgrade $\mathsf {\Pi }_1$ to a $\text {{RSO}}_{k}$-secure but $\text {{RSO}}_{k+1}$-insecure scheme. Our main idea is to use k pairs of public keys of $\mathsf {E}$ to encrypt messages. More precisely, to encrypt a bit m under a public key $PK=(pk_{1,0},pk_{1,1}, \ldots , pk_{k,0},pk_{k,1})$, the encryption algorithm first samples a k-bit string $(p_1, \ldots , p_k)$ that $p_1 \oplus \ldots \oplus p_k=m$, and then encrypts $p_i$ with $(pk_{i,0},pk_{i,1})$. Then it generates a NIZK proof proving the correctness of all k pairs of ciphertexts. The final ciphertext includes all 2k ciphertexts of $\mathsf {E}$ and the proof.

Now, to simulate the view of an adversary in a $\text {{SIM-RSO}}_k$ experiment, or alternatively, to generate k ciphertexts and open them to any k-bit string, the simulator generates the ciphertexts as follows:

where each $p_{i,j} \overset{\$}{\leftarrow }\{0,1\}$, and $CT_i$ consists of encryption of $(p_{i,j},p_{i,j})$ (or $(p_{i,i},1-p_{i,i})$) under public key $(pk_{j,0},pk_{j,1})$ and a fake proof generated by the NIZK simulator.

Note that, for each public key pair $(pk_{i,0},pk_{i,1})$, the simulator is only required to cheat on one ciphertext (the ones in a dashed box), thus it can succeed in finding the correct secret key.

The reason that the new scheme is not $\text {{SIM-RSO}}_{k+1}\text {{-CPA}}$ secure is the same as that why $\mathsf {\Pi _1}$ is not $\text {{SIM-RSO}}_{2}\text {{-CPA}}$ secure. Note that in the new scheme, the number of valid secret keys for a public key $PK=(pk_{1,0},pk_{1,1}, \ldots , pk_{k,0},pk_{k,1})$ is $2^k$, which is much less than the number of possible opening messages ($2^{k+1}$). Thus, we can use a similar strategy to show that no simulator is able to simulate the adversary’s view in a $\text {{SIM-RSO}}_{k+1}\text {{-CPA}}$ experiment.

On Constructing $\mathbf{RSO}_{k}$ Secure PKE Scheme with (Nearly) Optimal Secret Key Length. Now, we demonstrate how to achieve $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure PKE scheme with (nearly) optimal secret key length. Note that standard techniques for shortening secret keys of PKE schemes (e.g., deriving secret keys from a shorter seed via a pseudorandom generator) do not work here since in the receiver selective opening setting, the simulator needs to generate secret keys satisfying some conditions and using these techniques may lead to an inefficient simulator (e.g., the simulator may have to invert a pseudorandom generator).

Our starting point is the celebrated Cramer-Shoup encryption scheme [CS98], which was shown to be $\text {{SIM-RSO}}_{1}\text {{-CCA}}$ secure in [HKM+18, HLC+19]. Here, we will use its variant with CPA security ($\mathsf {\Pi }_{\text {CS-CPA}}$). We first reduce the key length of the scheme. Then, we upgrade it to be $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure via merely adding $k-1$ bits to the secret key. Finally, we transform the scheme into a $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure one by employing the well-known Naor-Yung double encryption paradigm [NY90, Sah99], where a normal IND-CPA secure PKE scheme and a simulation-sound NIZK proof is additionally used. In our construction, we fix the secret key of the new scheme to be the secret key of the underlying $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure scheme. Also, we need to tweak the security proof to fit the definition of SIM-RSO-CPA/CCA security.

Next, we first recall $\mathsf {\Pi }_{\text {CS-CPA}}$ and explain why it is $\text {{SIM-RSO}}_{1}\text {{-CPA}}$ secure. Then we provide a more detailed description on how to reduce its key length and how to upgrade the scheme to achieve $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ security.

The scheme $\mathsf {\Pi }_{\text {CS-CPA}}$ works in a cyclic group $\mathbb {G}$ of prime order q with generator g. Let $g_0=g^{a_0},g_1=g^{a_1},h=g^b$, then the secret key of the scheme is $(s_0,s_1) \in \mathbb {Z}_q^{2}$ and the public key is $ pk =g_0^{s_0} g_1^{s_1}$. To encrypt a bit $m\in \{0,1\}$, the encryption algorithm samples $w \overset{\$}{\leftarrow }\mathbb {Z}_q$, and computes the ciphertext $CT=(x_0,x_1,C)=(g_0^{w},g_1^{w}, pk ^{w} \cdot h^{m})$. The decryption algorithm tests if $x_0^{s_0} x_1^{s_1} = C$ and outputs 0 if this is the case.

To simulate the view of a $\text {{SIM-RSO}}_{1}\text {{-CPA}}$ adversary, the simulator can first sample $(s'_0,s'_1) \overset{\$}{\leftarrow }\mathbb {Z}_q^{2}$, compute $ pk =g_0^{s'_0} g_1^{s'_1}$ and generate a malformed ciphertext $CT=(x_0,x_1,C)=(g_0^{w_0},g_1^{w_1},x_0^{s'_0} x_1^{s'_1})$ for each receiver. Here, $w_0,w_1$ are distinct random elements in $\mathbb {Z}_q$ and the malformed ciphertext is indistinguishable from an honestly generated one due to the DDH assumption. Then, for each corrupted receiver, assuming the opened message is m, the simulator creates the secret key $(s_0,s_1)$ compatible with the current view by solving the following equations:

$$\begin{aligned} {\left\{ \begin{array}{ll} g_0^{s_0} g_1^{s_1}=g_0^{s'_0} g_1^{s'_1} \\ x_0^{s_0} x_1^{s_1} \cdot h^m=x_0^{s'_0} x_1^{s'_1} \end{array}\right. } \end{aligned}$$

(1)

which can be transformed into

$$\begin{aligned} {\left\{ \begin{array}{ll} a_0 s_0 + a_1 s_1 = a_0 s'_0 + a_1 s'_1 \\ a_0 w_0 s_0 + a_1 w_1 s_1 + b m =a_0 w_0 s'_0 + a_1 w_1 s'_1 \end{array}\right. } \end{aligned}$$

The equation has a solution since $w_0 \not = w_1$. Thus, the simulator can succeed in simulating the view of a $\text {{SIM-RSO}}_{1}\text {{-CPA}}$ adversary.

Reducing the Key Length. It is worth noting that in the scheme $\mathsf {\Pi }_{\text {CS-CPA}}$, some bits of the secret key are wasted. In particular, the simulator is able to simulate the view of the adversary if Equation (1) has solutions in both the case $m=0$ and that $m=1$. Thus, it is appealing to see if the equations still always have solutions in some smaller solution space.

We observe that, if we change the strategy of the simulator, then it is possible to reduce the secret key space to $\mathbb {Z}_q \times \{0,1\}$. In more detail, for each receiver, the simulator samples $(s'_0,s'_1) \overset{\$}{\leftarrow }\mathbb {Z}_q \times \{0,1\}$, computes $ pk =g_0^{s'_0} g_1^{s'_1}$ and changes the format of malformed ciphertext into $CT=(x_0,x_1,C)=(g_0^{w},g_1^{w} \cdot h^{\alpha },x_0^{s'_0} x_1^{s'_1})$. Here $\alpha =1$ if $s'_1=1$ and $\alpha =-1$ if $s'_1=0$, and the malformed ciphertext is still indistinguishable from an honestly generated one due to the DDH assumption. Now, the secret key $(s_0,s_1)$ needs to satisfy the following equation:

$$\begin{aligned} {\left\{ \begin{array}{ll} a_0 s_0 + a_1 s_1 = a_0 s'_0 + a_1 s'_1 \\ a_0 w s_0 + a_1 w s_1 + b \alpha s_1 + b m = a_0 w s'_0 + a_1 w s'_1 + b \alpha s'_1 \end{array}\right. } \end{aligned}$$

It is easy to see that if $m=0$, then $s_1=s'_1$ and thus $s_1 \in \{0,1\}$; if $m=1$, then $1= \alpha \cdot (s'_1 - s_1)$, which implies that 1) if $s'_1=1$, then $s_1=0$ and 2) if $s'_1=0$, then $s_1=1$. Therefore, the scheme is still secure if we reduce the secret key length to $\lceil \log {q} \rceil +1$.

Next, we show how to upgrade the revised scheme to achieving $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ security. Our first attempt is to use the idea in upgrading the counterexample $\mathsf {\Pi }_1$, i.e., secret sharing the message into k bits and using k independent instances of the scheme to encrypt each bit. However, this will lead to a scheme with key length $k\cdot (\lceil \log {q} \rceil +1)$, which is far from optimal.

To solve this problem, our key observation is that, when generating the k public key/secret key pairs, $s_0$ and the public key can be reused. More precisely, let $g_0=g^{a_0},g_1=g^{a_1}, \ldots , g_k=g^{a_k}, h=g^b$, then we set the secret key to be $(s_0,s_1, \ldots , s_k) \overset{\$}{\leftarrow }\mathbb {Z}_q \times \{0,1\}^{k}$ and set the public key to be $ pk =g_0^{s_0} g_1^{s_1} \ldots g_k^{s_k}$. Note that the secret key only contains $\lceil \log {q} \rceil +k$ bits. Then, to encrypt a bit $m\in \{0,1\}$, the encryption algorithm samples $w \overset{\$}{\leftarrow }\mathbb {Z}_q$, and computes the ciphertext $CT=(x_0,x_1, \ldots , x_k, C)=(g_0^{w},g_1^{w}, \ldots , g_k^{w}, pk ^{w} \cdot h^{m})$. The decryption algorithm tests if $x_0^{s_0} x_1^{s_1} \ldots x_k^{s_k} = C$ and outputs 0 if this is the case.

Next, we illustrate why the above scheme is $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure. For each receiver, the simulator samples $(s'_0,s'_1, \ldots , s'_k) \overset{\$}{\leftarrow }\mathbb {Z}_q \times \{0,1\}^{k}$ and computes $ pk =g_0^{s'_0} g_1^{s'_1} \ldots g_k^{s'_k}$. Also, it generates k malformed ciphertexts, where for the i-th ciphertext, $x_i$ is dishonestly created. That is, $CT_i=(x_{i,0},x_{i,1}, \ldots , x_{i,i}, \ldots x_{i,k}, C)=(g_0^{w_i},g_1^{w_i}, \ldots , g_i^{w_i} \cdot h^{\alpha _i}, \ldots ,g_k^{w_i}, x_{i,0}^{s'_0} x_{i,1}^{s'_1} \ldots x_{i,k}^{s'_k})$. Here $\alpha _i=1$ if $s'_i=1$ and $\alpha _i=-1$ if $s'_i=0$. Then, for each corrupted receiver, assuming the k opened messages are $m_1, \ldots , m_k$, the simulator creates the secret key $(s_0,s_1,\ldots ,s_k)$ compatible with the current view by solving the following equations:

$$\begin{aligned} {\left\{ \begin{array}{ll} \prod _{j=0}^{k} g_j^{s_j} =\prod _{j=0}^{k} g_j^{s'_j} \\ (\prod _{j=0}^{k} x_{1,j}^{s_{j}}) \cdot h^{m_1}=\prod _{j=0}^{k} x_{1,j}^{s'_{j}} \\ \qquad \vdots \\ (\prod _{j=0}^{k} x_{k,j}^{s_{j}}) \cdot h^{m_k}=\prod _{j=0}^{k} x_{k,j}^{s'_{j}} \end{array}\right. } \end{aligned}$$

This is equivalent to the following equation:

$$\begin{aligned} {\left\{ \begin{array}{ll} \sum _{j=0}^{k} a_j s_j = \sum _{j=0}^{k} a_j s'_j \\ (\sum _{j=0}^{k} a_j w_1 s_{j}) + b \alpha _1 s_1 + b m_1 = (\sum _{j=0}^{k} a_j w_1 s'_{j}) + b \alpha _1 s'_1\\ \qquad \vdots \\ (\sum _{j=0}^{k} a_j w_k s_{j}) + b \alpha _k s_k + b m_k = (\sum _{j=0}^{k} a_j w_k s'_{j}) + b \alpha _k s'_k \end{array}\right. } \end{aligned}$$

which can be transformed into

$$\begin{aligned} {\left\{ \begin{array}{ll} \sum _{j=0}^{k} a_j s_j = \sum _{j=0}^{k} a_j s'_j \\ m_1 = \alpha _1 (s'_1-s_1)\\ \qquad \vdots \\ m_k = \alpha _k (s'_k-s_k) \end{array}\right. } \end{aligned}$$

Note that, for $i\in [1,k]$, we can set $s_i=s'_i$ if $m_i=0$ and set $s_i=1-s'_i$ if $m_i=1$. Therefore, the simulator is able to produce a simulated secret key $(s_0,s_1,\ldots ,s_k) \in \mathbb {Z}_q \times \{0,1\}^{k}$ and thus can simulate the view of the $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ adversary.

1.3 Related Works

Since first proposed in [BHY09], PKE with selective opening security has been extensively studied. Numerous constructions of SSO secure PKE have been proposed based on various assumptions in previous works (see [FHKW10, HLOV11, Hof12, HLQ13, LP15, HJKS15, HP16, LSSS17, BL17, LLHG18] and references therein for more details).

In contrast, the setting of RSO security is less studied. It is folklore that (receiver) non-committing encryption schemes [CFGN96, Nie02, DN00, CHK05, CDSMW09] imply RSO secure PKE schemes. Then, in [HPW15], Hazay et al. show that RSO security is achievable from a variety of well-established cryptographic primitives and construct RSO secure PKE schemes from various assumptions. In subsequent works [JLL16, JLL17, HKM+18, HLC+19], chosen-ciphertext attacks (CCA) are also considered in the RSO setting and PKE schemes with RSO-CCA security are provided. Moreover, in [KT18], RSO-secure identity-based encryption scheme is constructed. However, in all these works, the proposed encryption schemes are only proved to have RSO security in the single-challenge setting.

1.4 Roadmap

We recall some preliminaries and define $\text {{RSO}}_{k}$ security in Sect. 2. Then in Sect. 3, we provide the lower bound for $\text {{RSO}}_{k}$ secure PKE scheme. Next, we show our counterexamples separating $\text {{RSO}}_{k}$ security and $\text {{RSO}}_{k+1}$ security in Sect. 4. Then, we construct (nearly) optimal PKE schemes with $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ security and $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ security in Sect. 5. Finally, in Sect. 6, we conclude our work with a few possible future works.

2 Preliminaries

Notations. For any positive integer n, we use [n] to denote the set $\{1, 2, \cdots , n\}$. For positive integers $n_1,n_2$ s.t. $n_1<n_2$, we use $[n_1,n_2]$ to denote the set $\{n_1, n_1+1, \cdots , n_2-1,n_2\}$. We use boldface to denote vectors, e.g., $\textit{\textbf{x}}$. We use $\textit{\textbf{x}}[i]$ to denote the i-th component of $\textit{\textbf{x}}$. Also, for a string $s\in \{0,1\}^*$, we use s[i] to denote the i-th bit of s.

For a finite set $\mathcal {S}$, we use $|\mathcal {S} |$ to denote the size of $\mathcal {S}$ and use $s \overset{\$}{\leftarrow }\mathcal {S}$ to denote the process of sampling s uniformly from $\mathcal {S}$. For a distribution $\mathcal {D}$, we use $x\leftarrow \mathcal {D}$ to denote the process of sampling x from $\mathcal {D}$. For a positive integer n, we use $\mathcal {U}_n$ to denote the uniform distribution over $\{0,1\}^n$.

For a probabilistic algorithm $\mathtt {A}$, we use $\mathtt {A}(x;r)$ to denote the process of running $\mathtt {A}$ on input x and inner randomness r. We write PPT for probabilistic polynomial-time. We use $\mathtt {negl}(\lambda )$ to denote a negligible function.

2.1 Assumptions and Cryptographic Primitives

The DDH Assumption. First, we recall the DDH assumption. Let $\mathbb {G}$ be a cyclic group of prime order q with a generator g. The DDH assumption requires that it is hard to distinguish $(g^a,g^b,g^c)$ and $(g^a,g^b,g^{ab})$, where $a,b,c \overset{\$}{\leftarrow }\mathbb {Z}_q$.

Unbounded Simulation-Sound NIZK Proofs. The notion of NIZK proof was proposed by Blum et al. in [BFM88]. As shown in [Sah99], an unbounded simulation-sound NIZK proof for every language in NP exists assuming the existence of (doubly-enhanced) trapdoor permutations.

Let $\mathtt {R}$ be an efficiently computable binary relation. A NIZK proof for a language $\mathcal {L}=\{x : \exists w, (x,w) \in \mathtt {R}\}$ consists of three PPT algorithms:

$\mathtt {Gen}$. On input the security parameter $\lambda $, the common reference string generation algorithm outputs a common reference string $\mathsf {crs}$.
$\mathtt {Prove}$. On input a common reference string $\mathsf {crs}$, a statement $x\in \mathcal {L}$ and a witness w for x, the proving algorithm outputs a proof $\pi $.
$\mathtt {Verify}$. On input a common reference string $\mathsf {crs}$, a statement x and a proof $\pi $, the verification algorithm outputs a bit indicating whether the proof is valid.

Also, it satisfies the following conditions:

Completeness. For any $(x,w) \in \mathtt {R}$, let $\mathsf {crs} \leftarrow \mathtt {Gen}(1^{\lambda })$ and $\pi \leftarrow \mathtt {Prove}(\mathsf {crs}, x, w)$, then we have $\mathtt {Verify}(\mathsf {crs}, x, \pi )=1$.
Unbounded Zero-Knowledge. There exists a PPT simulator $(\mathtt {S}_1,\mathtt {S}_2)$ that for any PPT adversary $\mathcal {A}$, we have
$$\begin{aligned} \left| \text {Pr}\begin{bmatrix} \begin{aligned} &{}\mathsf {crs} \leftarrow \mathtt {Gen}(1^{\lambda });\\ &{}\mathcal {A}^{\mathtt {P}(\mathsf {crs},\cdot ,\cdot )}(\mathsf {crs})=0 \end{aligned} \end{bmatrix} - \text {Pr}\begin{bmatrix} \begin{aligned} &{}(\mathsf {crs},\mathsf {td}) \leftarrow \mathtt {S}_1(1^{\lambda }); \\ &{}\mathcal {A}^{\mathtt {S}(\mathsf {crs},\mathsf {td},\cdot ,\cdot )}(\mathsf {crs})=0 \end{aligned} \end{bmatrix} \right| \le \mathsf {negl}(\lambda ) \end{aligned}$$
where $\mathtt {P}(\mathsf {crs},x,w)$ outputs $\mathtt {Prove}(\mathsf {crs},x,w)$ if $(x,w)\in \mathtt {R}$ and outputs $\perp $ otherwise; $\mathtt {S}(\mathsf {crs},\mathsf {td},x,w)$ outputs $\mathtt {S}_2(\mathsf {crs},\mathsf {td},x)$ if $(x,w)\in \mathtt {R}$ and outputs $\perp $ otherwise.
Unbounded Simulation-Soundness. Let $(\mathtt {S}_1,\mathtt {S}_2)$ be a PPT simulator for the zero-knowledge property of the NIZK proof. For any unbounded adversary $\mathcal {A}$, we have
$$\begin{aligned} \text {Pr}\begin{bmatrix} \begin{aligned} &{}(\mathsf {crs},\mathsf {td}) \leftarrow \mathtt {S}_1(1^{\lambda });\\ &{}(x,\pi ) \leftarrow \mathcal {A}^{\mathtt {S}(\mathsf {crs},\mathsf {td},\cdot )}(\mathsf {crs}); \\ &{}\text {Let } Q \text { be list of input/output} \\ &{}\text {pairs for the oracle } \mathtt {S} \end{aligned} \quad : \quad \begin{aligned} &{} (x,\pi ) \not \in Q \wedge x\not \in \mathcal {L} \\ &{} \wedge \mathtt {Verify}(\mathsf {crs},x,\pi )=1 \end{aligned} \end{bmatrix} \le \mathsf {negl}(\lambda ) \end{aligned}$$

where $\mathtt {S}(\mathsf {crs},\mathsf {td},x)$ outputs $\mathtt {S}_2(\mathsf {crs},\mathsf {td},x)$.

2.2 PKE with $\text {{RSO}}_{k}$ Security

A public key encryption scheme $\mathsf {PKE}=(\mathtt {Setup},\mathtt {Gen}, \mathtt {Enc}, \mathtt {Dec})$ consists of four PPT algorithms:

$\mathtt {Setup}$. On input the security parameter $1^\lambda $, the setup algorithm outputs the public parameter $\mathsf {pp}$.
$\mathtt {Gen}$. On input the public parameter $\mathsf {pp}$, the key generation algorithm outputs a public key pk and a secret key sk.
$\mathtt {Enc}$. On input the public parameter $\mathsf {pp}$, the public key pk and a message m, the encryption algorithm outputs a ciphertext ct.
$\mathtt {Dec}$. On input the public parameter $\mathsf {pp}$, the public key pk, the secret key sk and a ciphertext ct, the decryption algorithm outputs a message m.

Correctness of $\mathsf {PKE}$ requires that $\text {Pr}[\mathtt {Dec}(\mathsf {pp},pk,sk,ct)\not =m] \le \mathtt {negl}(\lambda )$ for any message m, where $\mathsf {pp} \leftarrow \mathtt {Setup}(1^{\lambda }),(pk,sk) \leftarrow \mathtt {Gen}(\mathsf {pp}), ct \leftarrow \mathtt {Enc}(\mathsf {pp},pk,m)$.

The basic security requirement of PKE schemes is IND-CPA security:

Definition 2.1

(IND-CPA Security). We say that a PKE scheme $\mathsf {PKE}=(\mathtt {Setup},\mathtt {Gen}, \mathtt {Enc}, \mathtt {Dec})$ is IND-CPA secure if for any PPT adversary $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)$,

$$\begin{aligned} \text {Pr}[ \mathsf {pp} \leftarrow \mathtt {Setup}(1^{\lambda }), (pk,sk) \leftarrow \mathtt {Gen}(\mathsf {pp}), ( state ,m^*_0,m^*_1) \leftarrow \mathcal {A}_1(pp,pk),\\ b \overset{\$}{\leftarrow }\{0,1\}, ct^* \leftarrow \mathtt {Enc}(\mathsf {pp},pk,m^*_b): \quad \mathcal {A}_2( state ,ct^*)=b ] \le 1/2+\mathtt {negl}(\lambda ) \end{aligned}$$

In this work, we also consider the stronger receiver selective opening security for PKE schemes. Next, we provide definitions of $\text {{RSO}}_{k}$ security, which are adapted from previous works [HPW15, HKM+18, HLC+19]. Our definitions consider chosen-plaintext attackers and chosen-ciphertext attackers respectively and in both cases, we will define security in a simulation-based sense.

Definition 2.2

(SIM-RSO$_{k}$-CPA Security). We say that a PKE scheme $\mathsf {PKE}=(\mathtt {Setup},\mathtt {Gen}, \mathtt {Enc}, \mathtt {Dec})$ is $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure, if for any polynomially bounded function $n>0$, any PPT adversary $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2,\mathcal {A}_3)$, there exists a PPT simulator $\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3)$, such that for any PPT distinguisher $\mathcal {D}$,

$$ |\text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-real}}_{\mathsf {PKE},\mathcal {A},n}(\lambda ))=1] - \text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-ideal}}_{\mathsf {PKE},\mathcal {S},n}(\lambda ))=1] | \le \mathtt {negl}(\lambda )$$

where $\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-real}}_{\mathsf {PKE},\mathcal {A},n}$ and $\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-ideal}}_{\mathsf {PKE},\mathcal {S},n}$ are defined in Fig. 1.

Definition 2.3

(SIM-RSO$_{k}$-CCA Security). We say that a PKE scheme $\mathsf {PKE}=(\mathtt {Setup},\mathtt {Gen}, \mathtt {Enc}, \mathtt {Dec})$ is $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure, if for any polynomially bounded function $n>0$, any PPT adversary $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2,\mathcal {A}_3)$, there exists a PPT simulator $\mathcal {S}=(\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3)$, such that for any PPT distinguisher $\mathcal {D}$,

$$\begin{aligned} |\text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CCA-real}}_{\mathsf {PKE},\mathcal {A},n}(\lambda ))=1] - \text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CCA-ideal}}_{\mathsf {PKE},\mathcal {S},n}(\lambda ))=1] | \le \mathtt {negl}(\lambda ) \end{aligned}$$

where $\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CCA-real}}_{\mathsf {PKE},\mathcal {A},n}$ and $\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CCA-ideal}}_{\mathsf {PKE},\mathcal {S},n}$ are defined in Fig. 1.

3 Lower Bound for PKE with $\text {{RSO}}_{k}$ Security

In this section, we establish a lower bound on the secret key size of a PKE scheme with $\text {{RSO}}_{k}$ security. Roughly, we show that a PKE scheme cannot be $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure (this also implies that it is not $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure) if the length of its secret key is not k times larger than the length of message. Formally, we have:

Theorem 3.1

Let $\mathsf {\Pi }=(\mathtt {Setup},\mathtt {Gen}, \mathtt {Enc}, \mathtt {Dec})$ be a PKE scheme with secret key space $\mathcal {SK}$ and message space $\mathcal {M}$ (w.l.o.g, we assume $\mathcal {SK}=\{0,1\}^{l}$ and $\mathcal {M}=\{0,1\}^{{m}}$). If $l \le {m}k-1$, then $\mathsf {\Pi }$ is not $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure in the non-programmable random oracle model.

Proof

Let $H:\{0,1\}^* \rightarrow \{0,1\}^h$ be a hash function, which is modeled as a non-programmable random oracle. Let $\mathcal {PP}$, $\mathcal {PK}$ and $\mathcal {C}$ be the public parameters set, the public key space and the ciphertext space of $\mathsf {\Pi }$ respectively. Also, let $a=\lceil \log {|\mathcal {PP} |} \rceil $, $b=\lceil \log {|\mathcal {PK} |} \rceil $, $c=\lceil \log {|\mathcal {C} |} \rceil $ and let $\kappa =a+b+ck+2$. Let $n=h+1$, $\epsilon =1/(4\kappa )$.

Consider the concrete adversary $\mathcal {A}=(\mathcal {A}_1, \mathcal {A}_2, \mathcal {A}_3)$ and distinguisher $\mathcal {D}$ defined in Fig. 2. Next, we show that for any PPT simulator $\mathcal {S}=(\mathcal {S}_1, \mathcal {S}_2,\mathcal {S}_3)$:

$$\begin{aligned} |\text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-real}}_{\mathsf {\Pi },\mathcal {A},n}(\lambda ))=1] - \text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-ideal}}_{\mathsf {\Pi },\mathcal {S},n}(\lambda ))=1] | > \epsilon \end{aligned}$$

First, by the correctness of $\mathsf {\Pi }$, we have

$$\text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-real}}_{\mathsf {\Pi },\mathcal {A},n}(\lambda ))=1] \le \mathtt {negl}(\lambda )$$

Next, fixing any PPT simulator $\mathcal {S}=(\mathcal {S}_1, \mathcal {S}_2,\mathcal {S}_3)$^{Footnote 9}, let

$$\begin{aligned} \delta = \text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-ideal}}_{\mathsf {\Pi },\mathcal {S},n}(\lambda ))=1] \end{aligned}$$

Then, it is sufficient to show that $\delta $ is notably larger than $\epsilon $. Concretely, we will argue that $\delta \ge 1/(2\kappa )$ in the remaining part of the proof.

To lower bound $\delta $, we consider an auxiliary experiment $\mathtt {Exp}_{\mathsf {\Pi },\mathcal {S},\mathcal {D},n,k,\kappa }$ defined in Fig. 3 and analyze the distribution of its output. Here, we use $\mathcal {R}_{D}$ to denote the distribution of the randomness for the distinguisher $\mathcal {D}$ (the randomness is used in the decryption algorithm of $\mathsf {\Pi }$) and use $\mathcal {D}(\cdot , \cdot , \cdot ,\cdot ;R)$ to denote running the distinguisher $\mathcal {D}$ with randomness R.

Lemma 3.1

$\text {Pr}[\mathtt {Exp}_{\mathsf {\Pi },\mathcal {S},\mathcal {D},n,k,\kappa }=0] \le 1/4$.

Proof

Assume the experiment outputs 0. First, we have $\mathcal {M}=\mathcal {U}_{{m}nk}$, thus, for each $\iota \in [\kappa ],i \in [n], j \in [k]$, $m^{\iota }_{i,j}$ is sampled uniformly at random from $\{0,1\}^{{m}}$. Also, we know that $n \in \mathcal {I}$ and for $\iota \in [\kappa ]$ and $j\in [k]$, we set $PK^{\iota }=PK^{\iota }_{n}$, $C^{\iota }_{j}=C^{\iota }_{n,j}$, $SK^{\iota }=SK^{\iota }_{n}$, and $m^{\iota }_{j}=m^{\iota }_{n,j}$. Moreover, we have $(\mathsf {PP}^{\iota -1},(PK^{\iota -1}, C^{\iota -1}_{j})_{j\in [k]}) = (\mathsf {PP}^{\iota },(PK^{\iota }, C^{\iota }_{j})_{j\in [k]})$ for all $\iota \in [n]$ and thus we can write $\mathsf {PP}^{\iota }$ as $\mathsf {PP}$, $PK^{\iota }$ as PK and $C^{\iota }_{j}$ as $C_{j}$. Finally, for all $\iota \in [\kappa ]$ and $j\in [k]$, we have $m^{\iota }_{j} = \mathtt {Dec}(\mathsf {PP},PK,SK^{\iota },C_{j};r^{\iota }_j)$, where $r^{\iota }_j$ is the randomness for $\mathtt {Dec}$ derived deterministically from R.

Next, for any randomness R (which determines $(r^{\iota }_j)_{\iota \in [\kappa ],j\in [k]}$), we analyze the probability that all above requirements are satisfied.

First, fix any tuple $(\mathsf {PP}, PK, \textit{\textbf{C}}=(C_1, \ldots , C_{k}),\textit{\textbf{SK}}=(SK^{1}, \ldots , SK^{\kappa }))$ in $\{0,1\}^{a+b+ck+l\kappa }$, which is not necessary the output of the simulator, then we have

$$ \text {Pr}[\forall \iota \in [\kappa ],j\in [k], m^{\iota }_{j} =\mathtt {Dec}(\mathsf {PP},PK,SK^{\iota },C_{j};r^{\iota }_j)] = \frac{1}{2^{{m}k \kappa }} $$

where the probability is taken over the random choice of each $m^{\iota }_j$.

As the total possible ways to choose $\mathsf {PP}$, PK, $\textit{\textbf{C}}=(C_1, \ldots , C_{k})$, and $\textit{\textbf{SK}}=(SK^{1}, \ldots , SK^{\kappa })$ does not exceed $2^{a+b+ck+l\kappa }=2^{(l+1)\kappa -2}$, we have

$$\begin{aligned}&\text {Pr}[\exists \mathsf {PP}, PK, \textit{\textbf{C}}, \textit{\textbf{SK}}: \forall \iota \in [\kappa ],j\in [k], \\&m^{\iota }_{j} =\mathtt {Dec}(\mathsf {PP},PK,SK^{\iota },C_{j};r^{\iota }_j)] \le \frac{2^{(l+1)\kappa -2}}{2^{{m}k\kappa }} \le \frac{2^{{m}k\kappa -2}}{2^{{m}k\kappa }} = \frac{1}{4} \end{aligned}$$

Therefore, the probability that the auxiliary experiment $\mathtt {Exp}_{\mathsf {\Pi },\mathcal {S},\mathcal {D},n,k,\kappa }$ outputs 0 does not exceed 1/4. $\square $

Lemma 3.2

$\text {Pr}[\mathtt {Exp}_{\mathsf {\Pi },\mathcal {S},\mathcal {D},n,k,\kappa }=1] \le \kappa \cdot \delta $.

Proof

First, note that randomness of the experiment $\mathtt {Exp}_{\mathsf {\Pi },\mathcal {S},\mathcal {D},n,k,\kappa }$ comes from three parts, namely, R, randomness of the simulator $\mathcal {S}$ (denoted as $\rho $ here) and randomness used in sampling $m^{\iota }_{i,j}$. Let $\mathcal {R}_S$ be the distribution of the randomness for the simulator $\mathcal {S}$. Let

$$ f(R,\rho )=\text {Pr}\begin{bmatrix} \begin{aligned} &{}(\mathcal {M},s_1) = \mathcal {S}_1(1^{\lambda };\rho );\\ &{}(\mathcal {I},s_2) = \mathcal {S}_2(s_1);\\ &{}\textit{\textbf{M}} := (m_{i,j})_{i\in [n],j\in [k]} \leftarrow \mathcal {M};\\ &{}out = \mathcal {S}_3((m_{i,j})_{i\in \mathcal {I}, j \in [k]},s_2); \end{aligned} \quad : \quad \begin{aligned} \mathcal {D}(\textit{\textbf{M}}, \mathcal {M}, \mathcal {I},out;R)=1 \end{aligned} \end{bmatrix} $$

where the probability is taken over the random choice of each $\textit{\textbf{M}}$. Then, we have

$$ \begin{aligned}&\text {Pr}[\mathtt {Exp}_{\mathsf {\Pi },\mathcal {S},\mathcal {D},n,k,\kappa }=1] \\ =&\mathbb {E}_{R \leftarrow \mathcal {R}_D, \rho \leftarrow \mathcal {R}_S} (1-(1-f(R,\rho ))^{\kappa }) \\ \le&\mathbb {E}_{R \leftarrow \mathcal {R}_D, \rho \leftarrow \mathcal {R}_S} (\kappa \cdot f(R,\rho ) )\\ =&\kappa \cdot \mathbb {E}_{R \leftarrow \mathcal {R}_D, \rho \leftarrow \mathcal {R}_S} f(R,\rho ) \\ =&\kappa \cdot \delta \end{aligned} $$

where the second inequality comes from the Bernoulli’s inequality. $\square $

Lemma 3.3

$\text {Pr}[\mathtt {Exp}_{\mathsf {\Pi },\mathcal {S},\mathcal {D},n,k,\kappa }=2] \le 1/4$.

Proof

This comes from the collision resistant property of the non-programmable random oracle, which is a random function whose output is not controlled by the simulator.

Assuming that H has been queried (either by the adversary, the distinguisher or the simulator) Q times, where Q is a polynomial. Then the probability that there exists two distinct queries $x_1,x_2$ s.t. $H(x_1)=H(x_2)$ does not exceed $\frac{Q^2}{2^{h}}$, which is negligible.

However, if the experiment outputs 2 with a non-negligible probability (e.g., 1/4), then, via running the experiment, one can find $\iota \in [\kappa ]$ that

1)
$(\mathsf {PP}^{\iota -1},(PK^{\iota -1}_i, C^{\iota -1}_{i,j})_{i\in [n],j\in [k]}) \not = (\mathsf {PP}^{\iota },(PK^{\iota }_i, C^{\iota }_{i,j})_{i\in [n],j\in [k]})$
2)
$H(\mathsf {PP}^{\iota -1},(PK^{\iota -1}_i, C^{\iota -1}_{i,j})_{i\in [n],j\in [k]}) = H(\mathsf {PP}^{\iota },(PK^{\iota }_i, C^{\iota }_{i,j})_{i\in [n],j\in [k]}) = (t[1], \ldots , t[h])$, where $t[i]=1 \text { iff } i\in {\mathcal {I}}$ (otherwise, the experiment will output 1)

with a non-negligible probability, which makes a contradiction. $\square $

Finally, combining Lemma 3.1 to Lemma 3.3, we have

$$ 1 \le 1/4 + \kappa \cdot \delta + 1/4 $$

which implies $\delta \ge \frac{1}{2\kappa }$ and this completes the proof. $\square $

Remark 3.1

Theorem 3.1 claims that if the key length of a PKE scheme is not large enough, then it is impossible to prove its $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ security even in the non-programmable random oracle model. At first glance, this also rules out standard model achievability of $\text {{RSO}}_{k}$ security for PKE schemes with short keys. However, as stated in [BO13], impossibility result in non-programmable random oracle model does not extend to that in standard model naturally, since the adversary in the non-programmable random oracle model is also able to access the random oracle and thus is stronger than a standard model adversary.

Nonetheless, We can adapt the proof for Theorem 3.1 to achieve the same lower bound (i.e. $l>{m}k-1$) in the standard model. More precisely, the revised proof is identical to proof of Theorem 3.1, except that we use a collision resistant hash function to replace the use of non-programmable random oracle. But the proof only works in the auxiliary input model, where all participants, including the adversary, the distinguisher, and the simulator, are given some common auxiliary input in the beginning. Here, the auxiliary input is a random key for the underlying collision resistant hash function.

4 $\text {{RSO}}_{k}$ Security $\not \Rightarrow $ $\text {{RSO}}_{k+1}$ Security

We present counterexamples that separate the $\text {{RSO}}_{k}$ security and the $\text {{RSO}}_{k+1}$ security in this section. More precisely, for any polynomial k, we construct a PKE scheme $\mathsf {\Pi }$ that is $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure in the standard model but is not $\text {{SIM-RSO}}_{k+1}\text {{-CPA}}$ secure in the non-programmable random oracle model.

Let $\lambda $ be the security parameter and let k be a positive integer that is polynomial in $\lambda $.

Let $\mathsf {E}=(\mathsf {E}.\mathtt {Setup},\mathsf {E}.\mathtt {Gen},\mathsf {E}.\mathtt {Enc},\mathsf {E}.\mathtt {Dec})$ be a CPA Secure PKE scheme with a deterministic decryption algorithm and an additional verification algorithm $\mathtt {Ver}$. The algorithm $\mathtt {Ver}$ takes as input a public parameter $\mathsf {pp}$ and a public key/secret key pair (pk, sk), and outputs a bit indicating if (pk, sk) is a valid key pair. Also, we require that $\mathsf {E}$ has the following two properties:

Verification Correctness. Let $\mathsf {pp} \leftarrow \mathsf {E}.\mathtt {Setup}(1^{\lambda })$, $(pk,sk) \leftarrow \mathsf {E}.\mathtt {Gen}(\mathsf {pp})$, then $\text {Pr}[\mathsf {E}.\mathtt {Ver}(\mathsf {pp},pk,sk)=1]=1$.
Key Uniqueness. For any $\mathsf {pp}$ and for any pk, $| \{sk \mid \mathsf {E}.\mathtt {Ver}(\mathsf {pp},pk,sk)=1 \} | \le 1$.

It is easy to see that the well-known ElGamal encryption scheme satisfies this property.

Let $\mathsf {NIZK}=(\mathsf {NIZK}.\mathtt {Gen},\mathsf {NIZK}.\mathtt {Prove},\mathsf {NIZK}.\mathtt {Verify})$ be an unbounded simulation-sound NIZK proof system for NP. In particular, we will use it to prove the following language:

$$\begin{aligned} \{(\mathsf {pp}, (pk_{\imath ,\jmath },c_{\imath ,\jmath })_{\imath \in [k], \jmath \in \{0,1\}}) :&\exists ((p_{\imath }, r_{\imath ,\jmath })_{\imath \in [k], \jmath \in \{0,1\}}), \\&\quad \quad (c_{\imath ,\jmath } = \mathsf {E}.\mathtt {Enc}(\mathsf {pp}, pk_{\imath ,\jmath }, p_{\imath }; r_{\imath ,\jmath }))_{\imath \in [k], \jmath \in \{0,1\}}\} \end{aligned}$$

The PKE scheme $\mathsf {\Pi }=(\mathtt {Setup},\mathtt {Gen},\mathtt {Enc},\mathtt {Dec})$ works as follows:

$\mathtt {Setup}$. On input a security parameter $\lambda $, the setup algorithm computes $\mathsf {pp} \leftarrow \mathsf {E}.\mathtt {Setup}(1^{\lambda })$ and $\mathsf {crs} \leftarrow \mathsf {NIZK}.\mathtt {Gen}(1^{\lambda })$. The public parameter for $\mathsf {\Pi }$ is $\mathsf {PP}=(\mathsf {pp},\mathsf {crs})$.
$\mathtt {Gen}$. On input a public parameter $\mathsf {PP}=(\mathsf {pp},\mathsf {crs})$, the key generation algorithm first computes $(pk_{\imath ,\jmath }, sk_{\imath ,\jmath }) \leftarrow \mathsf {E}.\mathtt {Gen}(\mathsf {pp})$ for $\imath \in [k]$ and $\jmath \in \{0,1\}$. Then it samples $s_1, \ldots , s_k \overset{\$}{\leftarrow }\{0,1\}$. The public key $PK=(pk_{\imath ,\jmath })_{\imath \in [k],\jmath \in \{0,1\}}$ and the secret key $SK=(s_{\imath },sk_{\imath ,s_{\imath }})_{\imath \in [k]}$.
$\mathtt {Enc}$. On input a public parameter $\mathsf {PP}=(\mathsf {pp},\mathsf {crs})$, a public key $PK=(pk_{\imath ,\jmath })_{\imath \in [k],\jmath \in \{0,1\}}$ and a message $m \in \{0,1\}$, the encryption algorithm first samples $p_1, \ldots , p_{k}$ uniformly at random from $\{0,1\}$ s.t. $m=p_1 \oplus p_2 \oplus \ldots \oplus p_k$. Then for $\imath \in [k], \jmath \in \{0,1\}$, it samples $r_{\imath ,\jmath }$ randomly from the randomness space of $\mathsf {E}$ and computes $c_{\imath ,\jmath }=\mathsf {E}.\mathtt {Enc}(\mathsf {pp},pk_{\imath ,\jmath },p_{\imath };r_{\imath ,\jmath })$. Finally, it computes $\pi \leftarrow \mathsf {NIZK}.\mathtt {Prove}(\mathsf {crs},(\mathsf {pp}, (pk_{\imath ,\jmath },c_{\imath ,\jmath })_{\imath \in [k], \jmath \in \{0,1\}}),((p_{\imath }, r_{\imath ,\jmath })_{\imath \in [k], \jmath \in \{0,1\}}) )$. The ciphertext is $C=((c_{\imath ,\jmath })_{\imath \in [k], \jmath \in \{0,1\}},\pi )$.
$\mathtt {Dec}$. On input a public parameter $\mathsf {PP}=(\mathsf {pp},\mathsf {crs})$, a public key $PK=(pk_{\imath ,\jmath })_{\imath \in [k],\jmath \in \{0,1\}}$, a secret key $SK=(s_{\imath },sk_{\imath ,s_{\imath }})_{\imath \in [k]}$ and a ciphertext $C=((c_{\imath ,\jmath })_{\imath \in [k], \jmath \in \{0,1\}},\pi )$, the decryption algorithm first checks if $\pi $ is valid and aborts with a decryption failure symbol $\perp $ if it is not the case. Otherwise, it computes $p_{\imath }=\mathsf {E}.\mathtt {Dec}(\mathsf {pp},pk_{\imath ,s_{\imath }},sk_{\imath ,s_{\imath }},c_{\imath ,s_{\imath }})$ and outputs $m=p_1 \oplus \ldots \oplus p_k$.

Theorem 4.1

If $\mathsf {E}$ is an CPA secure PKE scheme and $\mathsf {NIZK}$ is a simulation-sound NIZK proof system, then $\mathsf {\Pi }$ is $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure in the standard model.

Theorem 4.2

If $\mathsf {E}$ is a PKE scheme with deterministic decryption algorithm, verification correctness and key uniqueness, then $\mathsf {\Pi }$ is not $\text {{SIM-RSO}}_{k+1}\text {{-CPA}}$ secure in the non-programmable random oracle model.

Proofs of Theorem 4.1 and Theorem 4.2 are provided in the full version.

Note that we can also prove that $\mathsf {\Pi }$ is not $\text {{SIM-RSO}}_{k+1}\text {{-CPA}}$ secure in the standard model, but similar to the setting discussed in Remark 3.1, we need to assume that all participants, including the adversary, the distinguisher, and the simulator, are given some common auxiliary input in the beginning.

5 $\text {{RSO}}_{k}$ Secure PKE with (Nearly) Optimal Secret Key Length

In this section, we construct $\text {{RSO}}_{k}$ secure PKE schemes with secret key length $l = k + O(\lambda )$. Here the ratio of secret key length to the messages number k is $\frac{l}{k}=1+o(1)$. As shown in Sect. 3, no PKE scheme can achieve $\text {{RSO}}_{k}$ security if $l \le k-1$ (i.e., $\frac{l}{k}<1$). Thus, our schemes are optimal in an asymptotic sense.

Next, in Sect. 5.1, we first construct an optimal $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure scheme from the DDH assumption. Then in Sect. 5.2, we upgrade the scheme to achieve $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ security by using a NIZK proof system.

5.1 $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ Secure PKE with (Nearly) Optimal Secret Key Length

Let $\lambda $ be the security parameter and let k be a positive integer that is polynomial in $\lambda $. Let $\mathcal {G}$ be a group generator algorithm that takes as input a security parameter $\lambda $ and outputs a multiplicative cyclic group $\mathbb {G}$ of prime order q and a generator g of $\mathbb {G}$.

The PKE scheme $\mathsf {\Pi }=(\mathtt {Setup},\mathtt {Gen},\mathtt {Enc},\mathtt {Dec})$ works as follows:

$\mathtt {Setup}$. On input a security parameter $\lambda $, the setup algorithm first generates $(\mathbb {G},q,g) \leftarrow \mathcal {G}(1^{\lambda })$ and samples $a_0, a_1, \ldots a_k, b \overset{\$}{\leftarrow }\mathbb {Z}_q$. Then it computes $g_{\imath }=g^{a_{\imath }}$ for $\imath \in [0,k]$ and $h=g^b$. The public parameter for $\mathsf {\Pi }$ is $\mathsf {PP}=(\mathbb {G},q,g,g_0, g_1, \ldots ,g_{k},h)$.
$\mathtt {Gen}$. On input a public parameter $\mathsf {PP}=(\mathbb {G},q,g,g_0, g_1, \ldots ,g_{k},h)$, the key generation algorithm first samples $s_0 \overset{\$}{\leftarrow }\mathbb {Z}_q$ and $s_1, \ldots s_k \overset{\$}{\leftarrow }\{0,1\}$ and sets the secret key $ sk =(s_0,s_1, \ldots , s_k)$. Then it computes the public key $ pk =\prod _{\imath \in [0,k]}g_{\imath }^{s_{\imath }}$.
$\mathtt {Enc}$. On input a public parameter $\mathsf {PP}=(\mathbb {G},q,g,g_0, g_1, \ldots ,g_{k},h)$, a public key $ pk $ and a message $m \in \{0,1\}$, the encryption algorithm first samples $w\overset{\$}{\leftarrow }\mathbb {Z}_q$. Then it computes $\textit{\textbf{x}}=(x_0, x_1, \ldots ,x_k)=(g_0^{w}, g_1^{w}, \ldots , g_k^w)$, $K= pk ^w$ and $C=K \cdot h^m$. The ciphertext $CT=(\textit{\textbf{x}},C)$.
$\mathtt {Dec}$. On input a public parameter $\mathsf {PP}=(\mathbb {G},q,g,g_0, g_1, \ldots ,g_{k},h)$, a secret key $ sk =(s_0,s_1, \ldots , s_k)$ and a ciphertext $CT=(x_0, x_1, \ldots , x_k, C)$, the decryption algorithm first computes $K'=\prod _{\imath \in [0,k]} x_{\imath }^{s_{\imath }}$. Then it outputs 0 if $C=K'$ and outputs 1 if $C=K' \cdot h$. Otherwise, it outputs a decryption failure symbol $\perp $.

Security. Security of $\mathsf {\Pi }$ is guaranteed by the following theorem. We put the proof of Theorem 5.1 in Sect. 5.3.

Theorem 5.1

Assuming the DDH assumption holds in group $\mathbb {G}$, $\mathsf {\Pi }$ is a PKE scheme with $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ security.

Key Length. The secret key length of $\mathsf {\Pi }$ is $k+\log {q}$, where $\log {q}$ is determined by the security parameter $\lambda $ and is independent of the parameter k. For example, if we instantiate the scheme with an elliptic curve group and hope to achieve a 80-bit security, then we can fix $\log {q}=160$. In this case, the ratio of key length to messages number k is $\frac{k+\log {q}}{k}=1+\frac{160}{k}=1+o(1)$.

5.2 $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ Secure PKE with (Nearly) Optimal Secret Key Length

Let $\lambda $ be the security parameter and let k be a positive integer that is polynomial in $\lambda $. Let $\mathsf {\Pi }'=(\mathsf {\Pi }'.\mathtt {Setup},\mathsf {\Pi }'.\mathtt {Gen},\mathsf {\Pi }'.\mathtt {Enc},\mathsf {\Pi }'.\mathtt {Dec})$ be a $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure PKE scheme. Let $\mathsf {E}=(\mathsf {E}.\mathtt {Setup},\mathsf {E}.\mathtt {Gen},\mathsf {E}.\mathtt {Enc},\mathsf {E}.\mathtt {Dec})$ be a CPA-secure PKE scheme. Let $\mathsf {NIZK}=(\mathsf {NIZK}.\mathtt {Gen},\mathsf {NIZK}.\mathtt {Prove},\mathsf {NIZK}.\mathtt {Verify})$ be a an unbounded simulation-sound NIZK proof for NP. In particular, we will use it to prove the following language:

$$\begin{aligned}&\{(\mathsf {pp}_1, pk_1,c_1, \mathsf {pp}_2,pk_2,c_2) : \exists (m,r_1,r_2), \\&\quad c_1= \mathsf {\Pi }'.\mathtt {Enc}(\mathsf {pp}_1, pk_1, m; r_1) \wedge c_2= \mathsf {E}.\mathtt {Enc}(\mathsf {pp}_2, pk_2, m; r_2)\} \end{aligned}$$

The PKE scheme $\mathsf {\Pi }=(\mathtt {Setup},\mathtt {Gen},\mathtt {Enc},\mathtt {Dec})$ works as follows:

$\mathtt {Setup}$. On input a security parameter $\lambda $, the setup algorithm computes $\mathsf {pp} \leftarrow \mathsf {\Pi }'.\mathtt {Setup}(1^{\lambda })$, $\tilde{\mathsf {pp}} \leftarrow \mathsf {E}.\mathtt {Setup}(1^{\lambda })$ and $\mathsf {crs} \leftarrow \mathsf {NIZK}.\mathtt {Gen}(1^{\lambda })$. Also, it generates $(\tilde{ pk }, \tilde{ sk }) \leftarrow \mathsf {E}.\mathtt {Gen}(\tilde{\mathsf {pp}})$. The public parameter for $\mathsf {\Pi }$ is $\mathsf {PP}=(\mathsf {pp},\mathsf {crs},\tilde{\mathsf {pp}},\tilde{ pk })$.
$\mathtt {Gen}$. On input a public parameter $\mathsf {PP}=(\mathsf {pp},\mathsf {crs},\tilde{\mathsf {pp}},\tilde{ pk })$, the key generation algorithm computes $( pk , sk ) \leftarrow \mathsf {\Pi }'.\mathtt {Gen}(\mathsf {pp})$. The public key $PK= pk $ and the secret key $SK= sk $.
$\mathtt {Enc}$. On input a public parameter $\mathsf {PP}=(\mathsf {pp},\mathsf {crs},\tilde{\mathsf {pp}},\tilde{ pk })$, a public key $PK= pk $ and a message m, the encryption algorithm first samples $r,\tilde{r}$ randomly from the encryption randomness space of $\mathsf {\Pi }'$ and $\mathsf {E}$ respectively. Then it computes $c=\mathsf {\Pi }'.\mathtt {Enc}(\mathsf {pp}, pk ,m;r)$, $\tilde{c}=\mathsf {E}.\mathtt {Enc}(\tilde{\mathsf {pp}},\tilde{ pk },m;\tilde{r})$ and $\pi \leftarrow \mathsf {NIZK}.\mathtt {Prove}(\mathsf {crs},(\mathsf {pp}, pk ,c,\tilde{\mathsf {pp}}, \tilde{ pk },\tilde{c}),(m,r,\tilde{r}))$. The ciphertext is $C=(c,\tilde{c},\pi )$.
$\mathtt {Dec}$. On input a public parameter $\mathsf {PP}=(\mathsf {pp},\mathsf {crs},\tilde{\mathsf {pp}},\tilde{ pk })$, a public key $PK= pk $, a secret key $SK= sk $ and a ciphertext $C=(c,\tilde{c},\pi )$, the decryption algorithm first checks if $\pi $ is valid and aborts with a decryption failure symbol $\perp $ if it is not the case. Otherwise, it outputs $m \leftarrow \mathsf {\Pi }'.\mathtt {Dec}(\mathsf {pp}, pk , sk ,c)$.

Security. Security of $\mathsf {\Pi }$ is guaranteed by the following theorem. We put the proof of Theorem 5.2 in Sect. 5.4.

Theorem 5.2

If $\mathsf {\Pi }'$ is a $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure PKE scheme, $\mathsf {E}$ is a CPA-secure PKE scheme and $\mathsf {NIZK}$ is an unbounded simulation-sound NIZK proof, then $\mathsf {\Pi }$ is a PKE scheme with $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ security.

Key Length. If we instantiate the underlying $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure PKE scheme $\mathsf {\Pi }'$ with the one we constructed in Sect. 5.1, then we can obtain a $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ secure PKE scheme $\mathsf {\Pi }$, where the ratio of key length to messages number k is also $\frac{k+\log {q}}{k}=1+o(1)$.

5.3 Proof of Theorem 5.1

Proof

We provide the proof of Theorem 5.1 in this section.

Let K and $K'$ be the random variables used in generating and decrypting the same ciphertext $(x_0, x_1, \ldots , x_k, C)$ respectively. It is easy to see that the decryption algorithm can recover the correct message iff $K=K'$. As we have

$$K= pk ^{w}= (\prod _{\imath \in [0,k]}g_{\imath }^{s_{\imath }})^{w} =\prod _{\imath \in [0,k]}g_{\imath }^{w \cdot s_{\imath }} = \prod _{\imath \in [0,k]}(g_{\imath }^{w})^{s_{\imath }}=\prod _{\imath \in [0,k]}x_{\imath }^{s_{\imath }}=K'$$

the correctness holds.

Next, we focus on the $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ security of $\mathsf {\Pi }$. First, for any polynomial n, any adversary $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2,\mathcal {A}_3)$, and any distinguisher $\mathcal {D}$, we design the simulator $\mathcal {S}$ for $\mathcal {A}$, which works as in Fig. 4.

Next, we prove that output of the simulator $\mathcal {S}$ is indistinguishable from output of the adversary $\mathcal {A}$ in a real game. We argue this via defining the following games:

Game 0. This is the real experiment $\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-real}}_{\mathsf {\Pi },\mathcal {A},n}$. In particular, the challenger interacts with the adversary as follows:
1. 1.
  On input a security parameter, the challenger first generates $(\mathbb {G},q,g) \leftarrow \mathcal {G}(1^{\lambda })$ and samples $a_0, a_1, \ldots a_k, b \overset{\$}{\leftarrow }\mathbb {Z}_q$. Then it computes $g_{\imath }=g^{a_{\imath }}$ for $\imath \in [0,k]$, $h=g^b$, and sets $\mathsf {PP}=(\mathbb {G},q,g,g_0, g_1, \ldots ,g_{k},h)$.
2. 2.
  Then, for $i\in [n]$, it samples $s_{i,0} \overset{\$}{\leftarrow }\mathbb {Z}_q$, $s_{i,1}, \ldots s_{i,k} \overset{\$}{\leftarrow }\{0,1\}$ and computes the public key $ pk _i=\prod _{\imath \in [0,k]}g_{\imath }^{s_{i,\imath }}$.
3. 3.
  Next, the challenger sends $\mathsf {PP},( pk _{i})_{i\in [n]}$ to $\mathcal {A}$ and receives a distribution $\mathcal {M}$ from the adversary.
4. 4.
  Then, the challenger samples a matrix of messages $\textit{\textbf{M}} := (m_{i,j})_{i\in [n],j\in [k]} \leftarrow \mathcal {M}$ and for each $(i,j)\in [n] \times [k]$, it generates a challenge ciphertext for $m_{i,j}$ as follows:
  1. (a)
    Samples $w_{i,j} \overset{\$}{\leftarrow }\mathbb {Z}_q$.
  2. (b)
    Computes $\textit{\textbf{x}}_{i,j}=(x_{i,j,0}, x_{i,j,1}, \ldots ,x_{i,j,k})=(g_0^{w_{i,j}}, g_1^{w_{i,j}}, \ldots , g_k^{w_{i,j}})$.
  3. (c)
    Computes $C_{i,j}= pk _{i}^{w_{i,j}} \cdot h^{m_{i,j}}$.
  4. (d)
    Sets $CT_{i,j}=(\textit{\textbf{x}}_{i,j},C_{i,j})$.
5. 5.
  Next, the challenger sends all challenge ciphertexts to $\mathcal {A}$ and receives a set $\mathcal {I} \subseteq [n]$ from the adversary.
6. 6.
  Then, the challenger sets $ sk _{i}=(s_{i,0},s_{i,1}, \ldots , s_{i,k})$ for $i\in \mathcal {I}$ and sends $( sk _{i},m_{i,j})_{i\in \mathcal {I},j\in [k]}$ to $\mathcal {A}$.
7. 7.
  Finally, on receiving $\mathcal {A}$’s output out, the challenger outputs $(\textit{\textbf{M}},\mathcal {M},\mathcal {I},out)$.
Game 1. This is identical to Game 0 except that in step 4, the challenger computes new variables $(s'_{i,j},\alpha _{i,j})_{i\in [n],j\in [k]}$. More precisely, for $i\in [n],j\in [k]$, it sets $s'_{i,j}=s_{i,j}$ if $m_{i,j}=0$ and sets $s'_{i,j}=1-s_{i,j}$ otherwise. Besides, it sets $\alpha _{i,j}=1$ if $s'_{i,j}=1$ and sets $\alpha _{i,j}=-1$ otherwise.
Game 2. This is identical to Game 1 except that the challenger changes the way to generate $C_{i,j}$. More precisely, for each $i\in [n], j\in [k]$, the challenger computes $C_{i,j}=(\prod _{\imath \in [0,k]} x_{i,j,\imath }^{s_{i,\imath }}) \cdot h^{m_{i,j}}$.
Game 3. This is identical to Game 2 except that the j-th element in $\textit{\textbf{x}}_{i,j}$ (i.e., $x_{i,j,j}$) is generated dishonestly. More precisely, for each $i\in [n], j\in [k]$, it samples $x_{i,j,j} \overset{\$}{\leftarrow }\mathbb {G}$.
Game 4. This is identical to Game 3 except that the challenger changes the way to generate $x_{i,j,j}$. More precisely, for each $i\in [n], j\in [k]$, it samples $x'_{i,j,j} \overset{\$}{\leftarrow }\mathbb {G}$ and computes $x_{i,j,j}=x'_{i,j,j} \cdot h^{\alpha _{i,j}}$.
Game 5. This is identical to Game 4 except that the challenger changes the way to generate $x_{i,j,j}$. More precisely, for each $i\in [n], j\in [k]$, it computes $x'_{i,j,j}=g_j^{w_{i,j}}$ and $x_{i,j,j}=x'_{i,j,j} \cdot h^{\alpha _{i,j}}$.
Game 6. This is identical to Game 5 except that the challenger changes the way to generate $C_{i,j}$. More precisely, in step 4, the challenger sets $s'_{i,0}=s_{i,0}+a_0^{-1} \sum _{\imath \in [k]}(a_{\imath } \cdot (s_{i,\imath }-s'_{i,\imath }))$ and for each $i\in [n], j\in [k]$, it computes $C_{i,j}=\prod _{\imath \in [0,k]} x_{i,j,\imath }^{s'_{i,\imath }}$.
Game 7. This is identical to Game 6 except that the challenger changes the order in generating $s'_{i,j}$ and $s_{i,j}$:
- In step 2, it samples $s'_{i,0} \overset{\$}{\leftarrow }\mathbb {Z}_q$ and $s'_{i,\imath } \overset{\$}{\leftarrow }\{0,1\}$ for $i\in [n],\imath \in [k]$ and computes $ pk _i=\prod _{\imath \in [0,k]}g_{\imath }^{s'_{i,\imath }}$ for $i\in [n]$.
- In step 4, for $i\in [n],j\in [k]$, it sets $s_{i,j}=s'_{i,j}$ if $m_{i,j}=0$ and sets $s_{i,j}=1-s'_{i,j}$ otherwise. Also, it sets $s_{i,0}=s'_{i,0}+a_0^{-1} \sum _{\imath \in [k]}(a_{\imath } \cdot (s'_{i,\imath }-s_{i,\imath }))$ for $i\in [n]$.

Let $\mathfrak {p}_{\iota }$ be the probability that $\mathcal {D}$ outputs 1 when taking the output of Game $\iota $ as input, then we have $\mathfrak {p}_0=\text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-real}}_{\mathsf {\Pi },\mathcal {A},n}(\lambda ))=1]$. Also, it is easy to see that output of Game 7 is exactly the output of the ideal experiment, so, we have $\mathfrak {p}_7=\text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-ideal}}_{\mathsf {\Pi },\mathcal {S},n}(\lambda ))=1]$. Next, we prove that $\mathfrak {p}_0-\mathfrak {p}_7$ is negligible via showing that $\mathfrak {p}_{\iota }-\mathfrak {p}_{\iota +1}$ is negligible for all $\iota \in [0,6]$.

Lemma 5.1

$|\mathfrak {p}_0 - \mathfrak {p}_1 | =0$.

Proof

Game 0 and Game 1 are identical except that in Game 1, the challenger generates some variables that are not used in this game. This will not affect the output of the game. $\square $

Lemma 5.2

$|\mathfrak {p}_1 - \mathfrak {p}_2 | =0$.

Proof

In Game 1 and Game 2, each $C_{i,j}$ is computed in different ways. But as

$$ pk _{i}^{w_{i,j}}= (\prod _{\imath \in [0,k]}g_{\imath }^{s_{i,\imath }})^{w_{i,j}} =\prod _{\imath \in [0,k]}g_{\imath }^{s_{i,\imath } \cdot w_{i,j}} = \prod _{\imath \in [0,k]}(g_{\imath }^{w_{i,j}})^{s_{i,\imath }}=\prod _{\imath \in [0,k]}x_{i,j,\imath }^{s_{i,\imath }} $$

the computation results are identical and thus outputs of these two games are identically distributed. $\square $

Lemma 5.3

$|\mathfrak {p}_2 - \mathfrak {p}_3 | \le \mathtt {negl}(\lambda )$.

Proof

Indistinguishability between Game 2 and Game 3 comes from the DDH assumption by a standard hybrid argument.

In particular, for some fixed $i,j\in [n] \times [k]$, to show that $x_{i,j,j}$ is sampled from two computationally indistinguishable distributions in Game 2 and Game 3, we consider a DDH challenge $(g,\mathfrak {g}_1,\mathfrak {g}_2,\mathfrak {g}_3)=(g,g^{x},g^{y},g^{z})$, where $z=xy$ or $z \overset{\$}{\leftarrow }\mathbb {Z}_q$. The reduction sets $g_{j}=\mathfrak {g}_1$, $g^{w_{i,j}}=\mathfrak {g}_2$, $x_{i,j,j}=\mathfrak {g}_3$ Then, it simulates the view for $\mathcal {A}$ (as in Game 2 and Game 3) with them. Note that the exact value of x and y is not needed in the simulation since 1) the challenger does not use $a_j$ in both Game 2 and Game 3 and 2) without $w_{i,j}, $the challenger can compute $x_{i,j,\imath }=\mathfrak {g}_2^{a_{\imath }}$ for $\imath \in [0,k]\backslash \{j\}$. It is easy to see that if $z=xy$, then $x_{i,j,j}=g_j^{w_{i,j}}$ as in Game 2, and if $z \overset{\$}{\leftarrow }\mathbb {Z}_q$, then $x_{i,j,j} \overset{\$}{\leftarrow }\mathbb {Z}_q$ as in Game 3. Therefore, indistinguishability between Game 2 and Game 3 is guaranteed assuming the hardness of the DDH assumption. $\square $

Lemma 5.4

$|\mathfrak {p}_3 - \mathfrak {p}_4 | =0$.

Proof

Since in Game 3, $x_{i,j,j} \overset{\$}{\leftarrow }\mathbb {G}$, it will not change its distribution if we additionally multiply it with $h^{\alpha _{i,j}}$. Therefore, outputs of these two games are identically distributed. $\square $

Lemma 5.5

$|\mathfrak {p}_4 - \mathfrak {p}_5 | \le \mathtt {negl}(\lambda )$.

Proof

Similar to the proof of Lemma 5.3, indistinguishability between Game 4 and Game 5 comes from the DDH assumption by a standard hybrid argument. $\square $

Lemma 5.6

$|\mathfrak {p}_5 - \mathfrak {p}_6 | =0$.

Proof

In Game 5 and Game 6, each $C_{i,j}$ is computed in different ways. But as

$$\begin{aligned}&(\prod _{\imath \in [0,k]}x_{i,j,\imath }^{s_{i,\imath }}) \cdot h^{m_{i,j}} \\ =&(\prod _{\imath \in [0,k]}g_{\imath }^{ w_{i,j} \cdot s_{i,\imath }}) \cdot h^{\alpha _{i,j} \cdot s_{i,j}} \cdot h^{m_{i,j}} \\ =&(g^{w_{i,j} \cdot (\sum _{\imath \in [0,k]} a_{\imath } \cdot s_{i,\imath })}) \cdot h^{\alpha _{i,j} \cdot s_{i,j}+m_{i,j}} \\ =&(g^{w_{i,j} \cdot (\sum _{\imath \in [0,k]} a_{\imath } \cdot s'_{i,\imath })}) \cdot h^{\alpha _{i,j} \cdot s_{i,j}+m_{i,j}} \\ =&(g^{w_{i,j} \cdot (\sum _{\imath \in [0,k]} a_{\imath } \cdot s'_{i,\imath })}) \cdot h^{\alpha _{i,j} \cdot s'_{i,j}} \\ =&(\prod _{\imath \in [0,k]}g_{\imath }^{ w_{i,j} \cdot s'_{i,\imath }}) \cdot h^{\alpha _{i,j} \cdot s'_{i,j}}\\ =&\prod _{\imath \in [0,k]}x_{i,j,\imath }^{s'_{i,\imath }} \end{aligned}$$

the computation results are identical and thus outputs of these two games are identically distributed.

Here, the first and the last equalities come from the fact that $x_{i,j,\imath }=g_{\imath }^{w_{i,j}}$ for $\imath \not =j$ and that $x_{i,j,j}=g_{j}^{w_{i,j}} \cdot h^{\alpha _{i,j}}$. Also, the third equality comes from the fact that $s'_{i,0}=s_{i,0}+a_0^{-1} \sum _{\imath \in [k]}(a_{\imath } \cdot (s_{i,\imath }-s'_{i,\imath }))$, which implies that $\sum _{\imath \in [0,k]} (a_{\imath } \cdot s'_{i,\imath })=\sum _{\imath \in [0,k]} (a_{\imath } \cdot s_{i,\imath })$. For the fourth equality, if $m_{i,j}=0$, then $s_{i,j}=s'_{i,j}$ and thus $\alpha _{i,j} \cdot s_{i,j}+0=\alpha _{i,j} \cdot s'_{i,j}$; if $m_{i,j}=1$, then either $s_{i,j}=1,s'_{i,j}=0$ or $s_{i,j}=0,s'_{i,j}=1$, and in both cases, $\alpha _{i,j} \cdot (s'_{i,j}-s_{i,j})=1$, which implies that $\alpha _{i,j} \cdot s_{i,j}+1=\alpha _{i,j} \cdot s'_{i,j}$. $\square $

Lemma 5.7

$|\mathfrak {p}_6 - \mathfrak {p}_7 | =0$.

Proof

First, in both Game 6 and Game 7, each $ pk _{i}$ is a random element in $\mathbb {G}$, thus the adversary’s views are identical in both games until step 4, where $(s_{i,\imath },s'_{i,\imath })_{i\in [n],\imath \in [0,k]}$ are sampled in different ways.

In step 4, fixing the challenge messages $m_{i,j}$, then in both games the random variables $(s_{i,\imath },s'_{i,\imath })_{i\in [n],\imath \in [0,k]}$ are randomly distributed in $\mathbb {Z}_q \times \mathbb {Z}_{q} \times \{0,1\}^{2k}$ with the restriction that for any $i\in [n]$:

$$ {\left\{ \begin{array}{ll} \sum _{\imath \in [0,k]} (a_{\imath } \cdot s'_{i,\imath })=\sum _{\imath \in [0,k]} (a_{\imath } \cdot s_{i,\imath }) = \log _{g} pk _i \\ \forall \imath \in [k], s_{i,\imath }+s'_{i,\imath }=m_{i,j} \end{array}\right. } $$

Therefore, they are identically distributed and that completes the proof of Lemma 5.7.

Combining Lemma 5.1 to Lemma 5.7, we have $\mathfrak {p}_0 - \mathfrak {p}_7$ negligible and this completes the proof. $\square $

5.4 Proof of Theorem 5.2

Proof

We provide the proof of Theorem 5.2 in this section.

Correctness of $\mathsf {\Pi }$ comes from correctness of $\mathsf {\Pi '}$ and completeness of $\mathsf {NIZK}$ directly.

Next, we focus on the $\text {{SIM-RSO}}_{k}\text {{-CCA}}$ security of $\mathsf {\Pi }$. First, for any polynomial n, any adversary $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2,\mathcal {A}_3)$, we define an auxiliary adversary $\mathcal {B}$ for $\mathsf {\Pi }'$ as in Fig. 5. Since $\mathsf {\Pi }'$ is a $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ secure PKE scheme, there exists a simulator $\mathcal {S}'=(\mathcal {S}'_1,\mathcal {S}'_2,\mathcal {S}'_3)$ for $\mathcal {B}$ such that the output of $\mathcal {S}'$ is indistinguishable from the output of $\mathcal {B}$ in a real $\text {{RSO}}_{k}$-CPA game. Then we define the simulator $\mathcal {S}$ for $\mathcal {A}$ as $\mathcal {S}=\mathcal {S}'=(\mathcal {S}'_1,\mathcal {S}'_2,\mathcal {S}'_3)$.

Next, we prove that output of the simulator $\mathcal {S}$ is indistinguishable from output of the adversary $\mathcal {A}$ in a real $\text {{RSO}}_{k}$-CCA game. We argue this via defining the following games:

Game 0. This is the real experiment $\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CCA-real}}_{\mathsf {\Pi },\mathcal {A},n}$. In particular, the challenger interacts with the adversary as follows:
1. 1.
  On input a security parameter, the challenger first computes $\mathsf {pp} \leftarrow \mathsf {\Pi }'.\mathtt {Setup}(1^{\lambda })$, $\tilde{\mathsf {pp}} \leftarrow \mathsf {E}.\mathtt {Setup}(1^{\lambda })$ and $\mathsf {crs} \leftarrow \mathsf {NIZK}.\mathtt {Gen}(1^{\lambda })$. Also, it generates $(\tilde{ pk }, \tilde{ sk }) \leftarrow \mathsf {E}.\mathtt {Gen}(\tilde{\mathsf {pp}})$. Then, it sets the public parameter $\mathsf {PP}=(\mathsf {pp},\mathsf {crs},\tilde{\mathsf {pp}},\tilde{ pk })$.
2. 2.
  Then, for $i\in [n]$, it computes $( pk _i, sk _i) \leftarrow \mathsf {\Pi }'.\mathtt {Gen}(\mathsf {pp})$.
3. 3.
  Next, the challenger sends $\mathsf {PP},( pk _i)_{i\in [n]}$ to $\mathcal {A}$ and answers $\mathcal {A}$’s decryption oracle queries as follows:
  1. (a)
    On input a pair (i, C), where $C=(c,\tilde{c},\pi )$, the challenger first checks if $\pi $ is valid and returns an error symbol $\perp $ if $\pi $ is not valid.
  2. (b)
    Otherwise, it computes $m \leftarrow \mathsf {\Pi }'.\mathtt {Dec}(\mathsf {pp}, pk _i, sk _i,c)$.
  3. (c)
    Finally, it returns m to $\mathcal {A}$.
4. 4.
  The adversary will send a distribution $\mathcal {M}$ to the challenger after querying the decryption oracle a few times. Then, the challenger samples a matrix of messages $\textit{\textbf{M}} := (m_{i,j})_{i\in [n],j\in [k]} \leftarrow \mathcal {M}$ and for each $(i,j)\in [n] \times [k]$, it generates a challenge ciphertext for $m_{i,j}$ as follows:
  1. (a)
    Samples $r_{i,j},\tilde{r}_{i,j}$ randomly from the encryption randomness space of $\mathsf {\Pi }'$ and $\mathsf {E}$ respectively.
  2. (b)
    Computes $c_{i,j}=\mathsf {\Pi }'.\mathtt {Enc}(\mathsf {pp}, pk _i,m_{i,j};r_{i,j})$.
  3. (c)
    Computes $\tilde{c}_{i,j}=\mathsf {E}.\mathtt {Enc}(\tilde{\mathsf {pp}},\tilde{ pk },m_{i,j};\tilde{r}_{i,j})$.
  4. (d)
    Computes $\pi _{i,j} \leftarrow \mathsf {NIZK}.\mathtt {Prove}(\mathsf {crs},(\mathsf {pp}, pk _i,c_{i,j},\tilde{\mathsf {pp}}, \tilde{ pk },\tilde{c}_{i,j}),(m_{i,j},r_{i,j},\tilde{r}_{i,j}))$.
  5. (e)
    Sets $C_{i,j}=(c_{i,j},\tilde{c}_{i,j}, \pi _{i,j})$.
5. 5.
  Next, the challenger sends all challenge ciphertexts to $\mathcal {A}$ and answers $\mathcal {A}$’s decryption oracle queries as follows:
  1. (a)
    On input a pair (i, C), the challenger first checks if $C=C_{i,j}$ for some $j\in [k]$. It returns $\perp $ if this is the case.
  2. (b)
    Otherwise, the challenger parses $C=(c,\tilde{c},\pi )$ and checks if $\pi $ is valid. It returns an error symbol $\perp $ if $\pi $ is not valid.
  3. (c)
    Otherwise, it computes $m \leftarrow \mathsf {\Pi }'.\mathtt {Dec}(\mathsf {pp}, pk _i, sk _i,c)$.
  4. (d)
    Finally, it returns m to $\mathcal {A}$.
6. 6.
  The adversary will send a set $\mathcal {I} \subseteq [n]$ to the challenger after querying the decryption oracle a few times. Then, the challenger sends $(sk_i,m_{i,j})_{i\in \mathcal {I},j\in [k]}$ to $\mathcal {A}$. The challenger will answer $\mathcal {A}$’s decryption queries exactly as in step 5.
7. 7.
  Finally, on receiving $\mathcal {A}$’s output out, the challenger outputs $(\textit{\textbf{M}},\mathcal {M},\mathcal {I},out)$.
Game 1. This is identical to Game 0 except that when generating the common reference string and proofs, the challenger uses the simulator of $\mathsf {NIZK}$ instead of generating them honestly. More precisely, in the first step, the challenger computes $(\mathsf {crs},\mathsf {td}) \leftarrow \mathsf {NIZK}.\mathtt {S}_1(1^{\lambda })$ and in step 4, the challenger computes $\pi _{i,j} \leftarrow \mathsf {NIZK}.\mathtt {S}_2(\mathsf {crs},\mathsf {td},(\mathsf {pp}, pk _{i},c_{i,j},\tilde{\mathsf {pp}}, \tilde{ pk },\tilde{c}_{i,j}))$.
Game 2. This is identical to Game 1 except that the challenger changes the way to generate challenge ciphertexts. More precisely, for each $i\in [n], j\in [k]$, the challenger computes $\tilde{c}_{i,j} \leftarrow \mathsf {E}.\mathtt {Enc}(\tilde{\mathsf {pp}},\tilde{ pk },0)$.
Game 3. This is identical to Game 2 except that the challenger changes the way to answer decryption queries. More precisely, for a ciphertext $(c,\tilde{c},\pi )$, it returns $\mathsf {E}.\mathtt {Dec}(\tilde{\mathsf {pp}},\tilde{ pk },\tilde{ sk },\tilde{c})$ in the last step of the decryption oracle.
Game 4. In Game 4, the challenger proceeds as follows:
1. 1.
  $(\mathcal {M},s_1) \leftarrow \mathcal {S}'_1(1^{\lambda })$
2. 2.
  $\textit{\textbf{M}} := (m_{i,j})_{i\in [n],j\in [k]} \leftarrow \mathcal {M}$
3. 3.
  $(\mathcal {I},s_2) \leftarrow \mathcal {S}'_2(s_1)$
4. 4.
  $out \leftarrow \mathcal {S}'_3((m_{i,j})_{i \in \mathcal {I}, j\in [k]},s_2)$
5. 5.
  $\text {Return } (\textit{\textbf{M}}, \mathcal {M}, \mathcal {I}, out)$

Let $\mathfrak {p}_{\alpha }$ be the probability that $\mathcal {D}$ outputs 1 when taking the output of Game $\alpha $ as input, then we have

$$\mathfrak {p}_0=\text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CCA-real}}_{\mathsf {\Pi },\mathcal {A},n}(\lambda ))=1]$$

Besides, we can view Game 4 as the ideal experiment $\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CCA-ideal}}_{\mathsf {\Pi },\mathcal {S},n}$ (recall that $\mathcal {S}=\mathcal {S}'=(\mathcal {S}'_1,\mathcal {S}'_2,\mathcal {S}'_3)$), so we have

$$\mathfrak {p}_4=\text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CCA-ideal}}_{\mathsf {\Pi },\mathcal {S},n}(\lambda ))=1]$$

Next, we prove that $\mathfrak {p}_0-\mathfrak {p}_4$ is negligible via showing that $\mathfrak {p}_{\alpha }-\mathfrak {p}_{\alpha +1}$ is negligible for all $\alpha \in [0,3]$.

Lemma 5.8

$|\mathfrak {p}_0 - \mathfrak {p}_1 | \le \mathtt {negl}(\lambda )$.

Proof

This comes from the unbounded zero-knowledge property of $\mathsf {NIZK}$ directly. $\square $

Lemma 5.9

$|\mathfrak {p}_1 - \mathfrak {p}_2 | \le \mathtt {negl}(\lambda )$.

Proof

This comes from the CPA-security of $\mathsf {E}$ directly. $\square $

Lemma 5.10

$|\mathfrak {p}_2 - \mathfrak {p}_3 | \le \mathtt {negl}(\lambda )$.

Proof

This comes from the fact that for any ciphertext $(c,\tilde{c},\pi )$ with a valid $\pi $, $\mathsf {E}.\mathtt {Dec}(\tilde{\mathsf {pp}},\tilde{ pk },\tilde{ sk },\tilde{c})=\mathsf {\Pi }'.\mathtt {Dec}(\mathsf {pp}, pk _i, sk _i,c)$ with all but negligible probability, which is guaranteed by the unbounded simulation-soundness of $\mathsf {NIZK}$ and correctness of $\mathsf {\Pi }'$ and $\mathsf {E}$. $\square $

Lemma 5.11

$|\mathfrak {p}_3 - \mathfrak {p}_4 | \le \mathtt {negl}(\lambda )$.

Proof

It is easy to see that output of Game 3 is exactly the output of experiment $\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-real}}_{\mathsf {\Pi }',\mathcal {B},n}$ (since $\mathcal {A}$’s view in Game 3 is identical to its view in the experiment $\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-real}}_{\mathsf {\Pi }',\mathcal {B},n}$ when invoked by $\mathcal {B}$), thus we have

$$\mathfrak {p}_3=\text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-real}}_{\mathsf {\Pi }',\mathcal {B},n}(\lambda ))=1]$$

Also, we can view Game 4 as the ideal experiment $\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-ideal}}_{\mathsf {\Pi }',\mathcal {S}',n}$, so we have

$$\mathfrak {p}_4=\text {Pr}[\mathcal {D}(\mathtt {Exp}^{\mathtt {\text {{RSO}}_{k}-CPA-ideal}}_{\mathsf {\Pi }',\mathcal {S}',n}(\lambda ))=1]$$

Therefore, Lemma 5.11 comes from the $\text {{SIM-RSO}}_{k}\text {{-CPA}}$ security of $\mathsf {\Pi }'$ directly.

Combining Lemma 5.8 to Lemma 5.11, we have $\mathfrak {p}_0 - \mathfrak {p}_4$ negligible and this completes the proof. $\square $

6 Conclusion

In this work, we initiate the study of receiver selective opening security for PKE schemes in the multi-challenge setting. Several interesting open questions remain.

First, our impossibility results only work in either the non-programmable random oracle model or the auxiliary input model. It is interesting to see if we can achieve the impossibility results in the standard model without auxiliary input. Another interesting direction is to explore the relation between PKE scheme with $\text {{RSO}}_{k}$ security and some related notions, e.g., (receiver) non-committing encryption, hash proof system, etc. Besides, one may note that in our constructions of $\text {{RSO}}_{k}$ secure PKE schemes, the ciphertexts sizes grow linearly with k. It will be an interesting future work to construct a $\text {{RSO}}_{k}$ secure PKE scheme with constant-size ciphertexts. Finally, in this work, we mainly focus on the feasibility of achieving $\text {{RSO}}_{k}$ secure PKE schemes and it will also be interesting to construct practical PKE schemes with $\text {{RSO}}_{k}$ security.

Notes

1.
In addition, we prefer simulation-based definitions because indistinguishability-based selective opening security are usually defined for efficiently conditionally re-samplable message distributions [BHY09] only. A definition without such restriction (called full IND-SO security [BHK12, ORV14]) needs an inefficient security experiment and seems not achievable.
2.
Previous definitions in the single-challenge setting are specific cases of this new definition and can be denoted as $\text {{RSO}}_{1}$ security.
3.
Here, q is the group order and is fixed by the security parameter.
4.
We refer the readers to Sect. 2.2 for the formal definition of a $\text {{RSO}}_{k}$ simulator in either the CPA setting and the CCA setting.
5.
We remark that similar lower bounds on key length are achieved in these works, but these results do not imply lower bound for SIM-RSO secure PKE scheme directly.
6.
We use $\textit{\textbf{SK}}_{\mathcal {I}}$ and $\textit{\textbf{M}}_{\mathcal {I}}$ to denote the set of secret keys for $(pk_i)_{i\in \mathcal {I}}$ and messages encrypted under $(pk_i)_{i\in \mathcal {I}}$ respectively.
7.
If $|\mathcal {I} |=1$, then the number of possible messages is $2^{k}$ while the number of possible secret keys is no more than $2^{k-1}$.
8.
Concretely, we may view $\mathsf {E}$ as ElGamal encryption scheme.
9.
Here, w.l.o.g., we assume that $\mathcal {S}_2$ and $\mathcal {S}_3$ are deterministic. This will not restrict the power of $\mathcal {S}$ since we can feed coins for $\mathcal {S}_2$ and $\mathcal {S}_3$ to $\mathcal {S}_1$ and require $\mathcal {S}_1$ (resp. $\mathcal {S}_2$) to put coins for $\mathcal {S}_2$ and $\mathcal {S}_3$ (resp. $\mathcal {S}_3$) in its outputted state $s_1$ (resp. $s_2$).

References

Bellare, M., Dowsley, R., Waters, B., Yilek, S.: Standard security does not imply security against selective-opening. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 645–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_38
Chapter Google Scholar
Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: STOC, pp. 103–112. ACM (1988)
Google Scholar
Böhl, F., Hofheinz, D., Kraschewski, D.: On definitions of selective opening security. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 522–539. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_31
Chapter Google Scholar
Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_1
Chapter Google Scholar
Boyen, X., Li, Q.: All-but-many lossy trapdoor functions from lattices and applications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 298–331. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_11
Chapter Google Scholar
Bellare, M., O’Neill, A.: Semantically-secure functional encryption: possibility results, impossibility results and the quest for a general definition. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 218–234. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02937-5_12
Chapter Google Scholar
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_16
Chapter Google Scholar
Choi, S.G., Dachman-Soled, D., Malkin, T., Wee, H.: Improved non-committing encryption with applications to adaptively secure protocols. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 287–302. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_17
Chapter Google Scholar
Canetti, R., Feige, U., Goldreich, O., Naor, M.: Adaptively secure multi-party computation. In: STOC, pp. 639–648 (1996)
Google Scholar
Canetti, R., Halevi, S., Katz, J.: Adaptively-secure, non-interactive public-key encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 150–168. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_9
Chapter Google Scholar
Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717
Chapter Google Scholar
Damgård, I., Nielsen, J.B.: Improved non-committing encryption schemes based on a general complexity assumption. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 432–450. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_27
Chapter Google Scholar
Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.: Magic functions. In: FOCS, pp. 523–534. IEEE (1999)
Google Scholar
Fehr, S., Hofheinz, D., Kiltz, E., Wee, H.: Encryption schemes secure against chosen-ciphertext selective opening attacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 381–402. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_20
Chapter Google Scholar
Heuer, F., Jager, T., Kiltz, E., Schäge, S.: On the selective opening security of practical public-key encryption schemes. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 27–51. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_2
Chapter MATH Google Scholar
Hara, K., Kitagawa, F., Matsuda, T., Hanaoka, G., Tanaka, K.: Simulation-based receiver selective opening CCA secure PKE from standard computational assumptions. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 140–159. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_8
Chapter Google Scholar
Huang, Z., Lai, J., Chen, W., Au, M.H., Peng, Z., Li, J.: Simulation-based selective opening security for receivers under chosen-ciphertext attacks. DCC 87(6), 1345–1371 (2019)
MathSciNet MATH Google Scholar
Hemenway, B., Libert, B., Ostrovsky, R., Vergnaud, D.: Lossy encryption: constructions from general assumptions and efficient selective opening chosen ciphertext security. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 70–88. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_4
Chapter Google Scholar
Huang, Z., Liu, S., Qin, B.: Sender-equivocable encryption schemes secure against chosen-ciphertext attacks revisited. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 369–385. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_23
Chapter Google Scholar
Hofheinz, D.: All-but-many lossy trapdoor functions. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 209–227. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_14
Chapter Google Scholar
Heuer, F., Poettering, B.: Selective opening security from simulatable data encapsulation. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 248–277. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_9
Chapter Google Scholar
Hazay, C., Patra, A., Warinschi, B.: Selective opening security for receivers. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 443–469. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_19
Chapter Google Scholar
Hofheinz, D., Rupp, A.: Standard versus selective opening security: separation and equivalence results. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 591–615. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_25
Chapter Google Scholar
Hofheinz, D., Rao, V., Wichs, D.: Standard security does not imply indistinguishability under selective opening. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 121–145. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_5
Chapter Google Scholar
Jia, D., Lu, X., Li, B.: Receiver selective opening security from indistinguishability obfuscation. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 393–410. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49890-4_22
Chapter Google Scholar
Jia, D., Lu, X., Li, B.: Constructions secure against receiver selective opening and chosen ciphertext attacks. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 417–431. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_24
Chapter Google Scholar
Kitagawa, F., Tanaka, K.: Key dependent message security and receiver selective opening security for identity-based encryption. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 32–61. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_2
Chapter Google Scholar
Lyu, L., Liu, S., Han, S., Gu, D.: Tightly SIM-SO-CCA secure public key encryption from standard assumptions. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 62–92. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_3
Chapter Google Scholar
Liu, S., Paterson, K.G.: Simulation-based selective opening CCA security for PKE from key encapsulation mechanisms. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 3–26. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_1
Chapter Google Scholar
Libert, B., Sakzad, A., Stehlé, D., Steinfeld, R.: All-but-many lossy trapdoor functions and selective opening chosen-ciphertext security from LWE. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 332–364. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_12
Chapter Google Scholar
Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_8
Chapter Google Scholar
Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC, pp. 427–437. ACM (1990)
Google Scholar
Ostrovsky, R., Rao, V., Visconti, I.: On selective-opening attacks against encryption schemes. In: Abdalla, M., De Prisco, R. (eds.) SCN 2014. LNCS, vol. 8642, pp. 578–597. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10879-7_33
Chapter Google Scholar
Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: FOCS, pp. 543–553. IEEE (1999)
Google Scholar

Download references

Acknowledgement

We appreciate the anonymous reviewers for their valuable comments. Part of this work was supported by the National Natural Science Foundation of China (Grant No. 61922036, 61702125, 61802078, 61972332, U1636205, 61632020), the Research Grant Council of Hong Kong (Grant No. 25206317), and the Major Innovation Project of Science and Technology of Shandong Province (Grant No. 2018CXGC0702).

Author information

Authors and Affiliations

Department of Computer Science, The University of Hong Kong, Hong Kong, China
Rupeng Yang & Man Ho Au
College of Information Science and Technology, Jinan University, Guangzhou, China
Junzuo Lai
Peng Cheng Laboratory, Shenzhen, China
Zhengan Huang
School of Software, Shandong University, Jinan, China
Qiuliang Xu
Institute of Cybersecurity and Cryptology, School of Computing and Information Technology, University of Wollongong, Wollongong NSW, Australia
Willy Susilo

Authors

Rupeng Yang
View author publications
You can also search for this author in PubMed Google Scholar
Junzuo Lai
View author publications
You can also search for this author in PubMed Google Scholar
Zhengan Huang
View author publications
You can also search for this author in PubMed Google Scholar
Man Ho Au
View author publications
You can also search for this author in PubMed Google Scholar
Qiuliang Xu
View author publications
You can also search for this author in PubMed Google Scholar
Willy Susilo
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Rupeng Yang , Junzuo Lai or Zhengan Huang .

Editor information

Editors and Affiliations

Network Security Research Institute (NICT), Tokyo, Japan
Shiho Moriai
Nanyang Technological University, Singapore, Singapore
Huaxiong Wang

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Yang, R., Lai, J., Huang, Z., Au, M.H., Xu, Q., Susilo, W. (2020). Possibility and Impossibility Results for Receiver Selective Opening Secure PKE in the Multi-challenge Setting. In: Moriai, S., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2020. ASIACRYPT 2020. Lecture Notes in Computer Science(), vol 12491. Springer, Cham. https://doi.org/10.1007/978-3-030-64837-4_7

Download citation

DOI: https://doi.org/10.1007/978-3-030-64837-4_7
Published: 06 December 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64836-7
Online ISBN: 978-3-030-64837-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Possibility and Impossibility Results for Receiver Selective Opening Secure PKE in the Multi-challenge Setting

Abstract

Similar content being viewed by others

Receiver selective opening security for identity-based encryption in the multi-challenge setting

Receiver Selective Opening CCA Secure Public Key Encryption from Various Assumptions

Selective Opening Security for Receivers

1 Introduction

1.1 Our Results

1.2 Technical Overview

1.3 Related Works

1.4 Roadmap

2 Preliminaries

2.1 Assumptions and Cryptographic Primitives

2.2 PKE with \(\text {{RSO}}_{k}\) Security

Definition 2.1

Definition 2.2

Definition 2.3

3 Lower Bound for PKE with \(\text {{RSO}}_{k}\) Security

Theorem 3.1

Proof

Lemma 3.1

Proof

Lemma 3.2

Proof

Lemma 3.3

Proof

Remark 3.1

4 \(\text {{RSO}}_{k}\) Security \(\not \Rightarrow \) \(\text {{RSO}}_{k+1}\) Security

Theorem 4.1

Theorem 4.2

5 \(\text {{RSO}}_{k}\) Secure PKE with (Nearly) Optimal Secret Key Length

5.1 \(\text {{SIM-RSO}}_{k}\text {{-CPA}}\) Secure PKE with (Nearly) Optimal Secret Key Length

Theorem 5.1

5.2 \(\text {{SIM-RSO}}_{k}\text {{-CCA}}\) Secure PKE with (Nearly) Optimal Secret Key Length

Theorem 5.2

5.3 Proof of Theorem 5.1

Proof

Lemma 5.1

Proof

Lemma 5.2

Proof

Lemma 5.3

Proof

Lemma 5.4

Proof

Lemma 5.5

Proof

Lemma 5.6

Proof

Lemma 5.7

Proof

5.4 Proof of Theorem 5.2

Proof

Lemma 5.8

Proof

Lemma 5.9

Proof

Lemma 5.10

Proof

Lemma 5.11

Proof

6 Conclusion

Notes

References

Acknowledgement

Author information

Authors and Affiliations

Corresponding authors

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation