On Selective-Opening Security of Deterministic Primitives

Abstract

Classically, selective-opening attack (SOA) has been studied for randomized primitives, like randomized encryption schemes and commitments. The study of SOA for deterministic primitives, which presents some unique challenges, was initiated by Bellare et al. (PKC 2015), who showed negative results. Subsequently, Hoang et al. (ASIACRYPT 2016) showed positive results in the non-programmable random oracle model. Here we show the first positive results for SOA security of deterministic primitives in the standard (RO devoid) model. Our results are:

• Any 2t-wise independent hash function is SOA secure for an unbounded number of “t-correlated” messages, meaning any group of up to t messages are arbitrarily correlated.

• A construction of a deterministic encryption scheme with analogous security, combining a regular lossy trapdoor function with a 2t-wise independent hash function.

• The one-more-RSA problem of Bellare et al. (J. Cryptology 2003), which can be seen as a form of SOA, is hard under the \(\varPhi \)-Hiding Assumption with large enough encryption exponent.

Somewhat surprisingly, the last result yields the first proof of RSA-based Chaum’s blind signature scheme (CRYPTO 1982), albeit for large exponent e, based on a “standard” computational assumption. Notably, it avoids the impossibility result of Pass (STOC 2011) because lossiness of RSA endows the scheme with non-unique signatures.

Work done while M.Z. was a PhD student at Georgetown University.

A Deferred Proofs

Proof of Theorem 2. The proof is similar to the proof of Theorem 3.1 from [17]. The proof of Theorem 2 follows from the following claims. We begin by showing that it is suffices to consider \(\text {H-SO}\) adversaries where the output of \(A.\mathrm {f}\) is boolean.

Claim

Let \({\mathsf {H}}= ({\mathsf {HKg}}, {\mathsf {h}})\) be a hash function family with domain \(\mathsf {HDom}\) and range \(\mathsf {HRng}\). Let A be a \(\text {H-SO}\) adversary against \({\mathsf {H}}\) with respect to message sampler \({\mathcal M}\). Then, there is a boolean \(\text {H-SO}\) adversary B such that for all \(k \in {{\mathbb N}}\)

$$ \mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},A,{\mathcal M}}(k) \le 2 \cdot \mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},B,{\mathcal M}}(k) . $$

where the running time of B is about that of A.

Proof

Consider adversary B in Fig. 8. We define \(E_A\) and \(E_B\) to be events where games \(\text {H-SO-REAL}^{A,{\mathcal M}}_{\mathsf {H}}\) and \(\text {H-SO-REAL}^{B,{\mathcal M}}_{\mathsf {H}}\) output 1, respectively. Hence,

$$\begin{aligned} {\Pr \left[ \,{E_B}\,\right] }= & {} {\Pr \left[ \,{E_A}\,\right] } + \frac{1}{2} (1-{\Pr \left[ \,{E_A}\,\right] }) \\= & {} \frac{1}{2} {\Pr \left[ \,{E_A}\,\right] } + \frac{1}{2} . \; \end{aligned}$$

Fig. 8.

\(\text {H-SO}\) adversary \(B\) in the proof of Claim A.

We also define \(T_A\) and \(T_B\) to be the events where games \(\text {H-SO-IDEAL}^{A,{\mathcal M}}_{\mathsf {H}}\) and \(\text {H-SO-IDEAL}^{B,{\mathcal M}}_{\mathsf {H}}\) output 1, respectively. Similarly, we have \( {\Pr \left[ \,{T_B}\,\right] } = {\Pr \left[ \,{T_A}\,\right] }/2 + 1/2\). Thus, we have \(\mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},A,{\mathcal M}}(k) \le 2 \cdot \mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},B,{\mathcal M}}(k) \). This completes the proof.

Next, we claim that it is suffices to consider balanced \(\text {H-SO}\) adversaries meaning the probability the partial information is 1 or 0 is approximately 1/2.

Claim

Let \({\mathsf {H}}= ({\mathsf {HKg}}, {\mathsf {h}})\) be a hash function family with domain \(\mathsf {HDom}\) and range \(\mathsf {HRng}\). Let B be a boolean \(\text {H-SO}\) adversary against \({\mathsf {H}}\) with respect to the message sampler \({\mathcal M}\). Then for any \(0 \le \delta < 1/2\), there is a \(\delta \text{- }balanced\) boolean \(\text {H-SO}\) adversary C such that for all \(k \in {{\mathbb N}}\)

$$ \mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},B,{\mathcal M}}(k) \le \Big (\frac{2}{\delta }+1\Big )^2 \cdot \mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},C,{\mathcal M}}(k) . $$

where the running time of C is about that of B plus \(\mathcal {O}(1/\delta )\)

Proof

For simplicity, we assume \(1/\delta \) is an integer. Consider adversary C in Fig. 9. Note that C is \(\delta \text{- }balanced\), since for all \(b \in \{0,1\}\)

We define \(E_B\) and \(E_C\) to be events where games \(\text {H-SO-REAL}^{B,{\mathcal M}}_{\mathsf {H}}\) and \(\text {H-SO-REAL}^{C,{\mathcal M}}_{\mathsf {H}}\) output 1, respectively. Let T be the event that \(i, j = 2/\delta + 1\). Therefore we have

$$\begin{aligned} {\Pr \left[ \,{E_C}\,\right] }= & {} {\Pr \left[ \,{E_C \mid T}\,\right] }\cdot {\Pr \left[ \,{T}\,\right] } + {\Pr \left[ \,{E_C \mid \overline{T}}\,\right] } \cdot {\Pr \left[ \,{\overline{T}}\,\right] } \\= & {} \Big (\frac{1}{2/\delta +1}\Big )^2 {\Pr \left[ \,{E_B}\,\right] } + \frac{1}{2} {\Pr \left[ \,{\overline{T}}\,\right] } . \end{aligned}$$

We also define \(T_B\) and \(T_C\) to be the events where games \(\text {H-SO-IDEAL}^{B,{\mathcal M}}_{\mathsf {H}}\) and \(\text {H-SO-IDEAL}^{C,{\mathcal M}}_{\mathsf {H}}\) output 1, respectively. Similarly, we have

$$ {\Pr \left[ \,{T_C}\,\right] } = \Big (\frac{1}{2/\delta +1}\Big )^2 {\Pr \left[ \,{T_B}\,\right] } + \frac{1}{2} {\Pr \left[ \,{\overline{T}}\,\right] } . $$

Summing up, we obtain that \(\mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},B,{\mathcal M}}(k) \le \Big (\frac{2}{\delta }+1\Big )^2 \cdot \mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},C,{\mathcal M}}(k)\). This completes the proof of Claim A.

Fig. 9.

\(\text {H-SO}\) adversary \(C\) in the proof of Claim A.