Abstract
Classically, selective-opening attack (SOA) has been studied for randomized primitives, like randomized encryption schemes and commitments. The study of SOA for deterministic primitives, which presents some unique challenges, was initiated by Bellare et al. (PKC 2015), who showed negative results. Subsequently, Hoang et al. (ASIACRYPT 2016) showed positive results in the non-programmable random oracle model. Here we show the first positive results for SOA security of deterministic primitives in the standard (RO devoid) model. Our results are:
-
Any 2t-wise independent hash function is SOA secure for an unbounded number of “t-correlated” messages, meaning any group of up to t messages are arbitrarily correlated.
-
A construction of a deterministic encryption scheme with analogous security, combining a regular lossy trapdoor function with a 2t-wise independent hash function.
-
The one-more-RSA problem of Bellare et al. (J. Cryptology 2003), which can be seen as a form of SOA, is hard under the \(\varPhi \)-Hiding Assumption with large enough encryption exponent.
Somewhat surprisingly, the last result yields the first proof of RSA-based Chaum’s blind signature scheme (CRYPTO 1982), albeit for large exponent e, based on a “standard” computational assumption. Notably, it avoids the impossibility result of Pass (STOC 2011) because lossiness of RSA endows the scheme with non-unique signatures.
Work done while M.Z. was a PhD student at Georgetown University.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
It is tempting to give a Paillier-based construction with a degree 2t polynomial in the exponent, but unfortunately the coefficients don’t lie in a field so the classical proof of 2t-wise independence does not work.
- 2.
This glosses over an issue about regularity of lossy RSA on subdomains discussed in the body.
References
Bellare, M., Dowsley, R., Keelveedhi, S.: How secure is deterministic encryption? In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 52–73. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_3
Bellare, M., Dowsley, R., Waters, B., Yilek, S.: Standard security does not imply security against selective-opening. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 645–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_38
Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_1
Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003)
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Ashby, V. (ed.) ACM CCS 1993, Fairfax, Virginia, USA, 3–5 November 1993, pp. 62–73. ACM Press (1993)
Bendlin, R., Nielsen, J.B., Nordholt, P.S., Orlandi, C.: Lower and upper bounds for deniable public-key encryption. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 125–142. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_7
Böhl, F., Hofheinz, D., Kraschewski, D.: On definitions of selective opening security. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 522–539. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_31
Canetti, R.: Towards realizing random oracles: hash functions that hide all partial information. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 455–469. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052255
Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052229
Canetti, R., Feige, U., Goldreich, O., Naor, M.: Adaptively secure multi-party computation. In: 28th ACM STOC, Philadephia, PA, USA, 22–24 May 1996, pp. 639–648. ACM Press (1996)
Canetti, R., Halevi, S., Katz, J.: Adaptively-secure, non-interactive public-key encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 150–168. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_9
Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) CRYPTO 1982, pp. 199–203, Santa Barbara, CA, USA. Plenum Press, New York (1982)
Coron, J.-S.: Optimal security proofs for PSS and other signature schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_18
Damgård, I., Nielsen, J.B.: Improved non-committing encryption schemes based on a general complexity assumption. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 432–450. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_27
Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_31
Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. J. ACM 50(6), 852–921 (2003)
Fuller, B., O’Neill, A., Reyzin, L.: A unified approach to deterministic encryption: new constructions and a connection to computational entropy. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 582–599. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_33
Goyal, V., O’Neill, A., Rao, V.: Correlated-input secure hash functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 182–200. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_12
Heuer, F., Kiltz, E., Pietrzak, K.: Standard security does imply security against selective opening for markov distributionss. Cryptology ePrint Archive, Report 2015/853 (2015). http://eprint.iacr.org/2015/853
Hoang, V.T., Katz, J., O’Neill, A., Zaheri, M.: Selective-opening security in the presence of randomness failures. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 278–306. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_10
Hofheinz, D., Rao, V., Wichs, D.: Standard security does not imply indistinguishability under selective opening. Cryptology ePrint Archive, Report 2015/792 (2015). http://eprint.iacr.org/2015/792
Hofheinz, D., Rupp, A.: Standard versus selective opening security: separation and equivalence results. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 591–615. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_25
Kakvi, S.A., Kiltz, E.: Optimal security proofs for full domain hash, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 537–553. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_32
Kiltz, E., O’Neill, A., Smith, A.: Instantiability of RSA-OAEP under chosen-plaintext attack. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 295–313. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_16
Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_8
Nielsen, J.B.: A threshold pseudorandom function construction and its applications. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 401–416. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_26
O’Neill, A., Peikert, C., Waters, B.: Bi-deniable public-key encryption. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 525–542. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_30
Pandey, O., Pass, R., Vaikuntanathan, V.: Adaptive one-way functions and applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 57–74. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_4
Pass, R.: Limits of provable security from standard assumptions. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd ACM STOC, San Jose, CA, USA, 6–8 June 2011, pp. 109–118. ACM Press (2011)
Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, Victoria, British Columbia, Canada, 17–20 May 2008, pp. 187–196. ACM Press (2008)
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 475–484, New York, NY, USA, 31 May–3 June 2014. ACM Press (2014)
Acknowledgments
We thank the PKC 2021 anonymous reviewers for helpful comments. We thank Jonathan Katz and Viet Tung Hoang for insightful discussions. Mohammad Zaheri was supported by NSF grant No. 1565387 and NSF grant No. 1149832.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Deferred Proofs
A Deferred Proofs
Proof of Theorem 2. The proof is similar to the proof of Theorem 3.1 from [17]. The proof of Theorem 2 follows from the following claims. We begin by showing that it is suffices to consider \(\text {H-SO}\) adversaries where the output of \(A.\mathrm {f}\) is boolean.
Claim
Let \({\mathsf {H}}= ({\mathsf {HKg}}, {\mathsf {h}})\) be a hash function family with domain \(\mathsf {HDom}\) and range \(\mathsf {HRng}\). Let A be a \(\text {H-SO}\) adversary against \({\mathsf {H}}\) with respect to message sampler \({\mathcal M}\). Then, there is a boolean \(\text {H-SO}\) adversary B such that for all \(k \in {{\mathbb N}}\)
where the running time of B is about that of A.
Proof
Consider adversary B in Fig. 8. We define \(E_A\) and \(E_B\) to be events where games \(\text {H-SO-REAL}^{A,{\mathcal M}}_{\mathsf {H}}\) and \(\text {H-SO-REAL}^{B,{\mathcal M}}_{\mathsf {H}}\) output 1, respectively. Hence,
We also define \(T_A\) and \(T_B\) to be the events where games \(\text {H-SO-IDEAL}^{A,{\mathcal M}}_{\mathsf {H}}\) and \(\text {H-SO-IDEAL}^{B,{\mathcal M}}_{\mathsf {H}}\) output 1, respectively. Similarly, we have \( {\Pr \left[ \,{T_B}\,\right] } = {\Pr \left[ \,{T_A}\,\right] }/2 + 1/2\). Thus, we have \(\mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},A,{\mathcal M}}(k) \le 2 \cdot \mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},B,{\mathcal M}}(k) \). This completes the proof.
Next, we claim that it is suffices to consider balanced \(\text {H-SO}\) adversaries meaning the probability the partial information is 1 or 0 is approximately 1/2.
Claim
Let \({\mathsf {H}}= ({\mathsf {HKg}}, {\mathsf {h}})\) be a hash function family with domain \(\mathsf {HDom}\) and range \(\mathsf {HRng}\). Let B be a boolean \(\text {H-SO}\) adversary against \({\mathsf {H}}\) with respect to the message sampler \({\mathcal M}\). Then for any \(0 \le \delta < 1/2\), there is a \(\delta \text{- }balanced\) boolean \(\text {H-SO}\) adversary C such that for all \(k \in {{\mathbb N}}\)
where the running time of C is about that of B plus \(\mathcal {O}(1/\delta )\)
Proof
For simplicity, we assume \(1/\delta \) is an integer. Consider adversary C in Fig. 9. Note that C is \(\delta \text{- }balanced\), since for all \(b \in \{0,1\}\)
We define \(E_B\) and \(E_C\) to be events where games \(\text {H-SO-REAL}^{B,{\mathcal M}}_{\mathsf {H}}\) and \(\text {H-SO-REAL}^{C,{\mathcal M}}_{\mathsf {H}}\) output 1, respectively. Let T be the event that \(i, j = 2/\delta + 1\). Therefore we have
We also define \(T_B\) and \(T_C\) to be the events where games \(\text {H-SO-IDEAL}^{B,{\mathcal M}}_{\mathsf {H}}\) and \(\text {H-SO-IDEAL}^{C,{\mathcal M}}_{\mathsf {H}}\) output 1, respectively. Similarly, we have
Summing up, we obtain that \(\mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},B,{\mathcal M}}(k) \le \Big (\frac{2}{\delta }+1\Big )^2 \cdot \mathbf {Adv}^{\text {h-so}}_{{\mathsf {H}},C,{\mathcal M}}(k)\). This completes the proof of Claim A.
Rights and permissions
Copyright information
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
O’Neill, A., Zaheri, M. (2021). On Selective-Opening Security of Deterministic Primitives. In: Garay, J.A. (eds) Public-Key Cryptography – PKC 2021. PKC 2021. Lecture Notes in Computer Science(), vol 12711. Springer, Cham. https://doi.org/10.1007/978-3-030-75248-4_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-75248-4_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-75247-7
Online ISBN: 978-3-030-75248-4
eBook Packages: Computer ScienceComputer Science (R0)