Simulation-Based Bi-Selective Opening Security for Public Key Encryption

Abstract

Selective opening attacks (SOA) (for public-key encryption, PKE) concern such a multi-user scenario, where an adversary adaptively corrupts some fraction of the users to break into a subset of honestly created ciphertexts, and tries to learn the information on the messages of some unopened (but potentially related) ciphertexts. Until now, the notion of selective opening attacks is only considered in two settings: sender selective opening (SSO), where part of senders are corrupted and messages together with randomness for encryption are revealed; and receiver selective opening (RSO), where part of receivers are corrupted and messages together with secret keys for decryption are revealed.

In this paper, we consider a more natural and general setting for selective opening security. In the setting, the adversary may adaptively corrupt part of senders and receivers simultaneously, and get the plaintext messages together with internal randomness for encryption and secret keys for decryption, while it is hoped that messages of uncorrupted parties remain protected. We denote it as Bi-SO security since it is reminiscent of Bi-Deniability for PKE.

We first formalize the requirement of Bi-SO security by the simulation-based (SIM) style, and prove that some practical PKE schemes achieve SIM-Bi-\(\text {SO}\)-CCA security in the random oracle model. Then, we suggest a weak model of Bi-SO security, denoted as SIM-wBi-\(\text {SO}\)-CCA security, and argue that it is still meaningful and useful. We propose a generic construction of PKE schemes that achieve SIM-wBi-\(\text {SO}\)-CCA security in the standard model and instantiate them from various standard assumptions. Our generic construction is built on a newly presented primitive, namely, universal\(_{\kappa }\) hash proof system with key equivocability, which may be of independent interest.

A Cryptographic Assumptions

The DDH Assumption. Let \(\mathbb {G}\) be a cyclic group of prime order q with a generator g. The DDH assumption requires that it is hard to distinguish \((g^a,g^b,g^c)\) and \((g^a,g^b,g^{ab})\), where \(a,b,c {\leftarrow }\mathbb {Z}_q\).

The DCR Assumption. Now, we recall the Decision Composite Residuosity (DCR) assumption [30] and some useful facts about it shown in [8].

Let \(p,q,p',q'\) be primes such that \(p=2p'+1\) and \(q=2q'+1\). Let \(N=pq\) and \(N'=p'q'\). Then the group \(\mathbb {Z}^*_{N^2}\) can be decomposed as the direct product \(\mathbb {G}_N \cdot \mathbb {G}_{N'} \cdot \mathbb {G}_2 \cdot \mathbb {T}\), where \(\mathbb {G}_{N'}\) and \(\mathbb {G}_2\) are cyclic groups of order \(N'\) and order 2 respectively; \(\mathbb {G}_N\) is a cyclic group of order N generated by \(\xi =(1+N) \mod N^2\); and \(\mathbb {T}\) is the order-2 subgroup of \(\mathbb {Z}^*_{N^2}\) generated by \((-1 \mod N^2)\). Note that \(\xi ^a = (1+aN) \mod N^2\) for \(a\in \{0,1,\cdots ,N\}\).

The DCR assumption requires that it is hard to distinguish a random element in \(\mathbb {Z}^*_{N^2}\) and a random element in \(\mathbb {G}_{N'} \cdot \mathbb {G}_2 \cdot \mathbb {T}\).

Next, define \(\mathbb {X}=\mathbb {G}_N \cdot \mathbb {G}_{N'} \cdot \mathbb {T}\). The set \(\mathbb {X}\) is an efficiently samplable and explainable domain, where the sample algorithm and the explain algorithm work as follows:

• Sample: The sample algorithm proceeds as follows:

  1. 1.

     For \(i\in [1,160]\):

     1. (a)

        \(x{\leftarrow }\mathbb {Z}_{N^2}\)

     2. (b)

        If the Jacobi symbol \((\frac{x}{N}) = 1\): output x.

  2. 2.

     Output \(\perp \).

• Explain: on input an element \(x \in \mathbb {X}\), the explain algorithm proceeds as follows:

  1. 1.

     Set \(\mathsf {r}\) to be an empty string.

  2. 2.

     For \(i\in [1,160]\):

     1. (a)

        Sample \(b{\leftarrow }\{0,1\}\).

     2. (b)

        If \(b=1\), append x to \(\mathsf {r}\) and outputs \(\mathsf {r}\).

     3. (c)

        Otherwise, sample an element \(x'{\leftarrow }\mathbb {Z}_{N^2}\) s.t. the Jacobi symbol \((\frac{x'}{N})=-1\) and append \(x'\) to \(\mathsf {r}\).

  3. 3.

     Output \(\perp \).

Note that as \(\frac{|\mathbb {X} |}{|\mathbb {Z}^*_{N^2} |}=1/2\), the expected repetition in the sample algorithm is about 2 and the probability that the sample algorithm outputs \(\perp \) is \(\frac{1}{2^{160}}\), which is negligible. Also, it is easy to see the probability that the explain algorithm outputs \(\perp \) is also \(\frac{1}{2^{160}}\), which is negligible.

Also, define \(\chi : \mathbb {Z}_{N^2} \rightarrow \mathbb {Z}_N\) as \(\chi (a)=\lfloor a/N \rfloor \). For any fixed \(x\in \mathbb {X}\), \(\chi (x \xi ^c)\) is uniform in \(\mathbb {Z}_N\) if \(c {\leftarrow }\mathbb {Z}_N\).

Finally, define \(\mathbb {L}=\mathbb {G}_{N'} \cdot \mathbb {T}\). It is easy to create a generator g for \(\mathbb {L}\) by first sampling a random element \(\mu \in \mathbb {Z}^*_{N^2}\) and then computing \(g=-\mu ^{2N}\). Besides, the DCR assumption implies that a random element in \(\mathbb {X}\) is computationally indistinguishable from a random element in \(\mathbb {L}\).