Abstract
Selective opening attacks (SOA) on public-key encryption (PKE) concern a multi-user scenario in which an adversary adaptively corrupts some fraction of the users, thereby breaking into a subset of honestly created ciphertexts, and tries to learn information about the messages of the unopened (but potentially related) ciphertexts. Until now, selective opening attacks have only been considered in two settings: sender selective opening (SSO), where some of the senders are corrupted and the messages together with the randomness used for encryption are revealed; and receiver selective opening (RSO), where some of the receivers are corrupted and the messages together with the secret keys used for decryption are revealed.
In this paper, we consider a more natural and general setting for selective opening security. In this setting, the adversary may adaptively corrupt some senders and some receivers simultaneously, obtaining the plaintext messages together with the internal randomness for encryption and the secret keys for decryption, while the messages of uncorrupted parties should remain protected. We call this Bi-SO security, since it is reminiscent of Bi-Deniability for PKE.
We first formalize the requirement of Bi-SO security in the simulation-based (SIM) style, and prove that some practical PKE schemes achieve SIM-Bi-\(\text {SO}\)-CCA security in the random oracle model. Then, we suggest a weaker model of Bi-SO security, denoted SIM-wBi-\(\text {SO}\)-CCA security, and argue that it is still meaningful and useful. We propose a generic construction of PKE schemes that achieve SIM-wBi-\(\text {SO}\)-CCA security in the standard model and instantiate it from various standard assumptions. Our generic construction is built on a newly presented primitive, namely a universal\(_{\kappa }\) hash proof system with key equivocability, which may be of independent interest.
Notes
1. Very recently, Yang et al. [32] formalized the notion of RSO security in the multi-challenge setting. But their work only considers the receiver corruption setting.
2. Note that both SIM-Bi-SO-CCA and SIM-wBi-SO\(_{k}\)-CCA security capture the security requirements in a multi-user scenario, where multiple public/secret key pairs are involved. In this setting, some global information needs to be generated by a global algorithm Setup, as done in previous works on multi-user security, such as [1].
3. The SIM-SSO-CPA security notion presented in [4] allows the adversary to query the \(\mathtt {MkRec}\) oracle multiple times.
4. Both [2, Theorem 5.1] and [2, Theorem 4.1] only hold in the auxiliary input model (i.e., in the experiments defining SIM-RSO-CPA and SIM-SSO-CPA security, both the adversary and the simulator get an auxiliary input). So do our counterexamples in this section. These counterexamples may be modified with the technique proposed in [2, Sec. 6] to drop the auxiliary inputs.
5. Note that a hard SSMP is also a hard SMP, since a simple hybrid argument shows that for any PPT distinguisher \(\mathcal {D}\), \(|{\mathrm{Pr}}[\mathcal {D}({\mathsf{prm}},x_{\mathcal {X}})=1]-{\mathrm{Pr}}[\mathcal {D}({\mathsf{prm}},x_\mathcal {L})=1]|\le {\mathtt {Adv}}^{{\mathrm{HARD\hbox {-}1}}}_{{\mathsf{SSMP}}, \mathcal {D}, 1}(\lambda )+{\mathtt {Adv}}^{{\mathrm{HARD\hbox {-}2}}}_{{\mathsf{SSMP}}, \mathcal {D}, 1}(\lambda )\).
References
Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_18
Bellare, M., Dowsley, R., Waters, B., Yilek, S.: Standard security does not imply security against selective-opening. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 645–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_38
Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_1
Bellare, M., Yilek, S.: Encryption schemes secure under selective opening attack. Cryptology ePrint Archive, Report 2009/101 (2009). https://eprint.iacr.org/2009/101
Boyen, X., Li, Q.: All-but-many lossy trapdoor functions from lattices and applications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 298–331. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_11
Canetti, R., Halevi, S., Katz, J.: Adaptively-secure, non-interactive public-key encryption. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 150–168. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_9
Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055717
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4
Fehr, S., Hofheinz, D., Kiltz, E., Wee, H.: Encryption schemes secure against chosen-ciphertext selective opening attacks. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 381–402. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_20
Goldreich, O.: Foundations of Cryptography: Volume 2, Basic Applications. Cambridge University Press, Cambridge (2009)
Hara, K., Kitagawa, F., Matsuda, T., Hanaoka, G., Tanaka, K.: Simulation-based receiver selective opening CCA secure PKE from standard computational assumptions. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 140–159. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_8
Hazay, C., Patra, A., Warinschi, B.: Selective opening security for receivers. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 443–469. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_19
Hemenway, B., Libert, B., Ostrovsky, R., Vergnaud, D.: Lossy encryption: constructions from general assumptions and efficient selective opening chosen ciphertext security. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 70–88. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_4
Heuer, F., Jager, T., Kiltz, E., Schäge, S.: On the selective opening security of practical public-key encryption schemes. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 27–51. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_2
Heuer, F., Poettering, B.: Selective opening security from simulatable data encapsulation. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 248–277. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_9
Hofheinz, D.: All-but-many lossy trapdoor functions. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 209–227. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_14
Hofheinz, D., Rao, V., Wichs, D.: Standard security does not imply indistinguishability under selective opening. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 121–145. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_5
Hofheinz, D., Rupp, A.: Standard versus selective opening security: separation and equivalence results. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 591–615. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_25
Huang, Z., Lai, J., Chen, W., Au, M.H., Peng, Z., Li, J.: Simulation-based selective opening security for receivers under chosen-ciphertext attacks. Des. Codes Crypt. 87(6), 1345–1371 (2018). https://doi.org/10.1007/s10623-018-0530-1
Huang, Z., Liu, S., Qin, B.: Sender-equivocable encryption schemes secure against chosen-ciphertext attacks revisited. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 369–385. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_23
Jia, D., Libert, B.: SO-CCA secure PKE from pairing based all-but-many lossy trapdoor functions. Des. Codes Crypt. 89(5), 895–923 (2021). https://doi.org/10.1007/s10623-021-00849-9
Jia, D., Lu, X., Li, B.: Receiver selective opening security from indistinguishability obfuscation. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 393–410. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49890-4_22
Jia, D., Lu, X., Li, B.: Constructions secure against receiver selective opening and chosen ciphertext attacks. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 417–431. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52153-4_24
Lai, J., Deng, R.H., Liu, S., Weng, J., Zhao, Y.: Identity-based encryption secure against selective opening chosen-ciphertext attack. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 77–92. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_5
Libert, B., Sakzad, A., Stehlé, D., Steinfeld, R.: All-but-many lossy trapdoor functions and selective opening chosen-ciphertext security from LWE. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 332–364. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_12
Liu, S., Paterson, K.G.: Simulation-based selective opening CCA security for PKE from key encapsulation mechanisms. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 3–26. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_1
Lyu, L., Liu, S., Han, S., Gu, D.: Tightly SIM-SO-CCA secure public key encryption from standard assumptions. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 62–92. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_3
Okamoto, T., Pointcheval, D.: REACT: rapid enhanced-security asymmetric cryptosystem transform. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 159–174. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45353-9_13
O’Neill, A., Peikert, C., Waters, B.: Bi-deniable public-key encryption. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 525–542. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_30
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
Steinfeld, R., Baek, J., Zheng, Y.: On the necessity of strong assumptions for the security of a class of asymmetric encryption schemes. In: Batten, L., Seberry, J. (eds.) ACISP 2002. LNCS, vol. 2384, pp. 241–256. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45450-0_20
Yang, R., Lai, J., Huang, Z., Au, M.H., Xu, Q., Susilo, W.: Possibility and impossibility results for receiver selective opening secure PKE in the multi-challenge setting. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 191–220. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_7
Acknowledgment
We thank Fangguo Zhang for the helpful discussions. We appreciate the anonymous reviewers for their valuable comments. This work was supported by the National Natural Science Foundation of China (Grant Nos. 61922036, U2001205, 61702125, 61802078, 61825203, U1736203, 61732021), Major Program of Guangdong Basic and Applied Research (Grant No. 2019B030302008), National Key Research and Development Plan of China (Grant No. 2020YFB1005600), Guangdong Provincial Science and Technology Project (Grant No. 2017B010111005), and National Joint Engineering Research Center for Network Security Detection and Protection Technology.
A Cryptographic Assumptions
The DDH Assumption. Let \(\mathbb {G}\) be a cyclic group of prime order q with a generator g. The DDH assumption requires that it is hard to distinguish \((g^a,g^b,g^c)\) and \((g^a,g^b,g^{ab})\), where \(a,b,c {\leftarrow }\mathbb {Z}_q\).
The DCR Assumption. Now, we recall the Decision Composite Residuosity (DCR) assumption [30] and some useful facts about it shown in [8].
Let \(p,q,p',q'\) be primes such that \(p=2p'+1\) and \(q=2q'+1\). Let \(N=pq\) and \(N'=p'q'\). Then the group \(\mathbb {Z}^*_{N^2}\) can be decomposed as the direct product \(\mathbb {G}_N \cdot \mathbb {G}_{N'} \cdot \mathbb {G}_2 \cdot \mathbb {T}\), where \(\mathbb {G}_{N'}\) and \(\mathbb {G}_2\) are cyclic groups of order \(N'\) and order 2 respectively; \(\mathbb {G}_N\) is a cyclic group of order N generated by \(\xi =(1+N) \mod N^2\); and \(\mathbb {T}\) is the order-2 subgroup of \(\mathbb {Z}^*_{N^2}\) generated by \((-1 \mod N^2)\). Note that \(\xi ^a = (1+aN) \mod N^2\) for \(a\in \{0,1,\cdots ,N\}\).
The DCR assumption requires that it is hard to distinguish a random element in \(\mathbb {Z}^*_{N^2}\) and a random element in \(\mathbb {G}_{N'} \cdot \mathbb {G}_2 \cdot \mathbb {T}\).
Next, define \(\mathbb {X}=\mathbb {G}_N \cdot \mathbb {G}_{N'} \cdot \mathbb {T}\). The set \(\mathbb {X}\) is an efficiently samplable and explainable domain, where the sample algorithm and the explain algorithm work as follows:
- Sample: The sample algorithm proceeds as follows:
  1. For \(i\in [1,160]\):
     (a) \(x{\leftarrow }\mathbb {Z}_{N^2}\)
     (b) If the Jacobi symbol \((\frac{x}{N}) = 1\): output x.
  2. Output \(\perp \).
- Explain: on input an element \(x \in \mathbb {X}\), the explain algorithm proceeds as follows:
  1. Set \(\mathsf {r}\) to be an empty string.
  2. For \(i\in [1,160]\):
     (a) Sample \(b{\leftarrow }\{0,1\}\).
     (b) If \(b=1\), append x to \(\mathsf {r}\) and output \(\mathsf {r}\).
     (c) Otherwise, sample an element \(x'{\leftarrow }\mathbb {Z}_{N^2}\) s.t. the Jacobi symbol \((\frac{x'}{N})=-1\) and append \(x'\) to \(\mathsf {r}\).
  3. Output \(\perp \).
Note that as \(\frac{|\mathbb {X} |}{|\mathbb {Z}^*_{N^2} |}=1/2\), the expected number of iterations in the sample algorithm is about 2, and the probability that the sample algorithm outputs \(\perp \) is \(\frac{1}{2^{160}}\), which is negligible. Also, it is easy to see that the probability that the explain algorithm outputs \(\perp \) is also \(\frac{1}{2^{160}}\), which is negligible.
Also, define \(\chi : \mathbb {Z}_{N^2} \rightarrow \mathbb {Z}_N\) as \(\chi (a)=\lfloor a/N \rfloor \). For any fixed \(x\in \mathbb {X}\), \(\chi (x \xi ^c)\) is uniform in \(\mathbb {Z}_N\) if \(c {\leftarrow }\mathbb {Z}_N\).
Finally, define \(\mathbb {L}=\mathbb {G}_{N'} \cdot \mathbb {T}\). It is easy to create a generator g for \(\mathbb {L}\) by first sampling a random element \(\mu \in \mathbb {Z}^*_{N^2}\) and then computing \(g=-\mu ^{2N}\). Besides, the DCR assumption implies that a random element in \(\mathbb {X}\) is computationally indistinguishable from a random element in \(\mathbb {L}\).
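The Sample and Explain algorithms for \(\mathbb {X}\) above, together with the generator \(g=-\mu ^{2N}\) of \(\mathbb {L}\), as an added Python example that is not part of the paper: it implements the Jacobi-symbol test over \(\mathbb {Z}_{N^2}\), the rejection sampler into \(\mathbb {X}\), the coin-explanation procedure, and the \(\mathbb {L}\) generator. The caller supplies a toy \(N=pq\) built from small safe primes; the `replay_sample` helper and the gcd filter on \(\mu \) are assumptions added here for checking, not steps from the paper.

```python
import math
import secrets

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # strip factors of 2 using the value of (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity for odd a, n
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def sample_X(N, tries=160):
    """Sample: draw x in Z_{N^2} until (x/N) = 1; None models the output bottom."""
    for _ in range(tries):
        x = secrets.randbelow(N * N)
        if jacobi(x, N) == 1:
            return x
    return None

def explain_X(N, x, tries=160):
    """Explain: build coins r (a list of Z_{N^2} draws) under which Sample outputs x."""
    r = []
    for _ in range(tries):
        if secrets.randbits(1) == 1:         # b = 1: this round is the one that accepts x
            r.append(x)
            return r
        while True:                          # b = 0: a rejected draw with Jacobi symbol -1
            xp = secrets.randbelow(N * N)
            if jacobi(xp, N) == -1:
                break
        r.append(xp)
    return None

def replay_sample(N, r):
    """Run Sample on explicit coins r (helper added here) to confirm they reproduce x."""
    for x in r:
        if jacobi(x, N) == 1:
            return x
    return None

def gen_L(N):
    """g = -mu^(2N) for random mu in Z*_{N^2}: an element of L = G_{N'} . T."""
    NN = N * N
    while True:
        mu = secrets.randbelow(NN)
        if math.gcd(mu, NN) == 1:    # gcd filter (assumption) keeps mu in Z*_{N^2}
            return (-pow(mu, 2 * N, NN)) % NN
```

With \(p=7\), \(q=11\) (so \(N'=15\)), any `g` from `gen_L` satisfies \(g^{N'}=-1\) and \(g^{2N'}=1\) in \(\mathbb {Z}^*_{N^2}\), matching \(g\in \mathbb {G}_{N'}\cdot \mathbb {T}\).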
© 2021 International Association for Cryptologic Research
Cite this paper
Lai, J., Yang, R., Huang, Z., Weng, J. (2021). Simulation-Based Bi-Selective Opening Security for Public Key Encryption. In: Tibouchi, M., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2021. ASIACRYPT 2021. Lecture Notes in Computer Science(), vol 13091. Springer, Cham. https://doi.org/10.1007/978-3-030-92075-3_16
DOI: https://doi.org/10.1007/978-3-030-92075-3_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-92074-6
Online ISBN: 978-3-030-92075-3