Chosen-Ciphertext Secure Dual-Receiver Encryption in the Standard Model Based on Post-quantum Assumptions

Benz, Laurin; Beskorovajnov, Wasilij; Eilebrecht, Sarai; Gröll, Roland; Müller, Maximilian; Müller-Quade, Jörn

doi:10.1007/978-3-031-57728-4_9

Laurin Benz ORCID: orcid.org/0000-0001-8839-0725^10,11,
Wasilij Beskorovajnov⁹,
Sarai Eilebrecht⁹,
Roland Gröll⁹,
Maximilian Müller⁹ &
…
Jörn Müller-Quade^10,11

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14604))

Included in the following conference series:

IACR International Conference on Public-Key Cryptography

91 Accesses

Abstract

Dual-receiver encryption (DRE) is a special form of public key encryption (PKE) that allows a sender to encrypt a message for two recipients. Without further properties, the difference between DRE and PKE is only syntactical. One such important property is soundness, which requires that no ciphertext can be constructed such that the recipients decrypt to different plaintexts. Many applications rely on this property in order to realize more complex protocols or primitives. In addition, many of these applications explicitly avoid the usage of the random oracle, which poses an additional requirement on a DRE construction. We show that all of the IND-CCA2 secure standard model DRE constructions based on post-quantum assumptions fall short of augmenting the constructions with soundness and describe attacks thereon.

We then give an overview over all applications of IND-CCA2 secure DRE, group them into generic (i. e., applications using DRE as black-box) and non-generic applications and demonstrate that all generic ones require either soundness or public verifiability.

Conclusively, we identify the gap of sound and IND-CCA2 secure DRE constructions based on post-quantum assumptions in the standard model. In order to fill this gap we provide two IND-CCA2 secure DRE constructions based on the standard post-quantum assumptions, Normal Form Learning With Errors (NLWE) and Learning Parity with Noise (LPN).

You have full access to this open access chapter, Download conference paper PDF

Keywords

1 Introduction

Dual-receiver encryption (DRE) may be seen as a special case of Broadcast encryption (BE), where the number of recipients is constrained to two. Chow, Franklin, and Zhang [18] and Diament et al. [22] showed that DRE has plenty of applications, which impose different requirements on the used scheme. For some applications the chosen plaintext attack (CPA) security is sufficient, whereas others require the stronger adaptive chosen ciphertext attack (CCA2) security. Furthermore, some applications require very specific DRE constructions using for example bilinear pairings. In this work we call such applications non-generic, as they make calls on internals routines of the employed DRE construction, preventing the use of DRE in a black-box manner within these applications.

Nevertheless, plenty of applications use DRE in a black-box manner and require only the property of soundness, for example [4, 8, 18, 20, 23, 43, 47]. This property requires that no adversary, even with knowledge of the secret keys of both recipients, is able to create a ciphertext that decrypts to two different plaintexts when decrypting with the secret keys of the recipients. Note that many of these applications are explicitly avoiding the use of the random oracle, which carries over to the employed DRE construction.

All standard model CCA2 secure DRE constructions based on post-quantum (PQ) assumptions [36, 53] are lattice-based and, as we show in this work, surprisingly fail at providing the soundness property. Moreover, Brendel et al. [14] mentions that amongst others, a CCA2 secure and sound PQ-instantiation did not yet appear in the literature. Thus, the aim of this work is to provide such DRE constructions, and therefore close this gap.

Contribution and Outline. Firstly, we conduct a literature review on—to the best of our knowledge—all applications requiring a sound CCA2 secure DRE in order to categorize them into generic and non-generic. Each application is explained shortly in Sect. 3.

We identify the following generic applications requiring soundness: applications of CCA2 secure binding encryption [43], plaintext awareness via key registration [31], protocols for deniable authentication (DA) [23, 47], non-malleable commitments [19], and PKE schemes with non-interactive opening (PKENO) [20].
The remaining applications are identified as non-generic: combined encryption schemes [22], protocols for secure group key management [12], tripartite key exchange [46], and schemes of dual receiver proxy re-encryption [9, 39].

Secondly, we conduct another literature review on—to the best of our knowledge—all constructions of CCA2 secure DRE in the standard model that may be used in a post-quantum setting and whether these constructions satisfy the soundness property. We present and explain our results in depth in Sect. 4. Our observation is that right now all of IND-CCA2 secure constructions are based on lattices and lack the soundness property.

Finally, in Sect. 5, we give efficient lattice- and LPN-based constructions in the standard model for IND-CCA2 secure and sound DRE schemes based on the hybrid encryption construction by Boyen, Izabachène, and Li [11] and the PKE construction by Kiltz, Masny, and Pietrzak [34], which can be used in any of the generic applications.

Moreover, we would like to point out that the employed trapdoor function in our lattice-based construction is from Micciancio and Peikert [41] and its ring and module variant was already implemented by Bert et al. [6, 7]. We therefore expect that our constructions are readily usable in prototypical implementations of generic applications from Sect. 3.

2 Preliminaries

Notations: For a positive integer k, [k] denotes the set $\{ 1,\,2,\, \dotsc ,\, k\}$. We define the set of integers modulo $q > 1$ by $\mathbb {Z}_q$ and the modular operation $(x \bmod q)$ as mapping the integer x into $[{-q/2},{q/2})$. Column-vectors are written as bold lower-case letters (e. g., $\textbf{v}$) and row-vectors are transposed column-vectors (e. g., $\textbf{v}^{\top }$). The standard scalar product of the vectors $\textbf{x}$ and $\textbf{y}$ of the same dimension is denoted by $\langle \textbf{x}, \textbf{y}\rangle $. We denote matrices by bold upper-case letters (e. g., $\textbf{A}$). The concatenation of two vectors $\textbf{v}_1,\, \textbf{v}_2$ is denoted by $(\textbf{v}_1,\, \textbf{v}_2 )$. By $\textbf{v}[i]$ we refer to the i-th element of a vector $\textbf{v}$ and $\textbf{a}_i$ is the i-th column vector of a matrix $\textbf{A}$. The Euclidean norm of a vector $\textbf{v}$ is written as $\left\| \textbf{v}\right\| $, its Hamming weight is denoted by $\left\| \textbf{v}\right\| _w$, and $\left| x\right| $ is the absolute value of a scalar x. Let S be an arbitrary set. By , we define the uniformly sampling of an element from S. If $\chi $ is a probability distribution, $x \leftarrow \chi $ denotes sampling an element according to the distribution. For a probabilistic algorithm R we denote by $y \leftarrow R(\textbf{x})$ the result of one execution of R with input $\textbf{x}$. If an algorithm $\mathcal {A}$ has access to an oracle $\mathcal {O}$, we write $\mathcal {A}^{\mathcal {O}}$. Our security parameter will always be called $\lambda $. We call a function $\texttt{negl}: \mathbb {N} \rightarrow \mathbb {R}$ negligible in $\lambda $, if for each positive integer k there exists an integer $k_{0}$ such that for all $\lambda >k_{0}: \left| \texttt{negl}(\lambda )\right| < \lambda ^{-k}$.

2.1 Definitions

We adapt the definition of DRE from Chow, Franklin, and Zhang [18] to a broader setting without the use of a common reference string (CRS). In many applications of DRE, the sender does not encrypt a message to two independent recipients. Instead, the sender interprets themselves as one of the recipients and encrypts the message under their own public key, too. Thus, we refer to the two receiving parties as receiver R and sender S with key pairs $( sk ^R,\, pk ^R)$ and $( sk ^S,\, pk ^S)$, respectively.

Definition 1

(DRE). A public-key dual-receiver encryption scheme $\textrm{DRE}= (\texttt{gen}, \texttt{enc}, \texttt{dec})$ consists of the following algorithms:

$\texttt{gen}(1^\lambda )$: The randomized key generation algorithm takes as input a unary encoding of the security parameter $\lambda $ and outputs a public/secret key pair $( pk , sk )$. We write $( sk ^R, pk ^R)$ and $( sk ^S, pk ^S)$ for the key pairs of two independent users.
$\texttt{enc}( pk ^R, pk ^S,\textbf{m})$: The randomized encryption algorithm takes as input two public keys $ pk ^R$ and $ pk ^S$ and a message $\textbf{m}$, and outputs a ciphertext $\textbf{c}$.
$\texttt{dec}( sk ^i, pk ^R, pk ^S,\textbf{c})$: The deterministic decryption algorithm takes one of the secret keys $ sk ^i (i \in \{ R,\,S \})$, two public keys $ pk ^R,\, pk ^S$, and a ciphertext $\textbf{c}$ as input, and outputs a message $\textbf{m}^i$ (which may be the special symbol $\bot $); we write $\textbf{m}^i = \texttt{dec}( sk ^i,\, pk ^R,\, pk ^S,\,\textbf{c})$.

The usual IND-CCA2 security is somewhat different for a DRE scheme defined in Definition 2. However, when a DRE scheme already satisfies the soundness property from Definition 3 then the definition of $\text {IND-CCA2}_\text {DRE}$ collapses to the standard definition of IND-CCA2.

Definition 2

(IND-CCA2_DRE). A DRE scheme is said to be indistinguishable under adaptive chosen ciphertext attack ($\text {IND-CCA2}_\text {DRE}$ secure), if any probabilistic polynomial time (PPT) algorithm $\mathcal {A}$ wins the $\text {IND-CCA2}_\text {DRE}$ game in Fig. 1 with probability at most $\frac{1}{2} + \texttt{negl}(\lambda )$, i. e.,

$$\begin{aligned} \textsf{Adv}_{\textrm{DRE},\mathcal {A}}^{{\text {IND-CCA2}_\text {DRE}}}(\lambda ) := \left| \mathbb {P}\left[ \textsf{Exp}_{\textrm{DRE},\mathcal {A}}^{{\text {IND-CCA2}_\text {DRE}}}(\lambda ) = 1\right] - \frac{1}{2} \right| \le \texttt{negl}(\lambda )\,. \end{aligned}$$

The most important property of a DRE scheme is that of soundness, which states that every ciphertext will be decrypted to the same message from both parties, even if it was maliciously made. Without this property every PKE scheme can also be used as a DRE scheme, simply by encrypting the message for both parties independently.

Definition 3

(Soundness for DRE [18]). Consider the experiment $\textsf{Exp}_{\mathcal {E},\mathcal {A}}^{\texttt {sound}}$ from Fig. 2 for a DRE scheme $\mathcal {E}$ and a PPT algorithm $\mathcal {A}$. A DRE scheme $\mathcal {E}$ satisfies soundness if for any $\mathcal {A}$ we have that $\textsf{Adv}_{\mathcal {E},\mathcal {A}}^{\text {sound}}$ is negligible in $\lambda $, i. e.,

$$\begin{aligned} \textsf{Adv}_{\mathcal {E},\mathcal {A}}^{\text {sound}}(\lambda ) := \mathbb {P}\left[ \textsf{Exp}_{\mathcal {E},\mathcal {A}}^{\text {sound}}(\lambda ) = 1\right] \le \texttt{negl}(\lambda )\,. \end{aligned}$$

We will be constructing DRE schemes with the help of the hybrid encryption paradigm. For our constructions we require the following symmetric primitives and the according security definitions.

Definition 4

(SKE). A secret-key encryption (SKE) scheme is a pair of algorithms $\texttt {SKE}= (\texttt {SKE}.\texttt{enc},\, \texttt {SKE}.\texttt{dec})$ with key space $\mathcal {K}_{\textrm{ske}}$ and ciphertext space $\mathcal {C}_{\textrm{ske}}$ with:

$\texttt {SKE}.\texttt{enc}( dk ,\, \textbf{m})$: The deterministic encryption algorithm takes as input a key $ dk \in \mathcal {K}_{\textrm{ske}}$ and a message $\textbf{m}$, and outputs a ciphertext $\textbf{c}$.
$\texttt {SKE}.\texttt{dec}( dk ,\,\textbf{c})$: The deterministic decryption algorithm takes as input a key $ dk \in \mathcal {K}_{\textrm{ske}}$ and a ciphertext $\textbf{c}$, and outputs a message $\textbf{m}^{\prime }$ (which may be the special symbol $\bot $)

We require that for all $ dk \in \mathcal {K}_{\textrm{ske}}$ it holds that

$$\textbf{m}= \texttt {SKE}.\texttt{dec}( dk ,\,\texttt {SKE}.\texttt{enc}( dk ,\, \textbf{m}))\,.$$

Definition 5

(OT-IND). A SKE scheme $\texttt {SKE}$ is said to be one-time indistinguishable (OT-IND secure), if any PPT algorithm $\mathcal {A}$ wins the OT-IND game in Fig. 3 with probability at most $\frac{1}{2} + \texttt{negl}(\lambda )$, i. e.,

$$\begin{aligned} \textsf{Adv}_{\texttt {SKE},\mathcal {A}}^{\text {OT-IND}}(\lambda ) := \left| \mathbb {P}\left[ \textsf{Exp}_{\texttt {SKE},\mathcal {A}}^{\text {OT-IND}}(\lambda ) = 1\right] - \frac{1}{2} \right| \le \texttt{negl}(\lambda )\,. \end{aligned}$$

A hash function is a function $\texttt {H}: \{0,1\}^* \rightarrow \{0,1\}^\ell $ mapping bit strings of any length to bit strings of a fixed length $\ell $.

Definition 6

(Collision Resistance). A family of hash functions $\{\texttt {H}_k\}_{k \in K}$ is said to be collision resistant (CR) if for all PPT algorithms $\mathcal {A}$ the advantage $\textsf{Adv}_{\texttt {H},\mathcal {A}}^{\text {CR}}(\lambda )$ is negligibly small, where

We need to look at keyed hash functions, as for every fixed hash function there exists an adversary with a collision hard coded by the pigeonhole principle. Still, in a slight abuse of notation we will speak of a “collision resistant hash function”, by which we mean a function sampled uniformly from a collision resistant hash function family.

Definition 7

(MAC). A message authentication code (MAC) scheme $\texttt {MAC}$ with key space $\mathcal {K}_{\textrm{mac}}$ consists of the two algorithms $\texttt {MAC}= (\texttt {MAC}.\texttt{sign},\, \texttt {MAC}.\texttt{ver})$, where

$\texttt {MAC}.\texttt{sign}( mk ,\, \textbf{m})$: The randomized signing algorithm takes as input a signing key $ mk \in \mathcal {K}_{\textrm{mac}}$ and a message $\textbf{m}$, and outputs a tag $\sigma $.
$\texttt {MAC}.\texttt{ver}( mk ,\,\textbf{m},\, \sigma )$: The deterministic verification algorithm takes as input a signing key $ mk \in \mathcal {K}_{\textrm{ske}}$, a message $\textbf{m}$ and a tag $\sigma $, and outputs 1 if $\sigma \leftarrow \texttt {MAC}.\texttt{sign}( mk ,\,\textbf{m})$ and 0 otherwise.

Definition 8

(OT-SUF). A message authentication code scheme $\texttt {MAC}$ is said to be one-time strongly unforgeable (OT-SUF secure) if any PPT algorithm $\mathcal {A}$ wins the OT-SUF game in Fig. 4 with at most negligible probability, i. e.,

$$\begin{aligned} \textsf{Adv}_{\texttt {MAC},\mathcal {A}}^{\text {OT-SUF}}(\lambda ) := \mathbb {P}\left[ \textsf{Exp}_{\texttt {MAC},\mathcal {A}}^{\text {OT-SUF}}(\lambda ) = 1\right] \le \texttt{negl}(\lambda )\,. \end{aligned}$$

We use a key derivation function $\texttt {KDF}: \mathcal {K} \rightarrow \{0,1\}^n$ with key-space $\mathcal {K}$ in order to generate the $\texttt {SKE}$- and $\texttt {MAC}$-keys from a short seed. We require for a $\texttt {KDF}$ function to be IND secure according to Definition 9.

Definition 9

(IND KDF [11]). A key derivation function $\texttt {KDF}$ is said to be IND secure if for all PPT algorithms $\mathcal {A}$ the advantage $\textsf{Adv}_{\texttt {KDF},\mathcal {A}}^{\text {IND}}(\lambda )$ is negligibly small, where

$$\begin{aligned} \textsf{Adv}_{\texttt {KDF},\mathcal {A}}^{\text {IND}}(\lambda ) := \left| \mathbb {P}\left[ \mathcal {A}(1^\lambda ,\texttt {KDF}(\textbf{k})) = 1\right] - \mathbb {P}\left[ \mathcal {A}(1^\lambda ,\textbf{r}) = 1\right] \right| \end{aligned}$$

for and .

2.2 Assumptions and Lemmas

The following assumptions and lemmas are required in our proofs.

Definition 10

(NLWE Problem [11]). Let $n = n(\lambda ), m = m(\lambda ), q = q(\lambda )$ be integers and $\chi $ be an error distribution. The advantage of a PPT adversary $\mathcal {A}$ for the (normal-form) $\textsf{NLWE}_{n,m,q,\chi }$ problem, denoted by $\textsf{Adv}_{\mathcal {A}}^{\textsf{NLWE}_{n,m,q,\chi }}(\lambda )$, is defined as

$$\begin{aligned} \textsf{Adv}_{\mathcal {A}}^{\textsf{NLWE}_{n,m,q,\chi }} (\lambda ) {:}{=}\left| \mathbb {P}\left[ \mathcal {A}(\textbf{A}, \textbf{s}^{\top } \textbf{A}+ \textbf{e}^{\top }) = 1\right] - \mathbb {P}\left[ \mathcal {A}(\textbf{A}, \textbf{b}^{\top }) = 1\right] \right| , \end{aligned}$$

where and $\textbf{e}\leftarrow \chi ^m$. The $\textsf{NLWE}_{n,m,q,\chi }$ problem is hard if $\textsf{Adv}_{\mathcal {A}}^{\textsf{NLWE}_{n,m,q,\chi }}$ is negligible in $\lambda $ for all PPT adversaries $\mathcal {A}$

Applebaum et al. [3, Lemma 2] proved that NLWE is equivalent to the standard form of LWE where the LWE secret $\textbf{s}$ is sampled from $\mathbb {Z}_q^n$ instead of $\chi ^n$.

Let $\text {Ber}_p$ denote the Bernoulli distribution with parameter p, so $x \leftarrow \text {Ber}_p$ is the random variable over $\{0,1\}$ with $\mathbb {P}\left[ x = 1\right] = p$.

Definition 11

(LPN Problem [34]). Let $n = n(\lambda ), m = m(\lambda ) \ge n$ as well as $0 \le p = p(\lambda ) \le \frac{1}{2}$ be the Bernoulli parameter. The advantage of a PPT adversary $\mathcal {A}$ for the $\textsf{LPN}_{n,m,p}$ problem, denoted by $\textsf{Adv}_{\mathcal {A}}^{\textsf{LPN}_{n,m,p}}(\lambda )$, is defined as

$$\begin{aligned} \textsf{Adv}_{\mathcal {A}}^{\textsf{LPN}_{n,m,p}} (\lambda ) {:}{=}\left| \mathbb {P}\left[ \mathcal {A}(\textbf{A}, \textbf{s}^{\top } \textbf{A}+ \textbf{e}^{\top }) = 1\right] - \mathbb {P}\left[ \mathcal {A}(\textbf{A}, \textbf{b}^{\top }) = 1\right] \right| , \end{aligned}$$

where and $\textbf{e}\leftarrow \text {Ber}_p^m$. The $\textsf{LPN}_{n,m,p}$ problem is hard if $\textsf{Adv}_{\mathcal {A}}^{\textsf{LPN}_{n,m,p}}$ is negligible in $\lambda $ for all PPT adversaries $\mathcal {A}$.

The LPN assumption is equivalent to the hardness of decoding a random linear code, and it is believed to be post-quantum secure just like LWE. We also need two extended dual version of the LPN assumption, called Knapsack Learning Parity with Noise (KLPN) and Extended Knapsack Learning Parity with Noise (EKLPN).

Definition 12

(KLPN Problem [34]). Let $n = n(\lambda ), m = m(\lambda ) \ge 2n$ and $0 \le p = p(\lambda ) \le \frac{1}{2}$ be the Bernoulli parameter. The advantage of a PPT adversary $\mathcal {A}$ for the $\textsf{KLPN}_{n,m,p}$ problem, denoted by $\textsf{Adv}_{\mathcal {A}}^{\textsf{KLPN}_{n,m,p}}(\lambda )$, is defined as

$$\begin{aligned} \textsf{Adv}_{\mathcal {A}}^{\textsf{KLPN}_{n,m,p}} (\lambda ) {:}{=}\left| \mathbb {P}\left[ \mathcal {A}(\textbf{A}, \textbf{A}\textbf{E}) = 1\right] - \mathbb {P}\left[ \mathcal {A}(\textbf{A}, \textbf{B}) = 1\right] \right| , \end{aligned}$$

where and $\textbf{E}\leftarrow \text {Ber}_p^{m \times m}$.

Definition 13

(EKLPN Problem [34]). Let $n = n(\lambda ), m = m(\lambda ) \ge 2n$ and $0 \le p = p(\lambda ) \le \frac{1}{2}$ be the Bernoulli parameter. The advantage of a PPT adversary $\mathcal {A}$ for the $\textsf{EKLPN}_{n,m,p}$ problem, denoted by $\textsf{Adv}_{\mathcal {A}}^{\textsf{EKLPN}_{n,m,p}}(\lambda )$, is defined as

$$\begin{aligned} \textsf{Adv}_{\mathcal {A}}^{\textsf{EKLPN}_{n,m,p}} (\lambda ) {:}{=}\left| \mathbb {P}\left[ \mathcal {A}(\textbf{A}, \textbf{A}\textbf{E}, \textbf{z}, \textbf{z}^\top \textbf{E}) = 1\right] - \mathbb {P}\left[ \mathcal {A}(\textbf{A}, \textbf{B}, \textbf{z}, \textbf{z}^\top \textbf{E}) = 1\right] \right| , \end{aligned}$$

where and $\textbf{z}\leftarrow \text {Ber}_p^m$.

There is a reduction from EKLPN and KLPN to LPN by Kiltz, Masny, and Pietrzak [34] that states:

Lemma 1

([34]). For all algorithms $\mathcal {B}$ and $\mathcal {B}'$ there exist algorithms $\mathcal {A}$ and $\mathcal {A}'$ that run in roughly the same time as $\mathcal {B}$, respectively $\mathcal {B}'$, and $\textsf{Adv}_{\mathcal {A}}^{\textsf{LPN}_{m-n,m,p}} \ge \frac{1}{m} \textsf{Adv}_{\mathcal {B}}^{\textsf{KLPN}_{n,m,p}}$ as well as $\textsf{Adv}_{\mathcal {A}}^{\textsf{LPN}_{m-n,m,p}} \ge \frac{1}{2m} \textsf{Adv}_{\mathcal {B}}^{\textsf{EKLPN}_{n,m,p}}.$

We also need efficient codes, which exist by the following lemma.

Lemma 2

([33]). For any rate $0 < R < 1$, there exists a binary linear error-correcting code family which is polynomial time constructible, encodable and decodable and can decode up to $\lfloor \frac{\delta n}{2} \rfloor $ errors where $\delta \approx \frac{1}{2} (1-R)$.

To carry out attacks against the soundness property of DRE schemes from the literature (Sect. 4), we need to construct a carefully chosen malicious LWE secret, called $\textbf{s}_2$ in the following lemma.

Lemma 3

For all $\textbf{d}\in \mathbb {Z}_q^n\setminus \{0\}$ and $\textbf{s}_1 \in \mathbb {Z}_q^n$ there exists $\textbf{s}_2 \in \mathbb {Z}_q^n$ such that

$$\begin{aligned} \langle \textbf{d}, \textbf{s}_1 - \textbf{s}_2 \rangle \notin \left[ {-\frac{q}{4}},{\frac{q}{4}}\right) . \end{aligned}$$

Moreover, this $\textbf{s}_2$ can be found efficiently.

Proof

Choose an index i such that $\textbf{d}[i] \ne 0$. If there exists $x \in \mathbb {Z}_q$ such that $\textbf{d}[i] \cdot x \mod q \notin \left[ {-\frac{q}{4}},{\frac{q}{4}}\right) $ we can set $\textbf{s}_2[i] = \textbf{s}_1[i] - x$ and $\textbf{s}_2[j] = \textbf{s}_1[j]$ for all $j \in [n] \setminus \{i\}$. It then follows that $\langle \textbf{d},\, \textbf{s}_1 - \textbf{s}_2 \rangle = \textbf{d}[i] \cdot x \notin \left[ {-\frac{q}{4}},{\frac{q}{4}}\right) $, proving the lemma. To see that such an x exists let $m \in \mathbb {N}_0$ be minimal such that $\textbf{d}[i] \cdot 2^m \notin \left[ {-\frac{q}{4}},{\frac{q}{4}}\right) $. As m is minimal we know that $\textbf{d}[i] \cdot 2^{\max (0,\,m-1)} \in \left[ {-\frac{q}{4}},{\frac{q}{4}}\right) $, and thus $\textbf{d}[i] \cdot 2^m \in \left[ {-\frac{q}{2}}{\frac{q}{2}}\right) $. Therefore, $\textbf{d}[i] \cdot 2^m$ is not affected by the modulus and $x=2^m$ satisfies the constraint.

This x can be found in $\log q$ steps. $\square $

3 Applications of Dual-Receiver Encryption

In the following, we describe—to the best of our knowledge—all applications that are reportedly realized with a CCA2 secure DRE scheme.

This section is structured as follows: Firstly, we describe all applications that generically require a sound DRE scheme. Then we briefly describe, for the sake of completeness, two remaining generic applications where a CCA2 secure and sound DRE construction is either unnecessarily strong or requires a reformulation and an additional proof in the CRS model. Finally, we describe the remaining non-generic applications.

3.1 Applications of CCA2 Secure DRE with Soundness

Applications of Binding Encryption. Binding Encryption schemes are a special case of Broadcast Encryption [27], where the property of strong or weak decryption consistency is guaranteed. DRE in turn is a special case of a binding encryption scheme with only two recipients. The definitions of (partial) soundness and (weak) strong decryption consistency are syntactically equivalent when constrained to the special case of two recipients. Conclusively, one may therefore use a binding encryption scheme constrained to two recipients with a suitable level of decryption consistency in any DRE scenario. This means that the most efficient construction of binding encryption by Noh et al. [43] is basically an IND-CPA DRE scheme with soundness as it guarantees strong decryption consistency.

In some cases, a DRE scheme can also be extended to a binding encryption scheme. Consider the case that a sound DRE scheme is scalable for up to n receivers, which is the case with our constructions in Sect. 5. Then the DRE scheme becomes a binding encryption scheme and can therefore be used for all of its applications. These observations are somewhat simple but surprisingly have not yet been mentioned in the literature.

Plaintext Awareness via Key Registration (PAvKR). One variant of plaintext-awareness is plaintext-awareness via key registration introduced by Herzog, Liskov, and Micali [31]. In this notion, both sender and receiver need a public/private-key pair. These key pairs are registered via a key registration authority that ensures that the owner of a public key has knowledge of the private key. DRE is a natural way to utilize such an authority to achieve PA.

PAvKR can be used to enforce the Dolev-Yao model [24]. It is a formal proof model in which automated theorem provers like TAMARIN [40] can be used.

Deniable Authenticated Key Exchange. DRE is used in [23, 47] to implement a special case of deniable authentication (DA) introduced by Dwork, Naor, and Sahai [26] called on-line deniability, which captures the fact that deniability should also apply when one of the parties cooperates with a third party during the protocol. Dodis et al. [23] proposed an asymmetric key exchange protocol for symmetric keys called key exchange with incriminating abort (KEIA), which is a weak form of a deniable key exchange protocol. Roughly said, KEIA enables deniability if the key exchange protocol is terminated successfully. Once a shared key is established, deniability is guaranteed, even if corruptions occur later on. An IND-CCA2 secure and sound DRE scheme is used together with non-committing encryption by Canetti et al. [16] to realize a key exchange with incriminating abort functionality $\mathcal {F}_{keia}$ in the generalized universal composability (GUC) framework by Canetti et al. [15]. The soundness property is mandatory, as it allows to simulate specific actions with either S’s or R’s secret key.

PKE with Non-interactive Opening. The notion of public-key encryption with non-interactive opening (PKENO) by Damgård et al. [20] allows a receiver of a message to publicly open, when the encryption is interpreted as a commitment scheme, a received ciphertext to its plaintext without the necessity to interact with the sender. As stated by Chow, Franklin, and Zhang [18], a DRE trivially implies a one-time PKENO: The encrypting party takes the public keys of both receivers and sends $c = \texttt{enc}( pk ^R, pk ^T,\, \textbf{m})$ to both receivers. One of the two receivers can then prove the validity of the ciphertext c by revealing $\textbf{m}$ and its secret key.

3.2 Applications of DRE with Public Verifiability

Some applications require the property of public verifiability for ciphertexts of a DRE scheme, which is another property of DRE beside soundness. This property requires the existence of a public algorithm verifying the validity of a given DRE ciphertext.

Threshold Decryption. Chow, Franklin, and Zhang [18] describe that a publicly verifiable DRE scheme can be augmented with a secret sharing protocol that distributes one of the receiver’s secret key among n parties in order to enable the threshold decryption scenario with a distributed so-called supervision party. We are not aware of any literature that explores these kinds of constructions any further.

Public-Key Encryption with Plaintext Equality Test (PET). Chow, Franklin, and Zhang [18] note that each publicly verifiable DRE enables the notion of PET introduced by Yang et al. [52]. This allows one to check if any two independent ciphertexts encrypt the same message by providing an additional public test functionality. However, to the best of our knowledge, all the established DRE constructions that are used in PET realizations so far are based on bilinear pairings.

3.3 Applications of CPA secure DRE and the CRS Model

There are two generic applications that differ substantially from the others in regard to their requirements on the DRE or the model they are proven secure within.

Completely Non-malleable DRE. Due to the impossibility results of the existence of a non-interactive completely non-malleable PKE that can be proven secure with a black-box simulation in the standard model from Fischlin [28]. Chow, Franklin, and Zhang [18] propose two constructions of a completely non-malleable DRE (CNM-DRE) scheme in the CRS model. This property requires that any adversary obtaining a ciphertext $\textbf{c}$ without knowing the corresponding plaintext $\textbf{m}$ is not able to create a ciphertext $\textbf{c}^*$ and a (new) key pair such that the message $\textbf{m}^*$ encrypted in $\textbf{c}^*$ under this key pair is related to $\textbf{m}$ in some way.

CNM-DRE schemes can be utilized to construct dual-receiver non-malleable commitments (DR-NMC). These are generalizations of normal commitment schemes introduced by Crescenzo, Ishai, and Ostrovsky [19] and enable the possibility of committing to a message in a non-malleable sense for two independent receivers such that both receivers are able to open the commitment and know that the other party obtained the same de-committed message. We leave it open for future work to check our constructions in regard to this security definition.

Construction of Secure Channels. A new security notion, called sender-binding chosen plaintext attack (SB-CPA), for a variant of PKE, namely sender-binding encryption (SBE), was introduced by Beskorovajnov et al. [8]. The reasoning behind this notion is a definition of minimal security for the public-key part of the encryption when used in conjunction with authenticated channels in order to realize a universally composable secure channel. The authors show that an IND-CPA secure and sound DRE can be used to construct an SB-CPA secure SBE when a key registration with knowledge (KRK) is available. Benz et al. [5] showed that the results carry over to the hybrid encryption or the key exchange setting by utilizing a CPA secure dual-receiver key encapsulation mechanism (KEM). Our constructions from Sect. 5 can be easily simplified to provide this lower security than CCA2 without losing the soundness property. Moreover, we note that our constructions can be easily adapted to provide a CPA secure dual-receiver KEM with soundness because they are constructed with the help of the hybrid encryption paradigm.

3.4 Non-generic Applications

In this section, we briefly introduce non-generic applications of DRE. We denote that the use of DRE in these applications may be generalizable by finding a property that correctly describes the application’s requirements on a DRE construction. However, we are not aware of any such property in the literature and therefore argue that declaring these applications non-generic at this point in time is justified. Securely modifying the use of DRE in these applications in order to make them generic is out of scope and left as an open question. Finally, all the following applications are build upon bilinear pairings inside the employed DRE construction.

Useful Security Puzzles. Computational puzzles can be used to protect servers from resource-heavy client requests. That is, a client has to solve a computationally expensive task which is easily verifiable by the server. However, we call a puzzle not useful if for example its only purpose is to rate-limit a client. In the work of Diament et al. [22], there are two scenarios with useful security puzzles proposed. In the first scenario, a file server can utilize DRE to rate-limit clients requesting encrypted files by outsourcing a huge part of the decryption to the clients. In another scenario, security puzzles might be used for DDoS protection in a TLS-like protocol. Note that this work has been revised in [21].

Combined Encryption Schemes. DRE is utilized to construct combined encryption schemes in [18] and [21, 22]. In the latter two works, the scheme can be used for signing and encryption at the same time. Meanwhile the former construction offers the possibility to use a DRE and PKE scheme with the same keys.

Secure Group Key Management. The concept of secure group communication (SGC) allows a group of users to communicate such that only members of the group can decrypt messages. For this purpose, the group shares a secret called the group key. The most crucial problem is to solve the management of this group key. In SGC, new members can join, and existing members may leave the group. However, new members must not read old messages (backward secrecy), and ex-users are not allowed to decrypt messages after leaving the group (forward secrecy). Hence, the group key must be changed after each entry or exit. This process is called rekeying.

One possible way to manage group keys is to use key graphs [49]. BR and Amberker [12] use the DRE scheme of Diament et al. [22] to manage such a key graph and thus to enable SGC.

Tripartite Key Exchange. The protocols for authenticated key exchange (AKE) are used to share a key among multiple parties via unauthenticated channels. A special case is the three-party AKE (3KE). One of the special properties of a 3KE is called maximal-exposure-resilience (MEX-resilience). It roughly captures the fact that no information about the session key is exposed, even if an adversary is able to obtain any non-trivial combination of keys, that is, not all parties are completely corrupted.

Suzuki and Yoneyama [46] utilize a modified version of a DRE KEM construction from Chow, Franklin, and Zhang [18] to realize an exposure-resilient one-round 3KE in the standard model with the help of bilinear pairings. During the protocol, each party samples a random nonce and broadcasts it to the two other parties. Afterwards, each party aggregates the three plaintexts and derives a shared key via a pseudo-random key derivation function (KDF).

Dual-Receiver Proxy Re-Encryption (DR-PRE). The general notion of proxy re-encryption (PRE) from Blaze, Bleumer, and Strauss [9] and Mambo and Okamoto [39] allows one to transform a ciphertext that has been encrypted for one user into a ciphertext for a different party. In the case of dual-receiver proxy re-encryption (DR-PRE), a ciphertext encrypted for a single user, called the delegator, can be converted into a ciphertext so that it can be decrypted by two independent users, called the delegatees.

Originally, this task had to be done for each delegatee individually with different PREs and re-encryption keys. Patil and BR [44] however use DRE to accomplish this task with a dedicated DR-PRE construction. Both delegatees can decrypt the resulting ciphertext with their respective secret key. In this way computational and bandwidth costs can be saved.

4 Related Work on Post-quantum DRE Constructions

In this section, we present all related works for post-quantum $\text {IND-CCA2}_\text {DRE}$ secure DRE constructions in the standard model, that are [36, 53]. For both of these works, we show that they do not fulfill the soundness property.

We also consider constructions of broadcast encryption schemes as such constructions may be applied to the DRE setting and may have the property of strong decryption consistency that is equivalent to soundness, cf. the discussion from Sect. 3.1. Belonging to the list of broadcast encryption constructions that do not mention strong decryption consistency, there are six (identity-based) BE schemes [13, 29, 32, 38, 48, 51], one IND-CPA construction [10] and four generic constructions from Libert, Paterson, and Quaglia [35]. One exception is the binding encryption construction from Noh et al. [43], which explicitly proves the decryption consistency property. However, this construction is only IND-CPA secure.

For the sake of completeness, we also denote that there are four DRE schemes which are based on post-quantum assumptions satisfying the soundness property. However, they are only IND-CPA secure. The first is from a Master’s Thesis by Gegier [30], which presents a generic construction of a DRE KEM from any deterministic PKE and trapdoor functions with hardcore functions. The second is from a Master’s Thesis by Müller [42], which presents a lattice-based direct construction of a DRE PKE. The third and fourth are two McEliece-based constructions by Beskorovajnov et al. [8].

4.1 IND-CCA2 Secure DRE Schemes Without Soundness

There are two $\text {IND-CCA2}_\text {DRE}$ secure DRE schemes in the standard model, one by Zhang et al. [53] and one by Liu et al. [36]. The constructions differ roughly only in the choice of hash functions. In this subsection, we will show that these schemes do not satisfy the soundness property due to the lack of structure checks. In order to explain the attack on the soundness of these schemes, we abstract the two schemes into one abstract template that covers both schemes:

The parameters $\chi $ and $\chi ^{\prime }$ denote LWE error distributions.
$\text {OTS} = (\textsf{KGen}_{\text {OTS}}, \textsf{Sig}_{\text {OTS}}, \textsf{Vfy}_{\text {OTS}})$ is a strongly unforgeable one-time signature scheme (see [53, Appendix B] for a definition).
$\textbf{H}^R, \textbf{H}^S$ are matrices generated by deterministic functions whose computation includes parts of the public key and a hash function depending on a verification key of OTS. These functions differ among both schemes, but are well-defined.
The algorithm $\texttt {SampleLeft}$ which occurs in line 4 of Fig. 6 outputs on input $(\textbf{C}^R, \textbf{d}_i, sk ^R, s^{\prime })$ a vector $\textbf{v}_i$ such that $\textbf{C}^R \textbf{v}_i = \textbf{d}_i$. The vector $\textbf{d}_i$ is the i-th column vector of the matrix $\textbf{D}$ which is sampled uniformly random, part of the CRS of this scheme, and used as LWE-Matrix to disguise the message.

We omit the details of the key generation here. Roughly, a LWE-Matrix and a corresponding trapdoor is generated in it.

Let us construct an adversary $\mathcal {A}$ which breaks the soundness property with probability 1. It creates a ciphertext $\textbf{c}$ such that R decrypts 0 as the first bit of the message, whereas S obtains 1.

First, $\mathcal {A}$ obtains the public keys $\textbf{A}^R$ and $\textbf{A}^S$ (the secret keys are not needed for this attack). $\mathcal {A}$ runs $( vk , sk ) \leftarrow \textsf{KGen}_{\text {OTS}}$ and creates the LWE-matrices $\textbf{C}^i = \left[ \begin{array}{c|c}\textbf{A}^i & \textbf{H}^i \end{array}\right] $ for $i \in \{R, S \}$ where $\textbf{H}_i$ are deterministic evaluations of some hash functions and other public information. Recall that $\textbf{d}_1$ is the first column vector of $\textbf{D}$. Sample and use Lemma 3 to choose $\textbf{s}^S \in \mathbb {Z}_q^n$ such that $\langle \textbf{d}_1, \textbf{s}^R - \textbf{s}^S \rangle \notin \left[ {-\frac{q}{4}},{\frac{q}{4}}\right) $. The vector $d_1$ is not equal to zero with overwhelming probability since it was sampled from $\mathbb {Z}_q^n$ uniformly at random. Now, $\mathcal {A}$ can construct a malicious ciphertext part $\textbf{c}^{\prime }$ as follows:

$$\begin{aligned} \textbf{c}^{\prime } = \left( \begin{array}{c}\textbf{c}^R \\ \textbf{c}^S \\ \textbf{c}^{\text {msg}} \end{array}\right) = \left[ \begin{array}{c}{( \textbf{C}^R)}^{\top } \cdot \textbf{s}^R \\ {( \textbf{C}^S)}^{\top } \cdot \textbf{s}^S \\ \textbf{D}^{\top } \cdot \textbf{s}^R \end{array}\right] \in \mathbb {Z}_q^{2m+n}. \end{aligned}$$

Note that we implicitly choose $\textbf{e}^R, \textbf{e}^S = \textbf{0}^m$ and $\textbf{e}^{\text {msg}},\textbf{m}= 0^n$. To finish the encryption, $\mathcal {A}$ runs $\sigma \leftarrow \textsf{Sig}_{\text {OTS}}( sk , \textbf{c}^{\prime })$ and returns the ciphertext $\textbf{c}= ( vk , \textbf{c}^{\prime }, \sigma )$. A sketch of this game is given in Fig. 5.

Let us discuss the respective decryptions. Since R does not use the malformed ciphertext part $\textbf{c}^S$ in the decryption algorithm and the signature $\sigma $ is valid, R decrypts $0^n$ as its message and thus 0 as the first bit. Now consider the decryption algorithm in the view of S, restricted to the first bit of $\textbf{m}$. First, the signature check is successful since $\mathcal {A}$ made an honest signature. Next, $\texttt {SampleLeft}(\textbf{A}^S, \textbf{H}^S, \textbf{d}_1, \textbf{sk }^S, s^{\prime })$ returns $\textbf{v}_1$ such that $\textbf{C}^S \textbf{v}_1 = \textbf{d}_1$. According to line 6 of the decryption algorithm from Fig. 6, S obtains $\textbf{m}^{\prime }[1] = \textbf{c}^{\text {msg}}[1] - \textbf{v}_1^{\top } \textbf{c}^S = \langle \textbf{d}_1, \textbf{s}^R \rangle - \textbf{v}_1^{\top } ( \textbf{C}^S)^{\top } \cdot \textbf{s}^S = \langle \textbf{d}_1, \textbf{s}^R \rangle - \textbf{d}_1^{\top } \textbf{s}^S = \langle \textbf{d}_1, \textbf{s}^R - \textbf{s}^S \rangle \notin \left[ {-\frac{q}{4}},{\frac{q}{4}}\right) $ and hence decrypts 1 as first bit. Thus, R and S decrypt different messages from the same ciphertext which breaks the soundness property.

4.2 Identity-Based DRE Schemes Without Soundness

We now discuss identity-based DRE (IB-DRE) schemes. In identity based encryption (IBE), public information, such as an email address, called identity, is used for encryption instead of traditional public keys. Decryption is still performed with the help of a secret key. Such a secret key is attained from a key generation algorithm that takes a master secret key and an identity as input.

There are three works constructing post-quantum secure identity-based DRE schemes in the literature [36, 37, 53]. Zhang et al. [53] propose a generic construction, which is instantiated in the more recent work of Liu et al. [36]. Here, an additional primitive called lattice-based programmable hash functions is used. Liu et al. [37] use an injective map and a homomorphic computation technique due to Yamada [50].

Due to the huge storage costs of public parameters, IB-DRE schemes are impracticable in their current state. For example, in the recent work from Liu et al. [37], 70 public key matrices are demanded, leading to storage cost of approximately 1.2GB for a choice of $n=284$ (as suggested by Micciancio and Peikert [41]). Besides the huge storage costs, none of the three IB-DRE schemes satisfies the soundness property. From a structural perspective, all of these schemes use the same ideas as the schemes from Sect. 4.1 for encryption, and the decryption algorithm does not contain any soundness tests as well. Hence, an adversary can inject different LWE-secrets $\textbf{s}$ in the encryption.

For an attack against the schemes of Liu et al. [37], we refer to Sect. 4.1 since the attacks are very similar. The attack on the schemes of Liu et al. [36] is slightly more involved and is discussed in Appendix A of the full version.

5 $\text {IND-CCA2}_\text {DRE}$ Secure and Sound Hybrid DRE

Section 3 and Sect. 4 show that there is a need for efficient, post-quantum and $\text {IND-CCA2}_\text {DRE}$ secure and sound constructions of DRE schemes in the standard model. In the following we present two constructions that meet this need.

For both constructions we need a full-rank difference encoding $\texttt {FRD}$^{Footnote 1} as well as a hash function $\texttt {H}: \{0,1\}^* \rightarrow \mathbb {Z}_q^n \setminus \{0\}$, a secret-key encryption system $\texttt {SKE}$, a message authentication code $\texttt {MAC}$ and a key derivation function $\texttt {KDF}$.

5.1 NLWE-Based Construction

By adapting the NLWE-based hybrid construction from Boyen, Izabachène, and Li [11] we are able to straightforwardly construct an NLWE-based DRE construction with soundness. As usual, $\mathcal {D}_{\mathbb {Z},\alpha q}$ denotes the discrete Gaussian distribution.

In our description in Fig. 7 we only show the decryption for R, the decryption for S works exactly the same with swapped party identifiers.

Theorem 1

The DRE $\varSigma _{\texttt {LWE}\hbox {-}{} \texttt {DRE}} = (\texttt{gen},\,\texttt{enc},\,\texttt{dec})$ is correct.

The correctness proof carries over from the correctness of [11] since our construction does not change anything intrinsic.

Theorem 2

The DRE $\varSigma _{\texttt {LWE}\hbox {-}{} \texttt {DRE}} = (\texttt{gen},\,\texttt{enc},\,\texttt{dec})$ is sound as in Definition 3.

The basic idea is a statistical one: for a given matrix $\textbf{A}$, the LWE tuple $(\textbf{s},\,\textbf{e})$ in $\textbf{s}^\top \textbf{A}+ \textbf{e}$ is unique with overwhelming probability, see for example the work of Zhang et al. [54]. Therefore, even for maliciously created ciphertexts, both parties will recover the same $\textbf{s}$.

Proof

Assume the scheme is not sound. Then there exists an adversary $\mathcal {A}$ with non-negligible advantage $\textsf{Adv}_{\mathcal {E},\mathcal {A}}^{\text {dre-sound}}$ as in Definition 3. Thus, given two public keys $ pk ^R = (\textbf{A}^R, \textbf{A}_1^R)$ and $ pk ^S = (\textbf{A}^S, \textbf{A}_1^S)$, the adversary $\mathcal {A}$ returns with non-negligible advantage a valid ciphertext $\textbf{c}$ such that $\texttt{dec}( sk ^R,\, pk ^S,\, pk ^R, \textbf{c}) \ne \texttt{dec}( sk ^S,\, pk ^S, pk ^R,\,\textbf{c})$.

At least one party has to accept the ciphertext as otherwise both parties would return $\bot $. Thus, we can assume without loss of generality that R outputs a message and therefore all checks are valid. In particular, we have $\left\| \textbf{c}_1^{S^\top }- (\textbf{s}^R)^\top (\textbf{A}_1^S+ \texttt {FRD}(\texttt {H}(\textbf{c}_0))\textbf{G})\right\| \le \alpha q \sqrt{2m \overline{m}} \cdot \omega (\sqrt{\log n})$, where $\textbf{s}^R$ is the vector that R recovered in step 5. This means that $\textbf{c}_1^{S^\top }= (\textbf{s}^R)^\top (\textbf{A}_1^S+ \texttt {FRD}(\texttt {H}(\textbf{c}_0))\textbf{G}) + (\textbf{e}_1^\prime )^\top $ with $\left\| \textbf{e}_1^\prime \right\| \le \alpha q \sqrt{2m \overline{m}} \cdot \omega (\sqrt{\log n})$. Similarly, we have $\textbf{c}_0^{S^\top }= (\textbf{s}^R)^\top \textbf{A}^S+ (\textbf{e}_0^\prime )^\top $ with $\left\| \textbf{e}_0^\prime \right\| \le \alpha q \sqrt{m}$.

By Micciancio and Peikert [41, Theorem 5.4] this means that S recovers $\textbf{s}^R$ as well, succeeds with all checks and thus both parties recover the same $\textbf{k}$, as well as the same $( dk ,\, mk )$ because the $\texttt {KDF}$ is deterministic.

Finally, as our decryption algorithm as well as our verification algorithm are deterministic, it follows that both parties recover the same $\textbf{M}$. $\square $

Theorem 3

The DRE $\varSigma _{\texttt {LWE}\hbox {-}{} \texttt {DRE}} = (\texttt{gen}, \texttt{enc}, \texttt{dec})$ is $\text {IND-CCA2}_\text {DRE}$-secure as in Definition 2 if $\text {NLWE}_{n,m,q,D_{\mathbb {Z}, \alpha q}}$ is hard, and $\texttt {SKE}, \texttt {MAC}, \texttt {H}, \texttt {KDF}$ are all secure w. r. t. Definitions 5, 6, 8 and 9.

To prove this we adapt the proof of Boyen, Izabachène, and Li [11, Theorem 1]. Thus, for a more in-depth discussion we refer interested reader to that paper. Starting with the $\text {IND-CCA2}_\text {DRE}$ game, we slowly replace parts of our scheme until we arrive at a game where any adversary cannot do better than guessing because the supposedly encrypted message is in fact only a random ciphertext. Our assumptions make sure that no adversary can differentiate the games with more than negligible probability and so this proves that our construction is indeed secure.

Proof

We start by giving a small overview of the games. Game 1 to 3 change the decryption oracle to make it easier for us to adapt the public keys in Game 4. Those changes aim to make sure that the adversary does not query ciphertexts using the challenge “tag” $\texttt {FRD}(\texttt {H}(\textbf{c}_0^*))$. This in turn allows us to replace the binding parts $\textbf{c}_0$ and $\textbf{c}_1$ of $\textbf{k}$ by randomness in Game 5 and 6. Now, Game 7 replaces this key $\textbf{k}$ by randomness as well, and finally in Game 8 we replace the message encryption $\phi $ by a random ciphertext.

As usual, we denote by $\mathbb {P}\left[ S_i\right] $ the probability, that the adversary outputs 1 in Game i.

Game 0: This game follows the IND-CCA2-DRE game. Here, $\mathcal {A}$ gets two independently generated public keys, makes decryption queries to the oracle which can be honestly answered using the secret keys. After that, $\mathcal {A}$ submits two messages $M_0, M_1$ of equal length, after which the challenge ciphertext is computed by $\textbf{c}^* = \texttt{enc}( pk ^R, pk ^S, M_b)$ for . The adversary $\mathcal {A}$ can now make further queries provided that the used public key is from the set $\{R, S\}$ and $\textbf{c}\ne \textbf{c}^*$. Finally, $\mathcal {A}$ outputs $b'$ and the game returns 1 if $b = b'$. By definition, we have
$$\mathbb {P}\left[ S_0\right] = \mathbb {P}\left[ \textsf{Exp}_{\textrm{DRE},\mathcal {A}}^{{\text {IND-CCA2}_\text {DRE}}}(\lambda ) = 1\right] .$$
Game 1: We now precompute $\textbf{c}_0^*$ before sending the two generated public keys to $\mathcal {A}$. More specifically, steps 3 to 7 of the encoding in Fig. 7 are now done before sending the public keys to $\mathcal {A}$. As the precomputed $\textbf{c}_0^*$ is already unavailable to $\mathcal {A}$ until $\textbf{c}^*$ is released and nothing else changed we get
$$\mathbb {P}\left[ S_1\right] = \mathbb {P}\left[ S_0\right] .$$
Game 2: This is identical to Game 1 except for the decryption oracle, which now rejects ciphertexts with $\texttt {H}(\textbf{c}_0) = \texttt {H}(\textbf{c}_0^*)$ in the first phase as well as ciphertexts with $\textbf{c}_0\ne \textbf{c}_0^*$ and $\texttt {H}(\textbf{c}_0) = \texttt {H}(\textbf{c}_0^*)$ in the second phase. Using [11, Lemma 4] we get (for $Q_1$ being the number of decryption queries in the first phase)^{Footnote 2}
$$| \mathbb {P}\left[ S_2\right] - \mathbb {P}\left[ S_1\right] | \le \frac{Q_1}{q^{n}} + \textsf{Adv}^\text {CR}_{\texttt {H},\mathcal {B}_1(\lambda )}.$$
Game 3: We now additionally forbid all decryption queries with $\textbf{c}_0= \textbf{c}_0^*$ after the challenge ciphertext has been released. We can bound the probability that $\mathcal {A}$ submits a valid decryption query $\textbf{c}= (\textbf{c}_0^*, \textbf{c}_1, \phi , \sigma ) \ne \textbf{c}^*$ by two sub-events:
1. (1)
  NoBind: a different key $\textbf{k}\ne \textbf{k}^*$ is associated to $\textbf{c}_0^*$.
2. (2)
  Forge: the key $\textbf{k}^*$ from $\textbf{c}^*$ was used for $\textbf{c}$.
Our definition of $\textbf{c}_0$ (step 7 of Fig. 7) and the uniqueness of LWE samples^{Footnote 3} proves that $\mathbb {P}\left[ \text {NoBind}\right] $ is negligible, and thus
$$|\mathbb {P}\left[ S_4\right] - \mathbb {P}\left[ S_3\right] | \le \mathbb {P}\left[ \text {Forge}_3\right] + \texttt{negl}(\lambda ).$$
Game 4: We adapt the generation of both public keys, calculating $\textbf{c}_0^*$ before setting $\textbf{A}_1^R= \textbf{A}^R\textbf{R}^R - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*)) \textbf{G})$ and $\textbf{A}_1^S= \textbf{A}^S\textbf{R}^S - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*)) \textbf{G})$. As $\textbf{A}^S$ and $\textbf{A}^R$ are both uniformly random, the distribution of the public keys in Game 3 and Game 4 are statistically close. Also, the decryption oracle can handle the same set of decryption queries as in Game 3. Indeed, given $\textbf{c}= (\textbf{c}_0, \textbf{c}_1, \phi , \sigma )$ we have
$$\begin{aligned} \textbf{c}_1= \big (&\textbf{s}^{\top } (\textbf{A}_1^R+ \texttt {FRD}(\texttt {H}(\textbf{c}_0))\textbf{G})+ \textbf{e}^R_1,\textbf{s}^{\top } (\textbf{A}_1^S+ \texttt {FRD}(\texttt {H}(\textbf{c}_0))\textbf{G}) + \textbf{e}^S_1 \big )\\ = \big (&\textbf{s}^{\top } (\textbf{A}^R\textbf{R}^R + (\texttt {FRD}(\texttt {H}(\textbf{c}_0)) - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*))) \textbf{G}) + \textbf{e}^R_1, \\ &\textbf{s}^{\top } (\textbf{A}^S\textbf{R}^S + (\texttt {FRD}(\texttt {H}(\textbf{c}_0)) - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*))) \textbf{G}) + \textbf{e}^S_1 \big ). \end{aligned}$$
As for all $\texttt {H}(\textbf{c}_0) \ne \texttt {H}(\textbf{c}_0^*)$ the difference $\texttt {FRD}(\texttt {H}(\textbf{c}_0)) - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*))$ is invertible by the definition of FRD, the trapdoor $\textbf{R}^S$ or $\textbf{R}^R$ can be used to decrypt the queries. The case $\texttt {H}(\textbf{c}_0) = \texttt {H}(\textbf{c}_0^*)$ was already rejected in Game 3 and so we get
$$| \mathbb {P}\left[ S_4\right] - \mathbb {P}\left[ S_3\right] | \le \texttt{negl}(\lambda ) \quad \text { and }\quad | \mathbb {P}\left[ \text {Forge}_4\right] - \mathbb {P}\left[ \text {Forge}_3\right] | \le \texttt{negl}(\lambda ).$$
Game 5: Here, instead of honestly generating $\textbf{c}_0^*$ and $\textbf{c}_1^*$, we draw and and set $\textbf{c}_0^* = (\tilde{\textbf{c}_0^*}^R + (\textbf{k}^* \cdot \lfloor q/2 \rfloor )^\top \textbf{A}^R, \tilde{\textbf{c}_0^*}^S + (\textbf{k}^* \cdot \lfloor q/2 \rfloor )^\top \textbf{A}^S)$. We can then use [11, Lemma 5] to reduce this game-step to the NLWE-assumption with the only adaption being that we replace the definition of $(\textbf{c}_1^*)^\top = (\textbf{c}_0^*)^\top \textbf{R}+ \textbf{v}^\top $ by $(\textbf{c}_1^*)^\top = (({\textbf{c}_0^*}^R)^\top \textbf{R}^R + {\textbf{v}^R}^\top , ({\textbf{c}_0^*}^S)^\top \textbf{R}^S + {\textbf{v}^S}^\top )$. This results in
$$\begin{aligned} |\mathbb {P}\left[ S_5\right] - \mathbb {P}\left[ S_4\right] | &\le \textsf{Adv}_{\mathcal {B}_2}^{\textsf{NLWE}_{n,m,q,\chi }} (\lambda ) \quad \text { as well as} \\ |\mathbb {P}\left[ \text {Forge}_5\right] - \mathbb {P}\left[ \text {Forge}_4\right] | &\le 2 \textsf{Adv}_{\mathcal {B}'_2}^{\textsf{NLWE}_{n,m,q,\chi }} (\lambda ). \end{aligned}$$
Game 6: We now replace $\textbf{c}_0^*$ of Game 5 with . As $\tilde{\textbf{c}_0^*}$ was only used to generate $\textbf{c}_0^*$ and acted as a one-time-pad, the distributions of both games are identical and thus
$$\mathbb {P}\left[ S_6\right] = \mathbb {P}\left[ S_5\right] \quad \text { and }\quad \mathbb {P}\left[ \text {Forge}_6\right] = \mathbb {P}\left[ \text {Forge}_5\right] .$$
Game 7: Instead of generating the signing key $ dk ^*$ and the $\texttt {MAC}$ key $ mk ^*$ using the $\texttt {KDF}$, we just draw them from the key spaces of $\texttt {SKE}$ and $\texttt {MAC}$ uniformly. As $\textbf{k}^*$ is independent of $\textbf{c}^*$ since Game 6, this change can be reduced to the security of the $\texttt {KDF}$. More specifically, using [11, Lemma 6] we can show that
$$\begin{aligned} |\mathbb {P}\left[ S_7\right] - \mathbb {P}\left[ S_6\right] | &\le \textsf{Adv}_{\texttt {KDF},\mathcal {B}'_3}^{\text {IND}}(\lambda ) \quad \text { as well as} \\ |\mathbb {P}\left[ \text {Forge}_7\right] - \mathbb {P}\left[ \text {Forge}_6\right] | &\le 2\textsf{Adv}_{\texttt {KDF},\mathcal {B}'_3}^{\text {IND}}(\lambda ). \end{aligned}$$
But as $ mk ^*$ is now uniformly sampled and independent of $\textbf{c}_0^*,\textbf{c}_1^*$ and $\phi ^*$, $\mathbb {P}\left[ \text {Forge}_7\right] $ can straightforwardly be bound by the security of the $\texttt {MAC}$ using [11, Lemma 7] to arrive at
$$\mathbb {P}\left[ \text {Forge}_7\right] \le Q_2 \cdot \textsf{Adv}_{\texttt {MAC},\mathcal {B}_4}^{\text {OT-SUF}}(\lambda ).$$
Game 8: Last but not least we replace the encrypted message $\phi ^*$ of the challenge ciphertext by a random ciphertext. As $ dk ^*$ is independently and randomly chosen, a straightforward reduction shows
$$|\mathbb {P}\left[ S_8\right] - \mathbb {P}\left[ S_7\right] | \le \textsf{Adv}_{\texttt {SKE},\mathcal {B}_5}^{\text {OT-IND}}(\lambda ).$$

We note that in Game 8 the challenge ciphertext is independent of the chosen value b, and thus the adversary has no advantage in winning Game 8. Using our assumptions we finally see that the winning probability between all games only changes negligible, and thus

$$\textsf{Adv}_{\textrm{DRE},\mathcal {A}}^{{\text {IND-CCA2}_\text {DRE}}}(\lambda ) \le \frac{1}{2} + \texttt{negl}(\lambda ),$$

which finishes the proof. $\square $

5.2 Code-Based Construction of a Sound and $\text {IND-CCA2}_\text {DRE}$ Secure DRE

We adapt the LPN-based PKE from Kiltz, Masny, and Pietrzak [34] to create an $\text {IND-CCA2}_\text {DRE}$ secure DRE scheme with soundness. The double trapdoor technique employed by the authors allows us to convert their PKE into a DRE construction, while actually reducing the public key by one matrix and only slightly increasing the ciphertext size.

We note here that Boyen, Izabachène, and Li [11] adapted the scheme of Kiltz, Masny, and Pietrzak [34] as well to create an IND-CCA2 secure hybrid encryption scheme based on LPN, which shares the symmetric part of our scheme.

As before only the decryption for R is described in Fig. 8, but the decryption for S works exactly the same with swapped party identifiers. Also, everything happens in $\mathbb {Z}_2$, and so the operations “$+$” and “−” can be used interchangeably.

In this scheme we use a constant $0 < c < 1/4$ defining the Bernoulli parameter $p = \sqrt{c/m}$ and the bounding parameter $\beta = 2 \sqrt{cm}$. Additionally, we use an efficient binary linear error-correcting code $\textbf{G}: \mathbb {Z}_2^n \rightarrow \mathbb {Z}_2^m$ correcting up to $\alpha m$ errors for $4c < \alpha < 1$, which exists by Lemma 2.

Theorem 4

The DRE $\varSigma _{\texttt {LPN}\hbox {-}{} \texttt {DRE}} = (\texttt{gen},\,\texttt{enc},\,\texttt{dec})$ is correct.

Proof

As the same parameters are used, the proof of [34, Theorem 1] shows that

$$\begin{aligned} \mathop {\mathbb {P}}\limits _{\textbf{e}\leftarrow \text {Ber}_p^m}\left[ \left\| \textbf{e}\right\| _w > \beta \right] < 2^{-\varTheta (\sqrt{m})} \end{aligned}$$

(1)

as well as

$$\begin{aligned} \mathop {\mathbb {P}}\limits _{\textbf{T}\leftarrow \text {Ber}_p^{m \times m}}\left[ \left\| \textbf{T}\textbf{e}\right\| _w > \frac{\alpha m}{2} \mid \left\| \textbf{e}\right\| _w \le \beta \right] < 2^{-\varTheta (m)}. \end{aligned}$$

(2)

Thus, for a properly generated ciphertext, it holds with overwhelming probability $1-2^{\varTheta (\sqrt{m})}$ for $i \in \{R, S\}$ that

$$\left\| \textbf{e}^i\right\| _w \le \beta \wedge \left\| (\textbf{e}^i)^\top \textbf{T}^i\right\| _w \le \frac{\alpha m}{2} \wedge \left\| (\textbf{e}^i)^\top \textbf{R}^i\right\| _w \le \frac{\alpha m}{2}.$$

In this case, by the error correction property of the code $\textbf{G}$, the correct $\textbf{s}$ is recovered from $\textbf{c}_t^R = \textbf{s}^\top \texttt {FRD}(\texttt {H}(\textbf{c}_0)) \textbf{G}+ (\textbf{e}^R)^\top (\textbf{T}^R -\textbf{R}^R)$ as the error term satisfies $\left\| (\textbf{e}^R)^\top (\textbf{T}^R -\textbf{R}^R)\right\| _w \le \alpha m$ by Equation (2). Also, all decryption checks succeed and thus the correct message $\textbf{M}$ is recovered by the determinism of $\texttt {KDF}, \texttt {MAC}.\textsf{Vfy}$ and $\texttt {SKE}.\texttt{dec}$. $\square $

Theorem 5

The DRE $\varSigma _{\texttt {LPN}\hbox {-}{} \texttt {DRE}} = (\texttt{gen},\,\texttt{enc},\,\texttt{dec})$ is sound as in Definition 3.

The proof is similar to proof 2 but this time we use the decoding properties of $\textbf{G}$ for the uniqueness of $\textbf{s}$.

Proof

Assume the scheme is not sound. Then there exists an adversary $\mathcal {A}$ whose advantage $\textsf{Adv}_{\mathcal {E},\mathcal {A}}^{\text {dre-sound}}$ is non-negligible, where the advantage is defined as in Definition 3. Thus, given two public keys $ pk ^R = (\textbf{A}^R, \textbf{A}_1^R), pk ^S = (\textbf{A}^S, \textbf{A}_1^S)$, the adversary $\mathcal {A}$ returns with non-negligible advantage a valid ciphertext $\textbf{c}$ with $\texttt{dec}( sk ^R,\, pk ^S,\, pk ^R, \textbf{c}) \ne \texttt{dec}( sk ^S,\, pk ^S, pk ^R,\,\textbf{c})$.

At least one party has to accept the ciphertext as otherwise both parties would return $\bot $. Thus, we can assume without loss of generality that R outputs a message and therefore the decryption checks are valid. In particular, we have $\left\| \textbf{c}_1^S - (\textbf{s}^R)^\top (\textbf{A}_1^S+ \texttt {FRD}(\texttt {H}(\textbf{c}_0))\textbf{G})\right\| _w \le \frac{\alpha m}{2}$, where $\textbf{s}^R$ is the vector that R recovered in step 6. This means that $\textbf{c}_1^S = (\textbf{s}^R)^\top (\textbf{A}_1^S+ \texttt {FRD}(\texttt {H}(\textbf{c}_0))\textbf{G}) + (\textbf{e}_1^\prime )^\top $ with $\left\| \textbf{e}_1^\prime \right\| _w \le \frac{\alpha m}{2}$. Similarly, we have $\textbf{c}_0^S = (\textbf{s}^R)^\top \textbf{A}^S+ (\textbf{e}_0^\prime )^\top $ with $\left\| \textbf{e}_0^\prime \right\| _w \le \beta $.

Therefore, it holds that $\textbf{c}_t^S = \textbf{c}_1^S - \textbf{c}_0^S \textbf{R}^S = \textbf{s}^R \texttt {FRD}(\texttt {H}(c_0)) \textbf{G}+ (\textbf{e}_1^\prime )^\top - (\textbf{e}_0^\prime )^\top \textbf{R}^S$. As $\left\| \textbf{e}_1^\prime \right\| _w \le \frac{\alpha m}{2}$ we only need to show $\left\| (\textbf{e}_0^\prime )^\top \textbf{R}^S\right\| _w \le \frac{\alpha m}{2}$. Indeed, the decoding property of $\textbf{G}$ guarantees the correct decoding of $\textbf{s}$ if the inequality holds, and as $\texttt {KDF}, \texttt {MAC}.\textsf{Vfy}$ and $\texttt {SKE}.\texttt{dec}$ are deterministic, both parties will decrypt the same message $\textbf{M}$.

To show that $\left\| (\textbf{e}_0^\prime )^\top \textbf{R}\right\| _w \le \frac{\alpha m}{2}$ with overwhelming probability, notice first that $\#\{\textbf{e}\in \mathbb {Z}_2^m \mid \left\| \textbf{e}\right\| _w \le \beta \} = \sum _{i=0}^{\beta } \left( {\begin{array}{c}m\\ i\end{array}}\right) \le 2^{\log (m) \mathcal {O}(\sqrt{m})}$ because $\beta = \varTheta (\sqrt{m})$. Thus, taking the union bound over all $\textbf{e}\in \mathbb {Z}_2^m$ with $\left\| \textbf{e}\right\| _w \le \beta $ we get

$$\mathop {\mathbb {P}}\limits _{\textbf{R}^S}\left[ \forall \textbf{e}, \left\| \textbf{e}\right\| _w \le \beta : \left\| \textbf{e}^\top \textbf{R}^S\right\| _w \le \frac{\alpha m}{2}\right] \ge 1 - 2^{\varTheta (m)}$$

using Equation (2) as desired, which finishes the proof.

Theorem 6

The DRE $\varSigma _{\texttt {LPN}\hbox {-}{} \texttt {DRE}} = (\texttt{gen}, \texttt{enc}, \texttt{dec})$ is $\text {IND-CCA2}_\text {DRE}$-secure as in Definition 2 if $\text {LPN}_{n,m,p}$ is hard, and $\texttt {SKE}, \texttt {MAC}, \texttt {H}, \texttt {KDF}$ are all secure w. r. t. Definitions 5, 6, 8 and 9.

To prove this we use ideas of Boyen, Izabachène, and Li [11, Theorem 1] and Kiltz, Masny, and Pietrzak [34, Theorem 2]. Therefore, this proof shares its structure with proof 3, and for faster understanding, games that differ from aforementioned proof are highlighted by underscoring them.

Proof

Game 0: This game follows the IND-CCA2-DRE game. So again, $\mathcal {A}$ gets two independently generated public keys, makes decryption queries to the oracle which can be honestly answered using the secret keys. After that, $\mathcal {A}$ submits two messages $M_0, M_1$ of equal length, after which the challenge ciphertext is computed by $\textbf{c}^* = \texttt{enc}( pk ^R, pk ^S, M_b)$ for . The adversary $\mathcal {A}$ can now make further queries provided that the used public key is from the set $\{R, S\}$ and $\textbf{c}\ne \textbf{c}^*$. Finally, $\mathcal {A}$ outputs $b'$ and the game returns 1 if $b = b'$. By definition, we have
$$\mathbb {P}\left[ S_0\right] = \mathbb {P}\left[ \textsf{Exp}_{\textrm{DRE},\mathcal {A}}^{{\text {IND-CCA2}_\text {DRE}}}(\lambda ) = 1\right] .$$
Game 1: In this game, $\textbf{c}_0^*$ is precomputed before sending the two generated public keys to $\mathcal {A}$. More specifically, steps 3 to 6 of the encoding in Fig. 8 are now done before sending the public keys to $\mathcal {A}$. As the precomputed $\textbf{c}_0^*$ is already unavailable to $\mathcal {A}$ until $\textbf{c}^*$ is released and nothing else changed we get
$$\mathbb {P}\left[ S_1\right] = \mathbb {P}\left[ S_0\right] .$$
Game 2: This is identical to Game 1 except for the decryption oracle, which now rejects ciphertexts with $\texttt {H}(\textbf{c}_0) = \texttt {H}(\textbf{c}_0^*)$ in the first phase as well as ciphertexts with $\textbf{c}_0\ne \textbf{c}_0^*$ and $\texttt {H}(\textbf{c}_0) = \texttt {H}(\textbf{c}_0^*)$ in the second phase. Using [11, Lemma 4] we get (for $Q_1$ being the number of decryption queries in the first phase)
$$| \mathbb {P}\left[ S_2\right] - \mathbb {P}\left[ S_1\right] | \le \frac{Q_1}{q^{n}} + \textsf{Adv}^\text {CR}_{\texttt {H},\mathcal {B}_1(\lambda )}.$$
Game 3: We now additionally forbid all decryption queries with $\textbf{c}_0= \textbf{c}_0^*$ after the challenge ciphertext has been released. We can bound the probability that $\mathcal {A}$ submits a valid decryption query $\textbf{c}= (\textbf{c}_0^*, \textbf{c}_1, \phi , \sigma ) \ne \textbf{c}^*$ by two sub-events:
1. (1)
  NoBind: a different key $\textbf{s}\ne \textbf{s}^*$ is associated to $\textbf{c}_0^*$.
2. (2)
  Forge: the key $\textbf{s}^*$ from $\textbf{c}^*$ was used for $\textbf{c}$.
Our definition of $\textbf{c}_0$ (step 6 of Fig. 8) and the uniqueness of LPN samples^{Footnote 4} proves that $\mathbb {P}\left[ \text {NoBind}\right] $ is negligible, and thus
$$|\mathbb {P}\left[ S_4\right] - \mathbb {P}\left[ S_3\right] | \le \mathbb {P}\left[ \text {Forge}_3\right] + \texttt{negl}(\lambda ).$$
Game 4: Our goal again is to set $\textbf{A}_1^R= \textbf{A}^R\textbf{R}^R - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*)) \textbf{G}$ as well as $\textbf{A}_1^S= \textbf{A}^S\textbf{R}^S - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*)) \textbf{G}$. Because of the low noise rate of the private keys, $\textbf{A}_1^R$ and $\textbf{A}_1^S$ are only computationally indistinguishable from uniformly random matrices based on the KLPN problem (whereas those matrices were statistically close to uniform in our LWE construction from Sect. 5.1). To solve this we split this game into multiple smaller steps. The idea is to use the double trapdoor already present in the DRE scheme because of the (sound) encryption for both parties to first adapt $ sk ^R$ and then $ sk ^S$. In the process we also adapt $\textbf{c}^*$ so that later we can use an LPN sample to hide the challenge bit. A recap of the changes can be found before Game 5.
- Game 4.1: All decryption queries are answered using $ sk ^S$. By the soundness property of our construction (see Theorem 5) we have
  $$\left| \mathbb {P}\left[ S_{4.1}\right] - \mathbb {P}\left[ S_{3}\right] \right| \le \texttt{negl}(\lambda ) \text { and } \left| \mathbb {P}\left[ \text {Forge}_{4.1}\right] - \mathbb {P}\left[ \text {Forge}_3\right] \right| \le \texttt{negl}(\lambda ).$$
- Game 4.2: We replace $\textbf{A}_1^R$ by a random matrix. This can be reduced to the KLPN assumption: Assume we have a distinguisher $\mathcal {D}$ between Game 4.1 and 4.2. Our attacker $\mathcal {A}_1$ on KLPN gets $(\textbf{A}, \textbf{B})$ and has to decide whether or $\textbf{B}= \textbf{A}\textbf{E}$ for and $\textbf{E}\leftarrow \text {Ber}_p^{m \times m}$. It simulates Game 4.1 but instead of generating $\textbf{A}^R$ and $\textbf{A}_1^R$ it sets $\textbf{A}^R{:}{=}\textbf{A}$ and $\textbf{A}_1^R{:}{=}\textbf{B}$. As $ sk ^R$ is not used anymore this does not change the decryption capabilities of the oracle, and so if this perfectly simulates Game 4.2, while if $\textbf{B}= \textbf{A}\textbf{E}$ this perfectly simulates Game 4.1. Thus, the advantage of $\mathcal {A}_1$ is that of $\mathcal {D}$, and so we have
  $$|\mathbb {P}\left[ S_{4.2}\right] - \mathbb {P}\left[ S_{4.1}\right] | \le \textsf{Adv}_{\mathcal {A}_1}^{\textsf{KLPN}_{n,m,p}} (\lambda ).$$
  For the Forge probabilities, the adversary $\mathcal {A}_2$ follows the same game as above, but for every decryption query $\textbf{c}= (\textbf{c}_0^*, \textbf{c}_1, \phi , \sigma ) \ne \textbf{c}^*$ it checks if $\texttt {MAC}.\textsf{Vfy}(mk^*, (\textbf{c}_0,\textbf{c}_1,\phi ), \sigma ) = 1$. In this case, it outputs 1 to the KLPN challenger, otherwise it replies with $\bot $ to the decryption query. If this never happens $\mathcal {A}_2$ outputs a random bit. As in [11, Lemma 5] this results in
  $$| \mathbb {P}\left[ \text {Forge}_{4.2}\right] - \mathbb {P}\left[ \text {Forge}_{4.1}\right] | \le 2 \textsf{Adv}_{\mathcal {A}_2}^{\textsf{KLPN}_{n,m,p}} (\lambda ).$$
- Game 4.3: In this game $\textbf{A}_1^R= \textbf{B}$ is replaced by $\textbf{A}_1^R= \textbf{B}- \texttt {FRD}(\texttt {H}(\textbf{c}_0^*)) \textbf{G}$ for . As $\textbf{B}$ is a one time pad this does not change the distributions, and so
  $$\mathbb {P}\left[ S_{4.3}\right] = \mathbb {P}\left[ S_{4.2}\right] \quad \text { and }\quad \mathbb {P}\left[ \text {Forge}_{4.3}\right] = \mathbb {P}\left[ \text {Forge}_{4.2}\right] .$$
- Game 4.4: We now replace $\textbf{A}_1^R= \textbf{B}- \texttt {FRD}(\texttt {H}(\textbf{c}_0^*))$ by our secret key trapdoor $\textbf{A}_1^R= \textbf{A}^R \textbf{R}^R - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*)) \textbf{G}$. We also adapt $\mathbf {c_1^*}^R$ such that instead of sampling $\textbf{T}^R$ and honestly generating ${\textbf{c}_1^*}^R$ we instead replace it by $\mathbf {c_1^*}^R {:}{=}\textbf{s}^\top (\textbf{A}_1^R+ \texttt {FRD}(\texttt {H}(\textbf{c}_0^*))\textbf{G}) + (\textbf{e}^R)^\top \textbf{R}^R$. Similar to Game 4.2 this can be reduced to the EKLPN assumption. For this, assume that there is a distinguisher $\mathcal {D}$ between Game 4.4 and 4.3. The adversary $\mathcal {A}_3$ on EKLPN gets $(\textbf{A}, \textbf{B}, \textbf{z}, \textbf{u})$ and has to decide whether or $\textbf{B}= \textbf{A}\textbf{E}$ for $\textbf{A}\leftarrow \mathbb {Z}_2^{n \times m}, \textbf{E}\leftarrow \text {Ber}_p^{m \times m}, \textbf{z}\leftarrow \text {Ber}_p^m$ and $\textbf{u}= \textbf{z}^\top \textbf{E}$. It then simulates Game 4.3 but sets $\textbf{A}^R{:}{=}\textbf{A}, \textbf{A}_1^R{:}{=}\textbf{B}, \mathbf {c_0^*}^R {:}{=}\textbf{s}^\top \textbf{A}^R+ \textbf{z}$ and $\mathbf {c_1^*}^R {:}{=}\textbf{s}^\top (\textbf{A}_1^R+ \texttt {FRD}(\texttt {H}(\textbf{c}_0^*))\textbf{G}) + \textbf{u}$.
  
  Now, if this perfectly simulates Game 4.3 because $\textbf{E}$ and $\textbf{T}^R$ have the same distribution and both are not used outside of the error generation, whereas if $\textbf{B}= \textbf{A}\textbf{E}$ the construction perfectly simulates Game 4.4. As before, together this gives us
  $$\begin{aligned} |\mathbb {P}\left[ S_{4.4}\right] - \mathbb {P}\left[ S_{4.3}\right] | &\le \textsf{Adv}_{\mathcal {A}_3}^{\textsf{EKLPN}_{n,m,p}} (\lambda ) \quad \text { and} \\ | \mathbb {P}\left[ \text {Forge}_{4.4}\right] - \mathbb {P}\left[ \text {Forge}_{4.3}\right] | &\le 2\textsf{Adv}_{\mathcal {A}_4}^{\textsf{EKLPN}_{n,m,p}} (\lambda ). \end{aligned}$$
- Game 4.5: Decryption is now always done via $ sk ^R$ instead of $ sk ^S$. The decryption oracle can still handle the same set of decryption queries. Indeed, given a valid $\textbf{c}= (\textbf{c}_0, \textbf{c}_1, \phi , \sigma )$ we have
  $$\begin{aligned} \textbf{c}_1^{R^\top }= &\textbf{s}^{\top } (\textbf{A}_1^R+ \texttt {FRD}(\texttt {H}(\textbf{c}_0))\textbf{G})+ (\textbf{e}^R)^\top \textbf{T}^R\\ = &\textbf{s}^{\top } (\textbf{A}^R\textbf{R}^R + (\texttt {FRD}(\texttt {H}(\textbf{c}_0)) - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*))) \textbf{G}) + (\textbf{e}^R)^\top \textbf{T}^R. \end{aligned}$$
  As for all $\texttt {H}(\textbf{c}_0) \ne \texttt {H}(\textbf{c}_0^*)$ the difference $\texttt {FRD}(\texttt {H}(\textbf{c}_0)) - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*))$ is invertible by the definition of FRD, the trapdoor $\textbf{R}^R$ can be used to decrypt the queries. The case $\texttt {H}(\textbf{c}_0) = \texttt {H}(\textbf{c}_0^*)$ was already rejected from Game 3 on. Also, by the soundness the difference between using $ sk ^R$ or $ sk ^S$ is negligible, and so we get
  $$ \left| \mathbb {P}\left[ S_{4.5}\right] - \mathbb {P}\left[ S_{{4.4}}\right] \right| \le \texttt{negl}(\lambda ) \text { and } \left| \mathbb {P}\left[ \text {Forge}_{4.5}\right] - \mathbb {P}\left[ \text {Forge}_{4.4}\right] \right| \le \texttt{negl}(\lambda ).$$
- Game 4.6: We repeat Game 4.2-Game 4.4 with $ sk ^S$. This results in $\textbf{A}_1^S= \textbf{A}^S\textbf{R}^S - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*))$ and $\mathbf {c_1^*}^S {:}{=}\textbf{s}^\top (\textbf{A}_1^S+ \texttt {FRD}(\texttt {H}(\textbf{c}_0^*))\textbf{G}) + (\textbf{e}^S)^\top \textbf{R}^S$ with probability differences
  $$\begin{aligned} |\mathbb {P}\left[ S_{4.6}\right] - \mathbb {P}\left[ S_{4.5}\right] | &\le \textsf{Adv}_{\mathcal {A}_5}^{\textsf{KLPN}_{n,m,p}} (\lambda ) + \textsf{Adv}_{\mathcal {A}_6}^{\textsf{EKLPN}_{n,m,p}} (\lambda ) \quad \text { and} \\ \mathbb {P}\left[ \text {Forge}_{4.6}\right] - \mathbb {P}\left[ \text {Forge}_{4.5}\right] &\le 2 \textsf{Adv}_{\mathcal {A}_7}^{\textsf{KLPN}_{n,m,p}} (\lambda ) + 2 \textsf{Adv}_{\mathcal {A}_8}^{\textsf{EKLPN}_{n,m,p}} (\lambda ). \end{aligned}$$
After Game 4.6 we have (for $i \in \{R,S\}$) $\textbf{A}_1^i + \texttt {FRD}(\texttt {H}(\textbf{c}_0^*)) \textbf{G}= \textbf{A}^i \textbf{R}^i$, and thus at this point the scheme differs in the following way from the original scheme^{Footnote 5}:
- $( pk ^i, sk ^i) = ((\textbf{A}^i, \textbf{A}_1^i), \textbf{R}^i)$ where and then $\textbf{A}_1^i {:}{=}\textbf{A}^i \textbf{R}^i - \texttt {FRD}(\texttt {H}(\textbf{c}_0^*)) \textbf{G}$
- $\textbf{c}_0^* = (\textbf{s}^{\top } \textbf{A}^R + \textbf{e}^R, \textbf{s}^{\top } \textbf{A}^S + \textbf{e}^S )$
- $\textbf{c}_1^* = \big (\textbf{s}^{\top } \textbf{A}^R \textbf{R}^R+ (\textbf{e}^R)^\top \textbf{R}^R, \textbf{s}^{\top } \textbf{A}^S \textbf{R}^S + (\textbf{e}^S)^\top \textbf{R}^S \big )$.
Game 5: Instead of honestly generating $\textbf{c}_0^*$ and $\textbf{c}_1^*$, we draw both and and set ${\textbf{c}_1^*}^R {:}{=}{\textbf{c}_0^*}^R \textbf{R}^R$ as well as ${\textbf{c}_1^*}^S {:}{=}{\textbf{c}_0^*}^S \textbf{R}^S$. This game step can be reduced to the LPN problem. So assume that there is a distinguisher $\mathcal {D}$ between Game 5 and 4.6. Let $\mathcal {A}_9$ be an adversary to the LPN^{Footnote 6} problem who gets $((\textbf{A}^1, \textbf{A}^2), (\textbf{u}^1, \textbf{u}^2))$ where or $\textbf{u}^i = \textbf{s}^\top \textbf{A}^i + \textbf{e}^i$ for and $\textbf{e}^i \leftarrow \text {Ber}_p^m$. It simulates Game 4.6 but sets ${\textbf{c}_0^*}^R = \textbf{u}^1$, ${\textbf{c}_0^*}^S = \textbf{u}^2$, ${\textbf{c}_1^*}^R = \textbf{u}^1 \textbf{R}^R$ and ${\textbf{c}_1^*}^S = \textbf{u}^2 \textbf{R}^S$.

Now if $\textbf{u}^i = \textbf{s}^\top \textbf{A}^i + \textbf{e}^i$ this perfectly simulates Game 4.6 by our previous comment, whereas if this simulates Game 5. As before that means we have
$$\begin{aligned} |\mathbb {P}\left[ S_5\right] - \mathbb {P}\left[ S_{4.6}\right] | &\le \textsf{Adv}_{\mathcal {A}_9}^{\textsf{LPN}_{n,2m,p}} (\lambda ) \quad \text { as well as} \\ |\mathbb {P}\left[ \text {Forge}_5\right] - \mathbb {P}\left[ \text {Forge}_{4.6}\right] | &\le 2 \textsf{Adv}_{\mathcal {A}_{10}}^{\textsf{LPN}_{n,2m,p}} (\lambda ). \end{aligned}$$
Game 6: Instead of generating the signing key $ dk ^*$ and the $\texttt {MAC}$ key $ mk ^*$ using the $\texttt {KDF}$, we just draw them from the key spaces of $\texttt {SKE}$ and $\texttt {MAC}$ uniformly. As $\textbf{s}^*$ is independent of $\textbf{c}^*$ since Game 5, this change can be reduced to the security of the $\texttt {KDF}$. More specifically, using [11, Lemma 6] we can show that
$$\begin{aligned} |\mathbb {P}\left[ S_6\right] - \mathbb {P}\left[ S_5\right] | &\le \textsf{Adv}_{\texttt {KDF},\mathcal {B}'_3}^{\text {IND}}(\lambda ) \quad \text { as well as} \\ |\mathbb {P}\left[ \text {Forge}_6\right] - \mathbb {P}\left[ \text {Forge}_5\right] | &\le 2\textsf{Adv}_{\texttt {KDF},\mathcal {B}'_3}^{\text {IND}}(\lambda ). \end{aligned}$$
But as $ mk ^*$ is now uniformly sampled and independent of $\textbf{c}_0^*,\textbf{c}_1^*$ and $\phi ^*$, $\mathbb {P}\left[ \text {Forge}_6\right] $ can straightforwardly be bound by the security of the $\texttt {MAC}$ using [11, Lemma 7] to arrive at
$$\mathbb {P}\left[ \text {Forge}_6\right] \le Q_2 \cdot \textsf{Adv}_{\texttt {MAC},\mathcal {B}_4}^{\text {OT-SUF}}(\lambda ).$$
Game 7: Last but not least we replace the encrypted message $\phi ^*$ of the challenge ciphertext by a random ciphertext. As $ dk ^*$ is independently and randomly chosen, a straightforward reduction shows
$$|\mathbb {P}\left[ S_7\right] - \mathbb {P}\left[ S_6\right] | \le \textsf{Adv}_{\texttt {SKE},\mathcal {B}_5}^{\text {OT-IND}}(\lambda )$$

We note that in Game 7 the challenge ciphertext is independent of the chosen value b, and thus the adversary has no advantage in winning Game 7. Using our assumptions we finally see that the winning probability between all games only changes negligible, and thus

$$\textsf{Adv}_{\textrm{DRE},\mathcal {A}}^{{\text {IND-CCA2}_\text {DRE}}}(\lambda ) \le \frac{1}{2} + \texttt{negl}(\lambda ),$$

which finishes the proof. $\square $

We discuss further observations that might be of independent interest in Sect. 6.

6 Discussion

Secure parameters for our schemes from Sect. 5 as well as their resulting sizes can be found in Appendix B of the full version of this paper.

Modular Hybrid Encryption: Boyen, Izabachène, and Li [11] mention that proving the security of the KEM-part in their construction is left for future work. Solving this task would be in fact an interesting result, which might lead to more efficient IND-CCA2 constructions of PKE or DRE in the standard model. For DRE, however, additional assumptions, such as correlated product security [45], are required as encrypting the same secret twice might in general counteract the one-wayness property as shown by Rosen and Segev [45] for the $\textrm{RSA}$ one-way function. Our observation is that the security of the KEM part in the hybrid construction from Boyen, Izabachène, and Li [11] has to be weaker than the replayable chosen ciphertext attack (RCCA) security, which is defined for a PKE by Canetti, Krawczyk, and Nielsen [17] and adapted to the KEM definition from Abe, Gennaro, and Kurosawa [1]. In lattice- or LPN-based trapdoor functions an adversary may always manipulate the error such that the inversion outputs an $\textbf{x}\ne \bot $. Consider having a validity oracle that on input $\textbf{c}$ checks whether the ciphertext decrypts to $\bot $. Note that the decryption oracle from the RCCA-Game returning test is such an oracle. Then the adversary may obtain the error vector by manipulating $\textbf{c}$ and testing, whether the RCCA oracle returns test.

Partial Soundness. There are corner cases where a weaker variant of soundness is sufficient, i. e., partial soundness or weak decryption consistency, which are equivalent when constrained to two recipients. This allows one party to decrypt the ciphertext to a valid message while the other party outputs $\bot $. The formal definitions can be found in Beskorovajnov et al. [8] and Noh et al. [43].

If one for example skips either step 8 or 9 (but not both) of the decryption in the NLWE-based construction of Sect. 5.1 (only checking the error of either $\textbf{c}_0^S$ or $\textbf{c}_1^S$) one gets a slightly more efficient partially sound DRE. Thus, while an attacker cannot create a valid ciphertext encrypting different messages to S and R, they can create a ciphertext which S decrypts to a valid message while R outputs $\bot $. Indeed, one can achieve this by creating a valid ciphertext and adding a big enough error term to either $\textbf{c}_0^S$ or $\textbf{c}_1^S$ such that S does not accept the ciphertext, whereas R accepts and decrypts the ciphertext because it does not check this error. Partial soundness still holds because of the injectivity of the LWE function.

7 Conclusion

We observe that the literature of $\text {IND-CCA2}_\text {DRE}$ secure DRE constructions in the standard model based on post-quantum assumptions lacks constructions that guarantee soundness. However, most of the literature around applications that employ DRE in a generic way require this exact property. Our main result comprises two constructions that fill this gap.

We point out that applications identified by us as non-generic in Sect. 3.4 may be abstracted further in future work in order to use a DRE in a black-box manner. Finally, we note that a DRE construction based on a post-quantum assumption with public verifiability and soundness, which is required by applications from Sect. 3.2, is still an open question.

Notes

1.
A $\texttt {FRD}$ is a function $\texttt {FRD}: \mathbb {Z}_q^n \rightarrow \mathbb {Z}_q^{n \times n}$ such that for any $x,y \in \mathbb {Z}_q^n, x \ne y$ we have $\texttt {FRD}(x) - \texttt {FRD}(y)$ is invertible over $\mathbb {Z}_q^{n \times n}$. See the work of Agrawal, Boneh, and Boyen [2] for an example of such functions.
2.
Notice that $Q_2$ in [11, Lemma 4] is not needed: The reduction algorithm $\mathcal {B}_1$ always wins if a collision occurs.
3.
See for example [54, Lemma 6].
4.
See for example [25, Lemma 3.2].
5.
As $\textbf{c}_0^*$ is calculated after $\textbf{A}^i$ is generated but before $\textbf{A}_1^i$ is generated, it can be used to calculate $\textbf{A}_1^i$.
6.
Notice that this is actually an $\text {LPN}_{n,2m,p}$ sample.

References

Abe, M., Gennaro, R., Kurosawa, K.: Tag-KEM/DEM: A New Framework for Hybrid Encryption, Cryptology ePrint Archive, Report 2005/027 (2017). https://eprint.iacr.org/2005/027
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Chapter Google Scholar
Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35
Chapter Google Scholar
Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053428
Chapter Google Scholar
Benz, L., Beskorovajnov, W., Eilebrecht, S., Müller-Quade, J., Ottenhues, A., Schwerdt, R.: Sender-binding Key Encapsulation. In: Boldyreva, A., Kolesnikov, V. (eds.) PKC 2023, Part I. LNCS, vol. 13940, pp. 744–773. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-31368-4_26
Chapter Google Scholar
Bert, P., Eberhart, G., Prabel, L., Roux-Langlois, A., Sabt, M.: Implementation of lattice trapdoors on modules and applications. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021 2021. LNCS, vol. 12841, pp. 195–214. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_11
Chapter Google Scholar
Bert, P., Fouque, P.-A., Roux-Langlois, A., Sabt, M.: Practical implementation of ring-SIS/LWE based signature and IBE. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 271–291. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_13
Chapter Google Scholar
Beskorovajnov, W., Gröll, R., Müller-Quade, J., Ottenhues, A., Schwerdt, R.: A new security notion for PKC in the standard model: weaker, simpler, and still realizing secure channels. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022. LNCS, vol. 13178, pp. 316–344. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-030-97131-1_11
Chapter Google Scholar
Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127–144. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054122
Chapter Google Scholar
Boneh, D., Kim, S., Nikolaenko, V.: Lattice-based DAPS and generalizations: self-enforcement in signature schemes. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 457–477. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_23
Chapter Google Scholar
Boyen, X., Izabachène, M., Li, Q.: Secure hybrid encryption in the standard model from hard learning problems. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021 2021. LNCS, vol. 12841, pp. 399–418. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_21
Chapter Google Scholar
Purushothama, B.R., Amberker, B.: Secure group key management scheme based on dual receiver cryptosystem. In: AsiaPKC 2013, pp. 45-50. ACM Press (2013). https://doi.org/10.1145/2484389.2484399
Brakerski, Z., Vaikuntanathan, V.: Lattice-Inspired Broadcast Encryption and Succinct Ciphertext-Policy ABE, Cryptology ePrint Archive, Report 2020/191 (2020). https://eprint.iacr.org/2020/191
Brendel, J., Fiedler, R., Günther, F., Janson, C., Stebila, D.: Post-quantum asynchronous deniable key exchange and the signal handshake. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022, Part II. LNCS, vol. 13178, pp. 3–34. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97131-1_1
Chapter Google Scholar
Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally composable security with global setup. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 61–85. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_4
Chapter Google Scholar
Canetti, R., Feige, R., Goldreich, O., Naor, M.: Adaptively secure multi-party computation. In: 28th ACM STOC, pp. 639–648. ACM Press (1996). https://doi.org/10.1145/237814.238015
Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_33
Chapter Google Scholar
Chow, S.S.M., Franklin, M., Zhang, H.: Practical dual-receiver encryption. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 85–105. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_5
Chapter Google Scholar
Crescenzo, G.D., Ishai, Y., Ostrovsky, R.: Non-interactive and non-malleable commitment. In: 30th ACM STOC, pp. 141–150. ACM Press (1998). https://doi.org/10.1145/276698.276722
Damgård, I., Hofheinz, D., Kiltz, E., Thorbek, R.: Public-key encryption with non-interactive opening. In: Malkin, T. (ed.) CT-RSA 2008. LNCS, vol. 4964, pp. 239–255. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-79263-5_15
Chapter Google Scholar
Diament, T., Lee, H.K., Keromytis, A.D., Yung, M.: The efficient dual receiver cryptosystem and its applications. Int. J. Network Secur. 13(3), 135–151 (2011). https://doi.org/10.7916/D81R7100
Article Google Scholar
Diament, T., Lee, H.K., Keromytis, A.D., Yung, M.: The dual receiver cryptosystem and its applications. In: Atluri, V., Pfitzmann, B., McDaniel, P. (eds.) ACM CCS 2004, pp. 330–343. ACM Press (2004). https://doi.org/10.1145/1030083.1030128
Dodis, Y., Katz, J., Smith, A., Walfish, S.: Composability and on-line deniability of authentication. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 146–162. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_10
Chapter Google Scholar
Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theory 29(2), 198–208 (1983). https://doi.org/10.1109/TIT.1983.1056650
Article MathSciNet Google Scholar
Döttling, N.: Cryptography based on the Hardness of Decoding. Ph.D. thesis, Karlsruhe, Karlsruher Institut für Technologie (KIT), Diss., 2014 (2014)
Google Scholar
Dwork, C., Naor, M., Sahai, A.: Concurrent zero-knowledge. J. ACM 51(6), 851–898 (2004). https://doi.org/10.1145/1039488.1039489
Article MathSciNet Google Scholar
Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_40
Chapter Google Scholar
Fischlin, M.: Completely non-malleable schemes. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 779–790. Springer, Heidelberg (2005). https://doi.org/10.1007/11523468_63
Chapter Google Scholar
Ge, A., Wei, P.: Identity-based broadcast encryption with efficient revocation. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 405–435. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_14
Chapter Google Scholar
Gegier, K.: On Novel Constructions of Dual Receiver Key Encapsulation Mechanisms Based on Deterministic Encryption. M.A. thesis, Karlsruhe Institute of Technology (KIT) (2020)
Google Scholar
Herzog, J., Liskov, M., Micali, S.: Plaintext awareness via key registration. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 548–564. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_32
Chapter Google Scholar
Jinman, Z., Qin, C.: Hierarchical identity-based broadcast encryption scheme on lattices. In: 2011 Seventh International Conference on Computational Intelligence and Security, pp. 944–948. IEEE (2011). https://doi.org/10.1109/CIS.2011.212
Justesen, J.: Class of constructive asymptotically good algebraic codes. IEEE Trans. Inf. Theory 18(5), 652–656 (1972). https://doi.org/10.1109/TIT.1972.1054893
Article MathSciNet Google Scholar
Kiltz, E., Masny, D., Pietrzak, K.: Simple chosen-ciphertext security from low-noise LPN. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 1–18. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_1
Chapter Google Scholar
Libert, B., Paterson, K.G., Quaglia, E.A.: Anonymous broadcast encryption: adaptive security and efficient constructions in the standard model. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 206–224. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_13
Chapter Google Scholar
Liu, Y., Zhang, D., Deng, Y., Li, B.: (Identity-based) dual receiver encryption from lattice-based programmable hash functions with high min-entropy. Cybersecurity 2(1), 1–15 (2019). https://doi.org/10.1186/s42400-019-0034-y
Article Google Scholar
Liu, Y., Wang, L., Shen, X., Li, L.: New constructions of identity-based dual receiver encryption from lattices. Entropy 22(6) (2020). https://doi.org/10.3390/e22060599
Ma, F., Zhandry, M.: Encryptor Combiners: A Unified Approach to Multiparty NIKE, (H)IBE, and Broadcast Encryption, Cryptology ePrint Archive, Report 2017/152 (2017). https://eprint.iacr.org/2017/152
Mambo, M., Okamoto, E.: Proxy cryptosystems: delegation of the power to decrypt ciphertexts. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 80(1), 54–63 (1997)
Google Scholar
Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_48
Chapter Google Scholar
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Chapter Google Scholar
Müller, M.: On the Applicability of Dual-Receiver Encryption in a Post-Quantum World. M.A. thesis, Karlsruhe Institute of Technology (KIT) (2021)
Google Scholar
Noh, G., Hong, D., Kwon, J.O., Jeong, I.R.: A strong binding encryption scheme from lattices for secret broadcast. IEEE Commun. Lett. 16(6), 781–784 (2012). https://doi.org/10.1109/LCOMM.2012.041112.112495
Article Google Scholar
Patil, S.M., BR, P.: DR-PRE: dual receiver proxy re-encryption scheme. Inf. Secur. J. Global Perspective 29(2), 62–72 (2020). https://doi.org/10.1080/19393555.2020.1715515
Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 419–436. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_25
Chapter Google Scholar
Suzuki, K., Yoneyama, K.: Exposure-resilient one-round tripartite key exchange without random oracles. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 458–474. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38980-1_29
Chapter Google Scholar
Unger, N., Goldberg, I.: Improved strongly deniable authenticated key exchanges for secure messaging. PoPETs 2018(1), 21–66 (2018). https://doi.org/10.1515/popets-2018-0003
Article Google Scholar
Wang, J., Bi, J.: Lattice-Based Identity-Based Broadcast Encryption, IACR ePrint Archive, Report 2010/288 (2010). https://eprint.iacr.org/2010/288
Wong, C.K., Gouda, M., Lam, S.S.: Secure group communications using key graphs. IEEE/ACM Trans. Networking 8(1), 16–30 (2000). https://doi.org/10.1109/90.836475
Article Google Scholar
Yamada, S.: Adaptively secure identity-based encryption from lattices with asymptotically shorter public parameters. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 32–62. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_2
Chapter Google Scholar
Yang, C., Zheng, S., Wang, L., Lu, X., Yang, Y.: Hierarchical identity-based broadcast encryption scheme from LWE. J. Commun. Networks 16(3), 258–263 (2014). https://doi.org/10.1109/JCN.2014.000045
Article Google Scholar
Yang, G., Tan, C.H., Huang, Q., Wong, D.S.: Probabilistic public key encryption with equality test. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 119–131. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5_9
Chapter Google Scholar
Zhang, D., Zhang, K., Li, B., Lu, X., Xue, H., Li, J.: Lattice-based dual receiver encryption and more. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 520–538. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_30
Chapter Google Scholar
Zhang, J., Yu, Y., Fan, S., Zhang, Z.: Improved lattice-based CCA2-secure PKE in the standard model. Sci. Chin. Inf. Sci. 63(182101), 1–22 (2020). https://doi.org/10.1007/s11432-019-9861-3
Article MathSciNet Google Scholar

Download references

Acknowledgements

We thank the PKC 2024 anonymous reviewers for their valuable feedback. The work presented in this paper has been supported by Helmholtz Information, Program “Engineering Digital Futures”, Topic “Engineering secure Systems”.

Author information

Authors and Affiliations

FZI Research Center for Information Technology, Karlsruhe, Germany
Wasilij Beskorovajnov, Sarai Eilebrecht, Roland Gröll & Maximilian Müller
Karlsruhe Institute of Technology, Karlsruhe, Germany
Laurin Benz & Jörn Müller-Quade
KASTEL Security Research Labs, Karlsruhe, Germany
Laurin Benz & Jörn Müller-Quade

Authors

Laurin Benz
View author publications
You can also search for this author in PubMed Google Scholar
Wasilij Beskorovajnov
View author publications
You can also search for this author in PubMed Google Scholar
Sarai Eilebrecht
View author publications
You can also search for this author in PubMed Google Scholar
Roland Gröll
View author publications
You can also search for this author in PubMed Google Scholar
Maximilian Müller
View author publications
You can also search for this author in PubMed Google Scholar
Jörn Müller-Quade
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Laurin Benz .

Editor information

Editors and Affiliations

The University of Sydney, Sydney, NSW, Australia
Qiang Tang
The Australian National University, Acton, ACT, Australia
Vanessa Teague

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Benz, L., Beskorovajnov, W., Eilebrecht, S., Gröll, R., Müller, M., Müller-Quade, J. (2024). Chosen-Ciphertext Secure Dual-Receiver Encryption in the Standard Model Based on Post-quantum Assumptions. In: Tang, Q., Teague, V. (eds) Public-Key Cryptography – PKC 2024. PKC 2024. Lecture Notes in Computer Science, vol 14604. Springer, Cham. https://doi.org/10.1007/978-3-031-57728-4_9

Download citation

DOI: https://doi.org/10.1007/978-3-031-57728-4_9
Published: 14 April 2024
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57727-7
Online ISBN: 978-3-031-57728-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Chosen-Ciphertext Secure Dual-Receiver Encryption in the Standard Model Based on Post-quantum Assumptions

Abstract

Keywords

1 Introduction

2 Preliminaries

2.1 Definitions

Definition 1

Definition 2

Definition 3

Definition 4

Definition 5

Definition 6

Definition 7

Definition 8

Definition 9

2.2 Assumptions and Lemmas

Definition 10

Definition 11

Definition 12

Definition 13

Lemma 1

Lemma 2

Lemma 3

Proof

3 Applications of Dual-Receiver Encryption

3.1 Applications of CCA2 Secure DRE with Soundness

3.2 Applications of DRE with Public Verifiability

3.3 Applications of CPA secure DRE and the CRS Model

3.4 Non-generic Applications

4 Related Work on Post-quantum DRE Constructions

4.1 IND-CCA2 Secure DRE Schemes Without Soundness

4.2 Identity-Based DRE Schemes Without Soundness

5 \(\text {IND-CCA2}_\text {DRE}\) Secure and Sound Hybrid DRE

5.1 NLWE-Based Construction

Theorem 1

Theorem 2

Proof

Theorem 3

Proof

5.2 Code-Based Construction of a Sound and \(\text {IND-CCA2}_\text {DRE}\) Secure DRE

Theorem 4

Proof

Theorem 5

Proof

Theorem 6

Proof

6 Discussion

7 Conclusion

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation