Efficient Key Dependent Message Security Amplification Against Chosen Ciphertext Attacks

  • Conference paper
Information Security and Cryptology - ICISC 2014 (ICISC 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8949)

Abstract

Applebaum (EUROCRYPT 2011) showed how to convert a public key encryption (PKE) scheme which is key dependent message (KDM) secure with respect to projection functions (also called projection-KDM secure) into a scheme which is KDM secure with respect to functions computable by polynomially bounded-size circuits (also called bounded-KDM secure). This result holds in both the chosen plaintext attack (CPA) setting and the chosen ciphertext attack (CCA) setting. Bellare et al. (CCS 2012) later showed another conversion from a projection-KDM secure scheme to a bounded-KDM secure one, which is more efficient than Applebaum’s but works only in the CPA setting. In this work, we show an efficient conversion from a projection-KDM-CCA secure PKE scheme to a bounded-KDM-CCA secure PKE scheme. To see that our conversion leads to more efficient bounded-KDM-CCA secure schemes than Applebaum’s, we show that by combining our result with several known results, we obtain the currently most efficient bounded-KDM-CCA secure PKE scheme based on the symmetric external Diffie-Hellman (SXDH) assumption.

Notes

  1. See [8, 9] for a concrete method for constructing \(\mathrm{ID}\).

  2. It is not known if the KDM amplification method by Barak et al. [7] can be used in the KDM-CCA setting, and thus we do not consider their amplification here.

References

  1. Abadi, M., Rogaway, P.: Reconciling two views of cryptography (the computational soundness of formal encryption). J. Cryptol. 20(3), 395 (2007)

  2. Adão, P., Bana, G., Herzog, J., Scedrov, A.: Soundness and completeness of formal encryption: the cases of key cycles and partial information leakage. J. Comput. Secur. 17(5), 737–797 (2009)

  3. Applebaum, B.: Key-dependent message security: generic amplification and completeness. J. Cryptol. 27(3), 429–451 (2014)

  4. Applebaum, B.: Key-dependent message security: generic amplification and completeness. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 527–546. Springer, Heidelberg (2011)

  5. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009)

  6. Applebaum, B., Ishai, Y., Kushilevitz, E.: Computationally private randomizing polynomials and their applications. In: CCC 2005, pp. 260–274. IEEE Computer Society (2005)

  7. Barak, B., Haitner, I., Hofheinz, D., Ishai, Y.: Bounded key-dependent message security. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 423–444. Springer, Heidelberg (2010)

  8. Bellare, M., Hoang, V., Rogaway, P.: Foundations of garbled circuits. In: CCS 2012, pp. 784–796. ACM (2012)

  9. Bellare, M., Hoang, V., Rogaway, P.: Foundations of garbled circuits. IACR Cryptol. ePrint Arch. 2012, 265 (2012)

  10. Black, J., Rogaway, P., Shrimpton, T.: Encryption-scheme security in the presence of key-dependent messages. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 62–75. Springer, Heidelberg (2003)

  11. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)

  12. Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision Diffie-Hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008)

  13. Brakerski, Z., Goldwasser, S.: Circular and leakage resilient public-key encryption under subgroup indistinguishability. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 1–20. Springer, Heidelberg (2010)

  14. Brakerski, Z., Goldwasser, S., Kalai, Y.T.: Black-box circular-secure encryption beyond affine functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 201–218. Springer, Heidelberg (2011)

  15. Camenisch, J., Chandran, N., Shoup, V.: A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. IACR Cryptol. ePrint Arch. 2008, 375 (2008)

  16. Camenisch, J., Chandran, N., Shoup, V.: A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 351–368. Springer, Heidelberg (2009)

  17. Camenisch, J.L., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)

  18. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)

  19. Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)

  20. Hofheinz, D.: Circular chosen-ciphertext security with compact ciphertexts. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 520–536. Springer, Heidelberg (2013)

  21. Malkin, T., Teranishi, I., Yung, M.: Efficient circuit-size independent public key encryption with KDM security. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 507–526. Springer, Heidelberg (2011)

  22. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: STOC 1989, pp. 33–43. ACM (1989)

  23. Valiant, L.: Universal circuits (preliminary report). In: STOC 1976, pp. 196–203. ACM (1976)

  24. Yao, A.: How to generate and exchange secrets (extended abstract). In: FOCS 1986, pp. 162–167. IEEE Computer Society (1986)

Author information

Correspondence to Fuyuki Kitagawa.

A How to Obtain a Projection-KDM-CCA Secure Scheme

In Sect. 4, we consider a projection-KDM-CCA secure scheme obtained from [12, 16] as the underlying scheme to which our KDM amplification method and that of Applebaum are applied. Here, we explain in more detail how this scheme is obtained.

Recall that the BHHO scheme [12] is shown to be affine-KDM-CPA secure based on the decisional Diffie-Hellman (DDH) assumption. Let us write \(\mathbb {G}\) to denote its underlying prime order group. We assume that \(\log |\mathbb {G}| = O(\lambda )\), i.e. that an element of \(\mathbb {G}\) has size \(O(\lambda )\) bits, where \(\lambda \) is a security parameter. Then, the plaintext space of this scheme is \(\mathbb {G}\), and the secret key is a bit string of length \(p = 3 \log |\mathbb {G}| = O(\lambda )\). Moreover, since a ciphertext of the scheme consists of \((p+1)\) elements of \(\mathbb {G}\), its size (for encrypting one element of \(\mathbb {G}\)) is \((p + 1) \cdot O(\lambda ) = O(\lambda ^2)\) bits.

Applebaum [3] showed how to obtain a projection-KDM-CPA secure scheme from the BHHO scheme. To the best of our knowledge, Applebaum’s method requires each bit of the secret key to be “encoded” as an element of \(\mathbb {G}\). Furthermore, the BHHO scheme by itself encrypts a single group element, so with this encoding of the secret key we only obtain a “single-bit output” projection-KDM-CPA secure scheme. Fortunately, Applebaum also showed how to construct an “\(n\)-bit output” projection-KDM-CPA secure scheme (with \(n\)-bit plaintext space) from a single-bit output projection-KDM-CPA secure scheme by simply encrypting each bit of a plaintext separately and concatenating the resulting ciphertexts. Thus, in summary, from the BHHO scheme one can obtain a projection-KDM-CPA secure scheme with \(n\)-bit plaintext space whose ciphertext size is \(O(n \lambda ^2)\) bits.

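The construction sketched in the two paragraphs above, as an added worked example that is not code from the paper: a toy BHHO-style scheme over a small prime-order group, the encoding of a bit \(b\) as the group element \(g^b\), the bit-by-bit \(n\)-bit extension, and a projection-KDM challenge query that encrypts selected (possibly negated) bits of the secret key. The group parameters (order \(Q = 1019\), modulus \(P = 2Q+1\), generator \(G = 4\)) and every function name are constructed for illustration; the parameters are far too small for DDH to be hard, so the block shows the structure and the ciphertext-size accounting, not a secure instantiation.

```python
"""Toy BHHO-style scheme and its bit-encoded projection-KDM use (constructed example)."""
import secrets

# Constructed toy group: the order-Q subgroup (quadratic residues) of Z_P^*, P = 2Q + 1.
Q = 1019                   # prime group order (toy size, no security)
P = 2 * Q + 1              # 2039, also prime
G = 4                      # quadratic residue != 1, hence a generator of the order-Q subgroup
ELL = 3 * Q.bit_length()   # secret-key length p = 3 log|G| bits, as in the text


def keygen():
    """sk is an ELL-bit string s; pk is (g_1..g_ELL, h) with h = (prod g_i^{s_i})^-1."""
    s = [secrets.randbelow(2) for _ in range(ELL)]
    gs = [pow(G, 1 + secrets.randbelow(Q - 1), P) for _ in range(ELL)]
    prod = 1
    for gi, si in zip(gs, s):
        if si:
            prod = prod * gi % P
    h = pow(prod, -1, P)
    return (gs, h), s


def encrypt(pk, m):
    """BHHO encryption of one group element m: (g_1^r, ..., g_ELL^r, h^r * m), p + 1 elements."""
    gs, h = pk
    r = secrets.randbelow(Q)
    return [pow(gi, r, P) for gi in gs] + [pow(h, r, P) * m % P]


def decrypt(sk, ct):
    """m = c_{ELL+1} * prod_i c_i^{s_i}; the h^r factor cancels against prod g_i^{r s_i}."""
    m = ct[ELL]
    for ci, si in zip(ct[:ELL], sk):
        if si:
            m = m * ci % P
    return m


def encode_bit(b):
    """The encoding the text refers to: a bit b becomes the group element g^b."""
    return pow(G, b, P)


def decode_bit(m):
    if m == 1:
        return 0
    if m == G:
        return 1
    raise ValueError("plaintext is not an encoded bit")


def encrypt_bits(pk, bits):
    """n-bit scheme: encrypt each bit separately and concatenate the ciphertexts."""
    out = []
    for b in bits:
        out.extend(encrypt(pk, encode_bit(b)))
    return out


def decrypt_bits(sk, ct):
    """Split the concatenation back into blocks of p + 1 elements and decode each bit."""
    n = len(ct) // (ELL + 1)
    return [decode_bit(decrypt(sk, ct[i * (ELL + 1):(i + 1) * (ELL + 1)])) for i in range(n)]


def encrypt_projection(pk, sk, indices, negate):
    """Projection-KDM query: encrypt f(sk) where output bit k is sk[indices[k]] or its negation.
    The encryption algorithm is unchanged; only the plaintext depends on the key."""
    bits = [sk[j] ^ int(neg) for j, neg in zip(indices, negate)]
    return encrypt_bits(pk, bits)


def ciphertext_group_elements(n):
    """Group elements in an n-bit ciphertext: n * (p + 1), i.e. O(n * lambda^2) bits."""
    return n * (ELL + 1)


if __name__ == "__main__":
    pk, sk = keygen()
    ct = encrypt_projection(pk, sk, [0, 5, 17], [False, True, False])
    print(decrypt_bits(sk, ct) == [sk[0], 1 - sk[5], sk[17]], ciphertext_group_elements(3))
```

With \(Q = 1019\) the key has \(p = 30\) bits and each encrypted bit costs 31 group elements, which is the \((p+1)\) count of the text; the \(O(n\lambda^2)\) bit estimate follows because \(p = O(\lambda)\) and each element is \(O(\lambda)\) bits. The KDM query is just ordinary encryption of key bits: what makes it interesting is that the security proof must hold even though the plaintext is a function of the key, which is exactly what the projection-KDM notion asks for.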
Camenisch, Chandran, and Shoup [15, 16] showed how to enhance a KDM-CPA secure scheme into a KDM-CCA secure scheme using NIZK proofs. More precisely, they showed two approaches. The first approach obtains a KDM-CCA secure scheme from a KDM-CPA secure scheme, a (non-KDM-)CCA secure scheme, a one-time signature scheme, and NIZK proofs (satisfying soundness and zero-knowledge). The second approach obtains a KDM-CCA secure scheme from a KDM-CPA secure scheme, a (non-KDM-)CPA secure scheme, and simulation-sound NIZK proofs (also satisfying soundness and zero-knowledge).

We consider the KDM-CCA secure scheme obtained from the second approach. This is because in the first approach we have to use a (non-KDM-)CCA secure scheme that has the same plaintext space as the above mentioned BHHO-based projection-KDM-CPA secure scheme (i.e. \(\mathbb {G}^n\) for \(n\)-bit plaintexts). However, it is not so easy to obtain a CCA secure scheme (that is compatible with the BHHO-based projection-KDM-CPA secure scheme) whose plaintext space can be chosen flexibly, independently of its public keys. (For example, the Cramer-Shoup scheme [18] has the disadvantage that its plaintext space is fixed once a public/secret key pair is generated.)

Fortunately, [15] showed how to convert the Groth-Sahai proof [19] so that it supports simulation soundness. More specifically, [15] showed how to build the simulation-sound version from a (non-simulation-sound) Groth-Sahai proof, a (non-KDM-)CCA secure PKE scheme, and a one-time signature scheme. Although this conversion also requires a (non-KDM-)CCA secure scheme, that scheme only needs to encrypt one group element. Therefore, it does not need to support a large plaintext space, and thus we can use the Cramer-Shoup scheme. According to [15], assuming the SXDH assumption in asymmetric bilinear groups, and assuming that the one-time signature scheme shown in [15] under the SXDH assumption is used, if we want to prove membership in a “linear subspace” language described by a system of \(x\) linear equations in \(y\) variables using the simulation-sound version of the Groth-Sahai proof, then the proof size becomes \(O(x + y) \cdot O(\lambda ) = O((x+y)\lambda )\).

Now, we can construct a projection-KDM-CCA secure scheme that encrypts \(n\)-bit plaintexts via the second method in [15] as follows: a plaintext is encrypted twice, once by the KDM-CPA secure scheme and once by a (non-KDM-)CPA secure scheme (we use the ElGamal scheme), and a “simulation-sound” Groth-Sahai NIZK proof is attached that proves that the two ciphertexts encrypt the same plaintext. Note that the ciphertext size of the projection-KDM-CPA secure scheme is \(O(n \lambda ^2)\) bits, and the ElGamal scheme (for encrypting \(n\) group elements) has ciphertext size \(O(n \lambda )\) bits. Furthermore, the equality of the plaintext encrypted by the \(n\)-bit version of the BHHO-based projection-KDM-CPA scheme and the plaintext encrypted by the ElGamal scheme can be checked by \(O(n \lambda )\) linear equations in \(O(n)\) variables (the encryption randomness of the two schemes), and thus the proof size is \(O(n \lambda ^2)\) bits. Therefore, in total, the resulting projection-KDM-CCA secure scheme for \(n\)-bit plaintexts, which is based on the SXDH assumption, has ciphertext size \(O(n \lambda ^2)\) bits.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Kitagawa, F., Matsuda, T., Hanaoka, G., Tanaka, K. (2015). Efficient Key Dependent Message Security Amplification Against Chosen Ciphertext Attacks. In: Lee, J., Kim, J. (eds) Information Security and Cryptology - ICISC 2014. ICISC 2014. Lecture Notes in Computer Science, vol 8949. Springer, Cham. https://doi.org/10.1007/978-3-319-15943-0_6

  • DOI: https://doi.org/10.1007/978-3-319-15943-0_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-15942-3

  • Online ISBN: 978-3-319-15943-0
