Abstract
In STOC’08, Peikert and Waters presented a black-box construction of a CCA-secure public key encryption (PKE) scheme from lossy trapdoor functions (LTDFs) [20], and they remarked in the paper that their construction is a hybrid of Naor-Yung [18] and Canetti-Halevi-Katz [5], since the twin encryption technique and a strongly unforgeable one-time signature are used simultaneously. It is well known that a one-time signature brings either large ciphertext overhead, if built from general assumptions such as one-way functions, or additional computation cost during key generation and signing, if built from number-theoretic assumptions.
In this paper, we demonstrate that one can actually remove the one-time signature from the PW-scheme, and the resulting KEM can still be proved CCA-secure. However, the resulting KEM is not good enough as it stands: with the known parameter choices of [20], one obtains a session key whose length is only sub-linear in the security parameter, and thus not a suitable key for subsequent cryptographic tasks. We then go further into the analysis and manage to instantiate our KEM under standard assumptions to obtain a valid key.
This research is supported by the National Natural Science Foundation of China (Grant No. 60970139) and the Strategic Priority Program of Chinese Academy of Sciences (Grant No. XDA06010702).
References
Abe, M., Cui, Y., Imai, H., Kiltz, E.: Efficient hybrid encryption from ID-based encryption. Des. Codes Crypt. 54(3), 205–240 (2010)
Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)
Boneh, D., Katz, J.: Improved efficiency for CCA-secure cryptosystems built using identity-based encryption. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 87–103. Springer, Heidelberg (2005)
Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identity-based techniques. In: ACM CCS 2005, pp. 320–329. ACM, New York (2005)
Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004)
Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002)
Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 523–540. Springer, Heidelberg (2004)
Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)
Even, S., Goldreich, O., Micali, S.: On-line/Off-line digital signatures. J. Cryptology 9(1), 35–67 (1996)
Freeman, D.M., Goldreich, O., Kiltz, E., Rosen, A., Segev, G.: More constructions of lossy and correlation-secure trapdoor functions. J. Cryptology 26(1), 39–74 (2013)
Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
Hemenway, B., Ostrovsky, R.: On homomorphic encryption and chosen-ciphertext security. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 52–65. Springer, Heidelberg (2012)
Hemenway, B., Ostrovsky, R.: Lossy trapdoor functions from smooth homomorphic hash proof systems. In: ECCC, vol. 16(127) (2009)
Kiltz, E., Mohassel, P., O’Neill, A.: Adaptive trapdoor functions and chosen-ciphertext security. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 673–692. Springer, Heidelberg (2010)
Lai, J., Deng, R.H., Liu, S.: Chameleon all-but-one TDFs and their application to chosen-ciphertext security. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 228–245. Springer, Heidelberg (2011)
Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC 1990, pp. 427–437. ACM, New York (1990)
Phan, D.H., Pointcheval, D.: About the security of ciphers (semantic security and pseudo-random permutations). In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 182–197. Springer, Heidelberg (2004)
Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: STOC 2008, pp. 187–196. ACM, New York (2008)
Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. Full version of [20]. http://www.cc.gatech.edu/~cpeikert/pubs/lossy_tdf.pdf
Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)
Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 419–436. Springer, Heidelberg (2009)
Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: FOCS 1999, pp. 543–553. IEEE Computer Society Press, Los Alamitos (1999)
Shoup, V.: A proposal for an ISO standard for public key encryption (2001). http://eprint.iacr.org/2001/112
Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive: Report 2004/332 (2004)
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
Xue, H., Li, B., Lu, X., Jia, D., Liu, Y.: Efficient lossy trapdoor functions based on subgroup membership assumptions. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 235–250. Springer, Heidelberg (2013)
Zhang, R.: Tweaking TBE/IBE to PKE transforms with chameleon hash functions. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 323–339. Springer, Heidelberg (2007)
Zhang, J., Xie, X., Zhang, R., Zhang, Z.: A generic construction from selective-IBE to public-key encryption with non-interactive opening. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 195–209. Springer, Heidelberg (2012)
Acknowledgements
We thank Jingyong Chang for discussion about the details of the works. We are also grateful to the anonymous reviewers for their helpful comments and suggestions.
Appendices
A The PW-Scheme
Let \((Gen,Sign,Ver)\) be a strongly unforgeable one-time signature scheme whose public verification keys are in \(\{0,1\}^v\). Let \((S_{inj},S_{lossy},F,F^{-1})\) give a collection of \((n,k)\)-lossy trapdoor functions, and let \((S_{abo},G_{abo},G^{-1}_{abo})\) give a collection of \((n,k')\)-ABO lossy trapdoor functions with branch set \(B=\{0,1\}^v\). We require that \((n-k)+(n-k')\le n-\kappa ,\) for some \(\kappa =\kappa (n)=\omega (\log n)\). Let \(\mathcal H\) be a universal family of hash functions from \(\{0,1\}^n\) to \(\{0,1\}^\ell \), where \(0<\ell \le \kappa -2\log (1/\epsilon )\) for some negligible \(\epsilon =\mathrm{negl}(\lambda )\). The message space is \(\{0,1\}^\ell .\) The CCA-secure scheme \((\mathcal G,\mathcal E,\mathcal D)\) is as follows.
- \(\mathcal G\): takes as input \(1^{\lambda }\). Run \((s,t)\leftarrow S_{inj}(1^{\lambda })\) and \((s',t')\leftarrow S_{abo}(1^{\lambda },0^v)\). Choose \(h\xleftarrow {R}\mathcal H\). Finally, output the public key \(pk=(s,s',h)\) and secret key \(sk=(t,t',pk)\).
- \(\mathcal E\): takes as input \(1^{\lambda }\), \(pk\) and \(m\in \{0,1\}^\ell \). It generates a one-time signature key pair \((vk,sk_{\sigma })\leftarrow Gen\), then chooses \(x\xleftarrow {R}\{0,1\}^n\) and computes
  $$c_1=F(s,x),\ c_2=G_{abo}(s',vk,x),\ c_3=m\oplus h(x).$$
  Finally, it signs the tuple \((c_1,c_2,c_3)\) using \(sk_{\sigma }\) as \(\sigma =Sign(sk_{\sigma },(c_1,c_2,c_3)).\) The ciphertext is
  $$c=(vk,c_1,c_2,c_3,\sigma ).$$
- \(\mathcal D\): takes as input \(1^{\lambda }\), \(sk=(t,t',pk)\) and a ciphertext \(c=(vk,c_1,c_2,c_3,\sigma )\). It first checks whether \(Ver(vk,(c_1,c_2,c_3),\sigma )=1\); if not, it outputs \(\bot \). It then computes \(x=F^{-1}(t,c_1)\) and checks that \(c_1=F(s,x)\) and \(c_2=G_{abo}(s',vk,x)\); if not, it outputs \(\bot \). Finally, it outputs \(m=c_3\oplus h(x)\).
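A toy run of the scheme above, added here as an example and not the paper's or the authors' code: the LTDF and ABO collections are the DDH-style matrix encryptions of \(d\cdot I\) from Peikert and Waters [20] in a tiny group (\(p=1019\), \(q=509\)), the one-time signature is a 32-bit Lamport scheme, \(h\) is a random GF(2) linear map (a universal family), and \(vk\) is mapped to an ABO branch in \(\mathbb Z_q\) by hashing, since branches here are exponents rather than the paper's \(\{0,1\}^v\). All sizes are constructed for illustration only and are far from secure parameters.

```python
"""Toy instantiation of the PW-scheme in Appendix A (added example, not the authors' code).
LTDF/ABO = DDH-style matrix encryptions of d*I from [20] in a tiny group (p=1019, q=509);
OTS = 32-bit Lamport; h = random GF(2) linear map (a universal family). Toy sizes, NOT secure."""
import hashlib, secrets
from math import prod
P, Q, G, N, ELL, SIGBITS = 1019, 509, 4, 12, 4, 32   # g=4 has prime order q=509 modulo p
def Hsh(b): return hashlib.sha256(b).digest()
def mat_gen(d):  # trapdoor s; public table encrypts d*I as (g^r_i, g^{r_i*s_j + d*[i==j]})
    s, r = ([secrets.randbelow(Q - 1) + 1 for _ in range(N)] for _ in range(2))
    tab = [[pow(G, (r[i] * s[j] + (d if i == j else 0)) % Q, P) for j in range(N)] for i in range(N)]
    return ([pow(G, ri, P) for ri in r], tab), s
def mat_eval(pub, x, add=0):  # homomorphic x*(M + add*I) -> (A, [B_j]); add is the ABO branch
    a, tab = pub
    A = prod(a[i] for i in range(N) if x[i]) % P
    return A, [prod(tab[i][j] for i in range(N) if x[i]) * pow(G, add * x[j], P) % P for j in range(N)]
def mat_invert(s, y):  # injective mode (d=1): B_j * A^{-s_j} = g^{x_j}; None marks a point outside the image
    A, B = y
    v = [B[j] * pow(A, Q - s[j], P) % P for j in range(N)]
    return [0 if vj == 1 else 1 if vj == G else None for vj in v]
def ots_gen():  # Lamport one-time signature on SIGBITS bits of SHA-256(msg); use each key once
    sk = [[secrets.token_bytes(16), secrets.token_bytes(16)] for _ in range(SIGBITS)]
    return [[Hsh(k0), Hsh(k1)] for k0, k1 in sk], sk
def ots_bits(msg): return int.from_bytes(Hsh(msg)[:SIGBITS // 8], 'big')
def ots_sign(sk, msg): return [sk[i][(ots_bits(msg) >> i) & 1] for i in range(SIGBITS)]
def ots_ver(vk, msg, sig): return all(Hsh(sig[i]) == vk[i][(ots_bits(msg) >> i) & 1] for i in range(SIGBITS))
def branch(vk): return int.from_bytes(Hsh(b''.join(sum(vk, []))), 'big') % Q  # vk -> ABO branch (assumed map)
def uh(h, x): return sum((sum(r[i] & x[i] for i in range(N)) % 2) << k for k, r in enumerate(h))  # h(x)
def ser(*parts): return repr(parts).encode()  # canonical bytes of (c1, c2, c3) for signing
def keygen():  # G: injective LTDF, ABO with lossy branch 0, random h; sk keeps both trapdoors
    s_pub, t = mat_gen(1)
    s2_pub, t2 = mat_gen(0)
    pk = (s_pub, s2_pub, [[secrets.randbelow(2) for _ in range(N)] for _ in range(ELL)])
    return pk, (t, t2, pk)

def encrypt(pk, m):  # E: fresh OTS key, c1 = F(s,x), c2 = G_abo(s',vk,x), c3 = m xor h(x), then sign
    s_pub, s2_pub, h = pk
    vk, sk_sig = ots_gen()
    x = [secrets.randbelow(2) for _ in range(N)]
    c1, c2 = mat_eval(s_pub, x), mat_eval(s2_pub, x, branch(vk))
    c3 = m ^ uh(h, x)
    return vk, c1, c2, c3, ots_sign(sk_sig, ser(c1, c2, c3))

def decrypt(sk, c):  # D: verify the signature, invert c1 with t, then the twin consistency check
    t, t2, (s_pub, s2_pub, h) = sk   # t2 is unused by D, as in the paper
    vk, c1, c2, c3, sig = c
    if not ots_ver(vk, ser(c1, c2, c3), sig): return None   # bot
    x = mat_invert(t, c1)
    if None in x or mat_eval(s_pub, x) != c1 or mat_eval(s2_pub, x, branch(vk)) != c2: return None
    return c3 ^ uh(h, x)
```

Because \(n=12>\log_2 q\) here, the lossy mode genuinely compresses the 4096 inputs into at most 509 outputs, while the injective mode and every non-lossy ABO branch remain invertible; decryption rejects both a modified ciphertext (signature check) and a ciphertext whose \(c_2\) was computed from a different \(x\) (twin check).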
B The LDL-Scheme
Let \((S_{inj},S_{lossy},F,F^{-1})\) be a collection of \((n,k)\)-lossy trapdoor functions, and let \((S_{ch},F_{ch},F^{-1}_{ch},CLB_{ch})\) be a collection of \((n,k')\)-chameleon ABO lossy trapdoor functions having branches \(\mathbb A\times \mathbb B:=\{A_{\lambda }\times B_{\lambda }\}_{\lambda \in \mathbb N}\). Let \(\mathcal H\) be a universal family of hash functions from \(\{0,1\}^n\) to \(\{0,1\}^\ell \). We also require that \((n-k)+(n-k')\le n-\kappa ,\) for some \(\kappa =\kappa (n)=\omega (\log n)\), and \(0<\ell \le \kappa -2\log (1/\epsilon )\) for some negligible \(\epsilon =\mathrm{negl}(\lambda )\). The message space is \(\{0,1\}^\ell .\) The CCA-secure scheme \((\mathcal G',\mathcal E',\mathcal D')\) is as follows.
- \(\mathcal G'\): takes as input \(1^{\lambda }\). Run \((s,t)\leftarrow S_{inj}(1^{\lambda })\) and \((s',t')\leftarrow S_{ch}(1^{\lambda })\). Choose \(h\xleftarrow {R}\mathcal H\) and a collision-resistant hash function \(H:\{0,1\}^*\rightarrow A_{\lambda }\). Finally, output the public key \(pk=(s,s',h,H)\) and secret key \(sk=(t,t',pk)\).
- \(\mathcal E'\): takes as input \(1^{\lambda }\), \(pk\) and \(m\in \{0,1\}^\ell \). It chooses \(x\xleftarrow {R}\{0,1\}^n\) and \(r\xleftarrow {R} B_{\lambda }\), then computes
  $$c_0=h(x)\oplus m,\ c_1=F(s,x),\ c_2=F_{ch}(s',u,r,x),$$
  where \(u=H(c_0,c_1)\). Finally, it outputs the ciphertext \(c=(c_0,c_1,c_2,r)\).
- \(\mathcal D'\): takes as input \(1^{\lambda }\), \(sk\) and a ciphertext \(c=(c_0,c_1,c_2,r)\). It computes \(x=F^{-1}(t,c_1)\) and \(u=H(c_0,c_1)\), then checks whether \(c_1=F(s,x)\) and \(c_2=F_{ch}(s',u,r,x)\); if not, it outputs \(\bot \). Finally, it outputs \(m=c_0\oplus h(x)\).
© 2015 Springer International Publishing Switzerland
Liang, B., Zhang, R., Li, H. (2015). Simpler CCA-Secure Public Key Encryption from Lossy Trapdoor Functions. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science, vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_11
DOI: https://doi.org/10.1007/978-3-319-16745-9_11
Print ISBN: 978-3-319-16744-2
Online ISBN: 978-3-319-16745-9