Simpler CCA-Secure Public Key Encryption from Lossy Trapdoor Functions

Abstract

In STOC’08, Peikert and Waters presented a black-box construction of CCA-secure public key encryption (PKE) scheme from lossy trapdoor functions (LTDFs) [20], and they mentioned in the paper that their construction is a hybrid of Naor-Yung [18] and Canetti-Halevi-Katz [5], since the twin encryption technique and a strongly one-time signature are simultaneously used. It is well-known that a one-time signature brings either large ciphertext overhead if built from general assumptions like one-way functions, or additional computation cost during key generation/signing if built from number theoretic assumptions.

In this paper, we demonstrate that one can actually remove the one-time signature from the PW-scheme, and the resulting KEM can also be proved CCA-secure. However, the resulting KEM is not good enough, in particular, applying the known parameters choices of [20], one obtains a session key with length only sub-linear to the security parameter, thus not a suitable key for subsequent cryptographic tasks. We then to further into the analysis and manage to instantiate our KEM with standard assumptions to obtain a valid key.

This research is supported by the National Natural Science Foundation of China (Grant No. 60970139) and the Strategic Priority Program of Chinese Academy of Sciences (Grant No. XDA06010702).

Appendices

A The PW-Scheme

Let \((Gen,Sign,Ver)\) be a strongly unforgeable one-time signature scheme where the public verification keys are in \(\{0,1\}^v\). Let \((S_{inj},S_{lossy},F,F^{-1})\) give a collection of \((n,k)\)-lossy trapdoor functions, and let \((S_{abo},G_{abo},G^{-1}_{abo})\) give a collection of \((n,k')\)-ABO lossy trapdoor functions having branches set \(B=\{0,1\}^v\). We require that \((n-k)+(n-k')\le n-\kappa ,\) for some \(\kappa =\kappa (n)=\omega (\log n)\). Let \(\mathcal H\) be a universal family of hash functions from \(\{0,1\}^n\) to \(\{0,1\}^\ell \), where \(0<\ell \le \kappa -2\log (1/\epsilon )\) for some negligible \(\epsilon =\mathrm{negl}(\lambda )\). The message space is \(\{0,1\}^\ell .\) The CCA-secure scheme \((\mathcal G,\mathcal E,\mathcal D)\) is as follows.

• \(\mathcal G\): takes as input \(1^{\lambda }\). Run \((s,t)\leftarrow S_{inj}(1^{\lambda })\) and \((s',t')\leftarrow S_{abo}(1^{\lambda },0^v)\). Choose \(h\xleftarrow {R}\mathcal H\). Finally, output the public key \(pk=(s,s',h)\) and secret key \(sk=(t,t',pk)\).

• \(\mathcal E\): takes as input \(1^{\lambda }\), \(pk\) and \(m\in \{0,1\}^\ell \). It generates one-time signature key pair \((vk,sk_{\sigma })\leftarrow Gen\), then choose \(x\xleftarrow {R}\{0,1\}^n\) and compute

  $$c_1=F(s,x),\ c_2=G_{abo}(s',vk,x),\ c_3=m\oplus h(x).$$

  Finally, it signs the tuple \((c_1,c_2,c_3)\) using \(sk_{\sigma }\) as \(\sigma =Sign(sk_{\sigma },(c_1,c_2,c_3)).\) The ciphertext is

  $$c=(vk,c_1,c_2,c_3,\sigma ).$$

• \(\mathcal D\): takes as input \(1^{\lambda }\), \(sk=(t,t',pk)\) and a ciphertext \(c=(vk,c_1,c_2,c_3,\sigma )\). It first checks that whether \(Ver(vk,(c_1,c_2,c_3),\sigma )=1;\) if not, it outputs \(\bot \). It then computes \(x=F^{-1}(t,c_1)\), and checks that \(c_1=F(s,x)\) and \(c_2=G_{abo}(s',vk,x)\); if not, it outputs \(\bot .\) Finally, it outputs \(m=c_3\oplus h(x)\).

B The LDL-Scheme

Let \((S_{inj},S_{lossy},F,F^{-1})\) be a collection of \((n,k)\)-lossy trapdoor functions, and let \((S_{ch},F_{ch},\) \(F^{-1}_{ch},CLB_{ch})\) be a collection of \((n,k')\)-chameleon ABO lossy trapdoor functions having branches \(\mathbb A\times \mathbb B:=\{A_{\lambda }\times B_{\lambda }\}_{\lambda \in \mathbb N}\). Let \(\mathcal H\) be a universal family of hash functions from \(\{0,1\}^n\) to \(\{0,1\}^\ell \). We also require that \((n-k)+(n-k')\le n-\kappa ,\) for some \(\kappa =\kappa (n)=\omega (\log n)\), and \(0<\ell \le \kappa -2\log (1/\epsilon )\) for some negligible \(\epsilon =\mathrm{negl}(\lambda )\). The message space is \(\{0,1\}^\ell .\) The CCA-secure scheme \((\mathcal G',\mathcal E',\mathcal D')\) is as follows.

• \(\mathcal G'\): takes as input \(1^{\lambda }\). Run \((s,t)\leftarrow S_{inj}(1^{\lambda })\) and \((s',t')\leftarrow S_{ch}(1^{\lambda })\). Choose \(h\xleftarrow {R}\mathcal H\) and a collision-resistant hash function \(H:\{0,1\}^*\rightarrow A_{\lambda }\). Finally, output the public key \(pk=(s,s',h,H)\) and secret key \(sk=(t,t',pk)\).

• \(\mathcal E'\): takes as input \(1^{\lambda }\), \(pk\) and \(m\in \{0,1\}^\ell \). It choose \(x\xleftarrow {R}\{0,1\}^n\) and \(r\xleftarrow {R} B_{\lambda }\), then compute

  $$c_0=h(x)\oplus m, c_1=F(s,x),c_2=F_{ch}(s',u,r,x),$$

  where \(u=H(c_0,c_1)\). Finally, it outputs the ciphertext \(c=(c_0,c_1,c_2,r)\).

• \(\mathcal D'\): takes as input \(1^{\lambda }\), \(sk\) and a ciphertext \(c=(c_0,c_1,c_2,r)\). It computes \(x=F^{-1}(t,c_1)\) and \(u=H(c_0,c_1).\) Then check whether \(c_1=F(s,x)\) and \(c_2=F_{ch}(s',u,r,x)\); if not, it outputs \(\bot .\) Finally, it outputs \(m=c_0\oplus h(x)\).