1 Introduction

1.1 Background

Key dependent message (KDM) security has been studied by many researchers recently. A KDM-secure encryption scheme provides security even when one encrypts the secret-key sk under the corresponding public-key pk. More generally, a KDM-secure encryption scheme with respect to a set of functions \(\mathcal{F}\) provides security even when one encrypts \(f(sk_1, \ldots , sk_{\ell })\) under \(pk_j\) for any function \(f \in \mathcal{F}\), where \(sk_i\) is the secret-key of user i for \(i=1, \ldots , \ell \), and \(pk_j\) is the public-key of user \(j \in \{1, \ldots , \ell \}\).

Boneh et al. [5] showed the first KDM-secure public-key encryption scheme in the standard model which is called BHHO encryption scheme. It is KDM-secure with respect to the set of all “affine in the exponent” functions under the DDH assumption.

Then a natural question is: can we construct a KDM-secure encryption scheme with respect to the set of all functions? Barak et al. [4] answered this affirmatively by showing a KDM-secure encryption scheme with respect to the set of all functions whose circuit size is bounded by an arbitrary, fixed polynomial. Such encryption schemes are called bounded KDM secure. Barak et al. constructed a bounded KDM secure encryption scheme under either the DDH assumption or the LWE assumption.

On the other hand, a function is called projection if each output bit depends on at most one input bit. An encryption scheme is called projection KDM secure if it is KDM secure with respect to the set of all projection functions. Applebaum [1] showed that a bounded KDM secure encryption scheme can be obtained from a projection KDM secure encryption scheme.

Bellare et al. [6] then showed a clean method to construct a bounded KDM secure encryption scheme from a garbling scheme \(\mathsf{Ga}\) and a projection KDM secure encryption scheme \(\mathcal{E}\). Their scheme is more efficient than the schemes of [1, 4] (see [6, Fig. 20] for a comparison). However, the size of ciphertexts is still very large.

To summarize, it is known that bounded KDM security can be obtained from projection KDM security. However, the size of ciphertexts is very large.

1.2 Our Contribution

In this paper, we first show that bounded KDM security can be obtained from much weaker KDM security than the projection KDM security. Based on this, we next present a more efficient construction of bounded KDM secure encryption schemes than Bellare et al. [6] under various assumptions.

In the scheme of Bellare et al. [6], a ciphertext of \(f(sk_1, \ldots , sk_{\ell })\) consists of \((F, Y)\), where F is a garbled circuit and Y is a ciphertext of a projection KDM secure encryption scheme \(\mathcal{E}\). Our scheme has the same structure, but \(\mathcal{E}\) is only required to satisfy a weaker form of KDM security. (More precisely, our weak KDM security is defined relative to the underlying garbling scheme \(\mathsf{Ga}\).)

As a result, the size of our Y is k times smaller than that of Bellare et al. [6], where k is the security parameter. Further suppose that the number of gates of \(f(sk_1, \ldots , sk_{\ell })\) is \(O(k\ell )\). Then the total size of our ciphertexts is \(O(k^3 \ell )\) under the DDH assumption while it is \(O(k^4 \ell )\) in the scheme of Bellare et al. [6], where BHHO encryption scheme is used in both schemes.

A projection KDM secure encryption scheme can be constructed from any KDM secure encryption scheme with respect to the set of affine (in the exponent) functions, where the secret-key is viewed as a bit string. We can also construct our weakly KDM secure encryption scheme from such encryption schemes.

  • As stated above, BHHO encryption scheme is KDM-secure with respect to the set of “affine in the exponent functions” under the DDH assumption.

  • Brakerski and Goldwasser [3] showed a BHHO-like encryption scheme under subgroup indistinguishability assumptions. In particular, they presented a KDM secure encryption scheme with respect to the set of affine functions under Paillier’s decisional composite residuosity (DCR) assumption.

  • Applebaum et al. [2] constructed a symmetric-key encryption scheme which is KDM-secure with respect to the set of affine functions under the LPN assumption.

Hence we can construct a more efficient bounded KDM secure encryption scheme than Bellare et al. [6] under the DDH assumption, the DCR assumption and the LPN assumption respectively.

We also point out that the security proof of Bellare et al. [6] is not complete, and show how to fix it.

2 Preliminaries

PPT means probabilistic polynomial time, and PT means polynomial time. If A is a PPT algorithm, then \(y \leftarrow A(x_1, \ldots , x_n; r)\) represents the act of running the algorithm A with inputs \(x_1, \ldots , x_n\) and coins r to get an output y, and \(y \leftarrow A(x_1, \ldots , x_n)\) represents the act of picking r at random and letting \(y \leftarrow A(x_1, \ldots , x_n; r)\).

If X is a set, then \(x \mathop {\leftarrow }\limits ^{\$}X\) represents the act of choosing x randomly from X. |X| denotes the cardinality of X. If X is a string, then |X| denotes the bit length of X, and lsb(X) denotes the least significant bit of X. If X and Y are bit strings, \(X\Vert Y\) denotes the concatenation.

Let k be a security parameter.

2.1 DDH Assumption

Let \(\mathbb {G}\) be a group of prime order p. The DDH assumption (on \(\mathbb {G}\)) is that the distributions \((g, g^x , g^y , g^{xy})\) and \((g, g^x , g^y , g^{z})\) are computationally indistinguishable, where g is a random generator of \(\mathbb {G}\) and \(x, y, z \mathop {\leftarrow }\limits ^{\$}Z_p\).

2.2 KDM Security

Let \(\mathcal{E}= (K,E,D )\) be a public key encryption scheme, \(\mathcal{S}=\{S_k\}\) be the space of secret keys and \(\mathcal{M}=\{M_k\}\) be the space of messages. For an integer \(\ell >0\), define

$$\begin{aligned} ALL_k^{(\ell )}=\{f \mid f:(S_k)^{\ell } \rightarrow M_k\}. \end{aligned}$$

We then define the KDM\(^{(\ell )}\) attack game between a challenger and an adversary \(\mathcal{A}\) with respect to a function class \(\mathcal{F}=\{\mathcal{F}_k\}\) such that \(\mathcal{F}_k \subseteq ALL_k^{(\ell )}\) as follows.

  • Initialize. The challenger chooses \(b \mathop {\leftarrow }\limits ^{\$}\{0,1\}\) and generates key pairs \((sk_i, pk_i) \leftarrow K(1^k)\) for all \(i \in \{1, \ldots ,\ell \}\). The challenger then sends \((pk_1, \ldots , pk_{\ell })\) to the adversary \(\mathcal{A}\).

  • Query. The adversary \(\mathcal{A}\) makes adaptive queries of the form \((j,f) \in \{1, \ldots , \ell \} \times \mathcal{F}_k\). For each query, the challenger computes \(x= f(sk_1, \ldots , sk_{\ell })\) and sends the following ciphertext to the adversary \(\mathcal{A}\).

    $$ c = \left\{ \begin{array}{ll} E_{pk_j} (x) & \text{if } b = 0 \\ E_{pk_j}(0^{|x|}) & \text{if } b = 1 \end{array} \right. $$
  • Finish. The adversary \(\mathcal{A}\) outputs a guess \(b' \in \{0,1\}\).

Define \( \mathtt{Adv}_{\mathcal{E},\ell }^\mathrm{kdm} (\mathcal{A}) = |2 \mathrm{Pr}[b'=b] - 1| \). We say that \(\mathcal{E}\) is KDM\(^{(\ell )}\) secure with respect to \(\mathcal{F}\) if \(\mathtt{Adv}_{\mathcal{E},\ell }^\mathrm{kdm} (\mathcal{A})\) is negligible for any PPT adversary \(\mathcal{A}\).

The KDM security of symmetric-key encryption schemes is defined similarly.

2.3 BHHO Encryption Scheme

Boneh et al. showed a KDM-secure public-key encryption scheme w.r.t. a class of affine in the exponent functions under the DDH assumption [5]. Let \(\mathbb {G}\) be a group of prime order p and g be a generator of \(\mathbb {G}\).

  • Key Generation. Let \(t = \lceil 3 \, \log _2 p \, \rceil \). Choose \((g_1 , \ldots , g_t) \mathop {\leftarrow }\limits ^{\$}\mathbb {G}^t, (s_1, \cdots , s_t) \mathop {\leftarrow }\limits ^{\$}\{0, 1\}^{t}\). Let \(h \leftarrow (g_{1}^{s_1} \cdots g_t^{s_t})^{-1}\) and define the public and secret keys as

    $$\begin{aligned} pk = (g_1 , \dots , g_t, h) \, \mathrm{and} \, sk = (s_1 , \dots , s_t). \end{aligned}$$
  • Encryption. For a plaintext \(m \in \mathbb {G}\), choose \(r \mathop {\leftarrow }\limits ^{\$}Z_p\) and output a ciphertext

    $$\begin{aligned} (g_{1}^{r}, \dots , g_t^{r}, \, h^{r} \cdot m). \end{aligned}$$
  • Decryption. For a ciphertext \((c_1 , \dots , c_t, d)\), output \(m = d \cdot (c_{1}^{s_1} \cdots c_t^{s_t})\).

We say that f is an affine in the exponent function if \(f(x_1, \ldots , x_n)=g^{a_0+ \sum _{i=1}^n a_ix_i}\), where \(x_i \in \{0,1\}\) and \(a_i \in Z_p\); here the \(\ell \) secret keys are viewed as one bit string \((x_1, \ldots , x_n)\) of length \(n = \ell t\). Define \(\mathcal{F}_{\mathrm{affine}}=\{\mathcal{F}_k\}\) in such a way that \(\mathcal{F}_k=ALL_k^{(\ell )} \cap \{f \mid f \text { is an affine in the exponent function}\}\).

Proposition 1

[5]. The above encryption scheme is KDM\(^{(\ell )}\) secure w.r.t. \(\mathcal{F}_{\mathrm{affine}}\) under the DDH assumption.

2.4 Bounded-KDM Security

Let q(k) be a polynomial in k. A function f is q(k)-bounded if it can be expressed as a boolean circuit such that the number of gates is q(k). Define \(\mathcal{F}_{\mathrm{q-gates}}=\{\mathcal{F}_k\}\), where \(\mathcal{F}_k=ALL_k^{(\ell )} \cap \{f \mid f \text { is q(k)-bounded}\}\). Then an encryption scheme \(\mathcal{E}\) is q-bounded KDM\(^{(\ell )}\) secure if it is KDM\(^{(\ell )}\) secure w.r.t. \(\mathcal{F}_{\mathrm{q-gates}}\).

2.5 Projection KDM Security

A function f is called a projection if each output bit depends on at most one input bit. Define \(\mathcal{F}_{\mathrm{proj}}=\{\mathcal{F}_k\}\) in such a way that \(\mathcal{F}_k=ALL_k^{(\ell )} \cap \{f \mid f \text { is a projection}\}\). We then say that an encryption scheme \(\mathcal{E}\) is projection KDM\(^{(\ell )}\) secure if it is KDM\(^{(\ell )}\) secure w.r.t. \(\mathcal{F}_{\mathrm{proj}}\).

3 Garbling Scheme [6]

3.1 Circuits

A boolean circuit is a 6-tuple \(f = (n, m, q, A, B, G)\). Here \(n \ge 2\) is the number of inputs, \(m \ge 1\) is the number of outputs, and \(q \ge 1\) is the number of gates. We let Inputs \(= \{1, . . . , n\}\), Gates \(= \{n + 1, . . . , n + q\}\), Wires \(= \{1, . . . , n+q\}\) and Outputs \(= \{ n+q-m+1, \ldots , n+q\}\). Then A: Gates \(\rightarrow \) Wires\(\setminus \)Outputs is a function to identify each gate’s first incoming wire, and B : Gates \(\rightarrow \) Wires\(\setminus \)Outputs is a function to identify each gate’s second incoming wire. We require \(A(g)< B(g) < g\) for each gate \(g \in \) Gates. Finally G : Gates \(\times \{0, 1\}^2 \rightarrow \{0, 1\}\) is a function that determines the functionality of each gate.

Each gate has two inputs, one output and arbitrary functionality. The wires are numbered 1 to \(n + q\). The ith bit of the input is presented along wire i. Every non-input wire is the outgoing wire of some gate. The outgoing wire of each gate serves as the name of that gate. We denote the output of f on input \(x \in \{0,1\}^n\) by \(y=f(x)\). See Appendix A for an example.

Let

$$ \varPhi _{topo}(f) = (n,m,q,A,B), \ \varPhi _{size}(f) = (n,m,q) $$

We say that \(\varPhi _{topo}(f)\) and \(\varPhi _{size}(f)\) are side information functions.

3.2 Garbling Scheme

A garbling scheme is a three-tuple of algorithms \(\mathsf{Ga} = (\mathsf{Gb, En, Ev})\) as follows.

  • \((F, e) \leftarrow \mathsf{Gb}(1^k, f)\), where \(f = (n, m, q, A, B, G)\) is a boolean circuit, F is its garbled circuit and e is a key of \(\mathsf{En}\).

  • \(X \leftarrow \mathsf{En}(e, x)\), where \(x \in \{0,1\}^n\) is a real input and X is its garbled input.

  • \(y \leftarrow \mathsf{Ev}(F, X)\), where y is the output of F on input X.

The correctness condition requires that if \((F, e) \leftarrow \mathsf{Gb}(1^k, f)\), then

$$\begin{aligned} \mathsf{Ev}[F, \mathsf{En}(e, x) ]=f(x) \end{aligned}$$

for any \(x \in \{0,1\}^n\).

3.3 Security of Garbling Schemes

For a garbling scheme \(\mathsf{Ga} = (\mathsf{Gb, En, Ev})\) and a side information function \(\varPhi \), we consider a game between a challenger and an adversary \(\mathcal{A}\) as follows.

  1. \(\mathcal{A}\) chooses \((f_0,x_0)\) and \((f_1,x_1)\) such that \(f_0(x_0)=f_1(x_1)\) and \(\varPhi (f_0)=\varPhi (f_1)\), and sends them to the challenger.

  2. The challenger chooses \(b \mathop {\leftarrow }\limits ^{\$}\{0,1\}\), and computes \((F, e) \leftarrow \mathsf{Gb}(1^k, f_b)\) and \(X \leftarrow \mathsf{En}(e, x_b)\). He then sends \((F, X)\) to \(\mathcal{A}\).

  3. \(\mathcal{A}\) outputs a bit \(b'\).

Define the advantage as \( \mathtt{Adv}_{\mathsf{Ga}, \varPhi }^{garble}(\mathcal{A})=|2\Pr (b'=b)-1| \). We say that \(\mathsf{Ga}\) is \(\varPhi \)-secure if \(\mathtt{Adv}_{\mathsf{Ga}, \varPhi }^{garble}(\mathcal{A})\) is negligible for every PPT adversary \(\mathcal{A}\).

Bellare et al. [6] showed a \(\varPhi _{topo}\)-secure garbling scheme \(\mathsf{Ga} = (\mathsf{Gb, En, Ev})\) which is called Garble1. We illustrate it in Figs. 11 and 12 of Appendix B. We also show how to construct \(\varPhi _{size}\)-secure garbling schemes in Appendix C.

4 Bounded KDM Secure Encryption by Bellare et al.

4.1 Generic Construction

Bellare et al. [6] constructed a q-bounded KDM\(^{(\ell )}\) secure encryption scheme \(\mathcal{E}' = (K',E',D')\) from

  • a \(\varPhi _{size}\)-secure garbling scheme \(\mathsf{Ga} = (\mathsf{Gb, En, Ev})\) and

  • a projection KDM\(^{(\ell )}\) secure encryption scheme \(\mathcal{E}= (K,E,D)\).

A ciphertext of \(f(sk_1, \ldots , sk_{\ell })\) under \(pk_j\) is given by \((F,E_{pk_j}(X))\), where

  • F is a garbled circuit of an identity circuit ID, and

  • X is a garbled input of the real input \( f(sk_1, \ldots , sk_{\ell })\Vert 0^{n-L} \), where \(L=|f(sk_1, \ldots , sk_{\ell })|\) and \(n = \max (|sk| \cdot \ell , L)\) is the input length of ID.

The decryption is given by

$$ F(X) = ID(f(sk_1, \ldots , sk_{\ell })\Vert 0^{n-L}) = f(sk_1, \ldots , sk_{\ell })\Vert 0^{n-L}. $$

More precisely, the key generation algorithm \(K'\) is the same as K, and it outputs \((pk,sk) \leftarrow K(1^k)\). The encryption algorithm \(E'\) and the decryption algorithm \(D'\) are given in Fig. 1. There ID is a circuit with n input wires, n output wires and \(q+n\) gates such that \(ID(z)=z\) for any \(z \in \{0,1\}^n\), where \(n = \max (|sk| \cdot \ell , |x|)\) and x is the plaintext to be encrypted.

Fig. 1.
figure 1

Generic construction of q-bounded KDM\(^{(\ell )}\) secure encryption scheme.
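The circuit encoding of Sect. 3.1 and the identity circuit ID of Fig. 1, as an added Python example that is not part of the paper. The well-formedness check, the evaluator and the side-information functions follow the definitions above; the particular gate layout chosen for ID (q padding gates followed by n forwarding gates, so that ID has exactly \(q+n\) gates) is this example's own choice, not the construction of [6] or of Fig. 1, which are not reproduced on this page.

```python
# Added example, not code from the paper: the circuit tuple f = (n, m, q, A, B, G)
# of Sect. 3.1, its evaluator, the side-information functions Phi_topo / Phi_size,
# and one concrete identity circuit ID with q + n gates (layout chosen here).
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Circuit:
    n: int                                  # number of inputs, n >= 2
    m: int                                  # number of outputs, m >= 1
    q: int                                  # number of gates, q >= 1
    A: Dict[int, int]                       # A(g): first incoming wire of gate g
    B: Dict[int, int]                       # B(g): second incoming wire of gate g
    G: Callable[[int, int, int], int]       # G(g, a, b): functionality of gate g

    def gates(self):
        return range(self.n + 1, self.n + self.q + 1)

    def outputs(self):                      # Outputs = {n+q-m+1, ..., n+q}
        return range(self.n + self.q - self.m + 1, self.n + self.q + 1)

    def check(self):
        """Well-formedness of Sect. 3.1: A(g) < B(g) < g and no output wire feeds a gate."""
        assert self.n >= 2 and 1 <= self.m <= self.q
        outs = set(self.outputs())
        for g in self.gates():
            a, b = self.A[g], self.B[g]
            assert a < b < g and a not in outs and b not in outs
        return True

    def evaluate(self, x):
        """y = f(x): wire i carries input bit i; every other wire is a gate's outgoing wire."""
        assert len(x) == self.n
        w = {i + 1: bit for i, bit in enumerate(x)}
        for g in self.gates():              # A(g), B(g) < g, so both inputs are already set
            w[g] = self.G(g, w[self.A[g]], w[self.B[g]])
        return tuple(w[g] for g in self.outputs())


def phi_topo(f):                            # Phi_topo(f) = (n, m, q, A, B): hides only G
    return (f.n, f.m, f.q, tuple(sorted(f.A.items())), tuple(sorted(f.B.items())))


def phi_size(f):                            # Phi_size(f) = (n, m, q)
    return (f.n, f.m, f.q)


def identity_circuit(n, q):
    """ID with n inputs, n outputs and q + n gates such that ID(z) = z for all z.

    Layout chosen for this example: gates n+1..n+q are padding gates (AND of wires
    1 and 2); output gate n+q+i forwards input wire i and ignores its second input,
    which is padding gate n+1 so that A(g) < B(g) < g holds.
    """
    assert n >= 2 and q >= 1
    A, B = {}, {}
    for g in range(n + 1, n + q + 1):
        A[g], B[g] = 1, 2
    for i in range(1, n + 1):
        g = n + q + i
        A[g], B[g] = i, n + 1

    def G(g, a, b):
        return a & b if g <= n + q else a

    return Circuit(n, n, q + n, A, B, G)
```

Replacing G by a function that returns 0 on the output gates gives the "all-zero" circuit with the same \(\varPhi _{topo}\) as ID, which is exactly the kind of pair (ID, C) that the hybrid games of Sect. 5 rely on: the side information reveals the wiring but not the gate functions.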

Proposition 2

[6]. Suppose that

  • \(\mathsf{Ga} = (\mathsf{Gb, En, Ev})\) is \(\varPhi _{size}\)-secure and \(\mathsf{En}(e, \cdot )\) is a projection function.

  • \(\mathcal{E}= (K,E,D)\) is projection KDM\(^{(\ell )}\) secure.

Then the above encryption scheme \(\mathcal{E}'\) is q-bounded KDM\(^{(\ell )}\) secure. (See Fig. 2.)

Fig. 2.
figure 2

q-bounded KDM secure \(\mathcal{E}'(\mathsf{Ga}, \mathcal{E})\).

4.2 Instantiation Under DDH

Bellare et al. [6, Sect. 7.2] instantiated Proposition 2 by using Garble1 [6, Sect. 5] and BHHO encryption scheme [5]. (See Fig. 3.)

Fig. 3.
figure 3

q-bounded KDM\(^{(\ell )}\) secure public-key encryption scheme \(\mathcal{E}'\) of Bellare et al.

First construct a \(\varPhi _{size}\)-secure garbling scheme \(\widehat{Garble1} = (\mathsf{Gb, En, Ev})\) from (\(\varPhi _{topo}\)-secure) Garble1\(= (\mathsf{Gb1, En1, Ev1})\) by using the method of Appendix C. (See the comments of Fig. 20 of [6].) We need to show that \(\mathsf{En}(e, \cdot )\) is a projection. In Garble1,

$$ e = (X_1^0, X_1^1, \ldots , X_n^0, X_n^1), \ X = \mathsf{En1}(e,x) = (X_1^{x_1}, \ldots , X_n^{x_n}), $$

where \(X_i^j \in \{0,1\}^k\), \(x=(x_1, \ldots , x_n)\) and \(x_i \in \{0,1\}\). Therefore \(\mathsf{En1}(e, \cdot )\) is a projection. Hence \(\mathsf{En}(e, \cdot )\) is also a projection because \(\mathsf{En}=\mathsf{En1}\) in the method of Appendix C.

Note that

$$\begin{aligned} |X|=|X_1^{x_1}|+ \ldots + |X_n^{x_n}|=kn. \end{aligned}$$
(1)

Next construct a projection KDM\(^{(\ell )}\) secure encryption scheme \(\mathcal{E}= (K,E,D)\) as follows. To compute \(Y=E_{pk}(X)\), encrypt each bit of X by using BHHO encryption scheme. More precisely, the key generation algorithm K is the same as that of BHHO encryption scheme, and for \(X=(\epsilon _1, \ldots , \epsilon _{kn})\), let

$$\begin{aligned} E_{pk}(X)=(\mathrm{BHHO}_{pk}(g^{\epsilon _1}), \ldots , \mathrm{BHHO}_{pk}(g^{\epsilon _{kn}})), \end{aligned}$$
(2)

where \(\epsilon _i \in \{0,1\}\) and \(\mathrm{BHHO}_{pk}(g^{\epsilon _i})\) denotes a BHHO ciphertext of \(g^{\epsilon _i}\) for \(i=1, \ldots , kn\). This \(\mathcal{E}\) is projection KDM\(^{(\ell )}\) secure under the DDH assumption.

The obtained encryption scheme \(\mathcal{E}'\) from \(\widehat{Garble1}\) and the above \(\mathcal{E}\) is q-bounded KDM\(^{(\ell )}\) secure under the DDH assumption from Proposition 2.

Now suppose that we want to encrypt \(f(sk_1, \ldots , sk_{\ell })\). In Fig. 1, \(X=\mathsf{En}(e,z)\) at line 05 has bit length kn from Eq. (1), where

$$\begin{aligned} n=\max (|sk| \cdot \ell , |f(sk_1, \ldots , sk_{\ell })|) \end{aligned}$$
(3)

Therefore \(Y=E_{pk}(X)\) at line 06 consists of kn ciphertexts of BHHO encryption scheme. The total ciphertext consists of a garbled circuit F of ID and kn ciphertexts of BHHO encryption scheme. (See the third column of Fig. 20 of [6].)

5 How to Prove Proposition 2

In this section, we first point out that the proof of Proposition 2 by Bellare et al. [6] is not complete. We next show how to fix it.

5.1 Proof by Bellare et al.

Bellare et al. [6] proved Proposition 2 as follows. Let \(\mathcal{A}\) be an adversary attacking \(\mathcal{E}'\). To simplify the exposition, they first consider the case \(\mathcal{A}\) makes only a single query. Then they sketch how to extend it to the general case.

Single query case. Suppose that \(\mathcal{A}\) makes a single query (j, f). Let C be a circuit of n input wires, n output wires, and \(q + n\) gates such that

$$ C(x) = f(\text{the first } |sk| \ell \text{ bits of } x) \Vert 0^{n-|f(sk_{1}, \cdots , sk_{\ell })|}, $$

where \(n=\max (|sk| \cdot \ell , |f(sk_1, \ldots , sk_{\ell })|)\). Then we have

$$\begin{aligned} C(\mathrm{\mathbf{K}}) = f(sk_{1} \Vert \cdots \Vert sk_{\ell }) \Vert 0^{n-|f(sk_{1}, \cdots , sk_{\ell })|} \end{aligned}$$
(4)

for \(\mathrm{\mathbf{K}} = sk_{1} \Vert \cdots \Vert sk_{\ell } \Vert 0^{n-|sk| \cdot \ell }\).

We consider a series of Games \(G_0, \ldots , G_4\) as shown in Fig. 4, where \(G_0\) is equivalent to the KDM attack game with \(b=0\) because \(C(\mathrm{\mathbf{K}})\) is given by Eq. (4). Each game changes lines 04–05 of Fig. 1 step by step. Let \(p_i=\Pr (b'=1 \text { in Game } G_i)\).

  • \(|p_0-p_1|\) is negligible because \(\mathrm{ID}(C(\mathrm{\mathbf{K}}))=C(\mathrm{\mathbf{K}})\), \(\varPhi _{size}(\mathrm{ID})=\varPhi _{size}(C)\) and the garbling scheme is \(\varPhi _{size}\)-secure.

  • \(|p_1-p_2|\) is negligible because \(\mathsf{En}(e, \cdot )\) is a projection function, and \(\mathcal{E}\) is KDM\(^{(\ell )}\) secure w.r.t. \(\{\text {all projection functions}\}\).

  • \(p_2=p_3\) because \((F, E_{pk_j} (X))\) is the same in each game.

  • \(|p_3-p_4|\) is negligible because \(\mathrm{ID}(C(0^n))=C(0^n)\), \(\varPhi _{size}(\mathrm{ID})=\varPhi _{size}(C)\) and the garbling scheme is \(\varPhi _{size}\)-secure.

Their proof stops at this point. However, Game \(G_4\) is not the KDM attack game with \(b=1\).

Fig. 4.
figure 4

Proof of Proposition 2.

5.2 How to Fix the Proof

To complete the proof, we use the following proposition.

Proposition 3

[5]. Suppose that the function class \(\mathcal{F}\) contains all constant functions. Then the KDM security w.r.t. \(\mathcal{F}\) implies IND-CPA security.

Any constant function is a projection function. Therefore the set of all projection functions contains all constant functions, and Proposition 3 applies to a projection KDM secure \(\mathcal{E}\).

Now we add Game \(G_5\) and Game \(G_6\) which are shown in Fig. 5. Then

Fig. 5.
figure 5

Game \(G_5\) and Game \(G_6\).

  • \(p_4 = p_5\) because \((F, E_{pk_j} (0^{|X|}))\) is the same in each game.

  • \(|p_5-p_6|\) is negligible because \(\mathcal{E}\) is IND-CPA secure from Proposition 3.

Game \(G_6\) is the KDM attack game with \(b=1\) because the output of Game \(G_6\) is \(\mathcal{E}'_{pk_j}(0^{|f(sk_{1} \Vert \cdots \Vert sk_{\ell })|})\). Finally \(|p_0-p_6|\) is negligible from the above discussion. This completes the proof.

6 Our Main Theorem

As shown above, bounded KDM security can be obtained from projection KDM security. However, the size of ciphertexts is still very large. In this section, we show that it can be obtained from a much weaker notion than the projection KDM security.

The encryption scheme \(\mathcal{E}'=(K', E', D')\) given in Fig. 1 consists of

  • a garbling scheme \(\mathsf{Ga} = (\mathsf{Gb, En, Ev})\) and

  • an encryption scheme \(\mathcal{E}= (K,E,D)\) such that \(K'=K\).

We denote such \(\mathcal{E}'\) by \(\mathcal{E}'(\mathsf{Ga}, \mathcal{E})\).

For a garbling scheme \(\mathsf{Ga} = (\mathsf{Gb, En, Ev})\), first define \(\widehat{\mathsf{En}}\) as

$$\begin{aligned} \widehat{\mathsf{En}}_{n,e}(x)= \mathsf{En}(e, x\Vert 0^{n-|x|}). \end{aligned}$$
(5)

Next define the set of functions \(\mathcal{F}(\mathsf{Ga})=\{\mathcal{F}_k\}\) as follows.

$$ \mathcal{F}_k=ALL_k^{(\ell )} \cap \{\widehat{\mathsf{En}}_{n,e} \mid (F,e) \leftarrow \mathsf{Gb}(1^k, C), \text {where}~\varPhi _{size}(C)=(n, n,n+q)\}. $$

Then our main Theorem is as follows. (See Fig. 2.)

Theorem 1

\(\mathcal{E}'(\mathsf{Ga}, \mathcal{E})\) is q-bounded KDM\(^{(\ell )}\) secure if \(\mathsf{Ga}\) is \(\varPhi _{size}\)-secure, and \(\mathcal{E}\) is IND-CPA secure and KDM\(^{(\ell )}\)-secure w.r.t. \(\mathcal{F}(\mathsf{Ga})\).

The proof is the same as that of Proposition 2 which we fixed. In particular,

  • \(|p_1-p_2|\) is negligible because \(\mathcal{E}\) is KDM\(^{(\ell )}\) secure w.r.t. \(\mathcal{F}(\mathsf{Ga})\).

  • \(|p_5-p_6|\) is negligible because \(\mathcal{E}\) is IND-CPA secure.

Let \(\widehat{\mathsf{Ga}}\) denote the \(\varPhi _{size}\)-secure garbling scheme which is obtained from a \(\varPhi _{topo}\)-secure garbling scheme Ga by using the method of Appendix C. Then we have the following corollary.

Corollary 1

\(\mathcal{E}'(\widehat{\mathsf{Ga}}, \mathcal{E})\) is q-bounded KDM\(^{(\ell )}\) secure if \(\mathsf{Ga}\) is \(\varPhi _{topo}\)-secure, and \(\mathcal{E}\) is IND-CPA secure and KDM\(^{(\ell )}\)-secure w.r.t. \(\mathcal{F}(\mathsf{Ga})\).

Proof

Let \(\widehat{\mathsf{Ga}} = (\mathsf{Gb', En', Ev'})\) and \(\mathsf{Ga} = (\mathsf{Gb, En, Ev})\). Then \(\mathsf{En'=En}\) in the method of Appendix C. Hence we obtain this corollary from the definition of \(\mathcal{F}(\mathsf{Ga})\).    \(\square \)

Let’s compare Theorem 1 with Proposition 2.

  • In Proposition 2, \(\mathcal{E}\) needs to be KDM\(^{(\ell )}\) secure w.r.t. the set of “all projection functions”. Therefore Bellare et al. had to encrypt each bit of \(X=\mathsf{En}(e,z)\) by using BHHO encryption scheme.

  • In our theorem, on the other hand, \(\mathcal{E}\) needs to be KDM\(^{(\ell )}\) secure w.r.t. \(\mathcal{F}(\mathsf{Ga})\) only. Therefore we can construct a more efficient \(\mathcal{E}\) with an appropriate garbling scheme Ga as shown in the following sections.

Another difference is that in Theorem 1, \(\mathcal{E}\) needs to be IND-CPA secure. However, this is not a real restriction, since IND-CPA security is a minimal requirement that any encryption scheme must satisfy anyway. See Table 1.

Table 1. Underlying primitive for bounded KDM security.

7 Our Instantiation Under DDH

In this section, we show a more efficient bounded KDM secure encryption scheme \(\mathcal{E}'(\widehat{\mathsf{Ga}}, \mathcal{E})\) than Bellare et al. [6] under the DDH assumption based on Corollary 1. The encryption scheme \(\mathcal{E}\) is based on BHHO encryption scheme [5], and the garbling scheme \(\mathsf{Ga}\) is a variant of Garble1 [6] which we call Garble1\(+\).

Let \(\mathbb {G}\) be a group of prime order p and g be a generator of \(\mathbb {G}\) as required in BHHO encryption scheme.

7.1 Garble1\(+\)

We define \((\mathsf{Gb, Ev})\) of Garble1\(+\) as shown in Figs. 6 and 7. Namely

$$\begin{aligned} e = (u_1^0, u_1^1, \ldots , u_n^0, u_n^1), \end{aligned}$$
(6)
$$\begin{aligned} \mathsf{En}(e,x) = (g^{u_1^{x_1}}, \ldots , g^{u_n^{x_n}}), \end{aligned}$$
(7)

where \(u_i^j \in Z_p\), and

$$\begin{aligned} X_i^0 \leftarrow H(g^{u_i^0}), \ X_i^1 \leftarrow H(g^{u_i^1}) \end{aligned}$$
(8)

for \(i=1, \ldots , n\) in Gb, where \(H:\mathbb {G} \rightarrow \{0,1\}^k\) is a hash function such that H(v) is uniformly distributed over \(\{0,1\}^k\) when \(v \mathop {\leftarrow }\limits ^{\$}\mathbb {G}\).

The rest is the same as Garble1 [6], which is shown in Appendix B. Then Garble1\(+\) is \(\varPhi _{topo}\)-secure by the same argument as for Garble1.

Fig. 6.
figure 6

Garble1\(+\) (1).

Fig. 7.
figure 7

Garble1\(+\) (2).

7.2 KDM-Secure Encryption w.r.t. \(\mathcal{F}(Garble1+)\)

We next show an efficient encryption scheme \(\mathcal{E}=(K,E,D)\) which is KDM\(^{(\ell )}\)-secure w.r.t. \(\mathcal{F}(Garble1+)\).

  • The key generation algorithm K is the same as that of BHHO encryption scheme. Let \((sk,pk) \leftarrow K(1^k)\).

  • For a message \((m_1, \ldots , m_n) \in \mathbb {G}^n\), let

    $$\begin{aligned} E_{pk}(m_1, \ldots , m_n) =(\mathrm{BHHO}_{pk}(m_1), \ldots , \mathrm{BHHO}_{pk}(m_n)). \end{aligned}$$
    (9)

We stress that each \(m_i\) ranges over the whole group \(\mathbb {G}\) in the above encryption scheme, while \(m_i \in \{1,g\}\) (the encoding of a single bit) in that of Bellare et al. [6].

Theorem 2

The above encryption scheme \(\mathcal{E}= (K,E,D)\) is IND-CPA secure and KDM\(^{(\ell )}\) secure w.r.t. \(\mathcal{F}(Garble1+)\) under the DDH assumption.

Proof

\(\mathcal{E}\) is IND-CPA secure because BHHO encryption scheme is IND-CPA secure. We will prove that it is \(\text {KDM}^{(\ell )}\) secure w.r.t. \(\mathcal{F}(Garble1+)\).

In the KDM\(^{(\ell )}\) attack game, the challenger generates key pairs \((sk_i, pk_i) \leftarrow K(1^k)\) for all \(i \in \{1, \ldots ,\ell \}\). Define \(L=\ell |sk|\) and let

$$\begin{aligned} (sk_1, \ldots , sk_{\ell })=(s_1, \ldots , s_L), \end{aligned}$$

where \(s_i \in \{0,1\}\) for \(i=1, \ldots , L\).

Then for \(e=(u_1^0, u_1^1, \ldots , u_n^0, u_n^1)\) of Eq. (6), we have

$$\begin{aligned} \widehat{\mathsf{En}}_{n,e}(sk_1, \ldots , sk_{\ell }) &= \widehat{\mathsf{En}}_{n,e}(s_1, \ldots , s_L) \\ &= (g^{u_1^{s_1}}, \ldots , g^{u_L^{s_L}}, g^{u_{L+1}^0}, \ldots , g^{u_n^0}) \end{aligned}$$

from Eqs. (7) and (5). Further from Eq. (9), we have

$$\begin{aligned} E_{pk}(\widehat{\mathsf{En}}_{n,e}(sk_1, \ldots , sk_{\ell })) &= E_{pk}(g^{u_1^{s_1}}, \ldots , g^{u_L^{s_L}}, g^{u_{L+1}^0}, \ldots , g^{u_n^0}) \\ &= (\mathrm{BHHO}_{pk}(g^{u_1^{s_1}}), \ldots , \mathrm{BHHO}_{pk}(g^{u_L^{s_L}}), \mathrm{BHHO}_{pk}(g^{u_{L+1}^{0}}), \ldots , \mathrm{BHHO}_{pk}(g^{u_n^0})). \end{aligned}$$

We note that

$$ u_i^0 +(u_i^1-u_i^0) \times {s_i}= \left\{ \begin{array}{ll} u_i^0 & \text{if } s_i=0 \\ u_i^1 & \text{if } s_i=1 \end{array} \right. $$

Therefore we have

$$\begin{aligned} u_i^{s_i}=u_i^0 +(u_i^1-u_i^0) \times {s_i}. \end{aligned}$$

This means that \(u_i^{s_i}\) is an affine function of \((s_1, \ldots , s_L)\) for fixed \(e=(u_1^0, u_1^1, \ldots , u_n^0, u_n^1)\). More precisely, let \(a_0=u_i^0\) and

$$ a_j= \left\{ \begin{array}{cl} u_i^1-u_i^0 &{}\text { if } j=i \\ 0 &{}\text { otherwise} \end{array} \right. $$

Then \(u_i^{s_i}\) is written as

$$\begin{aligned} u_i^{s_i}=a_0 + \sum _{j=1}^L a_j s_j. \end{aligned}$$

Let

$$\begin{aligned} \mathsf{Exp}_{e}(s_1, \ldots , s_L)_i=g^{u_i^{s_i}}=g^{a_0 + \sum _{j=1}^L a_j s_j }. \end{aligned}$$
(10)

Then \(\mathsf{Exp}_{e}(s_1, \ldots , s_L)_i\) belongs to \(\mathcal{F}_{\mathrm{affine}}\) of Sect. 2.3 for \(i=1, \ldots , L\). Further for \(i=L+1, \ldots , n\), \(g^{u_i^0}\) is a constant function. Hence they also belong to \(\mathcal{F}_{\mathrm{affine}}\).

Now let \(\mathcal{A}\) be an adversary who attacks \(\mathcal{E}\) w.r.t. \(\mathcal{F}(Garble1+)\). We construct an adversary \(\mathcal{B}\) who attacks BHHO encryption scheme w.r.t. \(\mathcal{F}_{\mathrm{affine}}\) as follows.

Upon receiving \((pk_1, \ldots , pk_{\ell })\) from the challenger, \(\mathcal{B}\) sends them to \(\mathcal{A}\). Suppose that \(\mathcal{A}\) queries \((j, \widehat{\mathsf{En}}_{n,e})\) such that \(e=(u_1^0, u_1^1, \ldots , u_n^0, u_n^1)\). Then \(\mathcal{B}\) does the following.

  1. For \(i=1, \ldots , L\), \(\mathcal{B}\) queries \((j, \mathsf{Exp}_e(\cdot )_i)\) to the challenger, and receives a ciphertext \(c_i\), where \(\mathsf{Exp}_e(\cdot )_i\) is defined by Eq. (10).

  2. For \(i=L+1, \ldots , n\), \(\mathcal{B}\) queries \((j, g^{u_i^0})\) (a constant function, which belongs to \(\mathcal{F}_{\mathrm{affine}}\)) to the challenger, and receives a ciphertext \(c_i\).

  3. \(\mathcal{B}\) returns \(C=(c_1, \ldots , c_n)\) to \(\mathcal{A}\).

It is easy to see that C is distributed exactly as the challenge ciphertext for \((j, \widehat{\mathsf{En}}_{n,e})\) in the KDM\(^{(\ell )}\) attack game against \(\mathcal{E}\), for the same hidden bit b as in the game of \(\mathcal{B}\). Finally \(\mathcal{B}\) outputs whatever \(\mathcal{A}\) does. Then we have \( \mathtt{Adv}_{\mathcal{E},\ell }^\mathrm{kdm} (\mathcal{A})= \mathtt{Adv}_{\mathrm{BHHO},\ell }^\mathrm{kdm} (\mathcal{B}) \). Therefore \(\mathtt{Adv}_{\mathcal{E},\ell }^\mathrm{kdm} (\mathcal{A})\) is negligible under the DDH assumption because \(\mathtt{Adv}_{\mathrm{BHHO},\ell }^\mathrm{kdm} (\mathcal{B})\) is negligible under the DDH assumption by Proposition 1.    \(\square \)
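The following Python code is an added example and not code from the paper. It implements a toy BHHO scheme (Sect. 2.3) over a small prime-order subgroup, the Garble1\(+\) input encoding of Eqs. (6)–(8), the rewriting of \(u_i^{s_i}\) as an affine function of the key bits (Eq. (10)), and the queries that the adversary \(\mathcal{B}\) issues in the reduction above. It also builds \(Y\) both as in Eq. (9) and as in Eq. (2), which makes the size gap of Sect. 8 concrete. The group parameters (a subgroup of order 1019), the hash H (SHA-256 truncated to k = 16 bits), the number of users \(\ell = 2\) used in the checks, and all coins are this example's choices; everything is far too small for real use.

```python
# Added example, not code from the paper: toy BHHO over a small prime-order
# subgroup, the Garble1+ input encoding of Eqs. (6)-(8), the affine-in-the-
# exponent rewriting of Eq. (10), and the queries issued by B in the reduction.
# All parameters are this example's choice and far too small for real use.
import hashlib
import math
import random

Q = 1019                                  # prime group order (the paper's p), toy size
P = 2 * Q + 1                             # safe prime; the group is the order-Q subgroup of Z_P^*
G = 4                                     # generator g of that subgroup
T = math.ceil(3 * math.log2(Q))           # BHHO secret-key length t = ceil(3 log2 p)
K = 16                                    # toy security parameter: bit length of labels X_i^b
rng = random.Random(2024)                 # deterministic coins, for reproducibility only


def gexp(base, a):
    return pow(base, a % Q, P)


def bhho_keygen():
    gs = [gexp(G, rng.randrange(1, Q)) for _ in range(T)]
    sk = [rng.randrange(2) for _ in range(T)]
    prod = 1
    for gi, si in zip(gs, sk):
        prod = prod * gexp(gi, si) % P
    return sk, (gs, pow(prod, -1, P))     # h = (g_1^{s_1} ... g_t^{s_t})^{-1}


def bhho_enc(pk, m):
    gs, h = pk
    r = rng.randrange(Q)
    return tuple(gexp(gi, r) for gi in gs) + (gexp(h, r) * m % P,)


def bhho_dec(sk, c):
    *cs, d = c
    prod = 1
    for ci, si in zip(cs, sk):
        prod = prod * gexp(ci, si) % P
    return d * prod % P                   # m = d * (c_1^{s_1} ... c_t^{s_t})


def garble1plus_e(n):                     # Eq. (6): e = (u_1^0, u_1^1, ..., u_n^0, u_n^1)
    return [(rng.randrange(Q), rng.randrange(Q)) for _ in range(n)]


def en(e, x):                             # Eq. (7): En(e, x) = (g^{u_1^{x_1}}, ..., g^{u_n^{x_n}})
    return [gexp(G, e[i][x[i]]) for i in range(len(e))]


def en_hat(e, x):                         # Eq. (5): pad x with zeros to n bits
    return en(e, list(x) + [0] * (len(e) - len(x)))


def wire_labels(e):                       # Eq. (8): X_i^b = H(g^{u_i^b}), a k-bit string
    def H(v):                             # toy H: SHA-256 truncated to K bits (assumption)
        return hashlib.sha256(v.to_bytes(2, "big")).digest()[: K // 8]
    return [(H(gexp(G, u0)), H(gexp(G, u1))) for u0, u1 in e]


def affine_coeffs(e, i, L):
    """Coefficients (a_0, a_1..a_L) with u_i^{s_i} = a_0 + sum_j a_j s_j (mod Q), 0-based i."""
    a0, a = e[i][0] % Q, [0] * L
    if i < L:                             # wires i >= L carry padding bits: constant g^{u_i^0}
        a[i] = (e[i][1] - e[i][0]) % Q
    return a0, a


def exp_e(e, s, i):                       # Eq. (10): Exp_e(s)_i = g^{a_0 + sum_j a_j s_j}
    a0, a = affine_coeffs(e, i, len(s))
    return gexp(G, a0 + sum(aj * sj for aj, sj in zip(a, s)))


def reduction_queries(e, L):
    """Steps 1-2 of B: the n affine-in-the-exponent queries that replace (j, En_hat_{n,e})."""
    return [affine_coeffs(e, i, L) for i in range(len(e))]


def our_Y(pk, e, x):                      # Eq. (9): one BHHO ciphertext per wire
    return [bhho_enc(pk, m) for m in en_hat(e, x)]


def bellare_Y(pk, e, x):                  # Eq. (2): one BHHO ciphertext per bit of X_i^{x_i}
    labels = wire_labels(e)
    xs = list(x) + [0] * (len(e) - len(x))
    Y = []
    for i, b in enumerate(xs):
        bits = int.from_bytes(labels[i][b], "big")
        Y.extend(bhho_enc(pk, gexp(G, (bits >> j) & 1)) for j in range(K))
    return Y
```

With two BHHO keys concatenated as the bit string \((s_1, \ldots , s_L)\), `exp_e(e, s, i)` reproduces every component of `en_hat(e, s)`, so the answers a BHHO challenger gives to `reduction_queries(e, L)` are exactly \(E_{pk}(\widehat{\mathsf{En}}_{n,e}(sk_1, \ldots , sk_{\ell }))\); and `bellare_Y` is K times longer than `our_Y` for the same garbled input.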

7.3 Final Construction

Finally, our q-bounded KDM\(^{(\ell )}\)-secure encryption scheme \(\mathcal{E}'\) is obtained by substituting Garble1\(+\) and the encryption scheme \(\mathcal{E}\) of Sect. 7.2 into Corollary 1 (Fig. 8).

Corollary 2

Let \(\mathcal{E}\) be the encryption scheme given by Sect. 7.2. Then \(\mathcal{E}'(\widehat{Garble1+}, \mathcal{E})\) is q-bounded KDM\(^{(\ell )}\)-secure under the DDH assumption.

Proof

From Corollary 1 and Theorem 2.    \(\square \)

Fig. 8.
figure 8

Proposed q-bounded KDM\(^{(\ell )}\) secure public-key encryption scheme \(\mathcal{E}'\).

8 Comparison

Let’s compare two q-bounded KDM\(^{(\ell )}\)-secure encryption schemes under the DDH assumption (namely, the schemes in Sects. 4.2 and 7). In both schemes, \(\mathcal{E}'_{pk}(x_1, \ldots , x_n)\) consists of \((F, Y)\), where F is a garbled circuit of ID. We compare \(Y=E_{pk}(X)\) in Tables 2 and 3.

Table 2. \(Y=E_{pk}(X)\) (1).
Table 3. \(Y=E_{pk}(X)\) (2).

Our \(\mathcal{E}\) is KDM secure w.r.t. only \(\mathcal{F}(Garble1+)\) while it must be KDM secure w.r.t. the set of all projection functions in the scheme of Bellare et al. Therefore

  • \(E_{pk}(X)\) encrypts \(g^{u_i^{x_i}}\) for \(i=1, \ldots , n\) in our scheme

  • while it must encrypt each bit of \(X_i^{x_i} \in \{0,1\}^k\) for \(i=1, \ldots , n\) in the scheme of Bellare et al.

The size of each ciphertext of BHHO encryption scheme is \(O(k^2)\) from Sect. 2.3, where \(\log p=O(k)\). Therefore

  • \(|Y|=O(k^2n)\) in our scheme and

  • \(|Y|=O(k^3n)\) in the scheme of Bellare et al.

Thus |Y| is reduced to 1 / k in our scheme.

The circuit ID has gate size \(r=q+n\) from lines 101–105 of Fig. 1. Therefore the universal circuit which realizes ID has the gate size \(O(r \log r)\) from Eq. (12). Hence \(|F|=O(kr \log r)\) in both schemes because each gate of F has size O(k). See Table 4 for the total size of ciphertexts \(|F|+|Y|\).

Table 4. Size of ciphertexts (k is the security parameter.)

When \(f(sk_1, \ldots , sk_{\ell })\) is encrypted, \(n=\max (|sk|\cdot \ell , |f(sk_1, \ldots , sk_{\ell })|)\). Suppose that \(|f(sk_1, \ldots , sk_{\ell })|=O(|sk|\cdot \ell )\) and \(q=O(n)\). Then \(n=O(|sk|\cdot \ell )=O(k\ell )\) and \(r=q+n=O(n)=O(k\ell )\).

In this case, \(O(k^2n)=O(k^3 \ell )\), \(O(k^3n)=O(k^4 \ell )\) and \(O(kr \log r)=O(k^2 \ell \log k)\) because \(n=poly(k)\). Hence the total size of ciphertexts is \(O(k^3 \ell )\) in our scheme, and \(O(k^4 \ell )\) in the scheme of Bellare et al. Thus it is k times smaller in our scheme (Table 5).

Table 5. Size of ciphertexts for \(q=O(|sk|\cdot \ell )\) and \(|f(sk_1, \ldots , sk_{\ell })|=O(|sk|\cdot \ell )\).

9 Generalization

In general, we can construct

  • a KDM secure encryption scheme w.r.t. \(\mathcal{F}(Garble1)\) from any KDM secure encryption scheme w.r.t. the set of affine functions, and

  • a KDM secure encryption scheme w.r.t. \(\mathcal{F}(Garble1+)\) from any KDM secure encryption scheme w.r.t. the set of affine in the exponent functions,

where the secret-key is viewed as a bit string. By using each of them, we can construct a bounded KDM secure encryption scheme based on Corollary 1.

If the message space of our weakly KDM secure encryption scheme is large enough, then the size of our Y is k times smaller than that of Bellare et al. [6]. In this section, we show such examples.

9.1 Symmetric-Key Encryption Scheme

Proposition 2 holds for symmetric-key encryption schemes also as stated in [6]. Similarly, our Theorem 1 and Corollary 1 hold for symmetric-key encryption schemes too. The proofs are the same.

Applebaum et al. [2] showed a symmetric-key encryption scheme which is KDM\(^{(\ell )}\) secure w.r.t. the set of affine functions (not in the exponent) under the LPN assumption. We call it ACPS encryption scheme. We can construct a bounded KDM\(^{(\ell )}\) secure symmetric-key encryption scheme under the LPN assumption as follows. We use Garble1. Then

$$ e = (X_1^0, X_1^1, \ldots , X_n^0, X_n^1), \ X = \mathsf{En}(e,x) = (X_1^{x_1}, \ldots , X_n^{x_n}), $$

where \(X_i^j \in \{0,1\}^k\), \(x=(x_1, \ldots , x_n)\) and \(x_i \in \{0,1\}\). To compute \(Y=E(X)\) at line 06 of Fig. 1 (with the symmetric key in place of pk), encrypt each \(X_i^{x_i}\) by using ACPS encryption scheme. Namely

$$ E(X)=(\mathrm{ACPS}(X_1^{x_1}), \ldots , \mathrm{ACPS}(X_n^{x_n})), $$

where \(\mathrm{ACPS}(X_i^{x_i})\) denotes an ACPS ciphertext of \(X_i^{x_i}\). Now \(X_i^{x_i}\) is written as

$$\begin{aligned} X_i^{x_i}=X_i^0 + (X_i^1-X_i^0) \times x_i. \end{aligned}$$
(11)

This means that \(X_i^{x_i}\) is an affine function of \((x_1, \ldots , x_n)\), with the arithmetic of the message space of ACPS encryption scheme. Therefore we can show that E is KDM\(^{(\ell )}\) secure w.r.t. \(\mathcal{F}(Garble1)\) by the same reduction as in the proof of Theorem 2. Hence \(\mathcal{E}'(\widehat{Garble1}, \mathcal{E})\) is q-bounded KDM\(^{(\ell )}\) secure under the LPN assumption from Corollary 1 (Fig. 9).

On the other hand, if we use Proposition 2, we must encrypt each bit of \(X_i^j\) by ACPS encryption scheme.

Fig. 9.
figure 9

Proposed q-bounded KDM\(^{(\ell )}\) secure symmetric-key encryption scheme \(\mathcal{E}'\) .

9.2 Subgroup Indistinguishability Assumptions

Brakerski and Goldwasser [3] showed a BHHO-like encryption scheme under subgroup indistinguishability assumptions. In particular, they presented a KDM secure encryption scheme with respect to the set of affine functions under Paillier’s decisional composite residuosity (DCR) assumption. In this encryption scheme, the message space is \(Z_N\), where \(N=pq\) is an RSA modulus (this p and q are unrelated to the group order and the gate count used above).

Now we can construct a bounded KDM\(^{(\ell )}\) secure public-key encryption scheme under the DCR assumption by applying our technique to this encryption scheme and Garble1.