Simulation-Based Selective Opening CCA Security for PKE from Key Encapsulation Mechanisms

We study simulation-based, selective opening security against chosen-ciphertext attacks (SIM-SO-CCA security) for public key encryption (PKE). In a selective opening, chosen-ciphertext attack (SO-CCA), an adversary has access to a decryption oracle, sees a vector of ciphertexts, adaptively chooses to open some of them, and obtains the corresponding plaintexts and random coins used in the creation of the ciphertexts. The SIM-SO-CCA notion captures the security of unopened ciphertexts with respect to probabilistic polynomial-time (ppt) SO-CCA adversaries in a semantic way: what a ppt SO-CCA adversary can compute can also be simulated by a ppt simulator with access only to the opened messages. Building on techniques used to achieve weak deniable encryption and non-committing encryption, Fehr et al. (Eurocrypt 2010) presented an approach to constructing SIM-SO-CCA secure PKE from extended hash proof systems (EHPSs), collision-resistant hash functions and an information-theoretic primitive called Cross Authentication Codes (XACs). We generalize their approach by introducing a special type of Key Encapsulation Mechanism (KEM) and using it to build SIM-SO-CCA secure PKE. We investigate what properties are needed from the KEM to achieve SIM-SO-CCA security. We also give three instantiations of our construction. The first uses hash proof systems, the second relies on the \(n\)-Linear assumption, and the third uses indistinguishability obfuscation (\(i\mathcal{O}\)) in combination with extracting, puncturable Pseudo-Random Functions in a similar way to Sahai and Waters (STOC 2014). Our results establish the existence of SIM-SO-CCA secure PKE assuming only the existence of one-way functions and \(i\mathcal{O}\). This result further highlights the simplicity and power of \(i\mathcal{O}\) in constructing different cryptographic primitives.
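
The real-world side of the SO-CCA experiment described in the abstract, as an added Python example that is not code from the paper. Textbook ElGamal over a small constructed group stands in for the PKE (it is malleable, hence not CCA secure, and only exercises the game interface); the names `so_cca_real`, `dec_oracle`, `open_oracle` and `sample_adversary`, the group parameters and the uniform message distribution are assumptions of this example.

```python
import secrets

# Toy group, constructed for illustration: order-Q subgroup of Z_P^*, P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def encrypt(pk, m, r):
    """Textbook ElGamal with the random coins r passed in explicitly."""
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def decrypt(sk, c):
    return c[1] * pow(c[0], Q - sk, P) % P   # c[0]^(-sk) when c[0] has order Q

def so_cca_real(adversary, n=4):
    """Real SO-CCA experiment: returns what the challenger and adversary produced."""
    pk, sk = keygen()
    # Message distribution: uniform over the subgroup (an assumption of this example).
    msgs = [pow(G, secrets.randbelow(Q), P) for _ in range(n)]
    coins = [secrets.randbelow(Q) for _ in range(n)]
    cts = [encrypt(pk, m, r) for m, r in zip(msgs, coins)]
    opened = set()

    def dec_oracle(c):
        if c in cts:                      # challenge ciphertexts may not be queried
            raise ValueError("decryption query on a challenge ciphertext")
        return decrypt(sk, c)

    def open_oracle(i):                   # adaptive opening: plaintext AND coins
        opened.add(i)
        return msgs[i], coins[i]

    out = adversary(pk, cts, dec_oracle, open_oracle)
    return {"msgs": msgs, "cts": cts, "opened": opened, "out": out}

def sample_adversary(pk, cts, dec_oracle, open_oracle):
    """Opens 0, then 2; checks each opening by re-encryption; makes one CCA query."""
    view = {}
    for i in (0, 2):
        m, r = open_oracle(i)
        view[i] = (m, encrypt(pk, m, r) == cts[i])
    # P - 1 lies outside the subgroup, so this probe never equals a challenge ciphertext.
    probe = encrypt(pk, P - 1, 7)
    return view, dec_oracle(probe) == P - 1
```

SIM-SO-CCA requires that whatever an adversary such as `sample_adversary` outputs could also be produced by a simulator that sees only the opened messages. Because every opened pair of message and coins must re-encrypt to a ciphertext that was fixed earlier, the game has the same flavour as the non-committing encryption techniques the abstract mentions.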