Security and Communication Networks

Volume 2017 (2017), Article ID 2148534, 27 pages

https://doi.org/10.1155/2017/2148534

## Efficient KDM-CCA Secure Public-Key Encryption via Auxiliary-Input Authenticated Encryption

^{1}Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China^{2}State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China^{3}Westone Cryptologic Research Center, Beijing 100070, China

Correspondence should be addressed to Shengli Liu

Received 1 April 2017; Revised 13 June 2017; Accepted 6 July 2017; Published 11 December 2017

Academic Editor: Muhammad Khurram Khan

Copyright © 2017 Shuai Han et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

KDM-CCA security of public-key encryption (PKE) ensures the privacy of key-dependent messages which are closely related to the secret key , where , even if the adversary is allowed to make decryption queries. In this paper, we study the design of KDM-CCA secure PKE. To this end, we develop a new primitive named* Auxiliary-Input Authenticated Encryption* (AIAE). For AIAE, we introduce two related-key attack (RKA) security notions, including* IND-RKA* and* weak-INT-RKA*. We present a generic construction of AIAE from tag-based hash proof system (HPS) and one-time secure authenticated encryption (AE) and give an instantiation of AIAE under the Decisional Diffie-Hellman (DDH) assumption. Using AIAE as an essential building block, we give two constructions of efficient KDM-CCA secure PKE based on the DDH and the Decisional Composite Residuosity (DCR) assumptions. Specifically, (i) our first PKE construction is the first one achieving KDM-CCA security for the set of affine functions and compactness of ciphertexts simultaneously. (ii) Our second PKE construction is the first one achieving KDM-CCA security for the set of polynomial functions and almost compactness of ciphertexts simultaneously. Our PKE constructions are very efficient; in particular, they are pairing-free and NIZK-free.

#### 1. Introduction

For public-key encryption (PKE) schemes, Chosen-Ciphertext Attack (CCA) security is the de facto security notion. In the CCA security model, the adversary sees the public key and gets challenge ciphertexts, which are encryptions of messages of its choices. It is also allowed to make decryption queries and obtain the decrypted messages for ciphertexts (but not the challenge ciphertexts) of its choices. CCA security considers whether the challenge ciphertexts can protect the security of messages. Observe that the adversary does not know the secret keys; thus it is not able to submit messages that are closely related to the secret keys. Thus, there is a corner that is not covered by CCA security, that is, the security of messages which are closely dependent on the secret keys. It was Goldwasser and Micali [1] who first pointed out this problem. In 2002, the security of such key-dependent messages (KDM) was formalized by Black et al. [2]. Up to now, KDM-security has found many applications, such as anonymous credential systems [3] and hard disk encryption [4].

KDM-security means KDM-security for a set of functions. Loosely speaking, in the -KDM-security model, the adversary obtains public keys of users and has access to an encryption oracle. Each time, the adversary submits a function in the function set , the encryption oracle will encrypt or a dummy message (say ) and output the challenge ciphertext to the adversary. The -KDM-CPA security stipulates that the adversary cannot distinguish the two cases, and the -KDM-CCA security demands the indistinguishability of the two cases even if the adversary is also allowed to make decryption queries. KDM-CCA is obviously stronger than KDM-CPA security notion. Moreover, the KDM-security is stronger when the function set is larger.

*KDM**-CPA Security*. In 2008, Boneh et al. (BHHO) [4] proposed the first KDM-CPA secure PKE construction for the affine function set , from the Decisional Diffie-Hellman (DDH) assumption. Soon after, the BHHO scheme was generalized by Brakerski and Goldwasser [5], who presented KDM-CPA secure PKE constructions under the Quadratic Residuosity (QR) assumption or the Decisional Composite Residuosity (DCR) assumption. However, these schemes suffer from incompact ciphertext, which contains group elements ( denotes the security parameter throughout the paper).

Applebaum et al. [6] proved that a variant of the Regev scheme [7] is KDM-CPA secure and enjoys compact ciphertexts, that is, encompassing only group elements.

Brakerski et al. [8] provided a KDM-CPA secure PKE scheme for the polynomial function set , which contains all polynomials whose degrees are at most . The drawback of the scheme is incompact ciphertext, which contains group elements.

Barak et al. [9] presented a KDM-CPA secure PKE for the set of Boolean circuits whose sizes are a priori bounded, which is a very large function set. Nevertheless, their scheme is neither practical nor flexible.

In 2011, Malkin et al. [10] proposed the first efficient KDM-CPA secure PKE. The ciphertext of their PKE construction is almost compact and consists of only group elements.

*KDM**-CCA Security*. The first approach to KDM-CCA security was proposed by Camenisch, Chandran, and Shoup (CCS) [11]. The CCS approach follows the Naor-Yung paradigm [12], and the building blocks are a PKE scheme with CCA security, a PKE scheme with KDM-CPA security, and a noninteractive zero-knowledge (NIZK) proof system which proves that the two PKE schemes encrypt the same message.

The Groth-Sahai proofs [13] are the only practical NIZK. To obtain efficient KDM-CCA secure PKE, we have to employ an efficient PKE scheme with KDM-CPA security and the Groth-Sahai proofs if we follow the CCS approach [11]. Unfortunately, the existing efficient PKE schemes with KDM-CPA security, like [6, 10], are not compatible with the Groth-Sahai proofs, since the underlying groups of their schemes are not pairing-friendly ones.

Galindo et al. [14] proposed a KDM-CCA secure PKE scheme from the Matrix Decisional Diffie-Hellman assumption. Their scheme enjoys compact ciphertexts, but the KDM-CCA security of their scheme is constrained (more precisely, in their KDM-CCA security model, the adversary is only allowed to have access to the encryption oracle for a number of times linear in the secret key’s size).

In order to achieve both KDM-CCA security and efficiency for PKE, Hofheinz [15] developed another approach, making use of a novel primitive named “lossy algebraic filter.” The PKE scheme proposed by Hofheinz enjoys the security of KDM-CCA and the compactness of ciphertexts simultaneously, but the function set is made up of constant functions and selection functions .

In fact, it is a challenging job to enlarge the KDM-CCA function set while keeping the efficiency of the PKE scheme. Recently, Lu et al. [16] designed the first PKE achieving both KDM-CCA security and compact ciphertexts. Their construction is referred to as the LLJ scheme in this paper. The essential building block in their scheme is “authenticated encryption” (). The so-called INT--RKA security of turns out to be critical to the KDM-CCA security of the LLJ scheme. Unfortunately, their security reduction of the INT--RKA security of to the underlying DDH assumption is flawed. Roughly speaking, the problem of their security reduction is that there is no efficient way for the DDH adversary to convert the forgery provided by the INT--RKA adversary to a decision bit for solving the DDH problem, since it has no trapdoor. See our conference version [17] for details. The failure of ’s INT--RKA security reduction directly affects the validity of LLJ’s KDM-CCA security proof.

To construct efficient KDM-CCA secure PKE schemes, the CCS approach [11] is the unique way, to the best of our knowledge. However, the only efficient KDM-CPA secure PKE [10] is incompatible with the Groth-Sahai NIZK proofs [13]; thus the CCS approach must adopt a general inefficient NIZK.

*Our Contribution*. In this work, we focus on the design of efficient PKE schemes possessing KDM-CCA security and KDM-CCA security, respectively.(i)We develop a new primitive named* “Auxiliary-Input Authenticated Encryption”* (AIAE). We introduce new related-key attack (RKA) security notions for it, called* IND-**-RKA* and* weak-INT-**-RKA*.(a)We show a general paradigm for constructing such an AIAE from a one-time secure AE and a* tag-based hash proof system* (HPS) that is , extracting, and key-homomorphic.(b)We present an instantiation of tag-based HPS under the DDH assumption. Following our paradigm, we immediately obtain a DDH-based AIAE for the set of restricted affine functions.(ii)Using AIAE as an essential building block, we design the first PKE scheme enjoying KDM-CCA security and compactness of ciphertexts simultaneously. Specifically, the ciphertext of our scheme contains only group elements.(iii)Furthermore, we design the first PKE scheme enjoying KDM-CCA security and almost compactness of ciphertexts simultaneously. More precisely, the number of group elements contained in a ciphertext is independent of the security parameter .

In Table 1, we list the existing PKE schemes which either achieve KDM-CCA security or are KDM-secure for the set of polynomial functions.