Research Article | Open Access
Efficient KDM-CCA Secure Public-Key Encryption via Auxiliary-Input Authenticated Encryption
KDM-CCA security of public-key encryption (PKE) ensures the privacy of key-dependent messages which are closely related to the secret key , where , even if the adversary is allowed to make decryption queries. In this paper, we study the design of KDM-CCA secure PKE. To this end, we develop a new primitive named Auxiliary-Input Authenticated Encryption (AIAE). For AIAE, we introduce two related-key attack (RKA) security notions, including IND-RKA and weak-INT-RKA. We present a generic construction of AIAE from tag-based hash proof system (HPS) and one-time secure authenticated encryption (AE) and give an instantiation of AIAE under the Decisional Diffie-Hellman (DDH) assumption. Using AIAE as an essential building block, we give two constructions of efficient KDM-CCA secure PKE based on the DDH and the Decisional Composite Residuosity (DCR) assumptions. Specifically, (i) our first PKE construction is the first one achieving KDM-CCA security for the set of affine functions and compactness of ciphertexts simultaneously. (ii) Our second PKE construction is the first one achieving KDM-CCA security for the set of polynomial functions and almost compactness of ciphertexts simultaneously. Our PKE constructions are very efficient; in particular, they are pairing-free and NIZK-free.
For public-key encryption (PKE) schemes, Chosen-Ciphertext Attack (CCA) security is the de facto security notion. In the CCA security model, the adversary sees the public key and gets challenge ciphertexts, which are encryptions of messages of its choices. It is also allowed to make decryption queries and obtain the decrypted messages for ciphertexts (but not the challenge ciphertexts) of its choices. CCA security considers whether the challenge ciphertexts can protect the security of messages. Observe that the adversary does not know the secret keys; thus it is not able to submit messages that are closely related to the secret keys. Thus, there is a corner that is not covered by CCA security, that is, the security of messages which are closely dependent on the secret keys. It was Goldwasser and Micali  who first pointed out this problem. In 2002, the security of such key-dependent messages (KDM) was formalized by Black et al. . Up to now, KDM-security has found many applications, such as anonymous credential systems  and hard disk encryption .
KDM-security means KDM-security for a set of functions. Loosely speaking, in the -KDM-security model, the adversary obtains public keys of users and has access to an encryption oracle. Each time, the adversary submits a function in the function set , the encryption oracle will encrypt or a dummy message (say ) and output the challenge ciphertext to the adversary. The -KDM-CPA security stipulates that the adversary cannot distinguish the two cases, and the -KDM-CCA security demands the indistinguishability of the two cases even if the adversary is also allowed to make decryption queries. KDM-CCA is obviously stronger than KDM-CPA security notion. Moreover, the KDM-security is stronger when the function set is larger.
KDM-CPA Security. In 2008, Boneh et al. (BHHO)  proposed the first KDM-CPA secure PKE construction for the affine function set , from the Decisional Diffie-Hellman (DDH) assumption. Soon after, the BHHO scheme was generalized by Brakerski and Goldwasser , who presented KDM-CPA secure PKE constructions under the Quadratic Residuosity (QR) assumption or the Decisional Composite Residuosity (DCR) assumption. However, these schemes suffer from incompact ciphertext, which contains group elements ( denotes the security parameter throughout the paper).
Brakerski et al.  provided a KDM-CPA secure PKE scheme for the polynomial function set , which contains all polynomials whose degrees are at most . The drawback of the scheme is incompact ciphertext, which contains group elements.
Barak et al.  presented a KDM-CPA secure PKE for the set of Boolean circuits whose sizes are a priori bounded, which is a very large function set. Nevertheless, their scheme is neither practical nor flexible.
In 2011, Malkin et al.  proposed the first efficient KDM-CPA secure PKE. The ciphertext of their PKE construction is almost compact and consists of only group elements.
KDM-CCA Security. The first approach to KDM-CCA security was proposed by Camenisch, Chandran, and Shoup (CCS) . The CCS approach follows the Naor-Yung paradigm , and the building blocks are a PKE scheme with CCA security, a PKE scheme with KDM-CPA security, and a noninteractive zero-knowledge (NIZK) proof system which proves that the two PKE schemes encrypt the same message.
The Groth-Sahai proofs  are the only practical NIZK. To obtain efficient KDM-CCA secure PKE, we have to employ an efficient PKE scheme with KDM-CPA security and the Groth-Sahai proofs if we follow the CCS approach . Unfortunately, the existing efficient PKE schemes with KDM-CPA security, like [6, 10], are not compatible with the Groth-Sahai proofs, since the underlying groups of their schemes are not pairing-friendly ones.
Galindo et al.  proposed a KDM-CCA secure PKE scheme from the Matrix Decisional Diffie-Hellman assumption. Their scheme enjoys compact ciphertexts, but the KDM-CCA security of their scheme is constrained (more precisely, in their KDM-CCA security model, the adversary is only allowed to have access to the encryption oracle for a number of times linear in the secret key’s size).
In order to achieve both KDM-CCA security and efficiency for PKE, Hofheinz  developed another approach, making use of a novel primitive named “lossy algebraic filter.” The PKE scheme proposed by Hofheinz enjoys the security of KDM-CCA and the compactness of ciphertexts simultaneously, but the function set is made up of constant functions and selection functions .
In fact, it is a challenging job to enlarge the KDM-CCA function set while keeping the efficiency of the PKE scheme. Recently, Lu et al.  designed the first PKE achieving both KDM-CCA security and compact ciphertexts. Their construction is referred to as the LLJ scheme in this paper. The essential building block in their scheme is “authenticated encryption” (). The so-called INT--RKA security of turns out to be critical to the KDM-CCA security of the LLJ scheme. Unfortunately, their security reduction of the INT--RKA security of to the underlying DDH assumption is flawed. Roughly speaking, the problem of their security reduction is that there is no efficient way for the DDH adversary to convert the forgery provided by the INT--RKA adversary to a decision bit for solving the DDH problem, since it has no trapdoor. See our conference version  for details. The failure of ’s INT--RKA security reduction directly affects the validity of LLJ’s KDM-CCA security proof.
To construct efficient KDM-CCA secure PKE schemes, the CCS approach  is the unique way, to the best of our knowledge. However, the only efficient KDM-CPA secure PKE  is incompatible with the Groth-Sahai NIZK proofs ; thus the CCS approach must adopt a general inefficient NIZK.
Our Contribution. In this work, we focus on the design of efficient PKE schemes possessing KDM-CCA security and KDM-CCA security, respectively.
(i) We develop a new primitive named “Auxiliary-Input Authenticated Encryption” (AIAE). We introduce new related-key attack (RKA) security notions for it, called IND--RKA and weak-INT--RKA.
(a) We show a general paradigm for constructing such an AIAE from a one-time secure AE and a tag-based hash proof system (HPS) that is , extracting, and key-homomorphic.
(b) We present an instantiation of tag-based HPS under the DDH assumption. Following our paradigm, we immediately obtain a DDH-based AIAE for the set of restricted affine functions.
(ii) Using AIAE as an essential building block, we design the first PKE scheme enjoying KDM-CCA security and compactness of ciphertexts simultaneously. Specifically, the ciphertext of our scheme contains only group elements.
(iii) Furthermore, we design the first PKE scheme enjoying KDM-CCA security and almost compactness of ciphertexts simultaneously. More precisely, the number of group elements contained in a ciphertext is independent of the security parameter .
In Table 1, we list the existing PKE schemes which either achieve KDM-CCA security or are KDM-secure for the set of polynomial functions.
Overview of Our Construction. In the construction of our KDM-CCA secure PKE schemes, we adopt a key encapsulation mechanism (KEM) + data encapsulation mechanism (DEM) approach and employ three building blocks: KEM, , and AIAE, as shown in Figure 1.
(i) KEM and share the same pair of public and secret keys.
(ii) A key k is encapsulated by KEM.Encrypt, and an encapsulation kem.c is generated by KEM.Encrypt along the way.
(iii) The message is encrypted by Encrypt, and the resulting -ciphertext is c.
(iv) The key k generated by KEM is used by AIAE.Encrypt to encrypt c with auxiliary input .c, and the resulting AIAE-ciphertext is aiae.c.
(v) The ciphertext of our PKE scheme is (kem.c, aiae.c).
Following this approach, we design KDM-CCA and KDM-CCA secure PKE schemes, respectively, by constructing specific building blocks.
Differences to Conference Version. This paper constitutes an extended full version of . The new results in this paper are as follows.
(i) In contrast to presenting a concrete construction of AIAE in the conference paper, we give a general paradigm for constructing AIAE from a one-time secure authenticated encryption (AE) and a tag-based hash proof system (HPS) in this paper.
(a) In Section 3.2, we show that the resulting AIAE is IND-RKA secure and weak-INT-RKA secure, as long as the underlying tag-based HPS is , extracting, and key-homomorphic.
(b) In Section 3.3, we give an instantiation of tag-based HPS based on the DDH assumption. Following our paradigm, we obtain a DDH-based AIAE scheme in Section 3.4. We view the specific AIAE proposed in the conference paper as an instantiation of the general paradigm presented in this paper.
(ii) In this paper, we provide the full proofs of the theorems regarding the KDM-CCA security and KDM-CCA security of our PKEs. Compared with the conference paper, we add the proofs of Lemmas 16, 18, 25, 26, and 29, and the proof of indistinguishability between Hybrids 2 and 3 in Section 5.3.
Throughout this paper, denote by the security parameter. means choosing an element from set uniformly. means executing algorithm with input and randomness and assigning output to . We sometimes abbreviate this to . “PPT” is short for probabilistic polynomial-time. For integers , we denote and . For a security notion and a primitive , the advantage of a PPT adversary is typically denoted by and we denote . Let negl denote an unspecified negligible function.
Games. We will use games in our security definitions and proofs. Typically, a game G begins with an INITIALIZE procedure and ends with a FINALIZE procedure. In the game, there might be other procedures which perform as oracles. All procedures are presented with pseudocode, all sets are initialized as empty sets, and all variables are initialized as empty strings. In the execution of a game G with an adversary , firstly calls INITIALIZE and obtains its output; then makes arbitrary oracle queries to according to their specifications and obtains their outputs; finally calls FINALIZE. In the end of the execution, if FINALIZE outputs , then we write this as . The statement means that, in game G, is computed as or equals .
2.1. Public-Key Encryption
There are four PPT algorithms in a public-key encryption (PKE) scheme:
(i) ParGen outputs a public parameter pars. We assume that pars implicitly defines a secret key space and a message space .
(ii) KeyGen(pars) takes pars as input and outputs a public key pk and a secret key sk.
(iii) Encrypt takes pk and a message as input and outputs a ciphertext pke.c.
(iv) Decrypt takes sk and a ciphertext pke.c as input and outputs either a message or a symbol indicating the failure of the decryption.
We require PKE to have perfect correctness; that is, for all possible and all , we have
Definition 1 (KDM-CCA security). Let and let denote a set of functions from to . A scheme PKE is -KDM-CCA secure, if for any PPT adversary , we have , where -- is the security game shown in Figure 2.
2.2. Authenticated Encryption
There are three PPT algorithms in an authenticated encryption (AE) scheme:
(i) generates a system parameter . We require to be an implicit input to other algorithms and assume that implicitly defines a key space and a message space .
(ii) takes a key and a message as input and outputs a ciphertext ae.c.
(iii) takes a key and a ciphertext as input and outputs a message or a symbol .
We require AE to have perfect correctness; that is, for all possible , all keys , and all ,
Definition 2 (one-time security). A scheme AE is one-time secure (OT-secure), that is, IND-OT and INT-OT secure, if for any PPT , both and , where IND-OT and INT-OT are the security games presented in Figure 3.
2.3. Key Encapsulation Mechanism
There are three PPT algorithms in a key encapsulation mechanism (KEM):
(i) generates a public key pk and a secret key sk.
(ii) takes as input and outputs a key together with a ciphertext kem.c.
(iii) takes and a ciphertext kem.c as input and outputs either a key or a symbol .
We require to have perfect correctness; that is, for all possible , we have
2.4. Tag-Based Hash Proof System: Universal2, Extracting, and Key-Homomorphism
Definition 3 (tag-based hash proof system). A tag-based hash proof system is comprised of three PPT algorithms:
(i) outputs a parameterized instance , which implicitly defines , , where are all finite sets with , is a set of hash functions indexed by , and is a function. We assume that is efficiently computable, and there are PPT algorithms sampling uniformly, sampling uniformly, sampling uniformly with a witness , and checking membership in .
(ii) takes a projection key , an element with a witness , and a tag as input and outputs a hash value .
(iii) takes a hashing key , an element , and a tag as input and outputs a hash value without knowing a witness.
We require to be projective; that is, for all , all and , all with all witnesses and all , it holds that
Tag-based HPS is associated with a subset membership problem. Informally speaking, it asks to distinguish the uniform distribution over from the uniform distribution over .
Definition 4 (SMP). The Subset Membership Problem (SMP) related to is hard, if for any PPT adversary , one has where , , and .
Definition 5 (universal2). is called (strongly) , if for all possible , all , all , all , all with , and all , it holds thatwhere the probability is over .
The key difference between tag-based HPS and extended HPS lies in the definition of the property . Extended HPS requires (6) to hold for , while tag-based HPS requires (6) to hold only for . Hence, any () extended HPS is also a () tag-based HPS, but not vice versa. Tag-based HPS is essentially a weaker variant of extended HPS and admits more efficient constructions.
Dodis et al.  defined an extracting property for extended HPS, which requires the hash value to be uniformly distributed over for any and , as long as is randomly chosen from . Besides, Xagawa  considered a key-homomorphic property for extended HPS, which stipulates that holds for any , , and . Here we adapt these notions to tag-based HPS.
Definition 6 (extracting). is called extracting, if for all , all , all , and all , it holds that where .
Definition 7 (key-homomorphism). is called key-homomorphic, if for all , which defines , one has the following:
(i) Both and are groups.
(ii) For all and all , the mapping is a group homomorphism. That is, for all and all , it holds that
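To make the projective property of Definition 3 and the key-homomorphism of Definition 7 concrete, the following added example (not code from the paper, and not its Section 3.3 instantiation, which is not reproduced on this page) checks both properties on the classical Cramer-Shoup style DDH hash proof, written in tag-based form. The group (p = 1019, q = 509, generators g1 = 4 and g2 = 9), the hashing key layout hk = (x1, x2, y1, y2), and the projection key pk = (g1^x1 g2^x2, g1^y1 g2^y2) are assumptions made for illustration; the language L consists of pairs (g1^w, g2^w) with witness w.

```python
import secrets

# Constructed toy group for illustration only: p = 2q + 1 with p = 1019 and q = 509 prime.
# g1 = 4 and g2 = 9 are squares mod p, so both lie in the order-q subgroup.
P, Q = 1019, 509
G1, G2 = 4, 9


def sample_language_element():
    """Sample (u1, u2) = (g1^w, g2^w) from the language L together with its witness w."""
    w = secrets.randbelow(Q - 1) + 1
    return (pow(G1, w, P), pow(G2, w, P)), w


def sample_non_language_element():
    """Sample (g1^w, g2^w') with w != w', i.e. an element of X outside L."""
    w = secrets.randbelow(Q - 1) + 1
    w2 = w + 1 if w < Q - 1 else 1
    return (pow(G1, w, P), pow(G2, w2, P)), w


def keygen():
    """Hashing key hk = (x1, x2, y1, y2); projection key pk = (g1^x1 g2^x2, g1^y1 g2^y2) (assumed layout)."""
    hk = tuple(secrets.randbelow(Q) for _ in range(4))
    x1, x2, y1, y2 = hk
    pk = (pow(G1, x1, P) * pow(G2, x2, P) % P, pow(G1, y1, P) * pow(G2, y2, P) % P)
    return hk, pk


def priv(hk, u, tag):
    """Priv(hk, u, t) = u1^(x1 + t*y1) * u2^(x2 + t*y2), computed from the hashing key alone."""
    x1, x2, y1, y2 = hk
    u1, u2 = u
    return pow(u1, (x1 + tag * y1) % Q, P) * pow(u2, (x2 + tag * y2) % Q, P) % P


def pub(pk, w, tag):
    """Pub(pk, u, w, t) = (pk1 * pk2^t)^w, computed from the projection key and the witness w."""
    pk1, pk2 = pk
    return pow(pk1 * pow(pk2, tag, P) % P, w, P)


def add_keys(hk_a, hk_b):
    """Group operation on hashing keys: componentwise addition in Z_q."""
    return tuple((a + b) % Q for a, b in zip(hk_a, hk_b))


def projective_holds(trials=20):
    """Definition 3: for u in L with witness w, Pub(pk, u, w, t) equals Priv(hk, u, t)."""
    for _ in range(trials):
        hk, pk = keygen()
        u, w = sample_language_element()
        tag = secrets.randbelow(Q)
        if pub(pk, w, tag) != priv(hk, u, tag):
            return False
    return True


def key_homomorphic_holds(trials=20):
    """Definition 7: Priv(hk + hk', u, t) equals Priv(hk, u, t) * Priv(hk', u, t) for u in L and outside L."""
    for _ in range(trials):
        hk_a, _ = keygen()
        hk_b, _ = keygen()
        tag = secrets.randbelow(Q)
        for u in (sample_language_element()[0], sample_non_language_element()[0]):
            if priv(add_keys(hk_a, hk_b), u, tag) != priv(hk_a, u, tag) * priv(hk_b, u, tag) % P:
                return False
    return True
```

Projectivity only needs to hold on L, so the check samples from L with its witness, whereas key-homomorphism is checked on elements both inside and outside L, as Definition 7 quantifies over all of the element set.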
2.5. DCR, DDH, DL, and IVd Assumptions
Suppose that is a PPT algorithm generating , where , are safe primes of -bit, , and is a prime. We define the following:
(i) .
Then is a cyclic group of order . For and , we define
(i) ,
(ii) ,
(iii) .
Then is a cyclic group of order , and , where represents the internal direct product.
Damgård and Jurik  showed that the discrete logarithm of an element can be efficiently computed from and . Observe that ; thus for any , we have and
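As an added example (not the paper's own code) of the Damgård-Jurik observation above, the block below computes the discrete logarithm of an element of the subgroup generated by T = 1 + N in the group of units modulo N^2, using the identity (1 + N)^m = 1 + mN (mod N^2), and checks the orders that underlie the internal direct product decomposition. The choice T = 1 + N and the toy safe primes p = 23, q = 47 are assumptions made for illustration.

```python
from math import gcd
import secrets

# Constructed toy parameters: p = 23 and q = 47 are small safe primes (p = 2*11+1, q = 2*23+1).
# The paper's setting uses safe primes of security-parameter size; these are for illustration only.
P, Q_ = 23, 47
N = P * Q_            # N = 1081
N2 = N * N
PHI_N = (P - 1) * (Q_ - 1)
T = 1 + N             # assumed generator T = 1 + N of the order-N subgroup (Damgård-Jurik)


def t_power(m):
    """T^m mod N^2, the element whose discrete logarithm base T we want to recover."""
    return pow(T, m, N2)


def dlog_base_t(y):
    """Recover m from y = T^m mod N^2 via (1+N)^m = 1 + mN (mod N^2); reject elements outside <T>."""
    if (y - 1) % N != 0:
        raise ValueError("element is not a power of T = 1 + N")
    return ((y - 1) // N) % N


def nth_residue(x):
    """Map x in Z*_{N^2} to the N-th residue x^N mod N^2, an element of the order-phi(N) subgroup."""
    return pow(x, N, N2)


def order_checks():
    """T has order N, and every N-th residue has order dividing phi(N), matching the direct product."""
    x = secrets.randbelow(N2 - 2) + 2
    while gcd(x, N) != 1:
        x = secrets.randbelow(N2 - 2) + 2
    return pow(T, N, N2) == 1 and pow(nth_residue(x), PHI_N, N2) == 1
```

The logarithm is recovered by a single integer division, which is why the DCR-based constructions can decode messages placed in the exponent of T without any exhaustive search.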
Definition 8 (DCR assumption). The Decisional Composite Residuosity (DCR) assumption holds for and , if for any PPT , it holds thatwhere , , and .
Definition 9 (IVd assumption). The assumption holds for and , if for any PPT , it holds thatwhere , , , and is allowed to query the oracle adaptively. Each time, can submit to the oracle, and selects randomly: if , the oracle outputs to ; otherwise it outputs to , where .
Definition 10 (DDH assumption). The DDH assumption holds for and , if for any PPT , it holds thatwhere , , .
Definition 11 (DL assumption). The Discrete Logarithm (DL) assumption holds for and , if for any PPT , it holds thatwhere , , .
2.6. Collision-Resistant Hashing
Definition 12 (collision-resistant hashing). Let be a set of hash functions. is said to be collision-resistant, if for any PPT , one has
3. Auxiliary-Input Authenticated Encryption
Our PKE constructions in Sections 4 and 5 will resort to a new primitive AIAE. To serve the KDM-CCA security of our PKE construction in Figure 1, our AIAE should satisfy the following properties.
(i) AIAE must take an auxiliary input ai in both the encryption and decryption algorithms.
(ii) AIAE must have IND--RKA security and weak-INT--RKA security. Compared to the INT--RKA security proposed in , the weak-INT--RKA security imposes a special rule to determine whether the adversary’s forgery is successful or not.
In the following, we present the syntax of AIAE and define its IND--RKA Security and Weak-INT--RKA Security. We also show a general paradigm of AIAE from tag-based HPS and give an instantiation of AIAE under the DDH assumption.
3.1. Auxiliary-Input Authenticated Encryption
Definition 13 (AIAE). There are three PPT algorithms in an AIAE scheme:
(i) The parameter generation algorithm generates a system parameter . We require to be an implicit input to other algorithms and assume that implicitly defines a key space , a message space , and an auxiliary-input space .
(ii) The encryption algorithm takes a key , a message , and an auxiliary input as input and outputs a ciphertext .
(iii) The decryption algorithm takes a key , a ciphertext , and an auxiliary input as input and outputs a message or a symbol .
We require to have perfect correctness; that is, for all possible , all keys , all messages , and all auxiliary-inputs ,
In fact, AIAE is a generalization of traditional AE, and traditional AE can be viewed as AIAE with .
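The following added example (illustrative code, not the paper's Figure 5 construction or any scheme from the paper) puts the AIAE syntax of Definition 13 and the KEM + DEM overview from the introduction into one runnable composition: a toy KEM and a toy encryption scheme share one key pair, the KEM key encrypts the inner ciphertext under an AIAE whose auxiliary input is bound into the authentication tag, and the PKE ciphertext is (kem.c, aiae.c). It also shows the remark above, that a traditional AE is an AIAE with an empty auxiliary input. Everything is an assumption for illustration: the group (p = 1019, q = 509, g = 4), the hashed-ElGamal stand-in for the second scheme, the encrypt-then-MAC AIAE built from SHA-256 and HMAC, and the choice of kem.c as the auxiliary input.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only: p = 2q + 1 with p = 1019, q = 509 both prime;
# g = 4 generates the order-q subgroup. Real deployments use cryptographic-size groups.
P, Q, G = 1019, 509, 4


def _h(label: bytes, *parts: bytes) -> bytes:
    """Domain-separated, length-prefixed SHA-256 used to derive keys and keystreams."""
    d = hashlib.sha256(label)
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()


def _elem(x: int) -> bytes:
    return x.to_bytes(2, "big")  # group elements are below 2^16 in this toy group


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """One-time XOR with a SHA-256 counter keystream (illustrative, not a vetted cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _h(b"stream", key, i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# --- KEM and the second encryption scheme share one key pair (pk, sk), as in the overview ---
def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def kem_encrypt(pk: int):
    """Encapsulate a fresh AIAE key k; kem.c = g^r is the encapsulation."""
    r = secrets.randbelow(Q - 1) + 1
    return _h(b"kem", _elem(pow(pk, r, P))), pow(G, r, P)


def kem_decrypt(sk: int, kem_c: int) -> bytes:
    return _h(b"kem", _elem(pow(kem_c, sk, P)))


def e_encrypt(pk: int, m: bytes):
    """Hashed-ElGamal stand-in for the second scheme (assumed; the paper's own scheme differs)."""
    s = secrets.randbelow(Q - 1) + 1
    return pow(G, s, P), _xor_stream(_h(b"e", _elem(pow(pk, s, P))), m)


def e_decrypt(sk: int, c) -> bytes:
    c1, c2 = c
    return _xor_stream(_h(b"e", _elem(pow(c1, sk, P))), c2)


# --- AIAE: encrypt-then-MAC where the auxiliary input ai is bound into the tag ---
def aiae_encrypt(k: bytes, m: bytes, ai: bytes = b"") -> bytes:
    ct = _xor_stream(_h(b"enc", k), m)
    tag = hmac.new(_h(b"mac", k), _h(b"ad", ai, ct), hashlib.sha256).digest()
    return ct + tag


def aiae_decrypt(k: bytes, aiae_c: bytes, ai: bytes = b""):
    ct, tag = aiae_c[:-32], aiae_c[-32:]
    expect = hmac.new(_h(b"mac", k), _h(b"ad", ai, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # the failure symbol: tag or auxiliary input does not match
    return _xor_stream(_h(b"enc", k), ct)


# --- PKE ciphertext (kem.c, aiae.c), following steps (i)-(v) of the overview ---
def pke_encrypt(pk: int, m: bytes):
    k, kem_c = kem_encrypt(pk)
    c1, c2 = e_encrypt(pk, m)
    aiae_c = aiae_encrypt(k, _elem(c1) + c2, ai=_elem(kem_c))  # ai assumed to be kem.c
    return kem_c, aiae_c


def pke_decrypt(sk: int, pke_c):
    kem_c, aiae_c = pke_c
    inner = aiae_decrypt(kem_decrypt(sk, kem_c), aiae_c, ai=_elem(kem_c))
    if inner is None:
        return None
    return e_decrypt(sk, (int.from_bytes(inner[:2], "big"), inner[2:]))


def roundtrip_ok(m: bytes = b"constructed sample message") -> bool:
    pk, sk = keygen()
    return pke_decrypt(sk, pke_encrypt(pk, m)) == m


def mismatched_ai_rejected() -> bool:
    """Decrypting the AIAE part under a different auxiliary input must fail."""
    k = secrets.token_bytes(32)
    c = aiae_encrypt(k, b"payload", ai=b"kem.c #1")
    return aiae_decrypt(k, c, ai=b"kem.c #2") is None and aiae_decrypt(k, c, ai=b"kem.c #1") == b"payload"
```

Binding kem.c into the AIAE tag is what lets the decryption oracle reject a ciphertext whose encapsulation was swapped while its aiae.c part was kept, which is the role the auxiliary input plays in the overview.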
Definition 14 (RKA security). Denote by a set of functions from to . A scheme is IND--RKA secure and weak-INT--RKA secure, if for any PPT , where IND--RKA and weak-INT--RKA are the security games presented in Figure 4.
3.2. Generic Construction of AIAE from Tag-Based HPS and OT-Secure AE
Our construction of AIAE needs the following ingredients.
(i) A tag-based hash proof system , where the hash value space is , the tag space is , and the hashing key space is .
(ii) A (traditional) authenticated encryption scheme , where the message space is and the key space is .
(iii) A set of hash functions .
We present our AIAE construction in Figure 5, whose key space is , message space is , and auxiliary-input space is .
By the perfect correctness of , it is routine to check that has perfect correctness.
Theorem 15. If (i) is , extracting, key-homomorphic and has a hard subset membership problem, (ii) is one-time secure, and (iii) is collision-resistant, then the scheme AIAE in Figure 5 is IND--RKA and weak-INT--RKA secure. Here is the set of restricted affine functions.
Proof of Theorem 15 (IND--RKA Security). Denote by a PPT adversary who is against the IND--RKA security and queries ENCRYPT oracle for at most times. We show the IND--RKA security through a series of games. For an event , we denote by , , and the probability of occurring in games , , and , respectively.
Game . It is the original IND--RKA game. Denote the event by Succ. According to the definition, .
As for the th () ENCRYPT query , where , the challenger prepares the challenge ciphertext as follows:
(i) pick together with witness ,
(ii) compute ,
(iii) compute ,
(iv) invoke ,
and it outputs the challenge ciphertext to .
Game , . It is identical to , except that, for the first times of ENCRYPT queries, that is, , the challenger chooses randomly for the scheme.
Clearly is identical to ; thus .
Game , . It is identical to , except that, for the th ENCRYPT query, the challenger samples uniformly.
The difference between and lies in the distribution of . In game , is uniformly chosen from ; in game , is uniformly chosen from . Any difference between and results in a PPT adversary solving the subset membership problem related to THPS; thus we have that
Game , . It is identical to , except that, for the th ENCRYPT query, the challenger chooses randomly.
Lemma 16. For all , .
Proof. For game and game , the difference between them lies in the computation of in the th ENCRYPT query. In , is properly computed, while in , it is chosen from uniformly.
We analyze the information about the key hk that is used in game .
(i) For the th () query, ENCRYPT does not use hk at all since is randomly chosen from .
(ii) For the th () query, ENCRYPT can use to compute :
(iii) For the th query, ENCRYPT uses to compute :
Since , by the property of THPS, is uniformly distributed over conditioned on . Then as long as , is also randomly distributed over . Consequently, is essentially the same as , and .
Now, we show that game is computationally indistinguishable from game , . Note that the divergence between and lies in the distribution of in the th ENCRYPT query. In game , is uniformly chosen from ; in game , is uniformly chosen from . Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that
Game . It is identical to , except that when answering ENCRYPT queries, the challenger invokes .
In game , the challenger computes ; in game , the challenger computes . Since each is chosen from uniformly at random, , by a standard hybrid argument, any difference between and results in a PPT adversary against the IND-OT security of , so that .
Finally, in game , the challenge ciphertexts are encryptions of , so is perfectly hidden from . Hence .
Summing up, we proved the IND--RKA security.
This completes the proof of Theorem 15 (IND-