#### Abstract

KDM-CCA security of public-key encryption (PKE) ensures the privacy of key-dependent messages which are closely related to the secret key , where , even if the adversary is allowed to make decryption queries. In this paper, we study the design of KDM-CCA secure PKE. To this end, we develop a new primitive named *Auxiliary-Input Authenticated Encryption* (AIAE). For AIAE, we introduce two related-key attack (RKA) security notions, *IND-RKA* and *weak-INT-RKA*. We present a generic construction of AIAE from tag-based hash proof system (HPS) and one-time secure authenticated encryption (AE) and give an instantiation of AIAE under the Decisional Diffie-Hellman (DDH) assumption. Using AIAE as an essential building block, we give two constructions of efficient KDM-CCA secure PKE based on the DDH and the Decisional Composite Residuosity (DCR) assumptions. Specifically, (i) our first PKE construction is the first one achieving KDM-CCA security for the set of affine functions and compactness of ciphertexts simultaneously. (ii) Our second PKE construction is the first one achieving KDM-CCA security for the set of polynomial functions and almost compactness of ciphertexts simultaneously. Our PKE constructions are very efficient; in particular, they are pairing-free and NIZK-free.

#### 1. Introduction

For public-key encryption (PKE) schemes, Chosen-Ciphertext Attack (CCA) security is the de facto security notion. In the CCA security model, the adversary sees the public key and gets challenge ciphertexts, which are encryptions of messages of its choice. It is also allowed to make decryption queries and obtain the decrypted messages for ciphertexts (other than the challenge ciphertexts) of its choice. CCA security asks whether the challenge ciphertexts protect the confidentiality of the encrypted messages. Since the adversary does not know the secret keys, it cannot submit messages that depend on them, so CCA security leaves one corner uncovered: the security of messages that depend on the secret keys. It was Goldwasser and Micali [1] who first pointed out this problem. In 2002, the security of such key-dependent messages (KDM) was formalized by Black et al. [2]. Up to now, KDM-security has found many applications, such as anonymous credential systems [3] and hard disk encryption [4].

KDM-security is always defined relative to a set of functions. Loosely speaking, in the -KDM-security model, the adversary obtains public keys of users and has access to an encryption oracle. Each time the adversary submits a function in the function set , the encryption oracle encrypts either or a dummy message (say ) and outputs the challenge ciphertext to the adversary. The -KDM-CPA security stipulates that the adversary cannot distinguish the two cases, and the -KDM-CCA security demands the indistinguishability of the two cases even if the adversary is also allowed to make decryption queries. KDM-CCA security is obviously stronger than KDM-CPA security. Moreover, KDM-security becomes stronger as the function set grows.

*KDM-CPA Security*. In 2008, Boneh et al. (BHHO) [4] proposed the first KDM-CPA secure PKE construction for the affine function set , from the Decisional Diffie-Hellman (DDH) assumption. Soon after, the BHHO scheme was generalized by Brakerski and Goldwasser [5], who presented KDM-CPA secure PKE constructions under the Quadratic Residuosity (QR) assumption or the Decisional Composite Residuosity (DCR) assumption. However, these schemes suffer from incompact ciphertexts, which contain group elements ( denotes the security parameter throughout the paper).

Applebaum et al. [6] proved that a variant of the Regev scheme [7] is KDM-CPA secure and enjoys compact ciphertexts; that is, a ciphertext contains only group elements.

Brakerski et al. [8] provided a KDM-CPA secure PKE scheme for the polynomial function set , which contains all polynomials whose degrees are at most . The drawback of the scheme is incompact ciphertext, which contains group elements.

Barak et al. [9] presented a KDM-CPA secure PKE for the set of Boolean circuits whose sizes are a priori bounded, which is a very large function set. Nevertheless, their scheme is neither practical nor flexible.

In 2011, Malkin et al. [10] proposed the first efficient KDM-CPA secure PKE. The ciphertext of their PKE construction is almost compact and consists of only group elements.

*KDM-CCA Security*. The first approach to KDM-CCA security was proposed by Camenisch, Chandran, and Shoup (CCS) [11]. The CCS approach follows the Naor-Yung paradigm [12], and the building blocks are a PKE scheme with CCA security, a PKE scheme with KDM-CPA security, and a noninteractive zero-knowledge (NIZK) proof system which proves that the two PKE schemes encrypt the same message.

The Groth-Sahai proofs [13] are the only practical NIZK proofs known. To obtain an efficient KDM-CCA secure PKE via the CCS approach [11], one therefore has to combine an efficient KDM-CPA secure PKE scheme with the Groth-Sahai proofs. Unfortunately, the existing efficient KDM-CPA secure PKE schemes, like [6, 10], are not compatible with the Groth-Sahai proofs, since their underlying groups are not pairing-friendly.

Galindo et al. [14] proposed a KDM-CCA secure PKE scheme from the Matrix Decisional Diffie-Hellman assumption. Their scheme enjoys compact ciphertexts, but the KDM-CCA security of their scheme is constrained (more precisely, in their KDM-CCA security model, the adversary is only allowed to have access to the encryption oracle for a number of times linear in the secret key’s size).

In order to achieve both KDM-CCA security and efficiency for PKE, Hofheinz [15] developed another approach, making use of a novel primitive named “lossy algebraic filter.” The PKE scheme proposed by Hofheinz enjoys the security of KDM-CCA and the compactness of ciphertexts simultaneously, but the function set is made up of constant functions and selection functions .

Enlarging the KDM-CCA function set while keeping the PKE scheme efficient is a challenging task. Recently, Lu et al. [16] designed the first PKE achieving both KDM-CCA security and compact ciphertexts. Their construction is referred to as the LLJ scheme in this paper. The essential building block in their scheme is “authenticated encryption” (). The so-called INT--RKA security of turns out to be critical to the KDM-CCA security of the LLJ scheme. Unfortunately, their security reduction of the INT--RKA security of to the underlying DDH assumption is flawed. Roughly speaking, the problem with their reduction is that the DDH adversary has no efficient way to convert the forgery provided by the INT--RKA adversary into a decision bit for the DDH problem, since it holds no trapdoor. See our conference version [17] for details. The failure of ’s INT--RKA security reduction directly affects the validity of LLJ’s KDM-CCA security proof.

To construct efficient KDM-CCA secure PKE schemes, the CCS approach [11] is the only way we are aware of. However, the only efficient KDM-CPA secure PKE [10] is incompatible with the Groth-Sahai NIZK proofs [13]; thus the CCS approach must adopt a general, inefficient NIZK.

*Our Contribution*. In this work, we focus on the design of efficient PKE schemes possessing KDM-CCA security and KDM-CCA security, respectively.

(i) We develop a new primitive named *“Auxiliary-Input Authenticated Encryption”* (AIAE). We introduce new related-key attack (RKA) security notions for it, called *IND--RKA* and *weak-INT--RKA*.

(a) We show a general paradigm for constructing such an AIAE from a one-time secure AE and a *tag-based hash proof system* (HPS) that is , extracting, and key-homomorphic.

(b) We present an instantiation of tag-based HPS under the DDH assumption. Following our paradigm, we immediately obtain a DDH-based AIAE for the set of restricted affine functions.

(ii) Using AIAE as an essential building block, we design the first PKE scheme enjoying KDM-CCA security and compactness of ciphertexts simultaneously. Specifically, the ciphertext of our scheme contains only group elements.

(iii) Furthermore, we design the first PKE scheme enjoying KDM-CCA security and almost compactness of ciphertexts simultaneously. More precisely, the number of group elements contained in a ciphertext is independent of the security parameter .

In Table 1, we list the existing PKE schemes which either achieve KDM-CCA security or are KDM-secure for the set of polynomial functions.

*Overview of Our Construction*. In the construction of our KDM-CCA secure PKE schemes, we adopt a key encapsulation mechanism (KEM) + data encapsulation mechanism (DEM) approach [18] and employ three building blocks: KEM, , and AIAE, as shown in Figure 1.

(i) KEM and share the same pair of public and secret keys.

(ii) A key k is encapsulated by KEM.Encrypt, and an encapsulation kem.c is generated by KEM.Encrypt along the way.

(iii) The message is encrypted by Encrypt, and the resulting -ciphertext is c.

(iv) The key k generated by KEM is used by AIAE.Encrypt to encrypt c with auxiliary input kem.c, and the resulting AIAE-ciphertext is aiae.c.

(v) The ciphertext of our PKE scheme is (kem.c, aiae.c).

Following this approach, we design KDM[]-CCA and KDM[]-CCA secure PKE schemes, respectively, by constructing specific building blocks.

*Differences to Conference Version*. This paper constitutes an extended full version of [17]. The new results in this paper are as follows.

(i) In contrast to the concrete construction of AIAE presented in the conference paper, here we give a general paradigm for constructing AIAE from a one-time secure authenticated encryption (AE) and a *tag-based hash proof system* (HPS).

(a) In Section 3.2, we show that the resulting AIAE is IND-RKA secure and weak-INT-RKA secure, as long as the underlying tag-based HPS is , extracting, and key-homomorphic.

(b) In Section 3.3, we give an instantiation of tag-based HPS based on the DDH assumption. Following our paradigm, we obtain a DDH-based AIAE scheme in Section 3.4. We view the specific AIAE proposed in the conference paper as an instantiation of the general paradigm presented in this paper.

(ii) In this paper, we provide the full proofs of the theorems regarding the KDM-CCA security and KDM-CCA security of our PKEs. Compared with the conference paper, we add the proofs of Lemmas 16, 18, 25, 26, and 29, and the proof of indistinguishability between Hybrids 2 and 3 in Section 5.3.

#### 2. Preliminaries

Throughout this paper, denote by the security parameter. means choosing an element from set uniformly. means executing algorithm with input and randomness and assigning output to . We sometimes abbreviate this to . “PPT” is short for probabilistic polynomial-time. For integers , we denote and . For a security notion and a primitive , the advantage of a PPT adversary is typically denoted by and we denote . Let negl denote an unspecified negligible function.

*Games*. We will use games in our security definitions and proofs. Typically, a game G begins with an INITIALIZE procedure and ends with a FINALIZE procedure. In the game, there might be other procedures which act as oracles. All procedures are presented in pseudocode, all sets are initialized as empty sets, and all variables are initialized as empty strings. In the execution of a game G with an adversary , first calls INITIALIZE and obtains its output; then makes arbitrary oracle queries to according to their specifications and obtains their outputs; finally calls FINALIZE. At the end of the execution, if FINALIZE outputs , we write this as . The statement means that, in game G, is computed as or equals .

##### 2.1. Public-Key Encryption

There are four PPT algorithms in a public-key encryption (PKE) scheme:

(i) ParGen outputs a public parameter pars. We assume that pars implicitly defines a secret key space and a message space .

(ii) KeyGen(pars) takes pars as input and outputs a public key pk and a secret key sk.

(iii) Encrypt takes pk and a message as input and outputs a ciphertext pke.c.

(iv) Decrypt takes sk and a ciphertext pke.c as input and outputs either a message or a symbol indicating the failure of the decryption.

We require PKE to have perfect correctness; that is, for all possible and all , we have

*Definition 1 (KDM[]-CCA security).* Let and let denote a set of functions from to . A scheme PKE is -KDM-CCA secure if, for any PPT adversary , we have , where -- is the security game shown in Figure 2.

##### 2.2. Authenticated Encryption

There are three PPT algorithms in an authenticated encryption (AE) scheme:

(i) generates a system parameter . We require to be an implicit input to other algorithms and assume that implicitly defines a key space and a message space .

(ii) takes a key and a message as input and outputs a ciphertext ae.c.

(iii) takes a key and a ciphertext as input and outputs a message or a symbol .

We require AE to have perfect correctness; that is, for all possible , all keys , and all ,

*Definition 2 (one-time security).* A scheme AE is one-time secure (OT-secure), that is, IND-OT and INT-OT secure, if for any PPT , both and , where IND-OT and INT-OT are the security games presented in Figure 3.

Figure 3: panels (a) and (b) are the IND-OT and INT-OT games of Definition 2 (figure not reproduced).

##### 2.3. Key Encapsulation Mechanism

There are three PPT algorithms in a key encapsulation mechanism (KEM):

(i) generates a public key pk and a secret key sk.

(ii) takes as input and outputs a key together with a ciphertext kem.c.

(iii) takes and a ciphertext kem.c as input and outputs either a key or a symbol .

We require to have perfect correctness; that is, for all possible , we have

##### 2.4. Tag-Based Hash Proof System: Universal_{2}, Extracting, and Key-Homomorphism

Tag-based hash proof system (HPS) was first defined in [19]. The definition is similar to extended HPS [20], but the property is slightly different.

*Definition 3 (tag-based hash proof system).* A tag-based hash proof system is comprised of three PPT algorithms:

(i) outputs a parameterized instance , which implicitly defines , , where are all finite sets with , is a set of hash functions indexed by , and is a function. We assume that is efficiently computable, and there are PPT algorithms sampling uniformly, sampling uniformly, sampling uniformly with a witness , and checking membership in .

(ii) takes a projection key , an element with a witness , and a tag as input and outputs a hash value .

(iii) takes a hashing key , an element , and a tag as input and outputs a hash value without knowing a witness.

We require to be *projective*; that is, for all , all and , all with all witnesses and all , it holds that

Tag-based HPS is associated with a subset membership problem. Informally speaking, it asks to distinguish the uniform distribution over from the uniform distribution over .

*Definition 4 (SMP).* The Subset Membership Problem (SMP) related to is hard, if for any PPT adversary , one has where , , and .

*Definition 5 (universal_{2}).* is called (strongly) , if for all possible , all , all , all , all with , and all , it holds that where the probability is over .

The key difference between tag-based HPS and extended HPS lies in the definition of the property [19]. Extended HPS requires (6) to hold for , while tag-based HPS requires (6) to hold only for . Hence, any () extended HPS is also a () tag-based HPS, but not vice versa. Tag-based HPS is essentially a weaker variant of extended HPS and admits more efficient constructions.

Dodis et al. [21] defined an extracting property for extended HPS, which requires the hash value to be uniformly distributed over for any and , as long as is randomly chosen from . Besides, Xagawa [22] considered a key-homomorphic property for extended HPS, which stipulates that holds for any , , and . Here we adapt these notions to tag-based HPS.

*Definition 6 (extracting).* is called extracting, if for all , all , all , and all , it holds that where .

*Definition 7 (key-homomorphism).* is called *key-homomorphic*, if for all , which defines , one has the following:

(i) Both and are groups.

(ii) For all and all , the mapping is a group homomorphism. That is, for all and all , it holds that

##### 2.5. DCR, DDH, DL, and IV_{d} Assumptions

Suppose that is a PPT algorithm generating , where , are safe primes of -bit, , and is a prime. We define the following:(i).

Then is a cyclic group of order . For and , we define(i),(ii),(iii).

Then is a cyclic group of order , and , where represents the internal direct product.

Damgård and Jurik [23] showed that the discrete logarithm of an element can be efficiently computed from and . Observe that ; thus for any , we have and
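The Damgård and Jurik discrete-logarithm computation mentioned above, as an added runnable example that is not code from the paper. The parameters are constructed toy safe primes, and the generator of the order-N^s subgroup is taken to be T = 1 + N, the standard Damgård-Jurik choice (the symbol is not legible in this section, so this is an assumption). `hide` and `open_with_trapdoor` are the Damgård-Jurik generalisation of Paillier, included only to show how the subgroup generated by T and the subgroup of N^s-th residues interact once the factorisation trapdoor is known; they are not a scheme from this paper.

```python
"""Arithmetic in Z*_{N^{s+1}} for the DCR setting of Section 2.5 (added example, not from the paper).

Constructed toy parameters: p = 2p'+1 = 47 and q = 2q'+1 = 59 are safe primes, far too
small for real use.  T = 1 + N generates the subgroup of order N^s, and the Damgard-Jurik
procedure below computes discrete logarithms in it without any trapdoor.
"""
from math import comb

P, Q = 47, 59                  # safe primes: 47 = 2*23 + 1, 59 = 2*29 + 1
N = P * Q                      # 2773
PHI = (P - 1) * (Q - 1)        # 4 * p' * q', coprime to N
S = 2                          # work modulo N^{S+1}
T = 1 + N                      # assumed generator of the order-N^s subgroup


def modulus(s=S):
    return N ** (s + 1)


def in_T_subgroup(x, s=S):
    """<T> is exactly the set of units of Z*_{N^{s+1}} that are congruent to 1 modulo N."""
    return x % modulus(s) % N == 1


def t_power(m, s=S):
    """T^m mod N^{s+1}."""
    return pow(T, m, modulus(s))


def dj_log(c, s=S):
    """Damgard-Jurik discrete log: recover m mod N^s from c = T^m mod N^{s+1}.

    (1+N)^m = 1 + mN + C(m,2)N^2 + ..., so (c mod N^{j+1} - 1)/N equals
    m + C(m,2)N + ... + C(m,j)N^{j-1} modulo N^j.  The binomial terms depend only on
    m mod N^{j-1}, already known from the previous round, so m is recovered one N-ary
    digit at a time.  Requires s < min(p, q) so that every k! is invertible modulo N.
    """
    if not in_T_subgroup(c, s):
        raise ValueError("element is not in the subgroup generated by T")
    m = 0
    for j in range(1, s + 1):
        t = (c % N ** (j + 1) - 1) // N
        for k in range(2, j + 1):
            t -= comb(m, k) * N ** (k - 1)   # m holds m mod N^{j-1} at this point
        m = t % N ** j
    return m


def nth_residue(u, s=S):
    """u^{N^s} mod N^{s+1}: an N^s-th residue, which DCR says is hard to tell from a random unit."""
    return pow(u, N ** s, modulus(s))


def hide(m, u, s=S):
    """T^m * u^{N^s}: the residue component masks m.  This is the Damgard-Jurik
    generalisation of Paillier, included only to show how the two subgroups interact."""
    return t_power(m, s) * nth_residue(u, s) % modulus(s)


def open_with_trapdoor(z, s=S):
    """With phi(N) known, z^phi removes the residue component (its order divides phi)
    and leaves T^{m*phi}; dj_log then yields m*phi, and phi is invertible modulo N^s."""
    ns = N ** s
    return dj_log(pow(z, PHI, modulus(s)), s) * pow(PHI, -1, ns) % ns
```

The membership test `in_T_subgroup` is exact: the kernel of reduction modulo N has order N^s, the same as the subgroup generated by T, so "congruent to 1 modulo N" characterises that subgroup. Note that `dj_log` needs no secret at all; the trapdoor phi(N) is only needed to strip an N^s-th residue factor, which is precisely what DCR says an outsider cannot do.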

*Definition 8 (DCR assumption).* The Decisional Composite Residuosity (DCR) assumption holds for and , if for any PPT , it holds that where , , and .

The Interactive Vector () assumption is implied by the DCR assumption, as shown in [5]. Here we recall the assumption according to [16].

*Definition 9 (IV_{d} assumption).* The assumption holds for and , if for any PPT , it holds that where , , , and is allowed to query the oracle adaptively. Each time, can submit to the oracle, and selects randomly: if , the oracle outputs to ; otherwise it outputs to , where .

*Definition 10 (DDH assumption).* The DDH assumption holds for and , if for any PPT , it holds that where , , .

*Definition 11 (DL assumption).* The Discrete Logarithm (DL) assumption holds for and , if for any PPT , it holds that where , , .

##### 2.6. Collision-Resistant Hashing

*Definition 12 (collision-resistant hashing).* Let be a set of hash functions. is said to be *collision-resistant*, if for any PPT , one has

#### 3. Auxiliary-Input Authenticated Encryption

Our PKE constructions in Sections 4 and 5 will resort to a new primitive, AIAE. To support the KDM-CCA security of our PKE construction in Figure 1, our AIAE should satisfy the following properties.

(i) AIAE must take an auxiliary input ai in both the encryption and decryption algorithms.

(ii) AIAE must have IND--RKA security and weak-INT--RKA security. Compared to the INT--RKA security proposed in [16], the weak-INT--RKA security imposes a special rule to determine whether the adversary’s forgery is successful or not.

In the following, we present the syntax of* AIAE* and define its* IND-**-RKA Security* and* Weak-INT-**-RKA Security*. We also show a general paradigm of AIAE from tag-based HPS and give an instantiation of AIAE under the DDH assumption.

##### 3.1. Auxiliary-Input Authenticated Encryption

*Definition 13 (AIAE).* There are three PPT algorithms in an AIAE scheme:

(i) The parameter generation algorithm generates a system parameter . We require to be an implicit input to other algorithms and assume that implicitly defines a key space , a message space , and an auxiliary-input space .

(ii) The encryption algorithm takes a key , a message , and an auxiliary input as input and outputs a ciphertext .

(iii) The decryption algorithm takes a key , a ciphertext , and an auxiliary input as input and outputs a message or a symbol .

We require to have perfect correctness; that is, for all possible , all keys , all messages , and all auxiliary inputs ,

In fact, AIAE is a generalization of traditional AE, and traditional AE can be viewed as AIAE with .

*Definition 14 (RKA security).* Denote by a set of functions from to . A scheme is IND--RKA secure and weak-INT--RKA secure, if for any PPT , where IND--RKA and weak-INT--RKA are the security games presented in Figure 4.

Figure 4: panels (a) and (b) are the IND--RKA and weak-INT--RKA games of Definition 14 (figure not reproduced).

##### 3.2. Generic Construction of AIAE from Tag-Based HPS and OT-Secure AE

Our construction of AIAE needs the following ingredients.

(i) A tag-based hash proof system , where the hash value space is , the tag space is , and the hashing key space is .

(ii) A (traditional) authenticated encryption scheme , where the message space is and the key space is .

(iii) A set of hash functions .

We present our AIAE construction in Figure 5, whose key space is , message space is , and auxiliary-input space is .

By the perfect correctness of , it is routine to check that has perfect correctness.
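Sections 2.4 and 3.2 in code, as an added example that is not the paper's Figure 5 or its Section 3.3 instantiation. It shows a Cramer-Shoup-style DDH tag-based HPS with the tag folded into the exponent (hashing key in Z_Q^4, elements of L of the form (g1^w, g2^w)), a one-time AE whose key space is the hash value space, and the AIAE obtained by combining them. Assumptions beyond the text: the tag is derived as H(x, ai), which matches the hash-collision step of the weak-INT proof but is not spelled out in this section; the AE is encrypt-then-MAC over SHA-256 and is simply assumed one-time secure; the 48-bit safe-prime group generated at import is a toy size; and `same_pk_key`, which uses the discrete logarithm ALPHA of g2, exists only to exhibit the universal_{2} property concretely (two hashing keys with the same projection key agree on L and disagree off L).

```python
"""Tag-based HPS (Section 2.4) composed with a one-time AE into an AIAE (Section 3.2).

Added example, not the paper's Figure 5 or its Section 3.3 instantiation.  Assumed:
Cramer-Shoup-style DDH HPS with the tag in the exponent; AIAE tag t = H(x, ai);
encrypt-then-MAC AE assumed one-time secure; a toy 48-bit safe prime generated at import.
"""
import hashlib, hmac, secrets


def _is_prime(n):                      # Miller-Rabin, deterministic for n < 3.3e24
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _sophie_germain(bits):
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return q


Q = _sophie_germain(48)                # prime order of G, the quadratic residues mod P
P = 2 * Q + 1                          # safe prime
G1 = 4                                 # generator of G
ALPHA = secrets.randbelow(Q - 1) + 1   # DDH trapdoor G2 = G1^ALPHA, used only by same_pk_key
G2 = pow(G1, ALPHA, P)

# --- tag-based HPS: HK = Z_Q^4, X = G x G, L = {(G1^w, G2^w)}, tags in Z_Q, hashes in G ---
def in_group(e):
    return 0 < e < P and pow(e, Q, P) == 1

def gen_hk():
    return tuple(secrets.randbelow(Q) for _ in range(4))

def projection(hk):                    # alpha(hk) = (G1^k1 G2^k2, G1^k3 G2^k4)
    k1, k2, k3, k4 = hk
    return (pow(G1, k1, P) * pow(G2, k2, P) % P, pow(G1, k3, P) * pow(G2, k4, P) % P)

def sample_L():                        # uniform element of L together with its witness
    w = secrets.randbelow(Q)
    return (pow(G1, w, P), pow(G2, w, P)), w

def priv(hk, x, t):                    # Lambda_hk(x, t) = x1^(k1 + t k3) * x2^(k2 + t k4)
    k1, k2, k3, k4 = hk
    return pow(x[0], (k1 + t * k3) % Q, P) * pow(x[1], (k2 + t * k4) % Q, P) % P

def pub(pk, x, w, t):                  # (h1 * h2^t)^w; equals priv(hk, x, t) whenever x in L
    return pow(pk[0] * pow(pk[1], t, P) % P, w, P)

def hk_add(a, b):                      # HK is an additive group; priv is a homomorphism in hk
    return tuple((u + v) % Q for u, v in zip(a, b))

def same_pk_key(hk, r=1):              # a second hashing key with the same projection key:
    k1, k2, k3, k4 = hk                # (k1 + ALPHA r, k2 - r) leaves G1^k1 G2^k2 unchanged
    return ((k1 + ALPHA * r) % Q, (k2 - r) % Q, k3, k4)

# --- one-time AE with key space G (encrypt-then-MAC; SHA-256 expands the group element) ---
def _expand(kappa, label, n):
    out = b"".join(hashlib.sha256(label + kappa.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
                   for i in range(0, n, 32))
    return out[:n]

def ae_enc(kappa, m):
    ct = bytes(a ^ b for a, b in zip(m, _expand(kappa, b"enc", len(m))))
    return ct + hmac.new(_expand(kappa, b"mac", 32), ct, "sha256").digest()

def ae_dec(kappa, c):
    ct, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(_expand(kappa, b"mac", 32), ct, "sha256").digest()):
        return None                    # INT-OT: a forged or modified ciphertext is rejected
    return bytes(a ^ b for a, b in zip(ct, _expand(kappa, b"enc", len(ct))))

# --- AIAE: key hk; t = H(x, ai); kappa = Lambda_hk(x, t); ciphertext (x, AE.Enc(kappa, m)) ---
def tag_of(x, ai):
    h = hashlib.sha256(x[0].to_bytes(8, "big") + x[1].to_bytes(8, "big") + ai).digest()
    return int.from_bytes(h, "big") % Q

def aiae_enc(hk, m, ai):
    x, _w = sample_L()                 # the key holder knows hk, so priv suffices
    return x, ae_enc(priv(hk, x, tag_of(x, ai)), m)

def aiae_dec(hk, c, ai):
    x, ae_c = c
    if not (in_group(x[0]) and in_group(x[1])):
        return None                    # x outside X
    return ae_dec(priv(hk, x, tag_of(x, ai)), ae_c)
```

Decrypting with a different auxiliary input changes the tag, hence the hash value and the AE key, so the MAC check fails and decryption returns the failure symbol; this is what lets the PKE of Figure 1 bind aiae.c to kem.c. The `same_pk_key` demonstration is the core of the universal_{2} argument in the proof of Lemma 16: once x is sampled outside L, the projection key no longer pins down the hash value, so a fresh AE key can be substituted.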

Theorem 15. *If (i) is , extracting, key-homomorphic and has a hard subset membership problem, (ii) is one-time secure, and (iii) is collision-resistant, then the scheme AIAE in Figure 5 is IND--RKA and weak-INT--RKA secure. Here is the set of restricted affine functions.*

*Proof of Theorem 15 (IND--RKA Security).* Denote by a PPT adversary who attacks the IND--RKA security and queries the ENCRYPT oracle at most times. We show the IND--RKA security through a series of games. For an event , we denote by , , and the probability of occurring in games , , and , respectively.

*Game .* It is the original IND--RKA game. Denote the event by Succ. According to the definition, .

For the th () ENCRYPT query , where , the challenger prepares the challenge ciphertext as follows:

(i) pick together with witness ,

(ii) compute ,

(iii) compute ,

(iv) invoke ,

and it outputs the challenge ciphertext to .

*Game , .* It is identical to , except that, for the first ENCRYPT queries, that is, , the challenger chooses randomly for the scheme.

Clearly is identical to ; thus .

*Game , .* It is identical to , except that, for the th ENCRYPT query, the challenger samples uniformly.

The difference between and lies in the distribution of . In game , is uniformly chosen from ; in game , is uniformly chosen from . Any difference between and results in a PPT adversary solving the subset membership problem related to THPS; thus we have that

*Game , .* It is identical to , except that, for the th ENCRYPT query, the challenger chooses randomly.

Lemma 16. *For all , .*

*Proof.* For game and game , the difference between them lies in the computation of in the th ENCRYPT query. In , is properly computed, while in , it is chosen uniformly from .

We analyze the information about the key hk that is used in game .

(i) For the th () query, ENCRYPT does not use hk at all, since is randomly chosen from .

(ii) For the th () query, ENCRYPT can use to compute :

(iii) For the th query, ENCRYPT uses to compute :

Since , by the property of THPS, is uniformly distributed over conditioned on . Then, as long as , is also uniformly distributed over . Consequently, is essentially the same as , and .

Now, we show that game is computationally indistinguishable from game , . Note that the divergence between and lies in the distribution of in the th ENCRYPT query. In game , is uniformly chosen from ; in game , is uniformly chosen from . Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that

*Game .* It is identical to , except that, when answering ENCRYPT queries, the challenger invokes .

In game , the challenger computes ; in game , the challenger computes . Since each is chosen from uniformly at random, , by a standard hybrid argument, any difference between and results in a PPT adversary against the IND-OT security of , so that .

Finally, in game , since the challenge ciphertexts are encryptions of , is perfectly hidden from . So .

Summing up, we proved the IND--RKA security.

This completes the proof of Theorem 15 (IND--RKA security).

*Proof of Theorem 15 (Weak-INT--RKA Security).* Denote by a PPT adversary who attacks the weak-INT--RKA security and queries the ENCRYPT oracle at most times. The proof again goes through a series of games, defined analogously to those in the previous proof.

*Game .* It is the original weak-INT--RKA game.

For the th () ENCRYPT query , the challenger computes the challenge ciphertext in the same steps as in the previous proof and outputs to . Moreover, the challenger puts into a set , into a set , and into a set . In the end, the adversary outputs a forgery , where , and the challenger invokes the FINALIZE procedure as follows:

(i) If , output .

(ii) If such that but , output .

(iii) If , output .

(iv) Compute and . Output .

Denote the event that FINALIZE outputs by Forge. According to the definition, .

*Game .* It is identical to , except that the following rule is added to the procedure FINALIZE by the challenger:

(i) If such that but , output .

Since and , any difference between and implies a hash collision of . So .

*Game , .* It is identical to , except that, for the first ENCRYPT queries, that is, , the challenger chooses uniformly for the AE scheme.

Clearly is identical to ; thus .

*Game , .* It is identical to , except that, for the th ENCRYPT query, the challenger samples uniformly.

The difference between and lies in the distribution of . In game , is uniformly chosen from ; in game , is uniformly chosen from . Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS. We emphasize that the PPT adversary (simulator) is able to check the occurrence of Forge efficiently, because the key hk can be chosen by the simulator itself. Consequently, the difference between and reduces to the subset membership problem.

Lemma 17. *For all , *

*Proof.* To bound the difference between and , we build an efficient adversary solving the subset membership problem. Given , where , aims to distinguish from .

simulates or for . Firstly, invokes , picks randomly, and sends to . Next, chooses .

For the th () ENCRYPT query , where , prepares the challenge ciphertext in the following way.

(i) If , computes just like that in both and . That is, chooses with witness , chooses randomly, and invokes .

(ii) If , computes just like that in both and . That is, chooses with witness , computes and , and invokes .

(iii) If