Tightly Secure Lossy Trapdoor Functions: Constructions and Applications

Qin, Baodong

doi:https://doi.org/10.1155/2019/3636759

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2019 | Article ID 3636759 | https://doi.org/10.1155/2019/3636759

Tightly Secure Lossy Trapdoor Functions: Constructions and Applications

Baodong Qin^1,2

Academic Editor: Gregorio Martinez Perez

Received03 Aug 2018

Revised26 Nov 2018

Accepted16 Dec 2018

Published16 Jan 2019

Abstract

Lossy trapdoor functions (LTFs), introduced by Peiker and Waters in STOC’08, are functions that may be working in another injective mode or a lossy mode. Given such a function key, it is impossible to distinguish an injective key from a lossy key for any (probabilistic) polynomial-time adversary. This paper studies lossy trapdoor functions with tight security. First, we give a formal definition for tightly secure LTFs. Loosely speaking, a collection of LTFs is tightly secure if the advantage to distinguish a tuple of injective keys from a tuple of lossy keys does not degrade in the number of function keys. Then, we show that tightly secure LTFs can be used to construct public-key encryption schemes with tight CPA security in a multiuser, multichallenge setting, and with tight CCA security in a multiuser, one-challenge setting. Finally, we present a construction of tightly secure LTFs from the decisional Diffie-Hellman assumption.

1. Introduction

In STOC’08, Peikert and Waters [1] introduced the notion of lossy trapdoor functions (LTFs), which have been proven to be a powerful primitive in cryptography. Specifically, LTFs imply many cryptographic primitives, such as (injective) trapdoor functions, collision-resistant hash functions, oblivious transfer, correlated-product trapdoor functions [2], and adaptive trapdoor functions [3] and have many “higher level” applications, such as leakage-resilient chosen-ciphertext secure cryptosystems [4–6] and deterministic public-key encryption [7].

Informally, an LTF is a function that can work in one of two computationally indistinguishable modes: injective mode and lossy mode. In the injective mode, each function is invertible via a trapdoor. In the lossy mode, each function statistically loses information about its input. Thus, in the security proof (e.g., PKE scheme), the change that a function works in the lossy mode from the injective mode has only a negligible effect on the adversary’s advantage. In addition, once all functions work in the lossy mode, a ciphertext contains nearly no information any more about the encrypted message. Such property can be used to achieve CPA security. LTFs parameterized with a tag are useful in the context of CCA-secure PKE schemes. One such tag-based LTFs are all-but-one lossy trapdoor functions (ABO-LTFs), also proposed in [1]. In ABO-LTFs, all of the tags are injective, except for one tag which is lossy. The lossy tag and the injective tag are (computationally) indistinguishable. There are also many variants of lossy trapdoor functions that are used in diverse scenarios, such as updatable lossy trapdoor functions [4, 5, 8], chameleon ABO-LTFs [9], evasive all-but-many LTFs [10] and all-but-many lossy trapdoor functions [11].

Security Proofs by Reductions. Many cryptographic primitives, including lossy trapdoor functions, are designed around computational hardness assumptions (e.g., factoring an integer that is a product of two large primes). The approach to prove security often uses the security reduction technique which aims to convert any efficient algorithm (also called adversary) that breaks the primitive with probability to an efficient algorithm that solves the underlying computational problem with probability . We say that the security reduction is tight if . Here, we simply assume that the running times of algorithms and are roughly the same. If we consider the explicit relations between the success probabilities, the security reductions often suffer from a nontrivial multiplicative reduction loss such that only can be guaranteed. A tight security reduction also means that the reduction loss is a (small) constant.

Design of cryptographic primitives with tight security reduction is an important problem since loose reductions imply security loss and large keys are needed to achieve a satisfactory level of security. However, many cryptographic primitives often suffer from loose security reduction, especially in a multiuser (or multichallenge) setting. Taking lossy trapdoor functions as an example, standard security notion for LTFs only considers one-user setting; i.e., the advantage of an adversary is defined to distinguish just one injective key from one lossy key. For multiple users, there will be many LTF keys. However, a generic hybrid security proof usually suffers from a reduction loss , where is the number of users. The issue of loose reduction may result in a significantly practical consequence. As an example, consider a realistic setting that there are users. According to the above discussion, the security level in the multiuser case reduces times than that in the one-user setting. In other words, a secure lossy trapdoor functions may not be secure again in the multiuser setting. LTFs have been used to build many high level cryptographic primitives, e.g., PKE, and the latter usually work in a multiuser setting. Though there are many constructions of lossy trapdoor functions [1, 12, 13], to the best of our knowledge, however, there is no study on lossy trapdoor functions in the multiuser setting.

1.1. Our Contribution

In this paper, we initially study lossy trapdoor functions in a multiuser setting and formalize the notion of tightly secure lossy trapdoor functions. A collection of tightly secure LTFs is still a collection of LTFs, except that, in a multiuser setting, the security reduction does not degrade in the number of users. This new notion seems to enhance the security of standard LTFs, but does not change the functionality of LTFs. We show that tightly secure LTFs can be used to construct tightly secure public-key encryption (PKE) against chosen-plaintext attacks (CPA) in the multiuser, multichallenge setting (multichallenge means that each user’s public key may be used to encrypt many challenge messages).

We naturally extend tight security from LTFs to ABO-LTFs and propose the notion of tightly secure ABO-LTFs. We show that a collection of tightly secure LTFs with a suitable collection of tightly secure ABO-LTFs can be used to construct tightly secure PKE against adaptive chosen-ciphertext attacks (CCA) in multiuser, one-ciphertext setting. In this application, it requires an additional cryptographic primitive, called strong one-time signature, to be tightly secure. We show that the discrete-log-based strong one-time signature scheme proposed in [14] is tightly secure.

Under the decisional Diffie-Hellman (DDH) assumption, we construct a collection of tightly secure LTFs, as well as a collection of tightly secure ABO-LTFs. The tight security of them mainly benefits from the property of random self-reducibility of the underlying assumption.

1.2. Related Work: Tightly Secure PKE

Public-key encryption (PKE), as one of the most important cryptographic primitives, often suffers from a loose security reduction. Bellare et al. [15] showed that security of PKE in the simple one-user, one-ciphertext setting implies security in the much more realistic multiuser, multiciphertext setting. However, the generic security reduction suffers from a reduction loss , where is the number of users and is the number of challenge ciphertexts.

The design of PKE schemes with tight security reduction in multiuser, multiciphertext setting is not easy. One obstacle, as pointed out by Hofheinz and Jager [16], is that the simulator in the CCA security reduction needs to answer all of the adversary’s decryption queries except its own single (many) challenge ciphertext(s). To resolve this dilemma, nearly all of known PKE schemes use either the so-called “proof of well-formedness” [17] or the so-called “all-but-one technique” [18]. Yet both approaches can only guarantee to simulate one or few challenge ciphertexts at a time. To simulate many challenge ciphertexts, a hybrid argument is required. As a result, the security reduction loss grows linearly with the number of challenge ciphertexts. Hofheinz and Jager [16] applied the Naor-Yung paradigm (two tightly IND-CPA-secure PKEs and one tightly secure polynomial-time SS-NIZK) to obtain a generic construction of CCA-secure PKE scheme with tightly security reduction. As an example, they constructed the first PKE scheme with tight CCA security from the DLIN assumption with the usage of pairings. Later, Gay et al. [19] proposed the first tightly CCA-secure pairing-free public-key encryption scheme based on DDH assumption. Recently, Wei et al. [20] presented an improved PKE scheme of [16] with more compact ciphertext size, and Gay et al. [21] presented an improved tightly CCA-secure pairing-free PKE scheme with small ciphertexts and small public keys. Tightly secure all-but-many LTFs (ABM-LTFs) can be used to construct tightly (selective-opening) CCA-secured PKE schemes. However, to date, there are very few candidates of ABM-LTFs with well-tightness [22].

2. Preliminaries

2.1. Notations

If is a finite set then denotes its size and denotes the operation of picking an element uniformly at random from . For any , we denote by the set . By , we denote the security parameter. We use PPT for the abbreviation of “ probabilistic polynomial-time”. We denote by the operation of running an algorithm with inputs and letting be the output.

2.2. Complexity Assumptions

In the following, let be a PPT algorithm that takes as input a security parameter and outputs a description of group , where is a group of prime order and is a random generator of . For an arbitrary , let denote the discrete logarithm to base such that . Furthermore, for any generator , let denote the set

Definition 1 (discrete logarithm assumption). Let be a random generator of and be a random group element. The discrete logarithm (DL) assumption states that the following advantage:is negligible in for every PPT algorithm .

Definition 2 (decisional Diffie-Hellman assumption). Let be a random generator of and , . The decisional Diffie-Hellman (DDH) assumption in group states that the advantageis negligible in for every PPT algorithm .

Random Self-Reducibility of DDH [15, Lemma 5.1]. The tight security reduction of our LTFs and ABO-LTFs mainly benefit from the self-reducibility property of the DDH problem. Namely, there exists a PPT algorithm that takes as input the group order , generator , , and a bit and outputs such that we have the following. See Table 1.

Pairwise Independent Hash Functions. A family of hash functions from domain to range is called pairwise independent if, for every distinct and every , .

Randomness Extractor [23, Lemma 2.4]. Let be two random variables such that and . Let be a family of pairwise independent hash functions from to .

If , then is an average-case strong extractor; i.e., the distribution is statistically -close to the distribution , where and .

Strongly Unforgeable One-Time Signature. A one-time signature scheme OTS consists of three algorithms (OTS.Gen, OTS.Sign, and OTS.Vrf), where OTS.Gen on input a security parameter outputs a verification key and a signing key ; OTS.Sign on input a signing key and a message outputs a signature ; OTS.Vrf on input a verification key , a message , and a signature outputs either 0 or 1. The correctness guarantees that OTS.Vrf() holds with probability 1, if and only if = OTS.Sign(). Next, we define the security notion of strong existential unforgeability under a one-time chosen message attack in multiuser setting. It is defined through a game played between a challenger and a PPT adversary . The challenger first generates independently pairs of keys and gives all to the adversary. For each signing key , the adversary can obtain at most one signature on a single message chosen by the adversary. Finally, the adversary outputs a pair and is said to succeed if there exists such that and . We denote by the adversary’s success probability (advantage). A one-time signature scheme is strongly unforgeable if the adversary has negligible advantage. If the advantage is independent of the number of users, the signature scheme is said to be tightness.

By the random self-reducibility of the discrete logarithm problem, we can show the following one-time signature scheme proposed in [14, Fig.4] is tightly secure in multiuser setting, if the schemes share the same group parameters. Let be a finite group with prime order and a random generator . Let be a collision-resistant hash function. The system parameter is . The signature scheme is described as follows.(i): it picks three random exponents as the signing key and sets .(ii): for any message , it chooses a random exponent and computes . The signature is .(iii): given a message and a signature , if , then it outputs 1; else it outputs 0.

Proof. Given a challenge discrete logarithm problem , our goal is to construct an algorithm that breaks the discrete-log problem by taking the adversary algorithm as a subroutine.
Let us denote by the key pairs and let be the signature queried by on message under signing key . Suppose that finally outputs a valid (forged) signature on message under the verification key . By the collision-resistance of hash function , it is clear that . Otherwise, . We first assume that . Now, simulates the game as follows. For each , it randomly chooses and implicitly sets . It then computes , , and and sets . By the randomness of , , and , the verification key has the same distribution as the real verification key.
For each signing query on message , computes and sets . returns the signature to . This signature has the same distribution as the real signature. Finally, generates a forged signature under the verification key . The forged signature satisfies . Hence So, we haveIf , we must have . Similarly, we can construct another algorithm to solve the discrete logarithm problem for the case . For any case, the two algorithms and are independent of the adversary’s point of view. So, we can randomly guess which algorithm we will use to break the discrete logarithm problem using as the subroutine.
Let be the even that forges a valid signature and let be the even that the collision of occurs. Denote by the probability that solves the discrete logarithm problem as stated in Definition 1. Denote by the probability for any PPT adversary to find a collision of ; that is, . By the aforementioned analysis, if the event does not occur, then solves the discrete-log problem with probability at least . So,This shows that the above one-time signature is tightly secure in the multiuser setting.

3. Definitions for Tightly Secure LTFs and ABO-LTFs

In the following, unless described otherwise, all quantities are implicitly functions of a security parameter . We first recall the standard notions of lossy trapdoor functions and all-but-one lossy trapdoor functions from [1] and then introduce their tight security.

3.1. Tightly Secure LTFs

Definition 3 (lossy trapdoor functions). A collection of -lossy trapdoor functions consists of the following (PPT) algorithms: (i): this is the system parameter generation algorithm. It takes as input a security parameter and outputs the system parameters .(ii): this is the key generation algorithm. It takes as input the system parameter and outputs an (injective) evaluation key and an inversion key .(iii): this is the lossy key generation algorithm. It takes as input the system parameter and outputs an (lossy) evaluation key and the special symbol (indicating that this evaluation key does not have corresponding inversion key).(iv): this is the function evaluation algorithm. It takes as input an evaluation key and a preimage and outputs an image .(v): this is the inversion algorithm. It takes as input an inversion key and an image and outputs a preimage . We require that has the following properties.
Correctness. For all possible , all , and all , we have
Lossiness. For all possible and all , we say that is -lossy, if the image set is of size at most .
Indistinguishability. For all possible and for any PPT adversary , we require that can not distinguish an injective key from a lossy key with nonnegligible advantage. Namely, the functionis negligible in , where and .

Definition 4 (tightly secure LTFs). We say that a collection of LTFs is tightly secure if, for any PPT adversary , the following indistinguishability advantage is negligible and independent of , the number of injective or lossy keys.The above two oracles and are defined as follows: taking an integer as input, firstly runs to obtain the -th injective key and returns it to the adversary; firstly runs to obtain the -th lossy key and returns it to the adversary. Clearly, the standard indistinguishability is just the case that .

3.2. Tightly Secure ABO-LTFs

In an ABO-LTF collection, each function has an extra input called branch. In the following, we denote by the set of branches.

Definition 5 (all-but-one LTFs). A collection of -all-but-one lossy trapdoor functions with branch set consists of the following (PPT) algorithms: (i): this is the system parameter generation algorithm. It takes as input a security parameter and outputs the system parameters .(ii): this is the key generation algorithm. It takes as input the system parameter and a branch and outputs an evaluation key and an inversion key .(iii): this is the function evaluation algorithm. It takes as input the evaluation key , a branch , and a preimage and outputs an image .(iv): this is the inversion algorithm. It takes as input the inversion key , a branch , and an image and outputs a preimage . We require that has the following properties.
Correctness. For all , all , and all possible , if , then holds for all .
Lossiness. If the above , then is of size at most . is usually called lossy branch.
Hidden Lossy Branch. For any PPT adversary that gives the system parameter and outputs two branches , the advantageis negligible in , where and .

Definition 6 (tightly secure ABO-LTFs). We say that a collection of ABO-LTFs is tightly secure if for any PPT adversary ; the following indistinguishability advantage is negligible and independent of , the number of evaluation keys:The above oracle ( or ) is defined as follows: for , the adversary outputs the -th pair of branches and is given an evaluation key , where . Clearly, the hidden lossy branch property of ABO-LTFs is just the case that .

4. Constructions of Tightly Secure PKE Schemes

4.1. Definitions for PKE

Definition 7 (public-key encryption). A public-key encryption scheme with message space consists of the following PPT algorithms.
. This is the system parameter generation algorithm. It takes as input a security parameter and outputs system parameters .
. This is the key generation algorithm. It takes as input the system parameters and outputs a public key and a secret key .
. This is the message encryption algorithm. It takes as input a public key and a message and outputs a ciphertext .
/⊥ ←. This is the decryption algorithm. It takes as input the secret key and a ciphertext and outputs a message or a special symbol (indicating that is an invalid ciphertext).
For correctness, we require that, for all , all , and all , it always has .

Security. We recall the security definition of indistinguishability against adaptive chosen-ciphertext attacks (CCA) in multiuser and multichallenge settings from [15, 16]. The following experiment is played between the challenger and an adversary and is parameterized by integers (i.e., the number of users, challenge ciphertexts/encryption queries, and decryption queries).

Experiment (1)Initialization phase: the challenger runs only once to generate the system parameter and runs times to generate key pairs , . Then, it tosses a random coin , initializes a list to an empty list, and defines counters and for each .(2)Query phase: receives as input and may adaptively query the challenger for two types of operations.(I)Encryption queries: the adversary submits two messages of equal length and an index . If then the challenger returns . Otherwise, it returns , appends to , and sets .(II)Decryption queries: the adversary submits a ciphertext and an index . If or then the challenger returns . Otherwise it returns and sets .(3)Guess phase: eventually, the adversary outputs a bit as a guess of .

The advantage of in the above experiment is defined as

Definition 8 (IND-CCA security). We say that breaks the -IND-CCA security if runs in times and . A public-key encryption scheme is -IND-CCA-secure if there exists no adversary that -breaks the -IND-CCA security.

Definition 9 (IND-CPA security). In the above experiment, if , then we say is -IND-CPA-secure.

Clearly, if there is only one-user and one-challenger ciphertext, i.e., , the -IND-CCA security in the above sense is exactly the classical definition of IND-CCA security [24], and -IND-CPA security is exactly the classical definition of IND-CPA security (or semantic security) [25]. The generic reduction from [15] showed that if -breaks the -IND-CCA security, there exists that breaks the -IND-CCA security and , . Thus, the security reduction loses (at most) a factor of . A security reduction is called tight if the corresponding reduction loss is constant.

4.2. CPA-Secure PKE Scheme

In this section, we propose a generic construction of PKE scheme from LTFs and show its IND-CPA security in the setting that has polynomial number of users and challenge ciphertexts. Our security proof shows that if the underlying LTFs are tightly secure, then so is the PKE scheme.

The CPA-secure PKE scheme with message space is given in Box 1. It applies the following components:(i)A collection of -lossy trapdoor functions: (ii)A family of pairwise independent hash functions:

Let be a negligible function in . We require that the parameters in the above primitives satisfy the condition .

Theorem 10. Let be the security parameter, and let be integers. Then, the PKE scheme described in Box 1 is -IND-CPA-secure, whereand the runtime of is roughly the runtime of the IND-CPA experiment with an adversary of runtime . Clearly, if the underlying LTFs are tightly secure, then the obtained PKE is tightly CPA-secure.

Outline of Proof. The proof is very simple. First, by the indistinguishability of , we replace all users’ LTF injective evaluation keys with lossy evaluation keys. Now, in the challenge ciphertexts, each function works in lossy mode and thus reveals at most -bit information of . Applying to , it can extract a random string, which will hide the information of the encrypted message.

Proof. We proceed in a sequence of games. Let be a fixed adversary that breaks the IND-CPA security of the above PKE scheme in the multiuser setting. Assume that it makes at most encryption queries to each user’s encryption oracles. Let denote the event that wins in Game .
Game 1. This is the original IND-CPA experiment. Roughly speaking, the challenger runs only once. Then, it runs times to generate public/secret key pairs and tosses a random coin . The adversary takes these public keys as input and may make at most queries to each encryption oracle . Every encryption query is of the form , where and and are two equal length messages. The challenger responds with . Finally, the adversary outputs a bit as the guess of . We say that wins the game if . So,Game 2. This game is identical to Game 1 except that we replace all users’ LTF injective keys with lossy keys. By the indistinguishability property of the LTF collection, it follows thatfor some adversary attacking LTF’s indistinguishability.
The proof is as follows. Given the system parameter of LTF, the simulator sets and asks the LTF challenger to generation LTF keys . The simulator sets and returns it to the adversary. Once the adversary asks an encryption query , the simulator tosses a random coin in advance and computes the challenge ciphertext as in Game 1. Clearly, if all are generated by the injective key generation algorithm , the view of the adversary is exactly Game 1; otherwise, it is exactly Game 2. This completes the proof.
Game 3. This game is identical to Game 2, except that we replace in each challenge ciphertext with a uniformly distributed string . We show thatThe proof is as follows. First, observe that, in Game 2, all in challenge ciphertexts are lossy functions. So the image size of is at most . Since , by the property of , it follows that is statistically -close to , where and is uniformly distributed over . Recall that there are at most challenge ciphertexts. The proof completes. Since and , we further have thatRecall that, in Game 3, each challenge message is perfectly hidden by the random string ; i.e., ; it follows thatTaking all together, we get Theorem 10.

4.3. CCA-Secure PKE Scheme

Next, we propose a generic construction of PKE scheme from LTFs and ABO-LTFs and show its CCA security in the setting that has polynomial number of users and one-challenge ciphertext. Our security proof shows that if the underlying LTFs and ABO-LTFs are tightly secure, then so is the PKE scheme.

The CCA-secure PKE scheme with message space is given in Box 2. It applies the following components:(i)A collection of -lossy trapdoor functions: (ii)A collection of -all-but-one lossy trapdoor functions: with branch set (iii)A family of pairwise independent hash functions: (iv)A strongly unforgeable one-time signatures scheme: .

Let be a negligible function in . We require that the parameters in the above primitives satisfy the condition ; the branch set contains the set of signature verification keys.

Theorem 11. Let be the security parameter and let , , be integers such that , . Then, the PKE scheme described in Box 2 is -IND-CCA-secure, whereand the runtime of , , is roughly the runtime of the IND-CCA experiment with an adversary of runtime .

Outline of Proof. The proof idea mainly follows [1]. First, by the all-but-one property, we replace each ABO lossy branch with the corresponding verification key of the challenge ciphertext. Since the underlying OTS is strongly unforgeable, all branches in decryption queries would be distinct with the corresponding lossy branch. Thus, all ABO functions in the decryption queries are injective. By this observation, we can replace the decryption key with the ABO inversion key. Next, by the indistinguishability of LTFs, we replace all users’ LTF injective keys with lossy keys. Now, in the challenge ciphertexts, each function works in lossy mode and reveals at most bits information of . So, the application of guarantees that the ciphertexts of and are indistinguishable.

Proof. We proceed in a sequence of games. Let be a fixed adversary that breaks the IND-CCA security of the PKE scheme in the multiuser setting. Assume that it makes at most one encryption query (resp., decryption query) to each user’s encryption oracle (resp., decryption oracle). Let denote the probability that wins in Game .
Game 1. This is the original IND-CCA experiment. Roughly speaking, the challenger first runs only once. It then runs times to generate public/secret key pairs and tosses a random coin . The adversary receives these public keys as input and may make one query to each encryption oracle and queries to each decryption oracle . Each encryption query is of the form where , and and are two equal length messages, and the challenger responds with . Each decryption query is of the form , where . The challenger will respond with . Finally, the adversary outputs a bit as the guess of . We say that wins the game if . Clearly, the adversary is not allowed to ask for the decryption of the challenge ciphertext; i.e., . According to the definition of IND-CCA experiment, we have thatHereafter, we use to denote a decryption query, in which the ciphertext is encrypted under public key , and denote by the challenge ciphertext under user ’s public key.
Game 2. This game is identical to Game 1 except that it rejects all decryption queries in which the verification key is the same as that of the corresponding challenge ciphertext for any . Recall that is forbidden to ask for decryption query such that . So, . Suppose that there exists some decryption query , in which . It must have that . By the strong unforgeability of the underlying one-time signature, we have the following result:for some adversary attacking the strong unforgeability of the underlying OTS in the multiuser setting.
The proof is as follows. The simulator asks the OTS challenger to generate the system parameter and one-time key pairs . The simulator will receive the OTS system parameter and verification keys . The simulator then generates the other system parameters of the PKE scheme, including , and generates PKE key pairs as in Game 1. The simulator sends the PKE system parameter and PKE public keys to the adversary. As the simulator knows all users’ decryption keys, it can answer the adversary’s decryption queries as in Game 1. To answer encryption queries, the simulator tosses a random coin in advance. Given , the simulator randomly chooses and and computes , , and . The simulator sends the message to the OTS challenger to obtain a signature which is signed under the corresponding signing key . The simulator sends the challenge ciphertext to the adversary. Clearly, the view of the adversary in the above simulated environment is the same as that in Game 1. In Game 2, the simulator rejects to answer all decryption queries such that . If such decryption query is not rejected in Game 1, must be a valid message-signature pair under the verification key . The simulator sends it to the OTS challenger as the output of the simulator. This completes the proof.
Game 3. This game is identical to Game 2, except that each ABO function is chosen to have a lossy branch . That is, for user , it first generates an OTS key pair and replaces with . We show that the adversary’s views in Game 2 and Game 3 are computationally indistinguishable, under the assumption of the hidden lossy branch properties of all ABO-LTF collections. Formally, we havewhere is an adversary attacking the hidden lossy branch properties of the ABO-LTF collection.
The proof is as follows: Given an ABO system parameter , the simulator first generates the remainder PKE system parameters of as in Game 2. It then generates OTS key pairs and sends to the ABO challenger to obtain ABO evaluation keys . Next, the simulator implements the key generation algorithm to generate the remainder public keys and secret keys as that in Game 2. Since the simulator knows all secret key (i.e., the inversion keys of LTF functions), it can answer the adversary’s decryption queries and encryption queries as that in Game 2. Clearly, if is generated by , the simulated environment is exactly Game 2; otherwise it is exactly Game 3. This completes the proof.
Game 4. This game is identical to Game 3 except that we keep all users’ ABO inversion key and use to recover the image in the decryption query . Recall that, in each decryption query , if the verification key , the ciphertext is rejected directly. So, we only need to recover the image of for the case that . Since and are both injective, there is a unique such thatThat is, Game 3 uses the LTF inversion key to recover , while Game 4 uses the ABO inversion key to recover . Therefore, these two games are conceptionally equivalent; i.e.,Game 5. This game is identical to Game 4 except that we replace all users’ LTF injective evaluation keys with lossy evaluation keys. Assuming the indistinguishability of injective and lossy functions of LTFs, it has thatfor some adversary attacking the indistinguishability of the LTF collections.
The proof is as follows. Given the LTF system parameter , the simulator generates the remainder PKE system parameters as in Game 4. It then asks the LTF challenger to generate evaluation keys , which are wehther generated by the injective key generation algorithm or by the lossy key generation algorithm depending on the LTF challenger’s random coin. The simulator generates the remainder public keys for each user as in Game 4; i.e., it first generates OTS key pairs and then generates . The simulator sets as the public key for user . Since the simulator knows the PKE public keys and secret keys (i.e., the inversion key of the ABO functions), it can answer the adversary’s encryption queries and decryption queries as in Game 4. Clearly, if all are injective evaluation keys, the adversary’s view is exactly identical to Game 4; if all are lossy evaluation keys, the adversary’s view is exactly identical to Game 5. This completes the proof.
Game 6. This game is identical to Game 5 except that we replace with a random string in each challenge ciphertext. We observe that, in Game 5, and are both lossy functions. So the image size of is at most . Since , by the property of the family of pairwise independent hash functions , it has that is statistically -close to uniform even given . Recall that there are at most challenge ciphertexts. Thus,In Game 6, since all (in challenge ciphertexts) are uniformly distributed over , the adversary has no advantage in this game; i.e.,Taking all together, Theorem 11 follows.

From One-Challenge Ciphertext to Multichallenge Ciphertexts. As introduced in [15], for multichallenge ciphertexts, a generic (hybrid) security reduction will suffer from a reduction loss . According to the above security proof, to achieve tight security, it is better to replace all injective branches with lossy branches simultaneously in Game 3. This requires that all the lossy branches are tightly indistinguishable from the injective branches. However, the ABO-LTFs only have one lossy branch, which is indistinguishable from the other (injective) branches. A good choice is to use all-but-many lossy trapdoor functions that have polynomial number of lossy branches. Though there are some constructions of ABM-LTFs, all of them either have loose security proof or rely on nonstandard assumptions. It is still an open problem to find efficient and tightly secure ABM-LTFs under reasonable assumptions, as pointed out in [11].

5. Instantiations under DDH Assumption

The constructions come from Peikert and Waters DDH-based LTFs and ABO-LTFs [1], and our main work is to prove its tightness in the multiuser setting. We first introduce some basic notations and results.

5.1. Basic Notations

Let be a group description outputted by . Below, we let , , and be row vectors. Let and be matrices over , and let be matrix over . We define the following:(i) is the outer product of and .(ii).(iii) is component-wise multiplication of and .(iv).

Prior to describing the construction, we introduce the following lemma that is useful in our security proofs.

Lemma 12. Let be a group description outputted by . For any positive integer , define matrices , where , , and . Let be random matrices over . Then, for any PPT adversary , it holds thatwhere is an algorithm distinguishing the DDH problem over .

Proof. The proof goes through a sequence of games. In each game, is given matrices . In , the distribution of is the same as that of ; i.e., picks random vectors and and sets for . In , all are sampled as that in , except that the group elements in the first rows of are with random elements of . Clearly, in , has the same distribution as that of . Next, we show that the distributions of in any two successive games and () are computationally indistinguishable under the DDH assumption.
Given a DDH challenge problem , first involves algorithm for times independently to obtain tuples . Then, runs algorithm for times independently to obtain tuples , where . Now, chooses a random vector and sets matrix as the following form:whereNow, we discuss the distributions of for two cases: If is a DDH-tuple, by the property of algorithm , the tuples are also DDH-tuples, and thus has the same distribution as that in . If is not a DDH-tuple, it has that and the tuples are randomly distributed over . Clearly, with probability at least , all hold. By the property of algorithm , the tuples () are randomly distributed over . So, in this case, is distributed as that in with probability of at least . Therefore, for any , we have thatThe theorem follows directly from the above result.

5.2. Tightly Secure LTFs

The collection of LTFs with domain is described in Box 3.

Theorem 13. If the DDH assumption holds in , then the construction in Box 3 is a collection of lossy trapdoor functions with lossiness . Particularly, for any PPT adversary , there exists a DDH distinguisher of roughly the same complexity as such that

Proof. We first show its correctness and lossiness and then prove its indistinguishability.
Correctness. If is an injective evaluation key, then, for any string , it has thatSo, and the correctness follows.
Lossiness. If is a lossy evaluation key, then, for any string , it has thatSo, for any fixed lossy evaluation key, the image of is completely determined by , which has only possible values. Therefore, the above collection of LTFs is -lossy.
Indistinguishability. By Lemma 12, any number of lossy evaluation keys is computationally indistinguishable from random matrices . If the diagonal elements of each matrix multiply , the results are injective keys. A random matrix, whose diagonal elements multiply a fixed element , is still a random matrix. Thus, the injective keys are computationally indistinguishable from random matrices, and the computational distance is at most .

5.3. Tightly Secure ABO-LTFs

The collection of ABO-LTFs with domain is described in Box 4.

Theorem 14. If the DDH assumption holds in , then the construction in Box 4 is a collection of all-but-one lossy trapdoor functions with lossiness . Particularly, for any PPT adversary , there exists a DDH distinguisher of roughly the same complexity as such that

Proof. We first show its correctness and lossiness, and then prove its indistinguishability.
Correctness. If , then is an injective evaluation key. For any string , it has that So, and the correctness follows.
Lossiness. If , then is a lossy evaluation key, which is the same as the lossy evaluation key in previous LTFs. So, the lossiness is .
Hidden Lossy Branch. As the discussion on LTFs, for any tuple of branches , the evaluation keys generated by , are computationally indistinguishable from a tuple of random matrices with distance at most . Therefore, for any two tuples of branches and , the evaluation keys generated by are computationally indistinguishable from the evaluation keys generated by with distance .

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (Grant no. 61502400 and no. 61872292), the Natural Science Basic Research Plan in Shaanxi Province of China (Grant no. 2018JQ6007), and the Foundation of Sichuan Educational Committee (Grant no. 16ZB0140).

References

C. Peikert and B. Waters, “Lossy trapdoor functions and their applications,” in Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC '08), C. Dwork, Ed., pp. 187–196, ACM, 2008.
View at: Publisher Site | Google Scholar
A. Rosen and G. Segev, “Chosen-ciphertext security via correlated products,” SIAM Journal on Computing, vol. 39, no. 7, pp. 3058–3088, 2010.
View at: Publisher Site | Google Scholar | MathSciNet
E. Kiltz, P. Mohassel, and A. O'Neill, “Adaptive trapdoor functions and chosen-ciphertext security,” in Proceedings of the EUROCRYPT 2010, H. Gilbert, Ed., vol. 6110 of LNCS, pp. 673–692, Springer, Berlin, Germany, 2010.
View at: Publisher Site | Google Scholar | MathSciNet
S. Li, Y. Mu, M. Zhang, and F. Zhang, “Updatable lossy trapdoor functions and its application in continuous leakage,” in Provable security, L. Chen and J. Han, Eds., vol. 10005 of Lecture Notes in Comput. Sci., pp. 309–319, Springer, Berlin, Germany, 2016.
View at: Publisher Site | Google Scholar | MathSciNet
M. Zhang, J. Huang, H. Shen, Z. Xia, and Y. Ding, “Consecutive leakage-resilient and updatable lossy trapdoor functions and application in sensitive big-data environments,” IEEE Access, vol. 6, pp. 43936–43945, 2018.
View at: Publisher Site | Google Scholar
Y. Chen, B. Qin, and H. Xue, “Regular lossy functions and their applications in leakage-resilient cryptography,” Theoretical Computer Science, vol. 739, pp. 13–38, 2018.
View at: Publisher Site | Google Scholar | MathSciNet
D. Zhang, B. Li, Y. Liu, H. Xue, X. Lu, and D. Jia, “Towards tightly secure deterministic public key encryption,” in Information and Communications Security, S. Qing, C. Mitchell, L. Chen, and D. Liu, Eds., vol. 10631 of Lecture Notes in Comput. Sci., pp. 154–161, Springer, Berlin, Germany, 2018.
View at: Publisher Site | Google Scholar | MathSciNet
S. Li, Y. Mu, M. Zhang, and F. Zhang, “Continuous Leakage Resilient Lossy Trapdoor Functions,” Information, vol. 8, no. 2, p. 38, 2017.
View at: Publisher Site | Google Scholar
J. Lai, R. H. Deng, and S. Liu, “Chameleon all-but-one TDFs and their application to chosen-ciphertext security,” in Proceedings of the PKC 2011, D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi, Eds., vol. 6571 of LNCS, pp. 228–245, Springer, 2011.
View at: Publisher Site | Google Scholar | MathSciNet
Z. Huang, S. Liu, and K. Chen, “n-Evasive all-but-many lossy trapdoor function and its constructions,” Security and Communication Networks, vol. 8, no. 4, pp. 550–564, 2015.
View at: Publisher Site | Google Scholar
D. Hofheinz, “All-But-Many Lossy Trapdoor Functions,” in Proceedings of the EUROCRYPT 2012, D. Pointcheval and T. Johansson, Eds., vol. 7237 of LNCS, pp. 209–227, Springer, Berlin, Germany, 2012.
View at: Publisher Site | Google Scholar
L. Cheng, Q. Wu, and Y. Zhao, “Compact lossy and all-but-one trapdoor functions from lattice,” ICST Transactions on Security and Safety, vol. 4, no. 12, p. 153517, 2017.
View at: Publisher Site | Google Scholar
C. Zhang, W. Ma, H. Chen, and F. Zhao, “Lossy trapdoor functions based on the PLWE,” Cluster Computing, 2017.
View at: Publisher Site | Google Scholar
H. Wee, “Public Key Encryption against Related Key Attacks,” in Public Key Cryptography – PKC 2012, M. Fischlin, J. Buchmann, and M. Manulis, Eds., vol. 7293 of Lecture Notes in Computer Science, pp. 262–279, Springer, Berlin, Germany, 2012.
View at: Publisher Site | Google Scholar
M. Bellare, A. Boldyreva, and S. Micali, “Public-key encryption in a multi-user setting: security proofs and improvements,” in EUROCRYPT 2000, B. Preneel, Ed., vol. 1807 of Lecture Notes in Computer Science, pp. 259–274, Springer, Berlin, Germany, 2000.
View at: Publisher Site | Google Scholar
D. Hofheinz and T. Jager, “Tightly secure signatures and public-key encryption,” in Advances in cryptology---CRYPTO 2012, R. Safavi-Naini, Ed., vol. 7417 of Lecture Notes in Comput. Sci., pp. 590–607, Springer, Berlin, Germany, 2012.
View at: Publisher Site | Google Scholar | MathSciNet
R. Cramer and V. Shoup, “A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack,” in Advances in Cryptology—CRYPTO '98, H. Krawczyk, Ed., vol. 1462 of Lecture Notes in Computer Science, pp. 13–25, Springer, Berlin, Germany, 1998.
View at: Publisher Site | Google Scholar
H. Wee, “Efficient chosen-ciphertext security via extractable hash proofs,” in Advances in cryptology---CRYPTO 2010, T. Rabin, Ed., vol. 6223 of Lecture Notes in Comput. Sci., pp. 314–332, Springer, Berlin, Germany, 2010.
View at: Publisher Site | Google Scholar | MathSciNet
R. Gay, D. Hofheinz, E. Kiltz, and H. Wee, “Tightly CCA-secure encryption without pairings,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, M. Fischlin and J. Coron, Eds., vol. 9665 of Lecture Notes in Computer Science, pp. 1–27, Springer, Berlin, Germany.
View at: Publisher Site | Google Scholar | MathSciNet
P. Wei, W. Wang, B. Zhu, and S. M. Yiu, “Tightly-Secure Encryption in the Multi-user, Multi-challenge Setting with Improved Efficiency,” in Proceedings of the Australasian Conference on Information Security and Privacy Part I, J. Pieprzyk and S. Suriadi, Eds., vol. 10342 of Lecture Notes in Computer Science, pp. 3–22, Springer International Publishing, 2017.
View at: Publisher Site | Google Scholar
R. Gay, D. Hofheinz, and L. Kohl, “Kurosawa-Desmedt meets tight security,” in Proceedings of the 37th Annual International Cryptology Conference, J. Katz and H. Shacham, Eds., vol. 10403 of Lecture Notes in Computer Science, pp. 133–160, Springer, Santa Barbara, CA, USA.
View at: Publisher Site | Google Scholar | MathSciNet
X. Boyen and Q. Li, “All-but-many lossy trapdoor functions from lattices and applications,” in Advances in Cryptology - CRYPTO 2017, Part III, J. Katz and H. Shacham, Eds., vol. 10403 of Lecture Notes in Computer Science, pp. 298–331, Springer, 2017.
View at: Publisher Site | Google Scholar | MathSciNet
Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith, “Fuzzy extractors: how to generate strong keys from biometrics and other noisy data,” SIAM Journal on Computing, vol. 38, no. 1, pp. 97–139, 2008.
View at: Publisher Site | Google Scholar | MathSciNet
C. Rackoff and D. R. Simon, “Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack,” in Proceedings of the Advances in Cryptology — CRYPTO ’91, J. Feigenbaum, Ed., vol. 576 of LNCS, pp. 433–444, Springer, Berlin , Germany, 1991.
View at: Publisher Site | Google Scholar
S. Goldwasser and S. Micali, “Probabilistic encryption & how to play mental poker keeping secret all partial information,” in Proceedings of the fourteenth annual ACM symposium on Theory of computing, STOC '82, H. R. Lewis, B. B. Simons, W. A. Burkhard, and L. H. Landweber, Eds., pp. 365–377, San Francisco, Calif, USA, May 1982.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2019 Baodong Qin. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

879

Downloads

870

Citations