Abstract

KDM-CCA security of public-key encryption (PKE) ensures the privacy of key-dependent messages which are closely related to the secret key , where , even if the adversary is allowed to make decryption queries. In this paper, we study the design of KDM-CCA secure PKE. To this end, we develop a new primitive named Auxiliary-Input Authenticated Encryption (AIAE). For AIAE, we introduce two related-key attack (RKA) security notions, including IND-RKA and weak-INT-RKA. We present a generic construction of AIAE from tag-based hash proof system (HPS) and one-time secure authenticated encryption (AE) and give an instantiation of AIAE under the Decisional Diffie-Hellman (DDH) assumption. Using AIAE as an essential building block, we give two constructions of efficient KDM-CCA secure PKE based on the DDH and the Decisional Composite Residuosity (DCR) assumptions. Specifically, (i) our first PKE construction is the first one achieving KDM-CCA security for the set of affine functions and compactness of ciphertexts simultaneously. (ii) Our second PKE construction is the first one achieving KDM-CCA security for the set of polynomial functions and almost compactness of ciphertexts simultaneously. Our PKE constructions are very efficient; in particular, they are pairing-free and NIZK-free.

1. Introduction

For public-key encryption (PKE) schemes, Chosen-Ciphertext Attack (CCA) security is the de facto security notion. In the CCA security model, the adversary sees the public key and gets challenge ciphertexts, which are encryptions of messages of its choice. It is also allowed to make decryption queries and obtain the decrypted messages for ciphertexts (but not the challenge ciphertexts) of its choice. CCA security considers whether the challenge ciphertexts can protect the security of messages. Observe that the adversary does not know the secret keys; thus it is not able to submit messages that are closely related to the secret keys. Hence there is a corner that is not covered by CCA security, namely the security of messages which are closely dependent on the secret keys. It was Goldwasser and Micali [1] who first pointed out this problem. In 2002, the security of such key-dependent messages (KDM) was formalized by Black et al. [2]. Up to now, KDM-security has found many applications, such as anonymous credential systems [3] and hard disk encryption [4].

KDM-security means KDM-security for a set of functions. Loosely speaking, in the -KDM-security model, the adversary obtains the public keys of users and has access to an encryption oracle. Each time the adversary submits a function in the function set , the encryption oracle encrypts either or a dummy message (say ) and returns the challenge ciphertext to the adversary. The -KDM-CPA security stipulates that the adversary cannot distinguish the two cases, and the -KDM-CCA security demands indistinguishability of the two cases even if the adversary is also allowed to make decryption queries. KDM-CCA security is obviously stronger than KDM-CPA security. Moreover, KDM-security is stronger when the function set is larger.

KDM-CPA Security. In 2008, Boneh et al. (BHHO) [4] proposed the first KDM-CPA secure PKE construction for the affine function set , from the Decisional Diffie-Hellman (DDH) assumption. Soon after, the BHHO scheme was generalized by Brakerski and Goldwasser [5], who presented KDM-CPA secure PKE constructions under the Quadratic Residuosity (QR) assumption or the Decisional Composite Residuosity (DCR) assumption. However, these schemes suffer from incompact ciphertext, which contains group elements ( denotes the security parameter throughout the paper).

Applebaum et al. [6] proved that a variant of the Regev scheme [7] is KDM-CPA secure and enjoys compact ciphertexts, that is, encompassing only group elements.

Brakerski et al. [8] provided a KDM-CPA secure PKE scheme for the polynomial function set , which contains all polynomials whose degrees are at most . The drawback of the scheme is incompact ciphertext, which contains group elements.

Barak et al. [9] presented a KDM-CPA secure PKE for the set of Boolean circuits whose sizes are a priori bounded, which is a very large function set. Nevertheless, their scheme is neither practical nor flexible.

In 2011, Malkin et al. [10] proposed the first efficient KDM-CPA secure PKE. The ciphertext of their PKE construction is almost compact and consists of only group elements.

KDM-CCA Security. The first approach to KDM-CCA security was proposed by Camenisch, Chandran, and Shoup (CCS) [11]. The CCS approach follows the Naor-Yung paradigm [12], and the building blocks are a PKE scheme with CCA security, a PKE scheme with KDM-CPA security, and a noninteractive zero-knowledge (NIZK) proof system which proves that the two PKE schemes encrypt the same message.

The Groth-Sahai proofs [13] are the only practical NIZK. To obtain efficient KDM-CCA secure PKE, we have to employ an efficient PKE scheme with KDM-CPA security and the Groth-Sahai proofs if we follow the CCS approach [11]. Unfortunately, the existing efficient PKE schemes with KDM-CPA security, like [6, 10], are not compatible with the Groth-Sahai proofs, since the underlying groups of their schemes are not pairing-friendly ones.

Galindo et al. [14] proposed a KDM-CCA secure PKE scheme from the Matrix Decisional Diffie-Hellman assumption. Their scheme enjoys compact ciphertexts, but the KDM-CCA security of their scheme is constrained (more precisely, in their KDM-CCA security model, the adversary is only allowed to have access to the encryption oracle for a number of times linear in the secret key’s size).

In order to achieve both KDM-CCA security and efficiency for PKE, Hofheinz [15] developed another approach, making use of a novel primitive named “lossy algebraic filter.” The PKE scheme proposed by Hofheinz enjoys the security of KDM-CCA and the compactness of ciphertexts simultaneously, but the function set is made up of constant functions and selection functions .

In fact, it is a challenging job to enlarge the KDM-CCA function set while keeping the efficiency of the PKE scheme. Recently, Lu et al. [16] designed the first PKE achieving both KDM-CCA security and compact ciphertexts. Their construction is referred to as the LLJ scheme in this paper. The essential building block in their scheme is “authenticated encryption” (). The so-called INT--RKA security of turns out to be critical to the KDM-CCA security of the LLJ scheme. Unfortunately, their security reduction of the INT--RKA security of to the underlying DDH assumption is flawed. Roughly speaking, the problem of their security reduction is that there is no efficient way for the DDH adversary to convert the forgery provided by the INT--RKA adversary to a decision bit for solving the DDH problem, since it has no trapdoor. See our conference version [17] for details. The failure of ’s INT--RKA security reduction directly affects the validity of LLJ’s KDM-CCA security proof.

To construct efficient KDM-CCA secure PKE schemes, the CCS approach [11] is the unique way, to the best of our knowledge. However, the only efficient KDM-CPA secure PKE [10] is incompatible with the Groth-Sahai NIZK proofs [13]; thus the CCS approach must adopt a general inefficient NIZK.

Our Contribution. In this work, we focus on the design of efficient PKE schemes possessing KDM-CCA security and KDM-CCA security, respectively.
(i) We develop a new primitive named “Auxiliary-Input Authenticated Encryption” (AIAE). We introduce new related-key attack (RKA) security notions for it, called IND--RKA and weak-INT--RKA.
(a) We show a general paradigm for constructing such an AIAE from a one-time secure AE and a tag-based hash proof system (HPS) that is , extracting, and key-homomorphic.
(b) We present an instantiation of tag-based HPS under the DDH assumption. Following our paradigm, we immediately obtain a DDH-based AIAE for the set of restricted affine functions.
(ii) Using AIAE as an essential building block, we design the first PKE scheme enjoying KDM-CCA security and compactness of ciphertexts simultaneously. Specifically, the ciphertext of our scheme contains only group elements.
(iii) Furthermore, we design the first PKE scheme enjoying KDM-CCA security and almost compactness of ciphertexts simultaneously. More precisely, the number of group elements contained in a ciphertext is independent of the security parameter .

In Table 1, we list the existing PKE schemes which either achieve KDM-CCA security or are KDM-secure for the set of polynomial functions.

Overview of Our Construction. In the construction of our KDM-CCA secure PKE schemes, we adopt a key encapsulation mechanism (KEM) + data encapsulation mechanism (DEM) approach [18] and employ three building blocks: KEM, , and AIAE, as shown in Figure 1.
(i) KEM and share the same pair of public and secret keys.
(ii) A key k is encapsulated by KEM.Encrypt, and an encapsulation kem.c is generated by KEM.Encrypt along the way.
(iii) The message is encrypted by Encrypt, and the resulting -ciphertext is c.
(iv) The key k generated by KEM is used by AIAE.Encrypt to encrypt c with auxiliary input .c, and the resulting AIAE-ciphertext is aiae.c.
(v) The ciphertext of our PKE scheme is (kem.c, aiae.c).

Following this approach, we design KDM[]-CCA and KDM[]-CCA secure PKE schemes, respectively, by constructing specific building blocks.

Differences to Conference Version. This paper constitutes an extended full version of [17]. The new results in this paper are as follows.
(i) In contrast to presenting a concrete construction of AIAE in the conference paper, we give a general paradigm for constructing AIAE from a one-time secure authenticated encryption (AE) and a tag-based hash proof system (HPS) in this paper.
(a) In Section 3.2, we show that the resulting AIAE is IND-RKA secure and weak-INT-RKA secure, as long as the underlying tag-based HPS is , extracting, and key-homomorphic.
(b) In Section 3.3, we give an instantiation of tag-based HPS based on the DDH assumption. Following our paradigm, we obtain a DDH-based AIAE scheme in Section 3.4. We view the specific AIAE proposed in the conference paper as an instantiation of the general paradigm presented in this paper.
(ii) In this paper, we provide the full proofs of the theorems regarding the KDM-CCA security and KDM-CCA security of our PKEs. Compared with the conference paper, we add the proofs of Lemmas 16, 18, 25, 26, and 29, and the proof of indistinguishability between Hybrids 2 and 3 in Section 5.3.

2. Preliminaries

Throughout this paper, denote by the security parameter. means choosing an element from set uniformly. means executing algorithm with input and randomness and assigning output to . We sometimes abbreviate this to . “PPT” is short for probabilistic polynomial-time. For integers , we denote and . For a security notion and a primitive , the advantage of a PPT adversary is typically denoted by and we denote . Let negl denote an unspecified negligible function.

Games. We will use games in our security definitions and proofs. Typically, a game G begins with an INITIALIZE procedure and ends with a FINALIZE procedure. In the game, there might be other procedures which perform as oracles. All procedures are presented with pseudocode, all sets are initialized as empty sets, and all variables are initialized as empty strings. In the execution of a game G with an adversary , firstly calls INITIALIZE and obtains its output; then makes arbitrary oracle queries to according to their specifications and obtains their outputs; finally calls FINALIZE. At the end of the execution, if FINALIZE outputs , then we write this as . The statement means that, in game G, is computed as or equals .

2.1. Public-Key Encryption

There are four PPT algorithms in a public-key encryption (PKE) scheme:
(i) ParGen outputs a public parameter pars. We assume that pars implicitly defines a secret key space and a message space .
(ii) KeyGen(pars) takes pars as input and outputs a public key pk and a secret key sk.
(iii) Encrypt takes pk and a message as input and outputs a ciphertext pke.c.
(iv) Decrypt takes sk and a ciphertext pke.c as input and outputs either a message or a symbol indicating the failure of the decryption.

We require PKE to have perfect correctness; that is, for all possible and all , we have

Definition 1 (KDM[]-CCA security). Let and let denote a set of functions from to . A scheme PKE is -KDM-CCA secure, if for any PPT adversary , we have , where -- is the security game shown in Figure 2.

2.2. Authenticated Encryption

There are three PPT algorithms in an authenticated encryption (AE) scheme:
(i) generates a system parameter . We require to be an implicit input to other algorithms and assume that implicitly defines a key space and a message space .
(ii) takes a key and a message as input and outputs a ciphertext ae.c.
(iii) takes a key and a ciphertext as input and outputs a message or a symbol .

We require AE to have perfect correctness; that is, for all possible , all keys , and all ,

Definition 2 (one-time security). A scheme AE is one-time secure (OT-secure), that is, IND-OT and INT-OT secure, if for any PPT , both and , where IND-OT and INT-OT are the security games presented in Figure 3.

2.3. Key Encapsulation Mechanism

There are three PPT algorithms in a key encapsulation mechanism (KEM):
(i) generates a public key pk and a secret key sk.
(ii) takes as input and outputs a key together with a ciphertext kem.c.
(iii) takes and a ciphertext kem.c as input and outputs either a key or a symbol .

We require to have perfect correctness; that is, for all possible , we have

2.4. Tag-Based Hash Proof System: Universal2, Extracting, and Key-Homomorphism

Tag-based hash proof system (HPS) was first defined in [19]. The definition is similar to extended HPS [20], but the property is slightly different.

Definition 3 (tag-based hash proof system). A tag-based hash proof system is comprised of three PPT algorithms:
(i) outputs a parameterized instance , which implicitly defines , , where are all finite sets with , is a set of hash functions indexed by , and is a function. We assume that is efficiently computable, and there are PPT algorithms sampling uniformly, sampling uniformly, sampling uniformly with a witness , and checking membership in .
(ii) takes a projection key , an element with a witness , and a tag as input and outputs a hash value .
(iii) takes a hashing key , an element , and a tag as input and outputs a hash value without knowing a witness.
We require to be projective; that is, for all , all and , all with all witnesses and all , it holds that

Tag-based HPS is associated with a subset membership problem. Informally speaking, it asks to distinguish the uniform distribution over from the uniform distribution over .

Definition 4 (SMP). The Subset Membership Problem (SMP) related to is hard, if for any PPT adversary , one has where , , and .

Definition 5 (universal2). is called (strongly) , if for all possible , all , all , all , all with , and all , it holds that where the probability is over .

The key difference between tag-based HPS and extended HPS lies in the definition of the property [19]. Extended HPS requires (6) to hold for , while tag-based HPS requires (6) to hold only for . Hence, any () extended HPS is also a () tag-based HPS, but not vice versa. Tag-based HPS is essentially a weaker variant of extended HPS and admits more efficient constructions.

Dodis et al. [21] defined an extracting property for extended HPS, which requires the hash value to be uniformly distributed over for any and , as long as is randomly chosen from . Besides, Xagawa [22] considered a key-homomorphic property for extended HPS, which stipulates that holds for any , , and . Here we adapt these notions to tag-based HPS.

Definition 6 (extracting). is called extracting, if for all , all , all , and all , it holds that where .

Definition 7 (key-homomorphism). is called key-homomorphic, if for all , which defines , one has the following:
(i) Both and are groups.
(ii) For all and all , the mapping is a group homomorphism. That is, for all and all , it holds that

2.5. DCR, DDH, DL, and IVd Assumptions

Suppose that is a PPT algorithm generating , where , are safe primes of -bit, , and is a prime. We define the following:(i).

Then is a cyclic group of order . For and , we define(i),(ii),(iii).

Then is a cyclic group of order , and , where represents the internal direct product.

Damgård and Jurik [23] showed that the discrete logarithm of an element can be efficiently computed from and . Observe that ; thus for any , we have and
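The Damgård-Jurik discrete-logarithm computation referred to above, as an added example that is not code from the paper: it implements the standard algorithm of [23] for the subgroup generated by T = 1 + N inside the multiplicative group modulo N^(s+1), in this example's own notation (dj_encode, dj_dlog, roundtrip are names chosen here), with a constructed toy modulus N = 11 · 23.

```python
# Added example, not code from the paper: the Damgård-Jurik discrete-logarithm
# algorithm [23] for the subgroup generated by T = 1 + N inside Z*_{N^{s+1}}.
# Given c = T^m mod N^{s+1} it recovers m mod N^s using only arithmetic modulo
# powers of N, with no trapdoor; the toy modulus below is constructed for the demo.
from math import factorial


def dj_encode(m, N, s):
    """T^m mod N^(s+1) with T = 1 + N; binomially this is 1 + mN + C(m,2)N^2 + ..."""
    return pow(1 + N, m, N ** (s + 1))


def dj_dlog(c, N, s):
    """Recover m in Z_{N^s} from c = (1 + N)^m mod N^(s+1) (Damgård-Jurik).

    Round j starts from L(c mod N^(j+1)) = (c mod N^(j+1) - 1) / N, which equals
    m + C(m,2) N + ... + C(m,j) N^(j-1) mod N^j, and strips the terms k = 2..j
    using m mod N^(j-1) from the previous round.  Division by k! is a modular
    inverse, so N's prime factors must exceed s (true for real-size safe primes).
    """
    i = 0
    for j in range(1, s + 1):
        nj = N ** j
        t1 = ((c % (N ** (j + 1))) - 1) // N      # L-function; exact because c = 1 mod N
        t2 = i
        for k in range(2, j + 1):
            i -= 1
            t2 = t2 * i % nj                       # m (m-1) ... (m-k+1) mod N^j
            t1 = (t1 - t2 * N ** (k - 1) * pow(factorial(k), -1, nj)) % nj
        i = t1                                     # now i = m mod N^j
    return i


def roundtrip(m, N, s):
    """True iff decoding the encoding of m gives back m mod N^s."""
    return dj_dlog(dj_encode(m, N, s), N, s) == m % N ** s


# Constructed toy modulus: N = 11 * 23, a product of two safe primes (far too small for use).
TOY_N = 11 * 23
```

The hand-checkable case N = 15, s = 2, m = 7 gives c = 1456 and dj_dlog(1456, 15, 2) = 7; with a factor 3 in N the s = 3 round would need the inverse of 3! modulo 15^3, which does not exist, which is why the modulus must be a product of large primes.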

Definition 8 (DCR assumption). The Decisional Composite Residuosity (DCR) assumption holds for and , if for any PPT , it holds that where , , and .

The Interactive Vector () assumption is implied by the DCR assumption, as shown in [5]. Here we recall the assumption according to [16].

Definition 9 (IVd assumption). The assumption holds for and , if for any PPT , it holds that where , , , and is allowed to query the oracle adaptively. Each time, can submit to the oracle, and selects randomly: if , the oracle outputs to ; otherwise it outputs to , where .

Definition 10 (DDH assumption). The DDH assumption holds for and , if for any PPT , it holds that where , , .

Definition 11 (DL assumption). The Discrete Logarithm (DL) assumption holds for and , if for any PPT , it holds that where , , .

2.6. Collision-Resistant Hashing

Definition 12 (collision-resistant hashing). Let be a set of hash functions. is said to be collision-resistant, if for any PPT , one has

3. Auxiliary-Input Authenticated Encryption

Our PKE constructions in Sections 4 and 5 will resort to a new primitive AIAE. To serve the KDM-CCA security of our PKE construction in Figure 1, our AIAE should satisfy the following properties.
(i) AIAE must take an auxiliary input ai in both the encryption and decryption algorithms.
(ii) AIAE must have IND--RKA security and weak-INT--RKA security. Compared to the INT--RKA security proposed in [16], the weak-INT--RKA security imposes a special rule to determine whether the adversary’s forgery is successful or not.

In the following, we present the syntax of AIAE and define its IND--RKA Security and Weak-INT--RKA Security. We also show a general paradigm of AIAE from tag-based HPS and give an instantiation of AIAE under the DDH assumption.

3.1. Auxiliary-Input Authenticated Encryption

Definition 13 (AIAE). There are three PPT algorithms in an AIAE scheme:
(i) The parameter generation algorithm generates a system parameter . We require to be an implicit input to other algorithms and assume that implicitly defines a key space , a message space , and an auxiliary-input space .
(ii) The encryption algorithm takes a key , a message , and an auxiliary input as input and outputs a ciphertext .
(iii) The decryption algorithm takes a key , a ciphertext , and an auxiliary input as input and outputs a message or a symbol .
We require to have perfect correctness; that is, for all possible , all keys , all messages , and all auxiliary-inputs ,

In fact, AIAE is a generalization of traditional AE, and traditional AE can be viewed as AIAE with .

Definition 14 (RKA security). Denote by a set of functions from to . A scheme is IND--RKA secure and weak-INT--RKA secure, if for any PPT , where IND--RKA and weak-INT--RKA are the security games presented in Figure 4.

3.2. Generic Construction of AIAE from Tag-Based HPS and OT-Secure AE

Our construction of AIAE needs the following ingredients.
(i) A tag-based hash proof system , where the hash value space is , the tag space is , and the hashing key space is .
(ii) A (traditional) authenticated encryption scheme , where the message space is and the key space is .
(iii) A set of hash functions .

We present our AIAE construction in Figure 5, whose key space is , message space is , and auxiliary-input space is .

By the perfect correctness of , it is routine to check that has perfect correctness.

Theorem 15. If (i) is , extracting, key-homomorphic and has a hard subset membership problem, (ii) is one-time secure, and (iii) is collision-resistant, then the scheme AIAE in Figure 5 is IND--RKA and weak-INT--RKA secure. Here is the set of restricted affine functions.

Proof of Theorem 15 (IND--RKA Security). Denote by a PPT adversary who is against the IND--RKA security and queries ENCRYPT oracle for at most times. We show the IND--RKA security through a series of games. For an event , we denote by , , and the probability of occurring in games , , and , respectively.

Game . It is the original IND--RKA game. Denote the event by Succ. According to the definition, .

As for the th () ENCRYPT query , where , the challenger prepares the challenge ciphertext as follows:
(i) pick together with witness ,
(ii) compute ,
(iii) compute ,
(iv) invoke ,

and it outputs the challenge ciphertext to .

Game , . It is identical to , except that, for the first times of ENCRYPT queries, that is, , the challenger chooses randomly for the scheme.

Clearly is identical to ; thus .

Game , . It is identical to , except that, for the th ENCRYPT query, the challenger samples uniformly.

The difference between and lies in the distribution of . In game , is uniformly chosen from ; in game , is uniformly chosen from . Any difference between and results in a PPT adversary solving the subset membership problem related to THPS; thus we have that

Game , . It is identical to , except that, for the th ENCRYPT query, the challenger chooses randomly.

Lemma 16. For all , .

Proof. For game and game , the difference between them lies in the computation of in the th ENCRYPT query. In , is properly computed, while in , it is chosen from uniformly.
We analyze the information about the key hk that is used in game .
(i) For the th () query, ENCRYPT does not use hk at all since is randomly chosen from .
(ii) For the th () query, ENCRYPT can use to compute :
(iii) For the th query, ENCRYPT uses to compute :
Since , by the property of THPS, is uniformly distributed over conditioned on . Then as long as , is also randomly distributed over . Consequently, is essentially the same as , and .

Now, we show that game is computationally indistinguishable from game , . Note that the divergence between and lies in the distribution of in the th ENCRYPT query. In game , is uniformly chosen from ; in game , is uniformly chosen from . Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that

Game . It is identical to , except that when answering ENCRYPT queries, the challenger invokes .

In game , the challenger computes ; in game , the challenger computes . Since each is chosen from uniformly at random, , by a standard hybrid argument, any difference between and results in a PPT adversary against the IND-OT security of , so that .

Finally, in game , since the challenge ciphertexts are encryptions of , hence is perfectly hidden to . So .

Summing up, we proved the IND--RKA security.

This completes the proof of Theorem 15 (IND--RKA security).

Proof of Theorem 15 (Weak-INT--RKA Security). Denote by a PPT adversary who is against the weak-INT--RKA security and queries the ENCRYPT oracle for at most times. The proof again proceeds through a series of games, defined analogously to those of the previous proof.

Game . It is the original weak-INT--RKA game.

As for the th () ENCRYPT query , the challenger computes the challenge ciphertext in similar steps as the previous proof and outputs to . Moreover, the challenger will put to a set , put to a set , and put to a set . In the end, the adversary outputs a forgery , where , and the challenger invokes the FINALIZE procedure as follows:
(i) If , output .
(ii) If such that but , output .
(iii) If , output .
(iv) Compute and . Output .

Denote the event that FINALIZE outputs by Forge. According to the definition, .

Game . It is identical to , except that the following rule is added to the procedure FINALIZE by the challenger:
(i) If such that but , output .

Since and , any difference between and implies a hash collision of . So .

Game , . It is identical to , except that, for the first times of ENCRYPT queries, that is, , the challenger chooses uniformly for the AE scheme.

Clearly is identical to ; thus .

Game , . It is identical to , except that, for the th ENCRYPT query, the challenger samples uniformly.

The difference between and lies in the distribution of . In game , is uniformly chosen from ; in game , is uniformly chosen from . Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS. We emphasize that the PPT adversary (simulator) is able to check the occurrence of Forge in an efficient way, because the key hk can be chosen by the simulator itself. Consequently, the difference between and can be reduced to the subset membership problem smoothly.

Lemma 17. For all ,

Proof. To bound the difference between and , we build an efficient adversary solving the subset membership problem. Given , where , aims to distinguish from .
simulates or for . Firstly, invokes , picks randomly, and sends to . Next, chooses .
As for the th () ENCRYPT query , where , prepares the challenge ciphertext in the following way.
(i) If , computes just like that in both and . That is, chooses with witness , chooses randomly, and invokes .
(ii) If , computes just like that in both and . That is, chooses with witness , computes and , and invokes .
(iii) If , embeds its own challenge to , that is, . Then it computes , , and invokes .
outputs the challenge ciphertext to . Moreover, puts to , to , and to .
Obviously, simulates in the case of and simulates in the case of .
Finally, sends a forgery to , with . Then decides whether FINALIZE outputs or not with the help of hk.
(i) If , outputs (to its own challenger).
(ii) If such that but , outputs .
(iii) If , outputs .
(iv) computes .
(v) If such that but , outputs .
(vi) computes and outputs .
With the help of , is able to perfectly simulate FINALIZE, just like that in both and . Moreover, outputs to its own challenger if and only if the event Forge occurs.
As a result, we have that .

Game , . It is identical to , except that, for the th ENCRYPT query, the challenger chooses randomly.

Lemma 18. For all , .

Proof. For game and game , the difference between them lies in the computation of in the th ENCRYPT query. In , is properly computed; in , is chosen from uniformly.
We consider the information about the key hk that is used in .
(i) For the th () query, ENCRYPT does not use hk at all since is randomly chosen from .
(ii) For the th () query, similar to the proof of Lemma 16, ENCRYPT can use to compute .
(iii) For the th query, similar to the proof of Lemma 16, ENCRYPT uses to compute :
(iv) The FINALIZE procedure, which defines the event Forge, uses to compute :
We divide the event Forge into the following two subevents:
(i) Subevent: . Let us first consider the event . We show that By the fact that and by the property of THPS, is uniformly distributed over conditioned on . Then as long as , is also randomly distributed over . Hence, is the same as before queries FINALIZE, and consequently, occurs with the same probability in and .
Next we consider the event Forge conditioned on . We show that Since and , by the property of THPS, is uniformly distributed over conditioned on and . With a similar argument, is also randomly distributed over . Hence, is the same as when , and consequently, the probability that Forge occurs in and conditioned on is the same.
In conclusion, we have that
(ii) Subevent: . By the new rule added in game , Forge and will imply . In addition, Forge and will imply that , due to the special rule in the weak-INT--RKA game (see Figure 4). Then it is straightforward to check that and Since , by the property of THPS, () is uniformly distributed over conditioned on . Then as long as (which equals ) , (which equals ) is also randomly distributed over . Also in this subevent, implies ; thus the probability of is bounded by . So we have the following claim. We present the full description of the reduction in Appendix A.
Claim 19. One has .
Combining the above two subevents together, Lemma 18 follows.

Now, we show that game is computationally indistinguishable from game , . Note that the divergence between and lies in the distribution of in the th ENCRYPT query. In game , is uniformly chosen from ; in game , is uniformly chosen from . Similar to Lemma 17, any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that

Finally, in game , note that the challenger does not use hk to compute at all; thus hk is uniformly random to . Consequently, in the FINALIZE procedure, we have By the extracting property of THPS, is uniformly random over . Therefore, as long as , is uniformly random over as well. Hence, the probability of is bounded by , and we have .

In all, we proved the weak-INT--RKA security.

This completes the proof of Theorem 15 (weak-INT--RKA security).

Remark 20. We emphasize that the special rule in the weak-INT--RKA game (cf. Figure 4) plays an essential role in proving Lemma 18. Below is the reason.
Without this special rule, the adversary is allowed to submit () which is different from (), even if holds. In this case, we cannot expect to employ the INT-OT security of the underlying AE scheme to show that the second subevent () occurs with only a negligible probability. To demonstrate the problem clearly, suppose that the adversary submits in the th ENCRYPT query and submits in the FINALIZE procedure, where is a constant. Then we have where the second equality follows from the key-homomorphism of THPS. Thus, and are closely related but may not be equal; in particular, the quotient () is a constant.
Consequently, it is hard for us to show that the subevent occurs with a negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary , who obtains in the th ENCRYPT query, to generate an AE-ciphertext satisfying () , it seems that INT-RKA security of AE is required to some extent. We definitely cannot require INT-RKA security for the underlying AE scheme, since we are constructing (weak) INT-RKA secure (AI)AE scheme AIAE. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT--RKA game.

3.3. Tag-Based HPS from the DDH Assumption

Qin et al. [19] gave a construction of tag-based HPS from the -LIN assumption. Here we construct a key-homomorphic under the DDH assumption in Figure 6. With a routine check, the projective property of follows.

Theorem 21. in Figure 6 is , extracting, and key-homomorphic. Moreover, the subset membership problem related to is hard under the DDH assumption for GenN and .

Proof of Theorem 21.
. Suppose that , , and with . For , we analyze the distribution of conditioned on and .
Denote . Firstly , which may leak the values of and .
Next which may further leak the value of .
Similarly, By the fact that , we have . Then as long as , is independent of , , and , and consequently, is uniformly distributed over .
Therefore, conditioned on and , () is randomly distributed over .
Extracting. Suppose that and . For , we analyze the distribution of .
By (26), with . Since , we have . Then when is randomly chosen from , is uniformly distributed over . Consequently, is randomly distributed over .
Key-Homomorphism. For all , all , all , all , and all , we have . Then it follows that
Subset Membership Problem. The subset membership problem related to requires that is computationally indistinguishable from , where and . It trivially holds under the DDH assumption for GenN and .

3.4. Instantiation: AIAEDDH from DDH-Based THPSDDH and OT-Secure AE

When plugging the (cf. Figure 6) into the paradigm in Figure 5, we immediately obtain an AIAE scheme under the DDH assumption, as shown in Figure 7. The key space is .

By combining Theorem 15 with Theorem 21, we have the following corollary regarding the RKA security of .

Corollary 22. If (i) the DDH assumption holds for GenN and , (ii) AE is one-time secure, and (iii) is collision-resistant, then the scheme in Figure 7 is IND--RKA and weak-INT--RKA secure. Here .

Remark 23. Our enjoys the following property: will be randomly distributed over , as long as any element in is uniformly chosen. As a result, the one-time security of AE will guarantee that holds for any except with probability . This fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.

4. PKE with n-KDM-CCA Security

Denote by the DDH-based AIAE scheme in Figure 7, where the key space is . We need two other building blocks, following the approach in Figure 1.
KEM: to be compatible with this , we have to design a KEM encapsulating a key tuple .
: to support the set of affine functions, we have to construct a special public-key encryption , so that after a computationally indistinguishable change, can serve as an entropy filter for the affine function set.

The proposed PKE scheme is presented in Figure 8, in which the shadowed parts highlight algorithms of KEM and .

The correctness of PKE is guaranteed by the correctness of , , and KEM.

Theorem 24. If (i) the DCR assumption holds for GenN and , (ii) is IND--RKA and weak-INT--RKA secure, and (iii) the DL assumption holds for GenN and , then the proposed scheme PKE in Figure 8 is -KDM[]-CCA secure.

Proof of Theorem 24. Denote by a PPT adversary who is against the -KDM[]-CCA security, querying ENCRYPT oracle for at most times and DECRYPT oracle for at most times. The theorem is proved through a series of games. A rough description of differences between adjacent games is summarized in Table 2.

In the proof, deals with the -user case; is used to eliminate the utilization of the () part of in the ENCRYPT oracle; the aim of is to use to hide a base key of in the ENCRYPT oracle; is used to eliminate the utilization of in the DECRYPT oracle; in , the IND--RKA security of leads to the -KDM-CCA security, because now is concealed by perfectly.

Game . It is the -KDM-CCA game. Denote the event by Succ. According to the definition, .

For the th user, , let and denote the corresponding public key and secret key, respectively.

Game . It is identical to , except the way of answering the DECRYPT query . More precisely, the challenger outputs if for some , where is the challenge ciphertext of the th ENCRYPT oracle query .

Case 1 . DECRYPT will output in since is prohibited by DECRYPT.

Case 2 ( but ). We show that, in , DECRYPT will output , due to , with overwhelming probability. Recall that , , , so where and are parts of public keys of the th user and th user, respectively, and are uniformly random over . So ; hence , except with negligible probability .

Thus and are the same except with probability at most according to the union bound, and .

Game . It is identical to , except the way the challenger samples the secret keys , . In game , the challenger first chooses and randomly from ; next it computes for .

Obviously, the secret keys are uniformly distributed. Hence is identical to , and .

Game . It is identical to , except the way the challenger responds to the th () ENCRYPT query . In game , instead of using the public key , the challenger uses the secret key to prepare and in the following way:
(i)
(ii)

Note that for , . Thus, is the same as , and .

Game . It is identical to , except the way the challenger responds to the th () ENCRYPT query . In game , in the case of , and are computed without the use of :
(i)
(ii)
where .

Note that , where the third equality follows from .

We analyze the difference between and via the following lemma.

Lemma 25. One has

Proof. According to the last line of (35), the way that is computed from is the same in and . Therefore the only divergence between and lies in .
We show that any difference between and results in a PPT adversary solving the problem. is provided with and has access to its oracle. simulates game or game for . Firstly, prepares pars and generates , , as in and . As for the th () ENCRYPT query from , where , proceeds as follows: it queries its own oracle with , , , , where the symbol “” denotes dummy messages. Then obtains its challenges , , , and neglects “” terms. According to the definition of oracle, is one of the following:
Case 1 . .
Case 2 . , , .
Next uses the obtained and the secret keys to compute via (35) for . In the meantime, can also simulate DECRYPT for since it knows the secret keys. Finally, outputs 1 if the event occurs.
In Case , simulates game perfectly for ; in Case , simulates game perfectly for . Any difference between and results in ’s advantage over the problem. Thus Lemma 25 follows.

Game . It is identical to , except for the following differences. In the INITIALIZE procedure of game , the challenger picks and randomly. As for the th () ENCRYPT query , the challenger computes as follows:
(i) .

The only difference between and is the distribution of . In game , , while in game , . Just like Lemma 25, any difference between and results in a PPT adversary solving problem by invoking . Therefore, .

Game . It is identical to , except for the following differences. In the INITIALIZE procedure of game , the challenger picks randomly. As for the th () ENCRYPT query , the challenger computes and in a different way:
(i) Pick and randomly, and compute .
(ii)

Clearly is uniformly random over , just like that in game . In the meantime, for , we have . Thus, is the same as , and .

Game . It is identical to , except the way the challenger answers the DECRYPT oracle queries . In game , it uses and to decrypt , where . More precisely, it computes and in the following way:
(i)
(ii)
(iii)

According to (8), for , we have that . Hence is essentially the same as , and .

Game . It is identical to , except the way of answering the DECRYPT oracle queries , . More precisely, a rejection rule is added in DECRYPT:
(i) If , output .

Denote by the event that ever queries the DECRYPT oracle with , satisfying

Obviously, is identical to unless occurs. Thus,

To show the computational indistinguishability of and , we must prove that is negligible. To this end, is divided into two subevents:
(i) : ever queries the DECRYPT oracle with , satisfying
(ii) : ever queries the DECRYPT oracle with , satisfying
Obviously, . We will defer the analysis of to subsequent games. Through the following lemma, we provide the analysis of .

Lemma 26. One has .

Proof. In DECRYPT of game , the challenger will reply to unless and . Consequently, the () part of , that is, , , and the value of , is enough for answering DECRYPT queries. In particular, the values of are not necessary in DECRYPT.

is further divided into the following two subevents:
(i) -1: ever queries the DECRYPT oracle with , satisfying
(ii) -2: ever queries the DECRYPT oracle with , satisfying
Recall that are chosen in INITIALIZE.

We will consider the two subevents in game separately via the following two claims.

Claim 27. One has .

Proof. In game , the values of are not needed in DECRYPT, and the computation of in ENCRYPT only makes use of . Thus the only information about leaked to is through the computation of in ENCRYPT, which may leak the values of , , , : for , . If -1 occurs, for concreteness, say that ; then , where is independent of and thus uniformly distributed over from ’s view. By Remark 23, for where , the probability of is upper bounded by .
Then by a union bound.

Claim 28. One has .

Proof. Similar to the discussion in the proof for the previous claim, in game , the only information about and involved is through ENCRYPT, which uses the value of , , , via computing (see (49)) and also uses as the encryption key of AIAE.Encrypt.
Note that because of the randomness of , are uniformly distributed and independent of . Therefore it is possible to construct an algorithm to simulate DECRYPT and ENCRYPT of game without and . The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT--RKA encryption oracle of the scheme.
More precisely, we construct a PPT adversary , which has access to oracle, against the weak-INT--RKA security of the scheme, where . does not choose in INITIALIZE any more, and it implicitly sets to be the encryption key used by its weak-INT--RKA challenger. does not choose either, and instead, it chooses uniformly from . picks and , , randomly. To simulate ENCRYPT, can use to compute via (49) and use , , to compute . Note that is able to compute , even if , because it knows the () part of , that is, and , . Then submits to its own oracle and obtains . The final ciphertext is . According to the weak-INT--RKA security game, the oracle will encrypt with the auxiliary input under the transformed key ; that is, the oracle behaves as . Thus ’s simulation of ENCRYPT is identical to . For DECRYPT, answers decryption queries with the () part of all the secret keys and , just like .
Suppose that ever queries the DECRYPT oracle with , such that occurs. For concreteness, say that ; then for , . Thus , where . can compute as above using and outputs to its weak-INT--RKA challenger as a forgery. We analyze the success probability of as follows.
(i) Firstly, a valid decryption query from satisfies for all ; thus will hold for all ; that is, always outputs a fresh forgery.
(ii) Secondly, if for some , then it is easy to have that and thus . Furthermore, for , it clearly holds that (cf. (49)); thus and . That is, if for some , then it holds that . Obviously it satisfies the special rule required for the weak-INT--RKA security.
(iii) Finally, if occurs in this decryption query, then , where , will imply that ’s forgery is successful.
By a union bound, we have that .

In conclusion, Lemma 26 follows from the above two claims.

This completes the proof of Lemma 26.

Game . It is identical to , except for the following differences. In the INITIALIZE procedure of game , the challenger picks an independent besides . As for the th () ENCRYPT oracle query , the challenger employs a different key for in the computation of :
(i) ;
(ii) .

We stress that the challenger still employs in the computation of .

In , the only place that involves the value of is in the computation of in the ENCRYPT oracle. Specifically, for , . Note that the computation of in the ENCRYPT oracle only involves . Moreover, observe that neither nor is used in DECRYPT. Hence, is perfectly hidden by .

Therefore, the challenger could always employ another in the computation of and utilize in the ’s encryption in the ENCRYPT oracle, as in .

Then game and game are essentially the same from ’s view, so and .

Game . It is identical to , except the way the challenger answers the th () ENCRYPT oracle query . More precisely, in game , the challenger computes in the following way:
(i) .

Observe that, in and , is employed only in the encryption, where it uses as the encryption key with . Any difference between and results in a PPT adversary against the IND--RKA security of the scheme. Therefore, and .

Finally in , the challenger always computes the encryption of in the ENCRYPT oracle, so is perfectly hidden from ’s view. Thus, .

To complete the proof of Theorem 24, we only need to prove the following lemma.

Lemma 29. One has .

Proof. In , neither DECRYPT nor ENCRYPT uses the values of . The only information leaked about them lies in the public keys , , which reveal the values of , , , , where we denote for some base , .

is further divided into the following two disjoint subevents:
(i) -1: ever queries the DECRYPT oracle with , satisfying
(ii) -2: ever queries the DECRYPT oracle with , satisfying

We will analyze the two subevents in game separately via the following two claims.

Claim 30. One has .

Proof. If -1 occurs, for concreteness, say that , then and is independent of . Thus is uniformly distributed over from ’s view, and will not hold except with negligible probability .
Then according to a union bound, .

Claim 31. One has

Proof. In game , if -2 occurs, then we can construct a PPT adversary to compute the discrete logarithm of based on , where . With , simulates INITIALIZE as follows. picks , uniformly from and sets for . Then is uniformly distributed over . Next, samples secret keys and computes public keys in just the same way as INITIALIZE in . Since knows all the secret keys together with , can perfectly simulate ENCRYPT and DECRYPT in the same way as does. Furthermore, is hidden by perfectly from ’s view. If we denote , then for , .
If -2 occurs in DECRYPT, for concreteness, say that , that is, ; then can compute by solving the equation , or equivalently, . Since is hidden from the point of view of , is multiplicatively invertible except with negligible probability . Thus will succeed in computing the discrete logarithm of based on and output to its challenger. Clearly, we have

In conclusion, Lemma 29 follows from the above two claims.

This completes the proof of Lemma 29.

In all, we proved the -KDM[]-CCA security.

This completes the proof of Theorem 24.

5. PKE with n-KDM[]-CCA Security

5.1. The Basic Idea

We extend the construction of -KDM[]-CCA secure PKE to that of -KDM[]-CCA secure PKE. We allow adversaries to submit polynomial functions in in the form of modular arithmetic circuits (MAC) [10], which are polynomial-sized circuits computing . We stress that there is no a priori bound on the size of the modular arithmetic circuits. The only requirement is that the degree of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same and KEM as those in the previous -KDM[]-CCA secure PKE in Figure 8. We only need to construct a new to serve as an entropy filter for the polynomial function set. Moreover, the new should employ the same pair of public and secret keys as KEM. That is, we have and with , for .

5.2. Reducing Polynomials of 8n Variables to Polynomials of 8 Variables

How to Reduce 8n-Variable Polynomial . In the -KDM[]-CCA security game, the adversary is allowed to query the ENCRYPT oracle with for . Note that the function is a polynomial in the secret keys ; thus has variables and is of degree at most . The bad news is that contains as many as monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from to . In particular, the polynomial can always be changed to a polynomial of variables, consisting of at most monomial functions. Now this number is polynomial in .

The efficient method for reducing the -variable polynomial is as follows. In the INITIALIZE procedure, could be computed as and for and . By using , could be represented as shifts of ; that is, . Consequently, in variables can be reduced to in variables ; that is, . The degree of the resulting polynomial is still upper bounded by . Moreover, the coefficients of are completely determined by the shifts .

How to Determine Coefficients for Efficiently with Only . In order to compute the coefficients of , we can repeat the following procedure:
(i) Choose uniformly.
(ii) Feed the modular arithmetic circuit (which functions as ) with as input. We stress that are always the ones chosen in INITIALIZE.
(iii) Record the output of the circuit.

Repeating the above procedure about times, all the coefficients can be extracted by solving a linear system of equations:
The overall time complexity for computing the coefficients is polynomial in .
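The reduction and coefficient-recovery procedure of Section 5.2, carried out end to end as an added Python example (constructed for this page, not code from the paper or its authors). It assumes a prime modulus P in place of the paper's modulus N, so that Gaussian elimination always finds invertible pivots; it assumes the shift structure x_{i,j} = x_{1,j} + r_{i,j} mod P for the secret keys of users i >= 2; it treats the adversary's modular arithmetic circuit as a Python callable over all 8n key components; and the circuit, the number of users (n = 2) and the degree bound (d = 2) are constructed toy values:

```python
"""Reduce an 8n-variable key polynomial f to an 8-variable polynomial g and
recover g's coefficients from black-box evaluations of the circuit.
Constructed example.  Assumptions: prime modulus P (the paper works mod N),
secret keys x_{i,j} = x_{1,j} + r_{i,j} mod P for i >= 2, and the adversary's
modular arithmetic circuit given as a Python callable."""
import random

P = (1 << 61) - 1          # prime modulus (assumption; stands in for the paper's N)
VARS_PER_USER = 8          # each user's secret key has 8 components


def monomial_exponents(num_vars, max_degree):
    """All exponent tuples over num_vars variables with total degree <= max_degree.
    Their number is polynomial in max_degree, which is the point of the reduction."""
    if num_vars == 0:
        return [()]
    return [(e,) + rest
            for e in range(max_degree + 1)
            for rest in monomial_exponents(num_vars - 1, max_degree - e)]


def eval_monomial(exps, point, p):
    out = 1
    for e, v in zip(exps, point):
        out = out * pow(v, e, p) % p
    return out


def shifted_circuit(circuit, shifts):
    """g(x_1..x_8) := f(all 8n components) where user i's key is x_j + r_{i,j}.
    `shifts` holds one list of 8 shifts per user; user 1 has all-zero shifts."""
    def g(base):
        full = [(x + r) % P for user in shifts for x, r in zip(base, user)]
        return circuit(full)
    return g


def solve_mod_p(A, b, p):
    """Gauss-Jordan elimination over Z_p; raises if the system is singular."""
    n = len(A)
    M = [list(row) + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % p), None)
        if piv is None:
            raise ValueError("singular system: resample the evaluation points")
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [v * inv % p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * c) % p for a, c in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]


def recover_coefficients(circuit, shifts, max_degree, rng):
    """Steps (i)-(iii) of Section 5.2, repeated once per unknown coefficient:
    choose a random base key, feed the circuit with the shifted keys (the shifts
    are fixed, as in INITIALIZE), record the output, then solve the linear system."""
    exps = monomial_exponents(VARS_PER_USER, max_degree)
    g = shifted_circuit(circuit, shifts)
    rows, rhs = [], []
    for _ in range(len(exps)):
        pt = [rng.randrange(P) for _ in range(VARS_PER_USER)]
        rows.append([eval_monomial(e, pt, P) for e in exps])
        rhs.append(g(pt))
    sol = solve_mod_p(rows, rhs, P)
    return {e: c for e, c in zip(exps, sol) if c}


def eval_polynomial(coeffs, point):
    return sum(c * eval_monomial(e, point, P) for e, c in coeffs.items()) % P


# Constructed scenario: n = 2 users, degree bound d = 2, and an adversary's
# circuit f over all 16 key components (sk_1 = full[0:8], sk_2 = full[8:16]).
def example_circuit(full):
    return (full[0] * full[9] + 3 * full[15] + 7) % P


def demo(seed=1):
    rng = random.Random(seed)
    shifts = [[0] * 8, [rng.randrange(P) for _ in range(8)]]   # r_{1,j} = 0
    coeffs = recover_coefficients(example_circuit, shifts, max_degree=2, rng=rng)
    g = shifted_circuit(example_circuit, shifts)
    fresh = [rng.randrange(P) for _ in range(8)]
    # the recovered 8-variable polynomial must agree with the circuit on new keys
    return coeffs, eval_polynomial(coeffs, fresh) == g(fresh)
```

With d = 2 there are 45 monomials in 8 variables, so 45 evaluations suffice regardless of n; the toy circuit reduces to x_1 x_2 + r_{2,2} x_1 + 3 x_8 + (3 r_{2,8} + 7), showing how the coefficients absorb the shifts while the base key stays hidden.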

5.3. How to Design : A Warmup

To illustrate the ideas behind our construction, we consider a simple case: construct for a concrete type of monomial function; that is, . Algorithms Encrypt and Decrypt are shown in Figure 9.

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, . The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games -, which are related to the building block . Next, we will replace - with the following hybrids (i.e., Hybrid 1–Hybrid 3), as shown in Figure 10. Concretely, the Encrypt part of ENCRYPT is changed in a computationally indistinguishable way, so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of .

Suppose that the adversary submits to the ENCRYPT oracle. Our purpose is to eliminate the use of in the computation of , so the entropy of is reserved.

Hybrid 0. In the INITIALIZE procedure, the secret keys are computed as and for , . This hybrid is identical to in the proof of Theorem 24.

Hybrid 1. Using , reduce to , and calculate the coefficient of , such that

Hybrid 2. Implement Encrypt using . This hybrid corresponds to in the proof of Theorem 24.
(i) Invoke Encrypt to set up table.
(ii) Invoke Decrypt to compute from table.
(iii) Employ rather than in the computation of , that is, , and compute .

Clearly, computed via Decrypt are the same as computed via Encrypt. Therefore, this is just a conceptual change.

Hybrid 3. This hybrid corresponds to in the proof of Theorem 24.
(i) table is computed similarly as that in Encrypt, except for a small difference. More precisely, in table, the entry located in row 1 and column 1 is now computed as rather than . By the assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke Decrypt to compute from table.
(iii) Compute , and .

Through a routine calculation, we have ; hence .

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) table is computed similarly as that in Encrypt, except for a small difference. More precisely, the entry located in row 1 and column 1 in table is now computed as rather than .

(ii) Compute , and .

Now is not used in Encrypt any more.

After these computationally indistinguishable changes, the Encrypt part of the ENCRYPT oracle reserves the entropy of .

Similarly, we can change the DECRYPT oracle in a computationally indistinguishable way, so that is not involved at all. More precisely, DECRYPT uses only the part of secret key and . This change corresponds to - in the proof of Theorem 24. Loosely speaking, is used to ensure that all entries in table are elements in . If this is not the case, DECRYPT rejects immediately. Consequently, the DECRYPT oracle leaks nothing about . We can also show the computational indistinguishability of this change, through a similar analysis as that of in the proof of Theorem 24.

5.4. The General Designed for

In Section 5.3, we presented the construction of for a concrete type of monomial functions. Generally, a polynomial function of degree might contain as many as monomials. In order to construct a general for the set of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a , which we call a title. Algorithms Encrypt and Decrypt are shown in Figure 11.

Neglecting the coefficients of monomials, there are types of nonconstant monomial functions whose degrees are at most . For each nonconstant monomial type , we can associate it with a degree tuple . Let denote the set of all such degree tuples, that is, .

For each degree tuple , which corresponds to the monomial , we generate and by invoking the algorithm TableGen shown in Figure 11. Finally in , is hidden by the product of all the titles.

Meanwhile, with the help of the secret key , we can recover from by invoking the algorithm CalculateV in Figure 11. Thus, the titles could always be extracted from one by one, and finally is recovered.

Security Proof. We sketch the proof of KDM-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games -. Next, we will replace - with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the Encrypt part of ENCRYPT is changed in a computationally indistinguishable way, so that it can serve as an entropy filter for polynomial functions of degree at most , reserving the entropy of .

Suppose that the adversary submits to the ENCRYPT oracle. Our purpose is to eliminate the use of in the computation of , so the entropy of is reserved.

Hybrid 0. In the INITIALIZE procedure, the secret keys are computed as and for , . This hybrid is identical to in the proof of Theorem 24.

Hybrid 1. Using , reduce to , and compute the coefficients of , as discussed in Section 5.2. Then , where is the constant term of .

Hybrid 2. Implement Encrypt using . This hybrid corresponds to in the proof of Theorem 24.
(i) For each :
(1) invoke ,
(2) invoke .
(ii) Employ rather than in the computation of , that is, , and compute .

Clearly, for each , computed via CalculateV is the same as computed via TableGen. Therefore, this change is just conceptual.

Hybrid 3. This hybrid corresponds to in the proof of Theorem 24.
(i) For each :
(1) is computed by , except for a small difference; more precisely, in , the entry located in row 1 and column is now computed as rather than ; by the assumption, this difference is computationally undetectable,
(2) extract from the (modified) by invoking .
(ii) Compute , and .

Through a routine calculation, for each , we have

Hence,

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each , is computed by , except for a small difference. More precisely, in , the entry located in row 1 and column is now computed as rather than .

(ii) Compute , and .

Now is not used in Encrypt any more.

After these computationally indistinguishable changes, the Encrypt part of the ENCRYPT oracle reserves the entropy of .

With a similar argument as that in Section 5.3, we can change the DECRYPT oracle in a computationally indistinguishable way, so that is not employed at all.

Appendix

A. Proof of Claim 19

We build a PPT adversary against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key randomly. is given and has one-time access to the oracle.

Firstly, prepares in the same way as in . That is, invoke , pick randomly, and set . sends to . Besides, chooses .

As for the th () ENCRYPT query , where , prepares the challenge ciphertext in the following way.
(i) If , computes just like that in . That is, picks with witness , chooses , and invokes .
(ii) If , computes just like that in . That is, picks with witness , computes and , and invokes .
(iii) If , does not use the key hk at all, and instead, it will resort to its own oracle. More precisely, picks randomly and computes . Then implicitly sets as the key used by its challenger and queries its oracle with and gets the challenge .
According to the oracle, we have . As discussed in the proof of Lemma 18, is uniformly random in . Therefore, the simulation of is the same as that in .

outputs the challenge ciphertext to . Moreover, puts to , to , and to .

Finally, sends a forgery to , with . prepares its own forgery with respect to the AE scheme as follows.
(i) If , aborts the game.
(ii) If such that but , aborts the game.
(iii) If , aborts the game.
(iv) computes .
(v) If such that but , aborts the game.
(vi) If , aborts the game. If , outputs to its INT-OT challenger.

We analyze ’s success probability. As discussed in the proof of Lemma 18, the subevent will imply that , , , and . Since implicitly sets as the key used by its challenger, then , , and implies that and ; that is, the output by is a fresh forgery.

In summary, perfectly simulates for and outputs a fresh forgery as long as the subevent occurs. Thus, we have that . This completes the proof of Claim 19.

B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3

To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary to solve the problem. Firstly, generates secret and public keys in INITIALIZE as Hybrid 0 does. When submits an encryption query , reduces to as Hybrid 1 does and obtains the coefficient . Then simulates Encrypt as follows.

(i) For the th row of table, computes and as in Hybrids 2 and 3.

(ii) For the 1st row, queries its own oracle with and obtains its challenge ; that is, Case (): or Case (): .

sets , which is if and if . Then generates the remaining elements in the 1st row of table using its public keys and sets the 1st row of table to be

also computes from via , which equals Case (): or Case (): .

(iii) For the 2nd row, queries its own oracle with (remember that has the secret keys) and obtains its challenge ; that is, Case (): or Case (): .

sets ; that is, if and if . Thus in both cases. Then generates the remaining elements in the 2nd row of table using its public keys and sets the 2nd row of table to be

also computes from via , which equals Case (): or Case (): .

(iv) For the 3rd row, queries its own oracle with and obtains its challenge ; that is, Case (): or Case (): .

sets ; similarly, it is easy to check that in both cases. Then generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be

also computes from via , which equals Case (): or Case (): .

(v) For the 4th to 8th rows, computes table similarly as above.

(vi) Finally, computes from table, just as in Hybrids 2 and 3 (also as the original Decrypt algorithm), and computes , using the secret keys.

If , perfectly simulates Hybrid 2. If , perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in ’s advantage over the problem.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Natural Science Foundation of China Grant nos. 61672346 and 61373153.