SELECTIVE OPENING SECURE FUNCTIONAL ENCRYPTION

Yuanyuan Ji (1), Haixia Xu (2) and Peili Li (1)
(1) Chinese Academy of Sciences, Beijing, China
(2) State Key Laboratory of Information Security, Institute of Information Engineering, CAS, Beijing, China
jiyuanyuan@iie.ac.cn, xuhaixia@iie.ac.cn, lipeili@iie.ac.cn

ABSTRACT

Functional encryption (FE) gives more fine-grained control over encrypted data than traditional encryption schemes. The well-accepted security notions for FE are indistinguishability-based security (IND-FE) and simulation-based security (SIM-FE), but they are not sufficient in every setting. For example, if an adversary obtains a vector of ciphertexts and can ask to open some information about the messages, such as the coins used in the encryption or, in a multi-key setting, the secret key, is the privacy of the unopened messages still guaranteed? This is called a selective opening attack (SOA). In this paper we propose a stronger security notion for FE, security against SOA (we call it SO-FE), and give a concrete construction of an SO-FE scheme in the standard model. Our scheme is a non-adaptive IND-FE scheme that is selective opening secure in the simulation sense. In addition, the scheme can encrypt messages of any bit length rather than bit by bit, and it is secure against SOA-C and SOA-K simultaneously, whereas the two attacks previously appeared in different models. Depending on the functionality f, our scheme specializes to IBE, ABE and even PE schemes secure against SOA.

KEYWORDS

Functional encryption, Selective opening attack, Indistinguishability obfuscation, Deniable encryption

1. INTRODUCTION

Traditional encryption schemes provide rather coarse-grained access to encrypted data: a receiver who possesses the right key recovers the message in its entirety, and without the secret key he learns nothing. A new kind of encryption scheme, functional encryption (FE), with much more fine-grained control, has therefore been studied extensively. FE was introduced by Boneh, Sahai and Waters [13].
In an FE scheme, whoever owns SK_f can decrypt the ciphertext of m to obtain f(m), and is required to learn nothing other than f(m). There are two well-accepted security notions for FE: the indistinguishability-based definition (IND-FE) and the simulation-based definition (SIM-FE) [13]. But these notions do not cover every mode of attack; here we consider the selective opening attack.

David C. Wyld et al. (Eds): NETCOM, NCS, WiMoNe, CSEIT, SPM - 2015, pp. 115–130, 2015. © CS & IT-CSCP 2015. DOI: 10.5121/csit.2015.51610. Computer Science & Information Technology (CS & IT)

Selective opening security was first investigated for traditional public key encryption by Bellare, Hofheinz and Yilek [10] in 2009. In public key encryption there are two kinds of selective opening attack (SOA). One is coin-revealing SOA (SOA-C): an adversary obtains a number of ciphertexts and then corrupts a subset of the senders, obtaining not only the corresponding messages but also the coins under which they were encrypted; the unopened messages should remain private. The other is key-revealing SOA (SOA-K): an adversary obtains a number of ciphertexts encrypted under different public keys, and is then given a subset of the corresponding decryption keys; the remaining messages should remain secure. Constructing encryption schemes secure against SOA has practical importance. In the complex environment of cloud computing, the shares of a distributed file system are allotted to different servers to perform a task; if a subset of the servers is corrupted by an adversary who obtains the encrypted messages as well as the randomness, can the messages held by the uncorrupted servers remain secure?
Achieving security against SOA is challenging, but a number of works have reached this goal ([5], [6], [8], [4], [9], [7]). There are two flavours of definition for security under selective opening attacks: simulation-based selective opening security (SIM-SO) and indistinguishability-based selective opening security (IND-SO) [5]. Because IND-SO requires that the joint plaintext distribution be efficiently conditionally re-samplable, which restricts SOA security to a limited setting, we only consider SIM-SO security. SO secure PKE was investigated by Bellare et al. [5] in 2009, who showed that any lossy encryption scheme achieves SO security. Later on, several other SOA secure PKE schemes were constructed ([6], [9], [8]). In 2011, with the development of IBE, Bellare, Waters and Yilek [11] brought SOA to IBE. In IBE, ciphertexts and secret keys SK_ID are generated for a target identity ID; only the right SK_ID can open the ciphertexts, and an adversary may make many key queries for identities different from the challenge identity. Later, Junzuo Lai et al. [12] proposed a concrete CCA2 secure SO-IBE scheme. However, almost all known SO-IBE schemes rely on one-sided public openability, which forces them to encrypt bit by bit and is comparatively inefficient; constructing an SOA secure IBE scheme that is not bitwise is challenging. FE differs from PKE and IBE in that it aims to keep the encrypted message secret even though the adversary may obtain some special information through SK_f. But if the adversary additionally has the ability to open part of the messages and obtain the randomness used in their encryption, can the security of the unopened messages be maintained? [13] and [15] proved that simulation secure FE cannot be achieved in the standard model.
So in this paper we focus on the construction of an FE scheme that is IND-FE secure and simulation-based secure against SOA.

1.1 Related Works

With the development of indistinguishability obfuscation (iO), many difficult cryptographic tasks have become achievable. In 2013, [16] proposed a concrete construction of functional encryption for all circuits. In their scheme SK_f is generated using indistinguishability obfuscation; the ciphertext is a double encryption of the same message, and a statistically simulation sound NIZK (SSS-NIZK) ensures that ciphertexts are well formed. With the help of iO, their scheme hides the important steps (decryption and computation) inside SK_f. In 2014, Sahai and Waters [3] introduced a new technique, punctured programs. They gave an effective method to transform private key encryption into public key encryption, and they designed a deniable encryption scheme, solving a problem that had been open for 16 years [2]. In deniable encryption, if a sender is forced to reveal to an adversary both his message and the randomness used in encryption, he should be able to provide a fake randomness and a fake message that make the adversary believe the ciphertext is an encryption of the fake message.

1.2 Our Contributions

The contribution of this work consists of two steps. We first propose a new security model for functional encryption secure against selective opening attacks (opening both coins and private keys), which we call SO-FE, and then propose a concrete construction of an SO-FE scheme for general functions without random oracles. In view of the impossibility result for SIM-FE in the standard model and the limitation of IND-SO, our scheme is indistinguishability-based secure as an FE scheme and simulation-based secure against SOA. In our scheme we combine coin-revealing and key-revealing selective opening security, owing to the special property of the KeyGen process of FE.
Previously, SOA-C and SOA-K were considered in different settings; in particular, SOA-K was only used in multi-key encryption. The key queries of FE make key revealing meaningful even though all ciphertexts are encrypted under the same public key. The SO-FE scheme can be applied to special cases such as SO-IBE, SO-ABE and SO-PE schemes. Thus, using iO, we obtain many encryption schemes secure against selective opening attacks. So far only SO-IBE schemes exist (ABE or PE schemes secure against SOA have not been proposed). Moreover, all known SO-IBE schemes are bitwise, while our scheme can encrypt messages of any bit length.

1.3 Our Technique

There are two difficult challenges in achieving this goal. The first is the corrupt query of coins in the SOA-C process: when the adversary chooses a set I and asks to open the corresponding messages and randomness, how can the simulator provide randomness that is indistinguishable from the real one? The second is the key queries in the SOA-K process, a feature of FE security formalizations since [13] that allows the adversary to obtain the decryption key for any reasonable functionality f of his choice: how should reasonability be defined in an SOA-based security model?

To solve the first problem, we adopt deniable encryption (DE, see Section 2.2), which can output a fake randomness r0 satisfying Enc_DE(pk_DE, m0, r0) = C. This special property of DE lets the simulator generate fake randomness that convinces the adversary that the opened coins match the opened ciphertexts and the opened messages. To solve the second problem, we impose restrictions on the functions that the adversary may query to key generation; we define reasonable functions below.

Intuition. We start by giving an overview of the main ideas behind our SOA-based security definition.
To convey the core ideas, it suffices to consider the simple case of two messages m1, m2 (m_i ∈ {0,1}) and a function f(m1, m2). Suppose the adversary queries the secret key for f. Recall that the IND-security definition guarantees that an adversary cannot distinguish encryptions of x0 and x1 as long as f(x0) = f(x1) for every queried f. This is the only restriction of the IND-security definition, but in the SOA security model this restriction on f is not enough, since an adversary can learn part of the message by making a corrupt query for I. For example, the adversary can query I = {1}, learn m1, and by using the key for f learn f(m1, m2). In particular, if f(m1, 0) ≠ f(m1, 1), it is easy to recover the unopened message m2. Obviously this makes no sense in an SOA-based security definition. So we restrict f: if the input of f contains elements of the set m[I] opened in the corrupt query phase, then, apart from the messages in m[I], no matter what the other inputs are, the value of f must be the same. That is to say, if ∃ i such that x_i ∈ m[I], then the values f(···, x_i, ···) are all equal (··· can be any value). Below we present a unified definition of reasonable function.

Reasonable Function. Let M = {m1, ···, ml} be the challenge message and X = {x1, ···, xl} any message in the message space M, and let I = {i1, ···, it} ⊆ {1, ···, l} be the set queried in the SOA-C process. Write X_I for the components of X indexed by I and X_Ī for the remaining components, and let ⟨y1, y2, ···, yl⟩ denote the permutation of the values y1, ···, yl that maps y_i to the k-th position if y_i is the k-th input of f. Thus X = ⟨X_I, X_Ī⟩.

Definition 1 (Reasonability). Let F be a set of functions. We say f ∈ F is reasonable if

$$f\langle X_I, X_{\bar I}\rangle = f\langle X_I, X'_{\bar I}\rangle \quad \text{for all } X, X' \in \mathcal{M}.$$

What we want to emphasize is that the key query and the corrupt query influence each other.
The key queries increase the adversary's knowledge, which can affect the choice of I; the corrupt query for I lets the adversary learn more about the message, which can affect the choice of the functionality f. In our scheme we impose a restriction on the order of queries (the key queries for f must be made after the corrupt query for I) to remove the influence of the key queries on I, and at the same time, in the KeyGen phase, we limit the choice of f relative to the opened messages m[I] to remove the influence of the corrupt query, because an adversary may choose a special f in view of m[I] that leaks information about the unopened messages.

2. PRELIMINARIES

2.1 Functional encryption

A functional encryption scheme for a functionality f is a tuple of four algorithms:

Setup. A PPT algorithm that takes the security parameter as input and outputs a public key and master secret key pair (PK, MSK).
Key Generation. A PPT algorithm that takes the functionality f and the master secret key MSK as input and outputs a decryption key SK_f.
Encryption. A PPT algorithm that takes a message m and the public key PK as input and outputs a ciphertext C.
Decryption. Takes a ciphertext C and a decryption key SK_f as input and outputs f(m).

We use the FE construction of Garg et al. [16] (double encryption):

Setup. Generate (PK_a, SK_a) ← Setup_PKE, (PK_b, SK_b) ← Setup_PKE and crs ← Setup_NIZK.
Key Generation(MSK, f). SK_f = iO(P_f) (see the following table).
Encryption(m). c = (c1, c2, π), where c1 = Enc(PK_a; m, r1), c2 = Enc(PK_b; m, r2), and π is a NIZK proof of the statement ∃ m, r1, r2 : c1 = Enc(PK_a; m, r1) ∧ c2 = Enc(PK_b; m, r2).
Decryption. Compute SK_f(c).
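To make Definition 1 concrete before moving on, here is an added example (not code from the paper) that checks the reasonability of a function f with respect to an opened index set I by exhaustion over a toy message space, and runs the attack of Section 1.3: the adversary opens m1 and then uses the key for f, i.e. the value f(M), to pin down the unopened m2. Indices are 0-based, and the function names and the two sample functions are ours; the check generalizes the paper's two-bit illustration to any number of components and any finite domain.

```python
from itertools import product
from typing import Callable, Dict, Iterable, Sequence, Set, Tuple

Vector = Tuple[int, ...]


def assemble(l: int, I: Sequence[int], opened: Sequence[int],
             rest: Sequence[int]) -> Vector:
    """Build the vector <X_I, X_Ibar>: `opened` fills the positions listed in I
    (0-based), `rest` fills the remaining positions in increasing order."""
    ibar = [i for i in range(l) if i not in I]
    x = [0] * l
    for k, i in enumerate(I):
        x[i] = opened[k]
    for k, i in enumerate(ibar):
        x[i] = rest[k]
    return tuple(x)


def is_reasonable(f: Callable[[Vector], int], l: int, I: Sequence[int],
                  domain: Iterable[int] = (0, 1)) -> bool:
    """Definition 1 checked by exhaustion over a toy message space: f is
    reasonable with respect to the opened index set I if, once the components
    in I are fixed, f takes the same value for every choice of the unopened
    components, i.e. f<X_I, X_Ibar> = f<X_I, X'_Ibar> for all X, X'."""
    dom = tuple(domain)
    n_unopened = l - len(I)
    for opened in product(dom, repeat=len(I)):
        values = {f(assemble(l, I, opened, rest))
                  for rest in product(dom, repeat=n_unopened)}
        if len(values) > 1:
            return False
    return True


def recover_unopened(f: Callable[[Vector], int], l: int, I: Sequence[int],
                     opened: Sequence[int], f_of_m: int,
                     domain: Iterable[int] = (0, 1)) -> Set[Vector]:
    """The attack of Section 1.3: an adversary who opened m[I] and holds SK_f
    (and therefore f(M)) lists every assignment of the unopened components
    consistent with both. A singleton means the unopened part is fully leaked."""
    dom = tuple(domain)
    n_unopened = l - len(I)
    return {rest for rest in product(dom, repeat=n_unopened)
            if f(assemble(l, I, opened, rest)) == f_of_m}


def xor2(x: Vector) -> int:
    """Sample f that is NOT reasonable for I = {0}: f(m1, 0) != f(m1, 1)."""
    return x[0] ^ x[1]


def proj1(x: Vector) -> int:
    """Sample f that IS reasonable for I = {0}: it ignores the unopened slot."""
    return x[0]


def demo() -> Dict[str, object]:
    # Constructed toy instance: l = 2 one-bit messages, the adversary opens
    # index 0 (the paper's I = {1} in 1-based notation) and learns m1 = 1.
    M = (1, 0)
    I = [0]
    return {
        "xor_reasonable": is_reasonable(xor2, 2, I),
        "proj_reasonable": is_reasonable(proj1, 2, I),
        # with f = xor, the key for f plus the opened m1 pins down m2 exactly
        "xor_leak": recover_unopened(xor2, 2, I, (M[0],), xor2(M)),
        # with f = projection onto the opened slot, nothing about m2 leaks
        "proj_leak": recover_unopened(proj1, 2, I, (M[0],), proj1(M)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the scheme itself reasonability is a condition imposed on the adversary's key queries, not a computation the challenger performs; the exhaustive check above is only possible for toy domains, but it makes visible why the IND-FE condition f(x0) = f(x1) alone is too weak once part of the message vector has been opened.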
2.2 Deniable Encryption

An encryption scheme is deniable if the sender can generate fake randomness that makes the ciphertext look like an encryption of a different plaintext, thereby keeping the real message private. A deniable encryption scheme consists of the following algorithms:

Setup_DE. A PPT algorithm that takes the security parameter as input and outputs a key pair (pk_DE, sk_DE).
Enc_DE. A PPT algorithm that takes a message m and the public key pk_DE as input and outputs a ciphertext C.
Dec_DE. Takes C and the decryption key sk_DE as input and outputs m.
Exp_DE. A PPT algorithm that takes C and m0 as input and outputs a fake randomness r0 satisfying Enc_DE(pk_DE, m0, r0) = C.

We use Sahai and Waters' (SW) construction of DE [3]. Bellare et al. [4] proved that no binding (committing) encryption scheme is simulation-based SOA secure; that is why we use deniable encryption to realize our scheme. Specifically, we use the scheme of Sahai and Waters [3], which is proved IND-CPA secure for one-bit messages using the punctured programs technique; it is not hard to generalize from one bit to a message string.

Setup_DE. (pk_PKE, sk_PKE) ← Setup_PKE. F1 is a puncturable extracting PRF, F2 is a puncturable statistically injective PRF, F3 is a puncturable PRF, and (K1, K2, K3) are the corresponding PRF keys. pk_DE = (iO(P_Enc), iO(P_Exp)), sk_DE = sk_PKE.
Enc_DE. c = iO(P_Enc)(m, r).
Dec_DE. m = Dec_PKE(sk_DE, c).
Exp_DE. r0 ← iO(P_Exp)(c, m0, s) such that Enc_DE(pk_DE, m0, r0) = c (s is a randomness).

3. THE DEFINITION OF SO-FE

We now propose the security model of functional encryption secure against selective opening attacks, which we call SO-FE.

Definition 2. We define two games, Game_REAL and Game_SIM (see the following table).

Game_REAL:

Setup.
The challenger runs the Setup algorithm of FE, generates (PK, MSK) and gives the public parameters to the adversary.
Challenge. The adversary chooses a message distribution. The challenger samples a message M from the distribution and encrypts it. The ciphertext C is sent to the adversary.
Corrupt query. The adversary makes one query to corrupt a set I (I ⊂ {1, 2, ···, l}); the challenger returns the messages m[I] and the randomness r[I] used in the challenge phase for the indices in I.
Key Query. The adversary is allowed to issue key generation queries: the adversary sends a function f to the challenger (f must be reasonable), the challenger runs KeyGen on f to generate the private key SK_f and sends SK_f to the adversary.
Final. The adversary outputs a guess of M.

Game_SIM:

Setup. The simulator generates (PK, MSK) and sends PK to the adversary.
Challenge. The simulator chooses a message M0 from the distribution and encrypts M0. The ciphertext C' is sent to the adversary; it is indistinguishable from C in Game_REAL.
Corrupt query. The adversary makes one query to corrupt a set I; the simulator queries its oracle to obtain the messages m[I] ⊆ M of Game_REAL and generates fake randomness r*[I] satisfying C'[I] = Enc_FE(m[I], r*[I]).
Key Query. The simulator runs KeyGen on f to generate SK_f and sends SK_f to the adversary.
Final. The adversary outputs a guess of M.

We define the advantage of the adversary in the SO-FE game as

$$\mathrm{Adv}_{SO\text{-}FE}(A) = \left|\Pr[\mathrm{Game}_{REAL} \Rightarrow \mathrm{true}] - \Pr[\mathrm{Game}_{SIM} \Rightarrow \mathrm{true}]\right|.$$

A functional encryption scheme is secure against SOA if every polynomial time adversary A has at most negligible advantage in the game.

Our scheme is post SO-FE secure, that is to say, the KeyGen queries for f must be made after the corrupt query for I. There are two reasons why our scheme is required to be post secure. One is to make sure the adversary chooses the set I without the help of the KeyGen queries.
In the security proof the simulator runs the adversary and uses rewinding after the corrupt query ⟨I⟩ until the challenge ciphertext under consideration is not contained in I. The other reason is to make sure that no information about the challenge plaintext leaks after the adversary receives SK_f, because we restrict the choice of queried functions based on I. The specific reasons are given in the security proof in Section 5.

4. A CONSTRUCTION OF SO-FE

We now give our construction of an SO-FE scheme. Our construction is based on Garg et al.'s FE scheme combined with SW's DE scheme: the double public key encryption in FE is replaced with a double DE. Let M = m1, m2, ···, ml (m_i ∈ {0,1}^n).

Setup_SO-FE: The Setup algorithm first runs Setup_NIZK to get crs and runs Setup_DE twice to get (pk^a_DE, sk^a_DE) and (pk^b_DE, sk^b_DE). (We use the SW DE scheme introduced in Section 2; K^σ_i (i = 1, 2, 3; σ = a, b) are the keys of F1, F2, F3 in DE.)

Enc_SO-FE: For all i = 1, ···, l and σ ∈ {a, b}, choose randomness r^σ_i and check that it does not fall into the bad set S of Section 5 (writing r^σ_i = (α, β), check that α ≠ F2(K^σ_2, F3(K^σ_3, α) ⊕ β)); if it does, choose the randomness again. Then compute

c^a_i = iO(P^a_Enc)(m_i, r^a_i), c^b_i = iO(P^b_Enc)(m_i, r^b_i)

and create a NIZK proof π_i ← Prove_NIZK(crs, (c^a_i, c^b_i), (r^a_i, r^b_i, m_i)) of the fact that c^a_i and c^b_i are encryptions of the same message m_i under pk^a_DE and pk^b_DE respectively. The ciphertext is C = (c_i)_{i=1..l} with c_i = (c^a_i, c^b_i, π_i).

KeyGen_SO-FE: Create an obfuscation of the program in Table 3 and output SK_f = iO(P_KeyGen).

Dec_SO-FE: Compute SK_f(C).

5. THE SECURITY OF SO-FE

The SO-FE scheme of Section 4 is a SIM-SO FE scheme in the security model of Section 3. We now give the security proof.

Theorem 1. If iO is an indistinguishability obfuscator, DE is IND-CPA secure and the NIZK is statistically simulation sound, then the scheme is a non-adaptive secure SO-FE.

Proof.
To prove that the FE scheme is SIM-SO secure, we construct a simulator that runs in Game_SIM and simulates every possibility of Game_REAL, that is, |Pr(Game_REAL ⇒ true) − Pr(Game_SIM ⇒ true)| ≤ negl(·). In short, the simulator needs to create equivocable ciphertexts as the challenge ciphertexts and then open them accordingly. We must make sure that the equivocable ciphertexts are indistinguishable from real encryptions of the messages in the REAL setting. To provide the adversary with the environment of Game_REAL in the corrupt phase, the simulator first obtains the corrupted messages from the oracle of Game_SIM and then outputs to the adversary fake randomness that is indistinguishable from the real randomness used in the encryption (here we use the DE technique). We prove the theorem through a series of hybrids.

Hybrid 0: Let A be an arbitrary adversary in Game_REAL of the SO-FE security model. The challenger first generates (PK, MSK) and sends the public key to the adversary. Then the challenger chooses the message M from the message space M and encrypts it by running Enc_SO-FE. Later the adversary makes a corrupt query and some key generation queries; the challenger sends m[I], r[I] to A (r[I] is the real randomness used to encrypt m[I]). Finally A outputs its guess of the message. We have Pr(Hybrid 0 ⇒ true) = Pr(Game_REAL ⇒ true).

Hybrid 1: Hybrid 1 is the same as Hybrid 0, except that in the corrupt phase the challenger first runs the oracle of Game_SIM to get the messages m[I], and for i ∈ I and σ ∈ {a, b} chooses s^σ_i at random, sets r^σ_i = iO(P^σ_Exp)(m_i, c^σ_i, s^σ_i) and outputs r[i] = (r^a_i, r^b_i) (c^σ_i is the ciphertext generated by the simulator and m_i the output of the oracle). We claim |Pr(Hybrid 0 ⇒ true) − Pr(Hybrid 1 ⇒ true)| ≤ negl(·), because the randomness returned in Hybrid 1 and in Hybrid 0 is almost identically distributed in the view of A.
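The step from Hybrid 0 to Hybrid 1 is the heart of the simulation: ciphertexts that were not honest encryptions of m[I] must be opened with coins the adversary cannot tell from real ones. The following added toy example (ours, not the paper's scheme) models the Exp_DE interface with a one-time pad, which is perfectly explainable, and plays Game_REAL and Game_SIM side by side: the simulator encrypts 1^n in every slot, learns m[I] only from its oracle at the corrupt query, and explains c[I] afterwards. For contrast it also includes a binding stand-in, c = H(r) || (m ⊕ r), for which no fake coins exist, which is the point of Bellare et al. [4] recalled in Section 2.2. The function names, the sample messages and the SHA-256 binding construction are our assumptions.

```python
import hashlib
from typing import Dict, List, Optional, Sequence, Tuple

Opened = Dict[int, Tuple[bytes, bytes]]  # index i -> (m_i, r_i) returned on corruption


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in for (Enc_DE, Exp_DE): a one-time pad is perfectly explainable, since for
# every ciphertext c and every m0 there is exactly one r0 with enc(m0, r0) == c.
# This is NOT the Sahai-Waters iO-based DE; it only models the Exp_DE interface.
def enc(m: bytes, r: bytes) -> bytes:
    assert len(m) == len(r)
    return xor(m, r)


def explain(c: bytes, m0: bytes) -> bytes:
    """Exp_DE(c, m0): fake coins r0 such that enc(m0, r0) == c."""
    return xor(c, m0)


def game_real(messages: Sequence[bytes], coins: Sequence[bytes],
              I: Sequence[int]) -> Tuple[List[bytes], Opened]:
    """Game_REAL: honest encryption of M; the corrupt query for I returns the
    real messages m[I] together with the real coins r[I]."""
    cts = [enc(m, r) for m, r in zip(messages, coins)]
    return cts, {i: (messages[i], coins[i]) for i in I}


def game_sim(messages: Sequence[bytes], coins: Sequence[bytes],
             I: Sequence[int]) -> Tuple[List[bytes], Opened]:
    """Game_SIM as in Hybrid 1 / Hybrid 3-p: the simulator encrypts the dummy
    message 1^n in every slot, learns m[I] from its oracle only at the corrupt
    query, and opens c[I] with fake coins r*[I] = Exp(c_i, m_i)."""
    n = len(messages[0])
    dummy = b"\xff" * n
    cts = [enc(dummy, r) for r in coins]
    # the oracle call: the simulator sees messages[i] only for i in I
    opened = {i: (messages[i], explain(cts[i], messages[i])) for i in I}
    return cts, opened


def adversary_accepts(cts: Sequence[bytes], opened: Opened) -> bool:
    """The consistency check available to A: every opened pair (m_i, r_i) must
    re-encrypt to the challenge ciphertext c_i it was opened for."""
    return all(enc(m, r) == cts[i] for i, (m, r) in opened.items())


# Contrast: a binding (committing) scheme, c = H(r) || (m XOR r). Because H(r)
# pins down r, Dec(c) is fixed and no fake coins for a different m0 can exist.
def enc_binding(m: bytes, r: bytes) -> bytes:
    return hashlib.sha256(r).digest() + xor(m, r)


def explain_binding(c: bytes, m0: bytes) -> Optional[bytes]:
    """Exhaustive search for r0 with enc_binding(m0, r0) == c. Only feasible for
    the toy coin length used here; it is meant to show that none exists."""
    n = len(m0)
    for k in range(256 ** n):
        r0 = k.to_bytes(n, "big")
        if enc_binding(m0, r0) == c:
            return r0
    return None


if __name__ == "__main__":
    # constructed sample: three 2-byte messages, adversary corrupts slots 0 and 2
    msgs = [b"ab", b"cd", b"ef"]
    coins = [b"\x01\x02", b"\x03\x04", b"\x05\x06"]
    for name, game in (("REAL", game_real), ("SIM", game_sim)):
        cts, opened = game(msgs, coins, [0, 2])
        print(name, "opened", opened, "accepted:", adversary_accepts(cts, opened))
```

For a uniformly random pad the pair (c_i, r_i) handed to the adversary has the same distribution in both games, which is exactly the claim made for Hybrid 1; the binding stand-in shows why the DE component cannot be replaced by an ordinary committing encryption.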
The indistinguishability of Hybrid 0 and Hybrid 1 reduces to the explainability of the DE scheme. In [3], Sahai and Waters proved the explainability of their deniable encryption: if iO is an indistinguishability obfuscator, F1 is a puncturable extracting PRF, F2 is a puncturable statistically injective PRF and F3 is a puncturable PRF, then the generated pseudo-randomness is indistinguishable from real randomness. In Hybrid 0 the encryption randomness r = (α, β) is chosen from {0,1}^|r| \ S, where

$$S = \{(\alpha, \beta) \mid \alpha = F_2(K_2, F_3(K_3, \alpha) \oplus \beta),\ \alpha \in \{0,1\}^{|r_1|},\ \beta \in \{0,1\}^{|r_2|}\}.$$

Consider the size of S: for any fixed α there is at most one preimage α0 under F2, because F2 is a puncturable statistically injective PRF, so β = α0 ⊕ F3(K3, α) is uniquely determined. Hence |S| ≤ 2^|r1|, and a uniformly random r ∈ {0,1}^{|r1|+|r2|} falls into S with probability at most 2^{−|r2|}, which is negligible if r is long enough.

Hybrid 2: Hybrid 2 is the same as Hybrid 1, except that in the KeyGen query phase the challenger returns SK'_f = iO(P'_KeyGen) (P'_KeyGen is defined in the following table). Our scheme is non-adaptively secure: the KeyGen queries are made after the challenge phase. It is easy to see that SK'_f and SK_f are indistinguishable, so |Pr(Hybrid 1 ⇒ true) − Pr(Hybrid 2 ⇒ true)| ≤ negl(·). The indistinguishability of Hybrid 1 and Hybrid 2 reduces to the indistinguishability of iO.

Hybrid 3-p (0 ≤ p ≤ q): Hybrid 3-p is the same as Hybrid 2, except that in the challenge phase, for i ≤ p, we replace the real challenge ciphertexts by new ones generated by the simulator (specifically, the simulator chooses messages m_i = 1^n and sends their ciphertexts to A); for p < i ≤ q the simulator sends the real challenge ciphertexts to A. We have Pr(Hybrid 3-0 ⇒ true) = Pr(Hybrid 2 ⇒ true) and Pr(Hybrid 3-q ⇒ true) = Pr(Game_SIM ⇒ true). So our aim is to prove |Pr(Hybrid 3-0 ⇒ true) − Pr(Hybrid 3-q ⇒ true)| ≤ negl(·). Hybrid 3-p is given in Table 7. We now explain the indistinguishability of Hybrid 3-p and Hybrid 3-(p−1).
To prove this, we first define the following hybrids and then reduce their indistinguishability to the IND-CPA security of DE.

Hybrid 3-(p−1)-(0): the same as Hybrid 3-(p−1).
Hybrid 3-(p−1)-(1): uses the trapdoor of the NIZK to generate a fake proof, so that the adversary still believes the two ciphertexts of the double encryption system encrypt the same message.
Hybrid 3-(p−1)-(2): changes the p-th ciphertext: one of its two DE components is replaced, and its proof is replaced by a fake proof generated by Sim_NIZK.
Hybrid 3-(p−1)-(3): the same as Hybrid 3-(p−1)-(2), except that the other DE component of the p-th ciphertext is replaced as well, and in the obfuscated program of the KeyGen query phase the decryption key is swapped so that the key of the second part of the double encryption system is used. It is not hard to see that Hybrid 3-(p−1)-(3) is identical to Hybrid 3-p.

If the SSS-NIZK is computationally zero-knowledge, then Hybrid 3-(p−1)-(0) and Hybrid 3-(p−1)-(1) are indistinguishable. For the indistinguishability of (1) and (2), and of (2) and (3), we reduce to the IND-CPA security of DE: we construct a simulator B that runs A such that, if A distinguishes (1) from (2) or (2) from (3), then B distinguishes the challenge ciphertext c* in the IND-CPA game of DE. The reduction is given in Appendix D. Summing over the hybrids proves the theorem.

6. CONCLUSION

We proposed a stronger security notion for FE, security against SOA, and a concrete construction of an SO-FE scheme. Much work remains for the future, for example, how to construct an SO-FE scheme without indistinguishability obfuscation.

ACKNOWLEDGEMENTS

We would like to thank everyone who helped us make the paper better.

REFERENCES

[1] Mihir Bellare, Dennis Hofheinz, Scott Yilek: Possibility and impossibility results for encryption and commitment secure under selective opening. EUROCRYPT 2009. LNCS, vol. 5479, pp. 1-35. Springer, Heidelberg (2009)
[2] Ran Canetti, Cynthia Dwork, Moni Naor, Rafail Ostrovsky: Deniable Encryption. CRYPTO 1997. Cryptology ePrint Archive, Report 1996/002. pp. 90-104 (1997)
[3] Amit Sahai, Brent Waters: How to Use Indistinguishability Obfuscation: Deniable Encryption, and More. STOC 2014. Cryptology ePrint Archive, Report 2013/454. pp. 475-484 (2014)
[4] Mihir Bellare, Rafael Dowsley, Brent Waters, Scott Yilek: Standard security does not imply security against selective-opening. EUROCRYPT 2012. LNCS, vol. 7237, pp. 645-662. Springer, Heidelberg (2012)
[5] Mihir Bellare, Dennis Hofheinz, Scott Yilek: Possibility and impossibility results for encryption and commitment secure under selective opening. EUROCRYPT 2009. LNCS, vol. 5479, pp. 1-35. Springer, Heidelberg (2009)
[6] Serge Fehr, Dennis Hofheinz, Eike Kiltz, Hoeteck Wee: Encryption schemes secure against chosen-ciphertext selective opening attacks. EUROCRYPT 2010. LNCS, vol. 6110, pp. 381-402. Springer, Heidelberg (2010)
[7] Zhengan Huang, Shengli Liu, Baodong Qin: Sender-equivocable encryption schemes secure against chosen-ciphertext attacks revisited. PKC 2013. LNCS, vol. 7778, pp. 369-385. Springer, Heidelberg (2013)
[8] Brett Hemenway, Benoît Libert, Rafail Ostrovsky, Damien Vergnaud: Lossy encryption: Constructions from general assumptions and efficient selective opening chosen ciphertext security. ASIACRYPT 2011. LNCS, vol. 7073, pp. 70-88. Springer, Heidelberg (2011)
[9] Dennis Hofheinz: All-but-many lossy trapdoor functions. EUROCRYPT 2012. LNCS, vol. 7237, pp. 209-227. Springer, Heidelberg (2012)
[10] Mihir Bellare, Scott Yilek: Encryption schemes secure under selective opening attack. IACR Cryptology ePrint Archive, Report 2009/101 (2009)
[11] Mihir Bellare, Brent Waters, Scott Yilek: Identity-based encryption secure against selective opening attack. TCC 2011. LNCS, vol. 6597, pp. 235-252. Springer, Heidelberg (2011)
[12] Junzuo Lai, Robert H. Deng, Shengli Liu, Jian Weng, Yunlei Zhao: Identity-Based Encryption Secure against Selective Opening Chosen-Ciphertext Attack. EUROCRYPT 2014. LNCS, vol. 8441, pp. 77-92. Springer, Heidelberg (2014)
[13] Dan Boneh, Amit Sahai, Brent Waters: Functional Encryption: Definitions and Challenges. TCC 2011. LNCS, vol. 6597, pp. 253-273. Springer, Heidelberg (2011)
[14] Florian Böhl, Dennis Hofheinz, Daniel Kraschewski: On definitions of selective opening security. PKC 2012. LNCS, vol. 7293, pp. 522-539. Springer, Heidelberg (2012)
[15] Mihir Bellare, Adam O'Neill: Semantically-secure functional encryption: Possibility results, impossibility results and the quest for a general definition. Cryptology ePrint Archive, Report 2012/515 (2012)
[16] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, Brent Waters: Candidate Indistinguishability Obfuscation and Functional Encryption for All Circuits. FOCS 2013, IEEE Computer Society. pp. 40-49 (2013)
[17] Dan Boneh, Brent Waters: Constrained pseudorandom functions and their applications. IACR Cryptology ePrint Archive, Report 2013/352 (2013)

APPENDIX

A. Puncturable PRF

A puncturable family of PRFs F mapping {0,1}^{n(λ)} → {0,1}^{m(λ)} is given by a triple of Turing machines (Key_F, Puncture_F, Eval_F) satisfying the following conditions:

Functionality preserved. For every PPT adversary A such that A(1^λ) outputs a set S ⊆ {0,1}^{n(λ)}, and for all x ∈ {0,1}^{n(λ)} with x ∉ S, we have

$$\Pr\big[\mathrm{Eval}_F(K, x) = \mathrm{Eval}_F(K_S, x) : K \leftarrow \mathrm{Key}_F(1^\lambda),\ K_S = \mathrm{Puncture}_F(K, S)\big] = 1.$$

Pseudorandom at punctured points. For every PPT adversary A such that A(1^λ) outputs a set S ⊆ {0,1}^{n(λ)} and state σ, consider an experiment where K ← Key_F(1^λ) and K_S = Puncture_F(K, S); for any PPT distinguisher D we have

$$\left|\Pr[D(\sigma, K_S, S, \mathrm{Eval}_F(K, S)) = 1] - \Pr[D(\sigma, K_S, S, U_{m(\lambda)\cdot|S|}) = 1]\right| \le \mathrm{negl}(\lambda).$$

Definition 3. A puncturable statistically injective PRF family with failure probability ε(·) is a family of PRFs F such that with probability 1 − ε(λ) over the random choice of the key K ← Key_F(1^λ), the function F(K, ·) is injective.

Definition 4. A puncturable extracting PRF family with error ε(·) for min-entropy k(·) is a family of PRFs F mapping {0,1}^{n(λ)} → {0,1}^{m(λ)} such that for all λ, if X is any distribution over {0,1}^{n(λ)} with min-entropy greater than k(λ), then the statistical distance between (K ← Key_F(1^λ), F(K, X)) and (K ← Key_F(1^λ), U_{m(λ)}) is at most ε(λ).

B. Indistinguishability Obfuscator

A uniform PPT machine iO is called an indistinguishability obfuscator for a circuit family {C_λ} if the following conditions are satisfied:

Functionality preserved. For all security parameters λ ∈ N, for all C ∈ C_λ and for all inputs x, we have

$$\Pr[C'(x) = C(x) : C' \leftarrow iO(\lambda, C)] = 1.$$

Indistinguishability. For any PPT distinguisher D, for all security parameters λ ∈ N and for all pairs of circuits C0, C1 ∈ C_λ satisfying Pr[∀x, C0(x) = C1(x)] > 1 − negl(λ), we have

$$\left|\Pr[D(iO(\lambda, C_0)) = 1] - \Pr[D(iO(\lambda, C_1)) = 1]\right| \le \mathrm{negl}(\lambda).$$

C. NIZK

A non-interactive zero-knowledge proof system NIZK = (Setup, Prove, Ver) consists of three algorithms: crs ← Setup(1^k), π ← Prove(crs, stmt, w), b ← Ver(crs, stmt, π), where k is the security parameter, crs is the common reference string, stmt is the statement, w is a witness and π is the proof; b ∈ {0,1} means rejection or acceptance.

Completeness. Pr[crs ← Setup, π ← Prove(crs, stmt, w) : Ver(crs, stmt, π) = 1] = 1.
Soundness. Pr[crs ← Setup, ∃ (stmt, π) : (stmt ∉ L) ∧ Ver(crs, stmt, π) = 1] ≤ negl(·).
Zero-knowledge. There exists a simulator S = (SimSetup, SimProve) such that for all PPT adversaries A, the advantage of A in distinguishing real (crs, proofs) from simulated ones is negligible.

The FE scheme of [16] uses a statistically simulation sound NIZK, which they call SSS-NIZK, and Garg et al. give a concrete construction of SSS-NIZK. Informally, a NIZK system is statistically simulation sound if, under a simulated crs, there is no valid proof for any false statement except for the simulated proofs of the statements fed into the SimSetup algorithm that generated the crs.
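As an added example for the puncturable PRF definitions of Appendix A (our code, not from the paper, [3] or [17]): the standard GGM tree construction gives a puncturable PRF, with puncturing at a single point x by publishing the sibling seeds of the root-to-x path. The length-doubling PRG is assumed to be HMAC-SHA256 keyed with the node seed; the function names and the 8-bit toy domain are ours. The block checks the functionality-preservation condition exhaustively and shows that the punctured key yields nothing at x, which is the position the security proofs of [3] replace by a truly random value.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

Bits = Tuple[int, ...]


def _g(seed: bytes, bit: int) -> bytes:
    """One half of a length-doubling PRG, G_bit(seed), realised with HMAC-SHA256
    (assumed here as the PRG; any secure PRG works for the GGM tree)."""
    return hmac.new(seed, bytes([bit]), hashlib.sha256).digest()


def to_bits(x: int, n: int) -> Bits:
    """n-bit big-endian encoding of the PRF input x."""
    return tuple((x >> (n - 1 - k)) & 1 for k in range(n))


def key_gen() -> bytes:
    """Key_F(1^lambda): a random root seed (lambda = 256 bits here)."""
    return os.urandom(32)


def eval_prf(key: bytes, x: Bits) -> bytes:
    """Eval_F(K, x): descend the GGM tree from the root along the bits of x."""
    node = key
    for b in x:
        node = _g(node, b)
    return node


def puncture(key: bytes, x: Bits) -> Dict[Bits, bytes]:
    """Puncture_F(K, {x}): keep the sibling of every node on the root-to-x path,
    indexed by the input prefix it covers. These |x| seeds determine F(K, y) for
    every y != x, while F(K, x) is the PRG output of a seed that is never revealed,
    which is what 'pseudorandom at punctured points' relies on."""
    punctured: Dict[Bits, bytes] = {}
    node = key
    for d, b in enumerate(x):
        punctured[x[:d] + (1 - b,)] = _g(node, 1 - b)
        node = _g(node, b)
    return punctured


def eval_punctured(punctured: Dict[Bits, bytes], y: Bits) -> Optional[bytes]:
    """Eval_F(K{x}, y): find the stored seed whose prefix covers y and finish the
    descent from it. Returns None exactly when y is the punctured point, since no
    stored prefix is a prefix of x."""
    for d in range(1, len(y) + 1):
        seed = punctured.get(y[:d])
        if seed is not None:
            node = seed
            for b in y[d:]:
                node = _g(node, b)
            return node
    return None


def functionality_preserved(key: bytes, x: int, n: int) -> bool:
    """Check the first condition of Appendix A over the whole (toy) domain:
    the punctured key agrees with K everywhere except at x, where it gives nothing."""
    pk = puncture(key, to_bits(x, n))
    for y in range(2 ** n):
        yb = to_bits(y, n)
        expected = None if y == x else eval_prf(key, yb)
        if eval_punctured(pk, yb) != expected:
            return False
    return True


if __name__ == "__main__":
    k = key_gen()
    print("functionality preserved:", functionality_preserved(k, 0xA5, 8))
    print("punctured key size:", len(puncture(k, to_bits(0xA5, 8))), "seeds")
```

Puncturing a set S rather than a single point is the same idea applied path by path; the scheme in Section 2.2 uses three such PRFs with different extra properties (extracting, statistically injective), which the GGM tree alone does not provide.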
D. Reduction to IND-CPA DE

Here we explain the indistinguishability of Hybrid 3-(p−1)-(1) and Hybrid 3-(p−1)-(2), and of Hybrid 3-(p−1)-(2) and Hybrid 3-(p−1)-(3). We construct a simulator B that runs A: if A can distinguish (1) from (2) or (2) from (3), then B can distinguish the challenge ciphertext c* in the IND-CPA game of DE (see the following figures).

Fig. 1. The reduction process: the indistinguishability of Hybrid 3-(p−1)-(1) and Hybrid 3-(p−1)-(2). [m]_PK denotes an encryption of m under public key PK.

Take Hybrid 3-(p−1)-(2) and Hybrid 3-(p−1)-(3) as an example. B receives PK_C from the challenger of the IND-CPA game of DE, sets PK_a = PK_C and generates a key pair (PK_b, SK_b). B sends (PK_a, PK_b) to the adversary A of the SO-FE game. B chooses a message M*_A = m*_{A,1}, ···, m*_{A,l} from the message space and forms the challenge message pair for the DE challenger from it. The challenger returns a challenge ciphertext c*_B. Then B embeds c*_B into A's challenge ciphertext as shown in Fig. 2.

When A makes the corrupt query ⟨I⟩: B first checks whether p ∈ I; if so, B rewinds and reruns A until p ∉ I; if not, B produces pseudo-randomness using iO(P_Exp) after learning the messages m[I].

When A makes key generation queries ⟨f⟩ (q-bounded): B replaces the decryption key inside SK'_f so that the key of the second part of the double encryption system is used, and sends SK'_f to A.

Fig. 2. The reduction process: the indistinguishability of Hybrid 3-(p−1)-(2) and Hybrid 3-(p−1)-(3).

Finally A outputs its guess of the message, and B uses the p-th component of that guess to answer the DE challenger. So if A guesses the message correctly, B distinguishes the encryptions of m0 and m1 with non-negligible advantage, which breaks the IND-CPA security of DE.

AUTHORS

Yuanyuan Ji was born in Henan, China, on Nov. 10, 1989. She is studying for a master's degree at the University of Chinese Academy of Sciences, Beijing, China.