Yuanyuan Ji1, Haixia Xu2 and Peili Li1
1 Chinese Academy of Sciences, Beijing, China
2 State Key Laboratory of Information Security, Institute of Information Engineering, CAS, Beijing, China
jiyuanyuan@iie.ac.cn, xuhaixia@iie.ac.cn, lipeili@iie.ac.cn
ABSTRACT
Functional encryption (FE) provides more fine-grained control over encrypted data than traditional encryption schemes. The well-accepted security notions for FE are indistinguishability-based security (IND-FE) and simulation-based security (SIM-FE), but these notions are not sufficient in every setting. For example, if an adversary can access a vector of ciphertexts and can ask to open some information about the messages, such as the coins used in the encryption or a secret key in the multi-key setting, is the privacy of the unopened messages still guaranteed? This is called a selective opening attack (SOA).
In this paper, we propose a stronger security notion for FE, security against SOA (which we call SO-FE), and propose a concrete construction of an SO-FE scheme in the standard model. Our scheme is a non-adaptive IND-FE which satisfies selective opening security in the simulation sense. In addition, the scheme can encrypt messages of any bit length rather than bitwise, and it is secure against SOA-C and SOA-K simultaneously, whereas the two attacks were previously treated in different models. By choosing the functionality f, our scheme specializes to IBE, ABE and even PE schemes secure against SOA.
KEYWORDS
Functional encryption, Selective opening attack, Indistinguishability obfuscation, Deniable
encryption
1. INTRODUCTION
Traditional encryption schemes provide rather coarse-grained access to encrypted data: the receiver obtains the message in its entirety if he possesses the right key, and learns nothing without it. Thus a new kind of encryption, functional encryption (FE), with much more fine-grained control, has been extensively studied. FE was introduced by Boneh, Sahai and Waters [13]. In an FE scheme, whoever owns the key SKf can decrypt a ciphertext of m to obtain the value f(m), and it is required that the user learns nothing other than f(m).
There are two well-accepted security notions for FE: indistinguishability-based security (IND-FE) and simulation-based security (SIM-FE) [13]. But these notions cannot satisfy every need, because of the different modes of attack; here we consider selective opening attacks.
David C. Wyld et al. (Eds) : NETCOM, NCS, WiMoNe, CSEIT, SPM - 2015
pp. 115–130, 2015. © CS & IT-CSCP 2015
DOI : 10.5121/csit.2015.51610
Computer Science & Information Technology (CS & IT)
Selective opening security was first investigated for traditional public key encryption by Bellare, Hofheinz and Yilek [10] in 2009. In the public key encryption setting there are two kinds of selective opening attack (SOA). One is coin-revealing SOA (SOA-C): an adversary obtains a number of ciphertexts and then corrupts a subset of the senders, obtaining not only the corresponding messages but also the coins under which they were encrypted; the unopened messages should still remain private. The other is key-revealing SOA (SOA-K): an adversary obtains a number of ciphertexts encrypted under different public keys, then the receivers are asked to reveal a subset of the corresponding decryption keys; the remaining messages should remain secure. Creating an encryption scheme secure against SOA has practical importance. In the complex environment of cloud computing, shares in a distributed file system are allotted to different servers to perform a task; if a subset of the distributed servers are corrupted by an adversary who obtains the encrypted messages as well as the randomness, can the messages held by the other, uncorrupted servers remain secure?
Achieving security against SOA is challenging, but even so there have been several works that achieve this goal ([5], [6], [8], [4], [9], [7]). There are two flavors of definitions that capture security under selective opening attacks: simulation-based selective opening security (SIM-SO) and indistinguishability-based selective opening security (IND-SO) [5]. Because the IND-SO notion requires that the joint plaintext distribution be efficiently conditionally re-samplable, which restricts SOA security to a limited setting, we only consider SIM-SO security. SO-secure PKE was investigated by Bellare et al. [5] in 2009, who showed that any lossy encryption scheme achieves SO security. Later on, several other SOA-secure PKE schemes were constructed ([6], [9], [8]). In 2011, with the development of IBE, Bellare, Waters and Yilek [11] introduced SOA to IBE. In IBE, ciphertexts and secret keys SKID are generated according to the corresponding target identity ID, only the right SKID can open the ciphertexts, and an adversary may make many key queries for identities ID different from the challenge ID. Later, Junzuo Lai et al. [12] proposed a concrete CCA2-secure SO-IBE scheme. However, almost all known SO-IBE schemes use the technique of one-sided public openability, which means these schemes have to encrypt bit by bit and are comparatively inefficient; it is challenging to construct an SOA-secure IBE scheme that is not bitwise.
FE seems different from PKE or IBE, but it likewise aims to keep the encrypted message secret even though the adversary can obtain some special information, namely SKf. If the adversary additionally has the ability to open part of the messages and obtain the randomness used in the encryption, can the security of the unopened messages still be kept?
[13] and [15] proved that simulation-secure FE cannot be achieved in the standard model. So in this paper, we focus on a construction that is IND-secure as an FE scheme and simulation-based secure against SOA.
1.1 Related Works
With the development of indistinguishability obfuscation (io), many difficult cryptographic tasks have become achievable. In 2013, [16] proposed a concrete construction of functional encryption for all circuits. In their scheme, SKf is generated using indistinguishability obfuscation; at the same time, the ciphertext consists of a double encryption of the same message together with a statistically simulation-sound NIZK (SSS-NIZK) proof that the ciphertext is well-formed. With the help of io, their scheme hides the important steps (decryption and computation) inside SKf. In 2014, Sahai and Waters [3] introduced a new technique, punctured programs. They proposed an effective method to transform private key encryption into public key encryption, and they designed a deniable encryption scheme, solving a problem that had been open for 16 years [2]. In deniable encryption, if a sender is forced to reveal to an adversary both his message and the randomness used in encryption, he should be able to provide fake randomness and a fake message that will make the adversary believe the ciphertext is an encryption of the fake message.
1.2 Our Contributions
The contribution of this work consists of two steps. We first propose a new security model of functional encryption secure against selective opening attacks (revealing both coins and private keys), which we call SO-FE, and then propose a concrete construction of an SO-FE scheme for general functions in the standard model, without random oracles. In view of the impossibility result for SIM-FE in the standard model and the limitation of IND-SO, our scheme is indistinguishability-based secure as an FE scheme and simulation-based secure against SOA.
In our scheme, we combine coin-revealing selective opening security and key-revealing selective opening security, owing to the special property of the KeyGen process of FE. Previously, SOA-C and SOA-K were considered in different settings; in particular, SOA-K only arises in multi-key encryption, whereas in FE key queries are meaningful even though all ciphertexts are encrypted under the same public key.
The SO-FE scheme can be applied to special cases such as SO-IBE, SO-ABE and SO-PE schemes. Thus, using io, we obtain many encryption schemes secure against selective opening attacks. So far only SO-IBE schemes exist (ABE or PE schemes secure against SOA have not been proposed). Moreover, all known SO-IBE schemes are bitwise, while our scheme can encrypt messages of any bit length.
1.3 Our Technique
There are two difficult challenges in achieving this goal. The first is the corrupt query of coins in the SOA-C process: when the adversary chooses a set I and asks to open the corresponding messages and randomness, how can the simulator provide eligible randomness that is indistinguishable from the real one? The second is the key queries in the SOA-K process, a feature of FE security formalizations since [13] that allows the adversary to obtain the decryption key for any reasonable functionality f of his choice; but how should reasonability be defined in an SOA-based security model?
To solve the first problem, we adopt deniable encryption (DE, refer to Section 2.2), which can output a fake randomness r0 satisfying DEEnc(pkDE, m0, r0) = C. This special property of DE lets the simulator generate fake randomness that convinces the adversary that the opened coins match the opened ciphertexts and the opened messages.
To solve the second problem, we impose restrictions on the adversary's choice of the functions that can be queried to key generation. Here we define reasonable functions.
Intuition. We start by giving an overview of the main ideas behind our SOA-based security definition. To convey the core ideas, it suffices to consider the simple case X = (m1, m2, f(m1, m2)) with mi ∈ {0,1}. Suppose that the adversary queries a secret key for the function f. Recall that the IND-security definition guarantees that an adversary cannot differentiate between encryptions of x0 and x1 as long as f(x0) = f(x1) for every queried f; this is the only restriction of the IND-security definition. In the SOA security model, this restriction on f is not enough, since an adversary can learn part of the message by making the corrupt query for I. For example, an adversary can make the query I = {1} and learn m1; by using the key query for f, it can then learn f(m1, m2). In particular, if f(m1, 0) ≠ f(m1, 1), it is easy to guess the unopened message m2. Obviously such an f makes no sense in an SOA-based security definition. So we place the following limitation on f: if the input of f contains elements of the set m[I], which is opened in the corrupt query phase, then, with those elements of m[I] fixed, the value of f must be the same no matter what the other inputs are. That is to say, if ∃ i such that xi ∈ m[I], the values f(···, xi, ···) are all equal (··· can be any value). Below, we present a unified definition of reasonable function.
Reasonable Function. Let M = {m1, ···, ml} and X = {x1, ···, xl} be any messages of the message space M, where M is the challenge message, and let I = {i1, ···, it} ⊆ {1, ···, l} be the query in the SOA-C process. Define ⟨y1, y2, ···, yl⟩ to denote a permutation of the values y1, ···, yl such that the value yi is mapped to the k-th location if yi is the k-th input to f. Thus X = ⟨X_I, X_Ī⟩, where X_I are the coordinates of X indexed by I and X_Ī are the remaining (unopened) coordinates.
Definition 1 (Reasonability). Let {f} be a set of functions f ∈ F. We say f is reasonable if f⟨X_I, X_Ī⟩ = f⟨X_I, X'_Ī⟩ for all X, X' ∈ M.
What we want to emphasize is that the key query and the corrupt query influence each other. The key queries can increase the knowledge of the adversary, which can affect the choice of I; the corrupt query for I can make the adversary learn more about the message and can affect the choice of the functionality f. In our scheme, we impose a restriction on the sequence of queries (the key queries for f must be made after the corrupt query for I) to remove the effect of the key queries on I; at the same time, in the KeyGen phase we limit the choice of f, on the basis of the opened messages in m[I], to remove the effect of the corrupt query, because an adversary may choose some special f in view of m[I] that leaks information about the unopened messages.
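As an added illustration (not part of the original paper), the following Python script brute-forces Definition 1 over a small message space: for each fixing of the opened coordinates X_I it checks whether f is constant over all choices of the unopened coordinates, and otherwise returns a pair X, X' that witnesses the leak, which is exactly the guess of the unopened message described in the intuition above. The function names and the example functionalities (AND, projection, parity) are ours.

```python
"""Brute-force check of Definition 1 (reasonable function) over a small message space.

Added example; not part of the original paper. Function and variable names are ours.
Positions are 1-indexed as in the paper: I is the set of opened positions and
X_I / X_Ibar denote the opened / unopened coordinates of X.
"""
from itertools import product
from typing import Callable, Iterable, Optional, Sequence, Tuple

Witness = Tuple[tuple, tuple, object, object]  # (X, X', f(X), f(X'))


def leak_witness(f: Callable[..., object], alphabet: Sequence[object], l: int,
                 opened: Iterable[int]) -> Optional[Witness]:
    """Return None if f is reasonable w.r.t. I = opened; otherwise a pair X, X'
    that agree on X_I but give f(X) != f(X'), i.e. f leaks an unopened coordinate."""
    I = set(opened)
    if not I <= set(range(1, l + 1)):
        raise ValueError("opened positions must lie in 1..l")
    opened_pos = sorted(I)
    unopened_pos = [i for i in range(1, l + 1) if i not in I]

    def assemble(x_I, x_rest) -> tuple:
        x = [None] * l
        for pos, v in zip(opened_pos, x_I):
            x[pos - 1] = v
        for pos, v in zip(unopened_pos, x_rest):
            x[pos - 1] = v
        return tuple(x)

    # Fix the opened coordinates, then sweep the unopened ones: f must not move.
    for x_I in product(alphabet, repeat=len(opened_pos)):
        first_x, first_val = None, None
        for x_rest in product(alphabet, repeat=len(unopened_pos)):
            x = assemble(x_I, x_rest)
            val = f(*x)
            if first_x is None:
                first_x, first_val = x, val
            elif val != first_val:
                return (first_x, x, first_val, val)
    return None


def is_reasonable(f, alphabet, l, opened) -> bool:
    return leak_witness(f, alphabet, l, opened) is None


# Example functionalities over bits (constructed for the demo).
def f_and(m1, m2):
    return m1 & m2


def f_first(m1, m2):
    return m1


def f_parity(m1, m2, m3):
    return m1 ^ m2 ^ m3


if __name__ == "__main__":
    bits = (0, 1)
    # I = {1}: AND is not reasonable, since f(1,0) != f(1,1) reveals m2 once m1 = 1 is opened.
    print("AND, I={1}:", leak_witness(f_and, bits, 2, {1}))
    # I = {1}: the projection onto m1 only depends on the opened coordinate, so it is reasonable.
    print("m1, I={1}:", is_reasonable(f_first, bits, 2, {1}))
    # I = {2}: the same projection now leaks the unopened m1.
    print("m1, I={2}:", leak_witness(f_first, bits, 2, {2}))
    # I = {1,2}: parity of three bits leaks m3.
    print("parity, I={1,2}:", leak_witness(f_parity, bits, 3, {1, 2}))
```

The witness returned for AND with I = {1} is ((1, 0), (1, 1), 0, 1): both inputs share the opened value m1 = 1, yet f differs, so SKf would let the adversary read m2. Note that the definition forces a reasonable f to depend on the opened coordinates only, which is why the projection onto m1 passes for I = {1} but fails for I = {2}.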
2. PRELIMINARIES
2.1 Functional encryption
A functional encryption scheme for a functionality f is a tuple of four algorithms:
Setup. This is a PPT algorithm that takes the security parameter as input. It outputs a public key and master secret key pair (PK, MSK).
Key Generation. This is a PPT algorithm that takes as input a functionality f and the master secret key MSK. It outputs a decryption key SKf.
Encryption. This is a PPT algorithm that takes as input a message m and the public parameter PK. It outputs the ciphertext C.
Decryption. This algorithm takes the ciphertext C and the decryption key SKf as input, and outputs f(m).
We utilize Garg et al.'s [16] construction of FE (two-key double encryption):
Setup. Generate (PKa, SKa) ← Setup_PKE, (PKb, SKb) ← Setup_PKE, and crs ← Setup_NIZK.
Key Generation(MSK, f). SKf = io(Pf) (refer to the following table).
Encryption(m). c = (c1, c2, π), where c1 = Enc(PKa; m, r1), c2 = Enc(PKb; m, r2), and π is a NIZK proof of the fact that ∃ m, r1, r2 : c1 = Enc(PKa; m, r1) ∧ c2 = Enc(PKb; m, r2).
Decryption. Compute SKf(c).
2.2 Deniable Encryption
An encryption scheme is deniable if the sender can generate fake randomness that makes the ciphertext look like an encryption of a different plaintext, thus keeping the real message private. A deniable encryption scheme consists of the following algorithms:
SetupDE. This is a PPT algorithm that takes the security parameter as input. It outputs a public and secret key pair (pkDE, skDE).
EncDE. This is a PPT algorithm that takes as input a message m, the public parameter pkDE and randomness r, and outputs the ciphertext C.
DecDE. This algorithm takes C and the decryption key skDE as input, and outputs m.
ExpDE. This is a PPT algorithm that takes C and m0 as input. It outputs a fake randomness r0 which satisfies EncDE(pkDE, m0, r0) = C.
We utilize Sahai and Waters' [3] construction of DE. Bellare et al. [4] proved that no committing (binding) encryption scheme can be simulation-based SOA secure. That is why we use deniable encryption to realize our scheme. Specifically, we use the deniable encryption scheme of Sahai and Waters [3]. The scheme is proved IND-CPA secure for one-bit messages using the punctured-programs technique, but it is not hard to generalize from one bit to a message string.
SetupDE. (pk_PKE, sk_PKE) ← Setup_PKE. F1 is a puncturable extracting PRF, F2 is a puncturable statistically injective PRF, F3 is a puncturable PRF, and (K1, K2, K3) are the keys of the corresponding puncturable PRFs. pkDE = (io(PEnc), io(PExp)), skDE = sk_PKE.
EncDE. c = io(PEnc)(m, r).
DecDE. m = Dec_PKE(skDE, c).
ExpDE. r0 ← io(PExp)(c, m0, s), such that EncDE(pkDE, m0, r0) = c (s is fresh randomness).
3. THE DEFINITION OF SO-FE
We now propose the security model of functional encryption secure against selective opening attacks, which we call SO-FE.
Definition 2. We define two games, GameREAL and GameSIM (refer to the following table).
GameREAL:
Setup. The challenger runs the Setup algorithm of FE, generates (PK, MSK) and gives the public parameters to the adversary.
Challenge. The adversary chooses a message distribution. The challenger chooses a message M from the distribution and encrypts M. The ciphertext C is sent to the adversary.
Corrupt query. The adversary makes one query to corrupt a set I (I ⊂ {1, 2, ···, l}); the challenger returns the messages m[I] and the randomness r[I] used in the challenge phase corresponding to I.
Key Query. The adversary is allowed to issue key generation queries. That is to say, the adversary outputs a function f to the challenger (f must be reasonable); the challenger then runs KeyGen on f to generate the corresponding private key SKf and sends SKf to the adversary.
Final. The adversary guesses M.
GameSIM:
Setup. The simulator generates (PK, MSK) and sends PK to the adversary.
Challenge. The simulator chooses a message M0 from the distribution and encrypts M0. The ciphertext C' is sent to the adversary; it must be indistinguishable from C in GameREAL.
Corrupt query. The adversary makes one query to corrupt a set I; the simulator runs the Oracle to get the messages m[I] ⊆ M of GameREAL and generates fake randomness r*[I] which satisfies C'[I] = EncFE(m[I], r*[I]).
Key Query. The simulator runs KeyGen on f to generate SKf and sends SKf to the adversary.
Final. The adversary guesses M.
We define the advantage of the adversary in this SO-FE game as
AdvSO−FE(A) = |Pr[GameREAL ⇒ true] − Pr[GameSIM ⇒ true]|.
A functional encryption scheme is secure against SOA if every polynomial-time adversary A has at most a negligible advantage in the game.
Our scheme is post SO-FE, that is to say, the KeyGen queries for f must be made after the corrupt query for I. There are two reasons why our scheme is required to be post secure. One is to make sure the adversary chooses the set I without the help of the KeyGen queries: in the security proof, the simulator runs the adversary and uses rewinding after the corrupt query ⟨I⟩ until the challenge ciphertext it embeds is not contained in I. The other is to make sure there is no leakage of information about the challenge plaintext after the adversary receives SKf, because we restrict the functions that can be queried based on I. The specific reasons can be found in the security proof in Section 5.
4. A CONSTRUCTION OF SO-FE
We now give our construction of an SO-FE scheme. Our construction is based on Garg et al.'s FE scheme, combined with the SW DE scheme: the double public key encryption in the FE scheme is replaced with a double DE.
Let M = (m1, m2, ···, ml) with mi ∈ {0,1}^n. We have:
SetupSO−FE: The Setup algorithm first runs Setup_NIZK to get crs and runs Setup_DE twice to get (pk_a, sk_a) and (pk_b, sk_b). (We utilize the SW DE scheme introduced in Section 2; K_i^a, K_i^b (i = 1, 2, 3) are the keys of F1, F2, F3 in the two DE instances.)
EncSO−FE: For all i = 1, ···, l and each instance in {a, b}, choose randomness r_i^a, r_i^b. Check whether the randomness falls into the trigger set S of the DE scheme (S is given in Section 5, Hybrid 1); if it does, choose the randomness again until it does not satisfy that condition. Then compute
c_i^a = io(PEnc^a)(m_i, r_i^a),
c_i^b = io(PEnc^b)(m_i, r_i^b),
and create a NIZK proof π_i ← Prove_NIZK(crs, (c_i^a, c_i^b), (r_i^a, r_i^b, m_i)) of the fact that ∃ m_i, r_i^a, r_i^b : c_i^a = EncDE(pk_a; m_i, r_i^a) ∧ c_i^b = EncDE(pk_b; m_i, r_i^b). The ciphertext is C = ((c_i^a, c_i^b, π_i))_{i=1,···,l}.
KeyGenSO−FE: Create an obfuscation of the program in Table 3 and output SKf = io(PKeyGen).
DecSO−FE: Compute SKf(C).
5. THE SECURITY OF SO-FE
The SO-FE scheme in Section 4 is a SIM-SO FE scheme; the security model is given in Section 3. We now give the security proof.
Theorem 1. If io is an indistinguishability obfuscator, DE is IND-CPA secure and the NIZK is statistically simulation sound, then the scheme is a non-adaptively secure SO-FE.
Proof. In order to prove that the FE scheme is SIM-SO secure, we need to construct a simulator which runs in GameSIM and simulates everything the adversary sees in GameREAL. That is to say,
|Pr(GameREAL ⇒ true) − Pr(GameSIM ⇒ true)| ≤ neg(·).
In short, the simulator needs to create equivocable ciphertexts as the challenge ciphertexts and then open them accordingly. Here we must make sure the equivocable ciphertexts are indistinguishable from real encryptions of the messages in the REAL setting. In order to provide the environment of GameREAL to the adversary, in the corrupt phase the simulator first gets the corrupted messages from the Oracle in GameSIM and then outputs to the adversary fake randomness that is indistinguishable from the real randomness used in the encryption (here we use the technique of DE).
We prove the theorem through a series of hybrids:
Hybrid 0: Let A be an arbitrary adversary in GameREAL of the SO-FE security model. The challenger first generates (PK, MSK) and sends the public key to the adversary. Then the challenger chooses the message M from the message space M and encrypts it by running EncSO−FE. Later the adversary makes a corrupt query and some key generation queries; the challenger sends m[I], r[I] to A (r[I] is the real randomness used in the encryption of m[I]). Finally, A gives its guess of the message.
We can see Pr(Hybrid0 ⇒ true) = Pr(GameREAL ⇒ true).
Hybrid 1: We define Hybrid 1 to be the same as Hybrid 0, except that in the corrupt phase the challenger first runs the Oracle in GameSIM to get the messages m[I], and for each i ∈ I and each instance β ∈ {a, b} sets s_i^β ← R and r_i^β = io(PExp^β)(c_i^β, m_i, s_i^β). Output r[i] = (r_i^a, r_i^b). (c_i^β is the ciphertext generated by the simulator, and m_i is the output of the Oracle.)
We now claim |Pr(Hybrid0 ⇒ true) − Pr(Hybrid1 ⇒ true)| ≤ neg(·), because the randomness returned in Hybrid 1 and in Hybrid 0 is almost identically distributed in the view of A. The indistinguishability between Hybrid 0 and Hybrid 1 reduces to the explainability of the DE scheme.
In [3], Sahai and Waters proved the explainability of their deniable encryption: if io is an indistinguishability obfuscator, F1 is a puncturable extracting PRF, F2 is a puncturable statistically injective PRF and F3 is a general puncturable PRF, then the generated pseudo-randomness is indistinguishable from real randomness. Meanwhile, in Hybrid 0 the encryption randomness is chosen from the set {0,1}^|r| \ S, where S = {(a, b) | a = F2(K2, F3(K3, a) ⊕ b), a ∈ {0,1}^|r1|, b ∈ {0,1}^|r2|}. Now consider the size of S: for any fixed a there exists at most one preimage a0 with F2(K2, a0) = a, because F2 is a puncturable statistically injective PRF, so b = a0 ⊕ F3(K3, a) is uniquely determined. Hence |S| ≤ 2^|r1|, and the probability that uniformly chosen randomness r = (a, b) ∈ {0,1}^(|r1|+|r2|) falls into S is at most 2^|r1| / 2^(|r1|+|r2|) = 2^(−|r2|), which is negligible if r2 is long enough.
Hybrid 2: We define Hybrid 2 to be the same as Hybrid 1 except that in the KeyGen query phase the challenger returns SK'_f (defined in the following table) instead of SKf. Our scheme is non-adaptively secure: the KeyGen queries are made after the challenge phase. It is easy to see that SK'_f and SKf are indistinguishable, so |Pr(Hybrid1 ⇒ true) − Pr(Hybrid2 ⇒ true)| ≤ neg(·). The indistinguishability between Hybrid 1 and Hybrid 2 reduces to the indistinguishability of io.
Hybrid 3−p (0 ≤ p ≤ q): We define Hybrid 3−p to be the same as Hybrid 2 except that in the challenge phase, if i ≤ p, we replace the real challenge ciphertexts by new ones generated by the simulator (specifically, the simulator chooses messages m_i = 1^n and sends their ciphertexts to A); if p < i ≤ q, the simulator sends the real challenge ciphertexts to A.
We can see Pr(Hybrid3−0 ⇒ true) = Pr(Hybrid2 ⇒ true) and Pr(Hybrid3−q ⇒ true) = Pr(GameSIM ⇒ true). So our aim is to prove |Pr(Hybrid3−0 ⇒ true) − Pr(Hybrid3−q ⇒ true)| ≤ neg(·). Hybrid 3−p is defined in the following Table 7.
We now explain the indistinguishability between Hybrid 3−p and Hybrid 3−(p−1). To prove it, we first define the following hybrids and then reduce their indistinguishability to the IND-CPA security of DE.
Hybrid 3−(p−1)−(0): This hybrid is the same as Hybrid 3−(p−1).
Hybrid 3−(p−1)−(1): This hybrid uses the trapdoor of the NIZK to generate a fake proof, so that the adversary believes the two ciphertexts of the double encryption are encryptions of the same message.
Hybrid 3−(p−1)−(2): This hybrid changes the pth ciphertext; its proof component is a fake proof generated by SimNIZK.
Hybrid 3−(p−1)−(3): This hybrid is the same as Hybrid 3−(p−1)−(2) except that the pth ciphertext is changed again and, in the obfuscated program of the KeyGen query phase, the decryption key is replaced so that the key of the second part of the double encryption system is used. It is not hard to see that Hybrid 3−(p−1)−(3) is identical to Hybrid 3−p.
If the SSS-NIZK is computationally zero-knowledge, then Hybrid 3−(p−1)−(0) and Hybrid 3−(p−1)−(1) are indistinguishable. For the indistinguishability between (1) and (2), or between (2) and (3), we reduce the problem to the IND-CPA security of DE. That is to say, we construct a simulator B that runs A: if there is an A who can distinguish (1) and (2), or (2) and (3), then there is an adversary B who can distinguish the challenge ciphertext c* in the IND-CPA game of DE. The reduction is given in the appendix. So
6. CONCLUSION
This paper proposed a stronger security notion for FE, security against SOA, and a concrete construction of an SO-FE scheme. Much work remains for the future, for example how to construct an SO-FE scheme without indistinguishability obfuscation.
ACKNOWLEDGEMENTS
We would like to thank all workers who have helped us to make the paper better.
REFERENCES
[1] Mihir Bellare, Dennis Hofheinz, Scott Yilek: Possibility and impossibility results for encryption and commitment secure under selective opening. EUROCRYPT 2009. LNCS, vol. 5479, pp. 1-35. Springer, Heidelberg (2009)
[2] Ran Canetti, Cynthia Dwork, Moni Naor, Rafail Ostrovsky: Deniable Encryption. CRYPTO 1997. Cryptology ePrint Archive, Report 1996/002. pp. 90-104 (1997)
[3] Amit Sahai, Brent Waters: How to Use Indistinguishability Obfuscation: Deniable Encryption, and More. STOC 2014. Cryptology ePrint Archive, Report 2013/454. pp. 475-484 (2014)
[4] Mihir Bellare, Rafael Dowsley, Brent Waters, Scott Yilek: Standard security does not imply security against selective-opening. EUROCRYPT 2012. LNCS, vol. 7237, pp. 645-662. Springer, Heidelberg (2012)
[5] Mihir Bellare, Dennis Hofheinz, Scott Yilek: Possibility and impossibility results for encryption and commitment secure under selective opening. EUROCRYPT 2009. LNCS, vol. 5479, pp. 1-35. Springer, Heidelberg (2009)
[6] Serge Fehr, Dennis Hofheinz, Eike Kiltz, Hoeteck Wee: Encryption schemes secure against chosen-ciphertext selective opening attacks. EUROCRYPT 2010. LNCS, vol. 6110, pp. 381-402. Springer, Heidelberg (2010)
[7] Zhengan Huang, Shengli Liu, Baodong Qin: Sender-equivocable encryption schemes secure against chosen-ciphertext attacks revisited. PKC 2013. LNCS, vol. 7778, pp. 369-385. Springer, Heidelberg (2013)
[8] Brett Hemenway, Benoît Libert, Rafail Ostrovsky, Damien Vergnaud: Lossy encryption: Constructions from general assumptions and efficient selective opening chosen ciphertext security. ASIACRYPT 2011. LNCS, vol. 7073, pp. 70-88. Springer, Heidelberg (2011)
[9] Dennis Hofheinz: All-but-many lossy trapdoor functions. EUROCRYPT 2012. LNCS, vol. 7237, pp. 209-227. Springer, Heidelberg (2012)
[10] Mihir Bellare, Scott Yilek: Encryption schemes secure under selective opening attack. IACR Cryptology ePrint Archive, Report 2009/101 (2009)
[11] Mihir Bellare, Brent Waters, Scott Yilek: Identity-based encryption secure against selective opening attack. TCC 2011. LNCS, vol. 6597, pp. 235-252. Springer, Heidelberg (2011)
[12] Junzuo Lai, Robert H. Deng, Shengli Liu, Jian Weng, Yunlei Zhao: Identity-Based Encryption Secure against Selective Opening Chosen-Ciphertext Attack. EUROCRYPT 2014. LNCS, vol. 8441, pp. 77-92. Springer, Heidelberg (2014)
[13] Dan Boneh, Amit Sahai, Brent Waters: Functional Encryption: Definitions and Challenges. TCC 2011. LNCS, vol. 6597, pp. 253-273. Springer, Heidelberg (2011)
[14] Florian Böhl, Dennis Hofheinz, Daniel Kraschewski: On definitions of selective opening security. PKC 2012. LNCS, vol. 7293, pp. 522-539. Springer, Heidelberg (2012)
[15] Mihir Bellare, Adam O'Neill: Semantically-secure functional encryption: Possibility results, impossibility results and the quest for a general definition. Cryptology ePrint Archive, Report 2012/515 (2012)
[16] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sahai, Brent Waters: Candidate Indistinguishability Obfuscation and Functional Encryption for All Circuits. FOCS 2013, IEEE Computer Society, pp. 40-49 (2013)
[17] Dan Boneh, Brent Waters: Constrained pseudorandom functions and their applications. IACR Cryptology ePrint Archive, Report 2013/352 (2013)
APPENDIX
A. Puncturable PRF
A puncturable family of PRFs F mapping {0,1}^n(λ) → {0,1}^m(λ) is given by a triple of Turing machines (KeyF, PunctureF, EvalF) satisfying the following conditions:
Functionality preserved under puncturing. For every PPT adversary A such that A(1^λ) outputs a set S ⊆ {0,1}^n(λ), and for K ← KeyF(1^λ) and KS = PunctureF(K, S), evaluation with the punctured key agrees with evaluation with the original key on every input x ∉ S: EvalF(KS, x) = EvalF(K, x).
Pseudorandom at punctured points. For every PPT adversary A such that A(1^λ) outputs a set S ⊆ {0,1}^n(λ) and state σ, consider an experiment where K ← KeyF(1^λ) and KS = PunctureF(K, S). For any PPT distinguisher D, we have
|Pr[D(σ, KS, S, EvalF(K, S)) = 1] − Pr[D(σ, KS, S, U_{m(λ)·|S|}) = 1]| ≤ neg(λ).
Definition 3. A puncturable statistically injective PRF family with failure probability ε(·) is a family of PRFs F such that with probability 1 − ε(λ) over the random choice of the key K ← KeyF(1^λ), the function F(K, ·) is injective.
Definition 4. A puncturable extracting PRF family with error ε(·) for min-entropy k(·) is a family of PRFs F mapping {0,1}^n(λ) → {0,1}^m(λ) such that for all λ, if X is any distribution over {0,1}^n(λ) with min-entropy greater than k(λ), then the statistical distance between (K ← KeyF(1^λ), F(K, X)) and (K ← KeyF(1^λ), U_{m(λ)}) is at most ε(λ).
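The triple (KeyF, PunctureF, EvalF) above is abstract. As an added example that is not from the paper or from [17], here is the standard GGM tree construction of a puncturable PRF in Python, with HMAC-SHA256 standing in for the length-doubling PRG (an assumption of the example). Puncturing at x* hands out the sibling node at every level of the root-to-x* path, which suffices to evaluate everywhere except x*; the check function exercises the "functionality preserved" condition and confirms that evaluation at the punctured point fails. The names, the 16-bit input length and the PRG choice are ours.

```python
"""GGM-style puncturable PRF (added example; not the paper's or [17]'s code).

Assumptions of this example: HMAC-SHA256 keyed by the node seed is used as the
length-doubling PRG G(s) = (G0(s), G1(s)); inputs are N_BITS-bit integers.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable

N_BITS = 16  # input length n; small so the demo runs instantly


def _prg(seed: bytes) -> tuple:
    """Length-doubling PRG: two 32-byte children of a 32-byte node."""
    left = hmac.new(seed, b"\x00", hashlib.sha256).digest()
    right = hmac.new(seed, b"\x01", hashlib.sha256).digest()
    return left, right


def _bits(x: int) -> str:
    if not 0 <= x < (1 << N_BITS):
        raise ValueError("input out of domain")
    return format(x, f"0{N_BITS}b")


def _descend(node: bytes, path: str) -> bytes:
    for b in path:
        node = _prg(node)[int(b)]
    return node


def key_gen() -> bytes:
    """KeyF: the root seed of the GGM tree."""
    return secrets.token_bytes(32)


def eval_full(k: bytes, x: int) -> bytes:
    """EvalF with the unpunctured key: walk the tree along the bits of x."""
    return _descend(k, _bits(x))


def puncture(k: bytes, x_star: int) -> Dict[str, bytes]:
    """PunctureF for S = {x*}: keep the sibling node at every level of the
    root-to-x* path, indexed by the prefix that node covers. The nodes on the
    path itself (and therefore the leaf at x*) are discarded."""
    path = _bits(x_star)
    punctured: Dict[str, bytes] = {}
    node = k
    for depth, b in enumerate(path):
        left, right = _prg(node)
        if b == "0":
            punctured[path[:depth] + "1"] = right
            node = left
        else:
            punctured[path[:depth] + "0"] = left
            node = right
    return punctured


def eval_punctured(k_s: Dict[str, bytes], x: int) -> bytes:
    """EvalF with a punctured key: any x != x* diverges from x* at some bit, so
    exactly one stored sibling covers a prefix of x; descend from there."""
    path = _bits(x)
    for prefix, node in k_s.items():
        if path.startswith(prefix):
            return _descend(node, path[len(prefix):])
    raise ValueError("cannot evaluate at the punctured point")


def check_functionality_preserved(k: bytes, x_star: int, samples: Iterable[int]) -> bool:
    """'Functionality preserved under puncturing': the punctured key must agree
    with the full key on every sampled x != x*, and must fail at x* itself."""
    k_s = puncture(k, x_star)
    for x in samples:
        if x == x_star:
            continue
        if eval_punctured(k_s, x) != eval_full(k, x):
            return False
    try:
        eval_punctured(k_s, x_star)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k = key_gen()
    x_star = 0x1234
    print("punctured key holds", len(puncture(k, x_star)), "sibling nodes")
    print("functionality preserved:",
          check_functionality_preserved(k, x_star, [0, 1, x_star - 1, x_star + 1, (1 << N_BITS) - 1]))
```

The punctured key is N_BITS nodes rather than the whole tree, and pseudorandomness at x* follows from the PRG: the only way to reach the leaf at x* is through the discarded path nodes. Statistical injectivity (Definition 3) and extraction (Definition 4) are separate properties that this plain GGM construction does not provide on its own.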
B. Indistinguishability Obfuscator
A uniform PPT machine io is called an indistinguishability obfuscator (io) for a circuit family {Cλ} if the following conditions are satisfied:
Functionality preserved. For all security parameters λ ∈ N, for all C ∈ {Cλ}, for all inputs x, we have
Pr[C'(x) = C(x) : C' ← io(λ, C)] = 1.
Indistinguishability. For any PPT distinguisher D, for all security parameters λ ∈ N, for all pairs of circuits C0, C1 ∈ {Cλ} which satisfy Pr[∀x, C0(x) = C1(x)] > 1 − neg(·), we have
|Pr[D(io(λ, C0)) = 1] − Pr[D(io(λ, C1)) = 1]| ≤ neg(λ).
C. NIZK
A non-interactive zero-knowledge proof system (NIZK) consists of three algorithms NIZK = (Setup, Prove, Ver): crs ← Setup(1^k), π ← Prove(crs, stmt, w), b ← Ver(crs, stmt, π), where k is the security parameter, crs is the common reference string, stmt is the statement, w is a witness and π is the proof; b ∈ {0, 1} means rejection or acceptance.
Completeness. Pr[crs ← Setup, π ← Prove(crs, stmt, w) : Ver(crs, stmt, π) = 1] = 1.
Soundness. Pr[crs ← Setup, ∃ (stmt, π) : (stmt ∉ L) ∧ Ver(crs, stmt, π) = 1] ≤ neg(·).
Zero-knowledge. There exists a simulator S = (SimSetup, SimProve) such that for all PPT adversaries A, the advantage of A in distinguishing real (crs, π) from simulated ones is negligible.
In [16], the FE scheme uses a statistically simulation-sound NIZK, which they call SSS-NIZK, and Garg et al. proposed a concrete construction of SSS-NIZK. Informally, a NIZK system is statistically simulation sound if, under a simulated crs, there is no valid proof for any false statement, except for the simulated proofs for the statements fed into the SimSetup algorithm to generate the crs. That is to say, f
D. Reduction to IND-CPA DE
Here we explain the indistinguishability between Hybrid 3−(p−1)−(1) and Hybrid 3−(p−1)−(2), and between Hybrid 3−(p−1)−(2) and Hybrid 3−(p−1)−(3). We construct a simulator B that runs A: if there is an A who can distinguish (1) and (2), or (2) and (3), then there is an adversary B who can distinguish the challenge ciphertext c* in the IND-CPA game of DE (refer to the following figures).
Fig. 1. The reduction process: the indistinguishability between Hybrid 3−(p−1)−(1) and Hybrid 3−(p−1)−(2). [m]PK denotes the encryption of m under the public key PK.
Take Hybrid 3−(p−1)−(2) and Hybrid 3−(p−1)−(3) as an example:
B gets PK_C from the challenger of the IND-CPA game of DE, sets PKa = PK_C and generates a key pair (PKb, SKb). B sends (PKa, PKb) to the adversary A in the SOA game of FE. B chooses a message M*_A = (m*_{A,1}, ···, m*_{A,l}) from the message space and forms from it the challenge messages it submits to the DE challenger. The challenger returns a challenge ciphertext c*_B. Then B embeds c*_B into the challenge ciphertext of A in the following way (see Fig. 2).
When A makes the corrupt query ⟨I⟩: B first checks whether p ∈ I; if yes, B rewinds and reruns A until p ∉ I; if not, B produces pseudo-randomness using io(PExp) after learning the messages m[I].
When A makes key generation queries ⟨f⟩ (q-bounded): B replaces the decryption key inside SK'_f so that the key of the second part of the double encryption system is used for decryption, then sends it to A.
Fig. 2. The reduction process: the indistinguishability between Hybrid 3−(p−1)−(2) and Hybrid 3−(p−1)−(3).
Finally A outputs its guess M0, and B uses the pth component of the guess to answer the DE challenger. So if A guesses the message correctly, B can distinguish between the ciphertexts of m0 and m1 with non-negligible advantage, which breaks the IND-CPA property of DE.
AUTHORS
Yuanyuan Ji was born in Henan, China, on Nov. 10, 1989. She is studying for a master's degree at the University of Chinese Academy of Sciences, Beijing, China.