A Public Key Encryption Scheme Secure against
Key Dependent Chosen Plaintext and Adaptive
Chosen Ciphertext Attacks
Jan Camenisch1 , Nishanth Chandran2 , and Victor Shoup3
1
3
IBM Research, work funded by the European Community’s Seventh Framework
Programme (FP7/2007-2013) under grant agreement no. 216483
2
UCLA, work done while visiting IBM Research
NYU, work done while visiting IBM Research, supported by NSF award number
CNS-0716690
Abstract. Recently, at Crypto 2008, Boneh, Halevi, Hamburg, and Ostrovsky (BHHO) solved the long-standing open problem of “circular encryption,” by presenting a public key encryption scheme and proving
that it is semantically secure against key dependent chosen plaintext
attack (KDM-CPA security) under standard assumptions (and without
resorting to random oracles). However, they left as an open problem that
of designing an encryption scheme that simultaneously provides security
against both key dependent chosen plaintext and adaptive chosen ciphertext attack (KDM-CCA2 security). In this paper, we solve this problem.
First, we show that by applying the Naor-Yung “double encryption”
paradigm, one can combine any KDM-CPA secure scheme with any (ordinary) CCA2 secure scheme, along with an appropriate non-interactive
zero-knowledge proof, to obtain a KDM-CCA2 secure scheme. Second,
we give a concrete instantiation that makes use the above KDM-CPA secure scheme of BHHO, along with a generalization of the Cramer-Shoup
CCA2 secure encryption scheme, and recently developed pairing-based
NIZK proof systems. This instantiation increases the complexity of the
BHHO scheme by just a small constant factor.
1
Introduction
Encryption is the oldest cryptographic primitive; indeed, cryptography used to
be synonymous with encryption. Despite this, the right definition for the security of encryption schemes has still not been settled! The first formal definition
of security for public key encryption was that of semantic security [17], which,
loosely speaking, states that given an encryption of a message an adversary cannot learn any information about the message itself. As it turned out, this notion
of security does not offer sufficient protection for most practical applications [6],
as it does not take into account that an adversary could learn (partial information about) some plaintext when he has access to a decryption oracle. The
subsequent stronger notion of security against chosen ciphertext attacks (CCA2
security [31]) takes this into consideration and gives an adversary access to a
A. Joux (Ed.): EUROCRYPT 2009, LNCS 5479, pp. 351–368, 2009.
c International Association for Cryptologic Research 2009
�
�352
J. Camenisch, N. Chandran, and V. Shoup
decryption oracle that will decrypt any ciphertext except a particular “challenge
ciphertext”. CCA2 security was considered the final answer with regard to the
security of public key encryption schemes.
However, none of the above notions of security allow an adversary to obtain
encryptions of secret keys or, more generally, functions of secret keys. Black,
Rogaway, and Shrimpton formally defined such a notion, calling it Key Dependent Message (KDM) security [5]. A similar notion, called circular security, was
earlier defined by Camenisch and Lysyanskaya [11] and used to prevent sharing
of credentials. Both papers provided constructions in the random oracle model.
Without resorting to the use of random oracles, constructing a public key
encryption scheme (practical or not) that is semantically secure against key dependent chosen plaintext attack (KDM-CPA) was a long-standing open problem.
It was only recently that Boneh et al. [9] gave a construction of a KDM-CPA
secure public key encryption scheme. They proved their scheme secure under
the Decisional Diffie-Hellman (DDH) assumption. We will refer to their scheme
as the BHHO scheme, which extends to obtain KDM-CPA security under the
more general K-linear assumption [36,27] (which includes the DDH assumption
for K = 1 and the DLIN assumption [8] for K = 2). However, Boneh et al. left
as an open problem the construction of an encryption scheme that is simultaneously secure against key dependent chosen plaintext and chosen ciphertext
attack (KDM-CCA2).
Our Contribution. In this paper, we solve this problem by constructing the first
KDM-CCA2 secure public key encryption scheme that can be proved secure
under standard assumptions, and without random oracles. In fact, we show that
a variation of the Naor-Yung paradigm [30] allows one to combine any KDMCPA secure encryption scheme and any regular CCA2 secure encryption scheme,
together with a non-interactive zero knowledge (NIZK) proof [7], to obtain a
KDM-CCA2 secure encryption scheme.
Moreover, we give a nearly practical instantiation of our general construction
using the BBHO KDM-CPA scheme, a K-linear version [14,36,23] of the CramerShoup [13] CCA2 scheme, and recently developed pairing-based NIZK proof
systems [19,18,20]. In the BHHO scheme, a ciphertext is a couple of hundred
group elements and our construction blows this up only be a small constant factor
(two or three, depending on the cryptographic assumption one employs). For our
construction, we need a pairing e : G × Γ → GT , and we prove security under
the K-linear assumption in G and the L-linear assumption in Γ , for appropriate
constants K and L (and we also need a collision-resistant hash function).
Motivational Example: Key-Wrap. The “key-wrap” problem motivates the need
for KDM-CCA2 secure encryption in practice. The key-wrap mechanism is found,
for instance, in cryptographic coprocessors such as IBM’s Common Cryptographic
Architecture [25] and RSA’s Public Key Cryptographic Standards [33]. Cryptographic coprocessors are tamper-proof hardware tokens that process requests from
applications to perform cryptographic tasks such as encryption, signing and so on.
One can view these tokens as trusted hardware that stores keys of all users in the
�A Public Key Encryption Scheme Secure against Key Dependent
353
system. When an application (or user) wishes to perform a cryptographic task, it
authenticates itself to the token and the token processes the request. For the purpose of creating backup of data or to transport keys from one token to another, it is
often desired to encrypt keys (also known as “key wrapping”). Naturally, when we
encrypt private keys with other keys it might lead to a circularity. In other words,
an adversary might get to see an encryption of a secret key sk 1 with public key pk 2
as well as an encryption of a secret key sk 2 with public key pk 1 (such circularity
can in general be more complicated). Although one can circumvent this problem by
maintaining a hierarchy of keys and/or by maintaining separate keys for the purpose of wrapping other keys, this is not always convenient or possible. In addition,
since the hardware token performs decryption, an adversary may effectively have
access to a decryption oracle.
Labeled Encryption. In many applications in which one uses a CCA2 secure encryption scheme, the notion of a label is very useful. Very briefly, a label consists
of public data which is non-malleably attached to a ciphertext. In effect, it allows the encryptor to control the context in which a ciphertext is decrypted. This
notion has been around for a long time, under various names, e.g., “indicator”,
“tag”, “header”, “associated data” [28,38,37,12,29,26,32]. While one can always
implement the label mechanism by appending the label to the plaintext, this is
often not the most practical way to achieve this.
Coming back to the key-wrap problem, a label may be used to describe the
type of message being encrypted: if it encrypts a key, who the key belongs to, etc.
When the hardware token decrypts a ciphertext labeled as a key, it can restrict
the usage of the decrypted key; in particular, the token can ensure that such a
key is only used within the token in appropriate ways (e.g., decryption, further
key-wrap). Even if a token restricts the usage in this way, an adversary may
attempt a chosen ciphertext attack by submitting an encryption of a key that
actually belongs to Alice, and make it look like it belongs to Bob; moreover,
perhaps the adversary is authorized to decrypt ciphertexts under Bob’s key,
which in effect allows him to decrypt ciphertexts encrypted under Alice’s key.
However, if labels are used as described above, CCA2 security will prevent such
attacks from succeeding.
Because of their utility, we include labels in our definition of KDM-CCA2 security, and implement them in our construction. Moreover, we exploit the label mechanism for plain CCA2 encryption in our general construction to bind together the
two ciphertexts and NIZK proof of the Naor-Yung paradigm. In particular, we shall
see that the CCA2 encryption scheme we use directly support labels in a way that
interacts very nicely with pairing-based NIZK techniques, leading to a conceptually simple and quite efficient concrete instantiation of our general construction.
Another use of labels is to enlarge the message space of a CCA2 encryption
scheme: to encrypt a sequence of messages as a package, one can generate a
key pair for a strongly secure one-time signature scheme, and then encrypt each
message in the sequence using the verification key as a label, and then signing
the whole sequence of ciphertexts. This application is convenient for us, because
the BHHO scheme can only encrypt one bit of a secret key at a time.
�354
J. Camenisch, N. Chandran, and V. Shoup
Other related work. Backes, Pfitzmann and Scedrov [2] and Backes, Dürmuth
and Unruh [1] considered KDM-CCA2 security of symmetric and asymmetric
encryption schemes, respectively. They in fact define a notion of security stronger
than we consider in our paper, by allowing the adversary to obtain some of the
secret keys. They showed that RSA-OAEP ([4]) is secure in this sense in the
random oracle model.
Halevi and Krawczyk [22] studied key-dependent message security (under the
name key-dependent input (KDI) security) with respect to primitives such as
pseudo-random functions (PRFs) and block ciphers. They showed that in the idealcipher model, KDI secure PRFs can be built if one restricts the functions of the key
to be independent of the ideal-cipher. Further, they showed that this goal cannot
be achieved in the standard model. On the positive side, they show that if one allows the PRF construction to depend on a fixed public value, but does not allow
the function of the key to depend on this value, then KDI secure PRFs can be constructed in the standard model. Hofheinz and Unruh [24], constructed a symmetric
key encryption scheme that achieves KDM-CPA security when an adversary can
only make a bounded number of encryptions. Haitner and Holenstein [21] proved
negative results for KDM-CPA security of encryption schemes when an adversary
can query encryptions of specific functions of the secret key.
Outline of the paper. In §2, we give and discuss the definitions of KDM-CCA2,
NIZK proofs, and strong one-time signatures, i.e., the ingredients of our generic
construction, which is presented in §3.
In §4, we present concrete instantiations of our building blocks: We recall
the BHHO KDM-CPA encryption scheme, the K-linear version of the CramerShoup CCA2 encryption scheme, and Groth’s strongly secure one-time signature
scheme. As a service to the reader, we give a self-contained exposition of a simplified version of the NIZK proof system of Groth and Sahai [20] as it applies to
linear equations over a group. This allows us to completely describe the instantiation of our construction and analyze its complexity.
In the full version of the paper [10], we discuss an alternative construction
of KDM-CCA2 encryption that uses a CPA secure encryption scheme instead
of a CCA2 secure encryption scheme but requires an NIZK proof system that
provides (unbounded) simulation soundness [34,35]. In the full paper, we also
show how to make the general NIZK proofs of [20] (unbounded) simulation
sound, given a CCA2 secure encryption scheme that supports ciphertexts with
labels, which again illustrates the power labels.
2
2.1
Preliminaries
Notation
When we say that an algorithm is efficient, we mean that the algorithm runs
in probabilistic polynomial time in the security parameter. All our algorithms
and functions take as input an implicit security parameter. When we say that
a function is negligible, we mean that it is negligible in the implicit security
parameter. Let a�b denote the concatenation of string a with string b.
�A Public Key Encryption Scheme Secure against Key Dependent
2.2
355
Definition of KDM-CCA2 Security
Let E be a public key encryption system that supports ciphertexts with labels, which consists of three (probabilistic) efficient algorithms EncKeyGen, E
and D. EncKeyGen is a randomized key generation algorithm, that outputs a
public key/secret key pair (pk , sk ). The algorithm E takes as input a message
m (from the message space M), a public key pk and a label ℓ, and outputs a
ciphertext c := E(pk , m, ℓ). When we need to explicitly refer to the randomness in the encryption, we shall refer to an encryption of a message m with
randomness r by E(pk , m, ℓ; r). The decryption algorithm D takes as input a
secret key sk , a ciphertext c, and a label ℓ, and either outputs a message m
or reject. The (perfect) correctness condition is that (with probability one)
D(sk , E(pk , m, ℓ), ℓ) = m for all messages m, labels ℓ and (pk , sk ) pairs output
by EncKeyGen.
When we use a public key encryption scheme E that does not support labels, we refer to the encryption and decryption algorithms of such a scheme by
E(pk, m) and D(sk, c), respectively.
We extend the definition of key dependent message security from Black et
al. [5] to the notion of security against chosen ciphertext attack ([30,31,15]).
We will note that the standard definitions of public key encryption security are
specific instances of this definition.
Let S denote the space of secret keys output by EncKeyGen. As in [22] and [9],
key-dependence is defined with respect to a fixed set of functions C. Let n > 0
be an integer and let C be a finite set of functions C := {f : S n → M}. KDMsecurity is defined with respect to C through the following two experiments
between a challenger and an adversary A. Let d ∈ M be a fixed (dummy)
message in M. Experiment b (where b = 0, 1) is defined as follows:
1. Initialization phase: In both experiments the challenger runs EncKeyGen()
n times and obtains n key pairs (pk 1 , sk 1 ), (pk 2 , sk 2 ), · · · , (pk n , sk n ). It sends
the vector (pk 1 , pk 2 , · · · , pk n ) to A.
2. Query phase: In both experiments, A may adaptively make the following
two types of queries to the challenger.
(a) Encryption queries: A can make a query of the form (i, f, ℓ), where
1 ≤ i ≤ n, f ∈ C and ℓ is a label. The challenger responds by setting
m := f (sk 1 , sk 2 , · · · , sk n ) ∈ M.
In Experiment b = 0, it sets c := E(pk i , m, ℓ).
In Experiment b = 1, it sets c := E(pk i , d, ℓ).
In both experiments, the challenger sends c to A.
When the adversary A submits (i, f, ℓ) as an encryption query and the
response of the challenger is c, we call (i, c, ℓ) a target tuple.
(b) Decryption queries: In both experiments, A can make a query of the
form (i, c, ℓ), where 1 ≤ i ≤ n, c is a string to be decrypted using secret
key sk i and ℓ is a label. The only restriction is that (i, c, ℓ) cannot be
a (previous) target tuple. Note that c might not necessarily be a valid
�356
J. Camenisch, N. Chandran, and V. Shoup
ciphertext. That is, c might not be an output of E(pk j , m, ℓ) for some
1 ≤ j ≤ n, m ∈ M and ℓ.
In both experiments, the challenger responds with D(sk i , c, ℓ).
3. Final phase: Finally, the adversary outputs a bit b′ ∈ {0, 1}.
Definition 1 (KDM-CCA2). �A �public
scheme E is KDM��
� key� encryption
CCA2 secure with respect to C if �Pr W0 − Pr W1 � is negligible for all efficient
adversaries A, where Wb is the event that A outputs b′ = 1 in Experiment b.
Note that the standard security definitions for public key encryption can be
viewed as specific instances of the above general definition.
KDM-CPA: By restricting A from making any decryption queries, we get the
definition of key-dependent message semantic security (KDM-CPA) as defined in [9].
CCA2: When we restrict the set of functions C from which A can draw f to
the set of all constant functions on S n → M, we get the experiment for
multiple message, multiple key CCA2 security, which is equivalent to the
standard CCA2 security for a single message and single key (see [3]). If
we further restrict A from making any decryption queries, we obtain the
standard definition for semantic security (also see [3]).
Also note that, unlike regular CPA and CCA2 security, for both KDM-CPA and
KDM-CCA2 security, one cannot reduce the attack game to a single encryption
query and a single key pair.
We note that the definition of security by Backes et al. [1] is somewhat stronger
in that it allows the adversary to obtain some secret keys. To benefit from this in
practice, the users need to carefully keep track of which keys were compromised,
and which keys are related to each other via key-wrap. In contrast, our definition
pessimistically assumes that if one key is compromised then all potentially related
keys should be considered compromised as well—which is probably more realistic.
2.3
Non-interactive Zero-Knowledge Proofs
Let R be a binary relation that is efficiently computable. For pairs of the form
(x, w) ∈ R, x is referred to as the statement and w as the witness. Let L := {x :
(x, w) ∈ R for some w}.
A non-interactive proof system for R consists of the following efficient algorithms: a common reference string (CRS) generation algorithm CRSGen, a prover
P, and a verifier V. The CRSGen algorithm outputs the CRS denoted by C. P
takes as input C, statement x, and witness w. It produces a proof p if (x, w) ∈ R
and outputs failure otherwise. V takes as input C, x, and p. V outputs accept
if it accepts the proof and reject otherwise.
Definition 2 (NIZK[7,16]). (CRSGen, P, V) is a non-interactive zeroknowledge (NIZK) proof system for R if it has the following properties described
below:
�A Public Key Encryption Scheme Secure against Key Dependent
357
Perfect Completeness: For all C output by CRSGen(), for all (x, w) ∈ R, and
for all p := P(C, x, w), Pr[V(C, x, p) outputs reject] = 0.
Computational Soundness: Consider the following game:
1. CRSGen() is run to obtain C, which is given to the adversary A.
2. A responds with (x, p).
A wins the game if V(C, x, p) = accept and x ∈
/ L. Let W be the event that A
wins the game. Then, for all efficient adversaries A, we have Pr[W ] is negligible.
Computational Zero-knowledge: Let S := (S1 , S2 ) be a simulator running in polynomial time. Consider the following two experiments:
Experiment 0: CRSGen() is run and the output C is given to A. A is then
given oracle access to P(C, ·, ·).
Experiment 1: S1 () generates C and trapdoor t. A is given C, and is then given
oracle access to S′ (C, t, ·, ·), where S′ (C, t, x, w) is defined to be S2 (C, t, x) if
(x, w) ∈ R and failure if (x, w) ∈
/ R.
Let Wi be the event that A outputs 1� in Experiment i,� for i = 0 or 1. Then, for
all efficient adversaries A, we have �Pr[W0 ] − Pr[W1 ]� is negligible.
Note that Blum et al. [7] give a weaker, “one time” definition of computational
zero-knowledge, in which the adversary is allowed to see only one fake proof.
However, because we cannot reduce KDM-security to an attack game with a
single encryption query, this is insufficient for our purposes.
2.4
Strongly Secure One-Time Signatures
We also require a strongly secure one-time signature scheme. This is a signature
scheme that satisfies the following security property: after obtaining the verification key and a signature s on any message m of its choice, it is infeasible for
an efficient adversary to generate any valid signature s∗ on any message m∗ with
(s∗ , m∗ ) �= (s, m). See [10] for a more formal definition.
3
Generic Construction of a KDM-CCA2 Secure Scheme
In this section, we give a generic construction of KDM-CCA2 secure public
key encryption scheme E with respect to a set of functions C. We require the
following building blocks: a public key encryption scheme Ekdm that is KDMCPA secure with respect to the set of functions C; a regular CCA2 secure public
key encryption scheme Ecca that supports ciphertexts with labels; an NIZK proof
system P for the language Leq consisting of the set of all pairs of ciphertexts that
encrypt the same message using Ekdm and Ecca ; and a strongly secure one-time
signature scheme S.
�358
J. Camenisch, N. Chandran, and V. Shoup
At a high level, E is similar to the construction of [30,15]. To encrypt a message
m, we generate a key-pair for the scheme S, encrypt m using both Ekdm and Ecca ,
where the label for Ecca will contain the verification key generated above (along
with any input label). Using P, we give a proof that both ciphertexts contain
the same plaintext. We then sign the two ciphertexts as well as the proof using
S. The final ciphertext consists of the verification key, the two ciphertexts, the
proof, and the signature.
3.1
Construction
We now formally describe the scheme E := (EncKeyGen, E, D) in detail. Let
Ekdm := (EncKeyGenkdm , Ekdm , Dkdm ) (with key pair (pk kdm , sk kdm )) and let
Ecca := (EncKeyGencca , Ecca , Dcca ) (with key pair (pk cca , sk cca )). Let S :=
(SignKeyGen, Sign, Verify). Let Leq be the set of all triples (c1 , c2 , ℓ) such that
∃ m, r1 , r2 : c1 = Ekdm (pkkdm , m; r1 ) ∧ c2 = Ecca (pkcca , m, ℓ; r2 ).
Let P := (CRSGen, P, V) be an NIZK proof system for Leq . Note that there
maybe be common system parameters that are used to define Ekdm , Ecca , and
P, and these are input to all associated algorithms. The encryption scheme E
comprises of the following three algorithms.
EncKeyGen():
1. Run EncKeyGenkdm () and EncKeyGencca () to obtain key pairs
(pk kdm , sk kdm ) and (pk cca , sk cca ), respectively.
2. Run CRSGen() to generate the CRS C of the NIZK proof system P.
The public key is pk := (pk kdm , pk cca , C). The secret key is sk := sk kdm .
E(pk , m, ℓ):
1. Let ckdm := Ekdm (pk kdm , m; rkdm ).
2. Run SignKeyGen() to generate key pair (VK ots , SK ots ).
3. Let ccca := Ecca (pk cca , m, ℓ�VK ots ; rcca ).
4. Let p be the NIZK proof (using P) for (ckdm , ccca , ℓ�VK ots ) ∈ Leq .
5. Let c′ := ckdm �ccca �p and let s := SignSK ots (c′ ).
Then E(pk , m, ℓ) := ckdm �ccca�p�VK ots �s.
D(sk , c, ℓ): Parse c as ckdm �ccca �p�VK ots �s (and output reject if this
fails). Output reject if either VerifyVK ots (ckdm �ccca �p, s) = reject or
V(C, (ckdm , ccca , ℓ�VK ots ), p) = reject; otherwise, output Dkdm (sk , ckdm ).
The (perfect) correctness of the public key encryption scheme E trivially follows from the (perfect) correctness of the scheme Ekdm , (perfect) completeness
of the proof system P, and the (perfect) correctness of the signature scheme S.
3.2
Proof of Security
Theorem 1. Let Ekdm be a KDM-CPA secure scheme with respect to the set of
functions C. Let Ecca be a CCA2 secure scheme, S a strong one-time signature
scheme, and P an NIZK proof system for Leq . Then E, as constructed above, is
a KDM-CCA2 secure scheme with respect to C.
�A Public Key Encryption Scheme Secure against Key Dependent
359
Proof. The proof is through a sequence of games. We first present a schematic
description of the sequence of games used to prove that E is KDM-CCA2 secure.
The underlined parts indicate what has changed in each game.
Game Process encrypt query Process decrypt query
0 enc. (m, m); real p
dec. ckdm
1 enc. (m, m); real p
dec. ccca
dec. ccca
2 enc. (m, m); fake p
3 enc. (m, m); fake p
dec. ccca ; special reject
4 enc. (m, d); fake p
dec. ccca ; special reject
dec. ccca ; no special reject
5 enc. (m, d); fake p
6 enc. (d, d); fake p
dec. ccca
dec. ccca
7 enc. (d, d); real p
8 enc. (d, d); real p
dec. ckdm
justification
soundness for P
ZK for P
strong one-time sig. S
CCA2 for Ecca
strong one-time sig. S
KDM-CPA for Ekdm
ZK for P
soundness for P
The sequence of games involving the challenger Ch and adversary A are more
formally described below. Let Wi be the event that A outputs 1 in Game i.
Game 0: This is the actual attack game, i.e., Experiment 0 in Definition 1.
When responding to an encryption query, Ch encrypts the actual message
m using both encryption schemes. The label for Ecca additionally contains
VK ots which Ch picks using SignKeyGen(). Ch gives a real proof p that both
encryptions contain the same message. It produces the signature s using
SK ots .
Game 1: This game is exactly like Game 0, except that when responding to
a decryption query, Ch decrypts using secret key sk cca �instead of sk kdm .� It
follows from the soundness of the proof system P that �Pr[W1 ] − Pr[W0 ]� is
negligible.
Game 2: This game is exactly like Game 1, except that when responding to
an encryption query, Ch gives a simulated proof p (using the trapdoor of
the proof system) instead
of a real proof.
It follows from the zero-knowledge
�
�
property of P that �Pr[W2 ] − Pr[W1 ]� is negligible.
Game 3: This game is exactly like Game 2, except that when responding to a decryption query of the form (i, c, ℓ) from A such that c =
ckdm �ccca �p�VK ots �s, Ch first checks if there exists a target tuple of the
form (i, c∗ , ℓ), with c∗ = c∗kdm �ccca �p∗ �VK ots �s∗ for some c∗kdm , p∗ and s∗ . If
this is the case, then let c∗ be the first such response by Ch. Now if c∗ �= c,
then Ch rejects the encryption query. We call this the special rejection rule.
It follows from the strong one-time security of the signature scheme S that
Ch rejects
via the special
�
� rejection rule only with negligible probability and
hence �Pr[W3 ] − Pr[W2 ]� is negligible.
In Game 3, Ch never decrypts a ciphertext that was contained in a target tuple
using skcca . We can therefore make use of the CCA2 security of Ecca .
Game 4: This game is exactly like Game 3, except that when responding to
an encryption query, Ch encrypts the dummy message d using Ecca but still
encrypts the �actual message m�using Ekdm . It follows from the CCA2 security
of Ecca that �Pr[W4 ] − Pr[W3 ]� is negligible.
�360
J. Camenisch, N. Chandran, and V. Shoup
Game 5: This game is exactly like Game 4, except that when responding to a
decryption query, Ch no longer follows the special rejection rule that was defined in Game 3.� It follows from the
� strong one-time security of the signature
scheme S, that �Pr[W5 ] − Pr[W4 ]� is negligible.
Game 6: This game is exactly like Game 5, except that when responding to an
encryption query, Ch encrypts the dummy message d using both encryption
�
�
schemes.
� It follows from the KDM-CPA security of Ekdm that Pr[W6 ] −
Pr[W5 ]� is negligible.
Game 7: This game is exactly like Game 6, except that when responding to
an encryption query, Ch gives a real proof p that both encryptions contain
the
� same message.
� It follows from the zero-knowledge property of P that
�Pr[W7 ] − Pr[W6 ]� is negligible.
Game 8: This game is exactly like Game 7, except that when responding to
a decryption query, Ch decrypts using secret key sk kdm� instead of sk cca .� It
follows from the soundness of the proof system P that �Pr[W8 ] − Pr[W7 ]� is
negligible. Game 8 is Experiment 1 in Definition 1.
�
�
Combining the different games, we get that �Pr[W8 ]−Pr[W0 ]� is negligible, which
proves Theorem 1. A more detailed proof can be found in [10].
�
Note that we used the computational soundness property of the proof system P
only in Games 1 and 8 and in both these games, Ch only gave real proofs for
true statements. Hence “plain” soundness of P is sufficient and we do not require
the proof system to be simulation sound ([34]). In the definition of KDM-CCA2
security, one cannot reduce the attack game to a single encryption query and a
single public key. Therefore, one-time zero-knowledge (see remark after Definition 2) would not be sufficient for our proof (one-time zero-knowledge does not
imply multi-proof zero-knowledge). However, note that CCA2 security is sufficient, as the “single instance” definition implies the “multi-instance” definition
(see remark after Definition 1).
4
Specific Number-Theoretic Instantiation of a
KDM-CCA2 Secure Scheme
In this section, we give specific efficient instantiations of the building blocks
used to construct the generic scheme presented in §3. We introduce notation
and the number-theoretic assumptions in §4.1. In §4.2, we describe the KDMCPA scheme of Boneh et al. [9], while in §4.3, we describe the K-linear version
of the Cramer-Shoup CCA2 encryption scheme that we need. In §4.4 and §4.5,
we describe the NIZK proof system used to prove equality of plaintexts. We use
the efficient strongly one-time signature scheme of Groth [18] (which we describe
in §4.6), to complete our instantiation of a KDM-CCA2 secure scheme. In §4.7,
we discuss the size of the public key, system parameters, and ciphertext of our
encryption scheme.
�A Public Key Encryption Scheme Secure against Key Dependent
4.1
361
General Notation and Assumptions
Let G be a group of prime order q. We shall write G using multiplicative notation.
One naturally views G as a vector space over Zq , where for x ∈ Zq and g ∈ G,
the “scalar product” of x and g is really the power gx . Because of this, we shall
often employ concepts and terminology from linear algebra.
For vectors �g := (g1 , . . . , gR ) ∈ GR and �x := (x1 , . . . , xR ) ∈ ZR
q , define
�K
x1
xR
R
�g, �x := g1 . · · · . gR ∈ G. When we write i=1 �gi ∈ G for vectors �gi ∈ GR ,
we mean the component wise product of each of the R terms. Unless otherwise
specified, there is no a priori relation between g, �g, gi and g�i .
Definition 3 (K-linear assumption [36,27]). Let G be a group of prime
order q. For a constant K ≥ 1, the K-linear assumption in G is defined through
the following two experiments (0 and 1) between a challenger and an adversary
A that outputs 0 or 1.
Experiment 0: The challenger picks K + 1 random generators�of G:
K
g1 , g2 , . . . , gK+1 , picks random x1 , . . . , xK ∈ Zq and sets xK+1 = i=1 xi .
xK+1
x1
x2
A is given (g1 , g2 , . . . , gK+1 , g1 , g2 , . . . , gK+1 ) as input.
Experiment 1: The challenger picks K + 1 random generators of G:
g1 , g2 , . . . , gK+1 and picks random x1 , x2 , . . . , xK+1 ∈ Zq . A is given
xK+1
(g1 , g2 , . . . , gK+1 , g1x1 , g2x2 , . . . , gK+1
) as input.
� � �
The
assumption holds in G if for all efficient adversaries A, �Pr W0 −
��
� K-linear
Pr W1 � is negligible, where Wi is the event that A outputs 1 in Experiment i.
Another way to understand the K-linear assumption is as follows. Let us define group vectors �g1 , . . . , �gK ∈ GK+1 : �g1 := (g1 , 1, 1, . . . , 1, gK+1 ), �g2 :=
(1, g2 , 1, . . . , 1, gK+1 ), . . . , �gK := (1, 1, . . . , 1, gK , gK+1 ). Let T denote the subspace of GK+1 generated by �g1 , . . . , �gK . The K-linear assumption says that it
is hard to distinguish random elements of T from random elements of GK+1 .
Note that the standard Decisional Diffie-Hellman (DDH) assumption is the 1linear assumption and the linear assumption (introduced in [8]) is the 2-linear
assumption.
Pairings. Let G, Γ and GT be groups of prime order q. We shall use Roman
letters to denote elements in G and Greek letters to denote elements in Γ . A
pairing is a map e : G × Γ → GT that satisfies the following properties: (1) e is
bilinear, which means that for all a ∈ G and α ∈ Γ , the maps e(a, ·) : Γ → GT
and e(·, α) : G → GT are linear maps; (2) e is non-degenerate, which means that
its image is not {1}; and (3) e is efficiently computable.
4.2
KDM-CPA Secure Scheme Based on the K-Linear Assumption
In this section, we describe the public key encryption scheme of Boneh et
al. [9] based on the K-linear assumption. Let N := ⌈(K + 2) log2 q⌉. Ekdm =
(EncKeyGenkdm , Ekdm , Dkdm ) is as described below. The message space of this
scheme is the group G.
�362
J. Camenisch, N. Chandran, and V. Shoup
EncKeyGenkdm :
1. Pick random �g1 , . . . , �gK ∈ GN .
2. Pick random �s ∈ {0, 1}N .
3. Define hi := �gi , �s ∈ G for i = 1, . . . , K.
4. Output the secret key sk kdm := �s and the public key
pk kdm := (�g1 , . . . , �gK , h1 , . . . , hK ).
Ekdm (pk kdm , m):
1. Pick random r1 , . . . , rK ∈ Zq .
��K
�
�K
2. Output the ciphertext (�g, h) :=
giri , m · i=1 hri i ∈ GN × G.
i=1 �
Dkdm (sk kdm , (�g, h)): Output m := h/ �g, �s .
Note that the ith bit si of the secret key �s is encoded for the purpose of
encryption as gsi for some random (but fixed) g ∈ G.
The key space (of encoded secret keys) is GN . Define a function f�t,b : GnN →
and b ∈ G to be the map f�t,b (�u) := �u, �t · b. Let C be the
G for fixed �t ∈ ZnN
q
set of all functions f�t,b for all values of �t ∈ ZnN
and b ∈ G. Ekdm is KDM-CPA
q
secure with respect to the set of functions C [9].
Note that [9] explicitly describes the above scheme in the case K = 1, and
only briefly mentions its generalization to K > 1 (the explicit description of
which has been obtained from the authors of [9] via personal communication).
4.3
CCA2 Secure Scheme Based on the K-Linear Assumption
In this section, we describe a generalized version of the Cramer-Shoup encryption
scheme based on the K-linear assumption. This generalization was described
in [23] and [36]. However, given the K-linear decision problem, this scheme is
essentially already implicit in [14] (based on Theorems 2 and 3, along with
Example 1 in §7.4, of the full length version of that paper). This scheme is CCA2
secure and supports ciphertexts with labels. Ecca = (EncKeyGencca , Ecca , Dcca )
is as described below. The message space of this scheme is the group G, and the
label space is {0, 1}∗.
EncKeyGencca :
1. Pick random f1 , . . . , fK+1 ∈ G.
2. Pick random �x, �y, �z ∈ ZK+1
.
q
3. Define the following elements of GK+1 : �f1 := (f1 , 1, 1, . . . , 1, fK+1 ) , �f2 :=
(1, f2 , 1, . . . , 1, fK+1 ) , . . . , �fK := (1, 1, . . . , 1, fK , fK+1 ).
4. Define the following elements of G: ci := �fi , �x , di := �fi , �y , ei :=
�fi , �z (i = 1, . . . , K).
5. Output
the secret key sk cca := (�x�, �y , �z ) and the public key pk cca :=
�
K
K
K
{fj }K+1
j=1 , {ci }i=1 , {di }i=1 , {ei }i=1 .
Ecca (pk cca , m, ℓ):
1. Pick random w1 , . . . , wK ∈ Zq .
�A Public Key Encryption Scheme Secure against Key Dependent
363
�
��K wi
�K wi �K
t wi
�
∈ GK+1 ×
2. Compute (�f , a, b) :=
i=1 (di ei )
i=1 fi , m· i=1 ci ,
G × G, where t := H(�f , a, ℓ) ∈ Zq and H is a collision resistant hash
function. Output the ciphertext is (�f , a, b).
Dcca (sk cca , (�f , a, b), ℓ):
1. Verify that b = �f , �y + t�z .
2. Output m := �a/ �f , �x .
Note that the schemes in [14,36,23] do not explicitly support labels; however,
the proof of security immediately generalizes to allow this, provided one assumes
(as we do) that H is collision resistant.
4.4
NIZK Proofs for Satisfiable Systems of Linear Equations over
Groups
In this section, we describe the NIZK proofs for proving that a system of linear
equations over a group is satisfiable. These proofs are derived from Groth and
Sahai [20]. The paper [20] deals with much more general systems of equations; for
many applications, such as ours, we only need linear equations. For completeness,
and concreteness, we describe how the methods of [20] apply to this setting. Our
exposition is self contained, but brief.
Let G be a group
�W ofX prime order q. A linear equation over G is an equation of
the form g0 = j=1 gj j , where g0 , g1 , . . . , gW ∈ G are constants and X1 , . . . , XW
are variables. An assignment to the variables is a tuple (x1 , . . . , xW ) ∈ ZW
q , and
�W xj
such an assignment satisfies the equation if g0 = j=1 gj . A set S of linear
equations over G is called satisfiable if there exists an assignment to the variables
that simultaneously satisfies each equation in S.
Let Llsat be the language of all satisfiable sets of linear equations over G.
A witness for membership in Llsat is a satisfying assignment. Our goal is to
construct an efficient NIZK proof system for Llsat .
Our proof system for Llsat requires a pairing e : G×Γ → GT , where Γ and GT
are also groups of order q. In addition, we need to make the L-linear assumption
in Γ , for some constant L (typically, L is a small constant like 1 or 2, depending
on the assumption we make).
– The CRS generator works as follows:
1. Pick random γ1 , . . . , γL+1 ∈ Γ .
2. Define the following elements of Γ L+1 : �γ1 := (γ1 , 1, . . . , 1, γL+1 ), �γ2 :=
(1, γ2 , . . . , 1, γL+1 ), . . . , �γL := (1, 1, . . . , γL , γL+1 ).
3. Choose �γ ∈ Γ L+1 at random.
4. The common reference string is (γ1 , . . . , γL+1 , �γ ).
– Given a set S of equations, along with a satisfying assignment (x1 , . . . , xW ),
the prover works as follows:
�L
r
1. Commit to x1 , . . . , xW by setting �δj := �γ xj k=1 �γk jk , for j = 1, . . . , W ,
where the rjk ’s are randomly chosen elements of Zq .
�364
J. Camenisch, N. Chandran, and V. Shoup
2. The proof consists of the�commitments �δ1 , . . . , �δW , and, in addition,
Xj
W
for each equation g0 =
j=1 gj in S, the proof contains L corresponding
elements” p1 , . . . , pL ∈ G, which are computed as:
� “proof
rjk
(k = 1, . . . , L).
pk := W
j=1 gj
– To verify such a proof,�
the verifier takes the commitments �δ1 , . . . , �δW , and,
X
W
for each equation g0 = j=1 gj j in S, takes the corresponding proof elements
p1 , . . . , pL , and checks that
L
W
E(gj , �δj ) = E(g0 , �γ )
j=1
E(pk , �γk ).
(1)
k=1
is the biliear map that sends (g, (α1 , . . . , αL+1 ))
Here, E : G×Γ L+1 → GL+1
T
to (e(g, α1 ), . . . , e(g, αL+1 )).
The CRS contains 2(L + 1) elements of Γ , and a proof consists of W (L + 1) elements of Γ (for the commitments) and |S|L elements of G (for the proof elements).
We now show that the above proof system has perfect completeness, (statistical) soundness, and computational zero-knowledge.
Perfect completeness. To argue perfect completeness, using bilinearity, one
checks by a simple calculation that for any satisfying assignment (x1 , . . . , xW ),
and for any choice of the rjk ’s, equation (1) will always be satisfied.
Soundness. A simple fact that will be useful in proving both the soundness and
zero-knowledge property is the following, which the reader can easily verify using
bilinearity:
�R ∈ Γ L+1 are linearly independent, then the map
Lemma 1. If β�1 , . . . , β
�1 ) · · · E(hR , β
�R )
(h1 , . . . , hR ) �→ E(h1 , β
is an injective linear map from GR into GL+1
T .
To prove soundness, note that with overwhelming probability, the vectors
�γ , �γ1 , . . . , �γL form a basis for Γ L+1 . Suppose a proof contains commitments
�δ1 , . . . , �δW ∈ Γ L+1 . Regardless of how these commitments were actually com�L
r
puted, each �δj can be expressed uniquely as �δj = �γ xj k=1 �γk jk for some
� W Xj
xj , rj1 , . . . , rjL ∈ Zq . Now consider any particular equation g0∗ =
gj ,
�W j=1
xj
∗
∗
and
and corresponding proof elements p1 , . . . , pL . Define g0 :=
j=1 gj
�W rjk
for k = 1, . . . , L, using the xj ’s and rjk ’s determined
pk :=
j=1 gj
as above
by
the
commitments.
On�the one hand, by perfect completeness, we
�W
L
have j=1 E(gj , �δj ) = E(g0 , �γ ) k=1 E(pk , �γk ). On the other hand, if the
verification equation (1) holds for the given equation and proof elements, then
�L
�W
we also must have j=1 E(gj , �δj ) = E(g0∗ , �γ ) k=1 E(p∗k , �γk ). Thus, we have
�L
�L
E(g0 , �γ ) k=1 E(pk , �γk ) = E(g0∗ , �γ ) k=1 E(p∗k , �γk ). Applying Lemma 1 to the
linearly independent vectors �γ , �γ1 , . . . , �γL , we conclude that g0 = g0∗ (and in fact,
pk = p∗k for k = 1, . . . , L). It follows that if the proof verifies, then the assignment
x1 , . . . , xW determined by the commitments simultaneously satisfies all the given
equations.
�A Public Key Encryption Scheme Secure against Key Dependent
365
Zero Knowledge. The simulator generates a�“fake CRS” as follows: it geners
L
ates �γ1 , . . . , �γL as usual, but it computes �γ as k=1 �γj j for random s1 , . . . , sL ∈
Zq . The trapdoor for the fake CRS is (s1 , . . . , sL ).
In a fake CRS, �γ1 , . . . , �γL are linearly independent (with overwhelming probability), while �γ is a random element of the subspace V generated by �γ1 , . . . , �γL .
To simulate a proof for
set S of linear equations, the simulator
�La satisfiable
r
starts by setting �δj := k=1 �γk jk for random rjk ∈ Zq for j = 1, . . . , W and
�W X
k = 1, . . . , L. For each equation g0 = j=1 gj j in S, the simulator generates
�W r
proof elements p1 , . . . , pL as follows: pk := g0−sk j=1 gj jk (k = 1, . . . , L).
The reader may easily verify, using the bilinearity property, that the verification
equation (1) is satisfied.
We now argue that fake proofs are computationally indistinguishable from
real proofs. To this end, let us introduce a hybrid prover, which works exactly like a real prover, except that it uses a fake CRS. Such hybrid proofs
are computationally indistinguishable from real proofs, under the L-linear assumption for Γ . Moreover, hybrid proofs are statistically indistinguishable from
fake proofs. To see this, observe that with overwhelming probability, �γ1 , . . . , �γL
are linearly independent. Assuming this is true, in both the hybrid and fake
proofs, the distribution of the commitments are the same (uniformly and independently distributed over the subspace V ). Additionally, in both types of
proofs, the proof elements p1 , . . . , pL for a given equation are uniquely determined in the same way by the equation, the commitments, and the CRS; indeed,
both types of provers generate proof elements that satisfy the verification equation (1); moreover, applying Lemma 1 to the vectors �γ1 , . . . , �γL , we see that for
a fixed equation, commitments, and CRS, there exist unique p1 , . . . , pL that
satisfy (1).
4.5
NIZK Proof for Proving Equality of Plaintext
Given a ciphertext of Ekdm (from §4.2) of the form (�g, h) ∈ GN × G and a
ciphertext of Ecca (from §4.3) of the form (�f , a, b) ∈ GK+1 × G × G with respect
to a label ℓ ∈ {0, 1}∗, we want to prove that they are valid encryptions of the
same message. This is
by proving
that there exist�r1 , . . . , rK , w1 , . . . , wK ∈
�K
�done
K
K
Zq such that �g = i=1 �giri , �f = i=1 �fiwi , b = i=1 (di eti )wi , and h/a =
�K ri �K wi
�
i=1 ci , where t := H(f , a, ℓ).
i=1 hi /
This translates into N +(K +1)+1+1 = N +K +3 equations in 2K variables.
Using the proof system above, this means we need (2K)(L + 1) elements of Γ
for commitments, and (N + K + 3)L elements of G for the proofs.
4.6
Strongly Secure One-Time Signature Scheme
Here is the strongly secure one-time signature scheme S from Groth [18]. It
makes use of a group G of prime order q with generator g, and a hash function
H : {0, 1}∗ → Zq . The scheme is secure assuming the hardness of computing
discrete logs in G (which follows from the K-linear assumption) and assuming
H is collision resistant.
�366
J. Camenisch, N. Chandran, and V. Shoup
SignKeyGen: Pick random x, y ∈ Z∗q and r, s ∈ Zq , and set f := gx , h := gy ,
and c := f r hs . The verification key is VK = (f , h, c) and the secret key
SK = (x, y, r, s).
SignSK (m): To sign a message m ∈ {0, 1}∗, pick t at random from Zq . The
signature is s = (t, (x(r − t) + ys − H(m))/y).
VerifyVK (m, s): To verify the signature s = (t, w), check that c = gH(m) f t hw .
4.7
Size of Public Key, System Parameters and Ciphertext
Using the K-linear assumption for G and the L-linear assumption for Γ , the
size of the public key, system parameters and ciphertext are as follows, where
N := ⌈(K + 2) log2 q⌉.
The system parameters consists of the CRS which comprises 2(L+1) elements
of Γ , the descriptions of G, Γ, GT , e and the collision resistant hash function H
for Ecca and S.
The public key of E consists of (N + 1)K elements of G for the public key
pk kdm and 4K+1 elements of G for the public key pk cca , for a total of (N +5)K+1
elements of G.
The two ciphertexts (ckdm and ccca ) require (N + 1) and (K + 3) elements of
G, respectively, giving a total of N + K + 4 elements of G. To prove equality of
plaintexts, we require (2K)(L + 1) elements of Γ for commitments, and (N +
K + 3)L elements of G for the proofs. Finally, to sign the resulting ciphertexts
and proofs using the one-time signature scheme S, we require 3 elements of G
for the verification key VK of S and 2 elements of Zq for the signature.
Note that we can make the public key shorter, by making pk cca as part of
the system parameters; indeed, since the secret key sk cca is not needed (other
than in the proof of security), one can simply generate all of the group elements
appearing in pk cca at random (yielding a distribution that is statistically close
to the real distribution on public keys).
We emphasize that, typically, one would set K = 1, 2 and L = 1, 2, depending
on the groups G and Γ . For example, at one extreme, if G = Γ , then one could
set K = L = 2; at the other extreme, if G �= Γ , and there is no (known)
efficiently computable homomorphism from G to Γ or vice versa, then one could
set K = L = 1.
References
1. Backes, M., Dürmuth, M., Unruh, D.: OAEP is secure under key-dependent messages. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 506–523.
Springer, Heidelberg (2008)
2. Backes, M., Pfitzmann, B., Scedrov, A.: Key-dependent message security under
active attacks - BRSIM/UC-soundness of symbolic encryption with key cycles. In:
CSF, pp. 112–124 (2007)
3. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: Security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000.
LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000)
�A Public Key Encryption Scheme Secure against Key Dependent
367
4. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.)
EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995)
5. Black, J., Rogaway, P., Shrimpton, T.: Encryption-scheme security in the presence
of key-dependent messages. In: Selected Areas in Cryptography, pp. 62–75 (2002)
6. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA
encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS,
vol. 1462, pp. 1–12. Springer, Heidelberg (1998)
7. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: STOC 1988, pp. 103–112 (1988)
8. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.)
CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
9. Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from
decision diffie-hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp.
108–125. Springer, Heidelberg (2008)
10. Camenisch, J., Chandran, N., Shoup, V.: A public key encryption scheme secure
against key dependent chosen plaintext and adaptive chosen ciphertext attacks.
Cryptology ePrint Archive, Report 2008/375 (2008), http://eprint.iacr.org/
11. Camenisch, J.L., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)
12. Camenisch, J.L., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144.
Springer, Heidelberg (2003)
13. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against
adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS,
vol. 1462, pp. 13–25. Springer, Heidelberg (1998)
14. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.)
EUROCRYPT 2002. LNCS, vol. 2332, p. 45. Springer, Heidelberg (2002),
http://eprint.iacr.org/2001/085
15. Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography (extended abstract).
In: STOC 1991, pp. 542–552 (1991)
16. Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs
based on a single random string (extended abstract). In: FOCS 1990, pp. 308–317
(1990)
17. Goldwasser, S., Micali, S.: Probabilistic encryption and how to play mental poker
keeping secret all partial information. In: STOC 1982, pp. 365–377 (1982)
18. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size
group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284,
pp. 444–459. Springer, Heidelberg (2006)
19. Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP.
In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer,
Heidelberg (2006)
20. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In:
Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer,
Heidelberg (2008)
21. Haitner, I., Holenstein, T.: On the (im)possibility of key dependent encryption. In:
TCC 2009 (2009)
22. Halevi, S., Krawczyk, H.: Security under key-dependent inputs. In: CCS 2007: Proceedings of the 14th ACM conference on Computer and communications security,
pp. 466–475. ACM, New York (2007)
�368
J. Camenisch, N. Chandran, and V. Shoup
23. Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation.
In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer,
Heidelberg (2007)
24. Hofheinz, D., Unruh, D.: Towards key-dependent message security in the standard model. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 108–
126. Springer, Heidelberg (2008)
25. IBM. IBM CCA Basic Services Reference and Guide for the IBM 4758 PCI and
IBM 4764 PCI-X Cryptographic Coprocessors: Releases 2.53, 2.54, 3.20, 3.23, 3.24,
3.25, 3.27, and 3.30 (2008)
26. Kiltz, E.: Chosen-ciphertext security from tag-based encryption. In: Halevi, S.,
Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 581–600. Springer, Heidelberg
(2006)
27. Kiltz, E.: Chosen-ciphertext secure key-encapsulation based on gap hashed diffiehellman. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 282–
297. Springer, Heidelberg (2007)
28. Lim, C.H., Lee, P.J.: Another method for attaining security against adaptively
chosen ciphertext attacks. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773,
pp. 420–434. Springer, Heidelberg (1994)
29. MacKenzie, P.D., Reiter, M.K., Yang, K.: Alternatives to non-malleability: Definitions, constructions, and applications. In: Naor, M. (ed.) TCC 2004. LNCS,
vol. 2951, pp. 171–190. Springer, Heidelberg (2004)
30. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC 1990, pp. 427–437 (1990)
31. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and
chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576,
pp. 433–444. Springer, Heidelberg (1992)
32. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390.
Springer, Heidelberg (2006)
33. RSA Laboratories. PKCS #11 v2.20: Cryptographic Token Interface Standard
(2004)
34. Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosenciphertext security. In: FOCS 1999, pp. 543–553 (1999)
35. De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust noninteractive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139,
pp. 566–598. Springer, Heidelberg (2001)
36. Shacham, H.: A Cramer-Shoup encryption scheme from the linear assumption
and from progressively weaker linear variants. Cryptology ePrint Archive, Report
2007/074 (2007), http://eprint.iacr.org/
37. Shoup, V.: A proposal for an ISO standard for public key encryption, version 2.1
(2001), http://shoup.net/papers/
38. Shoup, V., Gennaro, R.: Securing threshold cryptosystems against chosen ciphertext attack. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 1–16.
Springer, Heidelberg (1998)
�
