CCA-security from adaptive all-but-one lossy trapdoor functions

Abstract

In this paper, we propose the notion of adaptive all-but-one lossy trapdoor functions (aABO-LTFs), a variant of all-but-one lossy trapdoor functions. An aABO-LTF is parameterised by a set of branches. Given the lossy branch, the function statistically loses the information of its inputs. Given injective branches, the function is injective, and there is a trapdoor that enables efficient function inversion. What differentiates an aABO-LTF and an ABO-LTF is that for an aABO-LTF, the lossy branch is indistinguishable from the other branches even if the adversary gets to ask for function inversions on any injective branches apart from the lossy branch.We demonstrate the usefulness of the adaptivity of aABO-LTFs by providing generic and efficient constructions of an adaptively chosen-ciphertext secure (CCA-secure) public-key encapsulation mechanism (KEM) and an adaptive deterministic public-key encryption (DPKE) without random oracles using aABO-LTFs in a very simple black-box way. Our constructions are direct in the sense of that it avoids generic transformations using one-time signatures or message authentication codes typically found in standard model CCA-secure constructions.Moreover, we show that aABO-LTFs can be instantiated generically by lossy trapdoor primitives, including lossy trapdoor functions (LTFs) and identity-based (lossy) trapdoor functions (IB-LTFs). We also demonstrate that the lattice-based ABO-LTFs proposed by Alwen et al. (CRYPTO'13) are aABO-LTFs. Several existing CCA-secure KEM and DPKE schemes can be described by our generic constrictions. Therefore, our work unifies these seemingly unrelated schemes and explains the design principles behind these schemes.