Abstract

KDM[F]-CCA security of public-key encryption (PKE) ensures the privacy of key-dependent messages f(sk) which are closely related to the secret key sk, where f ∈ F, even if the adversary is allowed to make decryption queries. In this paper, we study the design of KDM-CCA secure PKE. To this end, we develop a new primitive named Auxiliary-Input Authenticated Encryption (AIAE). For AIAE, we introduce two related-key attack (RKA) security notions, including IND-RKA and weak-INT-RKA. We present a generic construction of AIAE from tag-based hash proof system (HPS) and one-time secure authenticated encryption (AE) and give an instantiation of AIAE under the Decisional Diffie-Hellman (DDH) assumption. Using AIAE as an essential building block, we give two constructions of efficient KDM-CCA secure PKE based on the DDH and the Decisional Composite Residuosity (DCR) assumptions. Specifically, (i) our first PKE construction is the first one achieving KDM[F_aff]-CCA security for the set of affine functions and compactness of ciphertexts simultaneously. (ii) Our second PKE construction is the first one achieving KDM[F_poly^d]-CCA security for the set of polynomial functions and almost compactness of ciphertexts simultaneously. Our PKE constructions are very efficient; in particular, they are pairing-free and NIZK-free.

Highlights

  • For public-key encryption (PKE) schemes, Chosen-Ciphertext Attack (CCA) security is the de facto security notion

  • We focus on the design of efficient PKE schemes possessing key-dependent message (KDM) security, specifically KDM[F_aff]-CCA security and KDM[F_poly^d]-CCA security, respectively

  • (a) We show a general paradigm for constructing such an Auxiliary-Input Authenticated Encryption (AIAE) from a one-time secure authenticated encryption (AE) and a tag-based hash proof system (HPS) that is universal_2, extracting, and key-homomorphic

Summary

Introduction

For public-key encryption (PKE) schemes, Chosen-Ciphertext Attack (CCA) security is the de facto security notion. Galindo et al. [14] proposed a KDM-CCA secure PKE scheme from the Matrix Decisional Diffie-Hellman assumption. Their scheme enjoys compact ciphertexts, but the KDM-CCA security of their scheme is constrained (more precisely, in their KDM-CCA security model, the adversary is only allowed to have access to the encryption oracle for a number of times linear in the secret key’s size). (ii) Using AIAE as an essential building block, we design the first PKE scheme enjoying KDM[F_aff]-CCA security and compactness of ciphertexts simultaneously. (v) The ciphertext of our PKE scheme is (kem.c, aiae.c). Following this approach, we design KDM[F_aff]-CCA and KDM[F_poly^d]-CCA secure PKE schemes, respectively, by constructing specific building blocks.

Preliminaries
Tag-Based Hash Proof System
Auxiliary-Input Authenticated Encryption
Instantiation
Reducing Polynomials of 8n Variables to Polynomials of 8 Variables
Proof of Claim 19