KDM-CCA Security of the Cramer-Shoup Cryptosystem, Revisited

Jinyong Chang^{1,2} and Rui Xue^{1}

1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Minzhuang Road 89#, Beijing, China
2 Department of Mathematics, Changzhi University, Changzhi, China
Keywords: Key-dependent Message Security, CCA Security, DDH Assumption, Public Key Encryption.

Abstract: An encryption scheme is key-dependent message chosen plaintext attack (KDM-CPA) secure if it remains secure even when an adversary obtains encryptions of messages that depend on the secret key. However, there are not many schemes that are KDM-CPA secure, let alone key-dependent message chosen ciphertext attack (KDM-CCA) secure. So far, only two general constructions, due to Camenisch, Chandran, and Shoup (Eurocrypt 2009), and Hofheinz (Eurocrypt 2013), are known to be KDM-CCA secure in the standard model. Another scheme, a concrete implementation, was recently proposed by Qin, Liu and Huang (ACISP 2013), where a KDM-CCA secure scheme was obtained from the classic Cramer-Shoup (CS) cryptosystem w.r.t. a new family of functions. In this paper, we revisit the KDM-CCA security of the CS-scheme and prove that, in the two-user case, the CS-scheme achieves KDM-CCA security w.r.t. richer ensembles, which cover the result of Qin et al. In addition, we present another proof of the result in (QLH13) by extending the approach used in the two-user case to the n-user case, which achieves a tighter reduction to the decisional Diffie-Hellman (DDH) assumption.
1 INTRODUCTION

Secure encryption is the most basic task in cryptography, and significant work has gone into defining and attaining it. Many commonly accepted definitions for secure encryption (GM84; RS91; RALS11) assume that the plaintext messages to be encrypted cannot depend on the secret decryption keys themselves. Over the last few years, it was observed that in some situations the plaintext messages do depend on the secret keys. Such situations may arise in hard-disk encryption (BHHO08), computational soundness results in formal methods (BRS02), or specific protocols (CL01). Security in this more demanding setting was termed KDM-CPA security (BRS02).[1]

KDM-CPA security does not follow from standard security (CGH12), and there are indications that KDM-CPA security (at least in its most general form) cannot be proven using standard techniques (BHHI10). For this reason, KDM-CPA security has also received much attention in other settings, including symmetric key encryption (BPS08) and identity-based encryption (GHV12).

[1] A specific notion, called circular security, was defined by Camenisch and Lysyanskaya in (CL01).
In this paper, we mainly focus on KDM security in the public key encryption (PKE) setting. Therefore, let us first recall the classic definition of KDM-CPA security w.r.t. an efficiently computable function ensemble $\mathcal{F}$, proposed by Black et al. in (BRS02). In particular, an adversary is given $n$ public keys $pk_1, \cdots, pk_n$ and can access an oracle $\mathcal{O}$ that, upon receiving a query $(i, f)$, where $f$ is a function in $\mathcal{F}$ and $i \in [n]$ is an index, returns an encryption of $f(sk_1, \cdots, sk_n)$ under the public key $pk_i$. Then the scheme is KDM-CPA secure w.r.t. $\mathcal{F}$ if the adversary cannot distinguish between the oracle $\mathcal{O}$ and an oracle $\mathcal{O}_0$ that always returns an encryption of (say) the all-zero string of the same length.

When considering an active adversary, we require a stronger form of KDM-CPA security, namely KDM-CCA security. In short, KDM-CCA security requires that the scheme be secure against an adversary who additionally has access to a decryption oracle. Naturally, to avoid a trivial notion, the adversary is not allowed to submit any ciphertext obtained from the encryption oracle to its decryption oracle.
Chang J. and Xue R. KDM-CCA Security of the Cramer-Shoup Cryptosystem, Revisited. DOI: 10.5220/0005048802990306. In Proceedings of the 11th International Conference on Security and Cryptography (SECRYPT-2014), pages 299-306. ISBN: 978-989-758-045-1. Copyright (c) 2014 SCITEPRESS (Science and Technology Publications, Lda.)

So far, only two general constructions, due to Camenisch et al. (CCS09) and Hofheinz (H13), are known to be KDM-CCA secure in the standard model. In particular, Camenisch et al. showed that a variation of the Naor-Yung paradigm (NY90) allows one to obtain KDM-CCA security from any KDM-CPA secure encryption scheme. In 2013, Hofheinz constructed a KDM-CCA secure scheme with compact ciphertexts w.r.t. selector functions ($f_i(sk_1, \cdots, sk_n) = sk_i$) using a new but intricate tool named lossy algebraic filters. However, none of them are competitive with current KDM-free but CCA-secure schemes in terms of parameters and efficiency.
Temporarily putting efficiency aside, we also observe that, up to now, the existing KDM-CCA (even KDM-CPA) secure schemes are usually limited to affine functions, with some individual exceptions such as (BHHI10; BGK11). Therefore, how to achieve KDM security beyond the affine functions has become an open problem.

Recently, in the excellent work of (QLH13), Qin et al. proved that the tailored CS-scheme is KDM-CCA secure w.r.t. a new function ensemble $\mathcal{F}$ (which we call the QLH-ensemble) that covers some affine functions, as well as other functions that are not contained in the affine ensemble. Moreover, compared to other KDM-CCA secure proposals, Qin et al.'s scheme is the most practical and efficient one, owing to the efficiency of the CS-scheme.

Then the following question arises naturally: Can we find other ensembles and prove that the CS-scheme is also KDM-CCA secure w.r.t. these ensembles?
Our Motivation and Contribution. The argument of this paper is motivated by that of (QLH13). We revisit Qin et al.'s proof and find that they defined a specific ensemble (i.e. the QLH-ensemble) and reduced the KDM-CCA security w.r.t. the QLH-ensemble to the CCA security of the CS-scheme and, hence, (indirectly) to the DDH assumption. In particular, in the hybrid argument, assume that there exists a KDM-CCA adversary A who has the "ability" to distinguish the distributions of the following ciphertexts:
$$C' = \big(\cdots, Enc(pk_{i_{\ell-1}}, f_{i_{\ell-1}}), Enc(pk_{i_\ell}, f_{i_\ell}), Enc(pk_{i_{\ell+1}}, 0^{|f_{i_{\ell+1}}|}), \cdots\big)$$
and
$$C'' = \big(\cdots, Enc(pk_{i_{\ell-1}}, f_{i_{\ell-1}}), Enc(pk_{i_\ell}, 0^{|f_{i_\ell}|}), Enc(pk_{i_{\ell+1}}, 0^{|f_{i_{\ell+1}}|}), \cdots\big),$$
where $f_{i_j}$ is the $j$th function queried by A. Then they constructed an adversary $A'$ who implements a chosen-ciphertext attack on the CS-scheme using A as a subroutine. Our idea is to ask whether we can directly reduce the KDM-CCA security to the DDH assumption and hence obtain KDM-CCA security w.r.t. much richer ensembles. As a result, we show that, in the two-user case, this conjecture is true.

On the other hand, in the original proof presented by Qin et al., the simulator $A'$ has to embed the public key $pk^*$ (obtained from his challenger) into the public keys $pk_1, \cdots, pk_n$ that will be given to A. Therefore, he chooses $i^* \in [n]$ at random and embeds $pk^*$ into the $i^*$th position. He also "hopes" that A will query the encryption of $f_{i_\ell}$ under the public key $pk_{i^*}$ so that he can embed his challenge ciphertext. However, the probability that $i^* = i_\ell$ equals $1/n$. In other words, $A'$ succeeds in embedding his challenge only with probability $1/n$. This makes their reduction to the DDH assumption much looser. By extending the technique used in the two-user case to the n-user case, we also obtain a new proof of the result in (QLH13) with a tighter reduction.
2 PRELIMINARIES

2.1 Decisional Diffie-Hellman (DDH) Assumption

Let $G$ be a group of prime order $q$ and $g$ be a random generator. We let $P_{DDH}$ be the distribution $(g, g^x, g^y, g^{xy})$ in $G^4$, where $x, y$ are uniform in $\mathbb{Z}_q$. Let $R_{DDH}$ be the distribution $(g, g^x, g^y, g^z)$ in $G^4$, where $x, y, z$ are uniform in $\mathbb{Z}_q$.

Definition 1 (DDH Assumption). We say the decisional Diffie-Hellman problem is hard over group $G$ if, for any probabilistic polynomial time (PPT) distinguisher $D$, there exists a negligible function $negl(\lambda)$ such that
$$Adv^{DDH}_{G,D}(\lambda) := \Big|\Pr[r \xleftarrow{\$} P_{DDH} : D(r) = 1] - \Pr[r \xleftarrow{\$} R_{DDH} : D(r) = 1]\Big| \le negl(\lambda).$$

Remark. Let $p$ be a strong prime with $p = 2q + 1$, where $q$ is also a prime. If we let $QR_p$ be the subgroup of quadratic residues in $\mathbb{Z}_p$, then it is a cyclic group of order $q$. It is widely believed that the DDH assumption over $QR_p$ holds (CS02).
2.2 Target Collision-Resistant (TCR) Hash Functions

A family of hash functions $\mathcal{H} = \{H : D \to R\}$ is called a TCR family if, for any PPT $A$, $Adv^{TCR}_{\mathcal{H},A}(\lambda)$ is negligible, where
$$Adv^{TCR}_{\mathcal{H},A}(\lambda) := \Pr[x \xleftarrow{\$} D,\ H \xleftarrow{\$} \mathcal{H},\ y \leftarrow A(x, H) : x \ne y \wedge H(x) = H(y)].$$
2.3 KDM-CCA Security

Now, we recall the formal definition of KDM-CCA security of a public key encryption scheme $\mathcal{PKE} = (Pars, Gen, Enc, Dec)$ proposed by Camenisch et al. (CCS09). Let $K$ be the space of secret keys of $\mathcal{PKE}$. For $n = n(\lambda)$, let $\mathcal{F} = \{f : K^n \to M\}$ be a set of functions. We define the following experiment between a challenger and an adversary A.

$Exp^{KDM\text{-}CCA}_{\mathcal{PKE},A}(\lambda, b)$:
1. Initialization Phase: The challenger runs $Pars(1^\lambda)$ to generate a public parameter $pp$ and then runs $Gen(pp)$ $n$ times to generate $n$ key-pairs $(pk_i, sk_i)$, $i \in [n]$. It sends $pp$ and the public keys $pk_i$, $i \in [n]$, to A. The challenger also initializes a list $CL := \emptyset$ to an empty list.
2. Query Phase: A may adaptively query the challenger for two types of operations.
Encryption Queries: The adversary selects $(i, f) \in [n] \times \mathcal{F}$ and submits it to the challenger. The challenger computes $c = Enc(pp, pk_i, m)$, where $m$ depends on the value of $b$. If $b = 0$, then $m = 0^{|f(sk_1, \cdots, sk_n)|}$, else $m = f(sk_1, \cdots, sk_n)$. Then it appends $(i, c)$ to $CL$. Finally, the challenger sends $c$ to the adversary.
Decryption Queries: The adversary submits a ciphertext $c$ together with an index $i \in [n]$ to the challenger. If $(i, c) \in CL$, the challenger returns $\bot$; otherwise it returns the output of $Dec(pp, sk_i, c)$.
3. Guess Phase: The adversary outputs a bit $b' \in \{0, 1\}$. Then the experiment also outputs $b'$.

Definition 2 (KDM-CCA). A public key encryption scheme $\mathcal{PKE}$ is KDM-CCA secure w.r.t. $\mathcal{F}$ if for any PPT adversary A, the advantage
$$Adv^{KDM\text{-}CCA}_{\mathcal{PKE},A}(\lambda) := \Big|\Pr[Exp^{KDM\text{-}CCA}_{\mathcal{PKE},A}(\lambda, 0) = 1] - \Pr[Exp^{KDM\text{-}CCA}_{\mathcal{PKE},A}(\lambda, 1) = 1]\Big|$$
is negligible.
2.4 New Function Ensembles

In this subsection, we propose a series of function ensembles which will be used for the KDM-CCA security of the CS-scheme in later sections. Let $q$ be a prime. Let $S$ be a finite set contained in $\mathbb{Z}_q^6$ which, in fact, will correspond to the secret key space of the CS-scheme. For any nonzero elements $a_1, a_2, a_3$ in $\mathbb{Z}_q$, we define an ensemble $\mathcal{F}^{q,n}_{a_1,a_2,a_3}$ over $S^n$. Formally, let $sk_i = (x_{i1}, x_{i2}, y_{i1}, y_{i2}, z_{i1}, z_{i2}) \in S$, for $1 \le i \le n$. Each function $f \in \mathcal{F}^{q,n}_{a_1,a_2,a_3}$ can be expressed as
$$f(sk_1, \cdots, sk_n) = \sum_{t_1,t_2,t_3} \alpha_{t_1,t_2,t_3} \prod_{\substack{i>j,\ i,j\in[n],\\ s_1,s_2,s_3\in\{1,2\}}} \Big[(x_{i,s_1} + a_1 x_{j,s_1})^{b_{i,j,t_1}} \cdot (y_{i,s_2} + a_2 y_{j,s_2})^{b_{i,j,t_2}} \cdot (z_{i,s_3} + a_3 z_{j,s_3})^{b_{i,j,t_3}}\Big] \pmod q,$$
where $\alpha_{t_1,t_2,t_3} \in \mathbb{Z}_q$, and $b_{i,j,t_1}, b_{i,j,t_2}, b_{i,j,t_3} \in \mathbb{N}$.

Now, we present two special cases in order to illustrate that our new function ensembles are properly larger.

Case 1: For $k \in \{1, 2\}$, the functions $x_{2k} + a_1 x_{1k},\ x_{3k} + a_1 x_{2k},\ \cdots,\ x_{nk} + a_1 x_{n-1,k}$ (and similarly $y_{2k} + a_2 y_{1k},\ y_{3k} + a_2 y_{2k},\ \cdots,\ y_{nk} + a_2 y_{n-1,k}$ and $z_{2k} + a_3 z_{1k},\ z_{3k} + a_3 z_{2k},\ \cdots,\ z_{nk} + a_3 z_{n-1,k}$) are all contained in $\mathcal{F}^{q,n}_{a_1,a_2,a_3}$. It is clear that a PKE achieving KDM security w.r.t. this ensemble has the so-called "all-or-nothing" sharing property. Thus, it can also be used to discourage delegation of credentials in the anonymous credential system proposed by Camenisch and Lysyanskaya in (CL01).

On the other hand, if $a_1 = a_2 = a_3 = -1$, then the ensemble $\mathcal{F}^{q,n}_{-1,-1,-1}$ essentially equals the QLH-ensemble (see Appendix). Therefore, our following result, which states that the "tailored" Cramer-Shoup scheme is KDM-CCA secure w.r.t. this series of ensembles, completely covers that of (QLH13) when the number of users equals 2.

Case 2: When any of the degrees $b_{i,j,t_1}, b_{i,j,t_2}$, or $b_{i,j,t_3}$ is higher than 1, the new ensembles naturally contain a great many functions that do not belong to the affine function ensemble.
3 THE TAILORED CS-SCHEME

Note that the message space of the CS-scheme is $G$ of (prime) order $q$, whereas the secret key space is $\mathbb{Z}_q^6$. Therefore, we have to tailor the traditional CS-scheme (i.e. encode the elements of $\mathbb{Z}_q$ into elements of $G$). In particular, we assume that there exist an efficient injective encoding $encode : \mathbb{Z}_q \to G$ and a decoding $decode : G \to \mathbb{Z}_q$ such that $decode(encode(x)) = x$ for all $x \in \mathbb{Z}_q$ (CS02).

Now, we recall the tailored CS-scheme $\mathcal{TCS} = (Pars, Gen, Enc, Dec)$ as follows (QLH13).

Public Parameters Generation $Pars(1^\lambda)$: Generate a group $G$ with order $q$, where $q$ is a $\lambda$-bit prime. Choose $g_1, g_2 \xleftarrow{\$} G$ and $H \xleftarrow{\$} \mathcal{H}$, where $\mathcal{H}$ is a TCR family from $G^3$ to $\mathbb{Z}_q$. Output the public parameter $pp = (G, q, g_1, g_2, H)$.

Key Generation $Gen(pp)$: Randomly choose elements $x_1, x_2, y_1, y_2, z_1, z_2$ from $\mathbb{Z}_q$ and compute $c = g_1^{x_1} g_2^{x_2}$, $d = g_1^{y_1} g_2^{y_2}$, $h = g_1^{z_1} g_2^{z_2}$. Output the public/private key pair $(pk, sk) = \big((c, d, h), (x_1, x_2, y_1, y_2, z_1, z_2)\big)$.

Encryption $Enc(pp, pk, m)$: To encrypt a message $m \in \mathbb{Z}_q$, one chooses $r \in \mathbb{Z}_q$ at random. Then compute
$$u_1 = g_1^r,\quad u_2 = g_2^r,\quad e = h^r \cdot encode(m),\quad v = c^r d^{r\alpha},$$
where $\alpha = H(u_1, u_2, e)$. Output the ciphertext $C = (u_1, u_2, e, v)$.

Decryption $Dec(pp, sk, C)$: Given a ciphertext $C = (u_1, u_2, e, v)$, one runs as follows. Compute $\alpha = H(u_1, u_2, e)$, and check whether $u_1^{x_1 + y_1\alpha} u_2^{x_2 + y_2\alpha} = v$. If not, output $\bot$ and halt; else, output $m = decode\big(e / (u_1^{z_1} u_2^{z_2})\big)$.

The correctness of the scheme can be verified easily.
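The scheme just described, together with the Case 1 functions of Section 2.4, as an added worked example (this is not code from the paper or from (QLH13)): the Python below implements the tailored CS-scheme over $QR_p$ for a small safe prime, encrypts the key-dependent message $z_{21} + a_3 z_{11}$ under $pk_1$, recovers it by decryption, and checks that an invalid ciphertext (one with $\log_{g_1} u_1 \ne \log_{g_2} u_2$) and a ciphertext with a modified $v$ are both rejected by the validity check. The 20-bit safe prime found by trial division, the hash instance (SHA-256 reduced modulo $q$, standing in for a member of the TCR family $\mathcal{H}$) and the encoding of $\mathbb{Z}_q$ into $QR_p$ (map $x + 1$ to itself if it is a quadratic residue and to $p - (x + 1)$ otherwise) are assumptions made for this demonstration, not parameters fixed by the paper.

```python
import hashlib
import secrets


def is_prime(n):
    """Trial division; adequate for the small toy modulus used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def find_safe_prime(bits):
    """Smallest safe prime p = 2q + 1 with odd q >= 2^(bits-1) (constructed toy parameter)."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return q, 2 * q + 1


Q, P = find_safe_prime(20)  # QR_P is cyclic of prime order Q (Remark in Section 2.1)


def is_qr(x):
    # Euler's criterion: x is a quadratic residue mod P iff x^Q = 1 (mod P)
    return pow(x, Q, P) == 1


def encode(m):
    """Assumed injective encoding Z_q -> QR_p: exactly one of x, P-x is a residue (P = 3 mod 4)."""
    x = m + 1  # shift Z_q = {0, ..., Q-1} into {1, ..., Q}
    return x if is_qr(x) else P - x


def decode(y):
    x = y if y <= Q else P - y
    return x - 1


def tcr_hash(u1, u2, e):
    """Stand-in for H : G^3 -> Z_q (assumption: SHA-256 reduced mod Q)."""
    digest = hashlib.sha256(f"{u1},{u2},{e}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def pars():
    """Pars(1^lambda): two random generators of QR_P (squares of non-trivial elements)."""
    g1 = pow(2 + secrets.randbelow(P - 3), 2, P)
    g2 = pow(2 + secrets.randbelow(P - 3), 2, P)
    return g1, g2


def gen(pp):
    """Gen(pp): sk = (x1, x2, y1, y2, z1, z2), pk = (c, d, h)."""
    g1, g2 = pp
    x1, x2, y1, y2, z1, z2 = (secrets.randbelow(Q) for _ in range(6))
    c = pow(g1, x1, P) * pow(g2, x2, P) % P
    d = pow(g1, y1, P) * pow(g2, y2, P) % P
    h = pow(g1, z1, P) * pow(g2, z2, P) % P
    return (c, d, h), (x1, x2, y1, y2, z1, z2)


def enc(pp, pk, m):
    """Enc(pp, pk, m) for m in Z_q: C = (u1, u2, e, v)."""
    g1, g2 = pp
    c, d, h = pk
    r = secrets.randbelow(Q)
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = pow(h, r, P) * encode(m) % P
    alpha = tcr_hash(u1, u2, e)
    v = pow(c, r, P) * pow(d, r * alpha % Q, P) % P
    return u1, u2, e, v


def dec(pp, sk, ct):
    """Dec(pp, sk, C): returns m, or None (bottom) when the validity check fails."""
    x1, x2, y1, y2, z1, z2 = sk
    u1, u2, e, v = ct
    alpha = tcr_hash(u1, u2, e)
    check = pow(u1, (x1 + y1 * alpha) % Q, P) * pow(u2, (x2 + y2 * alpha) % Q, P) % P
    if check != v:
        return None
    mask = pow(u1, z1, P) * pow(u2, z2, P) % P
    return decode(e * pow(mask, -1, P) % P)


def kdm_case1(sk1, sk2, a3):
    """Case 1 member of the ensemble: z_{21} + a_3 z_{11} (mod q); index 4 of sk is z_1."""
    return (sk2[4] + a3 * sk1[4]) % Q


def demo(a3=7):
    """Encrypt the key-dependent message under pk_1, then try two ciphertexts that must be rejected."""
    pp = pars()
    g1, g2 = pp
    pk1, sk1 = gen(pp)
    _, sk2 = gen(pp)
    m = kdm_case1(sk1, sk2, a3)
    ct = enc(pp, pk1, m)
    u1, u2, e, v = ct
    recovered = dec(pp, sk1, ct)
    # invalid ciphertext: shift log_{g2} u2 by one, so log_{g1} u1 != log_{g2} u2
    invalid = (u1, u2 * g2 % P, e, v)
    # same (u1, u2, e) but a different v: always rejected (first case in the proof of Claim 2)
    wrong_v = (u1, u2, e, v * g1 % P)
    return recovered == m, dec(pp, sk1, invalid) is None, dec(pp, sk1, wrong_v) is None
```

The invalid ciphertext is rejected with probability $1 - 1/q$ over the choice of the secret key, which is exactly the bound the proof of Claim 2 gives for a single decryption query; with the toy 20-bit $q$ this is already a one-in-a-million event.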
About its security, we have the following theorem.

Theorem 1 ((CS02; QLH13)). If $\mathcal{H}$ is a family of TCR hash functions and the DDH assumption holds in $QR_p$, then the tailored CS-scheme $\mathcal{TCS}$ is CCA secure. More precisely, for any PPT adversary A, we have
$$Adv^{CCA}_{\mathcal{TCS},A}(\lambda) \le 2 \cdot \Big(Adv^{DDH}_{QR_p,B_1}(\lambda) + Adv^{TCR}_{\mathcal{H},B_2}(\lambda) + \frac{Q_d + 4}{q}\Big),$$
where $B_1, B_2$ are a DDH-distinguisher and a TCR-adversary, respectively, and $Q_d$ is the number of A's decryption queries.
4 SECURITY PROOF

4.1 KDM-CCA Security (2-User Case)

Now we turn to the KDM-CCA security of the tailored CS-scheme w.r.t. the ensembles we proposed. We note that it is instructive to treat the two-user case first. Therefore, we first restate the ensembles $\mathcal{F}^{q,n}_{a_1,a_2,a_3}$ in the two-user case (i.e. $\mathcal{F}^{q,2}_{a_1,a_2,a_3}$) in order to make our proof easy to understand. Actually, each function $f \in \mathcal{F}^{q,2}_{a_1,a_2,a_3}$ can also be considered as a multivariate polynomial in the following six arguments:
$$x_{21} + a_1 x_{11},\quad x_{22} + a_1 x_{12},\quad y_{21} + a_2 y_{11},\quad y_{22} + a_2 y_{12},\quad z_{21} + a_3 z_{11},\quad z_{22} + a_3 z_{12}.$$
Theorem 2. Let $n = 2$ and $p$ be a safe prime with $p = 2q + 1$. For any nonzero elements $a_1, a_2, a_3 \in \mathbb{Z}_q$, if $\mathcal{H}$ is a family of TCR hash functions and the DDH assumption holds in $QR_p$, then the tailored CS-scheme $\mathcal{TCS}$ described in Section 3 achieves KDM-CCA security w.r.t. the ensemble $\mathcal{F}^{q,2}_{a_1,a_2,a_3}$. More precisely, for any PPT adversary A, there exist a DDH-distinguisher $B$ and a TCR-adversary $B_1$ such that
$$Adv^{KDM\text{-}CCA}_{\mathcal{TCS},A}(\lambda) \le Q \cdot \Big(Adv^{DDH}_{QR_p,B}(\lambda) + Adv^{TCR}_{\mathcal{H},B_1}(\lambda) + \frac{Q_d}{q - Q_d}\Big),$$
assuming that A makes at most $Q$ queries to the encryption oracle and $Q_d$ queries to the decryption oracle.
Proof. Let A be any PPT adversary who implements a key-dependent message chosen-ciphertext attack on the tailored CS-scheme $\mathcal{TCS}$. Let $Q$ denote the number of queries to the encryption oracle and $Q_d$ the number of queries to the decryption oracle. We will proceed in a sequence of games, each of which is a modification of the previous one. Let $X_i$ be the output of A in $Game_i$.

$Game_0$: This game is the KDM-CCA security experiment for $b = 0$. Therefore, we have
$$\Pr[X_0 = 1] = \Pr[Exp^{KDM\text{-}CCA}_{\mathcal{TCS},A}(\lambda, 0) = 1].$$

$Game_\ell$ ($\ell = 1, \cdots, Q$): This game is the same as $Game_{\ell-1}$ except that the challenger responds to the $k$th encryption query $(i_k, f_k)$ with
$$C_k = \begin{cases} Enc(pp, pk_{i_k}, f_k(sk_1, sk_2)), & k = 1, 2, \cdots, \ell; \\ Enc(pp, pk_{i_k}, 0^{|f_k(sk_1, sk_2)|}), & k = \ell + 1, \cdots, Q. \end{cases}$$

Obviously, $Game_Q$ is the KDM-CCA security experiment for $b = 1$ and
$$\Pr[X_Q = 1] = \Pr[Exp^{KDM\text{-}CCA}_{\mathcal{TCS},A}(\lambda, 1) = 1].$$
Thus,
$$Adv^{KDM\text{-}CCA}_{\mathcal{TCS},A}(\lambda) = \Big|\Pr[Exp^{KDM\text{-}CCA}_{\mathcal{TCS},A}(\lambda, 0) = 1] - \Pr[Exp^{KDM\text{-}CCA}_{\mathcal{TCS},A}(\lambda, 1) = 1]\Big| = \big|\Pr[X_0 = 1] - \Pr[X_Q = 1]\big| \le \sum_{\ell=1}^{Q} \big|\Pr[X_{\ell-1} = 1] - \Pr[X_\ell = 1]\big|.$$

Next, we claim that, for any $\ell \in [Q]$, there exist two suitable adversaries $B$ and $B_1$, who attack the DDH assumption and the TCR-security of $\mathcal{H}$, respectively, such that
$$\big|\Pr[X_{\ell-1} = 1] - \Pr[X_\ell = 1]\big| \le Adv^{DDH}_{QR_p,B}(\lambda) + Adv^{TCR}_{\mathcal{H},B_1}(\lambda) + \frac{Q_d}{q - Q_d}.$$
Then we have
$$Adv^{KDM\text{-}CCA}_{\mathcal{TCS},A}(\lambda) \le Q \cdot \Big(Adv^{DDH}_{QR_p,B}(\lambda) + Adv^{TCR}_{\mathcal{H},B_1}(\lambda) + \frac{Q_d}{q - Q_d}\Big).$$
Therefore, the KDM-CCA security of the tailored CS-scheme $\mathcal{TCS}$ follows.
Finally, we turn to prove the above claim. In particular, for $\ell \in [Q]$, we construct an adversary $B$ who attacks the DDH assumption over $G\,(= QR_p)$ using A as a subroutine.

When given $(G, q)$ and a tuple $(g_1, g_2, u_1, u_2)$ coming from either the distribution $P_{DDH}$ or $R_{DDH}$, $B$ randomly and independently chooses
$$x_{11}, x_{12}, y_{11}, y_{12}, z_{11}, z_{12}, x_{21}, x_{22}, y_{21}, y_{22}, z_{21}, z_{22} \in \mathbb{Z}_q,$$
and computes
$$c_1 = g_1^{x_{11}} g_2^{x_{12}},\quad d_1 = g_1^{y_{11}} g_2^{y_{12}},\quad h_1 = g_1^{z_{11}} g_2^{z_{12}},$$
$$c_2 = g_1^{x_{21}} g_2^{x_{22}},\quad d_2 = g_1^{y_{21}} g_2^{y_{22}},\quad h_2 = g_1^{z_{21}} g_2^{z_{22}}.$$
Then $B$ picks $H \xleftarrow{\$} \mathcal{H}$ and gives $pp = (G, q, g_1, g_2, H)$, $pk_1 = (c_1, d_1, h_1)$, and $pk_2 = (c_2, d_2, h_2)$ to A. Note that $B$ knows the two secret keys $sk_1 = (x_{11}, x_{12}, y_{11}, y_{12}, z_{11}, z_{12})$ and $sk_2 = (x_{21}, x_{22}, y_{21}, y_{22}, z_{21}, z_{22})$. Therefore, he can compute all the functions $f$ of the secret keys and answer all decryption queries from A exactly as the actual decryption algorithm does.

Next, we describe how to answer encryption queries from A. For the $k$th encryption query $(i_k, f_k)$ (without loss of generality, we assume that $i_\ell = 1$), $B$ works as follows. Choose $b \xleftarrow{\$} \{0, 1\}$.

For $k \in \{1, \cdots, \ell - 1\}$, compute $C_k = Enc(pp, pk_{i_k}, f_k(sk_1, sk_2))$ and return it to A.

For $k = \ell$, compute
$$e_\ell = u_1^{z_{11}} u_2^{z_{12}} \cdot encode(m_b),\qquad v_\ell = u_1^{x_{11} + y_{11}\alpha_\ell}\, u_2^{x_{12} + y_{12}\alpha_\ell},$$
where $\alpha_\ell = H(u_1, u_2, e_\ell)$, and
$$m_b = \begin{cases} 0^{|f_\ell(sk_1, sk_2)|}, & \text{if } b = 0; \\ f_\ell(sk_1, sk_2), & \text{if } b = 1. \end{cases}$$
Let $C_\ell = (u_1, u_2, e_\ell, v_\ell)$ and return it to A.

For $k \in \{\ell + 1, \cdots, Q\}$, compute $C_k = Enc(pp, pk_{i_k}, 0^{|f_k(sk_1, sk_2)|})$ and return it to A.

Finally, $B$ stores $(i_1, C_1), \cdots, (i_Q, C_Q)$ in the ciphertext list $CL$. That completes the description of $B$.
Obviously, when the input $(g_1, g_2, u_1, u_2)$ of $B$ comes from $P_{DDH}$, the output of the encryption oracle is a legitimate ciphertext and $B$ successfully simulates $Game_{\ell-1}$ (when $b = 0$) or $Game_\ell$ (when $b = 1$) for A.

Next, we analyze A's view when $B$'s input $(g_1, g_2, u_1, u_2)$ comes from $R_{DDH}$. Let $u_1 = g_1^{r_1}$ and $u_2 = g_2^{r_2} := g_1^{\omega r_2}$. We may assume that $r_1 \ne r_2$, since this holds except with negligible probability. In the following, we call $(u_1', u_2', e', v') \in G^4$ a valid ciphertext if and only if $\log_{g_1} u_1' = \log_{g_2} u_2'$. Then the fact that A's view is essentially independent of the bit $b$ follows immediately from the following two claims.

Claim 1. If the decryption oracle rejects all invalid ciphertexts during the attack, then the distribution of the hidden bit $b$ is independent of the adversary's view.
Proof of Claim 1. Consider the point $Q = (z_{11}, z_{12}) \in \mathbb{Z}_q^2$. If the decryption oracle rejects all invalid ciphertexts during the whole attack, then the adversary A's view consists of the public parameter $pp = (G, q, g_1, g_2, H)$, the public keys $pk_1, pk_2$, the valid ciphertexts submitted to the decryption oracle and the answers from it, and the answers from the encryption oracle. In order to make our analysis clear, we divide it into the following three phases. In short, A may obtain "more information" in the latter phase than in the former one.

At the beginning of the attack, the adversary's view only consists of the public parameter $pp = (G, q, g_1, g_2, H)$ and the public keys $pk_1, pk_2$. Now, A can learn the following equations from $pk_1, pk_2$:
$$z_{11} + \omega z_{12} = \log_{g_1} h_1,\qquad z_{21} + \omega z_{22} = \log_{g_1} h_2, \tag{1}$$
in which only one equation is related to $Q$:
$$z_{11} + \omega z_{12} = \log_{g_1} h_1. \tag{2}$$
Therefore, $Q$ is a random point on the line (2).

Next, we consider that the adversary A's view consists of the valid ciphertexts submitted to the decryption oracle and the answers from it, in addition to $pp$, $pk_1$, and $pk_2$. Since the decryption oracle only answers valid ciphertexts $(u_1', u_2', e', v')$, A only obtains the following equation, which is linearly dependent on (2):
$$r' z_{11} + r' \omega z_{12} = r' \log_{g_1} h_1.$$
Hence, $Q$ remains a random point on the line (2).

Finally, we inject the outputs $(u_{11}, u_{12}, e_1, v_1), \cdots, (u_{Q1}, u_{Q2}, e_Q, v_Q)$ of $B$'s encryption answers into A's view, where
$$e_1 = \varepsilon_1 \cdot encode(f_1(sk_1, sk_2)),\ \ldots,\ e_{\ell-1} = \varepsilon_{\ell-1} \cdot encode(f_{\ell-1}(sk_1, sk_2)),$$
$$e_\ell = \varepsilon_\ell \cdot encode(m_b),$$
$$e_{\ell+1} = \varepsilon_{\ell+1} \cdot encode(0^{|f_{\ell+1}(sk_1, sk_2)|}),\ \ldots,\ e_Q = \varepsilon_Q \cdot encode(0^{|f_Q(sk_1, sk_2)|}),$$
for $\varepsilon_j = u_{j1}^{z_{i_j 1}} u_{j2}^{z_{i_j 2}}$, $j \in [Q] \setminus \{\ell\}$; $\varepsilon_\ell = u_1^{z_{11}} u_2^{z_{12}}$, and
$$m_b = \begin{cases} 0^{|f_\ell(sk_1, sk_2)|}, & \text{if } b = 0; \\ f_\ell(sk_1, sk_2), & \text{if } b = 1. \end{cases}$$
Note that the items $v_1, \cdots, v_Q$ are independent of $Q$ although they are related to the secret keys $sk_1, sk_2$. Therefore, A can obtain (at most) the following equations from $e_1, \cdots, e_Q$:
$$f_1(sk_1, sk_2) := a_1,\ \ldots,\ f_Q(sk_1, sk_2) := a_Q. \tag{3}$$
According to the definition of the ensemble $\mathcal{F}^{q,2}_{a_1,a_2,a_3}$, we know that the adversary can learn at most the following two equations from (3):[2]
$$z_{21} + a_3 z_{11} := a_{11},\qquad z_{22} + a_3 z_{12} := a_{22}. \tag{4}$$
Putting (1) and (4) together, A can distill
$$z_{11} + \omega z_{12} = \log_{g_1} h_1,\quad z_{21} + \omega z_{22} = \log_{g_1} h_2,\quad z_{21} + a_3 z_{11} = a_{11},\quad z_{22} + a_3 z_{12} = a_{22}. \tag{5}$$
We can easily check that the rank of the coefficient matrix of (5) equals 3.

In addition, from $\varepsilon_\ell = u_1^{z_{11}} u_2^{z_{12}}$, we have
$$r_1 z_{11} + \omega r_2 z_{12} = \log_{g_1} \varepsilon_\ell. \tag{6}$$
Therefore, A obtains a new system of equations composed of (5) and (6). Let $A_1$ be the coefficient matrix of the new system. Obviously, the rank of $A_1$ equals 4 since $r_1 \ne r_2$. Hence, the conditional distribution of $\varepsilon_\ell$, conditioned on everything in the adversary's view other than $e_\ell$, is uniform. It follows that $b$ is independent of the adversary's view.

[2] We still ignore the equations involving $x_{ij}, y_{ij}$, for $i, j \in \{1, 2\}$, since they are independent of the point $Q$.
Claim 2. The decryption oracle will reject all invalid ciphertexts, except with negligible probability.

Proof of Claim 2. Now, we analyze the distribution of $P_i = (x_{i1}, x_{i2}, y_{i1}, y_{i2}) \in \mathbb{Z}_q^4$, for $i = 1, 2$, conditioned on the adversary's view. Without loss of generality, we only consider the point $P_1$. As in the proof of Claim 1, at the beginning of the attack, the adversary's view consists of the public parameter $pp = (G, q, g_1, g_2, H)$ and the public keys $pk_1 = (c_1, d_1, h_1)$ and $pk_2 = (c_2, d_2, h_2)$. Hence, the adversary A learns the following system:[3]
$$x_{11} + \omega x_{12} = \log_{g_1} c_1,\quad y_{11} + \omega y_{12} = \log_{g_1} d_1,\quad x_{21} + \omega x_{22} = \log_{g_1} c_2,\quad y_{21} + \omega y_{22} = \log_{g_1} d_2. \tag{7}$$
After receiving the challenge ciphertexts $(u_{11}, u_{12}, e_1, v_1), \cdots, (u_{Q1}, u_{Q2}, e_Q, v_Q)$ that are encrypted under the public keys $pk_{i_1}, \cdots, pk_{i_Q}$, respectively, A can also get (at most) the following equations from $e_1, \cdots, e_Q$:
$$f_1(sk_1, sk_2) = a_1,\ \ldots,\ f_Q(sk_1, sk_2) = a_Q. \tag{8}$$
Getting rid of the equations from the system (8) that are independent of $P_1$, the adversary can distill (in the worst case) the equations:
$$x_{21} + a_1 x_{11} := a_{11},\quad x_{22} + a_1 x_{12} := a_{12},\quad y_{21} + a_2 y_{11} := a_{21},\quad y_{22} + a_2 y_{12} := a_{22}. \tag{9}$$
In addition, he can also obtain (note that $i_\ell = 1$) from $v_1, \cdots, v_Q$ the equations
$$r_1' x_{i_1 1} + \omega r_1' x_{i_1 2} + \alpha_1 r_1' y_{i_1 1} + \alpha_1 \omega r_1' y_{i_1 2} = \log_{g_1} v_1,$$
$$\vdots$$
$$r_{\ell-1}' x_{i_{\ell-1} 1} + \omega r_{\ell-1}' x_{i_{\ell-1} 2} + \alpha_{\ell-1} r_{\ell-1}' y_{i_{\ell-1} 1} + \alpha_{\ell-1} \omega r_{\ell-1}' y_{i_{\ell-1} 2} = \log_{g_1} v_{\ell-1},$$
$$r_1 x_{11} + \omega r_2 x_{12} + \alpha_\ell r_1 y_{11} + \alpha_\ell \omega r_2 y_{12} = \log_{g_1} v_\ell,$$
$$r_{\ell+1}' x_{i_{\ell+1} 1} + \omega r_{\ell+1}' x_{i_{\ell+1} 2} + \alpha_{\ell+1} r_{\ell+1}' y_{i_{\ell+1} 1} + \alpha_{\ell+1} \omega r_{\ell+1}' y_{i_{\ell+1} 2} = \log_{g_1} v_{\ell+1},$$
$$\vdots$$
$$r_Q' x_{i_Q 1} + \omega r_Q' x_{i_Q 2} + \alpha_Q r_Q' y_{i_Q 1} + \alpha_Q \omega r_Q' y_{i_Q 2} = \log_{g_1} v_Q, \tag{10}$$
in which $r_j'$, for $j \in [Q] \setminus \{\ell\}$, is the randomness of the $j$th encryption. The equations in (10) are linear combinations of those in (7), except for
$$r_1 x_{11} + \omega r_2 x_{12} + \alpha r_1 y_{11} + \alpha \omega r_2 y_{12} = \log_{g_1} v_\ell,$$
where we write $\alpha$ for $\alpha_\ell$. Combining all the equations listed in (7), (9), and (10) that are "useful" for A to fix the point $P_1$, we have
$$x_{11} + \omega x_{12} = \log_{g_1} c_1,\quad y_{11} + \omega y_{12} = \log_{g_1} d_1,\quad x_{21} + \omega x_{22} = \log_{g_1} c_2,\quad y_{21} + \omega y_{22} = \log_{g_1} d_2,$$
$$x_{21} + a_1 x_{11} := a_{11},\quad x_{22} + a_1 x_{12} := a_{12},\quad y_{21} + a_2 y_{11} := a_{21},\quad y_{22} + a_2 y_{12} := a_{22},$$
$$r_1 x_{11} + \omega r_2 x_{12} + \alpha r_1 y_{11} + \alpha \omega r_2 y_{12} = \log_{g_1} v_\ell. \tag{11}$$
It can be easily verified that the rank of the coefficient matrix of (11) equals 7.

Now assume that A submits an invalid ciphertext $C^* := (u_{11}^*, u_{12}^*, e_1^*, v_1^*) \ne (u_{11}, u_{12}, e_1, v_1)$, where $u_{11}^* = g_1^{r_1^*}$, $u_{12}^* = g_2^{r_2^*}$, and $r_1^* \ne r_2^*$. Let $\alpha^* = H(u_{11}^*, u_{12}^*, e_1^*)$. We consider the following three cases.

$(u_{11}^*, u_{12}^*, e_1^*) = (u_{11}, u_{12}, e_1)$. Then $\alpha = \alpha^*$. But $v_1^* \ne v_1$ implies that $C^*$ will certainly be rejected.

$(u_{11}^*, u_{12}^*, e_1^*) \ne (u_{11}, u_{12}, e_1)$ and $\alpha^* = \alpha$. Then a straightforward reduction to the TCR-property of $\mathcal{H}$ implies that this case occurs with negligible probability. That is, if we denote by $F$ the event that $(u_{11}^*, u_{12}^*, e_1^*) \ne (u_{11}, u_{12}, e_1)$ and $\alpha^* = \alpha$, then we can easily construct an adversary $B_1$ satisfying $\Pr[F] \le Adv^{TCR}_{\mathcal{H},B_1}(\lambda)$.

$(u_{11}^*, u_{12}^*, e_1^*) \ne (u_{11}, u_{12}, e_1)$ and $\alpha^* \ne \alpha$. In this case, the decryption oracle will reject unless $(u_{11}^*)^{x_{11} + y_{11}\alpha^*} (u_{12}^*)^{x_{12} + y_{12}\alpha^*} = v_1^*$, i.e.
$$r_1^* x_{11} + \omega r_2^* x_{12} + \alpha^* r_1^* y_{11} + \alpha^* \omega r_2^* y_{12} = \log_{g_1} v_1^*. \tag{12}$$
Then the coefficient matrix of the new system formed by adding this equation to the system (11) has rank 8. Therefore, different values of $v_1^*$ give different solutions for $(x_{11}, x_{12}, y_{11}, y_{12})$. It follows that the adversary guesses $(x_{11}, x_{12}, y_{11}, y_{12})$ correctly with probability at most $1/q$. Hence, the first invalid ciphertext $C^*$ is accepted with probability at most $1/q$. Similarly, the $i$th invalid ciphertext is accepted with probability at most $1/(q - i + 1) \le 1/(q - Q_d)$, where $Q_d$ is the total number of decryption queries. By the union bound, we know that the decryption oracle rejects the ciphertext $C^*$, except with (at most) negligible probability $Q_d/(q - Q_d)$.

[3] We also ignore the equations involving $z_{ij}$, $i, j \in \{1, 2\}$, since they are independent of $P_1$.

Combining the conclusions of Claim 1 with that of Claim 2 completes the proof of the theorem.
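The rank statements in the proofs of Claims 1 and 2 can be checked mechanically. The following Python is an added example, not part of the paper: it builds the coefficient matrices of (5) with (6) and of (11) with (12) over $\mathbb{Z}_q$ for constructed sample values of $\omega, a_1, a_2, a_3, r_1, r_2, \alpha$ and of the invalid ciphertext's $r_1^*, r_2^*, \alpha^*$, computes their ranks by Gauss-Jordan elimination modulo $q$, and also exercises the boundary cases the proof relies on: when $r_1 = r_2$ (a DDH tuple) equation (6) adds nothing to (5), and when $r_1^* = r_2^*$ (a valid ciphertext) or $\alpha^* = \alpha$ (the TCR case) equation (12) adds nothing to (11). The prime $q = 1019$ and the sample exponents are constructed here; the unknowns are ordered $(z_{11}, z_{12}, z_{21}, z_{22})$ for Claim 1 and $(x_{11}, x_{12}, y_{11}, y_{12}, x_{21}, x_{22}, y_{21}, y_{22})$ for Claim 2.

```python
def rank_mod_q(rows, q):
    """Rank of an integer matrix over Z_q (q prime) by Gauss-Jordan elimination."""
    m = [[x % q for x in row] for row in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, q)
        m[rank] = [(x * inv) % q for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                factor = m[r][col]
                m[r] = [(a - factor * b) % q for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def claim1_ranks(q, w, a3, r1, r2):
    """Ranks of system (5) and of (5)+(6); unknowns (z11, z12, z21, z22)."""
    sys5 = [
        [1, w, 0, 0],   # z11 + w z12 = log h1      (1)/(2)
        [0, 0, 1, w],   # z21 + w z22 = log h2      (1)
        [a3, 0, 1, 0],  # z21 + a3 z11 = a11        (4)
        [0, a3, 0, 1],  # z22 + a3 z12 = a22        (4)
    ]
    eq6 = [r1, w * r2, 0, 0]  # r1 z11 + w r2 z12 = log eps_l   (6)
    return rank_mod_q(sys5, q), rank_mod_q(sys5 + [eq6], q)


def claim2_ranks(q, w, a1, a2, r1, r2, alpha, r1s, r2s, alpha_s):
    """Ranks of system (11) and of (11)+(12); unknowns (x11,x12,y11,y12,x21,x22,y21,y22)."""
    sys11 = [
        [1, w, 0, 0, 0, 0, 0, 0],   # (7) x11 + w x12 = log c1
        [0, 0, 1, w, 0, 0, 0, 0],   # (7) y11 + w y12 = log d1
        [0, 0, 0, 0, 1, w, 0, 0],   # (7) x21 + w x22 = log c2
        [0, 0, 0, 0, 0, 0, 1, w],   # (7) y21 + w y22 = log d2
        [a1, 0, 0, 0, 1, 0, 0, 0],  # (9) x21 + a1 x11 = a11
        [0, a1, 0, 0, 0, 1, 0, 0],  # (9) x22 + a1 x12 = a12
        [0, 0, a2, 0, 0, 0, 1, 0],  # (9) y21 + a2 y11 = a21
        [0, 0, 0, a2, 0, 0, 0, 1],  # (9) y22 + a2 y12 = a22
        [r1, w * r2, alpha * r1, alpha * w * r2, 0, 0, 0, 0],  # (10), the l-th equation
    ]
    # (12): the acceptance condition of the invalid ciphertext (r1s != r2s, alpha_s = alpha*)
    eq12 = [r1s, w * r2s, alpha_s * r1s, alpha_s * w * r2s, 0, 0, 0, 0]
    return rank_mod_q(sys11, q), rank_mod_q(sys11 + [eq12], q)


def summary(q=1019):
    """Rank results the proof relies on, for constructed sample exponents."""
    w, a1, a2, a3 = 5, 2, 3, q - 1     # a3 = -1 mod q, the QLH-ensemble case
    r1, r2, alpha = 7, 11, 13          # R_DDH input: r1 != r2
    r1s, r2s, alpha_s = 17, 19, 23     # invalid ciphertext with alpha* != alpha
    return {
        "claim1": claim1_ranks(q, w, a3, r1, r2),                                    # (3, 4)
        "claim1_ddh_tuple": claim1_ranks(q, w, a3, r1, r1),                          # (3, 3)
        "claim2": claim2_ranks(q, w, a1, a2, r1, r2, alpha, r1s, r2s, alpha_s),      # (7, 8)
        "claim2_valid_ct": claim2_ranks(q, w, a1, a2, r1, r2, alpha, r1s, r1s, alpha_s),  # (7, 7)
        "claim2_collision": claim2_ranks(q, w, a1, a2, r1, r2, alpha, r1s, r2s, alpha),   # (7, 7)
    }
```

The two "(7, 7)" cases are exactly why the proof needs the TCR property and the restriction to invalid ciphertexts: a valid ciphertext or a hash collision contributes an equation already implied by (11), so it is the combination $r_1^* \ne r_2^*$ and $\alpha^* \ne \alpha$ that forces the eighth independent equation and hence the $1/q$ acceptance bound.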
4.2 KDM-CCA Security with a Tighter Reduction (n-User Case)

In this subsection, we present a new proof of Qin et al.'s result in (QLH13), which has the benefit that our new proof achieves a tighter reduction to the DDH assumption than that of (QLH13). From a technical perspective, we directly reduce the KDM-CCA security of $\mathcal{TCS}$ to the DDH assumption, using a similar analysis as in Theorem 2, instead of Qin et al.'s approach, which reduces the KDM security to the CCA security of the CS-scheme. Formally, we have

Theorem 3. Let $p$ be a safe prime with $p = 2q + 1$ and $n$ be a polynomial in $\lambda$. If $\mathcal{H}$ is a family of TCR hash functions and the DDH assumption holds in $QR_p$, then the tailored CS-scheme $\mathcal{TCS}$ described in Section 3 achieves KDM-CCA security w.r.t. the QLH-ensemble (i.e. $\mathcal{F}^{q,n}_{-1,-1,-1}$). More precisely, for any PPT adversary A, there exist a DDH-distinguisher $B$ and a TCR-adversary $B_1$ such that
$$Adv^{KDM\text{-}CCA}_{\mathcal{TCS},A}(\lambda) \le Q \cdot \Big(Adv^{DDH}_{QR_p,B}(\lambda) + Adv^{TCR}_{\mathcal{H},B_1}(\lambda) + \frac{Q_d}{q - Q_d}\Big),$$
assuming that A makes at most $Q$ queries to the encryption oracle and $Q_d$ queries to the decryption oracle.

Since the main idea is completely analogous to that of Theorem 2, we omit the proof here.
5 CONCLUSIONS

In this paper, we introduced a series of new function ensembles and, in the two-user case, proved that the tailored CS-scheme achieves KDM-CCA security w.r.t. these ensembles, which completely covers the result in (QLH13). As Qin et al. said in (QLH13), though the new function ensembles do not cover all the affine functions, they suffice for some applications like anonymous credential systems. Moreover, in the n-user case, we also give a new proof of the result in (QLH13), which achieves a tighter reduction to the DDH assumption.

ACKNOWLEDGEMENTS

The authors are grateful to the anonymous reviewers for many invaluable comments and suggestions. This work is supported by the National Natural Science Foundation of China (No. 61170280), the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06010701), and the Foundation of Institute of Information Engineering for Cryptography.
REFERENCES

Backes, M., Pfitzmann, B., Scedrov, A. (2008). Key-dependent message security under active attacks - BRSIM/UC-soundness of Dolev-Yao-style encryption with key cycles. Journal of Computer Security, Vol. 16(5), pp. 497-530.
Barak, B., Haitner, I., Hofheinz, D., Ishai, Y. (2010). Bounded key-dependent message security. In EUROCRYPT'10. LNCS, vol. 6110, pp. 423-444. Springer, Heidelberg.
Black, J., Rogaway, P., Shrimpton, T. (2002). Encryption-scheme security in the presence of key-dependent messages. In SAC'02. LNCS, vol. 2595, pp. 62-75. Springer, Heidelberg.
Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R. (2008). Circular-secure encryption from decision Diffie-Hellman. In CRYPTO'08. LNCS, vol. 5157, pp. 108-125. Springer, Heidelberg.
Brakerski, Z., Goldwasser, S., Kalai, Y.T. (2011). Black-box circular-secure encryption beyond affine functions. In TCC'11. LNCS, vol. 6597, pp. 201-218. Springer, Heidelberg.
Camenisch, J., Chandran, N., Shoup, V. (2009). A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In EUROCRYPT'09. LNCS, vol. 5479, pp. 351-368. Springer, Heidelberg.
Camenisch, J., Lysyanskaya, A. (2001). An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In EUROCRYPT'01. LNCS, vol. 2045, pp. 93-118. Springer, Heidelberg.
Cash, D., Green, M., Hohenberger, S. (2012). New definitions and separations for circular security. In PKC'12. LNCS, vol. 7293, pp. 540-557. Springer, Heidelberg.
Cramer, R., Shoup, V. (2002). Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In EUROCRYPT'02. LNCS, vol. 2332, pp. 45-64. Springer, Heidelberg.
Galindo, D., Herranz, J., Villar, J. (2012). Identity-based encryption with master key-dependent message security and leakage-resilience. In ESORICS'12. LNCS, vol. 7459, pp. 627-642. Springer, Heidelberg.
Goldwasser, S., Micali, S. (1984). Probabilistic encryption. J. Comput. Syst. Science, Vol. 28(2), pp. 270-299.
Hofheinz, D. (2013). Circular chosen-ciphertext security with compact ciphertexts. In EUROCRYPT'13. LNCS, vol. 7881, pp. 520-536. Springer, Heidelberg.
Naor, M., Yung, M. (1990). Public-key cryptosystems provably secure against chosen ciphertext attacks. In STOC'90, pp. 427-437. ACM.
Qin, B., Liu, S., Huang, Z. (2013). Key-dependent message chosen-ciphertext security of the Cramer-Shoup cryptosystem. In ACISP'13. LNCS, vol. 7959, pp. 136-151. Springer, Heidelberg.
Rackoff, C., Simon, D. (1992). Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In CRYPTO'91. LNCS, vol. 576, pp. 433-444. Springer, Heidelberg.
Roman, R., Alcaraz Tello, C., Lopez, J., Sklavos, N. (2011). Key management systems for sensor networks in the context of the Internet of Things. Computers & Electrical Engineering, Vol. 37(2), pp. 147-159.
APPENDIX (QLH-Ensemble)

Let $q$ be a prime number and $X$ be a subset of $\mathbb{Z}_q$. Then the QLH-function ensemble is a family of functions $\mathcal{F}^{q,n} := \{f : X^n \to \mathbb{Z}_N\}$, and each function $f \in \mathcal{F}^{q,n}$ is defined as
$$f(x_1, \cdots, x_n) = \sum_t \alpha_t \prod_{i \ne j,\ i,j \in [n]} (x_i - x_j)^{a_{i,j,t}} \bmod q,$$
where $\alpha_t \in \mathbb{Z}_q$ and $a_{i,j,t} \in \mathbb{N}$.

Specific to the tailored CS-scheme, we can represent functions from the QLH-ensemble as
$$f(sk_1, \cdots, sk_n) = \sum_{t_1,t_2,t_3} \alpha_{t_1,t_2,t_3} \prod_{\substack{i>j,\ i,j\in[n],\\ s_1,s_2,s_3\in\{1,2\}}} \Big[(x_{i,s_1} - x_{j,s_1})^{b_{i,j,t_1}} \cdot (y_{i,s_1} - y_{j,s_1})^{b_{i,j,t_2}} \cdot (z_{i,s_1} - z_{j,s_1})^{b_{i,j,t_3}}\Big] \pmod q,$$
where $sk_i = (x_{i1}, x_{i2}, y_{i1}, y_{i2}, z_{i1}, z_{i2})$ is the secret key for the $i$th user, $\alpha_{t_1,t_2,t_3} \in \mathbb{Z}_q$, and $b_{i,j,t_1}, b_{i,j,t_2}, b_{i,j,t_3} \in \mathbb{N}$.