A Posteriori Openable Public Key Encryption

Bultel, Xavier; Lafourcade, Pascal

doi:10.1007/978-3-319-33630-5_2

Xavier Bultel^17,18 &
Pascal Lafourcade^17,18

Part of the book series: IFIP Advances in Information and Communication Technology ((IFIPAICT,volume 471))

Included in the following conference series:

IFIP International Conference on ICT Systems Security and Privacy Protection

2094 Accesses
3 Citations

Abstract

We present a public key encryption primitive called A Posteriori Openable Public Key Encryption (APO-PKE). In addition to conventional properties of public key cryptosystems, our primitive allows each user, who has encrypted messages using different public keys, to create a special decryption key. A user can give this key to a judge to open all messages that have been encrypted in a chosen time interval with the public keys of the receivers. We provide a generic efficient construction, in the sense that the complexity of the special key generation algorithm and this key size are independent of the number of ciphertexts. We give security models for our primitive against chosen plaintext attack and analyze its security in the random oracle model.

This research was conducted with the support of the “Digital Trust” Chair from the University of Auvergne Foundation.

You have full access to this open access chapter, Download conference paper PDF

How Secure is Deterministic Encryption?

CCA Secure A Posteriori Openable Encryption in the Standard Model

Public Key Encryption with Authorized Keyword Search

Keywords

1 Introduction

Since the emergence of the Internet, email communication is accessible to anyone. Email privacy is an important computer security topic. Without public key encryption schemes, plaintext messages are sent and stored by the mail server without any protection. Fortunately, there exist many straightforward to use softwares that allow everyone to encrypt and sign emails using public key cryptography, such as the well known GnuPG^{Footnote 1} tool. Unfortunately, these softwares are rarely used [27], consequently encrypted emails may be considered as a suspect behavior. Hence as P. Zimmermann, the designer of PGP, said:“If privacy is outlawed, only outlaws will have privacy”. We hope that in a near future everybody can privately exchange emails. Then our motivation is based on the following scenario, where Alice is implied in a court case. To find some clues, the judge needs to read emails that Alice has sent during a specified time period. The judge uses his power to obtain from Alice’s email server all emails sent by Alice (including dates of dispatch and receiver identities). If the messages are not encrypted then the judge can read emails without relation to the investigation, which is a privacy violation. On the other hand, if messages are encrypted with the receiver public key then the judge can suspect Alice to hide crucial information for the investigation. Moreover, without the receivers’ private keys, Alice has no solution to prove her innocence and cannot reveal his correspondence to the judge.

To solve this problem, Alice needs a mechanism to give to the judge a possibility to open all messages sent during a specified time period. Using our solution Alice can construct such a special key called an interval-key. With this key, the judge can only read the encrypted messages sent during this specific interval of time, because this key does not allow him to open other encrypted messages stored on the email server. Nowadays, to the best of our knowledge, there is no efficient cryptographic solution that offers such functionality to the users. The goal of this paper is to propose a practical and efficient solution to this problem.

In many public key cryptosystems, when a ciphertext is generated, it is possible to create a special key that allows a person to decrypt it, without knowing the corresponding secret key. For example, in ElGamal [13], $C =(C_1,C_2) = (g^r,g^{x\cdot r}\cdot m)$ is the ciphertext of the message m with the public key $g^x$ and a random element r (for g a generator of G a group of prime order). Knowing the random element r, the public key of Bob $g^x$ and the ciphertext C a third party can compute $C_2/(g^x)^r = m$ to recover the plaintext. Using this property it is possible to construct a naïve solution by giving n random elements to a third party to decrypt n ciphertexts. However, this method presents an inherent limitation when the number n is large and the user has to store all the random elements used to encrypt all the messages during an interval of time. The aim of this paper is to allow a user to construct an interval-key to decrypt several consecutive messages in a time interval where the size of the key, the stored information and the key generation complexity are constant and do not increase with the number of ciphertexts.

Contributions: We first present the notion of Random Coin Decryptable Public Key Encryption (RCD-PKE). The idea of RCD-PKE is that one can open a ciphertext with the secret key and also use the random coin used during the encryption to open a cipher. We show that several existing schemes in the literature satisfy this notion, e.g. [1, 10, 14]. We use the RCD-PKE property to construct a scheme that allows a user to generate an interval-key for a judge to open all the messages he sent during a period of time. This scheme, called A Posteriori Openable Public Key Encryption (APO-PKE), allows the judge to open all messages sent between two given dates. The number of ciphertexts is potentially infinite but the judge decryption capability is limited to the a posteriori chosen interval. It contains, like a standard public key encryption, a key generation function, an encryption function and a decryption function. It also has an extraction function that, given two ciphertexts and a secret value, generates an interval-key for the judge. Using this interval-key he can then open all messages encrypted by different public keys between the two ciphertexts for which the key has been created. Our scheme is generic since it only relies on any IND-CPA secure RCD-PKE and hash functions.

Performances: Our scheme has reasonable encryption and decryption execution time overhead comparing to the PKE we use, because the size of ciphertexts generated by our scheme is approximately the double of the size of the PKE encryption. Moreover the generation of the interval-key, its size and the stored information are also independent of the number of messages contained in the interval of time. Finally, there is no restriction neither about the total number of generated ciphertexts nor about the number of ciphertexts in a time interval.

Security: We provide the security models to prove the security of our schemes in the Random Oracle Model (ROM). We prove that the judge colluding with some users cannot learn more than the messages for which he received the interval-key. We also show that several users cannot collude in order to learn information about plaintexts contained in an interval of ciphertexts with the judge interval-key. We also demonstrate that the judge gets the same plaintext as the one received by the owners of the secret keys. This means that it is not possible to forge fake messages that the judge can open and not the owners of the secret keys, and vice-versa.

Our construction allows us to use the extraction algorithm only once per judge (or per set of encrypted mails). Our security model captures this situation. It is not going against our motivation as long as we consider that two judges having an interval key in two different court cases (for the same set of mails) do not collude. To avoid this drawback, we need to reinitialize the secret values stored by a user after the generation of an interval-key, in order to be able to produce new interval-key on the next encrypted data. We leave the construction of an APO-PKE with constant interval key generation complexity and constant interval key size allowing several interval key generations for the same judge and the same set of encrypted mails as an open problem.

Related Work: Functional encryption [26] is a public-key encryption primitive that allows a user to evaluate a function on the plaintext message using a key and a ciphertext. This cryptographic primitive was formalized in [5]. It generalizes many well know cryptographic primitives such identity based encryption [4] or attribute based encryption [26]. Moreover, some schemes that evaluate an arbitrary function have been proposed in [17, 18]. A posteriori openable encryption can be seen as a functional encryption, where all ciphertexts (resp. plaintexts) that are encrypted by one user correspond to a unique large ciphertext (resp. plaintext). Then the interval-keys allow a user to find only some parts of the corresponding plaintext. Our proposal scheme is an efficient solution for this kind of functional encryption.

Deniable encryption [7, 22] is an encryption system that allows to encrypt two messages (original and hidden messages) in the same ciphertext. Using his secret key, the receiver can retrieve the original message. Using another shared secret key, the receiver can also decrypt the hidden message. It is not possible for the sender to prove that his encryption does not contain an hidden encrypted message. In our a posteriori openable encryption, the judge is only convinced that the plaintext that he decrypts is the same message that the plaintext decrypted by the secret key of the receiver. This notion differs from undeniability since the judge is convinced that a message he decrypts using interval key has actually been sent and received, but does not deal with message from another channel that the given encryption system (including different way to encrypt or decrypt a message in the same ciphertext).

Some cryptographic primitives deal with time in decryption mechanism or rights delegation. Timed-Release Encryption (TRE), first proposed in [24], is a public key encryption where encrypted messages cannot be opened before a release-time chosen by the person who encrypted the messages. In this primitive, it is generally a time server that allows the receiver to decrypt the message in the future at a given date. Several TRE with diverse security properties have been proposed [3, 8, 9]. More recently, an extension of TRE, called Time-Specific Encryption (TSE), has been proposed in [25] and deals with time intervals. Somehow these primitive are close to our because APO-PKE allows somebody to give decryption capabilities in the future, after that encrypted messages has been sent. However, TRE and TSE cannot be used to achieve APO-PKE, because TRE ciphertext are intended to only one user and decryption capabilities cannot be delegated to another party. Moreover, in TRE, time of decryption capability must be chosen during the encryption phase, while in our primitive it can be chosen at any time (a posteriori).

It is interesting to note that some TRE possess a pre-open mechanism [21] that allows the sender to give decryption capabilities before the pre-specified release-time. In this case, a security requirement (called binding property) ensures that the decrypted message from the pre-open mechanism is the message decrypted by the receiver after the release-time [11]. For our primitive, we define a similar property, called integrity, since we require that decrypted messages using an interval key must be equal to the messages decrypted by the legitimate receivers.

Finally, Key-Insulated Encryption (KIE) [12, 20, 23] is a public key encryption primitive where messages are encrypted from a tag corresponding to a time period and a public key. At each time period corresponds a partial secret key computed from a master key and the previous partial secret key. Moreover, the public key is never changed. The motivation of this primitive is to provide secret keys that can be stored in an untrusted device without compromising the master key. Indeed, the leakage of a secret key compromises only messages received in a specified time interval, and future encryptions remain secure. In the motivation of [12], the authors give another interesting use of this primitive based on [16]. They provide a secure delegation of decryption rights in a time period. However, this type of delegation allows them to delegate decryption rights only on pre-defined time period. For example, if the time period corresponds to one month then right delegation cannot be restricted to the last week of a month and the first week of the following month without revealing all messages of these two months. Moreover, delegator must give a different secret key to each time period, so the decryption keys are proportional to the number of time periods contained in the interval. Our goal is to propose decryption delegation capabilities to the sender, while KIE only focuses on receiver decryption right delegation. Thus this primitive cannot solve our problem.

Outline: In the next section, we introduce some cryptographic tools and define the notion of RCD-PKE. In Sect. 3, we present a generic A Posteriori Openable Public Key Encryption. Then in Sect. 4, we provide security models and analyze the security of our scheme before concluding in the last section. All the proofs of our security results are given in the full version of this paper [6].

2 Random Coin Decryptable Public Key Encryption

We first recall the definition of probabilistic public key encryption.

Definition 1

(Probabilistic Public Key Encryption ( PKE )). A probabilistic PKE is a triplet of polynomial time algorithms $(\textsf {Gen},\textsf {Enc},\textsf {Dec})$ such that $\textsf {Gen}(1^k)$ returns a public/private key pair $(\textsf {pk},\textsf {sk}) $, $\textsf {Enc}_{\textsf {pk}}(m;\sigma )$ returns a ciphertext c from the public key $\textsf {pk}$, the message m and the random coin $\sigma $, and $\textsf {Dec}_{\textsf {sk}}(c)$ returns a plaintext m or a bottom symbol $\perp $ from a secret key $\textsf {sk}$ and a ciphertext c. Moreover the following equation holds: $\textsf {Dec}_{\textsf {sk}}(\textsf {Enc}_{\textsf {pk}}(m;\sigma ))=m$.

A PKE scheme $\varPi $ is said indistinguishable under chosen-plaintext attack ($\textsf {IND}\text {-}\textsf {CPA}$) [19] if for any polynomial time adversary $\mathcal {A}$, the difference between $\frac{1}{2}$ and the probability that $\mathcal {A}$ wins the $\textsf {IND}\text {-}\textsf {CPA}$ experiment described in Fig. 1 is negligible.

We introduce the notion of Random Coin Decryptable $\mathsf{PKE}$ (RCD-PKE). A public key encryption scheme is said RCD-PKE, if there exists a second way to decrypt the ciphertext with the random coin used to construct the ciphertext. This primitive is a kind of PKE with double decryption mechanism (DD-PKE) which is defined in [15]. Actually RCD-PKE is a DD-PKE where the second secret key is the random coin and is used once.

Definition 2

(Random Coin Decryptable PKE ( RCD - PKE )). A probabilistic PKE is Random Coin Decryptable if there exists a polynomial time algorithm $\textsf {CDec}$ such that for any public key $\textsf {pk}$, any message m, and any coin $\sigma $, the following equation holds: $\textsf {CDec}_{\sigma }(\textsf {Enc}_{\textsf {pk}}(m;\sigma ),\textsf {pk})=m$.

For instance, ElGamal encryption scheme is RCD-PKE. It is possible, from a ciphertext $c = \textsf {Enc}_{\textsf {pk}}(m;\sigma ) = (c_0,c_1) = (g^\sigma ,\textsf {pk}^\sigma \cdot m)$ to use the algorithm $\textsf {CDec}_{\sigma }(c,\textsf {pk})$ that computes $c_1/\textsf {pk}^\sigma $ to retrieve the plaintext message m. Many probabilistic encryption schemes in the literature are RCD-PKE, e.g. [1, 10, 14]. Algorithms $\textsf {CDec}$ of these two cryptosystems $\textsf {PKE}$ are given in the full version of this paper [6]. We also introduce the concepts of valid key pair and of verifiable key PKE .

Definition 3

(Verifiable Key PKE ( VK - PKE )). We say that a key pair $(\textsf {pk},\textsf {sk})$ is valid for $\textsf {PKE}=(\textsf {Gen},\textsf {Enc},\textsf {Dec})$ when for any message m and any random coin $\sigma $ the equation $\textsf {Dec}_{\textsf {sk}}(\textsf {Enc}_{\textsf {pk}}(m;\sigma ))=m$ holds. We say that a probabilistic $\textsf {PKE}$ is verifiable-key (VK) when there exists an algorithm $\textsf {Ver}$ such that $\textsf {Ver}(\textsf {pk},\textsf {sk})=1$ if and only if $(\textsf {pk},\textsf {sk})$ is valid for PKE.

In many probabilistic public key cryptosystems, the public key is generated from the secret key by a deterministic algorithm. For example, the ElGamal public key is the value $g^x$ computed from the secret key x. In this case, it suffices to check that $g^\textsf {sk}=\textsf {pk}$ in order to be convinced that a key pair $(\textsf {pk},\textsf {sk})$ is valid. It is easy to see that [1, 10] are also VK-PKE.

3 A Posteriori Openable Public Key Encryption

An APO-PKE is a public key encryption scheme, where Alice can use receiver public keys to send them encrypted messages that can be opened thanks to the corresponding secret keys. The goal of an APO-PKE is to allow Alice to keep enough information to be able to construct a key to a posteriori open a sequence of messages that she had encrypted during an interval of time. We do not consider real time but a sequence of n successive ciphertexts $\{C_x\}_{1 \le x \le n} $ that have been encrypted by Alice with possibly different public keys. Then with an APO-PKE, it is possible for Alice to extract a key for a judge that opens all ciphertexts between the message $C_i$ and the message $C_j$ where $1\le i<j \le n$. We call this key an interval-key denoted by $K^\textsf {pko}_{i\rightarrow j}$ where $\textsf {pko}$ is the public key of the opener (here the judge). Moreover before encrypting her first message with a public key, Alice needs to initialize a secret global state denoted $\textsf {st}$. The goal of $\textsf {st}$ is to keep all required information to generate an interval-key and to encrypt a new message. Naturally each time Alice encrypts a message with a public key, $\textsf {st}$ is updated (but has a constant size). Finally an APO-PKE, formally described in Definition 4, contains an algorithm that opens all ciphertexts in a given interval of time thanks to the interval-key forged by Alice.

Note that all key pairs come from the same algorithm $\textsf {APOgen}$. However, for the sake of clarity, we denote by $\textsf {pko}$ and $\textsf {sko}$ (for opener public key and opener secret key) the keys of an interval-key recipient, e.g. a judge that can open some messages, denoted by O (for opener) in the rest of the paper.

Definition 4

(A Posteriori Openable Public Key Encryption ( APO - PKE )). An APO-PKE is defined by:

$\textsf {APOgen}(1^k)$: This algorithm generates a key pair for a user. It returns a public/private key pair $(\textsf {pk},\textsf {sk})$.
$\textsf {APOini}(1^k)$: This algorithm initializes a global state $\textsf {st}$ and returns it.
$\textsf {APOenc}_{\textsf {pk}}^{\textsf {st}}(m)$: This algorithm encrypts a plain-text m using a public key $\textsf {pk}$ and a global state $\textsf {st}$. It returns a ciphertext C and $\textsf {st}$ updated.
$\textsf {APOdec}_{\textsf {sk}}(C)$: This algorithm decrypts a ciphertext C using the secret key $\textsf {sk}$. It returns a plaintext m or $\perp $ in case of error.
$\textsf {APOext}_{\textsf {pko}}^{\textsf {st}}(C_i,C_j)$: This algorithm generates an interval-key $K^\textsf {pko}_{i\rightarrow j}$ that allows the owner O of the public key $\textsf {pko}$ to decrypt all messages $\{C_x\}_{i \le x \le j}$ using algorithm $\textsf {APOpen}$.
$\textsf {APOpen}_{\textsf {sko}}(K_{i \rightarrow j} ^{\textsf {pko}}, \{C_x\}_{i \le x \le j} ,\{\textsf {pk}_x\}_{i \le x \le j})$: Inputs of this algorithm contain a ciphertext set $\{C_x\}_{i \le x \le j}$ and all the associated public keys $\{\textsf {pk}_x\}_{i \le x \le j} $. This algorithm allows a user to decrypt all encrypted messages sent during an interval using his secret key $\textsf {sk}$ and the corresponding interval-key $K_{i \rightarrow j} ^{\textsf {pko}}$. It returns a set of plaintexts $\{m_x\}_{i \le x \le j}$ or $\perp $ in case of error.

In Scheme 1, we give a generic construction of APO-PKE based on an IND-CPA secure RCD-PKE and three hash functions.

Scheme 1

(Generic APO-PKE ( G-APO )). Let k be a security parameter, $\mathcal {E}=(\textsf {Gen},\textsf {Enc},\textsf {Dec})$ be a RCD and VK PKE scheme, $\mathcal {R}$ be the set of possible random coins of $\mathcal {E}$ and $\mathsf {F}:\{0,1\}^* \rightarrow \{0,1\}^k$, $\mathsf {G}:\{0,1\}^* \rightarrow \mathcal {R}$ and $\mathsf {H}:\{0,1\}^* \rightarrow \{0,1\}^{2k}$ be three universal hash functions. Our generic $\textsf {APO}\text {-}\textsf {PKE}$ is defined by the following six algorithms where $\oplus $ denotes the exclusive-or, |x| denotes the bit size of message x and y||z the concatenation of y with z:

$\textsf {APOgen}(1^k)$: This algorithm generates $(\textsf {pk},\textsf {sk})$ with $\textsf {Gen}$ and returns it.
$\textsf {APOini}(1^k)$: This algorithm picks three random values $\widehat{\sigma }\mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^k$, $\widetilde{\sigma }\mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^k$ and $K\mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^k$ of the same size, and returns the state $\textsf {st}= (K || \widehat{\sigma }|| \widetilde{\sigma })$.
$\textsf {APOenc}_{\textsf {pk}}^{\textsf {st}}(m)$: We note that $\textsf {st}=(K || \widehat{\sigma }_N || \widetilde{\sigma }_N)$. This algorithm picks a random $\widehat{m}$ such that $|\widehat{m}|=|m|$ and computes $\widetilde{m}=\widehat{m}\oplus m$. Let $\widehat{\sigma }\mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^k$ and $\widetilde{\sigma }\mathop {\leftarrow }\limits ^{{}_\$}\{0,1\}^k$ be two random values of size $|\widehat{\sigma }_N|$. This algorithm computes $\widehat{C}=\textsf {Enc}_{\textsf {pk}}(\widehat{m}||(\widehat{\sigma }\oplus \mathsf {F}(\widehat{\sigma }_N));\mathsf {G}(\widehat{\sigma }_N))$ and $\widetilde{C}=\textsf {Enc}_{\textsf {pk}}(\widetilde{m}||(\widetilde{\sigma }_N \oplus \mathsf {F}(\widetilde{\sigma }) );\mathsf {G}(\widetilde{\sigma }))$. It also computes $D=(\widehat{\sigma }_N||\widetilde{\sigma }) \oplus \mathsf {H}(K||\widehat{C}||\widetilde{C})$. Finally it updates the state $\textsf {st}$ with $(K || \widehat{\sigma }|| \widetilde{\sigma })$ and returns $C=(\widehat{C}|| \widetilde{C}|| D)$.
$\textsf {APOdec}_{\textsf {sk}}(C)$ : The decryption algorithm computes the decryption of $\widehat{m}||\widehat{\sigma }=\textsf {Dec}_{\textsf {sk}}(\widehat{C})$ and the decryption of $\widetilde{m}||\widetilde{\sigma }=\textsf {Dec}_{\textsf {sk}}(\widetilde{C})$, where $C=(\widehat{C}|| \widetilde{C}|| D)$. It returns $m=\widehat{m}\oplus \widetilde{m}$.
$\textsf {APOext}_{\textsf {pko}}^{\textsf {st}}(C_i,C_j)$ : Using the state $\textsf {st}=(K || \widehat{\sigma }_N || \widetilde{\sigma }_N)$, $C_i=(\widehat{C}_i || \widetilde{C}_i || D_i)$ and $C_j=(\widehat{C}_j || \widetilde{C}_j || D_j)$, this algorithm computes $\widehat{\sigma }_{i-1}||\widetilde{\sigma }_i = D_i \oplus \mathsf {H}(K || \widehat{C}_i || \widetilde{C}_i)$ and $\widehat{\sigma }_{j-1}||\widetilde{\sigma }_j = D_j \oplus \mathsf {H}(K || \widehat{C}_j || \widetilde{C}_j)$. It picks $r\mathop {\leftarrow }\limits ^{{}_\$}\mathcal {R}$ and returns $K_{i \rightarrow j} ^{\textsf {pko}}=\textsf {Enc}_{\textsf {pko}}((\widehat{\sigma }_{i-1}||\widetilde{\sigma }_j);r)$.
$\textsf {APOpen}_{\textsf {sko}}(K_{i \rightarrow j} ^{\textsf {pko}}, \{(\widehat{C}_x||\widetilde{C}_x||D_x)\}_{i \le x \le j} ,\{\textsf {pk}_x\}_{i \le x \le j})$ : This algorithm begins to recovering values $ \widehat{\sigma }_{i-1}||\widetilde{\sigma }_{j}=\textsf {Dec}_{\textsf {sko}}( K_{i \rightarrow j} ^{\textsf {pko}} )$.
- For all x in $\{i,i+1,\ldots ,j\}$, it computes $\widehat{R}=\mathsf {G}(\widehat{\sigma }_{x-1})$ and opens $\widehat{C}_x$ as follows $\widehat{m}_x||\widehat{\sigma }_x^*=\textsf {CDec}_{\widehat{R}}(\widehat{C}_x,\textsf {pk}_x)$. It computes the next $\widehat{\sigma }_x=\widehat{\sigma }^*_x \oplus \mathsf {F}(\widehat{\sigma }_{x-1})$. If $\textsf {Enc}_{\textsf {pk}_x}((\widehat{m}_x||\widehat{\sigma }^*_x);\mathsf {G}(\widehat{\sigma }_{x-1}))$ $ \not = \widehat{C}_x$ then it returns $\perp $.
- For all x in $\{j,j-1,\ldots ,i\}$, it computes $\widetilde{R}=\mathsf {G}(\widetilde{\sigma }_{x})$ and opens $\widetilde{C}_x$ as follows $\widetilde{m}_x||\widetilde{\sigma }_{x-1}^*=\textsf {CDec}_{\widetilde{R}}(\widetilde{C}_x,\textsf {pk}_x)$. It computes the previous $\widetilde{\sigma }_{x-1}=\widetilde{\sigma }^*_{x-1} \oplus \mathsf {F}(\widetilde{\sigma }_{x})$. If $\textsf {Enc}_{\textsf {pk}_x}((\widetilde{m}_x||\widetilde{\sigma }^*_{x-1});\mathsf {G}(\widetilde{\sigma }_{x}))$ $\not = \widetilde{C}_x$ then it returns $\perp $.
Finally, it returns $\{\widehat{m}_x \oplus \widetilde{m}_x\}_{i\le x \le j}$.

The encryption algorithm $\textsf {APOenc}$ separates the plaintext m in two parts using xor operation such that $m=\widehat{m} \oplus \widetilde{m}$. We generate two random coins $\widehat{\sigma }$ and $ \widetilde{\sigma }$. Using the two previous coins $\widehat{\sigma }_N$ and $\widetilde{\sigma }_N$ in the state $\textsf {st}$, we encrypt into two different ciphertexts $\widehat{C}$ and $ \widetilde{C}$ the following two messages $\widehat{m}||(\widehat{\sigma } \oplus \mathsf {F}(\widehat{\sigma }_N))$ and $\widetilde{m}||(\widetilde{\sigma }_N \oplus \mathsf {F}(\widetilde{\sigma }))$. Finally we hide the usefull random elements with $\mathsf {H}(K|| \widehat{C}|| \widetilde{C})$.

Knowing the secret key it is possible to recover $\widehat{m}$ and $\widetilde{m}$ and then to obtain the plaintext m thanks to the algorithm $\textsf {APOdec}$.

An interval-key for the owner O of a public key $\textsf {pko}$ is constructed using the algorithm $\textsf {APOext}$. It is simply the encryption with $\textsf {pko}$ of $\widehat{\sigma }_N$ and $\widetilde{\sigma }$. At each encryption, the values $\widehat{\sigma }_{i-1}$ and $\widetilde{\sigma }_i$ are masked by a “one time pad" with the digest $\mathsf {H}(K||\widehat{C}_i||\widetilde{C}_i)$ in $D_i$. Then with the ciphertexts $C_i$, $C_j$ and the secret value K we can construct an interval-key that contains these values $\widehat{\sigma }_{i-1}$ and $\widetilde{\sigma }_j$.

Using an interval-key ${K_{i \rightarrow j} ^{\textsf {pko}}}$ it is possible to open all ciphertexts encrypted during an interval of time with the algorithm $\textsf {APOpen}$: thanks to the $\textsf {RCD}$ property, someone who knows values $\widehat{\sigma }_N$ and $\widetilde{\sigma }$ for one ciphertext can open each part $\widehat{C}$ and $\widetilde{C}$ of it in order to recover $\widehat{\sigma }$ and $\widetilde{\sigma }_N$, and $\widehat{m}$ and $\widetilde{m}$, hence m. We also notice that with $\widehat{\sigma }_{i}$ it is possible to decrypt all ciphertexts in $\{\widehat{C}_x \}_{(i+1) \le x \le N}$. In the other hand, with $\widetilde{\sigma }_j$ it is possible to decrypt all ciphertexts in $\{\widetilde{C}_x \}_{1 \le x \le j}$. Then it is possible to recover all messages between $C_i$ and $C_j$. Thus, it is possible to decrypt all messages between $C_i$ and $C_j$ with the knowledge of $\widehat{\sigma }_{i-1}$ and $\widetilde{\sigma }_j$.

If the interval always contains the first message, we give a more efficient algorithm. The idea is to only keep one part of the ciphertext, by consequence we do not need to split into two the message m. Hence the size of the ciphertext is smaller. Similarly if the algorithm always ends with the last encrypted message, we can also drop one half of the ciphertext and the tag value following the same idea. These simpler schemes are given in the full version of this paper [6].

4 Model and Security

We present the security properties of an $\textsf {APO}\text {-}\textsf {PKE}$ scheme and we analyze the security of our $\textsf {G}\text {-}\textsf {APO}$ scheme. The first security property corresponds to a chosen-plaintext attack scenario where the adversary has access to interval-keys on intervals that do not contain the challenge. We next introduce the notion of indistinguishability under chosen sequence of plaintext attack security (IND-CSPA) that corresponds to a chosen-plaintext attack scenario where the challenge is an interval of ciphertexts and the corresponding interval-key generated for a given judge public key. The last property is integrity, and captures the integrity of messages decrypted by $\textsf {APOpen}$ algorithm. All security proofs are detailed in [6].

4.1 IND-CPA security

It concerns the resistance of an $\textsf {APO}\text {-}\textsf {PKE}{}$ against a collusion of adversaries that have access to interval-keys in a chosen-plaintext attack scenario. For example, if we consider a judge who receives an interval-key to open a sequence of ciphertexts and who colludes with ciphertext recipients; then it ensures that they cannot deduce any information about messages that are not in the sequence. Indeed, he cannot request an interval-key for an interval containing the challenge. We define the $\textsf {OT}\text {-}\textsf {IND}\text {-}\textsf {CPA}$ security when only one interval-key can be asked during the experiment. Our scheme is proved secure in this model.

Definition 5

( OT - IND - CPA Experiment). Let $\varPi $ be an $\textsf {APO}\text {-}\textsf {PKE}$, let k be a security parameter, and let $\mathcal {A}=(\mathcal {A}_0,\mathcal {A}_1)$ be a pair of polynomial time algorithms. We define the one-time indistinguishability under interval opener chosen-plaintext attack (OT-IND-CPA) experiment as follows:

The adversaries $\mathcal {A}_0$ and $\mathcal {A}_1$ have access to the following oracles:

$\mathcal {O}^{{\mathbf {\mathsf{{CPA}}}}}_{\mathbf {\mathsf{{enc}}}}$ : On the first call to this oracle, it initializes the following values $l=1$ and $n=1$. This oracle takes as input a public key $\textsf {pk}$ and a message m. It returns $C_l=\textsf {APOenc}_{\textsf {pk}}^{\textsf {st}_*}(m)$. It increments the counter l. Only in the first phase, it increments the value n that counts the number of calls to the encryption oracle before the generation of the challenge.
$\mathcal {O}^{{\mathbf {\mathsf{{CPA}}}}}_{\mathbf {\mathsf{{ext}}}}$ : The adversary can ask this oracle only one time during the experiment. This oracle takes a public key $\textsf {pko}$ and two ciphertexts $C'_a$ and $C'_b$. In the second phase, if there exists $C_i=C'_a$ and $C_j=C'_b$ such that $i\le n \le j$ then the oracle rejects the query. Else, if $C'_a=C_{n}$ or $C'_b=C_{n}$, it rejects the query. Else it returns $\textsf {APOext}_{\textsf {pko}}^{\textsf {st}_*}(C'_a,C'_b)$.

We also define the IND-CPA experiment as the same as the $\textsf {OT}\text {-}\textsf {IND}\text {-}\textsf {CPA}$ experiment except that the adversary can ask the oracle $\textsf {APOext}$ several times.

Definition 6

( OT - IND - CPA Advantage). The advantage of the adversary $\mathcal {A}$ against $\textsf {OT}\text {-}\textsf {IND}\text {-}\textsf {CPA}$ is defined by:

$${\mathsf {Adv}}^{\textsf {OT}\text {-}\textsf {IND}\text {-}\textsf {CPA}}_{\varPi ,\mathcal {A}}(k) = |\textsf {Pr}[\textsf {Exp}^{\textsf {OT}\text {-}\textsf {IND}\text {-}\textsf {CPA}}_{\varPi ,\mathcal {A}}(k)=1]-\frac{1}{2}|$$

We define the advantage on OT-IND-CPA experiment by:

$${\mathsf {Adv}}^{\textsf {OT}\text {-}\textsf {IND}\text {-}\textsf {CPA}}_{\varPi }(k) = \max \{{\mathsf {Adv}}^{\textsf {OT}\text {-}\textsf {IND}\text {-}\textsf {CPA}}_{\varPi ,\mathcal {A}}(k)\}$$

for all ${\mathcal {A}\in \textsc {poly}(k)}$. The advantages on IND-CPA experiment are similar to those of $\textsf {OT}\text {-}\textsf {IND}\text {-}\textsf {CPA}$. We say that a $\textsf {APO}\text {-}\textsf {PKE}$ scheme $\varPi $ is $\textsf {OT}\text {-}\textsf {IND}\text {-}\textsf {CPA}$ (resp. $\textsf {IND}\text {-}\textsf {CPA}$) secure when ${\mathsf {Adv}}^{\textsf {OT}\text {-}\textsf {IND}\text {-}\textsf {CPA}}_{\varPi }(k)$ (resp. ${\mathsf {Adv}}^{\textsf {IND}\text {-}\textsf {CPA}}_{\varPi }(k)$) is negligible.

Our construction is not $\textsf {IND}\text {-}\textsf {CPA}$ since if a judge has two interval-keys for two different intervals of time given by the same user and computed with the same secret value then he can open all messages between the two extreme dates.

Theorem 1

Let E be an IND-CPA secure RCD-PKE, then G-APO based on E is $\textsf {OT}\text {-}\textsf {IND}\text {-}\textsf {CPA}$ secure in the random oracle model.

Proof idea: To prove the OT-IND-CPA security, we show first that no polynomial adversary wins the experiment with non negligible probability using the oracle $\mathcal {O}^{\textsf {CSPA}}_\textsf {ext}$ in an interval of previous ciphertexts of the challenge. The interval-key allows to open the part $\widehat{C}_{*}$ of the challenge $C_{*}$, but since the $\textsf {PKE}$ is $\textsf {IND}\text {-}\textsf {CPA}$ then the interval-key gives no information about the part of the challenge encrypted in the part $\widetilde{C}_{*}$. Similarly, we then prove that no adversary can win using the oracle in an interval of next ciphertexts of the challenge. Finally, using this two results, we show that our scheme is OT-IND-CPA in any case. $\square $

4.2 IND-CSPA security

A sequence of ciphertexts coupled with an interval-key can be seen as an unique ciphertext that encrypts a sequence of plaintexts because the open algorithm allows a judge to decrypt all the messages of the sequence with the knowledge of any secret key. Thus, we define a security model where the adversary must distinguish the sequence of plaintexts used to produce a challenge sequence of ciphertexts associated to an interval-key. The IND-CSPA security captures this security property. In this model, the adversary is a collusion of users that must distinguish the sequence of plaintexts used to produce a sequence of ciphertexts given the corresponding interval-key generated for the judge.

Definition 7

( IND-CSPA $_\phi $ Experiment). Let $\varPi $ be an $\textsf {APO}\text {-}\textsf {PKE}$, let k be a security parameter, and let $\mathcal {A}=(\mathcal {A}_0,\mathcal {A}_1)$ be a pair of polynomial time algorithms. We define the indistinguishability under chosen sequence of plaintext attack ($\textsf {IND}\text {-}\textsf {CSPA}_\phi $) experiment as follows, where n denotes the number of calls to the encryption oracle during the first phase and $\phi $ denotes the number of calls to the generation oracle:

The adversaries $\mathcal {A}_0$ and $\mathcal {A}_1$ have access to the following oracles:

$\mathcal {O}^{{\mathbf {\mathsf{{CSPA}}}}}_{\mathbf {\mathsf{{gen}}}}$ : At the first call, the oracle creates a keys’ list $\textsf {K}$ that contains $(\textsf {pko}_*,\textsf {sko}_*)$. At each call, it generates values $(\textsf {pk},\textsf {sk})$ from $\textsf {APOgen}(1^k)$ and adds it to $\textsf {K}$. Then it returns $\textsf {pk}$. This oracle can be called only $\phi $ times.
$\mathcal {O}^{{\mathbf {\mathsf{{CSPA}}}}}_{\mathbf {\mathsf{{enc}}}}$ : This oracle takes as inputs a public key $\textsf {pk}$ and a message m. Only in the first phase, it increments the value n that counts the number of calls to the encryption oracle before the generation of the challenge. In the two phases, it returns $\textsf {APOenc}_{\textsf {pk}}^{\textsf {st}_*}(m)$.
$\mathcal {O}^{{\mathbf {\mathsf{{CSPA}}}}}_{\mathbf {\mathsf{{ext}}}}$ : This oracle takes as input two ciphertexts $C_i$ and $C_j$. It returns the interval-key $K_{i\rightarrow j}^{\textsf {pko}_*}=\textsf {APOext}_{\textsf {pko}_*}^{\textsf {st}_*}(C_i,C_j)$.

In the first phase The challenger generates $(\textsf {pko}_*,\textsf {sko}_*)$ from $\textsf {APOgen}(1^k)$ and a state $\textsf {st}_*$ from $\textsf {APOini}(1^k)$. He sends the public key $\textsf {pko}_*$ to the adversary. The challenger initializes a counter n that counts number of calls to the oracle $\mathcal {O}^{\textsf {CSPA}}_\textsf {enc}$ during this phase. Finally, the adversary sends to the challenger values $(q,\{m_x^0\}_{n< x \le (n+q)}, \{m_x^1\}_{n < x \le (n+q)},$ $ \{\textsf {pk}_x\}_{n < x \le n+q},\textsf {state})$.

In second phase, the challenger computes a sequence of ciphertexts from the adversary’s output. He encrypts messages of one of the two sequences. The sequence of produced ciphertexts forms the challenge. More formally, the challenger picks two random bits b and d. Then, $\forall ~ x \in \{n+1,n+2,...,n+q\} $, if $\textsf {pk}_x$ corresponds to an honest user (i.e. $\textsf {pk}_x$ comes from oracle $\mathcal {O}^{\textsf {CSPA}}_\textsf {gen}$) then he computes $C^*_x=\textsf {APOenc}_{\textsf {pk}_x}^{\textsf {st}_*}(m_x^b)$ else if $\textsf {pk}_x$ corresponds to a dishonest user (i.e. $\textsf {pk}_x$ comes from the adversary), he computes $C^*_x=\textsf {APOenc}_{\textsf {pk}_x}^{\textsf {st}_*}(m_x^d)$. Finally, he computes $K^{\textsf {pko}_*}_{(n+1) \rightarrow (n+q)} = \textsf {APOext}_{\textsf {pko}_*}^{\textsf {st}_*}(C_{n+1},C_{n+q})$ and he sends $(\mathsf {state}, \{C^*_x\}_{n < x \le (n+q)},K^{\textsf {pko}_*}_{(n+1) \rightarrow (n+q)})$ to the adversary $\mathcal {A}_1$. During the guess phase, the adversary returns the bit $b'$. If $b'=b$ then $\mathcal {A}$ wins.

Definition 8

( IND - CSPA Advantage). We define the advantage of $\mathcal {A}$ against $\textsf {IND}\text {-}\textsf {CSPA}$ by:

$$ {\mathsf {Adv}}^{\textsf {IND}\text {-}\textsf {CSPA}_\phi }_{\varPi ,\mathcal {A}}(k) = |\textsf {Pr}[\textsf {Exp}^{\textsf {IND}\text {-}\textsf {CSPA}_\phi }_{\varPi ,\mathcal {A}}(k)=1]-\frac{1}{2}| $$

We define by:

$$ {\mathsf {Adv}}^{\textsf {IND}\text {-}\textsf {CSPA}_\phi }_{\varPi }(k) = \max \{{\mathsf {Adv}}^{\textsf {IND}\text {-}\textsf {CSPA}_\phi }_{\varPi ,\mathcal {A}}(k)\} $$

for all ${\mathcal {A}\in \textsc {poly}(k)}$ the advantage on IND-CSPA. We say that an $\textsf {APO}\text {-}\textsf {PKE}$ scheme $\varPi $ is $\textsf {IND}\text {-}\textsf {CSPA}$ secure when the advantage ${\mathsf {Adv}}^{\textsf {IND}\text {-}\textsf {CSPA}_\phi }_{\varPi }(k)$ is negligible for any polynomial $\phi $.

Theorem 2

Let E be a $\textsf {PKE}$ that is $\textsf {RCD}$, then G-APO using E is $\textsf {IND}\text {-}\textsf {CSPA}$ secure in the random oracle model.

Proof idea: In [2] authors prove that any $\textsf {IND}\text {-}\textsf {CPA}$ $\textsf {PKE}$ is still secure in multi-user setting, i.e. where the adversary can ask several challenges for several different public keys. Without interval-key oracle, the $\textsf {IND}\text {-}\textsf {CSPA}$ security of our scheme can be reduced to the $\textsf {IND}\text {-}\textsf {CPA}$ of the $\textsf {PKE}$ in multi-user setting since the challenge corresponds to ciphertexts of several messages from several public keys. Moreover, since the interval-keys from the oracle are encrypted, then the adversary must break the $\textsf {IND}\text {-}\textsf {CPA}$ security of $\textsf {PKE}$ to use it. It is possible to prove that no adversary can efficiently break the $\textsf {IND}\text {-}\textsf {CSPA}$ of our scheme using these two arguments. $\square $

4.3 Integrity

The last security property for $\textsf {APO}\text {-}\textsf {PKE}$ is the integrity. This property is similar to binding property of TRE defined in [11]. The judge must be sure that the messages he decrypts with $\textsf {APOpen}$ algorithm are the sent messages.

Definition 9

(Integrity Experiment). Let $\varPi $ a $\textsf {APO}\text {-}\textsf {PKE}$, let k be a security parameter, and let $\mathcal {A}$ a polynomial time algorithm. We define the integrity experiment as follows:

The challenger generates $(\textsf {pko}_*,\textsf {sko}_*)$ from $\textsf {APOgen}(1^k)$ and sends the public key $\textsf {pko}_*$ to the adversary. The adversary $\mathcal {A}$ sends to the challenger an integer N, an ordered set of N ciphertexts $\{C_x\}_{1 \le x \le N}$ and an ordered set of N public keys $\{\textsf {pk}_x\}_{1 \le x \le N}$. The adversary then sends two integers i and j and the corresponding interval-key $K^{\textsf {pko}_*}_{i\rightarrow j}$. He finally sends the integer l and the secret key $\textsf {sk}_l$ corresponding to $\textsf {pk}_l$. If $(\textsf {pk}_l,\textsf {sk}_l)$ is not a valid key pair then the challenger aborts and returns 0. The challenger then computes $\{m_x\}_{i \le x \le j}\leftarrow \textsf {APOpen}_{\textsf {sko}_*}(K^{\textsf {pko}_*}_{i\rightarrow j}, \{C_x\}_{i \le x \le j} ,\{\textsf {pk}_x\}_{i \le x \le j})$. If $m_l \not = \textsf {APOdec}_{\textsf {sk}_l}(C_l)$ then the challenger returns 1, else he returns 0.

Definition 10

The advantage of $\mathcal {A}$ against integrity is defined by:

$${\mathsf {Adv}}^{\textsf {Integrity}}_{\varPi ,\mathcal {A}}(k) = \textsf {Pr}[\textsf {Exp}^{\textsf {Integrity}}_{\varPi ,\mathcal {A}}(k)=1]$$

The advantage against integrity by:

$${\mathsf {Adv}}^{\textsf {Integrity}}_{\varPi }(k) = \max \{{\mathsf {Adv}}^{\textsf {Integrity}}_{\varPi ,\mathcal {A}}(k)\}$$

for all ${\mathcal {A}\in \textsc {poly}(k)}$. We say that a $\textsf {APO}\text {-}\textsf {PKE}$ scheme $\varPi $ satisfies the integrity property ${\mathsf {Adv}}^{\textsf {Integrity}}_{\varPi }(k)$ is negligible.

Theorem 3

Let E be a $\textsf {RCD}$ and VK $\textsf {PKE}$ that is $\textsf {IND}\text {-}\textsf {CPA}$ secure, then G-APO using this $\textsf {PKE}$ satisfies the integrity property.

Proof idea: Since the judge has all the random coins and all the public keys used to encrypt all the opened messages, he can use them to re-encrypt these messages. Thus, if the ciphertexts that he opens correspond to the ciphertexts that he encrypts by himself, then he can conclude that the opened messages are the same as the messages decrypted by the recipient secret keys. $\square $

5 Conclusion

We introduce the notion of RCD-PKE. Based on this notion, we propose an a posteriori openable PKE (APO-PKE) scheme. Our scheme allows a user to prove his innocence by showing to a judge the content of his encrypted communication with several PKE during a period of time. Our construction preserves the privacy of the others communications, meaning that the judge cannot learn any information concerning the other encrypted messages. Moreover the receivers of the encrypted messages cannot collude in order to learn more information that is contained in the received messages. Our construction is proven secure in the Random Oracle Model and is generic because it only requires RCD-PKE and hash functions.

In the future, we aim at proving that is not possible to have a secure construction that supports several generations of interval key with constant size interval-key and stored data (state). Another future work is to design a security model for chosen-ciphertext security of APO-PKE and to provide a generic construction that achieves this higher security. Finally, it may be interesting to design such a scheme in the standard model.

Notes

1.
https://www.gnupg.org.

References

Abdalla, M., Bellare, M., Rogaway, P.: DHIES: an encryption scheme based on the Diffie-Hellman problem. Contributions to IEEE P1363a, September 1998
Google Scholar
Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000)
Chapter Google Scholar
Blake, I.F., Chan, A.C.-F.: Scalable, server-passive, user-anonymous timed release public key encryption from bilinear pairing. In: ICDS. IEEE Computer Society Press (2005)
Google Scholar
Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 213. Springer, Heidelberg (2001)
Chapter Google Scholar
Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011)
Chapter Google Scholar
Bultel, X., Lafourcade, P.: A posteriori openable public key encryption. Technical report, University Clermont Auvergne, LIMOS (2015). http://sancy.univ-bpclermont.fr/~lafourcade/APOPKE.pdf
Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 90–104. Springer, Heidelberg (1997)
Chapter Google Scholar
Cathalo, J., Libert, B., Quisquater, J.-J.: Efficient and non-interactive timed-release encryption. In: Qing, S., Mao, W., López, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 291–303. Springer, Heidelberg (2005)
Chapter Google Scholar
Cheon, J.H., Hopper, N.J., Kim, Y.-D., Osipkov, I.: Timed-release and key-insulated public key encryption. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 191–205. Springer, Heidelberg (2006)
Chapter Google Scholar
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
Article MathSciNet MATH Google Scholar
Dent, A.W., Tang, Q.: Revisiting the security model for timed-release encryption with pre-open capability. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 158–174. Springer, Heidelberg (2007)
Chapter Google Scholar
Dodis, Y., Katz, J., Xu, S., Yung, M.: Key-insulated public key cryptosystems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 65–82. Springer, Heidelberg (2002)
Chapter Google Scholar
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31, 469–472 (1985)
Article MathSciNet MATH Google Scholar
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. J. Cryptol. 26(1), 80–101 (2013)
Article MathSciNet MATH Google Scholar
Galindoa, D., Herranz, J.: On the security of public key cryptosystems with a double decryption mechanism. Inf. Process. Lett. 108(5), 279–283 (2008)
Article MathSciNet MATH Google Scholar
Goldreich, O., Pfitzmann, B., Rivest, R.L.: Self-delegation with controlled propagation - or - what if you lose your laptop. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 153–168. Springer, Heidelberg (1998)
Chapter Google Scholar
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013)
Chapter Google Scholar
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: 45th ACM STOC, pp. 555–564. ACM Press (2013)
Google Scholar
Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
Article MathSciNet MATH Google Scholar
Hanaoka, G., Weng, J.: Generic constructions of parallel key-insulated encryption. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 36–53. Springer, Heidelberg (2010)
Chapter Google Scholar
Hwang, Y.-H., Yum, D.H., Lee, P.J.: Timed-release encryption with pre-open capability and its application to certified e-mail system. In: Zhou, J., López, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 344–358. Springer, Heidelberg (2005)
Chapter Google Scholar
Klonowski, M., Kubiak, P., Kutyłowski, M.: Practical deniable encryption. In: Geffert, V., Karhumäki, J., Bertoni, A., Preneel, B., Návrat, P., Bieliková, M. (eds.) SOFSEM 2008. LNCS, vol. 4910, pp. 599–609. Springer, Heidelberg (2008)
Chapter Google Scholar
Libert, B., Quisquater, J.-J., Yung, M.: Parallel key-insulated public key encryption without random oracles. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 298–314. Springer, Heidelberg (2007)
Chapter Google Scholar
May, T.: Time-release crypto. Manuscript (1993)
Google Scholar
Paterson, K.G., Quaglia, E.A.: Time-specific encryption. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 1–16. Springer, Heidelberg (2010)
Chapter Google Scholar
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)
Chapter Google Scholar
Whitten, A., Tygar, J.D.: Why johnny can’t encrypt: A usability evaluation of PGP 5.0. In: Proceedings of the 8th Conference on USENIX Security Symposium - SSYM 1999, vol. 8, p. 14. USENIX Association, Berkeley (1999)
Google Scholar

Download references

Author information

Authors and Affiliations

CNRS, UMR 6158, LIMOS, 63173, Aubière, France
Xavier Bultel & Pascal Lafourcade
Université Clermont Auvergne, LIMOS, BP 10448, 63000, Clermont-Ferrand, France
Xavier Bultel & Pascal Lafourcade

Authors

Xavier Bultel
View author publications
You can also search for this author in PubMed Google Scholar
Pascal Lafourcade
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Xavier Bultel .

Editor information

Editors and Affiliations

Instit. Computing & Information Sciences, Radboud University Nijmegen, Nijmegen, Gelderland, The Netherlands
Jaap-Henk Hoepman
Security Engineering Group, Technische Universität Darmstadt, Darmstadt, Hessen, Germany
Stefan Katzenbeisser

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Bultel, X., Lafourcade, P. (2016). A Posteriori Openable Public Key Encryption. In: Hoepman, JH., Katzenbeisser, S. (eds) ICT Systems Security and Privacy Protection. SEC 2016. IFIP Advances in Information and Communication Technology, vol 471. Springer, Cham. https://doi.org/10.1007/978-3-319-33630-5_2

Download citation

DOI: https://doi.org/10.1007/978-3-319-33630-5_2
Published: 11 May 2016
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-33629-9
Online ISBN: 978-3-319-33630-5
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics