
1 Introduction

Currently, the formal way to prove the security of a cryptographic primitive is to provide a security reduction, i.e., to show that any adversary A breaking the security of a scheme with advantage \(\varepsilon _{A}\) implies an adversary B that solves the underlying hard problem with advantage \(\varepsilon _{B}\). Specifically, we call the quotient \(L=\varepsilon _{A} /\varepsilon _{B}\) the security loss of the reduction. Naturally, we want the quotient L to be small.

Tight Security Reduction. Standard security notions for public key encryption (PKE) schemes, e.g., IND-CCA security [6], only consider one user and one ciphertext. In a realistic setting, however, the adversary may know the public keys of up to \(n_{u}\) users and obtain up to \(n_{c^{*}}\) challenge ciphertexts from each user. These two parameters can be very large, e.g., \(n_{u}=n_{c^{*}}=2^{40}\). In general, L will depend on \(n_{u}\) and \(n_{c^{*}}\) [1]. To compensate for the security loss, we have to increase the strength of the underlying intractability assumption, which worsens the parameters of the encryption scheme and degrades the performance of the implementation. For example, for encryption schemes based on the Decisional Diffie-Hellman assumption over cyclic groups, we have to increase the size of the underlying groups, which in turn increases the running time of the implementation, since exponentiation in an l-bit group takes time about \(\mathcal {O}(l^{3})\) as stated in [7]. Hence, it is important to study tight security reductions, where the security loss L is a small constant that in particular does not depend on parameters under the adversary's control, such as \(n_{u}\) and \(n_{c^{*}}\). In the case of CCA security, L should also be independent of the parameter \(n_{c}\), the maximum number of queries that the adversary can make to each decryption oracle.

Tight Security in Deterministic-PKE. Deterministic public-key encryption (D-PKE) was introduced by Bellare et al. [2]; in a D-PKE scheme the encryption algorithm is deterministic.

Bellare et al. [2] defined the strongest possible security notion for D-PKE, called PRIV, over plaintext distributions with high min-entropy that are independent of the public key. The PRIV definition considers a message block containing multiple plaintexts; if the block size is one, the notion is called PRIV1. The security notions of D-PKE evolved over a series of works [3,4,5, 11]. Many D-PKE constructions have been proposed based on concrete assumptions, as depicted in Fig. 1. These constructions are all secure in the one-user, multi-ciphertext case. However, all of them have a security loss of about \(\mathcal {O}(n_{c^{*}})\).

Fig. 1. The security loss amongst the D-PKE schemes under the concrete assumptions (figure not reproduced).

Our Contributions. Tight security reductions for D-PKE do not seem to have been deliberately studied in the literature. We compare the security loss amongst the D-PKE schemes based on concrete assumptions in Fig. 1. In this paper, we formally consider the construction of tightly secure D-PKE schemes which are either PRIV-IND-CPA or PRIV-IND-CCA secure for block-sources in the standard model.

We start from [4], which introduced two D-PKE schemes based on lossy TDFs and all-but-one TDFs [10]: one is PRIV1-IND-CPA secure and the other is PRIV1-IND-CCA secure, for block-sources. First, we prove that their PRIV1-IND-CPA secure D-PKE scheme is in fact tightly PRIV-IND-CPA secure for block-sources. Our security reduction improves the security loss of this scheme from \(\mathcal {O}(n_{c^*})\) to \(\mathcal {O}(1)\). As a consequence, we obtain tightly PRIV-IND-CPA secure D-PKE schemes for block-sources by instantiating this construction with lossy TDFs based on the DDH, s-DCR and LWE assumptions.

However, the PRIV1-IND-CCA D-PKE scheme of [4] (Sect. 7.2) is not tightly PRIV-IND-CCA secure for block-sources. In that scheme, the ciphertext of a message m contains the item

$$\mathcal {F}_{abo}(ek_{abo},\mathcal {H}_{cr}(k_{cr},\mathcal {H}_{inv}(k_{inv},m)),\mathcal {H}_{inv}(k_{inv},m)),$$

where \(\mathcal {F}_{abo}\) is a collection of all-but-one TDFs, \(\mathcal {H}_{cr}\) is a family of collision-resistant hash functions, \(\mathcal {H}_{inv}\) is a collection of pairwise-independent permutations with invertibility. Let function f be

$$f=\mathcal {F}_{abo}(ek_{abo},\mathcal {H}_{cr}(k_{cr},\cdot ),\cdot )~~\mathrm {and}~~ek_{abo}\overset{R}{\leftarrow }\mathcal {K}_{abo}(\mathcal {H}_{cr}(k_{cr},\cdot )),$$

where \(\mathcal {K}_{abo}\) is the key generation algorithm of \(\mathcal {F}_{abo}\). By the generalized “Crooked” leftover hash lemma, the statistical distance between \(f(\mathcal {H}_{inv}(k_{inv},m))\) and f(h) is negligible, where \(h\overset{\$}{\leftarrow }U_{inv}\) and \(U_{inv}\) denotes the uniform distribution on the range of \(\mathcal {H}_{inv}\); since h is sampled independently of m, f(h) carries no information about the message m. To apply the generalized “Crooked” leftover hash lemma, both \(\mathcal {H}_{cr}(k_{cr},\mathcal {H}_{inv}(k_{inv},m))\) and \(\mathcal {H}_{cr}(k_{cr},h)\) must be lossy branches of the respective all-but-one TDF \(\mathcal {F}_{abo}\). As a result, the security loss of their scheme is twice the security loss of the all-but-one TDF \(\mathcal {F}_{abo}\) in the single-challenge (PRIV1) setting. A tight security reduction, however, must handle \(n_{c^{*}}>1\) challenge ciphertexts in the PRIV-IND-CCA security game for block-sources. Although PRIV1-IND-CCA and PRIV-IND-CCA are proved to be equivalent in [4], that equivalence is established by a hybrid argument over the \(n_{c^{*}}\) challenge ciphertexts, which incurs a security loss of \(2\cdot n_{c^{*}}\).

To address this problem, we upgrade the all-but-one TDF in the constructions of [4] to an all-but-n TDF [8], which has n lossy branches. When the number of lossy branches is twice the number of challenge ciphertexts, i.e., \(n=2\,\cdot \,n_{c^{*}}\) (we additionally need each \(\mathcal {H}_{cr}(k_{cr},h)\) to be a lossy branch of the all-but-n TDF), every challenge ciphertext can be evaluated on a lossy branch in the PRIV-IND-CCA security game for block-sources. Moreover, if the security loss of the all-but-n TDF is independent of n (i.e., the TDF is tightly secure), then the security loss of the D-PKE scheme is also independent of \(n_{c^{*}}\), i.e., the D-PKE scheme is tightly PRIV-IND-CCA secure for block-sources. However, because the number of lossy branches of the all-but-n TDF in the construction is bounded by n, the number of challenge ciphertexts \(n_{c^{*}}\) is bounded by \(\frac{n}{2}\). As a result, our D-PKE schemes are only tightly PRIV-IND-\(\frac{n}{2}\)-CCA secure for block-sources, where PRIV-IND-\(\frac{n}{2}\)-CCA security for block-sources is the same as PRIV-IND-CCA security for block-sources except that the number of challenge ciphertexts is bounded by \(\frac{n}{2}\).

As aforementioned, the most important part of our constructions is to find tightly secure all-but-n TDFs. Finally, we prove that the all-but-n TDF given by Hemenway et al. [8] is tightly secure with a security loss of only 2. This improves their original security reduction which has a security loss of 2n due to the use of the hybrid technique. Applying this result to our constructions, we obtain the first D-PKE scheme which is tightly PRIV-IND-\(\frac{n}{2}\)-CCA secure for block-sources based on the s-DCR assumption.

2 Preliminaries

Notations. For a random variable X, we write \(x\overset{R}{\leftarrow } X\) to denote sampling x according to X's distribution. The min-entropy of a random variable X is \(\mathrm {H}_{\infty }(X)=-\log (\mathrm {max}_{x}P_{X}(x))\). Given Y, the worst-case conditional min-entropy of X is \(\mathrm {H}_{\infty }(X|Y)=-\log (\mathrm {max}_{x,y}P_{X|Y=y}(x))\) and the average-case conditional min-entropy of X is \(\mathrm {\widetilde{H}}_{\infty }(X|Y)=-\log (\sum _{y}P_{Y}(y)\cdot \mathrm {max}_{x}P_{X|Y=y}(x))\). A random variable \(X\in \{0,1\}^{l}\) is called a (t, l)-source if \(\mathrm {H}_{\infty }(X)\ge t\). A vector \(\overrightarrow{X}\) is called a (t, l)-block-source of length n if it is a list of random variables \((X_{1},\cdots ,X_{n})\) over \(\{0,1\}^{l}\) such that \(\mathrm {H}_{\infty }(X_{i}|X_{1},\cdots ,X_{i-1})\ge t\) for all \(i\in [n]= \{1,\cdots ,n\}\). The statistical distance between two distributions X, Y over a finite or countable domain D is \(\bigtriangleup (X,Y)=\frac{1}{2}\sum _{w\in D}|P_{X}(w)-P_{Y}(w)|\). A hash function \(\mathbf {H}=\mathcal {(K,H)}\) with range \(\mathbb {R}\) is pairwise-independent if for all \(x_{1}\ne x_{2}\in \{0,1\}^{l}\) and all \(y_{1},y_{2}\in \mathbb {R}\), \(\Pr [\mathcal {H}(K,x_{1})=y_{1} \wedge \mathcal {H}(K,x_{2})=y_{2}:K\overset{R}{\leftarrow }\mathcal {K}]\le \frac{1}{|\mathbb {R}|^{2}}.\) A hash function \(\mathbf {H}=\mathcal {(K,H)}\) is collision resistant if for every probabilistic polynomial-time adversary \(\mathcal {A}\), the advantage \(Adv_{\mathbf {H}}^{\mathrm {cr}}(\mathcal {A})\) is negligible, where
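The notation above in executable form, as an added illustration that is not part of the paper: the functions compute min-entropy, the worst-case and average-case conditional min-entropies, statistical distance and the block-source condition on small constructed distributions, and check the pairwise-independence bound exhaustively for the affine hash family \(x\mapsto ax+b \bmod p\). The sample distributions, the choice of family and the modulus p are ours (the paper works over \(\{0,1\}^{l}\); a prime modulus keeps the exhaustive check small).

```python
"""Worked examples of the Preliminaries notation (added illustration, not code
from the paper).  A distribution is a dict {outcome: probability}; a joint
distribution is a dict {(x, y): probability} or {(x_1, ..., x_n): probability}."""
from fractions import Fraction
from itertools import product
from math import log2


def min_entropy(px):
    """H_inf(X) = -log2(max_x P_X(x))."""
    return -log2(max(px.values()))


def _conditionals(pxy):
    """Split a joint distribution {(x, y): prob} into P_Y and P_{X|Y=y}."""
    py = {}
    for (_, y), p in pxy.items():
        py[y] = py.get(y, 0.0) + p
    cond = {y: {} for y in py}
    for (x, y), p in pxy.items():
        cond[y][x] = cond[y].get(x, 0.0) + p / py[y]
    return py, cond


def worst_case_cond_min_entropy(pxy):
    """H_inf(X|Y) = -log2(max_{x,y} P_{X|Y=y}(x)): the worst value of Y counts."""
    _, cond = _conditionals(pxy)
    return -log2(max(max(c.values()) for c in cond.values()))


def avg_case_cond_min_entropy(pxy):
    """H~_inf(X|Y) = -log2(sum_y P_Y(y) * max_x P_{X|Y=y}(x)): averaged over Y."""
    py, cond = _conditionals(pxy)
    return -log2(sum(py[y] * max(cond[y].values()) for y in py))


def statistical_distance(px, qx):
    """Delta(X, Y) = 1/2 * sum_w |P_X(w) - P_Y(w)| over the union of supports."""
    support = set(px) | set(qx)
    return sum(abs(px.get(w, 0.0) - qx.get(w, 0.0)) for w in support) / 2


def is_block_source(joint, t):
    """(t, l)-block-source test for a joint distribution {(x_1, ..., x_n): prob}:
    H_inf(X_i | X_1, ..., X_{i-1}) >= t for every i, with the worst-case
    conditional min-entropy, i.e. the bound must hold for every prefix that
    has positive probability, not merely on average."""
    n = len(next(iter(joint)))
    for i in range(n):
        # Joint distribution of (X_i, prefix); the prefix plays the role of Y.
        pxy = {}
        for xs, p in joint.items():
            key = (xs[i], xs[:i])
            pxy[key] = pxy.get(key, 0.0) + p
        if worst_case_cond_min_entropy(pxy) < t:
            return False
    return True


def affine_family_max_pair_prob(p):
    """Exhaustively compute max over x1 != x2, y1, y2 of
    Pr_{a,b}[a*x1+b = y1 and a*x2+b = y2 (mod p)] for the affine family
    H_{(a,b)}(x) = a*x + b mod p with a, b uniform in Z_p (our choice of family).
    Each (y1, y2) is hit by exactly one key, so the result is 1/p^2 = 1/|R|^2.
    Keys with a = 0 are constant maps, so the family is not a permutation for
    every key; Definition 1 therefore asks for invertibility separately."""
    hits = {}
    for a, b in product(range(p), repeat=2):
        for x1, x2 in product(range(p), repeat=2):
            if x1 != x2:
                key = (x1, x2, (a * x1 + b) % p, (a * x2 + b) % p)
                hits[key] = hits.get(key, 0) + 1
    return Fraction(max(hits.values()), p * p)


# Constructed sample distributions (not from the paper).
UNIFORM4 = {x: 0.25 for x in range(4)}           # H_inf = 2 bits
BIASED2 = {0: 0.5, 1: 0.5}                        # uniform on two of the four values
# Y = 0 (prob 1/2) leaves X uniform on four values; Y = 1 (prob 1/2) fixes X = 0.
LEAKY_JOINT = {(0, 0): 0.125, (1, 0): 0.125, (2, 0): 0.125, (3, 0): 0.125, (0, 1): 0.5}
# Two-component sources over {0,1}: two independent uniform bits vs. a copied bit.
INDEPENDENT_BITS = {(x1, x2): 0.25 for x1 in (0, 1) for x2 in (0, 1)}
COPIED_BIT = {(0, 0): 0.5, (1, 1): 0.5}

if __name__ == "__main__":
    print("H_inf(UNIFORM4)            =", min_entropy(UNIFORM4))
    print("H_inf(X|Y), worst case     =", worst_case_cond_min_entropy(LEAKY_JOINT))
    print("H~_inf(X|Y), average case  =", avg_case_cond_min_entropy(LEAKY_JOINT))
    print("Delta(UNIFORM4, BIASED2)   =", statistical_distance(UNIFORM4, BIASED2))
    print("independent bits, t=1 block-source:", is_block_source(INDEPENDENT_BITS, 1))
    print("copied bit, t=1 block-source:      ", is_block_source(COPIED_BIT, 1))
    print("affine family over Z_5, max pair probability:", affine_family_max_pair_prob(5))
```

The leaky joint distribution shows why the two conditional notions differ: its worst-case conditional min-entropy is 0 bits, because one value of Y fixes X, while the average-case value is about 0.68 bits. Block-sources are defined with the worst-case notion, so the check must hold for every prefix; the copied-bit source fails it even though each component on its own is uniform. The affine family meets the pairwise-independence bound with equality, but its keys with a = 0 are not permutations, which is why Definition 1 adds invertibility and permutability on top of pairwise independence.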

Definition 1

(Invertible Pairwise-Independent Permutation [4]). A pairwise-independent hash function \(\mathbf {H}_{inv}=(\mathcal {K}_{inv},\mathcal {H}_{inv})\) is an invertible pairwise-independent permutation if it satisfies the following two conditions: (1)  Invertible. There exists a PPT algorithm \(\mathcal {I}nv\) such that \(\mathcal {I}nv(k_{inv},\mathcal {H}_{inv}(k_{inv}, m))=m\), where \(m\in \{0,1\}^{l}\) and \(k_{inv}\overset{R}{\leftarrow }\mathcal {K}_{inv}\); (2) Permutable. \(\mathbf {H}_{inv}\) is a permutation.

Definition 2

(Lossy TDF [10]). A collection of \((l,l-r)\)-lossy trapdoor functions \(\mathcal {LTDF}\) is defined by four probabilistic polynomial-time algorithms \((\mathcal {K}_{lt},\mathcal {\widetilde{K}}_{lt},\mathcal {F}_{lt},\mathcal {F}_{lt}^{-1})\) satisfying the following properties. (1) \(\mathcal {\widetilde{K}}_{lt}\) induces a lossy function. When algorithm \(\mathcal {\widetilde{K}}_{lt}(1^{k})\) outputs \((\widetilde{ek},\perp )\), \(\mathcal {F}_{lt}\) on inputs \(\widetilde{ek}\), \(x\in \{0,1\}^{l}\) returns \(\mathcal {F}_{lt}(\widetilde{ek},x)\). In addition, we require that the size of the image of \(\mathcal {F}_{lt}(\widetilde{ek},\cdot )\) is bounded by \(2^{r}\) for all \(\widetilde{ek}\). (2) \(\mathcal {K}_{lt}\) induces an injective function with trapdoor. The key generation algorithm \(\mathcal {K}_{lt}(1^{k})\) outputs (ek, tk). Then \(\mathcal {F}_{lt}\) takes ek and an input \(x\in \{0,1\}^{l}\) and returns a unique value \(c=\mathcal {F}_{lt}(ek,x)\). Finally, on inputs \((tk,\mathcal {F}_{lt}(ek,x))\), \(\mathcal {F}_{lt}^{-1}\) returns x or \(\perp \). (3) Security. Let EK denote the first random variable output by \(\mathcal {K}_{lt}\), and let \(\widetilde{EK}\) denote the first random variable output by \(\mathcal {\widetilde{K}}_{lt}\). For every probabilistic polynomial-time adversary \(\mathcal {A}\), the advantage of \(\mathcal {A}\) in distinguishing EK from \(\widetilde{EK}\), denoted by \(Adv_{\mathcal {LTDF}}^{\mathrm {ind}}(\mathcal {A})\), is negligible, i.e., \(EK\overset{c}{\approx }\widetilde{EK}\).

Definition 3

(All-But-n TDF [8]). A collection of \((l,l-r)\) all-but-n trapdoor functions \(\mathcal {ABN}\) with branch set \(\mathbb {B}\) is defined by a tuple of three probabilistic polynomial-time algorithms \((\mathcal {K}_{abn},\mathcal {F}_{abn},\mathcal {F}_{abn}^{-1})\) satisfying the properties below. (1) \(\mathcal {K}_{abn}\) with a given lossy set \(\mathbb {I}\). For any n-subset \(\mathbb {I}\subseteq \mathbb {B}\), the key generation algorithm \(\mathcal {K}_{abn}(\mathbb {I})\) returns (ek, tk). It is required that for each \(b\in \mathbb {I}\), the size of the image of \(\mathcal {F}_{abn}(ek,b,\cdot )\) is bounded by \(2^{r}\) for all ek. Additionally, for any branch \(b\in \mathbb {B}\backslash \mathbb {I}\), \(\mathcal {F}_{abn}(ek,b,\cdot )\) is an injective function on \(\{0,1\}^{l}\), and \(\mathcal {F}_{abn}^{-1}(tk,b,\mathcal {F}_{abn}(ek,b,x))=x\) for all x. (2) Security. For any two distinct n-subsets \(\mathbb {I}_{0},\mathbb {I}_{1}\subseteq \mathbb {B}\), let \(EK_{0}\) denote the first random variable generated by \(\mathcal {K}_{abn}(\mathbb {I}_{0})\) and \(EK_{1}\) the first random variable generated by \(\mathcal {K}_{abn}(\mathbb {I}_{1})\). For every probabilistic polynomial-time adversary \(\mathcal {A}\), the advantage of \(\mathcal {A}\) in distinguishing \(EK_{0}\) from \(EK_{1}\), denoted by \(Adv_{\mathcal {ABN}}^{\mathrm {ind}}(\mathcal {A})\), is negligible, i.e., \(EK_{0}\overset{c}{\approx }EK_{1}\).

If the quotient \(L=Adv_{\mathcal {ABN}}^{\mathrm {ind}}(\mathcal {A})/Adv(\mathcal {A}')\) is a small constant, we say that the all-but-n TDF \(\mathcal {ABN}\) is tightly secure, where \(\mathcal {A}'\) is the adversary against the underlying hard problem that the reduction builds from \(\mathcal {A}\).

Definition 4

(\(\mathrm {PRIV}\)-\(\mathrm {IND}\) Security for Block-Sources [4]). We say that an l-bit deterministic public-key encryption scheme \(\mathcal {AE}=(\mathcal {K,E,D})\) is \(\mathrm {PRIV}\)-\(\mathrm {IND}\) secure for (t, l)-block-sources if for any (t, l)-block-sources \(\overrightarrow{M_{0}},\overrightarrow{M_{1}}\) of polynomial length \(n_{c^*}\) and every probabilistic polynomial-time adversary \(\mathcal {A}\), the \(\mathrm {PRIV}\)-\(\mathrm {IND}\)-advantage

$$Adv_{\mathcal {AE}}^{\mathrm {priv}-\mathrm {ind}}(\mathcal {A},\overrightarrow{M_{0}},\overrightarrow{M_{1}})=Guess_{\mathcal {AE}}(\mathcal {A},\overrightarrow{M_{0}})- Guess_{\mathcal {AE}}(\mathcal {A},\overrightarrow{M_{1}})$$

of \(\mathcal {A}\) against \(\mathcal {AE}\) is negligible, where for \(\beta \in \{0,1\}\)

When \(n_{c^*}=1\), we call the scheme PRIV1-IND secure for block-sources; when \(\mathcal {O}\) is the encryption oracle \(\mathcal {E}(pk,\cdot )\), we call the scheme PRIV-IND-CPA secure for block-sources; when \(\mathcal {O}\) includes both the encryption oracle and the decryption oracle, \(\mathcal {E}(pk,\cdot )\vee \mathcal {D}(sk,\cdot )^{\lnot \overrightarrow{c}^{*}}\), where the decryption oracle refuses to decrypt any of the challenge ciphertexts \(\overrightarrow{c}^{*}\), we call the scheme PRIV-IND-CCA secure for block-sources.

We also define a notion of PRIV-IND-q-CCA security for block-sources which is very similar to PRIV-IND-CCA security for block-sources except with the restriction that the length \(n_{c^*}\) of block-sources is bounded by q.

3 Tightly Secure D-PKE Constructions

Let \(\mathbf {H}_{inv}=(\mathcal {K}_{inv},\mathcal {H}_{inv})\) be an l-bit invertible pairwise-independent permutation with inversion algorithm \(\mathcal {I}nv\), and let \(U_{inv}\) denote the uniform distribution on its range \(\mathbb {R}_{inv}=\{0,1\}^l\). Let \(\mathcal {LTDF}=(\mathcal {K}_{lt},\mathcal {\widetilde{K}}_{lt},\mathcal {F}_{lt},\mathcal {F}_{lt}^{-1})\) be a collection of \((l,l-r_{lt})\) lossy TDFs. Let \(\mathcal {ABN}=(\mathcal {K}_{abn},\mathcal {F}_{abn},\mathcal {F}_{abn}^{-1})\) be a collection of \((l,l-r_{abn})\) all-but-n TDFs with branch set \(\mathbb {B}\), and let \(\mathbf {H}_{cr}=(\mathcal {K}_{cr},\mathcal {H}_{cr})\) be an l-bit collision resistant hash function whose range \(\mathbb {R}_{cr}\subseteq \mathbb {B}\) has size bounded by \(2^{r_{cr}}\).

Fig. 2. Tightly secure D-PKE constructions: (a) \(\mathcal {AE}_{CPA}\), (b) \(\mathcal {AE}_{CCA}\) (figure not reproduced).

Theorem 1

(1) Let \(\mathcal {AE}_{CPA}=(\mathcal {K,E,D})\) be the scheme defined in Fig. 2(a). Then the decryption algorithm recovers the message correctly, and for any probabilistic polynomial-time adversary \(\mathcal {A}\) and any (t, l)-block-sources \(\overrightarrow{M_{0}},\overrightarrow{M_{1}}\) of length \(n_{c^*}\), there exists an adversary \(\mathcal {A}_{lt}\) such that

$$\begin{aligned} Adv_{\mathcal {AE}_{CPA}}^{\mathrm {priv-ind-cpa}}(\mathcal {A},\overrightarrow{M_{0}},\overrightarrow{M_{1}}) \le 2\cdot Adv_{\mathcal {LTDF}}^{\mathrm {ind}}(\mathcal {A}_{lt})+2n_{c^*}\cdot \epsilon , \qquad (1) \end{aligned}$$

where \(\epsilon \le 2^{\frac{r_{lt}-2-t}{2}}\). (2) Let \(\mathcal {AE}_{CCA}\) be the D-PKE scheme depicted in Fig. 2(b). Then the decryption algorithm recovers the message correctly, and for any probabilistic polynomial-time adversary \(\mathcal {A}\) and any (t, l)-block-sources \(\overrightarrow{M_{0}},\overrightarrow{M_{1}}\) of length \(n_{c^*}\le \frac{n}{2}\), there exist adversaries \(\mathcal {A}_{cr}, \mathcal {A}_{lt}, \mathcal {A}_{abn}\) such that

$$\begin{aligned}&Adv_{\mathcal {AE}_{CCA}}^{\mathrm {priv-ind}-\frac{n}{2}\mathrm {-cca}}(\mathcal {A},\overrightarrow{M_{0}},\overrightarrow{M_{1}})\\ \le&2\cdot Adv_{\mathbf {H}_{cr}}^{\mathrm {cr}}(\mathcal {A}_{\mathrm {cr}})+2\cdot Adv_{\mathcal {LTDF}}^{\mathrm {ind}}(\mathcal {A}_{lt})+4\cdot Adv_{\mathcal {ABN}}^{\mathrm {ind}}(\mathcal {A}_{abn})+2n_{c^*}\cdot \epsilon , \qquad (2) \end{aligned}$$

where \(\epsilon \le 2^{\frac{r_{cr}+r_{lt}+r_{abn}-2-t}{2}}\). In both bounds the factor \(n_{c^*}\) multiplies only the statistical term \(\epsilon \), which is controlled by the min-entropy t of the block-source rather than by a computational assumption (keeping \(2n_{c^*}\cdot \epsilon \) negligible requires t to grow by only an additive \(2\log (2n_{c^*})\)), while the computational terms carry constant factors. Hence, if the all-but-n TDF \(\mathcal {ABN}\) is tightly secure, the D-PKE construction \(\mathcal {AE}_{CCA}\) is tightly \(\mathrm {PRIV}\)-\(\mathrm {IND}\)-\(\frac{n}{2}\)-\(\mathrm {CCA}\) secure for block-sources. In the above, \(\mathcal {A}_{cr}\) is an adversary against the collision resistance of \(\mathbf {H}_{cr}\), and \(\mathcal {A}_{lt}\) (respectively, \( \mathcal {A}_{abn}\)) is an adversary against the security of \(\mathcal {LTDF}\) (respectively, \(\mathcal {ABN}\)).

Tightly Secure All-But-n TDF Under the s-DCR Assumption. Looking ahead, our tightly PRIV-IND-\(\frac{n}{2}\)-CCA secure deterministic public-key encryption construction needs a tightly secure all-but-n TDF as its central primitive. In this paper, we also prove that the all-but-n TDF given by [8] is tightly secure with a security loss of only 2. This improves their original security reduction, which has a security loss of 2n due to the use of the hybrid technique. See the full version of this paper for details.