Int. J. Appl. Math. Comput. Sci., 2015, Vol. 25, No. 2, 415-430

DOI: 10.1515/amcs-2015-0032

SENDER-EQUIVOCABLE ENCRYPTION SCHEMES SECURE AGAINST CHOSEN-CIPHERTEXT ATTACKS REVISITED

Zhengan HUANG^a, Shengli LIU^{a,*}, Baodong QIN^{a,b}, Kefei CHEN^{c,d}

^a Department of Computer Science and Engineering, Shanghai Jiao Tong University, 800 Dongchuan Road, Shanghai, 200240, China, e-mail: zhahuang.sjtu@gmail.com, slliu@sjtu.edu.cn

^b College of Computer Science and Technology, Southwest University of Science and Technology, 59 Qinglong Road, Mianyang, Sichuan, 621010, China, e-mail: qinbaodong@sjtu.edu.cn

^c School of Science, Hangzhou Normal University, 16 Xuelin Street, Xisha Higher Education Zone, Hangzhou, 310036, China

^d State Key Laboratory of Mathematical Engineering and Advanced Computing, 30 Lianze Road, Building #18, Science and Education Industry Park, Binhu District, Wuxi, 214000, China, e-mail: kfchen@sjtu.edu.cn

Fehr et al. (2010) proposed the first sender-equivocable encryption scheme secure against chosen-ciphertext attacks (NC-CCA) and proved that NC-CCA security implies security against selective opening chosen-ciphertext attacks (SO-CCA). The NC-CCA security proof of the scheme relies on security against substitution attacks of a new primitive, the "cross-authentication code". However, the security of the cross-authentication code cannot be guaranteed when all the keys used in the code are exposed. Our key observation is that, in the NC-CCA security game, the randomness used in the generation of the challenge ciphertext is exposed to the adversary. Based on this observation, we provide a security analysis of Fehr et al.'s scheme, showing that its NC-CCA security proof is flawed. We also point out that the scheme of Fehr et al. encrypting a single-bit plaintext can be refined to achieve NC-CCA security, free of the cross-authentication code. Furthermore, we propose the notion of "strong cross-authentication code", apply it to Fehr et al.'s scheme, and show that the new version of the latter achieves NC-CCA security for multi-bit plaintexts.

Keywords: sender-equivocable encryption, chosen-ciphertext attack, cross-authentication code.

1. Introduction

The notion of sender equivocability for a public-key encryption (PKE) scheme was formalized by Fehr et al. (2010). It is an important tool to construct PKE schemes secure against chosen-plaintext/ciphertext selective opening attacks (SO-CPA/CCA). Sender equivocability focuses on the ability of a PKE scheme to generate some "equivocable" ciphertexts which can be efficiently opened arbitrarily. More specifically, a PKE scheme is called sender-equivocable if there is a simulator which can generate non-committing ciphertexts and

* Corresponding author

later open them to any requested plaintexts by releasing some randomness, such that the simulation and real encryption are indistinguishable. This notion is similar to non-committing encryption (Canetti et al., 1996). In fact, Fehr et al. (2010) pointed out that sender-equivocable encryption secure under chosen-plaintext attacks (CPAs) is a variant of non-committing encryption defined by Canetti et al. (1996). Following the notation in the work of Fehr et al. (2010), the security of a sender-equivocable encryption scheme against chosen-plaintext/ciphertext attacks is denoted by NC-CPA/CCA security.

As proved by Fehr et al. (2010), NC-CPA/CCA security implies simulation-based selective opening security against chosen-plaintext/ciphertext attacks (SIM-SO-CPA/CCA security). This fact suggests an alternative way of constructing PKE secure against selective opening attacks, besides the construction from the lossy encryption proposed by Bellare et al. (2009).

1.1. Discussion and related work. Bellare et al. (2009) formalized the notion of security against selective opening attacks (SOA security) for sender corruptions. This security notion captures a situation that n senders encrypt their own messages and send the ciphertexts to a single receiver. Some subset of the senders can be corrupted by an adversary, exposing their messages and randomness to the latter. SOA security requires that the unopened ciphertexts remain secure.

Bellare et al. (2009) proposed two kinds of SOA security: simulation-based selective opening (SIM-SO) security and indistinguishability-based selective opening (IND-SO) security. The relations between the two notions are figured out by Böhl et al. (2012). Bellare et al. (2012) showed that the standard security of PKE does not imply SIM-SO security. Bellare et al. (2009) proposed that IND-SO-CPA security and SIM-SO-CPA security can be achieved through a special class of encryption named lossy encryption, which can be constructed from lossy trapdoor functions (Peikert and Waters, 2011). Hemenway et al. (2011) showed more constructions of lossy encryption, which achieved IND-SO-CCA security with an a-priori bounded number of challenge ciphertexts. Hofheinz (2012) proposed a new primitive called all-but-many lossy trapdoor functions, which were employed to construct IND-SO-CCA secure and SIM-SO-CCA secure PKE with an unbounded number of challenge ciphertexts. Bellare et al. (2011) extended SOA security from PKE to IBE.

Fehr et al. (2010) presented a totally different way of achieving SIM-SO-CCA security, also with an unbounded number of challenge ciphertexts. They formalized the security notion of sender equivocability under chosen-plaintext/ciphertext attacks (NC-CPA/CCA security), and proved that NC-CPA (resp. NC-CCA) security implies SIM-SO-CPA (resp. SIM-SO-CCA) security. In the work of Fehr et al. (2010), two PKE schemes were proposed. The first one, constructed from trapdoor one-way permutations, is NC-CPA secure, so it is SIM-SO-CPA secure. The second one (denoted as the FHKW scheme) is constructed from an extended hash proof system (Cramer and Shoup, 2002) and a new primitive, the "cross-authentication code". They proved that the FHKW scheme is NC-CCA secure.

With the help of similar techniques as those in the FHKW scheme, Gao et al. (2012) presented a deniable encryption scheme (denoted as the GXW scheme). The CCA security of their scheme was guaranteed mainly by an extended hash proof system (Cramer and Shoup, 2002) and a cross-authentication code (Fehr et al., 2010).

In this paper, we will analyze the security proof of the FHKW scheme and show that its NC-CCA security cannot be guaranteed by their proof. The GXW scheme suffers from a similar security problem. Then, we will offer a refined version of the FHKW scheme for a single bit with NC-CCA security. To completely fix the problem, we will introduce the strong notion of cross-authentication code, apply it to the FHKW scheme, and show that the new version of the FHKW scheme achieves NC-CCA security for multi-bit plaintexts.

1.2. Our contribution. In this paper, we focus on NC-CCA security. First, we provide an analysis of the security proof of the FHKW scheme (Fehr et al., 2010), and show, by exhibiting an attack, that the proof of NC-CCA security (Fehr et al., 2010) is flawed. The key observation is that, in the definition of NC-CCA security, the randomness used in the generation of the challenge ciphertext C* is offered to the adversary. The adversary is able to use the randomness to forge a ciphertext and obtain useful information by querying the forged ciphertext to the decryption oracle. Assume that the plaintext consists of L bits. We present a PPT adversary who can always distinguish the real experiment and the simulated experiment for L > 1. We also show that the security requirement of "L-cross-authentication codes" is not enough for the NC-CCA security proof in the work of Fehr et al. (2010) for any positive integer L.

Second, we refine the FHKW scheme encrypting one bit. Although we showed that "L-cross-authentication codes" are generally not sufficient to prove NC-CCA security, some specific instances of "1-cross-authentication codes" are helpful to finish the proof of NC-CCA security of the FHKW scheme (Fehr et al., 2010), but limited to encryption of a single bit. We provide a simpler encryption scheme for single-bit plaintexts, free of any cross-authentication code.

Third, we fix the security proof of the FHKW scheme by introducing the strong notion of an L-cross-authentication code and using it to construct the FHKW scheme instead of the original one. Informally, a strong L-cross-authentication code requires the existence of a PPT algorithm to generate another key indistinguishable from the original one. With this property, the randomness in the simulated experiment is different but indistinguishable from that in the real experiment, which helps the L-cross-authentication code's security against substitution attacks work again.

Organization. We start with the notation and definitions in Section 2. We recall the FHKW scheme in Section 3, and then provide its security analysis in Section 4. We present a refined version of the FHKW scheme for single-bit plaintexts in Section 5 and leave the proof for the Appendices. We introduce the notion of a strong cross-authentication code in Section 6, and use it to fix the security proof in Section 7. Finally, we give a summary of our work in Section 8.

2. Preliminaries

2.1. Notation. Let N denote the set of natural numbers. We use k ∈ N as the security parameter throughout the paper. For n ∈ N, let [n] denote the set {1, 2, ..., n} and {0,1}^n the set of bitstrings of length n. For a finite set S, let s ← S denote the process of sampling s uniformly at random from S. If A is a probabilistic algorithm, we denote by R_A the randomness set of A. Let y ← A(x_1, x_2, ..., x_t) denote the process of running A on inputs (x_1, x_2, ..., x_t) and inner randomness R ← R_A, and outputting y. If the running time of a probabilistic algorithm A is polynomial in k, then A is a probabilistic polynomial time (PPT) algorithm.

2.2. Sender-equivocable encryption schemes. The notion of sender equivocability was formalized by Fehr et al. (2010). For a public-key encryption scheme Π = (Gen, Enc, Dec), let A = (A_1, A_2) denote a stateful adversary, S = (S_1, S_2) denote a stateful simulator, and M denote a plaintext. Let state denote some state information output by A_1 and then passed to A_2. Sender equivocability under adaptive chosen-ciphertext attacks is defined through the following two experiments.

Experiment Exp^{NC-CCA-Real}_{Π,A}(k):
  (pk, sk) ← Gen(1^k)
  (M, state) ← A_1^{Dec_sk(·)}(pk)
  R ← R_Enc
  C ← Enc_pk(M; R)
  return A_2^{Dec_sk(·)}(M, C, R, state)

Experiment Exp^{NC-CCA-Sim}_{Π,A,S}(k):
  (pk, sk) ← Gen(1^k)
  (M, state) ← A_1^{Dec_sk(·)}(pk)
  C ← S_1(pk, 1^{|M|})
  R ← S_2(M)
  return A_2^{Dec_sk(·)}(M, C, R, state)

In both experiments, A = (A_1, A_2) is allowed to access a decryption oracle Dec_sk(·), with the constraint that A_2 is not allowed to query C.

The advantage of adversary A is defined as follows:

$$\mathrm{Adv}^{\mathrm{NC\text{-}CCA}}_{\Pi,A,S}(k) := \left|\, \Pr\left[\mathrm{Exp}^{\mathrm{NC\text{-}CCA\text{-}Real}}_{\Pi,A}(k) = 1\right] - \Pr\left[\mathrm{Exp}^{\mathrm{NC\text{-}CCA\text{-}Sim}}_{\Pi,A,S}(k) = 1\right] \right|.$$

Definition 1. A public-key encryption scheme Π = (Gen, Enc, Dec) is said to be sender-equivocable under adaptive chosen-ciphertext attacks (NC-CCA secure) if there is a stateful PPT algorithm S (the simulator), such that for any PPT algorithm A (the adversary) the advantage Adv^{NC-CCA}_{Π,A,S}(k) is negligible.

2.3. Building blocks of the FHKW scheme. Fehr et al. (2010) presented a construction of PKE with NC-CCA security. We will call their scheme FHKW. It was built using the following cryptographic primitives: a collision-resistant hash function, a subset membership problem, an extended version of the hash proof system (Cramer and Shoup, 2002), and a cross-authentication code (Fehr et al., 2010).

Definition 2. A family of collision-resistant hash functions H : D → R consists of two PPT algorithms (HGen, HEval). Algorithm HGen(1^k) randomly chooses a hash function from the family and outputs the description of the hash function H. Algorithm HEval(H, x) produces the hash value H(x) for all x ∈ D. Furthermore, for any PPT algorithm A, the following function is negligible in k:

$$\mathrm{Adv}^{\mathrm{CR}}_{\mathcal{H},A}(k) := \Pr\left[ H \leftarrow \mathrm{HGen}(1^k),\ (x, x') \leftarrow A(H) : x \neq x' \wedge H(x) = H(x') \right].$$

Here we do not distinguish a function H from its description output by HGen.

Definition 3. A subset membership problem consists of the following PPT algorithms:

• SmpGen(1^k): On input 1^k, algorithm SmpGen outputs a parameter Λ, which specifies a set X_Λ and its subset L_Λ ⊆ X_Λ. Set X_Λ is required to be easily recognizable with Λ.

• SampleL(L_Λ; W): Algorithm SampleL samples X ∈ L_Λ using randomness W ∈ R_SampleL.

A subset membership problem SMP is hard if, for any PPT distinguisher D, D's advantage

$$\mathrm{Adv}^{\mathrm{SMP}}_{D}(k) := \left|\, \Pr\left[\Lambda \leftarrow \mathrm{SmpGen}(1^k),\ X \leftarrow L_\Lambda : D(X) = 1\right] - \Pr\left[\Lambda \leftarrow \mathrm{SmpGen}(1^k),\ X \leftarrow X_\Lambda : D(X) = 1\right] \right|$$

is negligible.

Definition 4. A subset membership problem SMP has the property of subset sparseness if the probability Pr[Λ ← SmpGen(1^k), X ← X_Λ : X ∈ L_Λ] is negligible.

Definition 5. A hash proof system HPS for a subset membership problem SMP associates each Λ ← SmpGen(1^k) with an efficiently recognizable key space K_Λ and the following PPT algorithms:

• HashGen(Λ): On input Λ, HashGen outputs a public key hpk and a secret key hsk, both containing the parameter Λ.

• SecEvl(hsk, X): It is a deterministic algorithm. On input a secret key hsk and an element X ∈ X_Λ, SecEvl outputs a key K ∈ K_Λ.

• PubEvl(hpk, X, W): It is a deterministic algorithm. On input a public key hpk, an element X ∈ X_Λ and a witness W for X ∈ L_Λ, PubEvl outputs a key K ∈ K_Λ. Correctness requires that PubEvl(hpk, X, W) = SecEvl(hsk, X) for all Λ ← SmpGen(1^k), (hpk, hsk) ← HashGen(Λ) and X ← SampleL(L_Λ; W).

An extended hash proof system EHPS is a variation of a hash proof system HPS, extending the sets X_Λ and L_Λ by taking the Cartesian product of these sets with an efficiently recognizable tag space T_Λ. Hence, the tuple of the three algorithms (HashGen, SecEvl, PubEvl) of EHPS is changed to (hpk, hsk) ← HashGen(Λ), K ← SecEvl(hsk, X, t) and K ← PubEvl(hpk, X, W, t), with t ∈ T_Λ.

The public key hpk in a hash proof system HPS uniquely determines the action of algorithm SecEvl for all X ∈ L_Λ. However, the action of SecEvl for X ∈ X_Λ \ L_Λ is still undetermined by hpk. This is captured by the perfectly 2-universal property.

Definition 6. A hash proof system HPS for SMP is perfectly 2-universal if, for any Λ ← SmpGen(1^k), any hpk from HashGen(Λ), any distinct X_1, X_2 ∈ X_Λ \ L_Λ, and any K_1, K_2 ∈ K_Λ,

$$\Pr\left[\mathrm{SecEvl}(hsk, X_2) = K_2 \mid \mathrm{SecEvl}(hsk, X_1) = K_1\right] = \frac{1}{|K_\Lambda|},$$

where the probability is taken over all possible hsk with (hpk, hsk) ← HashGen(Λ).

Definition 7. A domain D is efficiently samplable and explainable if there exist two PPT algorithms:

• Sample(D; R): On input a random coin R ← R_Sample and a domain D, it outputs an element uniformly distributed over D.

• Explain(D, x): On input D and x ∈ D, this algorithm outputs R that is uniformly distributed over the set {R ∈ R_Sample | Sample(D; R) = x}.

Definition 8. (Fehr et al., 2010) For any L ∈ N, an L-cross-authentication code XAC, associated with a key space XK and a tag space XT, consists of three PPT algorithms (XGen, XAuth, XVer). Algorithm XGen(1^k) generates a uniformly random key K ∈ XK, XAuth(K_1, ..., K_L) produces a tag T ∈ XT, and XVer(K, i, T) outputs b ∈ {0,1}. The following properties are required.

Correctness. The function

$$\mathrm{fail}^{\mathrm{correct}}_{\mathrm{XAC}}(k) := \max_{i \in [L]} \Pr\left[\mathrm{XVer}\big(K_i, i, \mathrm{XAuth}((K_j)_{j \in [L]})\big) \neq 1\right]$$

is negligible in k, where the maximum is over all i ∈ [L] and the probability is taken over all possible K_1, ..., K_L ← XGen(1^k).

Security against impersonation and substitution attacks. The advantages Adv^{imp}_{XAC}(k) and Adv^{sub}_{XAC}(k), defined as follows, are both negligible:

$$\mathrm{Adv}^{\mathrm{imp}}_{\mathrm{XAC}}(k) := \max_{i,\, T'} \Pr\left[K \leftarrow \mathrm{XGen}(1^k) : \mathrm{XVer}(K, i, T') = 1\right],$$

where the maximum is over all i ∈ [L] and all T' ∈ XT;

$$\mathrm{Adv}^{\mathrm{sub}}_{\mathrm{XAC}}(k) := \max_{i,\, K_{\neq i},\, \mathrm{Func}} \Pr\left[ \begin{array}{l} K_i \leftarrow \mathrm{XGen}(1^k) \\ T = \mathrm{XAuth}((K_j)_{j \in [L]}) \\ T' \leftarrow \mathrm{Func}(T) \end{array} : T' \neq T \wedge \mathrm{XVer}(K_i, i, T') = 1 \right],$$

where the maximum is over all i ∈ [L], all K_{≠i} := (K_j)_{j≠i} ∈ XK^{L−1} and all possibly randomized functions Func : XT → XT.

3. Review of the FHKW scheme

With the above cryptographic primitives, we now present the FHKW scheme (Fehr et al., 2010).

Let SMP be a hard subset membership problem that has the property of subset sparseness. Let X_Λ, with Λ ← SmpGen(1^k), be efficiently samplable and explainable. Let EHPS be a perfectly 2-universal extended hash proof system for SMP with tag space T_Λ and key space (range) K_Λ, which is efficiently samplable and explainable as well. Let H : (X_Λ)^L → T_Λ be a family of collision-resistant hash functions, and XAC be an L-cross-authentication code with key space XK = K_Λ and tag space XT.

FHKW scheme:

Gen(1^k): On input 1^k, algorithm Gen runs Λ ← SmpGen(1^k), (hpk, hsk) ← HashGen(Λ), H ← HGen(1^k), and outputs (pk, sk), where pk = (hpk, H) and sk = (hsk, H).

Enc(pk, M; R): To encrypt a plaintext M = (M_1, ..., M_L) ∈ {0,1}^L under a public key pk = (hpk, H) with randomness R = (W_i, R_i^{X_Λ}, R_i^{K_Λ})_{i∈[L]} ∈ (R_SampleL × R_Sample × R_Sample)^L, algorithm Enc runs as follows. For i ∈ [L], set

$$X_i := \begin{cases} \mathrm{Sample}(X_\Lambda; R_i^{X_\Lambda}) & \text{if } M_i = 0, \\ \mathrm{SampleL}(L_\Lambda; W_i) & \text{if } M_i = 1, \end{cases}$$

and t := H(X_1, ..., X_L). Then for i ∈ [L], set the keys

$$K_i := \begin{cases} \mathrm{Sample}(K_\Lambda; R_i^{K_\Lambda}) & \text{if } M_i = 0, \\ \mathrm{PubEvl}(hpk, X_i, W_i, t) & \text{if } M_i = 1, \end{cases}$$

and the tag T := XAuth(K_1, ..., K_L). Finally, return C = (X_1, ..., X_L, T) as the ciphertext.

Dec(sk, C): To decrypt a ciphertext C = (X_1, ..., X_L, T) ∈ (X_Λ)^L × XT under a secret key sk = (hsk, H), algorithm Dec computes t := H(X_1, ..., X_L), and for i ∈ [L] sets K̂_i := SecEvl(hsk, X_i, t) and M_i := XVer(K̂_i, i, T). It returns M = (M_1, ..., M_L) as the plaintext.

The correctness of the FHKW scheme is proved by Fehr et al. (2010), and omitted here.

4. Security analysis of the FHKW scheme

According to the definition of NC-CCA security, the FHKW scheme is NC-CCA secure if and only if there exists a simulator S such that for any PPT algorithm A, the two experiments Exp^{NC-CCA-Real}_{FHKW,A}(k) and Exp^{NC-CCA-Sim}_{FHKW,A,S}(k), defined in Section 2, are indistinguishable.

In order to prove NC-CCA security of the FHKW scheme, Fehr et al. (2010) constructed the following simulator S = (S_1, S_2).

Simulator S:

• S_1(pk, 1^{|M|}): Parse pk = (hpk, H). For i ∈ [L], choose W_i ← R_SampleL and set X_i := SampleL(L_Λ; W_i). Compute t := H(X_1, ..., X_L). For i ∈ [L], set K_i := PubEvl(hpk, X_i, W_i, t). Set T ← XAuth(K_1, ..., K_L). Return the ciphertext C = (X_1, ..., X_L, T).

• S_2(M): Parse M = (M_1, ..., M_L). For i ∈ [L]: if M_i = 1, keep the W_i chosen by S_1 and choose dummy coins R_i^{X_Λ} ← R_Sample and R_i^{K_Λ} ← R_Sample; otherwise (M_i = 0), choose a dummy W_i ← R_SampleL, and set R_i^{X_Λ} ← Explain(X_Λ, X_i) and R_i^{K_Λ} ← Explain(K_Λ, K_i). Return the randomness R = (W_i, R_i^{X_Λ}, R_i^{K_Λ})_{i∈[L]}.

With the simulator S, Fehr et al. (2010) proved that the FHKW scheme is NC-CCA secure. However, we will show that this specific simulator S does not guarantee NC-CCA security of the FHKW scheme for any positive integer L.

4.1. Security proof problem. To prove NC-CCA security, it is essential to show that the decryption oracle will not leak any useful information to any PPT adversary. As to the FHKW scheme, given a challenge ciphertext C = (X_1, ..., X_L, T), an adversary A comes up with a decryption query C' = (X_1, ..., X_L, T'), where T' ≠ T. NC-CCA security expects that the decryption of C' by the oracle will not help the adversary to distinguish the two experiments Exp^{NC-CCA-Real}_{FHKW,A}(k) and Exp^{NC-CCA-Sim}_{FHKW,A,S}(k) (see the proof of Lemma 5 in the work of Fehr et al. (2010)). This strongly relies on the security of the cross-authentication code against substitution attacks, which requires that "given T and K_{≠i}, it is difficult to output a T' ≠ T such that XVer(K_i, i, T') = 1, where K_i is uniformly distributed".

However, in the NC-CCA game, adversary A knows K_i for every i ∈ [L]! The reason is as follows. Upon returning a plaintext M, adversary A receives not only a challenge ciphertext C, but also the random coins R which are supposed to have been consumed in the generation of the challenge ciphertext. With R and M, adversary A can recover K_i for every i ∈ [L] (for M_i = 0 as K_i = Sample(K_Λ; R_i^{K_Λ}), and for M_i = 1 as K_i = PubEvl(hpk, X_i, W_i, t)). Then it is possible for A to output a T' ≠ T such that XVer(K_i, i, T') = 1. Hence, the security of XAC against substitution attacks is not sufficient to guarantee the aforementioned property. That is why the security proof proposed by Fehr et al. (2010) fails (more precisely, the proof of Lemma 5 in the work of Fehr et al. (2010) does).

In fact, this kind of adversary, which can output a T' ≠ T such that XVer(K_i, i, T') = 1 given T and all of K_1, ..., K_L, does exist. In Section 4.2, we will present such an adversary A, which breaks the security proof of the FHKW scheme for L > 1.

Deniable scheme. Gao et al. (2012) utilized exactly the same technique as that in the FHKW scheme to construct a deniable encryption scheme and "proved" its CCA security. A problem similar to the one we pointed out above also exists in their security proof (more specifically, the proof of Claim 1 in the work of Gao et al. (2012)). As a result, our attack in Section 4.2 applies to their scheme and ruins their proof, too.

4.2. Security analysis of the FHKW scheme: L > 1.

Before going into a formal statement and its proof, we briefly give a high-level description of our security analysis for L > 1.

With the aforementioned simulator S, for any L > 1, our aim is to construct an adversary A = (A_1, A_2) to distinguish the two experiments Exp^{NC-CCA-Real}_{FHKW,A}(k) and Exp^{NC-CCA-Sim}_{FHKW,A,S}(k). The construction of adversary A is as follows.

In an experiment environment (either Exp^{NC-CCA-Real}_{FHKW,A}(k) or Exp^{NC-CCA-Sim}_{FHKW,A,S}(k)), upon receiving pk, A_1 returns M = (0, ..., 0). Then, upon receiving a ciphertext C = (X_1, ..., X_L, T) and randomness R, A_2 returns C' = (X_1, ..., X_L, T') as its decryption query, where T' ← XAuth(K_1', K_2, ..., K_L), K_1' is chosen uniformly at random from K_Λ and K_2, ..., K_L are all recovered from R. Finally, if the decryption oracle returns M' = (0, ..., 0), A_2 outputs b = 1, and otherwise A_2 outputs b = 0.

Now, we consider the probabilities that A outputs 1 in the two experiments. In Exp^{NC-CCA-Real}_{FHKW,A}(k), for i ∈ [L], X_i (resp. K_i) is chosen uniformly at random from X_Λ (resp. K_Λ), so the subset sparseness of SMP and the perfect 2-universality of EHPS guarantee that, for i ∈ [L], K̂_i = SecEvl(hsk, X_i, t) is uniformly random in K_Λ from A's point of view. Due to the security of XAC against impersonation attacks, the decryption oracle returns M' = (0, 0, ..., 0) for the queried ciphertext C'. Consequently, A outputs b = 1 with overwhelming probability in Exp^{NC-CCA-Real}_{FHKW,A}(k).

On the other hand, in Exp^{NC-CCA-Sim}_{FHKW,A,S}(k), for i ∈ [L], X_i is chosen uniformly at random from L_Λ and K_i = PubEvl(hpk, X_i, W_i, t), so the correctness of EHPS guarantees that, for i ∈ [L], K̂_i = SecEvl(hsk, X_i, t) = K_i. Due to the correctness of XAC and the facts that T' ← XAuth(K_1', K_2, ..., K_L) and M_i' = XVer(K_i, i, T') = 1 for i ∈ {2, 3, ..., L}, the decryption oracle returns M' = (0, 1, ..., 1) with overwhelming probability. As a result, A outputs b = 1 with negligible probability in Exp^{NC-CCA-Sim}_{FHKW,A,S}(k). The two experiments Exp^{NC-CCA-Real}_{FHKW,A}(k) and Exp^{NC-CCA-Sim}_{FHKW,A,S}(k) have thus been distinguished by A with an overwhelming advantage.

A formal statement of the result and its corresponding proof are as follows.

Theorem 1. With the aforementioned simulator S, the FHKW scheme cannot be proved to be NC-CCA secure for any L > 1. More specifically, there exists an adversary A distinguishing the real and the simulated NC-CCA experiments, with the advantage

$$\mathrm{Adv}^{\mathrm{NC\text{-}CCA}}_{\mathrm{FHKW},A,S}(k) \geq 1 - 2\,\mathrm{Adv}^{\mathrm{imp}}_{\mathrm{XAC}}(k) - \mathrm{fail}^{\mathrm{correct}}_{\mathrm{XAC}}(k).$$

Proof. For simplicity, we consider the case of L = 2. We note that this attack is applicable to any L > 1.

Our aim is to construct a specific adversary A = (A_1, A_2) to distinguish the two experiments Exp^{NC-CCA-Real}_{FHKW,A}(k) and Exp^{NC-CCA-Sim}_{FHKW,A,S}(k) with a non-negligible advantage.

Specifically, given an experiment environment (either Exp^{NC-CCA-Real}_{FHKW,A}(k) or Exp^{NC-CCA-Sim}_{FHKW,A,S}(k)), the adversary A = (A_1, A_2) behaves as follows.

• Upon receiving pk = (hpk, H), A_1 returns M = (0, 0), i.e., M_1 = M_2 = 0.

• Upon receiving a ciphertext C = (X_1, X_2, T) and randomness R = ((W_1, R_1^{X_Λ}, R_1^{K_Λ}), (W_2, R_2^{X_Λ}, R_2^{K_Λ})), A_2 creates a new ciphertext C' from C:

  - Set X_1' := X_1, X_2' := X_2.
  - Set K_1' ← K_Λ, K_2' := Sample(K_Λ; R_2^{K_Λ}).
  - Compute T' := XAuth(K_1', K_2').
  - Check that T' ≠ T. If T' = T, choose another random value for K_1' and repeat the above steps, until T' ≠ T.
  - Set C' := (X_1', X_2', T').

  Then A_2 submits C' to the decryption oracle.

• Let M' ← Dec(sk, C'). A_2 outputs b, where b = 1 if M' = (0, 0), and b = 0 if M' ≠ (0, 0).

Now we analyze the probabilities that A_2 outputs b = 1 in the real and the simulated experiment. Below, Pr_Real[·] and Pr_Sim[·] denote probabilities taken in Exp^{NC-CCA-Real}_{FHKW,A}(k) and in Exp^{NC-CCA-Sim}_{FHKW,A,S}(k), respectively.

In both experiments, A_2 receives a ciphertext C = (X_1, X_2, T) and randomness R = ((W_1, R_1^{X_Λ}, R_1^{K_Λ}), (W_2, R_2^{X_Λ}, R_2^{K_Λ})). The ciphertext created and submitted to the decryption oracle by A_2 is C' = (X_1', X_2', T') = (X_1, X_2, T'), where T' = XAuth(K_1', K_2') = XAuth(K_1', K_2) (due to K_2' = K_2, as shown below for each experiment) and T' ≠ T.

Real experiment. The challenge ciphertext C = (X_1, X_2, T) satisfies X_1 ← Sample(X_Λ; R_1^{X_Λ}), X_2 ← Sample(X_Λ; R_2^{X_Λ}) and T = XAuth(K_1, K_2), where K_1 ← Sample(K_Λ; R_1^{K_Λ}) and K_2 ← Sample(K_Λ; R_2^{K_Λ}). In particular, K_2' = Sample(K_Λ; R_2^{K_Λ}) = K_2.

The decryption of C' by the decryption oracle Dec(sk, ·) involves the computation of t' := H(X_1', X_2') = H(X_1, X_2) = t and K̂_i := SecEvl(hsk, X_i', t') = SecEvl(hsk, X_i, t) for i ∈ {1, 2}.

By subset sparseness, X_1, X_2 ∉ L_Λ with overwhelming probability, and then, due to the perfect 2-universality of EHPS, K̂_i is uniformly distributed in K_Λ and independent of A's view (in particular of T', which was computed from K_1', K_2 only). Hence, for i ∈ {1, 2},

$$\Pr_{\mathrm{Real}}\left[\mathrm{XVer}(\hat{K}_i, i, T') = 1\right] \leq \mathrm{Adv}^{\mathrm{imp}}_{\mathrm{XAC}}(k). \tag{1}$$

Let M' = (M_1', M_2') denote the decryption result of C' by the decryption oracle Dec(sk, ·). Then for i ∈ {1, 2},

$$\Pr_{\mathrm{Real}}\left[M_i' = 1\right] = \Pr_{\mathrm{Real}}\left[\mathrm{XVer}(\hat{K}_i, i, T') = 1\right] \leq \mathrm{Adv}^{\mathrm{imp}}_{\mathrm{XAC}}(k).$$

The probability that A_2 outputs b = 1 in the real experiment is given by

$$\begin{aligned}
\Pr\left[\mathrm{Exp}^{\mathrm{NC\text{-}CCA\text{-}Real}}_{\mathrm{FHKW},A}(k) = 1\right]
&= \Pr_{\mathrm{Real}}\left[M' = (0,0)\right] = 1 - \Pr_{\mathrm{Real}}\left[M' \neq (0,0)\right] \\
&= 1 - \Pr_{\mathrm{Real}}\left[M_1' = 1 \vee M_2' = 1\right] \geq 1 - 2\,\mathrm{Adv}^{\mathrm{imp}}_{\mathrm{XAC}}(k).
\end{aligned}$$

Simulated experiment. The ciphertext C = (X_1, X_2, T) satisfies X_1 ← SampleL(L_Λ; W_1), X_2 ← SampleL(L_Λ; W_2) and T = XAuth(K_1, K_2), where, for i ∈ {1, 2}, W_i ← R_SampleL and K_i = PubEvl(hpk, X_i, W_i, t) with t = H(X_1, X_2). Since S_2 sets R_2^{K_Λ} ← Explain(K_Λ, K_2), again K_2' = Sample(K_Λ; R_2^{K_Λ}) = K_2.

The decryption of C' by the decryption oracle Dec(sk, ·) involves the computation of t' := H(X_1', X_2') = H(X_1, X_2) = t and K̂_i := SecEvl(hsk, X_i', t') = SecEvl(hsk, X_i, t) for i ∈ {1, 2}. On the other hand, we know that K_2' = K_2 = PubEvl(hpk, X_2, W_2, t). Since X_2 ∈ L_Λ, the correctness of EHPS guarantees that SecEvl(hsk, X_2, t) = PubEvl(hpk, X_2, W_2, t), which means that K̂_2 = K_2'. Note that M_2' = XVer(K̂_2, 2, T') and T' = XAuth(K_1', K_2'). Hence, by the correctness of XAC,

$$\Pr_{\mathrm{Sim}}\left[M_2' = 1\right] = \Pr_{\mathrm{Sim}}\left[\mathrm{XVer}(\hat{K}_2, 2, T') = 1\right] = \Pr_{\mathrm{Sim}}\left[\mathrm{XVer}(K_2', 2, T') = 1\right] \geq 1 - \mathrm{fail}^{\mathrm{correct}}_{\mathrm{XAC}}(k).$$

The probability that A_2 outputs b = 1 in the simulated experiment is given by

$$\begin{aligned}
\Pr\left[\mathrm{Exp}^{\mathrm{NC\text{-}CCA\text{-}Sim}}_{\mathrm{FHKW},A,S}(k) = 1\right]
&= \Pr_{\mathrm{Sim}}\left[M' = (0,0)\right] = 1 - \Pr_{\mathrm{Sim}}\left[M' \neq (0,0)\right] \\
&\leq 1 - \Pr_{\mathrm{Sim}}\left[M_2' = 1\right] \leq \mathrm{fail}^{\mathrm{correct}}_{\mathrm{XAC}}(k).
\end{aligned}$$

The advantage of adversary A is given by

$$\mathrm{Adv}^{\mathrm{NC\text{-}CCA}}_{\mathrm{FHKW},A,S}(k) = \left|\, \Pr\left[\mathrm{Exp}^{\mathrm{NC\text{-}CCA\text{-}Real}}_{\mathrm{FHKW},A}(k) = 1\right] - \Pr\left[\mathrm{Exp}^{\mathrm{NC\text{-}CCA\text{-}Sim}}_{\mathrm{FHKW},A,S}(k) = 1\right] \right| \geq 1 - 2\,\mathrm{Adv}^{\mathrm{imp}}_{\mathrm{XAC}}(k) - \mathrm{fail}^{\mathrm{correct}}_{\mathrm{XAC}}(k).$$

Note that both Adv^{imp}_{XAC}(k) and fail^{correct}_{XAC}(k) are negligible. So A's advantage Adv^{NC-CCA}_{FHKW,A,S}(k) is non-negligible (in fact, it is overwhelming), i.e., the security proof of the FHKW scheme (Fehr et al., 2010) is incorrect. ■

4.3. Security analysis of the FHKW scheme: L = 1.

Note that our attack in the previous section does not apply to the case L = 1. There, upon receiving the ciphertext C and randomness R, the adversary A recovers the keys and switches the first of them for a random one. If L = 1, A will get a new K_1' ≠ K_1 and then T' = XAuth(K_1'). Afterwards, A will return C' = (X_1, T') as its decryption query. Then, A will receive M' = 0 with overwhelming probability in both Exp^{NC-CCA-Real}_{FHKW,A}(k) and Exp^{NC-CCA-Sim}_{FHKW,A,S}(k). Hence, the two experiments are still indistinguishable for A.

As we have pointed out earlier, the security of the L-cross-authentication code against substitution attacks is not sufficient for the security proof of the FHKW scheme for any value of L. But our attack above only works for L > 1. Therefore, the remaining problem is whether it is possible for the FHKW scheme to achieve NC-CCA security for L = 1, still with the aforementioned simulator S.

Before solving the problem, we claim that algorithm XAuth of XAC in the FHKW scheme is deterministic (this is not explicitly stated in the work of Fehr et al. (2010)). That is because R = (W_i, R_i^{X_Λ}, R_i^{K_Λ})_{i∈[L]} is the only randomness used in the encryption process. In other words, if XAuth were probabilistic, the inner random coins used by XAuth would have to be contained in the randomness R (and then passed to the adversary, according to the definition of NC-CCA security). On the other hand, if algorithm XAuth of XAC in the FHKW scheme is probabilistic, with the aforementioned simulator S, the FHKW scheme cannot be proved secure in the sense of NC-CCA for any positive integer L. (See Appendix A for the proof.)

In fact, the security proof of the FHKW scheme expected the following property from the L-cross-authentication code: "given (K_1, K_2, ..., K_L) and T = XAuth(K_1, ..., K_L), it is difficult to output a T' ≠ T such that XVer(K_i, i, T') = 1 for some i ∈ [L]". This property generally does not hold for an L-cross-authentication code. However, it is true for some special 1-cross-authentication codes, for example, the instance of an L-cross-authentication code given by Fehr et al. (2010) when restricted to L = 1. For that special instance, when L = 1, given K = K_1 and T = XAuth(K_1) (note that XAuth is deterministic), it is impossible to find a T' ≠ T such that XVer(K_1, 1, T') = 1, since only T = XAuth(K_1) itself could pass the verification. Therefore, with the special 1-cross-authentication code instance (or another instance with a similar property) as the ingredient, the FHKW scheme is NC-CCA secure for L = 1.

5. Sender-equivocable encryption scheme for a single bit

In this section, we will refine the FHKW scheme for L = 1. Specifically, we will present a PKE scheme with NC-CCA security for L =1 without any L-cross-authentication code.

Our scheme can be seen as a simplified version of the FHKW scheme instantiated with a special 1-cross-authentication code. As we have pointed earlier, the special property of a 1-cross-authentication code requires that each K determine a unique tag T satisfying XVer(K, T) = 1. In our scheme, the encryption algorithm replaces the tag T by the key K directly. In the decryption, whether the plaintext is 1 or 0 depends on the equality of K in the ciphertext and K computed by SecEvl(hsk, X), while in the FHKW scheme the plaintext bit is determined by whether XVer(K, T') = 1 or not.

Below we describe our scheme =

(GenE, EncE, DecE). It consists of a hard subset membership problem SMP, with subset sparseness, and its corresponding perfectly 2-universal hash proof system HPS. We require that for any A ^ SmpGen(1fc), both XA (with respect to SMP) and KA (with respect to HPS) be efficiently explainable. As suggested by Fehr et al. (2010), the requirement of efficient samplability and explainability on KA imposes no real restriction, and it was shown in the work of Cramer and Shoup (2002) that both of the above ingredients can be constructed based on some standard number-theoretic assumptions, such as the DDH, DCR and QR assumptions.

Scheme E = (Gen£, Enc£, Dec£):

GenE(1fc): On input 1fc, algorithm GenE runs A ^ SmpGen(1fc), (hpk, hsk) ^ HashGen(A), and outputs (pk, sk), where pk = hpk and sk = hsk.

Encf (pk, M; R): To encrypt a plaintext M e {0,1} under a public key pk = hpk with randomness R = (W,RXA ,R!Ca ) e R-SampleL X Sample X Sample, algorithm EncE sets

ÍSample^A; RXa ) if M = 0, [SampleL(£A; W) if M = 1,

[Sample(KA; RKa) if M = 0,

[PubEvl(hpk,X, W) if M = 1,

then returns ciphertext C = (X, K).

Dec^(sk, C): To decrypt a ciphertext C = (X, K) e XA x K.A under a secret key sk = hsk, algorithm Decc sets~K := SecEvI(hsk,X). If K = A', return M = 1; otherwise, return M = 0.

Correctness. On the one hand, if C = (X, K) is a ciphertext of M = 1, then A = SecEvI(hsk,X) = PubEvl(hpk, X,W) = K due to the property of HPS. So Dec^ (sk, C) returns M = 1. On the other hand, if C = (X, K) is_a ciphertext of M = 0, thenXA, A ICA and A = SecEvI(hsk,X). So Pr[A = A] = 1 / |Ka |. Hence, with probability 1 -1 / |Ka |, Dec£ (sk,C) returns M = 0.

Security. As for the security of scheme E, we have the following theorem. The proof is similar to that of the FHKW scheme (Fehr et al., 2010). But the key observation is: Given C = (X, A'), it is impossible to create C = {X, A'), A ± A', such that A' = A7. Note that the security proof of our scheme does not involve any cross-authentication code. Details of the proof are in Appendix B.

Theorem 2. Assuming that SMP is a hard subset membership problem with subset sparseness, and HPS is its corresponding perfectly 2-universal hash proof system, scheme E = (Gen_E, Enc_E, Dec_E) is NC-CCA secure.

6. Strong L-cross-authentication codes

In this section, we will introduce a strong version of L-cross-authentication codes, which will be used to construct a new version of the FHKW scheme achieving NC-CCA security. This primitive may find other cryptographic applications.

The formal definition of a strong L-cross-authentication code is as follows.

Definition 9. For L ∈ N, an L-cross-authentication code XAC is strong if there exists a PPT algorithm ReSamp satisfying the following property: Given K_1, …, K_L ← XGen(1^k) and T = XAuth((K_j)_{j∈[L]}) such that XVer(K_j, j, T) = 1 for all j ∈ [L], algorithm ReSamp takes as input i ∈ [L], K_{≠i} := (K_j)_{j≠i} and T, and outputs K'_i, which is statistically indistinguishable from K_i, i.e.,

$$\mathrm{Dist}(k) := \frac{1}{2} \sum_{K} \Bigl| \Pr[K'_i = K \mid (K_{\neq i}, T)] - \Pr[K_i = K \mid (K_{\neq i}, T)] \Bigr|$$

is negligible, where K'_i ← ReSamp(i, K_{≠i}, T) and the probabilities are taken over all possible K_i ← XGen(1^k) such that T = XAuth((K_j)_{j∈[L]}), and over the randomness of ReSamp.

Remark 1. Recalling the discussion in Section 4.3, algorithm XAuth is deterministic. The indistinguishability of ReSamp implies that

$$\mathrm{XAuth}(K_1, \ldots, K_i, \ldots, K_L) = \mathrm{XAuth}(K_1, \ldots, K'_i, \ldots, K_L)$$

with overwhelming probability, where K'_i ← ReSamp(i, K_{≠i}, T).

Remark 2. The requirement that ReSamp be efficient is essential: this algorithm will be used to construct a simulator S in the next section, and NC-CCA security requires the simulator to be a PPT algorithm.

Remark 3. This "efficient resampling" property is exactly the element missing from the security proof of the FHKW scheme. With this property, the strong cross-authentication code is able to resist the attack proposed in Section 4 and to fill the gap in the security proof of the FHKW scheme.

Example of a strong L-cross-authentication code. Quite interestingly, the instance of an L-cross-authentication code XAC (Fehr et al., 2010) is also strong. We now recall the instance XAC = (XGen, XAuth, XVer) proposed by Fehr et al. (2010). Let F_q be a finite field, where q is determined by the security parameter k. Define X_K := F_q^2 and X_T := F_q^L ∪ {⊥}.

• XGen(1^k): Generate a random key (a, b) ← F_q^2.

• XAuth(K_1, …, K_L): For K_1 = (a_1, b_1), …, K_L = (a_L, b_L) ∈ F_q^2, XAuth computes a tag T = (T_0, …, T_{L−1}) satisfying poly_T(a_i) = b_i for all i ∈ [L], where poly_T(x) = T_0 + T_1 x + ⋯ + T_{L−1} x^{L−1} ∈ F_q[x]. Note that T can be computed efficiently by solving the linear system A T = B, where A ∈ F_q^{L×L} is the Vandermonde matrix whose i-th row is (1, a_i, a_i^2, …, a_i^{L−1}) for i ∈ [L], and B ∈ F_q^L is the column vector with entries b_1, …, b_L. If A T = B has more than one solution or no solution, XAuth outputs T = ⊥.

• XVer(K, i, T): For any K = (a, b) ∈ X_K, i ∈ [L] and T ∈ X_T, XVer outputs 1 if and only if T ≠ ⊥ and poly_T(a) = b.

The code XAC has been proved to be correct and secure against impersonation and substitution attacks (Fehr et al., 2010). Here we only show that XAC is strong as well.

Lemma 1. For any L ∈ N, the L-cross-authentication code XAC is strong.

Proof. A PPT algorithm ReSamp is constructed as follows. The input of ReSamp is (i, K_{≠i}, T), where K_j = (a_j, b_j) for j ∈ [L]\{i}, and T satisfies XVer(K_l, l, T) = 1 for all l ∈ [L]. This implies that A is non-singular, i.e., that a_1, …, a_L are pairwise distinct. On input (i, K_{≠i}, T), ReSamp chooses a'_i ← F_q \ {a_j : j ∈ [L]\{i}}, computes b'_i = poly_T(a'_i) and returns K'_i = (a'_i, b'_i) as its output. As a result, for every admissible pair (a, b),

$$\Pr[K'_i = (a, b)] = \frac{1}{q - L + 1}.$$

On the other hand, conditioned on K_{≠i} and T ≠ ⊥, the solution space of K_i = (a_i, b_i) is the set {(a, b) ∈ F_q^2 | poly_T(a) = b, a ≠ a_j for all j ∈ [L]\{i}}, which has exactly q − L + 1 elements. Hence

$$\Pr[K_i = (a, b) \mid (K_{\neq i}, T)] = \frac{1}{q - L + 1},$$

which is identical to the probability distribution of K'_i. ■
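The polynomial-based code recalled above, together with the ReSamp algorithm from the proof of Lemma 1, as an added illustration that is not part of the paper. It instantiates F_q as the prime field with q = 2^31 − 1 (a toy choice; in the paper q is fixed by the security parameter), represents the tag ⊥ as None, and uses function names of our own; the last function checks the Remark 1 property that swapping K_i for ReSamp's output leaves the tag unchanged.

```python
"""Fehr et al.'s L-cross-authentication code over a prime field F_q, plus the
ReSamp algorithm of Definition 9 / Lemma 1.  Illustration added here; not the
paper's code.  Q = 2**31 - 1 is a toy parameter; a tag of ⊥ is None."""
import secrets

Q = 2**31 - 1  # prime modulus of the toy field F_q


def xgen():
    """XGen(1^k): a uniformly random key (a, b) in F_q^2."""
    return (secrets.randbelow(Q), secrets.randbelow(Q))


def poly_eval(T, x):
    """poly_T(x) = T_0 + T_1 x + ... + T_{L-1} x^{L-1} over F_q (Horner's rule)."""
    acc = 0
    for c in reversed(T):
        acc = (acc * x + c) % Q
    return acc


def xauth(keys):
    """XAuth(K_1, ..., K_L): coefficient vector T of the unique polynomial of
    degree < L with poly_T(a_i) = b_i, i.e. the solution of the Vandermonde
    system A T = B.  Computed by Lagrange interpolation; returns None (⊥) when
    the a_i are not pairwise distinct, because then A is singular."""
    keys = list(keys)
    L = len(keys)
    if len({a for a, _ in keys}) != L:
        return None
    T = [0] * L
    for i, (ai, bi) in enumerate(keys):
        num = [1]      # coefficients of prod_{j != i} (x - a_j)
        denom = 1      # prod_{j != i} (a_i - a_j)
        for j, (aj, _) in enumerate(keys):
            if j == i:
                continue
            new = [0] * (len(num) + 1)
            for k, c in enumerate(num):        # multiply num by (x - a_j)
                new[k] = (new[k] - aj * c) % Q
                new[k + 1] = (new[k + 1] + c) % Q
            num = new
            denom = denom * (ai - aj) % Q
        scale = bi * pow(denom, Q - 2, Q) % Q  # b_i / denom (Fermat inversion)
        for k, c in enumerate(num):
            T[k] = (T[k] + scale * c) % Q
    return tuple(T)


def xver(key, i, T):
    """XVer(K, i, T): 1 iff T != ⊥ and poly_T(a) = b.  This instance ignores i."""
    a, b = key
    return 1 if T is not None and poly_eval(T, a) == b else 0


def resamp(i, keys_except_i, T):
    """ReSamp(i, K_{!=i}, T) from the proof of Lemma 1: draw a' uniformly from
    F_q minus the a-coordinates of the other L-1 keys and set b' = poly_T(a').
    Every admissible (a', b') is hit with probability 1/(q - L + 1), which is
    the conditional distribution of the real K_i given (K_{!=i}, T)."""
    if T is None:
        raise ValueError("ReSamp is only defined for T != ⊥")
    used = {a for a, _ in keys_except_i}
    while True:                       # rejection sampling; only L-1 values are excluded
        a = secrets.randbelow(Q)
        if a not in used:
            return (a, poly_eval(T, a))


def resample_preserves_tag(keys, i):
    """Remark 1 check: replacing K_i (1-based i, as in the paper) by ReSamp's
    output verifies under T and re-authenticates to the very same tag."""
    T = xauth(keys)
    others = keys[:i - 1] + keys[i:]          # K_{!=i}
    k_new = resamp(i, others, T)
    return xver(k_new, i, T) == 1 and xauth(keys[:i - 1] + [k_new] + keys[i:]) == T
```

Running `resample_preserves_tag([xgen() for _ in range(4)], 2)` returns True: the resampled key lies on the same degree-3 polynomial as the original, so the simulator of Section 7 can open it without ever touching the real K_i.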

Relations between the strong and the normal version of cross-authentication codes. Although the instance XAC proposed by Fehr et al. (2010) is strong, we cannot conclude that every cross-authentication code is strong. On the other hand, unfortunately, we cannot provide a counterexample either, i.e., a cross-authentication code that is not strong. Whether the strong and the normal version are equivalent is still an open question.

7. Fixing the security proof of the FHKW scheme with strong L-cross-authentication codes

Replacing XAC with a strong one, we get a new version of the FHKW scheme, called the new FHKW scheme. In other words, the new FHKW scheme is identical with the original one, except that its building block XAC has one more algorithm, ReSamp, which appears in neither of the two versions of the FHKW scheme. The description of the new FHKW scheme is the same as that in Section 3, so we do not repeat it here.

Although algorithm ReSamp does not appear in the new FHKW scheme, it is essential for the strongness of XAC (and will be needed in the security proof). The strongness of the cross-authentication code is what allows its security against substitution attacks to be used in the security proof of the FHKW scheme (see the proof of Lemma 3). Roughly speaking, when the randomness of a ciphertext is disclosed to an adversary, all of K_1, K_2, …, K_L are known to the adversary. In this case, security against substitution attacks does not hold. However, if we replace K_i by the output of ReSamp(i, K_{≠i}, T) and open the corresponding randomness, the adversary cannot tell the difference, due to the strongness of the cross-authentication code. Consequently, security against substitution attacks applies: given K_{≠i} and T, the adversary cannot forge a T' such that T' ≠ T and XVer(K_i, i, T') = 1 with non-negligible probability.

Details are as follows. With the help of algorithm ReSamp of strong L-cross-authentication code XAC, we construct an NC-CCA simulator S' as follows.

Simulator S':

• S'_1(pk, 1^{|M|}): Parse pk = (hpk, H). For i ∈ [L], choose W_i ← R_SampleL and set X_i := SampleL(L_Λ; W_i). Compute t := H(X_1, …, X_L). For i ∈ [L], set K_i := PubEvl(hpk, X_i, W_i, t). Set T := XAuth(K_1, …, K_L). Return the ciphertext C = (X_1, …, X_L, T).

• S'_2(M): Parse M = (M_1, …, M_L). For i ∈ [L], if M_i = 1, keep W_i as chosen in S'_1 and choose R^i_{X_Λ} ← R_Sample and R^i_{K_Λ} ← R_Sample; if M_i = 0, generate (W_i, R^i_{X_Λ}) by W_i ← R_SampleL and R^i_{X_Λ} ← Explain(X_Λ, X_i), and generate R^i_{K_Λ} as follows: run K'_i ← ReSamp(i, K_{≠i}, T), set R^i_{K_Λ} := Explain(K_Λ, K'_i) and update K_i := K'_i. Finally, return the randomness R = (W_i, R^i_{X_Λ}, R^i_{K_Λ})_{i∈[L]}.

With the help of simulator S', we have the following result.

Theorem 3. Let SMP be a hard subset membership problem with subset sparseness, and EHPS be its corresponding perfectly 2-universal extended hash proof system. For any L ≥ 1, assuming that XAC is a strong L-cross-authentication code, the new FHKW scheme is NC-CCA secure.

Before going into the formal proof, we briefly give a high-level description of the following game-based security proof. This proof is similar to that proposed by Fehr et al. (2010), but we utilize the strongness of XAC to help guarantee NC-CCA security, avoiding the problem pointed out in Section 4.

We start with the real experiment Exp^{NC-CCA-Real}_{FHKW,A}(k), for any PPT adversary A, and let Game −2 denote Exp^{NC-CCA-Real}_{FHKW,A}(k). First of all, as in the proof in the work of Fehr et al. (2010), we exclude some collisions from Game −2 to Game 0. It is easy to see that Game −2 and Game 0 are indistinguishable. Then, from Game 0 to Game L, we stepwise replace the challenge ciphertext C* = (X*_1, …, X*_L, T*) and randomness R* = (R*_1, …, R*_L) with those generated by simulator S', where R*_i = (W_i, R^i_{X_Λ}, R^i_{K_Λ}) for i ∈ [L]. More specifically, for 0 ≤ m ≤ L, Game m coincides with Game 0 except that X*_i, K*_i and R*_i, for all i ≤ m, are generated by S'. Note that Game L is identical to the simulated experiment Exp^{NC-CCA-Sim}_{FHKW,A,S'}(k). Therefore, what remains is to prove that, for m ∈ {0, 1, 2, …, L − 1}, Game m and Game m + 1 are indistinguishable. We will show that the strongness of XAC is essential to this indistinguishability.

Note that the differences between Game m and Game m + 1 lie in X*_{m+1}, K*_{m+1} and R*_{m+1}. Similar to the proof of Theorem 3 in the work of Fehr et al. (2010), we proceed with the proof in a series of games. Let Game m.1 denote Game m. In Game m.2, we modify the decryption oracle Dec(sk, ·) such that it does not make any use of hsk, i.e., for a decryption query C, rather than verifying tag T, Dec(sk, ·) returns M_i = 0 directly if X_i ∉ L_Λ. Two properties, the perfect 2-universality of EHPS and the security of XAC against impersonation attacks, guarantee that Game m.2 and Game m.1 are statistically indistinguishable. Note that Game m.2 is inefficient. In Game m.3, if M*_{m+1} = 0, instead of choosing K*_{m+1} uniformly, set K*_{m+1} := SecEvl(hsk, X*_{m+1}, t*). The subset sparseness of SMP and the perfect 2-universality of EHPS guarantee that Game m.3 and Game m.2 are statistically indistinguishable. In Game m.4, we modify the way of computing K*_{m+1} again, i.e., if M*_{m+1} = 0, compute K*_{m+1} ← ReSamp(m + 1, K*_{≠m+1}, T*). The strongness of XAC guarantees that Game m.4 and Game m.3 are statistically indistinguishable. In Game m.5, we modify the decryption oracle Dec(sk, ·) such that it works with the original decryption rule. The perfect 2-universality of EHPS and the security of XAC against impersonation and substitution attacks guarantee that Game m.5 and Game m.4 are statistically indistinguishable. Note that Game m.5 is efficient. In Game m.6, we modify the way of generating X*_{m+1}, i.e., choose X*_{m+1} uniformly at random from L_Λ no matter whether M*_{m+1} is 0 or 1. The hardness of SMP guarantees that Game m.6 and Game m.5 are computationally indistinguishable. Game m.6 is identical to Game m + 1. Hence, we conclude that Game m is indistinguishable from Game m + 1.

The formal proof is as follows.

Proof. Our aim is to prove that, for any PPT adversary A, the simulated experiment Exp^{NC-CCA-Sim}_{FHKW,A,S'}(k) is computationally indistinguishable from the real experiment Exp^{NC-CCA-Real}_{FHKW,A}(k). Technically, we denote the challenge ciphertext and its related plaintext by C* and M*, and write C* := (X*_1, …, X*_L, T*) and M* := (M*_1, …, M*_L). Denote A's j-th decryption query by C^j := (X^j_1, …, X^j_L, T^j), the corresponding plaintext by M^j = (M^j_1, …, M^j_L), and define t*, t^j, K*_i and K^j_i similarly. Define K̃*_i := SecEvl(hsk, X*_i, t*) and K̃^j_i := SecEvl(hsk, X^j_i, t^j), and denote the final output of A in Game i by output_{A,i}. Without loss of generality, we assume that A always makes q decryption queries, where q = poly(k).

Game −2: Game −2 is the real experiment Exp^{NC-CCA-Real}_{FHKW,A}(k). Hence

$$\Pr[\mathrm{output}_{A,-2} = 1] = \Pr\bigl[\mathrm{Exp}^{NC\text{-}CCA\text{-}Real}_{FHKW,A}(k) = 1\bigr].$$

Game −1: Game −1 is the same as Game −2, except that, in the challenge ciphertext generation, the experiment aborts (with A outputting 1) if there exist distinct i, i' ∈ [L] such that X*_i = X*_{i'}. By a union bound, we have that

$$\bigl|\Pr[\mathrm{output}_{A,-1} = 1] - \Pr[\mathrm{output}_{A,-2} = 1]\bigr| \le \frac{L(L-1)}{2|L_\Lambda|}. \qquad (9)$$

Game 0: Game 0 is the same as Game −1, except for the decryption oracle. In Game 0, if A makes a decryption query C^j with (X^j_1, …, X^j_L) ≠ (X*_1, …, X*_L) and t^j = H(X^j_1, …, X^j_L) = H(X*_1, …, X*_L) = t*, the experiment aborts (without loss of generality, A outputs 1). Since H is a collision-resistant hash function, we have that

$$\bigl|\Pr[\mathrm{output}_{A,0} = 1] - \Pr[\mathrm{output}_{A,-1} = 1]\bigr| \le \mathrm{Adv}_{H,A'}(k)$$

for a suitable PPT algorithm A'.

In the remainder, we use a hybrid argument to finish this proof. From Game 0 to Game L, we replace the challenge ciphertext C* and its related randomness R* with those generated by simulator S' step by step. Specifically, for any 0 ≤ m ≤ L, Game m is identical to Game 0, except that, for any i ≤ m, X*_i, K*_i and their related randomness are all generated by simulator S'. Note that, in Game L, the whole challenge ciphertext C* and the whole randomness R* are both generated by simulator S'.

Looking ahead, if we can prove that, for any 0 ≤ m ≤ L − 1, Game m and Game m + 1 are indistinguishable, we will have that Game 0 and Game L are indistinguishable. So Game −2, which is Exp^{NC-CCA-Real}_{FHKW,A}(k), and Game L are indistinguishable. Note that Game L is indistinguishable from Exp^{NC-CCA-Sim}_{FHKW,A,S'}(k): if, in Game L, we reverse the changes made in Game 0 and Game −1, we obtain Exp^{NC-CCA-Sim}_{FHKW,A,S'}(k). This finishes the whole proof.

Now we prove that, for any 0 ≤ m ≤ L − 1, Game m and Game m + 1 are indistinguishable. This is through a series of indistinguishable games as well.

Game m.1: Game m.1 is identical with Game m.

Game m.2: Game m.2 is the same as Game m.1, except for the decryption oracle. In Game m.2, for any decryption query C^j = (X^j_1, …, X^j_L, T^j) and for any i ∈ [L], the challenger returns M^j_i = 0 directly if X^j_i ∉ L_Λ, and otherwise behaves just as in Game m.1: it computes K̃^j_i = SecEvl(hsk, X^j_i, t^j) and returns M^j_i = XVer(K̃^j_i, i, T^j). Note that the decryption oracle in Game m.2 is inefficient and that it does not leak any information on hsk beyond hpk.

Let bad_{m.2} (resp. bad_{m.1}) denote the event that, in Game m.2 (resp. Game m.1), A makes some decryption query C^j such that there is some i with X^j_i ∉ L_Λ but XVer(K̃^j_i, i, T^j) = 1. Note that Pr[bad_{m.2}] = Pr[bad_{m.1}] and that Game m.2 and Game m.1 are identical unless bad_{m.2} or bad_{m.1} occurs. We present the following lemma with a postponed proof.

Lemma 2. Pr[bad_{m.2}] ≤ qL · Adv^{imp}_{XAC}(k).

With the lemma, we have that

$$\bigl|\Pr[\mathrm{output}_{A,m.2} = 1] - \Pr[\mathrm{output}_{A,m.1} = 1]\bigr| \le \Pr[bad_{m.2}] \le qL \cdot \mathrm{Adv}^{imp}_{XAC}(k).$$

Game m.3: Game m.3 is the same as Game m.2, except for the generation of K*_{m+1} in the challenge ciphertext. In this game, set K*_{m+1} := SecEvl(hsk, X*_{m+1}, t*) if M*_{m+1} = 0, and the randomness of K*_{m+1} is opened as Explain(K_Λ, K*_{m+1}). When M*_{m+1} = 0, X*_{m+1} is chosen from X_Λ. If X*_{m+1} ∉ L_Λ, the perfect 2-universality of EHPS implies that K*_{m+1} is uniformly distributed over K_Λ, exactly as in Game m.2. Let sub_{m.3} (resp. sub_{m.2}) denote the event that X*_{m+1} ∈ L_Λ given M*_{m+1} = 0 in Game m.3 (resp. Game m.2). Note that Pr[sub_{m.3}] = Pr[sub_{m.2}] and that Game m.3 and Game m.2 are the same unless sub_{m.3} or sub_{m.2} occurs. So we have that

$$\bigl|\Pr[\mathrm{output}_{A,m.3} = 1] - \Pr[\mathrm{output}_{A,m.2} = 1]\bigr| \le \Pr[sub_{m.2}] = \frac{|L_\Lambda|}{|X_\Lambda|}.$$

Game m.4: Game m.4 is the same as Game m.3, except for the generation of K*_{m+1} in the challenge ciphertext. In this game, the way of computing K*_{m+1} is modified again. If M*_{m+1} = 0, compute K*_{m+1} ← ReSamp(m + 1, K*_{≠m+1}, T*). The randomness of K*_{m+1} is still opened as Explain(K_Λ, K*_{m+1}). The strongness of XAC guarantees that K*_{m+1} in Game m.4 and K*_{m+1} in Game m.3 are statistically indistinguishable. Hence,

$$\bigl|\Pr[\mathrm{output}_{A,m.4} = 1] - \Pr[\mathrm{output}_{A,m.3} = 1]\bigr| \le \mathrm{Dist}(k), \qquad (13)$$

where Dist(k) is the statistical distance between K*_{m+1} in Game m.4 and K*_{m+1} in Game m.3.

Game m.5: Game m.5 is the same as Game m.4, except that the decryption oracle works with the original decryption rule. In Game m.5, for any decryption query C^j = (X^j_1, …, X^j_L, T^j), the challenger computes K̃^j_i = SecEvl(hsk, X^j_i, t^j) and returns M^j_i = XVer(K̃^j_i, i, T^j). Note that the decryption oracle in Game m.5 is efficient again. Similarly, let bad_{m.5} (resp. bad_{m.4}) denote the event that, in Game m.5 (resp. Game m.4), A makes some decryption query C^j such that there is some i with X^j_i ∉ L_Λ but XVer(K̃^j_i, i, T^j) = 1. Note that Pr[bad_{m.5}] = Pr[bad_{m.4}] and that Game m.5 and Game m.4 are identical unless bad_{m.5} or bad_{m.4} occurs. We present the following lemma with a postponed proof.

Lemma 3. We have

$$\Pr[bad_{m.4}] \le qL \cdot \max\{\mathrm{Adv}^{imp}_{XAC}(k), \mathrm{Adv}^{sub}_{XAC}(k)\}. \qquad (14)$$

With this lemma, we have that

$$\bigl|\Pr[\mathrm{output}_{A,m.5} = 1] - \Pr[\mathrm{output}_{A,m.4} = 1]\bigr| \le \Pr[bad_{m.4}] \le qL \cdot \max\{\mathrm{Adv}^{imp}_{XAC}(k), \mathrm{Adv}^{sub}_{XAC}(k)\}.$$

Game m.6: Game m.6 is the same as Game m.5, except that, in the challenge ciphertext generation, the challenger chooses X*_{m+1} ← L_Λ no matter whether M*_{m+1} is 0 or 1, and X*_{m+1} is opened as Explain(X_Λ, X*_{m+1}) if M*_{m+1} = 0. Now the subset membership problem SMP can be reduced to the problem of efficiently distinguishing Game m.6 from Game m.5. We have that

$$\bigl|\Pr[\mathrm{output}_{A,m.6} = 1] - \Pr[\mathrm{output}_{A,m.5} = 1]\bigr| \le \mathrm{Adv}_{SMP,A''}(k) \qquad (16)$$

for a suitable PPT algorithm A''.

Combining the above results, we have that Game m.1 and Game m.6 are indistinguishable. Now that Game m.6 is identical to Game m + 1, we have that Game m and Game m +1 are indistinguishable. What remains is to prove Lemmas 2 and 3.

Proof. (Lemma 2) Let bad_{m.2.j.i} denote the event that A's j-th decryption query C^j = (X^j_1, …, X^j_L, T^j) satisfies X^j_i ∉ L_Λ but XVer(K̃^j_i, i, T^j) = 1 in Game m.2. In Game m.2, A has no information on hsk beyond hpk. For arbitrary (j, i) ∈ [q] × [L] and X^j_i ∉ L_Λ, the perfect 2-universality of EHPS implies that K̃^j_i = SecEvl(hsk, X^j_i, t^j) is uniformly random in K_Λ from A's point of view. Therefore,

$$\Pr[bad_{m.2.j.i}] \le \mathrm{Adv}^{imp}_{XAC}(k).$$

Note that bad_{m.2} = ⋃_{(j,i)∈[q]×[L]} bad_{m.2.j.i}. By a union bound, we have that

$$\Pr[bad_{m.2}] \le \sum_{(j,i)\in[q]\times[L]} \Pr[bad_{m.2.j.i}] \le qL \cdot \mathrm{Adv}^{imp}_{XAC}(k). \qquad ■$$

Proof. (Lemma 3) Let bad_{m.4.j.i} denote the event that A's j-th decryption query C^j = (X^j_1, …, X^j_L, T^j) satisfies X^j_i ∉ L_Λ but XVer(K̃^j_i, i, T^j) = 1 in Game m.4. Let K̃*_{m+1} denote the random variable SecEvl(hsk, X*_{m+1}, t*).

For arbitrary fixed (j, i) ∈ [q] × [L], we only consider X^j_i ∉ L_Λ (otherwise there is nothing to prove). If (X^j_i, t^j) ≠ (X*_{m+1}, t*), the perfect 2-universality of EHPS implies that K̃^j_i = SecEvl(hsk, X^j_i, t^j) is uniformly random in K_Λ from A's point of view. Hence,

$$\Pr[bad_{m.4.j.i} \mid (X^j_i, t^j) \neq (X^*_{m+1}, t^*)] \le \mathrm{Adv}^{imp}_{XAC}(k). \qquad (18)$$

If (X^j_i, t^j) = (X*_{m+1}, t*), then (X^j_1, …, X^j_L) = (X*_1, …, X*_L), since Game 0 excludes hash collisions. The decryption query C^j is not equal to the challenge ciphertext, so T^j ≠ T*. Note that, in this case, K̃^j_i = K̃*_{m+1}. What the adversary knows is given by (K*_1, …, K*_m, K*_{m+1}, K*_{m+2}, …, K*_L) and T*. However, K*_{m+1} = ReSamp(m + 1, K*_{≠m+1}, T*), which means that A's information can be characterized by K*_{≠m+1} and T*. The security of XAC against substitution attacks guarantees that, given K*_{≠m+1} and T*, A produces a T^j ≠ T* such that XVer(K̃*_{m+1}, i, T^j) = XVer(K̃^j_i, i, T^j) = 1 with probability at most Adv^{sub}_{XAC}(k), i.e.,

$$\Pr[bad_{m.4.j.i} \mid (X^j_i, t^j) = (X^*_{m+1}, t^*)] \le \mathrm{Adv}^{sub}_{XAC}(k).$$

Therefore, we have that

$$\Pr[bad_{m.4.j.i}] \le \max\{\mathrm{Adv}^{imp}_{XAC}(k), \mathrm{Adv}^{sub}_{XAC}(k)\}.$$

Lemma 3 follows from a union bound. ■

Remark 4. Recall that Game m.4 is missing in the original security proof of the FHKW scheme (Fehr et al., 2010). Without the employment of algorithm ReSamp in Game m.4, we would have K*_{m+1} = SecEvl(hsk, X*_{m+1}, t*). Then the simulator has to present the adversary with the randomness corresponding to K*_{m+1}. Consequently, the adversary is able to recover K*_{m+1} = SecEvl(hsk, X*_{m+1}, t*) from the randomness. But security against substitution attacks of the L-cross-authentication code assumes that the adversary knows nothing about K*_{m+1} except for (K*_{≠m+1}, T*). That is why the original security proof (Fehr et al., 2010) fails, and why ours goes through.

8. Conclusion

We provided a security analysis of the FHKW scheme (Fehr et al., 2010), and showed that the original simulator constructed by Fehr et al. (2010) is not sufficient to prove NC-CCA security. We provided a refined version of the FHKW scheme for a single bit and proved its NC-CCA security. Our scheme does not involve any cross-authentication code, avoiding the security problem that afflicts the FHKW scheme. To fix the security proof of the FHKW scheme, we introduced the notion of a strong cross-authentication code, applied it to the FHKW scheme, and proved that the new version of the FHKW scheme is NC-CCA secure for multi-bit plaintexts.

Open questions:

(i) The failure of the simulator proposed by Fehr et al. (2010) does not rule out the existence of other simulators working properly for the NC-CCA security proof of the FHKW scheme. Therefore, it is still open whether the original version of the FHKW scheme is NC-CCA secure or not.

(ii) Even if the original version of the FHKW scheme is not NC-CCA secure, it might still possess SIM-SO-CCA security. Hence, another question is whether it is SIM-SO-CCA secure or not.

(iii) It would be interesting to construct an NC-CCA secure PKE encrypting multiple bits from an NC-CCA secure PKE encrypting single bits. This question in the relaxed setting of IND-CCA2 has been answered by Myers and Shelat (2009). But the selective opening scenario is much more complicated, and we believe that the problem is much harder.

(iv) The last open question is whether every cross-authentication code is also a strong one, as discussed in Section 6.

Acknowledgment

This work is supported by NSFC (Nos. 61170229, 61133014, 61373153), Innovation Project (No.12ZZ021) of the Shanghai Municipal Education Commission, Specialized Research Fund (No. 20110073110016) for the Doctoral Program of Higher Education, and the Open Project Program (No.2013A01) of the State Key Laboratory of MEAC.

This is a full paper combining two conference papers, one featured in Public-Key Cryptography (PKC2013) and the other in Intelligent Networking and Collaborative Systems (INCoS 2013).

References

Bellare, M., Dowsley, R., Waters, B. and Yilek, S. (2012). Standard security does not imply security against selective-opening, in D. Pointcheval and T. Johansson (Eds.), Advances in Cryptology—EUROCRYPT 2012, Springer, Berlin/Heidelberg, pp. 645-662.

Bellare, M., Hofheinz, D. and Yilek, S. (2009). Possibility and impossibility results for encryption and commitment secure under selective opening, in A. Joux (Ed.), Advances in Cryptology—EUROCRYPT 2009, Springer, Berlin/Heidelberg, pp. 1-35.

Bellare, M., Waters, B. and Yilek, S. (2011). Identity-based encryption secure against selective opening attack, in Y. Ishai (Ed.), Theory of Cryptography, Springer, Berlin/Heidelberg, pp. 235-252.

Bohl, F., Hofheinz, D. and Kraschewski, D. (2012). On definitions of selective opening security, in M. Fischlin, J. Buchmann and M. Manulis (Eds.), Public Key Cryptography—PKC 2012, Springer, Berlin/Heidelberg, pp. 522-539.

Canetti, R., Friege, U., Goldreich, O. and Naor, M. (1996). Adaptively secure multi-party computation, Technical report, Massachusetts Institute of Technology, Cambridge, MA.

Cramer, R. and Shoup, V. (2002). Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption, in L.R. Knudsen (Ed.), Advances in Cryptology—EUROCRYPT 2002, Springer, Berlin/Heidelberg, pp. 45-64.

Fehr, S., Hofheinz, D., Kiltz, E. and Wee, H. (2010). Encryption schemes secure against chosen-ciphertext selective opening attacks, in H. Gilbert (Ed.), Advances in Cryptology—EUROCRYPT 2010, Springer, Berlin/Heidelberg, pp. 381-402.

Gao, C.-z., Xie, D. and Wei, B. (2012). Deniable encryptions secure against adaptive chosen ciphertext attack, in M.D. Ryan, B. Smyth and G. Wang (Eds.), Information Security Practice and Experience, Springer, Berlin/Heidelberg, pp. 46-62.

Hemenway, B., Libert, B., Ostrovsky, R. and Vergnaud, D. (2011). Lossy encryption: Constructions from general assumptions and efficient selective opening chosen ciphertext security, in D.H. Lee and X. Wang (Eds.), Advances in Cryptology—ASIACRYPT 2011, Springer, Berlin/Heidelberg, pp. 70-88.

Hofheinz, D. (2012). All-but-many lossy trapdoor functions, in D. Pointcheval and T. Johansson (Eds.), Advances in Cryptology—EUROCRYPT 2012, Springer, Berlin/Heidelberg, pp. 209-227.

Myers, S. and Shelat, A. (2009). Bit encryption is complete, 50th Annual IEEE Symposium on Foundations of Computer Science, FOCS09, Atlanta, GA, USA, pp. 607-616.

Peikert, C. and Waters, B. (2011). Lossy trapdoor functions and their applications, SIAM Journal on Computing 40(6): 1803-1844.

Zhengan Huang received his B.Sc. and M.Sc. degrees from the Department of Mathematics, Sun Yat-sen University, in 2009 and 2011, respectively. Currently, he is a Ph.D. candidate at Shanghai Jiao Tong University, Shanghai, China. His research interests include public-key cryptography and information security.

Shengli Liu obtained her Bachelor's, Master's and Ph.D. degrees from Xidian University in 1995, 1998 and 2000, respectively. From 2000 till 2002, she continued her research on cryptography and received another Ph.D. degree at Technische Universiteit Eindhoven, the Netherlands. In 2002, she joined the Department of Computer Science and Engineering, Shanghai Jiao Tong University. She is now a professor and her research interests include ID-based cryptography, pairing-based cryptosystems, and information-theoretic security.

Baodong Qin received the M.Sc. degree in 2007 from Shandong University, China. He is now a Ph.D. student at Shanghai Jiao Tong University, China. His research interests include theoretical cryptography and information security, particularly the construction of provably secure public-key cryptosystems.

Kefei Chen received the B.Sc. and M.Sc. degrees in applied mathematics from Xidian University, Xi'an, in 1982 and 1985, respectively, and the Ph.D. degree from Justus-Liebig University, Giessen, Germany, in 1994. From 1996 to 2013, he served as a professor at Shanghai Jiao Tong University. He is now a professor of Hangzhou Normal University. His fields of interest are public key cryptography, cryptographic protocol analysis and automatic verifying, as well as network security.

Appendix A When algorithm XAuth is probabilistic

In Section 4.3, we claimed that, if algorithm XAuth of XAC in the FHKW scheme is probabilistic, with the aforementioned simulator S in Section 4, the FHKW scheme cannot be proved NC-CCA secure for any positive integer L. Now we show the reason.

Firstly, a slight modification to XAuth is needed. Because XAuth is probabilistic, there is an inner random number R_XAuth used by XAuth during encryption (i.e., T ← XAuth(K_1, …, K_L; R_XAuth)). Note that the aforementioned simulator S should output randomness R = ((W_i, R^i_{X_Λ}, R^i_{K_Λ})_{i∈[L]}, R_XAuth) according to the ciphertext C and its related plaintext M. In the meantime, the original simulator S can recover (W_i, R^i_{X_Λ}, R^i_{K_Λ})_{i∈[L]}. Therefore, S should generate R_XAuth according to T and (K_1, …, K_L), which can be recovered from R = (W_i, R^i_{X_Λ}, R^i_{K_Λ})_{i∈[L]}. Now we make a modification to XAuth: we require that XAuth be efficiently "explainable", which means that there is an efficient algorithm Explain_XAuth such that R_XAuth ← Explain_XAuth((K_1, …, K_L), T). For simplicity, we still use the original notation S and XAuth after this modification.

Secondly, with the above modification, consider the main conclusion of this appendix. As in the proof of Theorem 1, our aim is to construct an adversary A = (A_1, A_2) to distinguish the two experiments Exp^{NC-CCA-Real}_{FHKW,A}(k) and Exp^{NC-CCA-Sim}_{FHKW,A,S}(k). The adversary A is the same as the one in the proof of Theorem 1, except that, in the decryption query stage, instead of choosing a random K_i, the adversary A uses the original K_i, which can be recovered from the randomness R = ((W_i, R^i_{X_Λ}, R^i_{K_Λ})_{i∈[L]}, R_XAuth). More specifically, in the first stage, A_1 returns M = (0, …, 0) to the challenger, and in the second stage, upon receiving the ciphertext C = (X_1, …, X_L, T) and randomness R, A_2 recovers (K_1, …, K_L) from R, computes T' ← XAuth(K_1, …, K_L; R'_XAuth), where R'_XAuth is fresh randomness chosen uniformly at random, and returns C' = (X_1, …, X_L, T') as its decryption query. Because XAuth is probabilistic, it is very easy for A to obtain a T' ≠ T in this way. As a result, with overwhelming probability, A_2 receives M' = (0, …, 0) as the decryption result of C' in Exp^{NC-CCA-Real}_{FHKW,A}(k), and receives M' = (1, …, 1) in Exp^{NC-CCA-Sim}_{FHKW,A,S}(k). Hence, A can distinguish Exp^{NC-CCA-Real}_{FHKW,A}(k) and Exp^{NC-CCA-Sim}_{FHKW,A,S}(k).

Appendix B Proof of Theorem 2

Proof. First, we construct a simulator S_E for scheme E = (Gen_E, Enc_E, Dec_E).

Simulator S_E:

• S_{E,1}(pk, 1): With pk = hpk, choose W ← R_SampleL and set X := SampleL(L_Λ; W). Then set K := PubEvl(hpk, X, W). Return the ciphertext C = (X, K).

• S_{E,2}(M): If M = 1, keep W as chosen in S_{E,1} and choose R_{X_Λ} ← R_Sample, R_{K_Λ} ← R_Sample; otherwise choose W ← R_SampleL, and set R_{X_Λ} ← Explain(X_Λ, X), R_{K_Λ} ← Explain(K_Λ, K). Return the randomness R = (W, R_{X_Λ}, R_{K_Λ}).
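A toy instantiation of scheme E from Section 5 together with the simulator S_E just described, as an added example that is not the paper's own code. It assumes (our choice, not the paper's) the DDH-style hash proof system of Cramer and Shoup over the order-509 subgroup of Z_1019^*, and trivial Sample/Explain algorithms: the randomness for X_Λ = G × G and for K_Λ = G is the element itself. That hash proof system is only 1-universal, so the block illustrates the mechanics of encryption, decryption and equivocal opening, not the 2-universality that Theorem 2 relies on. All function names are ours.

```python
"""Toy instantiation of the single-bit scheme E (Section 5) and its NC-CCA
simulator S_E (Appendix B).  Added example, not the paper's code.
Assumptions of our own: DDH-style HPS over the order-509 subgroup G of Z_1019^*
(p = 2q + 1 with q = 509), trivial Sample/Explain for X_Λ = G x G and K_Λ = G."""
import secrets

P, Qo = 1019, 509        # safe prime p and subgroup order q (toy sizes)
G1, G2 = 4, 9            # two generators of G: quadratic residues != 1 in Z_p^*


def rand_exp():
    return secrets.randbelow(Qo)


def rand_group_elem():
    return pow(G1, rand_exp(), P)     # uniform in G, since G1 generates G


# Subset membership problem: X_Λ = G x G, L_Λ = {(g1^w, g2^w)} with witness w.
def sample_L(w):                      # SampleL(L_Λ; W)
    return (pow(G1, w, P), pow(G2, w, P))

def sample_X(r):                      # Sample(X_Λ; R): the randomness is the element
    return r

def explain_X(x):                     # Explain(X_Λ, X): hence trivially explainable
    return x

def sample_K(r):                      # Sample(K_Λ; R)
    return r

def explain_K(k):                     # Explain(K_Λ, K)
    return k


# Hash proof system: hsk = (k1, k2), hpk = g1^k1 g2^k2.
def hash_gen():
    k1, k2 = rand_exp(), rand_exp()
    return pow(G1, k1, P) * pow(G2, k2, P) % P, (k1, k2)

def pub_evl(hpk, x, w):               # PubEvl(hpk, X, W) = hpk^W, needs the witness
    return pow(hpk, w, P)

def sec_evl(hsk, x):                  # SecEvl(hsk, X) = u1^k1 u2^k2, works on any X
    k1, k2 = hsk
    return pow(x[0], k1, P) * pow(x[1], k2, P) % P


# Scheme E.
def gen():
    return hash_gen()                 # (pk, sk) = (hpk, hsk)

def enc(pk, m, R):
    """Enc_E(pk, M; R) with R = (W, R_X, R_K): M = 1 gives X in L_Λ and K = PubEvl,
    M = 0 gives a random X in X_Λ and an independent random K."""
    w, rx, rk = R
    if m == 1:
        x = sample_L(w)
        return (x, pub_evl(pk, x, w))
    return (sample_X(rx), sample_K(rk))

def dec(sk, c):
    """Dec_E(sk, C): 1 iff K equals the secret evaluation on X."""
    x, k = c
    return 1 if sec_evl(sk, x) == k else 0

def fresh_randomness():
    return (rand_exp(), (rand_group_elem(), rand_group_elem()), rand_group_elem())


# Simulator S_E.
def sim1(pk):
    """S_E1: a ciphertext in the shape of an encryption of 1; keeps the witness."""
    w = rand_exp()
    x = sample_L(w)
    return (x, pub_evl(pk, x, w)), w

def sim2(c, w, m):
    """S_E2: open C as an encryption of M.  For M = 0 the opened K-randomness is
    Explain(K_Λ, K), i.e. K itself, which here equals SecEvl(hsk, X)."""
    x, k = c
    if m == 1:
        return (w, (rand_group_elem(), rand_group_elem()), rand_group_elem())
    return (rand_exp(), explain_X(x), explain_K(k))

def opened_consistently(pk, c, R, m):
    """Equivocation check: re-encrypting M under the opened R must give C back."""
    return enc(pk, m, R) == c
```

For M = 1 the opening hands over the real witness W; for M = 0 it hands over X and K themselves, which the trivial Explain makes legitimate randomness. Because scheme E has no tag over K, nothing else is revealed that would need resampling, which is the point Section 5 makes about dropping the cross-authentication code.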

With simulator S_E, we will show that, for any PPT adversary A, the two experiments Exp^{NC-CCA-Real}_{E,A}(k) and Exp^{NC-CCA-Sim}_{E,A,S_E}(k) are computationally indistinguishable through a series of indistinguishable games. Technically, we denote the challenge ciphertext and its corresponding plaintext by C* and M*, and write C* := (X*, K*). Without loss of generality, we assume that A always makes q decryption queries, where q = poly(k). For j ∈ [q], denote A's j-th decryption query by C^j := (X^j, K^j) and let its corresponding plaintext be M^j. At the same time, we define K̃* := SecEvl(hsk, X*) and K̃^j := SecEvl(hsk, X^j) for j ∈ [q], and denote the final output of A in Game i by output_{A,i}.

Game 0: Game 0 is the real experiment Exp^{NC-CCA-Real}_{E,A}(k). By our notation above,

$$\Pr[\mathrm{output}_{A,0} = 1] = \Pr\bigl[\mathrm{Exp}^{NC\text{-}CCA\text{-}Real}_{E,A}(k) = 1\bigr].$$

Game 1: Game 1 is the same as Game 0, except for the decryption oracle. In Game 1, for any decryption query C^j = (X^j, K^j) made by A, if X^j ∉ L_Λ, the challenger returns M^j = 0 directly, and if X^j ∈ L_Λ, the challenger answers the query as in Game 0: compute K̃^j = SecEvl(hsk, X^j), and if K̃^j = K^j, return M^j = 1, otherwise return M^j = 0. Note that the decryption oracle in Game 1 is inefficient and that it does not leak any information on hsk beyond hpk. Let bad_i denote the event that in Game i, A makes some decryption query C^j = (X^j, K^j) such that X^j ∉ L_Λ and K^j = K̃^j. Note that Pr[bad_1] = Pr[bad_0] and that Game 1 and Game 0 are identical unless bad_1 or bad_0 occurs. By the perfect 2-universality of HPS and a union bound, Pr[bad_1] = Pr[bad_0] ≤ q/|K_Λ|. So we have

$$\bigl|\Pr[\mathrm{output}_{A,1} = 1] - \Pr[\mathrm{output}_{A,0} = 1]\bigr| \le \Pr[bad_1] \le \frac{q}{|K_\Lambda|}.$$

Game 2: Game 2 is the same as Game 1, except that, in the challenge ciphertext generation, set K* = SecEvl(hsk, X*) if M* = 0, and then the randomness of K* is opened as Explain(K_Λ, K*). In Game 1, if M* = 0, K* can also be seen as being opened by Explain(K_Λ, K*). In Game 2, since the only information on hsk beyond hpk is released in the computation of K*, the perfect 2-universality of HPS implies that, if X* ∉ L_Λ, K* is uniformly distributed in K_Λ. Let sub_i denote the event that in Game i, when M* = 0, X* ∈ L_Λ. Note that Pr[sub_2] = Pr[sub_1] and that Game 2 and Game 1 are the same unless sub_2 or sub_1 occurs. So we have

$$\bigl|\Pr[\mathrm{output}_{A,2} = 1] - \Pr[\mathrm{output}_{A,1} = 1]\bigr| \le \Pr[sub_2] = \frac{|L_\Lambda|}{|X_\Lambda|}.$$

Game 3: Game 3 is the same as Game 2, except that the decryption oracle works with the original decryption rule. In Game 3, for any decryption query C^j = (X^j, K^j), the challenger sets K̃^j = SecEvl(hsk, X^j), then returns M^j = 1 if K̃^j = K^j, or returns M^j = 0 if K̃^j ≠ K^j. Note that the decryption oracle in Game 3 is efficient. Similarly, bad_i denotes the event that in Game i, A makes some decryption query C^j = (X^j, K^j) such that X^j ∉ L_Λ and K^j = K̃^j. Note that Pr[bad_3] = Pr[bad_2] and that Game 3 and Game 2 are identical unless bad_3 or bad_2 occurs. Since the only information on hsk beyond hpk is released in the computation of K*, by the perfect 2-universality of HPS and a union bound, Pr[bad_3] = Pr[bad_2] ≤ q/|K_Λ|. So

$$\bigl|\Pr[\mathrm{output}_{A,3} = 1] - \Pr[\mathrm{output}_{A,2} = 1]\bigr| \le \Pr[bad_3] \le \frac{q}{|K_\Lambda|}.$$

Game 4: Game 4 is the same as Game 3, except that, in the challenge ciphertext generation, the challenger chooses X* ← L_Λ also when M* = 0. That is to say, X* ← L_Λ is chosen no matter whether M* is 0 or 1, and X* is opened as Explain(X_Λ, X*) if M* = 0. Since SMP is hard,

$$\bigl|\Pr[\mathrm{output}_{A,4} = 1] - \Pr[\mathrm{output}_{A,3} = 1]\bigr| \le \mathrm{Adv}_{SMP,A}(k). \qquad (B5)$$

Combining all the above results, we have

$$\bigl|\Pr[\mathrm{output}_{A,0} = 1] - \Pr[\mathrm{output}_{A,4} = 1]\bigr| \le \frac{2q}{|K_\Lambda|} + \frac{|L_\Lambda|}{|X_\Lambda|} + \mathrm{Adv}_{SMP,A}(k).$$

Note that Game 4 is just the experiment Exp^{NC-CCA-Sim}_{E,A,S_E}(k). So we have

$$\Bigl|\Pr\bigl[\mathrm{Exp}^{NC\text{-}CCA\text{-}Real}_{E,A}(k) = 1\bigr] - \Pr\bigl[\mathrm{Exp}^{NC\text{-}CCA\text{-}Sim}_{E,A,S_E}(k) = 1\bigr]\Bigr| \le \frac{2q}{|K_\Lambda|} + \frac{|L_\Lambda|}{|X_\Lambda|} + \mathrm{Adv}_{SMP,A}(k),$$

which is negligible under the assumptions of Theorem 2. ■

Received: 3 January 2014 Revised: 10 June 2014