Hedging Public-Key Encryption in the Real World

Hedged PKE schemes are designed to provide useful security when the per-message randomness fails to be uniform, say, due to faulty implementations or adversarial actions. A simple and elegant theoretical approach to building such schemes works like this: Synthesize fresh random bits by hashing all of the encryption inputs, and use the resulting hash output as randomness for an underlying PKE scheme. The idea actually goes back to the Fujisaki-Okamoto transform for turning CPA-secure encryption into CCA-secure encryption, and is also used to build deterministic PKE schemes. In practice, implementing this simple construction is surprisingly difficult, as the high- and mid-level APIs presented by the most commonly used crypto libraries (e.g. OpenSSL and forks thereof) do not permit one to specify the per-encryption randomness. Thus application developers are forced to piece together low-level functionalities and attend to any associated, security-critical algorithmic choices. Other approaches to hedged PKE present similar problems in practice. We reconsider the matter of building hedged PKE schemes, and the security notions they aim to achieve. We lift the current best-possible security notion for hedged PKE (IND-CDA) from the CPA setting to the CCA setting, and then show how to achieve it using primitives that are readily available from high-level APIs. We also propose a new security notion, MM-CCA, which generalizes traditional IND-CCA to admit imperfect randomness. Like IND-CCA, and unlike IND-CDA, our notion gives the adversary the public key. We show that MM-CCA is achieved by RSA-OAEP in the random-oracle model; this is significant in practice because RSA-OAEP is directly available from high-level APIs across all libraries we surveyed. We sort out relationships among the various notions, and also develop new results for existing hedged PKE constructions

CCA-Secure Deterministic Identity-Based Encryption Scheme

Deterministic public-key encryption, encrypting a plaintext into a unique ciphertext without involving any randomness, was introduced by Bellare, Boldyreva, and O'Neill (CRYPTO 2007) as a realistic alternative to some inherent drawbacks in randomized public-key encryption. Bellare, Kiltz, Peikert and Waters (EUROCRYPT 2012) bring deterministic public-key encryption to the identity-based setting, and propose deterministic identity-based encryption scheme (DIBE). Although the construc- tions of chosen plaintext attack (CPA) secure DIBE scheme have been studied intensively, the construction of chosen ciphertext attack (CCA) secure DIBE scheme is still challenging problems. In this paper, we introduce the notion of identity-based all-but-one trapdoor functions (IB-ABO-TDF), which is an extension version of all-but-one lossy trapdoor function in the public-key setting. We give a instantiation of IB-ABO-TDF under decisional linear assumption. Based on an identity-based lossy trapdoor function and our IB-ABO-TDF, we present a generic construction of CCA-secure DIBE scheme