selective opening chosen ciphertext security directly from the ddh assumption

Chosen-ciphertext security has been well-accepted as a standard security notion for public key encryption. But in a multi-user surrounding, it may not be sufficient, since the adversary may corrupt some users to get the random coins as well as the plaintexts used to generate ciphertexts. The attack is named "selective opening attack". We study how to achieve full-fledged chosen-ciphertext security in selective opening setting directly from the DDH assumption. Our construction is free of chameleon hashing, since tags are created for encryptions in a flexible way to serve the security proof. © 2012 Springer-Verlag.Chosen-ciphertext security has been well-accepted as a standard security notion for public key encryption. But in a multi-user surrounding, it may not be sufficient, since the adversary may corrupt some users to get the random coins as well as the plaintexts used to generate ciphertexts. The attack is named "selective opening attack". We study how to achieve full-fledged chosen-ciphertext security in selective opening setting directly from the DDH assumption. Our construction is free of chameleon hashing, since tags are created for encryptions in a flexible way to serve the security proof. © 2012 Springer-Verlag

Simulation-based Receiver Selective Opening CCA Secure PKE from Standard Computational Assumptions

In the situation where there are one sender and multiple receivers, a receiver selective opening (RSO) attack for a public key encryption (PKE) scheme considers adversaries that can corrupt some of the receivers and get their secret keys and plaintexts. Security against RSO attacks for a PKE scheme ensures confidentiality of ciphertexts of uncorrupted receivers. Simulation-based RSO security against chosen ciphertext attacks (SIM-RSO-CCA) is the strongest security notion in all RSO attack scenarios. Jia, Lu, and Li (INDOCRYPT 2016) proposed the first SIM-RSO-CCA secure PKE scheme. However, their scheme used indistinguishablility obfuscation, which is not known to be constructed from any standard computational assumption. In this paper, we give two contributions for constructing SIM-RSO-CCA secure PKE from standard computational assumptions. Firstly, we propose a generic construction of SIM-RSO-CCA secure PKE using an IND-CPA secure PKE scheme and a non-interactive zero-knowledge proof system satisfying one-time simulation soundness. Secondly, we propose an efficient and concrete construction of SIM-RSO-CCA secure PKE based on the decisional Diffie-Hellman (DDH) assumption. Moreover, we give a method for efficiently expanding the plaintext space of the DDH-based construction. By applying this method to the construction, we obtain the first DDH-based SIM-RSO-CCA secure PKE scheme supporting a super-polynomially large plaintext space with compact ciphertexts