KDM-CCA Security of the Cramer-Shoup Cryptosystem, Revisited
Jinyong Chang
1,2
and Rui Xue
1
1
State Key Laboratory of Information Security, Institute of Information Engineering,
Chinese Academy of Sciences, Minzhuang Road 89#, Beijing, China
2
Department of Mathematics, Changzhi University, Changzhi, China
{changjinyong, xuerui}@iie.ac.cn
Keywords:
Key-dependent Message Security, CCA Security, DDH Assumption, Public Key Encryption.
Abstract:
An encryption scheme is key-dependent message chosen plaintext attack (KDM-CPA) secure means that it
is secure even if an adversary obtains encryptions of messages that depend on the secret key. However,
there are not many schemes that are KDM-CPA secure, let alone key-dependent message chosen ciphertext
attack (KDM-CCA) secure. So far, only two general constructions, due to Camenisch, Chandran, and Shoup
(Eurocrypt 2009), and Hofheinz (Eurocrypt 2013), are known to be KDM-CCA secure in the standard model.
Another scheme, a concrete implementation, was recently proposed by Qin, Liu and Huang (ACISP 2013),
where a KDM-CCA secure scheme was obtained from the classic Cramer-Shoup (CS) cryptosystem w.r.t. a
new family of functions. In this paper, we revisit the KDM-CCA security of the CS-scheme and prove that, in
two-user case, the CS-scheme achieves KDM-CCA security w.r.t. richer ensembles, which covers the result of
Qin et al.. In addition, we present another proof about the result in (QLH13) by extending our approach used
in two-user case to n-user case, which achieves a tighter reduction to the decisional Diffie-Hellman (DDH)
assumption.
1 INTRODUCTION
Secure encryption is the most basic task in cryptog-
raphy, and significant works have gone into defining
and attaining it. Many commonly accepted defini-
tions for secure encryption (GM84; RS91; RALS11)
assume that the plaintext messages to be encrypted
cannot depend on the secret decryption keys them-
selves. Over the last few years, it was observed that
in some situations the plaintext messages do depend
on the secret keys. Such situations may arise in hard-
disk encryption (BHHO08), computational soundness
results in formal methods (BRS02), or specific proto-
cols (CL01). Security in this more demanding setting
was termed KDM-CPA security (BRS02).
1
KDM-CPA security does not follow from stan-
dard security (CGH12), and there are indications
that KDM-CPA security (at least in its most general
form) cannot be proven using standard techniques
(BHHI10). For this reason, KDM-CPA security has
also received much attention in other settings, includ-
ing symmetric key encryption(BPS08), identity-based
encryption (GHV12).
1
A specific notion, called circular security, was defined
by Camenisch and Lysyanskaya in (CL01).
In this paper, we mainly focus on the KDM secu-
rity in public key encryption (PKE) setting. There-
fore, firstly, let us recall the classic definition of
KDM-CPA security w.r.t. an efficiently computable
function ensemble F , proposed by Black et al. in
(BRS02). In particular, an adversary is given n pub-
lic keys pk
1
,··· , pk
n
and can access an oracle O that
upon receiving a query (i, f ), where f is a function
in F , and i ∈ [n] is an index, returns an encryption
of f (sk
1
,··· ,sk
n
) under the public key pk
i
. Then the
scheme is KDM-CPA secure w.r.t. F if the adversary
cannot distinguish between the oracle O and an ora-
cle O
0
that always returns an encryption of (say) the
(same length) all-zero string.
When considering an active adversary, we re-
quire a stronger form of KDM-CPA security, namely,
KDM-CCA security. In short, KDM-CCA security
requires the scheme is secure against an adversary
who has access to an additional decryption oracle.
Naturally, to avoid a trivial notion, the adversary is not
allowed to submit any of those given from encryption
oracle to its decryption oracle.
So far, only two general constructions, due to
Camenisch et al. (CCS09) and Hofheinz (H13),
are known to be KDM-CCA secure in the standard
299