Abstract
With the rise of cloud computing, multi-user scenarios have become a common setting for data sharing nowadays. The conservative security notion might not be sufficient for such a data sharing model. As a response to this challenge, there has been significant research targeting security against receiver selective-opening (RSO) attacks. However, we found that none of these studies discuss RSO security specifically for predicate encryption (PE)—an encryption mechanism naturally designed for multi-user data sharing. This manuscript first formalizes the RSO security for PE. We then present a generic PE construction that achieves RSO security based on the simulation-based definition. Our work also features several instantiations for various predicate families, including attribute-based encryption for the monotone span program, which is known as one of the most expressive PE.
Data availability
Not applicable.
Code Availability
Not Applicable.
Notes
The BE, a practical one-to-many encryption mechanism, has been studied primarily in terms of SSO security [37].
There are several equivalent definitions for PE. Here we adopt the syntax defined in [4].
After this, we use SE as an abbreviation for spatial encryption.
The master public key \(\textsf{mpk}\) will be an implicit input to other algorithms.
The subscript \(\kappa \) will be omitted in the description below for simplicity.
References
Attrapadung N.: Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. In: Nguyen P.Q., Oswald E. (eds.) Advances in Cryptology—EUROCRYPT 2014, pp. 557–577. Springer, Berlin (2014).
Attrapadung N., Libert B.: Functional encryption for inner product: achieving constant-size ciphertexts with adaptive security or support for negation. In: Nguyen P.Q., Pointcheval D. (eds.) Public Key Cryptography—PKC 2010, pp. 384–402. Springer, Berlin (2010).
Attrapadung N., Libert B., De Panafieu E.: Expressive key-policy attribute-based encryption with constant-size ciphertexts. In: Public Key Cryptography–PKC 2011: 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, March 6–9, 2011. Proceedings 14, pp. 90–108. Springer, Berlin (2011).
Attrapadung N., Hanaoka G., Yamada S.: Conversions among several classes of predicate encryption and applications to ABE with various compactness tradeoffs. In: Iwata T., Cheon J.H. (eds.) Advances in Cryptology—ASIACRYPT 2015, pp. 575–601. Springer, Berlin (2015).
Bellare M., Hofheinz D., Yilek S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 1–35. Springer, Berlin (2009).
Bellare M., Waters B., Yilek S.: Identity-based encryption secure against selective opening attack. In: Theory of Cryptography Conference, pp. 235–252. Springer, Berlin (2011).
Bellare M., Dowsley R., Waters B., Yilek S.: Standard security does not imply security against selective-opening. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 645–662. Springer, Berlin (2012).
Benhamouda F., Gentry C., Gorbunov S., Halevi S., Krawczyk H., Lin C., Rabin T., Reyzin L.: Can a public blockchain keep a secret? In: Theory of Cryptography: 18th International Conference, TCC 2020, Durham, NC, USA, November 16–19, 2020, Proceedings, Part I 18, pp. 260–290. Springer, Berlin (2020).
Boneh D., Hamburg M.: Generalized identity based and broadcast encryption schemes. In: Pieprzyk J. (ed.) Advances in Cryptology—ASIACRYPT 2008, pp. 455–470. Springer, Berlin (2008).
Boneh D., Waters B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan S.P. (ed.) Theory of Cryptography, pp. 535–554. Springer, Berlin (2007).
Boneh D., Gentry C., Waters B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Annual International Cryptology Conference, pp. 258–275. Springer, Berlin (2005).
Boyen X., Li Q.: All-but-many lossy trapdoor functions from lattices and applications. In: Annual International Cryptology Conference, pp. 298–331. Springer, Berlin (2017).
Chen J., Wee H.: Doubly spatial encryption from DBDH. Theor. Comput. Sci. 543, 79–89 (2014).
Fehr S., Hofheinz D., Kiltz E., Wee H.: Encryption schemes secure against chosen-ciphertext selective opening attacks. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010, pp. 381–402. Springer, Berlin, Heidelberg (2010).
Fiat A., Naor M.: Broadcast encryption. In: Advances in Cryptology-CRYPTO’93: 13th Annual International Cryptology Conference Santa Barbara, California, USA August 22–26, 1993 Proceedings 13, pp. 480–491. Springer, Berlin (1994).
Gentry C., Silverberg A.: Hierarchical ID-based cryptography. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 548–566. Springer, Berlin (2002).
Goyal V., Pandey O., Sahai A., Waters B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 89–98 (2006).
Hara K., Kitagawa F., Matsuda T., Hanaoka G., Tanaka K.: Simulation-based receiver selective opening CCA secure PKE from standard computational assumptions. Theor. Comput. Sci. 795, 570–597 (2019).
Hara K., Matsuda T., Tanaka K.: Receiver selective opening chosen ciphertext secure identity-based encryption. In: Proceedings of the 8th ACM on ASIA Public-Key Cryptography Workshop, pp. 51–59 (2021).
Hazay C., Patra A., Warinschi B.: Selective opening security for receivers. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 443–469. Springer, Berlin (2015).
Hemenway B., Libert B., Ostrovsky R., Vergnaud D.: Lossy encryption: constructions from general assumptions and efficient selective opening chosen ciphertext security. In: Lee D.H., Wang X. (eds.) Advances in Cryptology—ASIACRYPT 2011, pp. 70–88. Springer, Berlin, Heidelberg (2011).
Heuer F., Poettering B.: Selective opening security from simulatable data encapsulation. In: Cheon J.H., Takagi T. (eds.) Advances in Cryptology—ASIACRYPT 2016, pp. 248–277. Springer, Berlin (2016).
Heuer F., Jager T., Schäge S., Kiltz E.: Selective opening security of practical public-key encryption schemes. IET Inf. Secur. 10(6), 304–318 (2016).
Hoang V.T., Katz J., O’Neill A., Zaheri M.: Selective-opening security in the presence of randomness failures. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 278–306. Springer, Berlin (2016).
Hofheinz D., Rao V., Wichs D.: Standard security does not imply indistinguishability under selective opening. In: Theory of Cryptography Conference, pp. 121–145. Springer, Berlin (2016).
Huang Z., Liu S., Mao X., Chen K., Li J.: Insight of the protection for data security under selective opening attacks. Inf. Sci. 412–413, 223–241 (2017).
Huang Z., Lai J., Chen W., Li T., Xiang Y.: Data security against receiver corruptions: SOA security for receivers from simulatable DEMs. Inf. Sci. 471, 201–215 (2019).
Huang Z., Lai J., Chen W., Raees-ul-Haq M., Jiang L.: Practical public key encryption with selective opening security for receivers. Inf. Sci. 478, 15–27 (2019).
Huang Z., Lai J., Chen W., Au M.H., Peng Z., Li J.: Simulation-based selective opening security for receivers under chosen-ciphertext attacks. Des. Codes Cryptogr. 87(6), 1345–1371 (2019).
Huang Z., Lai J., Zeng G., Mu X.: Receiver selective opening security for identity-based encryption in the multi-challenge setting. Des. Codes Cryptogr. 91, 1–27 (2022).
Jia D., Lu X., Li B.: Constructions secure against receiver selective opening and chosen ciphertext attacks. In: Handschuh H. (ed.) Topics in Cryptology—CT-RSA 2017, pp. 417–431. Springer, Cham (2017).
Katz J., Sahai A., Waters B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart N. (ed.) Advances in Cryptology—EUROCRYPT 2008, pp. 146–162. Springer, Berlin (2008).
Katz J., Maffei M., Malavolta G., Schröder D.: Subset predicate encryption and its applications. In: Capkun S., Chow S.S.M. (eds.) Cryptology and Network Security, pp. 115–134. Springer, Cham (2018).
Kitagawa F., Tanaka K.: Key dependent message security and receiver selective opening security for identity-based encryption. In: IACR International Workshop on Public Key Cryptography, pp. 32–61. Springer, Berlin (2018).
Libert B., Sakzad A., Stehlé D., Steinfeld R.: All-but-many lossy trapdoor functions and selective opening chosen-ciphertext security from LWE. In: Katz J., Shacham H. (eds.) Advances in Cryptology—CRYPTO 2017, pp. 332–364. Springer, Cham (2017).
Prasolov V.V.: Problems and Theorems in Linear Algebra. Translations of Mathematical Monographs. American Mathematical Society, Providence (1996).
Sun J., Hu Y.-P.: Identity-based broadcast encryption scheme against selective opening attack. J. Electron. Inf. Technol. 33(12), 2929–2934 (2011).
Waters B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. In: Catalano D., Fazio N., Gennaro R., Nicolosi A. (eds.) Public Key Cryptography—PKC 2011, pp. 53–70. Springer, Berlin (2011).
Yang R., Lai J., Huang Z., Au M.H., Xu Q., Susilo W.: Possibility and impossibility results for receiver selective opening secure PKE in the multi-challenge setting. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 191–220. Springer, Berlin (2020).
Acknowledgements
The authors thank the anonymous reviewers for their insightful suggestions on this work. This research is partially supported by the National Science and Technology Council, Taiwan (ROC), under Grant Numbers NSTC 111-2221-E-004-005-, NSTC 112-2221-E-004-004-, NSTC 112-2634-F-004-001-MBK, NSTC 109-2221-E-004-011-MY3, NSTC 110-2221-E-004-003, NSTC 110-2622-8-004-001, and NSTC 111-2218-E-004-001-MBK.
Author information
Contributions
Conceptualization: YFT; Methodology: YFT; Formal analysis and investigation: YFT; Writing—original draft preparation: YFT; Writing—review and editing: YFT, ZYL; Funding acquisition: YFT, RT; Supervision: YFT.
Ethics declarations
Conflict of interest
All authors declare that they have no conflicts of interest.
Ethics approval
Not applicable.
Consent to participate
All the authors have given their consent to participate in the work.
Consent for publication
All the authors have given their consent for the publication.
Additional information
Communicated by C. Weinert.
Appendices
Appendix A: Details of the embedding relationships
In this section, we show the details of the embedding relationships between IP and several predicate families.
A.1: Hidden vector encryption
An HVE scheme is a PE scheme supporting the following predicate family:
- \(\kappa = (\ell _1, \ell _2),\) for some \(\ell _1, \ell _2 \in \mathbb {N}\).
- \(\mathbb {X}_\kappa = (\Sigma )^{\ell _1}, \mathbb {Y}_\kappa = (\Sigma _*)^{\ell _1}\), where \(\Sigma \) is an alphabet set with \(\ell _2\) elements, \(\Sigma _* = \Sigma \cup \{*\}\), and \(*\) is the wildcard character. Here we note that, in most papers, \(\Sigma \) is chosen to be \(\{0, 1\}\), i.e., \(\ell _2 = 2\).
- \(R_\kappa ^{\textsf{HV}}(X, Y) = 1 \Longleftrightarrow \forall i \in [\ell _1], (X[i]= Y[i]) \vee (Y[i] = *)\), where \(X[i], Y[i]\) denote the \(i\)th element in \(X, Y\), respectively.
Katz et al. [32] have shown that
with \(\Sigma = \mathbb {Z}_p, g_P((\ell _1, \ell _2)) = (2\ell _1, \ell _2), g_C(X) = X' \in \Sigma ^{2\ell _1}, g_K(Y) = Y' \in \Sigma _*^{2\ell _1}\), where for \(i \in [\ell _1]\),
and
Besides, since \(\textsf{Dual}(R^{\textsf{IP}}) = R^{\textsf{IP}}\), by switching the roles of \(g_C, g_K\), we can further obtain
Therefore, by applying Lemma 2 and Corollary 1, we can obtain SIM-RSO-CPA secure PE schemes for \(R^{\textsf{HV}}, \textsf{Dual}(R^{\textsf{HV}}), \textsf{Neg}(R^{\textsf{HV}})\), and \(\textsf{Neg}(\textsf{Dual}(R^{\textsf{HV}}))\).
A.2: Broadcast encryption
A BE scheme is a PE scheme supporting the following predicate family:
- \(\kappa = (\ell ),\) for some \(\ell \in \mathbb {N}\).
- \(\mathbb {X}_\kappa = 2^{[\ell ]}\).
- \(\mathbb {Y}_\kappa = [\ell ]\).
- \(R_\kappa ^{\textsf{Br}}(X, Y) = 1 \Longleftrightarrow Y \in X\).
We can embed this membership predicate into the inner-product predicate as follows. Define \(f_X(z) = \prod _{i \in X}(z - i)\) for a set X, and define
This works since
and hence we have
Such an implication has been used to construct KPABE [3] under certain restrictions.
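The following added example (not code from the paper) checks the membership-to-inner-product embedding built on \(f_X(z) = \prod _{i \in X}(z - i)\). It assumes the standard polynomial-evaluation encoding, in which the ciphertext-side vector holds the coefficients of \(f_X\) and the key-side vector holds the powers of Y; the helper names and the modulus are hypothetical choices of this example.

```python
from itertools import combinations

P = 2**61 - 1  # constructed prime standing in for p (assumption)


def coeff_vector(X, ell, p=P):
    """Coefficients of f_X(z) = prod_{i in X}(z - i) mod p, low degree
    first, zero-padded to length ell + 1 (hypothetical helper)."""
    X = set(X)
    if ell >= p or not all(1 <= i <= ell for i in X):
        raise ValueError("need X subset of [ell] and ell < p")
    coeffs = [1]  # empty product: f(z) = 1, so no Y satisfies the predicate
    for i in sorted(X):
        nxt = [0] * (len(coeffs) + 1)
        for d, c in enumerate(coeffs):  # multiply by (z - i)
            nxt[d] = (nxt[d] - i * c) % p
            nxt[d + 1] = (nxt[d + 1] + c) % p
        coeffs = nxt
    return coeffs + [0] * (ell + 1 - len(coeffs))


def power_vector(Y, ell, p=P):
    """(1, Y, Y^2, ..., Y^ell) mod p (hypothetical helper)."""
    if not 1 <= Y <= ell:
        raise ValueError("Y must lie in [ell]")
    return [pow(Y, d, p) for d in range(ell + 1)]


def inner(u, v, p=P):
    return sum(a * b for a, b in zip(u, v)) % p


def r_ip(u, v, p=P):
    """R^IP: 1 iff <u, v> = 0 in Z_p."""
    return int(inner(u, v, p) == 0)


def r_br(X, Y):
    """R^Br: 1 iff Y is in X."""
    return int(Y in X)


def embedding_agrees(ell, p=P):
    """Check R^IP(coeffs(X), powers(Y)) == R^Br(X, Y) for every X, Y."""
    universe = range(1, ell + 1)
    subsets = (set(c) for k in range(ell + 1) for c in combinations(universe, k))
    return all(
        r_ip(coeff_vector(X, ell, p), power_vector(Y, ell, p), p) == r_br(X, Y)
        for X in subsets for Y in universe
    )


if __name__ == "__main__":
    print(embedding_agrees(6))  # exhaustive check over all 64 subsets of [6]
```

The inner product equals \(f_X(Y) \bmod p\), and the check \(\ell < p\) matters: it guarantees that no difference \(Y - i\) with \(Y \ne i\) vanishes modulo p, so the product is zero only for genuine members.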
A.3: Subset predicate encryption and its variants
An SPE scheme is a PE scheme supporting the following predicate family:
- \(\kappa = (\ell ),\) for some \(\ell \in \mathbb {N}\).
- \(\mathbb {X}_\kappa = \mathbb {Y}_\kappa = 2^{[\ell ]}\).
- \(R_\kappa ^{\textsf{SP}}(X, Y) = 1 \Longleftrightarrow Y \subseteq X\).
We use the characteristic string representation for a set. That is, for a set \(S \in 2^{[\ell ]}\), we interpret S as a vector of length \(\ell \), such that, for \(i \in [\ell ]\), \(S[i] = 1\) if \(i \in S\). According to [33], we can embed the subset predicate into the inner-product predicate. Thus, by Lemma 2 and Corollary 1, we have
where
Besides, it is easy to see that
and
where
Appendix B: Maps \(F = (f_P, f_C, f_K)\) for various predicate families
In this section, we present methods for designing maps tailored to various predicate families. Using the generic construction described in Sect. 4, we can obtain several cryptographic primitives with SIM-RSO-CPA security. This approach serves as an alternative to obtain these primitives, rather than acquiring them through the SIM-RSO-CPA secure CPABE scheme detailed in Sect. 5.
B.1: Inner-product encryption
An inner-product encryption scheme is a PE scheme supporting the following predicate family:
- \(\kappa = (\ell ),\) for some \(\ell \in \mathbb {N}\).
- \(\mathbb {X}_\kappa = \mathbb {Y}_\kappa = \mathbb {Z}_p^{\ell }\).
- \(R_\kappa ^{\textsf{IP}}(X, Y) = 1 \Longleftrightarrow \langle X, Y \rangle = 0\), where \(\langle \cdot , \cdot \rangle \) denotes the inner product operation.
We then define the maps \(F^{\textsf{IP}} = (f_P, f_C, f_K)\) for inner-product predicate as follows:
Following the definition of \(F^{\textsf{IP}}\), we have
For \(\alpha , r \in \{0,1\}\), since
we have
and thus \( R_{f_P(\kappa )}^{\textsf{IP}}(f_C(X, \alpha ), f_K(Y, r)) = R^{\textsf{IP}}(X,Y)\). Besides, when \(\alpha \ne r\), i.e., \(\alpha = 1 \oplus r\), we have that
Since either \(r \cdot r = 1\) or \((1\oplus r) \cdot (1\oplus r) = 1\), we have that
We can see that, since \(\mathbb {X}_\kappa = \mathbb {Y}_\kappa = \mathbb {Z}_p^{\ell }\),
Moreover, we have that \(\Pr [\langle X, Y \rangle = p-1] = \textsf{negl}(\lambda )\) when X, Y are uniformly distributed in \(\mathbb {Z}_p^{\ell }\). To achieve the uniform randomness, we can choose \(\alpha , \beta \xleftarrow {\$} \mathbb {Z}_p\), and set \(X' \leftarrow \alpha X, Y' \leftarrow \beta Y\). It is easy to verify that \(\langle X, Y \rangle = 0\) if and only if \(\langle X', Y' \rangle = 0\).
According to [32], we can embed several primitives into inner-product encryption, e.g., IBE. By using Lemma 2, we can immediately obtain those primitives with SIM-RSO-CPA security.
B.2: Non-zero inner-product encryption
A non-zero inner-product encryption scheme is a PE scheme supporting the predicate family \(R^{\textsf{NIP}} = \textsf{Neg}(R^{\textsf{IP}})\). We can define the maps \(F^{\textsf{NIP}} = (f_P, f_C, f_K)\) as follows:
Following the definition of \(F^{\textsf{NIP}}\), we have
For \(\alpha , r \in \{0, 1\}\), we have
Therefore, we have
Moreover, by applying Lemma 2 and Corollary 1, we can obtain negated IBE, negated BE, etc., with SIM-RSO-CPA security.
B.3: Hidden vector encryption
We have already detailed the embedding relationships in Appendix A.1. In this section, we further propose a more efficient map \(F^{\textsf{HV}}=(f_P, f_C, f_K)\) for the hidden vector predicate:
In particular, we require that \(\{0, 1\} \subset \Sigma \). Following the relation for HVE, one can easily see that \(F^{\textsf{HV}}\) satisfies the requirements defined in Sect. 4.1. Note that our maps are more efficient than those proposed by Katz et al. in terms of the vector length, which may usually affect the ciphertext length or private key size.
About this article
Cite this article
Tseng, YF., Liu, ZY. & Tso, R. Predicate encryption with selective-opening security for receivers: formal definition, generic construction, and concrete instantiations for several primitives. Des. Codes Cryptogr. (2024). https://doi.org/10.1007/s10623-023-01354-x
DOI: https://doi.org/10.1007/s10623-023-01354-x
Keywords
- Receiver selective-opening attack
- Predicate encryption
- Attribute-based encryption
- Expressive access control
- Data privacy