A conceptually simple and generic construction of plaintext checkable encryption in the standard model

Abstract

Plaintext-checkable encryption (PCE) can support searches over ciphertext by directly using plaintext. The functionality of a search is modeled by a specific check algorithm that takes a pair of target plaintext and ciphertext as input and returns 1 if the correct decryption result of the ciphertext is identical to the target plaintext. A trivial solution is to use an existing scheme (e.g., deterministic RSA) to achieve this, but there is no security guarantee with this method. Previous rigorous works have either relied on some mathematical structures to build PCE that can proven in the standard model or can be generic, as in the random oracle model. Hence, in this work, we aim to construct PCE that can be proven in the standard model by using standard primitives in a modular way in two steps. The first step is to present a warm-up construction of PCE from hash garbling and hash functions whose security is only proven in the random oracle model. The second step is to provide a full-fledged construction based on the warm-up, with slight modifications for achieving security in the standard model. Finally, we show the feasibility of the proposed construction through experiments.

Appendix A: Missing proofs

Proof of Lemma 3

Suppose \(\mathcal {A}\) is the adversary with non-negligible probability to distinguish \(\textsf {Hyb}_0\) and \(\textsf {Hyb}_{0,1}\), then we can create another algorithm \(\mathcal {B}\) which runs \(\mathcal {A}\) as a subroutine to break the weak security of HG.

Following the hybrid, \(\mathcal {A}\) receives a challenge as \((\textsf {Enc}' (pk',m_0),\widetilde{\textsf {P}},\widetilde{\textsf {y}})\). \(\widetilde{\textsf {y}}\) can be parsed as (t, r) such that \(\widetilde{\textsf {y}_{m_0}} = t \oplus H(m_0||r)\). The pair of \((\widetilde{\textsf {P}},\widetilde{\textsf {y}_{m_0}})\) is \((\widetilde{P}_{m_0},\widetilde{y}_{m_0})\) or \((\widetilde{P}_{\textsf {Sim}},\widetilde{y}_{\textsf {Sim}})\) where \(\widetilde{P}_{\textsf {Sim}},\widetilde{y}_{\textsf {Sim}}\) is generated by \(\textsf {Sim}(hk,m_0, 1^{|P_{m_0}|}, \bot )\). Note that \(\bot \) by the previous argument for \(\textsf {HIT}\). Accordingly, \(\mathcal {A}\) can transform parts of the challenge into \(\mathcal {B}\)’s input. \(\mathcal {A}\) directly sets \(\widetilde{\textsf {P}},\widetilde{\textsf {y}_{m_0}}\) as the input of \(\mathcal {B}\), and waits for the output of \(\mathcal {B}\). Finally, \(\mathcal {A}\)’s output (one bit) is set to be identical to \(\mathcal {B}\)’s, and thus it implies that \(\Pr [\mathcal {A}(\textsf {Enc}' (pk',m_0),\widetilde{\textsf {P}},\widetilde{\textsf {y}})=1] = \Pr [\mathcal {B}(\widetilde{\textsf {P}},\widetilde{\textsf {y}_{m_0}})]=1\). Weak security of HG offers \(|\Pr [\mathcal {B}(\widetilde{P}_{m_0},\widetilde{y}_{m_0})=1] - \Pr [\mathcal {B}(\widetilde{P}_{\textsf {Sim}},\widetilde{y}_{\textsf {Sim}})=1]| \le \textsf {negl}(n)\), so we obtain

$$\begin{aligned}{} & {} |\Pr [\mathcal {A}(\textsf {Enc}' (pk',m_0),\widetilde{P}_{m_0},(\widetilde{y}_{m_0}\oplus H(m_0||r), r))=1]\\{} & {} - \Pr [\mathcal {A}(\textsf {Enc}' (pk',m_0),\widetilde{P}_{\textsf {Sim}},(\widetilde{y}_{\textsf {Sim}}\oplus H(m_0||r), r))=1]|\le \textsf {negl}(n) \end{aligned}$$

as well as \(\textsf {Hyb}_0\) and \(\textsf {Hyb}_{0,1}\) are computationally indistinguishable. The proof of this lemma is done. \(\square \)

Proof of Lemma 5

Before we prove the lemma, we quickly remark the proof intuition of the main theorem. Our final goal is from \(\textsf {Hyb}_0\) to \(\textsf {Hyb}_1\) to replace \(\textsf {Enc}(pk',m_0)\) with \(\textsf {Enc}(pk',m_1)\). However, it cannot be directly replaced, since \((\widetilde{\textsf {P}},\widetilde{\textsf {y}})\) in \(\textsf {Hyb}_0\) includes the information of \(m_0\). However, Lemma 3 is used to eliminate the underlying \(m_0\) for \((\widetilde{P}_{m_0},\widetilde{y}_{m_0})\) by the power of the random oracle.

Let go back to this proof. Suppose \(\mathcal {A}\) is the adversary with non-negligible probability to distinguish \(\textsf {Hyb}_{0,2}\) and \(\textsf {Hyb}_{1,2}\), then we can create another algorithm \(\mathcal {B}\) that runs \(\mathcal {A}\) as a subroutine to break the CPA security of public key encryption. Following \(\textsf {Hyb}_{\beta ,2}, \mathcal {A}\) receives a challenge as \((\textsf {Enc}' (pk',m_\beta ),\widetilde{\textsf {P}},\widetilde{\textsf {y}})\) where \(\widetilde{\textsf {P}},\widetilde{\textsf {y}} \leftarrow U_{|\widetilde{P}|+|\widetilde{y}|}\). Consequently, \(\mathcal {A}\) can transform parts of the challenge into \(\mathcal {B}\)’s input. \(\mathcal {A}\) directly sets \(\textsf {Enc}' (pk',m_\beta )\) as the input of \(\mathcal {B}\), and waits for the output of \(\mathcal {B}\). Similarly to the proof of the above lemma, it implies that \(\Pr [\mathcal {A}(\textsf {Enc}' (pk',m_\beta ),\widetilde{\textsf {P}},\widetilde{\textsf {y}})] = \Pr [\mathcal {B}(\textsf {Enc}' (pk',m_\beta ))]\). The CPA security says \(|\Pr [\mathcal {B}(\textsf {Enc}' (pk',m_0))=1] - \Pr [\mathcal {B}(\textsf {Enc}' (pk',m_1))=1]| \le \textsf {negl}(n)\). We finally obtain

$$\begin{aligned} | \Pr [\mathcal {A}(\textsf {Enc}' (pk',m_0),\widetilde{\textsf {P}},\widetilde{\textsf {y}})=1] - \Pr [\mathcal {A}(\textsf {Enc}' (pk',m_1),\widetilde{\textsf {P}},\widetilde{\textsf {y}})=1] | \le \textsf {negl}(n) \end{aligned}$$

as well as \(\textsf {Hyb}_{0,2}\) and \(\textsf {Hyb}_{1,2}\) are computationally indistinguishable. The proof of this lemma is done. \(\square \)