Tightly-Secure Encryption in the Multi-user, Multi-challenge Setting with Improved Efficiency

  • Conference paper
Information Security and Privacy (ACISP 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10342)

Abstract

We construct a compact public-key encryption with tight CCA security in the multi-user, multi-challenge setting, where the reduction loss is a constant. Our scheme follows the Hofheinz-Jager framework but is compressed in the sense that only one of the underlying two-tier signatures needs to be committed. Considering the virtually unbounded simulations, e.g., \(2^{80}\), the ciphertext size of our scheme decreases to about 256 group elements, whereas the best known solution provided by Blazy et al. required about 625 group elements under the same standard assumptions. In particular, we formalize a new notion called simulatable two-tier signature, which plays a central role in the construction of our tree-based signature and public-key encryption. Combining simulatable two-tier signatures with additional “ephemeral” signatures, we provide a method of constructing commitments to a tree-based signature, where most parts of the tree-based signature can be simulated and sent in the clear. Our method can reduce the length of the commitments and the related proofs of knowledge in previous works by 60%.

Notes

  1. The concrete ciphertext size of PKE in [10] is not explicit in their paper. We compute the ciphertext size according to the appendix of [10] when \(d=2\), \(f=1\) and \(\lambda =80\). Note that \((d,f)\) are the parameters related to the underlying \(d\)-time two-tier signatures and \(2^{\lambda }\) denotes the maximal number of signatures.

  2. The simulatable two-tier signature is different from the notion of simulatable signature introduced in [2]. The latter is defined in the common reference string (CRS) model and allows valid signatures to be created using the trapdoor associated with the CRS, while our simulatable two-tier signature does not require the CRS and the trapdoor.

  3. For simplicity, we omit the description of state information. Indeed, we need to store the state information, such as \(v_h\), \((\widehat{\textsf {ppk}},\widehat{\textsf {psk}})\), and the secondary public/secret key pairs and corresponding two-tier signatures generated so far.

  4. For more details on the definition of IND-CCA security in the multi-user/-challenge setting, we refer to [19].

  5. k in the left side of Eq. (6).

  6. Theorem 7 in [1] states that their scheme is IND-CCA secure in the multi-challenge setting. As explained in [1], it is trivial to preserve tightness when extending the security reduction from the single-user setting to the multi-user setting.

References

  1. Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36362-7_20

  2. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14623-7_12

  3. Attrapadung, N., Hanaoka, G., Yamada, S.: A framework for identity-based encryption with almost tight security. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 521–549. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_22

  4. Bader, C., Hofheinz, D., Jager, T., Kiltz, E., Li, Y.: Tightly-secure authenticated key exchange. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 629–658. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46494-6_26

  5. Bader, C., Jager, T., Li, Y., Schäge, S.: On the impossibility of tight cryptographic reductions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 273–304. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49896-5_10

  6. Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Randomizable proofs and delegatable anonymous credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 108–125. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_7

  7. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). doi:10.1007/3-540-45539-6_18

  8. Bellare, M., Shoup, S.: Two-tier signatures, strongly unforgeable signatures, and Fiat-Shamir without random oracles. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 201–216. Springer, Heidelberg (2007). doi:10.1007/978-3-540-71677-8_14

  9. Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 408–425. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_23

  10. Blazy, O., Kakvi, S.A., Kiltz, E., Pan, J.: Tightly-secure signatures from chameleon hash functions. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 256–279. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_12

  11. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_3

  12. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_13

  13. Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40084-1_25

  14. Dodis, Y., Haralambiev, K., López-Alt, A., Wichs, D.: Efficient public-key cryptography in the presence of key leakage. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 613–631. Springer, Heidelberg (2010). doi:10.1007/978-3-642-17373-8_35

  15. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theor. IT–31(4), 469–472 (1985)

  16. Gay, R., Hofheinz, D., Kiltz, E., Wee, H.: Tightly CCA-secure encryption without pairings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 1–27. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49890-3_1

  17. Goldreich, O.: Two remarks concerning the Goldwasser-Micali-Rivest signature scheme. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 104–110. Springer, Heidelberg (1987). doi:10.1007/3-540-47721-7_8

  18. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). doi:10.1007/11935230_29

  19. Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_35

  20. Hofheinz, D.: Algebraic partitioning: fully compact and (almost) tightly secure cryptography. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 251–281. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49096-9_11

  21. Hofheinz, D., Koch, J., Striecks, C.: Identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext setting. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 799–822. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46447-2_36

  22. Kiltz, E., Pan, J., Wee, H.: Structure-preserving signatures from standard assumptions, revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 275–295. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48000-7_14

  23. Krawczyk, H., Rabin, T.: Chameleon hashing and signatures. In: Proceedings of NDSS 2000, pp. 143–154 (2000)

  24. Libert, B., Joye, M., Yung, M., Peters, T.: Concise multi-challenge CCA-secure encryption and signatures with almost tight security. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 1–21. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45608-8_1

  25. Libert, B., Peters, T., Joye, M., Yung, M.: Compactly hiding linear spans. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 681–707. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48797-6_28

  26. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen cipher-text attacks. In: STOC 1990, pp. 427–437. ACM, New York (1990)

  27. Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992). doi:10.1007/3-540-46766-1_35

Acknowledgements

We would like to thank the reviewers for helpful comments. Puwen Wei and Wei Wang were supported by NSFC (No. 61502276 and No. 61672019) and the Foundation of Science and Technology on Communication Security Laboratory (No. 9140c110207150c11050). Bingxin Zhu was supported by the Fundamental Research Funds of Shandong University (No. 2016JC029).

Author information

Correspondence to Puwen Wei or Wei Wang.

Appendices

A Examples of Simulatable Two-Tier Signatures

In this section, we briefly describe some examples of simulatable two-tier signatures based on schemes in [10]. The validity proof of the corresponding SimTTSign algorithms is easy to check and thus omitted.

  • Simulatable two-tier signatures based on \(f\)-CDHI [10]

    • \(\textsf {PriGen}(1^{\lambda },d)\): \(g\mathop {\leftarrow }\limits ^{R}\mathbb {G}\), \((x_0,\dots ,x_c)\mathop {\leftarrow }\limits ^{R}\mathbb {Z}_p\), \(\textsf {psk}=(x_0,\dots ,x_c)\), \(\textsf {ppk}=(g,(h_0,\dots ,h_c))\), where \(c\cdot f=d\) and \(h_i=g^{x_i}\) for \(i=0,\dots ,c\).

    • \(\textsf {SecGen}(\textsf {ppk},\textsf {psk})\): \(k\mathop {\leftarrow }\limits ^{R}\mathbb {G}\), \(\textsf {spk}=k\), \(\textsf {ssk}\) is empty.

    • \(\textsf {TTSign}(\textsf {psk},\textsf {ssk},m,j)\): \(j=\alpha f+\beta \), where \(j\in \{1,\dots ,d\}, \alpha \in \{0,\dots ,c\}\) and \(\beta \in \{0,\dots ,f-1\}\). Output \(\sigma =(g^mk)^{1/(x_{\alpha }+\beta )}\).

    • \(\textsf {TTVrfy}(\textsf {ppk},\textsf {spk},m,\sigma ;j)\): Check if \(e(\sigma ,h_{\alpha }g^{\beta })=e(g^{m}k,g)\).

    • \(\textsf {SimTTSign}(\textsf {ppk}, m)\): \(r\mathop {\leftarrow }\limits ^{R}\mathbb {Z}_p\), \(\sigma '\leftarrow g^r\) and \(\textsf {spk}'=(h_{\alpha }g^{\beta })^rg^{-m}\), where \(j=\alpha f+\beta \). Output \((\textsf {spk}',\sigma ')\).

  • Simulatable two-tier signatures based on DLOG [10]

    • \(\textsf {PriGen}(1^{\lambda })\): \(x\mathop {\leftarrow }\limits ^{R}\mathbb {Z}_p\), \(g\in \mathbb {G}\), \(\textsf {psk}=x\), \(\textsf {ppk}=y=g^x\).

    • \(\textsf {SecGen}(\textsf {ppk},\textsf {psk})\): \(r\mathop {\leftarrow }\limits ^{R}\mathbb {Z}_p\), \(\textsf {ssk}=r\), \(\textsf {spk}=y^0g^r\).

    • \(\textsf {TTSign}(\textsf {psk},\textsf {ssk},m)\): Output \(\sigma =r-xm\).

    • \(\textsf {TTVrfy}(\textsf {ppk},\textsf {spk},m,\sigma )\): Check if \(y^mg^{\sigma }=\textsf {spk}\).

    • \(\textsf {SimTTSign}(\textsf {ppk}, m)\): \(\sigma '\mathop {\leftarrow }\limits ^{R}\mathbb {Z}_p\) and \(\textsf {spk}'=y^mg^{\sigma '}\). Output \((\textsf {spk}',\sigma ')\).
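The omitted validity check for the DLOG-based scheme can be carried out exhaustively in a small group. The following Python sketch is an added example, not code from the paper: the group parameters \(P=2039\), \(q=1019\), \(g=4\) are constructed toy values (far too small for real use), and the optional arguments that fix the randomness are an assumption made so that every \(r\) and \(\sigma '\) can be enumerated.

```python
import secrets

# Constructed toy group (assumption, insecure size): P = 2Q + 1 with Q prime,
# and G = 4 generates the order-Q subgroup of Z_P^*.
P, Q, G = 2039, 1019, 4


def pri_gen(x=None):
    """PriGen: psk = x, ppk = y = g^x. x may be fixed for reproducibility."""
    x = 1 + secrets.randbelow(Q - 1) if x is None else x % Q
    return pow(G, x, P), x


def sec_gen(ppk, psk, r=None):
    """SecGen: ssk = r, spk = y^0 * g^r = g^r."""
    r = secrets.randbelow(Q) if r is None else r % Q
    return pow(G, r, P), r


def tt_sign(psk, ssk, m):
    """TTSign: sigma = r - x*m (mod Q)."""
    return (ssk - psk * m) % Q


def tt_vrfy(ppk, spk, m, sigma):
    """TTVrfy: accept iff y^m * g^sigma == spk."""
    return (pow(ppk, m % Q, P) * pow(G, sigma % Q, P)) % P == spk


def sim_tt_sign(ppk, m, sigma=None):
    """SimTTSign: pick sigma' first, then solve for spk' = y^m * g^sigma'.
    Needs only ppk, never psk."""
    sigma = secrets.randbelow(Q) if sigma is None else sigma % Q
    spk = (pow(ppk, m % Q, P) * pow(G, sigma, P)) % P
    return spk, sigma


def real_pairs(ppk, psk, m):
    """All (spk, sigma) pairs the honest signer can output on m (one per r)."""
    return {(sec_gen(ppk, psk, r)[0], tt_sign(psk, r, m)) for r in range(Q)}


def simulated_pairs(ppk, m):
    """All (spk', sigma') pairs the simulator can output on m (one per sigma')."""
    return {sim_tt_sign(ppk, m, s) for s in range(Q)}


if __name__ == "__main__":
    ppk, psk = pri_gen()
    m = 77  # constructed sample message, already an element of Z_Q
    spk, ssk = sec_gen(ppk, psk)
    sigma = tt_sign(psk, ssk, m)
    print("honest signature verifies:   ", tt_vrfy(ppk, spk, m, sigma))
    spk_s, sigma_s = sim_tt_sign(ppk, m)
    print("simulated signature verifies:", tt_vrfy(ppk, spk_s, m, sigma_s))
    # Both maps are bijections from Z_Q onto the same set of pairs, so uniform
    # r and uniform sigma' induce identical distributions on (spk, sigma).
    print("identical supports:", real_pairs(ppk, psk, m) == simulated_pairs(ppk, m))
```

Because both enumerations produce exactly \(q\) distinct pairs and the sets coincide, the simulated \((\textsf {spk}',\sigma ')\) is distributed identically to an honestly generated pair for the same message.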

B Illustration of TreeSig

Fig. 1. Structure of TreeSig. \((\widehat{\textsf {spk}_{v_i||0}},\widehat{\textsf {spk}_{v_i||1}})\) are authenticated by signature \(\sigma _{v_i}\) that verifies under \(\textsf {spk}_{v_i}\), and \(\textsf {spk}_{v_{i+1}}\) with \(v_{i+1}=v_i||\beta _ij_i\) is authenticated by signature \(\widehat{\sigma _{v_i||\beta _i}}\) that verifies under \(\widehat{\textsf {spk}_{v_i||\beta _i}}\).

C Proof of Theorem 1

Proof

Suppose \(\mathcal {A}\) is a PPT adversary that \((\epsilon _{\textsf {Tree}},t_{\textsf {Tree}},q_{\textsf {Tree}})\)-breaks the EUF-NCMA security of TreeSig. We show how to construct a PPT algorithm \(\mathcal {B}\) that \((\epsilon _{\textsf {TTSig}},t_{\textsf {TTSig}},q_{\textsf {TTSig}})\)-breaks the EUF-NCMA security of TTSig or a PPT algorithm \(\hat{\mathcal {B}}\) that \((\epsilon _{\widehat{\textsf {TTSig}}},t_{\widehat{\textsf {TTSig}}},q_{\widehat{\textsf {TTSig}}})\)-breaks the EUF-NCMA security of \(\widehat{\textsf {TTSig}}\).

Construction of \(\mathcal {B}\). When receiving \((m^{(1)},\dots ,m^{(q)})\), \(\mathcal {B}\) computes \((\widehat{\textsf {ppk}},\widehat{\textsf {psk}})\leftarrow \widehat{\textsf {PriGen}}(1^{\lambda })\) and generates the signature \(\sigma ^{(j)}\) on \(m^{(j)}\) as below, for \(j=1,\dots ,q\).

  • Authentication for and nodes generation. Choose the leftmost unused leaf \(N_{v_h}\). For \(i=0,1,\dots ,h-1\), if the related keys associated to \(N_{v_{i}}\) have not been defined, compute \((\widehat{\textsf {spk}_{v_i||0}},\widehat{\textsf {ssk}_{v_i||0}})\leftarrow \widehat{\textsf {SecGen}}(\widehat{\textsf {ppk}},\) \(\widehat{\textsf {psk}})\) and \((\widehat{\textsf {spk}_{v_i||1}},\widehat{\textsf {ssk}_{v_i||1}})\leftarrow \widehat{\textsf {SecGen}}(\widehat{\textsf {ppk}},\widehat{\textsf {psk}})\), query the signing oracle \(\mathcal {O}_{\textsf {TTSig}}(\cdot )\) with message \(\widehat{\textsf {spk}_{v_i||0}}||\widehat{\textsf {spk}_{v_i||1}}||\widehat{\textsf {ppk}}\) and get \((\textsf {spk}_{v_i},\sigma _{v_i})\). For the leaf \(N_{v_h}\), query the signing oracle \(\mathcal {O}_{\textsf {TTSig}}(\cdot )\) with message \(m^{(j)}\), and get \((\textsf {spk}_{v_h^{(j)}},\sigma _{v_h^{(j)}})\).

  • Authentication for For \(i=0,1,\dots ,h-1\), if \(\textsf {spk}_{v_{i+1}}\) has not been authenticated, compute \(\widehat{\sigma _{v_{i}||\beta _i}}\leftarrow \widehat{\textsf {TTSign}}(\widehat{\textsf {psk}},\widehat{\textsf {ssk}_{v_{i}||\beta _i}},\) \(\textsf {spk}_{v_{i+1}};j_i),\) where \(v_{i+1}=v_i||\beta _ij_i\).

Hence the signature \(\sigma ^{(j)}\) on message \(m^{(j)}\) can be generated without knowing \(\textsf {sk}_{tree}\). Return \(\textsf {vk}_{tree}=(\textsf {ppk},\textsf {spk}_{v_0})\) and \((\sigma ^{(1)},\dots ,\sigma ^{(q)})\) to \(\mathcal {A}\). Note that \(\mathcal {B}\) perfectly simulates the signing oracle of TreeSig and the resulting distribution is identical to that of the real one. Suppose \(\mathcal {A}\) outputs a forgery \((m^*,\sigma ^{(*)})\) and \(\delta \) is the largest index such that \(\textsf {spk}_{v_\delta ^{(*)}}=\textsf {spk}_{v_\delta ^{(i)}}\) for some \(i\). Here, variables with \((*)\) (or \((i)\)) denote the corresponding parts of \(\sigma ^{(*)}\) (or \(\sigma ^{(i)}\)). Consider the following cases.

  • If \(\widehat{\textsf {ppk}}^{(*)}\ne \widehat{\textsf {ppk}}\), \(\mathcal {B}\) outputs \((\widehat{\textsf {spk}_{v_{0}||0^{(*)}}}||\widehat{\textsf {spk}_{v_{0}||1^{(*)}}}||\widehat{\textsf {ppk}}^{(*)}, \sigma _{v_{0}^{(*)}}, i_{v_{0}})\), where \(i_{v_{0}}\) denotes the \(i_{v_{0}}\)-th query to \(\mathcal {O}_{\textsf {TTSig}}\) and corresponds to the secondary public key \(\textsf {spk}_{v_{0}}\).

  • If \(\widehat{\textsf {ppk}}^{(*)}= \widehat{\textsf {ppk}}\),

    • \(\delta =h\). \(\mathcal {B}\) outputs \((m^*,\sigma _{v_h^{(*)}},i_{v_h^{(i)}})\), where \(i_{v_h^{(i)}}\) denotes the \(i_{v_h^{(i)}}\)-th query to \(\mathcal {O}_{\textsf {TTSig}}\) and corresponds to \(\textsf {spk}_{v_h^{(i)}}\).

    • \(\delta <h\).

      • \(\beta _{\delta }^{(*)}\ne \beta _{\delta }^{(i)}\) and \(\widehat{\textsf {spk}_{v_\delta || \beta _{\delta }^{(*)}}}\ne \widehat{\textsf {spk}_{v_\delta || (\beta _{\delta }^{(i)}\oplus 1)}}\). \(\mathcal {B}\) outputs \((\widehat{\textsf {spk}_{v_{\delta }||0^{(*)}}}||\widehat{\textsf {spk}_{v_{\delta }||1^{(*)}}}||\widehat{\textsf {ppk}}^{(*)}, \sigma _{v_\delta ^{(*)}},i_{v_\delta ^{(i)}})\), where \(i_{v_\delta ^{(i)}}\) denotes the \(i_{v_\delta ^{(i)}}\)-th query to \(\mathcal {O}_{\textsf {TTSig}}\) and corresponds to \(\textsf {spk}_{v_\delta ^{(i)}}\).

      • \(\beta _{\delta }^{(*)}= \beta _{\delta }^{(i)}\) and \(\widehat{\textsf {spk}_{v_\delta || \beta _{\delta }^{(*)}}}\ne \widehat{\textsf {spk}_{v_\delta || \beta _{\delta }^{(i)}}}\). \(\mathcal {B}\) outputs \((\widehat{\textsf {spk}_{v_{\delta }||0^{(*)}}}||\widehat{\textsf {spk}_{v_{\delta }||1^{(*)}}}||\widehat{\textsf {ppk}}^{(*)}, \sigma _{v_\delta ^{(*)}},i_{v_\delta ^{(i)}})\).

      • Otherwise, \(\mathcal {B}\) aborts. More precisely, \(\mathcal {B}\) aborts if \(((\beta _{\delta }^{(*)}\ne \beta _{\delta }^{(i)})\wedge (\widehat{\textsf {spk}_{v_\delta || \beta _{\delta }^{(*)}}}= \widehat{\textsf {spk}_{v_\delta || (\beta _{\delta }^{(i)}\oplus 1)}}))\) or \(((\beta _{\delta }^{(*)}= \beta _{\delta }^{(i)}) \wedge (\widehat{\textsf {spk}_{v_\delta || \beta _{\delta }^{(*)}}}= \widehat{\textsf {spk}_{v_\delta || \beta _{\delta }^{(i)}}}))\). Denote this event as Bad.

By the perfect simulation of \(\mathcal {B}\),

$$\begin{aligned} \Pr [\textsf {Exp}_{\textsf {TreeSig},\mathcal {A},q_{\textsf {Tree}}}^{\textsf {EUF-NCMA}}(\lambda )=1\wedge \lnot \textsf {Bad}]= \Pr [\textsf {Exp}_{\textsf {TTSig},\mathcal {B},q_{\textsf {TTSig}}}^{\textsf {TT-EUF-NCMA}}(\lambda )=1\wedge \lnot \textsf {Bad}], \end{aligned}$$

where \(q_{\textsf {Tree}}=q\). So we have

$$\begin{aligned} \Pr [\textsf {Exp}_{\textsf {TreeSig},\mathcal {A},q_{\textsf {Tree}}}^{\textsf {EUF-NCMA}}(\lambda )=1] \le {}&\Pr [\textsf {Exp}_{\textsf {TreeSig},\mathcal {A},q_{\textsf {Tree}}}^{\textsf {EUF-NCMA}}(\lambda )=1\wedge \textsf {Bad}]\\ &+ \Pr [\textsf {Exp}_{\textsf {TTSig},\mathcal {B},q_{\textsf {TTSig}}}^{\textsf {TT-EUF-NCMA}}(\lambda )=1]. \end{aligned} \qquad (8)$$

Construction of \(\hat{\mathcal {B}}\). Next, we will show that \(\Pr [\textsf {Exp}_{\textsf {TreeSig},\mathcal {A},q_{\textsf {Tree}}}^{\textsf {EUF-NCMA}}(\lambda )=1\wedge \textsf {Bad}]\le \epsilon _{\widehat{\textsf {TTSig}}}\) by constructing a PPT algorithm \(\hat{\mathcal {B}}\), which breaks the security of \(\widehat{\textsf {TTSig}}\). \(\hat{\mathcal {B}}\) takes as input \(\widehat{\textsf {ppk}}\) and simulates \(\textsf {Exp}_{\textsf {TreeSig},\mathcal {A},q_{\textsf {Tree}}}^{\textsf {EUF-NCMA}}(\lambda )\) as follows. Upon receiving \(m^{(1)},\ldots ,m^{(q)}\), \(\hat{\mathcal {B}}\) computes \((\textsf {vk}_{tree},\textsf {sk}_{tree}) \leftarrow \textsf {TreeSig.Gen}(1^{\lambda })\) where \(\textsf {vk}_{tree}=(\textsf {ppk},\textsf {spk}_{v_0})\) and \(\textsf {sk}_{tree}=(\textsf {psk},\textsf {ssk}_{v_0})\).

  1. Authentication for and nodes generation. Choose the leftmost unused node \(N_{v_h}\). For \(i=1,\ldots ,h\), if the related keys associated to the node \(N_{v_i}\) have not been defined, run \(\textsf {SecGen}(\textsf {ppk},\textsf {psk})\) \(2d\) times to generate \((\textsf {spk}_{v_{i-1}||01},\textsf {ssk}_{v_{i-1}||01}),\ldots ,(\textsf {spk}_{v_{i-1}||0d},\textsf {ssk}_{v_{i-1}||0d})\) and \((\textsf {spk}_{v_{i-1}||11},\textsf {ssk}_{v_{i-1}||11}),\ldots ,(\textsf {spk}_{v_{i-1}||1d},\textsf {ssk}_{v_{i-1}||1d})\), query \(\mathcal {O}_{\widehat{\textsf {TTSig}}}(\cdot )\) with \((\textsf {spk}_{v_{i-1}||01},\ldots , \textsf {spk}_{v_{i-1}||0d})\) and \((\textsf {spk}_{v_{i-1}||11},\ldots ,\textsf {spk}_{v_{i-1}||1d})\) respectively, and get \((\widehat{\textsf {spk}_{v_{i-1}||0}};\widehat{\sigma _{v_{i-1}||01}}^1,\ldots ,\widehat{\sigma _{v_{i-1}||0d}}^d)\) and \((\widehat{\textsf {spk}_{v_{i-1}||1}};\widehat{\sigma _{v_{i-1}||11}}^1,\ldots ,\widehat{\sigma _{v_{i-1}||1d}}^d)\). Then, \((\textsf {spk}_{v_{i-1}||01},\ldots ,\textsf {spk}_{v_{i-1}||0d})\) and \((\textsf {spk}_{v_{i-1}||11},\ldots ,\textsf {spk}_{v_{i-1}||1d})\) are assigned to nodes \(N_{v_{i-1}||01},\dots ,N_{v_{i-1}||0d}\) and \(N_{v_{i-1}||11},\dots , N_{v_{i-1}||1d}\), respectively. For message \(m^{(j)}\), compute \(\sigma _{v_h} \leftarrow \textsf {TTSign}(\textsf {psk},\textsf {ssk}_{v_h},m^{(j)})\).

  2. Authentication for and . For \(i=0,1,\ldots ,h-1\), if \(\widehat{\textsf {spk}_{v_i||0}}\) and \(\widehat{\textsf {spk}_{v_i||1}}\) have not been authenticated, compute \(\sigma _{v_i} \leftarrow \textsf {TTSign}(\textsf {psk},\textsf {ssk}_{v_i},\widehat{\textsf {spk}_{v_i||0}}||\widehat{\textsf {spk}_{v_i||1}}||\widehat{\textsf {ppk}})\).

So the signature \(\sigma ^{(j)}\) on message \(m^{(j)}\) can be generated for \(j=1,\dots ,q\). Note that, for simplicity, we denote \(\widehat{\sigma _{v_i}}\) as the corresponding signature of \(N_{v_i}\), where \(v_i=v_{i-1}||\beta _{i-1}j_{i-1}\). \(\hat{\mathcal {B}}\) returns \(\textsf {vk}_{tree}=(\textsf {ppk},\textsf {spk}_{v_0})\) and \((\sigma ^{(1)},\ldots ,\sigma ^{(q)})\) to \(\mathcal {A}\).

Finally, \(\mathcal {A}\) outputs a forgery \((m^*,\sigma ^{(*)})\). Suppose \(\delta \) is the largest index such that \(\textsf {spk}_{v_\delta ^{(*)}}=\textsf {spk}_{v_\delta ^{(i)}}\) for some \(i\in \{1,\dots ,q\}\). \(\hat{\mathcal {B}}\) outputs \((\textsf {spk}_{v_{\delta +1}^{(*)}},\widehat{\sigma _{v_\delta ||\beta _{\delta }^{(*)}}}, i_{v_\delta ||\beta _{\delta }^{(*)}},\) \(j_{\delta }^{(*)})\) if either one of the following conditions holds:

  • \((\beta _{\delta }^{(*)}\ne \beta _{\delta }^{(i)})\wedge (\widehat{\textsf {spk}_{v_\delta || \beta _{\delta }^{(*)}}}= \widehat{\textsf {spk}_{v_\delta || (\beta _{\delta }^{(i)}\oplus 1)}})\),

  • \((\beta _{\delta }^{(*)}= \beta _{\delta }^{(i)}) \wedge (\widehat{\textsf {spk}_{v_\delta || \beta _{\delta }^{(*)}}}= \widehat{\textsf {spk}_{v_\delta || \beta _{\delta }^{(i)}}})\),

where \(i_{v_\delta ||\beta _{\delta }^{(*)}}\) denotes the \(i_{v_\delta ||\beta _{\delta }^{(*)}}\)-th query to \(\mathcal {O}_{\widehat{\textsf {TTSig}}}\) and corresponds to \(\widehat{\textsf {spk}_{v_\delta ||\beta _{\delta }^{(*)}}}\). Otherwise, \(\hat{\mathcal {B}}\) aborts. Note that the above conditions correspond to the event Bad. Since \(\hat{\mathcal {B}}\) perfectly simulates Exp\(_{\textsf {TreeSig},\mathcal {A},q_{\textsf {Tree}}}^{\textsf {EUF-NCMA}}(\lambda )\), we have

$$\begin{aligned} \Pr [\textsf {Exp}_{\textsf {TreeSig},\mathcal {A},q_{\textsf {Tree}}}^{\textsf {EUF-NCMA}}(\lambda )=1\wedge \textsf {Bad}] =\Pr [\textsf {Exp}_{\widehat{\textsf {TTSig}},\hat{\mathcal {B}},q_{\widehat{\textsf {TTSig}}}}^{\textsf {TT-EUF-NCMA}}(\lambda ,d)=1], \end{aligned} \qquad (9)$$

where \(q_{\textsf {Tree}}=q\). By (8) and (9), we have \(\epsilon _{\textsf {Tree}}\le \epsilon _{\textsf {TTSig}}+\epsilon _{\widehat{\textsf {TTSig}}}\). Since \(\mathcal {B}\) has to make at most \(h+1\) queries to \(\mathcal {O}_{\textsf {TTSig}}(\cdot )\) for each \(m^{(j)}\), we have \(t_{\textsf {Tree}}= t_{\textsf {TTSig}}-O(hq_{\textsf {Tree}})\), \(q_{\textsf {Tree}}\le q_{\textsf {TTSig}}\). Similarly, for the construction of \(\hat{\mathcal {B}}\), \(t_{\textsf {Tree}}= t_{\widehat{\textsf {TTSig}}}-O(hq_{\textsf {Tree}})\), \(q_{\textsf {Tree}}\le q_{\widehat{\textsf {TTSig}}}\). Therefore, \(t_{\textsf {Tree}}=\max \{ t_{\textsf {TTSig}},t_{\widehat{\textsf {TTSig}}}\}-O(hq_{\textsf {Tree}})\) and \(q_{\textsf {Tree}}\le \max \{q_{\textsf {TTSig}},q_{\widehat{\textsf {TTSig}}}\}\).

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Wei, P., Wang, W., Zhu, B., Yiu, S.M. (2017). Tightly-Secure Encryption in the Multi-user, Multi-challenge Setting with Improved Efficiency. In: Pieprzyk, J., Suriadi, S. (eds) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science, vol 10342. Springer, Cham. https://doi.org/10.1007/978-3-319-60055-0_1

  • DOI: https://doi.org/10.1007/978-3-319-60055-0_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60054-3

  • Online ISBN: 978-3-319-60055-0

  • eBook Packages: Computer Science, Computer Science (R0)
