Adaptively-Secure,Non-InteractivePublic-KeyEncryptionRanCanetti1,ShaiH - PDF document

Adaptively-Secure,Non-InteractivePublic-KeyEncryptionRanCanetti1,ShaiHalevi1,andJonathanKatz2?1IBMT.J.WatsonResearchCenter,NY,USA.2DepartmentofComputerScience,UniversityofMaryland.Abstract.Adaptively-secureencryptionschemesensuresecrecyeveninthepresenceofanadversarywhocancorruptpartiesinanadaptivemannerbasedonpublickeys,ciphertexts,andsecretdataofalready-corruptedparties.Ideally,anadaptively-secureencryptionschemeshould,likestandardpublic-keyencryption,allowarbitrarily-manypartiestouseasingleencryptionkeytosecurelyencryptarbitrarily-manymessagestoagivenreceiverwhomaintainsonlyasingleshortdecryptionkey.How-ever,itisknownthattheserequirementsareimpossibletoachieve:nonon-interactiveencryptionschemethatsupportsencryptionofanun-boundednumberofmessagesandusesasingle,unchangingdecryptionkeycanbeadaptivelysecure.Impossibilityholdsevenifsecuredataerasureispossible.Weshowthatthislimitationcanbeovercomebyupdatingthedecryptionkeyovertimeandmakingsomemildassumptionsaboutthefrequencyofcommunicationbetweenparties.Usingthisapproach,weconstructadaptively-secure,completelynon-interactiveencryptionschemessup-portingsecureencryptionofarbitrarily-manymessagesfromarbitrarily-manysenders.Ourschemesadditionallyprovideforwardsecurityandsecurityagainstchosen-ciphertextattacks.1IntroductionImagineabandofpoliticaldissidentswhoneedtogointohidingfromanoppres-siveregime.Whileinhiding,theonlyformofcommunicationwiththeoutsideworldisviathepublicmedia.Beforegoingintohiding,eachindividualwantstopublishakeythatwillallowanyone(evenpartiesnotcurrentlyknowntothisindividual)topublishencryptedmessagesthatonlythisindividualcande-cipher.Sinceitisnotknowninadvancehowlongthesememberswillneedtobeinhiding,reasonablyshortpublickeysmustsuceforencryptinganunboundednumberofmessages.Furthermore,messagesencryptedtoeachdissidentmustremainsecretevenifotherdissidentsarecaughtandtheirsecretsareextractedfromthem.Doencryptionschemessatisfyingtheserequirementsexist?Atrstglance,astandardpublic-keyencryptionschemeseemstosuce.In-deed,apublic-keyencryptionschemesallowsareceivertopublishakeythatcan?ThisworkwassupportedbyNSFTrustedComputingGrant#0310751. thenbeusedbyanyonetosendencryptedmessagestothereceiver.Thepub-lickeyisshort(i.e.,ofxedpolynomiallength)andcanbeusedbyarbitrarysenders(potentiallyunknowntothereceiveratthetimethekeyispublished)tosecurelysendarbitrarily-manymessagestothereceiverwithoutfurtherinterac-tion.Furthermore,sendersneednotmaintainanystateotherthanthereceiver'spublickey,andthereceiversimilarlyneednotmaintainanystateexceptforhissecretkey.However,standardpublic-keyencryptionschemesdonotprovidethedesiredlevelofsecurity.Standarddenitionsofsecurity,includingsemanticsecurityagainstpassiveattacks[gm84]aswellasvariousnotionsofsecurityagainstactiveattacks[ny90,rs91,ddn00,bdpr98],onlyconsiderthecasewherethead-versaryneverlearnsanysecretkey.However,whenanadversarycancompromiseplayersandlearntheirinternalstatesinanadaptivemanner,possiblydepend-ingonpreviously-observedciphertextsandinformationlearnedduringpreviouscorruptions,thestandardnotionsnolongerapply.Inparticular,intheadaptivesettingencryptingwithaCCA-secureencryptionschemeisnotknowntoprovidesecurecommunication.Toobtainprovablesecurityagainstadaptiveadversaries,onemustensurethattheinformationgatheredbytheadversarywhencompromisingparties(namely,theirsecretkeys)doesnotgivetheadversaryanyadditionaladvantagetowardcompromisingthesecurityoftheyet-uncorruptedparties.Thestandardwayofformulatingthisisbyrequiringtheexistenceofasimulatorthatcangenerate\dummyciphertexts"whichcanbelater\opened"(i.e.,byrevealinganappropriatesecretkey)asencryptionsofanymessage;see,e.g.,[cfgn96].Aschemesatisfyingthisadditionalconditionissaidtobeadaptivelysecure.Severalmethodsareknownforachievingadaptively-secureencryptedcom-munication,butnonecanbeusedinthebasicsettingexempliedbytheabovetoyproblem.BeaverandHaber[bh92]proposeanadaptivelysecureencryp-tionprotocolinwhichthesenderandreceivermustinteractbeforetheycansecurelycommunicateforthersttime.Furthermore,thepartiesmustmain-tainasharedsecretkeyperconnection.Thiskeymustbecontinuallyupdated,withtheoldkeybeingerased,asmoremessagesareencrypted.Non-committingencryptionschemes[cfgn96,b97,dn00]morecloselymimicthefunctionalityofstandardpublic-keyencryption,andinparticulardonotrequiremaintenanceofper-connectionstate.(Inaddition,thesesolutionsalsoremovetheneedforsecuredataerasure.)Intheseschemes,however,boththepublicandsecretkeysareatleastaslongastheoverallnumberofbitstobeencrypted.Infact,asnotedbyNielsen[n02],anyadaptively-secureschemewithnon-interactiveen-cryptionmusthaveadecryptionkeywhichisatleastaslongasthenumberofbitstobedecryptedunderthiskey.Inanutshell,thisisbecausethesimulatormust\open"the\dummyciphertexts"asencryptionsofanygivensequenceofmessagesbypresentinganappropriatesecretkey;therefore,thenumberofpos-siblesecretkeysmustbeatleastthenumberofpossiblemessage-sequences.Theunfortunateconclusionisthatapublic-keyencryptionschemethatcanencryptanunboundednumberofmessageswithshortandunchangingkeyscannotbe adaptivelysecure.Thisholdsevenifsecuredataerasuresarepossible,andeveninaweakersettingwhereonlyreceiverscanbecorrupted.Wealsocommentthatpreviousworkonadaptively-secureencryptiondidnotaddressresistancetochosen-ciphertextattacks.OurContributions.ThisworkdemonstratesthatwecancircumventNielsen'snegativeresultifthesecretdecryptionkeyisallowedtoperiodicallychange,andsomemildassumptionsaboutthefrequencyofcommunicationbetweenpartiesaremade.Thatis,understandardhardnessassumptions,thereexistadaptively-secure,non-interactivepublic-keyencryptionschemeswithshortkeysthatcanhandlearbitrarily-manymessagesandsenders.Inparticular,ourschemessolvethetoyexamplefromaboveinawaythatisessentiallythebestpossibleunderthegivenconstraints.Thisisdonebyconsideringkey-evolvingencryptionschemes[chk03]inwhichthesecretkeyislocallyupdatedbythereceiveraccordingtoaglobally-knownschedule(say,attheendofeveryday),whilethepublickeyremainsxed.Thesecretkeyforthepreviousperiodissecurelyerasedonceitisnolongerneeded.Usingthisapproach,weconstructadaptively-secure,non-interactiveencryptionschemesthatcanbeusedtoencryptarbitrarily-manybitsaslongasthenumberofencryptedbits(foranyparticularkey)isboundedpertimeperiod.Asdiscussedabove,anassumptionofthissortisessentialtocircumventNielsen'snegativeresults.Also,thisassumptionisreasonableinmanycases:forinstance,onemayeasilypositsomeknownupperboundonthenumberofincominge-mailsprocessedperday.Inadditiontobeingadaptivelysecure,ourschemesalsoprovidebothforwardsecurity[a97,chk03]andsecurityagainstchosen-ciphertextattacks.(Wecom-mentthatalthoughforwardsecurityisreminiscentofadaptivesecurity,neithersecuritypropertyimpliestheother.)Accordingly,werefertoschemessatisfy-ingoursecurityrequirementsasadaptively-andforward-secureencryption(AFSE)schemes.WeformalizetherequirementsforAFSEschemeswithintheUCframe-work[c01].Thatis,wepresentanfunctionalityFafsethatcapturesthedesiredpropertiesofAFSEschemes.Thisfunctionalityisanaturaladaptationofthe\standard"public-keyencryptionfunctionalityof[c01,ckn03]tothecontextofkey-evolvingencryption.Asinthenon-adaptivecase,Fafseguaranteessecurityagainstactiveadversaries,whichinparticularimpliessecurityagainstchosen-ciphertextattacks.UsingthecomposabilitypropertiesoftheUCframework,ourconstructionsareguaranteedtoremainsecureinanyprotocolenvironment.Indeed,theformulationofFafse,whichblendstogetherthenotionsofforwardsecurity,chosen-ciphertextsecurity,andadaptivesecurityofpublic-keyencryp-tionschemes,isanothercontributionofthiswork.TechniquesandConstructions.Werstnotethatdealingwithcorruptionofsendersiseasy,sinceasendercansimplyeraseitslocalstateuponcompletingtheencryptionalgorithm.Wethusconcentrateonthemoredicultcaseofreceivercorruption.WethenshowthatitsucestoconsiderAFSEforthecasewhenonlyasinglemessageisencryptedpertimeperiod,sinceanysuchconstruction canbeextendedinagenericmannertogiveaschemewhichcanbeusedtoen-cryptanyboundednumberofmessagespertimeperiod.Withthisinmind,ourrstconstructionusestheparadigmofNaor-YungandSahai[ny90,s99]tocon-structanAFSEschemebasedonanyforward-secureencryption(FSE)schemeandanysimulation-soundnon-interactivezero-knowledge(NIZK)proofsystem[ddops01].Recallthat,undertheNaor-Yung/Sahaiparadigm,thesenderen-cryptsmessagesbyessentiallyusingtwoindependentcopiesofasemantically-secureencryptionschemetogetherwithanNIZKproofofconsistency.Tode-crypt,thereceiververiestheproofandthendecryptseitheroneofthecom-ponentciphertexts.NaorandYungprovethatthisprovidessecurityagainst\lunch-time"(i.e.,non-adaptive)chosen-ciphertextattackswhenanarbitraryNIZKproofsystemisused,andSahailatershowedthatthistechniqueachievesfull(i.e.,adaptive)CCA-securityifaone-timesimulation-soundNIZKproofsys-temisused.Weshowthatifasemantically-secureFSEschemeisusedastheunderlyingencryptionscheme,andtheNIZKproofsystemis\fully"simulationsound(asdenedin[ddops01]),theresultingconstructionisalsoanAFSEscheme.ThisapproachcanbeextendedtoencryptapolynomialnumberofbitsperciphertextusingonlyasingleNIZKproof.(Weremarkthat,asopposedtothecaseofstandardCCA-secureencryption[s99],hereitisnotenoughthattheunderlyingNIZKisone-timesimulationsound.)Whiletheaboveapproachisconceptuallysimple,itishighlyimpracticalduetotheineciencyofknownNIZKs.Wethusproposeanalternateapproachthatleadstomoreecientsolutionsbasedonspecic,number-theoreticassump-tions.Aspartofthisapproach,werstdeneandconstruct\standard"(i.e.,nonkey-evolving)encryptionschemeswhicharesecureagainstlunch-timechosen-ciphertextattacksandareadaptively-secureforencryptionofasinglemessage(intotal).Wecallsuchschemesreceivernon-committingencryption(RNCE)schemes.1OurconstructionofanAFSEschemeproceedsbyrstencryptingthemessageusinganyRNCEscheme,andthenencryptingtheresultingciphertextusinganyCCA-secureFSEscheme.Informally,thisconstructionachievesadap-tivesecurityforanunboundednumberofmessages(aslongasonlyonemessageisencryptedpertimeperiod)becausethesecretkeyoftheouterFSEschemeisupdatedaftereveryperiodandsothesimulatoronlyneedsto\open"oneci-phertext(i.e.,theonecorrespondingtothecurrenttimeperiod)asanarbitrarymessage.Itcanaccomplishthelatterusingthe\inner"RNCEscheme.Obtaininganecientschemeusingthisapproachrequiresecientinstan-tiationofbothcomponents.RelativelyecientCCA-secureFSEschemes(inparticular,schemeswhichavoidtheneedforNIZKproofs)arealreadyknown[chk04,bb04].Therefore,wefocusonconstructingecientRNCEschemesbasedonspecicnumber-theoreticassumptions.OurrstRNCEschemeisbasedontheCramer-Shoupencryptionscheme[cs98](andadaptstechniquesof[jl00])anditssecurityispredicatedonthedecisionalDie-Hellman(DDH)assump-1Indeed,thisisarelaxationofthenotionofnon-committingencryptionfrom[cfgn96].ItissimilartotherelaxationstudiedbyJareckiandLysyanskaya[jl00],exceptthatwealsorequiresecurityagainstlunch-timechosen-ciphertextattacks. tion.However,thisschemeallowsencryptionofonlyalogarithmicnumberofbitsperciphertext.WealsoshowasecondRNCEschemebasedontheschemesof[gl03,cs03](which,inturn,buildon[cs02]),whosesecurityreliesonthede-cisionalcompositeresiduosityassumptionintroducedbyPaillier[p99]andwhichcanbeusedtoencryptapolynomialnumberofbitsperciphertext.Organization.TheAFSEfunctionalityisdenedandmotivatedinSection2.OurconstructionofAFSEusingtheNaor-Yung/SahaiparadigmisdescribedinSection3.InSection4,wepresentdenitionsforRNCEandshowtwocon-structionsofRNCEschemesbasedonspecicnumber-theoreticassumptions.Finally,inSection5weconstructanAFSEschemefromanyRNCEschemeandanyCCA-secureFSEscheme.InAppendixA,weincludedenitionsofkey-evolvingandforward-secureencryption,whileabriefoverviewoftheUCframeworkanditsapplicationtosecureencryptionisprovidedinAppendixB.Inthisabstractweomitallproofsduetolackofspace.Theproofscanbefoundinthefullversionofthispaper[chk05].2DenitionofAFSEWedeneAFSEbyspecifyinganappropriateidealfunctionalityintheUCsecurityframework(cf.AppendixB).Thisfunctionality,denotedFafseandpresentedinFigure1,isobtainedbyappropriatelymodifyingthe\standard"public-keyencryptionfunctionalityFpke[c01,ckn03]whichisreviewedinAp-pendixB.1.Intuitively,FafsecapturesthesamesecuritynotionsasFpkeexceptthatitalsoprovidesamechanismbywhichthereceivercan\update"itssecretkey;Fafseguaranteessecurityonlyaslongasaboundednumberofmessagesareencryptedbetweenkeyupdates.Infact,forsimplicity,thefunctionalityasde-nedonlyguaranteessecuritywhenasingleciphertextisencryptedbetweenkeyupdates.Sayaciphertextencryptedwithrespecttoaparticulartimepe-riodtisoutstandinguntilthereceiverhasupdateditssecretkeyatotaloft+1times.Then,ifmorethanoneoutstandingciphertextisrequested,thefunctionalityguaranteesnosecuritywhatsoeverforthisciphertext.(Formally,thisiscapturedbyhandingthecorrespondingplaintexttotheadversary.)Sec-tion2.1discusseshowFafsecanbeextendedtoallowanyboundednumberofoutstandingciphertexts,whichcorrespondstoensuringsecurityaslongasatmostthismanymessagesareencryptedbetweenkeyupdates.Italsopresentsagenerictransformationfromprotocolssecureforasingleoutstandingciphertexttoprotocolssecureforthegeneralcase.Forconvenience,wehighlightsomedierencesbetweenFafseandFpke.First,anadditionalparameter|atimeperiodt|isintroduced.Anencryptionrequestnowadditionallyspeciesatimeperiodfortheencryptioncalledthe\sendertime",andthefunctionalitymaintainsavariabletcalledthe\receivertime".Thereceivertimeisinitializedto0,andisincrementedbythereceiverRusinganUpdaterequest.Aciphertextgeneratedforsendertimetisonly FunctionalityFafseFafseproceedsasfollows,whenparameterizedbymessagedomainensembleD=fDkgk2andsecurityparameterk.KeyGeneration:Uponreceivingarequest(KeyGen;sid)frompartyR,do:Verifythatsid=(sid0;R)(i.e.,thattheidentityRisencodedinthesessionID).Ifnot,thenignorethisinput.Ifyes:1.Hand(KeyGen;sid)totheadversary.2.Receiveavaluepkfromtheadversary,andhandpktoR.Initializet 0andmessages-outstanding 0.Encryption:UponreceivingfromsomepartyPatuple(Encrypt;sid;pk;t;m)proceedasfollows:1.Ifm2Dk,pk=pk,andeitherttormessages-outstanding=0,thensend(Encrypt,sid;pk;t;P)totheadversary.Inallothercases,send(Dummy-Encrypt;sid;pk;t;m;P)totheadversary(i.e.,revealtheplaintexttotheadversary).2.Receiveareplycfromtheadversaryandsend(ciphertext,c)toP.Inaddition,ifm2Dk,pk=pk,andtt,thendo:(a)Ifmessages-outstanding=0,setmessages-outstanding 1and\rag outstanding.Else,set\rag dummy.(b)recordthetuple(m;t;c;\rag)inthelistofciphertexts.Decryption:Uponreceivingatuple(Decrypt;sid;c)fromplayerP,ifP6=Rthenignorethisinput.Otherwise:1.Ifthelistofciphertextscontainsatuple(m;t;c;?)withthegivencipher-textcandt=t,thenreturnmtoR.2.Otherwisesendamessage(Decrypt;sid;t;c)totheadversary,receiveareplym,andforwardmtoR.Update:Uponreceiving(Update;sid)fromplayerP,ifP=Rdo:1.Sendamessage(Update;sid)totheadversary.2.Removefromthelistofciphertextsallthetuples(m;t;c;\rag)withthecurrenttimet.Ifanyofthesetuplehas\rag=outstanding,thenresetmessages-outstanding 0.3.Sett t+1.Corruptions:UponcorruptionofpartyP,ifP=Rthensendtotheadversaryalltuples(m;t;c;?)inthelistofciphertextswithtt.(IfP6=Rthendonothing.)Fig.1.TheAFSEfunctionality,Fafse. decryptedbyFafse(uponrequestoftheappropriatereceiver)whenthecurrentreceivertimeist=t.Second,Fafselimitstheinformationgainedbytheadversaryuponcor-ruptionofpartiesinthesystem.WhencorruptingpartiesotherthanR,theadversarylearnsnothing.WhencorruptingRatsome\receivertime"t,theadversarydoesnotlearnanyinformationaboutmessagesthatwereencryptedat\sendertimes"tt.(Thisisakintothelevelofsecurityprovidedbyforward-secureencryptionschemes,andinfactstrengthenstheusualnotionofadaptivesecuritywhichpotentiallyallowsanadversarytolearnallpastmessagesuponcorruptionofaparty.)Inaddition,adaptivesecurityisguaranteedforasin-glemessageencryptedatsomesendertimett(i.e.,asingleoutstandingmessage).Thefactthatsecurityisguaranteedonlyforasingleoutstandingmessageiscapturedviathevariablemessages-outstanding,whichisinitializedto0andissetto1whenamessageisencryptedfortimeperiodtwithtt.Whenthereceiver'stimeunittadvancesbeyondthetimeunittoftheoutstandingciphertext,thevariablemessages-outstandingisresetto0.Ifanotherencryptionrequestarriveswithtimeperiodttwhilemessages-outstandingisequalto1,thenFafsedisclosestheentireplaintexttotheadversary(andthusdoesnotensureanysecrecyinthiscase).WeremarkthatFafsecanbeusedinanaturalwaytorealizeavariantofthe\securemessagetransmissionfunctionality"[c01,af04]insynchronousnetworkswithrespecttoadaptiveadversaries.Weomitfurtherdetails.2.1HandlingMultipleOutstandingCiphertextsWhilethefunctionalityFafseandalltheconstructionsinthisworkarede-scribedassumingaboundofatmostoneoutstandingciphertext,boththefunc-tionalityandtheconstructionscanbegeneralizedtothecaseofanyboundednumberofoutstandingciphertexts(correspondingtoaboundednumberofmes-sagesencryptedpertimeperiod).Generalizingthefunctionalityisstraightfor-ward,sowedonotdescribeithere.Asforconstructions,anyAFSEschemewhichissecureforthecaseofasingleoutstandingciphertextcanbeextendedgenericallysoastobesecureforanyboundednumber`ofoutstandingciphertextinthefollowingway:Thepublickeyofthenewschemeconsistsof`indepen-dentkeyspk1;:::;pk`generatedusingtheoriginalscheme.Toencryptamessagem,thesendercomputesthe\nestedencryption"Epk1(Epk2(


Epk`(m)


))andsendstheresultingciphertexttothereceiver.OnecanshowthatthisindeedrealizesFafseforatmost`outstandingciphertexts.Theformalproof,however,ismoreinvolvedandisomitted.2.2RealizingFafseUsingKey-EvolvingEncryptionSchemesWepresentourconstructionsaskey-evolvingencryptionschemes(i.e.,asacol-lectionofalgorithms)ratherthanasprotocols(astechnicallyrequiredbytheUC framework).Forcompleteness,wedescribethe(obvious)transformationfromkey-evolvingencryptionschemestoprotocolsgearedtowardrealizingFafse.Recallthatakey-evolvingencryptionschemeconsistsoffouralgorithms(Gen;Upd;Enc;Dec),where(Gen;Enc;Dec)arethekeygeneration,encryption,anddecryptionroutines(asinastandardencryptionscheme,exceptthattheencryptionanddecryptionroutinesalsotakeasinputatimeperiodt),andUpdisthesecret-keyupdatealgorithmthattakesasinputthecurrentsecretkeyandtimeunit,andoutputsthesecretkeyforthenexttimeunit.ThedenitionisreviewedinAppendixA.GivenakeyevolvingencryptionschemeS=(Gen;Upd;Enc;Dec),onemayconstructtheprotocolSasfollows:AnactivationofSwithinputmessageKeyGen,Update,Encrypt,orDecryptisimplementedviacallstothealgorithmsGen;Upd;Enc;orDec,respectively.TheonlystatemaintainedbySbetweenactivationsisthesecretkeythatwasgeneratedbyGen(andthatismodiedineachactivationofUpdate),andthecurrenttimeperiod.Anyotherlocalvariablesthataretemporarilyusedbyanyofthealgorithmsareerasedassoonastheactivationcompletes.WiththistransformationwecannowdeneanAFSEscheme:Denition1.Akey-evolvingencryptionschemeSisanadaptively-andforward-secureencryption(AFSE)schemeiftheprotocolSresultingfromthetransfor-mationabovesecurelyrealizesFafsewithrespecttoadaptiveadversaries.3AFSEBasedonForward-SecureEncryptionInthissectionweshowhowtoconstructanAFSEschemefromanyFSEschemesecureagainstchosen-plaintextattacksalongwithanysimulation-soundNIZKproofsystem.(SeeAppendixAfordenitionsofkey-evolvingencryptionandforwardsecurity,bothagainstchosen-plaintextandchosen-ciphertextattacks.)Wedescribeindetailaconstructionthatallowsencryptionofonlyasinglebitperciphertextandthendiscusshowthismaybegeneralizedtoallowforencryptionofanypolynomialnumberofbitsperciphertext.OurconstructionusesasimpletwistoftheNaor-Yung/Sahaitransformation[ny90,s99];whenappliedtotwoFSEschemes,theresultingschemeyieldsnotonlyCCAsecuritybutalsosecurityagainstadaptivecorruptions.Wecommentthat,asopposedtothecaseofnon-adaptiveCCAsecurity,\one-time"simulationsoundNIZKproofsarenotsucienttoachievesecurityagainstadaptivecorruptions;instead,werequireNIZKproofssatisfyingthestrongernotionofunboundedsimulationsoundness[ddops01].Theconstruction.LetE0=(G0;U0;E0;D0)beakey-evolvingencryptionscheme,andletP=(`;P;V)beanNIZKproofsystem(where`(k)isthelengthofthecommonrandomstringforsecurityparameterk)forthefollowingNPlanguageLE0def=f(t;pk0;c0;pk0;c0):9m;r0;r1s:t:c0=E0(pk0;t;m;r0);c0=E0(pk0;t;m;r1)g: Weconstructanewkey-evolvingencryptionschemeE=(G;U;E;D)asfollows:Keygeneration,G.Onsecurityparameter1k,runtwoindependentcopiesofthekeygenerationalgorithmofE0toobtain(pk0;sk00) G0(1k)and(pk0;sk01) G0(1k).Choosearandombitb2f0;1gandarandom`(k)-bitstringcrs2f0;1g`(k).Thepublickeyisthetriple(pk00;pk01;crs),andthesecretkeyis(b;sk0).Erasetheotherkeysk0b.Keyupdate,U.Keyupdateisunchanged,namelyU(t;(b;sk0))=(b;U0(t;sk0)).Encryption,E.Toencryptabitm2f0;1gattimet,rstpicktwoinde-pendentrandomstringsr0;r1asneededfortheencryptionalgorithmE0andcomputec0 E0(pk0;t;m;r0),c0 E0(pk1;t;m;r1),andaproofthat(t;pk0;c0;pk0;c0)2LE0;namely P(crs;t;pk0;c0;pk0;c0;m;r0;r1).Theciphertextisthetriplec=(c0;c01;).Decryption,D.Todecryptaciphertextc=(c00;c01;)attimet,rstruntheverierV(crs;t;pk0;c0;pk0;c0).IfVrejects,theoutputis?.Otherwise,therecipientuses(b;sk0)torecoverm D0(sk0b;c0).Weclaimthefollowingtheorem:Theorem1.IfE0isforward-secureagainstchosen-plaintextattacks(fs-CPA,cf.Denition4)andif(P;V)isanunboundedsimulation-soundNIZKproofsystem[ddops01,Def.6],thenEisanAFSEscheme.Theproofappearsinthefullversion,butweprovidesomeintuitionhere.Under-lyingouranalysisistheobservationthatasimulator(whocangenerateproofsforfalseassertions)cancomeupwithavalid-looking\dummyciphertext"whosecomponentciphertextsencryptdierentmessages(i.e.,both0and1).Thesimu-lator,whoalsoknowsbothunderlyingdecryptionkeys,canthusopenthedummyciphertextasanencryptionofeither0or1,dependingonwhichdecryptionkeyispresentedtoanadversary.(NotefurtherthattheadversarywillbeunabletogeneratedummyciphertextsofthisformduetothesimulationsoundnessoftheNIZKproofsystem.)Theaboveargumentdemonstratesadaptivesecurityforasingleencryptedbit.Adaptivesecurityforanunboundednumberofbits(aslongasonlyoneciphertextisoutstanding)holdssincethesecretkeysoftheunderlyingFSEschemesevolveaftereachencryption.Weremarkthatone-timesimulationsoundnessfor(P;V)wouldnotbesucienthere,sincethesimulatormustgeneratemultiple\fakeciphertexts"andthehybridargumentthatworksinthenon-adaptivecase(see[s99])doesnotworkhere.AFSEforlongermessages.ToobtainaconstructionofanAFSEschemeforn-bitmessages,onecansimplyusenpairsofpublickeysgeneratedusingE0(thereceivernowchoosesatrandomonesecretkeyfromeachpairtostore,whiletheotheriserased).Therestisanobviousextensionoftheproofintuitionfromabove,withtheonlysubtlepointbeingthattheresultingciphertextcontainsasingleNIZKproofcomputedovertheentirevectorofnciphertextpairs(withthelanguagebeingdenedappropriately). 4ReceiverNon-CommittingEncryptionThissectiondenesandconstructsreceivernon-committingencryption(RNCE)thatissecureagainst\lunch-timeattacks"(akaCCA1-secure).WenotethatRNCEwasconsideredin[jl00]forthemorebasiccaseofchosen-plaintextattacks.Section5showshowtocombineanyRNCEschemewithanyFSEschemesecureagainstchosen-ciphertextattackstoobtainasecureAFSEscheme.SinceourproposedconstructionsofRNCEschemesarequiteecient(andsincerelatively-ecientconstructionsofFSEschemessecureagainstchosen-ciphertextattacksareknown[chk03,chk04,bb04]),weobtain(relatively)ecientAFSEschemes.Onahighlevel,areceivernon-committingencryptionschemeisoneinwhichasimulatorcangenerateasingle\fakeciphertext"andlater\open"thiscipher-text(byshowinganappropriatesecretkey)asanygivenmessage.These\fakeciphertexts"shouldbeindistinguishablefromrealciphertexts,evenwhenanadversaryisgivenaccesstoadecryptionoraclebeforethefakeciphertextisknown.4.1DenitionofRNCEFormally,areceivernon-committingencryption(RNCE)schemeconsistsofvepptalgorithms(G;E;D;~F;~R)suchthat:{G;E,andDarethekey-generation,encryption,anddecryptionalgorithms.Thesearedenedjustasforastandardencryptionscheme,exceptthatthekeygenerationalgorithmalsooutputssomeauxiliaryinformationzinadditiontothepublicandsecretkeyspkandsk.{Thefakeencryptionalgorithm~Ftakesasinput(pk;sk;z)andoutputsa\fakeciphertext"~c.{Therevealalgorithm~Rtakesasinput(pk;sk;z),a\fakeciphertext"~c,andamessagem2D.Itoutputsa\secretkey"esk.(Intuitively,~skisasecretkeyforwhich~cdecryptstom.)Wemakethestandardcorrectnessrequirement;namely,foranypk;sk;zoutputbyGandanym2D,wehaveD(sk;E(pk;m))=m.Ourdenitionofsecurityrequires,informally,thatforanymessagemanadversarycannotdistinguishwhetherithasbeengivena\real"encryptionofmalongwitha\real"secretkey,ora\fake"ciphertextalongwitha\fake"secretkeyunderwhichtheciphertextdecryptstom.Thisshouldholdevenwhentheadversaryhasnon-adaptiveaccesstoadecryptionoracle.Wenowgivetheformaldenition.Denition2(RNC-security).LetE=(G;E;D;~F;~R)beanRNCEscheme.WesaythatEisRNC-secure(orsimply\secure")iftheadvantageofanypptalgorithmAinthegamebelowisnegligibleinthesecurityparameterk.1.ThekeygenerationalgorithmG(1k)isruntoget(pk;sk;z). 2.ThealgorithmAisgiven1kandpkasinput,andisalsogivenaccesstoadecryptionoracleD(sk;
).Itthenoutputsachallengemessagem2D.3.Abitbischosenatrandom.Ifb=1thenaciphertextc E(pk;m)iscom-puted,andAreceives(c;sk).Otherwise,a\fake"ciphertext~c ~F(pk;sk;z)anda\fake"secretkey~sk ~R(pk;sk;z;~c;m)arecomputed,andAre-ceives(~c;~sk).(Afterthispoint,Acannolongerqueryitsdecryptionoracle.)Aoutputsabitb0.TheadvantageofAisdenedas2
Pr[b0=b]12.ItiseasytoseethattheRNC-securityof(G;E;D;~F;~R)accordingtoDef-inition2impliesinparticularthattheunderlyingscheme(G;E;D)issecureagainstnon-adaptivechosen-ciphertextattacks.ItispossibletoaugmentDe-nition2soastogranttheadversaryaccesstothedecryptionoracleevenaftertheciphertextisknown,butwedonotneedthisstrongerdenitionforourintendedapplication(Section5).WealsocommentthattheNaor-Yungcon-struction[ny90]isRNC-securefor1-bitmessages(ifthesecretkeyischosenatrandomfromthetwounderlyingsecretkeys);aproofcanbederivedfrom[ny90]aswellasourproofofTheorem1.4.2ASecureRNCESchemeforPolynomial-SizeMessageSpacesHere,weshowthattheCramer-Shoupcryptosystem[cs98]canbemodiedtogiveasecureRNCEschemeforpolynomial-sizemessagespaces.Interestingly,becauseourdenitionofsecurityonlyinvolvesnon-adaptivechosen-ciphertextattacks,wecanbaseourconstructiononthesimplerandmoreecient\Cramer-Shouplite"scheme.Infact,theonlydierenceisthatweencodeamessagembythegroupelementgm,ratherthanencodingitdirectlyastheelementm.(Thisencodingisessentialfortherevealalgorithm~R.2)Inwhatfollows,weletG=f
kgk2beafamilyofnite,cyclicgroups(writtenmultiplicatively),whereeachgroup
khas(known)primeorderqkandjqkj=k.Forsimplicity,wedescribeourRNCEschemeforthemessagespacef0;1g;however,wewillcommentbrie\ryafterwardhowtheschemecanbeextendedforanypolynomial-sizemessagespace.Keygeneration,G.Giventhesecurityparameter1k,let
denote
kandqdenoteqk.Chooseatrandomg1
nf1g,andalsochooserandom;x1;x2;y1;y2 q.Setg2=g1;h=gx11gx22;andd=gy11gy22.Thepub-lickeyispk=(g1;g2;h;d),thesecretkeyissk=(x1;x2;y1;y2),andtheauxiliaryinformationisz=.Encryption,E.Givenapublickeypk=(g1;g2;h;d)andamessagem2f0;1g,choosearandomr2q,computeu1=gr1u2=gr2,e=gm1hrandv=dr.Theciphertextishu1;u2;e;vi.2Lookingahead,itisforthisreasonthatthepresentconstructiononlyhandlespolynomial-sizemessagespaces:thereceiveronlydirectlyrecoversgm,andmustsearchthroughthemessagespacetondthecorrespondingmessagem. Decryption,D.Givenaciphertexthu1;u2;e;viandsecretkeysk=(x1;x2;y1;y2),proceedasfollows:Firstcheckwhetheruy11uy22=v.Ifnot,thenoutput?.Otherwise,computew=e=ux11ux22.Ifw=1(i.e.,thegroupidentity),output0;ifw=g1,output1.(Ifw=2f1;g1gthenoutput?.)Fakeencryption,~F.Givenpk=(g1;g2;h;d)andsk=(x1;x2;y1;y2),chooseatrandomr2q.Thencompute~u1=gr1,~u2=g1gr2,~e=gx21hrand~v=~uy11~uy22,andoutputthe\fake"ciphertext~c=h~u1;~u2;~e;~vi.Revealalgorithm,~R.Givenpk=(g1;g2;h;d),sk=(x1;x2;y1;y2),z=,a\fake"ciphertexth~u1;~u2;~e;~vi,andamessagem2f0;1g,setx0=x2mandx0=x1+m(bothinq)andoutputthe\fake"secretkey~sk=(x0;x02;y1;y2).Onecancheckthatthesecretkey~skmatchesthepublickeypk,sincegx01gx022=gx1+m1gx2m2=(gx11gm2)gx2m2=gx11gx22=h;moreover,~skdecryptsthe\fake"ciphertexth~u1;~u2;~e;~vitom,sincee~ux01~ux022=gx21(gx01gx022)r(gr1)x0(g1gr2)x02=gx2+rx01grx022grx0+x021grx022=gx2x01=gm1:Theaboveschemecanbeimmediatelyextendedtosupportanypolynomial-sizemessagespace:encryption,fakeencryption,andrevealwouldbeexactlythesame,anddecryptionwouldinvolvecomputationofw,asabove,followedbyanexhaustivesearchthroughthemessagespacetodeterminemdef=logg1w.Aproofofthefollowingappearsinthefullversion:Theorem2.IftheDDHassumptionholdsforG,thentheaboveschemeisRNC-secure.4.3ASecureRNCESchemeforExponential-SizeMessageSpacesTheRNCEschemeintheprevioussectioncanbeusedonlyformessagespacesofsizepolynomialinthesecurityparameter,asthedecryptionalgorithmworksintimelinearinthesizeofthemessagespace.Wenowshowaschemethatsupportsmessagespacesofsizeexponentialinthesecurityparameter.Justasintheprevioussection,weconstructourschemebyappropriatelymodifyinga(standard)cryptosystemsecureagainstchosen-ciphertextattacks.Here,webaseourconstructiononschemesdevelopedindependentlybyGennaroandLindell[gl03]andCamenischandShoup[cs03],buildingonearlierworkbyCramerandShoup[cs02].Securityofourscheme,asintheseearlierschemes,ispredicatedonthedecisionalcompositeresiduosity(DCR)assumption[p99].Letp;q;p0;q0bedistinctprimeswithp=2p0+1andq=2q0+1(i.e.,p;qarestrongprimes).Letn=pqandn0=p0q0,andobservethatthegroup2canbedecomposedasthedirectproduct
n

n0

2
T,whereeach
iisacyclicgroupoforderiandTistheorder-2subgroupofn2generatedby(1modn2). Thisimpliesthatthereexisthomomorphismsn;n0;2;Tfrom2onto
n,
n0,
2,andT,respectively,andeveryx22isuniquelyrepresentedbythe4-tuple(n(x);n0(x);2(x);T(x)).Weusealsothefactthattheelement\rdef=(1+n)modn2hasordernin2(i.e.,itgeneratesagroupisomorphicto
n)andfurthermore\ramodn2=1+an,forany0an.LetPndef=fxnmodn2:x22gdenotethesubgroupofn2consistingofallnthpowers;notethatPnisisomorphictothedirectproduct
n0

2
T.TheDCRassumption(informally)isthat,givenn,itishardtodistinguisharandomelementofPnfromarandomelementofn2.OurRNCEschemeisdenedbelow.Inthisdescription,weletGbeanalgorithmthatoninput1krandomlychoosestwoprimesp0;q0asabovewithjp0j=jq0j=k.Also,forapositiverealnumberrwedenoteby[r]thesetf0;:::;brc1g.Keygeneration,G.Giventhesecurityparameter1k,useG(1k)toselecttworandomk-bitprimesp0;q0forwhichp=2p0+1andq=2q0+1arealsoprime,andsetn=pqandn0=p0q0.Chooserandomx;y2[n2=4]andarandomg02n2,andcomputeg=(g0)2n,h=gx,andd=gy.Thepublickeyispk=(n;g;h;d),thesecretkeyissk=(x;y),andtheauxiliaryinformationisz=n0.Encryption,E.Givenapublickeyasaboveandamessagem2[n],chooserandomr2[n=4],computeu=gr,e=\rmhr,andv=dr(allin2),andoutputtheciphertextc=hu;e;vi.Decryption,D.Givenaciphertexthu;e;viandsecretkey(x;y),checkwhetheru2y=v2;ifnot,output?.Then,set^m=(e=ux)n+1.If^m=1+mnforsomem2[n],thenoutputm;otherwise,output?.Correctnessfollows,sinceforavalidciphertexthu;e;viwehaveu2y=(gr)2y=d2r=v2,andalso(e=ux)n+1=(\rmhr=grx)n+1=(\rm)n+1=\rm=1+mn(usingforthethirdequalitythefactthattheorderof\risn).Fakeencryption,~F.Givenpk=(n;g;h;d)andsk=(x;y),chooseatrandomr2[n=4],compute~u=\r
gr,~e=~ux,and~v=~uy(allinn2),andoutputthe\fake"ciphertext~c=h~u;~e;~vi.Revealalgorithm,~R.Givenpk=(n;g;h;d),sk=(x;y),z=n0,a\fake"ciphertexth~u;~e;~viasabove,andamessagem2[n],proceedasfollows:UsingtheChineseRemainderTheoremandthefactthatgcd(n;n0)=1,ndtheuniquex02[nn0]satisfyingx0=xmodn0,andx0=xmmodn,andoutputthesecretkey~sk=(x0;y).Itcanbeveriedthatthesecretkey~skmatchesthepublickeypkandalsodecryptsthe\fake"ciphertexttotherequiredmessagem:Forthesecondcomponentythisisimmediateandsowefocusontherstcomponentx0.First,theorderofgdividesn0andsogx0=gx0modn0=gxmodn0=gx=h.Furthermore,usingalsothefactthattheorderof\rinn2isn,wehave~e~ux0n+1=\rxgrx\rx0grx0n+1=\rxx0modnn+1=\rm: Inthefullversionwedenethedecisionalcompositeresiduosityassumption(DCR)withrespecttoG(cf.[p99]),andshow:Theorem3.IftheDCRassumptionholdsforG,thentheaboveschemeisRNC-secure.5AFSEBasedonReceiverNon-CommittingEncryptionWedescribeaconstructionofanAFSEschemebasedonanysecureRNCEschemeandanyFSEschemesecureagainstchosen-ciphertextattacks.LetE0=(G0;E0;D0;~F;~R)beanRNCEscheme,andletE00=(G00;U00;E00;D00)beakey-evolvingencryptionscheme.ThemessagespaceofE0isD,andweassumethatciphertextsofE0belongtothemessagespaceofE00.Weconstructanewkey-evolvingencryptionschemeE=(G;U;E;D)withmessagespaceDasfollows:Keygeneration,G.Onsecurityparameter1k,runthekey-generationalgo-rithmsofbothschemes,setting(pk0;sk0;z) G0(1k)and(pk00;sk00) G00(1k).Thepublickeyis(pk0;pk00)andtheinitialsecretkeyis(sk0;sk00).(Theextrainformationzisignored.)Keyupdate,U.Thekey-updateoperationisderivedasonewouldexpectfromE00;namely:U(t;sk0;sk00t)=(sk0;U00(t;sk00t)).Encryption,E.Toencryptamessagem2Dattimet,rstcomputec0 E0(pk0;m)andthenc E00(pk00;t;c0).Theresultingciphertextisjustc.Decryption,D.Todecryptaciphertextc,setc0 D00(sk00;c)andthencom-putem D0(sk0;c0).Theorem4.IfE0isRNC-secure,andifE00isforward-secureagainstchosen-ciphertextattacks,thenthecombinedschemegivenaboveisanAFSEscheme.Weprovidesomeinformalintuitionbehindtheproofoftheabovetheorem.Themostinterestingscenariotoconsideriswhathappensuponplayercorrup-tion,whentheadversaryobtainsthesecretkeyforthecurrenttimeperiodt.Wemayimmediatelynotethatmessagesencryptedforpriortimeperiodsttre-mainsecret;thisfollowsfromtheFSEencryptionappliedatthe\outer"layer.Next,consideradaptivesecurityforthe(atmostone)outstandingciphertextwhichwasencryptedforsometimeperiodtt.Eventhoughtheadversarycan\stripo"theouterlateroftheencryption(becausetheadversarynowhasthesecretkeyfortimeperiodt),RNCsecurityoftheinnerlayerensuresthatasimulatorcanopentheinnerciphertexttoanydesiredmessage.Themainpointhereisthatthesimulatoronlyneedsto\fake"theopeningofoneinnercipher-text,andthusRNCsecuritysuces.(Still,sincethesimulatordoesnotknowinadvancewhatciphertextitwillneedtoopen,itactually\fakes"allinnerci-phertexts.)Chosen-ciphertextattacksaredealtwithusingthechosen-ciphertextsecurityoftheouterlayer,aswellasthedenitionofRNCsecurity(where\lunch-timesecurity"attheinnerlayerissucient).Also,wenotethatrevers-ingtheorderofencryptionsdoesnotwork:namely,usingRNCE(FSE(m))doesnotyieldadaptivesecurity,eveniftheRNCEschemeisfullyCCAsecure. Referencesaf04]M.AbeandS.Fehr.AdaptivelySecureFeldmanVSSandApplicationstoUniversally-ComposableThresholdCryptography.Crypto2004,LNCSvol.3152,pp.317{334,2004.Fullversionavailableateprint.iacr.org/2004/119.[a97]R.Anderson.TwoRemarksonPublicKeyCryptol-ogy.Invitedlecture,givenatACMCCCS'97.Availableathttp://www.cl.cam.ac.uk/ftp/users/rja14/forwardsecure.pdf.[b97]D.Beaver.PlugandPlayEncryption.Crypto1997,LNCSvol.1294,pp.75{89,1997.[bh92]D.BeaverandS.Haber.CryptographicProtocolsProvablySecureAgainstDynamicAdversaries.Eurocrypt1992,LNCSvol.658,pp.307{323,1992.[bdpr98]M.Bellare,A.Desai,D.Pointcheval,andP.Rogaway.RelationsamongNotionsofSecurityforPublic-KeyEncryptionSchemes.Crypto1998,LNCSvol.1462,pp.26{45,1998.[bb04]D.BonehandX.Boyen.EcientSelective-IDSecureIdentityBasedEncryp-tionWithoutRandomOracles.Eurocrypt2004,LNCSvol.3027,pp.223{238,2004.[cs03]J.CamenischandV.Shoup.PracticalVeriableEncryptionandDecryptionofDiscreteLogarithms.Crypto2003,LNCSvol.2729,pp.126{144,2003.[c01]R.Canetti.UniversallyComposableSecurity:ANewParadigmforCrypto-graphicProtocols.42ndIEEESymposiumonFoundationsofComputerSci-ence(FOCS),pp.136{145,2001.AlsoavailableasECCCTR01-16,orfromhttp://eprint.iacr.org/2000/067.[cfgn96]R.Canetti,U.Feige,O.Goldreich,andM.Naor.AdaptivelySecureCom-putation.28thACMSymposiumonTheoryofComputing(STOC),pp.639{648,1996.FullversioninMIT-LCS-TR#682,1996.[chk03]R.Canetti,S.Halevi,andJ.Katz.AForward-SecurePublic-KeyEncryptionScheme.Eurocrypt2003,LNCSvol.2656,pp.255{271,2003.Fullversionavailableathttp://eprint.iacr.org/2003/083.[chk04]R.Canetti,S.Halevi,andJ.Katz.Chosen-CiphertextSecurityfromIdentity-BasedEncryption.Eurocrypt2004,LNCSvol.3027,pp.207{222,2004.Fullversionavailableathttp://eprint.iacr.org/2003/182.[chk05]R.Canetti,S.Halevi,andJ.Katz.Adaptively-Secure,Non-InteractivePublic-KeyEncryption.Fullversionavailableathttp://eprint.iacr.org/2004/317.[ckn03]R.Canetti,H.Krawczyk,andJ.B.Nielsen.RelaxingChosenCiphertextSe-curity.Crypto2003,LNCSvol.2729,pp.565{582,2003.Fullversionavailableathttp://eprint.iacr.org/2003/174.[cs98]R.CramerandV.Shoup.APracticalPublicKeyCryptosystemProvablySe-cureAgainstChosenCiphertextAttack.Crypto1998,LNCSvol.1462,pp.13{25,1998.[cs02]R.CramerandV.Shoup.UniversalHashProofsandaParadigmforAdap-tiveChosenCiphertextSecurePublic-KeyEncryption.Eurocrypt2001,LNCSvol.2332,pp.45{63,2001.[dn00]I.DamgardandJ.B.Nielsen.ImprovedNon-CommittingEncryptionSchemesBasedonGeneralComplexityAssumptions.Crypto2000,LNCSvol.1880,pp.432{450,2000.[ddops01]A.DeSantis,G.DiCrescenzo,R.Ostrovsky,G.Persiano,andA.Sahai.RobustNon-InteractiveZeroKnowledge.Crypto2001,LNCSvol.2139,pp.566{598,2001. [ddn00]D.Dolev,C.Dwork,andM.Naor.Non-MalleableCryptography.SIAM.J.Computing30(2):391-437,2000.[gl03]R.GennaroandY.Lindell.AFrameworkforPassword-BasedAuthenticatedKeyExchange.Eurocrypt2003,LNCSvol.2656,pp.524{543,2003.Fullversionavailableathttp://eprint.iacr.org/2003/032.[gm84]S.GoldwasserandS.Micali.ProbabilisticEncryption.J.ComputerSystemSciences28(2):270-299,1984.[hms03]DennisHofheinz,JoernMueller-Quade,andRainerSteinwandt.OnModelingIND-CCASecurityinCryptographicProtocols.Availableathttp://eprint.iacr.org/2003/024.[jl00]S.JareckiandA.Lysyanskaya.AdaptivelySecureThresholdCryptography:IntroducingConcurrency,RemovingErasures.Eurocrypt2000,LNCSvol.1807,pp.221{242,2000.[ny90]M.NaorandM.Yung.Public-KeyCryptosystemsProvably-SecureagainstChosen-CiphertextAttacks.22ndACMSymposiumonTheoryofComputing(STOC),pp.427{437,1990.[n02]J.B.Nielsen.SeparatingRandomOracleProofsfromComplexityTheoreticProofs:TheNon-CommittingEncryptionCase.Crypto2002,LNCSvol.2442,pp.111{126,2002.[p99]P.Paillier.Public-KeyCryptosystemsBasedonCompositeDegreeResiduosityClasses.Eurocrypt1999,LNCSvol.1592,pp.223{238,1999.[rs91]C.RackoandD.Simon.Non-InteractiveZero-KnowledgeProofofKnowledgeandChosenCiphertextAttack.Crypto1991,LNCSvol.576,pp.433{444,1991.[s99]A.Sahai.Non-MalleableNon-InteractiveZeroKnowledgeandAdaptiveChosen-CiphertextSecurity.40thIEEESymposiumonFoundationsofComputerScience(FOCS),pp.543{553,1999.AKey-EvolvingandForward-SecureEncryptionWereviewthedenitionsofkey-evolvingandforward-secureencryptionschemesfrom[chk03].Denition3.A(public-key)key-evolvingencryption(ke-PKE)schemeisa4-tupleofpptalgorithms(Gen;Upd;Enc;Dec)suchthat:{ThekeygenerationalgorithmGentakesasinputasecurityparameter1kandthetotalnumberoftimeperiodsN.Itreturnsapublickeypkandaninitialsecretkeysk0.{ThekeyupdatealgorithmUpdtakesasinputpk,anindextNofthecurrenttimeperiod,andtheassociatedsecretkeyskt.Itreturnsthesecretkeyskt+1forthefollowingtimeperiod.{TheencryptionalgorithmEnctakesasinputpk,anindextNofatimeperiod,andamessageM.ItreturnsaciphertextC.{ThedecryptionalgorithmDectakesasinputpk,anindextNofthecurrenttimeperiod,theassociatedsecretkeyskt,andaciphertextC.ItreturnsamessageM.WerequirethatDec(skt;t;Enc(pkt;t;M))=Mholdsforall(pk;sk0)outputbyGen,alltimeperiodstN,allcorrectlygeneratedsktforthist,andallmessagesM. Denition4.Ake-PKEschemeisforward-secureagainstchosenplaintextat-tacks(fs-CPA)ifforallpolynomially-boundedfunctionsN(
),theadvantageofanypptadversaryinthefollowinggameisnegligibleinthesecurityparameter:Setup:Gen(1k;N(k))outputs(PK;SK0).TheadversaryisgivenPK.Attack:Theadversaryissuesonebreakin(i)queryandonechallenge(j;M0;M1)query,ineitherorder,subjectto0jiN.Thesequeriesareansweredasfollows:{Onquerybreakin(i),keySKiiscomputedviaUpd(PK;i1;


Upd(PK;0;SK0)


).Thiskeyisthengiventotheadversary.{Onquerychallenge(j;M0;M1),arandombitbisselectedandtheadversaryisgivenC=Enc(PK;j;Mb).Guess:Theadversaryoutputsaguessb02f0;1g;itsucceedsifb0=b.Theadversary'sadvantageistheabsolutevalueofthedierencebetweenitssuccessprobabilityand1=2.Forwardsecurityagainst(adaptive)chosen-ciphertextattacks(fs-CCAsecu-rity)isdenedbythenaturalextensionoftheabovedenitioninwhichthead-versaryisgivendecryptionoracleaccessduringboththe\Attack"and\Guess"stages.TheUCFramework,AbridgedWeprovideabriefreviewoftheuniversallycomposablesecurityframework[c01].Theframeworkallowsfordeningthesecuritypropertiesofcryptographictaskssothatsecurityismaintainedundergeneralcompositionwithanun-boundednumberofinstancesofarbitraryprotocolsrunningconcurrently.De-nitionsofsecurityinthisframeworkarecalleduniversallycomposable(UC).IntheUCframework,thesecurityrequirementsofagiventask(i.e.,thefunctionalityexpectedfromaprotocolthatcarriesoutthetask)arecapturedviaasetofinstructionsfora\trustedparty"thatobtainstheinputsofthepar-ticipantsandprovidesthemwiththedesiredoutputs(inoneormoreiterations).Informally,aprotocolsecurelycarriesoutagiventaskifrunningtheprotocolwitharealisticadversaryamountsto\emulating"anidealprocesswherethepartieshandtheirinputstoatrustedpartywiththeappropriatefunctionalityandobtaintheiroutputsfromit,withoutanyotherinteraction.ThenotionofemulationintheUCframeworkisconsiderablystrongerthanthatconsideredinpreviousmodels.Traditionally,themodelofcomputationin-cludesthepartiesrunningtheprotocolandanadversaryAthatcontrolsthecommunicationchannelsandpotentiallycorruptsparties.\Emulatinganidealprocess"meansthatforanyadversaryAthereshouldexistan\idealprocessadversary"(orsimulator)Sthatcausestheoutputsofthepartiesintheidealprocesstohavesimilardistributiontotheoutputsofthepartiesinanexecutionoftheprotocol.IntheUCframeworktherequirementonSismorestringent.Specically,anadditionalentity,calledtheenvironmentZ,isintroduced.Theenvironmentgeneratestheinputstoallparties,readsalloutputs,andinaddition interactswiththeadversaryinanarbitrarywaythroughoutthecomputation.AprotocolissaidtosecurelyrealizefunctionalityFifforany\real-life"ad-versaryAthatinteractswiththeprotocolandtheenvironmentthereexistsan\ideal-processadversary"S,suchthatnoenvironmentZcantellwhetheritisinteractingwithAandpartiesrunningtheprotocol,orwithSandpartiesthatinteractwithFintheidealprocess.Inasense,Zservesasan\interactivedistinguisher"betweenarunoftheprotocolandtheidealprocesswithaccesstoF.Thefollowinguniversalcompositiontheoremisprovenin[c01].ConsideraprotocolthatoperatesintheF-hybridmodel,wherepartiescancommunicateasusualandinadditionhaveidealaccesstoanunboundednumberofcopiesofthefunctionalityF.LetbeaprotocolthatsecurelyrealizesFassketchedabove,andletbeidenticaltowiththeexceptionthattheinteractionwitheachcopyofFisreplacedwithaninteractionwithaseparateinstanceof.Then,andhaveessentiallythesameinput/outputbehavior.Inparticular,ifsecurelyrealizessomefunctionalityIintheF-hybridmodelthensecurelyrealizesIinthestandardmodel(i.e.,withoutaccesstoanyfunctionality).B.1ThePublic-KeyEncryptionFunctionalityFpke(Thissectionistakenalmostverbatimfrom[ckn03].)WithintheUCframework,public-keyencryptionisdenedviathepublic-keyencryptionfunctionality,de-notedFpkeandpresentedinFigure2.FunctionalityFpkeisintendedtocapturethefunctionalityofpublic-keyencryptionand,inparticular,iswritteninawaythatallowsrealizationsconsistingofthreenon-interactivealgorithmswithoutanycommunication.(Thethreealgorithmscorrespondtothekeygeneration,encryption,anddecryptionalgorithmsintraditionaldenitions.)ReferringtoFigure2,wenotethatsidservesasauniqueidentierforaninstanceoffunctionalityFpke(thisisneededinageneralprotocolsettingwhenthisfunctionalitycanbecomposedwithothercomponents,orevenwithotherinstancesofFpke).Italsoencodestheidentityofthedecryptorforthisinstance.The\publickeyvalue"pkhasnoparticularmeaningintheidealscenariobeyondservingasanidentierforthepublickeyrelatedtothisinstanceofthefunction-ality,andthisvaluecanbechosenarbitrarilybytheattacker.Also,intheidealsettingciphertextsserveasidentiersortagswithnoparticularrelationtotheencryptedmessages(andassucharealsochosenbytheadversarywithoutknowl-edgeoftheplaintext).Still,rule1ofthedecryptionoperationguaranteesthat\legitimateciphertexts"(i.e.,thoseproducedandrecordedbythefunctionalityunderanEncryptrequest)aredecryptedcorrectly,whiletheresultantplaintextsremainunknowntotheadversary.Incontrast,ciphertextsthatwerenotlegiti-matelygeneratedcanbedecryptedinanywaychosenbytheideal-processad-versary.(Sincetheattackerobtainsnoinformationaboutlegitimately-encryptedmessages,weareguaranteedthatillegitimateciphertextswillbedecryptedtovaluesthatareindependentfromthesemessages.)Notethatthesameillegiti-mateciphertextcanbedecryptedtodierentvaluesindierentactivations.This FunctionalityFpkeFpkeproceedsasfollows,whenparameterizedbymessagedomainensembleD=fDkgk2Nandsecurityparameterk.KeyGeneration:Uponreceivingavalue(KeyGen;sid)fromsomepartyR,verifythatsid=(sid0;R).Ifnot,thenignoretheinput.Otherwise:1.Hand(KeyGen;sid)totheadversary.2.Receiveavaluepkfromtheadversary,andhandpktoR.3.IfthisistherstKeyGenrequest,recordRandpk.Encryption:UponreceivingfromsomepartyPavalue(Encrypt;sid;pk;m)proceedasfollows:1.Ifm=2DkthenreturnanerrormessagetoP.2.Ifm2Dkthenhand(Encrypt;sid;pk;P)totheadversary.(Ifpk6=pkorpkisnotyetdenedthenhandalsotheentirevaluemtotheadversary.)3.Receivea\ciphertext"cfromtheadversary,recordthepair(c;m),andsend(ciphertext,c)toP.(Ifpk6=pkorpkisnotyetdenedthendonotrecordthepair(c;m).)Decryption:Uponreceivingavalue(Decrypt;sid;c)fromR(andRonly),proceedasfollows:1.Ifthereisarecordedpair(c;m)thenhandmtoR.(Ifthereismorethanonesuchpairthenusetherstone.)2.Otherwise,handthevalue(Decrypt;sid;c)totheadversary.Whenre-ceivingavaluem0fromtheadversary,handm0toR.Fig.2.Thepublic-keyencryptionfunctionality,Fpkeprovisionallowsthedecryptionalgorithmtobenon-deterministicwithrespecttociphertextsthatwerenotlegitimatelygenerated.AnothercharacteristicofFpkeisthat,whenactivatedwithaKeyGenrequest,italwaysrespondswithan(adversarially-chosen)encryptionkeypk0.Still,onlytherstkeytobegeneratedisrecorded,andonlymessagesthatareencryptedwiththatkeyareguaranteedtoremainsecret.Messagesencryptedwithotherkeysaredisclosedtotheadversaryinfull.Thismodelingrepresentsthefactthatasinglecopyofthefunctionalitycapturesthesecurityrequirementsofonlyasingleinstanceofapublic-keyencryptionscheme(i.e.,asinglepairofencryptionanddecryptionkeys).Otherkeysmayprovidecorrectencryptionanddecryption,butdonotguaranteeanysecurity(see[ckn03]forfurtherdiscussionaboutpossiblealternativeformulationsofthefunctionality).