Paper 2009/101

Encryption Schemes Secure under Selective Opening Attack

Mihir Bellare and Scott Yilek


We provide the first public key encryption schemes proven secure against selective opening attack (SOA). This means that if an adversary obtains a number of ciphertexts and then corrupts some fraction of the senders, obtaining not only the corresponding messages but also the coins under which they were encrypted then the security of the other messages is guaranteed. Whether or not schemes with this property exist has been open for many years. Our schemes are based on a primitive we call lossy encryption. Our schemes have short keys (public and secret keys of a fixed length suffice for encrypting an arbitrary number of messages), are stateless, are non-interactive, and security does not rely on erasures. The schemes are without random oracles, proven secure under standard assumptions (DDH, Paillier’s DCR, QR, lattices), and even efficient. We are able to meet both an indistinguishability (IND-SOA-C) and a simulation-style, semantic security (SS-SOA-C) definition.

Note: Updated full version.

Available format(s)
Publication info
Published elsewhere. A preliminary version of this paper appears as part of our Eurocrypt 2009 paper with Dennis Hofheinz
encryptionselective openinglossy trapdoor functionsDDH
Contact author(s)
syilek @ stthomas edu
2012-09-23: last of 2 revisions
2009-03-02: received
See all versions
Short URL
Creative Commons Attribution


      author = {Mihir Bellare and Scott Yilek},
      title = {Encryption Schemes Secure under Selective Opening Attack},
      howpublished = {Cryptology ePrint Archive, Paper 2009/101},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.