In this work, we explore the possibility of achieving PKE schemes with receiver selective opening (RSO) security in the multi-challenge setting. Our contributions are threefold. First, we demonstrate that PKE schemes with RSO security in the single-challenge setting are not necessarily RSO secure in the multi-challenge setting. Then, we show that it is impossible to achieve RSO security for PKE schemes if the number of challenge ciphertexts under each public key is a priori unbounded. In particular, we prove that no PKE scheme can be RSO secure in the k-challenge setting (i.e., the adversary can obtain k challenge ciphertexts for each public key) if its secret key contains fewer than k bits. On the positive side, we give a concrete construction of a PKE scheme with RSO security in the k-challenge setting, where the ratio of the secret key length to k approaches the lower bound 1.
Category / Keywords: public-key cryptography / Public Key Encryption, Selective Opening Security, Receiver Selective Opening
Original Publication (with minor differences): IACR-ASIACRYPT-2020
Date: received 8 Sep 2020
Contact author: orbbyrp at gmail com
Version: 20200909:064717
Short URL: ia.cr/2020/1080