Summary: The key-dependent message (KDM) security requires that an encryption scheme remains secure, even if an adversary has access to encryptions of messages that depend on the secret key. In a multi-user surrounding, a key-dependent message can be any polynomial-time function \(f(sk _{1}, sk _{2}, \cdots , sk _{n })\) in the secret keys of the users. The key-dependent message chosen-ciphertext (KDM-CCA2) security can be similarly defined if the adversary is also allowed to query a decryption oracle. To date, KDM security has been obtained by a few constructions. But most of them are limited \(f(sk _{1}, sk _{2}, \cdots , sk _{n })\) to affine functions. As to KDM-CCA2 security, there are only two constructions available. However, neither of them has comparable key sizes and reasonable efficiency, compared to the traditional KDM-free but CCA2 secure public key encryption schemes. This article defines a new function ensemble, and shows how to obtain KDM-CCA2 security with respect to this new ensemble from the traditional Cramer-Shoup (CS) cryptosystem. To obtain KDM security, the CS system has to be tailored for encryption of key-dependent messages. We present an efficient instantiation of the Cramer-Shoup public-key encryption (CS-PKE) scheme over the subgroup of quadratic residues in \(\mathbb{Z}_p^*\), where \(p\) is a safe prime, and prove the CS-PKE to be KDM-CCA2 secure with respect to the new function ensemble. We show that our proposed ensemble covers some affine functions, as well as other functions that are not contained in the affine ensemble. At the same time, the CS-PKE scheme with respect to our proposed function ensemble finds immediate application to anonymous credential systems. Compared to other KDM-CCA2 secure proposals, the CS scheme is the most practical one due to its short ciphertext size and computational efficiency.
For the entire collection see [Zbl 1264.94003].