1 Introduction

Threshold public-key encryption. TPKE [1, 2, 3, 4] distributes the decryption power among many servers so that any set of servers meeting the threshold can decrypt ciphertexts, while any probabilistic polynomial-time (PPT) adversary corrupting fewer than the threshold number of servers learns nothing about the message. TPKE is useful in its own right, and it is also an important building block for other cryptographic primitives, such as mix-nets (anonymous channels) [5] and public-key encryption with non-interactive opening [6, 7].
Designing generic constructions of TPKE has proved to be a highly non-trivial task. Dodis and Katz [8] gave a generic construction of TPKE from the multiple-encryption technique. Wee [9] introduced a new primitive called threshold extractable hash proofs and presented a generic construction of TPKE from it. However, both of the above constructions are only secure under the static corruption model, where the adversary fixes the servers it will corrupt before the scheme is set up. Following the work of Wee [9], Libert and Yung [10] introduced a primitive named all-but-one perfectly sound threshold hash proof systems, from which they gave a generic construction of TPKE under the adaptive corruption model, where the adversary can corrupt servers at any time. This result is important since the adaptive adversary is known to be strictly stronger than the static one [11, 12]. But they only showed concrete instantiations under number-theoretic assumptions in bilinear groups, which are vulnerable to quantum attacks. Recently, lattices have been recognized as a viable foundation for quantum-resistant cryptography. Bendlin and Damgård [13] gave the first lattice-based TPKE, based on a variant of Regev's scheme [14]. Xie et al. [15] designed the first chosen-ciphertext secure (IND-CCA) TPKE under the LWE assumption. However, both of these TPKEs are only statically secure, and the size of the public key and the ciphertext is at least linear in the number of servers. Bendlin et al. [16] converted identity-based encryption (IBE) [17] into a threshold one, which can be transformed into a TPKE via the generic transformation in [18]. However, their scheme needs the parties to perform a large amount of interactive precomputation in an offline phase. In summary, the state of the art in TPKE is not entirely satisfactory. On one hand, existing generic constructions of TPKE are designed in the limited static corruption model, which fails to capture realistic attacks. On the other hand, most existing TPKE schemes are based on number-theoretic assumptions which are insecure against quantum attacks.

Revocation public-key encryption. RPKE [19, 20, 9] enables a sender to broadcast ciphertexts such that all but a set of revoked users can decrypt. It is a special kind of broadcast encryption [21], which enables a sender to encrypt messages and transmit the ciphertexts to users over a broadcast channel so that only the chosen users can decrypt them. RPKE has numerous applications, including pay-TV systems, streaming audio/video and many others.
Naor and Pinkas [19] considered the following scenario: a group controller (GC) controls the decryption capabilities of users. If a subgroup of users is to be denied decryption, the GC generates a new key which is made known to the remaining users and is used for encryption in further group communication. Under this model they constructed an RPKE scheme under the DDH assumption. Unlike the scenario of [19], Dodis and Fazio [20] designed an RPKE in which every user who knows the revoked identities can encrypt messages and every non-revoked user can decrypt ciphertexts; they constructed an IND-CCA RPKE under the DDH assumption. Wee [9] presented a generic construction of RPKE in the static corruption model and instantiated it under the DDH assumption and the factoring assumption respectively. However, all of the aforementioned schemes are designed under number-theoretic assumptions which are insecure against quantum attacks.
1.1 Motivations
A central goal in cryptography is to construct cryptosystems in strong security models that capture as many realistic attacks as possible. Another goal is to build cryptosystems under intractability assumptions which are as general as possible; in this way, the underlying assumption can be replaced if it turns out to be vulnerable to a new attack or if another assumption yields better performance. Therefore, generic constructions of TPKE and RPKE in the stronger adaptive corruption model are advantageous. Meanwhile, with the development of quantum computers, designing quantum-resistant TPKE and RPKE is also necessary. Last but not least, constructing several cryptosystems from the same cryptographic primitive brings additional advantages such as reducing the footprint of cryptographic code and easing integration into systems.
Motivated by the above discussion, we ask the following questions:
Can we construct TPKE and RPKE under the adaptive corruption model from a single cryptographic primitive? Can we instantiate this primitive based on quantum-resistant assumptions?
1.2 Our Contributions
We introduce a cryptographic primitive named threshold trapdoor function (TTDF), and derive generic constructions of TPKE and RPKE under the adaptive corruption model from it. Along the way to instantiating TTDF, we propose a notion called threshold lossy trapdoor function (TLTDF) and prove that TTDF is implied by TLTDF, while the latter can be instantiated based on the DDH assumption and the LWE assumption. Moreover, we show a relaxation of TTDF called threshold trapdoor relation (TTDR), which supports the same applications to TPKE and RPKE and admits a more efficient instantiation based on the DDH assumption. An overview of the constructions of this work is given in Figure 1.

Threshold Trapdoor Function. Informally, a TTDF is a threshold version of a trapdoor function. It is parameterized by the threshold value and the number of identities . The TTDF splits the master trapdoor into shared trapdoors which can be transmitted securely to the users. Every user who holds a shared trapdoor can compute an inversion share. Then, by collecting a threshold number of inversion shares, the combiner can recover the preimage. In particular, from a threshold number of inversion shares it can even compute any other inversion share (a threshold number of shares determines all shares). We formalize a security notion for TTDF, namely threshold one-wayness, which requires that the function remains hard to invert even if the adversary can adaptively obtain fewer than the threshold number of shared trapdoors.

TPKE from TTDF. TTDF gives rise to a simple construction of TPKE. The public key consists of an injective trapdoor function index , and the master secret key consists of the master trapdoor . The sharing algorithm splits the master secret key into shared secret keys. Given a message , the encryption algorithm chooses a random input and outputs the ciphertext , consisting of the function value together with the message masked by the output of a hard-core function on the input. The decryption algorithm uses a shared secret key to compute a decryption share. The combining algorithm retrieves the input upon receiving at least a threshold number of decryption shares, and then extracts the message . Moreover, threshold one-wayness prevents any PPT adversary who adaptively obtains fewer than the threshold number of shared secret keys from decrypting the ciphertext.

RPKE from TTDF. TTDF also gives rise to a simple construction of RPKE. The public key consists of an injective trapdoor function index , and the master secret key consists of the master trapdoor . The sharing algorithm splits the master secret key into shared secret keys. To encrypt a session key , the encryption algorithm chooses a random input , evaluates the function on it, and computes the inversion shares , corresponding to the revoked secret keys , , ; it then outputs the ciphertext containing the function value, these inversion shares and the masked session key. The decryption algorithm takes any non-revoked secret key, computes its own inversion share, combines it with the revoked users' shares to retrieve , and then extracts the session key . Moreover, threshold one-wayness ensures that no PPT adversary can decrypt the ciphertext without a non-revoked secret key.

Instantiation. Along the way to instantiating TTDF, we introduce the notion of TLTDF, a threshold version of the lossy trapdoor function (LTDF) [22]. Informally, an LTDF has two modes. In the injective mode, it is an injective trapdoor function. In the lossy mode, it statistically loses a significant amount of information about its input. The two modes are computationally indistinguishable. In a TLTDF, in both modes the master trapdoor can be split into many shared trapdoors and every shared trapdoor can be used to compute an inversion share. In the injective mode, any threshold number of inversion shares can be used to recover the preimage. Moreover, no PPT adversary can distinguish the two modes, even if it can adaptively obtain fewer than the threshold number of shared trapdoors.
We prove that TTDF is implied by TLTDF, and that the latter can be instantiated under the DDH assumption and the LWE assumption respectively. A DDH-based TLTDF is easy to design, while building an LWE-based TLTDF is a non-trivial task. Intuitively, we transform the inversion algorithm of the LTDF into a threshold version by using a threshold secret sharing scheme [23]. Every user gets a shared trapdoor , , and computes the inversion share . The combiner then obtains a threshold number of inversion shares, computes the Lagrange coefficients for the identity set of size , and recombines the shares by computing
Unfortunately, choosing identities in a large identity space causes the norm of the error terms to grow out of control and prevents correct inversion. To resolve this problem, we take advantage of the technique of "clearing out the denominator" [24, 25, 26]. Since the Lagrange coefficients are rational numbers and the identities are chosen from a fixed set , we can scale them to integers by multiplying by a common multiple of their denominators, computing . By instantiating appropriate parameters, we prove that the error terms remain bounded, which does not affect the correctness of inversion.

Optimization. We show a relaxation of TTDF called TTDR. Informally, TTDR replaces the evaluation algorithm of TTDF with a relation sampling algorithm which generates a random input together with its image under a function, while the function itself need not be efficiently computable. We also formalize a security notion for TTDR, again called threshold one-wayness, which requires that the relation is hard to invert even if the adversary can adaptively obtain fewer than the threshold number of shared trapdoors.
Similarly to instantiating TTDF from TLTDF, we instantiate TTDR by introducing the notion of threshold lossy trapdoor relation (TLTDR), which is a threshold version of the lossy trapdoor relation (LTDR) [27]. (We give a refined definition of LTDR in Section 8, which is simpler and more intuitive than the one introduced in [27].) We prove that TTDR is naturally implied by TLTDR. Moreover, we instantiate TLTDR based on the DDH assumption to obtain an instantiation of TTDR which is more efficient than our TTDF.
2 Preliminaries
2.1 Notations
We denote the natural numbers by , the integers by , and the real numbers by . We use lowercase bold letters and uppercase bold letters to denote vectors and matrices (e.g. and ). Let and denote the transposes of the vector and the matrix . For , denotes the string of ones, and denotes the set . We use standard asymptotic notation to denote the growth of positive functions. We denote a negligible function by , which is a function such that for every fixed constant , and we let denote an unspecified function for some constant . If is a set, then denotes the operation of sampling an element of uniformly at random. Let and be two random variables over some countable set . The statistical distance between and is defined as
2.2 Assumptions

DDH Assumption. The generation algorithm Gen takes in a security parameter and outputs , where is a prime, is a cyclic group of order and is a generator of .
The DDH assumption [28] is that the ensembles and are computationally indistinguishable, where , and .

LWE Assumption. Let be the dimension of the lattice, an integer, and let all operations be performed in . For an error distribution , an integer dimension and a vector , is the distribution on of the variable , where and .
The LWE assumption is that independent samples from the LWE distribution for some secret and independent samples from the uniform distribution on are computationally indistinguishable. For Gaussian (normal) error distributions, the LWE problem is as hard as worst-case lattice problems [14].
2.3 Randomness Extraction
We use the notion of average minentropy [29], that captures the remaining unpredictability of conditioned on the value of :
We review the following useful lemmas from [29].
Lemma 1
If takes at most values and is any random variable, then .
Lemma 2
Let , be random variables such that and . Let be a family of pairwise independent hash functions from to . Then for , we have
as long as .
2.4 Threshold Secret Sharing
We now recall the threshold secret sharing scheme [23]. Let be a finite field, . Let be distinct, non-zero elements that are fixed and publicly known. The scheme works as follows:

: On input a secret and any identity , it chooses uniformly at random and defines the polynomial . This is a uniformly random polynomial of degree with constant term . The share of user is .

: On input any identities and the associated shares , it uses polynomial interpolation to compute the unique polynomial of degree for which . The combining algorithm outputs the secret .

Correctness. The combining algorithm works because any threshold number of shares determines the polynomial, and hence the secret.
By the Lagrange interpolation formula, given any threshold number of points , , we can compute any other point , , (a threshold number of points determines all points), and the secret is the special point .

Security. The sharing algorithm has perfect privacy: any set of fewer than the threshold number of users learns nothing about the secret from their shares. For any such users with identities and for any secret (namely, ), the distribution of their shares of is identical to that of independently uniform values.
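As an added example, not part of the paper, the following Python code implements the threshold sharing scheme recalled above over a prime field: sharing, reconstruction from any threshold number of shares, Lagrange interpolation of another user's share from a qualifying set (the observation that a threshold number of points determines all points), and a check of perfect privacy that extends fewer-than-threshold shares to a full sharing of an arbitrary secret. The field modulus, the identities and the threshold are toy choices of this example.

```python
# Added example, not from the paper: Shamir threshold secret sharing over a
# prime field.  The modulus, threshold and identities are toy choices here.
import secrets

P = 2**127 - 1  # prime field modulus (assumption: toy choice)


def share(secret, t, identities, p=P):
    """Split `secret` among `identities` (distinct, non-zero) with threshold t.
    f is a uniformly random polynomial of degree t-1 with f(0) = secret."""
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]

    def f(x):
        return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p

    return {i: f(i) for i in identities}


def lagrange_coeff(i, ids, x, p=P):
    """L_i(x) = prod_{j != i} (x - j) / (i - j), computed in the field Z_p."""
    num, den = 1, 1
    for j in ids:
        if j != i:
            num = num * (x - j) % p
            den = den * (i - j) % p
    return num * pow(den, -1, p) % p


def interpolate(points, x, p=P):
    """Evaluate at x the unique polynomial of degree < len(points)
    passing through the given {identity: value} points."""
    ids = list(points)
    return sum(points[i] * lagrange_coeff(i, ids, x, p) for i in ids) % p


def reconstruct(shares, p=P):
    """Combine: the secret is the special point f(0)."""
    return interpolate(shares, 0, p)


def other_share(shares, identity, p=P):
    """Any t shares determine the whole polynomial, hence every other
    user's share, without writing f down explicitly."""
    return interpolate(shares, identity, p)


def extend(partial, guessed_secret, identities, p=P):
    """Perfect privacy: t-1 shares are consistent with *every* secret.
    Return a full sharing that agrees with `partial` on the given identities
    and encodes `guessed_secret`; the holders cannot tell which is real."""
    points = dict(partial)
    points[0] = guessed_secret % p
    return {i: interpolate(points, i, p) for i in identities}


if __name__ == "__main__":
    ids = [1, 2, 3, 4, 5]
    sh = share(424242, 3, ids)
    print(reconstruct({i: sh[i] for i in (2, 4, 5)}))             # 424242
    print(other_share({i: sh[i] for i in (1, 2, 5)}, 3) == sh[3])  # True
    fake = extend({1: sh[1], 2: sh[2]}, 7, ids)
    print(reconstruct({i: fake[i] for i in (1, 2, 3)}))            # 7
```

The `extend` function is the perfect-privacy argument made executable: two shares together with any candidate secret pin down a degree-2 polynomial, so the two shares are equally consistent with every secret in the field.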
Lemma 3
([26], Lemma 2.2). For any identities , the product is an integer, and .
2.5 Threshold Encryption
We now recall the definition of TPKE from [9]. A TPKE consists of four algorithms as follows:

: On input the security parameter , the key generation algorithm outputs a public key and a secret key .

: On input the public key and a message , the encryption algorithm outputs a ciphertext .

: On input a shared secret key and the ciphertext , the decryption algorithm outputs a decryption share .

: On input any decryption shares and the ciphertext , the combining algorithm outputs the message .

Correctness. For any message , , and any decryption shares , we have .

Security. Let be a PPT adversary against the IND-CPA security of the TPKE scheme with adaptive corruption. Its advantage function is defined as
Here, denotes an oracle that, given any identity , computes a fresh ciphertext using and returns the decryption share . This captures that the adversary may obtain decryption shares of fresh encryptions of known messages. The TPKE scheme is IND-CPA secure if for every PPT adversary the advantage function is negligible.
2.6 Revocation Encryption
We recall the definition of RPKE from [19]. A RPKE consists of four algorithms as follows:

: On input the security parameter , and the revocation threshold , the key generation algorithm outputs a public key and a master secret key .

: On input the master secret key and a new identity associated with the user, the registration algorithm outputs the shared secret key .

: On input the public key , a set of revoked users (with ), which contains the identities and shared secret keys of the revoked users, and a session key , the encryption algorithm outputs a ciphertext .

: On input a shared secret key of user and the ciphertext , the decryption algorithm outputs the session key , provided that user was not revoked when was constructed.

Correctness. For any , , , any , and any set , , we require that for any non-revoked secret key , .

Security. Let be a PPT adversary against the IND-CPA security of the RPKE scheme with adaptive corruption. Its advantage function is defined as
The RPKE scheme is IND-CPA secure if for every PPT adversary the advantage function is negligible.
3 Threshold Trapdoor Function
We give the definition and the security of TTDF as follows.
Definition 1
A collection of TTDFs is a tuple of polynomial-time algorithms defined as follows:

: On input the security parameter , the generation algorithm outputs a function index and a master trapdoor .

: On input the master trapdoor and any identity , the sharing algorithm outputs the shared trapdoor .

: On input the function index and , the evaluation algorithm outputs .

: On input any shared trapdoor and the value , the partial inversion algorithm outputs the inversion share .

: On input , , any inversion shares of the image of , and identity , the combining inversion algorithm outputs the inversion share of identity .

: On input any inversion shares and the value , the combining algorithm outputs .
Note that the generation algorithm is probabilistic, while the remaining five algorithms are deterministic. If a value is not in the image of the function, the behaviour of the partial inversion algorithm and the combining algorithm on it is unspecified.

Correctness. For any , , , , , we require that for any shared trapdoors , , , we have

Security. Let be a PPT adversary against TTDF and define its advantage function as
If for every PPT adversary the advantage function is negligible, the TTDF is threshold one-way.
3.1 Connection to Function Sharing
De Santis et al. [2] introduced the notion of function sharing (FS), parameterized by the threshold value and the number of identities . FS splits the master trapdoor into shared trapdoors, where is a fixed polynomial in the security parameter. The function is easy to invert given a threshold number (at least out of ) of shared trapdoors, while no PPT adversary can invert the function even if it obtains fewer than the threshold number of shared trapdoors together with a history tape containing partial inversion shares of polynomially many random images. They then constructed threshold cryptosystems based on FS and instantiated it under the RSA assumption. However, the number of identities of their FS and TPKE is limited to a fixed polynomial in the security parameter.
In this paper, we propose the notion of TTDF, which differs from FS in the number of identities it supports. In TTDF, the generation algorithm and the sharing algorithm are independent of the number of identities, and the total number of identities can be exponential. Therefore, TTDF implies FS. TTDF also has an additional combining inversion algorithm which, given the function index , any preimage and a threshold number of inversion shares of the image of , can compute the inversion share of any other identity. Therefore, TTDF can be used to construct the TPKE scheme of [9] which supports ad-hoc groups (i.e., an exponential number of identities, with the generation algorithm independent of the total number of identities): the reduction, which holds only the corrupted shared trapdoors (fewer than the threshold), can still answer the decryption-share oracle for every identity.
4 Threshold Encryption from TTDF
Let be a TTDF and be a hard-core function. We construct a TPKE as follows:

: On input the security parameter , the generation algorithm runs and outputs a public key and a master secret key .

: On input the master secret key and any identity , the sharing algorithm runs and outputs the shared secret key .

: On input the public key and a message , the encryption algorithm chooses , computes , , and outputs the ciphertext .

: On input a secret key and a ciphertext , the decryption algorithm computes , and outputs a decryption share .

: On input any decryption shares and the ciphertext , the combining algorithm computes , . It outputs the message .
Theorem 4.1
If the TTDF is threshold oneway, then the TPKE is INDCPA secure.
Proof
We define two hybrid experiments , .

: The game is identical to the IND-CPA experiment. At the beginning, the challenger runs to obtain and , and sends to . chooses any identities to corrupt (fewer than the threshold). The challenger then runs the sharing algorithm to obtain and sends them to . may choose any message and any identity and query the oracle polynomially many times, obtaining the decryption share , where is the shared secret key of identity . Upon receiving the messages , from , the challenger chooses at random and returns to . retains access to the oracle . At the end of the game, outputs as its guess of . If , wins the game; otherwise it fails.

: The game is identical to , except that when the challenger generates the challenge ciphertext , it replaces with a uniformly random string.
For , let be the probability that outputs the bit when executed in . We claim that if there is an adversary against the TPKE such that is non-negligible, then we can construct a distinguisher against the hard-core function. On input , where is a function index, with , and is either or a random string, works as follows:
runs on input and gets the identities output by .

chooses these identities to corrupt and obtains the associated shared trapdoors , which it forwards to . may choose any message and any identity and query the oracle . To answer such a query, chooses uniformly at random from the domain, computes the fresh ciphertext , computes the inversion shares of the corrupted identities with their shared trapdoors, derives the decryption share of identity from , and these shares via the combining inversion algorithm, and returns it to . Upon receiving two messages , from , chooses at random, lets , , and returns to . retains access to the oracle , which continues to simulate as above. Finally outputs whatever outputs.

if , returns "1" to denote that is the output of the hard-core function; otherwise it returns "0" to denote that is a random string.
The distinguisher gives a perfect simulation of either or , so the advantage of is non-negligible, which contradicts the threshold one-wayness of the TTDF on which the hard-core function relies. Therefore, .
Finally, in the output of the hard-core function has been replaced with a random string, so . We have:
Therefore, the TPKE is INDCPA secure.
5 Revocation Encryption from TTDF
Let be a TTDF and be a hard-core function. We construct an RPKE as follows:

: On input the security parameter , the generation algorithm runs and outputs a public key and a master secret key .

: On input the master secret key and any identity , the registration algorithm runs and outputs the shared secret key .

: On input the public key , a set of revoked secret keys and a session key , the encryption algorithm chooses , computes , and . It outputs the ciphertext .

: On input a secret key and a ciphertext , the decryption algorithm computes , , , , , and . It outputs the session key .
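As an added example, not part of the paper, the following Python code instantiates five of the six TTDF algorithms (all but the combining inversion algorithm) with a toy threshold RSA inversion in the style of Shoup's threshold RSA: the exponent d is Shamir-shared over Z_M and the rational Lagrange coefficients are scaled by Delta = N! to integers, the same "clearing out the denominator" idea as Lemma 3 and Section 1.2. It then runs the generic TPKE construction of Section 4 and the RPKE construction of Section 5 on top of it. The RSA parameters, the hash standing in for the hard-core function, and the identity space [1, 5] are assumptions of this example; the paper's own instantiations are DDH- and LWE-based.

```python
# Added example, not from the paper: a toy TTDF from RSA inversion with a
# Shamir-shared exponent (Shoup-style threshold RSA; the paper's own
# instantiations are DDH/LWE-based) run through the generic TPKE and RPKE
# constructions of Sections 4 and 5.  Parameters are deliberately tiny.
from math import factorial, gcd
import hashlib, secrets

PP, QQ = 11, 23                      # safe primes p = 2*PP+1, q = 2*QQ+1
N_MOD = (2 * PP + 1) * (2 * QQ + 1)  # 23 * 47 = 1081
M = PP * QQ                          # 253; y^(2M) = 1 for every y in Z_N^*
E = 7                                # prime exponent > number of identities
N_IDS = 5
DELTA = factorial(N_IDS)             # 120: clears every Lagrange denominator


def gen():
    """Function index (N, e) and master trapdoor d with e*d = 1 mod M."""
    return (N_MOD, E), pow(E, -1, M)


def share_trapdoor(d, t, identities):
    """Shamir-share d over Z_M with threshold t (f has degree t-1, f(0)=d)."""
    coeffs = [d] + [secrets.randbelow(M) for _ in range(t - 1)]
    return {i: sum(c * i**k for k, c in enumerate(coeffs)) % M
            for i in identities}


def evaluate(pk, x):
    return pow(x, pk[1], pk[0])      # y = f(x) = x^e mod N, injective on Z_N^*


def partial_invert(pk, d_i, y):
    # inversion share y^(2*Delta*d_i); the 2*Delta lets mod-M arithmetic lift to Z
    return pow(y, 2 * DELTA * d_i, pk[0])


def int_lagrange(i, ids, x=0):
    """Delta * L_i(x): the rational Lagrange coefficient scaled to an integer
    ("clearing out the denominator"), so no inverse mod M is ever needed."""
    num, den = 1, 1
    for j in ids:
        if j != i:
            num *= x - j
            den *= i - j
    assert (DELTA * num) % den == 0  # den divides N_IDS! for ids in [1, N_IDS]
    return DELTA * num // den


def egcd(a, b):
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def combine(pk, shares, y):
    """Recover x from any t inversion shares {identity: share}."""
    n, e = pk
    ids = list(shares)
    w = 1                            # becomes y^(2*Delta^2*d) = x^(2*Delta^2)
    for i in ids:
        w = w * pow(shares[i], int_lagrange(i, ids), n) % n
    e2 = 2 * DELTA**2                # gcd(e, e2) = 1 because e is prime > N_IDS
    _, a, b = egcd(e2, e)            # a*e2 + b*e = 1
    return pow(w, a, n) * pow(y, b, n) % n   # x^(a*e2) * x^(b*e) = x


def hc(x, nbytes):
    # hard-core function modelled by a hash (assumption of this example)
    return hashlib.sha256(b"hc|" + x.to_bytes(8, "big")).digest()[:nbytes]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def random_input(n):
    while True:
        x = secrets.randbelow(n - 2) + 2
        if gcd(x, n) == 1:
            return x


# TPKE from TTDF (Section 4): ct = (f(x), m xor hc(x)); any t shares decrypt
def tpke_encrypt(pk, msg):
    x = random_input(pk[0])
    return evaluate(pk, x), xor(msg, hc(x, len(msg)))


def tpke_dec_share(pk, sk_i, ct):
    return partial_invert(pk, sk_i, ct[0])


def tpke_combine(pk, dec_shares, ct):
    return xor(ct[1], hc(combine(pk, dec_shares, ct[0]), len(ct[1])))


# RPKE from TTDF (Section 5): threshold r+1; the r revoked users' inversion
# shares travel in the ciphertext, so one non-revoked share completes the set
def rpke_encrypt(pk, revoked, key):
    x = random_input(pk[0])
    y = evaluate(pk, x)
    rev = {i: partial_invert(pk, sk, y) for i, sk in revoked.items()}
    return y, rev, xor(key, hc(x, len(key)))


def rpke_decrypt(pk, ident, sk_i, ct):
    y, rev, c = ct
    if ident in rev:                 # a revoked user holds only r shares
        return None
    shares = dict(rev)
    shares[ident] = partial_invert(pk, sk_i, y)
    return xor(c, hc(combine(pk, shares, y), len(c)))
```

The revocation argument is visible in `rpke_decrypt`: a revoked user's own inversion share duplicates one already published in the ciphertext, so it holds only r distinct shares against a threshold of r + 1, which is exactly what threshold one-wayness forbids it from completing. The `int_lagrange` assertion is the executable form of Lemma 3: for identities drawn from [1, N_IDS], every denominator divides N_IDS!, so the scaled coefficients are integers and no division modulo M (which is not prime) is ever required.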
Theorem 5.1
If the TTDF is threshold oneway, then the RPKE is INDCPA secure.
Proof
We define two hybrid experiments , .

: The game is identical to the IND-CPA experiment. At the beginning, the challenger runs and gives to the adversary , which chooses any identities to corrupt. The challenger runs the registration algorithm to generate and gives them to . Upon receiving two session keys , from , the challenger chooses at random and returns to . At the end of the game, outputs as its guess of . If , wins the game; otherwise it fails.

: The game is identical to , except that when the challenger generates the challenge ciphertext , it replaces with , where is a random string.
For , let be the probability that outputs the bit when executed in . We claim that if there is an adversary such that is non-negligible, then we can construct a distinguisher against the hard-core function. On input , where is a function index, with , and is either or a random string, works as follows:

runs on input and gets the identities output by .

chooses these identities to corrupt and obtains the associated trapdoors, then runs on these trapdoors and obtains two session keys , . chooses at random, lets , , computes the inversion shares of the corrupted (revoked) identities from and their trapdoors, returns the ciphertext to , and gets the bit output by .

if , returns "1" to denote that is the output of the hard-core function; otherwise it returns "0" to denote that is a random string.
The distinguisher gives a perfect simulation of either or , so the advantage of is non-negligible, which contradicts the threshold one-wayness of the TTDF on which the hard-core function relies. Therefore, .
Finally, in the output of the hard-core function has been replaced with a random string, so . We have:
Therefore, the RPKE is INDCPA secure.
6 Threshold Lossy Trapdoor Function
Let denote the input length of the function, and let and denote the lossiness and the residual leakage, respectively. We often omit the dependence on .
Definition 2
A collection of TLTDFs is a tuple of polynomial-time algorithms defined as follows. For notational convenience, the sampling algorithm samples the injective mode and samples the lossy mode.

: On input the security parameter , the sampling algorithm outputs a function index and a master trapdoor .

: On input the security parameter , the sampling algorithm outputs a function index and a master trapdoor .

: On input the master trapdoor and any identity , in both modes the sharing algorithm outputs the shared trapdoor .

: On input the function index and , in both modes the evaluation algorithm outputs , but in the lossy mode the image of has size at most .

: On input any shared trapdoor , and the value , the partial inversion algorithm outputs an inversion share .

: On input , , any inversion shares of the image of , and identity , the combining inversion algorithm outputs the inversion share of identity .
