Simulation-Based Receiver Selective Opening CCA Secure PKE from Standard Computational Assumptions

In the situation where there are one sender and multiple receivers, a receiver selective opening (RSO) attack for a public key encryption (PKE) scheme considers adversaries that can corrupt some of the receivers and get their secret keys and plaintexts. Security against RSO attacks for a PKE scheme ensures confidentiality of ciphertexts of uncorrupted receivers. Simulation-based RSO security against chosen ciphertext attacks (SIM-RSO-CCA) is the strongest security notion in all RSO attack scenarios. Jia, Lu, and Li (INDOCRYPT 2016) proposed the first SIM-RSO-CCA secure PKE scheme. However, their scheme used indistinguishability obfuscation, which is not known to be constructed from any standard computational assumption. In this paper, we propose two constructions of SIM-RSO-CCA secure PKE from standard computational assumptions. First, we propose a generic construction of SIM-RSO-CCA secure PKE using an IND-CPA secure PKE scheme and a non-interactive zero-knowledge proof system satisfying one-time simulation soundness. Second, we propose an efficient concrete construction of SIM-RSO-CCA secure PKE based on the decisional Diffie-Hellman assumption.