
There exist public-key encryption (PKE) schemes where any well-formed ciphertext can be decrypted if the random coins used during encryption are known. For instance, in ElGamal encryption, the public key is $pk = (G, q, g, h = g^x)$ and the secret key is $x$. To encrypt a message $m \in G$, one selects a random $y \in \mathbb{Z}_q$ and produces the ciphertext $(c_0 = g^y, c_1 = m \cdot h^y)$. Here, the random value $y$ is the only randomness used, and knowing $y$ allows one to easily recover $m$.

Such schemes are used in the literature. For example, Koppula and Waters (see page 3) start with a CPA-secure scheme that has this extraction property and use it to construct a CCA-secure PKE scheme.

My question is: Are there provably CPA-secure PKE schemes that do not have such an extraction property?

Mahesh S R

1 Answer


You can compose a trapdoor one-way permutation (TDP) with PKE to obtain a new PKE without this extraction property.

Consider

$$\textsf{Enc}^*\Bigl( (PK_1, PK_2), M \Bigr) = \textsf{Enc}\bigl( PK_2, F( PK_1, M) \bigr),$$

where $\textsf{Enc}$ is a standard PKE and $F$ is a TDP. It's not hard to see that $\textsf{Enc}^*$ inherits CPA security from $\textsf{Enc}$.

Suppose for sake of contradiction that there is a way to extract from $\textsf{Enc}^*$:

$$\textsf{Extract}\Bigl( \textsf{Enc}^*\bigl( (PK_1,PK_2), M; R \bigr), R \Bigr) \leadsto M$$

Then I could use that extractor to break the security of the TDP, as follows:

Given $Y = F(PK_1, X)$ for an unknown, random $X$, I compute

$$ C = \textsf{Enc}(PK_2, \underline{Y}; R)$$

and give $(C,R)$ to the extractor. Since $C$ is a correct encryption (under $\textsf{Enc}^*$) of $X$ with randomness $R$, the extractor is bound to output $X$. Thus I have inverted the TDP.

Mikero
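An added toy demonstration (not code from the question, the answer, or Koppula and Waters) of both points above: plain ElGamal lets anyone holding the coins $y$ recover $m$ without the secret key, while the composed scheme $\textsf{Enc}^*$ built from a trapdoor permutation $F$ gives the coin-holder only $F(M)$. The group, the tiny RSA-style permutation and the message are constructed parameters for illustration and are far too small to be secure.

```python
import secrets

# Constructed toy parameters (NOT secure): ElGamal over Z_P^* with P = 2Q+1,
# and a tiny RSA-style trapdoor permutation F(x) = x^E mod N (assumed TDP).
P, Q, G = 1019, 509, 4          # 4 = 2^2 generates the order-Q subgroup
N, E, D = 143, 7, 103           # N = 11*13, E*D = 1 mod lcm(10, 12) = 60

def eg_keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x      # (h = g^x, x)

def eg_encrypt(h, m, y=None):
    """ElGamal: y is the only coin used. Returns (ciphertext, y)."""
    if y is None:
        y = secrets.randbelow(Q - 1) + 1
    return (pow(G, y, P), m * pow(h, y, P) % P), y

def eg_decrypt(x, c):
    c0, c1 = c
    return c1 * pow(c0, -x, P) % P

def eg_extract(h, c, y):
    """Recover the plaintext from (ciphertext, coins) alone: no secret key."""
    return c[1] * pow(pow(h, y, P), -1, P) % P

def tdp_forward(m):             # F(PK_1, m): public direction
    return pow(m, E, N)

def tdp_invert(y):              # F^{-1} using the trapdoor D
    return pow(y, D, N)

def star_encrypt(h, m, r=None):
    """Enc*((PK_1, PK_2), M; R) = Enc(PK_2, F(PK_1, M); R), as in the answer."""
    return eg_encrypt(h, tdp_forward(m), r)

def star_decrypt(x, c):
    return tdp_invert(eg_decrypt(x, c))

def invert_with_extractor(extractor, h, y_target):
    """The answer's reduction: C = Enc(PK_2, Y; R) is handed to the extractor."""
    c, r = eg_encrypt(h, y_target)
    return extractor(h, c, r)   # an extractor for Enc* would output X here

def demo(m=42):
    h, x = eg_keygen()
    c, r = eg_encrypt(h, m)
    plain_extracted = eg_extract(h, c, r)            # == m
    c_star, r_star = star_encrypt(h, m)
    star_extracted = eg_extract(h, c_star, r_star)   # == F(m), not m
    return plain_extracted, star_extracted, star_decrypt(x, c_star)
```

Running `demo()` shows the coin-holder recovering `42` from plain ElGamal but only `F(42)` from the composed ciphertext, which the trapdoor holder still decrypts correctly; feeding the ElGamal extractor into `invert_with_extractor` just returns `Y` again, which is exactly why a working extractor for $\textsf{Enc}^*$ would amount to inverting $F$.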