Key-Dependent Message Security for Division Function: Discouraging Anonymous Credential Sharing

摘要

Key-dependent message (KDM) security means that the encryption scheme remains secure even encrypting f(sk), where f is an efficient computable function chosen by the adversary and sk = sk_1,..... , sk_n are private keys. We concentrate on a special case that the function f is a division function. Namely, the messages of the form ski/skj are encrypted. We prove that if a public key encryption (PKE) scheme is IND-CPA (chosen plaintext attacks) secure and has the properties of public-key blinding and secret-key homomorphism, then it is KDM secure for division function (KDM-div secure). For concrete scheme, we show that the hybrid ElGamal scheme is KDM-div secure based on the decisional Dime-Hellman (DDH) assumption in the standard model. We show that KDM-div secure scheme is useful in the design of anonymous credential systems.