IACR News item: 19 April 2016
Georg Fuchsbauer, Zahra Jafargholi, Krzysztof Pietrzak
ePrint Report
Generalized Selective Decryption (GSD), introduced by Panjwani [TCC07], is a game for a symmetric encryption scheme Enc that captures the difficulty of proving adaptive security of certain protocols, most notably the Logical Key Hierarchy (LKH) multicast encryption protocol. In the GSD game there are n keys k1, . . . , kn, which the adversary may adaptively corrupt (learn); moreover, it can ask for encryptions Enc_ki (kj ) of keys under other keys. The adversarys task is to distinguish keys (which it cannot trivially compute) from random. Proving the hardness of GSD assuming only IND-CPA security of Enc is surprisingly hard. Using complexity leveraging loses a factor exponential in n, which makes the proof practically meaningless.
We can think of the GSD game as building a graph on n vertices, where we add an edge i → j when the adversary asks for an encryption of kj under ki. If restricted to graphs of depth l, Panjwani gave a reduction that loses only a factor exponential in l (not n). To date, this is the only non-trivial result known for GSD.
In this paper we give almost-polynomial reductions for large classes of graphs. Most importantly, we prove the security of the GSD game restricted to trees losing only a quasi-polynomial factor n^(3 log n+5). Trees are an important special case capturing real-world protocols like the LKH protocol. Our new bound improves upon Panjwanis on some LKH variants proposed in the literature where the underlying tree is not balanced. Our proof builds on ideas from the nested hybrids technique recently introduced by Fuchsbauer et al. [Asiacrypt14] for proving the adaptive security of constrained PRFs.
Additional news items may be found on the IACR news page.