Standard versus Selective Opening Security: Separation and Equivalence Results

Suppose many messages are encrypted using a public-key encryption scheme. Imagine an adversary that may adaptively ask for openings of some of the ciphertexts. Selective opening (SO) security requires that the

unopened

ciphertexts remain secure, in the sense that this adversary cannot derive any nontrivial information about the messages in the unopened ciphertexts.

Surprisingly, the question whether SO security is already implied by standard security notions has proved highly nontrivial. Only recently, Bellare, Dowsley, Waters, and Yilek (Eurocrypt 2012) could show that a strong form of SO security,

simulation-based

SO security, is not implied by standard security notions. It remains wide open, though, whether the potentially weaker (and in fact comparatively easily achievable) form of

indistinguishability-based

SO (i.e., IND-SO) security is implied by standard security. Here, we give (full and partial) answers to this question, depending on whether active or passive attacks are considered.

Concretely, we show that:

(a) For active (i.e., chosen-ciphertext) security, standard security does

not

imply IND-SO security. Concretely, we give a scheme that is IND-CCA, but not IND-SO-CCA secure.

(b) In the case of passive (i.e., chosen-plaintext) security, standard security

does

imply IND-SO security, at least in a generic model of computation and for a large class of encryption schemes. (Our separating scheme from (a) falls into this class of schemes.)

Our results show that the answer to the question whether standard security implies SO security highly depends on the concrete setting.