Selective-Opening Security for Public-Key Encryption in the Presence of Parameter Subversion

In public-key encryption (PKE), ciphertexts received by a receiver may be possibly correlated and the security of a PKE relies on honestly generated system parameters. Security against selective opening attacks (SOA) for PKE guarantees that even when an attacker has broken into a subset of honestly generated ciphertexts and opened them (i.e., seeing plaintexts and random bits), the unopened ciphertexts remain secure. While security against parameter subversion attacks (PSA) for PKE requires that even when the public system parameters are maliciously generated, a PKE scheme should be secure. In this paper, we initiate the study of PKE secure against both SOA and PSA. To capture SOA and PSA simultaneously, we formulate a new security notion called indistinguishability under selective opening attacks and parameter subversion attacks (IND-SO-PSA). Further, we define the lossy trapdoor function and all-but-many lossy trapdoor function in the presence of PSA (LTF-PSA and ABM-LTF-PSA correspondingly) and propose an instantiation with the efficiently-embeddable group (EG). Applying these new primitives, we construct a PKE scheme that is proven to be IND-SO-PSA secure.