Standard versus Selective Opening Security: Separation and Equivalence Results

Suppose many messages are encrypted using a public-key encryption scheme. Imagine an adversary that may adaptively ask for openings of some of the ciphertexts. Selective opening (SO) security requires that the unopened ciphertexts remain secure, in the sense that this adversary cannot derive any nontrivial information about the messages in the unopened ciphertexts. Surprisingly, the question whether SO security is already implied by standard security notions has proved highly nontrivial. Only recently, Bellare, Dowsley, Waters, and Yilek (Eurocrypt 2012) could show that a strong form of SO security, simulation-based SO security, is not implied by standard security notions. It remains wide open, though, whether the potentially weaker (and in fact comparatively easily achievable) form of indistinguishability-based SO (i.e., IND-SO) security is implied by standard security. Here, we give (full and partial) answers to this question, depending on whether active or passive attacks are considered. Concretely, we show that: (a) For active (i.e., chosen-ciphertext) security, standard security does not imply IND-SO security. Concretely, we give a scheme that is IND-CCA, but not IND-SO-CCA secure. (b) In the case of passive (i.e., chosen-plaintext) security, standard security does imply IND-SO security, at least in a generic model of computation and for a large class of encryption schemes. (Our separating scheme from (a) falls into this class of schemes.) Our results show that the answer to the question whether standard security implies SO security highly depends on the concrete setting.