On the Security of Generalized Selective Decryption

Generalized Selective Decryption (GSD) is an easy to define game based on a symmetric encryption scheme Enc. It was introduced by Panjwani [TCC’07] to capture the difficulty of proving adaptive security of certain protocols. In the GSD game there are n keys k1, . . . , kn, which the adversary may adaptively corrupt (i.e., learn); moreover, it can ask for encryptions Encki(kj) of keys under other keys. The adversary’s task is to distinguish keys (which it cannot trivially compute) from random. Proving the hardness of GSD assuming only IND-CPA security of the encryption scheme is surprisingly hard. One can prove security using “complexity leveraging”, but this reduction loses a factor exponential in n, which makes the proof basically useless. We can think of the GSD game as building a graph on n vertices, where we add an edge i→ j when the adversary asks for an encryption of kj under ki. If restricted to graphs of depth `, Panjwani gave an improved reduction that lost only a factor exponential in ` (not n). To date, this is the only non-trivial result known for GSD or related problems. In this paper we give almost polynomial reductions for large classes of graphs. Most importantly, we show that the security of the GSD game restricted to trees (which is an important special case abstracting some real-world protocols like the Logical Key Hierarchy protocol) can be proven losing only a quasi-polynomial factor n . Our proof borrows ideas from the “nested hybrids” technique recently introduced by Fuchsbauer at al. [Asiacrypt’14] for proving the adaptive security of constrained PRFs.