• public-key encryption;
  • selective opening security;
  • chosen-ciphertext attack


Chosen-ciphertext security has been well-accepted as a standard security notion for public-key encryption. But in a multi-user surrounding, it may not be sufficient, because the adversary may corrupt some users to obtain the random coins as well as the plaintexts used to generate ciphertexts. The attack is named ‘selective opening attack’. We study how to achieve full-fledged chosen-ciphertext security in selective opening setting directly from the Decisional Diffie–Hellman assumption. Our construction is actually a tag-based public-key encryption scheme free of chameleon hashing and has a tight security reduction to the Decisional Diffie–Hellman assumption and the collision-resistant assumption of hash functions. The tag for each ciphertext is generated in a flexible way to serve the chosen-ciphertext security proof in selective opening settings. Copyright © 2013 John Wiley & Sons, Ltd.