Fixing the Sender-Equivocable Encryption Scheme in Eurocrypt 2010

There are two main approaches to achieve selective opening chosen-cipher text security (SO-CCA security): lossy encryption (including all-but-many lossy trapdoor functions) and sender-equivocable encryption. The second approach was proposed in Eurocrypt 2010 by Fehr et al., who proved that sender equivocability under chosen-cipher text attacks (NC-CCA security) implies SO-CCA security. They also proposed a new primitive called ``cross-authentication code'', and used it to construct a public-key encryption (PKE) scheme (the FHKW scheme) achieving NC-CCA security. However, recently in PKC 2013, Huang et al. pointed out that the properties of cross-authentication code cannot guarantee the NC-CCA security of the FHKW scheme, i.e., the security proof of the FHKW scheme is flawed. In this paper, we propose the notion of ``strong cross-authentication code'', which helps to fix the security proof of the FHKW scheme. This strong notion captures the ability of a cross-authentication code to efficiently generate a new key, based on all the other keys and the cross-authentication tag, such that the new key is statistically indistinguishable from the original key. With this code as a building block, we construct a new version of the FHKW scheme, and prove it to be NC-CCA secure for multi-bit plaintexts. Our work makes possible the instantiation of simulation-based SO-CCA secure PKE with a multi-bit message space from NC-CCA secure PKEs.