On the security of public key cryptosystems with a double decryption mechanism

doi:10.1016/j.ipl.2008.05.017


Information Processing Letters 108 (2008) 279–283


David Galindo a,∗, Javier Herranz b

a Computer Science Department, University of Malaga, Spain
b IIIA—Artificial Intelligence Research Institute, CSIC—Spanish National Research Council, Bellaterra, Spain

Article history: Received 20 July 2007; received in revised form 12 March 2008; accepted 22 May 2008; available online 26 June 2008. Communicated by D. Pointcheval.

Keywords: Cryptography; Public key encryption; Escrowed systems

Abstract

In public key encryption schemes with a double decryption mechanism (DD–PKE), decryption can be done in either of two ways: by the user owning the secret/public key pair corresponding to the ciphertext, or by a trusted party holding a sort of master secret-key. In this note we argue that the classical security notion for standard public key encryption schemes does not suffice for DD–PKE schemes, and propose a new natural definition. Additionally, we illustrate the usefulness of the new security definition by showing that a DD–PKE scheme presented in the workshop Selected Areas in Cryptography 2005 is insecure under this augmented security notion.

© 2008 Elsevier B.V. All rights reserved.

1. Introduction

Encryption is the most suitable and most employed cryptographic tool to achieve confidentiality of sensitive digital information. There are two wide families of encryption schemes. In the first place there are symmetric schemes, which enjoy efficiency, but require each pair of users to securely generate and store a common secret key. Asymmetric (or public key) encryption schemes are less efficient, but they have easier key management than symmetric schemes. In a public key encryption scheme, each user generates a pair consisting of a secret key and a matching public key. The first one is privately stored, while the second one is made public. Knowledge of the public key is enough to encrypt a message for this user; on the other hand, only the user holding the secret key is able to decrypt and recover the plaintext from the ciphertext.

However, this level of full confidentiality is not always considered acceptable by some agents. They prefer systems where some master authorities (e.g., judges) have the right to efficiently decrypt any ciphertext, in case of legal disputes or suspicion of crime, for example. This functionality can also be useful in small networks, for example, if the head of a company wants to be able to decrypt all the e-mails sent to his workers. It can also be used in systems where people want to be able to decrypt the received sensitive information even if they lose their secret key. These systems can be referred to as escrowed systems.

∗ Corresponding author.

A first and naive solution to implement this functionality is by forcing each user to give a copy of his secret key to the master authorities. Of course, this solution is not scalable and becomes impractical for large networks. An alternative solution is provided by public key encryption schemes with a double decryption mechanism (DD–PKE schemes, from now on). In such schemes, there exists a single master secret key which allows the master authorities to decrypt any ciphertext, without having to store the secret keys corresponding to every user.

Several DD–PKE schemes can be found in the literature [4,3,12]. Furthermore, identity-based encryption schemes [11,2] are related to DD–PKE schemes, with the difference that in identity-based schemes the master secret key is needed to generate the secret keys of the users. This fact leads to a necessary interaction between the master authority and the users, which is not required in the definition of DD–PKE schemes.

Previous works [3,12] advocating the use of DD–PKE schemes in escrowed systems analyze the security of the resulting systems in the standard security model for public key encryption [5,8,10] (referred to as IND-CCA): the goal is to prevent the success of an adversary who wants to distinguish between the encryptions, under some challenge public key, of two plaintexts that he chooses. To do this, the adversary is allowed to make decryption queries for ciphertexts of his choice. However, the situation in an escrowed system is not the same as in a standard public key encryption scheme, because the master entity may be required to decrypt some ciphertexts in the real implementation of such a system. For this reason, the security model for DD–PKE schemes should capture this fact by giving the adversary access to a master decryption oracle: the adversary chooses a ciphertext/public key pair of his choice, and he must obtain the plaintext which would result from the master decryption procedure applied to this pair.

In this work we define a security model for DD–PKE schemes capturing the adversarial behavior described above, referred to as IND-DD-CCA security. We then show that a DD–PKE scheme proposed in [12] gives a separation between the two security notions IND-CCA and IND-DD-CCA: it was proved to achieve the standard security goal for public key encryption schemes, but we give a successful attack against this scheme under the new (and stronger) security notion for DD–PKE schemes.

Finally, we note that the new security notion bears some similarities to the standard security notion for identity-based encryption schemes, but they are not equivalent. In the latter, an adversary is allowed to make secret key extraction queries for users (identities) of his choice, obtaining in this way the secret keys of these users. This adversarial capability is not included in our DD–PKE security model. One could of course extend the model to allow adversaries to make secret key queries for previously honest users. For simplicity, and also for consistency with the standard security notions for public key encryption, we have chosen the weaker (but simpler) notion where the DD–PKE adversary cannot make secret key queries.

2. Public key encryption with a double decryption mechanism

A public key encryption scheme with a double decryption mechanism, denoted as DD–PKE, consists of the following probabilistic algorithms:

Setup. It takes as input a security parameter $k$ and returns, on the one hand, the system public parameters $PK$ (which include in particular a description of the sets of messages $\mathcal{M}$ and ciphertexts $\mathcal{C}$) and, on the other hand, the master secret key $SK$, which is known only to the master entity. We denote an execution of this protocol as $(PK, SK) \leftarrow \text{DD-PKE.Setup}(1^k)$.

Key generation. This protocol takes as input $PK$ and returns a secret key $sk$ and a public key $pk$. The value of $pk$ is made public, whereas $sk$ is kept secret by the user who executes the protocol. We use the notation $(pk, sk) \leftarrow \text{DD-PKE.KeyGen}(PK)$ to refer to one execution of this protocol.

Encryption. The encryption algorithm takes as inputs $PK$, a message $m \in \mathcal{M}$ and a public key $pk$, and returns a ciphertext $c \in \mathcal{C}$ for the message $m$. We use the notation $c \leftarrow \text{DD-PKE.Encrypt}(PK, pk, m)$ to refer to one execution of this protocol.

User decryption. This protocol takes as input $PK$, $c \in \mathcal{C}$ and a secret key $sk$; it returns a message $m \in \mathcal{M}$ or the special message “reject”. We denote one execution of this protocol as $m \leftarrow \text{DD-PKE.UsDecrypt}(PK, sk, c)$.

Master entity decryption. Finally, the master entity decryption algorithm takes as inputs $PK$, $c \in \mathcal{C}$, a public key $pk$ and the master secret key $SK$; it returns a message $m \in \mathcal{M}$ or the special message “reject”. We use the notation $m \leftarrow \text{DD-PKE.MasterDecrypt}(PK, SK, pk, c)$ to refer to one execution of this protocol.

A DD–PKE scheme is said to be correct if the two following requirements are satisfied for any $(PK, SK) \leftarrow \text{DD-PKE.Setup}(1^k)$ and $(pk, sk) \leftarrow \text{DD-PKE.KeyGen}(PK)$:

$$m \leftarrow \text{DD-PKE.UsDecrypt}(PK, sk, \text{DD-PKE.Encrypt}(PK, pk, m)),$$

$$m \leftarrow \text{DD-PKE.MasterDecrypt}(PK, SK, pk, \text{DD-PKE.Encrypt}(PK, pk, m)).$$

2.1. Redefining security for DD–PKE schemes

The basic security notion for an encryption scheme is that of one-wayness: an adversary who is given the public parameters of the scheme and a valid ciphertext must have a negligible probability, in the security parameter $k$, of obtaining the corresponding plaintext in polynomial time.

A stronger security requirement, which is considered the standard one for public key encryption, is that of indistinguishability of ciphertexts against chosen ciphertext attacks, also known as IND-CCA (or IND-CCA2) security. The adversary is given the public parameters, he chooses two messages and receives the (challenge) encryption of one of these messages; his goal is to guess which message has been encrypted. During the attack, the adversary is allowed to ask for the decryption of ciphertexts of his choice, as long as the challenge ciphertext is not queried.

This definition of IND-CCA security must be adapted to the scenario of DD–PKE schemes, because this kind of scheme presents some differences with respect to standard public key encryption schemes. In particular, the adversary must be given access to the master decryption oracle, which depends on the master secret key. Security of the system as a whole relies on the master secret key, so an adversary may try to obtain some information about the master secret key, for example, by asking the master entity to decrypt some pairs (ciphertext, public key) chosen by the adversary.

Now we formally define the resulting notion of indistinguishability of ciphertexts against chosen ciphertext attacks, for public key encryption schemes with a double decryption mechanism. We denote this notion as IND-DD-CCA security, which is defined by considering the following game that an adversary $\mathcal{A}$ plays against a challenger:

Setup. The challenger takes a security parameter $k$ and runs $(PK, SK) \leftarrow \text{DD-PKE.Setup}(1^k)$. The challenger gives the resulting $PK$ to the adversary, and keeps the master secret-key $SK$. Furthermore, the challenger executes $(sk^\star, pk^\star) \leftarrow \text{DD-PKE.KeyGen}(PK)$, and gives $pk^\star$ to the adversary $\mathcal{A}$.

Phase 1. The adversary is allowed to execute the following actions:

1. $\mathcal{A}$ can run $(sk_i, pk_i) \leftarrow \text{DD-PKE.KeyGen}(PK)$.
2. $\mathcal{A}$ can make master decryption queries for public keys and ciphertexts of his choice. That is, he sends $(c_i, pk_i)$ to the challenger, who executes $m_i \leftarrow \text{DD-PKE.MasterDecrypt}(PK, SK, pk_i, c_i)$ and sends $m_i$ back to $\mathcal{A}$.
3. $\mathcal{A}$ can make user decryption queries for public key $pk^\star$ and ciphertexts of his choice. That is, he sends $c_j \in \mathcal{C}$ to the challenger, who executes $m_j \leftarrow \text{DD-PKE.UsDecrypt}(PK, sk^\star, c_j)$ and sends $m_j$ back to $\mathcal{A}$.

All these queries can be done in an adaptive way; that is, each action of $\mathcal{A}$ may depend on the answers obtained in the previous actions.

Challenge. The adversary $\mathcal{A}$ chooses two plaintexts $m_0, m_1 \in \mathcal{M}$ with the same length, and sends these messages to the challenger. The challenger picks a random bit $b \in \{0,1\}$ and sets $c^\star \leftarrow \text{DD-PKE.Encrypt}(PK, m_b, pk^\star)$. The resulting challenge ciphertext $c^\star$ is sent to $\mathcal{A}$.

Phase 2. The adversary can execute the same actions as in Phase 1, with the restriction that the pair $(c^\star, pk^\star)$ cannot be queried as a master decryption query (action 3) and the challenge ciphertext cannot be queried as a user decryption query (action 4).

Guess. The adversary outputs a guess $b' \in \{0,1\}$.

The advantage of such an IND-DD-CCA adversary is defined as

$$\mathrm{Adv}^{\text{IND-DD-CCA}}_{\mathcal{A}}(k) = \left| 2\Pr[b' = b] - 1 \right|.$$

Definition 1. A DD–PKE scheme has the indistinguishability property against chosen ciphertext attacks (IND-DD-CCA secure) if, for any polynomial time IND-DD-CCA adversary $\mathcal{A}$ against the scheme, the function $\mathrm{Adv}^{\text{IND-DD-CCA}}_{\mathcal{A}}(k)$ is negligible as a function of $k$.

Trivially, the notion of IND-DD-CCA-security is at least as strong as the standard IND-CCA security notion.

3. Attack to a scheme in SAC’05

In this section we show that the new notion of IND-DD-CCA-security for DD–PKE schemes is actually strictly stronger than the standard notion of IND-CCA security for public key encryption. To do this, we construct an explicit attack against the augmented DD–PKE security of a scheme proposed in [12] for its use in escrowed systems. Since this scheme was proved secure in the standard security notion for public key encryption, it provides a separation between the two security notions.

3.1. The scheme

Youn et al. propose in Section 4 of [12] a new public key encryption scheme with a double decryption mechanism. It is inspired by the original version of EPOC, due to Okamoto and Uchiyama [9]. We describe the complete scheme, which results from applying to their basic scheme the generic transformation by Kiltz and Malone-Lee [7] to achieve CCA security.

Setup. If the input is a security parameter $k$, the master entity chooses two prime numbers $p, q$ with $k$ bits (that is, $2^{k-1} < p, q < 2^k$). It defines $N = p^2 q$ and then chooses a random element $g \in \mathbb{Z}_N^*$ such that the order of $g_p := g^{p-1} \bmod p^2$ is $p$. Next, it picks hash functions $H : \{0,1\}^* \to \mathbb{Z}_{2^{k-1}}$ and $G : \mathbb{Z}_N \to \{0,1\}^M \times \{0,1\}^{k-1}$, for some positive integer $M$. The sets of plaintexts and ciphertexts are defined as $\mathcal{M} := \{0,1\}^M$ and $\mathcal{C} := \mathbb{Z}_n \times \{0,1\}^M$, respectively. The master secret key is $SK = (p, q)$, whereas the public common parameters are $PK = (N, g, H, G)$.

Key generation. Each user takes as input $PK$, then chooses a random $k-1$ bit integer $sk \in \{0, 1, \ldots, 2^{k-1} - 1\}$ and computes $pk = g^{sk} \bmod N$. The secret key of the user is $sk$, and his public key is $pk$.

Encryption. To encrypt a message $m \in \{0,1\}^M$ to a user with public key $pk$, one first chooses a random $k-1$ bit integer $r \in \mathbb{Z}_{2^{k-1}}$. The ciphertext is then $c = (A, B)$, where $A = g^{H(m\|r)} \bmod N$ and $B = \kappa \oplus (m\|r)$, where $\kappa = G(pk^{H(m\|r)} \bmod N)$ is a one-time symmetric encryption key.

User decryption. The user who knows the matching secret key $sk$ can decrypt a ciphertext $c = (A, B)$ by computing $m\|r = B \oplus G(A^{sk} \bmod N)$. Finally, it checks whether $A = g^{H(m\|r)} \bmod N$ and outputs $m$ if so; otherwise it outputs “reject”.

Master entity decryption. Let us first introduce some notation: if $\Gamma = \{x \in \mathbb{Z}_{p^2} \mid x = 1 \bmod p\}$, then we can define the function $L : \Gamma \to \mathbb{Z}_p$ as $L(x) = \frac{x-1}{p}$. Note that, since $p$ is prime, we have that $g^{p-1} = 1 \bmod p$; that is, we can write $g^{p-1} = 1 + wp$ for some integer $w$. If we calculate the integer division between $w$ and $p$, we find integers $\alpha$ and $\beta$ such that $w = \alpha p + \beta$, with $\beta < p$. Therefore, we have that $g^{p-1} = 1 + \alpha p^2 + \beta p = 1 + \beta p \bmod p^2$. Since $g_p = g^{p-1} \bmod p^2 = 1 + \beta p$ has been chosen in such a way that its order is $p$, we have in particular $\beta \neq 0$; furthermore, for any integer $a \in \{0, 1, \ldots, p-1\}$, we have $1 \neq g_p^a \bmod p^2 = 1 + a\beta p \bmod p^2$. If we calculate again the integer division between $a\beta$ and $p$, we find integers $\delta$ and $\gamma$ such that $a\beta = \delta p + \gamma$, with $\gamma < p$. This implies in particular that $\gamma \beta^{-1} = a \bmod p$. Putting all together, we conclude that $1 \neq g_p^a \bmod p^2 = 1 + a\beta p \bmod p^2 = 1 + \gamma p$.

Now we have

$$\frac{L(g_p^a \bmod p^2)}{L(g_p)} \bmod p = \frac{L(1 + \gamma p)}{L(1 + \beta p)} \bmod p = \frac{\gamma}{\beta} \bmod p = a,$$

and so this provides a method to compute the discrete logarithm $a$ of $g^a$ by knowing the factorization of $N$, provided $a < p$.

The master entity, which knows the factorization of $N$, can use this method to decrypt ciphertexts $c = (A, B)$ addressed to any public key $pk = g^{sk}$, because $sk < p$. In effect, first the master entity computes the user's secret key $sk = \frac{L(pk^{p-1} \bmod p^2)}{L(g_p)} \bmod p$. Then it decrypts the ciphertext as if it was the user, by computing $m\|r = B \oplus G(A^{sk} \bmod N)$. Finally, it checks whether $A = g^{H(m\|r)}$ and outputs $m$ if so; otherwise it outputs “reject”.

The scheme was claimed to withstand adaptive chosen-ciphertext attacks in the Random Oracle Model [1] under the hardness of solving the so-called p-DH problem (see Theorem 7 in [12]).

Definition 2 (p-DH problem). Let $P(k)$ be the set of prime numbers of length $k$. Choose two primes $p$ and $q$ in $P(k)$ and let $n = p^2 q$. Let $G_p = \{x \in \mathbb{Z}_n \mid \text{the order of } x^{p-1} \bmod p^2 \text{ is } p\}$. The p-DH problem is defined as follows: given $a, b \in \mathbb{Z}_p$, $g \in G_p$ taken uniformly at random in their respective sets, compute $g^{ab} \bmod n$.

Their security theorem and proof only consider chosen-ciphertext attacks by adversaries having access to a user decryption oracle, but do not consider that adversaries may have access to a master decryption oracle, as is natural in a DD–PKE scheme. Next, we show an IND-DD-CCA attack against the scheme of Youn et al. [12] that recovers the master secret key in polynomial time, and so renders the scheme completely insecure.

3.2. The attack

Joye, Quisquater and Yung [6] pointed out a chosen ciphertext attack against the original version of EPOC, by exploiting the answers of the decryption oracle when queried with invalid ciphertexts. In this section we show that by tweaking invalid ciphertexts to invalid public keys an attack against the DD–PKE scheme from the previous section is obtained.

The key point of the attack is that, in real life, an adversary can maliciously generate invalid public keys, and then ask the master entity for decryptions of ciphertexts under these public keys. With the obtained answers, as we now show in more detail, the adversary can factorize $N$ and so break the whole system. The intuitive idea is that the master entity decryption protocol works correctly when the corresponding user's secret key is less than $p$, but does not work correctly when this secret key is bigger than $p$. In effect, if the secret key is $sk \in (2^{k-1}, p)$, then the master entity decryption protocol works exactly in the same way as described in the previous section. However, if the secret key is $sk \in (p, 2^k)$, then the master entity obtains $\frac{L(pk^{p-1} \bmod p^2)}{L(g_p)} \bmod p = sk \bmod p = z$, where $sk = z + p$. When computing $A^{sk} \bmod N$, the master entity will obtain a one-time encryption key $\kappa' = \kappa A^p$ different from the original key $\kappa$ with overwhelming probability, and so is the plaintext/randomness pair $m'\|r'$ one would obtain, leading to an invalid ciphertext which will be rejected.

This fact can be exploited by an adversary in order to find the value of $p$, by querying the master entity with pairs (ciphertext, public key) where the corresponding secret keys are picked from the interval $(2^{k-1}, 2^k)$. The specific attack is described by the following factoring algorithm:

Factorize$(k, N, g)$

1. Define $p_0 := 2^{k-1}$ and $p_1 := 2^k$.
2. While $p_0 + 1 < p_1$ do:
   • define $sk := \frac{p_0 + p_1}{2}$ and compute $pk = g^{sk} \bmod N$;
   • choose at random a message $m \in \{0,1\}^M$ and a random integer $r \in (0, 2^{k-1})$; compute the ciphertext $c = (A, B) = (g^r \bmod N, (m\|r) \oplus \kappa)$, where $\kappa = G(pk^{H(m\|r)} \bmod N)$;
   • send the query $(c, pk)$ to be decrypted by the master entity;
   • if the obtained answer is $m$ (which means that $sk < p$), then $p_0 := sk$;
   • otherwise, if the obtained answer is $m' \neq m$ (which means that $p < sk$), then $p_1 := sk$.
3. Check which $p_i$, between $p_0$ and $p_1$, divides $N$. Return $p_i$ as a factor of $N$.

This is a typical bisection algorithm to search for some element in an interval. The number of steps of such an algorithm is logarithmic with respect to the length of the interval. In this specific case, the length of the interval is $2^{k-1}$, thus the number of steps (and so the time cost of the algorithm and the required number of decryption queries) is $O(k)$. Therefore, we obtain an algorithm which factors $N$ in polynomial time with respect to the security parameter $k$.

3.3. Preventing the attack

A slight modification of the scheme of Youn et al. [12], described in Section 3.1, fixes this security problem. It is enough to add a small check step in the protocol for the master entity decryption. Namely, when the master entity computes $sk = \frac{L(pk^{p-1} \bmod p^2)}{L(g_p)} \bmod p$, it must check if the obtained secret key is less than $2^{k-1}$. If this is the case, then the master entity proceeds as described there and outputs the corresponding plaintext. However, if $sk \geq 2^{k-1}$, the master entity outputs the special message “reject”.

With this small modification, the attack described in the previous section is trivially avoided, since the decryption queries that such an adversary sends are all answered with the special message “reject”, due to the fact that the corresponding secret keys are bigger than $2^{k-1}$.
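The master entity decryption of Section 3.1, the bisection of Section 3.2 and the check of Section 3.3 can be exercised together on toy parameters. The following Python model is an added example, not code from the paper or from Youn et al.; the primes, the base $g = 3$, the SHA-256 instantiations of $H$ and $G$, the packing of $m\|r$ into one integer and all function names are assumptions made for the demonstration, and ciphertexts are formed with the Encryption algorithm of Section 3.1.

```python
import hashlib
import random

# Constructed toy parameters (k = 30 bit primes); far too small for real use.
K, M_BITS = 30, 32
P, Q, G_BASE = 998244353, 1000000007, 3    # SK = (P, Q); g is public
N = P * P * Q
G_P = pow(G_BASE, P - 1, P * P)            # g_p = g^(p-1) mod p^2
assert G_P != 1                            # so g_p has order p


def _hash(tag, x, bits):
    digest = hashlib.sha256(tag + x.to_bytes(64, "big")).digest()
    return int.from_bytes(digest, "big") % (1 << bits)


def H(mr):                                 # stands in for H: {0,1}* -> Z_{2^(k-1)}
    return _hash(b"H", mr, K - 1)


def G(x):                                  # stands in for G: Z_N -> M + k - 1 bits
    return _hash(b"G", x, M_BITS + K - 1)


def encrypt(pk, m, r):
    """Encryption of Section 3.1; m||r is packed into one integer."""
    mr = (m << (K - 1)) | r
    h = H(mr)
    return pow(G_BASE, h, N), G(pow(pk, h, N)) ^ mr


def unseal(sk, c):
    """Shared tail of user and master decryption; None means "reject"."""
    a, b = c
    mr = b ^ G(pow(a, sk, N))
    return mr >> (K - 1) if a == pow(G_BASE, H(mr), N) else None


def L(x):
    return (x - 1) // P


def master_decrypt(pk, c, range_check=False):
    """Recover sk from pk using the factorization of N, then decrypt."""
    sk = L(pow(pk, P - 1, P * P)) * pow(L(G_P), -1, P) % P
    if range_check and sk >= 1 << (K - 1):  # check added in Section 3.3
        return None
    return unseal(sk, c)


def patched_master_decrypt(pk, c):
    return master_decrypt(pk, c, range_check=True)


def factorize(oracle, rng):
    """Bisection of Section 3.2, driven only by the oracle's answers."""
    p0, p1, queries = 1 << (K - 1), 1 << K, 0
    while p0 + 1 < p1:
        sk = (p0 + p1) // 2
        pk = pow(G_BASE, sk, N)
        m, r = rng.getrandbits(M_BITS), rng.randrange(1, 1 << (K - 1))
        queries += 1
        if oracle(pk, encrypt(pk, m, r)) == m:
            p0 = sk                         # answer m: sk < p
        else:
            p1 = sk                         # reject or m' != m: sk >= p
    factor = next((x for x in (p0, p1) if N % x == 0), None)
    return factor, queries


if __name__ == "__main__":
    print("unpatched:", factorize(master_decrypt, random.Random(2008)))
    print("patched:  ", factorize(patched_master_decrypt, random.Random(2008)))
```

Run as a script, it prints the factor and query count obtained from the unpatched oracle, and `(None, 29)` for the oracle with the range check, which still decrypts ciphertexts for honestly generated keys.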

Acknowledgements

This work is partially supported by the Spanish Ministerio de Educación y Ciencia, under projects ARES (Consolider Ingenio 2010 CSD2007-00004), CRISIS (TIN2006-09242) and eAEGIS (TSI2007-65406-C03-02), and by the Generalitat de Catalunya (grant 2005-SGR-00093).

References

[1] M. Bellare, P. Rogaway, Random oracles are practical: a paradigm for designing efficient protocols, in: Proceedings of 1st Conference on Computer and Communications Security, ACM, 1993, pp. 62–73.

[2] D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, SIAM Journal on Computing 32 (3) (2003) 586–615.

[3] E. Bresson, D. Catalano, D. Pointcheval, A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications, in: Proceedings of Asiacrypt’03, in: Lecture Notes in Computer Science, vol. 2894, Springer-Verlag, 2003, pp. 37–54.

[4] R. Cramer, V. Shoup, Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption, in: Proceedings of Eurocrypt 2002, in: Lecture Notes in Computer Science, vol. 2332, Springer-Verlag, 2002, pp. 45–64.

[5] S. Goldwasser, S. Micali, Probabilistic encryption, Journal of Computer and Systems Sciences (Special issue) 28 (2) (1984) 270–299.

[6] M. Joye, J.J. Quisquater, M. Yung, On the power of misbehaving adversaries and security analysis of the original EPOC, in: Proceedings of CT-RSA’01, in: Lecture Notes in Computer Science, vol. 2020, Springer-Verlag, 2001, pp. 208–222.

[7] E. Kiltz, J. Malone-Lee, A general construction of IND-CCA2 secure public key encryption, in: Proceedings of Cryptography and Coding 2003, in: Lecture Notes in Computer Science, vol. 2898, Springer-Verlag, 2003, pp. 152–166.

[8] M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in: Proceedings of STOC 1990, 1990, pp. 427–437.

[9] T. Okamoto, S. Uchiyama, A new public-key cryptosystem as secure as factoring, in: Proceedings of Eurocrypt’98, in: Lecture Notes in Computer Science, vol. 1403, Springer-Verlag, 1998, pp. 308–318.

[10] C. Rackoff, D.R. Simon, Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack, in: Proceedings of CRYPTO 1991, in: Lecture Notes in Computer Science, vol. 576, Springer-Verlag, 1992, pp. 433–444.

[11] A. Shamir, Identity-based cryptosystems and signature schemes, in: Proceedings of Crypto’84, in: Lecture Notes in Computer Science, vol. 196, Springer-Verlag, 1984, pp. 47–53.

[12] T.Y. Youn, Y.H. Park, C. Han Kim, J. Lim, An efficient public key cryptosystem with a privacy enhanced double decryption mechanism, in: Proceedings of SAC’05, in: Lecture Notes in Computer Science, vol. 3897, Springer-Verlag, 2006, pp. 144–158.