Receiver selective opening security for identity-based encryption in the multi-challenge setting

Receiver selective opening (RSO) security requires that in a situation where there are one sender and multiple receivers, even if an adversary has access to all ciphertexts and adaptively corrupts some fraction of the receivers to obtain their secret keys, the (potentially related) ciphertexts of the uncorrupted receivers remain secure. All of the existing works construct RSO secure identity-based encryption (IBE) in the single-challenge setting, where each identity is used only once for encryption. This restriction makes RSO security for IBE unrealistic in practice. It is preferable to have IBE schemes with RSO security in the multi-challenge setting in practice, where each identity can be used to encrypt multiple messages. In this paper, we initiate the study of RSO security in the multi-challenge setting (which we call RSOk security) for IBE. Concretely, we show that the conclusion of lower bound, proposed by Yang et al. (in: ASIACRYPT 2020, Springer, 2020), on the secret key size of RSO secure public-key encryption also holds in the IBE setting (i.e., an IBE scheme cannot be RSOk secure if the length of its secret key is not k times larger than the length of message). For construction, we propose a generic construction of IBE achieving RSOk security. Through our generic construction, we can obtain RSOk secure IBE schemes based on decisional linear (DLIN) assumption and learning with error (LWE) assumption. Furthermore, we show that the well-known Fujisaki-Okamoto transformation can be applied to construct a practical IBE scheme achieving RSOk security.