A chameleon encryption scheme resistant to known-plaintext attack

E. Chang, Chengfang Fang, Jia Xu
DOI: 10.1145/1866870.1866876
Venue: ACM Digital Rights Management Workshop, published 2010-10-04
Citations: 0

Abstract

From a ciphertext and a secret key assigned to a user, the decryption of a Chameleon encryption scheme produces a message which is the plaintext embedded with a watermark associated with the user. Most existing constructions of Chameleon encryption schemes are LUT (lookup table)-based, where a secret LUT plays the role of the master key and each user has a noisy version of the secret LUT. LUT-based methods have the limitation that the secrecy of the master key, under known-plaintext attack (KPA), relies on the difficulty of solving a large linear system. In other words, with some knowledge of the plaintext, a dishonest user is able to derive the LUT, or an approximation of the LUT, by solving a linear system. Resistance to such an attack is crucial in the context of multimedia encryption, since multimedia objects inherently contain high redundancy. Furthermore, for efficiency in decryption, the underlying linear system is likely to be sparse or not overly large, and hence can be solved using reasonable computing resources. In our experiment, a desktop PC is able to find a LUT (with 216 entries) within 2 hours. We propose a scheme that is resistant to KPA. The core of the scheme is a MUTABLE-PRNG (Pseudo Random Number Generator) whereby different but similar sequences are generated from related seeds. We generate such a sequence from multiple pseudo-random sequences based on majority vote, and enhance its performance using an error-correcting code. The proposed scheme is very simple, and it is easy to show that it is resistant to KPA under reasonable cryptographic assumptions. However, it is not clear how much information on the original plaintext is leaked from the watermarked copies. We analyze the scheme and quantify the information loss using average conditional entropy.
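The abstract describes the MUTABLE-PRNG only in outline: several pseudo-random sequences are generated from related seeds and combined by bitwise majority vote, so that each user's slightly different seed set yields a keystream that is similar to, but not identical with, the master keystream. The following is an added example, written here to illustrate that idea; it is not the paper's construction and makes its own assumptions: HMAC-SHA256 in counter mode stands in for the PRNG, the master key is a set of five derived seeds, a user's "noisy" key replaces one of those seeds with a user-specific one, and the error-correcting-code stage the abstract mentions is not modelled. The seed labels, user identifiers and the 4096-byte plaintext are constructed sample values.

```python
import hashlib
import hmac


def prf_stream(seed: bytes, nbytes: int) -> bytes:
    """Pseudo-random byte stream from one seed: HMAC-SHA256 in counter mode.
    Any PRF would serve; this choice is an assumption of the example."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def majority_vote(streams: list) -> bytes:
    """Bitwise majority over an odd number of equal-length streams.
    Majority is non-linear over GF(2), so a user's perturbed copy does not
    relate to the master stream by a linear system."""
    if len(streams) % 2 == 0:
        raise ValueError("majority vote needs an odd number of streams")
    half = len(streams) // 2
    out = bytearray(len(streams[0]))
    for i in range(len(out)):
        for bit in range(8):
            ones = sum((s[i] >> bit) & 1 for s in streams)
            if ones > half:
                out[i] |= 1 << bit
    return bytes(out)


def derive_seeds(master_key: bytes, m: int) -> list:
    """Master key modelled as m related seeds derived from one secret (constructed labels)."""
    return [hmac.new(master_key, b"seed-%d" % i, hashlib.sha256).digest() for i in range(m)]


def user_seeds(master: list, user_id: bytes, replaced: int) -> list:
    """A user's 'noisy' copy of the master seeds: the first `replaced` seeds are
    swapped for user-specific ones. Which seeds to perturb is a modelling choice."""
    seeds = list(master)
    for i in range(replaced):
        seeds[i] = hmac.new(user_id, b"user-seed-%d" % i, hashlib.sha256).digest()
    return seeds


def keystream(seeds: list, nbytes: int) -> bytes:
    """MUTABLE-PRNG output: majority vote over the per-seed PRF streams."""
    return majority_vote([prf_stream(s, nbytes) for s in seeds])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(master: list, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(master, len(plaintext)))


def decrypt(seeds: list, ciphertext: bytes) -> bytes:
    """With the master seeds this recovers the plaintext exactly; with a user's
    seeds the residual keystream difference becomes that user's watermark."""
    return xor_bytes(ciphertext, keystream(seeds, len(ciphertext)))


def bit_error_rate(a: bytes, b: bytes) -> float:
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return differing / (8 * len(a))


def demo() -> dict:
    master = derive_seeds(b"constructed-master-key", 5)
    plaintext = bytes(range(256)) * 16          # constructed 4096-byte "media" sample
    ciphertext = encrypt(master, plaintext)
    alice = user_seeds(master, b"alice", 1)
    bob = user_seeds(master, b"bob", 1)
    copy_a = decrypt(alice, ciphertext)
    copy_b = decrypt(bob, ciphertext)
    return {
        "master_exact": decrypt(master, ciphertext) == plaintext,
        "alice_ber": bit_error_rate(plaintext, copy_a),
        "bob_ber": bit_error_rate(plaintext, copy_b),
        "alice_vs_bob": bit_error_rate(copy_a, copy_b),
    }


if __name__ == "__main__":
    print(demo())
```

With five voters and one replaced seed, a keystream bit changes only when the replaced seed is pivotal (the other four split 2-2, probability 6/16) and the two candidate seeds disagree on that bit (probability 1/2), so each user's copy differs from the plaintext in about 3/16 of its bits, and two users' copies differ from each other by the same fraction; that residual pattern is the per-user watermark, and reducing its density is what the abstract's error-correcting-code enhancement is for.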