We introduce the notion of a conditional encryption scheme as an extension of public key encryption. In addition to the standard public key algorithms ($\mathsf{KG}$, $\mathsf{Enc}$, $\mathsf{Dec}$) for key generation, encryption and decryption, a conditional encryption scheme for a binary predicate $P$ adds a new conditional encryption algorithm $\mathsf{CEnc}$. The conditional encryption algorithm $c=\mathsf{CEnc}_{pk}(c_1,m_2,m_3)$ takes as input the public encryption key $pk$, a ciphertext $c_1 = \mathsf{Enc}_{pk}(m_1)$ for an unknown message $m_1$, a control message $m_2$ and a payload message $m_3$, and outputs a conditional ciphertext $c$. Intuitively, if $P(m_1,m_2)=1$, then the conditional ciphertext $c$ should decrypt to the payload message $m_3$. On the other hand, if $P(m_1,m_2) = 0$, then the ciphertext should not leak any information about the control message $m_2$ or the payload message $m_3$, even if the attacker already has the secret decryption key $sk$. We formalize the notion of conditional encryption secrecy and provide concretely efficient constructions for a set of predicates relevant to password typo correction. Our practical constructions utilize the Paillier partially homomorphic encryption scheme as well as Shamir Secret Sharing. We prove that our constructions are secure and demonstrate how to use conditional encryption to improve the security of personalized password typo correction systems such as TypTop. We implement a C++ library for our practically efficient conditional encryption schemes and evaluate the performance empirically. We also update the implementation of TypTop to utilize conditional encryption for enhanced security guarantees and evaluate the performance of the updated implementation.
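To make the $\mathsf{CEnc}$ interface concrete, the following added example (not code from the paper or its C++ library) instantiates it for the simplest predicate, equality $P(m_1,m_2)=[m_1=m_2]$, using the standard Paillier homomorphic blinding $\mathsf{Enc}(r(m_1-m_2)+m_3)$. The function names, the toy primes and the sample values are assumptions; the paper's own constructions for typo predicates are not reproduced here.

```python
import secrets
from math import gcd

# Constructed toy parameters (two Mersenne primes); far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1

def keygen(p=P, q=Q):
    """KG: returns (pk, sk) for Paillier with generator g = n + 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, (n, phi, pow(phi, -1, n))

def _unit(n):
    """Uniform element of Z_n^* (used as encryption randomness and blinding)."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r

def enc(pk, m):
    """Enc: c = (1 + m*n) * r^n mod n^2."""
    n2 = pk * pk
    return (1 + (m % pk) * pk) % n2 * pow(_unit(pk), pk, n2) % n2

def dec(sk, c):
    """Dec: m = L(c^phi mod n^2) * phi^{-1} mod n, with L(x) = (x - 1) / n."""
    n, phi, mu = sk
    return (pow(c, phi, n * n) - 1) // n * mu % n

def cenc_eq(pk, c1, m2, m3):
    """CEnc for equality: needs only pk and the ciphertext c1, never m1.

    Output encrypts r*(m1 - m2) + m3 for a fresh random unit r. If m1 == m2
    the blinding term vanishes and the payload m3 is recovered; otherwise the
    plaintext is m3 shifted by a random nonzero multiple of (m1 - m2).
    """
    n2 = pk * pk
    diff = c1 * enc(pk, -m2) % n2                      # Enc(m1 - m2)
    return pow(diff, _unit(pk), n2) * enc(pk, m3) % n2  # fresh Enc(m3) re-randomizes

def to_int(s):
    """Hypothetical encoding of a short string as an integer below n."""
    return int.from_bytes(s.encode(), "big")

if __name__ == "__main__":
    pk, sk = keygen()
    c1 = enc(pk, to_int("hunter2"))                     # stored ciphertext of m1
    print(dec(sk, cenc_eq(pk, c1, to_int("hunter2"), 424242)))  # payload
    print(dec(sk, cenc_eq(pk, c1, to_int("Hunter2"), 424242)))  # blinded value
```

Because the multiplied-in $\mathsf{Enc}(m_3)$ uses fresh randomness, the output is a freshly randomized encryption of its plaintext, so a holder of $sk$ learns nothing beyond that decrypted value.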