Theorem 6 Our Construction1 of witness encryption achieves extractable security with t=poly(t·λ)andε=εand q≤q in the generic model of multilinear maps.
Proof of Theorem6 Assume an adversaryA=(A0,A1)that run in timet, and an instance x ∈ {0,1}∗ 2Pr ⎡ ⎢ ⎣ (m0,m1,St)←$ AO0 1λ,x b← {$ 0,1};c←$ WE.Enc1λ,x,mb b←$ AO1 1λ,x,m0,m1,c,St :b=b ⎤ ⎥ ⎦−1> ε
Then we shall prove there exists an extractorEthat run in timeΘ(t·λ2)such that
Pr w $ ←EO1λ,x:(x, w)∈RL > ε
To ease the discussion, we consider the instances of the specialSubset- Sumproblem defined in Definition15, rather than the original SAT problem.
We construct an extractorEby usingAas subroutine to extract a witness.Equeries to the oracleOand forwards the responses to the adversary whenever the adversary queries to
O.EgivesxtoA.Achooses(m0,m1)and sends them toE. Letxbe the instance of special
Subset- Sum: given a multi-set ofd-vectorsΔ = {(vi:i)}i∈I of positive integers and a
target sum vectorsof positive integers such that(i+1)vi sfor eachi ∈I.
Echoosesb←$ (0,1)uniformly at random. Eencodes the instancexaccording to our witness encryption scheme as
gvαvi i i∈I ∪
gsαswhereαis chosen uniformly at random. E chooses d fresh formal symbols X = (X1, . . . ,Xd) and creates an initial list L :=
hi →[yi]Vi i∈I∪ h→[y]T,h→yT,h→yTwhere – Vi :=Xvi andT :=Xs.
– The handleshi,hare chosen uniformly at random.
– yi,yare fresh variables.
Intuitively,yirepresentsαvi,yrepresentsmb+αs,yrepresentsm0andyrepresentsm1.
Those variables are used to keep track of adversary’s computation.E gives those handles
{hi}i∈I ∪
h,h,hto A. E answers the multilinear maps oracle queries for addition, subtraction and multiplication as defined in Appendix E. To answer the zero-test queries,E instantiates those variables with its real values and test whether the results are zeros.
Note that our proof also works when the handles for group generatorsh → [1]T and
hi →[1]Vi)fori ∈ Iare given to the adversary, although our scheme itself does not need
We define an extraction functionextover the polynomialszproduced by the adversary. Theext(z)returns an|I|-vector of integers as follows:
Fori∈I,ext(yi)=uwithua|I|-vector of 0 except a 1 on itsi-th element
ext(y)=exty=exty=0
ext(z1·z2)=ext(z1)+ext(z2) ext(z1+z2)= ext(z1) ifext(z1)=0 ext(z2) otherwise ext(z1−z2)= ext(z1) ifext(z1)=0 ext(z2) otherwise
Apparently this extraction function can be efficiently computed for any polynomialz. Lemma 2 For any formal polynomials z produced byAat an index level U := Xuwith U⊆T for some d-vectoru(u≤s). Letext(z)=δ1, . . . , δ|I|
. (1) ext(z)=0iff z is constructed by only using variable y,y,y. (2) Ifext(z)=0, theni∈Iδivi =uand0≤δi ≤ifor each i ∈I .
Proof The proof of the two results goes by induction on the structure ofz.
(1) ifz=yi, its index level isXvi andext(z)=(δ1, . . . , δ|I|)withδi =1 andδj =0 for
j=i. Clearly we havej∈Iδjvj =vi.
(2) ifzisy,y, ory, we haveext(z)=0.
(3) ifz=z1+z2, according to the definition ofM, we knowz1,z2are both the polynomials
of the same index levelXu. By induction hypothesis,ext(z1)=0(ext(z2)=0) iffz
1
(z2) is constructed by only using y. By definition ofext, forext(z)to be0, it must be ext(z1)andext(z2)are both0, i.e., bothz1andz2are constructed by only usingy,y,y.
That is to sayext(z)=0iffzis constructed by only usingy,y,y. Hence the first result holds.
W.l.o.g., assumeext(z1)=0. Letext(z1)=δ1, . . . , δ|I|
. By induction hypothesis, we havei∈Iδivi =u, andδi ≤i for eachi∈ I. By definition,ext(z)=(δ1, . . . , δ|I|),
and hence the second result holds. (4) ifz=z1−z2, simiar as above.
(5) ifz = z1·z2, by definition ofext, forext(z)to be0, it must beext(z1)andext(z2)
are both0, i.e., bothz1 andz2 are constructed by only using y,y,y. That is to say ext(z)=0iffzis constructed by only usingy,y,y. Hence the first result holds. Letext(z1)= δ 1, . . . , δ|I| andext(z2)= δ 1, . . . , δ|I| . Assumez1is a polynomial
on index levelXuandz2is a polynomial on index levelXw. Thenzis a polynomial on
index levelXu+w. By induction hypothesis, we know that
i∈Iδivi = uandδi ≤i
for each i ∈ I, and i∈Iδivi = w andδi ≤ i for eachi ∈ I. Sinceext(z) =
δ
1+δ1, . . . , δ|I|+δ|I|
, we havei∈I(δi+δi)vi=u+w.
We are now left to show that for anyi ∈ I,δi+δi ≤ i. Assume for somei ∈ I, δ
i +δi > i. We shall show thatU T. From the conditionivi s, we know that (u1, . . . ,ud)s. But this multiplication will be rejected by the multilinear map oracle.
This contradicts the assumption.
Lemma 3 A formal polynomial z produced by the adversaryAon the top index levelscan be rewritten into z= f(y1, . . . ,y|I|)+a·y+a·y+a·yfor some integers a,a,aby
only collecting the like terms of y,y,y. Moreover the polynomial f(y1, . . . ,y|I|)is on the
top index level and does not contain y,y,yand can also be computed by the adversary. Proof The initial top index level elementsh→[y]T,h→yT,h→yTcan only be added and subtracted. No multiplication is allowed on the top level. Even if the polynomial only containsz−zwith zon the top index level, this polynomial cannot be multiplied sincez−zis a zero on the top index level. That is to say y,y,ydo not occur inside of any multiplication operations. Hence we can separatey,y,yby using communicative and associative rules on+. After collecting the like terms ofy(no expansion or cancellation of the other terms),zcan be rewritten asz = f(y1, . . . ,y|I|)+ay+ay+ayfor some
polynomial f (which does not containy,y,y) and some integersa,a,a. Clearly for any polynomial produced byA, its communicative and associative equivalence can also be computed efficiently byAby simply changing the order of addition and subtraction on the
top level.
LetGoodbe an event that the adversary can construct such az = f(y1, . . . ,y|I|)+
ay+ay+ay with f(y1, . . . ,y|I|) = 0 (note that we didn’t cancel terms in f. So
f(y1, . . . ,y|I|)can only be 0 when it does not exist at all. Even if f only contains terms
likez−z, f is not 0). IfGoodoccurs, by definitionextf(y1, . . . ,y|I|)
=0. Assume
extf(y1, . . . ,y|I|)
= (δ1, . . . , δ|I|), then from Lemma2, we have
i∈Iδivi = sand
0≤δi≤ifori∈I. In other words, we get a subset sum fors. IfGooddoes not occur, this
means the adversary is not able to construct any polynomial that contains elements from both
y1, . . . ,y|I|
andy,y,y, hence the adversary can only constructs the polynomial of the form f1 y1, . . . ,y|I| and f2
y,y,y. Recall thatyrepresentsmb+αs,yrepresentsm0
andyrepresentsm1. In any polynomial f2(mb+αs,m0,m1), the distribution ofmb+αsis
exactly the same as any uniform random in the ring becauseαis chosen uniformly at random. Hence the adversary can only guess the value ofband we have
Prb=b=Prb=b∧Good+Prb=b∧ ¬Good≤PrGood+1
2Pr ¬Good =1 2 + 1 2Pr Good
Since 2·Prb=b−1> ε, we havePrGood>2ε−1. And the eventGoodis in fact the event the extractor can extract a witness for the instance ofSubset- Sum.
The extractor initialises the multilinear map oracle and it takes timepoly(λ). The extrac- tor performs the group operations of addition, subtraction, multiplication and zero-testing queried by the adversary and it takest·poly(λ)time since the addition, subtraction and multiplication take timepoly(λ)and zero-testing is in timet ·poly(λ) since polynomial produced by the adversary is of depth at mostΘ(t). The extraction algorithm is in timeΘ(t). Hence it takes the extractorpoly(t·λ)times in total. This concludes the proof.