6.2 Building blocks and main theorem stating security
6.2.1 Level system
The level system, mentioned in earlier sections of this paper, is a primitive introduced in this work that is a critical building block of our deniable encryption protocol. This subsection provides detailed intuition about the level system primitive, followed by a formal definition (the latter being a prerequisite to formally stating the security guarantees of our main construction). This subsection's scope is purely definitional; see Section 7 for a construction and security proof.
Motivation and overview. The idea of a level system is to have an encryption scheme which allows one to increment ciphertexts and compare them homomorphically. However, in order for this encryption to be useful in our construction of the deniable protocol, we require the following properties of this "encryption scheme" (footnote 25):
• There should be two types of ciphertexts, which we call single-tag levels and double-tag levels;
• A single-tag level is an encryption of a number $i$ between $0$ and an upper bound $T$, together with some string $m_1 \in M_1$, which we call a tag. (In our construction of deniable encryption, we use the first message of the deniable protocol as a tag. This is done to "tie" the level to the instance of the protocol.)
• A double-tag level is an encryption of a number $i$ between $0$ and an upper bound $T$, together with two tags $m_1 \in M_1$, $m_2 \in M_2$. (In our construction of deniable encryption, we use the first and the second messages of the deniable protocol as tags. This, again, is done to "tie" the level to the instance of the protocol.)
• It should be possible to perform the following operations:
  1. Sample a single-tag level $0$ for any tag $m_1$;
  2. Homomorphically increment the value inside any single-tag level (keeping its tag the same);
  3. Transform any single-tag level into a double-tag level, for any second tag $m_2$ (the value and the first tag remain the same);
  4. Compare two double-tag levels, as long as both of their tags are the same;
  5. Given any level, retrieve its tag(s).
Notation. We use the notation $[i, m_1]$ to denote a single-tag level with value $i$ and tag $m_1$. We also use $\ell_i$ to denote a single-tag level with value $i$, when the tag is clear from the context.
We use the notation $[i, m_1, m_2]$ to denote a double-tag level with value $i$ and tags $m_1, m_2$. We also use $L_i$ to denote a double-tag level with value $i$, when its tags are clear from the context.
Security property. The security requirement of a level system is that it should be hard to distinguish between $\ell^*_0 = [0, m^*_1],\ L^*_0 = [0, m^*_1, m^*_2]$ and $\ell^*_1 = [1, m^*_1],\ L^*_0 = [0, m^*_1, m^*_2]$, even given a (limited) ability to perform the homomorphic operations described above.
This will be used in the proof of security of the deniable encryption scheme as follows. Recall that in that proof we need to start with the real transcript and real randomness $s, r$ (having levels $L^*_0, \ell^*_0, L^*_0$, respectively) and eventually switch to the (same) real transcript but fake randomness $s', r'$ (with levels $L^*_0, \ell^*_1, L^*_0$). We can use the security of the level system in the proof of deniable encryption as follows: given the challenge $\ell^*_b, L^*_0$ (where $\ell^*_b = [b, m^*_1]$, $b \in \{0,1\}$, $L^*_0 = [0, m^*_1, m^*_2]$), we use $\ell^*_b$ inside the fake $s$ and we use $L^*_0$ inside the transcript and the fake $r$. Since security of levels only holds when the programs are punctured, in the proof of deniable encryption we first move to a hybrid with only punctured level programs, and then invoke the security of the level system.
Definition. We start by describing the syntax of a level system for tag space $M$ and upper bound $T$:
• $\mathsf{Setup}(1^\lambda; T; \mathsf{GenZero}, \mathsf{Increment}, \mathsf{Transform}, \mathsf{isLess}, \mathsf{RetrieveTag}, \mathsf{RetrieveTags}; r_{\mathsf{Setup}}) \to \mathsf{PP} = (P_{\mathsf{GenZero}}, P_{\mathsf{Increment}}, P_{\mathsf{Transform}}, P_{\mathsf{isLess}}, P_{\mathsf{RetrieveTag}}, P_{\mathsf{RetrieveTags}})$ is a randomized algorithm which takes as input the security parameter, the largest allowed level $T$, descriptions of the programs, and randomness. It uses the random coins to sample all necessary keys for each program (footnote 26), and outputs those programs obfuscated under $i\mathcal{O}$.
• $\mathsf{GenZero}(m_1) \to \ell$ is a deterministic algorithm which takes a message $m_1 \in M$ as input and outputs a string $\ell = [0, m_1]$, which is a single-tag level with tag $m_1$ and value $0$. We also require that there exists a punctured version of this algorithm, denoted $\mathsf{GenZero}[m^*_1](m_1)$, which outputs 'fail' on input $m^*_1$.
• $\mathsf{Increment}(\ell) \to \ell'$ is a deterministic algorithm which takes a single-tag level $\ell = [i, m_1]$ for some $0 \le i \le T-1$, $m_1 \in M$, and outputs a single-tag level with the same tag and incremented value, i.e. $\ell' = [i+1, m_1]$. If $i \ge T$, it instead outputs 'fail'.
• $\mathsf{Transform}(\ell, m_2) \to L$ is a deterministic algorithm which takes a single-tag level $\ell = [i, m_1]$ for some $0 \le i \le T$, $m_1 \in M$, and some message $m_2 \in M$, and outputs $L = [i, m_1, m_2]$, which is a double-tag level with tags $m_1, m_2$ and value $i$. We also require that there exists a punctured version of this algorithm, denoted $\mathsf{Transform}[(\ell^*, m^*_2)](\ell, m_2)$, which outputs 'fail' on input $(\ell^*, m^*_2)$.
• $\mathsf{isLess}(L', L'') \to \mathit{out} \in \{\mathsf{true}, \mathsf{false}\}$ is a deterministic algorithm which takes as input two double-tag levels $L' = [i', m'_1, m'_2]$ and $L'' = [i'', m''_1, m''_2]$. If $(m'_1, m'_2) \ne (m''_1, m''_2)$, then it outputs 'fail'. Otherwise it outputs $\mathsf{true}$ if $i' < i''$ and $\mathsf{false}$ if $i' \ge i''$.
• $\mathsf{RetrieveTag}(\ell) \to m_1$ is a deterministic algorithm which takes a single-tag level $\ell$ and outputs its tag.
• $\mathsf{RetrieveTags}(L) \to (m_1, m_2)$ is a deterministic algorithm which takes a double-tag level $L$ and outputs both tags.
Footnote 26. We emphasize that all programs except $\mathsf{Setup}$ are deterministic.
Definition 10. A tuple of parametrized, deterministic (footnote 27) algorithms
$(\mathsf{GenZero}, \mathsf{Increment}, \mathsf{Transform}, \mathsf{isLess}, \mathsf{RetrieveTag}, \mathsf{RetrieveTags}, \mathsf{GenZero}[m^*_1], \mathsf{Transform}[(\ell^*, m^*_2)])$
is a level system for tag space $M$, if the algorithms have the syntax described above, and the correctness and security properties described below hold.
Notation: Let $T$ be superpolynomial in $\lambda$, and let $\mathsf{PP} = (P_{\mathsf{GenZero}}, P_{\mathsf{Increment}}, P_{\mathsf{Transform}}, P_{\mathsf{isLess}}, P_{\mathsf{RetrieveTag}}, P_{\mathsf{RetrieveTags}}) \leftarrow \mathsf{Setup}(1^\lambda; T; \mathsf{GenZero}, \mathsf{Increment}, \mathsf{Transform}, \mathsf{isLess}, \mathsf{RetrieveTag}, \mathsf{RetrieveTags}; r_{\mathsf{Setup}})$ for randomly chosen $r_{\mathsf{Setup}}$.
Next, let $m^*_1 \in M$, $m^*_2 \in M$, and let $\ell^*$ be an arbitrary string (not necessarily a level). Let $\mathsf{PP}' = (P'_{\mathsf{GenZero}}, P'_{\mathsf{Increment}}, P'_{\mathsf{Transform}}, P'_{\mathsf{isLess}}, P'_{\mathsf{RetrieveTag}}, P'_{\mathsf{RetrieveTags}}) \leftarrow \mathsf{Setup}(1^\lambda; T; \mathsf{GenZero}[m^*_1], \mathsf{Increment}, \mathsf{Transform}[(\ell^*, m^*_2)], \mathsf{isLess}, \mathsf{RetrieveTag}, \mathsf{RetrieveTags}; r_{\mathsf{Setup}})$ with the same randomness $r_{\mathsf{Setup}}$ as above.
For any fixed $r_{\mathsf{Setup}}$ consider the following notation:
• For every $m_1 \in M$ denote $[0, m_1] = P_{\mathsf{GenZero}}(m_1)$;
• For every $m_1 \in M$ and $1 \le i \le T$ denote $[i, m_1] = P_{\mathsf{Increment}}([i-1, m_1])$;
• For every $m_2 \in M$ and every $[i, m_1]$, where $0 \le i \le T$, $m_1 \in M$, denote $[i, m_1, m_2] = P_{\mathsf{Transform}}([i, m_1], m_2)$.
Correctness: The following properties should hold, except with negligible probability over the choice of $r_{\mathsf{Setup}}$:
• Uniqueness of levels:
  – For all $\ell \notin \{[i, m_1] : 0 \le i \le T,\ m_1 \in M\}$:
    ∗ $P_{\mathsf{Increment}}(\ell) = $ 'fail';
    ∗ $P_{\mathsf{Transform}}(\ell, m_2) = $ 'fail' for any $m_2 \in M$;
    ∗ $P_{\mathsf{RetrieveTag}}(\ell) = $ 'fail'.
  – For all $L \notin \{[i, m_1, m_2] : 0 \le i \le T,\ m_1 \in M,\ m_2 \in M\}$:
    ∗ $P_{\mathsf{isLess}}(L, L') = $ 'fail' and $P_{\mathsf{isLess}}(L', L) = $ 'fail', for any string $L'$;
    ∗ $P_{\mathsf{RetrieveTags}}(L) = $ 'fail'.
• Upper bound is respected: For every $m_1 \in M$, $P_{\mathsf{Increment}}([T, m_1]) = $ 'fail'.
• Correctness of comparison: For every $m_1, m_2 \in M$ and for every $0 \le i, j \le T$:
  – $P_{\mathsf{isLess}}([i, m_1, m_2], [j, m_1, m_2]) = \mathsf{true}$ for $i < j$,
  – $P_{\mathsf{isLess}}([i, m_1, m_2], [j, m_1, m_2]) = \mathsf{false}$ for $i \ge j$.
• Comparison is possible only on matching levels: If $(m'_1, m'_2) \ne (m''_1, m''_2)$, then $P_{\mathsf{isLess}}([i, m'_1, m'_2], [j, m''_1, m''_2]) = $ 'fail' for all $i, j$.
• Correctness of tag retrieval: For every $m_1, m_2 \in M$ and for every $0 \le i \le T$:
  – $P_{\mathsf{RetrieveTag}}([i, m_1]) = m_1$,
  – $P_{\mathsf{RetrieveTags}}([i, m_1, m_2]) = (m_1, m_2)$.
• Functionality is preserved under puncturing:
  – $P_{\mathsf{GenZero}}(m) = P'_{\mathsf{GenZero}}(m)$ for all $m \in M$, $m \ne m^*_1$;
  – $P_{\mathsf{Increment}}(\ell) = P'_{\mathsf{Increment}}(\ell)$ for all strings $\ell$;
  – $P_{\mathsf{Transform}}(\ell, m_2) = P'_{\mathsf{Transform}}(\ell, m_2)$ for all strings $\ell$ and for all $m_2 \in M$, except $(\ell^*, m^*_2)$;
  – $P_{\mathsf{isLess}}(L', L'') = P'_{\mathsf{isLess}}(L', L'')$ for all strings $L', L''$;
  – $P_{\mathsf{RetrieveTag}}(\ell) = P'_{\mathsf{RetrieveTag}}(\ell)$ for all strings $\ell$;
  – $P_{\mathsf{RetrieveTags}}(L) = P'_{\mathsf{RetrieveTags}}(L)$ for all strings $L$.
Note that it follows from the correctness properties that $[i, m_1] = [i', m'_1]$ if and only if $(i, m_1) = (i', m'_1)$, and $[i, m_1, m_2] = [i', m'_1, m'_2]$ if and only if $(i, m_1, m_2) = (i', m'_1, m'_2)$.
Footnote 27. We prefer to use the notion of parametrized, deterministic algorithms to keep the definition simple. To formally define this notion, consider a randomized Turing machine with the restriction that the number of random bits written on its random tape is fixed and independent of the input (depending only on the security parameter $\lambda$). Such a Turing machine can first use these random coins to generate all necessary parameters (e.g., keys) and then run the actual code of the algorithm using the generated parameters. In particular, we assume that this TM has the code of all necessary generation algorithms.
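The following is an added reference model of the level-system syntax and its correctness properties (the six algorithms, the two punctured variants, and the "same $r_{\mathsf{Setup}}$" relation between $\mathsf{PP}$ and $\mathsf{PP}'$); it is not code from the paper and not the construction of Section 7. It assumes a keyed MAC over a plaintext encoding of $(i, m_1)$ or $(i, m_1, m_2)$ in place of the $i\mathcal{O}$-obfuscated programs, with the MAC key playing the role of $r_{\mathsf{Setup}}$. That is enough to make every non-level string fail, to enforce the upper bound $T$, to restrict comparison to matching tags, and to show what puncturing at $m^*_1$ and $(\ell^*, m^*_2)$ changes and what it leaves unchanged. It deliberately does not meet the security property: values are in the clear, so $\ell^*_0$ and $\ell^*_1$ are trivially distinguishable, which is exactly the gap the obfuscation-based construction has to close.

```python
import hashlib
import hmac
import os

FAIL = "fail"  # stands in for the paper's 'fail' output


class LevelSystem:
    """Insecure reference model (assumption: keyed MAC instead of iO programs).
    key plays the role of r_Setup; punct_gen is m1* for GenZero[m1*];
    punct_transform is (l*, m2*) for Transform[(l*, m2*)]."""

    def __init__(self, T, key=None, punct_gen=None, punct_transform=None):
        self.T = T
        self.key = key if key is not None else os.urandom(32)
        self.punct_gen = punct_gen
        self.punct_transform = punct_transform

    def _mac(self, fields):
        # repr of a tuple of ints/strs is an unambiguous canonical encoding
        return hmac.new(self.key, repr(fields).encode(), hashlib.sha256).hexdigest()

    def _single(self, i, m1):          # the string [i, m1]
        return ("single", i, m1, self._mac(("single", i, m1)))

    def _double(self, i, m1, m2):      # the string [i, m1, m2]
        return ("double", i, m1, m2, self._mac(("double", i, m1, m2)))

    def _is_single(self, l):
        return (isinstance(l, tuple) and len(l) == 4 and l[0] == "single"
                and isinstance(l[1], int) and 0 <= l[1] <= self.T
                and isinstance(l[3], str)
                and hmac.compare_digest(l[3], self._mac(("single", l[1], l[2]))))

    def _is_double(self, L):
        return (isinstance(L, tuple) and len(L) == 5 and L[0] == "double"
                and isinstance(L[1], int) and 0 <= L[1] <= self.T
                and isinstance(L[4], str)
                and hmac.compare_digest(L[4], self._mac(("double", L[1], L[2], L[3]))))

    def gen_zero(self, m1):            # GenZero, or GenZero[m1*] when punctured
        if self.punct_gen is not None and m1 == self.punct_gen:
            return FAIL
        return self._single(0, m1)

    def increment(self, l):            # Increment: fails on non-levels and at value T
        if not self._is_single(l) or l[1] >= self.T:
            return FAIL
        return self._single(l[1] + 1, l[2])

    def transform(self, l, m2):        # Transform, or Transform[(l*, m2*)] when punctured
        if self.punct_transform is not None and (l, m2) == self.punct_transform:
            return FAIL
        if not self._is_single(l):
            return FAIL
        return self._double(l[1], l[2], m2)

    def is_less(self, L1, L2):         # isLess: only defined on double-tag levels with equal tags
        if not (self._is_double(L1) and self._is_double(L2)):
            return FAIL
        if (L1[2], L1[3]) != (L2[2], L2[3]):
            return FAIL
        return L1[1] < L2[1]

    def retrieve_tag(self, l):
        return l[2] if self._is_single(l) else FAIL

    def retrieve_tags(self, L):
        return (L[2], L[3]) if self._is_double(L) else FAIL


def check_correctness(T=3):
    """Exercise the correctness properties on constructed tags; returns name -> bool."""
    ls = LevelSystem(T)
    levels = [ls.gen_zero("msg1")]                # [0, msg1], [1, msg1], ..., [T, msg1]
    for _ in range(T):
        levels.append(ls.increment(levels[-1]))
    forged = ("single", 1, "msg1", "00" * 32)     # constructed non-level string
    d = lambda k, m2="msg2": ls.transform(levels[k], m2)
    return {
        "upper_bound": ls.increment(levels[T]) == FAIL,
        "rejects_forged": ls.increment(forged) == FAIL and ls.transform(forged, "msg2") == FAIL
                          and ls.retrieve_tag("not a level") == FAIL and ls.is_less(d(0), "x") == FAIL,
        "compare": ls.is_less(d(1), d(2)) is True and ls.is_less(d(2), d(2)) is False,
        "compare_mismatch": ls.is_less(d(0), d(1, "other")) == FAIL,
        "tags": ls.retrieve_tag(levels[2]) == "msg1" and ls.retrieve_tags(d(2)) == ("msg1", "msg2"),
    }


def check_puncturing(T=3):
    """PP and PP' share r_Setup (the key); they agree everywhere except the punctured points."""
    key = os.urandom(32)
    pp = LevelSystem(T, key)
    l_star = pp.gen_zero("m1*")                                  # l* = [0, m1*]
    ppp = LevelSystem(T, key, punct_gen="m1*", punct_transform=(l_star, "m2*"))
    other = pp.gen_zero("m1")
    return {
        "genzero": ppp.gen_zero("m1*") == FAIL and ppp.gen_zero("m1") == pp.gen_zero("m1"),
        "transform": ppp.transform(l_star, "m2*") == FAIL
                     and ppp.transform(l_star, "m2") == pp.transform(l_star, "m2")
                     and ppp.transform(other, "m2*") == pp.transform(other, "m2*"),
        "increment": ppp.increment(l_star) == pp.increment(l_star),
        "isless": ppp.is_less(pp.transform(other, "m2"), pp.transform(pp.increment(other), "m2"))
                  == pp.is_less(pp.transform(other, "m2"), pp.transform(pp.increment(other), "m2")),
    }
```

Running `check_correctness()` and `check_puncturing()` yields all-true dictionaries; the point of the second function is that the punctured programs differ from the unpunctured ones only on the single input each puncturing names, which is the "functionality is preserved under puncturing" clause that the deniability proof relies on before it invokes the security property.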
Security: For any $m^*_1 \in M$, $m^*_2 \in M$, the following distributions are computationally indistinguishable:
$$(\ell^*_0, L^*_0, \mathsf{PP}_0) \approx (\ell^*_1, L^*_0, \mathsf{PP}_1),$$
where $r_{\mathsf{Setup}}$ is randomly chosen, $\mathsf{PP} = (P_{\mathsf{GenZero}}, P_{\mathsf{Increment}}, P_{\mathsf{Transform}}, P_{\mathsf{isLess}}, P_{\mathsf{RetrieveTag}}, P_{\mathsf{RetrieveTags}}) \leftarrow \mathsf{Setup}(1^\lambda; T; \mathsf{GenZero}, \mathsf{Increment}, \mathsf{Transform}, \mathsf{isLess}, \mathsf{RetrieveTag}, \mathsf{RetrieveTags}; r_{\mathsf{Setup}})$,
$\ell^*_0 \leftarrow P_{\mathsf{GenZero}}(m^*_1)$, $\ell^*_1 \leftarrow P_{\mathsf{Increment}}(\ell^*_0)$, $L^*_0 \leftarrow P_{\mathsf{Transform}}(\ell^*_0, m^*_2)$, and
$\mathsf{PP}_b \leftarrow \mathsf{Setup}(1^\lambda; T; \mathsf{GenZero}[m^*_1], \mathsf{Increment}, \mathsf{Transform}[(\ell^*_b, m^*_2)], \mathsf{isLess}, \mathsf{RetrieveTag}, \mathsf{RetrieveTags}; r_{\mathsf{Setup}})$ for $b \in \{0, 1\}$.