
We show that for all $z_0, z_1 \in Z_Q$:

From this, equivalence (6) easily follows, because

$$\Pr[(A\|P \mapsto 1), X \mid Q] = \sum_{z_0 \in Z_Q} \Pr[z_0 \mid Q] \cdot \Pr[(A\|P \mapsto 1), X \mid z_0] =_{\mathrm{neg}} \Pr[(A\|P \mapsto 1), X \mid z] \cdot \sum_{z_0 \in Z_Q} \Pr[z_0 \mid Q] = \Pr[(A\|P \mapsto 1), X \mid z].$$

Hence, to complete the proof, we need to prove (15).

Let us first notice that $z_i$ subsumes $Q$. Therefore (15) is equivalent to

$$\Pr[(A\|P \mapsto 1), I_L \mid z_0] =_{\mathrm{neg}} \Pr[(A\|P \mapsto 1), I_L \mid z_1]. \quad (16)$$

Let $T$ be the simulator of $A\|P$, given by Lemma 3, which extracts, with overwhelming probability, permutations $\pi_0, \dots, \pi_{2m}$ that satisfy Condition (c) of semi-honest runs. Note that the permutations of the honest mix server do not have to be extracted by the simulator; the simulator simply knows them, as they are generated using the (simulation of the) honest mix server program. For convenience, however, we will also call these permutations extracted. By $\pi^*$ we will denote the composition $\pi_{2m-1} \circ \cdots \circ \pi_0$ of all the permutations extracted in a simulated run (where the operator $\circ$ denotes composition of functions, $(f \circ g)(x) = g(f(x))$).

One can easily see that in the system $T$, with overwhelming probability (more precisely, for all those runs where the extraction works correctly), the $i$-th entry in the decrypted output of the mix net is the same as the $\pi^*(i)$-th input entry (after the proof check and duplicate elimination). We will use this fact later.

Now, because the simulation is faithful, for $p \in \{0,1\}$ we have

$$\Pr[(A\|P \mapsto 1), I_L \mid z_p] = \Pr[(T \mapsto 1), I_L \mid z_p], \quad (17)$$

where the set of indices $I_L$ is interpreted as an event for the system $T$ in the same way as for the system $(A\|P)$.

Let $T'_p$, for $p \in \{0,1\}$, be defined as the system $T$, but with the following differences. First, $T'_p$ uses $z_p$ as the (unencrypted) input of the senders in $I_L$. Second, it outputs 1 if $(A\|P)$ outputs 1 and the event $I_L$ is true in the run (which can easily be checked by $T'_p$). It is easy to see that

$$\Pr[(T \mapsto 1), I_L \mid z_p] = \Pr[T'_p \mapsto 1]. \quad (18)$$

Simulating NIZKPs and Extracting. Let $Q_p$, for $p \in \{0,1\}$, be the program that works exactly like $T'_p$, which includes simulation of the system $A\|P$, and diverges from the faithful simulation (as done in $T'_p$) only in the following points. Note that we must simulate $A$ in a black-box manner, while the honest component ($P$) is known and does not need to be simulated as a black box.

Q1. Instead of using the (honest) setup algorithm to generate common reference strings $\sigma_k$ for NIZKPs of knowledge of the secret key shares corresponding to the published public key shares of the dishonest mix servers, $Q_p$ uses (the first component of) an extractor algorithm (that exists by the computational knowledge extraction property) to generate $\sigma_k$ (which is given to the adversary) along with a trapdoor $\tau_k$.

Q2. Instead of using the (honest) setup algorithm to generate common reference strings $\sigma_e$ for NIZKPs of knowledge of the plaintexts to be used by the dishonest senders (subsumed by the adversary), $Q_p$ uses (the first component of) an extractor algorithm (that exists by the computational knowledge extraction property) to generate $\sigma_e$ (which is given to the adversary) along with a trapdoor $\tau_e$.

Q3. Instead of using the (honest) setup algorithm to generate common reference strings $\sigma_{I_L}$ for NIZKPs of knowledge of the plaintexts to be used by the honest senders in $I_L$, $Q_p$ uses a simulator algorithm (that exists by the computational zero-knowledge property) to generate these CRSs $\sigma_{I_L}$ along with a trapdoor $\tau_{I_L}$.

These CRSs and the trapdoors are then used to generate (simulated) NIZKPs of knowledge of the plaintexts by the honest senders in $I_L$.

Q4. Instead of using the (honest) setup algorithm to generate common reference strings $\sigma_d$ for NIZKPs of correct decryption share of the honest mix server $M_j$, $Q_p$ uses a simulator algorithm (that exists by the computational zero-knowledge property) to generate $\sigma_d$ along with the trapdoor $\tau_d$.

These CRSs and the trapdoors are then used by $Q_p$ to generate (simulated) proofs of correct decryption of the honest mix server (so that the private key is not used in this step).

By the construction of $Q_p$ and by the properties of the interactive zero-knowledge proofs used in the system (computational zero-knowledge and computational knowledge extraction) we obtain:

$$\Pr[T'_p \mapsto 1] =_{\mathrm{neg}} \Pr[Q_p \mapsto 1]. \quad (19)$$

Note that, as is necessary for use of the zero-knowledge property, the system $Q_p$ only produces simulated proofs for true statements (honest senders produce ciphertexts of plaintexts they know and the honest mix server $M_j$ produces a valid decryption share).

Moreover, the permutation $\pi^*$ computed by $Q_p$ is still "correct" in that, with overwhelming probability, the $i$-th entry in the decrypted output is the same as the $\pi^*(i)$-th input entry (after the proof check and duplicate elimination), as otherwise, because this is true for $T$ and $T'_p$, and can easily be tested by the simulator, one could easily construct a distinguisher breaking the zero-knowledge or extraction properties.

CPA Game Simulator. Given $z_0, z_1$ as above, let $S_p$, for $p \in \{0,1\}$, be the system that uses a CPA challenger $C_{enc}$ as an oracle, defined as follows:

S1. $S_p$ generates all the common reference strings to be used in the system in the same way as this is done in the system $Q_p$ (hence, some of these CRSs are generated by simulators / extractors).

S2. $S_p$ first calls the encryption oracle $C_{enc}$ ($|z_0| = |z_1|$ times) to obtain the encrypted input $y_{I_L}$ of senders in $I_L$, that is, encrypted $z_b$, where $b$ is the secret bit used by the oracle (the CPA challenger). Then, as it was done in Q3, $S_p$ uses the simulator algorithm and the trapdoor $\tau_{I_L}$ to produce (simulated) NIZKPs of knowledge of the plaintexts for the obtained vector $y_{I_L}$ (without knowing which plaintexts have been encrypted and without knowing the used randomness).

S3. It then simulates honest senders not in $I_L$ to generate their unencrypted input $x_h$ and then their encrypted input $y_h$ along with the required ZK proofs (note that "real" zero-knowledge proofs are produced here, using honestly generated CRSs).

S4. $S_p$ gives the encrypted entries produced so far to the adversary $A$ and simulates $A$ up to the point where it produces its (dishonest) input $y_d$.

S5. With the ciphertexts $y_{I_L}$, $y_h$, and $y_d$, $S_p$ now first performs the input validation phase of the mix net. As a result, some entries of the proofs provided by the adversary might be dropped, because the adversary might have provided invalid proofs. (Honest senders provide valid proofs only.) So, we will have a subset of entries from $y_d$. We denote the new set of entries of the adversary by $y'_d$. Also, some ciphertexts provided by the adversary might coincide with those provided by the honest senders, i.e., with those in $y_{I_L}$, $y_h$. (Since the encryption scheme used is IND-CPA secure, the probability that there are duplicate ciphertexts among those provided by the honest senders is negligible.) So, some more of the ciphertexts in $y'_d$ might be dropped.$^{12}$

Hence, the ciphertexts in $y_{I_L}$ and $y_h$ will all make it to the actual mixing phase. Only some of the entries in $y_d$ might be dropped, and hence, only a subset $y''_d$ may actually make it to the mixing phase. For simplicity of notation, we will, instead of referring to these ciphertexts by $y''_d$, still refer to them by $y_d$.

After having simulated the input validation phase, $S_p$ uses the knowledge extractor from Q2 with the trapdoor $\tau_e$ to extract the vector of plaintexts $x_d$ from $y_d$. (Note that by now all the entries have valid NIZKPs of knowledge of plaintexts.) At this point the simulator $S_p$ has, up to the choices of the senders in $I_L$, complete knowledge of the input of each of the senders (honest and dishonest), except for the exact order of plaintexts for the honest senders in $I_L$. The simulator knows that it is $z_0$ or $z_1$. Let $x_p$ denote the vector of plaintexts consisting of the vectors $z_p$, $x_h$ and $x_d$. Hence, $x_0$ and $x_1$ differ only at positions corresponding to the honest senders in $I_L$. The simulator also knows the corresponding ciphertexts, which we denote by the vector $y$, consisting of the elements of $y_{I_L}$, $y_h$ and $y_d$.

S6. $S_p$ then simulates the mixing phase on the input $y$. Doing this, $S_p$ extracts the permutations used by the mix servers in the same way as this is done in $T$ and in $Q_p$. As previously, we will denote by $\pi^*$ the composition of these permutations.

S7. Finally, $S_p$ simulates the decryption process in such a way that it outputs $\pi^*\{x_p\}$, by which we denote the vector $v$ such that $v[i] = x_p[\pi^*(i)]$. This is the output vector one would obtain by shuffling $x_p$ according to the extracted permutations used by the mix servers. (Note, however, that this is not necessarily the "correct" output vector, as the bit $b$ used by the CPA challenger $C_{enc}$ might not coincide with $p$.)

To this end, the simulator, using the trapdoor and the (second component of the) extractor algorithm from Q1, extracts the private keys of the dishonest mix servers. Then the simulator manipulates the decryption share of the honest mix server in the following way. Using the private keys of all the dishonest mix servers and the property of decryption share extractability, the simulator, for each output target entry $\tilde m$ it wants to output, produces the appropriate $\tilde h_j$ that together with the decryption shares of the remaining mix servers yields $\tilde m$ (more precisely, it yields $\tilde m$ with overwhelming probability, that is, for those runs where the adversary is semi-honest and produces correct decryption shares). The simulator also outputs simulated ZK proofs of correctness of $\tilde h_j$, using the trapdoor from Q4.

$^{12}$ Since in the rest of the mix net the NIZKPs in the entries are no longer used (only the actual ciphertexts are used), it does not matter whether a ciphertext in $y'_d$ or its duplicate in $y_{I_L}$ or $y_h$

S8. Finally, after the output is produced, $S_p$ computes its decision as $T'_p$ does.

One can see that, by construction, the systems $Q_p$ and $S_p^{C_{enc}(p)}$, where $C_{enc}(p)$ is the encryption oracle (the CPA challenger for the used encryption scheme) with the challenge bit fixed to $p$, coincide, except for the decryption step. Because this step does not affect the computation of $\pi^*$, we know that the permutation $\pi^*$ as computed by $S_p^{C_{enc}(p)}$ is the same as $\pi^*$ computed by $Q_p$.

By the above, with overwhelming probability (for all those runs where $\pi^*$ is correct, as defined for the system $Q_p$), the $i$-th entry output by $Q_p$ (obtained by decrypting the $i$-th encrypted output) is the same as the $\pi^*(i)$-th input entry $x_p[\pi^*(i)]$ which, by construction, is the $i$-th entry output by $S_p^{C_{enc}(p)}$. Hence, the decrypted output of $S_p^{C_{enc}(p)}$ and $Q_p$ is the same. Therefore, the output of the decryption in $S_p^{C_{enc}(p)}$ is correct.

Now, because we consider risk-avoiding adversaries, that is, adversaries that behave semi-honestly with overwhelming probability (Lemma 2), we know that, again with overwhelming probability, the decryption shares produced by the dishonest mix servers are correct. Furthermore, because in this case $\tilde h_j$ yields, along with the remaining decryption shares, the correct plaintext, by decryption share extractability, the faked decryption share $\tilde h_j$ produced in $S_p^{C_{enc}(p)}$ is the same as the honest decryption share $h_j$ produced in $Q_p$. Altogether, we can conclude that these two systems coincide also in the decryption step and, therefore, coincide completely. Hence we have

$$\Pr[Q_p \mapsto 1] = \Pr[S_p^{C_{enc}(p)} \mapsto 1]. \quad (20)$$

By the IND-CPA property of the used encryption scheme, we immediately obtain

$$\Pr[S_1^{C_{enc}(0)} \mapsto 1] =_{\mathrm{neg}} \Pr[S_1^{C_{enc}(1)} \mapsto 1]. \quad (21)$$

Therefore, to complete the proof, it suffices to show that

$$\Pr[S_0^{C_{enc}(0)} \mapsto 1] =_{\mathrm{neg}} \Pr[S_1^{C_{enc}(0)} \mapsto 1]. \quad (22)$$

Re-encryption Game Simulator. To prove (22), we will use the semantic security of the used encryption scheme under re-encryption. Let $R$ be the system that uses a re-encryption oracle $C_{re}$ and works as follows.

R1. $R$ generates all the common reference strings to be used in the system, as it is done in $Q_p$ (and hence in $S_p$).

R2. $R$ takes $z_0$ as the plaintext input of senders in $I_L$, encrypts these plaintexts to obtain encrypted input $y_{I_L}$ and produces simulated NIZKPs of knowledge of plaintexts for these ciphertexts (as $S_p$ does in S2).

R3. It simulates the honest senders not in $I_L$ as $S_p$ does in S3.

R4. It produces the input of the adversary as $S_p$ does in S4.

R5. $R$ simulates the input validation steps as $S_p$ does in Step S5. $R$ also extracts the plaintexts from the ciphertexts provided by the adversary as $S_p$ does in S5.

Note that the unencrypted input, after validation, produced by $R$ is the same as the unencrypted input $x_0$ produced by $S_0^{C_{enc}(0)}$ and $S_1^{C_{enc}(0)}$.

R6. $R$ simulates the mixing phase (including permutation extraction) in the same way as $S_p$ in Step S6, with the exception of the second mixing step of the honest mix server $M_j$, which is simulated in the following way:

Let $y'$ be the input to the second mixing step of $M_j$. By this point, $R$ has extracted some permutations $\pi_0, \dots, \pi_{2j-1}$ (from dishonest mix servers before $M_j$). Also, $R$ has chosen a permutation $\pi_{2j}$ for the first mixing step of $M_j$ itself. Let $\pi_1^*$ be the composition of these permutations.

Let $\rho$ be the permutation (on the set of input indices) that maps $x_1$ into $x_0$, that is $x_1[i] = x_0[\rho(i)]$. Such a permutation exists, because of the way $x_0$ and $x_1$ are constructed (they are the same as multisets). Moreover, this permutation only permutes indices corresponding to the senders in $I_L$ (where the elements of $z_0$ are located) and keeps intact the remaining indices, that is, for $i \notin I_L$ we have $\rho(i) = \rho^{-1}(i) = i$.

To simulate the second mixing step of the honest mix server, $R$ picks a random permutation $\pi_{2j+1}$ (as $M_j$ would do). Additionally, $R$ computes the permutation $\tilde\rho = \pi_1^* \circ \rho^{-1} \circ (\pi_1^*)^{-1}$, and $\tilde\pi_{2j+1} = \pi_{2j+1} \circ \tilde\rho$. The simulator $R$ then uses the re-encryption oracle to obtain $y'' = C_{re}(\pi_{2j+1}\{y'\}, \tilde\pi_{2j+1}\{y'\})$.

Notice that, for all indices $i$ such that $\pi_1^*(i) \notin I_L$, these two permutations work in exactly the same way, that is $\pi_{2j+1}^{-1}(i) = \tilde\pi_{2j+1}^{-1}(i)$. Let us denote the set of such indices $i$ by $I'_L$ (this set, intuitively, contains indices at the point of the input to the second mixing step of $M_j$ that do not map (via $\pi_1^*$) to indices in $I_L$).

Now, $R$ computes a vector $y'''$ from $y''$ by substituting every element of $y''$ that does not map to $I_L$ (that is, every element at position $k$ such that $\tilde\pi_{2j+1}(k) = \pi_{2j+1}(k) \in I'_L$) by a (freshly obtained) re-encryption of $y'[\pi_{2j+1}(k)]$.

This vector $y'''$ is output as the resulting ciphertexts of the second mixing step of $M_j$. In addition, $R$ commits to $\pi_{2j+1}$ (note that this commitment may be wrong if the used permutation was $\tilde\pi_{2j+1}$).

We can now see that, if the event $I_L$ holds true, which implies that no index required in the audit phase for $M_j$ to be opened to the right is mapped via $\pi_1^*$ to $I_L$, then $R$ can easily output the required proofs of correct re-encryption, as it was $R$ who generated the re-encryptions. Otherwise, $R$ does not output the required ZK proofs (this is, however, not important for the property we prove).

Let us observe that, altogether, $R$, for the second mixing step of $M_j$, outputs a re-encryption of $\pi_{2j+1}\{y'\}$ if the challenge bit of the re-encryption oracle is 0, or a re-encryption of $\tilde\pi_{2j+1}\{y'\}$ if this bit is 1. Jumping ahead, the whole system, again depending on the bit $b$, uses the permutation $\pi^* = \pi_2^* \circ \pi_{2j+1} \circ \pi_1^*$ or $\tilde\pi^* = \pi_2^* \circ \tilde\pi_{2j+1} \circ \pi_1^*$, with $\pi_2^*$ being the composition of all the permutations applied after the second mixing step of $M_j$. Let us also observe that $\tilde\rho$ is constructed in such a way that $\tilde\pi^*(i) = \rho^{-1}(\pi^*(i))$ and therefore $\pi^*\{x_0\} = \tilde\pi^*\{x_1\}$ (that is, $x_0[\pi^*(i)] = x_1[\tilde\pi^*(i)]$).
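The permutation algebra of Step R6, and the composition convention introduced with Lemma 3 ($(f \circ g)(x) = g(f(x))$, $\pi\{x\}[i] = x[\pi(i)]$, and the claim that the mixed output equals $\pi^*\{x\}$), can be checked mechanically. The following Python is an added worked example and not code from the paper: it builds $\pi_1^*$, $\pi_2^*$, $\tilde\rho$, $\tilde\pi_{2j+1}$, $\pi^*$ and $\tilde\pi^*$ exactly as the text defines them on a constructed mix net of three servers with honest server $M_1$, a constructed $I_L$, and constructed plaintext vectors $x_0$, $x_1$, and then verifies that $\pi^*\{x_0\} = \tilde\pi^*\{x_1\}$, that $\tilde\pi^*(i) = \rho^{-1}(\pi^*(i))$, and that $\pi_{2j+1}^{-1}$ and $\tilde\pi_{2j+1}^{-1}$ agree on $I'_L$. All function names, the mix-net size and every vector are this example's own assumptions; no encryption is modelled, only the index bookkeeping.

```python
from typing import Dict, List, Sequence

Perm = List[int]  # perm[i] is the image of index i


def compose(*perms: Perm) -> Perm:
    """Paper's convention: compose(f, g, h)(i) == h(g(f(i))), leftmost first."""
    out = []
    for i in range(len(perms[0])):
        x = i
        for p in perms:
            x = p[x]
        out.append(x)
    return out


def inverse(p: Perm) -> Perm:
    inv = [0] * len(p)
    for i, img in enumerate(p):
        inv[img] = i
    return inv


def shuffle(p: Perm, x: Sequence) -> list:
    """pi{x}: the vector v with v[i] = x[pi(i)]."""
    return [x[p[i]] for i in range(len(x))]


def mix(perms: Sequence[Perm], x: Sequence) -> list:
    """Push x through mixing steps pi_0, pi_1, ... in order, each step
    producing y[i] = input[pi_k(i)].  The text's observation is that the
    result equals pi*{x} for pi* = pi_last o ... o pi_0 (checked in r6_check)."""
    y = list(x)
    for p in perms:
        y = shuffle(p, y)
    return y


def r6_check(x0, x1, il, perms, j, rho) -> Dict:
    """Rebuild the permutations of Step R6 for honest server M_j and report
    whether pi*{x0} == pi~*{x1}.  rho must satisfy x1[i] = x0[rho(i)] and
    fix every index outside il."""
    n = len(x0)
    if shuffle(rho, x0) != x1 or any(rho[i] != i for i in range(n) if i not in il):
        raise ValueError("rho does not map x1 to x0 while fixing indices outside I_L")
    second = perms[2 * j + 1]                             # pi_{2j+1}: M_j's second step
    pi1_star = compose(*reversed(perms[: 2 * j + 1]))    # pi_{2j} o ... o pi_0
    later = perms[2 * j + 2:]
    pi2_star = compose(*reversed(later)) if later else list(range(n))
    rho_inv = inverse(rho)
    rho_tilde = compose(pi1_star, rho_inv, inverse(pi1_star))
    second_tilde = compose(second, rho_tilde)            # pi~_{2j+1} = pi_{2j+1} o rho~
    pi_star = compose(pi2_star, second, pi1_star)
    pi_tilde_star = compose(pi2_star, second_tilde, pi1_star)
    # I'_L: positions at the input of M_j's second step that do not map into I_L
    il_prime = [i for i in range(n) if pi1_star[i] not in il]
    inv_second, inv_tilde = inverse(second), inverse(second_tilde)
    return {
        "pi_star": pi_star,
        "pi_tilde_star": pi_tilde_star,
        "rho_tilde": rho_tilde,
        "I_L_prime": il_prime,
        # pi_{2j+1}^{-1}(i) == pi~_{2j+1}^{-1}(i) for every i in I'_L
        "inverses_agree_outside_IL": all(inv_second[i] == inv_tilde[i] for i in il_prime),
        # pi~*(i) == rho^{-1}(pi*(i))
        "tilde_is_rho_inv_of_star": all(pi_tilde_star[i] == rho_inv[pi_star[i]] for i in range(n)),
        # positions k of y'' that R replaces by a fresh re-encryption of y'[pi_{2j+1}(k)]
        "fresh_reencryption_positions": [k for k in range(n) if second[k] in il_prime],
        "mix_matches_pi_star": mix(perms, x0) == shuffle(pi_star, x0),
        "output_from_x0": shuffle(pi_star, x0),
        "output_from_x1": shuffle(pi_tilde_star, x1),
    }


# Constructed data: three mix servers (mixing steps pi_0 .. pi_5), honest
# server M_1 (steps pi_2, pi_3), I_L = {1, 3, 4}; x1 is x0 with its entries
# at positions 1, 3, 4 cyclically moved (same multiset, as the text requires).
PERMS = [[2, 0, 5, 1, 3, 4], [4, 2, 0, 5, 1, 3], [1, 5, 3, 0, 4, 2],
         [3, 1, 4, 2, 5, 0], [5, 3, 1, 4, 0, 2], [0, 4, 2, 1, 5, 3]]
J = 1
IL = {1, 3, 4}
X0 = ["v0", "v1", "v2", "v3", "v4", "v5"]
RHO = [0, 3, 2, 4, 1, 5]        # x1[i] = x0[rho(i)]; identity outside I_L
X1 = shuffle(RHO, X0)           # ["v0", "v3", "v2", "v4", "v1", "v5"]


def r6_demo() -> Dict:
    return r6_check(X0, X1, IL, PERMS, J, RHO)


if __name__ == "__main__":
    for key, val in r6_demo().items():
        print(f"{key}: {val}")
```

Running the module prints the two shuffled outputs, which coincide even though $x_0 \neq x_1$ and $\pi^* \neq \tilde\pi^*$; this is the equality the proof relies on when it identifies the output of $\tilde S_1^{C_{enc}(0)}$ with that of $R^{C_{re}(1)}$. The `fresh_reencryption_positions` entry lists the positions $k$ with $\pi_{2j+1}(k) \in I'_L$, exactly those whose re-encryption $R$ obtains independently of the oracle's challenge bit, so the oracle's answer only ever matters at positions that map into $I_L$.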

R7. $R$ simulates the decryption step, similarly to S7, to produce $\pi^*\{x_0\}$.

Note that in the system $T$ the extraction of permutations succeeds (that is, produces some permutation) with overwhelming probability. This property carries over through all the systems, to the system $R$, as it is easily checkable by each simulator. Therefore all the operations in the above definition are well defined with overwhelming probability.

One can see that, by construction of $R$ and $S$,

$$\Pr[S_0^{C_{enc}(0)} \mapsto 1] = \Pr[R^{C_{re}(0)} \mapsto 1]. \quad (23)$$

(It is in fact easy to construct a bijection between the runs in the two events, and hence, the probabilities are equal.)

Let $\tilde S_1$ be the system that works as $S_1$, but when it simulates the second mixing step of the honest mix server $M_j$, it uses the permutation $\tilde\pi_{2j+1}$, as defined in Step R6, and it also commits to this permutation. Because $\tilde\pi_{2j+1}$ has the same distribution as a random permutation, we immediately have that

$$\Pr[S_1^{C_{enc}(0)} \mapsto 1] = \Pr[\tilde S_1^{C_{enc}(0)} \mapsto 1]. \quad (24)$$

Let $\tilde R$ be the system that works as $R$ but instead of committing to the permutation $\pi_{2j+1}$, it commits to $\tilde\pi_{2j+1}$. Using our assumption that the commitment scheme is perfectly hiding (recall that, for runs in $I_L$, $R$/$\tilde R$ is not required to open commitments which are wrong), it easily follows that

$$\Pr[\tilde R^{C_{re}(1)} \mapsto 1] = \Pr[R^{C_{re}(1)} \mapsto 1]. \quad (25)$$

Now, using the observation we have already made, namely that $\tilde\pi^*\{x_1\}$ (the output of the system $\tilde S_1^{C_{enc}(0)}$) is the same as $\pi^*\{x_0\}$ (the output of $R^{C_{re}(1)}$, and hence, $\tilde R^{C_{re}(1)}$), we have

$$\Pr[\tilde S_1^{C_{enc}(0)} \mapsto 1] = \Pr[\tilde R^{C_{re}(1)} \mapsto 1]. \quad (26)$$

Therefore, we obtain

$$\Pr[S_1^{C_{enc}(0)} \mapsto 1] = \Pr[R^{C_{re}(1)} \mapsto 1]. \quad (27)$$

Finally, by the hiding property of re-encryption, we have

$$\Pr[R^{C_{re}(0)} \mapsto 1] =_{\mathrm{neg}} \Pr[R^{C_{re}(1)} \mapsto 1], \quad (28)$$
