
In this section, we provide the proof of security. The proof is nearly identical to that in Section 4, generalised with EvalPK and EvalCT.

Theorem 6.2. Let NLinFE and CNG be instantiated as described in Section 6.4. Assume the noisy linear FE scheme NLinFE satisfies semi-adaptive indistinguishability based security as in Definition 3.4 and that $G$ is a secure CNG as defined in Definition 5.1. Then, the construction FeNC1 achieves semi-adaptive indistinguishability based security in the single key game described in Definition 2.4.

Proof. We will prove the theorem via a sequence of hybrids, where the first hybrid is the real world with challenge $x_0$ and the last hybrid is the real world with challenge $x_1$.

The Hybrids. Our Hybrids are described below.

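Hybrid 0. This is the real world with message $x_0$. In hybrid 0, the element $\mathsf{key}_f$ in the FeNC1.KeyGen procedure is picked as follows: sample $t_0, \ldots, t_{L_d} \leftarrow R_{p_1}$ and denote $\mathbf{t} = (t_0, \ldots, t_{L_d})$. Let

$$\mathsf{key}_f = \langle \mathsf{Lin}_f, \mathbf{t} \rangle - G_f(\beta)$$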

Hybrid 1. In this hybrid, the only thing that is different is that the challenger picks $\mathsf{key}_f$ to depend on the challenge ciphertext. In more detail,

1. Sample $t_0, \ldots, t_{L_d} \leftarrow R_{p_{d-1}}$ and compute $G_f(\beta)$ as in Hybrid 0. Denote $\mathbf{t} = (t_0, \ldots, t_{L_d})$.

2. Set

$$\mathsf{key}_f = f(x) - \mathsf{Poly}_f(C^1, \ldots, C^{d-1}) - \langle \mathsf{Lin}_f, \mathbf{t} \rangle - G_f(\beta)$$

Hybrid 2. In this hybrid, we change the input for NLinFE.Enc to $(t_0, t_1, \ldots, t_{L_d}, 1)$ where $t_i$ for $i \in [L_d]$ are chosen as in Hybrid 1.

Hybrid 3. In this hybrid, we change the message vector in $\bigcup_{k \in [d-1]} C^k$ to $x_1$.

Hybrids 4 and 5. In Hybrid 4 we change the input to NLinFE.Enc to $(M^d)$ as in Hybrid 1. In Hybrid 5, we change $\mathsf{key}_f$ to be chosen independent of the ciphertext as in Hybrid 0. This is the real world with message $x_1$.

Indistinguishability of Hybrids.

Lemma 6.3. Hybrid 0 and Hybrid 1 are indistinguishable by the security of CNG.

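Proof. In Hybrid 0, we set

$$\mathsf{key}_{f_i} = \langle \mathsf{Lin}_{f_i}, \mathbf{t} \rangle - G_{f_i}(\beta), \quad \forall i \in [\ell]$$

In Hybrid 1, we set

$$\mathsf{key}_{f_i} = f_i(x) - \mathsf{Poly}_{f_i}(C^1, \ldots, C^{d-1}) - \langle \mathsf{Lin}_{f_i}, \mathbf{t} \rangle - G_{f_i}(\beta)$$

We have by Theorem 6.1 that

$$\langle \mathsf{Lin}_{f_i}, M^d \rangle + \mathsf{Poly}_{f_i}(C^1, \ldots, C^{d-1}) = f_i(x) + \mu_{f_i(x)}$$

Hence,

$$f_i(x) - \mathsf{Poly}_{f_i}(C^1, \ldots, C^{d-1}) = \langle \mathsf{Lin}_{f_i}, M^d \rangle - \mu_{f_i(x)}$$

Hence, we have in Hybrid 1,

$$\begin{aligned}
\mathsf{key}_{f_i} &= \langle \mathsf{Lin}_{f_i}, M^d \rangle - \mu_{f_i(x)} - \langle \mathsf{Lin}_{f_i}, \mathbf{t} \rangle - G_{f_i}(\beta) \\
&= \langle \mathsf{Lin}_{f_i}, M^d - \mathbf{t} \rangle - \big(\mu_{f_i(x)} + G_{f_i}(\beta)\big) \\
&= \langle \mathsf{Lin}_{f_i}, \mathbf{t}' \rangle - \big(\mu_{f_i(x)} + G_{f_i}(\beta)\big)
\end{aligned}$$

Above we set $\mathbf{t}' = M^d - \mathbf{t}$. Since $\mathbf{t}$ is chosen randomly, we have that $\mathbf{t}'$ is distributed uniformly over $R_{p_{d-1}}$.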

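Next, we claim for CNG instantiated as in Section 6.4, we have $\mu_{f_i(x)} + G_{f_i}(\beta) \stackrel{c}{\approx} G_{f_i}(\beta)$ by the security of CNG. Formally, given an adversary $\mathsf{Adv}$ who distinguishes between Hybrid 0 and 1, we construct an adversary $\mathsf{Adv}_{\mathsf{CNG}}$ against CNG as follows:

1. $\mathsf{Adv}_{\mathsf{CNG}}$ expresses $\mu_{f_i(x)} = \hat{f}_i\big(M^1, \mathsf{Nse}(C^1), \ldots, M^d, \mathsf{Nse}(C^d)\big)$ as described in Section 6.4 for all $i \in [\ell]$ (corresponding to $\ell$ output bits) and sends $(\hat{f}_i, \mu_{f_i(x)})$ to the CNG challenger.

2. The CNG challenger chooses CNG $G_{f_i}$ for $i \in [\ell]$ and seed $\beta \leftarrow D^{n}_{\mathsf{seed}}$, a random bit $b$ and returns $z_i = G_{f_i}(\beta)$ if $b = 0$ and $z_i = G_{f_i}(\beta) + \mu_{f_i(x)}$ if $b = 1$.

3. $\mathsf{Adv}_{\mathsf{CNG}}$ computes $\mathsf{key}_{f_i} = \langle \mathsf{Lin}_{f_i}, \mathbf{t}' \rangle - z_i$. It computes all other elements as in Hybrid 0 and returns this to $\mathsf{Adv}$.

4. It outputs whatever $\mathsf{Adv}$ outputs.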

Note that the reduction $\mathsf{Adv}_{\mathsf{CNG}}$ is a valid adversary against the CNG. Additionally, if $b = 0$, we are in Hybrid 0, else in Hybrid 1, hence the advantage of $\mathsf{Adv}_{\mathsf{CNG}}$ translates to an advantage of $\mathsf{Adv}$.

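Indistinguishability of remaining Hybrids is exactly as in Section 4.3. In more detail, Hybrid 1 and Hybrid 2 are indistinguishable by the security of NLinFE because the challenge decryption in both Hybrids is equal up to an additive error with the appropriate distribution. To see this, note that in Hybrid 1, NLinFE decryption gives:

and in Hybrid 2, NLinFE decryption gives:

$$\begin{aligned}
\langle \mathsf{Lin}_f, \mathbf{t} \rangle + \mathsf{key}_f &= \langle \mathsf{Lin}_f, \mathbf{t} \rangle + \big(f(x) - \mathsf{Poly}_f(C^1, \ldots, C^{d-1}) - \langle \mathsf{Lin}_f, \mathbf{t} \rangle - G_f(\beta)\big) \\
&= f(x) - \mathsf{Poly}_f(C^1, \ldots, C^{d-1}) - G_f(\beta) \\
&= \langle \mathsf{Lin}_f, M^d \rangle - \mu_{f(x)} - G_f(\beta) \quad \text{by Theorem 6.1} \\
&= \langle \mathsf{Lin}_f, M^d \rangle - \big(\mu_{f(x)} + G_f(\beta)\big)
\end{aligned}$$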

Thus, the challenge message evaluation on the requested key differs by an additive term of

$$\mu_{f(x)} + G_f(\beta) \tag{6.5}$$

which, for our choice of parameters (see Section 6.4) and by guarantee of NLinFE implies indistinguishability of NLinFE ciphertexts in Hybrids 1 and 2. The formal reduction is exactly as in Claim 4.4.
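The key bookkeeping in Lemma 6.3 and the Hybrid 2 decryption identity above can be checked numerically. The following Python check is an added example, not code from the paper: it assumes a toy prime field in place of $R_{p_{d-1}}$, a uniformly random value as a stand-in for $G_f(\beta)$, and constructed sample values chosen to satisfy the Theorem 6.1 relation. It verifies only the algebra, not any security property.

```python
import secrets

P = 2**61 - 1   # toy prime modulus standing in for R_{p_{d-1}} (assumption)
N = 8           # toy vector length standing in for L_d + 1 (assumption)

def rand_vec(n=N):
    return [secrets.randbelow(P) for _ in range(n)]

def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % P

def make_instance():
    """Constructed sample values. Poly is defined from the other terms so that
    <Lin, M^d> + Poly = f(x) + mu holds (the Theorem 6.1 relation)."""
    lin, m_d, t = rand_vec(), rand_vec(), rand_vec()
    f_x = secrets.randbelow(2)        # one output bit
    mu = secrets.randbelow(1 << 10)   # small noise term mu_{f(x)}
    g = secrets.randbelow(P)          # stand-in for G_f(beta); not a real CNG
    poly = (f_x + mu - inner(lin, m_d)) % P
    return dict(lin=lin, m_d=m_d, t=t, f_x=f_x, mu=mu, g=g, poly=poly)

def key_hybrid0(inst, t):
    return (inner(inst["lin"], t) - inst["g"]) % P

def key_hybrid1(inst):
    return (inst["f_x"] - inst["poly"] - inner(inst["lin"], inst["t"]) - inst["g"]) % P

def key_reduction(inst, b):
    """Key built by Adv_CNG: <Lin, t'> - z, with t' = M^d - t and
    z = G(beta) if b == 0, else G(beta) + mu."""
    z = (inst["g"] + b * inst["mu"]) % P
    t_prime = [(m - t) % P for m, t in zip(inst["m_d"], inst["t"])]
    return (inner(inst["lin"], t_prime) - z) % P, t_prime

def decrypt_hybrid2(inst):
    # NLinFE decryption when the encrypted vector is t: <Lin, t> + key_f
    return (inner(inst["lin"], inst["t"]) + key_hybrid1(inst)) % P

def check(trials=200):
    for _ in range(trials):
        inst = make_instance()
        k1, t_prime = key_reduction(inst, 1)
        k0, _ = key_reduction(inst, 0)
        assert k1 == key_hybrid1(inst)            # b = 1 reproduces Hybrid 1
        assert k0 == key_hybrid0(inst, t_prime)   # b = 0 is Hybrid 0 with t'
        want = (inner(inst["lin"], inst["m_d"]) - (inst["mu"] + inst["g"])) % P
        assert decrypt_hybrid2(inst) == want      # additive term mu + G
    return True
```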

Indistinguishability of Hybrids 2 and 3 follows exactly as in Claim 4.5. Intuitively, now that the NLinFE message is independent of the encodings $\bigcup_{k \in [d-1]} C^k$, we may switch the message in the encodings to $x_1$ by the semantic security of Regev encodings. Note that decryption still works correctly because the term $\mathsf{key}_{f_i}$ for $i \in [\ell]$ in the functional key compensates for the NLinFE message, exactly as in Section 4.3.
