
Proof that Obfuscation-Based Homomorphic Ad Hoc

Secure

Notation. In our sequence of games, we use $c^* = (\mathsf{nonce}^*, e^*, \sigma^*)$ to denote the challenge ciphertext. In particular, $\mathsf{nonce}^*$ denotes the value to which the PPRF is applied in order to generate the mask $w^*$, and $e^*$ denotes the "one-time pad" encryption of the challenge message with the generated mask ($e^* = (m^* + w^*) \bmod p$).

We use $\vec{pv}$ to denote a vector of public values. $\vec{pv}$ is always assumed to be ordered lexicographically (that is, all programs implicitly reject vectors of public values that are out of order).

Proof. We show a sequence of indistinguishable games between a super-static semantic security challenger Chal and an adversary $\mathcal{A}$. The sequence starts with $\mathsf{EXP}(\mathcal{A}, \lambda, n, t, R)$ from Definition 10 (that is, a challenger who always uses $b = R$), and ends with $\mathsf{EXP}(\mathcal{A}, \lambda, n, t, L)$ (that is, a challenger who always uses $b = L$). We summarize this sequence of games in Figure 16. Instead of showing all of the games, we show that the first game is indistinguishable from a game where the challenge ciphertext encrypts a random message; to get to the last game, the shown sequence of games is reversed with $m_L$ instead of $m_R$.

For the sake of simplicity, we assume that the number of corrupt challenge ciphertext recipients $|R^* \cap C|$ is always $t$; security in this case trivially implies security for smaller $R^* \cap C$.

Game 4 This is $\mathsf{EXP}(\mathcal{A}, \lambda, n, t, R)$ as described in Definition 13 and Figure 13.

Game 5 In this game, when creating the sender's public key (specifically, the sender's signature verification key $SIG.pk$), the challenger Chal generates a constrained verification key instead of a regular one. The constraint is designed to ensure that the challenge nonce $\mathsf{nonce}^*$ on which the PPRFs are called can only ever be associated with the challenge recipient set. That is, the challenger picks $\mathsf{nonce}^*$ at random when generating the sender public key, and sets the signature constraint to be

$$
C(\vec{pv}, \mathsf{nonce}) =
\begin{cases}
0, & \text{if } \mathsf{nonce} = \mathsf{nonce}^* \text{ and } \vec{pv} \neq \{pv_i\}_{i \in R^*} \\
1, & \text{otherwise}
\end{cases}
$$

When computing the challenge ciphertext $c^*$, Chal uses the nonce $\mathsf{nonce}^*$. Game 5 is indistinguishable from Game 4 by the security of constrained signatures. Since the challenger chooses each new nonce at random, and with overwhelming probability will never sign anything not satisfying the constraint (since no nonce other than the challenge nonce will be equal to $\mathsf{nonce}^*$), if the adversary can distinguish Game 5 from Game 4, then the challenger can use that adversary to distinguish between a constrained and an unconstrained public verification key.

Game 6.i for $i \in [1, \ldots, n-t]$

In this game, when choosing the $i$th honest party's public value $pv$, the challenger chooses it at random from $\{0,1\}^{2\lambda}$, so that with overwhelming probability it has no preimages relative to the pseudorandom generator PRG. Game 6.1 is indistinguishable from Game 5, and Game 6.i is indistinguishable from Game 6.(i−1) for $i \in [2, \ldots, n-t]$, by the security of pseudorandom generators.

We let Game 6 denote Game 6.(n−t).

Game 7 In this game, the challenger Chal changes the way encryption takes place in the obfuscated program, as shown in Algorithm 2. In particular, instead of computing $[m]_{idx} = (m + \sum_{j \in [1,\ldots,t]} coef_j \cdot idx^j) \bmod p$, the program now computes $[-w]_{idx} = (-w + \sum_{j \in [1,\ldots,t]} coef_j \cdot idx^j) \bmod p$, followed by $[m]_{idx} = ([-w]_{idx} + e) \bmod p$. Note that this gives the exact same share as computing $[m]_{idx}$ directly; in fact, the only reason we did not use these instructions explicitly to begin with is clarity.

Algorithm 2 $f^{\mathsf{Game7}}_{k_{Dec},\, k_{Share},\, SIG.pk}(\vec{pv}, idx, sv, c)$

if ($\vec{pv}[idx] = PRG(sv)$) and ($SIG.Verify(SIG.pk, (\vec{pv}, \mathsf{nonce}), \sigma)$) then
    $w \leftarrow PPRF_{k_{Dec}}(\mathsf{nonce})$
    $m = (e - w) \bmod p$
    for $j \in [1, \ldots, t]$ do
        $coef_j = PPRF_{k_{Share,j}}(\mathsf{nonce})$
    $[-w]_{idx} = (-w + \sum_{j \in [1,\ldots,t]} coef_j \cdot idx^j) \bmod p$ {This gives the $idx$th Shamir share of $-w$}
    $[m]_{idx} = ([-w]_{idx} + e) \bmod p$ {This gives the $idx$th Shamir share of $m$}
    return $[m]_{idx}$

Game 7 is indistinguishable from Game 6 by the security of indistinguishability obfuscation; the programs have identical input-output behavior.

Game 8 In this game, when creating the sender's public key (specifically, the obfuscated program), the challenger Chal punctures the PPRF keys $k_{Dec}$ and $k_{Share,j}$ for all $j \in [1, \ldots, t]$ at $\mathsf{nonce}^*$. To preserve the input-output behavior of the program, Chal computes $w^* = PPRF_{k_{Dec}}(\mathsf{nonce}^*)$ and $coef^*_j = PPRF_{k_{Share,j}}(\mathsf{nonce}^*)$ for $j \in [1, \ldots, t]$, and modifies the program to set $w = w^*$ and $coef_j = coef^*_j$ when $\mathsf{nonce} = \mathsf{nonce}^*$, as shown in Algorithm 3.

Algorithm 3 $f^{\mathsf{Game8}}_{k_{Dec}\{\mathsf{nonce}^*\},\, k_{Share}\{\mathsf{nonce}^*\},\, SIG.pk,\, \mathsf{nonce}^*,\, w^*,\, coef^*_1, \ldots, coef^*_t}(\vec{pv}, idx, sv, c)$

if ($\vec{pv}[idx] = PRG(sv)$) and ($SIG.Verify(SIG.pk, (\vec{pv}, \mathsf{nonce}), \sigma)$) then
    if $\mathsf{nonce} = \mathsf{nonce}^*$ then
        $w = w^*$
        for $j \in [1, \ldots, t]$ do
            $coef_j = coef^*_j$
    else
        $w \leftarrow PPRF_{k_{Dec}}(\mathsf{nonce})$
        for $j \in [1, \ldots, t]$ do
            $coef_j = PPRF_{k_{Share,j}}(\mathsf{nonce})$
    $[-w]_{idx} = (-w + \sum_{j \in [1,\ldots,t]} coef_j \cdot idx^j) \bmod p$ {This gives the $idx$th Shamir share of $-w$}
    $[m]_{idx} = ([-w]_{idx} + e) \bmod p$ {This gives the $idx$th Shamir share of $m$}
    return $[m]_{idx}$

Game 8 is indistinguishable from Game 7 by the security of indistinguishability obfuscation; the programs have identical input-output behavior.

Game 9.j for $j \in [1, \ldots, t]$

In this game, the challenger Chal chooses $coef^*_j$ truly at random.

Game 9.1 is indistinguishable from Game 8, and Game 9.j is indistinguishable from Game 9.(j−1) for $j \in [2, \ldots, t]$, by the security of puncturable PRFs.

We let Game 9 denote Game 9.t.

Game 10 In this game, the challenger Chal chooses $w^*$ truly at random. Chal also computes the one-time pad component of the challenge ciphertext $e^*$ as $e^* = (m_R + w^*) \bmod p$.

Game 10 is indistinguishable from Game 9 by the security of puncturable PRFs.

Game 11 In this game, the challenger Chal modifies the obfuscated program to hardcode the secret shares $\{[-w^*]_{idx}\}_{idx \in [n]}$ for the challenge ciphertext, instead of $w^*$ and $coef^*_1, \ldots, coef^*_t$, as described in Algorithm 4. To preserve the input-output behavior of the program, Chal computes the shares $\{[-w^*]_{idx}\}_{idx \in [n]}$ exactly as they would have been computed in Algorithm 3.

Algorithm 4 $f^{\mathsf{Game11}}_{k_{Dec}\{\mathsf{nonce}^*\},\, k_{Share}\{\mathsf{nonce}^*\},\, SIG.pk,\, [-w^*]_1, \ldots, [-w^*]_n}(\vec{pv}, idx, sv, c)$

if ($\vec{pv}[idx] = PRG(sv)$) and ($SIG.Verify(SIG.pk, (\vec{pv}, \mathsf{nonce}), \sigma)$) then
    if $\mathsf{nonce} = \mathsf{nonce}^*$ then
        $[-w]_{idx} = [-w^*]_{idx}$
    else
        $w \leftarrow PPRF_{k_{Dec}}(\mathsf{nonce})$
        for $j \in [1, \ldots, t]$ do
            $coef_j = PPRF_{k_{Share,j}}(\mathsf{nonce})$
        $[-w]_{idx} = (-w + \sum_{j \in [1,\ldots,t]} coef_j \cdot idx^j) \bmod p$ {This gives the $idx$th Shamir share of $-w$}
    $[m]_{idx} = ([-w]_{idx} + e) \bmod p$ {This gives the $idx$th Shamir share of $m$}
    return $[m]_{idx}$

Game 11 is indistinguishable from Game 10 by the security of indistinguishability obfuscation; the programs have identical input-output behavior.

Game 12 In this game, the challenger Chal picks $\{[-w^*]_{idx}\}_{idx \in [n]}$ at random.

Game 12 is indistinguishable from Game 11 by the security of indistinguishability obfuscation.

– On nonce $\mathsf{nonce} \neq \mathsf{nonce}^*$, the program behavior is unchanged.

– We guarantee that the program returns nothing in both games for $\mathsf{nonce}^*$ and $\vec{pv} \neq \{pv_i\}_{i \in R^*}$, since no signatures exist on $(\vec{pv}, \mathsf{nonce}^*)$ for $\vec{pv} \neq \{pv_i\}_{i \in R^*}$.

– We guarantee that the program returns nothing in both games on $\mathsf{nonce}^*$ and indices $idx$ corresponding to honest $pv_i$, $i \in R^* \setminus C$, since no values $sv$ exist such that $pv_i = PRG(sv)$ for honest parties $i$.

– Finally, consider $\mathsf{nonce}^*$ and corrupt $pv_i$ ($i \in R^* \cap C$). Let $[idx_1, \ldots, idx_t]$ be the indices in the lexicographic ordering of $\{pv_i\}_{i \in R^*}$ corresponding to corrupt $pv_i$, and let

$$
A =
\begin{pmatrix}
idx_1^t & idx_1^{t-1} & \cdots & idx_1^2 & idx_1 \\
idx_2^t & idx_2^{t-1} & \cdots & idx_2^2 & idx_2 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
idx_{t-1}^t & idx_{t-1}^{t-1} & \cdots & idx_{t-1}^2 & idx_{t-1} \\
idx_t^t & idx_t^{t-1} & \cdots & idx_t^2 & idx_t
\end{pmatrix}.
$$

Previously, the shares of $-w^*$ were computed as follows:

$$
\begin{pmatrix}
[-w^*]_{idx_1} \\ [-w^*]_{idx_2} \\ \vdots \\ [-w^*]_{idx_{t-1}} \\ [-w^*]_{idx_t}
\end{pmatrix}
= A
\begin{pmatrix}
coef^*_t \\ coef^*_{t-1} \\ \vdots \\ coef^*_2 \\ coef^*_1
\end{pmatrix}
+
\begin{pmatrix}
-w^* \\ -w^* \\ \vdots \\ -w^* \\ -w^*
\end{pmatrix}
$$

Choosing the coefficients as well as $w^*$ at random and computing the shares of $-w^*$ as above is equivalent to choosing the shares of $-w^*$ as well as $w^*$ at random and computing the coefficients as $A^{-1}$ times the
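To make the two algebraic facts used above concrete, here is an added Python example that is not part of the paper: it checks that the Game 7 rewrite ($[m]_{idx} = [-w]_{idx} + e$) yields the same share as sharing $m$ directly, and that, as argued for Game 12, $t$ random shares of $-w^*$ at the corrupt indices together with $w^*$ determine the coefficients uniquely via $A^{-1}$. The prime, the corrupt indices and all values are constructed.

```python
import secrets

P = 2**61 - 1  # constructed Mersenne prime standing in for the paper's p

def share_direct(m, coefs, idx):
    """[m]_idx = (m + sum_j coef_j * idx^j) mod p, the original sharing."""
    return (m + sum(c * pow(idx, j, P) for j, c in enumerate(coefs, 1))) % P

def share_via_mask(e, w, coefs, idx):
    """Game 7 rewrite: share -w first, then add the one-time pad value e."""
    return (share_direct((-w) % P, coefs, idx) + e) % P

def vandermonde(idxs):
    """Matrix A of Game 12: row i is (idx_i^t, idx_i^(t-1), ..., idx_i)."""
    t = len(idxs)
    return [[pow(i, t - j, P) for j in range(t)] for i in idxs]

def solve_mod_p(A, b):
    """Gauss-Jordan elimination over Z_p; returns x with A x = b."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], P - 2, P)
        M[col] = [v * inv % P for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * p) % P for a, p in zip(M[r], M[col])]
    return [row[n] for row in M]

def coefs_from_corrupt_shares(shares, idxs, w):
    """Game 12 argument: t random shares of -w* plus w* fix the coefficients
    uniquely, namely A^{-1} applied to (shares minus the -w* column)."""
    x = solve_mod_p(vandermonde(idxs), [(s + w) % P for s in shares])
    return x[::-1]  # x is (coef_t, ..., coef_1); return (coef_1, ..., coef_t)

def demo(t=3, corrupt=(2, 5, 7)):
    """Returns (shares agree, coefficients recovered from corrupt shares)."""
    m, w = 12345, secrets.randbelow(P)
    e = (m + w) % P  # e* = (m* + w*) mod p
    coefs = [secrets.randbelow(P) for _ in range(t)]
    same = all(share_direct(m, coefs, i) == share_via_mask(e, w, coefs, i)
               for i in range(1, 8))
    neg_w_shares = [share_direct((-w) % P, coefs, i) for i in corrupt]
    return same, coefs_from_corrupt_shares(neg_w_shares, list(corrupt), w) == coefs
```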

Game 13 In this game, the challenger switches to using a random message $m^*$. Game 13 is indistinguishable from Game 12 because the distributions do not change at all; $e^*$ is still uniformly random, and the obfuscated program, which no longer contains any information about $w^*$, is unaffected.

The rest of the games are what we did before, but in reverse, with $m_L$ instead of $m_R$.

| Game | Justification | SIG.pk | Honest $pv_i$ | Obfuscated program | $c^*$ | $m^*$ |
|---|---|---|---|---|---|---|
| 4 | | real | real | real | real | $m_R$ |
| 5 | Constrained signatures | constrained to only verify on $(\vec{pv}, \mathsf{nonce}^*)$ when $\vec{pv} = \{pv_j\}_{j \in R^*}$ | | | | |
| 6 | PRG | | no matching secrets | | | |
| 7 | iO | | | semantic changes | | |
| 8 | iO | | | puncture $k_{Dec}$ and $k_{Share}$ at $\mathsf{nonce}^*$; hardcode correct values $w^*$ and $\{coef^*_j\}_{j \in [1,\ldots,t]}$ | | |
| 9 | PPRF | | | hardcode random $\{coef^*_j\}_{j \in [1,\ldots,t]}$ | | |
| 10 | PPRF | | | hardcode random mask $w^*$ | compute $e^*$ using the random mask | |
| 11 | iO | | | hardcode shares of $-w^*$ instead of $w^*$ and $\{coef^*_j\}_{j \in [1,\ldots,t]}$ | | |
| 12 | iO | | | hardcode random values as shares of $-w^*$ | | |
| 13 | identical distributions | | | | | random |

Fig. 15: Summary of Hybrids in Proof of Theorem 4

F.2 Proof that Obfuscation-Based Homomorphic Ad Hoc Threshold Encryption Share-and-Encrypt is Super-Partial Decryption Simulatable

SimPartDec is simply the Shamir secret sharing SimShares algorithm. An adversary who distinguishes such simulated shares from real shares can be used to break the super-static semantic security of the scheme.

G Additively Server-Aided Homomorphic Obfuscation-Based HATE

In this appendix, we describe the additively server-aided homomorphic obfuscation-based HATE scheme. The program each sender must obfuscate and include in their public key is described in Algorithm 5. The obfuscation-based HATE is described in Construction 5.

Algorithm 5 $f_{k_{Dec},\, k_{Share},\, k_{Enc},\, SIG.pk}(\vec{pk} = \{EG.pk_j\}_{j \in R}, idx, c)$

The following values are hardcoded in the program:

– $params = (\lambda, params_{EG}, t)$, where
  • $\lambda$ is the security parameter,
  • $params_{EG} = (G, p, g)$ consists of a $p$-order group $G$ with generator $g$ (where $p$ is a large prime and the range of the puncturable pseudorandom function PPRF is in $\mathbb{Z}_p$), and
  • $t$ is the threshold
– A secret PPRF key $k_{Dec}$ that is used to recover the message from the ciphertext $c$
– Secret PPRF keys $k_{Share} = (k_{Share,1}, \ldots, k_{Share,t})$ that are used to produce randomness for sharing the message
– Secret PPRF keys $k_{Enc} = (k_{Enc,1}, \ldots, k_{Enc,n})$ that are used to produce randomness for encrypting the shares
– A signature verification key $SIG.pk$

The following values are expected as input:

– public encryption keys $\vec{pk} = \{EG.pk_j\}_{j \in R}$
– an index $idx$
– ciphertext $c = (\mathsf{nonce}, e, \sigma)$

if $SIG.Verify(SIG.pk_{Sndr}, (\vec{pk}, \mathsf{nonce}), \sigma)$ then
    $w \leftarrow PPRF_{k_{Dec}}(\mathsf{nonce})$
    $m = (e - w) \bmod p$
    for $j \in [1, \ldots, t]$ do
        $coef_j = PPRF_{k_{Share,j}}(\mathsf{nonce})$
    $[m]_{idx} = g^{(\sum_{j \in [1,\ldots,t]} coef_j \cdot idx^j) + m}$ {This gives the $idx$th exponential Shamir share of $m$}
    $r_{idx} = PPRF_{k_{Enc,idx}}(\mathsf{nonce})$
    $c = EG.Enc(params_{EG}, \vec{pk}_{idx}, [m]_{idx}; r_{idx})$ {This returns an ElGamal encryption of the $idx$th exponential Shamir share of $m$. Encryption uses randomness $r_{idx}$.}

Let the public parameters $params = (\lambda, params_{EG} = (G, p, g), t)$ consist of the security parameter $\lambda$, a large $p$-order group $G$ with generator $g$ (such that $p$ is prime and the range of the puncturable pseudorandom function PPRF is in $\mathbb{Z}_p$), and the threshold $t$. For simplicity we omit $params$ as input from the algorithms below.

KeyGen($t$):
    This is exactly as in Construction 2, except that the sender generates $n$ additional PPRF keys $k_{Enc,1}, \ldots, k_{Enc,n}$, and instead of obfuscating $f$ from Algorithm 1 to get ObfFunc, the sender obfuscates $f$ from Algorithm 5.

Enc($sk_{Sndr} = (SIG.sk, k_{Dec})$, $\vec{pk} = \{EG.pk_j\}_{j \in R}$ with $|R| \ge t$, $m$):
    This is exactly as in Construction 2.

PartDec($ObfFunc_{Sndr}, \{EG.pk_j\}_{j \in R}, EG.sk_i, c$):
    if the ciphertext $c$ is an output of a homomorphic evaluation then
        $c' = c$
    else
        Let $idx$ be the index of the public key corresponding to the secret key $EG.sk_i$ in a lexicographic ordering of $\vec{pk} = \{EG.pk_j\}_{j \in R}$
        $c' = ObfFunc_{Sndr}(\{EG.pk_j\}_{j \in R}, idx, c)$
    $[m]_{idx} \leftarrow EG.Dec(params_{EG}, EG.sk_i, c')$
    $d_i = (idx, [m]_{idx})$
    return $d_i$

FinalDec($\{d_i\}_{i \in R' \subset R}$):
    Perform exponential Shamir reconstruction $EShamir.Reconstruct(\{d_i\}_{i \in R'})$ as described in Figure 10 to recover $m$

Eval($\{pk_{Sndr}\}_{Sndr \in S}$, $\vec{pk} = \{pk_i\}_{i \in R}$, $[c_1, \ldots, c_l]$, $+$):
    {Note that this algorithm receives the public keys for all senders Sndr (and thus their obfuscated programs). Without loss of generality, let ciphertext $c_q$ be from sender $P_q$ (and therefore require the use of $ObfFunc_q$).}
    for ciphertext indices $q \in [1, \ldots, l]$ do
        for receivers $i \in R$ do
            Let $idx$ be the index of $EG.pk_i$ in a lexicographic ordering of $\vec{pk}$
            $c_{i,q} \leftarrow ObfFunc_q(\vec{pk}, idx, c_q)$
    for receivers $i \in R$ do
        $c^*_i = EG.Eval(params_{EG}, EG.pk_i, [c_{i,1}, \ldots, c_{i,l}], +)$
    return $c^* = \{c^*_i\}_{i \in R}$

Theorem 13 (Restated from Theorem 5). The modified obfuscation-based ATE (Construction 5) is $(n, t)$-super-statically secure (Definition 12) for any polynomial $n, t$, as long as iO is a secure indistinguishability obfuscator, PPRF is a secure puncturable PRF with range $\mathbb{Z}_p$, SIG is a constrained signature scheme, and EG is a secure public-key encryption scheme. Moreover, it is additively server-aided homomorphic for a polynomial-size message space.

Proof. In order to prove Theorem 4, we must show the modified obfuscation-based Homomorphic Ad Hoc Threshold Encryption construction is super-statically semantically secure and super-statically partial decryption simulatable. We prove super-static semantic security below, by showing a sequence of indistinguishable games starting at $\mathsf{EXP}(\mathcal{A}, \lambda, n, t, R)$ and ending at a message-independent game. The proof of partial decryption simulatability is the same as for Theorem 4. The server-aided homomorphism follows from the homomorphism of ElGamal encryption and exponential Shamir secret sharing.

Game 1 This is the same as Game 4 in the proof of Theorem 4. That is, this is $\mathsf{EXP}(\mathcal{A}, \lambda, n, t, R)$ as described in Definition 13 and Figure 13.

Game 2 This is the same as Game 5 in the proof of Theorem 4. That is, in this game, when creating the sender's public key (specifically, the sender's signature verification key $SIG.pk$), the challenger Chal generates a constrained verification key instead of a regular one. The constraint is designed to ensure that the challenge nonce $\mathsf{nonce}^*$ on which the PPRFs are called can only ever be associated with the challenge recipient set.

Game 2 is indistinguishable from Game 1 by the security of constrained signatures.

Game 3 In this game, the challenger Chal changes the way encryption takes place in the obfuscated program, as shown in Algorithm 6. In particular, instead of computing $c = EG.Enc(EG.pk_i, [m]_i; r_i)$, the program now computes $(c_1, c_2) = EG.Enc(EG.pk_i, [-w]_i; r_i)$, followed by $c = (c_1, c_2 \cdot g^e)$. Note that this gives the exact same ciphertext as encrypting $[m]_i$ directly; in fact, the only reason we did not use these instructions explicitly to begin with is clarity.

Algorithm 6 $f^{\mathsf{Game3}}_{k_{Dec},\, k_{Share},\, k_{Enc},\, SIG.pk}(\vec{pk}, idx, c)$

if $SIG.Verify(SIG.pk_{Sndr}, (\vec{pk}, \mathsf{nonce}), \sigma)$ then
    $w \leftarrow PPRF_{k_{Dec}}(\mathsf{nonce})$
    for $j \in [1, \ldots, t]$ do
        $coef_j = PPRF_{k_{Share,j}}(\mathsf{nonce})$
    $[-w]_{idx} = g^{(\sum_{j \in [1,\ldots,t]} coef_j \cdot idx^j) - w}$ {This gives the $idx$th exponential Shamir share of $-w$}
    $r_{idx} = PPRF_{k_{Enc,idx}}(\mathsf{nonce})$
    $(c_{idx,1}, c_{idx,2}) = EG.Enc(params_{EG}, \vec{pk}_{idx}, [-w]_{idx}; r_{idx}) = (g^{r_{idx}}, \vec{pk}_{idx}^{\,r_{idx}} \cdot [-w]_{idx})$ {This returns an ElGamal encryption of the $idx$th exponential Shamir share of $-w$. Encryption uses randomness $r_{idx}$.}
    $c = (c_{idx,1}, c_{idx,2} \cdot g^e)$ {This returns an ElGamal encryption of the $idx$th exponential Shamir share of $m = (e - w) \bmod p$.}
    return $c$
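As an added example that is not the paper's code, the following Python models Algorithm 6's $(c_1, c_2 \cdot g^e)$ rewrite, Construction 5's Eval (EG.Eval multiplies the ElGamal ciphertexts held by one receiver) and FinalDec (exponential Shamir reconstruction) over a constructed toy group. The group, the keys, the messages and the polynomial degree $t$ are constructed, and `secrets.randbelow` stands in for the PPRF outputs.

```python
import secrets

# Constructed toy group: the order-q subgroup of Z_P^* for the safe prime P = 2q + 1.
P, Q, G = 2039, 1019, 4  # exponents (masks, shares, randomness) live in Z_q

def eg_enc(pk, msg, r):
    """EG.Enc(pk, msg; r) = (g^r, pk^r * msg) for a group element msg."""
    return pow(G, r, P), pow(pk, r, P) * msg % P

def eg_dec(sk, ct):
    c1, c2 = ct
    return c2 * pow(pow(c1, sk, P), P - 2, P) % P

def eg_eval(cts):
    """EG.Eval(..., +): componentwise product, an encryption of the product of
    the plaintext group elements, i.e. of g^(sum of the exponents)."""
    c1 = c2 = 1
    for a, b in cts:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2

def exp_share(value, coefs, idx):
    """[value]_idx = g^(sum_j coef_j idx^j + value), the exponential share."""
    f = (value + sum(c * pow(idx, j, Q) for j, c in enumerate(coefs, 1))) % Q
    return pow(G, f, P)

def share_ct_game3(pk, idx, e, w, coefs, r):
    """Game 3 rewrite: encrypt the share of -w, then fold e in via c2 * g^e."""
    c1, c2 = eg_enc(pk, exp_share((-w) % Q, coefs, idx), r)
    return c1, c2 * pow(G, e, P) % P

def eshamir_reconstruct(shares):
    """EShamir.Reconstruct: Lagrange interpolation at 0, done in the exponent."""
    acc = 1
    for xi, gi in shares:
        lam = 1
        for xj, _ in shares:
            if xj != xi:
                lam = lam * xj % Q * pow((xj - xi) % Q, Q - 2, Q) % Q
        acc = acc * pow(gi, lam, P) % P
    return acc

def demo(t=2, n=3, msgs=(7, 11)):
    """Two senders, n = t + 1 receivers; returns (Game 3 ciphertexts match,
    Eval followed by FinalDec recovers g^(7 + 11))."""
    keys = [(sk, pow(G, sk, P)) for sk in [secrets.randbelow(Q - 1) + 1 for _ in range(n)]]
    per_party, matched = {i: [] for i in range(1, n + 1)}, True
    for m in msgs:
        w, coefs = secrets.randbelow(Q), [secrets.randbelow(Q) for _ in range(t)]
        e = (m + w) % Q
        for idx, (_, pk) in enumerate(keys, 1):
            r = secrets.randbelow(Q - 1) + 1  # stands in for PPRF_{k_Enc,idx}(nonce)
            direct = eg_enc(pk, exp_share(m, coefs, idx), r)
            matched &= share_ct_game3(pk, idx, e, w, coefs, r) == direct
            per_party[idx].append(direct)
    shares = [(i, eg_dec(keys[i - 1][0], eg_eval(per_party[i]))) for i in per_party]
    return matched, eshamir_reconstruct(shares) == pow(G, sum(msgs), P)
```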

Game 3 is indistinguishable from Game 2 by the security of indistinguishability obfuscation; the programs have identical input-output behavior.

Game 4 This is the same as Game 8 in the proof of Theorem 4, except that in addition to puncturing the PPRF keys $k_{Dec}$ and $k_{Share,j}$ for all $j \in [1, \ldots, t]$, the challenger Chal also punctures $k_{Enc,i}$ for all $i \in R^*$. To preserve the input-output behavior of the program, Chal computes $r^*_i = PPRF_{k_{Enc,i}}(\mathsf{nonce}^*)$, and modifies the program to set $r_i = r^*_i$ when $\mathsf{nonce} = \mathsf{nonce}^*$, as shown in Algorithm 7.

Algorithm 7 $f^{\mathsf{Game4}}_{k_{Dec}\{\mathsf{nonce}^*\},\, k_{Share}\{\mathsf{nonce}^*\},\, k_{Enc}\{\mathsf{nonce}^*\},\, SIG.pk,\, \mathsf{nonce}^*,\, w^*,\, coef^*_1, \ldots, coef^*_t,\, r^*_1, \ldots, r^*_n}(\vec{pk}, idx, c)$

if $SIG.Verify(SIG.pk_{Sndr}, (\vec{pk}, \mathsf{nonce}), \sigma)$ then
    if $\mathsf{nonce} = \mathsf{nonce}^*$ then
        $w = w^*$
        for $j \in [1, \ldots, t]$ do
            $coef_j = coef^*_j$
        $r_{idx} = r^*_{idx}$
    else
        $w \leftarrow PPRF_{k_{Dec}\{\mathsf{nonce}^*\}}(\mathsf{nonce})$
        for $j \in [1, \ldots, t]$ do
            $coef_j = PPRF_{k_{Share,j}\{\mathsf{nonce}^*\}}(\mathsf{nonce})$
        $r_{idx} = PPRF_{k_{Enc,idx}\{\mathsf{nonce}^*\}}(\mathsf{nonce})$
    $[-w]_{idx} = g^{(\sum_{j \in [1,\ldots,t]} coef_j \cdot idx^j) - w}$ {This gives the $idx$th exponential Shamir share of $-w$}
    $(c_{idx,1}, c_{idx,2}) = EG.Enc(params_{EG}, \vec{pk}_{idx}, [-w]_{idx}; r_{idx}) = (g^{r_{idx}}, \vec{pk}_{idx}^{\,r_{idx}} \cdot [-w]_{idx})$ {This returns an ElGamal encryption of the $idx$th exponential Shamir share of $-w$. Encryption uses randomness $r_{idx}$.}
    $c = (c_{idx,1}, c_{idx,2} \cdot g^e)$ {This returns an ElGamal encryption of the $idx$th exponential Shamir share of $m = (e - w) \bmod p$.}

Game 4 is indistinguishable from Game 3 by the security of indistinguishability obfuscation; the programs have identical input-output behavior.

Game 5 This game is the same as Game 9 in the proof of Theorem 4. That is, in this game, the challenger Chal chooses $coef^*_j$ truly at random for $j \in [1, \ldots, t]$. (Note that this game really requires $t$ hybrids that we are skipping in the interest of brevity.)

Game 5 is indistinguishable from Game 4 by the security of puncturable PRFs.

Game 6 This game is the same as Game 10 in the proof of Theorem 4. That is, in this game, the challenger Chal chooses $w^*$ truly at random.

Game 6 is indistinguishable from Game 5 by the security of puncturable PRFs.

Game 7.idx for $idx \in [1, \ldots, n]$

In this game, the challenger Chal modifies the obfuscated program to choose the encryption randomness uniformly at random for the $idx$th party. That is, Chal sets $r^*_{idx}$ at random (instead of setting it to $PPRF_{k_{Enc,idx}}(\mathsf{nonce}^*)$).

Game 7.1 is indistinguishable from Game 6, and Game 7.idx is indistinguishable from Game 7.(idx−1) for $idx \in [2, \ldots, n-t]$, by the security of puncturable PRFs.

We let Game 7 denote Game 7.n.

Game 8 In this game, the challenger Chal modifies the obfuscated program to hardcode the ciphertexts $(c^*_{idx,1}, c^*_{idx,2})$ for $idx \in [1, \ldots, n]$ instead of $w^*$, $coef^*_1, \ldots, coef^*_t$ and $r^*_1, \ldots, r^*_n$, as described in Algorithm 8. To preserve the input-output behavior of the program, Chal computes $(c^*_{idx,1}, c^*_{idx,2})$ exactly as they would have been computed in Algorithm 7.

Algorithm 8 $f^{\mathsf{Game8}}_{k_{Dec}\{\mathsf{nonce}^*\},\, k_{Share}\{\mathsf{nonce}^*\},\, k_{Enc}\{\mathsf{nonce}^*\},\, SIG.pk,\, \mathsf{nonce}^*,\, (c^*_{1,1}, c^*_{1,2}), \ldots, (c^*_{n,1}, c^*_{n,2})}(\vec{pk}, idx, c)$

if $SIG.Verify(SIG.pk_{Sndr}, (\{EG.pk_j\}_{j \in R}, \mathsf{nonce}), \sigma)$ then
    if $\mathsf{nonce} = \mathsf{nonce}^*$ then
        $(c_{idx,1}, c_{idx,2}) = (c^*_{idx,1}, c^*_{idx,2})$
    else
        $w \leftarrow PPRF_{k_{Dec}\{\mathsf{nonce}^*\}}(\mathsf{nonce})$
        for $j \in [1, \ldots, t]$ do
            $coef_j = PPRF_{k_{Share,j}\{\mathsf{nonce}^*\}}(\mathsf{nonce})$
        $r_{idx} = PPRF_{k_{Enc,idx}\{\mathsf{nonce}^*\}}(\mathsf{nonce})$
        $[-w]_{idx} = g^{(\sum_{j \in [1,\ldots,t]} coef_j \cdot idx^j) - w}$ {This gives the $idx$th exponential Shamir share of $-w$}
