G Proof of Theorem - Fully Secure Functional Encryption for Inner Products, from Standa

Proof. The proof proceeds similarly to the proof of Theorem 5 and uses the same sequence of games. The only modification is in the argument to argue that the adversary’s view is independent ofβ ∈ {0,1}in the final game.

For eachi, we denote bySi the event that the adversary wins in Gamei. We first recall the final game of the sequence:

Game30: At the beginning of the game, the challenger setsg=g02N modN2_, whereg0←-_Z∗_N2, and pickss= (s1, . . . , s`)T ←- DZ`,σ before defining the public parameters hi = gsi modN2 for each i ∈ {1, . . . , `}. The master public key

mpk= (N, g,{hi}`i=1) is given to the adversary A. In the challenge phase, A chooses two distinct vectors y0,y1 ∈ Z`N. The challenger flips a random coin

β ←-{0,1} and encryptsyβ by choosingaz ←-ZN,rz ←-{0, . . . ,bN/4c}and setting

C0= (1 +N)az ·grz modN2,

Ci= (1 +N)yβ,i+az·si·hriz modN

2 _∀_i_{∈ {}₁_{, . . . , `}_}_.

Note that any vectorx∈Z`N queried by Ato the private key generation oracle must satisfy hx,y0i=hx,y1imodN. At each query, the adversaryAis given a secret key (x,zx) exactly as in the real scheme. When A halts, it outputs

β0 ∈ {0,1}and wins in the event that β0=β.

Let us definey=y1−y0∈Z`N and letxi∈Z`pbe the vectors corresponding to the secret key queries made by A. Since A is a legitimate adversary, we know that hxi,yi = 0 modN for each secret key query xi ∈ Z`N. Note that

non-zero both modulop and moduloq (otherwise, the reduction has found a non-trivial factor ofN).

We have to show that A’s view is statistically independent of β ∈ {0,1}

in Game 30. To this end, we use a similar analysis to that of Theorem 3. In particular, we cannot use the same matrix Xtopas in (4.1) since, if we define X to be the matrix formed by that matrixXtop andyT, we cannot guarantee that the determinant ofXXT _{is not a multiple of}_N_{. One option would be to} defineXas the`×`matrix formed by the_ZN-independent private key queries andyT_{. One difficulty is that such an}_X _{may not be invertible (we may have}

hy,yi= 0 modN). Further, after the challenge phase, we cannot immediately rule out that the queried vectorsxi somehow depend onβ ∈ {0,1}. To avoid a circularity, we use an inductive argument as in the proof of Theorem 3.

For eachj from 0 to`−1, we consider the adversary’s view after exactlyj

private key queries for linearly independent vectors over_ZN. SinceA’s view is trivially independent ofβ ∈ {0,1}before the challenge phase, we only need to worry about post-challenge queries and we assume that the challenge ciphertext has been generated when the jth query occurs. By induction, we will show that, for anyj ∈ {1, . . . , `−1}, the view of the adversary remains statistically independent of β after the first j queries. In particular, the (j+ 1)th linearly independent private key query will be statistically independent ofβ as well. It will also ensure that, forj=`−1,A’s view will remain statistically independent ofβ in Game 30, which is exactly what we have to show.

Our induction hypothesis thus considers a counter valuej ∈ {0, . . . , `−1}

and assumes that, at this pointst, is independent ofβ. At this stage,stcontains

j tuples (xi,xi,zi). Thesexi’s generate subspaces of both y⊥p_:=_{_x_∈

Z`p:hx,yi= 0 modp} and y⊥q:={x∈Z `

q :hx,yi= 0 modq}. We deterministically extend the {xi}ji=1 into{xi}`i=1−1 so as to have a basis of bothy⊥p andy⊥q which is statistically independent ofβ. This is achieved by linear algebra moduloN, and, if any Gaussian elimination step fails becauseZ/NZis not a field, the reduction succeeds as it has found a factor ofN. This extension of

{xi} j

i=1into{xi}`i=1−1can be seen as having the challenger making dummy private key queries for itself and creating the correspondingxi’s inZ` so as to get a full basis of bothy⊥p _and_y⊥q_{. Note that we may assume that the challenger knows}

y as we only need to apply the inductive argument to post-challenge queries. We define Xtop ∈ Z(`−1)×` as the matrix whose ith row is xi, for all i ∈

{1, . . . , `−1}(including the genuine and dummy private key queries). Via private key queries, the information obtained by the adversary amounts to a subset of the coordinates ofXtop·s∈Z(`−1).

Letx0∈Z`Nbe a vector outsidey⊥pandy⊥qwhich is chosen as a deterministic function of{xi}

i=1 andyand letXbot∈Z

1×`_{be the canonical lift of (}_x0₎T _over the integers. By construction of Xbot∈Z1×`, we haveXbot·y6= 0 modN. Now, let us define the matrix

X= Xtop Xbot ∈Z`×`.

By construction, this matrixXis invertible moduloN. Moreover, by induction and construction, it is statistically independent ofβ∈ {0,1}.

In Game 30, the challenge ciphertext information-theoretically reveals zβ = yβ,1+az·s1modN, . . . , yβ,`+az·s`modN

∈_Z` N =yβ+az·smodN

and it thus suffices to prove that zβ is almost independent of β ∈ {0,1} conditionally on {hi = gsimodN2}`i=1 and Xtop·s ∈ Z`−1. Since the rows ofXare known toAin the information theoretic sense, it is sufficient to prove that X·zβ∈Z`N is statistically independent ofβ.

Since Xtop·(y0−y1) = 0modN, we remark that Xtop ·zβ ∈ Z`N−1 is necessarily independent ofβ∈ {0,1}and it suffices to consider the distribution of Xbot·zβmodN. Lets0= (s0,1, . . . , s0,`)T ∈Z`be an arbitrary vector satisfying the equalitieshi=gs0,i modN2 andXtop·s0=Xtop·s(overZ). Conditionally on the adversary’s view, the distribution ofs∈Z`iss0+DΛ,σ,−s0, where

Λ={t∈_Z`_|_X

top·t=0∈Z`−1, t=0modp0q0}, which is a one-dimensional lattice in_Z`_{. We have}

Λ=y0·_Z∩(p0q0·_Z)`= (p0q0)·y0·_Z

for some y0 ∈Z`. Note that, by the Chinese Remainder Theorem, there exists an invertible α∈Z∗N such thaty0=α·ymodN as, if we hadα= 0 modpor

α= 0 modq, it would contradict the definition ofy0.

If we defineΛ0 to be the lattice generated by the rows of Xtop∈Z(`−1)×`, we haveky0k= det(Λ/(p0q0))≤detΛ0 and Hadamard’s bound impliesky0k ≤

(√`N)`−1_{. Since (}_p0_q0₎_·k_y0_{k ≤}₍√_`N₎`_{, the smoothing parameter of the sublattice} (N ·Λ) must be bounded by (√`N)`+1_{. By choosing} _{σ >} √_λ₍√_`N₎`+1_{, we}

obtain that the distribution DΛ,σ,−s0mod (N·Λ)

is within 2−λ _{distance from} the uniform distribution overΛ/(N·Λ) which is isomorphic toy·ZN because gcd(p0q0, N) = 1 andy0 =α·ymodN for someα∈Z∗N. SinceXbot·y6= 0 modp and Xbot·y 6= 0 modq, we find that Xbot·smodp and Xbot·smodq are statistically close to the uniform distribution overZp andZq, respectively.

Since gcd(az, N) = 1 with overwhelming probability, this implies that the productXbot·zβmodN does not carry any significant information aboutβ, as claimed.

Putting the above altogether, the adversary’s advantage in the initial game can be bounded as

|Pr[S0]−1/2]| ≤AdvDCRB (λ) + 2−λ+1.

u t

In document Fully Secure Functional Encryption for Inner Products, from Standard Assumptions (Page 39-41)