F Proof of Theorem - Fully Secure Functional Encryption for Inner Products, from Standa

Proof. The proof uses a sequence of games that begins with a game where the adversary is given a real encryption ofyβ, for some random bitβ ∈ {0,1}, and ends with a game whereβ∈ {0,1} is statistically independent of the adversary’s view. For eachi, we denote bySi the event that the adversary wins in Game i. Game 0: This is the actual security game. The adversary A is given the master public key mpk = N, g,{hi}`i=1, Y

, where hi = gsi modN2 and s= (s1, . . . , s`)T ←D`_Z,σ is a discrete Gaussian vector. In the challenge phase,A chooses two vectorsy0= (y0,1, . . . , y0,`),y1= (y1,1, . . . , y1,`)∈Z` of norms≤Y and obtains an encryption ofyβ, for some randomβ ∈ {0,1}. At the end of the game,Aoutputsβ0∈ {0,1} and we denote byS0 the event thatβ0 =β. For any vectorx∈Z` submitted by the adversary to the secret key extraction oracle, we must have the equalityhx,y0i=hx,y1ioverZ.

Game 1: We modify the generation of the challenge Cyβ = (C0, C1, . . . , C`).

Namely, the challengerB first choosesz=z₀N modN2, for a randomly drawn

z0←-Z∗N and computes

C0=z2modN2. (F.1)

Then, it usesmsk:= ({si}`i=1, X) to compute

Ci = (1 +N)yβ,i·C0simodN 2_,

∀i∈ {1, . . . , `}.

The ciphertextCyβ has almost the same distribution as in Game 1 asC0 is now

perfectly (instead of statistically) uniform in the subgroup of (2N)th residues. We have |Pr[S1]−Pr[S0]| ≤2−λ.

Game 2: We modify again the generation of Cyβ = (C0, C1, . . . , C`) in the

challenge phase. Namely, instead of computing C0 by first choosing a random

Nth residue z in Z∗N2, the challenger rather samples z ←- Z∗_N2 at random, computes C0 as in as in (F.1) (so that C0 is a square in Z∗N2 but not a Nth residue, except with negligible probablity) and sets

Ci = (1 +N)yβ,i·C0simodN

2_, _∀_i_{∈ {}₁_{, . . . , `}_}_.

Under the DCR assumption, this modification is not noticeable to A, which implies that|Pr[S2]−Pr[S1]| ≤AdvDCR_B (λ).

Game3: We modify the generation of C0 in the challenge ciphertext. Instead of choosing it uniformly in QRN2, the challenger picks az ←- Z∗N and rz ←-

{1, . . . ,bN/4c}and computes

The generation of{Ci}`i=1 remains unchanged. The statistical distance between the distribution of C0 in Game 3 and Game 2 is smaller than 2−λ. We have

|Pr[S3]−Pr[S2]| ≤2−λ.

In Game 3, we haveC0= (1 +N)az ·grz modN2and we claim that (C1, . . . , C`) = (1 +N)yβ,1+az·s1modN ·hr1z modN 2_, . . . , (1 +N)yβ,`+az·s`modN_·_hrz ` modN 2 (F.2) statistically hides β∈ {0,1}so that |Pr[S3]−1/2| ≤2−λ. To prove this, we use a similar argument to the one in the proof of Theorem 2.

Namely, if we consider the vectory= (y1, . . . , y`) = 1_g(y1−y0)∈Z`, where

g = gcd(y0,1−y1,1, . . . , y0,`−y1,`), we know that any legal private key query x ∈ Z` must be in the lattice {x ∈ Z` : hx,yi = 0} for which the rows of the matrix Xtop ∈Z(`−1)×` defined in (4.1) form a basis. We also know that

kyk2_{< N} _{and we may assume that gcd(}_k_y_k2_{, N}_{) = 1 since the reduction would} be able to compute a non-trivial factor of N otherwise. We may also assume that the information that the adversary can infer abouts= (s1, . . . , s`)∈Z` via private key queries is completely determined by Xtop·s∈Z`−1. Let us define the matrix X= Xtop yT ∈Z`×`.

Sincekyk2_{< N}_{, the same arguments as in the proof of Theorem 2 ensure that} the matrix X is invertible in ZN unless its determinant reveals a non-trivial factor ofN.

Recall that the challenge ciphertext (F.2) information-theoretically reveals zβ = yβ,1+az·s1modN, . . . , yβ,`+az·s`modN

∈_Z` N =yβ+az·smodN,

so that we have to show that zβ is statistically independent of β ∈ {0,1} conditionally onA’s view. Since X∈Z`×` is invertible over ZN and does not depend on β ∈ {0,1}, it suffices to show that X·zβ ∈ Z`N is statistically independent ofβ ∈ {0,1}. Given thatXtop·(y0−y1) = 0 (over the integers), Xtop·zβ∈ZN`−1 is clearly independent ofβ ∈ {0,1}and we only need to worry about the last row ofX·zβ ∈Z`N, which can be written

yT ·zβmodN=hyβ,yi+az· hs,yimodN. (F.3) Lets0= (s0,1, . . . , s0,`)∈Z` denote an arbitrary vector satisfying

Xtop·s0=Xtop·s∈Z`−1, and hi=gs0,i modN2 ∀i∈[1, `]. FromA’s view, the distribution of the master secret keys∈_Z` _is_s

0+DΛ,σ,−s0, where

which is the latticeΛ=_Z·y∩(p0q0·_Z)`_{= (}_p0_q0₎_·

Z·y. Conditionally on{hi}`i=1 andXtop·s, the distribution of hs,yiis thus

hs0,yi+D(p0_q0₎_k_y_k2_·_Z_,_k_y_k_σ,₋_c,

wherec =hs0,yi ∈Z. We consider the distribution obtained by reducing the distributionD(p0_q0₎_k_y_k2_·_Z_,_k_y_k_σ,₋_c overΛ₀= (p0q0)kyk2·_Zmodulo the sublattice

Λ0₀ = (p0q0)kyk2_·₍_N

Z). By Lemma 8, given that |(p0q0)kyk2·N| < N2kyk2, gcd(p0q0kyk2_{, N}_{) = 1 and} _k_y_k _< √_N_{, choosing} _{σ >} √_λ_·_N5/2 _{suffices to} ensure thaths,yimodN is within distance 2−λ_{from the uniform distribution} over Λ0/Λ00 ' ZN when {hi}`i=1 and Xtop·s ∈ Z`−1 are given. Since az is invertible inZN with all but negligible probability, the termhyβ,yimodN is thus statistically hidden in the right-hand-side member of (F.3).

When counting probabilities, we find thatA’s advantage in the real game can be bounded as

|Pr[S0]−1/2| ≤AdvDCRB (λ) + 2−λ+1,

which is thus negligible if theDCRassumption holds. ut

In document Fully Secure Functional Encryption for Inner Products, from Standard Assumptions (Page 37-39)