In this section, we give the detailed security model for IND-CCA-BLT secure PKE tolerating post-challenge leakage and tampering attacks.

Definition 13. (Split-state IND-CCA-BLT secure PKE). A 2-split-state IND-CCA-BLT secure PKE scheme $\mathrm{BLT} = (\mathrm{BLT.Setup}, \mathrm{BLT.Gen}, \mathrm{BLT.Enc}, \mathrm{BLT.Dec})$ consists of the following algorithms:
– $\mathrm{BLT.Setup}(1^\kappa)$: The setup algorithm takes as input the security parameter and outputs the public parameters $params$, which are taken as input by all the algorithms.
– $\mathrm{BLT.Gen}(params)$: The key generation algorithm comprises two subroutines, namely $\mathrm{BLT.Gen}_1$ and $\mathrm{BLT.Gen}_2$. The subroutine $\mathrm{BLT.Gen}_i$ ($i \in \{1,2\}$) generates the $i$-th public-secret key pair, i.e., $(pk'_i, sk'_i) \leftarrow \mathrm{BLT.Gen}_i(params, r_i)$ where $r_i \in \{0,1\}^*$. The public key consists of the pair $pk' = (pk'_1, pk'_2)$ and the secret key consists of the pair $sk' = (sk'_1, sk'_2)$.
– $\mathrm{BLT.Enc}_{pk'}(m)$: The (randomized) encryption algorithm takes as input a message $m$ and a public key $pk' = (pk'_1, pk'_2)$, and outputs a ciphertext $C$.
– $\mathrm{BLT.Dec}(C, sk' = (sk'_1, sk'_2))$: The decryption consists of two partial decryption subroutines $\mathrm{BLT.Dec}_1, \mathrm{BLT.Dec}_2$ and a combining subroutine $\mathrm{BLT.Comb}$. The decryption subroutine $\mathrm{BLT.Dec}_i$ ($i \in \{1,2\}$) takes as input the ciphertext $C$ and the secret key split $sk'_i$, and outputs a partial decryption $t'_i$, i.e., $t'_i \leftarrow \mathrm{BLT.Dec}_i(C, sk'_i)$. Finally, $\mathrm{BLT.Comb}$ takes the ciphertext $C$ and the pair $(t'_1, t'_2)$ to recover the plaintext $m$, i.e., $m \leftarrow \mathrm{BLT.Comb}(C, t' = (t'_1, t'_2))$.
We want the usual correctness requirement to hold for $\mathrm{BLT}$, i.e., $\forall\, params \leftarrow \mathrm{BLT.Setup}(1^\kappa)$, $(pk'_i, sk'_i) \leftarrow \mathrm{BLT.Gen}_i(params)$ ($i \in \{1,2\}$), $\forall m \in \mathcal{M}$, we require that $\mathrm{BLT.Dec}(sk' = (sk'_1, sk'_2), C = \mathrm{BLT.Enc}_{pk'}(m)) = m$ holds with probability 1.
We now define the notion of CCA security of PKE schemes in the presence of after-the-fact split-state memory leakage and tampering attacks.

Definition 14. (Post-Challenge IND-CCA-BLT security in split-state). Let $\kappa \in \mathbb{N}$ be the security parameter. Let $\lambda_{pre}(\kappa)$ and $\lambda_{post}(\kappa)$ be the upper bounds on the amount of memory leakage before and after the challenge phase respectively. Also, let $t_{pre}(\kappa)$ and $t_{post}(\kappa)$ be the bounds on the number of tampering queries asked by the adversary before and after the challenge phase respectively. A 2-split-state PKE scheme $\mathrm{BLT} = (\mathrm{BLT.Setup}, \mathrm{BLT.Gen}, \mathrm{BLT.Enc}, \mathrm{BLT.Dec})$ is post-challenge IND-CCA-$(k, (\lambda_{pre}, \lambda_{post}), (t_{pre}, t_{post}))$-BLT secure if for all PPT adversaries $\mathcal{B}$, the advantage $\mathrm{Adv}^{\text{AFL-IND-CCA-BLT}}_{\mathcal{B},\mathrm{BLT}}(\kappa)$ defined below is at most $\frac{1}{2} + \mathrm{negl}(\kappa)$.
1. Key Generation: The challenger chooses $r_1, r_2 \xleftarrow{\$} \{0,1\}^*$, computes $(pk'_i, sk'_i) \leftarrow \mathrm{BLT.Gen}_i(1^\kappa, r_i)$ ($i \in \{1,2\}$), sends $pk' = (pk'_1, pk'_2)$ to the adversary, and keeps $sk' = (sk'_1, sk'_2)$ to itself. Also, it initializes two counters $L^1_{pre} = L^2_{pre} = 0$, where $L^i_{pre}$ denotes the random variable quantifying the amount of leakage from the $i$-th split $sk'_i$ of the secret key $sk'$ ($i \in \{1,2\}$).
2. Pre-Challenge Leakage: The adversary makes an arbitrary number of leakage queries $(f^{pre}_{1,i}, f^{pre}_{2,i})$ adaptively, where $f^{pre}_{1,i}$ and $f^{pre}_{2,i}$ act independently on the secret key components $sk'_1$ and $sk'_2$ respectively. Upon receiving the $i$-th leakage query, the challenger sends back $(f^{pre}_{1,i}(sk'_1), f^{pre}_{2,i}(sk'_2))$, provided $L^1_{pre} + |f^{pre}_{1,i}(sk'_1)| \le \lambda_{pre}(\kappa)$ and $L^2_{pre} + |f^{pre}_{2,i}(sk'_2)| \le \lambda_{pre}(\kappa)$. It updates $L^1_{pre} = L^1_{pre} + |f^{pre}_{1,i}(sk'_1)|$ and $L^2_{pre} = L^2_{pre} + |f^{pre}_{2,i}(sk'_2)|$.
3. Pre-Challenge Tampering: The adversary is allowed to make at most $t_{pre}$ pre-challenge tampering queries $(T^{pre}_{1,i}, T^{pre}_{2,i})$ for $i \in [t_{pre}]$, where $T^{pre}_{1,i}$ and $T^{pre}_{2,i}$ act independently on the secret key components $sk'_1$ and $sk'_2$ respectively. In more detail, for each tampering query $T_i = (T^{pre}_{1,i}, T^{pre}_{2,i})$, the adversary $\mathcal{B}$ gets access to the tampered decryption oracles $\mathrm{BLT.Dec}(\widetilde{sk}'_{1,\psi}, \cdot)$ and $\mathrm{BLT.Dec}(\widetilde{sk}'_{2,\psi}, \cdot)$, where $\widetilde{sk}'_{j,\psi} = T^{pre}_{j,\psi}(sk'_j)$ (with $1 \le \psi \le i$ and $j \in \{1,2\}$). In other words, the decryption oracle may be queried with any of the tampered keys obtained up to this point. We assume that the total number of queries to the decryption oracles is polynomial. Note that when $(T^{pre}_{1,\psi}(sk'_1), T^{pre}_{2,\psi}(sk'_2)) = (sk'_1, sk'_2)$, $\mathcal{B}$ gets access to the (normal) decryption oracle in the pre-challenge phase.
4. Challenge: In this phase, $\mathcal{B}$ gives two challenge messages $m_0$ and $m_1$, and the challenger chooses $b \xleftarrow{\$} \{0,1\}$, computes $C^* = \mathrm{BLT.Enc}_{pk'}(m_b)$ and gives it to $\mathcal{B}$.
5. Post-Challenge Leakage: The adversary makes an arbitrary number of leakage queries $(f^{post}_{1,j}, f^{post}_{2,j})$ adaptively, where $f^{post}_{1,j}$ and $f^{post}_{2,j}$ act independently on the secret key components $sk'_1$ and $sk'_2$ respectively. Upon receiving the $j$-th leakage query, the challenger sends back $(f^{post}_{1,j}(sk'_1), f^{post}_{2,j}(sk'_2))$, provided $L^1_{post} + |f^{post}_{1,j}(sk'_1)| \le \lambda_{post}(\kappa)$ and $L^2_{post} + |f^{post}_{2,j}(sk'_2)| \le \lambda_{post}(\kappa)$. It updates $L^1_{post} = L^1_{post} + |f^{post}_{1,j}(sk'_1)|$ and $L^2_{post} = L^2_{post} + |f^{post}_{2,j}(sk'_2)|$.
6. Post-Challenge Tampering: The adversary is allowed to make at most $t_{post}$ post-challenge tampering queries $(T^{post}_{1,j}, T^{post}_{2,j})$ for $j \in [t_{post}]$, where $T^{post}_{1,j}$ and $T^{post}_{2,j}$ act independently on the secret key components $sk'_1$ and $sk'_2$ respectively. In more detail, for each tampering query $T_j = (T^{post}_{1,j}, T^{post}_{2,j})$, the adversary $\mathcal{B}$ is allowed to ask a polynomial number of decryption queries, in which case $\mathcal{B}$ gets access to the tampered decryption oracles $\mathrm{BLT.Dec}(\widetilde{sk}'_{1,\varsigma}, \cdot)$ and $\mathrm{BLT.Dec}(\widetilde{sk}'_{2,\varsigma}, \cdot)$ respectively ($1 \le \varsigma \le j$), as before. However, in the post-challenge phase, an additional restriction is imposed on the tampering functions $T_\varsigma$: when the adversary asks tampering functions $T_\varsigma$ and gets access to the decryption oracles $\mathrm{BLT.Dec}(\widetilde{sk}'_{1,\varsigma}, C^*)$ and $\mathrm{BLT.Dec}(\widetilde{sk}'_{2,\varsigma}, C^*)$ with respect to the challenge ciphertext $C^*$, it must hold that $\widetilde{sk}'_{1,\varsigma} \neq sk'_1$ and $\widetilde{sk}'_{2,\varsigma} \neq sk'_2$.
7. Guess: Finally, the adversary outputs a bit $b'$ as a guess of the bit $b$ chosen by the challenger. If $b' = b$, output 1, else output 0.
We define the advantage of the adversary $\mathcal{B}$ in the above experiment as: $\mathrm{Adv}^{\text{AFL-IND-CCA-BLT}}_{\mathcal{B},\mathrm{BLT}}(\kappa) = \Pr[b' = b] - \frac{1}{2}$.
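As an added illustration that is not part of the paper, the following Python challenger enforces the bookkeeping of Definition 14: per-split leakage budgets for each phase, the tampering-query limits $t_{pre}$ and $t_{post}$, and the post-challenge rule that $C^*$ may only be decrypted under a key whose both splits differ from $sk'_1$ and $sk'_2$. The scheme itself is an assumed toy one-time pad $C = m \oplus sk'_1 \oplus sk'_2$ chosen only so that the game runs; the key-handle indexing and applying the $C^*$ rule to every handle used after the challenge (including the untampered key) are also assumptions.

```python
import secrets
from typing import Callable, List, Optional, Tuple

Fn = Callable[[bytes], bytes]

def xor(a: bytes, b: bytes) -> bytes:       # inputs are assumed equal-length
    return bytes(x ^ y for x, y in zip(a, b))

class BLTChallenger:
    """Definition 14 challenger for a toy scheme (assumption: C = m ^ sk'_1 ^ sk'_2)."""
    def __init__(self, sk1: bytes, sk2: bytes, lam: Tuple[int, int], t: Tuple[int, int]):
        self.sk = (sk1, sk2)                          # sk' = (sk'_1, sk'_2)
        self.lam = {"pre": lam[0], "post": lam[1]}    # lambda_pre, lambda_post (in bits)
        self.tmax = {"pre": t[0], "post": t[1]}       # t_pre, t_post
        self.phase = "pre"
        self.leaked = {"pre": [0, 0], "post": [0, 0]}  # counters L^1, L^2 for each phase
        self.ntamper = {"pre": 0, "post": 0}
        self.keys: List[Tuple[bytes, bytes]] = [self.sk]  # handle 0 = untampered key
        self.c_star: Optional[bytes] = None

    def leak(self, f1: Fn, f2: Fn) -> Tuple[bytes, bytes]:
        out = (f1(self.sk[0]), f2(self.sk[1]))        # each f_i sees only its own split
        for i in range(2):                            # both bounds checked before any update
            if self.leaked[self.phase][i] + 8 * len(out[i]) > self.lam[self.phase]:
                raise PermissionError(f"leakage bound for split {i + 1} exceeded")
        for i in range(2):
            self.leaked[self.phase][i] += 8 * len(out[i])
        return out

    def tamper(self, T1: Fn, T2: Fn) -> int:
        if self.ntamper[self.phase] >= self.tmax[self.phase]:
            raise PermissionError("tampering bound exceeded")
        self.ntamper[self.phase] += 1
        self.keys.append((T1(self.sk[0]), T2(self.sk[1])))  # T_i acts split-wise
        return len(self.keys) - 1                     # handle the adversary queries with

    def challenge(self, m0: bytes, m1: bytes, b: Optional[int] = None) -> bytes:
        self.b = secrets.randbelow(2) if b is None else b
        self.c_star = xor(xor(m1 if self.b else m0, self.sk[0]), self.sk[1])
        self.phase = "post"
        return self.c_star

    def decrypt(self, handle: int, C: bytes) -> bytes:
        k1, k2 = self.keys[handle]
        # Post-challenge rule: C* only under a key with BOTH splits tampered (assumed for every handle)
        if self.phase == "post" and C == self.c_star and (k1 == self.sk[0] or k2 == self.sk[1]):
            raise PermissionError("C* may not be decrypted under an untampered split")
        t1, t2 = xor(C, k1), xor(C, k2)               # BLT.Dec_1 and BLT.Dec_2
        return xor(xor(t1, t2), C)                    # BLT.Comb recovers C ^ k1 ^ k2
```

Note that the toy pad returns $m_b$ under a key where both splits are flipped by the same mask, which is exactly the related-key behaviour a BLT-secure scheme must rule out.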
D Proof of Theorem 5

Theorem 6. The encryption scheme $\mathrm{BLT}$ is post-challenge IND-CCA-$(k, (\lambda''_{pre}, \lambda''_{post}), (t''_{pre}, t''_{post}))$-BLT secure as long as the parameters satisfy:
$\lambda''_{pre} \le \lambda'_{pre}$, $\lambda''_{post} \le \lambda'_{post}$ and $t''_{pre} \le t'_{pre}$, $t''_{post} \le t'_{post}$.
Proof. We need to show that the advantage of any PPT adversary $\mathcal{B}$ in the AFL-IND-CCA-BLT security game for the PKE scheme $\mathrm{BLT}$ is negligible. For this, we introduce an intermediate hybrid experiment $\mathrm{Hyb}_1$, and show that if the adversary $\mathcal{B}$ can distinguish the real game from $\mathrm{Hyb}_1$, then it can break the AFL-IND-CCA-BLT security of the KEM scheme $\mathrm{KEM}$. Finally, we show that the advantage of the adversary in $\mathrm{Hyb}_1$ is upper bounded by the advantage of an adversary $\mathcal{B}_{SKE}$ against the symmetric-key encryption scheme $\varphi$.
$\mathrm{Hyb}_1$: In this hybrid, the challenger proceeds as in the real game, except for two main differences. Firstly, the challenger generates the challenge ciphertext $c^* = (c^*_0, c^*_1)$ as $(c^*_0, k^*) \leftarrow \mathrm{KEM.Encap}(pk')$, and encrypts the message $m_b$ in $c^*_1$ using a randomly chosen encapsulation key $k \in \{0,1\}^u$. Secondly, when the adversary submits a ciphertext of the form $c = (c^*_0, c_1)$ to the decryption oracle or the tampering oracle, if $c \neq c^*$, the challenger does not run the $\mathrm{KEM.Decap}$ algorithm to obtain the encapsulated symmetric key; instead, it uses the key $k$ to decrypt. Let us denote the adversary for $\mathrm{KEM}$ by $\mathcal{B}_{KEM}$.
Claim. $\left|\mathrm{Adv}^{\text{AFL-IND-CCA-BLT}}_{\mathcal{B},\mathrm{BLT}}(\kappa) - \mathrm{Adv}^{\text{AFL-IND-CCA-BLT}}_{\mathcal{B},\mathrm{Hyb}_1}(\kappa)\right| \le \mathrm{negl}(\kappa)$.
Proof. Suppose, for contradiction, that there exist some polynomial $p(\kappa)$ and $\kappa \in \mathbb{N}$ such that the advantage of $\mathcal{B}$ in distinguishing the real game from $\mathrm{Hyb}_1$ is at least $1/p(\kappa)$. We then show that the adversary $\mathcal{B}_{KEM}$ can break the AFL-IND-CCA-BLT security of $\mathrm{KEM}$ with non-negligible advantage, using $\mathcal{B}$ as a black box. The adversary $\mathcal{B}_{KEM}$ proceeds as follows:
1. In the key generation phase, $\mathcal{B}_{KEM}$ receives as input the public key $pk' = (pk'_1, pk'_2)$ from the external challenger $\mathcal{C}$ of the KEM scheme. It then returns $pk'$ to $\mathcal{B}$.
2. In the pre-challenge phase, when $\mathcal{B}$ makes leakage queries $f_i = (f^{pre}_{1,i}, f^{pre}_{2,i})$, $\mathcal{B}_{KEM}$ forwards $f_i$ to $\mathcal{C}$. It then gets the answer from $\mathcal{C}$ and forwards it to $\mathcal{B}$.
3. When $\mathcal{B}$ makes a tampering query $T_i = (T^{pre}_{1,i}, T^{pre}_{2,i})$, $\mathcal{B}_{KEM}$ forwards $T_i$ to $\mathcal{C}$ and gets the tampered key $\tilde{k}_i$.
4. When $\mathcal{B}$ asks decryption queries $c = (c_0, c_1)$ with respect to the $i$-th tampered key (say), $\mathcal{B}_{KEM}$ first checks if $i \in [t]$. If so, it checks if it already has the $i$-th tampered key. If not, it makes the $i$-th tampering query to $\mathcal{C}$ to get $\tilde{k}_i$. It then runs $\mathrm{SKE.Dec}(\tilde{k}_i, c_1)$ and returns the resulting message to $\mathcal{B}$.
5. When $\mathcal{B}$ asks a decryption query $c = (c_0, c_1)$ with respect to the original secret key, $\mathcal{B}_{KEM}$ forwards $c_0$ to the challenger $\mathcal{C}$ and gets the answer $k$. It then runs $\mathrm{SKE.Dec}(k, c_1)$ and returns the resulting message to $\mathcal{B}$.
6. In the challenge phase, when $\mathcal{B}$ submits two messages $m_0, m_1$ of equal length, $\mathcal{B}_{KEM}$ asks the external challenger $\mathcal{C}$ for a ciphertext-key pair $(c^*_0, k^*)$. It then randomly chooses a bit $b$ and computes the ciphertext $c^*_1 = \mathrm{SKE.Enc}(k^*, m_b)$. It then sends $c^* = (c^*_0, c^*_1)$ to $\mathcal{B}$.
7. In the post-challenge phase, the leakage, tampering and decryption queries are handled identically to the pre-challenge phase, except that when $\mathcal{B}$ asks a decryption query on $c = (c^*_0, c^*_1)$, $\mathcal{B}_{KEM}$ uses the key $k^*$ to decrypt.
8. Finally, $\mathcal{B}_{KEM}$ outputs whatever $\mathcal{B}$ outputs.
For the analysis, note that when the external challenger $\mathcal{C}$ generates a ciphertext-key pair using $(c^*_0, k^*) \leftarrow \mathrm{KEM.Encap}(pk')$, $\mathcal{B}_{KEM}$ acts identically to the real game. On the other hand, if $\mathcal{C}$ chooses the encapsulation key $k^*$ uniformly at random, this corresponds to the hybrid $\mathrm{Hyb}_1$. Also, note that since $k^*$ is chosen uniformly at random from the encapsulation key space (bit strings of length $u$), the min-entropy of $k^*$ even given the tampered keys $\tilde{k} = (\tilde{k}_1, \cdots, \tilde{k}_t)$ is $\widetilde{H}_\infty(k^* \mid (pk', c^*, \tilde{k})) = \widetilde{H}_\infty(k^*) = -\log(2^{-u}) = u$. Hence by Lemma 3, we have:
$$\widetilde{H}_\infty\big(k^* \mid (pk', c^*, \mathrm{Dec}(\tilde{k}_1, \cdot), \cdots, \mathrm{Dec}(\tilde{k}_t, \cdot))\big) = \widetilde{H}_\infty\big(k^* \mid (pk', c^*, \tilde{k} = (\tilde{k}_1, \cdots, \tilde{k}_t))\big) = u.$$
Thus, we get:
$$\mathrm{Adv}^{\text{AFL-IND-CCA-BLT}}_{\mathcal{B}_{KEM},\mathrm{KEM}}(\kappa) = \frac{1}{2}\left|\mathrm{Adv}^{\text{AFL-IND-CCA-BLT}}_{\mathcal{B},\mathrm{BLT}}(\kappa) - \mathrm{Adv}^{\text{AFL-IND-CCA-BLT}}_{\mathcal{B},\mathrm{Hyb}_1}(\kappa)\right| \ge \frac{1}{2p(\kappa)}.$$
In the next claim we show that the advantage of any PPT adversary in $\mathrm{Hyb}_1$ is negligible.
Claim. $\mathrm{Adv}^{\text{AFL-IND-CCA-BLT}}_{\mathcal{B},\mathrm{Hyb}_1}(\kappa) \le \mathrm{Adv}^{\mathrm{SKE}}_{\varphi,\mathcal{B}}(\kappa)$.
Proof. We now describe an adversary $\mathcal{A}_{SKE}$ for the symmetric-key encryption scheme $\varphi$. $\mathcal{A}_{SKE}$ proceeds identically to $\mathrm{Hyb}_1$, except that all of the symmetric-key operations are forwarded to the external SKE challenger of $\varphi$. In more detail, $\mathcal{A}_{SKE}$ proceeds as follows:
1. In the key generation phase, $\mathcal{A}_{SKE}$ generates two key pairs $(pk_1, sk_1)$ and $(pk_2, sk_2)$ by invoking the algorithm $\mathrm{KEM.Gen}$. It then forwards $pk' = (pk_1, pk_2)$ to the adversary $\mathcal{B}$.
2. In the pre-challenge phase, when $\mathcal{B}$ makes leakage queries $f_i = (f^{pre}_{1,i}, f^{pre}_{2,i})$, $\mathcal{A}_{SKE}$ computes $(f^{pre}_{1,i}(sk_1), f^{pre}_{2,i}(sk_2))$ and returns the answers to $\mathcal{B}$, as long as the leakage bounds are respected.
3. When $\mathcal{B}$ makes a tampering query $T_i = (T^{pre}_{1,i}, T^{pre}_{2,i})$, $\mathcal{A}_{SKE}$ computes the tampered secret key $\widetilde{sk}_i = (T^{pre}_{1,i}(sk_1), T^{pre}_{2,i}(sk_2))$. On input a decryption query $c = (c_0, c_1)$ under the tampered key $\widetilde{sk}_i$ (say), $\mathcal{A}_{SKE}$ decrypts $c_0$ under $\widetilde{sk}_i$ to get an encapsulation key $\tilde{k}_i$, and then runs $\mathrm{SKE.Dec}(\tilde{k}_i, c_1)$, returning the result to $\mathcal{B}$.
4. When $\mathcal{B}$ asks a decryption query $c = (c_0, c_1)$ with respect to the original secret key $sk'$, $\mathcal{A}_{SKE}$ decrypts $c_0$ itself to get an encapsulated key $k$, and then runs $\mathrm{SKE.Dec}(k, c_1)$, returning the result to $\mathcal{B}$.
5. In the challenge phase, when $\mathcal{B}$ submits two messages $m_0, m_1$, $\mathcal{A}_{SKE}$ generates a ciphertext-key pair $(c^*_0, k)$. It then submits $m_0, m_1$ to the challenger of $\varphi$ and gets back the ciphertext $c^*_1$ (under some key $k^*$). $\mathcal{A}_{SKE}$ then returns $c^* = (c^*_0, c^*_1)$ to $\mathcal{B}$.
6. In the post-challenge phase, the leakage, tampering and decryption queries are handled identically to the pre-challenge phase, except that if $\mathcal{B}$ asks a decryption query $c = (c^*_0, c_1) \neq c^*$, $\mathcal{A}_{SKE}$ asks the challenger of $\varphi$ to decrypt $c_1$.
7. Finally, $\mathcal{A}_{SKE}$ outputs whatever $\mathcal{B}$ outputs.
From the above simulation, we get that $\mathrm{Adv}^{\text{AFL-IND-CCA-BLT}}_{\mathcal{B},\mathrm{Hyb}_1}(\kappa) \le \mathrm{Adv}^{\mathrm{SKE}}_{\varphi,\mathcal{B}}(\kappa)$. Since $\varphi$ is a CCA-secure SKE scheme, it follows that $\mathrm{Adv}^{\mathrm{SKE}}_{\varphi,\mathcal{B}}(\kappa)$ is negligible (in $\kappa$). Thus, $\mathrm{Adv}^{\text{AFL-IND-CCA-BLT}}_{\mathcal{B},\mathrm{Hyb}_1}(\kappa)$ is also negligible in $\kappa$.