The faking simulators - B Computational implementation

B Computational implementation

C.2 The faking simulators

We define a sequence of simulators Sim1, . . . ,Sim7. Each will be indistinguishable of the pre-

ceding one (this is shown in Lemma 2 below).

Using fresh randomness for encryption. The first simulatorSim1 is defined likeSim, ex-

cept that we change the definition of β as follows: When invoking β(ek(N)) or β(dk(N)), a fresh key pair(ekN,dkN)is chosen as(ekN,dkN)←KeyGen()(KeyGenis defined in implemen-

tation condition 25), unless this key pair has been chosen before, andekN or dkN is returned,

respectively. Similarly, in τ(c), instead of invoking Adec(Adk(rN), c), we invoke Adec(dkN, c).

(That is, instead of using the randomness rN, we use fresh randomness for the key genera-

tion.) When invokingβ(enc(ek(t1), t2, M)), instead of computingAenc(β(ek(t1)), β(t2), rM), we

computeEnc(β(ek(t1)), β(t2))(Encis defined in implementation condition 25).

Using the real challenger. The simulatorSim2 is defined likeSim1, except for the following

changes:

• Sim2maintains an instance of the real challenger (Definition 2) for the encryption scheme

(KeyGen,Enc,Dec)(defined in implementation condition 25).

• Instead of invoking Adec(dkN, c) in a call to τ(c), we query the real challenger with decch(N, c). The bitstring returned bydecch(N, c)is used instead ofAdec(dkN, c). • When the adversary E queries the random oracle on input x, Sim2 queries oraclech(x)

from the real challenger instead.

• Instead of computingβ(t)to produce a bitstring to be sent to the adversary, the simulator runs R :=β∗_(t)_{(see below), queries} _reveal_ch(R) _{from the real challenger, and uses the} output of therevealch(R)query instead ofβ(t). The procedureβ∗_(t)_{is defined as follows:}

– If there already was a callβ∗_(t)_{with the same}_t_{, the register}_R_{returned by that call} β∗_(t)_{is returned. (In particular, we do not repeat the queries performed by the first} β∗_(t)_-call.)

– β∗_(ek(N₎₎ _{picks a fresh register name} _R_{, queries} _R _:= _getek_ch(N₎ _{from the real} challenger, and returnsR.

– β∗_(dk_(N₎₎_invokes_β∗_(ek(N₎₎_{(discarding the output), picks a fresh register name}_R_, queries R:=getekch(N)from the real challenger, and returnsR.

– β∗(enc(ek(N), t2, M))with N, M ∈ Rruns R:=β∗(t2), picks a fresh register name

R′, queriesR′:=encch(N, R), and returnsR′.

– β∗_(enc(ek(N_{), t}

2, M)) with N ∈ NE, M ∈ R picks some randomness r, computes the Boolean circuit C that on inpute, mwith lengths ℓ(ek(M)) andℓ(t2)computes Enc(e, m)with randomnessr (Encis defined in implementation condition 25). Then β∗ _queries _R

1 := β∗(ek(N)), R2 := β∗(t2), picks a fresh register name R, queries

R:=evalch(C, R1, R2), and returnsR.

– For all other terms, β∗ _{behaves analogously to}_β_{, except that it computes the value} that β would compute within a register. More precisely: Ifβ(t)performs callsm1:=

β(t1), . . . , mn := β(tn) and then returns f(m1, . . . , mn) for some function f, then

β∗_(t)_invokes_R

f (for input lengths ℓ(t1), . . . , ℓ(tn)), picks a fresh register name R, queries R :=

evalch(C, R1, . . . , Rn), and returnsR.

For example: β∗_(sig_(t

1, t2, N))withN ∈ RrunsR1:=β∗(t1),R2:=β∗(t2), computes

the circuitCsig that on inputss, mof lengthsℓ(t1), ℓ(t2)returnsAsig(s, m, rN), picks

a fresh register nameR, queriesR:=evalch(Csig, R1, R2), and returnsR.

• Beforeτ(m)is invoked (when translating a bitstringmfrom the adversary to the protocol), for any invocation of R := β∗_(t) _{that has occurred so far,} _Sim

1 invokes revealch(R) if

X,redi(S)⊢redi(t)whereS is the set of terms received from the protocol so far andX is the set of all variablesxc_{. (This is to ensure that rules like “}_{τ(e) :=}_ek(N)_iff_e_{was output} byβ(ek(N))” work correctly.)

Using the malicious-key extractor. The simulatorSim3is defined likeSim2, except for the

following change: LetMKE be the malicious-key extractor for(KeyGen,Enc,Dec); MKE exists by implementation condition 26. After invoking t = τ(m) and before sending the term t to the protocol,Sim3 runs, for each variable xc that has been produced by τ so far, the extractor

MKE on the list of alloraclech(x)-queries and on the ciphertextc. For each messagem˜ output by MKE, Sim3 computes τ(m) and discards the result (but performs, if necessary, additional

invocations ofMKE ifτ produces new variablesxc_).

Furthermore,Sim3aborts if the following happens during some point of the execution. There

is a decch(N, c)-query that returns a messagem˜ such that m˜ wasnot contained in the output ofMKE in the step in which the variablexc _{first occurred. (We call such an abort a}_malicious-

key-extraction-failure.)

Using the fake challenger. The simulator Sim4 is defined likeSim3, except that it uses the

fake challenger Definition 4 instead of the real challenger.

Using the ciphertext simulator directly. The simulatorSim5 is defined like Sim1 except

for the following changes:

• For each N ∈ N_P_, _Sim₅ _{maintains an instance} _CSN _{of the ciphertext simulator (Defini-}

tions 3 and 8) for the encryption scheme (KeyGen,Enc,Dec)from implementation condition 25. (No real/fake challenger is not used, we access the ciphertext simulators directly.) Sim5 also maintains an instance of the random oracleO and allows the ciphertext simu-

lators to access/programOand to get the list of queries (see Definition 3). Furthermore, Sim5maintains setscipherN and listsplainN for allN ∈NP, all initially empty.

• Instead of invokingAdec(dkN, c)in a call toτ(c), we queryCSN withdeccs(c)ifc /∈cipherN and we use the value⊥ifc∈cipherN.

• When the adversaryE queries the random oracle on inputx, Sim5 replies withO(x).

• Instead of computingβ(t)to produce a bitstring to be sent to the adversary, the simulator first call R:=β′_(t)_{(see below), then uses} _β†_(t)_{(see below) instead of}_β(t)_{. (The return} value of β′_(t)_{is ignored here. However, the description of} _β† _{refers to the outputs made} byβ′_{. The only purpose of}_β′ _{is to keep track of what}_β∗_{-calls would have occurred in the} execution ofSim4.)

The procedure β′ _{is defined like} _β∗ _from _Sim

2, except that β′ does not send any oracle

queries to the real challenger. (Note that β∗ _{only performs queries that do not return} answers, so these queries are not needed for computing the answer ofβ∗_.)

– If there already was a call β†_(t) _{with the same} _t_{, the bitstring returned by that call} β†_(t)_{is returned.}

– β†_(ek(N₎₎_{: Query}_CSN _with_getek_cs()_{. Return the answer.}

– β†_(enc(ek_(N_{), t}

2, M))withN, M ∈ Rand there was nogetdkcs()query toCSN yet:

We abbreviatet:=enc(ek(N), t2, M). LetR be the output that was returned when

β′_(t)_{was invoked, and}_R

1that ofβ′(t2). QueryCSN withfakeenccs(R, ℓ(t)). Denote

the answer withc. Appendc tocipherN and append(R7→R1)toplainN. Returnc.

– β†_(enc(ek_(N_{), t}

2, M))withN, M ∈ R and there was agetdkcs()query to CSN: We

abbreviatet:=enc(ek(N), t2, M). Computem:=β†(t2). LetRdenote the output of

β′_(t)_{, and}_R

1 that ofβ′(t2). QueryCSN withenccs(R, m). Denote the answer with

c. Appendcto cipher_N and append(R7→R1)toplainN. Returnc.

– β†_(dk_(N₎₎_{: Invoke} _β†_(ek(N)) _{(and discard the return value).} _Query _CSN _with getdkcs(). Denote the answer withd. Do the following for each (R7→R′₎_∈_plain

N: Find the t such that an invocation of β′_(t) _returned_R′_{. Call}_m_:= _β†_(t)_{. Send the} queryprogramcs(R, m)to CSN. Finally, returnd.

– For all other terms, β† _{behaves like}_β_.

• Beforeτ(m)is invoked (when translating a bitstringmfrom the adversary to the protocol), for any invocation ofβ′_(t)_{that has occurred so far,}_Sim

1invokesβ†(t)ifX,redi(S)⊢redi(t)

where S is the set of terms received from the protocol so far and X is the set of all variablesxc_.

Using fresh randomness for signatures. The simulatorSim6 is defined like Sim5, except

that we change the definition of β† _{as follows: When invoking} _β₍_vk_(N)) _or _β(_sk_(N₎₎ _with

N ∈N_P_{, a fresh key pair}₍_vk_N_,_skN₎_{is chosen using the key generation algorithm}_SKeyGen_from implementation condition 27, unless this key pair has been chosen before, and vkN or dkN is

returned, respectively. When invoking β(sig(sk(N), t, M)) with N, M ∈ N_P_{, instead of com-} putingAsig(Ask(rN), β(t), rM)we computeSig(Ask(rN), β(t2))(Sigis defined in implementation

condition 27).

Using a signing oracle. The simulator Sim7 is defined like Sim6, except that it maintains

instancesOsig_N of a signing oracle for the signature scheme(SKeyGen,Sig,Verify)from implementation condition 27 (with queries for signing, for getting the verification key, and for getting the signing key). There is an instance for any N ∈ N_P_{, each instance is initialized when} used the first time. When invoking β(vk(N)), instead of generating a key pair (vkN,skN), Sim7 queries the verification key vkN from OsigN. When invokingβ(sk(N)), instead of generat-

ing a key pair (vkN,skN), Sim7 queries the signing key skN from Osig_N. Instead of computing

Sig(β(sk(N)), β(t2)),Sim7 sends a signing query with messageβ(t2)toOsigN.

In document Computational Soundness without Protocol Restrictions (Page 30-32)