Simulation-based Selective Opening CCA Security for PKE from
Key Encapsulation Mechanisms
?Shengli Liu1 and Kenneth G. Paterson2 1
Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China 2
Information Security Group, Royal Holloway, University of London [email protected] [email protected]
Abstract. We study simulation-based, selective opening security against chosen-ciphertext attacks (SIM-SO-CCA security) for public key encryption (PKE). In a selective opening, chosen-ciphertext at-tack (SO-CCA), an adversary has access to a decryption oracle, sees a vector of ciphertexts, adaptively chooses to open some of them, and obtains the corresponding plaintexts and random coins used in the creation of the ciphertexts. The SIM-SO-CCA notion captures the security of unopened ciphertexts with respect to probabilistic polynomial-time (ppt) SO-CCA adversaries in a semantic way: what a ppt SO-CCA adversary can compute can also be simulated by a ppt simulator with access only to the opened messages. Building on techniques used to achieve weak deniable encryption and non-committing encryp-tion, Fehret al.(Eurocrypt 2010) presented an approach to constructing SIM-SO-CCA secure PKE from extended hash proof systems (EHPSs), collision-resistant hash functions and an information-theoretic primitive called Cross Authentication Codes (XACs). We generalize their approach by introducing a special type of Key Encapsulation Mechanism (KEM) and using it to build SIM-SO-CCA secure PKE. We investigate what properties are needed from the KEM to achieve SIM-SO-CCA security. We also give three instantiations of our construction. The first uses hash proof systems, the second relies on then-Linear assumption, and the third uses indistinguishability obfuscation (iO) in combination with extracting, puncturable Pseudo-Random Functions in a similar way to Sahai and Waters (STOC 2014). Our results establish the existence of SIM-SO-CCA secure PKE assuming only the existence of one-way functions andiO. This result further highlights the simplicity and power ofiOin constructing different cryptographic primitives.
1
Introduction
Selective Opening Attacks (SOAs) concern a multi-user scenario, where an adversary adaptively corrupts a set of users to get their secret state information. In the case of public key encryption (PKE), we assume that several senders send ciphertexts encrypting possibly correlated messages to a receiver. The SOA adversary is able to (adaptively) corrupt some senders, exposing their messages and also the random coins used to generate their ciphertexts. Security against selective opening attacks (SOA security) considers whether the uncorrupted ciphertexts remain secure.
There are two ways of formalizing SOA security: indistinguishability-based (IND-SO) and simulation-based (SIM-SO). According to whether the adversary is able to access to a decryption oracle during its attack, SOA security is further classified into IND-SO-CPA, IND-SO-CCA, SIM-SO-CPA and SIM-SO-CCA. In the formalization of SOAs, we allow a probabilistic polynomial-time (ppt) adversary to get the public key, a vector of challenge ciphertexts, and to adaptively corrupt (open) some ciphertexts to obtain opened plaintexts and random coins (and also access to a decryption oracle in the case of SO-CCA). The IND-SO security notions require that the real messages (used to generate the challenge ciphertexts) and re-sampled messages conditioned on the opened messages are computationally indistinguishable to an SOA adversary. Here we have to assume that the joint message distributions areefficiently conditionally re-samplableafter the opened messages are exposed. On the other hand, the SIM-SO security notions have no such limitations. They require that what a probabilistic polynomial-time (ppt) SOA adversary can compute from the information it has learned can be simulated by a ppt simulator only knowing the opened plaintexts. SIM-SO security seems to be stronger than IND-SO security and significantly harder to achieve. We note the existence of a stronger IND-SO security notion, namely full IND-SO security, which imposes no limitation on the joint message distributions. However, there is no PKE achieving full IND-SO-CPA security yet. The relations among SIM-SO security, IND-SO security, and traditional IND-CPA/CCA security were explored in [5, 17]. ?An extended abstract of this paper will be published in the proceedings of the 18th International Conference on
Lossy encryption [3] has shown itself to be a very useful tool in achieving IND-SO-CPA security. Different approaches to achieving IND-SO-CCA security include the use of lossy trapdoor functions [22],
All-But-N [14], and All-But-Many lossy trapdoor functions [15]. The basic idea is to make sure that only challenge ciphertexts are lossy encryptions, while ciphertexts queried by the adversary are normal encryptions. If there exists an efficient opener which can open a lossy encryption to an encryption of an arbitrary message, then an IND-SO-CCA secure PKE can also been shown to be SIM-SO-CCA secure. However, it seems that, to date, only a single, DCR-based PKE scheme [15] is known to have this property.
In [12], Fehr et al. proposed a black-box PKE construction to achieve SIM-SO-CCA security based on an Extended Hash Proof System (EHPS) associated with a subset membership problem, a collision-resistant hash function and a new information-theoretic primitive called Cross-Authentication Code (XAC). As pointed in [18, 19], a stronger property of XACs is needed to make the security proof rigorous.
1.1 Our Contributions
We generalize the black-box PKE construction of Fehret al.[12] by using a special kind of key encapsulation mechanism (KEM) in combination with a strengthened XAC. Essentially, the KEM replaces the EHPS component in [12], opening up a new set of construction possibilities. In more detail:
– We characterise the properties needed of a KEM for our PKE construction to be SIM-SO-CCA secure. At a high level, these properties are that the KEM should have efficiently samplable and explainable (ESE) ciphertext and key spaces; tailored decapsulation; andtailored, constrained chosen-ciphertext (tCCCA) security. Here tailored decapsulation roughly means that the valid ciphertexts output by the KEM are sparse in the ciphertext space, while tCCCA security is an extension of the CCCA security notion of [16]. If a KEM has all three properties, then we say that it is atailored KEM.
– We show three constructions for tailored KEMs, including one based on hash proof systems (HPS) [8], a specific KEM from the n-Linear assumption [16] (but different from the HPS-based one) and one constructed from indistinguishability Obfuscation (iO) in combination with an extracting puncturable Pseudo-Random Function (PRF) [23]. Consequently, we obtain PKEs of three different types, all enjoying SIM-SO-CCA security. Thus, by adopting the KEM viewpoint, we significantly enlarge the scope of Fehr et al.’s construction.
– Since our PKE construction does not rely on collision-resistant hash functions, we immediately obtain the following results:
• PKE with SIM-SO-CCA security from HPS and strengthened XACs (as compared to the PKE construction of [12] using EPHS, a strong XAC, and a collision-resistant hash function).
• PKE with SIM-SO-CCA security from then-Linear assumption in a way that differs from our HPS-based construction.
• PKE with SIM-SO-CCA security assuming only the existence ofiOand one-way functions.
1.2 Ingredients of Our Main Construction
We follow the outline provided by the black-box PKE construction of Fehret al. [12]. Observing that the EHPS used in [12] can actually be viewed as a KEM, our construction can be considered as a generalization of their result. We first outline the properties of KEMs and XACs needed for our result, before describing the construction and its security analysis at a high level.
The KEM component in our construction needs to be “tailored” with the following properties:
(1) Efficiently samplable and explainable (ESE) domains. The key spaceK and ciphertext spaceC of the KEM should both be ESE domains. (Meaning that, given a randomised sampling algorithm SampleDforD, there exists an efficient algorithm,SampleD−1(D,·), with the property that, given element
dfrom a domainDas input,SampleD−1(D,·) outputs valueRsuch thatdcan be “explained” as having been sampled usingR, i.e., d=SampleD(D;R).)
(3) Tailored, constrained CCA (tCCCA) security. The output of the encapsulation algorithm is com-putationally indistinguishable from (KR, ψR), a pair of key and ciphertext randomly chosen fromK × C, for any ppt adversary, even if the adversary has access to a constrained decryption oracle. The adversary is allowed to make queries of the form (ψ, P(·)) to the constrained decryption oracle, where ψ is an element ofC andP(·) is a ppt predicate, such thatP(·) :K → {0,1}evaluates to 1 only for a negligible fraction of keys. The constrained decryption oracle will provide the decapsulated K to the adversary if only ifP(K) = 1.
We will also need a strengthened XAC definition. A strengthened `-XAC is a collection of algorithms XAC= (XGen,XAuth,XVer) having the following properties:
Authentication and Verification. Algorithm XAuth computes a tag T ← XAuth(K1, . . . , K`) from ` inputs (which will be random keys in our construction). Any Ki used in generating the tag T almost always satisfiesXVer(Ki, T) = 1.
Security against impersonation/substitution attacks. Security against impersonation attacks means that, given a tag T, a randomly chosen key K will almost always fail verification with this specific tag, i.e., XVer(K, T) = 0. A substitution attack considers an (all-powerful) adversary who obtains a tag
T =XAuth(K1, . . . , K`) and tries to forge a tag T0 6=T such that XVer(Ki, T0) = 1, where Ki is one of the keys used in computingT. Security against substitution attacks requires that, if Ki is randomly chosen, then any adversary succeeds in outputtingT0 withT0 6=T andXVer(Ki, T0) = 1 with negligible probability, even if it is givenT and all keys exceptKias input.
Strongness and semi-uniqueness. Strongness says that when Ki is randomly chosen, then Ki, given (Kj)j∈[`],j=6 i and the tag T = XAuth(K1, . . . , K`), is re-samplable with the correct probability dis-tribution. That is to say, there exists a ppt algorithm ReSample((Kj)j∈[`],j6=i, T) such that ReSample
outputs a key ˆKi that is statistically indistinguishable from Ki, even given (Kj)j∈[`],j6=i and T =
XAuth(K1, . . . , K`). Semi-uniqueness says that it is possible to parse a keyK as (Kx, Ky)∈ Kx× Ky for
some setsKx,Ky, and for everyKx∈ Kxand a tagT, there is at most oneKy∈ Ky such that (Kx, Ky)
satisfiesXVer((Kx, Ky), T) = 1.
1.3 Overview of Our Main Construction
Given a tailored KEMKEM and a strengthened (`+s)-XACXAC, our construction of a PKE schemePKE is as follows. (See Figure 4 for full details.)
– The public key of PKE is the public key pkkem of KEM, an injective function F with domain C` and
range (Ky)s, and a vector of values (Kx1, . . . , Kxs)∈(Kx)
s. The secret key of PKEissk
kem, the secret
key of KEM.
– The encryption operates in a bitwise mode. Let the`-bit message bem1||. . .||m`. • Whenmi= 1, we set (Ki, ψi)←KEM.Encap(pkkem).
• Whenmi= 0, we choose (Ki, ψi) randomly fromK × C.
• After encrypting ` bits, we compute F(ψ1, . . . , ψ`) to get (Ky1, . . . , Kys), and construct s extra
keys K`+j = (Kxj, Kyj) for j = 1, . . . , s. All `+s keys are then used to compute a tag T =
XAuth(K1, . . . , K`+s).
• Finally, thePKEciphertext isC= (ψ1, . . . , ψ`, T).
– The decryption also operates in a bitwise fashion. Omitting some crucial details, we first recompute (Ky1, . . . , Kys) using F and (ψ1, . . . , ψ`), reconstruct K`+j for j = 1, . . . , s, and then verify the
cor-rectness of T using each K`+j in turn. Assuming this step passes, for each i, we compute Ki ←
KEM.Decap(skkem, ψi), and set the recovered message bit as the output ofXVer(Ki, T). (WhenKi=⊥,
we set XVer(Ki, T) = 0).
Now, in the above decryption procedure, a KEM decapsulation error occurs whenevermi= 0. However,
1.4 SIM-SO-CCA Security of Our Main Construction
We follow the techniques of non-committing and deniable encryption [7, 6, 10, 20] and try to create equiv-ocable ciphertexts that not only can be opened arbitrarily but that are also computationally indistin-guishable from real ciphertexts. In our construction, the equivocable ciphertexts are in fact encryptions of ones. Note that tCCCA security of KEM ensures that (K, ψ)≈c (KR, ψR), where (K, ψ) is the output
ofKEM.Encap(pkkem) and (KR, ψR) is randomly chosen fromK × C. On the other hand, bothKandC are
ESE. Therefore, (K, ψ) encrypting 1 can always be explained as a random pair (KR, ψR) encrypting 0 by
exposing the randomness output fromSampleK−1(K, K) andSampleC−1(C, ψ).
However, this is not sufficient in the SO-CCA setting since the adversary is able to query its decryption oracle and perform corruptions, and it might then be easy for the adversary to distinguish an encryption of ones and an encryption of a real message. For example, consider an adversary that is given a ciphertext
C = (ψ1, ψ2, . . . , ψ`, T), where C is either an encryption of ones but opened as zeros with re-explained
randomness, or an encryption of zeros being opened honestly. In fact, opened randomness exposes allKi’s to
the adversary. Then the adversary can generate a different ciphertextC0= (ψ1, ψ2, . . . , ψ`, T0) as follows. A
new tagT0 (T0 6=T) is computed asT0 :=XAuth(K10, K2, . . . , K`+s), where K10 is randomly chosen and all otherKi’s (2≤i≤`+s) are the same as inT. The decryption ofC0will be (0,1, . . . ,1) ifCis an encryption of ones but (0,0, . . . ,0) ifC is an encryption of zeros! The problem is that the opened randomness discloses
Ki and that gives too much information to the adversary, especially when (Ki, ψi) encodes 0. To solve this problem, we have to use a different method to openKi so that the adversary obtains no extra information about Ki when (Ki, ψi) encodes 0: first, we use algorithm ReSample of XAC to resample Ki to obtain a statistically indistinguishable ˆKi; then we call SampleK−1(K,Kiˆ ) andSampleC−1(C, ψi) to open ( ˆKi, ψi) to an encryption of 0. Now an encryption of ones, say C = (ψ1, ψ2, . . . , ψ`, T), is able to play the role of an equivocable ciphertext, due to the tCCCA security of KEM and the security ofXAC.
Consequently, we can build a simulatorSwith respect to an adversaryAto prove SIM-SO-CCA security: S simulates the real environment forA by generating public and private keys, and uses the private key to answerA’s decryption queries;S createsnchallenge ciphertexts all of which are encryptions of ones; when Amakes a corruption query concerning a challenge ciphertextC,S can openCbit-by-bit according to the real message. If the bitmiis 1, it opens (Ki, ψi) honestly, otherwise it opens (Ki, ψi) to 0 by usingReSample, SampleC−1 andSampleK−1.
1.5 Related Work
The SOA security notion was first formally proposed by Dworket al.[11]. SIM-SO-CPA and IND-SO-CPA notions were given by Bellareet al.[3]. The relations among SOA security notions and traditional IND-CPA security were investigated in [5, 17]. Bellareet al. [4] proposed the first SIM-SO-CPA secure Identity-Based Encryption (IBE), while also adopting the non-committing technique and weak deniable encryption. Laiet al. [21] proposed the first construction for SIM-SO-CCA secure IBE from a so-called extractable IBE, a collision-resistant hash function, and a strengthened XAC. Recently, Sahai and Waters [23] introduced the puncturable programming technique and employed puncturable PRFs and Indistinguishability Obfuscation (iO) to obtain a variety of cryptographic primitives including deniable encryption with IND-CPA security, PKE with IND-CPA and IND-CCA security, KEM with IND-CCA security, injective trapdoor functions, etc. It should be noted that any IND-CPA secure deniable encryption with ESE ciphertext space implies a PKE with SIM-SO-CPA security. Therefore, the deniable encryption scheme in [23] that is based on a puncturable PRF andiOimplicitly already gives us a SIM-SO-CPAsecure PKE. Our result establishes that SIM-SO-CCA security is achievable from puncturable PRFs andiO as well, albeit via the combination of an IND-CCA secure KEM and a strengthened XAC.
2
Preliminaries
We uses1, . . . , st←Sto denote picking elementss1, . . . , stuniformly from setS. Let|S|denote the size of set
S. Let [n] denote the set{1, . . . , n}. Lets1ks2k. . .denotes the concatenation of strings. For a probabilistic polynomial-time (ppt) algorithm A, we denote y ← A(x;R) the process of running A on input x with randomness R, and assigning y as the result. Let RA denote the randomness space of A, and y ← A(x)
denotey ←A(x;R) with Rchosen from RA uniformly at random. LetUn denote the uniform distribution
f(κ) <1/κc for all κ > κc. Let ≈c (resp. ≈s) denote computational (resp. statistical) indistinguishability
between two ensembles of random variables.
We use boldface letters for vectors. For a vectorm of finite dimension, let |m| denote the length of the vector. For a setI={i1, i2, . . . , i|I|} ⊆[|m|], we definem[I] := (m[i1],m[i2], . . . ,m[i|I|]).
2.1 Public Key Encryption
A public key encryption (PKE) scheme is made up of three ppt algorithms:
KeyGen(1κ) takes as input the security parameterκ, and outputs a public key and a secret key (pk, sk).
Enc(pk, M) takes as input the public keypk and a messageM and outputs a ciphertextC.
Dec(sk, C) takes as input the secret keyskand a ciphertextCand outputs either a messageM or a failure symbol ⊥.
The correctness of a PKE scheme is relaxed to allow a negligible decryption error(κ). That is,Dec(sk,Enc(pk, M)) =
M holds with probability at least 1−(κ) for all (pk, sk)←KeyGen(1κ), where the probability is taken over
the coins used in encryption.
Let m and r be two vectors of dimension n :=n(κ). Define Enc(pk,m;r) := (Enc(pk,m[1];r[1]), . . . ,
Enc(pk,m[n];r[n])). Herer[i] is the fresh randomness used for the encryption ofm[i] fori∈[n].
2.2 Simulation-based, Selective Opening CCA Security of PKE
We review the simulation-based definition of security for PKE against selective opening, chosen-ciphertext adversaries from [12].Let M denote an n-message sampler, which on input string α ∈ {0,1}∗ outputs an
n-vectorm= (m[1], . . . ,m[n]) of messages. LetRbe any ppt algorithm outputting a single bit.
Definition 1 (SIM-SO-CCA Security) A PKE scheme PKE=(KeyGen, Enc, Dec) is simulation-based, selective opening, chosen-ciphertext secure (SIM-SO-CCA secure) if for every ppt n-message sampler M, every ppt relationR, every restricted, stateful ppt adversaryA= (A1,A2,A3), there is a stateful ppt simulator S= (S1,S2,S3) such thatAdvso-ccaPKE,A,S,n,M,R(κ)is negligible, where
Advso-ccaPKE,A,S,n,M,R(κ) = Pr
h
Expso-cca-realPKE,A,n,M,R(κ) = 1i−PrhExpso-cca-idealPKE,S,n,M,R(κ) = 1i
and experiments Expso-cca-realPKE,A,n,M,R(κ) andExp
so-cca-ideal
PKE,S,n,M,R(κ)are defined in Figure 1. Here the restriction on
Ais thatA2,A3are not allowed to query the decryption oracleDec(·)with any challenge ciphertextc[i]∈c.
Expso-cca-realPKE,A,n,M,R(κ): (pk, sk)←KeyGen(1κ) (α, a1)← ADec(
·) 1 (pk)
m← M(α),r←coins c←Enc(pk,m;r) (I, a2)← A
Dec∈/c(·)
2 (a1,c)
outA← A
Dec∈/c(·)
3 (a2,m[I],r[I]) returnR(m, I, outA)
Expso-cca-idealPKE,S,n,M,R(κ):
(α, s1)← S1(1κ)
m← M(α)
(I, s2)← S2(s1,(1|m[i]|)i∈[n])
outS← S3(s2,m[I]) returnR(m, I, outS)
Fig. 1.Experiments used in the definition of SIM-SO-CCA security of PKE.
2.3 Key Encapsulation Mechanisms
A Key Encapsulation Mechanism (KEM)KEMconsists of three ppt algorithms (KEM.Kg,KEM.Enc,KEM.Dec). LetKbe the key space associated with KEM.
KEM.Encap(pk) takes as input the public keypk and outputs a keyK and a ciphertext (or encapsulation)
ψ.
KEM.Decap(sk, ψ) takes as input the secret keysk and a ciphertext ψ, and outputs either a key K or a failure symbol ⊥.
The correctness condition on a KEMKEMis thatKEM.Decap(sk, ψ) =K holds for allκ∈N, all (pk, sk) ←KEM.Kg(1κ), and all (K, ψ)←KEM.Encap(pk).
2.4 Efficiently Samplable and Explainable (ESE) Domain
A domain D is said to be efficiently samplable and explainable (ESE) [12] if associated with D are the following two ppt algorithms:
Sample(D;R) : On input (a description of) domainDand random coinsR← RSample, this algorithm outputs an element that is uniformly distributed overD.
Sample−1(D, x) : On input (a description of) domain Dand any x∈ D, this algorithm outputsR that is uniformly distributed over the set{R∈ RSample |Sample(D;R) =x}.
Clearly D={0,1}κ is ESE withR =Sample(D;R) =Sample−1
(D, R). It was shown by Damg˚ard and Nielsen in [10] that any dense subset of an efficiently samplable domain is ESE as long as the dense subset admits an efficient membership test. Hence, for example,Z∗Ns for a RSA modulus N is ESE.
2.5 Cross-Authentication Codes (XACs)
Cross-Authentication Codes (XACs) were first proposed by Fehr et al. in [12] and later adapted to strong XACs in [19] and strengthened XACs in [21].
Definition 2 (L-Cross-Authentication Code [12].) For L ∈ N, an L-cross-authentication code XAC
consists of three ppt algorithms (XGen,XAuth,XVer) and two associated spaces, the key space X K and the tag space X T (whose sizes are related to the security parameterκ). The key generation algorithmXGen(1κ) outputs a uniformly random keyK∈ X K, the authentication algorithmXAuth(K1, . . . , KL)computes a tag
T ∈ X T, and the verification algorithmXVer(K, T)outputs a decision bit.
Correctness.For alli∈[L], the probability
failXAC(κ) := Pr[XVer(Ki,XAuth(K1, . . . , KL))6= 1], is negligible, where the probability is taken overK1, . . . , KL← X K.3
Security against impersonation and substitution attacks. Define:
AdvimpXAC(κ) := max
T0 Pr[XVer(K, T
0) = 1|K← X K]
where the maxis over all T0∈ X T, and
AdvsubXAC(κ) := max
i,K6=i,F
Pr
T06=T∧ XVer(Ki, T0) = 1
Ki← X K,
T :=XAuth(K1, . . . , KL),
T0←F(T)
where the maxis over all i∈[L], allK6=i= (Kj)j∈[L],j6=i∈ X KL−1 and all (possibly randomized) functions F :X T → X T. ThenAdvimpXAC(κ)andAdvsubXAC(κ)are both negligible.
Definition 3 (Strong and semi-unique XACs.) AnL-cross-authentication codeXACisstrong and semi-uniqueif it has the following two properties:
3 WhenX K =K
Strongness [19]: Suppose there exists a ppt algorithm ReSamp, which takes as input (Kj)j6=i and T,
with K1, . . . , KL ← XGen(1κ) and T ← XAuth(K1, . . . , KL), and which outputs Kˆi. We write Kˆi ←
ReSamp(K6=i, T). Suppose the statistical distance betweenKˆi output byReSamp andKi, conditioned on
(K6=i, T), is bounded by δ(κ), i.e.,
1 2 ·
X
k∈X K
Pr[ ˆKi=k |(K6=i, T) ]−Pr[Ki=k | (K6=i, T) ]
≤δ(κ).
Then the code XAC is said to be δ(κ)-strong; XAC is said to be strong if there exists ppt algorithm ReSamp such that δ(κ)is negligible in κ.
Semi-Uniqueness [21]: The codeXAC is said to be semi-uniqueifX K can be written asKx× Ky and if,
givenT ∈ X T andKx∈ Kx, there exists at most one Ky ∈ Ky such thatXVer((Kx, Ky), T) = 1.
For completeness, we include below the construction of`-cross-authentication codes proposed by Fehret al.[12]. That it is also strong and semi-unique was shown in [21].
– X K=Ka× Kb=F2q andX T =F`q∪ {⊥}. – (a, b)←XGen, where (a, b)←F2
q.
– T ← XAuth((a1, b1), . . . ,(a`, b`)). Let matrix A∈ F`q×` consists of rows (1, ai, a
2
i, . . . , a `−1
i ) for i ∈[`].
Let B be a column vector consisting of b1, . . . , b` ∈ F`q. IfAT =B has no solution or more than one
solution, set T :=⊥. OtherwiseA is a Vandermonde matrix. Let tagT = (T0, . . . , T`−1) be the column
vector that is uniquely determined by solving the linear systemAT =B.
– Define T(x) =T0+T1x+· · ·+T`−1x`−1 ∈Fq[x] with T = (T0, . . . , T`−1). XVer((a, b), T) outputs 1 if
and only ifT 6=⊥andT(a) =b.
– (a, b)← ReSamp((aj, bj)j6=i,j∈[`], T). Choosea ←Fq such that a6=aj (1 ≤j ≤`, j 6=i) and compute b :=T(a). Conditioned on T =XAuth((a1, b1), . . . ,(a`, b`)) (T 6=⊥) and (aj, bj)j6=i, both of (a, b) and
(ai, bi) are uniformly distributed over the same support.
– Anya∈Fq uniquely determines b:=T(a) =T0+T1a+· · ·+T`−1a`−1 such thatXVer((a, b), T) = 1.
3
KEM Tailored for Construction of PKE with SIM-SO-CCA Security
We describe the properties that are required of a KEM to build SIM-SO-CCA secure PKE; the construction itself is given in the next section.
3.1 Valid Ciphertext Indistinguishability (VCI) of KEMs
SupposeKEM= (KEM.Kg,KEM.Encap,KEM.Decap) is associated with an efficiently recognizable ciphertext space C. For fixed κ, let Ψ ⊂ C denote the set of possible key encapsulations output by KEM.Encap, so
Ψ ={ψ:ψ←KEM.Encap(pk;r),(pk, sk)←KEM.Kg(1κ), r←Coins}. The setΨ is called thevalid ciphertext
set (forκ).
Definition 4 (Valid Ciphertext Indistinguishability) Let KEM be a KEM with valid ciphertext setΨ
and ciphertext spaceC. Define the advantage of an adversaryAin the experiment depicted in Figure 2 to be
AdvVCIKEM,A(κ) := Pr
h
ExpVCI-0KEM,A(κ) = 1i−PrhExpVCI-1KEM,A(κ) = 1i .
ThenKEMis said to be Valid Ciphertext Indistinguishable (VCI)if for all ppt adversariesA,AdvVCIKEM,A(κ) is negligible.
3.2 Tailored KEMs
ExpVCI-b KEM,A(κ) :
(pk, sk)←KEM.Kg(1κ)
ψ∗0← C, (K
∗
, ψ1∗)←KEM.Encap(pk)
b0← ADecap^6=ψb∗(·)
(pk, ψ∗b) Return(b0)
^
Decap6=ψ∗(P, ψ) Ifψ=ψ∗return (⊥)
K←KEM.Decap(sk, ψ) IfP(K) = 0 return (⊥); Else return (K)
Fig. 2.Experiment for defining Valid Ciphertext Indistinguishability of KEMs. HereDecap^6=ψ∗(P, ψ) denotes a con-strained decryption oracle, taking as input predicateP(·) and encapsulationψ.
ExptcccaKEM,A−b(κ) :
(pk, sk)←KEM.Kg(1κ)
K0∗← K,ψ
∗
0 ← C
(K1∗, ψ1∗)←KEM.Encap(pk)
b0← ADecap^6=ψ∗(·)(pk, K∗
b, ψ
∗
b) Return(b0)
^
Decap6=ψ∗(P, ψ) Ifψ=ψ∗return (⊥)
K←KEM.Decap(sk, ψ) IfP(K) = 0 return (⊥); Else return (K)
Fig. 3.Experiment for defining IND-tCCCA security of KEMs. HereDecap^6=ψ∗(P, ψ) denotes a constrained decryption oracle, taking as input predicateP(·) and encapsulationψ. PredicateP(·) may vary in different queries.
Definition 5 (IND-tCCCA Security for KEMs) LetKEMbe a KEM with ciphertext spaceCand valid ciphertext set Ψ, let A be a ppt adversary, and consider the experiment ExptcccaKEM,−Ab(κ) defined in Figure 3. Define the advantageAdvtcccaKEM,A(κ)of Aby:
AdvtcccaKEM,A(κ) :=
Pr
h
ExptcccaKEM,−A0(κ) = 1i−PrhExptcccaKEM,−A1(κ) = 1i .
ThenKEMis said to be secure against tailored, constrained chosen ciphertext attacks (IND-tCCCA secure) if for all ppt adversaries A with negligible uncertainty uncertA(κ) (in κ), the advantage AdvtcccaKEM,A(κ) is also negligible inκ. Here, the uncertainty of A is defined as uncertA(κ) := q1d
Pqd
i=1Pr [Pi(K) = 1], which measures the average fraction of keys for which the evaluation of predicatePi(·)is equal to 1 in the tCCCA experiment, wherePi denotes the predicate used in the i-th query by A, andqd the number of decapsulation queries made byA.
Constrained CCA (CCCA) security for PKE was introduced in [16] as a strictly weaker notion than IND-CCA security. The formal defintion of IND-CCA security is included in Appendix A. The main differ-ence between IND-CCCA security and our newly defined IND-tCCCA security is that, in the IND-CCCA definition, the adversary is given a pair (K∗
b, ψ∗) whereψ∗ is always a correct encapsulation ofK1∗, while in the IND-tCCCA definition, the adversary is given a pair (K∗
b, ψ∗b) where, when b= 0,ψb∗ is just a random
element of Cand, when b= 1,ψb∗ is a correct encapsulation ofKb∗. However, IND-CCCA security and VCI together imply IND-tCCCA security for KEMs:
Lemma 1. Suppose that KEM is a KEM having an efficiently recognizable ciphertext space C. If KEM is both IND-CCCA secure and VCI then it is also IND-tCCCA secure.
Proof. Recall that the VCI and CCCA experiments are almost the same except for the construction of the adversary’s challenge. Let (K(R), ψ(R)) be chosen fromC × Kuniformly at random. Let (K, ψ) be the output ofKEM.Encapin the CCCA experiment. IND-CCCA security implies (K, ψ)≈c(K(R), ψ). The VCI property
implies thatψ≈c ψ(R), hence (K(R), ψ)≈c(K(R), ψ(R)) whenK(R)is chosen uniformly and independently
of everything else. Finally, (K, ψ)≈c(K(R), ψ(R)) follows from transitivity. ut Tailored Decapsulation. We also tailor the functionality of our KEMs’ decapsulation algorithms to suit our PKE construction.
KeyGen(1κ) :
(pkkem, skkem)←KEM.Kg(1κ)
Kx1, . . . , Kxs ← Kx pk= (pkkem,(Kxj)j∈[s], F) sk= (skkem, pk).
Return(pk, sk)
Enc(pk, m1||. . .||m`) :
Parsepkas (pkkem,(Kxj)j∈[s], F)
Fori= 1 to`
Ifmi= 1
(Ki, ψi)←KEM.Encap(pkkem) Elseψi← C;Ki← K
(Ky1, . . . , Kys)←F(ψ1, . . . , ψ`)
Forj= 1 tos K`+j←(Kxj, Kyj) T ←XAuth(K1, . . . , K`+s) Return (ψ1, . . . , ψ`, T)
Dec(sk, C) :
ParseCas (ψ1, . . . , ψ`, T) Fori= 1 to`
m0i←0 (Ky01, . . . , K
0
ys)←F(ψ1, . . . , ψ`)
Forj= 1 tos K`0+j←(Kxj, K
0
yj)
IfVs
j=1XVer(K
0
`+j, T) = 1 Fori= 1 to`
Ki0←KEM.Decap(skkem, ψi) IfKi0=⊥, thenm0i←0 Elsem0i←XVer(Ki0, T) Return(m01||m02||. . . , m0`)
Fig. 4.Construction of PKE schemePKEfrom tailored KEM and (`+s)-XAC.
– KEM.Decaprejects a random ψ0 ∈ C, except with negligible probability, i.e.,
Pr [KEM.Decap(skkem, ψ0)6=⊥ |ψ0 ← C]≤η(κ).
– KEM.Decapoutputsη(κ)-uniform keys on input a random element fromC. That is, the statistical distance between the output and a uniform distribution on K is bounded byη(κ):
1 2
X
k∈K
Pr [KEM.Decap(skkem, ψ0) =k |ψ0← C]− 1 |K|
≤η(κ).
Remark.The former case implies that valid ciphertexts are sparse in the whole ciphertext space, i.e.,|V|/|C| is negligible. In the latter case, VCI (when VCI holds for all (pk, sk) ← KEM.Kg(1κ)) alone might imply IND-tCCCA security of KEM, since the decapsulated key is uniquely determined by the secret key and the ciphertext (be it valid or invalid).
4
Construction of PKE with SIM-SO-CCA Security from Tailored KEMs
LetKEM= (KEM.Kg,KEM.Encap,KEM.Decap) be a KEM with valid ciphertext setΨ, efficiently recognizable ciphertext spaceC, and key spaceK=Kx× Ky. We further assume that:
(1) KEM.Decap has tailored functionality as per Definition 6 (this will be used for the correctness of our PKE construction);
(2) KEM is IND-tCCCA secure (this will be used in the SIM-SO-CCA security proof of the PKE construc-tion).
(3) Both the key space K and the ciphertext space C of KEM are efficiently samplable and explainable domains, with algorithms (SampleK,SampleK−1) and (SampleC,SampleC−1) (these algorithms are also used in the security analysis).
We refer to a KEM possessing all three properties above as being atailored KEM. Let F : C` →(K
y) s
be an injective function (such functions are easily constructed using, for example, encodings from C to bit-strings and from bit-strings to Ky, provided s is sufficiently large). Let XAC =
(XGen,XAuth,XVer) be aδ(κ)-strong and semi-unique (`+s)-XAC with tag spaceX T and key spaceX K; suppose also that X K=K =Kx× Ky. Our main construction of PKE schemePKE = (KeyGen,Enc,Dec)
with message space{0,1}` is shown in Figure 4.
KeyGen’(1κ) :
(pkkem, skkem)←KEM.Kg(1κ)
Kx← Kx,H ←HGen(1κ).
pk= (pkkem, Kx, H)
sk= (skkem, pk) Return(pk, sk)
Enc’(pk, m1||. . .||m`) : Fori= 1 to`
Ifmi= 1
(Ki, ψi)←KEM.Encap(pkkem) Elseψi← C;Ki← K
Ky←H(ψ1, . . . , ψ`)
K`+1←(Kx, Ky)
T =XAuth(K1, . . . , K`+1) Return (ψ1, . . . , ψ`, T)
Dec’(sk, C) :
C= (ψ1, . . . , ψ`, T) Fori= 1 to` m0i←0
Ky0 ←H(ψ1, . . . , ψ`)
K`0+1←(Kx, Ky0) IfXVer(K`0+1, T) = 1
Fori= 1 to`
Ki0←KEM.Decap(skkem, ψi) IfKi0=⊥, thenm
0
i←0 Elsem0i←XVer(Ki0, T)} Return(m01||m
0
2||. . . , m
0
`)
Fig. 5.Construction of PKE schemePKE’from tailored KEM, (`+ 1)-XAC and CR hash function.
Correctness. Encryption and decryption are performed in bitwise fashion. Supposemi = 1. Then (Ki, ψi) are the encapsulated key and corresponding valid encapsulation; by the correctness of KEM andXAC, the decryption algorithm outputsm0i = 1, except with negligible probabilityfailXAC. Supposemi = 0. ThenKi
and ψi are chosen independently and uniformly at random from K and C, respectively. It follows that the tagT is independent ofψi. Now, during the decryption of thei-th bit, according to the tailored property of KEM.Decap,K0
i is either⊥(and thusm0i= 0) with probability at least 1−η(κ), orKi0 isη(κ)-close to being
uniformly distributed onK. In the latter case, it holds thatm0i= 0 except with probabilityη(κ) +AdvimpXAC(κ) due to theη(κ)-uniformity of the key and the security of XACagainst impersonation attack. Consequently, decryption correctly undoes encryption except with probability at most`·max{failXAC(κ),AdvimpXAC(κ) +η(κ)}, which is negligible.
Lemma 2. PKE scheme PKE in Figure 4 has the property that, if two distinct ciphertexts C,Cˆ both pass the verification stepVs
j=1XVer(K`+j, T) = 1during decryption, then they must have different tagsT 6= ˆT.
Proof. The proof is by contradiction and relies on the injectivity of F. Let C = (ψ1, . . . , ψ`, T) and ˆC = ( ˆψ1, . . . ,ψ`,ˆ Tˆ) be two different ciphertexts. Let (Ky1, . . . , Kys) = F(ψ1, . . . , ψ`) and ( ˆKy1, . . . ,Kyˆ s) = F( ˆψ1, . . . ,ψ`ˆ ). Suppose V
s
j=1XVer((Kxj, Kyj), T) =
Vs
j=1XVer(( ˆKxj,Kyˆ j),Tˆ) = 1. If T = ˆT, then C 6= ˆC
implies (ψ1, . . . , ψ`) 6= ( ˆψ1, . . . ,ψ`ˆ), which further implies Kyj 6= ˆKyj for some j ∈ [s], by the injectivity
of F. On the other hand, we know that XVer((Kxj, Kyj), T) = 1 and XVer((Kxj,Kyˆ j),Tˆ = T) = 1; the semi-unique property of XACnow implies thatKyj = ˆKyj, a contradiction. ut The SIM-SO-CCA security of PKEwill rely on Lemma 2, which in turn relies on the injectivity of F. The size ofF’s domain is closely related to parameters: generally the parameterswill be linear in`. Since we need a (`+s)-XAC in the construction, the size of public key will be linear in `. The size of tag T in the ciphertext will also grow linearly insand therefore in`. To further decrease the size of public key and tags in our PKE construction, we can employ a collision-resistant (CR) hash function H= (HGen,HEval) mappingC`toK
y instead of the injective functionF (see Appendix B for definitions). Then an (`+ 1)-XAC
is sufficient for the construction, and this results in more compact public keys and tags, but requires an additional cryptographic assumption. WhenF is replaced by a CR hash functionH, Lemma 2 still holds but relies on the existence of collision-resistant (CR) hash function mappingCl to a smaller range. We omit the
obvious modifications to our PKE construction needed to accommodate the use of CR hash functions. The construction using CR hash functions is given in Figure 5.
Theorem 1 SupposeKEMis a tailored KEM, and the(`+s)-cross-authentication codeXACisδ(κ)-strong, semi-unique, and secure against impersonation and substitution attacks. Then the PKE scheme PKE con-structed in Figure 4 is SIM-SO-CCA secure. More precisely, for every ppt adversary A = (A1,A2,A3) against PKE in the SIM-SO-CCA real experiment that makes at most qd decryption queries, for every ppt
for the ideal experiment, and a ppt adversaryB against the IND-tCCCA security ofKEM, such that:
Advso-ccaPKE,A,S,n,M,R(κ)≤n`·AdvtcccaKEM,B(κ) +n`2qd·
AdvsubXAC(κ) +AdvimpXAC(κ) +η(κ)+n`·δ(κ).
First, we give a high level overview of the proof before presenting our formal proof. We construct a ppt simulatorS as follows. (See Figure 6.)
– S generates a public/private key pair and provides the public key toA.
– S answersA’s decryption queries using the private key.
– S prepares forAa vector of nchallenge ciphertexts, each ciphertext encrypting`ones.
– WhenAdecides to corrupt a subset of the challenge ciphertexts,S obtains the messages corresponding to the corrupted ciphertexts and opens the corrupted ciphertexts bit-by-bit according to the messages. If bitmi should be opened to 1,S reveals toAthe original randomness used byKEM.Encapto generate
(Ki, ψi). If bitmishould be opened to 0,Sfirst explainsψiwith randomness output bySampleC−1(C, ψi)
(as ifψiwere randomly chosen). ThenS uses algorithmReSampleofXACto resampleKi to get ˆKi, and
explains ˆKi with randomness output bySampleC−1(K,Kˆi) (as if ˆKi was randomly chosen). – S finally outputs whateverAoutputs.
The essence of the SIM-SO-CCA security proof is then to show that encryptions of 1’s are computationally indistinguishable from encryptions of real messages, even if the adversary can see the opened (real) messages and the randomness of a corrupted subset of the challenge ciphertexts of his/her choice, and have access to the decryption oracle. This is done with a hybrid argument running from Game 0 to Gamen`. In Gamek
the firstk bits of messages are 1’s and are opened as S does while the last n`−k bits come from the real messages and are opened honestly. The proof shows that Gameskandk−1 are indistinguishable using the tCCCA security of the tailored KEM and the security properties of the strengthened XAC.
If thek-th bit of the messages is 1, Gameskandk−1 are identical. Otherwise, a tailoredKEMadversary Bcan be constructed to simulate Gamek ork+ 1 for adversaryA.B is provided with a public keypkkem, a challenge (K∗, ψ∗) and a constrained decryption oracle, and is going to tell whether (K∗, ψ∗) is an output of KEM.Encap(pkkem) or a random pair.B can generate a public key for A. When preparing the vector of challenge ciphertexts,Bwill encrypt the firstk−1 bits from the real messages, use (K∗, ψ∗) as the encryption of thek-th bit, and encryptn`−kones for the remaining bits. If (K∗, ψ∗) is an output ofKEM.Encap(pkkem), the challenge vector of ciphertexts is just that in Gamek, otherwise it is just that in Gamek−1. Finally, to answer A’s decryption queryC = (ψ1, . . . , ψ`, T),B can query (ψi,XVer(·, T)) (note thatXVer(·, T) is a
predicate) to his own constrained decryption oracle ifψ∗6=ψi;Bthen replies toAwith decrypted bit 0 iffB
gets⊥from its own oracle. The decryption is correct becauseB’s oracle outputs⊥iff the decapsulated key isKi =⊥orXVer(Ki, T) = 0. Ifψ∗=ψi,Bis not allowed to query his own oracle, but can instead respond
toAwith the output ofXVer(K∗, T) as the decrypted bit. This decryption is also correct with overwhelming probability for the following reasons: (1) If K∗ is the encapsulated key of ψ∗, then XVer(K∗, T) = 1 and decryption is correct. (2) If (K∗, ψ∗) is a random pair, then all the information leaked aboutK∗ is just the very tagT∗that is computed byK∗during the generation of some challenge ciphertext. The semi-uniqueness of XACguarantees thatT 6=T∗, and the adversary’s corruption only reveals information about a re-sampled
ˆ
K∗. The security ofXACagainst substitution attacks shows that even ifAknowsT∗and all keys other than
K∗, thenAforges a different tagT such thatXVer(K∗, T) = 1 with negligible probability. Therefore,Bwill almost always respond toAwith bit 0, which is the correct answer.
Proof. (Proof of Theorem 1.) For every pptn-message samplerM, every ppt relationR, every stateful ppt adversaryA= (A1,A2,A3), we construct a stateful ppt simulatorS= (S1,S2,S3) as follows (see also Figure 6).
– S1 calls KeyGento obtain (pk, sk). Then it callsA Dec(·)
1 (pk) to obtainαand the statea1. Note thatS1 possessesskand is able to provide a decryption oracle toA1. The view ofA1is exactly the same as that in Expso-cca-realPKE,A,n,M,R(κ).
– Without the knowledge ofm= (m[1], . . . ,m[n]), which is the output ofM(α),S2generates the challenge ciphertext vectorc= (c[1], . . . ,c[n]) with eachc[i] being an encryption of`ones, i.e.,
c[i] =Enc(pk,1`;r[i]).
Then S2 calls A Dec∈/c(·)
S1(1κ):
(pk, sk)←KeyGen(1κ) (α, a1)← A
Dec(·) 1 (pk)
s1←(pk, sk, a1) Return(α, s1)
S2(s1,(1|m[i]|)i∈[n]):
pk= (pkkem, Kx, H)
sk= (skkem, pk) Fori= 1 ton
Forj= 1 to`
(Kj(i), ψj(i))←KEM.Enc(pkkem;rij)
(Ky(i1), . . . , K
(i)
ys)←F(ψ
(i) 1 , . . . , ψ
(i) ` ) Forj= 1 tos
K`(+i)j←(Kxj, K
(i) yj) T(i)←XAuth(K(i)
1 , . . . , K (i) `+s)
c[i]←(ψ1(i), . . . , ψ (i) ` , T
(i) )
r[i]←(ri1, ri2, . . . , ri`)
k[i]←(K1(i), . . . , K`(i+)s)
c←(c[1],c[2], . . . ,c[n])
r←(r[1],r[2], . . . ,r[n])
k←(k[1],k[2], . . . ,k[n]) (I, a2)← A
Dec∈/c(·) 2 (a1,c)
s2 ←(a2,c, r, k, s1) Return(I, s2)
S3(s2,m[I]): Fori∈I do
c[i] = (ψ(1i), . . . , ψ(`i), T(i))
r[i] = (ri1, ri2, . . . , ri`)
k[i] = (K1(i), . . . , K (i) `+s) Forj= 1 to`
Ifm[i][j] = 1 ˆrij←rij; Else
rc←SampleC−1(C, ψ(ji)) ˆ
Kj(i)←ReSamp(j,(Kv(i))v6=j, T(i))
rk←SampleK−1(K,Kˆj(i)) ˆ
rij←(rc, rk)
Kj(i)←Kˆj(i)
ˆ
r[i]←(ˆri1,rˆi2, . . . ,rˆi`)
outA← ADec∈/c( ·)
3 (a2,m[I],ˆr[I]) Return(outA)
Fig. 6.Construction of simulatorS forExpso-cca-idealPKE,S,n,M,R(κ).
– S3 opens the challenge ciphertext vector (c[i])i∈I, where c[i] = (ψ
(i) 1 , . . . , ψ
(i)
` , T
(i)) = Enc(pk,1`;r[i]),
according to the corrupted set of messages (m[i])i∈I.
• Ifm[i][j] = 1,S3 opens with the original random coins;
• If m[i][j] = 0, S3 utilizes SampleC−1 to recover a properly distributed randomness for ψ (i)
j , and
ReSamp to re-sample ˆKj(i) so as to hide the real key Kj(i), and then uses SampleK−1 to recover a properly distributed randomness for ˆKj(i).
Finally,S3collects the newly opened randomness ˆr[I] and callsA Dec∈/c(·)
3 (a2,m[I],ˆr[I]) to get the output
outputAas its own output.
The differences between the real and ideal experiments lie in two points. The first is how the challenge ciphertext vector is generated. We formalize it by an algorithmGenerate-c; the second is how the corrupted ciphertexts are opened, which is formalized by an algorithmOpen-c. These algorithms are shown in Figure 7. In the proof, we focus on these two points, and proceed with a series of games starting with GameG−2 and ending with GameGn`, with adjacent games being proven to be computationally indistinguishable. The full set of games are illustrated in Figures 7 and 9.
Game G−2: This is the original real experiment ExpPKEso-cca-real,A,n,M,R(κ). Here we elaborate how the challenge
ciphertext vector c is generated with algorithm Generate-c and how the randomness is opened with algorithmOpen-c. Letm← M(α). In fact,cis the output ofEnc(pk,m;r) andc[I] is opened with the real randomnessr[I] that was used to computec[I]. So
PrhExpso-cca-realPKE,A,n,M,R(κ) = 1i= Pr [G−2= 1]. (1)
Game G−1: This game is the same as Game G−2 except for the way c[I] is opened. If m[i][j] = 0 for
i ∈ I, j ∈ [`], we use SampleC−1 and SampleK−1 to obtain the randomness in Open-c. Then the original rij used to encryptm[i][j] = 0 does not need to be kept any more and we can setrij to be⊥ in Generate-c. This change makes no difference because both K and C are efficiently samplable and explainable. Hence
Pr [G−1= 1] = Pr [G−2= 1]. (2)
Game G0: This game is the same as GameG−1except for the wayc[I] is opened. In case ofm[i][j] = 0 for
ExpPKE,A,n,M,R(κ): all games (pk, sk)←KeyGen(1κ)
(α, a1)← ADec(
·) 1 (pk)
m← M(α)
(c, r, k)←Generate-c(pk,m)
(I, a2)← A Dec∈/c(·)
2 (a1,c)
r[I]←Open-c(I,m, c, r, k)
outA← A
Dec∈/c(·)
3 (a2,m[I],r[I]) returnR(m, I, outA)
Generate-c(pk,m) G−2 G−1, G0
pk= (pkkem,(Kxj)j∈[s], F) Fori= 1 ton
Forj= 1 to`
Ifm[i][j] = 1 (Kj(i), ψ
(i)
j )←KEM.Enc(pkkem;rij) Else
Kj(i)←SampleK(K;rij0 )
ψ(ji)←SampleC(C;r00ij);
rij←(rij0 , r
00
ij); rij←⊥
(Ky(i1), . . . , K
(i)
ys)←F(ψ
(i) 1 , . . . , ψ
(i) ` ) Forj= 1 tos
K`(+i)j←(Kxj, K
(i) yj) T(i)←XAuth(K(i)
1 , . . . , K (i) `+s)
c[i]←(ψ1(i), . . . , ψ`(i), T(i))
r[i]←(ri1, ri2, . . . , ri`)
k[i]←(K1(i), . . . , K`(+i)s)
c←(c[1],c[2], . . . ,c[n]);r←(r[1],r[2], . . . ,r[n])
k←(k[1],k[2], . . . ,k[n]) Return(c, r, k)
Open-c(I,m, c, r, k) G−2
Return(r[I])
Open-c(I,m, c, r, k) G−1, G0∼Gn` Fori∈I do
c[i] = (ψ(1i), . . . , ψ`(i), T(i))
r[i] = (ri1, ri2, . . . , ri`)
k[i]←(K1(i), . . . , K(`+i)s) Forj= 1 to`
Ifm[i][j] = 1 ˆrij←rij; Else
ˆ
Kj(i)←ReSamp(j,(Kv(i))v6=j, T(i));K (i) j ←Kˆ
(i) j
rij0 ←SampleK
−1(K, K(i) j )
rij00 ←SampleC−1(C, ψ (i) j ) ˆ
rij←(rij0 , r
00
ij) ˆ
r[i]←(ˆri1,ˆri2, . . . ,rˆi`) Return(ˆr[I])
Dec6=c(sk,(ψ1, . . . , ψ`, T)) G−2∼Gn` If (ψ1, . . . , ψ`, T)∈c Return(⊥)
sk= (skkem, pk) Fori= 1 to` m0i←0 (Ky01, . . . , K
0
ys)←F(ψ1, . . . , ψ`)
Forj= 1 tos K`0+j←(Kxj, K
0
yj)
IfVs
j=1XVer(K
0
`+j, T) = 1 Fori= 1 to`
Ki0←KEM.Decap(skkem, ψi) IfKi0=⊥, thenm
0
i←0 Elsem0i←XVer(K
0
i, T)} Return(m01||m02||. . . , m0`)
Fig. 7.Games
The new key ˆKj(i) is statisticallyδ(κ)-close to the real keyKj(i), due to the δ(κ)-strongness of XAC. A union bound gives
|Pr [G0= 1]−Pr [G−1= 1]| ≤(n`)δ(κ). (3)
Game Gk: Here k∈ {0,1, . . . , n`}. Let k= (u−1)`+w withu∈[n] andw∈ {0,1, . . . , `−1}, then each
k determines a unique pair (u, w). The difference between Gk and G0 is how the challenge ciphertext vectorcis created inGenerate-c. There are in totaln`bits inm; denote them byb1, b2, . . . , bn`. In this game,ccan be thought of as an encryption of bit-sequence 1kb
k+1, . . . , bn`. More precisely, as in Figure
9,
– (c[i])i∈[u−1] are all encryptions of ones, i.e.,c[i] =Enc(pk,1`;r[i]) fori∈[u−1];
– For theu-th ciphertextcu= (ψ
(u) 1 , . . . , ψ
(u)
` , T
(u)), we have (K(u)
j , ψ
(u)
j )←KEM.Enc(pkkem;ruj) for j ∈ {0,1, . . . , w}. The remaining (Kj(u), ψj(u)) for j ∈ {w+ 1, . . . , `−1} are generated according to the value ofm[u][j] as in GameG0. FinallyT(u)is computed asT(u)←XAuth(K(u)
1 , . . . , K (u)
`+s). – The remaining ciphertextsc[i] fori∈ {u+ 1, . . . , n}are generated according to the value ofm[i] as
in GameG0.
Whenk=n`, the game is exactly the environment provided by ourS (as described above) in the ideal experiment. All we have to prove is that GameG0 andGn` are computationally indistinguishable. Further
we have:
Pr [Gn`= 1]−Pr [G0= 1] =
n`
X
k=1
BDecap^,LR
(pkkem):
u←[n];w← {0,1, . . . , `−1}
k←(u−1)`+w Kx1, . . . , Kxs← Kx
pk= (pkkem,(Kxj)j∈[s], F)
K∗←⊥;ψ∗←⊥ (α, a1)← A
B.Dec(·) 1 (pk)
m← M(α)
(c, r, k)←Gk.Generate-c(pk,m) Ifm[u][w] = 0 (K∗, ψ∗)←LR(pkkem, b∗)
Kw(u)←K∗;ψ (u) w ←ψ∗ (Ky(u1), . . . , K
(u)
ys )←F(ψ
(u) 1 , . . . , ψ
(u) ` ) Forj= 1 tos K`(+u)j←(Kxj, K
(u) yj ) T(u)←XAuth(K(u)
1 , . . . , K (u) `+s)
c[u]←(ψ1(u), . . . , ψ`(u), T(u)) (I, a2)← A
B.Dec∈/c(·)
2 (a1,c)
r[I]←Gk.Open-c(I,m, c, r, k)
outA← A B.Dec∈/c(·)
3 (a2,m[I],r[I]) returnR(m, I, outA)
B.Dec(ψ1, . . . , ψ`, T): B.Dec∈/c(ψ1, . . . , ψ`, T) :
If (ψ1, . . . , ψ`, T)∈c Return(⊥) Fori= 1 to` m0i←0
(Ky01, . . . , K
0
ys)←F(ψ1, . . . , ψ`)
Forj= 1 tos K`0+j←(Kxj, K
0
yj)
IfVs
j=1XVer(K
0
`+j, T) = 1 Fori= 1 to`
Ifψi=ψ∗thenm0i←XVer(K
∗
, T) Else
Ki0←Decap^(XVer(·, T), ψi) ifKi=⊥, thenm0i←0
m0i←XVer(K
0
i, T) Return(m01||m02||. . . , m0`)
^
Decap(XVer(·, T), ψ)
K←KEM.Decap(sk, ψ)
IfK=⊥orXVer(K, T) = 0 return (⊥); Otherwise return (K)
Fig. 8.AlgorithmB, whereGk.Generate-c(pk,m) (resp.
Gk.Open-c) is algorithmGenerate-c(resp.Open-c) in gameGk.
Generate-c(pk,m) Gk=G(u,w),k∈[n`]
pk= (pkkem,(Kxj)j∈[s], F)
Fori= 1 tou−1 Forj= 1 to`
(Kj(i), ψj(i))←KEM.Enc(pkkem;rij);
(Ky(i1), . . . , K
(i)
ys)←F(ψ
(i) 1 , . . . , ψ
(i) ` ) Forj= 1 tos
K`(i+)j←(Kxj, K
(i) yj) T(i)←XAuth(K(i)
1 , . . . , K (i) `+s)
c[i]←(ψ(1i), . . . , ψ (i) ` , T
(i) )
r[i]←(ri1, ri2, . . . , ri`);k[i]←(K1(i), . . . , K (i) `+s) Fori=udo
Forj= 1 tow
(Kj(u), ψj(u))←KEM.Enc(pkkem;ruj); Forj=w+ 1 to`
Ifm[u][j] = 1
(Kj(u), ψj(u))←KEM.Enc(pkkem;ruj)
ElseKj(u)←SampleK(K;r
0
uj);
ψj(u)←SampleC(C;r00uj);ruj ←⊥ (Ky(u1), . . . , K
(u)
ys )←F(ψ
(u) 1 , . . . , ψ
(u) ` ) Forj= 1 tos
K`(u+)j←(Kxj, K
(u) yj ) T(u)←XAuth(K1(u), . . . , K`(u+)s)
c[u]←(ψ1(u), . . . , ψ`(u), T(u))
r[u]←(ru1, ru2, . . . , ru`)
k[u]←(K1(u), . . . , K`(+u)s) Fori=u+ 1 ton
Forj= 1 to`
Ifm[i][j] = 1
(Kj(i), ψj(i))←KEM.Enc(pkkem;rij) ElseKj(i)←SampleK(K;rij0 )
ψj(i)←SampleC(C;r
00
ij); rij←⊥ (Ky(i1), . . . , K
(i)
ys)←F(ψ
(i) 1 , . . . , ψ
(i) ` ) Forj= 1 tos
K`(i+)j←(Kxj, K
(i) yj) T(i)←XAuth(K1(i), . . . , K
(i) `+s)
c[i]←(ψ(1i), . . . , ψ (i) ` , T
(i) )
r[i]←(ri1, ri2, . . . , ri`);k[i]←(K1(i), . . . , K (i) `+s)
c←(c[1],c[2], . . . ,c[n]);r←(r[1],r[2], . . . ,r[n])
k←(k[1],k[2], . . . ,k[n]) Return(c, r ,k )
Fig. 9.Generation of challenge ciphertext vector inGk.
LetEj(k)be the event thatm[u][w] = 0 withk= (u−1)`+win GameGj. SinceE
(k)
j is independent ofj,
we have PrhE0(k)i= PrhE1(k)i=· · ·PrhEn`(k)i. Therefore, we use E(k)to denote the event thatm[u][w] = 1 for any game. If E(k) does not happen, i.e., m[u][w] = 1 where k = (u−1)`+w, then the two adjacent GamesGk andGk−1 are identical. Now:
Pr [Gk= 1]−Pr [Gk−1= 1] = (Pr
h
Gk= 1| E(k)iPrhE(k)i+ PrhGk = 1| ¬E(k)iPrh¬E(k)i) −(PrhGk−1= 1 |E(k)
i
PrhE(k)i+ PrhGk−1= 1 | ¬E(k)
i
Prh¬E(k)i) =PrhGk= 1| E(k)
i
−PrhGk−1= 1|E(k)
i
Then we have
Pr [Gn`= 1]−Pr [G0= 1] =
n`
X
k=1
Pr [Gk= 0]−Pr [Gk−1= 1]
=
n`
X
k=1
PrhGk= 1| E(k)i−PrhGk−1= 1|E(k)
i
PrhE(k)i
=
n`
X
k=1
PrhGk= 1, E(k)i−PrhGk−1= 1, E(k)
i
(5)
The computational indistinguishability ofG0andGn` will be proved based on the IND-tCCCA security
ofKEM, and the security of XAC. Let B be an adversary in the IND-tCCCA experiment ExpKEMtccca,−Bb(κ). Now B is provided with a KEM public key pkkem, and has access to a constrained decapsulation oracle
^
Decap6=ψ∗(·) and (effectively) a one-time encapsulation oracle LR(pkkem, b). If b= 1, LR(pkkem, b) will call
KEM.Encap(pkkem) to output (K∗, ψ∗), a key and a valid ciphertext encapsulating the key. If b = 0, it
chooses (K∗, ψ∗) fromK × Cuniformly at random.Bis aiming to tell whetherb= 0 orb= 1 after obtaining (K∗, ψ∗) from LR(pk
kem, b), while having access to a constrained decapsulation oracle Decap^6=ψ∗(·). Now B
can be constructed as follow (see also Figure 8).
– B randomly chooses u ← [n] and w ← {0,1, . . . , `−1}. Setting k = (u−1)`+w, we have that k is uniformly distributed in [n`].
– BchoosesKx1, . . . , Kxs ← Kx, an injective functionF :C`→(Ky)s, and setspk= (pkkem,(Kxj)j∈[s], F). – BprovidesA1with a decryption oracle, denoted byB.Dec(·), with the help of its own constrained
decapsu-lation oracleDecap^(·). Given a queryC= (ψ1, . . . ψ`, T), algorithmB.DecverifiesV s
j=1XVer((Kxj, K
0
yj), T) =
1, where (Ky0
1, . . . , K
0
ys) =F(ψ1, . . . , ψ`). If the verification fails,B returns` zeros. Otherwise, the
de-cryption goes bitwise as follows.B queries its oracleDecap^ with (P, ψi), where the predicateP defined
as
P(K) :=
1 if XVer(K, T) = 1
0 if XVer(K, T) = 0 orK=⊥
If the output of Decap^(·) is⊥,Bsets m0i= 0, otherwise Bsets m0i= 1. FinallyB returns (m01, . . . , m0`). Note thatB.Dec(·) functions exactly the same as the decryption oracleDec(·).
– B runsAB.Dec1 (·)(pk) to get (α, a1) and usesαto sample a message vectorm. There are in totaln` bits in m, denotedb1, b2, . . . , bn`. Then Bcomputescas follows.
• ifm[u][w] = 1,B will encrypt thenmessages consisting of bit sequence 1kbk
+1, . . . , bn` to getc. In this case,cis exactly the output of algorithm Generate-cin GameGk.
• ifm[u][w] = 0,Bwill obtaincby encryptingnmessages which constitute bit sequence 1k−1bbk
+1, . . . , bn` (notice the presence ofB’s challenge bitbhere). To do this, BqueriesLR(pkkem, b) to get (K∗, ψ∗) and setsKw(u):=K∗ andψ
(u)
w :=ψ∗ during the generation of c[u]. In this way, B embeds his own
challenge in the creation of c. If (K∗, ψ∗) is the output of LR(pkkem,1), then B implicitly sets
bk =b= 1. Otherwisebk =b= 0. Consequently, the challenge ciphertext vectorcis just the output of algorithmGenerate-cin GameGk−1orGk depending onb= 0 orb= 1.
– B usesB.Dec∈/c(·) to answer decryption queries from A2. Algorithm B.Dec∈/c(·) is almost the same as
B.Dec(·) (see Figure 8) but with the restriction that the queried ciphertextC= (ψ1, . . . , ψ`, T) does not appear in c. Recall that Bhas its own constrained decryption oracle Decap^∈/c(skkem,·). This enablesB to simulate the decryption oracle for A2 so long as ψ∗ ∈ {/ ψ1, . . . , ψ`}. However, if ψ∗ ∈ {ψ1, . . . , ψ`}, say ψj =ψ∗, thenB computesm0j =XVer(K∗, T) instead. Next it runs AB.Dec∈/c(·)
2 (a1,c) to obtain the corruption set I and statea2.
– Bcalls theOpen-calgorithm in GameGk (which is the same algorithm in all gamesG0–Gn`) to obtain the randomness r[I].
– B runsAB.Dec∈/c(·)
3 (a2,m[I],r[I]) to get the outputoutA.
– B returnsR(m, I, outA).
LetBk denote algorithm Brunning in GameGk for a fixed k. (Recall that k= (u−1)`+wwas chosen
simulates Game Gk or Gk−1 for A depending on the value of m[u][w] and B’s own challenge (K∗, ψ∗). Observe that B.Dec(·) functions exactly the same as Dec(·). If m[u][w] = 1,Bk is exactly the same as Gk.
If m[u][w] = 0, Bk will be the same as Gk when b = 1 and Gk−1 when b = 0, as long as B.Dec∈/c(·) can
perfectly simulate the decryption oracle Dec∈/c(·). However, there is a difference between B.Dec∈/c(·) and
Dec∈/c(·). Below we show that this difference has negligible influence due to the security properties ofXAC.
Claim 1 Suppose that m[u][w] = 0 in Bk, where k= (u−1)n+w. If b= 1, then the output of algorithm
B.Dec∈/c(·) is exactly the same as that of decryption algorithm Dec∈/c(·). If b = 0, algorithm B.Dec∈/c(·)
functions identically to decryption algorithmDec∈/c(·)except with probability at most
(`qd)
η(κ) +AdvimpXAC(κ) +AdvsubXAC(κ).
Proof. Let C = (ψ1, . . . , ψ`, T) denote a decryption query from A. Clearly C /∈ c. Let (Ky01, . . . , K
0
ys) = F(ψ1, . . . , ψ`). IfV
s
j=1XVer((Kxj, K
0
yj), T) = 0, both algorithmsDec∈/c(·) andB.Dec∈/c(·) will output (m
0
1, . . . , m0`) =
(0, . . . ,0). From now on, we assume thatVs
j=1XVer((Kxj, K
0
yj), T) = 1. Then it follows thatT 6=T
(i)for all
i∈[n] by Lemma 2.
Next both algorithms Dec∈/c(·) and B.Dec∈/c(·) will decrypt C = (ψ1, . . . , ψ`, T) bitwise to recover the message (m01, . . . , m0`). Recall that Dec∈/c(·) sets m0i = 0 iff the decapsulated key KEM.Decap(ψi) =⊥ or
XVer(KEM.Decap(ψi), T) = 0. As for how B.Dec∈/c(·) determines m0i, we consider two cases.
– Case ψ∗ 6= ψi: B.Dec∈/c(·) will query the constrained decapsulation oracle Decap^∈/c(·) with (P(·) =
XVer(·, T), ψi).B.Dec∈/coutputs the bitm0i= 0 iffDecap^∈/creturns⊥, and this happens whenKEM.Decap(ψi)
outputs⊥orXVer(KEM.Decap(ψi), T) = 0. Hence, in this case,B.Dec∈/c(·) functions exactly asDec∈/c(·)
does.
– Caseψ∗=ψi,B.Dec∈/c(·) simply computesm0i:=XVer(K∗, T). We further consider two sub-cases.
• Case b = 1: Then (K∗, ψ∗) is the output of B’s encryption oracle LR(pkkem,1), thus K∗ is the
encapsulated key of ψ∗, i.e. K∗ = KEM.Decap(skkem, ψ∗). Consequently, the decrypted bit m0i :=
XVer(K∗, T) is exactly the same as the bitmi0 output byDec∈/c(·).
• Caseb= 0: Then (K∗, ψ∗) is the output ofB’s encryption oracleLR(pkkem,0). Hence bothK∗andψ∗
are uniformly chosen. In this case,Dec∈/c(·) outputsm0i= 0 except with probabilityη(κ)+Adv
imp XAC(κ), according to the decryption correctness of PKE.
On the other hand,B.Dec∈/c(·) outputsm0i:=XVer(K∗, T). Recall thatT 6=T(u), soXVer(K∗, T) =
0 except with probability AdvsubXAC(κ), due to the security of XAC against substitution attacks. More precisely, K∗ is uniformly chosen from K, and all information leaked about K∗ is given by T(u) = XAuth(K(u)
1 , . . . , K (u)
w = K∗, . . . , K
(u)
` ) in the challenge ciphertext c[u] and ˆK
(u)
w =
ReSamp(w,(Kv(u))v∈[`+s],v6=w, T(u)) by theOpen-calgorithm. However, algorithmOpen-cdid not
expose the real keyKw(u)=K∗ and what it revealed is a fake key ˆK
(u)
w . The fake key is the output
of ReSamp on input (Kv(u))v6=w and T(u), hence is redundant and does not leak more information
beyond (Kv(u))v=6 w andT(u). Consequently, the security of XAC against substitution attacks shows
thatXVer(K∗, T) = 0 except with probabilityAdvsubXAC(κ), even conditioned on the knowledge ofT(u) and (Kv(u))v6=w.
HenceB.Dec∈/c(·) outputs anm0i different from that output by B.Dec∈/c(·) with probability at most η(κ) +AdvimpXAC(κ) +AdvsubXAC(κ). The lemma follows by applying the union bound, since the plaintext has` bits and there areqd decryption queries. (End of proof of Claim 1.)
LetErrk denote the event that there exists a decryption queryC to which B.Dec∈/c(·) replies differently
from Dec∈/c(·) in Bk. According to the proof of Claim 1, we know that Errk occurs only when b = 0 and m[u][w] = 0; moreover
Pr [Errk | m[u][w] = 0, b= 0]≤(`qd)
Let B = b0 (respectively Bk = b0) denote that algorithm B (respectively Bk) returns bit b0. Let E(k)
denote the event thatm[u][w] = 0 withk= (u−1)`+win Bk. The advantage ofB is given by
AdvtcccaKEM,B(κ) = Pr [B= 1|b= 1]−Pr [B= 1|b= 0]
= 1 n` n` X k=1
PrhBk= 1, E(k) |b= 1
i
−PrhBk = 1, E(k)|b= 0
i
(7)
= 1
n`Pr
h
E(k)i n`
X
k=1
PrhBk = 1|E(k), b= 1
i
−PrhBk= 1 |E(k), b= 0
i
(8)
= Pr
E(k)
n` n`
X
k=1
PrhGk= 1 |E(k)i−PrhBk = 1,Errk |E(k), b= 0
i
−PrhBk= 1,Errk |E(k), b= 0
i (9) = 1 n` n` X k=1
PrhGk= 1, E(k)
i
−1
n`Pr
h
E(k)i n`
X
k=1
PrhBk= 1 |Errk, E(k), b= 0
i
·PrhErrk |E(k), b= 0
i
−1
n`Pr
h
E(k)i n`
X
k=1
PrhBk= 1 |Errk, E(k), b= 0
i
·PrhErrk |E(k), b= 0
i = 1 n` n` X k=1
PrhGk= 1, E(k)i−PrhGk−1= 1, E(k)
i
·PrhErrk |E(k), b= 0
i −1 n` n` X k=1
PrhE(k)i·PrhBk = 1|Errk, E(k), b= 0
i
·PrhErrk |E(k), b= 0
i (10) ≥ 1 n` n` X k=1
PrhGk= 1, E(k)i−PrhGk−1= 1, E(k)
i
−max
k Pr
h
Errk |E(k), b= 0
i
(11)
Eqn. (7) follows from the fact that the output of Bk is independent of b if E(k) does not occur. Eqn. (8)
follows from thatE(k) andbare independent of each other. Eqn. (9) follows from the fact thatB
k perfectly
simulates Gk ifb= 1 andE(k)occurs. Eqn. (10) is due to the fact thatBk perfectly simulatesGk
−1 when
b= 0 andErrk does not occur. According to (5), (6) and (11), we have
Pr [Gn`= 1]−Pr [G0= 1] =
n`
X
k=1
PrhGk= 1, E(k)i−PrhGk−1= 1, E(k)
i
≤n`·AdvtcccaKEM,B(κ) +n`2qd·η(κ) +n`2qd·Adv
imp
XAC(κ) +n` 2q
d·AdvsubXAC(κ) (12) Combining (1), (2), (3) and (12), we have
Advso-ccaPKE,A,S,n,M,R(κ) =|Pr [Gn`= 1]−Pr [G−2= 1]|
≤ |Pr [Gn` = 1]−Pr [G0= 1]|+|Pr [G0= 1]−Pr [G−2= 1]|
≤n`·AdvtcccaKEM,B(κ) +n`2qd·AdvsubXAC(κ) +n`2qd·AdvimpXAC(κ) +n`2qd·η(κ) +n`·δ(κ) (13)
from which the theorem follows. ut
The security of our modified construction using CR hash functions (see Figure 5) is stated in the following theorem, whose proof is similar to that of Theorem 1.
queries, for every ppt n-message sampler M, and every ppt relation R, we can construct a stateful ppt simulator S = (S1,S2,S3)for the ideal experiment, a ppt adversary B against the IND-tCCCA security of KEM, and a ppt algorithm F against the collision-resistance of Hsuch that:
Advso-ccaPKE’,A,S,n,M,R(κ)≤n`·AdvtcccaKEM,B(κ) +n`2qd·AdvsubXAC(κ) +AdvimpXAC(κ) +η(κ) +n`·δ(κ) +AdvcrH,F(κ).
5
Instantiations
In this section, we explore three different constructions of tailored KEMs, each suitable for the application of Theorems 1 and 2. The first is based on any Strongly Universal2 hash proof system, the second is a direct construction relying on then-Linear Assumption and a target collision-resistant hash function (see Appendix B for definitions), while the third uses indistinguishability obfuscation.
5.1 Strongly Universal2 Hash Proof Systems
We use hash proof systems [8] to build tailored KEMs suitable for application in our main theorem. Let Ψ ⊂ C be a language. The hardness of the subset membership problem for Ψ with respect to C requires that a random element fromΨ is indistinguishable from a random element fromC. Let Kbe a set andΛsk :C → K be a hash function indexed withsk∈ SK. ThenΛsk is said to beprojective if there exists a mapµ:SK → PKsuch thatµ(sk)∈ PKdefines the action ofΛsk on the subsetΨ;µis then said to be a projection on subsetΨ.
A hash proof system (HPS) HPS consists of three algorithms (HPS.param, HPS.pub, HPS.priv). The randomized algorithm HPS.param(1κ) outputs params = (
G,C, Ψ,PK,SK, Λ, µ), where G is a group. The
secret key sk is randomly chosen from SK, and the public key is computed as pk = µ(sk) where µ is a projection on Ψ. Algorithm HPS.Pub(pk, ψ, w) is given the public key pk, an element ψ ∈ Ψ and its witness w, and outputs an encapsulated key K = HPS.Pub(pk, ψ, w) such that K = Λsk(ψ). Algorithm
HPS.Priv(sk, ψ) recoversK=Λsk(ψ) usingsk.
The Strongly Universal2 (SU2) property of an HPS characterizes the unpredictability of Λsk(ψ) for ψ∈ C \Ψ.
Definition 7 Let HPS = (HPS.param,HPS.pub,HPS.priv) be a hash proof system. Then HPS is said to be SU2 if
Pr [Λsk(ψ) =K |pk=µ(sk), ψ0, K0 =Λsk(ψ0)] = 1/|K|,
for all pk ∈ PK, all ψ, ψ0 ∈ C \Ψ with ψ0 6= ψ and all K, K0 ∈ K, where the probability is taken over
sk← SK.
Given that HPS is an SU2 HPS, a KEM KEM can be constructed as shown in Figure 10. The output paramsofHPS.paramis used as a set of public parameters implicitly used as input in the algorithms ofKEM. Notice that the valid ciphertext set forKEM isΨ.
KEM.Kg(1κ):
sk← SK
pk=µ(sk). Return (pk, sk)
KEM.Encap(pk):
ψ←Ψ with witnessw K←HPS.Pub(pk, ψ, w) Return(K, ψ)
KEM.Decap(sk, ψ):
K←HPS.Priv(sk, ψ)
Return(K)
Fig. 10.Construction of a KEM from an SU2 hash proof system.
Theorem 3 LetHPSbe an SU2HPS withparams= (G,C, Ψ,PK,SK, Λ, µ). Suppose the subset membership
Proof. It was already proved in [16] that the SU2 property and the hardness of the subset membership problem for Ψ with respect to C implies the IND-CCCA security of KEM. On the other hand, public and secret key pairs can be generated independently fromC and Ψ and the subset membership problem holds even if the secret key is known to the adversary. More precisely, when an adversary Bis givenψ and tries to distinguish whether ψ is randomly chosen from Ψ or C, it can establish a VCI experiment for a VCI adversary Aas follows: first call (pk, sk)←KEM.Kg(1κ) and use sk to answer decryption queries. B gives pk to A and gives ψ as the challenge ciphertext. Finally B outputs whateverA returns. It is clear that B has the same advantage asA. This implies that the VCI property holds forKEM under the hardness of the subset membership problem. Then IND-tCCCA security follows from Lemma 1.
The SU2property of HPSimplies that
Pr [KEM.Decap(sk, ψ) =K] = Pr [HPS.Priv(sk, ψ) =K] = 1 |K|
for all invalid ciphertexts ψ ∈ C \Ψ, all K ∈ K, and all pk = µ(sk), where the probability is taken over
sk← SK. Then
Pr [KEM.Decap(sk, ψ) =K |ψ← C] = Pr [KEM.Decap(sk, ψ) =K|ψ∈Ψ]· |Ψ| |C|
+ Pr [KEM.Decap(sk, ψ) =K|ψ∈ C \Ψ]·
1−|Ψ| |C|
= Pr [KEM.Decap(sk, ψ) =K |ψ∈Ψ]·|Ψ| |C| +
1 |K|·
1−|Ψ| |C|
≤ |Ψ| |C| +
1 |K|.
Noting that Pr [KEM.Decap(sk, ψ) =K |ψ∈Ψ] lies between 0 and 1, it follows that the statistical dis-tance betweenKEM.Decap(sk, ψ) (whenψ is uniformly selected from C) and the uniform distribution is at most|Ψ|/|C|, which is negligible due to the sparseness of Ψ. This establishes thatKEM.Decaphas tailored functionality.
Finally,KEMis a tailored KEM because it has samplable and explainable domainsC andK, it has
IND-tCCCA security, andKEM.Decaphas tailored functionality. ut
Remark 1. . As pointed out in [12], both DDH-based and DCR-based HPS could have samplable and ex-plainable platform groups. For example, we can choose the subgroup of orderq inZ∗p (withp= 2q+ 1) as
the DDH group, and chooseZ∗N2 as the DCR group.
5.2 Tailored KEM Based on n-Linear Assumption
LetG(1κ) be a group generator, that is, a ppt algorithm which outputs (
G, g, p) whereGis a group of prime
orderp(havingκbits) andg a generator ofG.
Definition 8 The n-Linear Assumption forG(1κ)states that for all ppt adversariesB, the advantage of B defined below is negligible.
AdvnB-lin(κ) := Pr
h
B(g1, . . . , gn, gr11, . . . , g
rn n , h, h
Pn
i=1ri) = 1
i
−Pr [B(g1, . . . , gn, gr11, . . . , g
rn n , h, h
z) = 1]
,
where(G, g, p)← G(1κ),(gi)i∈[n], h←Gand(ri)i∈[n], z←Zp.
In [16], Hofheiz and Kiltz presented a KEM based on the n-Linear Assumption for a group generator G(1κ) and a target collision-resistant hash function, and proved its IND-CCCA security. We replicate the
algorithms of this KEM in Figure 11. Note that this construction does not fall into the category of HPS-based KEMs.
Lemma 3. If the n-Linear Assumption holds for G(1κ), and TCR is target collision-resistant, then the
Hofheinz-Kiltz KEM in Fig. 11 is IND-tCCCA secure.
Proof. In view of the results of [16] and Lemma 1, we need only prove that the KEM in Figure 11 has the VCI property.
Given an adversaryAwinning the VCI experiment with non-negligible probability, we can construct a ppt algorithmBsolving then-Linear problem with help ofAwith non-negligible probability. Let (g1, . . . , gn, g1r1,
. . . , grn
n , h, K∗) be a challenge instance from then-Linear problem, where K∗=h Pn
i=1ri orK∗ is a random
element fromG. Here,Bsimulates the VCI experiment forAusing its input (g1r1, . . . , g
rn
![Fig. 11. KEM from n-Linear Assumption [16].](https://thumb-us.123doks.com/thumbv2/123dok_us/7949509.1319307/20.612.76.547.54.159/fig-kem-from-n-linear-assumption.webp)
