Research Article: Efficient KDM-CCA Secure Public-Key Encryption via Auxiliary-Input Authenticated Encryption
Shuai Han (1,2), Shengli Liu (1,2,3), and Lin Lyu (1,2)
(1) Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China; (2) State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China; (3) Westone Cryptologic Research Center, Beijing 100070, China
Correspondence should be addressed to Shengli Liu; slliu@sjtu.edu.cn
Received 1 April 2017; Revised 13 June 2017; Accepted 6 July 2017; Published 11 December 2017
Academic Editor: Muhammad Khurram Khan
Copyright © 2017 Shuai Han et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
KDM[ℱ]-CCA security of public-key encryption (PKE) ensures the privacy of key-dependent messages f(sk), which are closely related to the secret key sk, where f ∈ ℱ, even if the adversary is allowed to make decryption queries. In this paper, we study the design of KDM-CCA secure PKE. To this end, we develop a new primitive named Auxiliary-Input Authenticated Encryption (AIAE). For AIAE, we introduce two related-key attack (RKA) security notions, including IND-RKA and weak-INT-RKA. We present a generic construction of AIAE from tag-based hash proof system (HPS) and one-time secure authenticated encryption (AE), and give an instantiation of AIAE under the Decisional Diffie-Hellman (DDH) assumption. Using AIAE as an essential building block, we give two constructions of efficient KDM-CCA secure PKE based on the DDH and the Decisional Composite Residuosity (DCR) assumptions. Specifically, (i) our first PKE construction is the first one achieving KDM[ℱ_aff]-CCA security for the set of affine functions and compactness of ciphertexts simultaneously; (ii) our second PKE construction is the first one achieving KDM[ℱ^d_poly]-CCA security for the set of polynomial functions and almost compactness of ciphertexts simultaneously. Our PKE constructions are very efficient; in particular, they are pairing-free and NIZK-free.
1. Introduction
For public-key encryption (PKE) schemes, Chosen-Ciphertext Attack (CCA) security is the de facto security notion. In the CCA security model, the adversary sees the public key and gets challenge ciphertexts, which are encryptions of messages of its choice. It is also allowed to make decryption queries and obtain the decrypted messages for ciphertexts (but not the challenge ciphertexts) of its choice. CCA security considers whether the challenge ciphertexts can protect the security of messages. Observe that the adversary does not know the secret keys; thus it is not able to submit messages that are closely related to the secret keys. Thus there is a corner that is not covered by CCA security, namely the security of messages which are closely dependent on the secret keys. It was Goldwasser and Micali [1] who first pointed out this problem. In 2002, the security of such key-dependent messages (KDM) was formalized by Black et al. [2]. Up to now, KDM-security has found many applications, such as anonymous credential systems [3] and hard disk encryption [4].
KDM[ℱ]-security means KDM-security for a set ℱ of functions. Loosely speaking, in the n-KDM[ℱ]-security model, the adversary obtains the public keys (pk_1, ..., pk_n) of n users and has access to an encryption oracle. Each time the adversary submits a function f in the function set ℱ, the encryption oracle will encrypt f(sk_1, ..., sk_n) or a dummy message (say 0) and output the challenge ciphertext to the adversary. The n-KDM[ℱ]-CPA security stipulates that the adversary cannot distinguish the two cases, and the n-KDM[ℱ]-CCA security demands the indistinguishability of the two cases even if the adversary is also allowed to make decryption queries. KDM-CCA is obviously a stronger security notion than KDM-CPA. Moreover, the KDM-security is stronger when the function set ℱ is larger.
Hindawi, Security and Communication Networks, Volume 2017, Article ID 2148534, 27 pages, https://doi.org/10.1155/2017/2148534
KDM[ℱ]-CPA Security. In 2008, Boneh et al. (BHHO) [4] proposed the first KDM[ℱ_aff]-CPA secure PKE construction for the affine function set ℱ_aff from the Decisional Diffie-Hellman (DDH) assumption. Soon after, the BHHO scheme was generalized by Brakerski and Goldwasser [5], who presented KDM[ℱ_aff]-CPA secure PKE constructions under the Quadratic Residuosity (QR) assumption or the Decisional Composite Residuosity (DCR) assumption. However, these schemes suffer from incompact ciphertexts, which contain O(λ) group elements (λ denotes the security parameter throughout the paper).
Applebaum et al. [6] proved that a variant of the Regev scheme [7] is KDM[ℱ_aff]-CPA secure and enjoys compact ciphertexts, that is, encompassing only O(1) group elements.
Brakerski et al. [8] provided a KDM[ℱ^d_poly]-CPA secure PKE scheme for the polynomial function set ℱ^d_poly, which contains all polynomials whose degrees are at most d. The drawback of the scheme is incompact ciphertexts, which contain O(λ^{d+1}) group elements.
Barak et al. [9] presented a KDM-CPA secure PKE for the set of Boolean circuits whose sizes are a priori bounded, which is a very large function set. Nevertheless, their scheme is neither practical nor flexible.
In 2011, Malkin et al. [10] proposed the first efficient KDM[ℱ^d_poly]-CPA secure PKE. The ciphertext of their PKE construction is almost compact and consists of only O(d) group elements.
KDM[ℱ]-CCA Security. The first approach to KDM-CCA security was proposed by Camenisch, Chandran, and Shoup (CCS) [11]. The CCS approach follows the Naor-Yung paradigm [12], and the building blocks are a PKE scheme with CCA security, a PKE scheme with KDM-CPA security, and a noninteractive zero-knowledge (NIZK) proof system, which proves that the two PKE schemes encrypt the same message.
The Groth-Sahai proofs [13] are the only practical NIZK. To obtain efficient KDM-CCA secure PKE, we have to employ an efficient PKE scheme with KDM-CPA security and the Groth-Sahai proofs if we follow the CCS approach [11]. Unfortunately, the existing efficient PKE schemes with KDM-CPA security, like [6, 10], are not compatible with the Groth-Sahai proofs, since the underlying groups of their schemes are not pairing-friendly ones.
Galindo et al. [14] proposed a KDM-CCA secure PKE scheme from the Matrix Decisional Diffie-Hellman assumption. Their scheme enjoys compact ciphertexts, but the KDM-CCA security of their scheme is constrained (more precisely, in their KDM-CCA security model, the adversary is only allowed to access the encryption oracle a number of times linear in the secret key's size).
In order to achieve both KDM-CCA security and efficiency for PKE, Hofheinz [15] developed another approach, making use of a novel primitive named “lossy algebraic filter”. The PKE scheme proposed by Hofheinz enjoys the security of KDM[ℱ_circ]-CCA and the compactness of ciphertexts simultaneously, but the function set ℱ_circ is made up of constant functions and selection functions f(sk_1, ..., sk_n) = sk_i.
In fact, it is a challenging job to enlarge the KDM-CCA function set ℱ while keeping the efficiency of the PKE scheme. Recently, Lu et al. [16] designed the first PKE achieving both KDM[ℱ_aff]-CCA security and compact ciphertexts. Their construction is referred to as the LLJ scheme in this paper. The essential building block in their scheme is “authenticated encryption” (AE). The so-called INT-ℱ_aff-RKA security of AE turns out to be critical to the KDM[ℱ_aff]-CCA security of the LLJ scheme. Unfortunately, their security reduction of the INT-ℱ_aff-RKA security of AE to the underlying DDH assumption is flawed. Roughly speaking, the problem of their security reduction is that there is no efficient way for the DDH adversary to convert the forgery provided by the INT-ℱ_aff-RKA adversary into a decision bit for solving the DDH problem, since it has no trapdoor. See our conference version [17] for details. The failure of AE's INT-ℱ_aff-RKA security reduction directly affects the validity of LLJ's KDM[ℱ_aff]-CCA security proof.
To construct efficient KDM[ℱ^d_poly]-CCA secure PKE schemes, the CCS approach [11] is the unique way to the best of our knowledge. However, the only efficient KDM[ℱ^d_poly]-CPA secure PKE [10] is incompatible with the Groth-Sahai NIZK proofs [13]; thus the CCS approach must adopt a general, inefficient NIZK.
Our Contribution. In this work, we focus on the design of efficient PKE schemes possessing KDM[ℱ_aff]-CCA security and KDM[ℱ^d_poly]-CCA security, respectively.
(i) We develop a new primitive named “Auxiliary-Input Authenticated Encryption” (AIAE). We introduce new related-key attack (RKA) security notions for it, called IND-ℱ′-RKA and weak-INT-ℱ′-RKA.
(a) We show a general paradigm for constructing such an AIAE from a one-time secure AE and a tag-based hash proof system (HPS) that is universal_2, extracting, and key-homomorphic.
(b) We present an instantiation of tag-based HPS under the DDH assumption. Following our paradigm, we immediately obtain a DDH-based AIAE for the set of restricted affine functions.
(ii) Using AIAE as an essential building block, we design the first PKE scheme enjoying KDM[ℱ_aff]-CCA security and compactness of ciphertexts simultaneously. Specifically, the ciphertext of our scheme contains only O(1) group elements.
(iii) Furthermore, we design the first PKE scheme enjoying KDM[ℱ^d_poly]-CCA security and almost compactness of ciphertexts simultaneously. More precisely, the number of group elements contained in a ciphertext is independent of the security parameter λ.
In Table 1, we list the existing PKE schemes which either achieve KDM-CCA security or are KDM-secure for the set ℱ^d_poly of polynomial functions.
Table 1: Comparison among PKE schemes achieving either KDM-CCA security or security against the set ℱ^d_poly of polynomial functions. Here we denote by λ the security parameter and by ℱ_circ, ℱ_aff, and ℱ^d_poly the set of selection functions, the set of affine functions, and the set of polynomial functions of bounded degree d, respectively. “CCA” indicates that the scheme is KDM-CCA secure. By the symbol “∗” we mean that the security proof is not rigorous. G, Z_{N^2}, Z_{N^3}, Z_{N^s}, and Z_N are the underlying groups, where s ≥ 1.

Scheme                     Set         CCA   Free of pairing   The size of ciphertext                       Assumption
BHHO08 [4] + CCS09 [11]    ℱ_aff       √     —                 (6λ + 13)|G|                                 DDH
BGK11 [8]                  ℱ^d_poly    —     √                 (λ^{d+1})|G|                                 DDH or LWE
MTY11 [10]                 ℱ^d_poly    —     √                 (d + 2)|Z_{N^s}|                             DCR
Hof13 [15]                 ℱ_circ      √     —                 6|Z_{N^3}| + 49|G|                           DDH & DCR
LLJ15 [16]                 ℱ_aff       ∗     √                 3|Z_{N^2}| + 3|Z_{N^s}| + |Z_N|              DDH & DCR
Our scheme in Section 4    ℱ_aff       √     √                 9|Z_{N^2}| + 9|Z_{N^s}| + 2|Z_N|             DDH & DCR
Our scheme in Section 5    ℱ^d_poly    √     √                 9|Z_{N^2}| + (8d^9 + 1)|Z_{N^s}| + 2|Z_N|    DDH & DCR
Figure 1: Our approach of PKE construction. Encryption: (k, kemc) ← KEM.Encrypt(pk); Ec ← E.Encrypt(pk, m); aiaec ← AIAE.Encrypt(k, Ec, ai := kemc). Decryption: k ← KEM.Decrypt(sk, kemc); Ec ← AIAE.Decrypt(k, aiaec, ai := kemc); m ← E.Decrypt(sk, Ec).
Overview of Our Construction. In the construction of our KDM-CCA secure PKE schemes, we adopt a key encapsulation mechanism (KEM) + data encapsulation mechanism (DEM) approach [18] and employ three building blocks, KEM, E, and AIAE, as shown in Figure 1:
(i) KEM and E share the same pair of public and secret keys.
(ii) A key k is encapsulated by KEM.Encrypt, and an encapsulation kemc is generated by KEM.Encrypt along the way.
(iii) The message m is encrypted by E.Encrypt, and the resulting E-ciphertext is Ec.
(iv) The key k generated by KEM is used by AIAE.Encrypt to encrypt Ec with auxiliary input ai := kemc, and the resulting AIAE-ciphertext is aiaec.
(v) The ciphertext of our PKE scheme is (kemc, aiaec).
Following this approach, we design KDM[ℱ_aff]-CCA and KDM[ℱ^d_poly]-CCA secure PKE schemes, respectively, by constructing specific building blocks.
Differences to Conference Version. This paper constitutes an extended full version of [17]. The new results in this paper are as follows:
(i) In contrast to presenting a concrete construction of AIAE in the conference paper, we give a general paradigm for constructing AIAE from a one-time secure authenticated encryption (AE) and a tag-based hash proof system (HPS) in this paper.
(a) In Section 3.2, we show that the resulting AIAE is IND-RKA secure and weak-INT-RKA secure as long as the underlying tag-based HPS is universal_2, extracting, and key-homomorphic.
(b) In Section 3.3, we give an instantiation of tag-based HPS based on the DDH assumption. Following our paradigm, we obtain a DDH-based AIAE scheme in Section 3.4.
We view the specific AIAE proposed in the conference paper as an instantiation of the general paradigm presented in this paper.
(ii) In this paper, we provide the full proofs of the theorems regarding the KDM[ℱ_aff]-CCA security and KDM[ℱ^d_poly]-CCA security of our PKEs. Compared with the conference paper, we add the proofs of Lemmas 16, 18, 25, 26, and 29 and the proof of indistinguishability between Hybrids 2 and 3 in Section 5.3.
2. Preliminaries
Throughout this paper, denote by λ ∈ ℕ the security parameter. y ←$ Y means choosing an element y from the set Y uniformly. y ←$ A(x; r) means executing algorithm A with
Figure 2: n-KDM[ℱ]-CCA security game.
Proc. initialize: pars ←$ ParGen(1^λ); for i ∈ [n]: (pk_i, sk_i) ←$ KeyGen(pars); β ←$ {0, 1}; output (pars, pk_1, ..., pk_n).
Proc. encrypt(f ∈ ℱ, i ∈ [n]): m_1 := f(sk_1, ..., sk_n); m_0 := 0^{|m_1|}; pkec ←$ Encrypt(pk_i, m_β); ℰ := ℰ ∪ {(pkec, i)}; output pkec.
Proc. decrypt(pkec, i ∈ [n]): if (pkec, i) ∈ ℰ, output ⊥; output Decrypt(sk_i, pkec).
Proc. finalize(β′): output (β′ = β).
input x and randomness r and assigning the output to y. We sometimes abbreviate this to y ←$ A(x). “PPT” is short for probabilistic polynomial-time. For integers n < m, we denote [n] := {1, 2, ..., n} and [n, m] := {n, n + 1, ..., m}. For a security notion YY and a primitive XX, the advantage of a PPT adversary A is typically denoted by Adv^{YY}_{XX,A}(λ), and we denote Adv^{YY}_{XX}(λ) := max_{PPT A} Adv^{YY}_{XX,A}(λ). Let negl(·) denote an unspecified negligible function.
Games. We will use games in our security definitions and proofs. Typically, a game G begins with an initialize procedure and ends with a finalize procedure. In the game, there might be other procedures proc_1, ..., proc_n, which perform as oracles. All procedures are presented with pseudocode, all sets are initialized as empty sets, and all variables are initialized as empty strings. In the execution of a game G with an adversary A, firstly A calls initialize and obtains its output; then A makes arbitrary oracle queries to proc_i according to their specifications and obtains their outputs; finally A calls finalize. At the end of the execution, if finalize outputs b, then we write this as G^A ⇒ b. The statement $a \overset{\mathrm{G}}{=} b$ means that in game G, a is computed as b or a equals b.

2.1. Public-Key Encryption. There are four PPT algorithms PKE = (ParGen, KeyGen, Encrypt, Decrypt) in a public-key encryption (PKE) scheme:
(i) ParGen(1^λ) outputs a public parameter pars. We assume that pars implicitly defines a secret key space 𝒮𝒦 and a message space ℳ.
(ii) KeyGen(pars) takes pars as input and outputs a public key pk and a secret key sk.
(iii) Encrypt(pk, m) takes pk and a message m ∈ ℳ as input and outputs a ciphertext pkec.
(iv) Decrypt(sk, pkec) takes sk and a ciphertext pkec as input and outputs either a message m or a symbol ⊥ indicating the failure of the decryption.
We require PKE to have perfect correctness; that is, for all possible pars ←$ ParGen(1^λ) and all m ∈ ℳ, we have
$$\Pr\big[(pk, sk) \leftarrow_\$ \mathrm{KeyGen}(pars):\ \mathrm{Decrypt}(sk, \mathrm{Encrypt}(pk, m)) = m\big] = 1. \tag{1}$$
Definition 1 (KDM[ℱ]-CCA security). Let n ∈ ℕ and let ℱ denote a set of functions from (𝒮𝒦)^n to ℳ. A scheme PKE is n-KDM[ℱ]-CCA secure if for any PPT adversary A we have Adv^{kdm-cca}_{PKE,A}(λ) := |Pr[n-KDM[ℱ]-CCA^A ⇒ 1] − 1/2| ≤ negl(λ), where n-KDM[ℱ]-CCA is the security game shown in Figure 2.
2.2. Authenticated Encryption. There are three PPT algorithms AE = (AE.ParGen, AE.Encrypt, AE.Decrypt) in an authenticated encryption (AE) scheme:
(i) AE.ParGen(1^λ) generates a system parameter pars_AE. We require pars_AE to be an implicit input to the other algorithms and assume that pars_AE implicitly defines a key space 𝒦_AE and a message space ℳ.
(ii) AE.Encrypt(k, m) takes a key k ∈ 𝒦_AE and a message m ∈ ℳ as input and outputs a ciphertext aec.
(iii) AE.Decrypt(k, aec) takes a key k ∈ 𝒦_AE and a ciphertext aec as input and outputs a message m ∈ ℳ or a symbol ⊥.
We require AE to have perfect correctness; that is, for all possible pars_AE ←$ AE.ParGen(1^λ), all keys k ∈ 𝒦_AE, and all m ∈ ℳ,
$$\Pr\big[\mathrm{AE.Decrypt}(k, \mathrm{AE.Encrypt}(k, m)) = m\big] = 1. \tag{2}$$
Definition 2 (one-time security). A scheme AE is one-time secure (OT-secure), that is, IND-OT and INT-OT secure, if for any PPT A, both Adv^{ind-ot}_{AE,A}(λ) := |Pr[IND-OT^A ⇒ 1] − 1/2| ≤ negl(λ) and Adv^{int-ot}_{AE,A}(λ) := Pr[INT-OT^A ⇒ 1] ≤ negl(λ), where IND-OT and INT-OT are the security games presented in Figure 3.
2.3. Key Encapsulation Mechanism. There are three PPT algorithms KEM = (KEM.KeyGen, KEM.Encrypt, KEM.Decrypt) in a key encapsulation mechanism (KEM):
(i) KEM.KeyGen(1^λ) generates a public key pk and a secret key sk.
(ii) KEM.Encrypt(pk) takes pk as input and outputs a key k together with a ciphertext kemc.
(iii) KEM.Decrypt(sk, kemc) takes sk and a ciphertext kemc as input and outputs either a key k or a symbol ⊥.
Figure 3: IND-OT (a) and INT-OT (b) security games.
(a) IND-OT. Proc. initialize: pars_AE ←$ AE.ParGen(1^λ); k ←$ 𝒦_AE; β ←$ {0, 1}; output pars_AE. Proc. encrypt(m_0, m_1) (one query): if |m_0| ≠ |m_1|, output ⊥; aec ←$ AE.Encrypt(k, m_β); output aec. Proc. finalize(β′): output (β′ = β).
(b) INT-OT. Proc. initialize: pars_AE ←$ AE.ParGen(1^λ); k ←$ 𝒦_AE; output pars_AE. Proc. encrypt(m) (one query): aec ←$ AE.Encrypt(k, m); output aec. Proc. finalize(aec*): if aec* = aec, output 0; output (AE.Decrypt(k, aec*) ≠ ⊥).
We require KEM to have perfect correctness; that is, for all possible (pk, sk) ←$ KEM.KeyGen(1^λ), we have
$$\Pr\big[(k, kemc) \leftarrow_\$ \mathrm{KEM.Encrypt}(pk):\ \mathrm{KEM.Decrypt}(sk, kemc) = k\big] = 1. \tag{3}$$
2.4. Tag-Based Hash Proof System: Universal_2, Extracting, and Key-Homomorphism. Tag-based hash proof system (HPS) was first defined in [19]. The definition is similar to extended HPS [20], but the universal_2 property is slightly different.
Definition 3 (tag-based hash proof system). A tag-based hash proof system THPS = (THPS.Setup, THPS.Pub, THPS.Priv) is comprised of three PPT algorithms:
(i) THPS.Setup(1^λ) outputs a parameterized instance pars_THPS, which implicitly defines (𝒦, 𝒞, 𝒱, 𝒯, ℋ𝒦, 𝒫𝒦, Λ_(·), μ), where 𝒦, 𝒞, 𝒱, 𝒯, ℋ𝒦, 𝒫𝒦 are all finite sets with 𝒱 ⊆ 𝒞, Λ_(·): 𝒞 × 𝒯 → 𝒦 is a set of hash functions indexed by hk ∈ ℋ𝒦, and μ: ℋ𝒦 → 𝒫𝒦 is a function. We assume that μ is efficiently computable and that there are PPT algorithms sampling hk ←$ ℋ𝒦 uniformly, sampling C ←$ 𝒞 uniformly, sampling C ←$ 𝒱 uniformly together with a witness w, and checking membership in 𝒞.
(ii) THPS.Pub(pk, C, w, t) takes a projection key pk = μ(hk) ∈ 𝒫𝒦, an element C ∈ 𝒱 with a witness w, and a tag t ∈ 𝒯 as input and outputs a hash value K = Λ_hk(C, t) ∈ 𝒦.
(iii) THPS.Priv(hk, C, t) takes a hashing key hk ∈ ℋ𝒦, an element C ∈ 𝒞, and a tag t ∈ 𝒯 as input and outputs a hash value K = Λ_hk(C, t) ∈ 𝒦 without knowing a witness.
We require THPS to be projective; that is, for all pars_THPS ←$ THPS.Setup(1^λ), all hk ∈ ℋ𝒦 and pk = μ(hk) ∈ 𝒫𝒦, all C ∈ 𝒱 with all witnesses w, and all t ∈ 𝒯, it holds that
$$\mathrm{THPS.Pub}(pk, C, w, t) = \Lambda_{hk}(C, t) = \mathrm{THPS.Priv}(hk, C, t). \tag{4}$$
Tag-based HPS is associated with a subset membership problem. Informally speaking, it asks to distinguish the uniform dist distribution over 𝒱 from the uniform distribution over 𝒞 \ 𝒱.
Definition 4 (SMP). The Subset Membership Problem (SMP) related to THPS is hard if for any PPT adversary A one has
$$\mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS},\mathcal{A}}(\lambda) := \big|\Pr[\mathcal{A}(pars_{\mathrm{THPS}}, C) = 1] - \Pr[\mathcal{A}(pars_{\mathrm{THPS}}, C') = 1]\big| \le \mathrm{negl}(\lambda), \tag{5}$$
where pars_THPS ←$ THPS.Setup(1^λ), C ←$ 𝒱, and C′ ←$ 𝒞 \ 𝒱.
Definition 5 (universal_2). THPS is called (strongly) universal_2 if for all possible pars_THPS ←$ THPS.Setup(1^λ), all pk ∈ 𝒫𝒦, all C ∈ 𝒞, all C′ ∈ 𝒞 \ 𝒱, all t, t′ ∈ 𝒯 with t ≠ t′, and all K, K′ ∈ 𝒦, it holds that
$$\Pr\big[\Lambda_{hk}(C', t') = K' \;\big|\; \mu(hk) = pk,\ \Lambda_{hk}(C, t) = K\big] = \frac{1}{|\mathcal{K}|}, \tag{6}$$
where the probability is over hk ←$ ℋ𝒦.
The key difference between tag-based HPS and extended HPS lies in the definition of the universal_2 property [19]. Extended HPS requires (6) to hold for (C, t) ≠ (C′, t′), while tag-based HPS requires (6) to hold only for t ≠ t′. Hence any (universal_2) extended HPS is also a (universal_2) tag-based HPS, but not vice versa. Tag-based HPS is essentially a weaker variant of extended HPS and admits more efficient constructions.
Dodis et al. [21] defined an extracting property for extended HPS, which requires the hash value Λ_hk(C, t) to be uniformly distributed over 𝒦 for any C ∈ 𝒞 and t ∈ 𝒯, as long as hk is randomly chosen from ℋ𝒦. Besides, Xagawa [22] considered a key-homomorphic property for extended HPS, which stipulates that Λ_{hk+Δ}(C, t) = Λ_hk(C, t) · Λ_Δ(C, t) holds for any hk, Δ ∈ ℋ𝒦, C ∈ 𝒞, and t ∈ 𝒯. Here we adapt these notions to tag-based HPS.
Definition 6 (extracting). THPS is called extracting if for all pars_THPS ←$ THPS.Setup(1^λ), all C ∈ 𝒞, all t ∈ 𝒯, and all K ∈ 𝒦, it holds that
$$\Pr\big[\Lambda_{hk}(C, t) = K\big] = \frac{1}{|\mathcal{K}|}, \tag{7}$$
where hk ←$ ℋ𝒦.
Definition 7 (key-homomorphism). THPS is called key-homomorphic if for all pars_THPS ←$ THPS.Setup(1^λ), which defines (𝒦, 𝒞, 𝒱, 𝒯, ℋ𝒦, 𝒫𝒦, Λ_(·), μ), one has the following:
(i) Both (ℋ𝒦, +) and (𝒦, ·) are groups.
(ii) For all C ∈ 𝒞 and all t ∈ 𝒯, the mapping Λ_(·)(C, t): ℋ𝒦 → 𝒦 is a group homomorphism. That is, for all hk, b ∈ ℋ𝒦 and all a ∈ ℤ, it holds that Λ_{a·hk+b}(C, t) = (Λ_hk(C, t))^a · Λ_b(C, t).
2.5. DCR, DDH, DL, and IV_d Assumptions. Suppose that GenN(1^λ) is a PPT algorithm generating (p, q, N, Ñ), where p, q are safe primes of λ bits, N = pq, and Ñ = 2N + 1 is a prime. We define the following:
(i) QR_Ñ := {a² mod Ñ | a ∈ Z_Ñ}.
Then QR_Ñ is a cyclic group of order N. For s ∈ ℕ and T = 1 + N, we define
(i) QR_{N^s} := {a² mod N^s | a ∈ Z*_{N^s}};
(ii) SCR_{N^s} := {a^{2N^{s−1}} mod N^s | a ∈ Z*_{N^s}};
(iii) RU_{N^s} := {T^r mod N^s | r ∈ [N^{s−1}]}.
Then SCR_{N^s} is a cyclic group of order φ(N)/4, and QR_{N^s} = SCR_{N^s} ⊗ RU_{N^s}, where ⊗ represents the internal direct product.
Damgård and Jurik [23] showed that the discrete logarithm dlog_T(u) ∈ [N^{s−1}] of an element u ∈ RU_{N^s} can be efficiently computed from u and N. Observe that Z*_{N^s} = Z_2 ⊗ Z′_2 ⊗ SCR_{N^s} ⊗ RU_{N^s}; thus for any v = v(Z_2) · v(Z′_2) · v(SCR_{N^s}) · T^x ∈ Z*_{N^s}, we have v^{φ(N)} = T^{x·φ(N)} ∈ RU_{N^s} and
$$\frac{\mathrm{dlog}_T\big(v^{\phi(N)}\big)}{\phi(N)} \bmod N^{s-1} = x. \tag{8}$$
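As an added worked example (my own code, not from the paper), the Damgård–Jurik discrete logarithm in RU_{N^s} and the extraction formula (8) above, run on constructed toy parameters. It assumes tiny safe primes p = 23 and q = 59 (insecure, for illustration only), chosen so that gcd(φ(N), N) = 1, and implements the general-s algorithm rather than only the s = 2 case.

```python
# Added example (mine, not the paper's): the Damgård–Jurik discrete logarithm in RU_{N^s}
# and the extraction formula (8) of Section 2.5, run on constructed toy parameters.
# Assumptions: p = 23 = 2*11 + 1 and q = 59 = 2*29 + 1 are safe primes (far too small
# to be secure), chosen so that gcd(phi(N), N) = 1; the group notation is the paper's.
from math import factorial, gcd
import random

P, Q = 23, 59
N = P * Q                        # 1357
PHI = (P - 1) * (Q - 1)          # phi(N) = 4 p' q' = 1276
assert gcd(PHI, N) == 1          # needed to divide by phi(N) modulo N^(s-1) in (8)

def dlog_T(u, N, s):
    """Return x in [N^(s-1)] with (1 + N)^x = u (mod N^s), for u in RU_{N^s} [23].

    Level by level: (1+N)^x = 1 + xN + C(x,2)N^2 + ... (mod N^(j+1)), so
    ((u mod N^(j+1)) - 1) / N = x + C(x,2)N + ... + C(x,j)N^(j-1) (mod N^j).
    The binomial corrections depend only on x mod N^(j-1), which is already known.
    """
    x = 0
    for j in range(1, s):
        mod = N ** j
        t = ((u % (N ** (j + 1))) - 1) // N
        for k in range(2, j + 1):
            falling = 1                                   # x (x-1) ... (x-k+1) mod N^j
            for i in range(k):
                falling = falling * (x - i) % mod
            term = falling * pow(factorial(k), -1, mod) % mod * pow(N, k - 1, mod) % mod
            t = (t - term) % mod
        x = t
    return x

def sample_unit(modulus, rng):
    """Uniform element of Z*_modulus by rejection sampling."""
    while True:
        a = rng.randrange(1, modulus)
        if gcd(a, modulus) == 1:
            return a

def sample_scr(N, s, rng):
    """Uniform element of SCR_{N^s} = { a^(2 N^(s-1)) mod N^s : a in Z*_{N^s} }."""
    return pow(sample_unit(N ** s, rng), 2 * N ** (s - 1), N ** s)

def extract_exponent(v, N, s, phi):
    """Equation (8): for v = v(Z_2) v(Z'_2) v(SCR_{N^s}) T^x, recover x.

    Raising to phi(N) kills the phi(N)-torsion part v(Z_2) v(Z'_2) v(SCR_{N^s}) and
    leaves T^(x phi(N)) in RU_{N^s}; dividing the dlog by phi(N) mod N^(s-1) gives x.
    """
    u = pow(v, phi, N ** s)
    return dlog_T(u, N, s) * pow(phi, -1, N ** (s - 1)) % N ** (s - 1)

def demo(s=3, seed=7):
    """Check the group facts of Section 2.5 and equation (8) for a random v in Z*_{N^s}."""
    rng = random.Random(seed)
    Ns, T = N ** s, 1 + N
    h = sample_scr(N, s, rng)
    scr_order_ok = pow(h, PHI // 4, Ns) == 1              # SCR_{N^s} has order phi(N)/4
    x = rng.randrange(N ** (s - 1))
    dlog_ok = dlog_T(pow(T, x, Ns), N, s) == x            # dlog in RU_{N^s}
    # w^(N^(s-1)) lies in Z_2 x Z'_2 x SCR_{N^s} for every w in Z*_{N^s}, so
    # v = torsion * T^x has the decomposition used in (8) with a known x.
    torsion = pow(sample_unit(Ns, rng), N ** (s - 1), Ns)
    v = torsion * pow(T, x, Ns) % Ns
    return scr_order_ok and dlog_ok and extract_exponent(v, N, s, PHI) == x

if __name__ == "__main__":
    print("Section 2.5 facts and equation (8) hold on the toy modulus:", demo())
```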
Definition 8 (DCR assumption). The Decisional Composite Residuosity (DCR) assumption holds for GenN and QR_{N^s} if for any PPT A it holds that
$$\mathrm{Adv}^{\mathrm{dcr}}_{\mathrm{GenN},\mathcal{A}}(\lambda) := \big|\Pr[\mathcal{A}(N, u) = 1] - \Pr[\mathcal{A}(N, v) = 1]\big| \le \mathrm{negl}(\lambda), \tag{9}$$
where (p, q, N, Ñ) ←$ GenN(1^λ), u ←$ QR_{N^s}, and v ←$ SCR_{N^s}.
The Interactive Vector (IV_d) assumption is implied by the DCR assumption, as shown in [5]. Here we recall the IV_d assumption according to [16].
Definition 9 (IV_d assumption). The IV_d assumption holds for GenN and QR_{N^s} if for any PPT A it holds that
$$\mathrm{Adv}^{\mathrm{iv}_d}_{\mathrm{GenN},\mathcal{A}}(\lambda) := \Big|\Pr\big[\mathcal{A}^{\mathrm{chal}^{b}_{\mathrm{IV}_d}}(N, g_1, \ldots, g_d) = b\big] - \tfrac{1}{2}\Big| \le \mathrm{negl}(\lambda), \tag{10}$$
where (p, q, N, Ñ) ←$ GenN(1^λ), g_1, ..., g_d ←$ SCR_{N^s}, b ←$ {0, 1}, and A is allowed to query the oracle chal^b_{IV_d}(·) adaptively. Each time, A can submit (δ_1, ..., δ_d) to the oracle, and chal^b_{IV_d}(δ_1, ..., δ_d) selects r ←$ [⌊N/4⌋] randomly; if b = 0, the oracle outputs (g_1^r, ..., g_d^r) to A; otherwise it outputs (g_1^r T^{δ_1}, ..., g_d^r T^{δ_d}) to A, where T = 1 + N.
Definition 10 (DDH assumption). The DDH assumption holds for GenN and QR_Ñ if for any PPT A it holds that
$$\mathrm{Adv}^{\mathrm{ddh}}_{\mathrm{GenN},\mathcal{A}}(\lambda) := \big|\Pr[\mathcal{A}(N, p, q, g_1, g_2, g_1^{x}, g_2^{x}) = 1] - \Pr[\mathcal{A}(N, p, q, g_1, g_2, g_1^{x}, g_2^{y}) = 1]\big| \le \mathrm{negl}(\lambda), \tag{11}$$
where (p, q, N, Ñ) ←$ GenN(1^λ), g_1, g_2 ←$ QR_Ñ, and x, y ←$ Z_N \ {0}.
Definition 11 (DL assumption). The Discrete Logarithm (DL) assumption holds for GenN and SCR_{N^s} if for any PPT A it holds that
$$\mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN},\mathcal{A}}(\lambda) := \Pr\big[\mathcal{A}(N, p, q, g, g^{x}) = x\big] \le \mathrm{negl}(\lambda), \tag{12}$$
where (p, q, N, Ñ) ←$ GenN(1^λ), g ←$ SCR_{N^s}, and x ←$ [φ(N)/4].
2.6. Collision-Resistant Hashing
Definition 12 (collision-resistant hashing). Let ℋ = {H: X → Y} be a set of hash functions. ℋ is said to be collision-resistant if for any PPT A one has
$$\mathrm{Adv}^{\mathrm{cr}}_{\mathcal{H},\mathcal{A}}(\lambda) := \Pr\big[H \leftarrow_\$ \mathcal{H};\ (x, x') \leftarrow_\$ \mathcal{A}(H):\ x \ne x' \wedge H(x) = H(x')\big] \le \mathrm{negl}(\lambda). \tag{13}$$
3. Auxiliary-Input Authenticated Encryption
Our PKE constructions in Sections 4 and 5 will resort to a new primitive, AIAE. To serve the KDM-CCA security of our PKE construction in Figure 1, our AIAE should satisfy the following properties:
(i) AIAE must take an auxiliary input ai in both the encryption and decryption algorithms.
(ii) AIAE must have IND-ℱ-RKA security and weak-INT-ℱ-RKA security. Compared to the INT-ℱ-RKA security proposed in [16], the weak-INT-ℱ-RKA security imposes a special rule to determine whether the adversary's forgery is successful or not.
In the following, we present the syntax of AIAE and define its IND-ℱ-RKA security and weak-INT-ℱ-RKA security. We also show a general paradigm of AIAE from tag-based HPS and give an instantiation of AIAE under the DDH assumption.
3.1. Auxiliary-Input Authenticated Encryption
Definition 13 (AIAE). There are three PPT algorithms AIAE = (AIAE.ParGen, AIAE.Encrypt, AIAE.Decrypt) in an AIAE scheme:
(i) The parameter generation algorithm AIAE.ParGen(1^λ) generates a system parameter pars_AIAE. We require pars_AIAE to be an implicit input to the other algorithms and assume that pars_AIAE implicitly defines a key space 𝒦_AIAE, a message space ℳ, and an auxiliary-input space 𝒜ℐ.
(ii) The encryption algorithm AIAE.Encrypt(k, m, ai) takes a key k ∈ 𝒦_AIAE, a message m ∈ ℳ, and an auxiliary input ai ∈ 𝒜ℐ as input and outputs a ciphertext aiaec.
(iii) The decryption algorithm AIAE.Decrypt(k, aiaec, ai) takes a key k ∈ 𝒦_AIAE, a ciphertext aiaec, and an auxiliary input ai ∈ 𝒜ℐ as input and outputs a message m ∈ ℳ or a symbol ⊥.
We require AIAE to have perfect correctness; that is, for all possible pars_AIAE ←$ AIAE.ParGen(1^λ), all keys k ∈ 𝒦_AIAE, all messages m ∈ ℳ, and all auxiliary inputs ai ∈ 𝒜ℐ,
$$\Pr\big[\mathrm{AIAE.Decrypt}(k, \mathrm{AIAE.Encrypt}(k, m, ai), ai) = m\big] = 1. \tag{14}$$
In fact, AIAE is a generalization of traditional AE, and traditional AE can be viewed as AIAE with 𝒜ℐ = ∅.
Definition 14 (RKA security). Denote by ℱ a set of functions from 𝒦_AIAE to 𝒦_AIAE. A scheme AIAE is IND-ℱ-RKA secure and weak-INT-ℱ-RKA secure if for any PPT A,
$$\mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE},\mathcal{A}}(\lambda) := \Big|\Pr\big[\mathrm{IND}\text{-}\mathcal{F}\text{-}\mathrm{RKA}^{\mathcal{A}} \Rightarrow 1\big] - \tfrac{1}{2}\Big| \le \mathrm{negl}(\lambda),$$
$$\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE},\mathcal{A}}(\lambda) := \Pr\big[\mathrm{weak\text{-}INT}\text{-}\mathcal{F}\text{-}\mathrm{RKA}^{\mathcal{A}} \Rightarrow 1\big] \le \mathrm{negl}(\lambda), \tag{15}$$
where IND-ℱ-RKA and weak-INT-ℱ-RKA are the security games presented in Figure 4.
3.2. Generic Construction of AIAE from Tag-Based HPS and OT-Secure AE. Our construction of AIAE needs the following ingredients:
(i) A tag-based hash proof system THPS = (THPS.Setup, THPS.Pub, THPS.Priv), where the hash value space is 𝒦, the tag space is 𝒯, and the hashing key space is ℋ𝒦.
(ii) A (traditional) authenticated encryption scheme AE = (AE.ParGen, AE.Encrypt, AE.Decrypt), where the message space is ℳ and the key space is 𝒦.
(iii) A set of hash functions ℋ = {H: {0, 1}* → 𝒯}.
We present our AIAE construction AIAE = (AIAE.ParGen, AIAE.Encrypt, AIAE.Decrypt) in Figure 5, whose key space is 𝒦_AIAE := ℋ𝒦, message space is ℳ, and auxiliary-input space is 𝒜ℐ := {0, 1}*.
By the perfect correctness of AE, it is routine to check that AIAE has perfect correctness.
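As an added worked example (my own code, not the paper's), the generic AIAE of Figure 5 in Python: it builds AIAE.Encrypt and AIAE.Decrypt from a tag-based HPS, a one-time AE, and a hash H, and checks correctness, rejection under a different auxiliary input ai, use under a related key f_(a,b)(hk) = a·hk + b, and the key-homomorphism of Definition 7. Assumptions not taken from this page: the tag-based HPS is the Cramer–Shoup-style DDH hash family Λ_hk(C, t) = u_1^{k_1 + t·k_3} · u_2^{k_2 + t·k_4} over a prime-order subgroup of Z_P* with a toy 89-bit prime, the AE is an encrypt-then-MAC stand-in built from SHAKE-256 and HMAC-SHA-256, and H is SHA-256 reduced modulo the tag space.

```python
# Added example (not the paper's code): the generic AIAE of Figure 5 / Section 3.2,
# AIAE.Encrypt(hk, m, ai) = <C, AE.Encrypt(Lambda_hk(C, H(C, ai)), m)>.
# Assumptions (mine, not from this page): the tag-based HPS is the Cramer-Shoup-style
# DDH hash family over the order-Q subgroup of Z_P^*; the one-time AE is an
# encrypt-then-MAC stand-in from SHAKE-256/HMAC-SHA-256; H is SHA-256 reduced mod Q.
# Toy parameters only: P is an 89-bit prime, far too small for real use.
import hashlib, hmac, random

P = 2**89 - 1                      # Mersenne prime
Q = 2931542417                     # prime factor of P - 1 = 2*(2^44-1)*17*353*Q; group order
G1 = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if g != 1)
G2 = pow(G1, 0x1234567, P)         # second generator g2 = g1^alpha (alpha is never used)

# ---- tag-based HPS: HK = Z_Q^4, C = G^2, V = {(g1^w, g2^w)}, K = G, T = Z_Q
def thps_keygen(rng):
    return tuple(rng.randrange(Q) for _ in range(4))              # hk = (k1, k2, k3, k4)

def thps_mu(hk):
    """Projection key pk = mu(hk) = (g1^k1 g2^k2, g1^k3 g2^k4)."""
    k1, k2, k3, k4 = hk
    return (pow(G1, k1, P) * pow(G2, k2, P) % P, pow(G1, k3, P) * pow(G2, k4, P) % P)

def thps_sample_v(rng):
    """C <-$ V together with its witness w."""
    w = rng.randrange(1, Q)
    return (pow(G1, w, P), pow(G2, w, P)), w

def thps_in_c(C):
    """Membership in the ambient set C = G^2 (elements of the order-Q subgroup)."""
    return len(C) == 2 and all(0 < u < P and pow(u, Q, P) == 1 for u in C)

def thps_priv(hk, C, t):
    """Lambda_hk(C, t) = u1^(k1 + t k3) * u2^(k2 + t k4); the exponent is linear in hk."""
    k1, k2, k3, k4 = hk
    u1, u2 = C
    return pow(u1, (k1 + t * k3) % Q, P) * pow(u2, (k2 + t * k4) % Q, P) % P

def thps_pub(pk, C, w, t):
    """Same hash value from the projection key and the witness (projectivity, eq. (4))."""
    h1, h2 = pk
    return pow(h1, w, P) * pow(h2, (w * t) % Q, P) % P

def key_affine(a, hk, b):
    """Restricted affine function f_(a,b): hk -> a*hk + b over HK = Z_Q^4 (Theorem 15)."""
    return tuple((a * k + c) % Q for k, c in zip(hk, b))

# ---- one-time secure AE stand-in: SHAKE-256 keystream, HMAC-SHA-256 tag, key space K = G
def _ae_keys(kappa):
    seed = kappa.to_bytes(12, "big")
    return hashlib.sha256(b"enc" + seed).digest(), hashlib.sha256(b"mac" + seed).digest()

def ae_encrypt(kappa, m):
    ke, km = _ae_keys(kappa)
    c = bytes(x ^ y for x, y in zip(m, hashlib.shake_256(ke).digest(len(m))))
    return c + hmac.new(km, c, hashlib.sha256).digest()

def ae_decrypt(kappa, aec):
    ke, km = _ae_keys(kappa)
    c, tag = aec[:-32], aec[-32:]
    if not hmac.compare_digest(hmac.new(km, c, hashlib.sha256).digest(), tag):
        return None                                               # the symbol bottom
    return bytes(x ^ y for x, y in zip(c, hashlib.shake_256(ke).digest(len(c))))

def H(C, ai):
    """H: {0,1}^* -> T = Z_Q; the tag binds C and the auxiliary input ai together."""
    return int.from_bytes(hashlib.sha256(b"%d|%d|" % C + ai).digest(), "big") % Q

# ---- AIAE of Figure 5 (key space HK, auxiliary-input space {0,1}^*)
def aiae_encrypt(hk, m, ai, rng):
    C, w = thps_sample_v(rng)
    t = H(C, ai)
    kappa = thps_priv(hk, C, t)
    assert kappa == thps_pub(thps_mu(hk), C, w, t)                # projectivity sanity check
    return C, ae_encrypt(kappa, m)

def aiae_decrypt(hk, aiaec, ai):
    C, chi = aiaec
    if not thps_in_c(C):                                          # "If C not in C, output bottom"
        return None
    return ae_decrypt(thps_priv(hk, C, H(C, ai)), chi)

def demo(seed=1):
    rng = random.Random(seed)
    hk = thps_keygen(rng)
    m, ai = b"constructed E-ciphertext", b"constructed kemc used as auxiliary input"
    ct = aiae_encrypt(hk, m, ai, rng)
    correct = aiae_decrypt(hk, ct, ai) == m
    other_ai_rejected = aiae_decrypt(hk, ct, b"another ai") is None   # tag t changes, AE rejects
    # Related-key use, as in the IND-F_raff-RKA game: encrypt under f(hk) = a*hk + b.
    a, b = 7, tuple(rng.randrange(Q) for _ in range(4))
    ct2 = aiae_encrypt(key_affine(a, hk, b), m, ai, rng)
    rka_correct = aiae_decrypt(key_affine(a, hk, b), ct2, ai) == m
    # Key-homomorphism (Definition 7): Lambda_{a*hk+b}(C,t) = Lambda_hk(C,t)^a * Lambda_b(C,t).
    C, t = ct2[0], H(ct2[0], ai)
    homomorphic = thps_priv(key_affine(a, hk, b), C, t) == \
        pow(thps_priv(hk, C, t), a, P) * thps_priv(b, C, t) % P
    return correct and other_ai_rejected and rka_correct and homomorphic

if __name__ == "__main__":
    print("AIAE construction checks pass:", demo())
```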
Theorem 15. If (i) THPS is universal_2, extracting, key-homomorphic, and has a hard subset membership problem, (ii) AE is one-time secure, and (iii) ℋ is collision-resistant, then the scheme AIAE in Figure 5 is IND-ℱ_raff-RKA and weak-INT-ℱ_raff-RKA secure. Here ℱ_raff := {f_(a,b): hk ∈ ℋ𝒦 ↦ a·hk + b ∈ ℋ𝒦 | a ∈ Z*_{|𝒦|}, b ∈ ℋ𝒦} is the set of restricted affine functions.
Proof of Theorem 15 (IND-ℱ_raff-RKA Security). Denote by A a PPT adversary who is against the IND-ℱ_raff-RKA security and queries the encrypt oracle at most Q_e times. We show the IND-ℱ_raff-RKA security through a series of games. For an event E, we denote by Pr_j[E], Pr′_j[E], and Pr″_j[E] the probability of E occurring in games G_j, G′_j, and G″_j, respectively.
Game G_1. It is the original IND-ℱ_raff-RKA game. Denote the event β′ = β by Succ. According to the definition, Adv^{ind-rka}_{AIAE,A}(λ) = |Pr_1[Succ] − 1/2|.
Figure 4: IND-ℱ-RKA (a) and weak-INT-ℱ-RKA (b) security games. We note that in the weak-INT-ℱ-RKA game there is a special rule (marked below) of outputting 0 in finalize.
(a) IND-ℱ-RKA. Proc. initialize: pars_AIAE ←$ AIAE.ParGen(1^λ); k ←$ 𝒦_AIAE; β ←$ {0, 1}; output pars_AIAE. Proc. encrypt(m_0, m_1, ai, f ∈ ℱ): if |m_0| ≠ |m_1|, output ⊥; aiaec ←$ AIAE.Encrypt(f(k), m_β, ai); output aiaec. Proc. finalize(β′): output (β′ = β).
(b) weak-INT-ℱ-RKA. Proc. initialize: pars_AIAE ←$ AIAE.ParGen(1^λ); k ←$ 𝒦_AIAE; output pars_AIAE. Proc. encrypt(m, ai, f ∈ ℱ): aiaec ←$ AIAE.Encrypt(f(k), m, ai); ℰ := ℰ ∪ {(ai, f, aiaec)}; 𝒜ℐ-ℱ := 𝒜ℐ-ℱ ∪ {(ai, f)}; output aiaec. Proc. finalize(ai*, f* ∈ ℱ, aiaec*): if (ai*, f*, aiaec*) ∈ ℰ, output 0; [special rule] if there exists (ai, f) ∈ 𝒜ℐ-ℱ such that ai = ai* but f ≠ f*, output 0; output (AIAE.Decrypt(f*(k), aiaec*, ai*) ≠ ⊥).
Figure 5: Generic construction of AIAE from THPS and AE.
AIAE.ParGen(1^λ): pars_THPS ←$ THPS.Setup(1^λ); pars_AE ←$ AE.ParGen(1^λ); H ←$ ℋ; output pars_AIAE = (pars_THPS, pars_AE, H).
AIAE.Encrypt(hk, m, ai): C ←$ 𝒱 with witness w; t := H(C, ai) ∈ 𝒯; κ := Λ_hk(C, t) ∈ 𝒦; χ ←$ AE.Encrypt(κ, m); output ⟨C, χ⟩.
AIAE.Decrypt(hk, ⟨C, χ⟩, ai): if C ∉ 𝒞, output ⊥; t := H(C, ai) ∈ 𝒯; κ := Λ_hk(C, t) ∈ 𝒦; m/⊥ ← AE.Decrypt(κ, χ); output m/⊥.
As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_{\ell,0}, m_{\ell,1}, \mathrm{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, the challenger prepares the challenge ciphertext as follows:
(i) pick $C_\ell \leftarrow_\$ \mathcal{V}$ together with witness $w_\ell$;
(ii) compute $t_\ell := \mathrm{H}(C_\ell, \mathrm{ai}_\ell) \in \mathcal{T}$;
(iii) compute $\kappa_\ell := \Lambda_{a_\ell \cdot \mathrm{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell) \in \mathcal{K}$;
(iv) invoke $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$;
and it outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$.
Game $\mathrm{G}_{1,j}$, $j \in [Q_e + 1]$. It is identical to $\mathrm{G}_1$ except that for the first $j-1$ times of encrypt queries, that is, $\ell \in [j-1]$, the challenger chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$ randomly for the AE scheme.

Clearly $\mathrm{G}_{1,1}$ is identical to $\mathrm{G}_1$, thus $\Pr_1[\mathsf{Succ}] = \Pr_{1,1}[\mathsf{Succ}]$.

Game $\mathrm{G}'_{1,j}$, $j \in [Q_e]$. It is identical to $\mathrm{G}_{1,j}$ except that for the $j$th encrypt query the challenger samples $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$ lies in the distribution of $C_j$. In game $\mathrm{G}_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $\mathrm{G}'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$ results in a PPT adversary solving the subset membership problem related to THPS, thus we have that $|\Pr_{1,j}[\mathsf{Succ}] - \Pr_{1,j'}[\mathsf{Succ}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.

Game $\mathrm{G}''_{1,j}$, $j \in [Q_e]$. It is identical to $\mathrm{G}'_{1,j}$ except that for the $j$th encrypt query the challenger chooses $\kappa_j \leftarrow_\$ \mathcal{K}$ randomly.
Lemma 16. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.

Proof. For game $\mathrm{G}'_{1,j}$ and game $\mathrm{G}''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$th encrypt query. In $\mathrm{G}'_{1,j}$, $\kappa_j$ is properly computed, while in $\mathrm{G}''_{1,j}$ it is chosen from $\mathcal{K}$ uniformly.

We analyze the information about the key $\mathrm{hk}$ that is used in game $\mathrm{G}'_{1,j}$:

(i) For the $\ell$th ($\ell \in [j-1]$) query, encrypt does not use $\mathrm{hk}$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$th ($\ell \in [j+1, Q_e]$) query, encrypt can use $\mathrm{pk} = \mu(\mathrm{hk})$ to compute $\kappa_\ell$:
$$\begin{aligned} \kappa_\ell &= \Lambda_{a_\ell \cdot \mathrm{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell), \quad C_\ell \leftarrow_\$ \mathcal{V} \text{ with witness } w_\ell \\ &= (\Lambda_{\mathrm{hk}}(C_\ell, t_\ell))^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) && \text{via key-homomorphism} \\ &= (\mathrm{THPS.Pub}(\mathrm{pk}, C_\ell, w_\ell, t_\ell))^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) && \text{via projective property} \end{aligned} \tag{16}$$

(iii) For the $j$th query, encrypt uses $\Lambda_{\mathrm{hk}}(C_j, t_j)$ to compute $\kappa_j$:
$$\begin{aligned} \kappa_j &= \Lambda_{a_j \cdot \mathrm{hk} + \mathbf{b}_j}(C_j, t_j), \quad C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V} \\ &= (\Lambda_{\mathrm{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) && \text{via key-homomorphism} \end{aligned} \tag{17}$$

Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the $\mathsf{universal}_2$ property of THPS, $\Lambda_{\mathrm{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$. Then as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{\mathrm{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also randomly distributed over $\mathcal{K}$. Consequently, $\mathrm{G}'_{1,j}$ is essentially the same as $\mathrm{G}''_{1,j}$, and $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.
Now we show that game $\mathrm{G}''_{1,j}$ is computationally indistinguishable from game $\mathrm{G}_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $\mathrm{G}''_{1,j}$ and $\mathrm{G}_{1,j+1}$ lies in the distribution of $C_j$ in the $j$th encrypt query. In game $\mathrm{G}''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $\mathrm{G}_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS, thus we have that $|\Pr_{1,j''}[\mathsf{Succ}] - \Pr_{1,j+1}[\mathsf{Succ}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.

Game $\mathrm{G}_2$. It is identical to $\mathrm{G}_{1,Q_e+1}$ except that when answering encrypt queries, the challenger invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$.

In game $\mathrm{G}_{1,Q_e+1}$ the challenger computes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$; in game $\mathrm{G}_2$ the challenger computes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$. Since each $\kappa_\ell$ is chosen from $\mathcal{K}$ uniformly at random, $\ell \in [Q_e]$, by a standard hybrid argument any difference between $\mathrm{G}_{1,Q_e+1}$ and $\mathrm{G}_2$ results in a PPT adversary against the IND-OT security of AE, so that $|\Pr_{1,Q_e+1}[\mathsf{Succ}] - \Pr_2[\mathsf{Succ}]| \le Q_e \cdot \mathrm{Adv}^{\text{ind-ot}}_{\mathrm{AE}}(\lambda)$.

Finally, in game $\mathrm{G}_2$, since the challenge ciphertexts are encryptions of $0^{|m_{\ell,0}|}$, $\beta$ is perfectly hidden from $\mathcal{A}$. So $\Pr_2[\mathsf{Succ}] = 1/2$.

Summing up, we proved the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security).
Proof of Theorem 15 (Weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA Security). Denote by $\mathcal{A}$ a PPT adversary who is against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security and queries the encrypt oracle for at most $Q_e$ times. Similarly, the proof goes through a series of games, which are defined analogously to those of the previous proof.

Game $\mathrm{G}_0$. It is the original weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathrm{ai}_\ell, f_\ell)$, the challenger computes the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in similar steps as in the previous proof and outputs $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, the challenger will put $(\mathrm{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into a set $\mathcal{Q}_{\mathrm{ENC}}$, put $(\mathrm{ai}_\ell, f_\ell)$ into a set $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and put $(C_\ell, \mathrm{ai}_\ell, t_\ell)$ into a set $\mathcal{Q}_{\mathrm{TAG}}$. In the end, the adversary outputs a forgery $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle)$, where $f^* = \langle a^*, \mathbf{b}^* \rangle$, and the challenger invokes the finalize procedure as follows:

(i) If $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, output 0.
(ii) If $\exists (\mathrm{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai}_\ell = \mathrm{ai}^*$ but $f_\ell \neq f^*$, output 0.
(iii) If $C^* \notin \mathcal{C}$, output 0.
(iv) Compute $t^* := \mathrm{H}(C^*, \mathrm{ai}^*) \in \mathcal{T}$ and $\kappa^* := \Lambda_{a^* \cdot \mathrm{hk} + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$. Output $(\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp)$.

Denote the event that finalize outputs 1 by $\mathsf{Forge}$. According to the definition, $\mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE},\mathcal{A}}(\lambda) = \Pr_0[\mathsf{Forge}]$.

Game $\mathrm{G}_1$. It is identical to $\mathrm{G}_0$ except that the following rule is added to the procedure finalize by the challenger:

(i) If $\exists (C_\ell, \mathrm{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathrm{ai}_\ell) \neq (C^*, \mathrm{ai}^*)$, output 0.

Since $t_\ell = \mathrm{H}(C_\ell, \mathrm{ai}_\ell)$ and $t^* = \mathrm{H}(C^*, \mathrm{ai}^*)$, any difference between $\mathrm{G}_0$ and $\mathrm{G}_1$ implies a hash collision of $\mathrm{H}$. So $|\Pr_0[\mathsf{Forge}] - \Pr_1[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{cr}}_{\mathrm{H}}(\lambda)$.

Game $\mathrm{G}_{1,j}$, $j \in [Q_e + 1]$. It is identical to $\mathrm{G}_1$ except that for the first $j-1$ times of encrypt queries, that is, $\ell \in [j-1]$, the challenger chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$ uniformly for the AE scheme.

Clearly $\mathrm{G}_{1,1}$ is identical to $\mathrm{G}_1$, thus $\Pr_1[\mathsf{Forge}] = \Pr_{1,1}[\mathsf{Forge}]$.

Game $\mathrm{G}'_{1,j}$, $j \in [Q_e]$. It is identical to $\mathrm{G}_{1,j}$ except that for the $j$th encrypt query the challenger samples $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$ lies in the distribution of $C_j$. In game $\mathrm{G}_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $\mathrm{G}'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS. We emphasize that the PPT adversary (simulator) is able to check the occurrence of $\mathsf{Forge}$ in an efficient way, because the key $\mathrm{hk}$ can be chosen by the simulator itself. Consequently, the difference between $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$ can be reduced to the subset membership problem smoothly.
Lemma 17. For all $j \in [Q_e]$, $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.

Proof. To bound the difference between $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$, we build an efficient adversary $\mathcal{B}$ solving the subset membership problem. Given $(\mathrm{pars}_{\mathrm{THPS}}, C)$ where $\mathrm{pars}_{\mathrm{THPS}} \leftarrow_\$ \mathrm{THPS.Setup}(1^\lambda)$, $\mathcal{B}$ aims to distinguish $C \leftarrow_\$ \mathcal{V}$ from $C \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$.

$\mathcal{B}$ simulates $\mathrm{G}_{1,j}$ or $\mathrm{G}'_{1,j}$ for $\mathcal{A}$. Firstly, $\mathcal{B}$ invokes $\mathrm{pars}_{\mathrm{AE}} \leftarrow_\$ \mathrm{AE.ParGen}(1^\lambda)$, picks $\mathrm{H} \leftarrow_\$ \mathcal{H}$ randomly, and sends $\mathrm{pars}_{\mathrm{AIAE}} := (\mathrm{pars}_{\mathrm{THPS}}, \mathrm{pars}_{\mathrm{AE}}, \mathrm{H})$ to $\mathcal{A}$. Next, $\mathcal{B}$ chooses $\mathrm{hk} \leftarrow_\$ \mathcal{HK}$.

As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathrm{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$ randomly, and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathrm{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathrm{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ embeds its own challenge $C$ into $C_j$, that is, $C_j := C$. Then it computes $t_j := \mathrm{H}(C_j, \mathrm{ai}_j)$ and $\kappa_j := \Lambda_{a_j \cdot \mathrm{hk} + \mathbf{b}_j}(C_j, t_j)$, and invokes $\chi_j \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_j, m_j)$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathrm{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathrm{ai}_\ell, f_\ell)$ into $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathrm{ai}_\ell, t_\ell)$ into $\mathcal{Q}_{\mathrm{TAG}}$.

Obviously, $\mathcal{B}$ simulates $\mathrm{G}_{1,j}$ in the case of $C \leftarrow_\$ \mathcal{V}$ and simulates $\mathrm{G}'_{1,j}$ in the case of $C \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. Then $\mathcal{B}$ decides whether finalize outputs 1 or not with the help of $\mathrm{hk}$:

(i) If $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ outputs 0 (to its own challenger).
(ii) If $\exists (\mathrm{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai}_\ell = \mathrm{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ outputs 0.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ outputs 0.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathrm{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathrm{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathrm{ai}_\ell) \neq (C^*, \mathrm{ai}^*)$, $\mathcal{B}$ outputs 0.
(vi) $\mathcal{B}$ computes $\kappa^* := \Lambda_{a^* \cdot \mathrm{hk} + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$ and outputs $(\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp)$.

With the help of $\mathrm{hk}$, $\mathcal{B}$ is able to perfectly simulate finalize just like that in both $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$. Moreover, $\mathcal{B}$ outputs 1 to its own challenger if and only if the event $\mathsf{Forge}$ occurs.

As a result, we have that $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS},\mathcal{B}}(\lambda)$.
Game $\mathrm{G}''_{1,j}$, $j \in [Q_e]$. It is identical to $\mathrm{G}'_{1,j}$ except that for the $j$th encrypt query the challenger chooses $\kappa_j \leftarrow_\$ \mathcal{K}$ randomly.

Lemma 18. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Forge}] \le \Pr_{1,j''}[\mathsf{Forge}] + \mathrm{Adv}^{\text{int-ot}}_{\mathrm{AE}}(\lambda)$.

Proof. For game $\mathrm{G}'_{1,j}$ and game $\mathrm{G}''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$th encrypt query. In $\mathrm{G}'_{1,j}$, $\kappa_j$ is properly computed; in $\mathrm{G}''_{1,j}$, $\kappa_j$ is chosen from $\mathcal{K}$ uniformly.

We consider the information about the key $\mathrm{hk}$ that is used in $\mathrm{G}'_{1,j}$:

(i) For the $\ell$th ($\ell \in [j-1]$) query, encrypt does not use $\mathrm{hk}$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$th ($\ell \in [j+1, Q_e]$) query, similar to the proof of Lemma 16, encrypt can use $\mathrm{pk} = \mu(\mathrm{hk})$ to compute $\kappa_\ell$.
(iii) For the $j$th query, similar to the proof of Lemma 16, encrypt uses $\Lambda_{\mathrm{hk}}(C_j, t_j)$ to compute $\kappa_j$:
$$\begin{aligned} \kappa_j &= \Lambda_{a_j \cdot \mathrm{hk} + \mathbf{b}_j}(C_j, t_j), \quad C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V} \\ &= (\Lambda_{\mathrm{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) && \text{via key-homomorphism} \end{aligned} \tag{18}$$
(iv) The finalize procedure, which defines the event $\mathsf{Forge}$, uses $\Lambda_{\mathrm{hk}}(C^*, t^*)$ to compute $\kappa^*$:
$$\begin{aligned} \kappa^* &= \Lambda_{a^* \cdot \mathrm{hk} + \mathbf{b}^*}(C^*, t^*) \\ &= (\Lambda_{\mathrm{hk}}(C^*, t^*))^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) && \text{via key-homomorphism} \end{aligned} \tag{19}$$

We divide the event $\mathsf{Forge}$ into the following two subevents.

(i) Subevent $\mathsf{Forge} \wedge t_j \neq t^*$. Let us first consider the event $t_j \neq t^*$. We show that
$$\Pr_{1,j'}[t_j \neq t^*] = \Pr_{1,j''}[t_j \neq t^*]. \tag{20}$$
By the fact that $C_j \in \mathcal{C} \setminus \mathcal{V}$ and by the $\mathsf{universal}_2$ property of THPS, $\Lambda_{\mathrm{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$. Then as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{\mathrm{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also randomly distributed over $\mathcal{K}$. Hence $\mathrm{G}'_{1,j}$ is the same as $\mathrm{G}''_{1,j}$ before $\mathcal{A}$ queries finalize, and consequently $t_j \neq t^*$ occurs with the same probability in $\mathrm{G}'_{1,j}$ and $\mathrm{G}''_{1,j}$.

Next we consider the event $\mathsf{Forge}$ conditioned on $t_j \neq t^*$. We show that
$$\Pr_{1,j'}[\mathsf{Forge} \mid t_j \neq t^*] = \Pr_{1,j''}[\mathsf{Forge} \mid t_j \neq t^*]. \tag{21}$$
Since $t_j \neq t^*$ and $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the $\mathsf{universal}_2$ property of THPS, $\Lambda_{\mathrm{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C^*, t^*)$. With a similar argument, $\kappa_j$ is also randomly distributed over $\mathcal{K}$. Hence $\mathrm{G}'_{1,j}$ is the same as $\mathrm{G}''_{1,j}$ when $t_j \neq t^*$, and consequently the probability that $\mathsf{Forge}$ occurs in $\mathrm{G}'_{1,j}$ and $\mathrm{G}''_{1,j}$ conditioned on $t_j \neq t^*$ is the same.

In conclusion, we have that
$$\Pr_{1,j'}[\mathsf{Forge} \wedge t_j \neq t^*] = \Pr_{1,j''}[\mathsf{Forge} \wedge t_j \neq t^*] \le \Pr_{1,j''}[\mathsf{Forge}]. \tag{22}$$

(ii) Subevent $\mathsf{Forge} \wedge t_j = t^*$. By the new rule added in game $\mathrm{G}_1$, $\mathsf{Forge} \wedge t_j = t^*$ will imply $(C_j, \mathrm{ai}_j) = (C^*, \mathrm{ai}^*)$. In addition, $\mathsf{Forge} \wedge \mathrm{ai}_j = \mathrm{ai}^*$ will imply that $f_j = f^*$, due to the special rule in the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game (see Figure 4). Then it is straightforward to check that $\Lambda_{\mathrm{hk}}(C_j, t_j) = \Lambda_{\mathrm{hk}}(C^*, t^*)$ and
$$\kappa_j = (\Lambda_{\mathrm{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) = (\Lambda_{\mathrm{hk}}(C^*, t^*))^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) = \kappa^*. \tag{23}$$
Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the $\mathsf{universal}_2$ property of THPS, $\Lambda_{\mathrm{hk}}(C_j, t_j)$ ($= \Lambda_{\mathrm{hk}}(C^*, t^*)$) is uniformly distributed over $\mathcal{K}$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$. Then as long as $a_j$ (which equals $a^*$) $\in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j$ (which equals $\kappa^*$) is also randomly distributed over $\mathcal{K}$. Also, in this subevent $(\mathrm{ai}^*, f^*, C^*) = (\mathrm{ai}_j, f_j, C_j)$ implies $\chi^* \neq \chi_j$, thus the probability of $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ is bounded by $\mathrm{Adv}^{\text{int-ot}}_{\mathrm{AE}}(\lambda)$. So we have the following claim. We present the full description of the reduction in Appendix A.

Claim 19. One has $\Pr_{1,j'}[\mathsf{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\text{int-ot}}_{\mathrm{AE}}(\lambda)$.

Combining the above two subevents together, Lemma 18 follows.

Now we show that game $\mathrm{G}''_{1,j}$ is computationally indistinguishable from game $\mathrm{G}_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $\mathrm{G}''_{1,j}$ and $\mathrm{G}_{1,j+1}$ lies in the distribution of $C_j$ in the $j$th encrypt query. In game $\mathrm{G}''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $\mathrm{G}_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Similar to Lemma 17, any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS, thus we have that $|\Pr_{1,j''}[\mathsf{Forge}] - \Pr_{1,j+1}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.

Finally, in game $\mathrm{G}_{1,Q_e+1}$, note that the challenger does not use $\mathrm{hk}$ to compute $\kappa_\ell$ at all, thus $\mathrm{hk}$ is uniformly random to $\mathcal{A}$. Consequently, in the finalize procedure we have
$$\kappa^* = (\Lambda_{\mathrm{hk}}(C^*, t^*))^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*). \tag{24}$$
By the extracting property of THPS, $\Lambda_{\mathrm{hk}}(C^*, t^*)$ is uniformly random over $\mathcal{K}$. Therefore, as long as $a^* \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa^*$ is uniformly random over $\mathcal{K}$ as well. Hence the probability of $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ is bounded by $\mathrm{Adv}^{\text{int-ot}}_{\mathrm{AE}}(\lambda)$, and we have $\Pr_{1,Q_e+1}[\mathsf{Forge}] \le \mathrm{Adv}^{\text{int-ot}}_{\mathrm{AE}}(\lambda)$.

In all, we proved the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security).
Remark 20. We emphasize that the special rule in the weak-INT-$\mathcal{F}$-RKA game (cf. Figure 4) plays an essential role in proving Lemma 18. Below is the reason.

Without this special rule, the adversary is allowed to submit $f^*$ ($= \langle a^*, \mathbf{b}^* \rangle$) which is different from $f_j$ ($= \langle a_j, \mathbf{b}_j \rangle$) even if $\mathrm{ai}^* = \mathrm{ai}_j$ holds. In this case, we cannot expect to employ the INT-OT security of the underlying AE scheme to show that the second subevent ($\mathsf{Forge} \wedge t_j = t^*$) occurs with only a negligible probability. To demonstrate the problem clearly, suppose that the adversary $\mathcal{A}$ submits $f_j = \langle a_j, \mathbf{b}_j \rangle$ in the $j$th encrypt query and submits $f^* = \langle a^*, \mathbf{b}^* \rangle = \langle a_j, \mathbf{b}_j + \Delta \rangle$ in the finalize procedure, where $\Delta$ is a constant. Then we have
$$\begin{aligned} \kappa^* &= (\Lambda_{\mathrm{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j + \Delta}(C_j, t_j) \\ &= (\Lambda_{\mathrm{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \cdot \Lambda_{\Delta}(C_j, t_j) \\ &= \kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \end{aligned} \tag{25}$$
where the second equality follows from the key-homomorphism of THPS. Thus $\kappa^*$ and $\kappa_j$ are closely related but may not be equal; in particular, the quotient $\kappa^*/\kappa_j$ ($= \Lambda_\Delta(C_j, t_j)$) is a constant.

Consequently, it is hard for us to show that the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs with a negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary $\mathcal{A}$, who obtains $\chi_j \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_j, m_j)$ in the $j$th encrypt query, to generate an AE-ciphertext $\chi^*$ satisfying $\mathrm{AE.Decrypt}(\kappa^*, \chi^*)$ ($= \mathrm{AE.Decrypt}(\kappa_j \cdot \Lambda_\Delta(C_j, t_j), \chi^*)$) $\neq \perp$, it seems that INT-RKA security of AE is required to some extent. We definitely cannot require INT-RKA security for the underlying AE scheme, since we are constructing a (weak) INT-RKA secure (AI)AE scheme AIAE. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT-$\mathcal{F}$-RKA game.
3.3. Tag-Based HPS from the DDH Assumption. Qin et al. [19] gave a construction of tag-based HPS from the $d$-LIN assumption. Here we construct a key-homomorphic $\mathrm{THPS}_{\mathrm{DDH}}$ under the DDH assumption in Figure 6. With a routine check, the projective property of $\mathrm{THPS}_{\mathrm{DDH}}$ follows.

Theorem 21. $\mathrm{THPS}_{\mathrm{DDH}}$ in Figure 6 is $\mathsf{universal}_2$, extracting and key-homomorphic. Moreover, the subset membership problem related to $\mathrm{THPS}_{\mathrm{DDH}}$ is hard under the DDH assumption for $\mathrm{GenN}$ and $\mathbb{QR}_{\bar N}$.
[Figure 6: Construction of $\mathrm{THPS}_{\mathrm{DDH}}$; the algorithms as recoverable from the page.]
$\mathrm{THPS.Setup}(1^\lambda)$: $(p, q, N, \bar N) \leftarrow_\$ \mathrm{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$ and $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ \mathbb{QR}_{\bar N}$; output $\mathrm{pars}_{\mathrm{THPS}} = (N, p, q, \bar N, g_1, g_2)$, which implicitly defines $(\mathcal{HK}, \mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{PK}, \mathcal{T}, \Lambda_{(\cdot)}, \mu)$: $\mathcal{HK} = (\mathbb{Z}_N)^4$, $\mathcal{K} = \mathbb{QR}_{\bar N}$, $\mathcal{C} = \mathbb{QR}^2_{\bar N} \setminus \{(1, 1)\}$, $\mathcal{V} = \{(g_1^{w}, g_2^{w}) \mid w \in \mathbb{Z}_N \setminus \{0\}\}$, $\mathcal{PK} = \mathbb{QR}^2_{\bar N}$, $\mathcal{T} = \mathbb{Z}_N$. For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$, $C = (c_1, c_2) \in \mathcal{C}$ and $t \in \mathcal{T}$: $\Lambda_{\mathrm{hk}}(C, t) = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t} \in \mathcal{K}$. For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$: $\mathrm{pk} = \mu(\mathrm{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) \in \mathcal{PK}$.
$K \leftarrow \mathrm{THPS.Pub}(\mathrm{pk}, C, w, t)$: parse $\mathrm{pk} = (h_1, h_2) \in \mathcal{PK}$; output $K = h_1^{w} h_2^{wt}$.
$K \leftarrow \mathrm{THPS.Priv}(\mathrm{hk}, C, t)$: parse $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$ and $C = (c_1, c_2) \in \mathcal{C}$; output $K = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}$.
Figure 6: Construction of $\mathrm{THPS}_{\mathrm{DDH}}$.

Proof of Theorem 21. $\mathsf{Universal}_2$. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, $C' = (g_1^{w'_1}, g_2^{w'_2}) \in \mathcal{C} \setminus \mathcal{V}$, and $t, t' \in \mathcal{T}$ with $t \neq t'$. For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathrm{hk}}(C', t')$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C, t)$.
Denote $d := \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$. Firstly, $\mathrm{pk} = \mu(\mathrm{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + d k_2}, g_1^{k_3 + d k_4})$, which may leak the values of $k_1 + d k_2$ and $k_3 + d k_4$.

Next,
$$\Lambda_{\mathrm{hk}}(C, t) = (g_1^{w_1})^{k_1 + k_3 t} \cdot (g_2^{w_2})^{k_2 + k_4 t} = g_1^{X}, \quad X \triangleq (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4), \tag{26}$$
which may further leak the value of $X$. Similarly,
$$\Lambda_{\mathrm{hk}}(C', t') = (g_1^{w'_1})^{k_1 + k_3 t'} \cdot (g_2^{w'_2})^{k_2 + k_4 t'} = g_1^{Y}, \quad Y \triangleq (w'_1 k_1 + w'_2 d k_2) + t' \cdot (w'_1 k_3 + w'_2 d k_4). \tag{27}$$
By the fact that $C' = (g_1^{w'_1}, g_2^{w'_2}) \notin \mathcal{V}$, we have $w'_1 \neq w'_2$. Then as long as $t \neq t'$, $Y$ is independent of $k_1 + d k_2$, $k_3 + d k_4$ and $X$, and consequently $Y$ is uniformly distributed over $\mathbb{Z}_N$. Therefore, conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C, t)$, $\Lambda_{\mathrm{hk}}(C', t')$ ($= g_1^{Y}$) is randomly distributed over $\mathcal{K} = \mathbb{QR}_{\bar N}$.
Extracting. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$ and $t \in \mathcal{T}$. For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathrm{hk}}(C, t)$.

By (26), $\Lambda_{\mathrm{hk}}(C, t) = g_1^{X}$ with $X = (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)$. Since $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, we have $(w_1, w_2) \neq (0, 0)$. Then when $(k_1, k_2, k_3, k_4)$ is randomly chosen from $(\mathbb{Z}_N)^4$, $X$ is uniformly distributed over $\mathbb{Z}_N$. Consequently, $\Lambda_{\mathrm{hk}}(C, t)$ is randomly distributed over $\mathcal{K} = \mathbb{QR}_{\bar N}$.
Key-Homomorphism. For all $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$, all $a \in \mathbb{Z}$, all $\mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4$, all $C = (c_1, c_2) \in \mathcal{C}$ and all $t \in \mathcal{T}$, we have $a \cdot \mathrm{hk} + \mathbf{b} = a \cdot (k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) = (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4)$. Then it follows that
$$\begin{aligned} \Lambda_{a \cdot \mathrm{hk} + \mathbf{b}}(C, t) &= c_1^{(a k_1 + b_1) + (a k_3 + b_3) t} \cdot c_2^{(a k_2 + b_2) + (a k_4 + b_4) t} \\ &= \left( c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t} \right)^{a} \cdot \left( c_1^{b_1 + b_3 t} c_2^{b_2 + b_4 t} \right) \\ &= \Lambda_{\mathrm{hk}}(C, t)^{a} \cdot \Lambda_{\mathbf{b}}(C, t). \end{aligned} \tag{28}$$
Subset Membership Problem. The subset membership problem related to $\mathrm{THPS}_{\mathrm{DDH}}$ requires that $(\mathrm{pars}_{\mathrm{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C = (g_1^{w}, g_2^{w}))$ is computationally indistinguishable from $(\mathrm{pars}_{\mathrm{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C' = (g_1^{w_1}, g_2^{w_2}))$, where $C \leftarrow_\$ \mathcal{V}$ and $C' \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$. It trivially holds under the DDH assumption for $\mathrm{GenN}$ and $\mathbb{QR}_{\bar N}$.
3.4. Instantiation $\mathrm{AIAE}_{\mathrm{DDH}}$ from DDH-Based $\mathrm{THPS}_{\mathrm{DDH}}$ and OT-Secure AE. When plugging the $\mathrm{THPS}_{\mathrm{DDH}}$ (cf. Figure 6) into the paradigm in Figure 5, we immediately obtain an AIAE scheme $\mathrm{AIAE}_{\mathrm{DDH}}$ under the DDH assumption, as shown in Figure 7. The key space is $\mathcal{K}_{\mathrm{AIAE}} = (\mathbb{Z}_N)^4$.

By combining Theorem 15 with Theorem 21, we have the following corollary regarding the RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$.
Corollary 22. If (i) the DDH assumption holds for $\mathrm{GenN}$ and $\mathbb{QR}_{\bar N}$, (ii) AE is one-time secure, and (iii) $\mathrm{H}$ is collision-resistant, then the scheme $\mathrm{AIAE}_{\mathrm{DDH}}$ in Figure 7 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here $\mathcal{F}_{\mathrm{raff}} := \{ f_{(a,\mathbf{b})} : (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4 \mapsto (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4) \in (\mathbb{Z}_N)^4 \mid a \in \mathbb{Z}^*_N,\ \mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4 \}$.

[Figure 7: Construction of $\mathrm{AIAE}_{\mathrm{DDH}}$ from AE and $\mathrm{THPS}_{\mathrm{DDH}}$; the algorithms as recoverable from the page.]
$\mathrm{AIAE.ParGen}(1^\lambda)$: $(p, q, N, \bar N) \leftarrow_\$ \mathrm{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$ and $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ \mathbb{QR}_{\bar N}$; $\mathrm{pars}_{\mathrm{AE}} \leftarrow_\$ \mathrm{AE.ParGen}(1^\lambda)$; $\mathrm{H} \leftarrow_\$ \mathcal{H}$; output $\mathrm{pars}_{\mathrm{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathrm{pars}_{\mathrm{AE}}, \mathrm{H})$.
$\mathrm{AIAE.Encrypt}(\mathbf{k}, m, \mathrm{ai})$: parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$; $w \leftarrow_\$ \mathbb{Z}_N$; $(c_1, c_2) := (g_1^{w}, g_2^{w}) \in \mathbb{QR}^2_{\bar N}$; $t := \mathrm{H}(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$; $\kappa := c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathbb{QR}_{\bar N}$; $\chi \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa, m)$; output $\langle c_1, c_2, \chi \rangle$.
$\mathrm{AIAE.Decrypt}(\mathbf{k}, \langle c_1, c_2, \chi \rangle, \mathrm{ai})$: parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$; if $(c_1, c_2) \notin \mathbb{QR}^2_{\bar N}$ or $(c_1, c_2) = (1, 1)$, output $\perp$; $t := \mathrm{H}(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$; $\kappa := c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathbb{QR}_{\bar N}$; output $\mathrm{AE.Decrypt}(\kappa, \chi)$.
Figure 7: Construction of $\mathrm{AIAE}_{\mathrm{DDH}}$ from AE and $\mathrm{THPS}_{\mathrm{DDH}}$.

Remark 23. Our $\mathrm{AIAE}_{\mathrm{DDH}}$ enjoys the following property: $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$ will be randomly distributed over $\mathbb{QR}_{\bar N}$ as long as any element $k_j$ in $\mathbf{k} = (k_1, k_2, k_3, k_4)$ is uniformly chosen. As a result, the one-time security of AE will guarantee that $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) \neq \perp$ holds for any $(\mathrm{aiaec}, \mathrm{ai})$ except with probability $\mathrm{Adv}^{\text{int-ot}}_{\mathrm{AE}}(\lambda) \le \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. This fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.
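The $\Lambda_{\mathrm{hk}}$ evaluation of $\mathrm{THPS}_{\mathrm{DDH}}$ (Figure 6) with its key-homomorphism (28), and the $\mathrm{AIAE}_{\mathrm{DDH}}$ algorithms of Figure 7, as an added Python model that is not the authors' code. It assumes toy parameters (primes $p, q$ with $2pq + 1$ prime found by search, without the safe-prime requirement of GenN), a hash-based stand-in for the one-time AE, SHA-256 reduced into $\mathbb{Z}_N$ as $\mathrm{H}$, and sampling $C$ from $\mathcal{V}$ with $w \neq 0$ as in Figure 6; every name in it (`ThpsDDH`, `aiae_encrypt`, `demo`, ...) is the example's own.

```python
import hashlib
import hmac
import random

# Added example, not the paper's code. Tiny constructed parameters: primes p, q with
# N = p*q and Nbar = 2N + 1 prime, so QR_Nbar is a group of order N (the safe-prime
# requirement of GenN matters for the DCR-based PKE of Section 4, not for this THPS).

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def gen_n(lo=30000, hi=30300):  # GenN stand-in: primes lo <= p < q < hi with 2pq + 1 prime
    primes = [p for p in range(lo, hi) if is_prime(p)]
    for i, p in enumerate(primes):
        for q in primes[i + 1:]:
            if is_prime(2 * p * q + 1):
                return p, q, p * q, 2 * p * q + 1
    raise ValueError("no suitable prime pair in range")

class ThpsDDH:  # THPS_DDH of Figure 6: HK = (Z_N)^4, T = Z_N, K = QR_Nbar
    def __init__(self, rng):
        self.p, self.q, self.N, self.Nbar = gen_n()
        self.g1, self.g2 = self._gen(rng), self._gen(rng)

    def _gen(self, rng):  # simplification: QR elements of full order N, so V is cyclic
        while True:
            g = pow(rng.randrange(2, self.Nbar), 2, self.Nbar)
            if pow(g, self.p, self.Nbar) != 1 and pow(g, self.q, self.Nbar) != 1:
                return g

    def in_c(self, C):  # C = QR_Nbar^2 \ {(1, 1)}; x is a QR iff x^N = 1 mod Nbar
        return C != (1, 1) and all(pow(c, self.N, self.Nbar) == 1 for c in C)

    def sample_v(self, rng):  # C = (g1^w, g2^w) in V with witness w in Z_N \ {0}
        w = rng.randrange(1, self.N)
        return (pow(self.g1, w, self.Nbar), pow(self.g2, w, self.Nbar)), w

    def keygen(self, rng):  # hk <- (Z_N)^4
        return tuple(rng.randrange(self.N) for _ in range(4))

    def lam(self, hk, C, t):  # Lambda_hk(C, t) = c1^(k1 + k3 t) * c2^(k2 + k4 t)
        k1, k2, k3, k4 = hk
        return pow(C[0], k1 + k3 * t, self.Nbar) * pow(C[1], k2 + k4 * t, self.Nbar) % self.Nbar

    def affine_key(self, a, hk, b):  # f_(a,b)(hk) = a*hk + b over (Z_N)^4
        return tuple((a * k + bi) % self.N for k, bi in zip(hk, b))

def _stream(key, n):  # hash-derived keystream for the toy one-time AE below
    return b"".join(hashlib.sha256(key + b"enc" + bytes([i])).digest() for i in range((n + 31) // 32))[:n]

def ae_encrypt(kappa, m):  # one-time AE stand-in (XOR keystream, then HMAC tag); not the paper's AE
    key = hashlib.sha256(b"ae-key|" + str(kappa).encode()).digest()
    ct = bytes(x ^ y for x, y in zip(m, _stream(key, len(m))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def ae_decrypt(kappa, chi):
    key = hashlib.sha256(b"ae-key|" + str(kappa).encode()).digest()
    ct, tag = chi[:-32], chi[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # the AE's "bottom"
    return bytes(x ^ y for x, y in zip(ct, _stream(key, len(ct))))

def aiae_hash(thps, C, ai):  # t = H(c1, c2, ai) in Z_N: binds ai to the ciphertext
    d = hashlib.sha256(f"{C[0]}|{C[1]}|".encode() + ai).digest()
    return int.from_bytes(d, "big") % thps.N

def aiae_encrypt(thps, k, m, ai, rng):  # AIAE.Encrypt of Figure 7
    C, _ = thps.sample_v(rng)  # witness unused: kappa is computed from the key k
    return C, ae_encrypt(thps.lam(k, C, aiae_hash(thps, C, ai)), m)

def aiae_decrypt(thps, k, aiaec, ai):  # AIAE.Decrypt of Figure 7
    C, chi = aiaec
    if not thps.in_c(C):
        return None
    return ae_decrypt(thps.lam(k, C, aiae_hash(thps, C, ai)), chi)

def demo(seed=2017):  # key-homomorphism (28) and AIAE_DDH round trips / rejections
    rng = random.Random(seed)
    thps = ThpsDDH(rng)
    hk, b = thps.keygen(rng), thps.keygen(rng)
    a = rng.randrange(1, thps.N)  # the RKA proofs additionally need a in Z_N^*
    fk = thps.affine_key(a, hk, b)  # related key f_(a,b)(hk), as in the encrypt oracle
    C, _ = thps.sample_v(rng)
    t = rng.randrange(thps.N)
    m, ai = b"key-dependent payload", b"auxiliary input"
    ct = aiae_encrypt(thps, hk, m, ai, rng)
    bad = (ct[0], ct[1][:-1] + bytes([ct[1][-1] ^ 1]))  # one tag bit flipped
    return {
        "key_homomorphic": thps.lam(fk, C, t)
        == pow(thps.lam(hk, C, t), a, thps.Nbar) * thps.lam(b, C, t) % thps.Nbar,
        "roundtrip": aiae_decrypt(thps, hk, ct, ai) == m,
        "related_key_roundtrip": aiae_decrypt(thps, fk, aiae_encrypt(thps, fk, m, ai, rng), ai) == m,
        "wrong_ai_rejected": aiae_decrypt(thps, hk, ct, b"other ai") is None,
        "tampered_rejected": aiae_decrypt(thps, hk, bad, ai) is None,
        "invalid_c_rejected": aiae_decrypt(thps, hk, ((1, 1), ct[1]), ai) is None,
    }
```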
4. PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security
Denote by $\mathrm{AIAE}_{\mathrm{DDH}} = (\mathrm{AIAE.ParGen}, \mathrm{AIAE.Encrypt}, \mathrm{AIAE.Decrypt})$ the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^4$. We need two other building blocks following the approach in Figure 1:

(i) KEM: to be compatible with this $\mathrm{AIAE}_{\mathrm{DDH}}$, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
(ii) $\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$ so that, after a computationally indistinguishable change, $\mathcal{E}.\mathrm{Encrypt}$ can serve as an entropy filter for the affine function set.

The proposed PKE scheme $\mathrm{PKE} = (\mathrm{ParGen}, \mathrm{KeyGen}, \mathrm{Encrypt}, \mathrm{Decrypt})$ is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.

The correctness of PKE is guaranteed by the correctness of $\mathrm{AIAE}_{\mathrm{DDH}}$, $\mathcal{E}$ and KEM.
Theorem 24. If (i) the DCR assumption holds for $\mathrm{GenN}$ and $\mathbb{QR}_{N^s}$, (ii) $\mathrm{AIAE}_{\mathrm{DDH}}$ is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for $\mathrm{GenN}$ and $\mathbb{SCR}_{N^s}$, then the proposed scheme PKE in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.

Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary who is against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, querying the encrypt oracle for at most $Q_e$ times and the decrypt oracle for at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.
In the proof, $\mathrm{G}_1$-$\mathrm{G}_2$ deal with the $n$-user case; $\mathrm{G}_3$-$\mathrm{G}_4$ are used to eliminate the utilization of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^{4}$ in the encrypt oracle; the aim of $\mathrm{G}_5$-$\mathrm{G}_6$ is to use $(x_j, y_j)_{j=1}^{4} \bmod N$ to hide a base key $\mathbf{k}^* = (k^*_1, \ldots, k^*_4)$ of $\mathrm{AIAE}_{\mathrm{DDH}}$ in the encrypt oracle; $\mathrm{G}_7$-$\mathrm{G}_8$ are used to eliminate the utilization of $(x_j, y_j)_{j=1}^{4} \bmod N$ in the decrypt oracle; in $\mathrm{G}_9$-$\mathrm{G}_{10}$, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$ leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^* = (k^*_1, \ldots, k^*_4)$ is now perfectly concealed by $(x_j, y_j)_{j=1}^{4} \bmod N$.
Game $\mathrm{G}_0$. It is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta' = \beta$ by $\mathsf{Succ}$. According to the definition, $\mathrm{Adv}^{\text{kdm-cca}}_{\mathrm{PKE},\mathcal{A}}(\lambda) = |\Pr_0[\mathsf{Succ}] - 1/2|$.

For the $i$th user, $i \in [n]$, let $\mathrm{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ and $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key respectively.

Game $\mathrm{G}_1$. It is identical to $\mathrm{G}_0$ except for the way of answering the decrypt query $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$. More precisely, the challenger outputs $\perp$ if $\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$, where $\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ is the challenge ciphertext of the $\ell$th encrypt oracle query $(f_\ell, i_\ell)$.

Case 1 ($(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i) = (\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle, i_\ell)$). decrypt will output $\perp$ in $\mathrm{G}_0$, since $(\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle, i_\ell) \in \mathcal{Q}_{\mathrm{ENC}}$ is prohibited by decrypt.

Case 2 ($\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ but $i \neq i_\ell$). We show that in $\mathrm{G}_0$, decrypt will output $\perp$ due to $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathbb{RU}_{N^2}$ with overwhelming probability. Recall that $u_{\ell,1} = g_1^{r_\ell}$, $u_{\ell,2} = g_2^{r_\ell}$ and $e_{\ell,1} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}}$, so
$$e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}} \cdot (g_1^{r_\ell})^{x_{i,1}} (g_2^{r_\ell})^{y_{i,1}} = (h_{i_\ell,1} h_{i,1}^{-1})^{r_\ell} T^{k_{\ell,1}} \bmod N^2, \tag{29}$$
where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$th user and the $i$th user respectively, and are uniformly random over $\mathbb{SCR}_{N^s}$.
[Figure 8: Construction of PKE from $\mathrm{AIAE}_{\mathrm{DDH}}$; the algorithms as recoverable from the page. The shadowed parts in the original figure highlight the algorithms of KEM and $\mathcal{E}$.]
$\mathrm{ParGen}(1^\lambda)$: $\mathrm{pars}_{\mathrm{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathrm{pars}_{\mathrm{AE}}, \mathrm{H}) \leftarrow_\$ \mathrm{AIAE.ParGen}(1^\lambda)$, where $N = pq$, $\bar N = 2N + 1$, $g_1, g_2 \in \mathbb{QR}_{\bar N}$; $\mathrm{pars}'_{\mathrm{AIAE}} := (N, \bar N, g_1, g_2, \mathrm{pars}_{\mathrm{AE}}, \mathrm{H})$; $g_1, g_2, g_3, g_4, g_5 \leftarrow_\$ \mathbb{SCR}_{N^s}$; output $\mathrm{pars} = (\mathrm{pars}'_{\mathrm{AIAE}}, g_1, g_2, g_3, g_4, g_5)$.
$(\mathrm{pk}, \mathrm{sk}) \leftarrow \mathrm{KeyGen}(\mathrm{pars})$: $x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4 \leftarrow_\$ [\lfloor N^2/4 \rfloor]$; $(h_1, h_2, h_3, h_4) := (g_1^{-x_1} g_2^{-y_1}, g_2^{-x_2} g_3^{-y_2}, g_3^{-x_3} g_4^{-y_3}, g_4^{-x_4} g_5^{-y_4}) \bmod N^s$; $\mathrm{pk} := (h_1, h_2, h_3, h_4)$, $\mathrm{sk} := (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4)$; output $(\mathrm{pk}, \mathrm{sk})$.
$\langle \mathrm{ai}, \mathrm{aiaec} \rangle \leftarrow \mathrm{Encrypt}(\mathrm{pk}, m)$, $m \in [N^{s-1}]$:
$(\mathbf{k}, \mathrm{ai}) \leftarrow \mathrm{KEM.Encrypt}(\mathrm{pk})$: $\mathbf{k} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$; $r \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_1, u_2, u_3, u_4, u_5) := (g_1^{r}, g_2^{r}, g_3^{r}, g_4^{r}, g_5^{r}) \bmod N^2$; $(e_1, e_2, e_3, e_4) := (h_1^{r} T^{k_1}, h_2^{r} T^{k_2}, h_3^{r} T^{k_3}, h_4^{r} T^{k_4}) \bmod N^2$; $\mathrm{ai} := (u_1, \ldots, u_5, e_1, \ldots, e_4)$.
$\mathcal{E}c \leftarrow \mathcal{E}.\mathrm{Encrypt}(\mathrm{pk}, m)$: $r_1, r_2, r_3, r_4 \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_1, \ldots, u_8) := (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$; $e := h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^{m} \bmod N^s$; $t := g_1^{m} \bmod \bar N$; $\mathcal{E}c := (u_1, \ldots, u_8, e, t)$.
$\mathrm{aiaec} \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}, \mathcal{E}c, \mathrm{ai})$; output $\langle \mathrm{ai}, \mathrm{aiaec} \rangle$.
$m/\perp \leftarrow \mathrm{Decrypt}(\mathrm{sk}, \langle \mathrm{ai}, \mathrm{aiaec} \rangle)$:
$\mathbf{k}/\perp \leftarrow \mathrm{KEM.Decrypt}(\mathrm{sk}, \mathrm{ai})$: parse $\mathrm{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$; if $e_1 u_1^{x_1} u_2^{y_1}, e_2 u_2^{x_2} u_3^{y_2}, e_3 u_3^{x_3} u_4^{y_3}, e_4 u_4^{x_4} u_5^{y_4} \in \mathbb{RU}_{N^2}$: $(k_1, k_2, k_3, k_4) := (\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}), \mathrm{dlog}_T(e_2 u_2^{x_2} u_3^{y_2}), \mathrm{dlog}_T(e_3 u_3^{x_3} u_4^{y_3}), \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})) \bmod N$, $\mathbf{k} := (k_1, k_2, k_3, k_4)$; else output $\perp$.
$\mathcal{E}c/\perp \leftarrow \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai})$.
$m/\perp \leftarrow \mathcal{E}.\mathrm{Decrypt}(\mathrm{sk}, \mathcal{E}c)$: parse $\mathcal{E}c = (u_1, \ldots, u_8, e, t)$; if $e u_1^{x_1} u_2^{y_1} u_3^{x_2} u_4^{y_2} u_5^{x_3} u_6^{y_3} u_7^{x_4} u_8^{y_4} \in \mathbb{RU}_{N^s}$: $m := \mathrm{dlog}_T(e u_1^{x_1} u_2^{y_1} u_3^{x_2} u_4^{y_2} u_5^{x_3} u_6^{y_3} u_7^{x_4} u_8^{y_4}) \bmod N^{s-1}$; if $t = g_1^{m} \bmod \bar N$ output $m$, else output $\perp$; else output $\perp$.
Figure 8: Construction of PKE from $\mathrm{AIAE}_{\mathrm{DDH}}$. The shadowed parts highlight the algorithms of KEM and $\mathcal{E}$. Here $p, q$ in $\mathrm{pars}_{\mathrm{AIAE}}$ are not provided in $\mathrm{pars}'_{\mathrm{AIAE}}$, since they are not used in $\mathrm{AIAE.Encrypt}$ and $\mathrm{AIAE.Decrypt}$ of $\mathrm{AIAE}_{\mathrm{DDH}}$.
So $h_{i_\ell,1} h_{i,1}^{-1} \neq 1$, hence $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.
Thus G0 and G1 are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$ according to the union bound, and $|\Pr_0[\mathrm{Succ}] - \Pr_1[\mathrm{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Game G2. It is identical to G1 except the way the challenger samples the secret keys $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game G2 the challenger first chooses $(x_1, y_1, \dots, x_4, y_4)$ and $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$; next it computes $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) := (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.
Obviously the secret keys $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence G2 is identical to G1 and $\Pr_1[\mathrm{Succ}] = \Pr_2[\mathrm{Succ}]$.
Game G3. It is identical to G2 except the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G3, instead of using the public key $\mathrm{pk}_{i_\ell} = (h_{i_\ell,1}, \dots, h_{i_\ell,4})$, the challenger uses the secret key $\mathrm{sk}_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \dots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell,1}, \dots, e_{\ell,4})$ and $e_\ell$ in the following way:
(i)
\[
(e_{\ell,1}, \dots, e_{\ell,4}) := \big(u_{\ell,1}^{-x_{i_\ell,1}}\, u_{\ell,2}^{-y_{i_\ell,1}}\, T^{k_{\ell,1}},\ \dots,\ u_{\ell,4}^{-x_{i_\ell,4}}\, u_{\ell,5}^{-y_{i_\ell,4}}\, T^{k_{\ell,4}}\big) \bmod N^2, \tag{30}
\]
(ii)
\[
e_\ell := \tilde u_{\ell,1}^{-x_{i_\ell,1}}\, \tilde u_{\ell,2}^{-y_{i_\ell,1}}\, \tilde u_{\ell,3}^{-x_{i_\ell,2}}\, \tilde u_{\ell,4}^{-y_{i_\ell,2}}\, \tilde u_{\ell,5}^{-x_{i_\ell,3}}\, \tilde u_{\ell,6}^{-y_{i_\ell,3}}\, \tilde u_{\ell,7}^{-x_{i_\ell,4}}\, \tilde u_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_\beta} \bmod N^s. \tag{31}
\]
Note that for $j \in [4]$,
\[
e_{\ell,j} \overset{\mathrm{G}_2}{=} h_{i_\ell,j}^{r_\ell}\, T^{k_{\ell,j}}
= \big(g_j^{-x_{i_\ell,j}}\, g_{j+1}^{-y_{i_\ell,j}}\big)^{r_\ell}\, T^{k_{\ell,j}}
\overset{\mathrm{G}_3}{=} u_{\ell,j}^{-x_{i_\ell,j}}\, u_{\ell,j+1}^{-y_{i_\ell,j}}\, T^{k_{\ell,j}} \bmod N^2,
\]
\[
\begin{aligned}
e_\ell &\overset{\mathrm{G}_2}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}}\, T^{m_\beta}
= \big(g_1^{-x_{i_\ell,1}}\, g_2^{-y_{i_\ell,1}}\big)^{r_{\ell,1}} \cdots \big(g_4^{-x_{i_\ell,4}}\, g_5^{-y_{i_\ell,4}}\big)^{r_{\ell,4}}\, T^{m_\beta} \\
&\overset{\mathrm{G}_3}{=} \tilde u_{\ell,1}^{-x_{i_\ell,1}}\, \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}}\, \tilde u_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_\beta} \bmod N^s.
\end{aligned} \tag{32}
\]
Thus G3 is the same as G2 and $\Pr_2[\mathrm{Succ}] = \Pr_3[\mathrm{Succ}]$.

Table 2: Brief description of the security proof of Theorem 24. Each row gives the changes between adjacent games and the assumption (or relation) used.

G0: The original $n$-KDM-CCA security game. [—]
G1: decrypt: reject if $\langle \mathrm{ai}, \mathrm{aiae.c} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiae.c}_\ell \rangle$ for some $\ell \in [Q_e]$. [$\mathrm{G}_0 \approx_s \mathrm{G}_1$]
G2: initialize: sample secret keys with $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) = (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$. [$\mathrm{G}_1 = \mathrm{G}_2$]
G3: encrypt$(f_\ell, i_\ell)$: use the secret keys to run KEM.Encrypt and $\mathcal{E}$.Encrypt. [$\mathrm{G}_2 = \mathrm{G}_3$]
G4: encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of secret keys, $\mathcal{E}.c$ is computed with $(\tilde u_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \dots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \dots, g_5^{r_{\ell,4}})$; encrypt does not use $(x_j, y_j)_{j=1}^4 \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen. [$\mathrm{G}_3 \approx_c \mathrm{G}_4$ by $\mathrm{IV}_5$]
G5: encrypt$(f_\ell, i_\ell)$: kem.ct ($= \mathrm{ai}$) of KEM.Encrypt is computed with $(u_{\ell,j})_{j \in [5]} = \big((g_j^{r^*} T^{\alpha_j})^{r_\ell}\big)_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now KEM.Encrypt encapsulates the four keys $\big(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j})\big)_{j=1}^4 \bmod N$, but $(k_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. [$\mathrm{G}_4 \approx_c \mathrm{G}_5$ by $\mathrm{IV}_5$]
G6: encrypt$(f_\ell, i_\ell)$: sample $k_{\ell,j} := r_\ell k^*_j + s_{\ell,j}$ for $j \in [4]$. Now KEM.Encrypt encapsulates the four keys $\big(r_\ell (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell (\alpha_j \bar x_{i,j} + \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j}\big)_{j=1}^4$, but $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. [$\mathrm{G}_5 = \mathrm{G}_6$]
G7: decrypt: use $\phi(N)$ and the secret keys to answer decryption queries. [$\mathrm{G}_6 = \mathrm{G}_7$]
G8: decrypt: add an additional rejection rule. Reject if $\mathrm{Bad}' = (\exists u_j \notin \mathrm{SCR}_{N^2})$ or $\widetilde{\mathrm{Bad}} = (\forall u_j \in \mathrm{SCR}_{N^2}) \wedge (\exists \tilde u_j \notin \mathrm{SCR}_{N^s})$ happens. $\mathrm{Bad}'$ and $\widetilde{\mathrm{Bad}}$ can be detected by using $\phi(N)$. Now only the ($\bmod\ \phi(N)/4$) part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^4 \bmod N$ perfectly hides $(k^*_1, \dots, k^*_4)$ in encrypt, thus $(k^*_1, \dots, k^*_4)$ is uniform; $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. $\mathrm{Bad}'$ may lead to a fresh successful forgery for $\mathrm{AIAE}_{\mathrm{DDH}}$. [$\mathrm{G}_7 = \mathrm{G}_8$ if neither $\mathrm{Bad}'$ nor $\widetilde{\mathrm{Bad}}$ happens; $\Pr[\mathrm{Bad}'] = \mathrm{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$]
G9: initialize: sample an independent random tuple $(\hat k^*_1, \dots, \hat k^*_4)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell \hat k^*_j + s_{\ell,j})_{j=1}^4$ in AIAE.Encrypt. [$\mathrm{G}_8 = \mathrm{G}_9$ to the adversary]
G10: encrypt: encrypt zeros instead of the affine function of secret keys. $\widetilde{\mathrm{Bad}}$ happens with negligible probability since $t = g_1^m \bmod N$ in decrypt. Adversary $\mathcal{A}$ wins with probability $1/2$. [$\mathrm{G}_9 \approx_c \mathrm{G}_{10}$ by the IND-$\mathcal{F}_{\mathrm{aff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$; $\Pr[\widetilde{\mathrm{Bad}}] = \mathrm{negl}$]

Game G4. It is identical to G3 except the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G4, in the case of $\beta = 1$, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and $e_\ell$ are computed without the use of $(x_1, y_1, \dots, x_4, y_4) \bmod N$:
(i)
\[
(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8}) := \big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\big) \bmod N^s, \tag{33}
\]
(ii)
\[
e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}}\, T^{\sum_{i=1}^n \sum_{j=1}^4 \big(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\big) + c} \bmod N^s, \tag{34}
\]
where $f_\ell = \big((a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4})_{i \in [n]}, c\big) \in \mathcal{F}_{\mathrm{aff}}$. Note that
\[
\begin{aligned}
e_\ell &\overset{\mathrm{G}_4}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \big(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\big) + c} \\
&= \prod_{j=1}^4 \big(g_j^{-x_{i_\ell,j}}\, g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^n \sum_{j=1}^4 \big(a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j}\big)} \\
&= \prod_{j=1}^4 \big(g_j^{r_{\ell,j}} T^{\sum_{i=1}^n a_{i,j}}\big)^{-x_{i_\ell,j}} \big(g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^n b_{i,j}}\big)^{-y_{i_\ell,j}} \cdot T^{m_1} \\
&= \tilde u_{\ell,1}^{-x_{i_\ell,1}}\, \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}}\, \tilde u_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_1} \bmod N^s,
\end{aligned} \tag{35}
\]
where the second equality follows from $m_1 = \sum_{i=1}^n (a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}) + c$.
We analyze the difference between G3 and G4 via the following lemma.
Lemma 25. One has $|\Pr_3[\mathrm{Succ}] - \Pr_4[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.
Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is the same in G3 and G4. Therefore the only divergence between G3 and G4 lies in $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$.
We show that any difference between G3 and G4 results in a PPT adversary $\mathcal{B}_1$ solving the $\mathrm{IV}_5$ problem. $\mathcal{B}_1$ is provided with $(N, g_1, \dots, g_5)$ and has access to its $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle. $\mathcal{B}_1$ simulates game G3 or game G4 for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares pars and generates $(\mathrm{pk}_i, \mathrm{sk}_i)$, $i \in [n]$, as in G3 and G4. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = \big((a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4})_{i \in [n]}, c\big) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with
\[
\Big(\sum_{i=1}^n a_{i,1}, \sum_{i=1}^n b_{i,1}, *, *, *\Big),\ \Big(*, \sum_{i=1}^n a_{i,2}, \sum_{i=1}^n b_{i,2}, *, *\Big),\ \Big(*, *, \sum_{i=1}^n a_{i,3}, \sum_{i=1}^n b_{i,3}, *\Big),\ \Big(*, *, *, \sum_{i=1}^n a_{i,4}, \sum_{i=1}^n b_{i,4}\Big),
\]
where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde u_{\ell,1}, \tilde u_{\ell,2}, *, *, *)$, $(*, \tilde u_{\ell,3}, \tilde u_{\ell,4}, *, *)$, $(*, *, \tilde u_{\ell,5}, \tilde u_{\ell,6}, *)$, $(*, *, *, \tilde u_{\ell,7}, \tilde u_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is one of the following:
Case 1 ($b = 0$): $\big(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}}\big)$.
Case 2 ($b = 1$): $\big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\big)$.
Next, $\mathcal{B}_1$ uses the obtained $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$ since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event Succ occurs.
In Case 1, $\mathcal{B}_1$ simulates game G3 perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game G4 perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathrm{Succ}]$ and $\Pr_4[\mathrm{Succ}]$ results in $\mathcal{B}_1$'s advantage over the $\mathrm{IV}_5$ problem. Thus Lemma 25 follows.
Game G5. It is identical to G4 except for the following differences. In the initialize procedure of game G5, the challenger picks $r^* \leftarrow_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \dots, \alpha_5 \leftarrow_\$ \mathbb{Z}_N$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \dots, u_{\ell,5})$ as follows:
(i) $(u_{\ell,1}, \dots, u_{\ell,5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$.
The only difference between G4 and G5 is the distribution of $(u_{\ell,1}, \dots, u_{\ell,5})$. In game G4, $(u_{\ell,1}, \dots, u_{\ell,5}) = (g_1^{r_\ell}, \dots, g_5^{r_\ell}) \bmod N^2$, while in game G5, $(u_{\ell,1}, \dots, u_{\ell,5}) = \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$. Just like Lemma 25, any difference between G4 and G5 results in a PPT adversary solving the $\mathrm{IV}_5$ problem by invoking $\mathcal{A}$. Therefore $|\Pr_4[\mathrm{Succ}] - \Pr_5[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.
Game G6. It is identical to G5 except for the following differences. In the initialize procedure of game G6, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \dots, e_{\ell,4})$ in a different way:
(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_\$ (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \dots, r_\ell k^*_4 + s_{\ell,4})$.
(ii)
\[
(e_{\ell,1}, \dots, e_{\ell,4}) := \Big(h_{i_\ell,1}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}},\ \dots,\ h_{i_\ell,4}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\Big). \tag{36}
\]
Clearly $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game G5. In the meantime, for $j \in [4]$ we have
\[
\begin{aligned}
e_{\ell,j} &\overset{\mathrm{G}_5}{=} u_{\ell,j}^{-x_{i_\ell,j}}\, u_{\ell,j+1}^{-y_{i_\ell,j}}\, T^{k_{\ell,j}}
= \big(g_j^{r^*} T^{\alpha_j}\big)^{-r_\ell \cdot x_{i_\ell,j}} \big(g_{j+1}^{r^*} T^{\alpha_{j+1}}\big)^{-r_\ell \cdot y_{i_\ell,j}}\, T^{k_{\ell,j}} \\
&= \big(g_j^{-x_{i_\ell,j}}\, g_{j+1}^{-y_{i_\ell,j}}\big)^{r^* r_\ell}\, T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \\
&\overset{\mathrm{G}_6}{=} h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned} \tag{37}
\]
Thus G6 is the same as G5 and $\Pr_5[\mathrm{Succ}] = \Pr_6[\mathrm{Succ}]$.
Game G7. It is identical to G6 except the way the challenger answers the decrypt oracle queries $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$. In game G7 it uses $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathrm{ai}, \mathrm{aiae.c} \rangle$, where $\mathrm{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \dots, k_4)$ and $m$ in the following way:
(i)
\[
\begin{aligned}
(\alpha'_1, \dots, \alpha'_5) &:= \Big(\frac{\mathrm{dlog}_T\big(u_1^{\phi(N)}\big)}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T\big(u_5^{\phi(N)}\big)}{\phi(N)}\Big) \bmod N, \\
(\gamma'_1, \dots, \gamma'_4) &:= \Big(\frac{\mathrm{dlog}_T\big(e_1^{\phi(N)}\big)}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T\big(e_4^{\phi(N)}\big)}{\phi(N)}\Big) \bmod N, \\
\mathbf{k} = (k_1, \dots, k_4) &:= \big(\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1,\ \dots,\ \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4\big) \bmod N.
\end{aligned} \tag{38}
\]
(ii)
\[
\mathcal{E}.c = (\tilde u_1, \dots, \tilde u_8, e, t)/\bot \leftarrow \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}). \tag{39}
\]
(iii)
\[
\begin{aligned}
(\tilde\alpha'_1, \dots, \tilde\alpha'_8) &:= \Big(\frac{\mathrm{dlog}_T\big(\tilde u_1^{\phi(N)}\big)}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T\big(\tilde u_8^{\phi(N)}\big)}{\phi(N)}\Big) \bmod N^{s-1}, \\
\gamma &:= \frac{\mathrm{dlog}_T\big(e^{\phi(N)}\big)}{\phi(N)} \bmod N^{s-1}, \\
m &:= \tilde\alpha'_1 x_{i,1} + \tilde\alpha'_2 y_{i,1} + \tilde\alpha'_3 x_{i,2} + \tilde\alpha'_4 y_{i,2} + \tilde\alpha'_5 x_{i,3} + \tilde\alpha'_6 y_{i,3} + \tilde\alpha'_7 x_{i,4} + \tilde\alpha'_8 y_{i,4} + \gamma \bmod N^{s-1}.
\end{aligned} \tag{40}
\]
According to (8), for $j \in [4]$ we have that
\[
\begin{aligned}
k_j &\overset{\mathrm{G}_6}{=} \mathrm{dlog}_T\big(e_j\, u_j^{x_{i,j}}\, u_{j+1}^{y_{i,j}}\big)
= \frac{\mathrm{dlog}_T\big((e_j\, u_j^{x_{i,j}}\, u_{j+1}^{y_{i,j}})^{\phi(N)}\big)}{\phi(N)} \bmod N \\
&= \frac{\mathrm{dlog}_T\big(u_j^{\phi(N) \cdot x_{i,j}}\big)}{\phi(N)} + \frac{\mathrm{dlog}_T\big(u_{j+1}^{\phi(N) \cdot y_{i,j}}\big)}{\phi(N)} + \frac{\mathrm{dlog}_T\big(e_j^{\phi(N)}\big)}{\phi(N)} \\
&\overset{\mathrm{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T\big(u_j^{\phi(N)}\big)}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T\big(u_{j+1}^{\phi(N)}\big)}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T\big(e_j^{\phi(N)}\big)}{\phi(N)}}_{\gamma'_j}, \\
m &\overset{\mathrm{G}_6}{=} \mathrm{dlog}_T\big(e\, \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}}\big) \bmod N^{s-1} \\
&\overset{\mathrm{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T\big(\tilde u_1^{\phi(N)}\big)}{\phi(N)}}_{\tilde\alpha'_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T\big(\tilde u_8^{\phi(N)}\big)}{\phi(N)}}_{\tilde\alpha'_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T\big(e^{\phi(N)}\big)}{\phi(N)}}_{\gamma}.
\end{aligned} \tag{41}
\]
Hence G7 is essentially the same as G6 and $\Pr_6[\mathrm{Succ}] = \Pr_7[\mathrm{Succ}]$.
Game G8. It is identical to G7 except the way of answering the decrypt oracle queries $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:
(i) If $\alpha'_1 \ne 0$ or $\cdots$ or $\alpha'_5 \ne 0$ or $\tilde\alpha'_1 \ne 0$ or $\cdots$ or $\tilde\alpha'_8 \ne 0$, output $\bot$.
Denote by Bad the event that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
\[
e_1 u_1^{x_{i,1}} u_2^{y_{i,1}}, \dots, e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathrm{RU}_{N^2} \quad\text{and}\quad \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \ne \bot \tag{42}
\]
\[
\text{and}\quad e\, \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}} \in \mathrm{RU}_{N^s} \quad\text{and}\quad t = g_1^m \bmod N \tag{43}
\]
\[
\text{and}\quad (\alpha'_1 \ne 0 \text{ or } \cdots \text{ or } \alpha'_5 \ne 0 \text{ or } \tilde\alpha'_1 \ne 0 \text{ or } \cdots \text{ or } \tilde\alpha'_8 \ne 0). \tag{44}
\]
Obviously G8 is identical to G7 unless Bad occurs. Thus $|\Pr_7[\mathrm{Succ}] - \Pr_8[\mathrm{Succ}]| \le \Pr_8[\mathrm{Bad}]$.
To show the computational indistinguishability of G7 and G8, we must prove that $\Pr_8[\mathrm{Bad}]$ is negligible. To this end, Bad is divided into two subevents:
(i) $\mathrm{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43) and } (\alpha'_1 \ne 0 \text{ or } \cdots \text{ or } \alpha'_5 \ne 0). \tag{45}
\]
(ii) $\widetilde{\mathrm{Bad}}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43) and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde\alpha'_1 \ne 0 \text{ or } \cdots \text{ or } \tilde\alpha'_8 \ne 0). \tag{46}
\]
Obviously $\Pr_8[\mathrm{Bad}] \le \Pr_8[\mathrm{Bad}'] + \Pr_8[\widetilde{\mathrm{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathrm{Bad}}]$ to subsequent games. Through the following lemma we provide the analysis of $\Pr_8[\mathrm{Bad}']$.
Lemma 26. One has $\Pr_8[\mathrm{Bad}'] \le 2 Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In decrypt of game G8, the challenger will reply $\bot$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\tilde\alpha'_1 = \cdots = \tilde\alpha'_8 = 0$. Consequently, the ($\bmod\ \phi(N)/4$) part of $\mathrm{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, together with the value of $\phi(N)$, is enough for answering decrypt queries. In particular, the values of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ are not necessary in decrypt.
$\mathrm{Bad}'$ is further divided into the following two subevents:
(i) $\mathrm{Bad}'$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43) and } (\alpha'_1 \ne 0 \text{ or } \cdots \text{ or } \alpha'_5 \ne 0) \text{ and } \big(\exists j \in [4]:\ \alpha'_j/\alpha_j \ne \alpha'_{j+1}/\alpha_{j+1} \bmod N\big). \tag{47}
\]
(ii) $\mathrm{Bad}'$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43) and } (\alpha'_1 \ne 0 \text{ or } \cdots \text{ or } \alpha'_5 \ne 0) \text{ and } \big(\alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \bmod N\big). \tag{48}
\]
Recall that $(\alpha_1, \dots, \alpha_5)$ are chosen in initialize. We will consider the two subevents in game G8 separately via the following two claims.
Claim 27. One has $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In game G8, the values of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \dots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$: for $j \in [4]$,
\[
e_{\ell,j} = h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}}
= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (\psi_j - \alpha_j \bar x_{i_\ell,j} - \alpha_{j+1} \bar y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2,
\quad\text{where } \psi_j \triangleq k^*_j - \alpha_j x_j - \alpha_{j+1} y_j. \tag{49}
\]
If $\mathrm{Bad}'$-1 occurs, for concreteness say that $\alpha'_1/\alpha_1 \ne \alpha'_2/\alpha_2 \bmod N$, then
\[
k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar x_{i,1} + \alpha'_2 \bar y_{i,1} + \gamma'_1 \bmod N, \tag{50}
\]
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_\$ \mathbb{Z}_N$, the probability of $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \ne \bot$ is upper bounded by $\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.
Claim 28. One has $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. Similar to the discussion in the proof of the previous claim, in game G8 the only information about $(x_1, y_1, \dots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values $\psi_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\psi_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\psi_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\psi_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \dots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \dots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt.
Note that, because of the randomness of $(x_1, y_1, \dots, x_4, y_4) \bmod N$, $(\psi_1, \psi_2, \psi_3, \psi_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm that simulates decrypt and encrypt of game G8 without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \dots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA encryption oracle of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme.
More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathrm{pars}_{\mathrm{AIAE}})$, which has access to the $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathrm{pars}_{\mathrm{AIAE}} = (N, p, q, \dots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more, and it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \dots, x_4, y_4) \bmod N$ either; instead it chooses $\boldsymbol{\psi} = (\psi_1, \psi_2, \psi_3, \psi_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(\bar x_{i_\ell,j}, \bar y_{i_\ell,j}, \psi_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49) and use $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the ($\bmod\ \phi(N)/4$) part of $\mathrm{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathcal{E}.c_\ell, \mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \dots, s_{\ell,4}) \rangle)$ to its own $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle and obtains $\mathrm{aiae.c}_\ell$. The final ciphertext is $\langle \mathrm{ai}_\ell, \mathrm{aiae.c}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security game, the $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle will encrypt $\mathcal{E}.c_\ell$ with the auxiliary input $\mathrm{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$, that is, the $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle behaves as $\mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.c_\ell, \mathrm{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to G8. For decrypt, $\mathcal{B}_2$ answers decryption queries with the ($\bmod\ \phi(N)/4$) part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like G8.
Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ such that $\mathrm{Bad}'$-2 occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \ne 0 \bmod N$; then for $j \in [4]$,
\[
\begin{aligned}
k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot \big(\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{= \psi_j} - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}\big) + \gamma'_j \bmod N \\
&= r \cdot k^*_j + \underbrace{\big(-r \cdot (\psi_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j\big)}_{\triangleq s_j} = r \cdot k^*_j + s_j \bmod N.
\end{aligned} \tag{51}
\]
Thus $\mathbf{k} = (k_1, \dots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \dots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \dots, s_4) \rangle$ as above using $(\bar x_{i,j}, \bar y_{i,j}, \psi_j)_{j=1}^4$, and outputs $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiae.c})$ to its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.
(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathrm{ai}, \mathrm{aiae.c} \rangle \ne \langle \mathrm{ai}_\ell, \mathrm{aiae.c}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiae.c}) \ne (\mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathrm{aiae.c}_\ell)$ will hold for all $\ell \in [Q_e]$, that is, $\mathcal{B}_2$ always outputs a fresh forgery.
(ii) Secondly, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \dots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\psi_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot (\psi_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously this satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security.
(iii) Finally, if $\mathrm{Bad}'$-2 occurs in this decryption query, then $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \ne \bot$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, which implies that $\mathcal{B}_2$'s forgery is successful.
By a union bound we have that $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.
In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
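As an added illustration (constructed for this editorial version; it is not code from the paper or its authors), the following Python program instantiates the DCR-based KEM of Figure 8 with $s = 2$ on toy parameters and contrasts the original KEM.Decrypt with the $\phi(N)$-based decryption (38) of game G7 and the rejection rule of game G8. It shows that on an honest ai the three decryptors agree, and that on an ai whose $u_j$ carry a $T$-component $\alpha_j$ (the shape introduced in game G5) both decryptors return the key-dependent value $k_j + \alpha_j x_j + \alpha_{j+1} y_j \bmod N$ of (41), which the G8 rule rejects. The toy safe primes, the function names and the simplification of $(g_j^{r^*} T^{\alpha_j})^{r_\ell}$ to $g_j^{r} T^{\alpha_j}$ are the example's own assumptions.

```python
"""Toy instantiation (constructed for this example, s = 2) of the DCR-based
KEM of Figure 8, the phi(N)-based decryption (38) of game G7 and the
rejection rule of game G8.  The primes are tiny and give no security; they
only let the algebra run."""
import random
from math import gcd

P, Q = 23, 59                # toy safe primes: 23 = 2*11+1, 59 = 2*29+1
N = P * Q                    # N = 1357; gcd(N, phi(N)) = 1 as DCR requires
N2 = N * N
PHI = (P - 1) * (Q - 1)      # phi(N) = (p-1)(q-1)
T = 1 + N                    # T = 1+N generates RU_{N^2}, the order-N subgroup


def dlog_T(c):
    """dlog base T of c mod N^2, or None if c is not in RU_{N^2} = {T^k}."""
    if c % N != 1:           # every T^k = 1 + kN is congruent to 1 modulo N
        return None
    return ((c - 1) // N) % N


def sample_scr(rng):
    """Uniform element of SCR_{N^2} (squared N-th residues), order phi(N)/4."""
    while True:
        mu = rng.randrange(2, N2)
        if gcd(mu, N) == 1:
            return pow(mu, 2 * N, N2)


def t_component(v):
    """T-exponent of v in Z*_{N^2} via phi(N): dlog_T(v^phi(N)) / phi(N) mod N.
    Raising to phi(N) kills the order-phi(N) part of v and leaves T^{b*phi(N)}."""
    return dlog_T(pow(v, PHI, N2)) * pow(PHI, -1, N) % N


def keygen(rng, g):
    """KeyGen of Figure 8 (KEM part): sk = (x1,y1,...,x4,y4), h_j = g_j^-x_j g_{j+1}^-y_j."""
    sk = [rng.randrange(N * N // 4) for _ in range(8)]
    pk = [pow(g[j], -sk[2 * j], N2) * pow(g[j + 1], -sk[2 * j + 1], N2) % N2
          for j in range(4)]
    return pk, sk


def kem_encrypt(rng, g, pk, alpha=None):
    """KEM.Encrypt; with alpha given, each u_j additionally carries T^{alpha_j}
    (the malformed shape of games G5-G8, simplified for the example)."""
    r = rng.randrange(N // 4)
    k = [rng.randrange(N) for _ in range(4)]
    u = [pow(g[j], r, N2) for j in range(5)]
    if alpha is not None:
        u = [u[j] * pow(T, alpha[j], N2) % N2 for j in range(5)]
    e = [pow(pk[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return k, (u, e)


def kem_decrypt_sk(sk, ai):
    """Original KEM.Decrypt: k_j = dlog_T(e_j u_j^x_j u_{j+1}^y_j); reject if not in RU_{N^2}."""
    u, e = ai
    k = []
    for j in range(4):
        c = e[j] * pow(u[j], sk[2 * j], N2) * pow(u[j + 1], sk[2 * j + 1], N2) % N2
        kj = dlog_T(c)
        if kj is None:
            return None
        k.append(kj)
    return k


def kem_decrypt_phi(sk_mod_n, ai):
    """G7 decryption (38): only phi(N) and the secret key modulo N are used."""
    u, e = ai
    a = [t_component(uj) for uj in u]       # alpha'_1 .. alpha'_5
    gam = [t_component(ej) for ej in e]     # gamma'_1 .. gamma'_4
    k = [(a[j] * sk_mod_n[2 * j] + a[j + 1] * sk_mod_n[2 * j + 1] + gam[j]) % N
         for j in range(4)]
    return k, a


def kem_decrypt_g8(sk_mod_n, ai):
    """G8: G7 decryption plus the rule 'reject if some alpha'_j != 0'."""
    k, a = kem_decrypt_phi(sk_mod_n, ai)
    return None if any(a) else k


def demo(seed=7):
    """Returns (honest_ok, malformed_leaks_key_dependence, decryptors_agree, g8_rejects)."""
    rng = random.Random(seed)
    g = [sample_scr(rng) for _ in range(5)]
    pk, sk = keygen(rng, g)
    sk_mod_n = [v % N for v in sk]
    k, ai = kem_encrypt(rng, g, pk)                      # honest ai
    honest_ok = (kem_decrypt_sk(sk, ai) == k == kem_decrypt_phi(sk_mod_n, ai)[0]
                 == kem_decrypt_g8(sk_mod_n, ai))
    alpha = [rng.randrange(1, N) for _ in range(5)]      # malformed ai, all alpha_j != 0
    k2, ai2 = kem_encrypt(rng, g, pk, alpha)
    k_phi, a = kem_decrypt_phi(sk_mod_n, ai2)
    # (41): the recovered key becomes k_j + alpha_j x_j + alpha_{j+1} y_j mod N
    leak = [(k2[j] + alpha[j] * sk_mod_n[2 * j] + alpha[j + 1] * sk_mod_n[2 * j + 1]) % N
            for j in range(4)]
    return (honest_ok, k_phi == leak and a == alpha,
            kem_decrypt_sk(sk, ai2) == k_phi, kem_decrypt_g8(sk_mod_n, ai2) is None)


if __name__ == "__main__":
    print(demo())
```

The third flag is the content of (41): on any input the original decryptor and the $\phi(N)$-based one compute the same value, so G6 and G7 are identical; the second flag is why that value must not be released, since it is an affine function of the secret key chosen by whoever built the malformed $u_j$; the fourth flag is the G8 rule closing that channel.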
Game G9. It is identical to G8 except for the following differences. In the initialize procedure of game G9, the challenger picks an independent $\hat{\mathbf{k}}^* = (\hat k^*_1, \hat k^*_2, \hat k^*_3, \hat k^*_4) \leftarrow_\$ (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathrm{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathrm{aiae.c}_\ell$:
(i) $\hat{\mathbf{k}}_\ell := (r_\ell \hat k^*_1 + s_{\ell,1}, \dots, r_\ell \hat k^*_4 + s_{\ell,4})$;
(ii) $\mathrm{aiae.c}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\hat{\mathbf{k}}_\ell, \mathcal{E}.c_\ell, \mathrm{ai}_\ell)$.
We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$.
In G8 the only place that involves the value of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,
\[
e_{\ell,j} = h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}}
= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar x_{i_\ell,j} - \alpha_{j+1} \bar y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \tag{52}
\]
Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \dots, x_4, y_4) \bmod N$.
Therefore the challenger could always employ another $\hat{\mathbf{k}}^* = (\hat k^*_1, \dots, \hat k^*_4)$ in the computation of $\hat{\mathbf{k}}_\ell$ and utilize $\hat{\mathbf{k}}_\ell$ in the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption in the encrypt oracle, as in G9.
Then game G8 and game G9 are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathrm{Succ}] = \Pr_9[\mathrm{Succ}]$ and $\Pr_8[\widetilde{\mathrm{Bad}}] = \Pr_9[\widetilde{\mathrm{Bad}}]$.
Game G10. It is identical to G9 except the way the challenger answers the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game G10 the challenger computes $\mathrm{aiae.c}_\ell$ in the following way:
(i) $\mathrm{aiae.c}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\hat{\mathbf{k}}_\ell, 0^{\lambda_M}, \mathrm{ai}_\ell)$.
Observe that in G9 and G10, $\hat{\mathbf{k}}^*$ is employed only in the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption, where it uses $\hat{\mathbf{k}}_\ell = r_\ell \cdot \hat{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \dots, s_{\ell,4})$. Any difference between G9 and G10 results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{aff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathrm{Succ}] - \Pr_{10}[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\widetilde{\mathrm{Bad}}] - \Pr_{10}[\widetilde{\mathrm{Bad}}]| \le \mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Finally, in G10 the challenger always computes the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathrm{Succ}] = 1/2$.
To complete the proof of Theorem 24, we only need to prove the following lemma.
Lemma 29. One has $\Pr_{10}[\widetilde{\mathrm{Bad}}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda)$.
Proof. In G10, neither decrypt nor encrypt uses the values of $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathrm{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g g_j \bmod \phi(N)/4$ for some base $g \in \mathrm{SCR}_{N^s}$, $j \in [5]$.
20 Security and Communication Networks
Bad is further divided into the following disjoint twosubevents
(i) Bad-1 A ever queries the decrypt oracle with (⟨aiaiaec⟩ 119894 isin [119899]) satisfying
Conditions (42) (43) and (12057210158401 = sdot sdot sdot = 12057210158405 = 0) and (1= 0 or sdot sdot sdot or 8 = 0) and ( 11199081
= 21199082
or 31199082
= 41199083
or 51199083
= 61199084
or 71199084
= 81199085
) (53)
(ii) Bad-2 A ever queries the decrypt oracle with (⟨aiaiaec⟩ 119894 isin [119899]) satisfying
Conditions (42) (43) and (12057210158401 = sdot sdot sdot = 12057210158405 = 0) and (1= 0 or sdot sdot sdot or 8 = 0) and ( 11199081
= 21199082
and 31199082
= 41199083
and 51199083
= 61199084
and 71199084
= 81199085
) (54)
We will analyze the two subevents in game $\mathrm{G}_{10}$ separately via the following two claims.

Claim 30. One has $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Proof. If $\mathsf{Bad}\text{-}1$ occurs, for concreteness say that ${}_1/w_1 \ne {}_2/w_2$, then
$$g_1^{m} = g_1^{\,{}_1 x_{i,1} + {}_2 y_{i,1} + \cdots} = g_1^{\,({}_1 x_1 + {}_2 y_1 + {}_1 \bar{x}_{i,1} + {}_2 \bar{y}_{i,1} + \cdots) \bmod \phi(N)/4} \bmod N, \quad (55)$$
and $({}_1 x_1 + {}_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^m$ is uniformly distributed over $\mathbb{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^m \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound, $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\text{dl}}_{\text{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $\mathrm{G}_{10}$, if $\mathsf{Bad}\text{-}2$ occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathbb{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathbb{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys just the same way as initialize in $\mathrm{G}_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $\mathrm{G}_{10}$ does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w := \mathsf{dlog}_g h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathsf{dlog}_g g_j = z_j + w z'_j \bmod \phi(N)/4$.

If $\mathsf{Bad}\text{-}2$ occurs in decrypt, for concreteness say that ${}_1/w_1 = {}_2/w_2 \ne 0 \bmod \phi(N)/4$, that is, $g_1^{\,{}_2} = g_2^{\,{}_1} \ne 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1 \cdot {}_2 = w_2 \cdot {}_1 \bmod \phi(N)/4$, or equivalently
$$z_1 \cdot {}_2 + w z'_1 \cdot {}_2 = z_2 \cdot {}_1 + w z'_2 \cdot {}_1 \bmod \phi(N)/4. \quad (56)$$
Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1 \cdot {}_2 - z'_2 \cdot {}_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ will succeed in computing the discrete logarithm of $h$ based on $g$ and output $w = (z'_1 \cdot {}_2 - z'_2 \cdot {}_1)^{-1} \cdot (z_2 \cdot {}_1 - z_1 \cdot {}_2) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\text{dl}}_{\text{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal{F}_{\text{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal{F}^d_{\text{poly}}$]-CCA Security
5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\text{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^d_{\text{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\text{poly}}$ in the form of modular arithmetic circuits (MAC) [10], which are polynomial-sized circuits computing $f \in \mathcal{F}^d_{\text{poly}}$. We stress that there is no a priori bound on the size of modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\text{AIAE}_{\text{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\text{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \dots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \dots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables
How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^d_{\text{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables, consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}. \quad (57)$$
Consequently, $f_\ell$ in $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) = f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) = f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \dots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (58)$$
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:

(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1, \dots, c_8)}$ can be extracted through solving a linear system of equations:
$$f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \dots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (59)$$
The overall time complexity for computing the coefficients $a_{(c_1, \dots, c_8)}$ is polynomial in $\lambda$.
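The coefficient-extraction procedure of Section 5.2, as an added example in Python (not the paper's code): a black-box polynomial stands in for the modular arithmetic circuit, it is queried on inputs shifted as in (57), and the coefficients $a_{(c_1,\dots,c_8)}$ of $f'_\ell$ are recovered by solving the linear system (59). It assumes a constructed toy modulus $N$ and keys formed as base plus shift over the integers (no reduction mod $\lfloor N/4 \rfloor$), so that identity (57) holds exactly; the modulus, the circuit `demo_f` and all sample values are constructed for this example.

```python
"""Section 5.2 coefficient extraction: reduce an 8n-variable KDM polynomial f_l to the
8 variables of one user's key, using only the shifts (x_bar, y_bar) from initialize.

Added example, not the paper's code.  Assumptions (ours): arithmetic is done modulo a
constructed toy modulus N, and sk_i = base + shift over the integers (no reduction
mod floor(N/4)), so the shift identity (57) holds exactly.
"""
import itertools
import random

P, Q = 2147483647, 1000000007   # constructed toy primes; N is NOT a real DCR modulus
N = P * Q
K = 8                           # sk_i = (x_{i,1}, y_{i,1}, ..., x_{i,4}, y_{i,4})


def degree_tuples(d):
    """Exponent tuples c = (c_1..c_8) with c_1 + ... + c_8 <= d: the monomials of f'_l."""
    return [c for c in itertools.product(range(d + 1), repeat=K) if sum(c) <= d]


def monomial(c, point):
    """x_1^{c_1} * ... * x_8^{c_8} mod N at an 8-variable point."""
    r = 1
    for ci, vi in zip(c, point):
        r = r * pow(vi, ci, N) % N
    return r


def initialize(n, rng):
    """sk_i = (x_j + x_bar_{i,j}, y_j + y_bar_{i,j}); returns the n keys and the shifts."""
    base = [rng.randrange(N // 4) for _ in range(K)]
    shifts = [[rng.randrange(N // 4) for _ in range(K)] for _ in range(n)]
    sks = [[b + s for b, s in zip(base, sh)] for sh in shifts]
    return sks, shifts


def lift(point, target, shifts):
    """Identity (57): x_{i,j} = x_{target,j} + x_bar_{i,j} - x_bar_{target,j}.
    Expands the 8 variables of user `target` into the 8n inputs of the circuit."""
    return [[v + s - t for v, s, t in zip(point, sh, shifts[target])] for sh in shifts]


def solve_mod_n(rows, rhs):
    """Gauss-Jordan elimination mod N.  A pivot that is not invertible mod N (negligible
    probability for an RSA-like N) makes pow() raise ValueError; the caller resamples."""
    m = len(rows[0])
    A = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(m):
        piv = next((r for r in range(col, len(A)) if A[r][col]), None)
        if piv is None:
            raise ValueError("singular system")
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, N)
        A[col] = [a * inv % N for a in A[col]]
        for r in range(len(A)):
            if r != col and A[r][col]:
                fac = A[r][col]
                A[r] = [(a - fac * b) % N for a, b in zip(A[r], A[col])]
    return [A[i][m] for i in range(m)]


def reduce_polynomial(f, target, shifts, d, rng):
    """Steps (i)-(iii) of Section 5.2, repeated binom(8+d, 8) times, then one solve of
    the linear system (59).  f is only used as a black box on full 8n-variable inputs.
    Returns {c: a_c} with f'_l(point) = sum_c a_c * point^c mod N (zero a_c dropped)."""
    S = degree_tuples(d)
    while True:
        rows, rhs = [], []
        for _ in range(len(S)):
            pt = [rng.randrange(N) for _ in range(K)]          # (i) uniform 8 variables
            rows.append([monomial(c, pt) for c in S])
            rhs.append(f(lift(pt, target, shifts)) % N)        # (ii)+(iii) query circuit
        try:
            coeffs = solve_mod_n(rows, rhs)
        except ValueError:
            continue                                            # resample and retry
        return {c: a for c, a in zip(S, coeffs) if a}


def eval_reduced(coeffs, point):
    """Evaluate f'_l at an 8-variable point, e.g. the real key sk_{i_l}."""
    return sum(a * monomial(c, point) for c, a in coeffs.items()) % N


def demo_f(keys):
    """Constructed degree-2 'circuit' over n = 2 keys (paper's 1-based indices):
    3 * x_{1,1} * y_{2,3} + 5 * x_{2,4}^2 + 7."""
    x11, y23, x24 = keys[0][0], keys[1][5], keys[1][6]
    return (3 * x11 * y23 + 5 * x24 * x24 + 7) % N


def demo(seed=1):
    """Reduce demo_f onto user i_l = 2 (index 1); check f'_l(sk_2) == f(sk_1, sk_2)."""
    rng = random.Random(seed)
    sks, shifts = initialize(2, rng)
    coeffs = reduce_polynomial(demo_f, 1, shifts, 2, rng)
    return coeffs, shifts, eval_reduced(coeffs, sks[1]) == demo_f(sks)
```

Only the monomials that survive the shift appear in the result: $3\,x_{1,1}y_{2,3}$ becomes $3\,x_{i_\ell,1}y_{i_\ell,3}$ plus a degree-one term whose coefficient is fixed by the shifts, exactly as stated after (58).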
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: we construct $\mathcal{E}$ for a concrete type of monomial function, that is,
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (60)$$
Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 9.

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathrm{G}_3$–$\mathrm{G}_4$, which are related to the building block $\mathcal{E}$. Next we will replace $\mathrm{G}_3$–$\mathrm{G}_4$ with the following hybrids (i.e., Hybrid 1–Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathrm{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (61)$$

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathrm{G}_3$ in the proof of Theorem 24.

(i) Invoke $\mathcal{E}.\mathsf{Encrypt}$ to set up table.
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \dots, \tilde{v}_8$ from table.
(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Clearly, $\tilde{v}_0, \dots, \tilde{v}_8$ computed via $\mathcal{E}.\mathsf{Decrypt}$ are the same as $v_0, \dots, v_8$ computed via $\mathcal{E}.\mathsf{Encrypt}$. Therefore this is just a conceptual change.

Hybrid 3. This hybrid corresponds to $\mathrm{G}_4$ in the proof of Theorem 24.
(i) table is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, in table the entry located in row 1 and column 1 is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \dots, \tilde{v}_8$ from table.
(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\dots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) table is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry located in row 1 and column 1 in table is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $\mathrm{G}_7$–$\mathrm{G}_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in table are elements in $\mathbb{SCR}_{N^s}$. If this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \dots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through a similar analysis as that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.

[Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. Left, $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \dots, 8\}$ pick $r_{l,1}, \dots, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \dots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; table is the $9 \times 8$ matrix whose row $l$ is $(u_{l,1}, \dots, u_{l,8})$, with entry $u_{l,l}$ replaced by $\tilde{u}_{l,l} := u_{l,l} \cdot v_{l-1}$ for $l \ge 1$; output $\mathcal{E}.c = (\text{table}, e := v_8 \cdot T^m \bmod N^s, t := g_1^m \bmod N)$. Right, $\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4), \mathcal{E}.c)$: compute $\tilde{v}_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} \cdots u_{0,8}^{-y_4}$ and, for $l = 1, \dots, 8$, $\tilde{v}_l$ in the same way from row $l$ with $\tilde{u}_{l,l} / \tilde{v}_{l-1}$ in place of $u_{l,l}$; if $e / \tilde{v}_8 \in \mathbb{RU}_N$, set $m := \mathsf{dlog}_T(e / \tilde{v}_8) \bmod N^{s-1}$ and output $m$ if $t = g_1^m \bmod N$, otherwise output $\perp$.]

[Figure 10: Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$; the columns Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form) show how table, $e$ and $t$ are computed in $\mathcal{E}.\mathsf{Encrypt}(f, i \in [n])$ in each hybrid.]
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\text{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\text{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \dots, c_8)$. Let $S$ denote the set of all such degree tuples, that is, $S := \{\mathbf{c} = (c_1, \dots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each degree tuple $\mathbf{c} = (c_1, \dots, c_8) \in S$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}(\mathbf{c})$ and $v(\mathbf{c})$ by invoking the algorithm $\mathsf{TableGen}$ shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4)$, we can recover $\tilde{v}(\mathbf{c}) = v(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ by invoking the algorithm $\mathsf{CalculateV}$ in Figure 11. Thus the titles $(v(\mathbf{c}))_{\mathbf{c} \in S}$ could always be extracted from $(\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in S}$ one by one, and finally $m$ is recovered.

Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\text{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathrm{G}_3$–$\mathrm{G}_4$. Next we will replace $\mathrm{G}_3$–$\mathrm{G}_4$ with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathrm{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \dots, c_8) \in S} a_{(c_1, \dots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \quad (62)$$
where $\delta$ is the constant term $a_{(0, \dots, 0)}$ of $f'_\ell$.

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathrm{G}_3$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \dots, c_8) \in S$:
(1) invoke $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
(2) invoke $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Employ $(\tilde{v}(\mathbf{c}))_{\mathbf{c} \in S}$ rather than $(v(\mathbf{c}))_{\mathbf{c} \in S}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in S} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
[Figure 11: (a) $\mathcal{E}.\mathsf{Encrypt}$ (left) and $\mathcal{E}.\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\text{poly}}$. $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$: for each $\mathbf{c} = (c_1, \dots, c_8) \in S$ run $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$; set $e := \prod_{\mathbf{c} \in S} v(\mathbf{c}) \cdot T^m \bmod N^s$ and $t := g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in S}, e, t)$. $\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}.c)$: parse $\mathcal{E}.c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in S}, e, t)$; for each $\mathbf{c} \in S$ compute $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}(\mathbf{c}), \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in S} \tilde{v}(\mathbf{c}))^{-1} \in \mathbb{RU}_N$, set $m := \mathsf{dlog}_T(e \cdot (\prod_{\mathbf{c} \in S} \tilde{v}(\mathbf{c}))^{-1}) \bmod N^{s-1}$ and output $m$ if $t = g_1^m \bmod N$; otherwise output $\perp$.
(b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \dots, c_8))$, which generates $\mathsf{table}(\mathbf{c})$ together with a title $v(\mathbf{c})$: for each $l \in \{0, 1, \dots, \sum_{j=1}^8 c_j\}$ pick $r_{l,1}, \dots, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \dots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. Row $l$ of $\mathsf{table}(\mathbf{c})$ is $(u_{l,1}, \dots, u_{l,8})$, except that in the $c_1$ rows $l = 1, \dots, c_1$ the first entry is $u_{l,1} \cdot v_{l-1}$, in the next $c_2$ rows $l = c_1 + 1, \dots, c_1 + c_2$ the second entry is $u_{l,2} \cdot v_{l-1}$, and so on, up to the last $c_8$ rows $l = \sum_{j=1}^7 c_j + 1, \dots, \sum_{j=1}^8 c_j$, in which the eighth entry is $u_{l,8} \cdot v_{l-1}$. Output $(\mathsf{table}(\mathbf{c}), v(\mathbf{c}) := v_{\sum_{j=1}^8 c_j})$.
(c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4), \mathsf{table}(\mathbf{c}), \mathbf{c} = (c_1, \dots, c_8))$, which calculates a title $\tilde{v}(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ using the secret key: parse $\mathsf{table}(\mathbf{c}) = (\tilde{u}_{l,1}, \tilde{u}_{l,2}, \dots, \tilde{u}_{l,8})_{l \in \{0, 1, \dots, \sum_{j=1}^8 c_j\}}$; set $\tilde{v}_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; for each $l \in \{1, \dots, c_1\}$, $\tilde{v}_l := (\tilde{u}_{l,1} / \tilde{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; for each $l \in \{c_1 + 1, \dots, c_1 + c_2\}$, $\tilde{v}_l := u_{l,1}^{-x_1} (\tilde{u}_{l,2} / \tilde{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} \cdots u_{l,8}^{-y_4}$; and so on, until for each $l \in \{\sum_{j=1}^7 c_j + 1, \dots, \sum_{j=1}^8 c_j\}$, $\tilde{v}_l := u_{l,1}^{-x_1} u_{l,2}^{-y_1} \cdots u_{l,7}^{-x_4} (\tilde{u}_{l,8} / \tilde{v}_{l-1})^{-y_4}$. Output $\tilde{v}(\mathbf{c}) := \tilde{v}_{\sum_{j=1}^8 c_j}$.]
Clearly, for each $\mathbf{c} = (c_1, \dots, c_8) \in S$, $\tilde{v}(\mathbf{c})$ computed via $\mathsf{CalculateV}$ is the same as $v(\mathbf{c})$ computed via $\mathsf{TableGen}$. Therefore this change is just conceptual.

Hybrid 3. This hybrid corresponds to $\mathrm{G}_4$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \dots, c_8) \in S$:
(1) $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \ne 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \dots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable.
(2) Extract $\tilde{v}(\mathbf{c})$ from the (modified) $\mathsf{table}(\mathbf{c})$ by invoking $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in S} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, for each $\mathbf{c} = (c_1, \dots, c_8) \in S$ we have
$$\tilde{v}(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1, \dots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \quad (63)$$
Hence
$$e = \prod_{\mathbf{c} \in S} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in S} v(\mathbf{c}) \cdot \prod_{\mathbf{c} \in S} T^{-a_{(c_1, \dots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in S} v(\mathbf{c}) \cdot T^{\delta}. \quad (64)$$

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \dots, c_8) \in S$, $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \ne 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \dots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in S} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

With a similar argument as that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
Appendix

A. Proof of Claim 19
We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\text{AE}}$ and has access to the oracle $\text{encrypt}_{\text{AE}}(\cdot) = \text{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\text{AIAE}}$ in the same way as in $\mathrm{G}'_{1,j}$. That is, invoke $\mathsf{pars}_{\text{THPS}} \leftarrow_\$ \text{THPS.Setup}(1^\lambda)$, pick $\mathsf{H} \leftarrow_\$ \mathcal{H}$ randomly, and set $\mathsf{pars}_{\text{AIAE}} := (\mathsf{pars}_{\text{THPS}}, \mathsf{pars}_{\text{AE}}, \mathsf{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\text{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.
As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\text{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way.

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$, and invokes $\chi_\ell \leftarrow_\$ \text{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \text{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all, and instead it will resort to its own $\text{encrypt}_{\text{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathsf{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, queries its $\text{encrypt}_{\text{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\text{encrypt}_{\text{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \text{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathrm{G}'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $\mathrm{G}'_{1,j}$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\text{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\text{AI-F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\text{TAG}}$.
Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\text{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows.

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\text{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\text{AI-F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \ne f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\text{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \ne (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \ne t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ will imply that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$, and $\text{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$, and $\text{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$ imply that $\chi^* \ne \chi_j$ and $\text{AE.Decrypt}(\kappa, \chi^*) \ne \perp$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $\mathrm{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\text{int-ot}}_{\text{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}^b_{\mathrm{IV}_5}}(N, g_1, \dots, g_5)$ to solve the $\mathrm{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}.\mathsf{Encrypt}$ as follows.

(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \dots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathrm{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,

Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$; or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.

$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^{a} \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \dots, u_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be
$$(\tilde{u}_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \cdots,\ u_{1,8}). \quad (\text{B.1})$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \dots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $v^*_1 = v_1$; or
Case ($b = 1$): $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathrm{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,

Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$; or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.

$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^*_{2,2} \cdot v^*_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \dots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
$$(u^*_{2,1},\ \tilde{u}_{2,2} = u^*_{2,2} \cdot v^*_1,\ u_{2,3},\ \cdots,\ u_{2,8}). \quad (\text{B.2})$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \dots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $v^*_2 = v_2$; or
Case ($b = 1$): $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.
(iv) For the 3rd row B queries its own chal119887IV5 ora-cle with (lowast 119886 sdot 119909119894ℓ 1119910119894ℓ 1 0 lowast lowast) and obtains its challenge(lowast lowast33 lowast34 lowast lowast) that is
Case (119887 = 0) (lowast33 lowast34) = (119892119903322 119892119903323 ) = (33 34) orCase (119887 = 1) (lowast33 lowast34) = (119892119903322 119879119886sdot119909119894ℓ 1119910119894ℓ 1 119892119903323 ) =(33119879119886sdot119909119894ℓ 1119910119894ℓ 1 34)
B sets 33 fl lowast33 sdot Vlowast2 similarly it is easy to check that33 = 33 sdot V2 in both cases ThenB generates the remainingelements in the 3rd row of table using its public keys and setsthe 3rd row of table to be
31 32 33 = lowast33 sdot Vlowast2 lowast34 35 sdot sdot sdot 38 (B3)
B also computes Vlowast3 from (31 32 lowast33 lowast34 35 38) via Vlowast3 fl minus119909119894ℓ 131 minus119910119894ℓ 132 lowastminus119909119894ℓ 233 lowastminus119910119894ℓ 234 minus119909119894ℓ 335 sdot sdot sdot minus119910119894ℓ 438 whichequals
Case (119887 = 0) Vlowast3 = V3 or
Case (119887 = 1) Vlowast3 = V3119879minus119886sdot119909119894ℓ 1119910119894ℓ 1119909119894ℓ 2
(v) For the 4sim8th rows B computes table similarly asabove
(vi) Finally B computes V0 V8 from table just as inHybrids 2 and 3 (also as the original EDecrypt algorithm)and computes 119890 fl V8 sdot 1198791198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4]) mod119873119904 119905 fl1198921198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4])1 mod119873 using the secret keys
If 119887 = 0 B perfectly simulates Hybrid 2 If 119887 =1 B perfectly simulates Hybrid 3 Any difference betweenHybrids 2 and 3 results in Brsquos advantage over the IV5
problem
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
Security and Communication Networks 27
References
[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
KDM[F]-CPA Security. In 2008, Boneh et al. (BHHO) [4] proposed the first KDM[$\mathcal{F}_{\mathrm{aff}}$]-CPA secure PKE construction for the affine function set $\mathcal{F}_{\mathrm{aff}}$ from the Decisional Diffie-Hellman (DDH) assumption. Soon after, the BHHO scheme was generalized by Brakerski and Goldwasser [5], who presented KDM[$\mathcal{F}_{\mathrm{aff}}$]-CPA secure PKE constructions under the Quadratic Residuosity (QR) assumption or the Decisional Composite Residuosity (DCR) assumption. However, these schemes suffer from incompact ciphertexts, which contain $O(\lambda)$ group elements ($\lambda$ denotes the security parameter throughout the paper).

Applebaum et al. [6] proved that a variant of the Regev scheme [7] is KDM[$\mathcal{F}_{\mathrm{aff}}$]-CPA secure and enjoys compact ciphertexts, that is, encompassing only $O(1)$ group elements.

Brakerski et al. [8] provided a KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CPA secure PKE scheme for the polynomial function set $\mathcal{F}^d_{\mathrm{poly}}$, which contains all polynomials whose degrees are at most $d$. The drawback of the scheme is incompact ciphertexts, which contain $O(\lambda^{d+1})$ group elements.

Barak et al. [9] presented a KDM-CPA secure PKE for the set of Boolean circuits whose sizes are a priori bounded, which is a very large function set. Nevertheless, their scheme is neither practical nor flexible.

In 2011, Malkin et al. [10] proposed the first efficient KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CPA secure PKE. The ciphertext of their PKE construction is almost compact and consists of only $O(d)$ group elements.
KDM[F]-CCA Security. The first approach to KDM-CCA security was proposed by Camenisch, Chandran, and Shoup (CCS) [11]. The CCS approach follows the Naor-Yung paradigm [12], and the building blocks are a PKE scheme with CCA security, a PKE scheme with KDM-CPA security, and a noninteractive zero-knowledge (NIZK) proof system which proves that the two PKE schemes encrypt the same message.

The Groth-Sahai proofs [13] are the only practical NIZK. To obtain efficient KDM-CCA secure PKE, we have to employ an efficient PKE scheme with KDM-CPA security and the Groth-Sahai proofs if we follow the CCS approach [11]. Unfortunately, the existing efficient PKE schemes with KDM-CPA security, like [6, 10], are not compatible with the Groth-Sahai proofs, since the underlying groups of their schemes are not pairing-friendly ones.

Galindo et al. [14] proposed a KDM-CCA secure PKE scheme from the Matrix Decisional Diffie-Hellman assumption. Their scheme enjoys compact ciphertexts, but the KDM-CCA security of their scheme is constrained (more precisely, in their KDM-CCA security model the adversary is only allowed to access the encryption oracle a number of times linear in the secret key's size).

In order to achieve both KDM-CCA security and efficiency for PKE, Hofheinz [15] developed another approach, making use of a novel primitive named "lossy algebraic filter." The PKE scheme proposed by Hofheinz enjoys the security of KDM[$\mathcal{F}_{\mathrm{circ}}$]-CCA and the compactness of ciphertexts simultaneously, but the function set $\mathcal{F}_{\mathrm{circ}}$ is made up of constant functions and selection functions $f(\mathrm{sk}_1, \dots, \mathrm{sk}_n) = \mathrm{sk}_i$.

In fact, it is a challenging job to enlarge the KDM-CCA function set $\mathcal{F}$ while keeping the efficiency of the PKE scheme. Recently, Lu et al. [16] designed the first PKE achieving both KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security and compact ciphertexts. Their construction is referred to as the LLJ scheme in this paper. The essential building block in their scheme is "authenticated encryption" (AE). The so-called INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of AE turns out to be critical to the KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security of the LLJ scheme. Unfortunately, their security reduction of the INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of AE to the underlying DDH assumption is flawed. Roughly speaking, the problem of their security reduction is that there is no efficient way for the DDH adversary to convert the forgery provided by the INT-$\mathcal{F}_{\mathrm{aff}}$-RKA adversary into a decision bit for solving the DDH problem, since it has no trapdoor. See our conference version [17] for details. The failure of AE's INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security reduction directly affects the validity of LLJ's KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security proof.

To construct efficient KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE schemes, the CCS approach [11] is the unique way to the best of our knowledge. However, the only efficient KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CPA secure PKE [10] is incompatible with the Groth-Sahai NIZK proofs [13]; thus the CCS approach must adopt a general, inefficient NIZK.
Our Contribution. In this work, we focus on the design of efficient PKE schemes possessing KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security and KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security, respectively.

(i) We develop a new primitive named "Auxiliary-Input Authenticated Encryption" (AIAE). We introduce new related-key attack (RKA) security notions for it, called IND-$\mathcal{F}'$-RKA and weak-INT-$\mathcal{F}'$-RKA.

(a) We show a general paradigm for constructing such an AIAE from a one-time secure AE and a tag-based hash proof system (HPS) that is universal$_2$, extracting, and key-homomorphic.

(b) We present an instantiation of tag-based HPS under the DDH assumption. Following our paradigm, we immediately obtain a DDH-based AIAE for the set of restricted affine functions.

(ii) Using AIAE as an essential building block, we design the first PKE scheme enjoying KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security and compactness of ciphertexts simultaneously. Specifically, the ciphertext of our scheme contains only $O(1)$ group elements.

(iii) Furthermore, we design the first PKE scheme enjoying KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security and almost compactness of ciphertexts simultaneously. More precisely, the number of group elements contained in a ciphertext is independent of the security parameter $\lambda$.

In Table 1, we list the existing PKE schemes which either achieve KDM-CCA security or are KDM-secure for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions.
Table 1: Comparison among PKE schemes achieving either KDM-CCA security or security against the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions. Here we denote by $\lambda$ the security parameter and by $\mathcal{F}_{\mathrm{circ}}$, $\mathcal{F}_{\mathrm{aff}}$, and $\mathcal{F}^d_{\mathrm{poly}}$ the set of selection functions, the set of affine functions, and the set of polynomial functions of bounded degree $d$, respectively. "CCA" indicates that the scheme is KDM-CCA secure; ✓ and ✗ indicate whether the scheme has the property of the column. The annotation "(not rigorous)" means that the security proof is not rigorous. $\mathbb{G}$, $\mathbb{Z}_{N^2}$, $\mathbb{Z}_{N^3}$, $\mathbb{Z}_{N^s}$, and $\mathbb{Z}_{\bar N}$ are the underlying groups, where $s \ge 1$.

Scheme                   | Set       | CCA              | Free of pairing | Size of ciphertext                                 | Assumption
BHHO08 [4] + CCS09 [11]  | F_aff     | ✓                | ✗               | (6λ + 13)|G|                                       | DDH
BGK11 [8]                | F^d_poly  | ✗                | ✓               | (λ^{d+1})|G|                                       | DDH or LWE
MTY11 [10]               | F^d_poly  | ✗                | ✓               | (d + 2)|Z_{N^s}|                                   | DCR
Hof13 [15]               | F_circ    | ✓                | ✗               | 6|Z_{N^3}| + 49|G|                                 | DDH & DCR
LLJ15 [16]               | F_aff     | ✓ (not rigorous) | ✓               | 3|Z_{N^2}| + 3|Z_{N^s}| + |Z_{N̄}|                  | DDH & DCR
Our scheme in Section 4  | F_aff     | ✓                | ✓               | 9|Z_{N^2}| + 9|Z_{N^s}| + 2|Z_{N̄}|                 | DDH & DCR
Our scheme in Section 5  | F^d_poly  | ✓                | ✓               | 9|Z_{N^2}| + (8d^9 + 1)|Z_{N^s}| + 2|Z_{N̄}|        | DDH & DCR
Figure 1: Our approach of PKE construction. Encryption (left): KEM.Encrypt(pk) outputs (k, kem.c); $\mathcal{E}$.Encrypt(pk, $m$) outputs $\mathcal{E}$.c; AIAE.Encrypt(k, $\mathcal{E}$.c, ai = kem.c) outputs aiae.c. Decryption (right): KEM.Decrypt(sk, kem.c) recovers k; AIAE.Decrypt(k, aiae.c, ai = kem.c) recovers $\mathcal{E}$.c; $\mathcal{E}$.Decrypt(sk, $\mathcal{E}$.c) recovers $m$.
Overview of Our Construction. In the construction of our KDM-CCA secure PKE schemes, we adopt a key encapsulation mechanism (KEM) + data encapsulation mechanism (DEM) approach [18] and employ three building blocks, KEM, $\mathcal{E}$, and AIAE, as shown in Figure 1:

(i) KEM and $\mathcal{E}$ share the same pair of public and secret keys.

(ii) A key k is encapsulated by KEM.Encrypt, and an encapsulation kem.c is generated by KEM.Encrypt along the way.

(iii) The message $m$ is encrypted by $\mathcal{E}$.Encrypt, and the resulting $\mathcal{E}$-ciphertext is $\mathcal{E}$.c.

(iv) The key k generated by KEM is used by AIAE.Encrypt to encrypt $\mathcal{E}$.c with auxiliary input ai := kem.c, and the resulting AIAE-ciphertext is aiae.c.

(v) The ciphertext of our PKE scheme is (kem.c, aiae.c).

Following this approach, we design KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA and KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE schemes, respectively, by constructing specific building blocks.
Differences to Conference Version. This paper constitutes an extended full version of [17]. The new results in this paper are as follows.

(i) In contrast to presenting a concrete construction of AIAE in the conference paper, we give a general paradigm for constructing AIAE from a one-time secure authenticated encryption (AE) and a tag-based hash proof system (HPS) in this paper.

(a) In Section 3.2, we show that the resulting AIAE is IND-RKA secure and weak-INT-RKA secure as long as the underlying tag-based HPS is universal$_2$, extracting, and key-homomorphic.

(b) In Section 3.3, we give an instantiation of tag-based HPS based on the DDH assumption. Following our paradigm, we obtain a DDH-based AIAE scheme in Section 3.4.

We view the specific AIAE proposed in the conference paper as an instantiation of the general paradigm presented in this paper.

(ii) In this paper, we provide the full proofs of the theorems regarding the KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security and KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security of our PKEs. Compared with the conference paper, we add the proofs of Lemmas 16, 18, 25, 26, and 29 and the proof of indistinguishability between Hybrids 2 and 3 in Section 5.3.
2. Preliminaries

Throughout this paper, denote by $\lambda \in \mathbb{N}$ the security parameter. $y \leftarrow_{\$} \mathcal{Y}$ means choosing an element $y$ from set $\mathcal{Y}$ uniformly; $y \leftarrow_{\$} \mathcal{A}(x; r)$ means executing algorithm $\mathcal{A}$ with input $x$ and randomness $r$ and assigning the output to $y$. We sometimes abbreviate this to $y \leftarrow_{\$} \mathcal{A}(x)$. "PPT" is short for probabilistic polynomial-time. For integers $n < m$, we denote $[n] := \{1, 2, \dots, n\}$ and $[n, m] := \{n, n+1, \dots, m\}$. For a security notion YY and a primitive XX, the advantage of a PPT adversary $\mathcal{A}$ is typically denoted by $\mathrm{Adv}^{\mathrm{yy}}_{\mathrm{XX},\mathcal{A}}(\lambda)$, and we denote $\mathrm{Adv}^{\mathrm{yy}}_{\mathrm{XX}}(\lambda) := \max_{\mathrm{PPT}\ \mathcal{A}} \mathrm{Adv}^{\mathrm{yy}}_{\mathrm{XX},\mathcal{A}}(\lambda)$. Let $\mathrm{negl}(\cdot)$ denote an unspecified negligible function.

Games. We will use games in our security definitions and proofs. Typically, a game G begins with an initialize procedure and ends with a finalize procedure. In the game, there might be other procedures proc$_1$, ..., proc$_n$, which perform as oracles. All procedures are presented with pseudocode; all sets are initialized as empty sets, and all variables are initialized as empty strings. In the execution of a game G with an adversary $\mathcal{A}$, firstly $\mathcal{A}$ calls initialize and obtains its output; then $\mathcal{A}$ makes arbitrary oracle queries to proc$_i$ according to their specifications and obtains their outputs; finally $\mathcal{A}$ calls finalize. At the end of the execution, if finalize outputs $b$, then we write this as $\mathrm{G}^{\mathcal{A}} \Rightarrow b$. The statement $a \overset{\mathrm{G}}{=} b$ means that in game G, $a$ is computed as $b$ or $a$ equals $b$.

Figure 2: n-KDM[F]-CCA security game.

  Proc. initialize:
    pars <-$ ParGen(1^λ)
    For i ∈ [n]: (pk_i, sk_i) <-$ KeyGen(pars)
    β <-$ {0, 1}
    Output (pars, pk_1, ..., pk_n)

  Proc. encrypt(f ∈ F, i ∈ [n]):
    m_1 := f(sk_1, ..., sk_n);  m_0 := 0^{|m_1|}
    pke.c <-$ Encrypt(pk_i, m_β)
    E := E ∪ {(pke.c, i)}
    Output pke.c

  Proc. decrypt(pke.c, i ∈ [n]):
    If (pke.c, i) ∈ E: Output ⊥
    Output Decrypt(sk_i, pke.c)

  Proc. finalize(β'):
    Output (β' = β)

2.1. Public-Key Encryption. There are four PPT algorithms PKE = (ParGen, KeyGen, Encrypt, Decrypt) in a public-key encryption (PKE) scheme:
(i) ParGen($1^\lambda$) outputs a public parameter pars. We assume that pars implicitly defines a secret key space $\mathcal{SK}$ and a message space $\mathcal{M}$.

(ii) KeyGen(pars) takes pars as input and outputs a public key pk and a secret key sk.

(iii) Encrypt(pk, $m$) takes pk and a message $m \in \mathcal{M}$ as input and outputs a ciphertext pke.c.

(iv) Decrypt(sk, pke.c) takes sk and a ciphertext pke.c as input and outputs either a message $m$ or a symbol $\bot$ indicating the failure of the decryption.

We require PKE to have perfect correctness, that is, for all possible pars $\leftarrow_{\$}$ ParGen($1^\lambda$) and all $m \in \mathcal{M}$, we have

$\Pr[(\mathrm{pk}, \mathrm{sk}) \leftarrow_{\$} \mathrm{KeyGen}(\mathrm{pars}) : \mathrm{Decrypt}(\mathrm{sk}, \mathrm{Encrypt}(\mathrm{pk}, m)) = m] = 1.$ (1)

Definition 1 (KDM[F]-CCA security). Let $n \in \mathbb{N}$ and let $\mathcal{F}$ denote a set of functions from $(\mathcal{SK})^n$ to $\mathcal{M}$. A scheme PKE is $n$-KDM[$\mathcal{F}$]-CCA secure if for any PPT adversary $\mathcal{A}$ we have $\mathrm{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathrm{PKE},\mathcal{A}}(\lambda) := |\Pr[n\text{-}\mathrm{KDM}[\mathcal{F}]\text{-}\mathrm{CCA}^{\mathcal{A}} \Rightarrow 1] - 1/2| \le \mathrm{negl}(\lambda)$, where $n$-KDM[$\mathcal{F}$]-CCA is the security game shown in Figure 2.
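The game of Figure 2 is easiest to internalise by running it. The following Python harness is an added example and is not code from the paper: it implements initialize, encrypt, decrypt, and finalize as in Figure 2 (with 0-based key indices) and runs them against a toy hashed-ElGamal scheme carrying the folklore counterexample that separates IND-CPA from KDM security: Encrypt can test whether the message is the secret key behind pk (by checking $G^m = \mathrm{pk}$) and, if so, outputs it in the clear. The group parameters, the 64-bit KDF, and the scheme itself are constructed for illustration and are not secure; all names are ours.

```python
"""Added example: the n-KDM[F]-CCA game of Figure 2 as a harness, run against a
toy scheme that is trivially KDM-insecure.  Parameters are constructed and tiny."""
import hashlib
import random

# Constructed toy parameters: P = 2Q + 1 with Q prime; G = 4 generates QR_P (order Q).
P, Q, G = 1019, 509, 4


def kdf(element):
    """Hash a group element to a 64-bit pad (hashed-ElGamal style, toy KDF)."""
    return int.from_bytes(hashlib.sha256(str(element).encode()).digest()[:8], "big")


class FlawedPKE:
    """Hashed ElGamal plus the classic key-dependent-message flaw: Encrypt checks
    whether m is the secret key behind pk (G^m == pk) and then outputs m in the
    clear.  An IND-CPA adversary never knows sk, so it cannot reach that branch;
    the KDM adversary asks for f(sk) = sk and reaches it without learning sk."""

    def keygen(self, rng):
        sk = rng.randrange(1, Q)
        return pow(G, sk, P), sk

    def encrypt(self, pk, m, rng):
        if pow(G, m, P) == pk:                      # the flaw: m is the secret key
            return ("leak", m)
        r = rng.randrange(1, Q)
        return ("ct", pow(G, r, P), m ^ kdf(pow(pk, r, P)))

    def decrypt(self, sk, c):
        if c[0] == "leak":
            return c[1]
        _, c1, c2 = c
        return c2 ^ kdf(pow(c1, sk, P))


class KDMCCAGame:
    """Figure 2 with keys indexed 0..n-1.  E records challenge ciphertexts that
    the decryption oracle must refuse."""

    def __init__(self, pke, n, seed):
        self.pke = pke
        self.rng = random.Random(seed)
        self.keys = [pke.keygen(self.rng) for _ in range(n)]
        self.beta = self.rng.randrange(2)
        self.E = set()

    def initialize(self):
        return [pk for pk, _ in self.keys]

    def encrypt(self, f, i):
        sks = [sk for _, sk in self.keys]
        m1 = f(*sks)                                 # key-dependent message f(sk_1, ..., sk_n)
        m0 = 0                                       # 0^{|m1|}, messages are integers here
        c = self.pke.encrypt(self.keys[i][0], m1 if self.beta else m0, self.rng)
        self.E.add((c, i))
        return c

    def decrypt(self, c, i):
        if (c, i) in self.E:
            return None                              # ⊥: challenge ciphertexts are off limits
        return self.pke.decrypt(self.keys[i][1], c)

    def finalize(self, guess):
        return guess == self.beta


def circular_adversary(game):
    """Queries encrypt with the selection function f(sk_1, ..., sk_n) = sk_1 (in F_aff)
    and reads beta off the shape of the answer."""
    game.initialize()
    c = game.encrypt(lambda *sks: sks[0], 0)
    assert game.decrypt(c, 0) is None                # the oracle refuses the challenge
    return game.finalize(1 if c[0] == "leak" else 0)


def win_rate(trials, seed=0):
    """Fraction of games won; 1.0 means advantage 1/2, i.e. not 2-KDM[F_aff]-CCA secure."""
    wins = sum(circular_adversary(KDMCCAGame(FlawedPKE(), 2, seed + t)) for t in range(trials))
    return wins / trials


def roundtrip_ok(seed=0):
    """Ordinary messages still decrypt correctly, so the scheme satisfies (1)."""
    rng = random.Random(seed)
    pke = FlawedPKE()
    pk, sk = pke.keygen(rng)
    return all(pke.decrypt(sk, pke.encrypt(pk, m, rng)) == m for m in (0, 1, 2**40 + 7))
```

The adversary never learns sk_1: it asks the encryption oracle for f(sk_1, sk_2) = sk_1, which the scheme cannot refuse because Encrypt itself recognises the key, and wins with probability 1. The decryption oracle still returns ⊥ on the challenge ciphertext, so the bookkeeping set E behaves as in Figure 2 and the break is a pure KDM-CPA break.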
2.2. Authenticated Encryption. There are three PPT algorithms AE = (AE.ParGen, AE.Encrypt, AE.Decrypt) in an authenticated encryption (AE) scheme:

(i) AE.ParGen($1^\lambda$) generates a system parameter pars$_{\mathrm{AE}}$. We require pars$_{\mathrm{AE}}$ to be an implicit input to the other algorithms and assume that pars$_{\mathrm{AE}}$ implicitly defines a key space $\mathcal{K}_{\mathrm{AE}}$ and a message space $\mathcal{M}$.

(ii) AE.Encrypt(k, $m$) takes a key k $\in \mathcal{K}_{\mathrm{AE}}$ and a message $m \in \mathcal{M}$ as input and outputs a ciphertext ae.c.

(iii) AE.Decrypt(k, ae.c) takes a key k $\in \mathcal{K}_{\mathrm{AE}}$ and a ciphertext ae.c as input and outputs a message $m \in \mathcal{M}$ or a symbol $\bot$.

We require AE to have perfect correctness, that is, for all possible pars$_{\mathrm{AE}} \leftarrow_{\$}$ AE.ParGen($1^\lambda$), all keys k $\in \mathcal{K}_{\mathrm{AE}}$, and all $m \in \mathcal{M}$,

$\Pr[\mathrm{AE.Decrypt}(\mathrm{k}, \mathrm{AE.Encrypt}(\mathrm{k}, m)) = m] = 1.$ (2)

Definition 2 (one-time security). A scheme AE is one-time secure (OT-secure), that is, IND-OT and INT-OT secure, if for any PPT $\mathcal{A}$ both $\mathrm{Adv}^{\mathrm{ind\text{-}ot}}_{\mathrm{AE},\mathcal{A}}(\lambda) := |\Pr[\mathrm{IND\text{-}OT}^{\mathcal{A}} \Rightarrow 1] - 1/2| \le \mathrm{negl}(\lambda)$ and $\mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE},\mathcal{A}}(\lambda) := \Pr[\mathrm{INT\text{-}OT}^{\mathcal{A}} \Rightarrow 1] \le \mathrm{negl}(\lambda)$, where IND-OT and INT-OT are the security games presented in Figure 3.
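As an added illustration of Definition 2 (this is not the paper's AE, whose construction comes later): a one-time AE built from a one-time pad and the pairwise-independent MAC $t = a \cdot c + b \bmod P$, with the INT-OT game of Figure 3(b) written out, a forger that has only the one permitted query, and a second routine showing why "one-time" is essential. The field prime, the message length, all keys, and all function names are constructed for the demo.

```python
"""Added example: a one-time secure AE (Definition 2) from a one-time pad and a
one-time MAC, the INT-OT game of Figure 3(b), and the key-reuse break."""
import random

P = 2**61 - 1          # Mersenne prime; MAC tags live in GF(P)
MSG_BITS = 60          # messages are integers below 2^60 < P


def ae_keygen(rng):
    """k = (pad, a, b): a one-time pad and the key of the MAC t = a*c + b mod P."""
    return (rng.getrandbits(MSG_BITS), rng.randrange(P), rng.randrange(P))


def ae_encrypt(k, m):
    pad, a, b = k
    c = m ^ pad                    # the one-time pad gives IND-OT
    return (c, (a * c + b) % P)    # encrypt-then-MAC gives INT-OT


def ae_decrypt(k, aec):
    pad, a, b = k
    c, tag = aec
    if (a * c + b) % P != tag:
        return None                # ⊥
    return c ^ pad


def int_ot_game(forger, seed):
    """Figure 3(b): one encryption query, then a forgery that must differ from
    the queried ciphertext.  Returns True iff the forgery is accepted."""
    rng = random.Random(seed)
    k = ae_keygen(rng)
    queried = {}

    def encrypt_oracle(m):
        assert not queried, "one query only"
        queried["aec"] = ae_encrypt(k, m)
        return queried["aec"]

    forged = forger(encrypt_oracle, rng)
    if forged == queried["aec"]:
        return False
    return ae_decrypt(k, forged) is not None


def blind_forger(encrypt_oracle, rng):
    """With a single ciphertext the tag of any other c is uniform: guessing is all
    that is left, and succeeds with probability 1/P."""
    c, _ = encrypt_oracle(rng.getrandbits(MSG_BITS))
    return ((c + 1) % 2**MSG_BITS, rng.randrange(P))


def key_reuse_break(seed):
    """Two ciphertexts under one key leak m1 xor m2 and the MAC key: solve
    t1 - t2 = a (c1 - c2) for a, then b, then forge a tag for a fresh c3."""
    rng = random.Random(seed)
    k = ae_keygen(rng)
    m1, m2 = rng.getrandbits(MSG_BITS), rng.getrandbits(MSG_BITS)
    (c1, t1), (c2, t2) = ae_encrypt(k, m1), ae_encrypt(k, m2)
    if c1 == c2:
        return False
    a = (t1 - t2) * pow((c1 - c2) % P, -1, P) % P
    b = (t1 - a * c1) % P
    c3 = c1 ^ 0x5A5A                               # any ciphertext not seen before
    forged = (c3, (a * c3 + b) % P)
    return ae_decrypt(k, forged) is not None and (c1 ^ c2) == (m1 ^ m2)
```

The construction is information-theoretically one-time secure, which is exactly what the paradigm later needs from its AE; the second routine shows that one more query under the same key destroys both properties, so reuse must come from the surrounding scheme's key derivation, never from the AE itself.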
2.3. Key Encapsulation Mechanism. There are three PPT algorithms KEM = (KEM.KeyGen, KEM.Encrypt, KEM.Decrypt) in a key encapsulation mechanism (KEM):

(i) KEM.KeyGen($1^\lambda$) generates a public key pk and a secret key sk.

(ii) KEM.Encrypt(pk) takes pk as input and outputs a key k together with a ciphertext kem.c.

(iii) KEM.Decrypt(sk, kem.c) takes sk and a ciphertext kem.c as input and outputs either a key k or a symbol $\bot$.
Figure 3: IND-OT (a) and INT-OT (b) security games.

(a) IND-OT
  Proc. initialize:
    pars_AE <-$ AE.ParGen(1^λ);  k <-$ K_AE;  β <-$ {0, 1}
    Output pars_AE

  Proc. encrypt(m_0, m_1):   (one query)
    If |m_0| ≠ |m_1|: Output ⊥
    ae.c <-$ AE.Encrypt(k, m_β)
    Output ae.c

  Proc. finalize(β'):
    Output (β' = β)

(b) INT-OT
  Proc. initialize:
    pars_AE <-$ AE.ParGen(1^λ);  k <-$ K_AE
    Output pars_AE

  Proc. encrypt(m):   (one query)
    ae.c <-$ AE.Encrypt(k, m)
    Output ae.c

  Proc. finalize(ae.c*):
    If ae.c* = ae.c: Output 0
    Output (AE.Decrypt(k, ae.c*) ≠ ⊥)
We require KEM to have perfect correctness, that is, for all possible (pk, sk) $\leftarrow_{\$}$ KEM.KeyGen($1^\lambda$), we have

$\Pr[(\mathrm{k}, \mathrm{kem.c}) \leftarrow_{\$} \mathrm{KEM.Encrypt}(\mathrm{pk}) : \mathrm{KEM.Decrypt}(\mathrm{sk}, \mathrm{kem.c}) = \mathrm{k}] = 1.$ (3)

2.4. Tag-Based Hash Proof System: Universal$_2$, Extracting, and Key-Homomorphism. Tag-based hash proof system (HPS) was first defined in [19]. The definition is similar to extended HPS [20], but the universal$_2$ property is slightly different.

Definition 3 (tag-based hash proof system). A tag-based hash proof system THPS = (THPS.Setup, THPS.Pub, THPS.Priv) is comprised of three PPT algorithms:

(i) THPS.Setup($1^\lambda$) outputs a parameterized instance pars$_{\mathrm{THPS}}$, which implicitly defines $(\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}, \Lambda_{(\cdot)}, \mu)$, where $\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}$ are all finite sets with $\mathcal{V} \subseteq \mathcal{C}$, $\Lambda_{(\cdot)} : \mathcal{C} \times \mathcal{T} \to \mathcal{K}$ is a set of hash functions indexed by hk $\in \mathcal{HK}$, and $\mu : \mathcal{HK} \to \mathcal{PK}$ is a function. We assume that $\mu$ is efficiently computable and that there are PPT algorithms sampling hk $\leftarrow_{\$} \mathcal{HK}$ uniformly, sampling $C \leftarrow_{\$} \mathcal{C}$ uniformly, sampling $C \leftarrow_{\$} \mathcal{V}$ uniformly together with a witness $w$, and checking membership in $\mathcal{C}$.

(ii) THPS.Pub(pk, $C$, $w$, $t$) takes a projection key pk $= \mu(\mathrm{hk}) \in \mathcal{PK}$, an element $C \in \mathcal{V}$ with a witness $w$, and a tag $t \in \mathcal{T}$ as input and outputs a hash value $K = \Lambda_{\mathrm{hk}}(C, t) \in \mathcal{K}$.

(iii) THPS.Priv(hk, $C$, $t$) takes a hashing key hk $\in \mathcal{HK}$, an element $C \in \mathcal{C}$, and a tag $t \in \mathcal{T}$ as input and outputs a hash value $K = \Lambda_{\mathrm{hk}}(C, t) \in \mathcal{K}$ without knowing a witness.

We require THPS to be projective, that is, for all pars$_{\mathrm{THPS}} \leftarrow_{\$}$ THPS.Setup($1^\lambda$), all hk $\in \mathcal{HK}$ and pk $= \mu(\mathrm{hk}) \in \mathcal{PK}$, all $C \in \mathcal{V}$ with all witnesses $w$, and all $t \in \mathcal{T}$, it holds that

$\mathrm{THPS.Pub}(\mathrm{pk}, C, w, t) = \Lambda_{\mathrm{hk}}(C, t) = \mathrm{THPS.Priv}(\mathrm{hk}, C, t).$ (4)

Tag-based HPS is associated with a subset membership problem. Informally speaking, it asks to distinguish the uniform distribution over $\mathcal{V}$ from the uniform distribution over $\mathcal{C} \setminus \mathcal{V}$.

Definition 4 (SMP). The Subset Membership Problem (SMP) related to THPS is hard if for any PPT adversary $\mathcal{A}$ one has

$\mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS},\mathcal{A}}(\lambda) := |\Pr[\mathcal{A}(\mathrm{pars}_{\mathrm{THPS}}, C) = 1] - \Pr[\mathcal{A}(\mathrm{pars}_{\mathrm{THPS}}, C') = 1]| \le \mathrm{negl}(\lambda),$ (5)

where pars$_{\mathrm{THPS}} \leftarrow_{\$}$ THPS.Setup($1^\lambda$), $C \leftarrow_{\$} \mathcal{V}$, and $C' \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

Definition 5 (universal$_2$). THPS is called (strongly) universal$_2$ if for all possible pars$_{\mathrm{THPS}} \leftarrow_{\$}$ THPS.Setup($1^\lambda$), all pk $\in \mathcal{PK}$, all $C \in \mathcal{C}$, all $C' \in \mathcal{C} \setminus \mathcal{V}$, all $t, t' \in \mathcal{T}$ with $t \ne t'$, and all $K, K' \in \mathcal{K}$, it holds that

$\Pr[\Lambda_{\mathrm{hk}}(C', t') = K' \mid \mu(\mathrm{hk}) = \mathrm{pk},\ \Lambda_{\mathrm{hk}}(C, t) = K] = 1/|\mathcal{K}|,$ (6)

where the probability is over hk $\leftarrow_{\$} \mathcal{HK}$.

The key difference between tag-based HPS and extended HPS lies in the definition of the universal$_2$ property [19]. Extended HPS requires (6) to hold for $(C, t) \ne (C', t')$, while tag-based HPS requires (6) to hold only for $t \ne t'$. Hence, any (universal$_2$) extended HPS is also a (universal$_2$) tag-based HPS, but not vice versa. Tag-based HPS is essentially a weaker variant of extended HPS and admits more efficient constructions.
Dodis et al. [21] defined an extracting property for extended HPS, which requires the hash value $\Lambda_{\mathrm{hk}}(C, t)$ to be uniformly distributed over $\mathcal{K}$ for any $C \in \mathcal{C}$ and $t \in \mathcal{T}$, as long as hk is randomly chosen from $\mathcal{HK}$. Besides, Xagawa [22] considered a key-homomorphic property for extended HPS, which stipulates that $\Lambda_{\mathrm{hk}+\Delta}(C, t) = \Lambda_{\mathrm{hk}}(C, t) \cdot \Lambda_{\Delta}(C, t)$ holds for any hk, $\Delta \in \mathcal{HK}$, $C \in \mathcal{C}$, and $t \in \mathcal{T}$. Here we adapt these notions to tag-based HPS.

Definition 6 (extracting). THPS is called extracting if for all pars$_{\mathrm{THPS}} \leftarrow_{\$}$ THPS.Setup($1^\lambda$), all $C \in \mathcal{C}$, all $t \in \mathcal{T}$, and all $K \in \mathcal{K}$, it holds that

$\Pr[\Lambda_{\mathrm{hk}}(C, t) = K] = 1/|\mathcal{K}|,$ (7)

where hk $\leftarrow_{\$} \mathcal{HK}$.

Definition 7 (key-homomorphism). THPS is called key-homomorphic if for all pars$_{\mathrm{THPS}} \leftarrow_{\$}$ THPS.Setup($1^\lambda$), which defines $(\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}, \Lambda_{(\cdot)}, \mu)$, one has the following:

(i) Both $(\mathcal{HK}, +)$ and $(\mathcal{K}, \cdot)$ are groups.

(ii) For all $C \in \mathcal{C}$ and all $t \in \mathcal{T}$, the mapping $\Lambda_{(\cdot)}(C, t) : \mathcal{HK} \to \mathcal{K}$ is a group homomorphism. That is, for all hk, b $\in \mathcal{HK}$ and all $a \in \mathbb{Z}$, it holds that $\Lambda_{a \cdot \mathrm{hk} + \mathrm{b}}(C, t) = (\Lambda_{\mathrm{hk}}(C, t))^{a} \cdot \Lambda_{\mathrm{b}}(C, t)$.
2.5. DCR, DDH, DL, and IV$_d$ Assumptions. Suppose that GenN($1^\lambda$) is a PPT algorithm generating $(p, q, N, \bar N)$, where $p, q$ are safe primes of $\lambda$ bits, $N = pq$, and $\bar N = 2N + 1$ is a prime. We define the following:

(i) $\mathrm{QR}_{\bar N} := \{a^2 \bmod \bar N \mid a \in \mathbb{Z}^*_{\bar N}\}$.

Then $\mathrm{QR}_{\bar N}$ is a cyclic group of order $N$. For $s \in \mathbb{N}$ and $T = 1 + N$, we define

(i) $\mathrm{QR}_{N^s} := \{a^2 \bmod N^s \mid a \in \mathbb{Z}^*_{N^s}\}$;

(ii) $\mathrm{SCR}_{N^s} := \{a^{2N^{s-1}} \bmod N^s \mid a \in \mathbb{Z}^*_{N^s}\}$;

(iii) $\mathrm{RU}_{N^s} := \{T^r \bmod N^s \mid r \in [N^{s-1}]\}$.

Then $\mathrm{SCR}_{N^s}$ is a cyclic group of order $\varphi(N)/4$, and $\mathrm{QR}_{N^s} = \mathrm{SCR}_{N^s} \otimes \mathrm{RU}_{N^s}$, where $\otimes$ represents the internal direct product.

Damgård and Jurik [23] showed that the discrete logarithm $\mathrm{dlog}_T(u) \in [N^{s-1}]$ of an element $u \in \mathrm{RU}_{N^s}$ can be efficiently computed from $u$ and $N$. Observe that $\mathbb{Z}^*_{N^s} = \mathbb{Z}_2 \otimes \mathbb{Z}'_2 \otimes \mathrm{SCR}_{N^s} \otimes \mathrm{RU}_{N^s}$; thus for any $v = v(\mathbb{Z}_2) \cdot v(\mathbb{Z}'_2) \cdot v(\mathrm{SCR}_{N^s}) \cdot T^{x} \in \mathbb{Z}^*_{N^s}$, we have $v^{\varphi(N)} = T^{x \cdot \varphi(N)} \in \mathrm{RU}_{N^s}$ and

$\mathrm{dlog}_T(v^{\varphi(N)}) / \varphi(N) \bmod N^{s-1} = x.$ (8)

Definition 8 (DCR assumption). The Decisional Composite Residuosity (DCR) assumption holds for GenN and $\mathrm{QR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that

$\mathrm{Adv}^{\mathrm{dcr}}_{\mathrm{GenN},\mathcal{A}}(\lambda) := |\Pr[\mathcal{A}(N, u) = 1] - \Pr[\mathcal{A}(N, v) = 1]| \le \mathrm{negl}(\lambda),$ (9)

where $(p, q, N, \bar N) \leftarrow_{\$}$ GenN($1^\lambda$), $u \leftarrow_{\$} \mathrm{QR}_{N^s}$, and $v \leftarrow_{\$} \mathrm{SCR}_{N^s}$.

The Interactive Vector (IV$_d$) assumption is implied by the DCR assumption, as shown in [5]. Here we recall the IV$_d$ assumption according to [16].

Definition 9 (IV$_d$ assumption). The IV$_d$ assumption holds for GenN and $\mathrm{QR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that

$\mathrm{Adv}^{\mathrm{iv}_d}_{\mathrm{GenN},\mathcal{A}}(\lambda) := |\Pr[\mathcal{A}^{\mathsf{chal}^b_{\mathrm{IV}_d}}(N, g_1, \dots, g_d) = b] - 1/2| \le \mathrm{negl}(\lambda),$ (10)

where $(p, q, N, \bar N) \leftarrow_{\$}$ GenN($1^\lambda$), $g_1, \dots, g_d \leftarrow_{\$} \mathrm{SCR}_{N^s}$, $b \leftarrow_{\$} \{0, 1\}$, and $\mathcal{A}$ is allowed to query the oracle $\mathsf{chal}^b_{\mathrm{IV}_d}(\cdot)$ adaptively. Each time, $\mathcal{A}$ can submit $(\delta_1, \dots, \delta_d)$ to the oracle, and $\mathsf{chal}^b_{\mathrm{IV}_d}(\delta_1, \dots, \delta_d)$ selects $r \leftarrow_{\$} [\lfloor N/4 \rfloor]$ randomly; if $b = 0$, the oracle outputs $(g_1^{r}, \dots, g_d^{r})$ to $\mathcal{A}$; otherwise, it outputs $(g_1^{r} T^{\delta_1}, \dots, g_d^{r} T^{\delta_d})$ to $\mathcal{A}$, where $T = 1 + N$.
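Added example (not code from the paper) for formula (8) and Definition 9 together: the discrete logarithm in $\mathrm{RU}_{N^s}$ computed by a digit-wise lifting that realises the Damgård-Jurik computation, the projection of formula (8), the $\mathsf{chal}^b_{\mathrm{IV}_d}$ oracle, and the observation that anyone holding $\varphi(N)$ (the factorisation of $N$) reads $b$ straight off a challenge; the IV$_d$ assumption is exactly the claim that nobody without it can. The safe primes are toy values, the lifting routine is our own phrasing of the algorithm rather than the one in [23], and all function names are ours.

```python
"""Added example: dlog in RU_{N^s} = <T>, T = 1 + N; formula (8); the chal^b_{IV_d}
oracle of Definition 9 and its trapdoor distinguisher.  Toy parameters only."""
import random

P_SAFE, Q_SAFE = 23, 59                # 23 = 2*11 + 1, 59 = 2*29 + 1 (constructed, tiny)
N = P_SAFE * Q_SAFE                    # 1357
PHI_N = (P_SAFE - 1) * (Q_SAFE - 1)    # 1276, coprime to N as the inversion below needs


def dlog_T(u, N, s):
    """x in [0, N^(s-1)) with (1+N)^x = u mod N^s, for u in RU_{N^s}.
    Digit-wise lifting: T^(N^k) = 1 + N^(k+1) mod N^(k+2), so once the lower
    base-N digits of x are stripped, the next digit is linear in u mod N^(k+2)."""
    Ns, T, x = N**s, 1 + N, 0
    for k in range(s - 1):
        u_k = u * pow(T, -x, Ns) % Ns                 # = T^(N^k * y) with y = x_k mod N
        digit = (u_k % N**(k + 2) - 1) // N**(k + 1)  # exact division, 0 <= digit < N
        x += digit * N**k
    return x


def t_component(v, N, phi_n, s):
    """Formula (8): raising to phi(N) kills the Z_2, Z'_2 and SCR components and
    leaves T^(x*phi(N)); divide the logarithm by phi(N) modulo N^(s-1)."""
    d = dlog_T(pow(v, phi_n, N**s), N, s)
    return d * pow(phi_n, -1, N**(s - 1)) % N**(s - 1)


def embed(x, h, N, s):
    """v = h^(N^(s-1)) * T^x: h^(N^(s-1)) has order dividing phi(N), so the RU
    component of v is exactly T^x.  Used to build test inputs with known x."""
    Ns = N**s
    return pow(h, N**(s - 1), Ns) * pow(1 + N, x, Ns) % Ns


def scr_element(h, N, s):
    """g = h^(2 N^(s-1)) mod N^s lies in SCR_{N^s} by definition (ii)."""
    return pow(h, 2 * N**(s - 1), N**s)


def iv_challenge(b, gs, deltas, N, s, seed):
    """One query to chal^b_{IV_d}: fresh r <-$ [floor(N/4)]; output g_i^r when b = 0
    and g_i^r T^{delta_i} when b = 1."""
    Ns, T = N**s, 1 + N
    r = random.Random(seed).randrange(1, N // 4 + 1)
    return [pow(g, r, Ns) * (pow(T, d, Ns) if b else 1) % Ns for g, d in zip(gs, deltas)]


def iv_decide_with_trapdoor(challenge, N, phi_n, s):
    """With phi(N) the RU components are readable through (8): all zero for b = 0,
    delta_i mod N^(s-1) for b = 1 (g_i^r contributes nothing, g_i being in SCR)."""
    return 1 if any(t_component(c, N, phi_n, s) for c in challenge) else 0


def iv_demo(b, seed, s=3):
    """Run one IV_3 query against the toy modulus and decide b with the trapdoor."""
    gs = [scr_element(h, N, s) for h in (2, 3, 5)]
    challenge = iv_challenge(b, gs, [1, 0, 42], N, s, seed)
    return iv_decide_with_trapdoor(challenge, N, PHI_N, s)
```

The reduction in Appendix B never uses the trapdoor: it forwards IV$_5$ challenges and answers decryption queries with the secret keys alone, which is why any gap between Hybrids 2 and 3 turns into an IV$_5$ distinguisher rather than into a factoring algorithm.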
Definition 10 (DDH assumption). The DDH assumption holds for GenN and $\mathrm{QR}_{\bar N}$ if for any PPT $\mathcal{A}$ it holds that

$\mathrm{Adv}^{\mathrm{ddh}}_{\mathrm{GenN},\mathcal{A}}(\lambda) := |\Pr[\mathcal{A}(\bar N, p, q, g_1, g_2, g_1^{x}, g_2^{x}) = 1] - \Pr[\mathcal{A}(\bar N, p, q, g_1, g_2, g_1^{x}, g_2^{y}) = 1]| \le \mathrm{negl}(\lambda),$ (11)

where $(p, q, N, \bar N) \leftarrow_{\$}$ GenN($1^\lambda$), $g_1, g_2 \leftarrow_{\$} \mathrm{QR}_{\bar N}$, and $x, y \leftarrow_{\$} \mathbb{Z}_N \setminus \{0\}$.

Definition 11 (DL assumption). The Discrete Logarithm (DL) assumption holds for GenN and $\mathrm{SCR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that

$\mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN},\mathcal{A}}(\lambda) := \Pr[\mathcal{A}(N, p, q, g, g^{x}) = x] \le \mathrm{negl}(\lambda),$ (12)

where $(p, q, N, \bar N) \leftarrow_{\$}$ GenN($1^\lambda$), $g \leftarrow_{\$} \mathrm{SCR}_{N^s}$, and $x \leftarrow_{\$} [\varphi(N)/4]$.
2.6. Collision-Resistant Hashing

Definition 12 (collision-resistant hashing). Let $\mathcal{H} = \{\mathsf{H} : \mathcal{X} \rightarrow \mathcal{Y}\}$ be a set of hash functions. $\mathcal{H}$ is said to be collision-resistant if for any PPT $\mathcal{A}$ one has

$$\mathrm{Adv}^{\mathrm{cr}}_{\mathcal{H},\mathcal{A}}(\lambda) := \Pr\big[\mathsf{H} \leftarrow_{\$} \mathcal{H},\ (x, x') \leftarrow_{\$} \mathcal{A}(\mathsf{H}) : x \neq x' \wedge \mathsf{H}(x) = \mathsf{H}(x')\big] \le \mathsf{negl}(\lambda). \qquad (13)$$
3. Auxiliary-Input Authenticated Encryption

Our PKE constructions in Sections 4 and 5 will resort to a new primitive, AIAE. To serve the KDM-CCA security of our PKE construction in Figure 1, our AIAE should satisfy the following properties:

(i) AIAE must take an auxiliary input $\mathsf{ai}$ in both the encryption and decryption algorithms.
(ii) AIAE must have IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. Compared to the INT-$\mathcal{F}$-RKA security proposed in [16], the weak-INT-$\mathcal{F}$-RKA security imposes a special rule to determine whether the adversary's forgery is successful or not.

In the following, we present the syntax of AIAE and define its IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. We also show a general paradigm of AIAE from tag-based HPS and give an instantiation of AIAE under the DDH assumption.

3.1. Auxiliary-Input Authenticated Encryption

Definition 13 (AIAE). There are three PPT algorithms $\mathsf{AIAE} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ in an AIAE scheme:

(i) The parameter generation algorithm $\mathsf{AIAE.ParGen}(1^\lambda)$ generates a system parameter $\mathsf{pars}_{\mathsf{AIAE}}$. We require $\mathsf{pars}_{\mathsf{AIAE}}$ to be an implicit input to the other algorithms and assume that $\mathsf{pars}_{\mathsf{AIAE}}$ implicitly defines a key space $\mathcal{K}_{\mathsf{AIAE}}$, a message space $\mathcal{M}$ and an auxiliary-input space $\mathcal{AI}$.
(ii) The encryption algorithm $\mathsf{AIAE.Encrypt}(\mathbf{k}, m, \mathsf{ai})$ takes a key $\mathbf{k} \in \mathcal{K}_{\mathsf{AIAE}}$, a message $m \in \mathcal{M}$ and an auxiliary input $\mathsf{ai} \in \mathcal{AI}$ as input, and outputs a ciphertext $\mathsf{aiaec}$.
(iii) The decryption algorithm $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai})$ takes a key $\mathbf{k} \in \mathcal{K}_{\mathsf{AIAE}}$, a ciphertext $\mathsf{aiaec}$ and an auxiliary input $\mathsf{ai} \in \mathcal{AI}$ as input, and outputs a message $m \in \mathcal{M}$ or a symbol $\perp$.

We require AIAE to have perfect correctness, that is, for all possible $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$, all keys $\mathbf{k} \in \mathcal{K}_{\mathsf{AIAE}}$, all messages $m \in \mathcal{M}$ and all auxiliary inputs $\mathsf{ai} \in \mathcal{AI}$,

$$\Pr\big[\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{AIAE.Encrypt}(\mathbf{k}, m, \mathsf{ai}), \mathsf{ai}) = m\big] = 1. \qquad (14)$$

In fact, AIAE is a generalization of traditional AE, and traditional AE can be viewed as AIAE with $\mathcal{AI} = \emptyset$.

Definition 14 (RKA security). Denote by $\mathcal{F}$ a set of functions from $\mathcal{K}_{\mathsf{AIAE}}$ to $\mathcal{K}_{\mathsf{AIAE}}$. A scheme AIAE is IND-$\mathcal{F}$-RKA secure and weak-INT-$\mathcal{F}$-RKA secure if for any PPT $\mathcal{A}$,

$$\mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) := \Big|\Pr\big[\text{IND-}\mathcal{F}\text{-RKA}^{\mathcal{A}} \Rightarrow 1\big] - \tfrac{1}{2}\Big| \le \mathsf{negl}(\lambda),$$

$$\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) := \Pr\big[\text{weak-INT-}\mathcal{F}\text{-RKA}^{\mathcal{A}} \Rightarrow 1\big] \le \mathsf{negl}(\lambda), \qquad (15)$$

where IND-$\mathcal{F}$-RKA and weak-INT-$\mathcal{F}$-RKA are the security games presented in Figure 4.
3.2. Generic Construction of AIAE from Tag-Based HPS and OT-Secure AE

Our construction of AIAE needs the following ingredients:

(i) A tag-based hash proof system $\mathsf{THPS} = (\mathsf{THPS.Setup}, \mathsf{THPS.Pub}, \mathsf{THPS.Priv})$, where the hash value space is $\mathcal{K}$, the tag space is $\mathcal{T}$ and the hashing key space is $\mathcal{HK}$.
(ii) A (traditional) authenticated encryption scheme $\mathsf{AE} = (\mathsf{AE.ParGen}, \mathsf{AE.Encrypt}, \mathsf{AE.Decrypt})$, where the message space is $\mathcal{M}$ and the key space is $\mathcal{K}$.
(iii) A set of hash functions $\mathcal{H} = \{\mathsf{H} : \{0,1\}^* \rightarrow \mathcal{T}\}$.

We present our AIAE construction $\mathsf{AIAE} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ in Figure 5, whose key space is $\mathcal{K}_{\mathsf{AIAE}} := \mathcal{HK}$, message space is $\mathcal{M}$ and auxiliary-input space is $\mathcal{AI} := \{0,1\}^*$.

By the perfect correctness of AE, it is routine to check that AIAE has perfect correctness.

Theorem 15. If (i) THPS is universal$_2$, extracting, key-homomorphic and has a hard subset membership problem, (ii) AE is one-time secure and (iii) $\mathcal{H}$ is collision-resistant, then the scheme AIAE in Figure 5 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here $\mathcal{F}_{\mathrm{raff}} := \{ f_{(a,\mathbf{b})} : \mathsf{hk} \in \mathcal{HK} \mapsto a \cdot \mathsf{hk} + \mathbf{b} \in \mathcal{HK} \mid a \in \mathbb{Z}^*_{|\mathcal{K}|},\ \mathbf{b} \in \mathcal{HK} \}$ is the set of restricted affine functions.

Proof of Theorem 15 (IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security). Denote by $\mathcal{A}$ a PPT adversary who is against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security and queries the encrypt oracle at most $Q_e$ times. We show the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security through a series of games. For an event $\mathsf{E}$, we denote by $\Pr_j[\mathsf{E}]$, $\Pr_{j'}[\mathsf{E}]$ and $\Pr_{j''}[\mathsf{E}]$ the probability of $\mathsf{E}$ occurring in games $G_j$, $G'_j$ and $G''_j$, respectively.

Game $G_1$. It is the original IND-$\mathcal{F}_{\mathrm{raff}}$-RKA game. Denote the event $\beta' = \beta$ by $\mathsf{Succ}$. According to the definition, $\mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) = |\Pr_1[\mathsf{Succ}] - 1/2|$.
Figure 4: IND-$\mathcal{F}$-RKA (a) and weak-INT-$\mathcal{F}$-RKA (b) security games. We note that in the weak-INT-$\mathcal{F}$-RKA game there is a special rule (shaded in the original figure, marked "Special rule" below) of outputting 0 in finalize.

(a) IND-$\mathcal{F}$-RKA:
Proc. initialize: $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$; $\mathbf{k} \leftarrow_{\$} \mathcal{K}_{\mathsf{AIAE}}$; $\beta \leftarrow_{\$} \{0, 1\}$. Output $\mathsf{pars}_{\mathsf{AIAE}}$.
Proc. encrypt$(m_0, m_1, \mathsf{ai}, f \in \mathcal{F})$: If $|m_0| \neq |m_1|$, output $\perp$. $\mathsf{aiaec} \leftarrow_{\$} \mathsf{AIAE.Encrypt}(f(\mathbf{k}), m_\beta, \mathsf{ai})$. Output $\mathsf{aiaec}$.
Proc. finalize$(\beta')$: Output $(\beta' = \beta)$.

(b) weak-INT-$\mathcal{F}$-RKA:
Proc. initialize: $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$; $\mathbf{k} \leftarrow_{\$} \mathcal{K}_{\mathsf{AIAE}}$; $\mathcal{Q}_{\mathrm{ENC}} := \emptyset$; $\mathcal{Q}_{\mathrm{AI\text{-}F}} := \emptyset$. Output $\mathsf{pars}_{\mathsf{AIAE}}$.
Proc. encrypt$(m, \mathsf{ai}, f \in \mathcal{F})$: $\mathsf{aiaec} \leftarrow_{\$} \mathsf{AIAE.Encrypt}(f(\mathbf{k}), m, \mathsf{ai})$; $\mathcal{Q}_{\mathrm{ENC}} := \mathcal{Q}_{\mathrm{ENC}} \cup \{(\mathsf{ai}, f, \mathsf{aiaec})\}$; $\mathcal{Q}_{\mathrm{AI\text{-}F}} := \mathcal{Q}_{\mathrm{AI\text{-}F}} \cup \{(\mathsf{ai}, f)\}$. Output $\mathsf{aiaec}$.
Proc. finalize$(\mathsf{ai}^*, f^* \in \mathcal{F}, \mathsf{aiaec}^*)$: If $(\mathsf{ai}^*, f^*, \mathsf{aiaec}^*) \in \mathcal{Q}_{\mathrm{ENC}}$, output 0. Special rule: if there exists $(\mathsf{ai}, f) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai} = \mathsf{ai}^*$ but $f \neq f^*$, output 0. Output $(\mathsf{AIAE.Decrypt}(f^*(\mathbf{k}), \mathsf{aiaec}^*, \mathsf{ai}^*) \neq \perp)$.

Figure 5: Generic construction of AIAE from THPS and AE.
$\mathsf{AIAE.ParGen}(1^\lambda)$: $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$; $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$; $\mathsf{H} \leftarrow_{\$} \mathcal{H}$. Output $\mathsf{pars}_{\mathsf{AIAE}} = (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$.
$\mathsf{AIAE.Encrypt}(\mathsf{hk}, m, \mathsf{ai})$: $C \leftarrow_{\$} \mathcal{V}$ with witness $w$; $t = \mathsf{H}(C, \mathsf{ai}) \in \mathcal{T}$; $\kappa = \Lambda_{\mathsf{hk}}(C, t) \in \mathcal{K}$; $\chi \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa, m)$. Output $\langle C, \chi \rangle$.
$\mathsf{AIAE.Decrypt}(\mathsf{hk}, \langle C, \chi \rangle, \mathsf{ai})$: If $C \notin \mathcal{C}$, output $\perp$. $t = \mathsf{H}(C, \mathsf{ai}) \in \mathcal{T}$; $\kappa = \Lambda_{\mathsf{hk}}(C, t) \in \mathcal{K}$; $m/\perp \leftarrow \mathsf{AE.Decrypt}(\kappa, \chi)$. Output $m/\perp$.
As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_{\ell,0}, m_{\ell,1}, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, the challenger prepares the challenge ciphertext as follows:

(i) pick $C_\ell \leftarrow_{\$} \mathcal{V}$ together with witness $w_\ell$;
(ii) compute $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell) \in \mathcal{T}$;
(iii) compute $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell) \in \mathcal{K}$;
(iv) invoke $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$,

and it outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$.

Game $G_{1,j}$, $j \in [Q_e + 1]$. It is identical to $G_1$, except that for the first $j-1$ encrypt queries, that is, $\ell \in [j-1]$, the challenger chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ randomly for the AE scheme.

Clearly $G_{1,1}$ is identical to $G_1$; thus $\Pr_1[\mathsf{Succ}] = \Pr_{1,1}[\mathsf{Succ}]$.

Game $G'_{1,j}$, $j \in [Q_e]$. It is identical to $G_{1,j}$, except that for the $j$-th encrypt query the challenger samples $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $G_{1,j}$ and $G'_{1,j}$ lies in the distribution of $C_j$. In game $G_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $G'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between $G_{1,j}$ and $G'_{1,j}$ results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j}[\mathsf{Succ}] - \Pr_{1,j'}[\mathsf{Succ}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda)$.

Game $G''_{1,j}$, $j \in [Q_e]$. It is identical to $G'_{1,j}$, except that for the $j$-th encrypt query the challenger chooses $\kappa_j \leftarrow_{\$} \mathcal{K}$ randomly.

Lemma 16. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.

Proof. For game $G'_{1,j}$ and game $G''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$-th encrypt query. In $G'_{1,j}$, $\kappa_j$ is properly computed, while in $G''_{1,j}$ it is chosen from $\mathcal{K}$ uniformly.

We analyze the information about the key $\mathsf{hk}$ that is used in game $G'_{1,j}$:

(i) For the $\ell$-th ($\ell \in [j-1]$) query, encrypt does not use $\mathsf{hk}$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$-th ($\ell \in [j+1, Q_e]$) query, encrypt can use $\mathsf{pk} = \mu(\mathsf{hk})$ to compute $\kappa_\ell$:

$$\begin{aligned}
\kappa_\ell &= \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell), \quad C_\ell \leftarrow_{\$} \mathcal{V} \text{ with witness } w_\ell \\
&= \big(\Lambda_{\mathsf{hk}}(C_\ell, t_\ell)\big)^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) \quad \text{via key-homomorphism} \\
&= \big(\mathsf{THPS.Pub}(\mathsf{pk}, C_\ell, w_\ell, t_\ell)\big)^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) \quad \text{via the projective property.}
\end{aligned} \qquad (16)$$

(iii) For the $j$-th query, encrypt uses $\Lambda_{\mathsf{hk}}(C_j, t_j)$ to compute $\kappa_j$:

$$\begin{aligned}
\kappa_j &= \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j), \quad C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V} \\
&= \big(\Lambda_{\mathsf{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \quad \text{via key-homomorphism.}
\end{aligned} \qquad (17)$$

Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then, as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also randomly distributed over $\mathcal{K}$. Consequently, $G'_{1,j}$ is essentially the same as $G''_{1,j}$, and $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.

Now we show that game $G''_{1,j}$ is computationally indistinguishable from game $G_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $G''_{1,j}$ and $G_{1,j+1}$ lies in the distribution of $C_j$ in the $j$-th encrypt query. In game $G''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $G_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j''}[\mathsf{Succ}] - \Pr_{1,j+1}[\mathsf{Succ}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda)$.

Game $G_2$. It is identical to $G_{1,Q_e+1}$, except that when answering encrypt queries, the challenger invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$.

In game $G_{1,Q_e+1}$, the challenger computes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$; in game $G_2$, the challenger computes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$. Since each $\kappa_\ell$, $\ell \in [Q_e]$, is chosen from $\mathcal{K}$ uniformly at random, by a standard hybrid argument any difference between $G_{1,Q_e+1}$ and $G_2$ results in a PPT adversary against the IND-OT security of AE, so that $|\Pr_{1,Q_e+1}[\mathsf{Succ}] - \Pr_2[\mathsf{Succ}]| \le Q_e \cdot \mathrm{Adv}^{\mathrm{ind\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Finally, in game $G_2$, since the challenge ciphertexts are encryptions of $0^{|m_{\ell,0}|}$, $\beta$ is perfectly hidden from $\mathcal{A}$. So $\Pr_2[\mathsf{Succ}] = 1/2$.

Summing up, we proved the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security).
Proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security). Denote by $\mathcal{A}$ a PPT adversary who is against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security and queries the encrypt oracle at most $Q_e$ times. Similarly, the proof goes through a series of games, which are defined analogously to those of the previous proof.

Game $G_0$. It is the original weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, the challenger computes the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in similar steps as in the previous proof and outputs $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, the challenger will put $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into a set $\mathcal{Q}_{\mathrm{ENC}}$, put $(\mathsf{ai}_\ell, f_\ell)$ into a set $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and put $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ into a set $\mathcal{Q}_{\mathrm{TAG}}$. In the end, the adversary outputs a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$, where $f^* = \langle a^*, \mathbf{b}^* \rangle$, and the challenger invokes the finalize procedure as follows:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, output 0.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, output 0.
(iii) If $C^* \notin \mathcal{C}$, output 0.
(iv) Compute $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$ and $\kappa^* := \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$. Output $(\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp)$.

Denote the event that finalize outputs 1 by $\mathsf{Forge}$. According to the definition, $\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) = \Pr_0[\mathsf{Forge}]$.

Game $G_1$. It is identical to $G_0$, except that the following rule is added to the procedure finalize by the challenger:

(i) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, output 0.

Since $t_\ell = \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $t^* = \mathsf{H}(C^*, \mathsf{ai}^*)$, any difference between $G_0$ and $G_1$ implies a hash collision of $\mathsf{H}$. So $|\Pr_0[\mathsf{Forge}] - \Pr_1[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{cr}}_{\mathcal{H}}(\lambda)$.

Game $G_{1,j}$, $j \in [Q_e + 1]$. It is identical to $G_1$, except that for the first $j-1$ encrypt queries, that is, $\ell \in [j-1]$, the challenger chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ uniformly for the AE scheme.

Clearly $G_{1,1}$ is identical to $G_1$; thus $\Pr_1[\mathsf{Forge}] = \Pr_{1,1}[\mathsf{Forge}]$.

Game $G'_{1,j}$, $j \in [Q_e]$. It is identical to $G_{1,j}$, except that for the $j$-th encrypt query the challenger samples $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $G_{1,j}$ and $G'_{1,j}$ lies in the distribution of $C_j$. In game $G_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $G'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS. We emphasize that the PPT adversary (simulator) is able to check the occurrence of $\mathsf{Forge}$ in an efficient way, because the key $\mathsf{hk}$ can be chosen by the simulator itself. Consequently, the difference between $G_{1,j}$ and $G'_{1,j}$ can be reduced to the subset membership problem smoothly.
Lemma 17. For all $j \in [Q_e]$, $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda)$.

Proof. To bound the difference between $G_{1,j}$ and $G'_{1,j}$, we build an efficient adversary $\mathcal{B}$ solving the subset membership problem. Given $(\mathsf{pars}_{\mathsf{THPS}}, C)$, where $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, $\mathcal{B}$ aims to distinguish $C \leftarrow_{\$} \mathcal{V}$ from $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

$\mathcal{B}$ simulates $G_{1,j}$ or $G'_{1,j}$ for $\mathcal{A}$. Firstly, $\mathcal{B}$ invokes $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$, picks $\mathsf{H} \leftarrow_{\$} \mathcal{H}$ randomly and sends $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$ to $\mathcal{A}$. Next, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$.

As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $G_{1,j}$ and $G'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ randomly and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $G_{1,j}$ and $G'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ embeds its own challenge $C$ into $C_j$, that is, $C_j := C$. Then it computes $t_j := \mathsf{H}(C_j, \mathsf{ai}_j)$ and $\kappa_j := \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j)$, and invokes $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_j, m_j)$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ into $\mathcal{Q}_{\mathrm{AI\text{-}F}}$ and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ into $\mathcal{Q}_{\mathrm{TAG}}$.

Obviously, $\mathcal{B}$ simulates $G_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{V}$ and simulates $G'_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. Then $\mathcal{B}$ decides whether finalize outputs 1 or not with the help of $\mathsf{hk}$:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ outputs 0 (to its own challenger).
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ outputs 0.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ outputs 0.
(iv) $\mathcal{B}$ computes $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ outputs 0.
(vi) $\mathcal{B}$ computes $\kappa^* := \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$ and outputs $(\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp)$.

With the help of $\mathsf{hk}$, $\mathcal{B}$ is able to perfectly simulate finalize just like that in both $G_{1,j}$ and $G'_{1,j}$. Moreover, $\mathcal{B}$ outputs 1 to its own challenger if and only if the event $\mathsf{Forge}$ occurs. As a result, we have that $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathsf{THPS},\mathcal{B}}(\lambda)$.
Game $G''_{1,j}$, $j \in [Q_e]$. It is identical to $G'_{1,j}$, except that for the $j$-th encrypt query the challenger chooses $\kappa_j \leftarrow_{\$} \mathcal{K}$ randomly.

Lemma 18. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Forge}] \le \Pr_{1,j''}[\mathsf{Forge}] + \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Proof. For game $G'_{1,j}$ and game $G''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$-th encrypt query. In $G'_{1,j}$, $\kappa_j$ is properly computed; in $G''_{1,j}$, $\kappa_j$ is chosen from $\mathcal{K}$ uniformly.

We consider the information about the key $\mathsf{hk}$ that is used in $G'_{1,j}$:

(i) For the $\ell$-th ($\ell \in [j-1]$) query, encrypt does not use $\mathsf{hk}$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$-th ($\ell \in [j+1, Q_e]$) query, similar to the proof of Lemma 16, encrypt can use $\mathsf{pk} = \mu(\mathsf{hk})$ to compute $\kappa_\ell$.
(iii) For the $j$-th query, similar to the proof of Lemma 16, encrypt uses $\Lambda_{\mathsf{hk}}(C_j, t_j)$ to compute $\kappa_j$:

$$\begin{aligned}
\kappa_j &= \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j), \quad C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V} \\
&= \big(\Lambda_{\mathsf{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \quad \text{via key-homomorphism.}
\end{aligned} \qquad (18)$$

(iv) The finalize procedure, which defines the event $\mathsf{Forge}$, uses $\Lambda_{\mathsf{hk}}(C^*, t^*)$ to compute $\kappa^*$:

$$\begin{aligned}
\kappa^* &= \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) \\
&= \big(\Lambda_{\mathsf{hk}}(C^*, t^*)\big)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) \quad \text{via key-homomorphism.}
\end{aligned} \qquad (19)$$

We divide the event $\mathsf{Forge}$ into the following two subevents.

(i) Subevent $\mathsf{Forge} \wedge t_j \neq t^*$. Let us first consider the event $t_j \neq t^*$. We show that

$$\Pr_{1,j'}[t_j \neq t^*] = \Pr_{1,j''}[t_j \neq t^*]. \qquad (20)$$

By the fact that $C_j \in \mathcal{C} \setminus \mathcal{V}$ and by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then, as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also randomly distributed over $\mathcal{K}$. Hence $G'_{1,j}$ is the same as $G''_{1,j}$ before $\mathcal{A}$ queries finalize, and consequently $t_j \neq t^*$ occurs with the same probability in $G'_{1,j}$ and $G''_{1,j}$.

Next we consider the event $\mathsf{Forge}$ conditioned on $t_j \neq t^*$. We show that

$$\Pr_{1,j'}[\mathsf{Forge} \mid t_j \neq t^*] = \Pr_{1,j''}[\mathsf{Forge} \mid t_j \neq t^*]. \qquad (21)$$
Since $t_j \neq t^*$ and $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C^*, t^*)$. With a similar argument, $\kappa_j$ is also randomly distributed over $\mathcal{K}$. Hence $G'_{1,j}$ is the same as $G''_{1,j}$ when $t_j \neq t^*$, and consequently the probability that $\mathsf{Forge}$ occurs in $G'_{1,j}$ and $G''_{1,j}$ conditioned on $t_j \neq t^*$ is the same.

In conclusion, we have that

$$\Pr_{1,j'}[\mathsf{Forge} \wedge t_j \neq t^*] = \Pr_{1,j''}[\mathsf{Forge} \wedge t_j \neq t^*] \le \Pr_{1,j''}[\mathsf{Forge}]. \qquad (22)$$

(ii) Subevent $\mathsf{Forge} \wedge t_j = t^*$. By the new rule added in game $G_1$, $\mathsf{Forge} \wedge t_j = t^*$ will imply $(C_j, \mathsf{ai}_j) = (C^*, \mathsf{ai}^*)$. In addition, $\mathsf{Forge} \wedge \mathsf{ai}_j = \mathsf{ai}^*$ will imply that $f_j = f^*$, due to the special rule in the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game (see Figure 4). Then it is straightforward to check that $\Lambda_{\mathsf{hk}}(C_j, t_j) = \Lambda_{\mathsf{hk}}(C^*, t^*)$ and

$$\kappa_j = \big(\Lambda_{\mathsf{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) = \big(\Lambda_{\mathsf{hk}}(C^*, t^*)\big)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) = \kappa^*. \qquad (23)$$

Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ $(= \Lambda_{\mathsf{hk}}(C^*, t^*))$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then, as long as $a_j$ (which equals $a^*$) $\in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j$ (which equals $\kappa^*$) is also randomly distributed over $\mathcal{K}$. Also, in this subevent, $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$ implies $\chi^* \neq \chi_j$; thus the probability of $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ is bounded by $\mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$. So we have the following claim. We present the full description of the reduction in Appendix A.

Claim 19. One has $\Pr_{1,j'}[\mathsf{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Combining the above two subevents together, Lemma 18 follows.

Now we show that game $G''_{1,j}$ is computationally indistinguishable from game $G_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $G''_{1,j}$ and $G_{1,j+1}$ lies in the distribution of $C_j$ in the $j$-th encrypt query. In game $G''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $G_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Similar to Lemma 17, any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j''}[\mathsf{Forge}] - \Pr_{1,j+1}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda)$.

Finally, in game $G_{1,Q_e+1}$, note that the challenger does not use $\mathsf{hk}$ to compute $\kappa_\ell$ at all; thus $\mathsf{hk}$ is uniformly random to $\mathcal{A}$. Consequently, in the finalize procedure we have

$$\kappa^* = \big(\Lambda_{\mathsf{hk}}(C^*, t^*)\big)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*). \qquad (24)$$

By the extracting property of THPS, $\Lambda_{\mathsf{hk}}(C^*, t^*)$ is uniformly random over $\mathcal{K}$. Therefore, as long as $a^* \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa^*$ is uniformly random over $\mathcal{K}$ as well. Hence the probability of $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ is bounded by $\mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$, and we have $\Pr_{1,Q_e+1}[\mathsf{Forge}] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

In all, we proved the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security).

Remark 20. We emphasize that the special rule in the weak-INT-$\mathcal{F}$-RKA game (cf. Figure 4) plays an essential role in proving Lemma 18. Below is the reason.

Without this special rule, the adversary is allowed to submit $f^*$ $(= \langle a^*, \mathbf{b}^* \rangle)$ which is different from $f_j$ $(= \langle a_j, \mathbf{b}_j \rangle)$ even if $\mathsf{ai}^* = \mathsf{ai}_j$ holds. In this case, we cannot expect to employ the INT-OT security of the underlying AE scheme to show that the second subevent ($\mathsf{Forge} \wedge t_j = t^*$) occurs with only a negligible probability. To demonstrate the problem clearly, suppose that the adversary $\mathcal{A}$ submits $f_j = \langle a_j, \mathbf{b}_j \rangle$ in the $j$-th encrypt query and submits $f^* = \langle a^*, \mathbf{b}^* \rangle = \langle a_j, \mathbf{b}_j + \Delta \rangle$ in the finalize procedure, where $\Delta$ is a constant. Then we have

$$\begin{aligned}
\kappa^* &= \big(\Lambda_{\mathsf{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j + \Delta}(C_j, t_j) \\
&= \big(\Lambda_{\mathsf{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \cdot \Lambda_{\Delta}(C_j, t_j) = \kappa_j \cdot \Lambda_{\Delta}(C_j, t_j),
\end{aligned} \qquad (25)$$

where the second equality follows from the key-homomorphism of THPS. Thus $\kappa^*$ and $\kappa_j$ are closely related but may not be equal; in particular, the quotient $\kappa^*/\kappa_j$ $(= \Lambda_{\Delta}(C_j, t_j))$ is a constant.

Consequently, it is hard for us to show that the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs with a negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary $\mathcal{A}$, who obtains $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_j, m_j)$ in the $j$-th encrypt query, to generate an AE ciphertext $\chi^*$ satisfying $\mathsf{AE.Decrypt}(\kappa^*, \chi^*)$ $(= \mathsf{AE.Decrypt}(\kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \chi^*)) \neq \perp$, it seems that INT-RKA security of AE is required to some extent. We definitely cannot require INT-RKA security for the underlying AE scheme, since we are constructing the (weak) INT-RKA secure (AI)AE scheme AIAE. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT-$\mathcal{F}$-RKA game.
3.3. Tag-Based HPS from the DDH Assumption

Qin et al. [19] gave a construction of tag-based HPS from the $d$-LIN assumption. Here we construct a key-homomorphic $\mathsf{THPS}_{\mathrm{DDH}}$ under the DDH assumption in Figure 6. With a routine check, the projective property of $\mathsf{THPS}_{\mathrm{DDH}}$ follows.

Theorem 21. $\mathsf{THPS}_{\mathrm{DDH}}$ in Figure 6 is universal$_2$, extracting and key-homomorphic. Moreover, the subset membership problem related to $\mathsf{THPS}_{\mathrm{DDH}}$ is hard under the DDH assumption for $\mathsf{GenN}$ and $\mathsf{QR}_{\bar N}$.
Figure 6: Construction of $\mathsf{THPS}_{\mathrm{DDH}}$.
$\mathsf{THPS.Setup}(1^\lambda)$: $(p, q, N, \bar N) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$ and $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_{\$} \mathsf{QR}_{\bar N}$. Output $\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2)$, which implicitly defines $(\mathcal{K}, \mathcal{T}, \mathcal{HK}, \Lambda_{(\cdot)}, \mathcal{C}, \mathcal{V})$: $\mathcal{K} = \mathsf{QR}_{\bar N}$, $\mathcal{T} = \mathbb{Z}_N$, $\mathcal{HK} = (\mathbb{Z}_N)^4$, $\mathcal{C} = \mathsf{QR}^2_{\bar N} \setminus \{(1, 1)\}$, $\mathcal{V} = \{(g_1^w, g_2^w) \mid w \in \mathbb{Z}_N \setminus \{0\}\} \subseteq \mathsf{QR}^2_{\bar N}$.
For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$, $C = (c_1, c_2) \in \mathcal{C}$ and $t \in \mathcal{T}$: $\Lambda_{\mathsf{hk}}(C, t) = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathcal{K}$.
For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$: $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2},\ g_1^{k_3} g_2^{k_4}) \in \mathsf{QR}^2_{\bar N}$.
$K \leftarrow \mathsf{THPS.Pub}(\mathsf{pk}, C, w, t)$: Parse $\mathsf{pk} = (h_1, h_2)$. Output $K = h_1^{w} \cdot h_2^{wt}$.
$K \leftarrow \mathsf{THPS.Priv}(\mathsf{hk}, C, t)$: Parse $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$ and $C = (c_1, c_2) \in \mathcal{C}$. Output $K = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$.

Proof of Theorem 21. Universal$_2$. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, $C' = (g_1^{w'_1}, g_2^{w'_2}) \in \mathcal{C} \setminus \mathcal{V}$ and $t, t' \in \mathcal{T}$ with $t \neq t'$. For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathsf{hk}}(C', t')$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$.
Denote $d := \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$. Firstly, $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + d k_2}, g_1^{k_3 + d k_4})$, which may leak the values of $k_1 + d k_2$ and $k_3 + d k_4$.

Next,

$$\Lambda_{\mathsf{hk}}(C, t) = (g_1^{w_1})^{k_1 + k_3 t} \cdot (g_2^{w_2})^{k_2 + k_4 t} = g_1^{X}, \quad \text{where } X \triangleq (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4), \qquad (26)$$

which may further leak the value of $X$. Similarly,

$$\Lambda_{\mathsf{hk}}(C', t') = (g_1^{w'_1})^{k_1 + k_3 t'} \cdot (g_2^{w'_2})^{k_2 + k_4 t'} = g_1^{Y}, \quad \text{where } Y \triangleq (w'_1 k_1 + w'_2 d k_2) + t' \cdot (w'_1 k_3 + w'_2 d k_4). \qquad (27)$$

By the fact that $C' = (g_1^{w'_1}, g_2^{w'_2}) \notin \mathcal{V}$, we have $w'_1 \neq w'_2$. Then, as long as $t \neq t'$, $Y$ is independent of $k_1 + d k_2$, $k_3 + d k_4$ and $X$, and consequently $Y$ is uniformly distributed over $\mathbb{Z}_N$. Therefore, conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$, $\Lambda_{\mathsf{hk}}(C', t')$ $(= g_1^{Y})$ is randomly distributed over $\mathcal{K} = \mathsf{QR}_{\bar N}$.

Extracting. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$ and $t \in \mathcal{T}$. For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathsf{hk}}(C, t)$.

By (26), $\Lambda_{\mathsf{hk}}(C, t) = g_1^{X}$ with $X = (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)$. Since $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, we have $(w_1, w_2) \neq (0, 0)$. Then, when $(k_1, k_2, k_3, k_4)$ is randomly chosen from $(\mathbb{Z}_N)^4$, $X$ is uniformly distributed over $\mathbb{Z}_N$. Consequently, $\Lambda_{\mathsf{hk}}(C, t)$ is randomly distributed over $\mathcal{K} = \mathsf{QR}_{\bar N}$.

Key-Homomorphism. For all $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$, all $a \in \mathbb{Z}$, all $\mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4$, all $C = (c_1, c_2) \in \mathcal{C}$ and all $t \in \mathcal{T}$, we have $a \cdot \mathsf{hk} + \mathbf{b} = a \cdot (k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) = (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4)$. Then it follows that

$$\begin{aligned}
\Lambda_{a \cdot \mathsf{hk} + \mathbf{b}}(C, t) &= c_1^{(a k_1 + b_1) + (a k_3 + b_3) t} \cdot c_2^{(a k_2 + b_2) + (a k_4 + b_4) t} \\
&= \big(c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}\big)^{a} \cdot \big(c_1^{b_1 + b_3 t} \cdot c_2^{b_2 + b_4 t}\big) = \Lambda_{\mathsf{hk}}(C, t)^{a} \cdot \Lambda_{\mathbf{b}}(C, t).
\end{aligned} \qquad (28)$$

Subset Membership Problem. The subset membership problem related to $\mathsf{THPS}_{\mathrm{DDH}}$ requires that $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C = (g_1^{w}, g_2^{w}))$ is computationally indistinguishable from $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C' = (g_1^{w_1}, g_2^{w_2}))$, where $C \leftarrow_{\$} \mathcal{V}$ and $C' \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$. It trivially holds under the DDH assumption for $\mathsf{GenN}$ and $\mathsf{QR}_{\bar N}$.
3.4. Instantiation AIAE_DDH from DDH-Based THPS_DDH and OT-Secure AE. When plugging THPS_DDH (cf. Figure 6) into the paradigm in Figure 5, we immediately obtain an AIAE scheme AIAE_DDH under the DDH assumption, as shown in Figure 7. The key space is $\mathcal{K}_{\mathsf{AIAE}} = (\mathbb{Z}_N)^4$.

By combining Theorem 15 with Theorem 21, we have the following corollary regarding the RKA security of AIAE_DDH.

Corollary 22. If (i) the DDH assumption holds for GenN and $\mathrm{QR}_{\bar N}$, (ii) AE is one-time secure, and (iii) H is collision-resistant, then the scheme AIAE_DDH in Figure 7 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here
$$\mathcal{F}_{\mathrm{raff}} := \big\{ f_{(a,\mathbf{b})} : (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4 \mapsto (a k_1 + b_1,\ a k_2 + b_2,\ a k_3 + b_3,\ a k_4 + b_4) \in (\mathbb{Z}_N)^4 \ \big|\ a \in \mathbb{Z}_N^*,\ \mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4 \big\}.$$

Remark 23. Our AIAE_DDH enjoys the following property: $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$ will be randomly distributed over $\mathrm{QR}_{\bar N}$ as long as any element $k_j$ in $\mathbf{k} = (k_1, k_2, k_3, k_4)$ is uniformly chosen. As a result, the one-time security of AE guarantees that $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) = \bot$ holds for any $(\mathsf{aiaec}, \mathsf{ai})$ except with probability $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda) \le \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. This fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.

Security and Communication Networks 13

AIAE.ParGen($1^\lambda$): $(p, q, N, \bar N) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar N = 2N + 1$ is a prime. $g_1, g_2 \leftarrow_{\$} \mathrm{QR}_{\bar N}$. $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$. $\mathsf{H} \leftarrow_{\$} \mathcal{H}$. Output $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$.

AIAE.Encrypt($\mathbf{k}, m, \mathsf{ai}$): Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$. $w \leftarrow_{\$} \mathbb{Z}_N$, $(c_1, c_2) = (g_1^{w}, g_2^{w}) \in \mathrm{QR}_{\bar N}^2$. $t = \mathsf{H}(c_1, c_2, \mathsf{ai}) \in \mathbb{Z}_N$. $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathrm{QR}_{\bar N}$. $\chi \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa, m)$. Output $\langle c_1, c_2, \chi \rangle$.

AIAE.Decrypt($\mathbf{k}, \langle c_1, c_2, \chi \rangle, \mathsf{ai}$): Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$. If $(c_1, c_2) \notin \mathrm{QR}_{\bar N}^2$ or $(c_1, c_2) = (1, 1)$, output $\bot$. $t = \mathsf{H}(c_1, c_2, \mathsf{ai}) \in \mathbb{Z}_N$. $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathrm{QR}_{\bar N}$. Output $\mathsf{AE.Decrypt}(\kappa, \chi)$.

Figure 7: Construction of AIAE_DDH from AE and THPS_DDH.
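The AIAE_DDH paradigm of Figure 7, as an added Python example that is not the paper's code: it binds the AE key $\kappa$ to $(c_1, c_2)$, the auxiliary input and the four-element key $\mathbf{k}$, and performs the decryptor's $\mathrm{QR}_{\bar N}$ and $(1,1)$ checks before using $\kappa$. Everything that the paper leaves abstract is a constructed stand-in: a brute-force search over small safe primes replaces GenN (so the group has only a few hundred elements), H is SHA-256 reduced mod $N$, and the one-time AE is a SHA-256 keystream with an HMAC-SHA256 tag. One deliberate deviation is labelled in the code: $w$ is drawn from $\mathbb{Z}_N \setminus \{0\}$ so that an honest ciphertext never trips the $(1,1)$ rejection. All function names (find_params, par_gen, aiae_encrypt, ...) are hypothetical.

```python
"""Toy AIAE_DDH following Figure 7 (added example, not the paper's code)."""
import hashlib
import hmac
import secrets


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def find_params(limit=200):
    """Constructed GenN: the largest pair of safe primes p < q below `limit`
    with N = pq such that N_bar = 2N + 1 is prime (QR_{N_bar} then has order N)."""
    safe = [x for x in range(5, limit) if is_prime(x) and is_prime((x - 1) // 2)]
    best = None
    for p in safe:
        for q in safe:
            if p < q and is_prime(2 * p * q + 1):
                best = (p, q, p * q, 2 * p * q + 1)
    if best is None:
        raise ValueError("no parameters below limit")
    return best


def par_gen():
    """AIAE.ParGen: g1, g2 are generators of QR_{N_bar} (order exactly N = pq)."""
    p, q, N, Nbar = find_params()
    def gen():
        while True:
            g = pow(secrets.randbelow(Nbar - 2) + 2, 2, Nbar)   # a square
            if pow(g, p, Nbar) != 1 and pow(g, q, Nbar) != 1:    # not of order p or q
                return g
    return {"N": N, "Nbar": Nbar, "g1": gen(), "g2": gen()}


def hash_to_ZN(pars, c1, c2, ai):
    """t = H(c1, c2, ai) in Z_N; SHA-256 is a stand-in for the paper's H."""
    h = hashlib.sha256(f"{c1}|{c2}|".encode() + ai).digest()
    return int.from_bytes(h, "big") % pars["N"]


def _keystream(key, n):
    out, block = b"", key
    while len(out) < n:
        block = hashlib.sha256(key + block).digest()
        out += block
    return out[:n]


def ae_encrypt(kappa, m):
    """Constructed one-time AE keyed by the group element kappa: XOR keystream + HMAC tag."""
    key = hashlib.sha256(b"AE" + str(kappa).encode()).digest()
    ct = bytes(a ^ b for a, b in zip(m, _keystream(key, len(m))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def ae_decrypt(kappa, c):
    key = hashlib.sha256(b"AE" + str(kappa).encode()).digest()
    ct, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None                                  # ⊥: tag does not verify
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def is_qr(pars, c):
    """Euler's criterion: c in QR_{N_bar} iff c^N = 1 mod N_bar."""
    return 0 < c < pars["Nbar"] and pow(c, pars["N"], pars["Nbar"]) == 1


def _kappa(pars, k, c1, c2, ai):
    """kappa = c1^{k1 + k3 t} * c2^{k2 + k4 t} with t = H(c1, c2, ai)."""
    k1, k2, k3, k4 = k
    t = hash_to_ZN(pars, c1, c2, ai)
    nb = pars["Nbar"]
    return pow(c1, k1 + k3 * t, nb) * pow(c2, k2 + k4 * t, nb) % nb


def aiae_encrypt(pars, k, m, ai):
    w = secrets.randbelow(pars["N"] - 1) + 1       # deviation: w != 0, so (c1, c2) != (1, 1)
    c1, c2 = pow(pars["g1"], w, pars["Nbar"]), pow(pars["g2"], w, pars["Nbar"])
    return c1, c2, ae_encrypt(_kappa(pars, k, c1, c2, ai), m)


def aiae_decrypt(pars, k, aiaec, ai):
    c1, c2, chi = aiaec
    if not (is_qr(pars, c1) and is_qr(pars, c2)) or (c1, c2) == (1, 1):
        return None                                  # ⊥: malformed (c1, c2)
    return ae_decrypt(_kappa(pars, k, c1, c2, ai), chi)


def demo():
    pars = par_gen()
    N = pars["N"]
    k = tuple(secrets.randbelow(N) for _ in range(4))
    ai = b"constructed auxiliary input"
    c1, c2, chi = aiae_encrypt(pars, k, b"hello", ai)
    non_qr = next(c for c in range(2, pars["Nbar"]) if not is_qr(pars, c))
    k_rel = tuple((2 * kj + j) % N for j, kj in enumerate(k, 1))   # f_{(a,b)}(k) with a = 2
    return {
        "ok": aiae_decrypt(pars, k, (c1, c2, chi), ai),
        "tampered": aiae_decrypt(pars, k, (c1, c2, bytes([chi[0] ^ 1]) + chi[1:]), ai),
        "non_qr": aiae_decrypt(pars, k, (non_qr, c2, chi), ai),
        "trivial": aiae_decrypt(pars, k, (1, 1, chi), ai),
        "wrong_ai": aiae_decrypt(pars, k, (c1, c2, chi), b"other ai"),
        "related_key": aiae_decrypt(pars, k_rel, (c1, c2, chi), ai),
    }
```

The first four entries of `demo()` are forced by the construction: the honest ciphertext decrypts, and a modified AE ciphertext, a non-residue $c_1$, or $(c_1, c_2) = (1, 1)$ is rejected. The last two show that a different auxiliary input (which changes $t$) or a related key $f_{(a,\mathbf{b})}(\mathbf{k})$ yields a different $\kappa$ and hence $\bot$, except for the occasional collision that a group this small permits.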
4. PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security

Denote by AIAE_DDH = (AIAE.ParGen, AIAE.Encrypt, AIAE.Decrypt) the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^4$. We need two other building blocks, following the approach in Figure 1:

KEM: to be compatible with this AIAE_DDH, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.

$\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$ so that, after a computationally indistinguishable change, $\mathcal{E}$.Encrypt can serve as an entropy filter for the affine function set.

The proposed PKE scheme PKE = (ParGen, KeyGen, Encrypt, Decrypt) is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.

The correctness of PKE is guaranteed by the correctness of AIAE_DDH, $\mathcal{E}$, and KEM.
Theorem 24. If (i) the DCR assumption holds for GenN and $\mathrm{QR}_{N^s}$, (ii) AIAE_DDH is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for GenN and $\mathrm{SCR}_{N^s}$, then the proposed scheme PKE in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.

Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, querying the encrypt oracle at most $Q_e$ times and the decrypt oracle at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.

In the proof, G1-G2 deal with the $n$-user case; G3-G4 are used to eliminate the use of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^4$ in the encrypt oracle; the aim of G5-G6 is to use $(x_j, y_j)_{j=1}^4 \bmod N$ to hide a base key $\mathbf{k}^* = (k_1^*, \ldots, k_4^*)$ of AIAE_DDH in the encrypt oracle; G7-G8 are used to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the decrypt oracle; in G9-G10, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^* = (k_1^*, \ldots, k_4^*)$ is now perfectly concealed by $(x_j, y_j)_{j=1}^4 \bmod N$.

Game G0. It is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta' = \beta$ by Succ. According to the definition, $\mathsf{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathsf{PKE}, \mathcal{A}}(\lambda) = |\Pr_0[\mathsf{Succ}] - 1/2|$.
For the $i$th user, $i \in [n]$, let $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ and $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key, respectively.

Game G1. It is identical to G0 except for the way of answering the decrypt query $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$. More precisely, the challenger outputs $\bot$ if $\langle \mathsf{ai}, \mathsf{aiaec} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$, where $\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ is the challenge ciphertext of the $\ell$th encrypt oracle query $(f_\ell, i_\ell)$.

Case 1 ($(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i) = (\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle, i_\ell)$): decrypt will output $\bot$ in G0, since $(\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle, i_\ell) \in \mathcal{Q}_{\mathrm{ENC}}$ is prohibited by decrypt.

Case 2 ($\langle \mathsf{ai}, \mathsf{aiaec} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ but $i \neq i_\ell$): We show that in G0, decrypt will output $\bot$ due to $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ with overwhelming probability. Recall that $u_{\ell,1} = g_1^{r_\ell}$, $u_{\ell,2} = g_2^{r_\ell}$, $e_{\ell,1} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}}$, so
$$e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}} \cdot (g_1^{r_\ell})^{x_{i,1}} (g_2^{r_\ell})^{y_{i,1}} = (h_{i_\ell,1} h_{i,1}^{-1})^{r_\ell} T^{k_{\ell,1}} \bmod N^2, \quad (29)$$
where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$th user and the $i$th user, respectively, and are uniformly random over $\mathrm{SCR}_{N^s}$.
ParGen($1^\lambda$): $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$, where $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$ with $N = pq$, $\bar N = 2N + 1$, $g_1, g_2 \in \mathrm{QR}_{\bar N}$. Set $\mathsf{pars}'_{\mathsf{AIAE}} = (N, \bar N, g_1, g_2, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$. $g_1, g_2, g_3, g_4, g_5 \leftarrow_{\$} \mathrm{SCR}_{N^s}$. Output $\mathsf{pars} = (\mathsf{pars}'_{\mathsf{AIAE}}, g_1, g_2, g_3, g_4, g_5)$.

KeyGen($\mathsf{pars}$): $x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4 \leftarrow_{\$} [\lfloor N^2/4 \rfloor]$. $(h_1, h_2, h_3, h_4) = (g_1^{-x_1} g_2^{-y_1},\ g_2^{-x_2} g_3^{-y_2},\ g_3^{-x_3} g_4^{-y_3},\ g_4^{-x_4} g_5^{-y_4}) \bmod N^s$. $\mathsf{pk} = (h_1, h_2, h_3, h_4)$, $\mathsf{sk} = (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4)$. Output $(\mathsf{pk}, \mathsf{sk})$.

Encrypt($\mathsf{pk}, m$), $m \in [N^{s-1}]$: $(\mathbf{k}, \mathsf{ai}) \leftarrow_{\$} \mathsf{KEM.Encrypt}(\mathsf{pk})$. $\mathcal{E}c \leftarrow_{\$} \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$. $\mathsf{aiaec} \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}, \mathcal{E}c, \mathsf{ai})$. Output $\langle \mathsf{ai}, \mathsf{aiaec} \rangle$.

Decrypt($\mathsf{sk}, \langle \mathsf{ai}, \mathsf{aiaec} \rangle$): $\mathbf{k}/\bot \leftarrow \mathsf{KEM.Decrypt}(\mathsf{sk}, \mathsf{ai})$. $\mathcal{E}c/\bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai})$. $m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}c)$.

KEM.Encrypt($\mathsf{pk}$): $r \leftarrow_{\$} [\lfloor N/4 \rfloor]$. $(u_1, u_2, u_3, u_4, u_5) = (g_1^{r}, g_2^{r}, g_3^{r}, g_4^{r}, g_5^{r}) \bmod N^2$. $\mathbf{k} = (k_1, k_2, k_3, k_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$. $(e_1, e_2, e_3, e_4) = (h_1^{r} T^{k_1}, h_2^{r} T^{k_2}, h_3^{r} T^{k_3}, h_4^{r} T^{k_4}) \bmod N^2$. $\mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. Output $(\mathbf{k}, \mathsf{ai})$.

KEM.Decrypt($\mathsf{sk}, \mathsf{ai}$): Parse $\mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. If $e_1 u_1^{x_1} u_2^{y_1},\ e_2 u_2^{x_2} u_3^{y_2},\ e_3 u_3^{x_3} u_4^{y_3},\ e_4 u_4^{x_4} u_5^{y_4} \in \mathrm{RU}_{N^2}$: $(k_1, k_2, k_3, k_4) = (\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}),\ \mathrm{dlog}_T(e_2 u_2^{x_2} u_3^{y_2}),\ \mathrm{dlog}_T(e_3 u_3^{x_3} u_4^{y_3}),\ \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})) \bmod N$, and output $\mathbf{k} = (k_1, k_2, k_3, k_4)$. Else, output $\bot$.

$\mathcal{E}$.Encrypt($\mathsf{pk}, m$): $r_1, r_2, r_3, r_4 \leftarrow_{\$} [\lfloor N/4 \rfloor]$. $(\tilde u_1, \ldots, \tilde u_8) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$. $\tilde e = h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^{m} \bmod N^s$. $t = g_1^{m} \bmod N \in \mathbb{Z}_N$. Output $\mathcal{E}c = (\tilde u_1, \ldots, \tilde u_8, \tilde e, t)$.

$\mathcal{E}$.Decrypt($\mathsf{sk}, \mathcal{E}c$): Parse $\mathcal{E}c = (\tilde u_1, \ldots, \tilde u_8, \tilde e, t)$. If $\tilde e \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4} \in \mathrm{RU}_{N^s}$: $m = \mathrm{dlog}_T(\tilde e \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4}) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$, output $m$, else output $\bot$. Else, output $\bot$.

Figure 8: Construction of PKE from AIAE_DDH. The shadowed parts highlight the algorithms of KEM and $\mathcal{E}$. Here $p, q$ in $\mathsf{pars}_{\mathsf{AIAE}}$ are not provided in $\mathsf{pars}'_{\mathsf{AIAE}}$, since they are not used in AIAE.Encrypt and AIAE.Decrypt of AIAE_DDH.
So $h_{i_\ell,1} h_{i,1}^{-1} \neq 1$; hence $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus G0 and G1 are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$ according to the union bound, and $|\Pr_0[\mathsf{Succ}] - \Pr_1[\mathsf{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Game G2. It is identical to G1 except for the way the challenger samples the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game G2, the challenger first chooses $(x_1, y_1, \ldots, x_4, y_4)$ and $(\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$; next it computes $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) := (x_1, y_1, \ldots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.

Obviously, the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence G2 is identical to G1, and $\Pr_1[\mathsf{Succ}] = \Pr_2[\mathsf{Succ}]$.

Game G3. It is identical to G2 except for the way the challenger responds to the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G3, instead of using the public key $\mathsf{pk}_{i_\ell} = (h_{i_\ell,1}, \ldots, h_{i_\ell,4})$, the challenger uses the secret key $\mathsf{sk}_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \ldots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell,1}, \ldots, e_{\ell,4})$ and $\tilde e_\ell$ in the following way:

(i) $(e_{\ell,1}, \ldots, e_{\ell,4}) := (u_{\ell,1}^{-x_{i_\ell,1}} u_{\ell,2}^{-y_{i_\ell,1}} T^{k_{\ell,1}},\ \ldots,\ u_{\ell,4}^{-x_{i_\ell,4}} u_{\ell,5}^{-y_{i_\ell,4}} T^{k_{\ell,4}}) \bmod N^2$. (30)

(ii) $\tilde e_\ell := \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \tilde u_{\ell,3}^{-x_{i_\ell,2}} \tilde u_{\ell,4}^{-y_{i_\ell,2}} \tilde u_{\ell,5}^{-x_{i_\ell,3}} \tilde u_{\ell,6}^{-y_{i_\ell,3}} \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s$. (31)
Note that for $j \in [4]$,
$$e_{\ell,j} \overset{\mathrm{G}_2}{=} h_{i_\ell,j}^{r_\ell} T^{k_{\ell,j}} = (g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}})^{r_\ell} T^{k_{\ell,j}} \overset{\mathrm{G}_3}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} \bmod N^2,$$
$$\tilde e_\ell \overset{\mathrm{G}_2}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{m_\beta} = (g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}})^{r_{\ell,1}} \cdots (g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}})^{r_{\ell,4}} T^{m_\beta} \overset{\mathrm{G}_3}{=} \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \quad (32)$$

Table 2: Brief description of the security proof of Theorem 24.

Game | Changes between adjacent games | Assumptions
G0 | The original $n$-KDM-CCA security game | —
G1 | decrypt: reject if $\langle \mathsf{ai}, \mathsf{aiaec} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$ | G0 $\approx_s$ G1
G2 | initialize: sample secret keys with $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) = (x_1, y_1, \ldots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4})$ | G1 = G2
G3 | encrypt$(f_\ell, i_\ell)$: use the secret keys to run KEM.Encrypt and $\mathcal{E}$.Encrypt | G2 = G3
G4 | encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of the secret keys, $\mathcal{E}c$ is computed with $(\tilde u_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \ldots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \ldots, g_5^{r_{\ell,4}})$. encrypt does not use $(x_j, y_j)_{j=1}^4 \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen | G3 $\approx_c$ G4 by IV$_5$
G5 | encrypt$(f_\ell, i_\ell)$: kemct (= $\mathsf{ai}$) of KEM.Encrypt is computed with $(u_{\ell,j})_{j \in [5]} = ((g_j^{r^*} T^{\alpha_j})^{r_\ell})_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now KEM.Encrypt encapsulates the four keys $(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}))_{j=1}^4 \bmod N$, but $(k_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt | G4 $\approx_c$ G5 by IV$_5$
G6 | encrypt$(f_\ell, i_\ell)$: sample $k_{\ell,j} := r_\ell k_j^* + s_{\ell,j}$ for $j \in [4]$. Now KEM.Encrypt encapsulates the four keys $(r_\ell (k_j^* - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell (\alpha_j \bar x_{i,j} + \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j})_{j=1}^4$, but $(r_\ell k_j^* + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt | G5 = G6
G7 | decrypt: use $\phi(N)$ and the secret keys to answer decryption queries | G6 = G7
G8 | decrypt: add an additional rejection rule. Reject if $\mathsf{Bad}' = (\exists u_j \notin \mathrm{SCR}_{N^2})$ or $\widetilde{\mathsf{Bad}} = (\forall u_j \in \mathrm{SCR}_{N^2}) \wedge (\exists \tilde u_j \notin \mathrm{SCR}_{N^s})$ happens. $\mathsf{Bad}'$ and $\widetilde{\mathsf{Bad}}$ can be detected by using $\phi(N)$. Now only the $(\bmod\ \phi(N)/4)$ part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^4 \bmod N$ perfectly hides $(k_1^*, \ldots, k_4^*)$ in encrypt; thus $(k_1^*, \ldots, k_4^*)$ is uniform. $(r_\ell k_j^* + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. $\mathsf{Bad}'$ may lead to a fresh successful forgery for AIAE_DDH | G7 = G8 if neither $\mathsf{Bad}'$ nor $\widetilde{\mathsf{Bad}}$ happens. $\Pr[\mathsf{Bad}'] = \mathrm{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH
G9 | initialize: sample an independent random tuple $(\bar k_1^*, \ldots, \bar k_4^*)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell \bar k_j^* + s_{\ell,j})_{j=1}^4$ in AIAE.Encrypt | G8 = G9 to the adversary
G10 | encrypt: encrypt zeros instead of the affine function of the secret keys. $\widetilde{\mathsf{Bad}}$ happens with negligible probability since $t = g_1^{m} \bmod N$ in decrypt. Adversary $\mathcal{A}$ wins with probability $1/2$ | G9 $\approx_c$ G10 by the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH. $\Pr[\widetilde{\mathsf{Bad}}] = \mathrm{negl}$
Thus G3 is the same as G2, and $\Pr_2[\mathsf{Succ}] = \Pr_3[\mathsf{Succ}]$.

Game G4. It is identical to G3 except for the way the challenger responds to the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G4, in the case of $\beta = 1$, $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ and $\tilde e_\ell$ are computed without the use of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$:

(i) $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8}) := (g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}) \bmod N^s$. (33)

(ii) $\tilde e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{\sum_{i=1}^n \sum_{j=1}^4 (a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})) + c} \bmod N^s$, (34)

where $f_\ell = (\{a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$. Note that
$$\tilde e_\ell \overset{\mathrm{G}_4}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 (a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})) + c}$$
$$= \prod_{j=1}^4 (g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}})^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^n \sum_{j=1}^4 (a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j})}$$
$$= \prod_{j=1}^4 (g_j^{r_{\ell,j}} T^{\sum_{i=1}^n a_{i,j}})^{-x_{i_\ell,j}} (g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^n b_{i,j}})^{-y_{i_\ell,j}} \cdot T^{m_1}$$
$$= \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_1} \bmod N^s, \quad (35)$$
where the second equality follows from $m_1 = \sum_{i=1}^n (a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}) + c$.
We analyze the difference between G3 and G4 via the following lemma.

Lemma 25. One has $|\Pr_3[\mathsf{Succ}] - \Pr_4[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $\tilde e_\ell$ is computed from $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ is the same in G3 and G4. Therefore, the only divergence between G3 and G4 lies in $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$.

We show that any difference between G3 and G4 results in a PPT adversary $\mathcal{B}_1$ solving the IV$_5$ problem. $\mathcal{B}_1$ is provided with $(N, g_1, \ldots, g_5)$ and has access to its $\mathsf{chal}^{b}_{\mathrm{IV}_5}$ oracle. $\mathcal{B}_1$ simulates game G3 or game G4 for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares $\mathsf{pars}$ and generates $(\mathsf{pk}_i, \mathsf{sk}_i)$, $i \in [n]$, as in G3 and G4. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = (\{a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathsf{chal}^{b}_{\mathrm{IV}_5}$ oracle with $(\sum_{i=1}^n a_{i,1}, \sum_{i=1}^n b_{i,1}, *, *, *)$, $(*, \sum_{i=1}^n a_{i,2}, \sum_{i=1}^n b_{i,2}, *, *)$, $(*, *, \sum_{i=1}^n a_{i,3}, \sum_{i=1}^n b_{i,3}, *)$, $(*, *, *, \sum_{i=1}^n a_{i,4}, \sum_{i=1}^n b_{i,4})$, where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde u_{\ell,1}, \tilde u_{\ell,2}, *, *, *)$, $(*, \tilde u_{\ell,3}, \tilde u_{\ell,4}, *, *)$, $(*, *, \tilde u_{\ell,5}, \tilde u_{\ell,6}, *)$, $(*, *, *, \tilde u_{\ell,7}, \tilde u_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathsf{chal}^{b}_{\mathrm{IV}_5}$ oracle, $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}})$.

Case 2 ($b = 1$): $(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}})$.

Next, $\mathcal{B}_1$ uses the obtained $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ and the secret keys to compute $\tilde e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$, since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event Succ occurs.

In Case 1, $\mathcal{B}_1$ simulates game G3 perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game G4 perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathsf{Succ}]$ and $\Pr_4[\mathsf{Succ}]$ results in $\mathcal{B}_1$'s advantage over the IV$_5$ problem. Thus Lemma 25 follows.
Game G5. It is identical to G4 except for the following differences. In the initialize procedure of game G5, the challenger picks $r^* \leftarrow_{\$} [\lfloor N/4 \rfloor]$ and $\alpha_1, \ldots, \alpha_5 \leftarrow_{\$} \mathbb{Z}_N$ randomly. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \ldots, u_{\ell,5})$ as follows:

(i) $(u_{\ell,1}, \ldots, u_{\ell,5}) := ((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}) \bmod N^2$.

The only difference between G4 and G5 is the distribution of $(u_{\ell,1}, \ldots, u_{\ell,5})$. In game G4, $(u_{\ell,1}, \ldots, u_{\ell,5}) = (g_1^{r_\ell}, \ldots, g_5^{r_\ell}) \bmod N^2$, while in game G5, $(u_{\ell,1}, \ldots, u_{\ell,5}) = ((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}) \bmod N^2$. Just like Lemma 25, any difference between G4 and G5 results in a PPT adversary solving the IV$_5$ problem by invoking $\mathcal{A}$. Therefore, $|\Pr_4[\mathsf{Succ}] - \Pr_5[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.
Game G6. It is identical to G5 except for the following differences. In the initialize procedure of game G6, the challenger picks $\mathbf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ randomly. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \ldots, e_{\ell,4})$ in a different way:

(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_{\$} (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_{\$} [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k_1^* + s_{\ell,1}, \ldots, r_\ell k_4^* + s_{\ell,4})$.

(ii) $(e_{\ell,1}, \ldots, e_{\ell,4}) := \big(h_{i_\ell,1}^{r^* r_\ell} T^{r_\ell \cdot (k_1^* - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}},\ \ldots,\ h_{i_\ell,4}^{r^* r_\ell} T^{r_\ell \cdot (k_4^* - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\big)$. (36)

Clearly $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game G5. In the meantime, for $j \in [4]$ we have
$$e_{\ell,j} \overset{\mathrm{G}_5}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} = (g_j^{r^*} T^{\alpha_j})^{-r_\ell \cdot x_{i_\ell,j}} (g_{j+1}^{r^*} T^{\alpha_{j+1}})^{-r_\ell \cdot y_{i_\ell,j}} T^{k_{\ell,j}}$$
$$= (g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}})^{r^* r_\ell} T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \overset{\mathrm{G}_6}{=} h_{i_\ell,j}^{r^* r_\ell} T^{r_\ell \cdot (k_j^* - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \quad (37)$$
Thus G6 is the same as G5, and $\Pr_5[\mathsf{Succ}] = \Pr_6[\mathsf{Succ}]$.

Game G7. It is identical to G6 except for the way the challenger answers the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$. In game G7, it uses $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathsf{ai}, \mathsf{aiaec} \rangle$, where $\mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \ldots, k_4)$ and $m$ in the following way:

(i)
$$(\alpha'_1, \ldots, \alpha'_5) := \Big( \frac{\mathrm{dlog}_T(u_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(u_5^{\phi(N)})}{\phi(N)} \Big) \bmod N,$$
$$(\gamma'_1, \ldots, \gamma'_4) := \Big( \frac{\mathrm{dlog}_T(e_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(e_4^{\phi(N)})}{\phi(N)} \Big) \bmod N,$$
$$\mathbf{k} = (k_1, \ldots, k_4) := (\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1,\ \ldots,\ \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4) \bmod N. \quad (38)$$

(ii) $\mathcal{E}c = (\tilde u_1, \ldots, \tilde u_8, \tilde e, t) / \bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai})$. (39)

(iii)
$$(\tilde\alpha_1, \ldots, \tilde\alpha_8) := \Big( \frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)} \Big) \bmod N^{s-1}, \qquad \gamma := \frac{\mathrm{dlog}_T(\tilde e^{\phi(N)})}{\phi(N)} \bmod N^{s-1},$$
$$m := \tilde\alpha_1 x_{i,1} + \tilde\alpha_2 y_{i,1} + \tilde\alpha_3 x_{i,2} + \tilde\alpha_4 y_{i,2} + \tilde\alpha_5 x_{i,3} + \tilde\alpha_6 y_{i,3} + \tilde\alpha_7 x_{i,4} + \tilde\alpha_8 y_{i,4} + \gamma \bmod N^{s-1}. \quad (40)$$
According to (8), for $j \in [4]$ we have that
$$k_j \overset{\mathrm{G}_6}{=} \mathrm{dlog}_T(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}}) = \frac{\mathrm{dlog}_T\big((e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)}\big)}{\phi(N)} \bmod N = \frac{\mathrm{dlog}_T(u_j^{\phi(N) \cdot x_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N) \cdot y_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}$$
$$\overset{\mathrm{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}}_{\gamma'_j},$$
$$m \overset{\mathrm{G}_6}{=} \mathrm{dlog}_T(\tilde e \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}}) \bmod N^{s-1}$$
$$\overset{\mathrm{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}}_{\tilde\alpha_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}}_{\tilde\alpha_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T(\tilde e^{\phi(N)})}{\phi(N)}}_{\gamma}. \quad (41)$$
Hence G7 is essentially the same as G6, and $\Pr_6[\mathsf{Succ}] = \Pr_7[\mathsf{Succ}]$.

Game G8. It is identical to G7 except for the way of answering the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:

(i) If $\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or $\tilde\alpha_1 \neq 0$ or $\cdots$ or $\tilde\alpha_8 \neq 0$, output $\bot$.

Denote by Bad the event that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
$$e_1 u_1^{x_{i,1}} u_2^{y_{i,1}}, \ldots, e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathrm{RU}_{N^2} \ \text{ and } \ \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) \neq \bot \quad (42)$$
$$\text{and } \ \tilde e \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}} \in \mathrm{RU}_{N^s} \ \text{ and } \ t = g_1^{m} \bmod N \quad (43)$$
$$\text{and } \ (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0 \text{ or } \tilde\alpha_1 \neq 0 \text{ or } \cdots \text{ or } \tilde\alpha_8 \neq 0). \quad (44)$$
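The two ways of decrypting a KEM ciphertext in G6 and G7, and the rejection rule of G8, as an added Python example that is not the paper's code. It implements only the KEM part of Figure 8 over constructed parameters ($p = 11$, $q = 47$, $s = 2$, $T = 1 + N$), decrypts once with KEM.Decrypt (RU check, then $\mathrm{dlog}_T$) and once with the $\phi(N)$-based formula (38), and then applies the G8 rule to reject as soon as some $\alpha'_j \neq 0$. A ciphertext whose $u_1$ is multiplied by $T^{\delta}$ (so $u_1 \notin \mathrm{SCR}_{N^2}$) shows what the rule buys: KEM.Decrypt still accepts it and returns $k_1 + \delta x_1 \bmod N$, a value that depends on the secret key, while $\alpha'_1 = \delta \neq 0$ makes G8 reject. The helper names (phi_decrypt, g8_decrypt, ...) are hypothetical.

```python
"""Toy DCR-based KEM of Figure 8 with the G7 decryption and the G8 rule
(added example, not the paper's code).  Constructed parameters below."""
import math
import secrets

P, Q = 11, 47                      # constructed safe primes (5 and 23 are prime)
N = P * Q                          # 517
N2 = N * N
PHI = (P - 1) * (Q - 1)            # phi(N) = 460; invertible mod N
T = 1 + N                          # T = 1 + N generates RU_{N^2} = { T^m }
assert math.gcd(PHI, N) == 1


def rand_unit(mod):
    while True:
        y = secrets.randbelow(mod - 1) + 1
        if math.gcd(y, mod) == 1:
            return y


def rand_scr():
    """Random element of SCR_{N^2} = { y^{2N} mod N^2 : y a unit }."""
    return pow(rand_unit(N2), 2 * N, N2)


def in_ru(x):
    """x in RU_{N^2} iff x is a unit and x = 1 mod N (then x = T^m = 1 + mN)."""
    return math.gcd(x, N2) == 1 and (x - 1) % N == 0


def dlog_T(x):
    """dlog_T(x) for x in RU_{N^2}: T^m = 1 + mN mod N^2, so m = (x - 1)/N."""
    assert in_ru(x)
    return ((x - 1) // N) % N


def par_gen():
    return [rand_scr() for _ in range(5)]          # g_1, ..., g_5


def key_gen(g):
    """KeyGen: h_j = g_j^{-x_j} g_{j+1}^{-y_j}; sk = (x_j, y_j)_{j=1..4}."""
    x = [secrets.randbelow(N2 // 4) + 1 for _ in range(4)]
    y = [secrets.randbelow(N2 // 4) + 1 for _ in range(4)]
    h = [pow(g[j], -x[j], N2) * pow(g[j + 1], -y[j], N2) % N2 for j in range(4)]
    return h, (x, y)


def kem_encrypt(g, h):
    """KEM.Encrypt: u_j = g_j^r, e_j = h_j^r T^{k_j}; returns (k, ai = (u, e))."""
    r = secrets.randbelow(N // 4) + 1
    u = [pow(gj, r, N2) for gj in g]
    k = [secrets.randbelow(N) for _ in range(4)]
    e = [pow(h[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return k, (u, e)


def kem_decrypt(sk, ai):
    """Figure 8 KEM.Decrypt: RU_{N^2} membership check, then dlog_T."""
    x, y = sk
    u, e = ai
    v = [e[j] * pow(u[j], x[j], N2) * pow(u[j + 1], y[j], N2) % N2 for j in range(4)]
    if not all(in_ru(vj) for vj in v):
        return None                                 # ⊥
    return [dlog_T(vj) for vj in v]


def phi_decrypt(sk, ai):
    """Game G7 decryption, equation (38).  alpha'_j = dlog_T(u_j^{phi(N)})/phi(N)
    mod N is the T-component of u_j and is 0 exactly when u_j in SCR_{N^2}."""
    x, y = sk
    u, e = ai
    inv_phi = pow(PHI, -1, N)
    alpha = [dlog_T(pow(uj, PHI, N2)) * inv_phi % N for uj in u]
    gamma = [dlog_T(pow(ej, PHI, N2)) * inv_phi % N for ej in e]
    k = [(alpha[j] * x[j] + alpha[j + 1] * y[j] + gamma[j]) % N for j in range(4)]
    return k, alpha


def g8_decrypt(sk, ai):
    """G8 rule: output ⊥ as soon as some alpha'_j != 0."""
    k, alpha = phi_decrypt(sk, ai)
    return None if any(alpha) else k


def demo(delta=3):
    g = par_gen()
    h, sk = key_gen(g)
    k, (u, e) = kem_encrypt(g, h)
    # constructed malformed ai: u_1 * T^delta leaves SCR_{N^2}, the rest is untouched
    u_bad = [u[0] * pow(T, delta, N2) % N2] + u[1:]
    _, alpha_bad = phi_decrypt(sk, (u_bad, e))
    return {
        "k": k,
        "x1_mod_N": sk[0][0] % N,
        "plain": kem_decrypt(sk, (u, e)),           # == k
        "g8": g8_decrypt(sk, (u, e)),               # == k, all alpha'_j = 0
        "plain_on_bad": kem_decrypt(sk, (u_bad, e)),  # accepted: k_1 + delta*x_1 mod N
        "alpha_bad": alpha_bad,                     # [delta, 0, 0, 0, 0]
        "g8_on_bad": g8_decrypt(sk, (u_bad, e)),    # None (rejected)
    }
```

Both honest decryptions agree because $u_j^{\phi(N)} = 1$ for $u_j \in \mathrm{SCR}_{N^2}$ and $e_j^{\phi(N)} = T^{k_j \phi(N)}$, exactly the computation in (41); on the malformed input, $\mathrm{dlog}_T(e_1 u_1'^{x_1} u_2^{y_1})$ is still well defined, which is why the extra $\alpha'$ check, and not the RU check alone, is what keeps the $(\bmod N)$ part of the secret key out of the decrypt oracle.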
Obviously, G8 is identical to G7 unless Bad occurs. Thus $|\Pr_7[\mathsf{Succ}] - \Pr_8[\mathsf{Succ}]| \le \Pr_8[\mathsf{Bad}]$.

To show the computational indistinguishability of G7 and G8, we must prove that $\Pr_8[\mathsf{Bad}]$ is negligible. To this end, Bad is divided into two subevents:

(i) $\mathsf{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
Conditions (42), (43), and $(\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0)$. (45)

(ii) $\widetilde{\mathsf{Bad}}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
Conditions (42), (43), $(\alpha'_1 = \cdots = \alpha'_5 = 0)$, and $(\tilde\alpha_1 \neq 0 \text{ or } \cdots \text{ or } \tilde\alpha_8 \neq 0)$. (46)

Obviously, $\Pr_8[\mathsf{Bad}] \le \Pr_8[\mathsf{Bad}'] + \Pr_8[\widetilde{\mathsf{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathsf{Bad}}]$ to subsequent games. Through the following lemma, we provide the analysis of $\Pr_8[\mathsf{Bad}']$.

Lemma 26. One has $\Pr_8[\mathsf{Bad}'] \le 2 Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. In decrypt of game G8, the challenger will reply $\bot$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\tilde\alpha_1 = \cdots = \tilde\alpha_8 = 0$. Consequently, the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, together with the value of $\phi(N)$, is enough for answering decrypt queries. In particular, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not necessary in decrypt.
$\mathsf{Bad}'$ is further divided into the following two subevents:

(i) $\mathsf{Bad}'$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
Conditions (42), (43), $(\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0)$, and $(\exists j \in [4]:\ \alpha'_j / \alpha_j \neq \alpha'_{j+1} / \alpha_{j+1} \bmod N)$. (47)

(ii) $\mathsf{Bad}'$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
Conditions (42), (43), $(\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0)$, and $(\alpha'_1 / \alpha_1 = \cdots = \alpha'_5 / \alpha_5 \bmod N)$. (48)

Recall that $(\alpha_1, \ldots, \alpha_5)$ are chosen in initialize. We will consider the two subevents in game G8 separately via the following two claims.

Claim 27. One has $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In game G8, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Thus, the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1)$, $(\alpha_2 x_2 + \alpha_3 y_2)$, $(\alpha_3 x_3 + \alpha_4 y_3)$, $(\alpha_4 x_4 + \alpha_5 y_4) \bmod N$: for $j \in [4]$,
$$e_{\ell,j} = h_{i_\ell,j}^{r^* r_\ell} T^{r_\ell \cdot (k_j^* - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 = h_{i_\ell,j}^{r^* r_\ell} T^{r_\ell \cdot (\overbrace{k_j^* - \alpha_j x_j - \alpha_{j+1} y_j}^{\triangleq\, \tilde k_j} - \alpha_j \bar x_{i_\ell,j} - \alpha_{j+1} \bar y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \quad (49)$$

If $\mathsf{Bad}'$-1 occurs, for concreteness say that $\alpha'_1 / \alpha_1 \neq \alpha'_2 / \alpha_2 \bmod N$, then
$$k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar x_{i,1} + \alpha'_2 \bar y_{i,1} + \gamma'_1 \bmod N, \quad (50)$$
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_{\$} \mathbb{Z}_N$, the probability of $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) \neq \bot$ is upper bounded by $\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.
Claim 28. One has $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game G8 the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ involved is through encrypt, which uses the values of $\tilde k_1 := (k_1^* - \alpha_1 x_1 - \alpha_2 y_1)$, $\tilde k_2 := (k_2^* - \alpha_2 x_2 - \alpha_3 y_2)$, $\tilde k_3 := (k_3^* - \alpha_3 x_3 - \alpha_4 y_3)$, $\tilde k_4 := (k_4^* - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k_1^*, k_2^*, k_3^*, k_4^*) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt.

Note that because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $(\tilde k_1, \tilde k_2, \tilde k_3, \tilde k_4)$ are uniformly distributed and independent of $(k_1^*, k_2^*, k_3^*, k_4^*)$. Therefore, it is possible to construct an algorithm that simulates decrypt and encrypt of game G8 without $\mathbf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA encryption oracle of the AIAE_DDH scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathsf{pars}_{\mathsf{AIAE}})$, which has access to the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the AIAE_DDH scheme, where $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \ldots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ in initialize any more, and it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either, and instead it chooses $\tilde{\mathbf{k}} = (\tilde k_1, \tilde k_2, \tilde k_3, \tilde k_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(\bar x_{i_\ell,j}, \bar y_{i_\ell,j}, \tilde k_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(x_{i,j}, y_{i,j})_{j=1}^4$, $i \in [n]$, to compute $\tilde e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathcal{E}c_\ell, \mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4}) \rangle)$ to its own $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle and obtains $\mathsf{aiaec}_\ell$. The final ciphertext is $\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security game, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle will encrypt $\mathcal{E}c_\ell$ with the auxiliary input $\mathsf{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$; that is, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle behaves as $\mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}c_\ell, \mathsf{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to G8. For decrypt, $\mathcal{B}_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like G8.
Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ such that $\mathsf{Bad}'$-2 occurs. For concreteness, say that $r := \alpha'_1 / \alpha_1 = \cdots = \alpha'_5 / \alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
$$k_j = \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N$$
$$= r \cdot k_j^* - r \cdot (k_j^* - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N$$
$$= r \cdot k_j^* - r \cdot (\underbrace{k_j^* - \alpha_j x_j - \alpha_{j+1} y_j}_{= \tilde k_j} - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j \bmod N$$
$$= r \cdot k_j^* + \underbrace{\big( - r \cdot (\tilde k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j \big)}_{\triangleq\, s_j} = r \cdot k_j^* + s_j \bmod N. \quad (51)$$
Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4) \rangle$ as above using $(\bar x_{i,j}, \bar y_{i,j}, \tilde k_j)_{j=1}^4$, and outputs $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiaec})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathsf{ai}, \mathsf{aiaec} \rangle \neq \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiaec}) \neq (\mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathsf{aiaec}_\ell)$ will hold for all $\ell \in [Q_e]$; that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\tilde k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = - r \cdot (\tilde k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously, it satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.

(iii) Finally, if $\mathsf{Bad}'$-2 occurs in this decryption query, then $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) \neq \bot$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, will imply that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game $\mathsf{G}_9$. It is identical to $\mathsf{G}_8$ except for the following differences. In the initialize procedure of game $\mathsf{G}_9$, the challenger picks an independent $\hat{\mathbf{k}}^* = (\hat{k}_1^*, \hat{k}_2^*, \hat{k}_3^*, \hat{k}_4^*) \leftarrow_\$ (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ (the accent distinguishing the independent key is not legible in the source; the hat is used as a stand-in). As for the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathsf{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathsf{aiaec}_\ell$:

(i) $\mathbf{k}_\ell := (r_\ell \hat{k}_1^* + s_{\ell,1}, \dots, r_\ell \hat{k}_4^* + s_{\ell,4})$;
(ii) $\mathsf{aiaec}_\ell \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}c_\ell, \mathsf{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ in the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$.
In $\mathsf{G}_8$, the only place that involves the value of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,

$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell} \cdot T^{r_\ell \cdot (k_j^* - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell} \cdot T^{r_\ell \cdot (k_j^* - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 .
\end{aligned} \qquad (52)$$
Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ nor $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k_1^*, k_2^*, k_3^*, k_4^*)$ is perfectly hidden by $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Therefore the challenger could always employ another $\hat{\mathbf{k}}^* = (\hat{k}_1^*, \dots, \hat{k}_4^*)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption in the encrypt oracle, as in $\mathsf{G}_9$.

Then games $\mathsf{G}_8$ and $\mathsf{G}_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathrm{Succ}] = \Pr_9[\mathrm{Succ}]$ and $\Pr_8[\mathrm{Bad}] = \Pr_9[\mathrm{Bad}]$.

Game $\mathsf{G}_{10}$. It is identical to $\mathsf{G}_9$ except for the way the challenger answers the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $\mathsf{G}_{10}$ the challenger computes $\mathsf{aiaec}_\ell$ in the following way:
(i) $\mathsf{aiaec}_\ell \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathsf{ai}_\ell)$.

Observe that in $\mathsf{G}_9$ and $\mathsf{G}_{10}$, $\hat{\mathbf{k}}^*$ is employed only in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption, where it uses $\mathbf{k}_\ell = r_\ell \cdot \hat{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \dots, s_{\ell,4})$. Any difference between $\mathsf{G}_9$ and $\mathsf{G}_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathrm{Succ}] - \Pr_{10}[\mathrm{Succ}]| \le \mathsf{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\mathrm{Bad}] - \Pr_{10}[\mathrm{Bad}]| \le \mathsf{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in $\mathsf{G}_{10}$ the challenger always computes the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathrm{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.
Lemma 29. One has $\Pr_{10}[\mathrm{Bad}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda)$.

Proof. In $\mathsf{G}_{10}$, neither decrypt nor encrypt uses the values of $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g g_j \bmod \phi(N)/4$ for some base $g \in \mathbb{SCR}_{N^s}$, $j \in [5]$.
Bad is further divided into the following two disjoint subevents. Below, $\tilde{\gamma}_1, \dots, \tilde{\gamma}_8$ denote the eight exponents of the decryption query that are compared against $w_1, \dots, w_5$ (the symbol for these exponents is not legible in the source; $\tilde{\gamma}_j$ is used as a stand-in throughout this proof).

(i) Bad-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying

$$\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde{\gamma}_1 \neq 0 \text{ or } \cdots \text{ or } \tilde{\gamma}_8 \neq 0) \text{ and } \Big( \tfrac{\tilde{\gamma}_1}{w_1} \neq \tfrac{\tilde{\gamma}_2}{w_2} \text{ or } \tfrac{\tilde{\gamma}_3}{w_2} \neq \tfrac{\tilde{\gamma}_4}{w_3} \text{ or } \tfrac{\tilde{\gamma}_5}{w_3} \neq \tfrac{\tilde{\gamma}_6}{w_4} \text{ or } \tfrac{\tilde{\gamma}_7}{w_4} \neq \tfrac{\tilde{\gamma}_8}{w_5} \Big). \qquad (53)$$

(ii) Bad-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying

$$\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde{\gamma}_1 \neq 0 \text{ or } \cdots \text{ or } \tilde{\gamma}_8 \neq 0) \text{ and } \Big( \tfrac{\tilde{\gamma}_1}{w_1} = \tfrac{\tilde{\gamma}_2}{w_2} \text{ and } \tfrac{\tilde{\gamma}_3}{w_2} = \tfrac{\tilde{\gamma}_4}{w_3} \text{ and } \tfrac{\tilde{\gamma}_5}{w_3} = \tfrac{\tilde{\gamma}_6}{w_4} \text{ and } \tfrac{\tilde{\gamma}_7}{w_4} = \tfrac{\tilde{\gamma}_8}{w_5} \Big). \qquad (54)$$
We will analyze the two subevents in game $\mathsf{G}_{10}$ separately via the following two claims.

Claim 30. One has $\Pr_{10}[\mathrm{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Proof. If Bad-1 occurs, for concreteness say that $\tilde{\gamma}_1 / w_1 \neq \tilde{\gamma}_2 / w_2$; then

$$g_1^{m} = g_1^{\tilde{\gamma}_1 x_{i,1} + \tilde{\gamma}_2 y_{i,1} + \cdots} = g_1^{\,\tilde{\gamma}_1 x_1 + \tilde{\gamma}_2 y_1 + \tilde{\gamma}_1 \bar{x}_{i,1} + \tilde{\gamma}_2 \bar{y}_{i,1} + \cdots \bmod \phi(N)/4} \bmod N , \qquad (55)$$

and $(\tilde{\gamma}_1 x_1 + \tilde{\gamma}_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m}$ is uniformly distributed over $\mathbb{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound, $\Pr_{10}[\mathrm{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\mathrm{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $\mathsf{G}_{10}$, if Bad-2 occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathbb{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathbb{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys in the same way as initialize in $\mathsf{G}_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $\mathsf{G}_{10}$ does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g g_j = z_j + w z'_j \bmod \phi(N)/4$.

If Bad-2 occurs in decrypt, for concreteness say that $\tilde{\gamma}_1 / w_1 = \tilde{\gamma}_2 / w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{\tilde{\gamma}_1} = g_1^{\tilde{\gamma}_2} \neq 1$; then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1 \tilde{\gamma}_2 = w_2 \tilde{\gamma}_1 \bmod \phi(N)/4$, or equivalently

$$z_1 \tilde{\gamma}_2 + w z'_1 \tilde{\gamma}_2 = z_2 \tilde{\gamma}_1 + w z'_2 \tilde{\gamma}_1 \bmod \phi(N)/4 . \qquad (56)$$

Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1 \tilde{\gamma}_2 - z'_2 \tilde{\gamma}_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ will succeed in computing the discrete logarithm of $h$ based on $g$, and outputs $w = (z'_1 \tilde{\gamma}_2 - z'_2 \tilde{\gamma}_1)^{-1} \cdot (z_2 \tilde{\gamma}_1 - z_1 \tilde{\gamma}_2) \bmod \phi(N)/4$ to its challenger. Clearly we have $\Pr_{10}[\mathrm{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims.

This completes the proof of Lemma 29. In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of a modular arithmetic circuit (MAC) [10], which is a polynomial-sized circuit computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of modular arithmetic circuits; the only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \dots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \dots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables
How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,

$$x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j} . \qquad (57)$$

Consequently, $f_\ell$ in the $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in the 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,

$$\begin{aligned}
f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) &= f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) \\
&= f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \dots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} .
\end{aligned} \qquad (58)$$
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:

(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1, \dots, c_8)}$ can be extracted by solving the linear system of equations

$$f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \dots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} . \qquad (59)$$

The overall time complexity for computing the coefficients $a_{(c_1, \dots, c_8)}$ is polynomial in $\lambda$.
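The reduction of Section 5.2 carried out end to end, as an added example in Python (not the paper's code): the $8n$-variable function $f_\ell$ is accessed only as a black box, the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})$ are the ones fixed in initialize, and the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ are extracted by sampling $\binom{8+d}{8}$ points and solving the linear system (59). The modulus, the shifts and the sample function $f_\ell$ are constructed for the example; a prime is used in place of the composite $N$ so that every nonzero pivot is invertible.

```python
import itertools
import random

# Constructed toy modulus standing in for the paper's N. It is a prime, so every
# nonzero pivot in the linear system is invertible (with a composite N = pq this
# holds except with negligible probability). One key's variables are laid out as
# in (58): (x_{i,1}, y_{i,1}, x_{i,2}, y_{i,2}, x_{i,3}, y_{i,3}, x_{i,4}, y_{i,4}).
M = (1 << 61) - 1
VARS_PER_KEY = 8


def monomial_exponents(d):
    """All degree tuples c = (c_1, ..., c_8) with 0 <= c_1 + ... + c_8 <= d,
    i.e. the C(8+d, 8) monomials a reduced polynomial f'_ell can contain."""
    return [c for c in itertools.product(range(d + 1), repeat=VARS_PER_KEY)
            if sum(c) <= d]


def eval_monomial(point, c):
    """x_1^{c_1} y_1^{c_2} ... y_4^{c_8} mod M at an 8-variable point."""
    v = 1
    for p, e in zip(point, c):
        v = v * pow(p, e, M) % M
    return v


def expand_to_all_keys(point, shifts, i_ell):
    """Equation (57): rebuild all 8n key variables from the 8 variables of key
    i_ell using only the shifts chosen in initialize:
    x_{i,j} = x_{i_ell,j} + xbar_{i,j} - xbar_{i_ell,j} (same for y)."""
    return [(point[j] + shifts[i][j] - shifts[i_ell][j]) % M
            for i in range(len(shifts)) for j in range(VARS_PER_KEY)]


def solve_mod(A, b):
    """Gauss-Jordan elimination over Z_M; returns None if the system is singular."""
    n = len(A)
    rows = [list(r) + [v] for r, v in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, M)
        rows[col] = [x * inv % M for x in rows[col]]
        for r in range(n):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % M for x, y in zip(rows[r], rows[col])]
    return [r[n] for r in rows]


def reduce_polynomial(f, shifts, i_ell, d, rng):
    """Section 5.2: recover the coefficients a_c of f'_ell from black-box access
    to f (the modular arithmetic circuit). Each repetition picks a random
    8-variable point, feeds the expanded 8n-variable input to f and records the
    output; C(8+d, 8) such rows form the linear system (59) in the unknown a_c."""
    exps = monomial_exponents(d)
    while True:
        pts = [[rng.randrange(M) for _ in range(VARS_PER_KEY)] for _ in exps]
        A = [[eval_monomial(p, c) for c in exps] for p in pts]
        b = [f(expand_to_all_keys(p, shifts, i_ell)) % M for p in pts]
        sol = solve_mod(A, b)
        if sol is not None:                  # resample on a singular draw
            return {c: a for c, a in zip(exps, sol) if a}


def eval_reduced(coeffs, point):
    """Evaluate f'_ell = sum_c a_c * monomial_c at an 8-variable point."""
    return sum(a * eval_monomial(point, c) for c, a in coeffs.items()) % M


def demo(n=2, d=2, seed=1):
    rng = random.Random(seed)

    # Constructed KDM function over 8n = 16 variables, used only as a black box.
    # Variable 8*i + 2*j is x_{i,j} and 8*i + 2*j + 1 is y_{i,j} (0-based i, j).
    def f(v):
        return (3 * v[0] * v[9] + 5 * v[12] ** 2 + v[7] + 11) % M

    # initialize as in Hybrid 0: sk_i = (x_j + xbar_{i,j}, y_j + ybar_{i,j}).
    base = [rng.randrange(M) for _ in range(VARS_PER_KEY)]
    shifts = [[rng.randrange(M) for _ in range(VARS_PER_KEY)] for _ in range(n)]
    sks = [[(b + s) % M for b, s in zip(base, sh)] for sh in shifts]
    i_ell = 0
    coeffs = reduce_polynomial(f, shifts, i_ell, d, rng)
    all_keys = [x for sk in sks for x in sk]
    return {
        "modulus": M,
        "coeffs": coeffs,
        "shifts": shifts,
        "samples": len(monomial_exponents(d)),      # C(8+d, 8) = 45 for d = 2
        "f_on_all_keys": f(all_keys),               # f_ell(sk_1, ..., sk_n)
        "f_reduced_on_target": eval_reduced(coeffs, sks[i_ell]),  # f'_ell(sk_{i_ell})
    }


if __name__ == "__main__":
    out = demo()
    print(len(out["coeffs"]), "monomials recovered from", out["samples"], "samples;",
          "identity (58) holds:", out["f_on_all_keys"] == out["f_reduced_on_target"])
```

For the sample $f_\ell$ above, $f'_\ell$ has six nonzero monomials, and the constant and the two linear coefficients depend on the shift differences exactly as the substitution (57) predicts.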
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,

$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4} . \qquad (60)$$

Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 9.

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial function, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that of Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$–$\mathsf{G}_4$, which are related to the building block $\mathcal{E}$. Next we replace $\mathsf{G}_3$–$\mathsf{G}_4$ with the following hybrids (i.e., Hybrid 1–Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}$.Encrypt part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that

$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4} . \qquad (61)$$

Hybrid 2. Implement $\mathcal{E}$.Encrypt using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.

(i) Invoke $\mathcal{E}$.Encrypt to set up table.
(ii) Invoke $\mathcal{E}$.Decrypt to compute $\hat{v}_0, \dots, \hat{v}_8$ from table (the accent marking the titles recomputed by $\mathcal{E}$.Decrypt is not legible in the source; the hat is used as a stand-in).
(iii) Employ $\hat{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Clearly, $\hat{v}_0, \dots, \hat{v}_8$ computed via $\mathcal{E}$.Decrypt are the same as $v_0, \dots, v_8$ computed via $\mathcal{E}$.Encrypt. Therefore this is just a conceptual change.
[Figure 9: $\mathcal{E}$ designed for a concrete type of monomial function $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The two algorithms, reconstructed from the figure text:]

$\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \dots, 8\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \dots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. table is the $9 \times 8$ array whose row $l$ is $(u_{l,1}, \dots, u_{l,8})$, except that for $l \ge 1$ the diagonal entry is $\tilde{u}_{l,l} := u_{l,l} \cdot v_{l-1}$ (the accent on the masked entries is not legible in the source; $\tilde{u}$ is used as a stand-in). Set $e := v_8 \cdot T^m \bmod N^s$ and $t := g_1^m \bmod N \in \mathbb{Z}_N$. Output $\mathcal{E}c = (\mathsf{table}, e, t)$.

$\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4), \mathcal{E}c)$: parse $\mathcal{E}c = (\mathsf{table}, e, t)$ and compute $\hat{v}_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$, $\hat{v}_1 := (\tilde{u}_{1,1} / \hat{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$, $\hat{v}_2 := u_{2,1}^{-x_1} (\tilde{u}_{2,2} / \hat{v}_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$, $\dots$, $\hat{v}_8 := u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (\tilde{u}_{8,8} / \hat{v}_7)^{-y_4}$. If $e / \hat{v}_8 \in \mathbb{RU}_N$, set $m := \mathrm{dlog}_T(e / \hat{v}_8) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\bot$.

[Figure 10: Security proof of $\mathcal{E}$.Encrypt as an entropy filter for the concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$; panels: Hybrid 1, Hybrid 2, Hybrid 3, Hybrid 3 (Equivalent Form).]

Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.

(i) table is computed similarly to that in $\mathcal{E}$.Encrypt except for a small difference. More precisely, in table the entry located in row 1 and column 1 is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}$.Decrypt to compute $\hat{v}_0, \dots, \hat{v}_8$ from table.
(iii) Compute $e := \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation we have $\hat{v}_0 = v_0$, $\hat{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\hat{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\dots$, $\hat{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) table is computed similarly to that in $\mathcal{E}$.Encrypt except for a small difference. More precisely, the entry located in row 1 and column 1 of table is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$.

(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.

After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle reserves the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $\mathsf{G}_7$–$\mathsf{G}_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in table are elements of $\mathbb{SCR}_{N^s}$; if this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \dots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathrm{Bad}]$ in the proof of Theorem 24.
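The warm-up $\mathcal{E}$ of Figure 9 together with the Hybrid 3 computation above, as an added example in Python (not the paper's code). It uses constructed toy primes for $N = pq$, fixes $s = 2$ so that plaintexts live in $\mathbb{Z}_N$, and omits the tag $t = g_1^m \bmod N$; everything else (the nine rows, the titles $v_l$, the masked diagonal, the CalculateV chain, and the $T^a$ injection of Hybrid 3) follows the figure and the routine calculation $\hat{v}_8 = v_8 \cdot T^{-a x_1 y_1 \cdots x_4 y_4}$.

```python
import random

# Constructed toy parameters (not the paper's): small primes stand in for the
# DCR modulus N = pq, and s = 2 so that the RU_N part carries a message in Z_N.
P, Q = 10007, 10009
N = P * Q
N2 = N * N                       # all group arithmetic is in Z_{N^2}^*
T = 1 + N                        # T^m = 1 + m*N (mod N^2): the RU_N subgroup
rng = random.Random(2017)


def setup():
    """g_1..g_5 in SCR_{N^2} (2N-th residues), sk = (x_1, y_1, ..., x_4, y_4)
    from [N^2/4], and pk h_j = g_j^{-x_j} g_{j+1}^{-y_j} as in Section 5.1."""
    g = pow(2, 2 * N, N2)
    gs = [pow(g, rng.randrange(1, N // 4), N2) for _ in range(5)]
    sk = [rng.randrange(N2 // 4) for _ in range(8)]
    pk = [pow(gs[j], -sk[2 * j], N2) * pow(gs[j + 1], -sk[2 * j + 1], N2) % N2
          for j in range(4)]
    return gs, sk, pk


def fresh_row(gs, pk):
    """One row of Figure 9: u_l = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2},
    ..., g_4^{r_4}, g_5^{r_4}) and its title v_l = h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4}."""
    r = [rng.randrange(N // 4) for _ in range(4)]
    u = [pow(gs[j + k], r[j], N2) for j in range(4) for k in (0, 1)]
    v = 1
    for j in range(4):
        v = v * pow(pk[j], r[j], N2) % N2
    return u, v


def build_table(gs, pk, inject=0):
    """Rows 0..8; for l >= 1 the entry in row l, column l is masked by the
    previous title, u_{l,l} * v_{l-1}. inject = a is the Hybrid 3 change: the
    (1,1) entry is additionally multiplied by T^a. Returns (table, v_8)."""
    rows = [fresh_row(gs, pk) for _ in range(9)]
    table = []
    for l, (u, _) in enumerate(rows):
        u = list(u)
        if l >= 1:
            mask = rows[l - 1][1]
            if l == 1:
                mask = mask * pow(T, inject, N2) % N2
            u[l - 1] = u[l - 1] * mask % N2
        table.append(u)
    return table, rows[8][1]


def titles(sk, table):
    """The E.Decrypt chain: v_0 from row 0 directly; for row l >= 1 first strip
    the previous title from column l, then raise column k to -sk_k."""
    vs = []
    for l, u in enumerate(table):
        v = 1
        for col in range(8):
            entry = u[col]
            if l >= 1 and col == l - 1:
                entry = entry * pow(vs[l - 1], -1, N2) % N2
            v = v * pow(entry, -sk[col], N2) % N2
        vs.append(v)
    return vs


def encrypt(gs, pk, m):
    """Honest E.Encrypt (tag t omitted): e = v_8 * T^m mod N^2."""
    table, v8 = build_table(gs, pk)
    return table, v8 * pow(T, m, N2) % N2


def encrypt_kdm_monomial(gs, pk, a):
    """Hybrid 3 (equivalent form): T^a goes into entry (1,1) and e = v_8.
    The secret key is never touched, yet the result decrypts to
    a * x_1 y_1 x_2 y_2 x_3 y_3 x_4 y_4 mod N (see the routine calculation)."""
    table, v8 = build_table(gs, pk, inject=a)
    return table, v8


def decrypt(sk, ct):
    table, e = ct
    v8 = titles(sk, table)[8]
    ratio = e * pow(v8, -1, N2) % N2
    if ratio % N != 1:                  # e / v_8 not in RU_N: reject
        return None
    return (ratio - 1) // N             # dlog_T


def demo():
    gs, sk, pk = setup()
    m = rng.randrange(N)
    table, e = encrypt(gs, pk, m)
    a = rng.randrange(1, N)
    monomial = a
    for k in sk:                        # a * x_1 y_1 ... x_4 y_4 mod N
        monomial = monomial * k % N
    return {
        "honest_roundtrip": decrypt(sk, (table, e)) == m,
        "kdm_ciphertext_decrypts_to_monomial":
            decrypt(sk, encrypt_kdm_monomial(gs, pk, a)) == monomial,
        "tampered_e_rejected": decrypt(sk, (table, e * 2 % N2)) is None,
    }
```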
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial function. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \dots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \dots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each degree tuple $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4)$, we can recover $\hat{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from $\mathsf{table}^{(\mathbf{c})}$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that of Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$–$\mathsf{G}_4$. Next we replace $\mathsf{G}_3$–$\mathsf{G}_4$ with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the $\mathcal{E}$.Encrypt part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then

$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \dots, c_8) \in \mathcal{S}} a_{(c_1, \dots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta , \qquad (62)$$

where $\delta$ is the constant term $a_{(0, \dots, 0)}$ of $f'_\ell$.

Hybrid 2. Implement $\mathcal{E}$.Encrypt using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
(2) invoke $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Employ $(\hat{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
[Figure 11: (a) $\mathcal{E}$.Encrypt (left) and $\mathcal{E}$.Decrypt (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) TableGen, which generates $\mathsf{table}^{(\mathbf{c})}$ together with a title $v^{(\mathbf{c})}$; (c) CalculateV, which calculates a title $\hat{v}^{(\mathbf{c})}$ from $\mathsf{table}^{(\mathbf{c})}$ using the secret key. The algorithms, reconstructed from the figure text:]

(a) $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$: for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$; $e := \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^m \bmod N^s$; $t := g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}c = ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$.
$\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}c)$: parse $\mathcal{E}c = ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$; for each $\mathbf{c} \in \mathcal{S}$, $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})})^{-1} \in \mathbb{RU}_N$, set $m := \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})})^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\bot$.

(b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \dots, c_8))$: for each $l \in \{0, 1, \dots, \sum_{j=1}^8 c_j\}$, pick $r_{l,1}, \dots, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \dots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. $\mathsf{table}^{(\mathbf{c})}$ has row $l$ equal to $(u_{l,1}, \dots, u_{l,8})$, except that one entry per row $l \ge 1$ is masked by the previous title: in the first $c_1$ rows ($l = 1, \dots, c_1$) column 1 becomes $u_{l,1} \cdot v_{l-1}$, in the next $c_2$ rows ($l = c_1 + 1, \dots, c_1 + c_2$) column 2 becomes $u_{l,2} \cdot v_{l-1}$, and so on up to the last $c_8$ rows ($l = \sum_{j=1}^7 c_j + 1, \dots, \sum_{j=1}^8 c_j$), where column 8 becomes $u_{l,8} \cdot v_{l-1}$. Output $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})} = v_{\sum_{j=1}^8 c_j})$.

(c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4), \mathsf{table}^{(\mathbf{c})}, \mathbf{c} = (c_1, \dots, c_8))$: parse $\mathsf{table}^{(\mathbf{c})} = (u_{l,1}, \dots, u_{l,8})_{l \in \{0, 1, \dots, \sum_{j=1}^8 c_j\}}$; $\hat{v}_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; for each $l \in \{1, \dots, c_1\}$: $\hat{v}_l := (u_{l,1} / \hat{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; for each $l \in \{c_1 + 1, \dots, c_1 + c_2\}$: $\hat{v}_l := u_{l,1}^{-x_1} (u_{l,2} / \hat{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; $\dots$; for each $l \in \{\sum_{j=1}^7 c_j + 1, \dots, \sum_{j=1}^8 c_j\}$: $\hat{v}_l := u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (u_{l,8} / \hat{v}_{l-1})^{-y_4}$. Output $\hat{v}^{(\mathbf{c})} = \hat{v}_{\sum_{j=1}^8 c_j}$.
Clearly, for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, $\hat{v}^{(\mathbf{c})}$ computed via CalculateV is the same as $v^{(\mathbf{c})}$ computed via TableGen. Therefore this change is just conceptual.

Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$:
(1) $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference; more precisely, in $\mathsf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \dots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$; by the $\mathrm{IV}_5$ assumption this difference is computationally undetectable;
(2) extract $\hat{v}^{(\mathbf{c})}$ from the (modified) $\mathsf{table}^{(\mathbf{c})}$ by invoking $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$ we have

$$\hat{v}^{(\mathbf{c})} = v^{(\mathbf{c})} \cdot T^{-a_{(c_1, \dots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} . \qquad (63)$$

Hence

$$\begin{aligned}
e &= \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \\
&= \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \dots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta} .
\end{aligned} \qquad (64)$$

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in $\mathsf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \dots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.

(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.

After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle reserves the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

With a similar argument to that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
Appendix

A. Proof of Claim 19

We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_{\$} \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathsf{AE}}$ and has access to the oracle $\mathsf{encrypt}_{\mathsf{AE}}(\cdot) = \mathsf{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathsf{AIAE}}$ in the same way as in $G'_{1,j}$. That is, it invokes $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, picks $\mathsf{H} \leftarrow_{\$} \mathcal{H}$ randomly, and sets $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathsf{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$.

As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all and instead resorts to its own $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathsf{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, queries its $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $G'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $G'_{1,j}$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If there exists $(\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \ne f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If there exists $(C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \ne (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \ne t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
26 Security and Communication Networks
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ implies that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, the conditions $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$ imply that $\chi^* \ne \chi_j$ and $\mathsf{AE.Decrypt}(\kappa, \chi^*) \ne \perp$; that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $G'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE},\mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3

To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}^b_{IV_5}}(N, g_1, \dots, g_5)$ to solve the $IV_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}.\mathsf{Encrypt}$ as follows. Below, $\mathsf{table}[i,j]$ denotes the entry located in row $i$ and column $j$ of $\mathsf{table}$, and $*_{i,j}$ denotes a challenge value received from the oracle and placed at that position.

(i) For the 0th row of $\mathsf{table}$, $\mathcal{B}$ computes $(\mathsf{table}[0,1], \dots, \mathsf{table}[0,8])$ and $V_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{IV_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(*_{1,1}, *_{1,2}, *, *, *)$, that is,
Case ($b = 0$): $(*_{1,1}, *_{1,2}) = (g_1^{r_1}, g_2^{r_1})$, i.e., the honestly generated entries $(\mathsf{table}[1,1], \mathsf{table}[1,2])$; or
Case ($b = 1$): $(*_{1,1}, *_{1,2}) = (g_1^{r_1} T^{a}, g_2^{r_1})$, i.e., the honestly generated entries with the first one multiplied by $T^{a}$.

$\mathcal{B}$ replaces $\mathsf{table}[1,1]$ by $*_{1,1} \cdot V_0$, which is $g_1^{r_1} \cdot V_0$ if $b = 0$ and $g_1^{r_1} T^{a} \cdot V_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(\mathsf{table}[1,3], \dots, \mathsf{table}[1,8])$ in the 1st row of $\mathsf{table}$ using its public keys and sets the 1st row of $\mathsf{table}$ to be
$$\bigl(\ *_{1,1} \cdot V_0,\ \ *_{1,2},\ \ \mathsf{table}[1,3],\ \cdots,\ \mathsf{table}[1,8]\ \bigr). \quad (\mathrm{B.1})$$
$\mathcal{B}$ also computes $V^*_1$ from $(*_{1,1}, *_{1,2}, \mathsf{table}[1,3], \dots, \mathsf{table}[1,8])$ via
$$V^*_1 := (*_{1,1})^{-x_{i_\ell,1}}\,(*_{1,2})^{-y_{i_\ell,1}}\,\mathsf{table}[1,3]^{-x_{i_\ell,2}} \cdots \mathsf{table}[1,8]^{-y_{i_\ell,4}},$$
which equals Case ($b = 0$): $V^*_1 = V_1$; or Case ($b = 1$): $V^*_1 = V_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{IV_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(*_{2,1}, *_{2,2}, *, *, *)$, that is,
Case ($b = 0$): $(*_{2,1}, *_{2,2}) = (g_1^{r_2}, g_2^{r_2})$, the honestly generated entries $(\mathsf{table}[2,1], \mathsf{table}[2,2])$; or
Case ($b = 1$): $(*_{2,1}, *_{2,2}) = (g_1^{r_2}, g_2^{r_2} T^{a \cdot x_{i_\ell,1}})$, i.e., the second honest entry multiplied by $T^{a \cdot x_{i_\ell,1}}$.

$\mathcal{B}$ replaces $\mathsf{table}[2,2]$ by $*_{2,2} \cdot V^*_1$, that is, $g_2^{r_2} \cdot V_1$ if $b = 0$ and $(g_2^{r_2} T^{a \cdot x_{i_\ell,1}})(V_1 T^{-a \cdot x_{i_\ell,1}}) = g_2^{r_2} \cdot V_1$ if $b = 1$. Thus the new $\mathsf{table}[2,2]$ equals $g_2^{r_2} \cdot V_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(\mathsf{table}[2,3], \dots, \mathsf{table}[2,8])$ in the 2nd row of $\mathsf{table}$ using its public keys and sets the 2nd row of $\mathsf{table}$ to be
$$\bigl(\ *_{2,1},\ \ *_{2,2} \cdot V^*_1,\ \ \mathsf{table}[2,3],\ \cdots,\ \mathsf{table}[2,8]\ \bigr). \quad (\mathrm{B.2})$$
$\mathcal{B}$ also computes $V^*_2$ from $(*_{2,1}, *_{2,2}, \mathsf{table}[2,3], \dots, \mathsf{table}[2,8])$ via
$$V^*_2 := (*_{2,1})^{-x_{i_\ell,1}}\,(*_{2,2})^{-y_{i_\ell,1}}\,\mathsf{table}[2,3]^{-x_{i_\ell,2}} \cdots \mathsf{table}[2,8]^{-y_{i_\ell,4}},$$
which equals Case ($b = 0$): $V^*_2 = V_2$; or Case ($b = 1$): $V^*_2 = V_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{IV_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, *_{3,3}, *_{3,4}, *, *)$, that is,
Case ($b = 0$): $(*_{3,3}, *_{3,4}) = (g_2^{r_3}, g_3^{r_3})$, the honestly generated entries $(\mathsf{table}[3,3], \mathsf{table}[3,4])$; or
Case ($b = 1$): $(*_{3,3}, *_{3,4}) = (g_2^{r_3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_3})$, i.e., the first of these honest entries multiplied by $T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

$\mathcal{B}$ replaces $\mathsf{table}[3,3]$ by $*_{3,3} \cdot V^*_2$; similarly, it is easy to check that the new $\mathsf{table}[3,3]$ equals $g_2^{r_3} \cdot V_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of $\mathsf{table}$ using its public keys and sets the 3rd row of $\mathsf{table}$ to be
$$\bigl(\ \mathsf{table}[3,1],\ \ \mathsf{table}[3,2],\ \ *_{3,3} \cdot V^*_2,\ \ *_{3,4},\ \ \mathsf{table}[3,5],\ \cdots,\ \mathsf{table}[3,8]\ \bigr). \quad (\mathrm{B.3})$$
$\mathcal{B}$ also computes $V^*_3$ from $(\mathsf{table}[3,1], \mathsf{table}[3,2], *_{3,3}, *_{3,4}, \mathsf{table}[3,5], \dots, \mathsf{table}[3,8])$ via
$$V^*_3 := \mathsf{table}[3,1]^{-x_{i_\ell,1}}\,\mathsf{table}[3,2]^{-y_{i_\ell,1}}\,(*_{3,3})^{-x_{i_\ell,2}}\,(*_{3,4})^{-y_{i_\ell,2}}\,\mathsf{table}[3,5]^{-x_{i_\ell,3}} \cdots \mathsf{table}[3,8]^{-y_{i_\ell,4}},$$
which equals Case ($b = 0$): $V^*_3 = V_3$; or Case ($b = 1$): $V^*_3 = V_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ computes $\mathsf{table}$ similarly as above.

(vi) Finally, $\mathcal{B}$ computes $V_0, \dots, V_8$ from $\mathsf{table}$ just as in Hybrids 2 and 3 (also as the original $\mathcal{E}.\mathsf{Decrypt}$ algorithm) and computes $e := V_8 \cdot T^{\,f'_\ell((x_{i_\ell,j},\,y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{\,f'_\ell((x_{i_\ell,j},\,y_{i_\ell,j})_{j\in[4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $IV_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China, Grant nos. 61672346 and 61373153.
References

[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
Table 1: Comparison among PKE schemes achieving either KDM-CCA security or security against the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions. Here we denote by $\lambda$ the security parameter and by $\mathcal{F}_{\mathrm{circ}}$, $\mathcal{F}_{\mathrm{aff}}$, and $\mathcal{F}^d_{\mathrm{poly}}$ the set of selection functions, the set of affine functions, and the set of polynomial functions of bounded degree $d$, respectively. "CCA" indicates that the scheme is KDM-CCA secure. By a special symbol (lost in extraction) we mean that the security proof is not rigorous. $\mathbb{G}$, $\mathbb{Z}_{N^2}$, $\mathbb{Z}_{N^3}$, $\mathbb{Z}_{N^s}$, and $\mathbb{Z}_N$ are the underlying groups, where $s \ge 1$.

| Scheme | Set | CCA | Free of pairing | The size of ciphertext | Assumption |
|---|---|---|---|---|---|
| BHHO08 [4] + CCS09 [11] | $\mathcal{F}_{\mathrm{aff}}$ | ✓ | — | $(6\lambda + 13)\lvert\mathbb{G}\rvert$ | DDH |
| BGK11 [8] | $\mathcal{F}^d_{\mathrm{poly}}$ | — | ✓ | $(\lambda^{d+1})\lvert\mathbb{G}\rvert$ | DDH or LWE |
| MTY11 [10] | $\mathcal{F}^d_{\mathrm{poly}}$ | — | ✓ | $(d + 2)\lvert\mathbb{Z}_{N^s}\rvert$ | DCR |
| Hof13 [15] | $\mathcal{F}_{\mathrm{circ}}$ | ✓ | — | $6\lvert\mathbb{Z}_{N^3}\rvert + 49\lvert\mathbb{G}\rvert$ | DDH & DCR |
| LLJ15 [16] | $\mathcal{F}_{\mathrm{aff}}$ | (symbol lost: proof not rigorous) | ✓ | $3\lvert\mathbb{Z}_{N^2}\rvert + 3\lvert\mathbb{Z}_{N^s}\rvert + \lvert\mathbb{Z}_N\rvert$ | DDH & DCR |
| Our scheme in Section 4 | $\mathcal{F}_{\mathrm{aff}}$ | ✓ | ✓ | $9\lvert\mathbb{Z}_{N^2}\rvert + 9\lvert\mathbb{Z}_{N^s}\rvert + 2\lvert\mathbb{Z}_N\rvert$ | DDH & DCR |
| Our scheme in Section 5 | $\mathcal{F}^d_{\mathrm{poly}}$ | ✓ | ✓ | $9\lvert\mathbb{Z}_{N^2}\rvert + (8d^9 + 1)\lvert\mathbb{Z}_{N^s}\rvert + 2\lvert\mathbb{Z}_N\rvert$ | DDH & DCR |
Figure 1: Our approach of PKE construction. Encryption side: from $\mathsf{pk}$ and $m$, $\mathsf{KEM.Encrypt}$ outputs $\mathsf{k}$ and $\mathsf{kemc}$; $\mathcal{E}.\mathsf{Encrypt}$ outputs $\mathcal{E}\mathsf{c}$; $\mathsf{AIAE.Encrypt}$, keyed with $\mathsf{k}$ and given $\mathsf{ai} = \mathsf{kemc}$, turns $\mathcal{E}\mathsf{c}$ into $\mathsf{aiaec}$. Decryption side: from $\mathsf{sk}$ and $\mathsf{kemc}$, $\mathsf{KEM.Decrypt}$ recovers $\mathsf{k}$; $\mathsf{AIAE.Decrypt}$ recovers $\mathcal{E}\mathsf{c}$; $\mathcal{E}.\mathsf{Decrypt}$ recovers $m$.
Overview of Our Construction. In the construction of our KDM-CCA secure PKE schemes, we adopt a key encapsulation mechanism (KEM) + data encapsulation mechanism (DEM) approach [18] and employ three building blocks, KEM, $\mathcal{E}$, and AIAE, as shown in Figure 1.

(i) KEM and $\mathcal{E}$ share the same pair of public and secret keys.
(ii) A key $\mathsf{k}$ is encapsulated by $\mathsf{KEM.Encrypt}$, and an encapsulation $\mathsf{kemc}$ is generated by $\mathsf{KEM.Encrypt}$ along the way.
(iii) The message $m$ is encrypted by $\mathcal{E}.\mathsf{Encrypt}$, and the resulting $\mathcal{E}$-ciphertext is $\mathcal{E}\mathsf{c}$.
(iv) The key $\mathsf{k}$ generated by KEM is used by $\mathsf{AIAE.Encrypt}$ to encrypt $\mathcal{E}\mathsf{c}$ with auxiliary input $\mathsf{ai} := \mathsf{kemc}$, and the resulting AIAE-ciphertext is $\mathsf{aiaec}$.
(v) The ciphertext of our PKE scheme is $(\mathsf{kemc}, \mathsf{aiaec})$.

Following this approach, we design KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA and KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE schemes, respectively, by constructing specific building blocks.
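The wiring of items (i) to (v), as an added example that is not the paper's scheme: the KEM is a hashed Diffie-Hellman stand-in, $\mathcal{E}$ is an ElGamal-style inner scheme sharing the same key pair, and the AIAE is an encrypt-then-MAC construction whose tag also covers the auxiliary input $\mathsf{ai} = \mathsf{kemc}$. The modulus, base, hash choices and byte layouts are assumptions made for this example so that it runs with the Python standard library alone; nothing here is claimed to be KDM-CCA secure, and the point it shows is that an AIAE ciphertext only decrypts together with the encapsulation it was produced for.

```python
"""Wiring of the KEM + E + AIAE construction in Figure 1 (added example).
Hashed-DH KEM, ElGamal-style inner scheme E and an encrypt-then-MAC AIAE
over a constructed toy modulus; none of this is the paper's scheme and
nothing here is claimed to be KDM-CCA secure."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # constructed toy modulus (a Mersenne prime; NOT a secure parameter)
G = 3            # fixed base; KEM and E both work in the group generated by G mod P
NONCE_LEN, TAG_LEN, ELEM_LEN = 16, 32, 16   # ELEM_LEN: bytes needed for an element < P


def keygen():
    """One key pair, shared by KEM and E as in item (i) of the overview."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


def kem_encrypt(pk):
    """Item (ii): returns (k, kemc) with k = SHA-256(pk^r) and kemc = G^r."""
    r = secrets.randbelow(P - 2) + 1
    kemc = pow(G, r, P)
    k = hashlib.sha256(pow(pk, r, P).to_bytes(ELEM_LEN, "big")).digest()
    return k, kemc


def kem_decrypt(sk, kemc):
    return hashlib.sha256(pow(kemc, sk, P).to_bytes(ELEM_LEN, "big")).digest()


def e_encrypt(pk, m):
    """Item (iii): inner scheme E (ElGamal) under the same pk; m is an int < P."""
    s = secrets.randbelow(P - 2) + 1
    return pow(G, s, P), m * pow(pk, s, P) % P


def e_decrypt(sk, ec):
    c1, c2 = ec
    return c2 * pow(c1, P - 1 - sk, P) % P          # c1^(-sk) via Fermat


def _subkeys(k):
    return hashlib.sha256(b"enc" + k).digest(), hashlib.sha256(b"mac" + k).digest()


def _keystream(ke, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(ke, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def aiae_encrypt(k, m, ai):
    """AIAE.Encrypt(k, m, ai): encrypt-then-MAC; the tag binds nonce, ct AND ai."""
    ke, km = _subkeys(k)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(m, _keystream(ke, nonce, len(m))))
    tag = hmac.new(km, len(ai).to_bytes(4, "big") + ai + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aiae_decrypt(k, aiaec, ai):
    """AIAE.Decrypt(k, aiaec, ai): returns the message, or None (the paper's ⊥)."""
    ke, km = _subkeys(k)
    nonce, ct, tag = aiaec[:NONCE_LEN], aiaec[NONCE_LEN:-TAG_LEN], aiaec[-TAG_LEN:]
    expect = hmac.new(km, len(ai).to_bytes(4, "big") + ai + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(ke, nonce, len(ct))))


def pke_encrypt(pk, m):
    """Items (ii)-(v): ciphertext (kemc, aiaec) with ai := kemc."""
    k, kemc = kem_encrypt(pk)
    c1, c2 = e_encrypt(pk, m)
    ec_bytes = c1.to_bytes(ELEM_LEN, "big") + c2.to_bytes(ELEM_LEN, "big")
    return kemc, aiae_encrypt(k, ec_bytes, kemc.to_bytes(ELEM_LEN, "big"))


def pke_decrypt(sk, ctxt):
    kemc, aiaec = ctxt
    k = kem_decrypt(sk, kemc)
    ec_bytes = aiae_decrypt(k, aiaec, kemc.to_bytes(ELEM_LEN, "big"))
    if ec_bytes is None:
        return None
    ec = (int.from_bytes(ec_bytes[:ELEM_LEN], "big"), int.from_bytes(ec_bytes[ELEM_LEN:], "big"))
    return e_decrypt(sk, ec)


def demo():
    """Round trip, plus the check that aiaec is tied to its own kemc."""
    pk, sk = keygen()
    m = int.from_bytes(b"kdm-cca demo", "big")
    kemc, aiaec = pke_encrypt(pk, m)
    _, other_kemc = kem_encrypt(pk)
    return pke_decrypt(sk, (kemc, aiaec)) == m, pke_decrypt(sk, (other_kemc, aiaec)) is None


if __name__ == "__main__":
    print(demo())   # expected: (True, True)
```

The second value returned by `demo()` is the behaviour that item (iv) is designed to give: pairing the same `aiaec` with a different `kemc` changes both the key recovered by `kem_decrypt` and the auxiliary input, so the tag check fails and the decryptor outputs ⊥ instead of a related plaintext.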
Differences to Conference Version. This paper constitutes an extended full version of [17]. The new results in this paper are as follows:

(i) In contrast to presenting a concrete construction of AIAE in the conference paper, we give a general paradigm for constructing AIAE from a one-time secure authenticated encryption (AE) and a tag-based hash proof system (HPS) in this paper.
(a) In Section 3.2, we show that the resulting AIAE is IND-RKA secure and weak-INT-RKA secure as long as the underlying tag-based HPS is universal$_2$, extracting, and key-homomorphic.
(b) In Section 3.3, we give an instantiation of tag-based HPS based on the DDH assumption. Following our paradigm, we obtain a DDH-based AIAE scheme in Section 3.4.
We view the specific AIAE proposed in the conference paper as an instantiation of the general paradigm presented in this paper.
(ii) In this paper, we provide the full proofs of the theorems regarding the KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security and KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security of our PKEs. Compared with the conference paper, we add the proofs of Lemmas 16, 18, 25, 26, and 29 and the proof of indistinguishability between Hybrids 2 and 3 in Section 5.3.
2. Preliminaries

Throughout this paper, denote by $\lambda \in \mathbb{N}$ the security parameter. $y \leftarrow_{\$} \mathcal{Y}$ means choosing an element $y$ from set $\mathcal{Y}$ uniformly. $y \leftarrow_{\$} \mathsf{A}(x; r)$ means executing algorithm $\mathsf{A}$ with input $x$ and randomness $r$ and assigning the output to $y$. We sometimes abbreviate this to $y \leftarrow_{\$} \mathsf{A}(x)$. "PPT" is short for probabilistic polynomial-time. For integers $n < m$, we denote $[n] := \{1, 2, \dots, n\}$ and $[n, m] := \{n, n+1, \dots, m\}$. For a security notion YY and a primitive XX, the advantage of a PPT adversary $\mathcal{A}$ is typically denoted by $\mathsf{Adv}^{\mathrm{YY}}_{\mathrm{XX},\mathcal{A}}(\lambda)$, and we denote $\mathsf{Adv}^{\mathrm{YY}}_{\mathrm{XX}}(\lambda) := \max_{\mathrm{PPT}\ \mathcal{A}} \mathsf{Adv}^{\mathrm{YY}}_{\mathrm{XX},\mathcal{A}}(\lambda)$. Let $\mathsf{negl}(\cdot)$ denote an unspecified negligible function.

Figure 2: $n$-KDM[$\mathcal{F}$]-CCA security game. initialize: $\mathsf{pars} \leftarrow_{\$} \mathsf{ParGen}(1^\lambda)$; for $i \in [n]$: $(\mathsf{pk}_i, \mathsf{sk}_i) \leftarrow_{\$} \mathsf{KeyGen}(\mathsf{pars})$; a challenge bit is chosen uniformly from $\{0, 1\}$; output $(\mathsf{pars}, \mathsf{pk}_1, \dots, \mathsf{pk}_n)$. encrypt$(f \in \mathcal{F}, i \in [n])$: $m_1 = f(\mathsf{sk}_1, \dots, \mathsf{sk}_n)$, $m_0 = 0^{|m_1|}$; $\mathsf{pkec} \leftarrow_{\$} \mathsf{Encrypt}(\mathsf{pk}_i, m_{\mathrm{bit}})$ where bit is the challenge bit; add $(\mathsf{pkec}, i)$ to the set of challenge ciphertexts; output $\mathsf{pkec}$. decrypt$(\mathsf{pkec}, i \in [n])$: if $(\mathsf{pkec}, i)$ is in the set of challenge ciphertexts, output $\perp$; otherwise output $\mathsf{Decrypt}(\mathsf{sk}_i, \mathsf{pkec})$. finalize(guess): output whether the guess equals the challenge bit.
Games. We will use games in our security definitions and proofs. Typically, a game G begins with an initialize procedure and ends with a finalize procedure. In the game, there might be other procedures $\mathsf{proc}_1, \dots, \mathsf{proc}_n$ which perform as oracles. All procedures are presented with pseudocode; all sets are initialized as empty sets and all variables are initialized as empty strings. In the execution of a game G with an adversary $\mathcal{A}$, firstly $\mathcal{A}$ calls initialize and obtains its output; then $\mathcal{A}$ makes arbitrary oracle queries to $\mathsf{proc}_i$ according to their specifications and obtains their outputs; finally $\mathcal{A}$ calls finalize. In the end of the execution, if finalize outputs $b$, then we write this as $\mathrm{G}^{\mathcal{A}} \Rightarrow b$. The statement $a \overset{\mathrm{G}}{=} b$ means that in game G, $a$ is computed as $b$ or $a$ equals $b$.

2.1. Public-Key Encryption. There are four PPT algorithms $\mathsf{PKE} = (\mathsf{ParGen}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$ in a public-key encryption (PKE) scheme:
(i) $\mathsf{ParGen}(1^\lambda)$ outputs a public parameter $\mathsf{pars}$. We assume that $\mathsf{pars}$ implicitly defines a secret key space $\mathcal{SK}$ and a message space $\mathcal{M}$.
(ii) $\mathsf{KeyGen}(\mathsf{pars})$ takes $\mathsf{pars}$ as input and outputs a public key $\mathsf{pk}$ and a secret key $\mathsf{sk}$.
(iii) $\mathsf{Encrypt}(\mathsf{pk}, m)$ takes $\mathsf{pk}$ and a message $m \in \mathcal{M}$ as input and outputs a ciphertext $\mathsf{pkec}$.
(iv) $\mathsf{Decrypt}(\mathsf{sk}, \mathsf{pkec})$ takes $\mathsf{sk}$ and a ciphertext $\mathsf{pkec}$ as input and outputs either a message $m$ or a symbol $\perp$ indicating the failure of the decryption.

We require PKE to have perfect correctness; that is, for all possible $\mathsf{pars} \leftarrow_{\$} \mathsf{ParGen}(1^\lambda)$ and all $m \in \mathcal{M}$, we have
$$\Pr\left[(\mathsf{pk}, \mathsf{sk}) \leftarrow_{\$} \mathsf{KeyGen}(\mathsf{pars}) : \mathsf{Decrypt}(\mathsf{sk}, \mathsf{Encrypt}(\mathsf{pk}, m)) = m\right] = 1. \quad (1)$$

Definition 1 (KDM[$\mathcal{F}$]-CCA security). Let $n \in \mathbb{N}$ and let $\mathcal{F}$ denote a set of functions from $(\mathcal{SK})^n$ to $\mathcal{M}$. A scheme PKE is $n$-KDM[$\mathcal{F}$]-CCA secure if for any PPT adversary $\mathcal{A}$, we have $\mathsf{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathsf{PKE},\mathcal{A}}(\lambda) := \left|\Pr[n\text{-KDM}[\mathcal{F}]\text{-CCA}^{\mathcal{A}} \Rightarrow 1] - 1/2\right| \le \mathsf{negl}(\lambda)$, where $n$-KDM[$\mathcal{F}$]-CCA is the security game shown in Figure 2.
2.2. Authenticated Encryption. There are three PPT algorithms $\mathsf{AE} = (\mathsf{AE.ParGen}, \mathsf{AE.Encrypt}, \mathsf{AE.Decrypt})$ in an authenticated encryption (AE) scheme:

(i) $\mathsf{AE.ParGen}(1^\lambda)$ generates a system parameter $\mathsf{pars}_{\mathsf{AE}}$. We require $\mathsf{pars}_{\mathsf{AE}}$ to be an implicit input to other algorithms and assume that $\mathsf{pars}_{\mathsf{AE}}$ implicitly defines a key space $\mathcal{K}_{\mathsf{AE}}$ and a message space $\mathcal{M}$.
(ii) $\mathsf{AE.Encrypt}(\mathsf{k}, m)$ takes a key $\mathsf{k} \in \mathcal{K}_{\mathsf{AE}}$ and a message $m \in \mathcal{M}$ as input and outputs a ciphertext $\mathsf{aec}$.
(iii) $\mathsf{AE.Decrypt}(\mathsf{k}, \mathsf{aec})$ takes a key $\mathsf{k} \in \mathcal{K}_{\mathsf{AE}}$ and a ciphertext $\mathsf{aec}$ as input and outputs a message $m \in \mathcal{M}$ or a symbol $\perp$.

We require AE to have perfect correctness; that is, for all possible $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$, all keys $\mathsf{k} \in \mathcal{K}_{\mathsf{AE}}$, and all $m \in \mathcal{M}$,
$$\Pr\left[\mathsf{AE.Decrypt}(\mathsf{k}, \mathsf{AE.Encrypt}(\mathsf{k}, m)) = m\right] = 1. \quad (2)$$

Definition 2 (one-time security). A scheme AE is one-time secure (OT-secure), that is, IND-OT and INT-OT secure, if for any PPT $\mathcal{A}$, both $\mathsf{Adv}^{\mathrm{ind\text{-}ot}}_{\mathsf{AE},\mathcal{A}}(\lambda) := \left|\Pr[\text{IND-OT}^{\mathcal{A}} \Rightarrow 1] - 1/2\right| \le \mathsf{negl}(\lambda)$ and $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE},\mathcal{A}}(\lambda) := \Pr[\text{INT-OT}^{\mathcal{A}} \Rightarrow 1] \le \mathsf{negl}(\lambda)$, where IND-OT and INT-OT are the security games presented in Figure 3.

2.3. Key Encapsulation Mechanism. There are three PPT algorithms $\mathsf{KEM} = (\mathsf{KEM.KeyGen}, \mathsf{KEM.Encrypt}, \mathsf{KEM.Decrypt})$ in a key encapsulation mechanism (KEM):

(i) $\mathsf{KEM.KeyGen}(1^\lambda)$ generates a public key $\mathsf{pk}$ and a secret key $\mathsf{sk}$.
(ii) $\mathsf{KEM.Encrypt}(\mathsf{pk})$ takes $\mathsf{pk}$ as input and outputs a key $\mathsf{k}$ together with a ciphertext $\mathsf{kemc}$.
(iii) $\mathsf{KEM.Decrypt}(\mathsf{sk}, \mathsf{kemc})$ takes $\mathsf{sk}$ and a ciphertext $\mathsf{kemc}$ as input and outputs either a key $\mathsf{k}$ or a symbol $\perp$.
Figure 3: IND-OT (a) and INT-OT (b) security games. (a) IND-OT: initialize: $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$, $\mathsf{k} \leftarrow_{\$} \mathcal{K}_{\mathsf{AE}}$, a challenge bit is chosen uniformly from $\{0, 1\}$; output $\mathsf{pars}_{\mathsf{AE}}$. encrypt$(m_0, m_1)$ (one query): if $|m_0| \ne |m_1|$, output $\perp$; $\mathsf{aec} \leftarrow_{\$} \mathsf{AE.Encrypt}(\mathsf{k}, m_{\mathrm{bit}})$ where bit is the challenge bit; output $\mathsf{aec}$. finalize(guess): output whether the guess equals the challenge bit. (b) INT-OT: initialize: $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$, $\mathsf{k} \leftarrow_{\$} \mathcal{K}_{\mathsf{AE}}$; output $\mathsf{pars}_{\mathsf{AE}}$. encrypt$(m)$ (one query): $\mathsf{aec} \leftarrow_{\$} \mathsf{AE.Encrypt}(\mathsf{k}, m)$; output $\mathsf{aec}$. finalize$(\mathsf{aec}^*)$: if $\mathsf{aec}^* = \mathsf{aec}$, output 0; output $(\mathsf{AE.Decrypt}(\mathsf{k}, \mathsf{aec}^*) \ne \perp)$.
We require KEM to have perfect correctness; that is, for all possible $(\mathsf{pk}, \mathsf{sk}) \leftarrow_{\$} \mathsf{KEM.KeyGen}(1^\lambda)$, we have
$$\Pr\left[(\mathsf{k}, \mathsf{kemc}) \leftarrow_{\$} \mathsf{KEM.Encrypt}(\mathsf{pk}) : \mathsf{KEM.Decrypt}(\mathsf{sk}, \mathsf{kemc}) = \mathsf{k}\right] = 1. \quad (3)$$

2.4. Tag-Based Hash Proof System: Universal$_2$, Extracting, and Key-Homomorphism. Tag-based hash proof system (HPS) was first defined in [19]. The definition is similar to extended HPS [20], but the universal$_2$ property is slightly different.

Definition 3 (tag-based hash proof system). A tag-based hash proof system $\mathsf{THPS} = (\mathsf{THPS.Setup}, \mathsf{THPS.Pub}, \mathsf{THPS.Priv})$ is comprised of three PPT algorithms:

(i) $\mathsf{THPS.Setup}(1^\lambda)$ outputs a parameterized instance $\mathsf{pars}_{\mathsf{THPS}}$, which implicitly defines $(\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}, \Lambda_{(\cdot)}, \mu)$, where $\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}$ are all finite sets with $\mathcal{V} \subseteq \mathcal{C}$, $\Lambda_{(\cdot)} : \mathcal{C} \times \mathcal{T} \rightarrow \mathcal{K}$ is a set of hash functions indexed by $\mathsf{hk} \in \mathcal{HK}$, and $\mu : \mathcal{HK} \rightarrow \mathcal{PK}$ is a function. We assume that $\mu$ is efficiently computable and there are PPT algorithms sampling $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$ uniformly, sampling $C \leftarrow_{\$} \mathcal{C}$ uniformly, sampling $C \leftarrow_{\$} \mathcal{V}$ uniformly with a witness $w$, and checking membership in $\mathcal{C}$.
(ii) $\mathsf{THPS.Pub}(\mathsf{pk}, C, w, t)$ takes a projection key $\mathsf{pk} = \mu(\mathsf{hk}) \in \mathcal{PK}$, an element $C \in \mathcal{V}$ with a witness $w$, and a tag $t \in \mathcal{T}$ as input and outputs a hash value $K = \Lambda_{\mathsf{hk}}(C, t) \in \mathcal{K}$.
(iii) $\mathsf{THPS.Priv}(\mathsf{hk}, C, t)$ takes a hashing key $\mathsf{hk} \in \mathcal{HK}$, an element $C \in \mathcal{C}$, and a tag $t \in \mathcal{T}$ as input and outputs a hash value $K = \Lambda_{\mathsf{hk}}(C, t) \in \mathcal{K}$ without knowing a witness.

We require THPS to be projective; that is, for all $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, all $\mathsf{hk} \in \mathcal{HK}$ and $\mathsf{pk} = \mu(\mathsf{hk}) \in \mathcal{PK}$, all $C \in \mathcal{V}$ with all witnesses $w$, and all $t \in \mathcal{T}$, it holds that
$$\mathsf{THPS.Pub}(\mathsf{pk}, C, w, t) = \Lambda_{\mathsf{hk}}(C, t) = \mathsf{THPS.Priv}(\mathsf{hk}, C, t). \quad (4)$$

Tag-based HPS is associated with a subset membership problem. Informally speaking, it asks to distinguish the uniform distribution over $\mathcal{V}$ from the uniform distribution over $\mathcal{C} \setminus \mathcal{V}$.

Definition 4 (SMP). The Subset Membership Problem (SMP) related to THPS is hard if for any PPT adversary $\mathcal{A}$ one has
$$\mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS},\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(\mathsf{pars}_{\mathsf{THPS}}, C) = 1] - \Pr[\mathcal{A}(\mathsf{pars}_{\mathsf{THPS}}, C') = 1]\right| \le \mathsf{negl}(\lambda), \quad (5)$$
where $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, $C \leftarrow_{\$} \mathcal{V}$, and $C' \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

Definition 5 (universal$_2$). THPS is called (strongly) universal$_2$ if for all possible $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, all $\mathsf{pk} \in \mathcal{PK}$, all $C \in \mathcal{C}$, all $C' \in \mathcal{C} \setminus \mathcal{V}$, all $t, t' \in \mathcal{T}$ with $t \ne t'$, and all $K, K' \in \mathcal{K}$, it holds that
$$\Pr\left[\Lambda_{\mathsf{hk}}(C', t') = K' \mid \mu(\mathsf{hk}) = \mathsf{pk},\ \Lambda_{\mathsf{hk}}(C, t) = K\right] = \frac{1}{|\mathcal{K}|}, \quad (6)$$
where the probability is over $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$.

The key difference between tag-based HPS and extended HPS lies in the definition of the universal$_2$ property [19]. Extended HPS requires (6) to hold for $(C, t) \ne (C', t')$, while tag-based HPS requires (6) to hold only for $t \ne t'$. Hence
any (universal$_2$) extended HPS is also a (universal$_2$) tag-based HPS, but not vice versa. Tag-based HPS is essentially a weaker variant of extended HPS and admits more efficient constructions.

Dodis et al. [21] defined an extracting property for extended HPS, which requires the hash value $\Lambda_{\mathsf{hk}}(C, t)$ to be uniformly distributed over $\mathcal{K}$ for any $C \in \mathcal{C}$ and $t \in \mathcal{T}$ as long as $\mathsf{hk}$ is randomly chosen from $\mathcal{HK}$. Besides, Xagawa [22] considered a key-homomorphic property for extended HPS, which stipulates that $\Lambda_{\mathsf{hk} + \Delta}(C, t) = \Lambda_{\mathsf{hk}}(C, t) \cdot \Lambda_{\Delta}(C, t)$ holds for any $\mathsf{hk}, \Delta \in \mathcal{HK}$, $C \in \mathcal{C}$, and $t \in \mathcal{T}$. Here we adapt these notions to tag-based HPS.

Definition 6 (extracting). THPS is called extracting if for all $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, all $C \in \mathcal{C}$, all $t \in \mathcal{T}$, and all $K \in \mathcal{K}$, it holds that
$$\Pr\left[\Lambda_{\mathsf{hk}}(C, t) = K\right] = \frac{1}{|\mathcal{K}|}, \quad (7)$$
where $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$.

Definition 7 (key-homomorphism). THPS is called key-homomorphic if for all $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, which defines $(\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}, \Lambda_{(\cdot)}, \mu)$, one has the following:

(i) Both $(\mathcal{HK}, +)$ and $(\mathcal{K}, \cdot)$ are groups.
(ii) For all $C \in \mathcal{C}$ and all $t \in \mathcal{T}$, the mapping $\Lambda_{(\cdot)}(C, t) : \mathcal{HK} \rightarrow \mathcal{K}$ is a group homomorphism. That is, for all $\mathsf{hk}, \mathbf{b} \in \mathcal{HK}$ and all $a \in \mathbb{Z}$, it holds that $\Lambda_{a \cdot \mathsf{hk} + \mathbf{b}}(C, t) = (\Lambda_{\mathsf{hk}}(C, t))^{a} \cdot \Lambda_{\mathbf{b}}(C, t)$.
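A concrete tag-based HPS that satisfies Definitions 3 and 7, written as an added example for this page (it is a textbook Cramer-Shoup-style projective hash over a DDH-type group, not the paper's instantiation from Section 3.3). The group parameters `P`, `Q`, `G1`, `G2` are constructed toy values chosen so the algebra can be checked by hand; the function names are this example's own. It checks the projective property (4), i.e. that `thps_pub` with the witness and `thps_priv` with the hashing key agree on $\mathcal{V}$, and the key-homomorphism of Definition 7 (ii) on elements of $\mathcal{C} \setminus \mathcal{V}$, where no witness exists.

```python
"""Tag-based hash proof system in the Cramer-Shoup style over a constructed
toy group, added to make Definitions 3, 4 and 7 concrete. Textbook
instantiation written for this page, not the paper's Section 3.3 scheme;
the parameters are far too small to be secure."""
import secrets

P, Q = 1019, 509        # toy safe prime P = 2Q + 1 (constructed; NOT secure)
G1, G2 = 4, 9           # non-trivial squares mod P, hence generators of the order-Q subgroup
# Language: C = G_Q x G_Q, V = {(G1^w, G2^w)} with witness w, tags T = Z_Q,
# hashing keys HK = (Z_Q^4, +), hash values K = (G_Q, *).


def mu(hk):
    """Projection: pk = mu(hk) = (G1^k1 G2^k2, G1^k3 G2^k4)."""
    k1, k2, k3, k4 = hk
    return (pow(G1, k1, P) * pow(G2, k2, P) % P,
            pow(G1, k3, P) * pow(G2, k4, P) % P)


def setup():
    """hk <- HK uniformly, together with its projection key."""
    hk = tuple(secrets.randbelow(Q) for _ in range(4))
    return hk, mu(hk)


def sample_v():
    """C <- V with witness w."""
    w = secrets.randbelow(Q)
    return (pow(G1, w, P), pow(G2, w, P)), w


def sample_c_minus_v():
    """C <- C \\ V: exponents w != w', so no witness exists."""
    w = secrets.randbelow(Q)
    w2 = (w + 1 + secrets.randbelow(Q - 1)) % Q
    return pow(G1, w, P), pow(G2, w2, P)


def thps_priv(hk, C, t):
    """THPS.Priv(hk, C, t) = Lambda_hk(C, t) = c1^(k1 + t k3) * c2^(k2 + t k4)."""
    k1, k2, k3, k4 = hk
    c1, c2 = C
    return pow(c1, (k1 + t * k3) % Q, P) * pow(c2, (k2 + t * k4) % Q, P) % P


def thps_pub(pk, C, w, t):
    """THPS.Pub(pk, C, w, t) = pk1^w * pk2^(w t); needs the witness, not hk."""
    pk1, pk2 = pk
    return pow(pk1, w, P) * pow(pk2, w * t % Q, P) % P


def key_combine(a, hk, b):
    """a * hk + b in the group (HK, +), as in Definition 7 (ii)."""
    return tuple((a * x + y) % Q for x, y in zip(hk, b))


def check_projective(trials=20):
    """Equation (4): Pub with the witness equals Priv with the hashing key."""
    for _ in range(trials):
        hk, pk = setup()
        C, w = sample_v()
        t = secrets.randbelow(Q)
        if thps_pub(pk, C, w, t) != thps_priv(hk, C, t):
            return False
    return True


def check_key_homomorphic(trials=20):
    """Definition 7: Lambda_{a hk + b}(C, t) = Lambda_hk(C, t)^a * Lambda_b(C, t),
    checked on elements of C \\ V, where no witness exists."""
    for _ in range(trials):
        hk, _ = setup()
        b, _ = setup()
        a = secrets.randbelow(Q)
        C = sample_c_minus_v()
        t = secrets.randbelow(Q)
        lhs = thps_priv(key_combine(a, hk, b), C, t)
        rhs = pow(thps_priv(hk, C, t), a, P) * thps_priv(b, C, t) % P
        if lhs != rhs:
            return False
    return True


if __name__ == "__main__":
    print(check_projective(), check_key_homomorphic())   # expected: True True
```

The tag enters only through the exponents $k_1 + t k_3$ and $k_2 + t k_4$, which is exactly what Definition 5 exploits: a fresh tag $t' \ne t$ gives a second, independent linear combination of the four key components, so one hash value on a tag $t$ reveals nothing about the hash value on $t'$ for an element outside $\mathcal{V}$.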
2.5. DCR, DDH, DL, and IV$_d$ Assumptions. Suppose that $\mathsf{GenN}(1^\lambda)$ is a PPT algorithm generating $(p, q, N, \bar{N})$, where $p, q$ are safe primes of $\lambda$ bits, $N = pq$, and $\bar{N} = 2N + 1$ is a prime. We define the following:

(i) $\mathbb{QR}_{\bar{N}} := \{a^2 \bmod \bar{N} \mid a \in \mathbb{Z}_{\bar{N}}\}$.

Then $\mathbb{QR}_{\bar{N}}$ is a cyclic group of order $N$. For $s \in \mathbb{N}$ and $T = 1 + N$, we define

(i) $\mathbb{QR}_{N^s} := \{a^2 \bmod N^s \mid a \in \mathbb{Z}^*_{N^s}\}$;
(ii) $\mathbb{SCR}_{N^s} := \{a^{2N^{s-1}} \bmod N^s \mid a \in \mathbb{Z}^*_{N^s}\}$;
(iii) $\mathbb{RU}_{N^s} := \{T^r \bmod N^s \mid r \in [N^{s-1}]\}$.

Then $\mathbb{SCR}_{N^s}$ is a cyclic group of order $\phi(N)/4$ and $\mathbb{QR}_{N^s} = \mathbb{SCR}_{N^s} \otimes \mathbb{RU}_{N^s}$, where $\otimes$ represents the internal direct product.

Damgård and Jurik [23] showed that the discrete logarithm $\mathsf{dlog}_T(u) \in [N^{s-1}]$ of an element $u \in \mathbb{RU}_{N^s}$ can be efficiently computed from $u$ and $N$. Observe that $\mathbb{Z}^*_{N^s} = \mathbb{Z}_2 \otimes \mathbb{Z}'_2 \otimes \mathbb{SCR}_{N^s} \otimes \mathbb{RU}_{N^s}$; thus for any $v = v(\mathbb{Z}_2) \cdot v(\mathbb{Z}'_2) \cdot v(\mathbb{SCR}_{N^s}) \cdot T^{x} \in \mathbb{Z}^*_{N^s}$, we have $v^{\phi(N)} = T^{x \cdot \phi(N)} \in \mathbb{RU}_{N^s}$ and
$$\frac{\mathsf{dlog}_T\left(v^{\phi(N)}\right)}{\phi(N)} \bmod N^{s-1} = x. \quad (8)$$
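The computation behind equation (8), as an added example that is not code from the paper: `dlog_T` is the Damgård–Jurik algorithm [23] for $\mathsf{dlog}_T$ on $\mathbb{RU}_{N^s}$ (the division by $k!$ is done with a modular inverse, which is valid because $\gcd(k!, N) = 1$ for the small $k$ involved), and `extract_x` carries out (8): raise $v$ to $\phi(N)$ to kill the $\mathbb{Z}_2$, $\mathbb{Z}'_2$ and $\mathbb{SCR}_{N^s}$ components, take the discrete logarithm, and divide by $\phi(N)$ modulo $N^{s-1}$. The primes `P_`, `Q_` and the sample exponents are constructed toy values (not safe primes and far too small), so the code only illustrates the arithmetic.

```python
"""Damgård-Jurik discrete logarithm in RU_{N^s} and the extraction of x in
equation (8). Added example with constructed toy primes; the paper itself
gives no code."""
from math import factorial

P_, Q_ = 1009, 1013            # constructed toy primes (NOT safe primes, far too small)
N = P_ * Q_
PHI_N = (P_ - 1) * (Q_ - 1)    # phi(N); the trapdoor used in equation (8)


def dlog_T(u, N, s):
    """Given u = (1+N)^x mod N^s, i.e. u in RU_{N^s}, return x mod N^(s-1).
    Algorithm of Damgård and Jurik [23]: peel off x mod N^j for j = 1..s-1,
    subtracting the binomial terms C(x,k) N^(k-1) with k! inverted mod N^j."""
    x = 0
    for j in range(1, s):
        Nj = N ** j
        t1 = ((u % N ** (j + 1)) - 1) // N      # L(u mod N^(j+1)), L(b) = (b-1)/N
        t2 = x
        for k in range(2, j + 1):
            x -= 1
            t2 = (t2 * x) % Nj                   # x(x-1)...(x-k+1) mod N^j
            t1 = (t1 - t2 * N ** (k - 1) * pow(factorial(k), -1, Nj)) % Nj
        x = t1
    return x


def extract_x(v, N, s, phi_n):
    """Equation (8): for v = v(Z_2) v(Z_2') v(SCR) T^x, v^phi(N) = T^(x phi(N))
    lies in RU_{N^s}; dividing its dlog by phi(N) mod N^(s-1) recovers x."""
    mod = N ** s
    u = pow(v, phi_n, mod)                        # now in RU_{N^s}
    d = dlog_T(u, N, s)                           # x * phi(N) mod N^(s-1)
    return d * pow(phi_n, -1, N ** (s - 1)) % N ** (s - 1)


def scr_element(a, N, s):
    """a^(2 N^(s-1)) mod N^s, an element of SCR_{N^s} by definition (ii)."""
    return pow(a, 2 * N ** (s - 1), N ** s)


def demo(s=3, x=123456789012, a=7):
    """Hide x behind an SCR element and check that (8) recovers it."""
    mod = N ** s
    T = 1 + N
    v = scr_element(a, N, s) * pow(T, x, mod) % mod
    return extract_x(v, N, s, PHI_N) == x % N ** (s - 1)


if __name__ == "__main__":
    print(demo())   # expected: True
```

Without $\phi(N)$ the exponent $x$ stays hidden behind the $\mathbb{SCR}_{N^s}$ factor, which is why knowledge of the factorization of $N$ is what separates the party who can run `extract_x` from one who only sees $v$.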
Definition 8 (DCR assumption). The Decisional Composite Residuosity (DCR) assumption holds for $\mathsf{GenN}$ and $\mathbb{QR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathsf{Adv}^{\mathrm{dcr}}_{\mathsf{GenN},\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(N, u) = 1] - \Pr[\mathcal{A}(N, v) = 1]\right| \le \mathsf{negl}(\lambda), \quad (9)$$
where $(p, q, N, \bar{N}) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, $u \leftarrow_{\$} \mathbb{QR}_{N^s}$, and $v \leftarrow_{\$} \mathbb{SCR}_{N^s}$.

The Interactive Vector ($IV_d$) assumption is implied by the DCR assumption, as shown in [5]. Here we recall the $IV_d$ assumption according to [16].

Definition 9 (IV$_d$ assumption). The $IV_d$ assumption holds for $\mathsf{GenN}$ and $\mathbb{QR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathsf{Adv}^{\mathrm{iv}_d}_{\mathsf{GenN},\mathcal{A}}(\lambda) := \left|\Pr\left[\mathcal{A}^{\mathsf{chal}^b_{IV_d}}(N, g_1, \dots, g_d) = b\right] - \frac{1}{2}\right| \le \mathsf{negl}(\lambda), \quad (10)$$
where $(p, q, N, \bar{N}) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, $g_1, \dots, g_d \leftarrow_{\$} \mathbb{SCR}_{N^s}$, $b \leftarrow_{\$} \{0, 1\}$, and $\mathcal{A}$ is allowed to query the oracle $\mathsf{chal}^b_{IV_d}(\cdot)$ adaptively. Each time $\mathcal{A}$ can submit $(\delta_1, \dots, \delta_d)$ to the oracle, and $\mathsf{chal}^b_{IV_d}(\delta_1, \dots, \delta_d)$ selects $r \leftarrow_{\$} [\lfloor N/4 \rfloor]$ randomly; if $b = 0$, the oracle outputs $(g_1^{r}, \dots, g_d^{r})$ to $\mathcal{A}$; otherwise it outputs $(g_1^{r} T^{\delta_1}, \dots, g_d^{r} T^{\delta_d})$ to $\mathcal{A}$, where $T = 1 + N$.

Definition 10 (DDH assumption). The DDH assumption holds for $\mathsf{GenN}$ and $\mathbb{QR}_{\bar{N}}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathsf{Adv}^{\mathrm{ddh}}_{\mathsf{GenN},\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(\bar{N}, p, q, g_1, g_2, g_1^{x}, g_2^{x}) = 1] - \Pr[\mathcal{A}(\bar{N}, p, q, g_1, g_2, g_1^{x}, g_2^{y}) = 1]\right| \le \mathsf{negl}(\lambda), \quad (11)$$
where $(p, q, N, \bar{N}) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, $g_1, g_2 \leftarrow_{\$} \mathbb{QR}_{\bar{N}}$, and $x, y \leftarrow_{\$} \mathbb{Z}_N \setminus \{0\}$.

Definition 11 (DL assumption). The Discrete Logarithm (DL) assumption holds for $\mathsf{GenN}$ and $\mathbb{SCR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN},\mathcal{A}}(\lambda) := \Pr[\mathcal{A}(N, p, q, g, g^{x}) = x] \le \mathsf{negl}(\lambda), \quad (12)$$
where $(p, q, N, \bar{N}) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, $g \leftarrow_{\$} \mathbb{SCR}_{N^s}$, and $x \leftarrow_{\$} [\phi(N)/4]$.
2.6. Collision-Resistant Hashing

Definition 12 (collision-resistant hashing). Let $\mathcal{H} = \{\mathsf{H} : \mathcal{X} \rightarrow \mathcal{Y}\}$ be a set of hash functions. $\mathcal{H}$ is said to be collision-resistant if for any PPT $\mathcal{A}$ one has
$$\mathsf{Adv}^{\mathrm{cr}}_{\mathcal{H},\mathcal{A}}(\lambda) := \Pr\left[\mathsf{H} \leftarrow_{\$} \mathcal{H},\ (x, x') \leftarrow_{\$} \mathcal{A}(\mathsf{H}) : x \ne x' \wedge \mathsf{H}(x) = \mathsf{H}(x')\right] \le \mathsf{negl}(\lambda). \quad (13)$$
3. Auxiliary-Input Authenticated Encryption

Our PKE constructions in Sections 4 and 5 will resort to a new primitive, AIAE. To serve the KDM-CCA security of our PKE construction in Figure 1, our AIAE should satisfy the following properties:

(i) AIAE must take an auxiliary input ai in both the encryption and decryption algorithms.

(ii) AIAE must have IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. Compared to the INT-$\mathcal{F}$-RKA security proposed in [16], the weak-INT-$\mathcal{F}$-RKA security imposes a special rule to determine whether the adversary's forgery is successful or not.

In the following, we present the syntax of AIAE and define its IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. We also show a general paradigm of AIAE from tag-based HPS and give an instantiation of AIAE under the DDH assumption.

3.1. Auxiliary-Input Authenticated Encryption
Definition 13 (AIAE). There are three PPT algorithms AIAE = (AIAE.ParGen, AIAE.Encrypt, AIAE.Decrypt) in an AIAE scheme.

(i) The parameter generation algorithm AIAE.ParGen($1^\lambda$) generates a system parameter $\mathsf{pars}_{\mathsf{AIAE}}$. We require $\mathsf{pars}_{\mathsf{AIAE}}$ to be an implicit input to the other algorithms and assume that $\mathsf{pars}_{\mathsf{AIAE}}$ implicitly defines a key space $\mathcal{K}_{\mathsf{AIAE}}$, a message space $\mathcal{M}$, and an auxiliary-input space $\mathcal{AI}$.

(ii) The encryption algorithm AIAE.Encrypt($\mathsf{k}, m, \mathsf{ai}$) takes a key $\mathsf{k} \in \mathcal{K}_{\mathsf{AIAE}}$, a message $m \in \mathcal{M}$, and an auxiliary input $\mathsf{ai} \in \mathcal{AI}$ as input, and outputs a ciphertext $\mathsf{aiaec}$.

(iii) The decryption algorithm AIAE.Decrypt($\mathsf{k}, \mathsf{aiaec}, \mathsf{ai}$) takes a key $\mathsf{k} \in \mathcal{K}_{\mathsf{AIAE}}$, a ciphertext $\mathsf{aiaec}$, and an auxiliary input $\mathsf{ai} \in \mathcal{AI}$ as input, and outputs a message $m \in \mathcal{M}$ or a symbol $\perp$.

We require AIAE to have perfect correctness, that is, for all possible $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$, all keys $\mathsf{k} \in \mathcal{K}_{\mathsf{AIAE}}$, all messages $m \in \mathcal{M}$, and all auxiliary inputs $\mathsf{ai} \in \mathcal{AI}$,
$$\Pr\left[\mathsf{AIAE.Decrypt}(\mathsf{k}, \mathsf{AIAE.Encrypt}(\mathsf{k}, m, \mathsf{ai}), \mathsf{ai}) = m\right] = 1. \quad (14)$$
In fact, AIAE is a generalization of traditional AE, and traditional AE can be viewed as AIAE with $\mathcal{AI} = \emptyset$.

Definition 14 (RKA security). Denote by $\mathcal{F}$ a set of functions from $\mathcal{K}_{\mathsf{AIAE}}$ to $\mathcal{K}_{\mathsf{AIAE}}$. A scheme AIAE is IND-$\mathcal{F}$-RKA secure and weak-INT-$\mathcal{F}$-RKA secure if for any PPT $\mathcal{A}$
$$\mathsf{Adv}^{\mathsf{ind\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) := \left| \Pr\left[\mathrm{IND}\text{-}\mathcal{F}\text{-}\mathrm{RKA}^{\mathcal{A}} \Rightarrow 1\right] - \tfrac{1}{2} \right| \le \mathsf{negl}(\lambda),$$
$$\mathsf{Adv}^{\mathsf{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) := \Pr\left[\mathrm{weak}\text{-}\mathrm{INT}\text{-}\mathcal{F}\text{-}\mathrm{RKA}^{\mathcal{A}} \Rightarrow 1\right] \le \mathsf{negl}(\lambda), \quad (15)$$
where IND-$\mathcal{F}$-RKA and weak-INT-$\mathcal{F}$-RKA are the security games presented in Figure 4.
3.2. Generic Construction of AIAE from Tag-Based HPS and OT-Secure AE. Our construction of AIAE needs the following ingredients:

(i) A tag-based hash proof system THPS = (THPS.Setup, THPS.Pub, THPS.Priv), where the hash value space is $\mathcal{K}$, the tag space is $\mathcal{T}$, and the hashing key space is $\mathcal{HK}$.

(ii) A (traditional) authenticated encryption scheme AE = (AE.ParGen, AE.Encrypt, AE.Decrypt), where the message space is $\mathcal{M}$ and the key space is $\mathcal{K}$.

(iii) A set of hash functions $\mathcal{H} = \{\mathsf{H}: \{0,1\}^* \to \mathcal{T}\}$.

We present our AIAE construction AIAE = (AIAE.ParGen, AIAE.Encrypt, AIAE.Decrypt) in Figure 5, whose key space is $\mathcal{K}_{\mathsf{AIAE}} := \mathcal{HK}$, message space is $\mathcal{M}$, and auxiliary-input space is $\mathcal{AI} := \{0,1\}^*$.

By the perfect correctness of AE, it is routine to check that AIAE has perfect correctness.
Theorem 15. If (i) THPS is universal$_2$, extracting, key-homomorphic, and has a hard subset membership problem, (ii) AE is one-time secure, and (iii) $\mathcal{H}$ is collision-resistant, then the scheme AIAE in Figure 5 is IND-$\mathcal{F}_{\mathsf{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA secure. Here
$$\mathcal{F}_{\mathsf{raff}} := \left\{ f_{(a,\mathbf{b})}: \mathsf{hk} \in \mathcal{HK} \mapsto a \cdot \mathsf{hk} + \mathbf{b} \in \mathcal{HK} \;\middle|\; a \in \mathbb{Z}^*_{|\mathcal{K}|},\ \mathbf{b} \in \mathcal{HK} \right\}$$
is the set of restricted affine functions.
Proof of Theorem 15 (IND-$\mathcal{F}_{\mathsf{raff}}$-RKA security). Denote by $\mathcal{A}$ a PPT adversary who is against the IND-$\mathcal{F}_{\mathsf{raff}}$-RKA security and queries the encrypt oracle at most $Q_e$ times. We show the IND-$\mathcal{F}_{\mathsf{raff}}$-RKA security through a series of games. For an event $\mathsf{E}$, we denote by $\Pr_j[\mathsf{E}]$, $\Pr_{j'}[\mathsf{E}]$, and $\Pr_{j''}[\mathsf{E}]$ the probability of $\mathsf{E}$ occurring in games $G_j$, $G'_j$, and $G''_j$, respectively.

Game $G_1$. It is the original IND-$\mathcal{F}_{\mathsf{raff}}$-RKA game. Denote the event $\beta' = \beta$ by Succ. According to the definition, $\mathsf{Adv}^{\mathsf{ind\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) = |\Pr_1[\mathsf{Succ}] - 1/2|$.
Figure 4. IND-$\mathcal{F}$-RKA (a) and weak-INT-$\mathcal{F}$-RKA (b) security games. We note that in the weak-INT-$\mathcal{F}$-RKA game there is a special rule (marked below) of outputting 0 in finalize.

(a) IND-$\mathcal{F}$-RKA game:
  Proc. initialize: $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$; $\mathsf{k} \leftarrow_{\$} \mathcal{K}_{\mathsf{AIAE}}$; $\beta \leftarrow_{\$} \{0,1\}$. Output $\mathsf{pars}_{\mathsf{AIAE}}$.
  Proc. encrypt($m_0, m_1, \mathsf{ai}, f \in \mathcal{F}$): If $|m_0| \ne |m_1|$, output $\perp$. $\mathsf{aiaec} \leftarrow_{\$} \mathsf{AIAE.Encrypt}(f(\mathsf{k}), m_\beta, \mathsf{ai})$. Output $\mathsf{aiaec}$.
  Proc. finalize($\beta'$): Output $(\beta' = \beta)$.

(b) weak-INT-$\mathcal{F}$-RKA game:
  Proc. initialize: $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$; $\mathsf{k} \leftarrow_{\$} \mathcal{K}_{\mathsf{AIAE}}$; $\mathcal{Q}_{\mathsf{ENC}} := \emptyset$; $\mathcal{Q}_{\mathsf{AI\text{-}F}} := \emptyset$. Output $\mathsf{pars}_{\mathsf{AIAE}}$.
  Proc. encrypt($m, \mathsf{ai}, f \in \mathcal{F}$): $\mathsf{aiaec} \leftarrow_{\$} \mathsf{AIAE.Encrypt}(f(\mathsf{k}), m, \mathsf{ai})$; $\mathcal{Q}_{\mathsf{ENC}} := \mathcal{Q}_{\mathsf{ENC}} \cup \{(\mathsf{ai}, f, \mathsf{aiaec})\}$; $\mathcal{Q}_{\mathsf{AI\text{-}F}} := \mathcal{Q}_{\mathsf{AI\text{-}F}} \cup \{(\mathsf{ai}, f)\}$. Output $\mathsf{aiaec}$.
  Proc. finalize($\mathsf{ai}^*, f^* \in \mathcal{F}, \mathsf{aiaec}^*$):
    If $(\mathsf{ai}^*, f^*, \mathsf{aiaec}^*) \in \mathcal{Q}_{\mathsf{ENC}}$, output 0.
    [Special rule] If there exists $(\mathsf{ai}, f) \in \mathcal{Q}_{\mathsf{AI\text{-}F}}$ such that $\mathsf{ai} = \mathsf{ai}^*$ but $f \ne f^*$, output 0.
    Output $(\mathsf{AIAE.Decrypt}(f^*(\mathsf{k}), \mathsf{aiaec}^*, \mathsf{ai}^*) \ne \perp)$.
Figure 5. Generic construction of AIAE from THPS and AE.
  $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$: $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$; $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$; $\mathsf{H} \leftarrow_{\$} \mathcal{H}$. Output $\mathsf{pars}_{\mathsf{AIAE}} = (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$.
  $\mathsf{AIAE.Encrypt}(\mathsf{hk}, m, \mathsf{ai})$: $C \leftarrow_{\$} \mathcal{V}$ with witness $w$; $t := \mathsf{H}(C, \mathsf{ai}) \in \mathcal{T}$; $\kappa := \Lambda_{\mathsf{hk}}(C, t) \in \mathcal{K}$; $\chi \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa, m)$. Output $\langle C, \chi \rangle$.
  $\mathsf{AIAE.Decrypt}(\mathsf{hk}, \langle C, \chi \rangle, \mathsf{ai})$: If $C \notin \mathcal{C}$, output $\perp$. $t := \mathsf{H}(C, \mathsf{ai}) \in \mathcal{T}$; $\kappa := \Lambda_{\mathsf{hk}}(C, t) \in \mathcal{K}$; $m/\perp \leftarrow \mathsf{AE.Decrypt}(\kappa, \chi)$. Output $m/\perp$.
As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_{\ell,0}, m_{\ell,1}, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathsf{raff}}$, the challenger prepares the challenge ciphertext as follows:

(i) pick $C_\ell \leftarrow_{\$} \mathcal{V}$ together with witness $w_\ell$;
(ii) compute $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell) \in \mathcal{T}$;
(iii) compute $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell) \in \mathcal{K}$;
(iv) invoke $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$,

and it outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$.
Game $G_{1,j}$, $j \in [Q_e + 1]$. It is identical to $G_1$, except that for the first $j - 1$ encrypt queries, that is, $\ell \in [j - 1]$, the challenger chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ randomly for the AE scheme.

Clearly $G_{1,1}$ is identical to $G_1$, thus $\Pr_1[\mathsf{Succ}] = \Pr_{1,1}[\mathsf{Succ}]$.

Game $G'_{1,j}$, $j \in [Q_e]$. It is identical to $G_{1,j}$, except that for the $j$-th encrypt query the challenger samples $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $G_{1,j}$ and $G'_{1,j}$ lies in the distribution of $C_j$. In game $G_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $G'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between $G_{1,j}$ and $G'_{1,j}$ results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j}[\mathsf{Succ}] - \Pr_{1,j'}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathsf{smp}}_{\mathsf{THPS}}(\lambda)$.

Game $G''_{1,j}$, $j \in [Q_e]$. It is identical to $G'_{1,j}$, except that for the $j$-th encrypt query the challenger chooses $\kappa_j \leftarrow_{\$} \mathcal{K}$ randomly.
Lemma 16. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.

Proof. For game $G'_{1,j}$ and game $G''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$-th encrypt query. In $G'_{1,j}$, $\kappa_j$ is properly computed, while in $G''_{1,j}$ it is chosen from $\mathcal{K}$ uniformly.

We analyze the information about the key $\mathsf{hk}$ that is used in game $G'_{1,j}$:

(i) For the $\ell$-th ($\ell \in [j - 1]$) query, encrypt does not use $\mathsf{hk}$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$-th ($\ell \in [j + 1, Q_e]$) query, encrypt can use $\mathsf{pk} = \mu(\mathsf{hk})$ to compute $\kappa_\ell$:
$$\begin{aligned}
\kappa_\ell &= \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell), \qquad C_\ell \leftarrow_{\$} \mathcal{V} \text{ with witness } w_\ell \\
&= \left(\Lambda_{\mathsf{hk}}(C_\ell, t_\ell)\right)^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) && \text{via key-homomorphism} \\
&= \left(\mathsf{THPS.Pub}(\mathsf{pk}, C_\ell, w_\ell, t_\ell)\right)^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) && \text{via projective property.}
\end{aligned} \quad (16)$$

(iii) For the $j$-th query, encrypt uses $\Lambda_{\mathsf{hk}}(C_j, t_j)$ to compute $\kappa_j$:
$$\begin{aligned}
\kappa_j &= \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j), \qquad C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V} \\
&= \left(\Lambda_{\mathsf{hk}}(C_j, t_j)\right)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) && \text{via key-homomorphism.}
\end{aligned} \quad (17)$$

Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then, as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also uniformly distributed over $\mathcal{K}$. Consequently, $G'_{1,j}$ is essentially the same as $G''_{1,j}$, and $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.
Now we show that game $G''_{1,j}$ is computationally indistinguishable from game $G_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $G''_{1,j}$ and $G_{1,j+1}$ lies in the distribution of $C_j$ in the $j$-th encrypt query. In game $G''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $G_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j''}[\mathsf{Succ}] - \Pr_{1,j+1}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathsf{smp}}_{\mathsf{THPS}}(\lambda)$.

Game $G_2$. It is identical to $G_{1,Q_e+1}$, except that when answering encrypt queries the challenger invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$.

In game $G_{1,Q_e+1}$ the challenger computes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$; in game $G_2$ the challenger computes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$. Since each $\kappa_\ell$, $\ell \in [Q_e]$, is chosen from $\mathcal{K}$ uniformly at random, by a standard hybrid argument any difference between $G_{1,Q_e+1}$ and $G_2$ results in a PPT adversary against the IND-OT security of AE, so that $|\Pr_{1,Q_e+1}[\mathsf{Succ}] - \Pr_2[\mathsf{Succ}]| \le Q_e \cdot \mathsf{Adv}^{\mathsf{ind\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Finally, in game $G_2$, since the challenge ciphertexts are encryptions of $0^{|m_{\ell,0}|}$, $\beta$ is perfectly hidden from $\mathcal{A}$. So $\Pr_2[\mathsf{Succ}] = 1/2$.

Summing up, we proved the IND-$\mathcal{F}_{\mathsf{raff}}$-RKA security. This completes the proof of Theorem 15 (IND-$\mathcal{F}_{\mathsf{raff}}$-RKA security).
Proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA security). Denote by $\mathcal{A}$ a PPT adversary who is against the weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA security and queries the encrypt oracle at most $Q_e$ times. Similarly, the proof goes through a series of games, which are defined analogously to those of the previous proof.

Game $G_0$. It is the original weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA game. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, the challenger computes the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in similar steps as in the previous proof and outputs $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, the challenger will put $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into a set $\mathcal{Q}_{\mathsf{ENC}}$, put $(\mathsf{ai}_\ell, f_\ell)$ into a set $\mathcal{Q}_{\mathsf{AI\text{-}F}}$, and put $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ into a set $\mathcal{Q}_{\mathsf{TAG}}$. In the end, the adversary outputs a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$, where $f^* = \langle a^*, \mathbf{b}^* \rangle$, and the challenger invokes the finalize procedure as follows:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathsf{ENC}}$, output 0.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathsf{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \ne f^*$, output 0.
(iii) If $C^* \notin \mathcal{C}$, output 0.
(iv) Compute $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$ and $\kappa^* := \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$. Output $(\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp)$.

Denote the event that finalize outputs 1 by Forge. According to the definition, $\mathsf{Adv}^{\mathsf{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) = \Pr_0[\mathsf{Forge}]$.

Game $G_1$. It is identical to $G_0$, except that the following rule is added to the procedure finalize by the challenger:

(i) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathsf{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \ne (C^*, \mathsf{ai}^*)$, output 0.

Since $t_\ell = \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $t^* = \mathsf{H}(C^*, \mathsf{ai}^*)$, any difference between $G_0$ and $G_1$ implies a hash collision of $\mathsf{H}$. So $|\Pr_0[\mathsf{Forge}] - \Pr_1[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathsf{cr}}_{\mathcal{H}}(\lambda)$.

Game $G_{1,j}$, $j \in [Q_e + 1]$. It is identical to $G_1$, except that for the first $j - 1$ encrypt queries, that is, $\ell \in [j - 1]$, the challenger chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ uniformly for the AE scheme.

Clearly $G_{1,1}$ is identical to $G_1$, thus $\Pr_1[\mathsf{Forge}] = \Pr_{1,1}[\mathsf{Forge}]$.

Game $G'_{1,j}$, $j \in [Q_e]$. It is identical to $G_{1,j}$, except that for the $j$-th encrypt query the challenger samples $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $G_{1,j}$ and $G'_{1,j}$ lies in the distribution of $C_j$. In game $G_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $G'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS. We emphasize that the PPT adversary (simulator) is able to check the occurrence of Forge in an efficient way, because the key $\mathsf{hk}$ can be chosen by the simulator itself. Consequently, the difference between $G_{1,j}$ and $G'_{1,j}$ can be reduced to the subset membership problem smoothly.
Lemma 17. For all $j \in [Q_e]$, $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathsf{smp}}_{\mathsf{THPS}}(\lambda)$.

Proof. To bound the difference between $G_{1,j}$ and $G'_{1,j}$, we build an efficient adversary $\mathcal{B}$ solving the subset membership problem. Given $(\mathsf{pars}_{\mathsf{THPS}}, C)$, where $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, $\mathcal{B}$ aims to distinguish $C \leftarrow_{\$} \mathcal{V}$ from $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

$\mathcal{B}$ simulates $G_{1,j}$ or $G'_{1,j}$ for $\mathcal{A}$. Firstly, $\mathcal{B}$ invokes $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$, picks $\mathsf{H} \leftarrow_{\$} \mathcal{H}$ randomly, and sends $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$ to $\mathcal{A}$. Next, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$.

As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathsf{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:

(i) If $\ell \in [j - 1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $G_{1,j}$ and $G'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ randomly, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j + 1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $G_{1,j}$ and $G'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ embeds its own challenge $C$ into $C_j$, that is, $C_j := C$. Then it computes $t_j := \mathsf{H}(C_j, \mathsf{ai}_j)$ and $\kappa_j := \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j)$, and invokes $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_j, m_j)$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into $\mathcal{Q}_{\mathsf{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ into $\mathcal{Q}_{\mathsf{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ into $\mathcal{Q}_{\mathsf{TAG}}$.

Obviously, $\mathcal{B}$ simulates $G_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{V}$ and simulates $G'_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathsf{raff}}$. Then $\mathcal{B}$ decides whether finalize outputs 1 or not with the help of $\mathsf{hk}$:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathsf{ENC}}$, $\mathcal{B}$ outputs 0 (to its own challenger).
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathsf{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \ne f^*$, $\mathcal{B}$ outputs 0.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ outputs 0.
(iv) $\mathcal{B}$ computes $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathsf{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \ne (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ outputs 0.
(vi) $\mathcal{B}$ computes $\kappa^* := \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$ and outputs $(\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp)$.

With the help of $\mathsf{hk}$, $\mathcal{B}$ is able to perfectly simulate finalize just like that in both $G_{1,j}$ and $G'_{1,j}$. Moreover, $\mathcal{B}$ outputs 1 to its own challenger if and only if the event Forge occurs. As a result, we have that $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathsf{smp}}_{\mathsf{THPS},\mathcal{B}}(\lambda)$.

Game $G''_{1,j}$, $j \in [Q_e]$. It is identical to $G'_{1,j}$, except that for the $j$-th encrypt query the challenger chooses $\kappa_j \leftarrow_{\$} \mathcal{K}$ randomly.
Lemma 18. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Forge}] \le \Pr_{1,j''}[\mathsf{Forge}] + \mathsf{Adv}^{\mathsf{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Proof. For game $G'_{1,j}$ and game $G''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$-th encrypt query. In $G'_{1,j}$, $\kappa_j$ is properly computed; in $G''_{1,j}$, $\kappa_j$ is chosen from $\mathcal{K}$ uniformly.

We consider the information about the key $\mathsf{hk}$ that is used in $G'_{1,j}$:

(i) For the $\ell$-th ($\ell \in [j - 1]$) query, encrypt does not use $\mathsf{hk}$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$-th ($\ell \in [j + 1, Q_e]$) query, similar to the proof of Lemma 16, encrypt can use $\mathsf{pk} = \mu(\mathsf{hk})$ to compute $\kappa_\ell$.
(iii) For the $j$-th query, similar to the proof of Lemma 16, encrypt uses $\Lambda_{\mathsf{hk}}(C_j, t_j)$ to compute $\kappa_j$:
$$\kappa_j = \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j) = \left(\Lambda_{\mathsf{hk}}(C_j, t_j)\right)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j), \qquad C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}, \text{ via key-homomorphism.} \quad (18)$$
(iv) The finalize procedure, which defines the event Forge, uses $\Lambda_{\mathsf{hk}}(C^*, t^*)$ to compute $\kappa^*$:
$$\kappa^* = \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) = \left(\Lambda_{\mathsf{hk}}(C^*, t^*)\right)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) \quad \text{via key-homomorphism.} \quad (19)$$

We divide the event Forge into the following two subevents.

(i) Subevent $\mathsf{Forge} \wedge t_j \ne t^*$. Let us first consider the event $t_j \ne t^*$. We show that
$$\Pr_{1,j'}[t_j \ne t^*] = \Pr_{1,j''}[t_j \ne t^*]. \quad (20)$$
By the fact that $C_j \in \mathcal{C} \setminus \mathcal{V}$ and by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then, as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also uniformly distributed over $\mathcal{K}$. Hence $G'_{1,j}$ is the same as $G''_{1,j}$ before $\mathcal{A}$ queries finalize, and consequently $t_j \ne t^*$ occurs with the same probability in $G'_{1,j}$ and $G''_{1,j}$.

Next we consider the event Forge conditioned on $t_j \ne t^*$. We show that
$$\Pr_{1,j'}[\mathsf{Forge} \mid t_j \ne t^*] = \Pr_{1,j''}[\mathsf{Forge} \mid t_j \ne t^*]. \quad (21)$$
Since $t_j \ne t^*$ and $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C^*, t^*)$. With a similar argument, $\kappa_j$ is also uniformly distributed over $\mathcal{K}$. Hence $G'_{1,j}$ is the same as $G''_{1,j}$ when $t_j \ne t^*$, and consequently the probability that Forge occurs in $G'_{1,j}$ and in $G''_{1,j}$, conditioned on $t_j \ne t^*$, is the same.

In conclusion, we have that
$$\Pr_{1,j'}[\mathsf{Forge} \wedge t_j \ne t^*] = \Pr_{1,j''}[\mathsf{Forge} \wedge t_j \ne t^*] \le \Pr_{1,j''}[\mathsf{Forge}]. \quad (22)$$

(ii) Subevent $\mathsf{Forge} \wedge t_j = t^*$. By the new rule added in game $G_1$, $\mathsf{Forge} \wedge t_j = t^*$ implies $(C_j, \mathsf{ai}_j) = (C^*, \mathsf{ai}^*)$. In addition, $\mathsf{Forge} \wedge \mathsf{ai}_j = \mathsf{ai}^*$ implies that $f_j = f^*$, due to the special rule in the weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA game (see Figure 4). Then it is straightforward to check that $\Lambda_{\mathsf{hk}}(C_j, t_j) = \Lambda_{\mathsf{hk}}(C^*, t^*)$ and
$$\kappa_j = \left(\Lambda_{\mathsf{hk}}(C_j, t_j)\right)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) = \left(\Lambda_{\mathsf{hk}}(C^*, t^*)\right)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) = \kappa^*. \quad (23)$$
Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ $(= \Lambda_{\mathsf{hk}}(C^*, t^*))$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then, as long as $a_j$ (which equals $a^*$) lies in $\mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j$ (which equals $\kappa^*$) is also uniformly distributed over $\mathcal{K}$. Also, in this subevent, $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$ implies $\chi^* \ne \chi_j$, since otherwise the forgery would lie in $\mathcal{Q}_{\mathsf{ENC}}$ and finalize would output 0; thus the probability of $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$ is bounded by $\mathsf{Adv}^{\mathsf{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$. So we have the following claim. We present the full description of the reduction in Appendix A.

Claim 19. One has $\Pr_{1,j'}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathsf{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Combining the above two subevents together, Lemma 18 follows.
Now we show that game $G''_{1,j}$ is computationally indistinguishable from game $G_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $G''_{1,j}$ and $G_{1,j+1}$ lies in the distribution of $C_j$ in the $j$-th encrypt query. In game $G''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $G_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Similar to Lemma 17, any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j''}[\mathsf{Forge}] - \Pr_{1,j+1}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathsf{smp}}_{\mathsf{THPS}}(\lambda)$.

Finally, in game $G_{1,Q_e+1}$, note that the challenger does not use $\mathsf{hk}$ to compute $\kappa_\ell$ at all; thus $\mathsf{hk}$ is uniformly random to $\mathcal{A}$. Consequently, in the finalize procedure we have
$$\kappa^* = \left(\Lambda_{\mathsf{hk}}(C^*, t^*)\right)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*). \quad (24)$$
By the extracting property of THPS, $\Lambda_{\mathsf{hk}}(C^*, t^*)$ is uniformly random over $\mathcal{K}$. Therefore, as long as $a^* \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa^*$ is uniformly random over $\mathcal{K}$ as well. Hence the probability of $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$ is bounded by $\mathsf{Adv}^{\mathsf{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$, and we have $\Pr_{1,Q_e+1}[\mathsf{Forge}] \le \mathsf{Adv}^{\mathsf{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

In all, we proved the weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA security. This completes the proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA security).
Remark 20. We emphasize that the special rule in the weak-INT-$\mathcal{F}$-RKA game (cf. Figure 4) plays an essential role in proving Lemma 18. Below is the reason.

Without this special rule, the adversary is allowed to submit $f^*$ $(= \langle a^*, \mathbf{b}^* \rangle)$ which is different from $f_j$ $(= \langle a_j, \mathbf{b}_j \rangle)$ even if $\mathsf{ai}^* = \mathsf{ai}_j$ holds. In this case we cannot expect to employ the INT-OT security of the underlying AE scheme to show that the second subevent ($\mathsf{Forge} \wedge t_j = t^*$) occurs with only negligible probability. To demonstrate the problem clearly, suppose that the adversary $\mathcal{A}$ submits $f_j = \langle a_j, \mathbf{b}_j \rangle$ in the $j$-th encrypt query and submits $f^* = \langle a^*, \mathbf{b}^* \rangle = \langle a_j, \mathbf{b}_j + \Delta \rangle$ in the finalize procedure, where $\Delta$ is a constant. Then we have
$$\begin{aligned}
\kappa^* &= \left(\Lambda_{\mathsf{hk}}(C_j, t_j)\right)^{a_j} \cdot \Lambda_{\mathbf{b}_j + \Delta}(C_j, t_j) \\
&= \left(\Lambda_{\mathsf{hk}}(C_j, t_j)\right)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \cdot \Lambda_{\Delta}(C_j, t_j) = \kappa_j \cdot \Lambda_{\Delta}(C_j, t_j),
\end{aligned} \quad (25)$$
where the second equality follows from the key-homomorphism of THPS. Thus $\kappa^*$ and $\kappa_j$ are closely related but may not be equal; in particular, the quotient $\kappa^*/\kappa_j$ $(= \Lambda_{\Delta}(C_j, t_j))$ is a constant determined by $\Delta$, $C_j$, and $t_j$ alone, all of which the adversary knows.

Consequently, it is hard for us to show that the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs with negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary $\mathcal{A}$, who obtains $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_j, m_j)$ in the $j$-th encrypt query, to generate an AE ciphertext $\chi^*$ satisfying $\mathsf{AE.Decrypt}(\kappa^*, \chi^*)$ $(= \mathsf{AE.Decrypt}(\kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \chi^*))$ $\ne \perp$, it seems that INT-RKA security of AE is required to some extent. We definitely cannot require INT-RKA security for the underlying AE scheme, since we are constructing a (weak) INT-RKA secure (AI)AE scheme AIAE from it. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT-$\mathcal{F}$-RKA game.
3.3. Tag-Based HPS from the DDH Assumption. Qin et al. [19] gave a construction of tag-based HPS from the $d$-LIN assumption. Here we construct a key-homomorphic THPS$_{\mathsf{DDH}}$ under the DDH assumption in Figure 6. With a routine check, the projective property of THPS$_{\mathsf{DDH}}$ follows.

Figure 6. Construction of THPS$_{\mathsf{DDH}}$.
  $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$: $(p, q, N, \bar N) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_{\$} \mathsf{QR}_{\bar N}$. Output $\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2)$, which implicitly defines $(\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{HK}, \Lambda_{(\cdot)}, \mu, \mathcal{T})$:
    $\mathcal{K} = \mathsf{QR}_{\bar N}$; $\mathcal{T} = \mathbb{Z}_N$; $\mathcal{C} = \mathsf{QR}_{\bar N}^2 \setminus \{(1, 1)\}$; $\mathcal{V} = \{(g_1^w, g_2^w) \mid w \in \mathbb{Z}_N \setminus \{0\}\} \subset \mathsf{QR}_{\bar N}^2$; $\mathcal{HK} = (\mathbb{Z}_N)^4$;
    for $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$, $C = (c_1, c_2) \in \mathcal{C}$, and $t \in \mathcal{T}$: $\Lambda_{\mathsf{hk}}(C, t) = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t} \in \mathcal{K}$;
    for $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$: $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) \in \mathsf{QR}_{\bar N}^2$.
  $K \leftarrow \mathsf{THPS.Pub}(\mathsf{pk}, C, w, t)$: Parse $\mathsf{pk} = (h_1, h_2) \in \mathsf{QR}_{\bar N}^2$. Output $K = h_1^w h_2^{wt}$.
  $K \leftarrow \mathsf{THPS.Priv}(\mathsf{hk}, C, t)$: Parse $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$ and $C = (c_1, c_2) \in \mathcal{C}$. Output $K = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}$.

Theorem 21. THPS$_{\mathsf{DDH}}$ in Figure 6 is universal$_2$, extracting, and key-homomorphic. Moreover, the subset membership problem related to THPS$_{\mathsf{DDH}}$ is hard under the DDH assumption for GenN and $\mathsf{QR}_{\bar N}$.

Proof of Theorem 21. Universal$_2$. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, $C' = (g_1^{w'_1}, g_2^{w'_2}) \in \mathcal{C} \setminus \mathcal{V}$, and $t, t' \in \mathcal{T}$ with $t \ne t'$. For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathsf{hk}}(C', t')$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$.
Denote $d := \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$. Firstly, $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + d k_2}, g_1^{k_3 + d k_4})$, which may leak the values of $k_1 + d k_2$ and $k_3 + d k_4$.

Next,
$$\Lambda_{\mathsf{hk}}(C, t) = \left(g_1^{w_1}\right)^{k_1 + k_3 t} \cdot \left(g_2^{w_2}\right)^{k_2 + k_4 t} = g_1^{\overbrace{(w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)}^{\triangleq X}}, \quad (26)$$
which may further leak the value of $X$. Similarly,
$$\Lambda_{\mathsf{hk}}(C', t') = \left(g_1^{w'_1}\right)^{k_1 + k_3 t'} \cdot \left(g_2^{w'_2}\right)^{k_2 + k_4 t'} = g_1^{\overbrace{(w'_1 k_1 + w'_2 d k_2) + t' \cdot (w'_1 k_3 + w'_2 d k_4)}^{\triangleq Y}}. \quad (27)$$
By the fact that $C' = (g_1^{w'_1}, g_2^{w'_2}) \notin \mathcal{V}$, we have $w'_1 \ne w'_2$. Then, as long as $t \ne t'$, $Y$ is independent of $k_1 + d k_2$, $k_3 + d k_4$, and $X$, and consequently $Y$ is uniformly distributed over $\mathbb{Z}_N$. Therefore, conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$, $\Lambda_{\mathsf{hk}}(C', t')$ $(= g_1^Y)$ is uniformly distributed over $\mathcal{K} = \mathsf{QR}_{\bar N}$.

Extracting. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$ and $t \in \mathcal{T}$. For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathsf{hk}}(C, t)$.

By (26), $\Lambda_{\mathsf{hk}}(C, t) = g_1^X$ with $X = (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)$. Since $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, we have $(w_1, w_2) \ne (0, 0)$. Then, when $(k_1, k_2, k_3, k_4)$ is randomly chosen from $(\mathbb{Z}_N)^4$, $X$ is uniformly distributed over $\mathbb{Z}_N$. Consequently, $\Lambda_{\mathsf{hk}}(C, t)$ is uniformly distributed over $\mathcal{K} = \mathsf{QR}_{\bar N}$.

Key-Homomorphism. For all $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$, all $a \in \mathbb{Z}$, all $\mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4$, all $C = (c_1, c_2) \in \mathcal{C}$, and all $t \in \mathcal{T}$, we have $a \cdot \mathsf{hk} + \mathbf{b} = a \cdot (k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) = (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4)$. Then it follows that
$$\begin{aligned}
\Lambda_{a \cdot \mathsf{hk} + \mathbf{b}}(C, t) &= c_1^{(a k_1 + b_1) + (a k_3 + b_3) t} \cdot c_2^{(a k_2 + b_2) + (a k_4 + b_4) t} \\
&= \left(c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}\right)^a \cdot \left(c_1^{b_1 + b_3 t} c_2^{b_2 + b_4 t}\right) = \Lambda_{\mathsf{hk}}(C, t)^a \cdot \Lambda_{\mathbf{b}}(C, t).
\end{aligned} \quad (28)$$

Subset Membership Problem. The subset membership problem related to THPS$_{\mathsf{DDH}}$ requires that $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C = (g_1^w, g_2^w))$ is computationally indistinguishable from $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C' = (g_1^{w_1}, g_2^{w_2}))$, where $C \leftarrow_{\$} \mathcal{V}$ and $C' \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$. It trivially holds under the DDH assumption for GenN and $\mathsf{QR}_{\bar N}$.
34 Instantiation AIAE119863119863119867 from DDH-Based THPS119863119863119867 andOT-Secure AE When plugging the THPSDDH (cf Figure 6)into the paradigm in Figure 5 we immediately obtain anAIAE scheme AIAEDDH under the DDH assumption asshown in Figure 7 The key space isKAIAE = (Z119873)4
By combining Theorem 15 with Theorem 21 we have thefollowing corollary regarding the RKA security of AIAEDDH
Corollary 22 If (i) the DDH assumption holds for GenN
and QR119873 (ii) AE is one-time secure and (iii)H is collision-resistant then the scheme AIAEDDH in Figure 7 is IND-F119903119886119891119891-RKA and weak-INT-F119903119886119891119891-RKA secure HereF119903119886119891119891 fl 119891(119886b) (1198961 1198962 1198963 1198964) isin (Z119873)4 997891rarr (1198861198961 + 1198871 1198861198962 + 1198872 1198861198963 + 1198873 1198861198964 +1198874) isin (Z119873)4 | 119886 isin Zlowast
119873 b = (1198871 1198872 1198873 1198874) isin (Z119873)4Remark 23 OurAIAEDDH enjoys the following property 120581 =1198881198961+11989631199051 sdot1198881198962+11989641199052 will be randomly distributed overQR119873 as longas any element 119896119895 in k = (1198961 1198962 1198963 1198964) is uniformly chosenAs a result the one-time security of AE will guaranteethat AIAEDecrypt(k aiaec ai) =perp holds for any (aiaec ai)except with probability Advint-otAE (120582) le Advweak-int-rkaAIAEDDH
(120582) This
Security and Communication Networks 13
AIAE
(p q N N)ie p q are safe primes N = pq N = 2N + 1 is a prime
g1 g2 QRN parsAE AE H ℋ
Output parsAIAE = (N p q N g1 g2 parsAE H)
AIAEEncrypt(k m ai)
Parse k =
w ZN (c1 c2) = (gw1 gw
2 ) isin QR2N
t = H(c1 c2 C) isin ZN
= ck1+k3t1 middot c
k2+k4t2 isin QRN
AEEncrypt ( m)Output ⟨c1 c2 ⟩
If (c1 c2) notin QR2N
or (c1 c2) = (1 1)
Output perpt = H (c1 c2 ai) isin ZN
= ck1+k3t1 middot c
k2+k4t2 isin QRN
Output AEDecrypt( )
AIAEDecrypt(k ⟨c1 c2 ⟩ ai)
0
Parse k = (k1 k2 k3 k4) isin (ZN)4(k1 k2 k3 k4) isin (ZN)4
larr$
larr$ larr$ larr$
larr$
larr$
ParGen(1)
GenN(1)
ParGen(1)
Figure 7 Construction of AIAEDDH from AE and THPSDDH
fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.
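The following Python program is an added toy instantiation of Figure 7, not the authors' code: it computes the THPS_DDH key $\kappa = c_1^{k_1+k_3 t} c_2^{k_2+k_4 t}$ over $\mathrm{QR}_{\bar N}$ for the constructed safe primes $p = 7$, $q = 47$ (so $N = 329$, $\bar N = 659$), uses SHA-256 in place of the hash family $\mathcal{H}$ and a constructed SHA-256/HMAC encrypt-then-MAC in place of AE, exercises the rejection checks of AIAE.Decrypt together with the affine key class $\mathcal{F}_{\mathrm{raff}}$ of Corollary 22, and verifies the uniformity property of Remark 23 by enumerating $k_1$.

```python
"""Toy instantiation of AIAE_DDH (Figure 7): the THPS_DDH key
kappa = c1^(k1 + k3 t) * c2^(k2 + k4 t) over QR_NBAR, NBAR = 2N + 1, wrapped
around a one-time AE.  All values are constructed for illustration: p = 7 and
q = 47 are toy safe primes (N = 329, NBAR = 659 prime) and the AE is a
SHA-256/HMAC encrypt-then-MAC, not the paper's AE."""
import hashlib
import hmac
import secrets

P, Q = 7, 47                 # toy safe primes: 7 = 2*3 + 1, 47 = 2*23 + 1
N = P * Q                    # 329
NBAR = 2 * N + 1             # 659, prime (checked below), so |QR_NBAR| = N
assert all(NBAR % d for d in range(2, 26))   # 26^2 > 659

def qr_generator():
    """Smallest square mod NBAR of full order N = pq, i.e. g^p != 1 and g^q != 1."""
    for x in range(2, NBAR):
        g = x * x % NBAR
        if pow(g, P, NBAR) != 1 and pow(g, Q, NBAR) != 1:
            return g
    raise ValueError("no generator found")

G1 = qr_generator()                        # pars_AIAE: g1, g2 in QR_NBAR
G2 = pow(G1, 11, NBAR)                     # gcd(11, N) = 1, so g2 generates too
QR = {pow(G1, i, NBAR) for i in range(N)}  # the whole group QR_NBAR

def is_qr(x):
    """Euler's criterion: x in QR_NBAR iff x^N = 1 mod NBAR."""
    return 0 < x < NBAR and pow(x, N, NBAR) == 1

def tag_hash(c1, c2, ai):
    """t = H(c1, c2, ai) in Z_N, with SHA-256 standing in for the hash family."""
    data = c1.to_bytes(2, "big") + c2.to_bytes(2, "big") + ai
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def hps_key(k, c1, c2, t):
    """kappa = c1^(k1 + k3 t) * c2^(k2 + k4 t) mod NBAR."""
    k1, k2, k3, k4 = k
    return pow(c1, (k1 + k3 * t) % N, NBAR) * pow(c2, (k2 + k4 * t) % N, NBAR) % NBAR

def _ae_keys(kappa):
    seed = kappa.to_bytes(2, "big")
    return hashlib.sha256(b"enc" + seed).digest(), hashlib.sha256(b"mac" + seed).digest()

def _stream(enc_key, length):
    blocks = (hashlib.sha256(enc_key + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def ae_encrypt(kappa, m):
    """Toy one-time AE: keystream XOR, then an HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _ae_keys(kappa)
    ct = bytes(a ^ b for a, b in zip(m, _stream(enc_key, len(m))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def ae_decrypt(kappa, chi):
    """Plaintext, or None (bottom) if the tag does not verify under kappa."""
    if len(chi) < 32:
        return None
    enc_key, mac_key = _ae_keys(kappa)
    ct, tag = chi[:-32], chi[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(enc_key, len(ct))))

def aiae_encrypt(k, m, ai, w=None):
    """AIAE.Encrypt(k, m, ai) of Figure 7; w is the DDH exponent (random if None)."""
    w = secrets.randbelow(N) if w is None else w
    c1, c2 = pow(G1, w, NBAR), pow(G2, w, NBAR)
    kappa = hps_key(k, c1, c2, tag_hash(c1, c2, ai))
    return (c1, c2, ae_encrypt(kappa, m))

def aiae_decrypt(k, c, ai):
    """AIAE.Decrypt(k, <c1, c2, chi>, ai) of Figure 7; None stands for bottom."""
    c1, c2, chi = c
    if not (is_qr(c1) and is_qr(c2)) or (c1, c2) == (1, 1):
        return None
    return ae_decrypt(hps_key(k, c1, c2, tag_hash(c1, c2, ai)), chi)

def affine_key(a, b, k):
    """f_{a,b}(k) = (a k1 + b1, ..., a k4 + b4) mod N, the RKA class F_raff of Corollary 22."""
    return tuple((a * kj + bj) % N for kj, bj in zip(k, b))

def check_decrypt_rules():
    """Honest decryption works; a changed ai, a related key, or (c1, c2) = (1, 1) gives bottom."""
    k, m, ai = (12, 34, 56, 78), b"key-dependent payload", b"aux-input"
    c = aiae_encrypt(k, m, ai, w=5)            # gcd(5, N) = 1, so c1 != 1
    # an auxiliary input whose tag t differs (H is only collision-resistant, not injective)
    ai2 = next(x for x in (b"aux-input-%d" % i for i in range(10 ** 4))
               if tag_hash(c[0], c[1], x) != tag_hash(c[0], c[1], ai))
    return (aiae_decrypt(k, c, ai) == m
            and aiae_decrypt(k, c, ai2) is None
            and aiae_decrypt(affine_key(1, (1, 0, 0, 0), k), c, ai) is None
            and aiae_decrypt(k, (1, 1, c[2]), ai) is None)

def check_remark23():
    """Remark 23: with c1 of full order and k1 ranging over Z_N, kappa ranges over all of QR_NBAR."""
    c1, c2, t = pow(G1, 5, NBAR), pow(G2, 5, NBAR), 17
    return {hps_key((k1, 34, 56, 78), c1, c2, t) for k1 in range(N)} == QR
```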
4. PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security
Denote by $\mathsf{AIAE}_{\mathrm{DDH}} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^4$. We need two other building blocks, following the approach in Figure 1:

(i) KEM: to be compatible with this AIAE_DDH, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.

(ii) $\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$, so that after a computationally indistinguishable change, $\mathcal{E}.\mathsf{Encrypt}$ can serve as an entropy filter for the affine function set.

The proposed PKE scheme $\mathsf{PKE} = (\mathsf{ParGen}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$ is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.

The correctness of PKE is guaranteed by the correctness of AIAE_DDH, $\mathcal{E}$, and KEM.
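As an added example that is not part of the paper, the following Python program implements the KEM of Figure 8 for $s = 2$ (the group $\mathbb{Z}^*_{N^2}$ with $T = 1 + N$) on a constructed toy modulus $N = 11 \cdot 47$, and also implements the $\phi(N)$-based decapsulation that game G7 of the proof of Theorem 24 uses in place of KEM.Decrypt (equation (38)); it checks that the two agree on honest encapsulations and on the $(g_j^{r^*} T^{\alpha_j})^{r_\ell}$-shaped ones introduced from game G5 on, where the $\alpha'_j$ become non-zero. All function names and sample values are constructed for this illustration.

```python
"""Toy version of the KEM inside Figure 8 for s = 2, i.e. over Z*_{N^2} with
T = 1 + N: u_j = g_j^r, e_j = h_j^r T^{k_j}, and KEM.Decrypt recovers
k_j = dlog_T(e_j u_j^{x_j} u_{j+1}^{y_j}) mod N.  It also implements the
phi(N)-based decapsulation of game G7 (equation (38)) and checks it on honest
encapsulations and on the (g_j^{r*} T^{alpha_j})^r shape used from game G5 on.
Added example, not the authors' code; N = 11 * 47 is a constructed toy modulus."""
import math
import secrets

P, Q = 11, 47
N = P * Q                   # 517
N2 = N * N
PHI = (P - 1) * (Q - 1)     # 460; gcd(N, phi(N)) = 1 makes "/ phi(N) mod N" meaningful
assert math.gcd(N, PHI) == 1
T = 1 + N                   # T^k = 1 + kN mod N^2, so T generates RU_{N^2}
PHI_INV = pow(PHI, -1, N)   # the division by phi(N) modulo N used in (38)

def dlog_T(z):
    """Discrete log base T on RU_{N^2} = {1 + kN}; None if z is not of that form."""
    z %= N2
    return (z - 1) // N if z % N == 1 else None

def random_scr():
    """Element of SCR_{N^2}: the 2N-th power of a random unit mod N^2."""
    while True:
        mu = secrets.randbelow(N2 - 1) + 1
        if math.gcd(mu, N) == 1:
            return pow(mu, 2 * N, N2)

def keygen(g):
    """KeyGen of Figure 8 (s = 2): h_j = g_j^{-x_j} g_{j+1}^{-y_j} mod N^2."""
    x = [secrets.randbelow(N2 // 4) for _ in range(4)]
    y = [secrets.randbelow(N2 // 4) for _ in range(4)]
    h = [pow(g[j], -x[j], N2) * pow(g[j + 1], -y[j], N2) % N2 for j in range(4)]
    return h, (x, y)

def kem_encrypt(g, h):
    """KEM.Encrypt: ai = (u_1..u_5, e_1..e_4) with u_j = g_j^r and e_j = h_j^r T^{k_j}."""
    r = secrets.randbelow(N // 4)
    k = [secrets.randbelow(N) for _ in range(4)]
    u = [pow(gj, r, N2) for gj in g]
    e = [pow(h[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return k, (u, e)

def kem_decrypt(sk, ai):
    """KEM.Decrypt: k_j = dlog_T(e_j u_j^{x_j} u_{j+1}^{y_j}); None (bottom) unless
    every one of these values lies in RU_{N^2}."""
    (x, y), (u, e) = sk, ai
    k = []
    for j in range(4):
        kj = dlog_T(e[j] * pow(u[j], x[j], N2) * pow(u[j + 1], y[j], N2))
        if kj is None:
            return None
        k.append(kj)
    return k

def kem_decrypt_g7(sk, ai):
    """Game G7, equation (38): alpha'_j = dlog_T(u_j^phi)/phi, gamma'_j = dlog_T(e_j^phi)/phi
    and k_j = alpha'_j x_j + alpha'_{j+1} y_j + gamma'_j mod N.  Returns (k, alpha') so the
    G8 rejection rule (some alpha'_j != 0) can be evaluated by the caller."""
    (x, y), (u, e) = sk, ai
    alpha = [dlog_T(pow(uj, PHI, N2)) * PHI_INV % N for uj in u]
    gamma = [dlog_T(pow(ej, PHI, N2)) * PHI_INV % N for ej in e]
    k = [(alpha[j] * x[j] + alpha[j + 1] * y[j] + gamma[j]) % N for j in range(4)]
    return k, alpha

def g5_style_ai(g, sk, rstar, alpha, r, k):
    """Encrypt-oracle output of game G5: u_j = (g_j^{r*} T^{alpha_j})^r and, as in (30),
    e_j = u_j^{-x_j} u_{j+1}^{-y_j} T^{k_j} computed with the secret key."""
    x, y = sk
    u = [pow(pow(g[j], rstar, N2) * pow(T, alpha[j], N2) % N2, r, N2) for j in range(5)]
    e = [pow(u[j], -x[j], N2) * pow(u[j + 1], -y[j], N2) * pow(T, k[j], N2) % N2
         for j in range(4)]
    return u, e

def check_honest():
    """Honest ai: both decapsulations return k, every alpha'_j is 0 (u_j in SCR_{N^2}),
    and an ai with a tampered e_1 is rejected by KEM.Decrypt."""
    g = [random_scr() for _ in range(5)]
    h, sk = keygen(g)
    k, (u, e) = kem_encrypt(g, h)
    k7, alpha = kem_decrypt_g7(sk, (u, e))
    tampered = (u, [e[0] * 2 % N2] + e[1:])   # 2 is not in RU_{N^2}
    return (kem_decrypt(sk, (u, e)) == k and k7 == k and alpha == [0] * 5
            and kem_decrypt(sk, tampered) is None)

def check_g5_style():
    """G5-shaped ai: both decapsulations still return k, but alpha'_j = alpha_j * r mod N,
    the non-zero values that the G8 rejection rule detects."""
    g = [random_scr() for _ in range(5)]
    h, sk = keygen(g)
    rstar, r = secrets.randbelow(N // 4), secrets.randbelow(N // 4)
    alpha = [secrets.randbelow(N) for _ in range(5)]
    k = [secrets.randbelow(N) for _ in range(4)]
    ai = g5_style_ai(g, sk, rstar, alpha, r, k)
    k7, alpha7 = kem_decrypt_g7(sk, ai)
    return kem_decrypt(sk, ai) == k and k7 == k and alpha7 == [a * r % N for a in alpha]
```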
Theorem 24. If (i) the DCR assumption holds for GenN and $\mathrm{QR}_{N^s}$, (ii) AIAE_DDH is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for GenN and $\mathrm{SCR}_{N^s}$, then the proposed scheme PKE in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.
Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, querying the encrypt oracle at most $Q_e$ times and the decrypt oracle at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.

In the proof, G1-G2 deal with the $n$-user case; G3-G4 are used to eliminate the utilization of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^4$ in the encrypt oracle; the aim of G5-G6 is to use $(x_j, y_j)_{j=1}^4 \bmod N$ to hide a base key $\mathbf{k}^* = (k^*_1, \ldots, k^*_4)$ of AIAE_DDH in the encrypt oracle; G7-G8 are used to eliminate the utilization of $(x_j, y_j)_{j=1}^4 \bmod N$ in the decrypt oracle; in G9-G10, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^* = (k^*_1, \ldots, k^*_4)$ is now concealed by $(x_j, y_j)_{j=1}^4 \bmod N$ perfectly.

Game G0. It is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta' = \beta$ by Succ. According to the definition, $\mathrm{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathsf{PKE},\mathcal{A}}(\lambda) = |\Pr_0[\mathrm{Succ}] - 1/2|$.

For the $i$-th user, $i \in [n]$, let $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ and $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key, respectively.

Game G1. It is identical to G0 except for the way of answering the decrypt query $(\langle \mathsf{ai}, \mathsf{aiaec}\rangle, i \in [n])$. More precisely, the challenger outputs $\bot$ if $\langle \mathsf{ai}, \mathsf{aiaec}\rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell\rangle$ for some $\ell \in [Q_e]$, where $\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell\rangle$ is the challenge ciphertext of the $\ell$-th encrypt oracle query $(f_\ell, i_\ell)$.

Case 1 ($(\langle \mathsf{ai}, \mathsf{aiaec}\rangle, i) = (\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell\rangle, i_\ell)$): decrypt will output $\bot$ in G0, since $(\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell\rangle, i_\ell) \in \mathcal{Q}_{\mathrm{ENC}}$ is prohibited by decrypt.

Case 2 ($\langle \mathsf{ai}, \mathsf{aiaec}\rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell\rangle$ but $i \ne i_\ell$): We show that in G0, decrypt will output $\bot$ due to $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ with overwhelming probability. Recall that $u_{\ell,1} = g_1^{r_\ell}$, $u_{\ell,2} = g_2^{r_\ell}$, $e_{\ell,1} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}}$, so
$$e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}} \cdot (g_1^{r_\ell})^{x_{i,1}} (g_2^{r_\ell})^{y_{i,1}} = \big(h_{i_\ell,1} h_{i,1}^{-1}\big)^{r_\ell}\, T^{k_{\ell,1}} \bmod N^2, \quad (29)$$
where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$-th user and the $i$-th user, respectively, and are uniformly random over $\mathrm{SCR}_{N^s}$.
Figure 8: Construction of PKE from AIAE_DDH. The shadowed parts highlight the algorithms of KEM and $\mathcal{E}$. Here $p, q$ in $\mathsf{pars}_{\mathsf{AIAE}}$ are not provided in $\mathsf{pars}'_{\mathsf{AIAE}}$, since they are not used in AIAE.Encrypt and AIAE.Decrypt of AIAE_DDH. The figure's pseudocode, in text form:

ParGen($1^\lambda$): $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, \bar g_1, \bar g_2, \mathsf{pars}_{\mathsf{AE}}, H) \leftarrow_\$ \mathsf{AIAE.ParGen}(1^\lambda)$, where $N = pq$, $\bar N = 2N+1$, and $\bar g_1, \bar g_2 \in \mathrm{QR}_{\bar N}$; $\mathsf{pars}'_{\mathsf{AIAE}} := (N, \bar N, \bar g_1, \bar g_2, \mathsf{pars}_{\mathsf{AE}}, H)$; $g_1, \ldots, g_5 \leftarrow_\$ \mathrm{SCR}_{N^s}$. Output $\mathsf{pars} = (\mathsf{pars}'_{\mathsf{AIAE}}, g_1, \ldots, g_5)$.

KeyGen($\mathsf{pars}$): $x_1, y_1, \ldots, x_4, y_4 \leftarrow_\$ [\lfloor N^2/4 \rfloor]$; $(h_1, h_2, h_3, h_4) := (g_1^{-x_1} g_2^{-y_1},\ g_2^{-x_2} g_3^{-y_2},\ g_3^{-x_3} g_4^{-y_3},\ g_4^{-x_4} g_5^{-y_4}) \bmod N^s$; $\mathsf{pk} := (h_1, h_2, h_3, h_4)$, $\mathsf{sk} := (x_1, y_1, \ldots, x_4, y_4)$. Output $(\mathsf{pk}, \mathsf{sk})$.

Encrypt($\mathsf{pk}, m$): $(\mathbf{k}, \mathsf{ai}) \leftarrow_\$ \mathsf{KEM.Encrypt}(\mathsf{pk})$; $\mathcal{E}\mathsf{c} \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$; $\mathsf{aiaec} \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}, \mathcal{E}\mathsf{c}, \mathsf{ai})$. Output $\langle \mathsf{ai}, \mathsf{aiaec}\rangle$.

KEM.Encrypt($\mathsf{pk}$): $r \leftarrow_\$ [\lfloor N/4 \rfloor]$; $\mathbf{k} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$; $(u_1, \ldots, u_5) := (g_1^r, \ldots, g_5^r) \bmod N^2$; $(e_1, \ldots, e_4) := (h_1^r T^{k_1}, \ldots, h_4^r T^{k_4}) \bmod N^2$; $\mathsf{ai} := (u_1, \ldots, u_5, e_1, \ldots, e_4)$. Output $(\mathbf{k}, \mathsf{ai})$.

$\mathcal{E}$.Encrypt($\mathsf{pk}, m$) with $m \in [N^{s-1}]$: $r_1, \ldots, r_4 \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(\tilde u_1, \ldots, \tilde u_8) := (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$; $e := h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^m \bmod N^s$; $t := g_1^m \bmod N \in \mathbb{Z}_N$; $\mathcal{E}\mathsf{c} := (\tilde u_1, \ldots, \tilde u_8, e, t)$. Output $\mathcal{E}\mathsf{c}$.

Decrypt($\mathsf{sk}, \langle \mathsf{ai}, \mathsf{aiaec}\rangle$): $\mathbf{k}/\bot \leftarrow \mathsf{KEM.Decrypt}(\mathsf{sk}, \mathsf{ai})$; $\mathcal{E}\mathsf{c}/\bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai})$; $m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}\mathsf{c})$. Output $m/\bot$.

KEM.Decrypt($\mathsf{sk}, \mathsf{ai}$): Parse $\mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. If $e_1 u_1^{x_1} u_2^{y_1}, \ldots, e_4 u_4^{x_4} u_5^{y_4} \in \mathrm{RU}_{N^2}$, then $\mathbf{k} = (k_1, \ldots, k_4) := \big(\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}), \ldots, \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})\big) \bmod N$ and output $\mathbf{k}$; else output $\bot$.

$\mathcal{E}$.Decrypt($\mathsf{sk}, \mathcal{E}\mathsf{c}$): Parse $\mathcal{E}\mathsf{c} = (\tilde u_1, \ldots, \tilde u_8, e, t)$. If $e \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4} \in \mathrm{RU}_{N^s}$, then $m := \mathrm{dlog}_T(e \tilde u_1^{x_1} \tilde u_2^{y_1} \cdots \tilde u_7^{x_4} \tilde u_8^{y_4}) \bmod N^{s-1}$, and output $m$ if $t = g_1^m \bmod N$, else output $\bot$; otherwise output $\bot$.
So $h_{i_\ell,1} h_{i,1}^{-1} \ne 1$; hence $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus G0 and G1 are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$, according to the union bound, and $|\Pr_0[\mathrm{Succ}] - \Pr_1[\mathrm{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Game G2. It is identical to G1 except for the way the challenger samples the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game G2, the challenger first chooses $(x_1, y_1, \ldots, x_4, y_4)$ and $(\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$; next it computes $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) := (x_1, y_1, \ldots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.

Obviously the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence G2 is identical to G1 and $\Pr_1[\mathrm{Succ}] = \Pr_2[\mathrm{Succ}]$.

Game G3. It is identical to G2 except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G3, instead of using the public key $\mathsf{pk}_{i_\ell} = (h_{i_\ell,1}, \ldots, h_{i_\ell,4})$, the challenger uses the secret key $\mathsf{sk}_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \ldots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell,1}, \ldots, e_{\ell,4})$ and $e_\ell$ in the following way:

(i)
$$(e_{\ell,1}, \ldots, e_{\ell,4}) := \big(u_{\ell,1}^{-x_{i_\ell,1}} u_{\ell,2}^{-y_{i_\ell,1}} T^{k_{\ell,1}},\ \ldots,\ u_{\ell,4}^{-x_{i_\ell,4}} u_{\ell,5}^{-y_{i_\ell,4}} T^{k_{\ell,4}}\big) \bmod N^2, \quad (30)$$

(ii)
$$e_\ell := \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \tilde u_{\ell,3}^{-x_{i_\ell,2}} \tilde u_{\ell,4}^{-y_{i_\ell,2}} \tilde u_{\ell,5}^{-x_{i_\ell,3}} \tilde u_{\ell,6}^{-y_{i_\ell,3}} \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_\beta} \bmod N^s. \quad (31)$$

Note that for $j \in [4]$,
$$e_{\ell,j} \overset{\text{G2}}{=} h_{i_\ell,j}^{r_\ell} T^{k_{\ell,j}} = \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_\ell} T^{k_{\ell,j}} \overset{\text{G3}}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} \bmod N^2,$$
Table 2: Brief description of the security proof of Theorem 24.

Game | Changes between adjacent games | Assumptions
G0 | The original $n$-KDM-CCA security game. | --
G1 | decrypt: reject if $\langle \mathsf{ai}, \mathsf{aiaec}\rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell\rangle$ for some $\ell \in [Q_e]$. | G0 $\approx_s$ G1
G2 | initialize: sample the secret keys with $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) = (x_1, y_1, \ldots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4})$. | G1 = G2
G3 | encrypt$(f_\ell, i_\ell)$: use the secret keys to run KEM.Encrypt and $\mathcal{E}$.Encrypt. | G2 = G3
G4 | encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of the secret keys, $\mathcal{E}\mathsf{c}$ is computed with $(\tilde u_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \ldots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \ldots, g_5^{r_{\ell,4}})$. encrypt does not use $(x_j, y_j)_{j=1}^4 \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen. | G3 $\approx_c$ G4 by IV$_5$
G5 | encrypt$(f_\ell, i_\ell)$: kemct ($= \mathsf{ai}$) of KEM.Encrypt is computed with $(u_{\ell,j})_{j \in [5]} = ((g_j^{r^*} T^{\alpha_j})^{r_\ell})_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now KEM.Encrypt encapsulates the four keys $(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}))_{j=1}^4 \bmod N$, but $(k_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | G4 $\approx_c$ G5 by IV$_5$
G6 | encrypt$(f_\ell, i_\ell)$: sample $k_{\ell,j} := r_\ell k^*_j + s_{\ell,j}$ for $j \in [4]$. Now KEM.Encrypt encapsulates the four keys $(r_\ell (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell (\alpha_j \bar x_{i,j} + \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j})_{j=1}^4$, but $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | G5 = G6
G7 | decrypt: use $\phi(N)$ and the secret keys to answer decryption queries. | G6 = G7
G8 | decrypt: add an additional rejection rule. Reject if $\mathrm{Bad}' = (\exists u_j \notin \mathrm{SCR}_{N^2})$ or $\widetilde{\mathrm{Bad}} = (\forall u_j \in \mathrm{SCR}_{N^2}) \wedge (\exists \tilde u_j \notin \mathrm{SCR}_{N^s})$ happens. $\mathrm{Bad}'$ and $\widetilde{\mathrm{Bad}}$ can be detected by using $\phi(N)$. Now only the $(\bmod \phi(N)/4)$ part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^4 \bmod N$ perfectly hides $(k^*_1, \ldots, k^*_4)$ in encrypt; thus $(k^*_1, \ldots, k^*_4)$ is uniform. $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. $\mathrm{Bad}'$ may lead to a fresh successful forgery for AIAE_DDH. | G7 = G8 if neither $\mathrm{Bad}'$ nor $\widetilde{\mathrm{Bad}}$ happens; $\Pr[\mathrm{Bad}'] = \mathrm{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH
G9 | initialize: sample an independent random tuple $(\tilde k^*_1, \ldots, \tilde k^*_4)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell \tilde k^*_j + s_{\ell,j})_{j=1}^4$ in AIAE.Encrypt. | G8 = G9 to the adversary
G10 | encrypt: encrypt zeros instead of the affine function of the secret keys. $\widetilde{\mathrm{Bad}}$ happens with negligible probability since $t = g_1^m \bmod N$ in decrypt. Adversary $\mathcal{A}$ wins with probability $1/2$. | G9 $\approx_c$ G10 by the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH; $\Pr[\widetilde{\mathrm{Bad}}] = \mathrm{negl}$
$$e_\ell \overset{\text{G2}}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}}\, T^{m_\beta} = \big(g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}}\big)^{r_{\ell,1}} \cdots \big(g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}}\big)^{r_{\ell,4}}\, T^{m_\beta} \overset{\text{G3}}{=} \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_\beta} \bmod N^s. \quad (32)$$

Thus G3 is the same as G2 and $\Pr_2[\mathrm{Succ}] = \Pr_3[\mathrm{Succ}]$.

Game G4. It is identical to G3 except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G4, in the case of $\beta = 1$, $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ and $e_\ell$ are computed without the use of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$:

(i)
$$(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8}) := \big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\big) \bmod N^s, \quad (33)$$

(ii)
$$e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}}\, T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \bmod N^s, \quad (34)$$

where $f_\ell = \big((a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4})_{i \in [n]}, c\big) \in \mathcal{F}_{\mathrm{aff}}$. Note that
$$\begin{aligned}
e_\ell &\overset{\text{G4}}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \\
&= \prod_{j=1}^4 \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \\
&= \prod_{j=1}^4 \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j}\right)} \\
&= \prod_{j=1}^4 \big(g_j^{r_{\ell,j}} T^{\sum_{i=1}^n a_{i,j}}\big)^{-x_{i_\ell,j}} \big(g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^n b_{i,j}}\big)^{-y_{i_\ell,j}} \cdot T^{m_1} \\
&= \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_1} \bmod N^s, \quad (35)
\end{aligned}$$
where the third equality follows from $m_1 = \sum_{i=1}^n \big(a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}\big) + c$.

We analyze the difference between G3 and G4 via the following lemma.
Lemma 25. One has $|\Pr_3[\mathrm{Succ}] - \Pr_4[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ is the same in G3 and G4. Therefore, the only divergence between G3 and G4 lies in $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$.

We show that any difference between G3 and G4 results in a PPT adversary $\mathcal{B}_1$ solving the IV$_5$ problem. $\mathcal{B}_1$ is provided with $(N, g_1, \ldots, g_5)$ and has access to its $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle. $\mathcal{B}_1$ simulates game G3 or game G4 for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares pars and generates $(\mathsf{pk}_i, \mathsf{sk}_i)$, $i \in [n]$, as in G3 and G4. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = ((a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4})_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with $(\sum_{i=1}^n a_{i,1}, \sum_{i=1}^n b_{i,1}, *, *, *)$, $(*, \sum_{i=1}^n a_{i,2}, \sum_{i=1}^n b_{i,2}, *, *)$, $(*, *, \sum_{i=1}^n a_{i,3}, \sum_{i=1}^n b_{i,3}, *)$, $(*, *, *, \sum_{i=1}^n a_{i,4}, \sum_{i=1}^n b_{i,4})$, where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde u_{\ell,1}, \tilde u_{\ell,2}, *, *, *)$, $(*, \tilde u_{\ell,3}, \tilde u_{\ell,4}, *, *)$, $(*, *, \tilde u_{\ell,5}, \tilde u_{\ell,6}, *)$, $(*, *, *, \tilde u_{\ell,7}, \tilde u_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle, $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $\big(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}}\big)$.

Case 2 ($b = 1$): $\big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\big)$.

Next, $\mathcal{B}_1$ uses the obtained $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$, since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event Succ occurs.

In Case 1, $\mathcal{B}_1$ simulates game G3 perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game G4 perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathrm{Succ}]$ and $\Pr_4[\mathrm{Succ}]$ results in $\mathcal{B}_1$'s advantage over the IV$_5$ problem. Thus Lemma 25 follows.
Game G5. It is identical to G4 except for the following differences. In the initialize procedure of game G5, the challenger picks $r^* \leftarrow_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \ldots, \alpha_5 \leftarrow_\$ \mathbb{Z}_N$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \ldots, u_{\ell,5})$ as follows:

(i) $(u_{\ell,1}, \ldots, u_{\ell,5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$.

The only difference between G4 and G5 is the distribution of $(u_{\ell,1}, \ldots, u_{\ell,5})$. In game G4, $(u_{\ell,1}, \ldots, u_{\ell,5}) = (g_1^{r_\ell}, \ldots, g_5^{r_\ell}) \bmod N^2$, while in game G5, $(u_{\ell,1}, \ldots, u_{\ell,5}) = ((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}) \bmod N^2$. Just like Lemma 25, any difference between G4 and G5 results in a PPT adversary solving the IV$_5$ problem by invoking $\mathcal{A}$. Therefore $|\Pr_4[\mathrm{Succ}] - \Pr_5[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.

Game G6. It is identical to G5 except for the following differences. In the initialize procedure of game G6, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \ldots, e_{\ell,4})$ in a different way:

(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_\$ (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \ldots, r_\ell k^*_4 + s_{\ell,4})$.

(ii)
$$(e_{\ell,1}, \ldots, e_{\ell,4}) := \big(h_{i_\ell,1}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}},\ \ldots,\ h_{i_\ell,4}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\big). \quad (36)$$

Clearly $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game G5. In the meantime, for $j \in [4]$, we have
$$\begin{aligned}
e_{\ell,j} &\overset{\text{G5}}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}}\, T^{k_{\ell,j}} \\
&= \big(g_j^{r^*} T^{\alpha_j}\big)^{-r_\ell \cdot x_{i_\ell,j}} \big(g_{j+1}^{r^*} T^{\alpha_{j+1}}\big)^{-r_\ell \cdot y_{i_\ell,j}}\, T^{k_{\ell,j}} \\
&= \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r^* r_\ell}\, T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \\
&\overset{\text{G6}}{=} h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \quad (37)
\end{aligned}$$
Thus G6 is the same as G5 and $\Pr_5[\mathrm{Succ}] = \Pr_6[\mathrm{Succ}]$.

Game G7. It is identical to G6 except for the way the challenger answers the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiaec}\rangle, i \in [n])$. In game G7, it uses $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathsf{ai}, \mathsf{aiaec}\rangle$, where $\mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \ldots, k_4)$ and $m$ in the following way:

(i)
$$\begin{aligned}
(\alpha'_1, \ldots, \alpha'_5) &:= \Big(\frac{\mathrm{dlog}_T(u_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(u_5^{\phi(N)})}{\phi(N)}\Big) \bmod N, \\
(\gamma'_1, \ldots, \gamma'_4) &:= \Big(\frac{\mathrm{dlog}_T(e_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(e_4^{\phi(N)})}{\phi(N)}\Big) \bmod N, \\
\mathbf{k} = (k_1, \ldots, k_4) &:= \big(\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1,\ \ldots,\ \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4\big) \bmod N. \quad (38)
\end{aligned}$$

(ii)
$$\mathcal{E}\mathsf{c} = (\tilde u_1, \ldots, \tilde u_8, e, t)/\bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}). \quad (39)$$

(iii)
$$\begin{aligned}
(\tilde\alpha_1, \ldots, \tilde\alpha_8) &:= \Big(\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}\Big) \bmod N^{s-1}, \\
\gamma &:= \frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)} \bmod N^{s-1}, \\
m &:= \tilde\alpha_1 x_{i,1} + \tilde\alpha_2 y_{i,1} + \tilde\alpha_3 x_{i,2} + \tilde\alpha_4 y_{i,2} + \tilde\alpha_5 x_{i,3} + \tilde\alpha_6 y_{i,3} + \tilde\alpha_7 x_{i,4} + \tilde\alpha_8 y_{i,4} + \gamma \bmod N^{s-1}. \quad (40)
\end{aligned}$$

According to (8), for $j \in [4]$ we have that
$$\begin{aligned}
k_j &\overset{\text{G6}}{=} \mathrm{dlog}_T\big(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}}\big) = \frac{\mathrm{dlog}_T\big((e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)}\big)}{\phi(N)} \bmod N \\
&= \frac{\mathrm{dlog}_T(u_j^{\phi(N) \cdot x_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N) \cdot y_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)} \\
&\overset{\text{G7}}{=} \underbrace{\frac{\mathrm{dlog}_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}}_{\gamma'_j}, \\
m &\overset{\text{G6}}{=} \mathrm{dlog}_T\big(e \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}}\big) \bmod N^{s-1} \\
&\overset{\text{G7}}{=} \underbrace{\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}}_{\tilde\alpha_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}}_{\tilde\alpha_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)}}_{\gamma}. \quad (41)
\end{aligned}$$
Hence G7 is essentially the same as G6 and $\Pr_6[\mathrm{Succ}] = \Pr_7[\mathrm{Succ}]$.

Game G8. It is identical to G7 except for the way of answering the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiaec}\rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:

(i) If $\alpha'_1 \ne 0$ or $\cdots$ or $\alpha'_5 \ne 0$ or $\tilde\alpha_1 \ne 0$ or $\cdots$ or $\tilde\alpha_8 \ne 0$, output $\bot$.

Denote by Bad the event that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec}\rangle, i \in [n])$ satisfying
$$e_1 u_1^{x_{i,1}} u_2^{y_{i,1}},\ \ldots,\ e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathrm{RU}_{N^2} \quad \text{and} \quad \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) \ne \bot \quad (42)$$
$$\text{and} \quad e \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}} \in \mathrm{RU}_{N^s} \quad \text{and} \quad t = g_1^m \bmod N \quad (43)$$
$$\text{and} \quad \big(\alpha'_1 \ne 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \ne 0 \ \text{or} \ \tilde\alpha_1 \ne 0 \ \text{or} \ \cdots \ \text{or} \ \tilde\alpha_8 \ne 0\big). \quad (44)$$

Obviously, G8 is identical to G7 unless Bad occurs. Thus $|\Pr_7[\mathrm{Succ}] - \Pr_8[\mathrm{Succ}]| \le \Pr_8[\mathrm{Bad}]$.

To show the computational indistinguishability of G7 and G8, we must prove that $\Pr_8[\mathrm{Bad}]$ is negligible. To this end, Bad is divided into two subevents:

(i) $\mathrm{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec}\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } \big(\alpha'_1 \ne 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \ne 0\big). \quad (45)$$

(ii) $\widetilde{\mathrm{Bad}}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec}\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } \big(\alpha'_1 = \cdots = \alpha'_5 = 0\big) \ \text{and} \ \big(\tilde\alpha_1 \ne 0 \ \text{or} \ \cdots \ \text{or} \ \tilde\alpha_8 \ne 0\big). \quad (46)$$

Obviously, $\Pr_8[\mathrm{Bad}] \le \Pr_8[\mathrm{Bad}'] + \Pr_8[\widetilde{\mathrm{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathrm{Bad}}]$ to subsequent games. Through the following lemma, we provide the analysis of $\Pr_8[\mathrm{Bad}']$.

Lemma 26. One has $\Pr_8[\mathrm{Bad}'] \le 2 Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In decrypt of game G8, the challenger will reply $\bot$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\tilde\alpha_1 = \cdots = \tilde\alpha_8 = 0$. Consequently, the $(\bmod \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, and the value of $\phi(N)$ are enough for answering decrypt queries. In particular, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not necessary in decrypt.

$\mathrm{Bad}'$ is further divided into the following two subevents:

(i) $\mathrm{Bad}'$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec}\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } \big(\alpha'_1 \ne 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \ne 0\big) \ \text{and} \ \big(\exists j \in [4]: \alpha'_j/\alpha_j \ne \alpha'_{j+1}/\alpha_{j+1} \bmod N\big). \quad (47)$$

(ii) $\mathrm{Bad}'$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec}\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } \big(\alpha'_1 \ne 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \ne 0\big) \ \text{and} \ \big(\alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \bmod N\big). \quad (48)$$

Recall that $(\alpha_1, \ldots, \alpha_5)$ are chosen in initialize. We will consider the two subevents in game G8 separately via the following two claims.

Claim 27. One has $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. In game G8, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$: for $j \in [4]$,
$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (\overbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}^{\triangleq\, \theta_j} - \alpha_j \bar x_{i_\ell,j} - \alpha_{j+1} \bar y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \quad (49)
\end{aligned}$$

If $\mathrm{Bad}'$-1 occurs, for concreteness say that $\alpha'_1/\alpha_1 \ne \alpha'_2/\alpha_2 \bmod N$, then
$$k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar x_{i,1} + \alpha'_2 \bar y_{i,1} + \gamma'_1 \bmod N, \quad (50)$$
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_\$ \mathbb{Z}_N$, the probability of $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) \ne \bot$ is upper bounded by $\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.
Claim 28. One has $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game G8 the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values $\theta_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\theta_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\theta_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\theta_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt.

Note that, because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $(\theta_1, \theta_2, \theta_3, \theta_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore, it is possible to construct an algorithm to simulate decrypt and encrypt of game G8 without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA encryption oracle of the AIAE_DDH scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathsf{pars}_{\mathsf{AIAE}})$, which has access to the $\mathrm{encrypt}_{\mathsf{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the AIAE_DDH scheme, where $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \ldots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more, and it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either, and instead it chooses $\boldsymbol{\theta} = (\theta_1, \theta_2, \theta_3, \theta_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(\bar x_{i_\ell,j}, \bar y_{i_\ell,j}, \theta_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathcal{E}\mathsf{c}_\ell, \mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})\rangle)$ to its own $\mathrm{encrypt}_{\mathsf{AIAE}}$ oracle and obtains $\mathsf{aiaec}_\ell$. The final ciphertext is $\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell\rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security game, the $\mathrm{encrypt}_{\mathsf{AIAE}}$ oracle will encrypt $\mathcal{E}\mathsf{c}_\ell$ with the auxiliary input $\mathsf{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$; that is, the $\mathrm{encrypt}_{\mathsf{AIAE}}$ oracle behaves as $\mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}\mathsf{c}_\ell, \mathsf{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to G8. For decrypt, $\mathcal{B}_2$ answers decryption queries with the $(\bmod \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like G8.

Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec}\rangle, i \in [n])$ such that $\mathrm{Bad}'$-2 occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \ne 0 \bmod N$; then for $j \in [4]$,
$$\begin{aligned}
k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot \big(\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{= \theta_j} - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}\big) + \gamma'_j \bmod N \\
&= r \cdot k^*_j + \underbrace{\big(- r \cdot (\theta_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j\big)}_{\triangleq\, s_j} = r \cdot k^*_j + s_j \bmod N. \quad (51)
\end{aligned}$$

Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4)\rangle$ as above using $(\bar x_{i,j}, \bar y_{i,j}, \theta_j)_{j=1}^4$, and outputs $(\mathsf{ai}, \langle r, \mathbf{s}\rangle, \mathsf{aiaec})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathsf{ai}, \mathsf{aiaec}\rangle \ne \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell\rangle$ for all $\ell \in [Q_e]$; thus $(\mathsf{ai}, \langle r, \mathbf{s}\rangle, \mathsf{aiaec}) \ne (\mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell\rangle, \mathsf{aiaec}_\ell)$ will hold for all $\ell \in [Q_e]$; that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$, it clearly holds that $\gamma'_j = r_\ell \cdot (\theta_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot (\theta_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s}\rangle = \langle r_\ell, \mathbf{s}_\ell\rangle$. Obviously, it satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.

(iii) Finally, if $\mathrm{Bad}'$-2 occurs in this decryption query, then $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) \ne \bot$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, will imply that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game $\mathsf{G}_9$. It is identical to $\mathsf{G}_8$ except for the following differences. In the initialize procedure of game $\mathsf{G}_9$, the challenger picks an independent $\bar{\mathbf{k}}^* = (\bar{k}^*_1, \bar{k}^*_2, \bar{k}^*_3, \bar{k}^*_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathsf{AIAE}_{\mathsf{DDH}}$ in the computation of $\mathsf{aiaec}_\ell$:
(i) $\mathbf{k}_\ell := (r_\ell \bar{k}^*_1 + s_{\ell,1}, \ldots, r_\ell \bar{k}^*_4 + s_{\ell,4})$;
(ii) $\mathsf{aiaec}_\ell \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}\mathsf{c}_\ell, \mathsf{ai}_\ell)$.
We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.
In $\mathsf{G}_8$, the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,
$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell} \cdot T^{r_\ell \cdot (\tilde{k}_j - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell} \cdot T^{r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned} \qquad (52)$$
Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Therefore, the challenger could always employ another $\bar{\mathbf{k}}^* = (\bar{k}^*_1, \ldots, \bar{k}^*_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in the $\mathsf{AIAE}_{\mathsf{DDH}}$ encryption in the encrypt oracle, as in $\mathsf{G}_9$.
Then game $\mathsf{G}_8$ and game $\mathsf{G}_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathsf{Succ}] = \Pr_9[\mathsf{Succ}]$ and $\Pr_8[\mathsf{Bad}] = \Pr_9[\mathsf{Bad}]$.
Game $\mathsf{G}_{10}$. It is identical to $\mathsf{G}_9$ except for the way the challenger answers the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $\mathsf{G}_{10}$ the challenger computes $\mathsf{aiaec}_\ell$ in the following way:
(i) $\mathsf{aiaec}_\ell \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathsf{ai}_\ell)$.
Observe that in $\mathsf{G}_9$ and $\mathsf{G}_{10}$, $\bar{\mathbf{k}}^*$ is employed only in the $\mathsf{AIAE}_{\mathsf{DDH}}$ encryption, where it uses $\mathbf{k}_\ell = r_\ell \cdot \bar{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between $\mathsf{G}_9$ and $\mathsf{G}_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathsf{DDH}}$ scheme. Therefore, $|\Pr_9[\mathsf{Succ}] - \Pr_{10}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE}_{\mathsf{DDH}}}(\lambda)$ and $|\Pr_9[\mathsf{Bad}] - \Pr_{10}[\mathsf{Bad}]| \le \mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE}_{\mathsf{DDH}}}(\lambda)$.
Finally, in $\mathsf{G}_{10}$ the challenger always computes the $\mathsf{AIAE}_{\mathsf{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathsf{Succ}] = 1/2$.
To complete the proof of Theorem 24, we only need to prove the following lemma.
Lemma 29. One has $\Pr_{10}[\mathsf{Bad}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda)$.
Proof. In $\mathsf{G}_{10}$, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g g_j \bmod \phi(N)/4$ for some base $g \in \mathsf{SCR}_{N^s}$, $j \in [5]$.
$\mathsf{Bad}$ is further divided into the following two disjoint subevents:
(i) $\mathsf{Bad}\text{-}1$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } ({}_1 \neq 0 \text{ or } \cdots \text{ or } {}_8 \neq 0) \text{ and } \Big( \tfrac{{}_1}{w_1} \neq \tfrac{{}_2}{w_2} \text{ or } \tfrac{{}_3}{w_2} \neq \tfrac{{}_4}{w_3} \text{ or } \tfrac{{}_5}{w_3} \neq \tfrac{{}_6}{w_4} \text{ or } \tfrac{{}_7}{w_4} \neq \tfrac{{}_8}{w_5} \Big). \qquad (53)$$
(ii) $\mathsf{Bad}\text{-}2$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } ({}_1 \neq 0 \text{ or } \cdots \text{ or } {}_8 \neq 0) \text{ and } \Big( \tfrac{{}_1}{w_1} = \tfrac{{}_2}{w_2} \text{ and } \tfrac{{}_3}{w_2} = \tfrac{{}_4}{w_3} \text{ and } \tfrac{{}_5}{w_3} = \tfrac{{}_6}{w_4} \text{ and } \tfrac{{}_7}{w_4} = \tfrac{{}_8}{w_5} \Big). \qquad (54)$$
We will analyze the two subevents in game $\mathsf{G}_{10}$ separately via the following two claims.
Claim 30. One has $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Proof. If $\mathsf{Bad}\text{-}1$ occurs, for concreteness say that ${}_1/w_1 \neq {}_2/w_2$, then
$$g_1^{m} = g_1^{{}_1 x_{i,1} + {}_2 y_{i,1} + \cdots} = g_1^{({}_1 x_1 + {}_2 y_1 + {}_1 \bar{x}_{i,1} + {}_2 \bar{y}_{i,1} + \cdots) \bmod \phi(N)/4} \bmod N, \qquad (55)$$
and $({}_1 x_1 + {}_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^m$ is uniformly distributed over $\mathsf{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^m \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.
Then, according to a union bound, $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.
Proof. In game $\mathsf{G}_{10}$, if $\mathsf{Bad}\text{-}2$ occurs then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathsf{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathsf{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys in the same way as initialize in $\mathsf{G}_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $\mathsf{G}_{10}$ does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g g_j = z_j + w z'_j \bmod \phi(N)/4$.
If $\mathsf{Bad}\text{-}2$ occurs in decrypt, for concreteness say that ${}_1/w_1 = {}_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{{}_1} = g_1^{{}_2} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1 \cdot {}_2 = w_2 \cdot {}_1 \bmod \phi(N)/4$, or equivalently
$$z_1 \cdot {}_2 + w z'_1 \cdot {}_2 = z_2 \cdot {}_1 + w z'_2 \cdot {}_1 \bmod \phi(N)/4. \qquad (56)$$
Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1 \cdot {}_2 - z'_2 \cdot {}_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ succeeds in computing the discrete logarithm of $h$ based on $g$ and outputs $w = (z'_1 \cdot {}_2 - z'_2 \cdot {}_1)^{-1} \cdot (z_2 \cdot {}_1 - z_1 \cdot {}_2) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.
In conclusion, Lemma 29 follows from the above two claims.
This completes the proof of Lemma 29. In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA Security
5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit a polynomial function in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of a modular arithmetic circuit (MAC) [10], which is a polynomial-sized circuit computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathsf{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.
5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables
How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.
The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}. \qquad (57)$$
Consequently, $f_\ell$ in the $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in the 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$\begin{aligned}
f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) &= f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) \\
&= f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}.
\end{aligned} \qquad (58)$$
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.
How to Determine the Coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:
(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.
Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1, \ldots, c_8)}$ can be extracted by solving the linear system of equations
$$f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \qquad (59)$$
The overall time complexity for computing the coefficients $a_{(c_1, \ldots, c_8)}$ is polynomial in $\lambda$.
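The procedure (i)-(iii) above, carried out in code. This is an added example, not code from the paper: it treats the modular arithmetic circuit as a Python callable evaluating $f_\ell$ modulo a modulus $M$ (the page writes $N$; a small composite is used here so the example runs instantly), enumerates the $\binom{8+d}{8}$ degree tuples, evaluates $f_\ell$ at random keys of user $i_\ell$ with every other user's key written as the shift (57), and recovers the $a_{(c_1,\ldots,c_8)}$ by solving the linear system (59) with elimination over $\mathbb{Z}_M$. The function names, the toy $f_\ell$, the sample shifts and the modulus are the example's own constructions.

```python
import math
import random


def degree_tuples(nvars, d):
    """All exponent tuples c = (c_1, ..., c_nvars) with 0 <= c_1 + ... + c_nvars <= d,
    constant term included: C(nvars + d, nvars) of them, i.e. Theta(d^8) for nvars = 8."""
    if nvars == 0:
        yield ()
        return
    for c1 in range(d + 1):
        for rest in degree_tuples(nvars - 1, d - c1):
            yield (c1,) + rest


def monomial(point, c, M):
    """prod_k point[k]^{c_k} mod M."""
    out = 1
    for p_k, c_k in zip(point, c):
        out = out * pow(p_k, c_k, M) % M
    return out


def solve_mod(rows, rhs, M):
    """Gauss-Jordan elimination over Z_M for a consistent, possibly over-determined system.
    M may be composite (the page works mod N), so a pivot is accepted only if it is a unit;
    with random evaluation points this succeeds with overwhelming probability, otherwise
    ValueError is raised and the caller should resample."""
    n = len(rows[0])
    A = [r[:] + [b % M] for r, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((i for i in range(col, len(A)) if math.gcd(A[i][col], M) == 1), None)
        if piv is None:
            raise ValueError("no invertible pivot in column %d" % col)
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, M)
        A[col] = [a * inv % M for a in A[col]]
        for i in range(len(A)):
            if i != col and A[i][col]:
                f = A[i][col]
                A[i] = [(a - f * b) % M for a, b in zip(A[i], A[col])]
    return [A[i][n] for i in range(n)]


def reduce_to_one_user(f, shifts, i_target, d, M, rng, extra=8):
    """Steps (i)-(iii) of Section 5.2.  f is the modular arithmetic circuit: a black box that
    takes the n secret keys as a list of 8-tuples (x_{i,1}, y_{i,1}, ..., x_{i,4}, y_{i,4})
    and returns f_ell(...) mod M.  shifts[i] = (xbar_{i,1}, ybar_{i,1}, ..., ybar_{i,4}) are
    the shifts chosen in initialize.  Returns {c: a_c} such that
    f'_ell(v) = sum_c a_c * prod_k v_k^{c_k} for v = (x_{i_target,1}, ..., y_{i_target,4})."""
    monos = list(degree_tuples(8, d))
    rows, rhs = [], []
    for _ in range(len(monos) + extra):      # a few extra equations guard against bad pivots
        v = [rng.randrange(M) for _ in range(8)]            # (i) random key of user i_target
        keys = []
        for i in range(len(shifts)):                        # (ii) every key as a shift of v, eq. (57)
            keys.append(tuple((v[k] + shifts[i][k] - shifts[i_target][k]) % M for k in range(8)))
        rows.append([monomial(v, c, M) for c in monos])
        rhs.append(f(keys))                                  # (iii) record the circuit output
    coeffs = solve_mod(rows, rhs, M)                         # the linear system (59)
    return {c: a for c, a in zip(monos, coeffs) if a}


def evaluate(coeffs, v, M):
    """Evaluate the reduced 8-variable polynomial f'_ell at v."""
    return sum(a * monomial(v, c, M) for c, a in coeffs.items()) % M


def demo(seed=1, M=1009 * 1013):
    """Constructed toy instance (not from the page): n = 2 users, d = 2, M = 1009 * 1013,
    f_ell = 3*x_{1,1}*y_{2,3} + 5*x_{2,2} + 7 mod M, reduced to user i_ell = 1 (index 0).
    Slot 2(j-1) of a key tuple is x_{i,j}, slot 2(j-1)+1 is y_{i,j}."""
    rng = random.Random(seed)
    shifts = [tuple(rng.randrange(M) for _ in range(8)) for _ in range(2)]

    def f(keys):
        return (3 * keys[0][0] * keys[1][5] + 5 * keys[1][2] + 7) % M

    coeffs = reduce_to_one_user(f, shifts, 0, 2, M, rng)
    dy = (shifts[1][5] - shifts[0][5]) % M      # y_{2,3} = y_{1,3} + dy by eq. (57)
    dx = (shifts[1][2] - shifts[0][2]) % M      # x_{2,2} = x_{1,2} + dx
    expected = {(1, 0, 0, 0, 0, 1, 0, 0): 3,                 # 3 * x_1 * y_3
                (1, 0, 0, 0, 0, 0, 0, 0): 3 * dy % M,        # 3 * dy * x_1
                (0, 0, 1, 0, 0, 0, 0, 0): 5,                 # 5 * x_2
                (0, 0, 0, 0, 0, 0, 0, 0): (5 * dx + 7) % M}  # constant term
    v = [rng.randrange(M) for _ in range(8)]
    keys = [tuple((v[k] + shifts[i][k] - shifts[0][k]) % M for k in range(8)) for i in range(2)]
    return {"coeffs": coeffs,
            "expected": {c: a for c, a in expected.items() if a},
            "agrees": evaluate(coeffs, v, M) == f(keys)}


if __name__ == "__main__":
    print(demo())
```

The circuit is only ever called on inputs of the form (57), so nothing about the $8n$ original variables has to be known beyond the shifts; the number of circuit calls is the number of unknown coefficients plus a small surplus, which is $\Theta(d^8)$ as the text states.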
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \qquad (60)$$
Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 9.
Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$-$\mathsf{G}_4$, which are related to the building block $\mathcal{E}$. Next we will replace $\mathsf{G}_3$-$\mathsf{G}_4$ with the following hybrids (i.e., Hybrid 1-Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \qquad (61)$$
Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.
(i) Invoke $\mathcal{E}.\mathsf{Encrypt}$ to set up $\mathsf{table}$.
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.
(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Clearly, $\tilde{v}_0, \ldots, \tilde{v}_8$ computed via $\mathcal{E}.\mathsf{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathsf{Encrypt}$. Therefore this is just a conceptual change.
Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.
(i) $\mathsf{table}$ is computed similarly to that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry of $\mathsf{table}$ located in row 1 and column 1 is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$. By the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).

[Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. Left, $\mathcal{E}\mathsf{c} \leftarrow_{\$} \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \ldots, 8\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; $\mathsf{table}$ has rows $l = 0, \ldots, 8$ with entries $u_{l,1}, \ldots, u_{l,8}$, except that for $l \ge 1$ the diagonal entry is $\tilde{u}_{l,l} = u_{l,l} \cdot v_{l-1}$; $e = v_8 \cdot T^m \bmod N^s$; $t = g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}\mathsf{c} = (\mathsf{table}, e, t)$. Right, $m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}\mathsf{c})$: parse $\mathcal{E}\mathsf{c} = (\mathsf{table}, e, t)$; $\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$, $\tilde{v}_1 = (\tilde{u}_{1,1}/\tilde{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} \cdots u_{1,8}^{-y_4}$, $\tilde{v}_2 = u_{2,1}^{-x_1} (\tilde{u}_{2,2}/\tilde{v}_1)^{-y_1} u_{2,3}^{-x_2} \cdots u_{2,8}^{-y_4}$, $\ldots$, $\tilde{v}_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} \cdots u_{8,7}^{-x_4} (\tilde{u}_{8,8}/\tilde{v}_7)^{-y_4}$; if $e/\tilde{v}_8 \in \mathsf{RU}_N$, $m = \mathrm{dlog}_T(e/\tilde{v}_8) \bmod N^{s-1}$; if $t = g_1^m \bmod N$ output $m$, otherwise output $\bot$.]

[Figure 10: Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. Four columns, Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form), each showing $\mathcal{E}\mathsf{c} \leftarrow_{\$} \mathcal{E}.\mathsf{Encrypt}(f, i \in [n])$ with the rows $(u_{l,1}, \ldots, u_{l,8})$ and $v_l$, $l \in \{0, 1, \ldots, 8\}$, sampled as in Figure 9. The columns differ only in the $(1,1)$ entry of $\mathsf{table}$ ($u_{1,1} \cdot v_0$ in Hybrids 1 and 2 versus $(u_{1,1} T^a) \cdot v_0$ in Hybrid 3 and its equivalent form) and in $e$ ($v_8 \cdot T^{f'_\ell}$, $\tilde{v}_8 \cdot T^{f'_\ell}$, $\tilde{v}_8 \cdot T^{f'_\ell}$ and $v_8 \bmod N^s$, respectively), with $t = g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N \in \mathbb{Z}_N$ throughout; output $\mathcal{E}\mathsf{c} = (\mathsf{table}, e, t)$.]
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.
(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) $\mathsf{table}$ is computed similarly to that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry located in row 1 and column 1 of $\mathsf{table}$ is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.
After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $\mathsf{G}_7$-$\mathsf{G}_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathsf{table}$ are elements of $\mathsf{SCR}_{N^s}$; if this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which we call a title. Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 11.
Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.
For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{TableGen}$ shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.
Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from $\mathsf{table}^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{CalculateV}$ in Figure 11. Thus the titles $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$-$\mathsf{G}_4$. Next we will replace $\mathsf{G}_3$-$\mathsf{G}_4$ with the following hybrids (Hybrid 1-Hybrid 3). Specifically, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \qquad (62)$$
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.
Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
(2) invoke $\tilde{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Employ $(\tilde{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
[Figure 11: (a) $\mathcal{E}.\mathsf{Encrypt}$ (left) and $\mathcal{E}.\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) $\mathsf{TableGen}$, which generates $\mathsf{table}^{(\mathbf{c})}$ together with a title $v^{(\mathbf{c})}$; (c) $\mathsf{CalculateV}$, which calculates a title $\tilde{v}^{(\mathbf{c})}$ from $\mathsf{table}^{(\mathbf{c})}$ using the secret key.
(a) $\mathcal{E}\mathsf{c} \leftarrow_{\$} \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$: for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$; $e = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^m \bmod N^s$; $t = g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}\mathsf{c} = ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$. $m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}\mathsf{c})$: parse $\mathcal{E}\mathsf{c} = ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$; for each $\mathbf{c} \in \mathcal{S}$, $\tilde{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})})^{-1} \in \mathsf{RU}_N$, $m = \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})})^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$ output $m$, otherwise output $\bot$.
(b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: for each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. $\mathsf{table}^{(\mathbf{c})}$ has rows $l = 0, \ldots, \sum_j c_j$ with entries $u_{l,1}, \ldots, u_{l,8}$, except that in the $c_1$ rows $l = 1, \ldots, c_1$ the column-1 entry is $u_{l,1} \cdot v_{l-1}$, in the $c_2$ rows $l = c_1 + 1, \ldots, c_1 + c_2$ the column-2 entry is $u_{l,2} \cdot v_{l-1}$, and so on, up to the $c_8$ rows $l = \sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j$ in which the column-8 entry is $u_{l,8} \cdot v_{l-1}$. Output $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})} = v_{\sum_{j=1}^8 c_j})$.
(c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathsf{table}^{(\mathbf{c})}, \mathbf{c} = (c_1, \ldots, c_8))$: parse $\mathsf{table}^{(\mathbf{c})} = \{(\tilde{u}_{l,1}, \ldots, \tilde{u}_{l,8})\}_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$; $\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; for each $l \in \{1, \ldots, c_1\}$, $\tilde{v}_l = (\tilde{u}_{l,1}/\tilde{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; for each $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$, $\tilde{v}_l = u_{l,1}^{-x_1} (\tilde{u}_{l,2}/\tilde{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; $\ldots$; for each $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$, $\tilde{v}_l = u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (\tilde{u}_{l,8}/\tilde{v}_{l-1})^{-y_4}$. Output $\tilde{v}^{(\mathbf{c})} = \tilde{v}_{\sum_{j=1}^8 c_j}$.]
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}^{(\mathbf{c})}$ computed via $\mathsf{CalculateV}$ is the same as $v^{(\mathbf{c})}$ computed via $\mathsf{TableGen}$. Therefore this change is just conceptual.
Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference; more precisely, in $\mathsf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$; by the $\mathsf{IV}_5$ assumption this difference is computationally undetectable;
(2) extract $\tilde{v}^{(\mathbf{c})}$ from the (modified) $\mathsf{table}^{(\mathbf{c})}$ by invoking $\tilde{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})} \cdot T^{-a_{(c_1, \ldots, c_8)} \, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \qquad (63)$$
Hence
$$\begin{aligned}
e &= \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \\
&= \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \ldots, c_8)} \, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta}.
\end{aligned} \qquad (64)$$
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in $\mathsf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.
After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
With a similar argument to that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
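The table-and-title mechanism of Figures 9 and 11 and the Hybrid 3 shift (63), as an added example that is not the paper's code. It works in $\mathbb{Z}_{N^2}$ (i.e. $s = 2$) with $T = 1 + N$, $g_j \in \mathsf{SCR}_{N^2}$ and a toy $N$ so that it runs in milliseconds; $\mathsf{TableGen}$ and $\mathsf{CalculateV}$ follow the figures, with an optional `inject` argument reproducing the Hybrid 3 change (the chained entry of row 1 multiplied by $T^{a}$). The demo checks both that the honest title is recovered and that the injected table decrypts to $\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})} \cdot T^{-a \cdot x_1^{c_1} y_1^{c_2} \cdots y_4^{c_8}}$, reading the exponent off with a discrete log base $T$. The function names, the parameters $p, q$ and the seed are the example's own assumptions.

```python
import math
import random

# Secret key slots: sk = (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4).  Column k of a table row is
# tied to slot k, because (u_{l,1}, ..., u_{l,8}) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2},
# g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) and v_l = prod_j h_j^{r_j} = prod_k u_{l,k}^{-sk_k}.


def keygen(p, q, seed=0):
    """Toy parameters constructed for this example: N = pq, arithmetic in Z_{N^2} (s = 2),
    T = 1 + N of order N, g_1..g_5 in SCR_{N^2}, h_j = g_j^{-x_j} g_{j+1}^{-y_j}."""
    N = p * q
    N2 = N * N
    rng = random.Random(seed)
    g = []
    while len(g) < 5:
        a = rng.randrange(2, N2)
        if math.gcd(a, N) == 1:
            g.append(pow(a, 2 * N, N2))
    sk = [rng.randrange(1, N2 // 4) for _ in range(8)]          # from [floor(N^2/4)]
    pk = [pow(g[j], -sk[2 * j], N2) * pow(g[j + 1], -sk[2 * j + 1], N2) % N2 for j in range(4)]
    return {"N": N, "N2": N2, "T": 1 + N, "g": g, "sk": sk, "pk": pk, "rng": rng}


def fresh_row(P):
    """One row l of a table: (u_{l,1}, ..., u_{l,8}) and the untouched v_l."""
    N2, g, pk, rng = P["N2"], P["g"], P["pk"], P["rng"]
    r = [rng.randrange(1, P["N"] // 4) for _ in range(4)]       # r_{l,1..4} from [floor(N/4)]
    u = [pow(g[0], r[0], N2), pow(g[1], r[0], N2), pow(g[1], r[1], N2), pow(g[2], r[1], N2),
         pow(g[2], r[2], N2), pow(g[3], r[2], N2), pow(g[3], r[3], N2), pow(g[4], r[3], N2)]
    v = 1
    for j in range(4):
        v = v * pow(pk[j], r[j], N2) % N2
    return u, v


def column_for_row(c, l):
    """Row l (1 <= l <= sum(c)) of table^(c) carries the chained entry in column k, where
    c_1 + ... + c_{k-1} < l <= c_1 + ... + c_k (k is 0-based here)."""
    acc = 0
    for k, ck in enumerate(c):
        acc += ck
        if l <= acc:
            return k
    raise ValueError("row index beyond sum(c)")


def table_gen(P, c, inject=None):
    """TableGen(pk, c): rows l = 0..sum(c); for l >= 1 the column-k(l) entry is u_{l,k} * v_{l-1}.
    inject=a reproduces the Hybrid 3 change: the chained entry of row 1 is also multiplied by T^a.
    Returns (table, v^(c)) where v^(c) = v_{sum(c)} is the honestly computed title."""
    N2, T = P["N2"], P["T"]
    table, v_prev = [], None
    for l in range(sum(c) + 1):
        u, v = fresh_row(P)
        if l >= 1:
            k = column_for_row(c, l)
            if l == 1 and inject is not None:
                u[k] = u[k] * pow(T, inject, N2) % N2
            u[k] = u[k] * v_prev % N2
        table.append(u)
        v_prev = v
    return table, v_prev


def calculate_v(P, table, c):
    """CalculateV(sk, table^(c), c): v~_0 from row 0, then for l >= 1
    v~_l = (u~_{l,k(l)} / v~_{l-1})^{-sk_{k(l)}} * prod_{k != k(l)} u_{l,k}^{-sk_k}; returns v~_{sum(c)}."""
    N2, sk = P["N2"], P["sk"]
    v_prev = None
    for l, row in enumerate(table):
        row = list(row)
        if l >= 1:
            k = column_for_row(c, l)
            row[k] = row[k] * pow(v_prev, -1, N2) % N2
        v = 1
        for k in range(8):
            v = v * pow(row[k], -sk[k], N2) % N2
        v_prev = v
    return v_prev


def dlog_T(P, z):
    """Discrete log base T = 1 + N of z in RU_N = {1 + kN mod N^2}; None if z is not of that form."""
    N = P["N"]
    if z % N != 1:
        return None
    return ((z - 1) // N) % N


def demo(c=(2, 1, 0, 0, 1, 0, 0, 0), a=5, p=1009, q=1013, seed=3):
    """Honest table: CalculateV returns the title.  Injected table (Hybrid 3): the recovered title
    is v^(c) * T^{-a * x_1^{c_1} y_1^{c_2} ... y_4^{c_8}} as in eq. (63); the exponent lives mod N."""
    P = keygen(p, q, seed)
    table, v = table_gen(P, c)
    honest = calculate_v(P, table, c) == v
    table2, v2 = table_gen(P, c, inject=a)
    v_tilde = calculate_v(P, table2, c)
    mono = 1
    for k, ck in enumerate(c):
        mono = mono * pow(P["sk"][k], ck, P["N"]) % P["N"]
    shift = dlog_T(P, v2 * pow(v_tilde, -1, P["N2"]) % P["N2"])   # v^(c) / v~^(c) = T^{a * monomial}
    return {"honest": honest, "shift": shift, "expected": a * mono % P["N"]}


if __name__ == "__main__":
    print(demo())
```

Each chained row multiplies the exponent of $T$ carried by the running title by one more secret-key slot, which is why a table with $c_k$ rows chained through column $k$ yields exactly the monomial $x_1^{c_1} y_1^{c_2} \cdots y_4^{c_8}$; the default call uses $\mathbf{c} = (2,1,0,0,1,0,0,0)$, and $\mathbf{c} = (1,\ldots,1)$ gives the warmup monomial of Figure 9.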
Appendix
A Proof of Claim 19
We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given pars$_{\mathrm{AE}}$ and has access to the oracle $\mathrm{encrypt}_{\mathrm{AE}}(\cdot) = \mathrm{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal{B}$ prepares pars$_{\mathrm{AIAE}}$ in the same way as in $\mathrm{G}'_{1,j}$. That is, it invokes pars$_{\mathrm{THPS}} \leftarrow_\$ \mathrm{THPS.Setup}(1^\lambda)$, picks $H \leftarrow_\$ \mathcal{H}$ randomly, and sets pars$_{\mathrm{AIAE}} := (\mathrm{pars}_{\mathrm{THPS}}, \mathrm{pars}_{\mathrm{AE}}, H)$. $\mathcal{B}$ sends pars$_{\mathrm{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.
As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$, and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.

(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := H(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.

(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all; instead it resorts to its own $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := H(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, queries its $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathrm{G}'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $\mathrm{G}'_{1,j}$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := H(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
26 Security and Communication Networks
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathrm{Forge} \wedge t_j = t^*$ implies that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, the conditions $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ imply that $\chi^* \neq \chi_j$ and $\mathrm{AE.Decrypt}(\kappa, \chi^*) \neq \perp$; that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $\mathrm{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathrm{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathrm{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE},\mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathrm{chal}^b_{\mathrm{IV}_5}}(N, g_1, \dots, g_5)$ to solve the IV$_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates EEncrypt as follows. (Below, $u_{r,c}$ denotes the entry of table in row $r$ and column $c$ as $\mathcal{B}$ computes it from the public keys, $u^*_{r,c}$ an entry supplied by the oracle, and $\tilde u_{r,c}$ an entry after multiplication by the $V$ value of the preceding row.)

(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \dots, u_{0,8})$ and $V_0$ as in Hybrids 2 and 3.
(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,

Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_1}, g_2^{r_1}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_1} T^{a}, g_2^{r_1}) = (u_{1,1} T^{a}, u_{1,2})$.

$\mathcal{B}$ sets $\tilde u_{1,1} := u^*_{1,1} \cdot V_0$, which is $\tilde u_{1,1} = u_{1,1} \cdot V_0$ if $b = 0$ and $\tilde u_{1,1} = u_{1,1} T^{a} \cdot V_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \dots, u_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be
$$\big(\tilde u_{1,1} = u^*_{1,1} \cdot V_0,\ u^*_{1,2},\ u_{1,3},\ \cdots,\ u_{1,8}\big). \quad (\mathrm{B.1})$$
$\mathcal{B}$ also computes $V^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \dots, u_{1,8})$ via
$$V^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} (u_{1,3})^{-x_{i_\ell,2}} \cdots (u_{1,8})^{-y_{i_\ell,4}},$$
which equals
Case ($b = 0$): $V^*_1 = V_1$, or
Case ($b = 1$): $V^*_1 = V_1 T^{-a \cdot x_{i_\ell,1}}$.
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,

Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_2}, g_2^{r_2}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_2}, g_2^{r_2} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.

$\mathcal{B}$ sets $\tilde u_{2,2} := u^*_{2,2} \cdot V^*_1$, that is, $\tilde u_{2,2} = u_{2,2} \cdot V_1$ if $b = 0$ and $\tilde u_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(V_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot V_1$ if $b = 1$. Thus $\tilde u_{2,2} = u_{2,2} \cdot V_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \dots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
$$\big(u^*_{2,1},\ \tilde u_{2,2} = u^*_{2,2} \cdot V^*_1,\ u_{2,3},\ \cdots,\ u_{2,8}\big). \quad (\mathrm{B.2})$$
$\mathcal{B}$ also computes $V^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \dots, u_{2,8})$ via
$$V^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} (u_{2,3})^{-x_{i_\ell,2}} \cdots (u_{2,8})^{-y_{i_\ell,4}},$$
which equals
Case ($b = 0$): $V^*_2 = V_2$, or
Case ($b = 1$): $V^*_2 = V_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.
(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,

Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_3}, g_3^{r_3}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_3}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.

$\mathcal{B}$ sets $\tilde u_{3,3} := u^*_{3,3} \cdot V^*_2$; similarly, it is easy to check that $\tilde u_{3,3} = u_{3,3} \cdot V_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be
$$\big(u_{3,1},\ u_{3,2},\ \tilde u_{3,3} = u^*_{3,3} \cdot V^*_2,\ u^*_{3,4},\ u_{3,5},\ \cdots,\ u_{3,8}\big). \quad (\mathrm{B.3})$$
$\mathcal{B}$ also computes $V^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \dots, u_{3,8})$ via
$$V^*_3 := (u_{3,1})^{-x_{i_\ell,1}} (u_{3,2})^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} (u_{3,5})^{-x_{i_\ell,3}} \cdots (u_{3,8})^{-y_{i_\ell,4}},$$
which equals
Case ($b = 0$): $V^*_3 = V_3$, or
Case ($b = 1$): $V^*_3 = V_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.
(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.

(vi) Finally, $\mathcal{B}$ computes $V_0, \dots, V_8$ from table just as in Hybrids 2 and 3 (also as the original EDecrypt algorithm) and computes $e := V_8 \cdot T^{f'_\ell((x_{i_\ell,j},\, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j},\, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the IV$_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China, Grant nos. 61672346 and 61373153.
References
[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
Figure 2: $n$-KDM[$\mathcal{F}$]-CCA security game (the figure's pseudocode, reconstructed from the extracted fragments).
  Proc initialize: pars ←$ ParGen(1^λ); for i ∈ [n]: (pk_i, sk_i) ←$ KeyGen(pars); β ←$ {0,1}; output (pars, pk_1, …, pk_n).
  Proc encrypt(f ∈ ℱ, i ∈ [n]): m_1 = f(sk_1, …, sk_n); m_0 = 0^{|m_1|}; pkec ←$ Encrypt(pk_i, m_β); ℰ = ℰ ∪ {(pkec, i)}; output pkec.
  Proc decrypt(pkec, i ∈ [n]): if (pkec, i) ∈ ℰ, output ⊥; output Decrypt(sk_i, pkec).
  Proc finalize(β′): output (β′ = β).
input $x$ and randomness $r$, and assigning the output to $y$. We sometimes abbreviate this to $y \leftarrow_\$ \mathcal{A}(x)$. "PPT" is short for probabilistic polynomial-time. For integers $n < m$, we denote $[n] := \{1, 2, \dots, n\}$ and $[n, m] := \{n, n+1, \dots, m\}$. For a security notion YY and a primitive XX, the advantage of a PPT adversary $\mathcal{A}$ is typically denoted by $\mathrm{Adv}^{\mathrm{YY}}_{\mathrm{XX},\mathcal{A}}(\lambda)$, and we denote $\mathrm{Adv}^{\mathrm{YY}}_{\mathrm{XX}}(\lambda) := \max_{\mathrm{PPT}\ \mathcal{A}} \mathrm{Adv}^{\mathrm{YY}}_{\mathrm{XX},\mathcal{A}}(\lambda)$. Let $\mathrm{negl}(\cdot)$ denote an unspecified negligible function.
Games. We will use games in our security definitions and proofs. Typically, a game G begins with an initialize procedure and ends with a finalize procedure. In the game there might be other procedures $\mathrm{proc}_1, \dots, \mathrm{proc}_n$, which perform as oracles. All procedures are presented with pseudocode; all sets are initialized as empty sets, and all variables are initialized as empty strings. In the execution of a game G with an adversary $\mathcal{A}$, firstly $\mathcal{A}$ calls initialize and obtains its output; then $\mathcal{A}$ makes arbitrary oracle queries to $\mathrm{proc}_i$ according to their specifications and obtains their outputs; finally $\mathcal{A}$ calls finalize. At the end of the execution, if finalize outputs $b$, then we write this as $\mathrm{G}^{\mathcal{A}} \Rightarrow b$. The statement $a \overset{\mathrm{G}}{=} b$ means that in game G, $a$ is computed as $b$ or $a$ equals $b$.

2.1. Public-Key Encryption. There are four PPT algorithms PKE = (ParGen, KeyGen, Encrypt, Decrypt) in a public-key encryption (PKE) scheme:
(i) ParGen($1^\lambda$) outputs a public parameter pars. We assume that pars implicitly defines a secret key space $\mathcal{SK}$ and a message space $\mathcal{M}$.
(ii) KeyGen(pars) takes pars as input and outputs a public key pk and a secret key sk.
(iii) Encrypt(pk, $m$) takes pk and a message $m \in \mathcal{M}$ as input and outputs a ciphertext pkec.
(iv) Decrypt(sk, pkec) takes sk and a ciphertext pkec as input and outputs either a message $m$ or a symbol $\perp$ indicating the failure of the decryption.

We require PKE to have perfect correctness; that is, for all possible pars $\leftarrow_\$ \mathrm{ParGen}(1^\lambda)$ and all $m \in \mathcal{M}$, we have
$$\Pr\big[(\mathrm{pk}, \mathrm{sk}) \leftarrow_\$ \mathrm{KeyGen}(\mathrm{pars}) : \mathrm{Decrypt}(\mathrm{sk}, \mathrm{Encrypt}(\mathrm{pk}, m)) = m\big] = 1. \quad (1)$$

Definition 1 (KDM[$\mathcal{F}$]-CCA security). Let $n \in \mathbb{N}$ and let $\mathcal{F}$ denote a set of functions from $(\mathcal{SK})^n$ to $\mathcal{M}$. A scheme PKE is $n$-KDM[$\mathcal{F}$]-CCA secure if for any PPT adversary $\mathcal{A}$ we have $\mathrm{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathrm{PKE},\mathcal{A}}(\lambda) := \big|\Pr[n\text{-}\mathrm{KDM}[\mathcal{F}]\text{-}\mathrm{CCA}^{\mathcal{A}} \Rightarrow 1] - 1/2\big| \le \mathrm{negl}(\lambda)$, where $n$-KDM[$\mathcal{F}$]-CCA is the security game shown in Figure 2.
2.2. Authenticated Encryption. There are three PPT algorithms AE = (AE.ParGen, AE.Encrypt, AE.Decrypt) in an authenticated encryption (AE) scheme:
(i) AE.ParGen($1^\lambda$) generates a system parameter pars$_{\mathrm{AE}}$. We require pars$_{\mathrm{AE}}$ to be an implicit input to other algorithms and assume that pars$_{\mathrm{AE}}$ implicitly defines a key space $\mathcal{K}_{\mathrm{AE}}$ and a message space $\mathcal{M}$.
(ii) AE.Encrypt($\mathsf{k}$, $m$) takes a key $\mathsf{k} \in \mathcal{K}_{\mathrm{AE}}$ and a message $m \in \mathcal{M}$ as input and outputs a ciphertext aec.
(iii) AE.Decrypt($\mathsf{k}$, aec) takes a key $\mathsf{k} \in \mathcal{K}_{\mathrm{AE}}$ and a ciphertext aec as input and outputs a message $m \in \mathcal{M}$ or a symbol $\perp$.

We require AE to have perfect correctness; that is, for all possible pars$_{\mathrm{AE}} \leftarrow_\$ \mathrm{AE.ParGen}(1^\lambda)$, all keys $\mathsf{k} \in \mathcal{K}_{\mathrm{AE}}$, and all $m \in \mathcal{M}$,
$$\Pr\big[\mathrm{AE.Decrypt}(\mathsf{k}, \mathrm{AE.Encrypt}(\mathsf{k}, m)) = m\big] = 1. \quad (2)$$

Definition 2 (one-time security). A scheme AE is one-time secure (OT-secure), that is, IND-OT and INT-OT secure, if for any PPT $\mathcal{A}$, both $\mathrm{Adv}^{\mathrm{ind\text{-}ot}}_{\mathrm{AE},\mathcal{A}}(\lambda) := \big|\Pr[\mathrm{IND\text{-}OT}^{\mathcal{A}} \Rightarrow 1] - 1/2\big| \le \mathrm{negl}(\lambda)$ and $\mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE},\mathcal{A}}(\lambda) := \Pr[\mathrm{INT\text{-}OT}^{\mathcal{A}} \Rightarrow 1] \le \mathrm{negl}(\lambda)$, where IND-OT and INT-OT are the security games presented in Figure 3.
2.3. Key Encapsulation Mechanism. There are three PPT algorithms KEM = (KEM.KeyGen, KEM.Encrypt, KEM.Decrypt) in a key encapsulation mechanism (KEM):
(i) KEM.KeyGen($1^\lambda$) generates a public key pk and a secret key sk.
(ii) KEM.Encrypt(pk) takes pk as input and outputs a key $\mathsf{k}$ together with a ciphertext kemc.
(iii) KEM.Decrypt(sk, kemc) takes sk and a ciphertext kemc as input and outputs either a key $\mathsf{k}$ or a symbol $\perp$.
Figure 3: IND-OT (a) and INT-OT (b) security games (the figure's pseudocode, reconstructed from the extracted fragments).

(a) IND-OT:
  Proc initialize: pars_AE ←$ AE.ParGen(1^λ); k ←$ 𝒦_AE; β ←$ {0,1}; output pars_AE.
  Proc encrypt(m_0, m_1) [one query]: if |m_0| ≠ |m_1|, output ⊥; aec ←$ AE.Encrypt(k, m_β); output aec.
  Proc finalize(β′): output (β′ = β).

(b) INT-OT:
  Proc initialize: pars_AE ←$ AE.ParGen(1^λ); k ←$ 𝒦_AE; output pars_AE.
  Proc encrypt(m) [one query]: aec ←$ AE.Encrypt(k, m); output aec.
  Proc finalize(aec*): if aec* = aec, output 0; output (AE.Decrypt(k, aec*) ≠ ⊥).
We require KEM to have perfect correctness; that is, for all possible $(\mathrm{pk}, \mathrm{sk}) \leftarrow_\$ \mathrm{KEM.KeyGen}(1^\lambda)$, we have
$$\Pr\big[(\mathsf{k}, \mathrm{kemc}) \leftarrow_\$ \mathrm{KEM.Encrypt}(\mathrm{pk}) : \mathrm{KEM.Decrypt}(\mathrm{sk}, \mathrm{kemc}) = \mathsf{k}\big] = 1. \quad (3)$$
2.4. Tag-Based Hash Proof System: Universal$_2$, Extracting, and Key-Homomorphism. Tag-based hash proof system (HPS) was first defined in [19]. The definition is similar to extended HPS [20], but the universal$_2$ property is slightly different.

Definition 3 (tag-based hash proof system). A tag-based hash proof system THPS = (THPS.Setup, THPS.Pub, THPS.Priv) is comprised of three PPT algorithms:
(i) THPS.Setup($1^\lambda$) outputs a parameterized instance pars$_{\mathrm{THPS}}$, which implicitly defines $(\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}, \Lambda_{(\cdot)}, \mu)$, where $\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}$ are all finite sets with $\mathcal{V} \subseteq \mathcal{C}$, $\Lambda_{(\cdot)} : \mathcal{C} \times \mathcal{T} \to \mathcal{K}$ is a set of hash functions indexed by $\mathsf{hk} \in \mathcal{HK}$, and $\mu : \mathcal{HK} \to \mathcal{PK}$ is a function. We assume that $\mu$ is efficiently computable and that there are PPT algorithms sampling $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$ uniformly, sampling $C \leftarrow_\$ \mathcal{C}$ uniformly, sampling $C \leftarrow_\$ \mathcal{V}$ uniformly with a witness $w$, and checking membership in $\mathcal{C}$.
(ii) THPS.Pub(pk, $C$, $w$, $t$) takes a projection key $\mathrm{pk} = \mu(\mathsf{hk}) \in \mathcal{PK}$, an element $C \in \mathcal{V}$ with a witness $w$, and a tag $t \in \mathcal{T}$ as input and outputs a hash value $K = \Lambda_{\mathsf{hk}}(C, t) \in \mathcal{K}$.
(iii) THPS.Priv($\mathsf{hk}$, $C$, $t$) takes a hashing key $\mathsf{hk} \in \mathcal{HK}$, an element $C \in \mathcal{C}$, and a tag $t \in \mathcal{T}$ as input and outputs a hash value $K = \Lambda_{\mathsf{hk}}(C, t) \in \mathcal{K}$ without knowing a witness.

We require THPS to be projective; that is, for all pars$_{\mathrm{THPS}} \leftarrow_\$ \mathrm{THPS.Setup}(1^\lambda)$, all $\mathsf{hk} \in \mathcal{HK}$ and $\mathrm{pk} = \mu(\mathsf{hk}) \in \mathcal{PK}$, all $C \in \mathcal{V}$ with all witnesses $w$, and all $t \in \mathcal{T}$, it holds that
$$\mathrm{THPS.Pub}(\mathrm{pk}, C, w, t) = \Lambda_{\mathsf{hk}}(C, t) = \mathrm{THPS.Priv}(\mathsf{hk}, C, t). \quad (4)$$

Tag-based HPS is associated with a subset membership problem. Informally speaking, it asks to distinguish the uniform distribution over $\mathcal{V}$ from the uniform distribution over $\mathcal{C} \setminus \mathcal{V}$.

Definition 4 (SMP). The Subset Membership Problem (SMP) related to THPS is hard if for any PPT adversary $\mathcal{A}$ one has
$$\mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS},\mathcal{A}}(\lambda) := \big|\Pr[\mathcal{A}(\mathrm{pars}_{\mathrm{THPS}}, C) = 1] - \Pr[\mathcal{A}(\mathrm{pars}_{\mathrm{THPS}}, C') = 1]\big| \le \mathrm{negl}(\lambda), \quad (5)$$
where pars$_{\mathrm{THPS}} \leftarrow_\$ \mathrm{THPS.Setup}(1^\lambda)$, $C \leftarrow_\$ \mathcal{V}$, and $C' \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$.

Definition 5 (universal$_2$). THPS is called (strongly) universal$_2$ if for all possible pars$_{\mathrm{THPS}} \leftarrow_\$ \mathrm{THPS.Setup}(1^\lambda)$, all $\mathrm{pk} \in \mathcal{PK}$, all $C \in \mathcal{C}$, all $C' \in \mathcal{C} \setminus \mathcal{V}$, all $t, t' \in \mathcal{T}$ with $t \neq t'$, and all $K, K' \in \mathcal{K}$, it holds that
$$\Pr\big[\Lambda_{\mathsf{hk}}(C', t') = K' \mid \mu(\mathsf{hk}) = \mathrm{pk},\ \Lambda_{\mathsf{hk}}(C, t) = K\big] = \frac{1}{|\mathcal{K}|}, \quad (6)$$
where the probability is over $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.

The key difference between tag-based HPS and extended HPS lies in the definition of the universal$_2$ property [19]. Extended HPS requires (6) to hold for $(C, t) \neq (C', t')$, while tag-based HPS requires (6) to hold only for $t \neq t'$. Hence
any (universal$_2$) extended HPS is also a (universal$_2$) tag-based HPS, but not vice versa. Tag-based HPS is essentially a weaker variant of extended HPS and admits more efficient constructions.

Dodis et al. [21] defined an extracting property for extended HPS, which requires the hash value $\Lambda_{\mathsf{hk}}(C, t)$ to be uniformly distributed over $\mathcal{K}$ for any $C \in \mathcal{C}$ and $t \in \mathcal{T}$, as long as $\mathsf{hk}$ is randomly chosen from $\mathcal{HK}$. Besides, Xagawa [22] considered a key-homomorphic property for extended HPS, which stipulates that $\Lambda_{\mathsf{hk} + \Delta}(C, t) = \Lambda_{\mathsf{hk}}(C, t) \cdot \Lambda_{\Delta}(C, t)$ holds for any $\mathsf{hk}, \Delta \in \mathcal{HK}$, $C \in \mathcal{C}$, and $t \in \mathcal{T}$. Here we adapt these notions to tag-based HPS.

Definition 6 (extracting). THPS is called extracting if for all pars$_{\mathrm{THPS}} \leftarrow_\$ \mathrm{THPS.Setup}(1^\lambda)$, all $C \in \mathcal{C}$, all $t \in \mathcal{T}$, and all $K \in \mathcal{K}$, it holds that
$$\Pr\big[\Lambda_{\mathsf{hk}}(C, t) = K\big] = \frac{1}{|\mathcal{K}|}, \quad (7)$$
where $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.

Definition 7 (key-homomorphism). THPS is called key-homomorphic if for all pars$_{\mathrm{THPS}} \leftarrow_\$ \mathrm{THPS.Setup}(1^\lambda)$, which defines $(\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}, \Lambda_{(\cdot)}, \mu)$, one has the following:
(i) Both $(\mathcal{HK}, +)$ and $(\mathcal{K}, \cdot)$ are groups.
(ii) For all $C \in \mathcal{C}$ and all $t \in \mathcal{T}$, the mapping $\Lambda_{(\cdot)}(C, t) : \mathcal{HK} \to \mathcal{K}$ is a group homomorphism. That is, for all $\mathsf{hk}, \mathbf{b} \in \mathcal{HK}$ and all $a \in \mathbb{Z}$, it holds that $\Lambda_{a \cdot \mathsf{hk} + \mathbf{b}}(C, t) = (\Lambda_{\mathsf{hk}}(C, t))^a \cdot \Lambda_{\mathbf{b}}(C, t)$.
2.5. DCR, DDH, DL, and IV$_d$ Assumptions. Suppose that $\mathrm{GenN}(1^\lambda)$ is a PPT algorithm generating $(p, q, N, \bar N)$, where $p, q$ are safe primes of $\lambda$ bits, $N = pq$, and $\bar N = 2N + 1$ is a prime. We define the following:
(i) $\mathrm{QR}_{\bar N} := \{a^2 \bmod \bar N \mid a \in \mathbb{Z}_{\bar N}\}$.
Then $\mathrm{QR}_{\bar N}$ is a cyclic group of order $N$. For $s \in \mathbb{N}$ and $T = 1 + N$, we define
(i) $\mathrm{QR}_{N^s} := \{a^2 \bmod N^s \mid a \in \mathbb{Z}^*_{N^s}\}$;
(ii) $\mathrm{SCR}_{N^s} := \{a^{2N^{s-1}} \bmod N^s \mid a \in \mathbb{Z}^*_{N^s}\}$;
(iii) $\mathrm{RU}_{N^s} := \{T^r \bmod N^s \mid r \in [N^{s-1}]\}$.
Then $\mathrm{SCR}_{N^s}$ is a cyclic group of order $\phi(N)/4$, and $\mathrm{QR}_{N^s} = \mathrm{SCR}_{N^s} \otimes \mathrm{RU}_{N^s}$, where $\otimes$ represents the internal direct product.
Damgård and Jurik [23] showed that the discrete logarithm $\mathrm{dlog}_T(u) \in [N^{s-1}]$ of an element $u \in \mathrm{RU}_{N^s}$ can be efficiently computed from $u$ and $N$. Observe that $\mathbb{Z}^*_{N^s} = \mathbb{Z}_2 \otimes \mathbb{Z}'_2 \otimes \mathrm{SCR}_{N^s} \otimes \mathrm{RU}_{N^s}$; thus for any $V = V(\mathbb{Z}_2) \cdot V(\mathbb{Z}'_2) \cdot V(\mathrm{SCR}_{N^s}) \cdot T^x \in \mathbb{Z}^*_{N^s}$, we have $V^{\phi(N)} = T^{x \cdot \phi(N)} \in \mathrm{RU}_{N^s}$ and
$$\frac{\mathrm{dlog}_T\big(V^{\phi(N)}\big)}{\phi(N)} \bmod N^{s-1} = x. \quad (8)$$
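As an added example (not code from the paper), the following Python implements the Damgård-Jurik discrete logarithm in $\mathrm{RU}_{N^s}$ and the exponent extraction of equation (8) for general $s$; the safe primes $p = 23$, $q = 59$ and the base element 5 are constructed toy values far too small for real use.

```python
from math import factorial

def dlog_T(u, N, s):
    """Damgård-Jurik [23]: given u = T^x mod N^s with T = 1 + N, return x in [0, N^(s-1)).
    L(u mod N^(j+1)) = x + C(x,2) N + ... + C(x,j) N^(j-1)  (mod N^j); round j strips the binomial
    terms, which only depend on x mod N^(j-1) (already known), and so recovers x mod N^j."""
    x = 0
    for j in range(1, s):
        mod_j = N ** j
        t1 = ((u % N ** (j + 1)) - 1) // N   # L(b) := (b - 1) / N, exact because b = 1 (mod N)
        t2, i = x, x                          # t2 becomes the falling factorial x(x-1)...(x-k+1)
        for k in range(2, j + 1):
            i -= 1
            t2 = t2 * i % mod_j
            # k! is invertible mod N^j since N has only large prime factors
            t1 = (t1 - t2 * N ** (k - 1) * pow(factorial(k), -1, mod_j)) % mod_j
        x = t1 % mod_j
    return x

def ru_exponent(V, N, s, phi_N):
    """Equation (8): for V = V(Z_2) V(Z'_2) V(SCR_{N^s}) T^x, V^phi(N) = T^(x phi(N)) lies in RU_{N^s},
    and dividing its discrete log by phi(N) modulo N^(s-1) returns x.
    Needs gcd(phi(N), N) = 1, which holds for N a product of two distinct safe primes."""
    Ns = N ** s
    u = pow(V, phi_N, Ns)                     # removes the Z_2, Z'_2 and SCR components
    return dlog_T(u, N, s) * pow(phi_N, -1, N ** (s - 1)) % N ** (s - 1)

# Constructed toy parameters: safe primes p = 23 = 2*11 + 1 and q = 59 = 2*29 + 1.
P_, Q_ = 23, 59
N_ = P_ * Q_                  # 1357
PHI_N = (P_ - 1) * (Q_ - 1)   # 1276, coprime to N_

def demo(s=3, x=12345):
    """Return (dlog_T(T^x), exponent extracted from an element that also has non-RU components)."""
    Ns, T = N_ ** s, 1 + N_
    recovered = dlog_T(pow(T, x, Ns), N_, s)
    # 5^(N^(s-1)) has trivial RU component (RU_{N^s} has order N^(s-1)), so V's T-exponent is exactly x
    V = pow(5, N_ ** (s - 1), Ns) * pow(T, x, Ns) % Ns
    return recovered, ru_exponent(V, N_, s, PHI_N)
```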
Definition 8 (DCR assumption). The Decisional Composite Residuosity (DCR) assumption holds for GenN and $\mathrm{QR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathrm{Adv}^{\mathrm{dcr}}_{\mathrm{GenN},\mathcal{A}}(\lambda) := \big|\Pr[\mathcal{A}(N, u) = 1] - \Pr[\mathcal{A}(N, v) = 1]\big| \le \mathrm{negl}(\lambda), \quad (9)$$
where $(p, q, N, \bar N) \leftarrow_\$ \mathrm{GenN}(1^\lambda)$, $u \leftarrow_\$ \mathrm{QR}_{N^s}$, and $v \leftarrow_\$ \mathrm{SCR}_{N^s}$.

The Interactive Vector (IV$_d$) assumption is implied by the DCR assumption, as shown in [5]. Here we recall the IV$_d$ assumption according to [16].

Definition 9 (IV$_d$ assumption). The IV$_d$ assumption holds for GenN and $\mathrm{QR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathrm{Adv}^{\mathrm{iv}_d}_{\mathrm{GenN},\mathcal{A}}(\lambda) := \Big|\Pr\big[\mathcal{A}^{\mathrm{chal}^b_{\mathrm{IV}_d}}(N, g_1, \dots, g_d) = b\big] - \tfrac{1}{2}\Big| \le \mathrm{negl}(\lambda), \quad (10)$$
where $(p, q, N, \bar N) \leftarrow_\$ \mathrm{GenN}(1^\lambda)$, $g_1, \dots, g_d \leftarrow_\$ \mathrm{SCR}_{N^s}$, $b \leftarrow_\$ \{0, 1\}$, and $\mathcal{A}$ is allowed to query the oracle $\mathrm{chal}^b_{\mathrm{IV}_d}(\cdot)$ adaptively. Each time, $\mathcal{A}$ can submit $(\delta_1, \dots, \delta_d)$ to the oracle, and $\mathrm{chal}^b_{\mathrm{IV}_d}(\delta_1, \dots, \delta_d)$ selects $r \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly; if $b = 0$, the oracle outputs $(g_1^r, \dots, g_d^r)$ to $\mathcal{A}$; otherwise it outputs $(g_1^r T^{\delta_1}, \dots, g_d^r T^{\delta_d})$ to $\mathcal{A}$, where $T = 1 + N$.

Definition 10 (DDH assumption). The DDH assumption holds for GenN and $\mathrm{QR}_{\bar N}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathrm{Adv}^{\mathrm{ddh}}_{\mathrm{GenN},\mathcal{A}}(\lambda) := \big|\Pr[\mathcal{A}(N, p, q, g_1, g_2, g_1^x, g_2^x) = 1] - \Pr[\mathcal{A}(N, p, q, g_1, g_2, g_1^x, g_2^y) = 1]\big| \le \mathrm{negl}(\lambda), \quad (11)$$
where $(p, q, N, \bar N) \leftarrow_\$ \mathrm{GenN}(1^\lambda)$, $g_1, g_2 \leftarrow_\$ \mathrm{QR}_{\bar N}$, and $x, y \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$.

Definition 11 (DL assumption). The Discrete Logarithm (DL) assumption holds for GenN and $\mathrm{SCR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN},\mathcal{A}}(\lambda) := \Pr[\mathcal{A}(N, p, q, g, g^x) = x] \le \mathrm{negl}(\lambda), \quad (12)$$
where $(p, q, N, \bar N) \leftarrow_\$ \mathrm{GenN}(1^\lambda)$, $g \leftarrow_\$ \mathrm{SCR}_{N^s}$, and $x \leftarrow_\$ [\phi(N)/4]$.
2.6. Collision-Resistant Hashing

Definition 12 (collision-resistant hashing). Let $\mathcal{H} = \{H : \mathcal{X} \to \mathcal{Y}\}$ be a set of hash functions. $\mathcal{H}$ is said to be collision-resistant if for any PPT $\mathcal{A}$ one has
$$\mathrm{Adv}^{\mathrm{cr}}_{\mathcal{H},\mathcal{A}}(\lambda) := \Pr\big[H \leftarrow_\$ \mathcal{H},\ (x, x') \leftarrow_\$ \mathcal{A}(H) : x \neq x' \wedge H(x) = H(x')\big] \le \mathrm{negl}(\lambda). \quad (13)$$
3. Auxiliary-Input Authenticated Encryption

Our PKE constructions in Sections 4 and 5 will resort to a new primitive, AIAE. To serve the KDM-CCA security of our PKE construction in Figure 1, our AIAE should satisfy the following properties:
(i) AIAE must take an auxiliary input ai in both the encryption and decryption algorithms.
(ii) AIAE must have IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. Compared to the INT-$\mathcal{F}$-RKA security proposed in [16], the weak-INT-$\mathcal{F}$-RKA security imposes a special rule to determine whether the adversary's forgery is successful or not.

In the following, we present the syntax of AIAE and define its IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. We also show a general paradigm of AIAE from tag-based HPS and give an instantiation of AIAE under the DDH assumption.
3.1. Auxiliary-Input Authenticated Encryption
Definition 13 (AIAE). There are three PPT algorithms AIAE = (AIAE.ParGen, AIAE.Encrypt, AIAE.Decrypt) in an AIAE scheme:
(i) The parameter generation algorithm AIAE.ParGen($1^\lambda$) generates a system parameter pars$_{\mathrm{AIAE}}$. We require pars$_{\mathrm{AIAE}}$ to be an implicit input to other algorithms and assume that pars$_{\mathrm{AIAE}}$ implicitly defines a key space $\mathcal{K}_{\mathrm{AIAE}}$, a message space $\mathcal{M}$, and an auxiliary-input space $\mathcal{AI}$.
(ii) The encryption algorithm AIAE.Encrypt($\mathsf{k}$, $m$, ai) takes a key $\mathsf{k} \in \mathcal{K}_{\mathrm{AIAE}}$, a message $m \in \mathcal{M}$, and an auxiliary input $\mathsf{ai} \in \mathcal{AI}$ as input and outputs a ciphertext aiaec.
(iii) The decryption algorithm AIAE.Decrypt($\mathsf{k}$, aiaec, ai) takes a key $\mathsf{k} \in \mathcal{K}_{\mathrm{AIAE}}$, a ciphertext aiaec, and an auxiliary input $\mathsf{ai} \in \mathcal{AI}$ as input and outputs a message $m \in \mathcal{M}$ or a symbol $\perp$.

We require AIAE to have perfect correctness; that is, for all possible pars$_{\mathrm{AIAE}} \leftarrow_\$ \mathrm{AIAE.ParGen}(1^\lambda)$, all keys $\mathsf{k} \in \mathcal{K}_{\mathrm{AIAE}}$, all messages $m \in \mathcal{M}$, and all auxiliary inputs $\mathsf{ai} \in \mathcal{AI}$,
$$\Pr\big[\mathrm{AIAE.Decrypt}(\mathsf{k}, \mathrm{AIAE.Encrypt}(\mathsf{k}, m, \mathsf{ai}), \mathsf{ai}) = m\big] = 1. \quad (14)$$

In fact, AIAE is a generalization of traditional AE, and traditional AE can be viewed as AIAE with $\mathcal{AI} = \{0\}$.

Definition 14 (RKA security). Denote by $\mathcal{F}$ a set of functions from $\mathcal{K}_{\mathrm{AIAE}}$ to $\mathcal{K}_{\mathrm{AIAE}}$. A scheme AIAE is IND-$\mathcal{F}$-RKA secure and weak-INT-$\mathcal{F}$-RKA secure if for any PPT $\mathcal{A}$,
$$\mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE},\mathcal{A}}(\lambda) := \big|\Pr[\mathrm{IND}\text{-}\mathcal{F}\text{-}\mathrm{RKA}^{\mathcal{A}} \Rightarrow 1] - 1/2\big| \le \mathrm{negl}(\lambda),$$
$$\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE},\mathcal{A}}(\lambda) := \Pr[\mathrm{weak\text{-}INT}\text{-}\mathcal{F}\text{-}\mathrm{RKA}^{\mathcal{A}} \Rightarrow 1] \le \mathrm{negl}(\lambda), \quad (15)$$
where IND-$\mathcal{F}$-RKA and weak-INT-$\mathcal{F}$-RKA are the security games presented in Figure 4.
3.2. Generic Construction of AIAE from Tag-Based HPS and OT-Secure AE. Our construction of AIAE needs the following ingredients:
(i) A tag-based hash proof system THPS = (THPS.Setup, THPS.Pub, THPS.Priv), where the hash value space is $\mathcal{K}$, the tag space is $\mathcal{T}$, and the hashing key space is $\mathcal{HK}$.
(ii) A (traditional) authenticated encryption scheme AE = (AE.ParGen, AE.Encrypt, AE.Decrypt), where the message space is $\mathcal{M}$ and the key space is $\mathcal{K}$.
(iii) A set of hash functions $\mathcal{H} = \{H : \{0, 1\}^* \to \mathcal{T}\}$.

We present our AIAE construction AIAE = (AIAE.ParGen, AIAE.Encrypt, AIAE.Decrypt) in Figure 5, whose key space is $\mathcal{K}_{\mathrm{AIAE}} := \mathcal{HK}$, message space is $\mathcal{M}$, and auxiliary-input space is $\mathcal{AI} := \{0, 1\}^*$.

By the perfect correctness of AE, it is routine to check that AIAE has perfect correctness.
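As an added illustration (not code from the paper, and not the paper's DDH instantiation), here is a toy Python instantiation of the Figure 5 construction: the tag-based HPS is the Cramer-Shoup style hash $\Lambda_{\mathsf{hk}}(C, t) = c_1^{k_1 + t k_3} c_2^{k_2 + t k_4}$ over a small prime-order group, the one-time AE is a SHA-256 keystream with an HMAC tag, and $H$ is SHA-256; the group size, generators, and key values are constructed for readability only, and the demo exercises decryption under an affine related key $a \cdot \mathsf{hk} + \mathbf{b}$, auxiliary-input binding, and the projective and key-homomorphic properties of Definitions 3 and 7.

```python
import hashlib
import hmac
import secrets

# Constructed toy DDH group (far too small to be secure): p = 2q + 1 with q prime, and we
# work in the order-q subgroup QR_p of Z_p^*; G1 and G2 are squares mod p, so they generate QR_p.
P, Q = 2039, 1019
G1, G2 = 4, 9

def in_c(c):
    """Membership check for the THPS element space C = QR_p x QR_p (Definition 3 asks for one)."""
    return len(c) == 2 and all(0 < v < P and pow(v, Q, P) == 1 for v in c)

def sample_hk():
    """hk <-$ HK = (Z_q)^4, a group under componentwise addition (Definition 7)."""
    return tuple(secrets.randbelow(Q) for _ in range(4))

def sample_v(w=None):
    """C <-$ V = {(g1^w, g2^w)} together with its witness w."""
    w = secrets.randbelow(Q) if w is None else w % Q
    return (pow(G1, w, P), pow(G2, w, P)), w

def mu(hk):
    """Projection key mu(hk) = (g1^k1 g2^k2, g1^k3 g2^k4)."""
    k1, k2, k3, k4 = hk
    return (pow(G1, k1, P) * pow(G2, k2, P) % P, pow(G1, k3, P) * pow(G2, k4, P) % P)

def hps_priv(hk, c, t):
    """THPS.Priv: Lambda_hk(C, t) = c1^(k1 + t*k3) * c2^(k2 + t*k4), linear in hk."""
    k1, k2, k3, k4 = hk
    c1, c2 = c
    return pow(c1, (k1 + t * k3) % Q, P) * pow(c2, (k2 + t * k4) % Q, P) % P

def hps_pub(pk, c, w, t):
    """THPS.Pub: the same hash value from the projection key and the witness, equation (4)."""
    return pow(pk[0], w, P) * pow(pk[1], w * t % Q, P) % P

def affine_key(hk, a, b):
    """f_(a,b)(hk) = a*hk + b, the restricted affine functions F_raff of Theorem 15."""
    return tuple((a * k + bi) % Q for k, bi in zip(hk, b))

def tag(c, ai):
    """t = H(C, ai) in T = Z_q, with H instantiated by SHA-256 (assumed collision-resistant)."""
    return int.from_bytes(hashlib.sha256(b"%d|%d|" % c + ai).digest(), "big") % Q

# One-time AE: SHA-256-derived keystream XORed into the message, then HMAC-SHA256 over the ciphertext.
def _ae_keys(kappa):
    mac_key = hashlib.sha256(b"AIAE-AE-key|%d" % kappa).digest()
    return mac_key, hashlib.sha256(mac_key + b"keystream").digest()

def ae_encrypt(kappa, m):
    mac_key, pad = _ae_keys(kappa)
    assert len(m) <= len(pad), "toy AE: messages of at most 32 bytes"
    ct = bytes(x ^ y for x, y in zip(m, pad))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def ae_decrypt(kappa, chi):
    mac_key, pad = _ae_keys(kappa)
    ct, mac = chi[:-32], chi[-32:]
    if not hmac.compare_digest(mac, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None                                   # the symbol ⊥
    return bytes(x ^ y for x, y in zip(ct, pad))

def aiae_encrypt(hk, m, ai, w=None):
    """AIAE.Encrypt of Figure 5: C <-$ V, t = H(C, ai), kappa = Lambda_hk(C, t), chi <- AE.Encrypt(kappa, m)."""
    c, _ = sample_v(w)
    return c, ae_encrypt(hps_priv(hk, c, tag(c, ai)), m)

def aiae_decrypt(hk, ciphertext, ai):
    """AIAE.Decrypt of Figure 5: reject C outside the group, rederive kappa from (C, ai), then AE.Decrypt."""
    c, chi = ciphertext
    if not in_c(c):
        return None
    return ae_decrypt(hps_priv(hk, c, tag(c, ai)), chi)

def demo():
    """Correctness under a related key f_(a,b)(hk), auxiliary-input binding, and Definitions 3 and 7."""
    hk = sample_hk()
    a, b = 3, (5, 7, 11, 13)
    key = affine_key(hk, a, b)              # the key an RKA adversary can steer encryption onto
    m, ai = b"key-dependent payload", b"public-key context"
    c, chi = aiae_encrypt(key, m, ai)
    c2, w2 = sample_v()
    t = tag(c2, b"some ai")
    return {
        "correct": aiae_decrypt(key, (c, chi), ai) == m,
        # a different ai changes t and hence (unless Lambda collides) the AE key kappa
        "keys_differ": hps_priv(key, c, tag(c, ai)) != hps_priv(key, c, tag(c, b"other context")),
        "wrong_ai_rejected": aiae_decrypt(key, (c, chi), b"other context") is None,
        "tampered_rejected": aiae_decrypt(key, (c, bytes([chi[0] ^ 1]) + chi[1:]), ai) is None,
        # Definition 7: Lambda_{a*hk + b}(C, t) = Lambda_hk(C, t)^a * Lambda_b(C, t)
        "homomorphic": hps_priv(key, c2, t) == pow(hps_priv(hk, c2, t), a, P) * hps_priv(b, c2, t) % P,
        # Equation (4): THPS.Pub with the witness agrees with THPS.Priv with the hashing key
        "projective": hps_pub(mu(key), c2, w2, t) == hps_priv(key, c2, t),
    }
```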
Theorem 15. If (i) THPS is universal$_2$, extracting, key-homomorphic and has a hard subset membership problem, (ii) AE is one-time secure, and (iii) $\mathcal{H}$ is collision-resistant, then the scheme AIAE in Figure 5 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here
$$\mathcal{F}_{\mathrm{raff}} := \big\{ f_{(a,\mathbf{b})} : \mathrm{hk} \in \mathcal{HK} \mapsto a \cdot \mathrm{hk} + \mathbf{b} \in \mathcal{HK} \;\big|\; a \in \mathbb{Z}^{*}_{|\mathcal{K}|},\ \mathbf{b} \in \mathcal{HK} \big\}$$
is the set of restricted affine functions.
Proof of Theorem 15 (IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security). Denote by $\mathcal{A}$ a PPT adversary who is against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security and queries the encrypt oracle for at most $Q_e$ times. We show the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security through a series of games. For an event $\mathsf{E}$, we denote by $\Pr_{j}[\mathsf{E}]$, $\Pr_{j'}[\mathsf{E}]$ and $\Pr_{j''}[\mathsf{E}]$ the probability of $\mathsf{E}$ occurring in games $\mathrm{G}_{j}$, $\mathrm{G}'_{j}$ and $\mathrm{G}''_{j}$ respectively.

Game $\mathrm{G}_1$. It is the original IND-$\mathcal{F}_{\mathrm{raff}}$-RKA game. Denote the event $\beta' = \beta$ by $\mathsf{Succ}$. According to the definition, $\mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE},\mathcal{A}}(\lambda) = |\Pr_1[\mathsf{Succ}] - \tfrac{1}{2}|$.
Figure 4: IND-$\mathcal{F}$-RKA (a) and weak-INT-$\mathcal{F}$-RKA (b) security games. We note that in the weak-INT-$\mathcal{F}$-RKA game there is a special rule (marked "special rule" below; shadowed in the original figure) of outputting 0 in finalize.

(a) IND-$\mathcal{F}$-RKA game:
Proc. initialize: $\mathrm{pars}_{\mathrm{AIAE}} \leftarrow_{\$} \mathrm{AIAE.ParGen}(1^{\lambda})$; $k \leftarrow_{\$} \mathcal{K}_{\mathrm{AIAE}}$; $\beta \leftarrow_{\$} \{0,1\}$. Output $\mathrm{pars}_{\mathrm{AIAE}}$.
Proc. encrypt$(m_0, m_1, \mathrm{ai}, f \in \mathcal{F})$: If $|m_0| \ne |m_1|$, output $\perp$. $\mathrm{aiaec} \leftarrow_{\$} \mathrm{AIAE.Encrypt}(f(k), m_{\beta}, \mathrm{ai})$. Output $\mathrm{aiaec}$.
Proc. finalize$(\beta')$: Output $(\beta' = \beta)$.

(b) weak-INT-$\mathcal{F}$-RKA game:
Proc. initialize: $\mathrm{pars}_{\mathrm{AIAE}} \leftarrow_{\$} \mathrm{AIAE.ParGen}(1^{\lambda})$; $k \leftarrow_{\$} \mathcal{K}_{\mathrm{AIAE}}$. Output $\mathrm{pars}_{\mathrm{AIAE}}$.
Proc. encrypt$(m, \mathrm{ai}, f \in \mathcal{F})$: $\mathrm{aiaec} \leftarrow_{\$} \mathrm{AIAE.Encrypt}(f(k), m, \mathrm{ai})$; $\mathcal{Q}_{\mathrm{AI\text{-}F}} = \mathcal{Q}_{\mathrm{AI\text{-}F}} \cup \{(\mathrm{ai}, f)\}$; $\mathcal{Q}_{\mathrm{ENC}} = \mathcal{Q}_{\mathrm{ENC}} \cup \{(\mathrm{ai}, f, \mathrm{aiaec})\}$. Output $\mathrm{aiaec}$.
Proc. finalize$(\mathrm{ai}^{*}, f^{*} \in \mathcal{F}, \mathrm{aiaec}^{*})$: If $(\mathrm{ai}^{*}, f^{*}, \mathrm{aiaec}^{*}) \in \mathcal{Q}_{\mathrm{ENC}}$, output 0. Special rule: if there exists $(\mathrm{ai}, f) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai} = \mathrm{ai}^{*}$ but $f \ne f^{*}$, output 0. Output $(\mathrm{AIAE.Decrypt}(f^{*}(k), \mathrm{aiaec}^{*}, \mathrm{ai}^{*}) \ne \perp)$.
Figure 5: Generic construction of AIAE from THPS and AE.

$\mathrm{pars}_{\mathrm{AIAE}} \leftarrow_{\$} \mathrm{AIAE.ParGen}(1^{\lambda})$: $\mathrm{pars}_{\mathrm{THPS}} \leftarrow_{\$} \mathrm{THPS.Setup}(1^{\lambda})$; $\mathrm{pars}_{\mathrm{AE}} \leftarrow_{\$} \mathrm{AE.ParGen}(1^{\lambda})$; $H \leftarrow_{\$} \mathcal{H}$. Output $\mathrm{pars}_{\mathrm{AIAE}} = (\mathrm{pars}_{\mathrm{THPS}}, \mathrm{pars}_{\mathrm{AE}}, H)$.

$\mathrm{AIAE.Encrypt}(\mathrm{hk}, m, \mathrm{ai})$: $C \leftarrow_{\$} \mathcal{V}$ with witness $w$; $t = H(C, \mathrm{ai}) \in \mathcal{T}$; $\kappa = \Lambda_{\mathrm{hk}}(C, t) \in \mathcal{K}$; $\chi \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa, m)$. Output $\langle C, \chi \rangle$.

$\mathrm{AIAE.Decrypt}(\mathrm{hk}, \langle C, \chi \rangle, \mathrm{ai})$: If $C \notin \mathcal{C}$, output $\perp$. $t = H(C, \mathrm{ai}) \in \mathcal{T}$; $\kappa = \Lambda_{\mathrm{hk}}(C, t) \in \mathcal{K}$; $m/\perp \leftarrow \mathrm{AE.Decrypt}(\kappa, \chi)$. Output $m/\perp$.
As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_{\ell,0}, m_{\ell,1}, \mathrm{ai}_{\ell}, f_{\ell})$, where $f_{\ell} = \langle a_{\ell}, \mathbf{b}_{\ell} \rangle \in \mathcal{F}_{\mathrm{raff}}$, the challenger prepares the challenge ciphertext as follows:

(i) pick $C_{\ell} \leftarrow_{\$} \mathcal{V}$ together with witness $w_{\ell}$;
(ii) compute $t_{\ell} := H(C_{\ell}, \mathrm{ai}_{\ell}) \in \mathcal{T}$;
(iii) compute $\kappa_{\ell} := \Lambda_{a_{\ell} \cdot \mathrm{hk} + \mathbf{b}_{\ell}}(C_{\ell}, t_{\ell}) \in \mathcal{K}$;
(iv) invoke $\chi_{\ell} \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_{\ell}, m_{\ell,\beta})$,

and it outputs the challenge ciphertext $\langle C_{\ell}, \chi_{\ell} \rangle$ to $\mathcal{A}$.

Game $\mathrm{G}_{1,j}$, $j \in [Q_e + 1]$. It is identical to $\mathrm{G}_1$ except that for the first $j-1$ times of encrypt queries, that is $\ell \in [j-1]$, the challenger chooses $\kappa_{\ell} \leftarrow_{\$} \mathcal{K}$ randomly for the AE scheme.

Clearly $\mathrm{G}_{1,1}$ is identical to $\mathrm{G}_1$, thus $\Pr_1[\mathsf{Succ}] = \Pr_{1,1}[\mathsf{Succ}]$.

Game $\mathrm{G}'_{1,j}$, $j \in [Q_e]$. It is identical to $\mathrm{G}_{1,j}$ except that for the $j$-th encrypt query the challenger samples $C_{j} \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$ lies in the distribution of $C_{j}$. In game $\mathrm{G}_{1,j}$, $C_{j}$ is uniformly chosen from $\mathcal{V}$; in game $\mathrm{G}'_{1,j}$, $C_{j}$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$ results in a PPT adversary solving the subset membership problem related to THPS, thus we have that $|\Pr_{1,j}[\mathsf{Succ}] - \Pr_{1,j'}[\mathsf{Succ}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.

Game $\mathrm{G}''_{1,j}$, $j \in [Q_e]$. It is identical to $\mathrm{G}'_{1,j}$ except that for the $j$-th encrypt query the challenger chooses $\kappa_{j} \leftarrow_{\$} \mathcal{K}$ randomly.

Lemma 16. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.

Proof. For game $\mathrm{G}'_{1,j}$ and game $\mathrm{G}''_{1,j}$, the difference between them lies in the computation of $\kappa_{j}$ in the $j$-th encrypt query. In $\mathrm{G}'_{1,j}$, $\kappa_{j}$ is properly computed, while in $\mathrm{G}''_{1,j}$ it is chosen from $\mathcal{K}$ uniformly.

We analyze the information about the key $\mathrm{hk}$ that is used in game $\mathrm{G}'_{1,j}$:

(i) For the $\ell$-th ($\ell \in [j-1]$) query, encrypt does not use $\mathrm{hk}$ at all, since $\kappa_{\ell}$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$-th ($\ell \in [j+1, Q_e]$) query, encrypt can use $\mathrm{pk} = \mu(\mathrm{hk})$ to compute $\kappa_{\ell}$:
$$\begin{aligned}
\kappa_{\ell} &= \Lambda_{a_{\ell} \cdot \mathrm{hk} + \mathbf{b}_{\ell}}(C_{\ell}, t_{\ell}), \qquad C_{\ell} \leftarrow_{\$} \mathcal{V} \text{ with witness } w_{\ell} \\
&= \big(\Lambda_{\mathrm{hk}}(C_{\ell}, t_{\ell})\big)^{a_{\ell}} \cdot \Lambda_{\mathbf{b}_{\ell}}(C_{\ell}, t_{\ell}) \qquad \text{via key-homomorphism} \\
&= \big(\mathrm{THPS.Pub}(\mathrm{pk}, C_{\ell}, w_{\ell}, t_{\ell})\big)^{a_{\ell}} \cdot \Lambda_{\mathbf{b}_{\ell}}(C_{\ell}, t_{\ell}) \qquad \text{via projective property.}
\end{aligned} \qquad (16)$$

(iii) For the $j$-th query, encrypt uses $\Lambda_{\mathrm{hk}}(C_{j}, t_{j})$ to compute $\kappa_{j}$:
$$\begin{aligned}
\kappa_{j} &= \Lambda_{a_{j} \cdot \mathrm{hk} + \mathbf{b}_{j}}(C_{j}, t_{j}), \qquad C_{j} \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V} \\
&= \big(\Lambda_{\mathrm{hk}}(C_{j}, t_{j})\big)^{a_{j}} \cdot \Lambda_{\mathbf{b}_{j}}(C_{j}, t_{j}) \qquad \text{via key-homomorphism.}
\end{aligned} \qquad (17)$$

Since $C_{j} \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathrm{hk}}(C_{j}, t_{j})$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$. Then as long as $a_{j} \in \mathbb{Z}^{*}_{|\mathcal{K}|}$, $\kappa_{j} = (\Lambda_{\mathrm{hk}}(C_{j}, t_{j}))^{a_{j}} \cdot \Lambda_{\mathbf{b}_{j}}(C_{j}, t_{j})$ is also randomly distributed over $\mathcal{K}$. Consequently, $\mathrm{G}'_{1,j}$ is essentially the same as $\mathrm{G}''_{1,j}$, and $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.

Now we show that game $\mathrm{G}''_{1,j}$ is computationally indistinguishable from game $\mathrm{G}_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $\mathrm{G}''_{1,j}$ and $\mathrm{G}_{1,j+1}$ lies in the distribution of $C_{j}$ in the $j$-th encrypt query. In game $\mathrm{G}''_{1,j}$, $C_{j}$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $\mathrm{G}_{1,j+1}$, $C_{j}$ is uniformly chosen from $\mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS, thus we have that $|\Pr_{1,j''}[\mathsf{Succ}] - \Pr_{1,j+1}[\mathsf{Succ}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.

Game $\mathrm{G}_2$. It is identical to $\mathrm{G}_{1,Q_e+1}$ except that when answering encrypt queries, the challenger invokes $\chi_{\ell} \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_{\ell}, 0^{|m_{\ell,0}|})$.

In game $\mathrm{G}_{1,Q_e+1}$, the challenger computes $\chi_{\ell} \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_{\ell}, m_{\ell,\beta})$; in game $\mathrm{G}_2$, the challenger computes $\chi_{\ell} \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_{\ell}, 0^{|m_{\ell,0}|})$. Since each $\kappa_{\ell}$ is chosen from $\mathcal{K}$ uniformly at random, $\ell \in [Q_e]$, by a standard hybrid argument, any difference between $\mathrm{G}_{1,Q_e+1}$ and $\mathrm{G}_2$ results in a PPT adversary against the IND-OT security of AE, so that $|\Pr_{1,Q_e+1}[\mathsf{Succ}] - \Pr_2[\mathsf{Succ}]| \le Q_e \cdot \mathrm{Adv}^{\mathrm{ind\text{-}ot}}_{\mathrm{AE}}(\lambda)$.

Finally, in game $\mathrm{G}_2$, since the challenge ciphertexts are encryptions of $0^{|m_{\ell,0}|}$, $\beta$ is perfectly hidden to $\mathcal{A}$. So $\Pr_2[\mathsf{Succ}] = \tfrac{1}{2}$.

Summing up, we proved the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security).

Proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security). Denote by $\mathcal{A}$ a PPT adversary who is against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security and queries the encrypt oracle for at most $Q_e$ times. Similarly, the proof goes through a series of games, which are defined analogously to the games of the previous proof.

Game $\mathrm{G}_0$. It is the original weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_{\ell}, \mathrm{ai}_{\ell}, f_{\ell})$, the challenger computes the challenge ciphertext $\langle C_{\ell}, \chi_{\ell} \rangle$ in similar steps as the previous proof and outputs $\langle C_{\ell}, \chi_{\ell} \rangle$ to $\mathcal{A}$. Moreover, the challenger will put $(\mathrm{ai}_{\ell}, f_{\ell}, \langle C_{\ell}, \chi_{\ell} \rangle)$ to a set $\mathcal{Q}_{\mathrm{ENC}}$, put $(\mathrm{ai}_{\ell}, f_{\ell})$ to a set $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and put $(C_{\ell}, \mathrm{ai}_{\ell}, t_{\ell})$ to a set $\mathcal{Q}_{\mathrm{TAG}}$. In the end, the adversary outputs a forgery $(\mathrm{ai}^{*}, f^{*}, \langle C^{*}, \chi^{*} \rangle)$, where $f^{*} = \langle a^{*}, \mathbf{b}^{*} \rangle$, and the challenger invokes the finalize procedure as follows:

(i) If $(\mathrm{ai}^{*}, f^{*}, \langle C^{*}, \chi^{*} \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, output 0.
(ii) If $\exists (\mathrm{ai}_{\ell}, f_{\ell}) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai}_{\ell} = \mathrm{ai}^{*}$ but $f_{\ell} \ne f^{*}$, output 0.
(iii) If $C^{*} \notin \mathcal{C}$, output 0.
(iv) Compute $t^{*} := H(C^{*}, \mathrm{ai}^{*}) \in \mathcal{T}$ and $\kappa^{*} := \Lambda_{a^{*} \cdot \mathrm{hk} + \mathbf{b}^{*}}(C^{*}, t^{*}) \in \mathcal{K}$. Output $(\mathrm{AE.Decrypt}(\kappa^{*}, \chi^{*}) \ne \perp)$.

Denote the event that finalize outputs 1 by $\mathsf{Forge}$. According to the definition, $\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE},\mathcal{A}}(\lambda) = \Pr_0[\mathsf{Forge}]$.

Game $\mathrm{G}_1$. It is identical to $\mathrm{G}_0$ except that the following rule is added to the procedure finalize by the challenger:

(i) If $\exists (C_{\ell}, \mathrm{ai}_{\ell}, t_{\ell}) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_{\ell} = t^{*}$ but $(C_{\ell}, \mathrm{ai}_{\ell}) \ne (C^{*}, \mathrm{ai}^{*})$, output 0.

Since $t_{\ell} = H(C_{\ell}, \mathrm{ai}_{\ell})$ and $t^{*} = H(C^{*}, \mathrm{ai}^{*})$, any difference between $\mathrm{G}_0$ and $\mathrm{G}_1$ implies a hash collision of $H$. So $|\Pr_0[\mathsf{Forge}] - \Pr_1[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{cr}}_{\mathcal{H}}(\lambda)$.

Game $\mathrm{G}_{1,j}$, $j \in [Q_e + 1]$. It is identical to $\mathrm{G}_1$ except that for the first $j-1$ times of encrypt queries, that is $\ell \in [j-1]$, the challenger chooses $\kappa_{\ell} \leftarrow_{\$} \mathcal{K}$ uniformly for the AE scheme.

Clearly $\mathrm{G}_{1,1}$ is identical to $\mathrm{G}_1$, thus $\Pr_1[\mathsf{Forge}] = \Pr_{1,1}[\mathsf{Forge}]$.

Game $\mathrm{G}'_{1,j}$, $j \in [Q_e]$. It is identical to $\mathrm{G}_{1,j}$ except that for the $j$-th encrypt query the challenger samples $C_{j} \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$ lies in the distribution of $C_{j}$. In game $\mathrm{G}_{1,j}$, $C_{j}$ is uniformly chosen from $\mathcal{V}$; in game $\mathrm{G}'_{1,j}$, $C_{j}$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS. We emphasize that the PPT adversary (simulator) is able to check the occurrence of $\mathsf{Forge}$ in an efficient way, because the key $\mathrm{hk}$ can be chosen by the simulator itself. Consequently, the difference between $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$ can be reduced to the subset membership problem smoothly.
Lemma 17. For all $j \in [Q_e]$, $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.

Proof. To bound the difference between $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$, we build an efficient adversary $\mathcal{B}$ solving the subset membership problem. Given $(\mathrm{pars}_{\mathrm{THPS}}, C)$, where $\mathrm{pars}_{\mathrm{THPS}} \leftarrow_{\$} \mathrm{THPS.Setup}(1^{\lambda})$, $\mathcal{B}$ aims to distinguish $C \leftarrow_{\$} \mathcal{V}$ from $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

$\mathcal{B}$ simulates $\mathrm{G}_{1,j}$ or $\mathrm{G}'_{1,j}$ for $\mathcal{A}$. Firstly, $\mathcal{B}$ invokes $\mathrm{pars}_{\mathrm{AE}} \leftarrow_{\$} \mathrm{AE.ParGen}(1^{\lambda})$, picks $H \leftarrow_{\$} \mathcal{H}$ randomly, and sends $\mathrm{pars}_{\mathrm{AIAE}} := (\mathrm{pars}_{\mathrm{THPS}}, \mathrm{pars}_{\mathrm{AE}}, H)$ to $\mathcal{A}$. Next, $\mathcal{B}$ chooses $\mathrm{hk} \leftarrow_{\$} \mathcal{HK}$.

As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_{\ell}, \mathrm{ai}_{\ell}, f_{\ell})$, where $f_{\ell} = \langle a_{\ell}, \mathbf{b}_{\ell} \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_{\ell}, \chi_{\ell} \rangle$ in the following way:

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_{\ell}, \chi_{\ell} \rangle$ just like that in both $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ chooses $C_{\ell} \leftarrow_{\$} \mathcal{V}$ with witness $w_{\ell}$, chooses $\kappa_{\ell} \leftarrow_{\$} \mathcal{K}$ randomly, and invokes $\chi_{\ell} \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_{\ell}, m_{\ell})$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_{\ell}, \chi_{\ell} \rangle$ just like that in both $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ chooses $C_{\ell} \leftarrow_{\$} \mathcal{V}$ with witness $w_{\ell}$, computes $t_{\ell} := H(C_{\ell}, \mathrm{ai}_{\ell})$ and $\kappa_{\ell} := \Lambda_{a_{\ell} \cdot \mathrm{hk} + \mathbf{b}_{\ell}}(C_{\ell}, t_{\ell})$, and invokes $\chi_{\ell} \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_{\ell}, m_{\ell})$.
(iii) If $\ell = j$, $\mathcal{B}$ embeds its own challenge $C$ to $C_{j}$, that is, $C_{j} := C$. Then it computes $t_{j} := H(C_{j}, \mathrm{ai}_{j})$, $\kappa_{j} := \Lambda_{a_{j} \cdot \mathrm{hk} + \mathbf{b}_{j}}(C_{j}, t_{j})$, and invokes $\chi_{j} \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_{j}, m_{j})$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_{\ell}, \chi_{\ell} \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathrm{ai}_{\ell}, f_{\ell}, \langle C_{\ell}, \chi_{\ell} \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathrm{ai}_{\ell}, f_{\ell})$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$ and $(C_{\ell}, \mathrm{ai}_{\ell}, t_{\ell})$ to $\mathcal{Q}_{\mathrm{TAG}}$.

Obviously, $\mathcal{B}$ simulates $\mathrm{G}_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{V}$ and simulates $\mathrm{G}'_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathrm{ai}^{*}, f^{*}, \langle C^{*}, \chi^{*} \rangle)$ to $\mathcal{B}$ with $f^{*} = \langle a^{*}, \mathbf{b}^{*} \rangle \in \mathcal{F}_{\mathrm{raff}}$. Then $\mathcal{B}$ decides whether finalize outputs 1 or not with the help of $\mathrm{hk}$:

(i) If $(\mathrm{ai}^{*}, f^{*}, \langle C^{*}, \chi^{*} \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ outputs 0 (to its own challenger).
(ii) If $\exists (\mathrm{ai}_{\ell}, f_{\ell}) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai}_{\ell} = \mathrm{ai}^{*}$ but $f_{\ell} \ne f^{*}$, $\mathcal{B}$ outputs 0.
(iii) If $C^{*} \notin \mathcal{C}$, $\mathcal{B}$ outputs 0.
(iv) $\mathcal{B}$ computes $t^{*} := H(C^{*}, \mathrm{ai}^{*}) \in \mathcal{T}$.
(v) If $\exists (C_{\ell}, \mathrm{ai}_{\ell}, t_{\ell}) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_{\ell} = t^{*}$ but $(C_{\ell}, \mathrm{ai}_{\ell}) \ne (C^{*}, \mathrm{ai}^{*})$, $\mathcal{B}$ outputs 0.
(vi) $\mathcal{B}$ computes $\kappa^{*} := \Lambda_{a^{*} \cdot \mathrm{hk} + \mathbf{b}^{*}}(C^{*}, t^{*}) \in \mathcal{K}$ and outputs $(\mathrm{AE.Decrypt}(\kappa^{*}, \chi^{*}) \ne \perp)$.

With the help of $\mathrm{hk}$, $\mathcal{B}$ is able to perfectly simulate finalize just like that in both $\mathrm{G}_{1,j}$ and $\mathrm{G}'_{1,j}$. Moreover, $\mathcal{B}$ outputs 1 to its own challenger if and only if the event $\mathsf{Forge}$ occurs. As a result, we have that $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS},\mathcal{B}}(\lambda)$.

Game $\mathrm{G}''_{1,j}$, $j \in [Q_e]$. It is identical to $\mathrm{G}'_{1,j}$ except that for the $j$-th encrypt query the challenger chooses $\kappa_{j} \leftarrow_{\$} \mathcal{K}$ randomly.

Lemma 18. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Forge}] \le \Pr_{1,j''}[\mathsf{Forge}] + \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda)$.

Proof. For game $\mathrm{G}'_{1,j}$ and game $\mathrm{G}''_{1,j}$, the difference between them lies in the computation of $\kappa_{j}$ in the $j$-th encrypt query. In $\mathrm{G}'_{1,j}$, $\kappa_{j}$ is properly computed; in $\mathrm{G}''_{1,j}$, $\kappa_{j}$ is chosen from $\mathcal{K}$ uniformly.

We consider the information about the key $\mathrm{hk}$ that is used in $\mathrm{G}'_{1,j}$:

(i) For the $\ell$-th ($\ell \in [j-1]$) query, encrypt does not use $\mathrm{hk}$ at all, since $\kappa_{\ell}$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$-th ($\ell \in [j+1, Q_e]$) query, similar to the proof of Lemma 16, encrypt can use $\mathrm{pk} = \mu(\mathrm{hk})$ to compute $\kappa_{\ell}$.
(iii) For the $j$-th query, similar to the proof of Lemma 16, encrypt uses $\Lambda_{\mathrm{hk}}(C_{j}, t_{j})$ to compute $\kappa_{j}$:
$$\begin{aligned}
\kappa_{j} &= \Lambda_{a_{j} \cdot \mathrm{hk} + \mathbf{b}_{j}}(C_{j}, t_{j}), \qquad C_{j} \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V} \\
&= \big(\Lambda_{\mathrm{hk}}(C_{j}, t_{j})\big)^{a_{j}} \cdot \Lambda_{\mathbf{b}_{j}}(C_{j}, t_{j}) \qquad \text{via key-homomorphism.}
\end{aligned} \qquad (18)$$
(iv) The finalize procedure, which defines the event $\mathsf{Forge}$, uses $\Lambda_{\mathrm{hk}}(C^{*}, t^{*})$ to compute $\kappa^{*}$:
$$\begin{aligned}
\kappa^{*} &= \Lambda_{a^{*} \cdot \mathrm{hk} + \mathbf{b}^{*}}(C^{*}, t^{*}) \\
&= \big(\Lambda_{\mathrm{hk}}(C^{*}, t^{*})\big)^{a^{*}} \cdot \Lambda_{\mathbf{b}^{*}}(C^{*}, t^{*}) \qquad \text{via key-homomorphism.}
\end{aligned} \qquad (19)$$

We divide the event $\mathsf{Forge}$ into the following two subevents.

(i) Subevent $\mathsf{Forge} \wedge t_{j} \ne t^{*}$. Let us first consider the event $t_{j} \ne t^{*}$. We show that
$$\Pr_{1,j'}[t_{j} \ne t^{*}] = \Pr_{1,j''}[t_{j} \ne t^{*}]. \qquad (20)$$
By the fact that $C_{j} \in \mathcal{C} \setminus \mathcal{V}$ and by the universal$_2$ property of THPS, $\Lambda_{\mathrm{hk}}(C_{j}, t_{j})$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$. Then as long as $a_{j} \in \mathbb{Z}^{*}_{|\mathcal{K}|}$, $\kappa_{j} = (\Lambda_{\mathrm{hk}}(C_{j}, t_{j}))^{a_{j}} \cdot \Lambda_{\mathbf{b}_{j}}(C_{j}, t_{j})$ is also randomly distributed over $\mathcal{K}$. Hence $\mathrm{G}'_{1,j}$ is the same as $\mathrm{G}''_{1,j}$ before $\mathcal{A}$ queries finalize, and consequently $t_{j} \ne t^{*}$ occurs with the same probability in $\mathrm{G}'_{1,j}$ and $\mathrm{G}''_{1,j}$.

Next we consider the event $\mathsf{Forge}$ conditioned on $t_{j} \ne t^{*}$. We show that
$$\Pr_{1,j'}[\mathsf{Forge} \mid t_{j} \ne t^{*}] = \Pr_{1,j''}[\mathsf{Forge} \mid t_{j} \ne t^{*}]. \qquad (21)$$
Since $t_{j} \ne t^{*}$ and $C_{j} \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathrm{hk}}(C_{j}, t_{j})$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C^{*}, t^{*})$. With a similar argument, $\kappa_{j}$ is also randomly distributed over $\mathcal{K}$. Hence $\mathrm{G}'_{1,j}$ is the same as $\mathrm{G}''_{1,j}$ when $t_{j} \ne t^{*}$, and consequently the probability that $\mathsf{Forge}$ occurs in $\mathrm{G}'_{1,j}$ and $\mathrm{G}''_{1,j}$ conditioned on $t_{j} \ne t^{*}$ is the same.

In conclusion, we have that
$$\Pr_{1,j'}[\mathsf{Forge} \wedge t_{j} \ne t^{*}] = \Pr_{1,j''}[\mathsf{Forge} \wedge t_{j} \ne t^{*}] \le \Pr_{1,j''}[\mathsf{Forge}]. \qquad (22)$$

(ii) Subevent $\mathsf{Forge} \wedge t_{j} = t^{*}$. By the new rule added in game $\mathrm{G}_1$, $\mathsf{Forge} \wedge t_{j} = t^{*}$ will imply $(C_{j}, \mathrm{ai}_{j}) = (C^{*}, \mathrm{ai}^{*})$. In addition, $\mathsf{Forge} \wedge \mathrm{ai}_{j} = \mathrm{ai}^{*}$ will imply that $f_{j} = f^{*}$, due to the special rule in the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game (see Figure 4). Then it is straightforward to check that $\Lambda_{\mathrm{hk}}(C_{j}, t_{j}) = \Lambda_{\mathrm{hk}}(C^{*}, t^{*})$ and
$$\begin{aligned}
\kappa_{j} &= \big(\Lambda_{\mathrm{hk}}(C_{j}, t_{j})\big)^{a_{j}} \cdot \Lambda_{\mathbf{b}_{j}}(C_{j}, t_{j}) \\
&= \big(\Lambda_{\mathrm{hk}}(C^{*}, t^{*})\big)^{a^{*}} \cdot \Lambda_{\mathbf{b}^{*}}(C^{*}, t^{*}) = \kappa^{*}.
\end{aligned} \qquad (23)$$
Since $C_{j} \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathrm{hk}}(C_{j}, t_{j})$ $(= \Lambda_{\mathrm{hk}}(C^{*}, t^{*}))$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$. Then as long as $a_{j}$ (which equals $a^{*}$) $\in \mathbb{Z}^{*}_{|\mathcal{K}|}$, $\kappa_{j}$ (which equals $\kappa^{*}$) is also randomly distributed over $\mathcal{K}$. Also, in this subevent, $(\mathrm{ai}^{*}, f^{*}, C^{*}) = (\mathrm{ai}_{j}, f_{j}, C_{j})$ implies $\chi^{*} \ne \chi_{j}$; thus the probability of $\mathrm{AE.Decrypt}(\kappa^{*}, \chi^{*}) \ne \perp$ is bounded by $\mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda)$. So we have the following claim. We present the full description of the reduction in Appendix A.

Claim 19. One has $\Pr_{1,j'}[\mathsf{Forge} \wedge t_{j} = t^{*}] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda)$.

Combining the above two subevents together, Lemma 18 follows.

Now we show that game $\mathrm{G}''_{1,j}$ is computationally indistinguishable from game $\mathrm{G}_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $\mathrm{G}''_{1,j}$ and $\mathrm{G}_{1,j+1}$ lies in the distribution of $C_{j}$ in the $j$-th encrypt query. In game $\mathrm{G}''_{1,j}$, $C_{j}$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $\mathrm{G}_{1,j+1}$, $C_{j}$ is uniformly chosen from $\mathcal{V}$. Similar to Lemma 17, any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS, thus we have that $|\Pr_{1,j''}[\mathsf{Forge}] - \Pr_{1,j+1}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.

Finally, in game $\mathrm{G}_{1,Q_e+1}$, note that the challenger does not use $\mathrm{hk}$ to compute $\kappa_{\ell}$ at all; thus $\mathrm{hk}$ is uniformly random to $\mathcal{A}$. Consequently, in the finalize procedure we have
$$\kappa^{*} = \big(\Lambda_{\mathrm{hk}}(C^{*}, t^{*})\big)^{a^{*}} \cdot \Lambda_{\mathbf{b}^{*}}(C^{*}, t^{*}). \qquad (24)$$
By the extracting property of THPS, $\Lambda_{\mathrm{hk}}(C^{*}, t^{*})$ is uniformly random over $\mathcal{K}$. Therefore, as long as $a^{*} \in \mathbb{Z}^{*}_{|\mathcal{K}|}$, $\kappa^{*}$ is uniformly random over $\mathcal{K}$ as well. Hence the probability of $\mathrm{AE.Decrypt}(\kappa^{*}, \chi^{*}) \ne \perp$ is bounded by $\mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda)$, and we have $\Pr_{1,Q_e+1}[\mathsf{Forge}] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda)$.

In all, we proved the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security).

Remark 20. We emphasize that the special rule in the weak-INT-$\mathcal{F}$-RKA game (cf. Figure 4) plays an essential role in proving Lemma 18. Below is the reason.

Without this special rule, the adversary is allowed to submit $f^{*}$ $(= \langle a^{*}, \mathbf{b}^{*} \rangle)$ which is different from $f_{j}$ $(= \langle a_{j}, \mathbf{b}_{j} \rangle)$ even if $\mathrm{ai}^{*} = \mathrm{ai}_{j}$ holds. In this case we cannot expect to employ the INT-OT security of the underlying AE scheme to show that the second subevent ($\mathsf{Forge} \wedge t_{j} = t^{*}$) occurs with only a negligible probability. To demonstrate the problem clearly, suppose that the adversary $\mathcal{A}$ submits $f_{j} = \langle a_{j}, \mathbf{b}_{j} \rangle$ in the $j$-th encrypt query and submits $f^{*} = \langle a^{*}, \mathbf{b}^{*} \rangle = \langle a_{j}, \mathbf{b}_{j} + \Delta \rangle$ in the finalize procedure, where $\Delta$ is a constant. Then we have
$$\begin{aligned}
\kappa^{*} &= \big(\Lambda_{\mathrm{hk}}(C_{j}, t_{j})\big)^{a_{j}} \cdot \Lambda_{\mathbf{b}_{j} + \Delta}(C_{j}, t_{j}) \\
&= \big(\Lambda_{\mathrm{hk}}(C_{j}, t_{j})\big)^{a_{j}} \cdot \Lambda_{\mathbf{b}_{j}}(C_{j}, t_{j}) \cdot \Lambda_{\Delta}(C_{j}, t_{j}) \\
&= \kappa_{j} \cdot \Lambda_{\Delta}(C_{j}, t_{j}),
\end{aligned} \qquad (25)$$
where the second equality follows from the key-homomorphism of THPS. Thus $\kappa^{*}$ and $\kappa_{j}$ are closely related but may not be equal; in particular, the quotient $\kappa^{*}/\kappa_{j}$ $(= \Lambda_{\Delta}(C_{j}, t_{j}))$ is a constant.

Consequently, it is hard for us to show that the subevent $\mathsf{Forge} \wedge t_{j} = t^{*}$ occurs with a negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary $\mathcal{A}$, who obtains $\chi_{j} \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_{j}, m_{j})$ in the $j$-th encrypt query, to generate an AE-ciphertext $\chi^{*}$ satisfying $\mathrm{AE.Decrypt}(\kappa^{*}, \chi^{*})$ $(= \mathrm{AE.Decrypt}(\kappa_{j} \cdot \Lambda_{\Delta}(C_{j}, t_{j}), \chi^{*}))$ $\ne \perp$, it seems that INT-RKA security of AE is required to some extent. We definitely cannot require INT-RKA security for the underlying AE scheme, since we are constructing a (weak) INT-RKA secure (AI)AE scheme AIAE. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT-$\mathcal{F}$-RKA game.

3.3. Tag-Based HPS from the DDH Assumption. Qin et al. [19] gave a construction of tag-based HPS from the $d$-LIN assumption. Here we construct a key-homomorphic $\mathrm{THPS}_{\mathrm{DDH}}$ under the DDH assumption in Figure 6. With a routine check, the projective property of $\mathrm{THPS}_{\mathrm{DDH}}$ follows.
Theorem 21. $\mathrm{THPS}_{\mathrm{DDH}}$ in Figure 6 is universal$_2$, extracting and key-homomorphic. Moreover, the subset membership problem related to $\mathrm{THPS}_{\mathrm{DDH}}$ is hard under the DDH assumption for $\mathrm{GenN}$ and $\mathrm{QR}_{\bar{N}}$.

Figure 6: Construction of $\mathrm{THPS}_{\mathrm{DDH}}$.

$\mathrm{pars}_{\mathrm{THPS}} \leftarrow_{\$} \mathrm{THPS.Setup}(1^{\lambda})$: $(p, q, N, \bar{N}) \leftarrow_{\$} \mathrm{GenN}(1^{\lambda})$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar{N} = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_{\$} \mathrm{QR}_{\bar{N}}$. Output $\mathrm{pars}_{\mathrm{THPS}} = (\bar{N}, p, q, N, g_1, g_2)$, which implicitly defines $(\mathcal{C}, \mathcal{V}, \mathcal{K}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}, \Lambda_{(\cdot)}, \mu)$:
$\mathcal{C} = \mathrm{QR}^{2}_{\bar{N}} \setminus \{(1,1)\}$, $\mathcal{V} = \{(g_1^{w}, g_2^{w}) \mid w \in \mathbb{Z}_N \setminus \{0\}\} \subseteq \mathrm{QR}^{2}_{\bar{N}}$, $\mathcal{K} = \mathrm{QR}_{\bar{N}}$, $\mathcal{T} = \mathbb{Z}_N$, $\mathcal{HK} = (\mathbb{Z}_N)^{4}$, $\mathcal{PK} = \mathrm{QR}^{2}_{\bar{N}}$.
For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$, $C = (c_1, c_2) \in \mathcal{C}$, $t \in \mathcal{T}$: $\Lambda_{\mathrm{hk}}(C, t) = c_1^{k_1 + k_3 t} \, c_2^{k_2 + k_4 t} \in \mathcal{K}$.
For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$: $\mathrm{pk} = \mu(\mathrm{hk}) = (g_1^{k_1} g_2^{k_2}, \, g_1^{k_3} g_2^{k_4}) \in \mathcal{PK}$.

$K \leftarrow \mathrm{THPS.Pub}(\mathrm{pk}, C, w, t)$: Parse $\mathrm{pk} = (h_1, h_2) \in \mathcal{PK}$. Output $K = h_1^{w} \, h_2^{wt}$.

$K \leftarrow \mathrm{THPS.Priv}(\mathrm{hk}, C, t)$: Parse $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$ and $C = (c_1, c_2) \in \mathcal{C}$. Output $K = c_1^{k_1 + k_3 t} \, c_2^{k_2 + k_4 t}$.

Proof of Theorem 21. Universal$_2$. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, $C' = (g_1^{w'_1}, g_2^{w'_2}) \in \mathcal{C} \setminus \mathcal{V}$, and $t, t' \in \mathcal{T}$ with $t \ne t'$. For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \leftarrow_{\$} (\mathbb{Z}_N)^{4}$, we analyze the distribution of $\Lambda_{\mathrm{hk}}(C', t')$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C, t)$.
Denote $d := \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$. Firstly, $\mathrm{pk} = \mu(\mathrm{hk}) = (g_1^{k_1} g_2^{k_2}, \, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + d k_2}, \, g_1^{k_3 + d k_4})$, which may leak the values of $k_1 + d k_2$ and $k_3 + d k_4$.

Next,
$$\Lambda_{\mathrm{hk}}(C, t) = \big(g_1^{w_1}\big)^{k_1 + k_3 t} \cdot \big(g_2^{w_2}\big)^{k_2 + k_4 t} = g_1^{\overbrace{(w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)}^{\triangleq X}}, \qquad (26)$$
which may further leak the value of $X$. Similarly,
$$\Lambda_{\mathrm{hk}}(C', t') = \big(g_1^{w'_1}\big)^{k_1 + k_3 t'} \cdot \big(g_2^{w'_2}\big)^{k_2 + k_4 t'} = g_1^{\overbrace{(w'_1 k_1 + w'_2 d k_2) + t' \cdot (w'_1 k_3 + w'_2 d k_4)}^{\triangleq Y}}. \qquad (27)$$

By the fact that $C' = (g_1^{w'_1}, g_2^{w'_2}) \notin \mathcal{V}$, we have $w'_1 \ne w'_2$. Then as long as $t \ne t'$, $Y$ is independent of $k_1 + d k_2$, $k_3 + d k_4$ and $X$, and consequently $Y$ is uniformly distributed over $\mathbb{Z}_N$. Therefore, conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C, t)$, $\Lambda_{\mathrm{hk}}(C', t')$ $(= g_1^{Y})$ is randomly distributed over $\mathcal{K} = \mathrm{QR}_{\bar{N}}$.

Extracting. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$ and $t \in \mathcal{T}$. For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \leftarrow_{\$} (\mathbb{Z}_N)^{4}$, we analyze the distribution of $\Lambda_{\mathrm{hk}}(C, t)$.

By (26), $\Lambda_{\mathrm{hk}}(C, t) = g_1^{X}$ with $X = (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)$. Since $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, we have $(w_1, w_2) \ne (0, 0)$. Then when $(k_1, k_2, k_3, k_4)$ is randomly chosen from $(\mathbb{Z}_N)^{4}$, $X$ is uniformly distributed over $\mathbb{Z}_N$. Consequently, $\Lambda_{\mathrm{hk}}(C, t)$ is randomly distributed over $\mathcal{K} = \mathrm{QR}_{\bar{N}}$.

Key-Homomorphism. For all $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^{4}$, all $a \in \mathbb{Z}$, all $\mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^{4}$, all $C = (c_1, c_2) \in \mathcal{C}$ and all $t \in \mathcal{T}$, we have $a \cdot \mathrm{hk} + \mathbf{b} = a \cdot (k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) = (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4)$. Then it follows that
$$\begin{aligned}
\Lambda_{a \cdot \mathrm{hk} + \mathbf{b}}(C, t) &= c_1^{(a k_1 + b_1) + (a k_3 + b_3) t} \cdot c_2^{(a k_2 + b_2) + (a k_4 + b_4) t} \\
&= \big(c_1^{k_1 + k_3 t} \, c_2^{k_2 + k_4 t}\big)^{a} \cdot \big(c_1^{b_1 + b_3 t} \, c_2^{b_2 + b_4 t}\big) \\
&= \Lambda_{\mathrm{hk}}(C, t)^{a} \cdot \Lambda_{\mathbf{b}}(C, t).
\end{aligned} \qquad (28)$$

Subset Membership Problem. The subset membership problem related to $\mathrm{THPS}_{\mathrm{DDH}}$ requires that $(\mathrm{pars}_{\mathrm{THPS}} = (\bar{N}, p, q, N, g_1, g_2), \, C = (g_1^{w}, g_2^{w}))$ is computationally indistinguishable from $(\mathrm{pars}_{\mathrm{THPS}} = (\bar{N}, p, q, N, g_1, g_2), \, C' = (g_1^{w_1}, g_2^{w_2}))$, where $C \leftarrow_{\$} \mathcal{V}$ and $C' \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$. It trivially holds under the DDH assumption for $\mathrm{GenN}$ and $\mathrm{QR}_{\bar{N}}$.
3.4. Instantiation $\mathrm{AIAE}_{\mathrm{DDH}}$ from DDH-Based $\mathrm{THPS}_{\mathrm{DDH}}$ and OT-Secure AE. When plugging $\mathrm{THPS}_{\mathrm{DDH}}$ (cf. Figure 6) into the paradigm in Figure 5, we immediately obtain an AIAE scheme $\mathrm{AIAE}_{\mathrm{DDH}}$ under the DDH assumption, as shown in Figure 7. The key space is $\mathcal{K}_{\mathrm{AIAE}} = (\mathbb{Z}_N)^{4}$.

By combining Theorem 15 with Theorem 21, we have the following corollary regarding the RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$.

Corollary 22. If (i) the DDH assumption holds for $\mathrm{GenN}$ and $\mathrm{QR}_{\bar{N}}$, (ii) AE is one-time secure, and (iii) $\mathcal{H}$ is collision-resistant, then the scheme $\mathrm{AIAE}_{\mathrm{DDH}}$ in Figure 7 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here
$$\mathcal{F}_{\mathrm{raff}} := \big\{ f_{(a,\mathbf{b})} : (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^{4} \mapsto (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4) \in (\mathbb{Z}_N)^{4} \;\big|\; a \in \mathbb{Z}^{*}_{N},\ \mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^{4} \big\}.$$

Remark 23. Our $\mathrm{AIAE}_{\mathrm{DDH}}$ enjoys the following property: $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$ will be randomly distributed over $\mathrm{QR}_{\bar{N}}$ as long as any element $k_j$ in $\mathbf{k} = (k_1, k_2, k_3, k_4)$ is uniformly chosen. As a result, the one-time security of AE will guarantee that $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) = \perp$ holds for any $(\mathrm{aiaec}, \mathrm{ai})$ except with probability $\mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda) \le \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. This fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.

Figure 7: Construction of $\mathrm{AIAE}_{\mathrm{DDH}}$ from AE and $\mathrm{THPS}_{\mathrm{DDH}}$.

$\mathrm{pars}_{\mathrm{AIAE}} \leftarrow_{\$} \mathrm{AIAE.ParGen}(1^{\lambda})$: $(p, q, N, \bar{N}) \leftarrow_{\$} \mathrm{GenN}(1^{\lambda})$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar{N} = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_{\$} \mathrm{QR}_{\bar{N}}$; $\mathrm{pars}_{\mathrm{AE}} \leftarrow_{\$} \mathrm{AE.ParGen}(1^{\lambda})$; $H \leftarrow_{\$} \mathcal{H}$. Output $\mathrm{pars}_{\mathrm{AIAE}} = (\bar{N}, p, q, N, g_1, g_2, \mathrm{pars}_{\mathrm{AE}}, H)$.

$\mathrm{AIAE.Encrypt}(\mathbf{k}, m, \mathrm{ai})$: Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^{4}$; $w \leftarrow_{\$} \mathbb{Z}_N \setminus \{0\}$; $(c_1, c_2) = (g_1^{w}, g_2^{w}) \in \mathrm{QR}^{2}_{\bar{N}}$; $t = H(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathrm{QR}_{\bar{N}}$; $\chi \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa, m)$. Output $\langle c_1, c_2, \chi \rangle$.

$\mathrm{AIAE.Decrypt}(\mathbf{k}, \langle c_1, c_2, \chi \rangle, \mathrm{ai})$: Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^{4}$. If $(c_1, c_2) \notin \mathrm{QR}^{2}_{\bar{N}}$ or $(c_1, c_2) = (1, 1)$, output $\perp$. $t = H(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathrm{QR}_{\bar{N}}$. Output $\mathrm{AE.Decrypt}(\kappa, \chi)$.
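To make Sections 3.2 to 3.4 concrete, the following is an added Python example (not the authors' code) that implements $\mathrm{THPS}_{\mathrm{DDH}}$ of Figure 6 and $\mathrm{AIAE}_{\mathrm{DDH}}$ of Figure 7 over constructed toy parameters ($p = 7$, $q = 47$, so $N = 329$ and $\bar{N} = 659$ is prime), far too small to be secure. The AE ingredient is a stand-in one-time AE built from SHA-256 and HMAC, the KDF from the group element $\kappa$ to AE keys, the hash $H$ reduced into $\mathbb{Z}_N$ and all function names are this example's own assumptions. Besides encryption and decryption under a related key $a \cdot \mathrm{hk} + \mathbf{b}$, it checks the projective property and the key-homomorphism of equation (28), which the proofs above rely on, and shows that a mauled ciphertext or a ciphertext outside $\mathcal{C}$ is rejected.

```python
import hashlib
import hmac
import random

# Constructed toy parameters, for illustration only (far too small to be secure):
# p = 7 and q = 47 are safe primes, N = pq = 329, N̄ = 2N + 1 = 659 is prime,
# so QR_N̄ is a cyclic group of order N, exactly the setting of Figure 6.
P, Q = 7, 47
N = P * Q
NBAR = 2 * N + 1
rng = random.Random(2017)  # deterministic sampling for the demo


def is_qr(x):
    """Euler criterion: x in QR_N̄ iff x^N = 1 mod N̄ (N̄ is prime, so 0 < x < N̄ is a unit)."""
    return 0 < x < NBAR and pow(x, N, NBAR) == 1


def sample_qr():
    """An element of QR_N̄ other than 1 (THPS.Setup's choice of g1, g2)."""
    while True:
        x = pow(rng.randrange(1, NBAR), 2, NBAR)
        if x != 1:
            return x


G1, G2 = sample_qr(), sample_qr()  # pars_THPS = (N̄, N, g1, g2); p, q not needed below


def thps_priv(hk, C, t):
    """Λ_hk(C, t) = c1^(k1 + k3 t) · c2^(k2 + k4 t) in QR_N̄ (THPS.Priv)."""
    k1, k2, k3, k4 = hk
    c1, c2 = C
    return pow(c1, (k1 + k3 * t) % N, NBAR) * pow(c2, (k2 + k4 * t) % N, NBAR) % NBAR


def thps_mu(hk):
    """pk = μ(hk) = (g1^k1 g2^k2, g1^k3 g2^k4)."""
    k1, k2, k3, k4 = hk
    return (pow(G1, k1, NBAR) * pow(G2, k2, NBAR) % NBAR,
            pow(G1, k3, NBAR) * pow(G2, k4, NBAR) % NBAR)


def thps_pub(pk, w, t):
    """THPS.Pub(pk, C, w, t) = h1^w · h2^(w t); needs only the witness w of C."""
    h1, h2 = pk
    return pow(h1, w, NBAR) * pow(h2, (w * t) % N, NBAR) % NBAR


def sample_v():
    """C = (g1^w, g2^w) sampled from V together with its witness w in Z_N \\ {0}."""
    w = rng.randrange(1, N)
    return (pow(G1, w, NBAR), pow(G2, w, NBAR)), w


def affine_key(a, b, hk):
    """The restricted affine RKA function f_(a,b): hk -> a·hk + b over (Z_N)^4."""
    return tuple((a * k + bi) % N for k, bi in zip(hk, b))


def key_homomorphic_ok(hk, a, b):
    """Equation (28): Λ_{a·hk+b}(C,t) == Λ_hk(C,t)^a · Λ_b(C,t) for a fresh C and t."""
    C, _ = sample_v()
    t = rng.randrange(N)
    rhs = pow(thps_priv(hk, C, t), a, NBAR) * thps_priv(b, C, t) % NBAR
    return thps_priv(affine_key(a, b, hk), C, t) == rhs


# Stand-in one-time AE (assumption: any one-time secure AE serves as the AE ingredient).
# Keys are derived from κ; encryption is a SHA-256 keystream XOR, then an HMAC tag.
def _ae_keys(kappa):
    seed = hashlib.sha256(b"AIAE-demo-kdf|" + str(kappa).encode()).digest()
    return seed[:16], seed[16:]


def _keystream(ke, n):
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(ke + i.to_bytes(4, "big")).digest() for i in range(blocks))[:n]


def ae_encrypt(kappa, m):
    ke, km = _ae_keys(kappa)
    ct = bytes(x ^ y for x, y in zip(m, _keystream(ke, len(m))))
    return ct + hmac.new(km, ct, hashlib.sha256).digest()


def ae_decrypt(kappa, chi):
    if len(chi) < 32:
        return None
    ct, tag = chi[:-32], chi[-32:]
    ke, km = _ae_keys(kappa)
    if not hmac.compare_digest(tag, hmac.new(km, ct, hashlib.sha256).digest()):
        return None  # ⊥: the integrity check failed
    return bytes(x ^ y for x, y in zip(ct, _keystream(ke, len(ct))))


def H(c1, c2, ai):
    """Hash into the tag space T = Z_N (SHA-256 reduced mod N; toy-sized, assumption)."""
    return int.from_bytes(hashlib.sha256(f"{c1}|{c2}|".encode() + ai).digest(), "big") % N


def aiae_encrypt(k, m, ai):
    """AIAE.Encrypt of Figure 7: C from V, t = H(C, ai), κ = Λ_k(C, t), χ = AE.Encrypt(κ, m)."""
    C, _w = sample_v()
    t = H(C[0], C[1], ai)
    return (C[0], C[1], ae_encrypt(thps_priv(k, C, t), m))


def aiae_decrypt(k, aiaec, ai):
    """AIAE.Decrypt of Figure 7; returns None for ⊥."""
    c1, c2, chi = aiaec
    if not (is_qr(c1) and is_qr(c2)) or (c1, c2) == (1, 1):
        return None  # C is outside the language C = QR_N̄^2 \ {(1,1)}
    t = H(c1, c2, ai)  # the tag binds the auxiliary input to the ciphertext
    return ae_decrypt(thps_priv(k, (c1, c2), t), chi)
```

The key-homomorphism check is the property that lets the proofs rewrite $\Lambda_{a \cdot \mathrm{hk} + \mathbf{b}}(C, t)$ as $\Lambda_{\mathrm{hk}}(C, t)^{a} \cdot \Lambda_{\mathbf{b}}(C, t)$, and the projective check (Pub with the witness equals Priv with $\mathrm{hk}$) is what allows the simulator of Lemma 16 to answer queries from $\mathrm{pk}$ alone. In this toy group a different auxiliary input changes the tag $t$ and hence, except with small probability, the key $\kappa$, so decryption fails at the AE tag check; with a real-sized $N$ that probability is negligible.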
4. PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security

Denote by $\mathrm{AIAE}_{\mathrm{DDH}} = (\mathrm{AIAE.ParGen}, \mathrm{AIAE.Encrypt}, \mathrm{AIAE.Decrypt})$ the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^{4}$. We need two other building blocks following the approach in Figure 1:

KEM: to be compatible with this $\mathrm{AIAE}_{\mathrm{DDH}}$, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^{4}$.

$\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$, so that after a computationally indistinguishable change, $\mathcal{E}.\mathrm{Encrypt}$ can serve as an entropy filter for the affine function set.

The proposed PKE scheme $\mathrm{PKE} = (\mathrm{ParGen}, \mathrm{KeyGen}, \mathrm{Encrypt}, \mathrm{Decrypt})$ is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.

The correctness of PKE is guaranteed by the correctness of $\mathrm{AIAE}_{\mathrm{DDH}}$, $\mathcal{E}$ and KEM.

Theorem 24. If (i) the DCR assumption holds for $\mathrm{GenN}$ and $\mathrm{QR}_{N^{s}}$, (ii) $\mathrm{AIAE}_{\mathrm{DDH}}$ is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for $\mathrm{GenN}$ and $\mathrm{SCR}_{N^{s}}$, then the proposed scheme PKE in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.

Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary who is against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, querying the encrypt oracle for at most $Q_e$ times and the decrypt oracle for at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.

In the proof, $\mathrm{G}_1$-$\mathrm{G}_2$ deal with the $n$-user case; $\mathrm{G}_3$-$\mathrm{G}_4$ are used to eliminate the utilization of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^{4}$ in the encrypt oracle; the aim of $\mathrm{G}_5$-$\mathrm{G}_6$ is to use $(x_j, y_j)_{j=1}^{4} \bmod N$ to hide a base key $\mathbf{k}^{*} = (k^{*}_1, \ldots, k^{*}_4)$ of $\mathrm{AIAE}_{\mathrm{DDH}}$ in the encrypt oracle; $\mathrm{G}_7$-$\mathrm{G}_8$ are used to eliminate the utilization of $(x_j, y_j)_{j=1}^{4} \bmod N$ in the decrypt oracle; in $\mathrm{G}_9$-$\mathrm{G}_{10}$, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$ leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^{*} = (k^{*}_1, \ldots, k^{*}_4)$ is now concealed by $(x_j, y_j)_{j=1}^{4} \bmod N$ perfectly.

Game $\mathrm{G}_0$. It is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta' = \beta$ by $\mathsf{Succ}$. According to the definition, $\mathrm{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathrm{PKE},\mathcal{A}}(\lambda) = |\Pr_0[\mathsf{Succ}] - \tfrac{1}{2}|$.

For the $i$-th user, $i \in [n]$, let $\mathrm{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ and $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key, respectively.

Game $\mathrm{G}_1$. It is identical to $\mathrm{G}_0$ except for the way of answering the decrypt query $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$. More precisely, the challenger outputs $\perp$ if $\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_{\ell}, \mathrm{aiaec}_{\ell} \rangle$ for some $\ell \in [Q_e]$, where $\langle \mathrm{ai}_{\ell}, \mathrm{aiaec}_{\ell} \rangle$ is the challenge ciphertext of the $\ell$-th encrypt oracle query $(f_{\ell}, i_{\ell})$.

Case 1 ($(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i) = (\langle \mathrm{ai}_{\ell}, \mathrm{aiaec}_{\ell} \rangle, i_{\ell})$). decrypt will output $\perp$ in $\mathrm{G}_0$, since $(\langle \mathrm{ai}_{\ell}, \mathrm{aiaec}_{\ell} \rangle, i_{\ell}) \in \mathcal{Q}_{\mathrm{ENC}}$ is prohibited by decrypt.

Case 2 ($\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_{\ell}, \mathrm{aiaec}_{\ell} \rangle$ but $i \ne i_{\ell}$). We show that in $\mathrm{G}_0$, decrypt will output $\perp$ due to $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathrm{RU}_{N^{2}}$ with overwhelming probability. Recall that $u_{\ell,1} = g_1^{r_{\ell}}$, $u_{\ell,2} = g_2^{r_{\ell}}$, $e_{\ell,1} = h_{i_{\ell},1}^{r_{\ell}} T^{k_{\ell,1}}$, so
$$e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} = h_{i_{\ell},1}^{r_{\ell}} T^{k_{\ell,1}} \cdot \big(g_1^{r_{\ell}}\big)^{x_{i,1}} \big(g_2^{r_{\ell}}\big)^{y_{i,1}} = \big(h_{i_{\ell},1} h_{i,1}^{-1}\big)^{r_{\ell}} T^{k_{\ell,1}} \bmod N^{2}, \qquad (29)$$
where $h_{i_{\ell},1}$ and $h_{i,1}$ are parts of the public keys of the $i_{\ell}$-th user and the $i$-th user respectively, and are uniformly random over $\mathrm{SCR}_{N^{s}}$.
14 Security and Communication Networks
Figure 8 (algorithm listing recovered from the figure layout):

ParGen($1^\lambda$): $\mathsf{pars}_{\mathrm{AIAE}} = (N, p, q, \bar N, \mathsf{pars}_{\mathrm{AE}}, H) \gets_\$ \mathrm{AIAE.ParGen}(1^\lambda)$, where $N = pq$, $\bar N = 2N + 1$ and $g_1, g_2 \in \mathsf{QR}_{\bar N}$; set $\mathsf{pars}'_{\mathrm{AIAE}} = (N, \bar N, g_1, g_2, \mathsf{pars}_{\mathrm{AE}}, H)$; pick $g_1, \dots, g_5 \gets_\$ \mathsf{SCR}_{N^s}$; output $\mathsf{pars} = (\mathsf{pars}'_{\mathrm{AIAE}}, g_1, \dots, g_5)$.

KeyGen($\mathsf{pars}$): $x_1, y_1, \dots, x_4, y_4 \gets_\$ [\lfloor N^2/4 \rfloor]$; $(h_1, h_2, h_3, h_4) = (g_1^{-x_1} g_2^{-y_1},\ g_2^{-x_2} g_3^{-y_2},\ g_3^{-x_3} g_4^{-y_3},\ g_4^{-x_4} g_5^{-y_4}) \bmod N^s$; $\mathsf{pk} = (h_1, h_2, h_3, h_4)$, $\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4)$; output $(\mathsf{pk}, \mathsf{sk})$.

Encrypt($\mathsf{pk}, m$): $(\mathbf{k}, \mathsf{ai}) \gets_\$ \mathrm{KEM.Encrypt}(\mathsf{pk})$; $\mathsf{Ec} \gets_\$ \mathcal{E}.\mathrm{Encrypt}(\mathsf{pk}, m)$; $\mathsf{aiaec} \gets_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}, \mathsf{Ec}, \mathsf{ai})$; output $\langle \mathsf{ai}, \mathsf{aiaec} \rangle$.
  KEM.Encrypt($\mathsf{pk}$): $r \gets_\$ [\lfloor N/4 \rfloor]$; $\mathbf{k} = (k_1, \dots, k_4) \gets_\$ (\mathbb{Z}_N)^4$; $(u_1, \dots, u_5) = (g_1^r, \dots, g_5^r) \bmod N^2$; $(e_1, \dots, e_4) = (h_1^r T^{k_1}, \dots, h_4^r T^{k_4}) \bmod N^2$; $\mathsf{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$.
  $\mathcal{E}$.Encrypt($\mathsf{pk}, m$) for $m \in [N^{s-1}]$: $r_1, \dots, r_4 \gets_\$ [\lfloor N/4 \rfloor]$; $(\tilde u_1, \dots, \tilde u_8) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$; $\tilde e = h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^m \bmod N^s$; $t = g_1^m \bmod N$; $\mathsf{Ec} = (\tilde u_1, \dots, \tilde u_8, \tilde e, t)$.

Decrypt($\mathsf{sk}, \langle \mathsf{ai}, \mathsf{aiaec} \rangle$): $\mathbf{k}/\bot \leftarrow \mathrm{KEM.Decrypt}(\mathsf{sk}, \mathsf{ai})$; $\mathsf{Ec}/\bot \leftarrow \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai})$; $m/\bot \leftarrow \mathcal{E}.\mathrm{Decrypt}(\mathsf{sk}, \mathsf{Ec})$.
  KEM.Decrypt($\mathsf{sk}, \mathsf{ai}$): parse $\mathsf{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$; if $e_1 u_1^{x_1} u_2^{y_1}, \dots, e_4 u_4^{x_4} u_5^{y_4} \in \mathsf{RU}_{N^2}$, then $\mathbf{k} = (k_1, \dots, k_4) = \big( d\log_T(e_1 u_1^{x_1} u_2^{y_1}), \dots, d\log_T(e_4 u_4^{x_4} u_5^{y_4}) \big) \bmod N$; else output $\bot$.
  $\mathcal{E}$.Decrypt($\mathsf{sk}, \mathsf{Ec}$): parse $\mathsf{Ec} = (\tilde u_1, \dots, \tilde u_8, \tilde e, t)$; if $\tilde e\, \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4} \in \mathsf{RU}_{N^s}$, then $m = d\log_T(\tilde e\, \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4}) \bmod N^{s-1}$, and if $t = g_1^m \bmod N$ output $m$; else output $\bot$.

Figure 8: Construction of PKE from $\mathrm{AIAE}_{\mathrm{DDH}}$. The shadowed parts highlight the algorithms of KEM and $\mathcal{E}$. Here $p, q$ in $\mathsf{pars}_{\mathrm{AIAE}}$ are not provided in $\mathsf{pars}'_{\mathrm{AIAE}}$, since they are not used in AIAE.Encrypt and AIAE.Decrypt of $\mathrm{AIAE}_{\mathrm{DDH}}$.
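A toy implementation of the KEM part of Figure 8 (with $s = 2$), added here as an example; it is not the authors' code. It assumes the constructed safe primes 11 and 47 as $N = pq$, and besides the real KEM.Decrypt it also runs the $\phi(N)$-based decryption of game G7, eq. (38), together with the rejection rule added in G8, on an honest ciphertext and on a constructed malformed one whose $u_1$ carries a $T$-component.

```python
import random
from math import gcd

# Constructed toy parameters: safe primes 11 = 2*5+1 and 47 = 2*23+1 (hypothetical and
# far too small for real use; they only make the algebra of Figure 8 checkable).
P, Q = 11, 47
N = P * Q                 # 517
N2 = N * N                # the KEM works in Z*_{N^2} (s = 2)
T = 1 + N                 # T generates RU_{N^2} = {T^k mod N^2 : k in Z_N}
PHI = (P - 1) * (Q - 1)   # phi(N) = 460, invertible mod N since gcd(phi(N), N) = 1

def dlog_T(v):
    """Discrete log base T of an element of RU_{N^2}, using T^k = 1 + kN mod N^2."""
    if v % N != 1:
        raise 사ValueError("element is not in RU_{N^2}")
    return ((v - 1) // N) % N

def sample_scr(rng):
    """Random 2N-th residue (an element of SCR_{N^2}) other than the identity."""
    while True:
        a = rng.randrange(2, N2)
        if gcd(a, N) == 1 and pow(a, 2 * N, N2) != 1:
            return pow(a, 2 * N, N2)

def par_gen(rng):
    """The (g_1, ..., g_5) part of ParGen in Figure 8."""
    return [sample_scr(rng) for _ in range(5)]

def key_gen(pars, rng):
    """KeyGen: h_j = g_j^{-x_j} g_{j+1}^{-y_j} mod N^2; pk = (h_1..h_4), sk = (x, y)."""
    x = [rng.randrange(N2 // 4) for _ in range(4)]
    y = [rng.randrange(N2 // 4) for _ in range(4)]
    h = [pow(pars[j], -x[j], N2) * pow(pars[j + 1], -y[j], N2) % N2 for j in range(4)]
    return h, (x, y)

def kem_encrypt(pars, pk, rng):
    """KEM.Encrypt: u_j = g_j^r, e_j = h_j^r T^{k_j} mod N^2; returns (k, ai)."""
    r = rng.randrange(N // 4)
    k = [rng.randrange(N) for _ in range(4)]
    u = [pow(g, r, N2) for g in pars]
    e = [pow(pk[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return k, (u, e)

def kem_decrypt(sk, ai):
    """KEM.Decrypt of Figure 8: k_j = dlog_T(e_j u_j^{x_j} u_{j+1}^{y_j}); None means ⊥."""
    x, y = sk
    u, e = ai
    k = []
    for j in range(4):
        v = e[j] * pow(u[j], x[j], N2) * pow(u[j + 1], y[j], N2) % N2
        if v % N != 1:           # product not in RU_{N^2}
            return None
        k.append(dlog_T(v))
    return k

def t_components(ai):
    """Eq. (38): alpha'_j = dlog_T(u_j^phi(N))/phi(N), gamma'_j = dlog_T(e_j^phi(N))/phi(N)
    mod N.  Raising to phi(N) kills the SCR_{N^2} part of any element of Z*_{N^2},
    so alpha'_j is exactly the T-component hidden in u_j (0 for an honest u_j)."""
    u, e = ai
    inv_phi = pow(PHI, -1, N)
    alpha = [dlog_T(pow(uj, PHI, N2)) * inv_phi % N for uj in u]
    gamma = [dlog_T(pow(ej, PHI, N2)) * inv_phi % N for ej in e]
    return alpha, gamma

def kem_decrypt_with_phi(sk, ai):
    """Game G7 decryption, eq. (38): k_j = alpha'_j x_j + alpha'_{j+1} y_j + gamma'_j.
    By eq. (41) this agrees with kem_decrypt for every ai, honest or not."""
    x, y = sk
    alpha, gamma = t_components(ai)
    return [(alpha[j] * x[j] + alpha[j + 1] * y[j] + gamma[j]) % N for j in range(4)]

def g8_rejects(ai):
    """The rule added in game G8: reject if some alpha'_j != 0 (some u_j outside SCR_{N^2})."""
    alpha, _ = t_components(ai)
    return any(a != 0 for a in alpha)

def shift_u1(ai, a):
    """Constructed malformed ai: u_1 replaced by u_1 * T^a, which no honest encryptor
    produces (the Bad' situation of the proof)."""
    u, e = ai
    return ([u[0] * pow(T, a, N2) % N2] + u[1:], e)

def demo(seed=2017):
    """Run the checks discussed above and return the outcomes by name."""
    rng = random.Random(seed)
    pars = par_gen(rng)
    pk, sk = key_gen(pars, rng)
    k, ai = kem_encrypt(pars, pk, rng)
    bad = shift_u1(ai, 5)
    x, _ = sk
    return {
        "honest_decrypts": kem_decrypt(sk, ai) == k == kem_decrypt_with_phi(sk, ai),
        "honest_rejected_by_g8": g8_rejects(ai),
        "bad_rejected_by_g8": g8_rejects(bad),
        # without the G8 rule the malformed ai still decapsulates, but to a key
        # shifted by 5*x_1 mod N, i.e. one that depends on the secret key
        "bad_k1_shifted": kem_decrypt(sk, bad)[0] == (k[0] + 5 * x[0]) % N,
        "bad_matches_eq41": kem_decrypt(sk, bad) == kem_decrypt_with_phi(sk, bad),
    }
```

Running `demo()` shows that the real decryption and the $\phi(N)$-based one of G7 agree on both inputs, while only the G8 rule notices that the malformed $u_1$ is outside $\mathsf{SCR}_{N^2}$.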
So $h_{i_\ell,1} h_{i,1}^{-1} \neq 1$; hence $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathsf{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus G0 and G1 are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$ according to the union bound, and $|\Pr_0[\mathsf{Succ}] - \Pr_1[\mathsf{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Game G2. It is identical to G1 except for the way the challenger samples the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game G2, the challenger first chooses $(x_1, y_1, \dots, x_4, y_4)$ and $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$; next it computes $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) := (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.

Obviously, the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence G2 is identical to G1, and $\Pr_1[\mathsf{Succ}] = \Pr_2[\mathsf{Succ}]$.

Game G3. It is identical to G2 except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G3, instead of using the public key $\mathsf{pk}_{i_\ell} = (h_{i_\ell,1}, \dots, h_{i_\ell,4})$, the challenger uses the secret key $\mathsf{sk}_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \dots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell,1}, \dots, e_{\ell,4})$ and $\tilde e_\ell$ in the following way:

(i)
$$ (e_{\ell,1}, \dots, e_{\ell,4}) := \big( u_{\ell,1}^{-x_{i_\ell,1}} u_{\ell,2}^{-y_{i_\ell,1}} T^{k_{\ell,1}},\ \dots,\ u_{\ell,4}^{-x_{i_\ell,4}} u_{\ell,5}^{-y_{i_\ell,4}} T^{k_{\ell,4}} \big) \bmod N^2. \quad (30) $$

(ii)
$$ \tilde e_\ell := \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \tilde u_{\ell,3}^{-x_{i_\ell,2}} \tilde u_{\ell,4}^{-y_{i_\ell,2}} \tilde u_{\ell,5}^{-x_{i_\ell,3}} \tilde u_{\ell,6}^{-y_{i_\ell,3}} \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \quad (31) $$

Note that for $j \in [4]$,
$$ e_{\ell,j} \overset{G_2}{=} h_{i_\ell,j}^{r_\ell} T^{k_{\ell,j}} = \big( g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}} \big)^{r_\ell} T^{k_{\ell,j}} \overset{G_3}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} \bmod N^2, $$
Table 2: Brief description of the security proof of Theorem 24. Each row gives the changes between adjacent games, followed by the relation between them and the assumption used.

G0: The original $n$-KDM-CCA security game. (no assumption)

G1: decrypt: reject if $\langle \mathsf{ai}, \mathsf{aiaec} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$. Relation: G0 $\approx_s$ G1.

G2: initialize: sample secret keys with $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) = (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$. Relation: G1 $=$ G2.

G3: encrypt$(f_\ell, i_\ell)$: use the secret keys to run KEM.Encrypt and $\mathcal{E}$.Encrypt. Relation: G2 $=$ G3.

G4: encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of the secret keys, $\mathsf{Ec}$ is computed with $(\tilde u_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \dots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \dots, g_5^{r_{\ell,4}})$; encrypt does not use $(x_j, y_j)_{j=1}^4 \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen. Relation: G3 $\approx_c$ G4 by IV5.

G5: encrypt$(f_\ell, i_\ell)$: kem.ct ($= \mathsf{ai}$) of KEM.Encrypt is computed with $(u_{\ell,j})_{j \in [5]} = ((g_j^{r^*} T^{\alpha_j})^{r_\ell})_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now KEM.Encrypt encapsulates the four keys $(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}))_{j=1}^4 \bmod N$, but $(k_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. Relation: G4 $\approx_c$ G5 by IV5.

G6: encrypt$(f_\ell, i_\ell)$: sample $k_{\ell,j} := r_\ell k^*_j + s_{\ell,j}$ for $j \in [4]$. Now KEM.Encrypt encapsulates the four keys $(r_\ell (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell (\alpha_j \bar x_{i,j} + \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j})_{j=1}^4$, but $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. Relation: G5 $=$ G6.

G7: decrypt: use $\phi(N)$ and the secret keys to answer decryption queries. Relation: G6 $=$ G7.

G8: decrypt: add an additional rejection rule. Reject if $\mathsf{Bad}' = (\exists u_j \notin \mathsf{SCR}_{N^2})$ or $\widetilde{\mathsf{Bad}} = (\forall u_j \in \mathsf{SCR}_{N^2}) \land (\exists \tilde u_j \notin \mathsf{SCR}_{N^s})$ happens. $\mathsf{Bad}'$ and $\widetilde{\mathsf{Bad}}$ can be detected by using $\phi(N)$. Now only the ($\bmod\ \phi(N)/4$) part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^4 \bmod N$ perfectly hides $(k^*_1, \dots, k^*_4)$ in encrypt; thus $(k^*_1, \dots, k^*_4)$ is uniform. $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. $\mathsf{Bad}'$ may lead to a fresh successful forgery for $\mathrm{AIAE}_{\mathrm{DDH}}$. Relation: G7 $=$ G8 if neither $\mathsf{Bad}'$ nor $\widetilde{\mathsf{Bad}}$ happens; $\Pr[\mathsf{Bad}'] = \mathrm{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$.

G9: initialize: sample an independent random tuple $(\bar k^*_1, \dots, \bar k^*_4)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell \bar k^*_j + s_{\ell,j})_{j=1}^4$ in AIAE.Encrypt. Relation: G8 $=$ G9 to the adversary.

G10: encrypt: encrypt zeros instead of the affine function of the secret keys. $\widetilde{\mathsf{Bad}}$ happens with negligible probability since $t = g_1^m \bmod N$ in decrypt. Adversary $\mathcal{A}$ wins with probability $1/2$. Relation: G9 $\approx_c$ G10 by the IND-$\mathcal{F}_{\mathrm{aff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$; $\Pr[\widetilde{\mathsf{Bad}}] = \mathrm{negl}$.
and
$$ \begin{aligned} \tilde e_\ell &\overset{G_2}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{m_\beta} = \big( g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}} \big)^{r_{\ell,1}} \cdots \big( g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}} \big)^{r_{\ell,4}} T^{m_\beta} \\ &\overset{G_3}{=} \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \end{aligned} \quad (32) $$

Thus G3 is the same as G2, and $\Pr_2[\mathsf{Succ}] = \Pr_3[\mathsf{Succ}]$.

Game G4. It is identical to G3 except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G4, in the case of $\beta = 1$, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and $\tilde e_\ell$ are computed without the use of $(x_1, y_1, \dots, x_4, y_4) \bmod N$:

(i)
$$ (\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8}) := \big( g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}} \big) \bmod N^s. \quad (33) $$

(ii)
$$ \tilde e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}}\, T^{\sum_{i=1}^n \sum_{j=1}^4 \left( a_{i,j} (x_{i,j} - x_{i_\ell,j}) + b_{i,j} (y_{i,j} - y_{i_\ell,j}) \right) + c} \bmod N^s, \quad (34) $$

where $f_\ell = (\{a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$. Note that
$$ \begin{aligned} \tilde e_\ell &\overset{G_4}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left( a_{i,j} (x_{i,j} - x_{i_\ell,j}) + b_{i,j} (y_{i,j} - y_{i_\ell,j}) \right) + c} \\ &= \prod_{j=1}^4 \big( g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}} \big)^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^n \sum_{j=1}^4 \left( a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j} \right)} \\ &= \prod_{j=1}^4 \big( g_j^{r_{\ell,j}} T^{\sum_{i=1}^n a_{i,j}} \big)^{-x_{i_\ell,j}} \big( g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^n b_{i,j}} \big)^{-y_{i_\ell,j}} \cdot T^{m_1} \\ &= \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_1} \bmod N^s, \end{aligned} \quad (35) $$
where the step that introduces $m_1$ follows from $m_1 = \sum_{i=1}^n \left( a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4} \right) + c$.
We analyze the difference between G3 and G4 via the following lemma.

Lemma 25. One has $|\Pr_3[\mathsf{Succ}] - \Pr_4[\mathsf{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $\tilde e_\ell$ is computed from $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is the same in G3 and G4. Therefore the only divergence between G3 and G4 lies in $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$.

We show that any difference between G3 and G4 results in a PPT adversary $\mathcal{B}_1$ solving the IV5 problem. $\mathcal{B}_1$ is provided with $(N, g_1, \dots, g_5)$ and has access to its $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle. $\mathcal{B}_1$ simulates game G3 or game G4 for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares $\mathsf{pars}$ and generates $(\mathsf{pk}_i, \mathsf{sk}_i)$, $i \in [n]$, as in G3 and G4. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = (\{a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle with
$$ \Big( \sum_{i=1}^n a_{i,1}, \sum_{i=1}^n b_{i,1}, *, *, * \Big),\ \Big( *, \sum_{i=1}^n a_{i,2}, \sum_{i=1}^n b_{i,2}, *, * \Big),\ \Big( *, *, \sum_{i=1}^n a_{i,3}, \sum_{i=1}^n b_{i,3}, * \Big),\ \Big( *, *, *, \sum_{i=1}^n a_{i,4}, \sum_{i=1}^n b_{i,4} \Big), $$
where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde u_{\ell,1}, \tilde u_{\ell,2}, *, *, *)$, $(*, \tilde u_{\ell,3}, \tilde u_{\ell,4}, *, *)$, $(*, *, \tilde u_{\ell,5}, \tilde u_{\ell,6}, *)$, $(*, *, *, \tilde u_{\ell,7}, \tilde u_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}})$.

Case 2 ($b = 1$): $(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}})$.

Next, $\mathcal{B}_1$ uses the obtained $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and the secret keys to compute $\tilde e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$, since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event $\mathsf{Succ}$ occurs.

In Case 1, $\mathcal{B}_1$ simulates game G3 perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game G4 perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathsf{Succ}]$ and $\Pr_4[\mathsf{Succ}]$ results in $\mathcal{B}_1$'s advantage over the IV5 problem. Thus Lemma 25 follows.
Game G5. It is identical to G4 except for the following differences. In the initialize procedure of game G5, the challenger picks $r^* \gets_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \dots, \alpha_5 \gets_\$ \mathbb{Z}_N$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \dots, u_{\ell,5})$ as follows:

(i) $(u_{\ell,1}, \dots, u_{\ell,5}) := \big( (g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell} \big) \bmod N^2$.

The only difference between G4 and G5 is the distribution of $(u_{\ell,1}, \dots, u_{\ell,5})$. In game G4, $(u_{\ell,1}, \dots, u_{\ell,5}) = (g_1^{r_\ell}, \dots, g_5^{r_\ell}) \bmod N^2$, while in game G5, $(u_{\ell,1}, \dots, u_{\ell,5}) = ((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}) \bmod N^2$. Just like Lemma 25, any difference between G4 and G5 results in a PPT adversary solving the IV5 problem by invoking $\mathcal{A}$. Therefore $|\Pr_4[\mathsf{Succ}] - \Pr_5[\mathsf{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Game G6. It is identical to G5 except for the following differences. In the initialize procedure of game G6, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \dots, e_{\ell,4})$ in a different way:

(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \gets_\$ (\mathbb{Z}_N)^4$ and $r_\ell \gets_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \dots, r_\ell k^*_4 + s_{\ell,4})$.

(ii)
$$ (e_{\ell,1}, \dots, e_{\ell,4}) := \Big( h_{i_\ell,1}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}},\ \dots,\ h_{i_\ell,4}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}} \Big). \quad (36) $$

Clearly $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game G5. In the meantime, for $j \in [4]$ we have
$$ \begin{aligned} e_{\ell,j} &\overset{G_5}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} = \big( g_j^{r^*} T^{\alpha_j} \big)^{-r_\ell \cdot x_{i_\ell,j}} \big( g_{j+1}^{r^*} T^{\alpha_{j+1}} \big)^{-r_\ell \cdot y_{i_\ell,j}} T^{k_{\ell,j}} \\ &= \big( g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}} \big)^{r^* r_\ell}\, T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \\ &\overset{G_6}{=} h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \end{aligned} \quad (37) $$
Thus G6 is the same as G5, and $\Pr_5[\mathsf{Succ}] = \Pr_6[\mathsf{Succ}]$.

Game G7. It is identical to G6 except for the way the challenger answers the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$. In game G7, it uses $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathsf{ai}, \mathsf{aiaec} \rangle$, where $\mathsf{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \dots, k_4)$ and $m$ in the following way:

(i)
$$ \begin{aligned} (\alpha'_1, \dots, \alpha'_5) &:= \Big( \frac{d\log_T(u_1^{\phi(N)})}{\phi(N)}, \dots, \frac{d\log_T(u_5^{\phi(N)})}{\phi(N)} \Big) \bmod N, \\ (\gamma'_1, \dots, \gamma'_4) &:= \Big( \frac{d\log_T(e_1^{\phi(N)})}{\phi(N)}, \dots, \frac{d\log_T(e_4^{\phi(N)})}{\phi(N)} \Big) \bmod N, \\ \mathbf{k} = (k_1, \dots, k_4) &:= \big( \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1, \dots, \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4 \big) \bmod N. \end{aligned} \quad (38) $$

(ii)
$$ \mathsf{Ec} = (\tilde u_1, \dots, \tilde u_8, \tilde e, t) / \bot \leftarrow \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}). \quad (39) $$

(iii)
$$ \begin{aligned} (\tilde\alpha'_1, \dots, \tilde\alpha'_8) &:= \Big( \frac{d\log_T(\tilde u_1^{\phi(N)})}{\phi(N)}, \dots, \frac{d\log_T(\tilde u_8^{\phi(N)})}{\phi(N)} \Big) \bmod N^{s-1}, \\ \tilde\gamma &:= \frac{d\log_T(\tilde e^{\phi(N)})}{\phi(N)} \bmod N^{s-1}, \\ m &:= \tilde\alpha'_1 x_{i,1} + \tilde\alpha'_2 y_{i,1} + \tilde\alpha'_3 x_{i,2} + \tilde\alpha'_4 y_{i,2} + \tilde\alpha'_5 x_{i,3} + \tilde\alpha'_6 y_{i,3} + \tilde\alpha'_7 x_{i,4} + \tilde\alpha'_8 y_{i,4} + \tilde\gamma \bmod N^{s-1}. \end{aligned} \quad (40) $$

According to (8), for $j \in [4]$ we have that
$$ \begin{aligned} k_j &\overset{G_6}{=} d\log_T\big( e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}} \big) = \frac{d\log_T\big( (e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)} \big)}{\phi(N)} \bmod N \\ &= \frac{d\log_T(u_j^{\phi(N) \cdot x_{i,j}})}{\phi(N)} + \frac{d\log_T(u_{j+1}^{\phi(N) \cdot y_{i,j}})}{\phi(N)} + \frac{d\log_T(e_j^{\phi(N)})}{\phi(N)} \\ &\overset{G_7}{=} \underbrace{\frac{d\log_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{d\log_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{d\log_T(e_j^{\phi(N)})}{\phi(N)}}_{\gamma'_j}, \\ m &\overset{G_6}{=} d\log_T\big( \tilde e\, \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}} \big) \bmod N^{s-1} \\ &\overset{G_7}{=} \underbrace{\frac{d\log_T(\tilde u_1^{\phi(N)})}{\phi(N)}}_{\tilde\alpha'_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{d\log_T(\tilde u_8^{\phi(N)})}{\phi(N)}}_{\tilde\alpha'_8} \cdot y_{i,4} + \underbrace{\frac{d\log_T(\tilde e^{\phi(N)})}{\phi(N)}}_{\tilde\gamma}. \end{aligned} \quad (41) $$
Hence G7 is essentially the same as G6, and $\Pr_6[\mathsf{Succ}] = \Pr_7[\mathsf{Succ}]$.

Game G8. It is identical to G7 except for the way of answering the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:

(i) If $\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or $\tilde\alpha'_1 \neq 0$ or $\cdots$ or $\tilde\alpha'_8 \neq 0$, output $\bot$.

Denote by $\mathsf{Bad}$ the event that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
$$ e_1 u_1^{x_{i,1}} u_2^{y_{i,1}}, \dots, e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathsf{RU}_{N^2} \quad \text{and} \quad \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) \neq \bot, \quad (42) $$
$$ \text{and} \quad \tilde e\, \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}} \in \mathsf{RU}_{N^s} \quad \text{and} \quad t = g_1^m \bmod N, \quad (43) $$
$$ \text{and} \quad \big( \alpha'_1 \neq 0 \ \lor \cdots \lor\ \alpha'_5 \neq 0 \ \lor\ \tilde\alpha'_1 \neq 0 \ \lor \cdots \lor\ \tilde\alpha'_8 \neq 0 \big). \quad (44) $$

Obviously G8 is identical to G7 unless $\mathsf{Bad}$ occurs. Thus $|\Pr_7[\mathsf{Succ}] - \Pr_8[\mathsf{Succ}]| \le \Pr_8[\mathsf{Bad}]$.

To show the computational indistinguishability of G7 and G8, we must prove that $\Pr_8[\mathsf{Bad}]$ is negligible. To this end, $\mathsf{Bad}$ is divided into two subevents:

(i) $\mathsf{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
$$ \text{Conditions (42), (43), and } \big( \alpha'_1 \neq 0 \ \lor \cdots \lor\ \alpha'_5 \neq 0 \big). \quad (45) $$

(ii) $\widetilde{\mathsf{Bad}}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
$$ \text{Conditions (42), (43), and } \big( \alpha'_1 = \cdots = \alpha'_5 = 0 \big) \ \land\ \big( \tilde\alpha'_1 \neq 0 \ \lor \cdots \lor\ \tilde\alpha'_8 \neq 0 \big). \quad (46) $$

Obviously $\Pr_8[\mathsf{Bad}] \le \Pr_8[\mathsf{Bad}'] + \Pr_8[\widetilde{\mathsf{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathsf{Bad}}]$ to subsequent games. Through the following lemma, we provide the analysis of $\Pr_8[\mathsf{Bad}']$.

Lemma 26. One has $\Pr_8[\mathsf{Bad}'] \le 2 Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In decrypt of game G8, the challenger will reply $\bot$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\tilde\alpha'_1 = \cdots = \tilde\alpha'_8 = 0$. Consequently, the ($\bmod\ \phi(N)/4$) part of $\mathsf{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, together with the value of $\phi(N)$, is enough for answering decrypt queries. In particular, the values of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ are not necessary in decrypt.

$\mathsf{Bad}'$ is further divided into the following two subevents:

(i) $\mathsf{Bad}'$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
$$ \text{Conditions (42), (43), and } \big( \alpha'_1 \neq 0 \ \lor \cdots \lor\ \alpha'_5 \neq 0 \big) \ \land\ \Big( \exists j \in [4]:\ \frac{\alpha'_j}{\alpha_j} \neq \frac{\alpha'_{j+1}}{\alpha_{j+1}} \bmod N \Big). \quad (47) $$

(ii) $\mathsf{Bad}'$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
$$ \text{Conditions (42), (43), and } \big( \alpha'_1 \neq 0 \ \lor \cdots \lor\ \alpha'_5 \neq 0 \big) \ \land\ \Big( \frac{\alpha'_1}{\alpha_1} = \cdots = \frac{\alpha'_5}{\alpha_5} \bmod N \Big). \quad (48) $$

Recall that $(\alpha_1, \dots, \alpha_5)$ are chosen in initialize. We will consider the two subevents in game G8 separately, via the following two claims.

Claim 27. One has $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. In game G8, the values of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \dots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$, since for $j \in [4]$
$$ \begin{aligned} e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\ &= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (\overbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}^{\triangleq\, \tilde k_j} - \alpha_j \bar x_{i_\ell,j} - \alpha_{j+1} \bar y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \end{aligned} \quad (49) $$

If $\mathsf{Bad}'$-1 occurs, for concreteness say that $\alpha'_1 / \alpha_1 \neq \alpha'_2 / \alpha_2 \bmod N$, then
$$ k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar x_{i,1} + \alpha'_2 \bar y_{i,1} + \gamma'_1 \bmod N, \quad (50) $$
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \gets_\$ \mathbb{Z}_N$, the probability of $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) \neq \bot$ is upper bounded by $\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.

Claim 28. One has $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game G8 the only information about $(x_1, y_1, \dots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values of $\tilde k_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\tilde k_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\tilde k_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\tilde k_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \dots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \dots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt.

Note that, because of the randomness of $(x_1, y_1, \dots, x_4, y_4) \bmod N$, $(\tilde k_1, \tilde k_2, \tilde k_3, \tilde k_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm that simulates decrypt and encrypt of game G8 without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \dots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA encryption oracle of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathsf{pars}_{\mathrm{AIAE}})$, which has access to the $\mathsf{encrypt}_{\mathrm{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathsf{pars}_{\mathrm{AIAE}} = (N, p, q, \dots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more, and it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \dots, x_4, y_4) \bmod N$ either, and instead it chooses $\tilde{\mathbf{k}} = (\tilde k_1, \tilde k_2, \tilde k_3, \tilde k_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(\bar x_{i_\ell,j}, \bar y_{i_\ell,j}, \tilde k_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4$, $i \in [n]$, to compute $\tilde e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the ($\bmod\ \phi(N)/4$) part of $\mathsf{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathsf{Ec}_\ell, \mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \dots, s_{\ell,4}) \rangle)$ to its own $\mathsf{encrypt}_{\mathrm{AIAE}}$ oracle and obtains $\mathsf{aiaec}_\ell$. The final ciphertext is $\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security game, the $\mathsf{encrypt}_{\mathrm{AIAE}}$ oracle will encrypt $\mathsf{Ec}_\ell$ with the auxiliary input $\mathsf{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$; that is, the $\mathsf{encrypt}_{\mathrm{AIAE}}$ oracle behaves as $\mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathsf{Ec}_\ell, \mathsf{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to G8. For decrypt, $\mathcal{B}_2$ answers decryption queries with the ($\bmod\ \phi(N)/4$) part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like G8.

Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ such that $\mathsf{Bad}'$-2 occurs. For concreteness, say that $r := \alpha'_1 / \alpha_1 = \cdots = \alpha'_5 / \alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
$$ \begin{aligned} k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\ &= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\ &= r \cdot k^*_j - r \cdot \big( \underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{=\, \tilde k_j} - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j} \big) + \gamma'_j \bmod N \\ &= r \cdot k^*_j + \underbrace{\big( - r \cdot (\tilde k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j \big)}_{\triangleq\, s_j} = r \cdot k^*_j + s_j \bmod N. \end{aligned} \quad (51) $$

Thus $\mathbf{k} = (k_1, \dots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \dots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \dots, s_4) \rangle$ as above using $(\bar x_{i,j}, \bar y_{i,j}, \tilde k_j)_{j=1}^4$, and outputs $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiaec})$ to its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathsf{ai}, \mathsf{aiaec} \rangle \neq \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiaec}) \neq (\mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathsf{aiaec}_\ell)$ will hold for all $\ell \in [Q_e]$; that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \dots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\tilde k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = - r \cdot (\tilde k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously, this satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security.

(iii) Finally, if $\mathsf{Bad}'$-2 occurs in this decryption query, then $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) \neq \bot$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, will imply that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game G9 It is identical to G8 except for the following differ-ences In the initialize procedure of gameG9 the challengerpicks an independent k
lowast = (119896lowast1 119896lowast2 119896lowast3 119896lowast4 )larr$ (Z119873)4 besidesklowast = (119896lowast1 119896lowast2 119896lowast3 119896lowast4 ) As for the ℓth (ℓ isin [119876119890]) encryptoracle query (119891ℓ 119894ℓ) the challenger employs a different keyfor AIAEDDH in the computation of aiaecℓ
(i) kℓ fl (119903ℓ119896lowast1 + 119904ℓ1 119903ℓ119896lowast4 + 119904ℓ4)(ii) aiaecℓlarr$ AIAEEncrypt(kℓEcℓ aiℓ)
We stress that the challenger still employs klowast = (119896lowast1 119896lowast2 119896lowast3 119896lowast4 ) in the computation of (119890ℓ1 119890ℓ4)
In G8 the only place that involves the value of (1199091 1199101 1199094 1199104) mod119873 is in the computation of (119890ℓ1 119890ℓ4) inthe encrypt oracle Specifically for 119895 isin [4]119890ℓ119895 = ℎ119903lowast119903ℓ119894ℓ 119895
119879119903ℓ sdot(119896lowast119895 minus120572119895119909119894ℓ 119895minus120572119895+1119910119894ℓ 119895)+119904ℓ119895 mod1198732
= ℎ119903lowast119903ℓ119894ℓ 119895119879119903ℓ sdot(119896
lowast119895 minus120572119895119909119895minus120572119895+1119910119895minus120572119895119909119894ℓ 119895minus120572119895+1119910119894ℓ 119895
)+119904ℓ119895
mod1198732(52)
Note that the computation of 119905ℓ = 1198921198981205731 mod119873 in theencrypt oracle only involves (1199091 1199101 1199094 1199104) mod120601(119873)4 Moreover observe that neither klowast = (119896lowast1 klowast2 119896lowast3 119896lowast4 )nor (1199091 1199101 1199094 1199104) mod119873 is used in decrypt Henceklowast = (119896lowast1 119896lowast2 119896lowast3 119896lowast4 ) is perfectly hidden by (1199091 1199101 11990941199104) mod119873
Therefore the challenger could always employ anotherklowast = (119896lowast1 119896lowast4 ) in the computation of kℓ and utilize kℓin the AIAEDDHrsquos encryption in the encrypt oracle as inG9
Then game $\mathsf{G}_8$ and game $\mathsf{G}_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathsf{Succ}] = \Pr_9[\mathsf{Succ}]$ and $\Pr_8[\mathsf{Bad}] = \Pr_9[\mathsf{Bad}]$.
Game $\mathsf{G}_{10}$. It is identical to $\mathsf{G}_9$, except for the way the challenger answers the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $\mathsf{G}_{10}$ the challenger computes $\mathsf{aiae.c}_\ell$ in the following way:
(i) $\mathsf{aiae.c}_\ell \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathsf{ai}_\ell)$.
Observe that in $\mathsf{G}_9$ and $\mathsf{G}_{10}$, $\mathbf{k}^*$ is employed only in the $\mathsf{AIAE}_{\mathsf{DDH}}$ encryption, which uses $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$ as the encryption key, with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between $\mathsf{G}_9$ and $\mathsf{G}_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathsf{DDH}}$ scheme. Therefore, $|\Pr_9[\mathsf{Succ}] - \Pr_{10}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE}_{\mathsf{DDH}}}(\lambda)$ and $|\Pr_9[\mathsf{Bad}] - \Pr_{10}[\mathsf{Bad}]| \le \mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE}_{\mathsf{DDH}}}(\lambda)$.
Finally, in $\mathsf{G}_{10}$ the challenger always computes the $\mathsf{AIAE}_{\mathsf{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathsf{Succ}] = 1/2$.
To complete the proof of Theorem 24, we only need to prove the following lemma.
Lemma 29. One has $\Pr_{10}[\mathsf{Bad}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda)$.
Proof. In $\mathsf{G}_{10}$, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g\, g_j \bmod \phi(N)/4$ for some base $g \in \mathsf{SCR}_{N^s}$, $j \in [5]$.
$\mathsf{Bad}$ is further divided into the following two disjoint subevents, where $\square_1, \ldots, \square_8$ stand for the eight exponents of the decrypt query (their symbol does not survive in the source):
(i) $\mathsf{Bad}$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \wedge (\square_1 \neq 0 \vee \cdots \vee \square_8 \neq 0) \wedge \Big( \tfrac{\square_1}{w_1} \neq \tfrac{\square_2}{w_2} \vee \tfrac{\square_3}{w_2} \neq \tfrac{\square_4}{w_3} \vee \tfrac{\square_5}{w_3} \neq \tfrac{\square_6}{w_4} \vee \tfrac{\square_7}{w_4} \neq \tfrac{\square_8}{w_5} \Big). \quad (53)
\]
(ii) $\mathsf{Bad}$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \wedge (\square_1 \neq 0 \vee \cdots \vee \square_8 \neq 0) \wedge \Big( \tfrac{\square_1}{w_1} = \tfrac{\square_2}{w_2} \wedge \tfrac{\square_3}{w_2} = \tfrac{\square_4}{w_3} \wedge \tfrac{\square_5}{w_3} = \tfrac{\square_6}{w_4} \wedge \tfrac{\square_7}{w_4} = \tfrac{\square_8}{w_5} \Big). \quad (54)
\]
We will analyze the two subevents in game $\mathsf{G}_{10}$ separately via the following two claims.
Claim 30. One has $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Proof. If $\mathsf{Bad}$-1 occurs, for concreteness say that $\square_1 / w_1 \neq \square_2 / w_2$, then
\[
g_1^{m} = g_1^{\,\square_1 x_{i,1} + \square_2 y_{i,1} + \cdots} = g_1^{\,\square_1 x_1 + \square_2 y_1 + \square_1 \bar{x}_{i,1} + \square_2 \bar{y}_{i,1} + \cdots \bmod \phi(N)/4} \bmod N, \quad (55)
\]
and $(\square_1 x_1 + \square_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m}$ is uniformly distributed over $\mathsf{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.
Then, by a union bound, $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.
Proof. In game $\mathsf{G}_{10}$, if $\mathsf{Bad}$-2 occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ that computes the discrete logarithm of $h$ to the base $g$, where $g, h \in \mathsf{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathsf{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys in the same way as initialize in $\mathsf{G}_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $\mathsf{G}_{10}$ does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g\, h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g\, g_j = z_j + w z'_j \bmod \phi(N)/4$.
If $\mathsf{Bad}$-2 occurs in decrypt, for concreteness say that $\square_1 / w_1 = \square_2 / w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{\square_1} = g_1^{\square_2} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1 \square_2 = w_2 \square_1 \bmod \phi(N)/4$, or equivalently
\[
z_1 \square_2 + w z'_1 \square_2 = z_2 \square_1 + w z'_2 \square_1 \bmod \phi(N)/4. \quad (56)
\]
Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1 \square_2 - z'_2 \square_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ succeeds in computing the discrete logarithm of $h$ to the base $g$ and outputs $w = (z'_1 \square_2 - z'_2 \square_1)^{-1} \cdot (z_2 \square_1 - z_1 \square_2) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.
In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.
In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with n-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA Security
5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], i.e., polynomial-sized circuits computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of the modular arithmetic circuits; the only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathsf{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.
5.2. Reducing Polynomials of 8n Variables to Polynomials of 8 Variables
How to Reduce the 8n-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.
The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, every $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be represented as a shift of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
\[
x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}. \quad (57)
\]
Consequently, $f_\ell$ in the $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in the 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
\[
\begin{aligned}
f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big)
&= f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) \\
&= f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big)
= \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (58)
\end{aligned}
\]
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.
How to Determine the Coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:
(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which computes $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.
Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1, \ldots, c_8)}$ can be extracted by solving the linear system of equations
\[
f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big)
= \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (59)
\]
The overall time complexity for computing the coefficients $a_{(c_1, \ldots, c_8)}$ is polynomial in $\lambda$.
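The reduction of Section 5.2, as an added worked example that is not part of the paper: a black-box $f_\ell$ on all $8n$ key coordinates is queried at $\binom{8+d}{8}$ random points, each point expanded into the $n$ keys through eq. (57), and the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ are read off by solving the resulting linear system. It assumes a toy prime modulus in place of the paper's ring, $n = 3$, $d = 2$, and a constructed degree-2 function `sample_f` standing in for the modular arithmetic circuit.

```python
import random
from itertools import product

# Toy parameters, constructed for this example (not from the paper): a prime
# modulus stands in for the paper's modular arithmetic so that the linear
# system can be solved with ordinary modular inverses.
P_MOD = 1_000_003
D = 2            # a priori degree bound d of the polynomials
N_USERS = 3      # n users, each key laid out as (x_{i,1}, y_{i,1}, ..., x_{i,4}, y_{i,4})


def degree_tuples(d):
    """All c = (c_1, ..., c_8) with 0 <= c_1 + ... + c_8 <= d, one per monomial of f'_l."""
    return [c for c in product(range(d + 1), repeat=8) if sum(c) <= d]


def monomial(z, c):
    """z_1^{c_1} * ... * z_8^{c_8} mod P_MOD."""
    r = 1
    for zj, cj in zip(z, c):
        r = r * pow(zj, cj, P_MOD) % P_MOD
    return r


def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination over Z_{P_MOD}; the system is assumed nonsingular."""
    n = len(rows)
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(n):
        piv = next(r for r in range(col, n) if m[r][col] % P_MOD)
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, P_MOD)
        m[col] = [v * inv % P_MOD for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % P_MOD for a, b in zip(m[r], m[col])]
    return [m[r][n] for r in range(n)]


def keys_from_point(z, shifts, target):
    """Eq. (57): rebuild every user's key from z = (x_{i_l,j}, y_{i_l,j})_j and the shifts,
    x_{i,j} = x_{i_l,j} + xbar_{i,j} - xbar_{i_l,j} (and likewise for y)."""
    return [[(z[k] + shifts[i][k] - shifts[target][k]) % P_MOD for k in range(8)]
            for i in range(len(shifts))]


def reduce_polynomial(f, shifts, target, d=D):
    """Recover the coefficients a_c of f'_l in the 8 variables of user i_l = target.

    f      : black box computing f_l on the full key list (stands in for the MAC)
    shifts : the (xbar_{i,j}, ybar_{i,j}) chosen in initialize, same layout as the keys
    Each round picks z at random, evaluates f on the expanded keys and records one
    equation sum_c a_c z^c = f(...); binom(8+d, 8) rounds give a solvable system.
    """
    tuples = degree_tuples(d)
    rows, rhs = [], []
    for _ in range(len(tuples)):
        z = [random.randrange(P_MOD) for _ in range(8)]
        rows.append([monomial(z, c) for c in tuples])
        rhs.append(f(keys_from_point(z, shifts, target)) % P_MOD)
    return dict(zip(tuples, solve_mod_p(rows, rhs)))


def evaluate(coeffs, z):
    """Evaluate the reduced polynomial f'_l at z = (x_{i_l,1}, y_{i_l,1}, ..., y_{i_l,4})."""
    return sum(a * monomial(z, c) for c, a in coeffs.items()) % P_MOD


def sample_f(keys):
    """Constructed degree-2 function of all three users' keys (hypothetical, for the demo)."""
    (x11, y11, _, _, _, _, _, _), (_, _, _, _, _, _, x24, _), (_, _, _, y32, _, _, _, _) = keys
    return 3 * x11 * y32 + 5 * x24 + 7 * y11 * y11 + 11
```

Only the $\binom{8+2}{8} = 45$ coefficients of $f'_\ell$ are recovered, although `sample_f` ranges over all $24$ key coordinates.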
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we first consider a simple case: construct $\mathcal{E}$ for a concrete type of monomial function, that is,
\[
f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (60)
\]
Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 9.
Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that of Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$-$\mathsf{G}_4$, which are related to the building block $\mathcal{E}$. Next we replace $\mathsf{G}_3$-$\mathsf{G}_4$ with the following hybrids (i.e., Hybrid 1 to Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
\[
f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (61)
\]
Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.
(i) Invoke $\mathcal{E}.\mathsf{Encrypt}$ to set up $\mathsf{table}$.
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.
(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Clearly, $\tilde{v}_0, \ldots, \tilde{v}_8$ computed via $\mathcal{E}.\mathsf{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathsf{Encrypt}$. Therefore this is just a conceptual change.
Figure 9. $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$.
$\mathcal{E}.\mathsf{c} \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$:
For $l \in \{0, 1, \ldots, 8\}$: $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$; $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$.
$\mathsf{table}$ is the $9 \times 8$ matrix whose row 0 is $(u_{0,1}, \ldots, u_{0,8})$ and whose row $l \in [8]$ is $(u_{l,1}, \ldots, u_{l,8})$ with the diagonal entry replaced by $\tilde{u}_{l,l} = u_{l,l} \cdot v_{l-1}$; that is, row 1 is $(u_{1,1} \cdot v_0, u_{1,2}, \ldots, u_{1,8})$, row 2 is $(u_{2,1}, u_{2,2} \cdot v_1, u_{2,3}, \ldots, u_{2,8})$, and so on up to row 8, which is $(u_{8,1}, \ldots, u_{8,7}, u_{8,8} \cdot v_7)$.
$e = v_8 \cdot T^m \bmod N^s$; $t = g_1^m \bmod N \in \mathbb{Z}_N$. Output $\mathcal{E}.\mathsf{c} = (\mathsf{table}, e, t)$.
$m / \bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.\mathsf{c})$:
Parse $\mathcal{E}.\mathsf{c} = (\mathsf{table}, e, t)$ and parse $\mathsf{table}$ as the rows above.
$\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$;
$\tilde{v}_1 = (\tilde{u}_{1,1} / \tilde{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$;
$\tilde{v}_2 = u_{2,1}^{-x_1} (\tilde{u}_{2,2} / \tilde{v}_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$;
$\ldots$;
$\tilde{v}_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (\tilde{u}_{8,8} / \tilde{v}_7)^{-y_4}$.
If $e / \tilde{v}_8 \in \mathsf{RU}_N$: $m = \mathrm{dlog}_T(e / \tilde{v}_8) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$. Otherwise output $\bot$.
Figure 10. Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The four panels (Hybrid 1, Hybrid 2, Hybrid 3, Hybrid 3 (Equivalent Form)) show how $\mathsf{table}$, $e$ and $t$ are computed in $\mathcal{E}.\mathsf{Encrypt}(f, i \in [n])$ in each hybrid: the rows $(u_{l,1}, \ldots, u_{l,8})$ and titles $v_l$ are generated as in Figure 9, Hybrid 3 plants $T^a$ into the $(1,1)$ entry, and the Equivalent Form sets $e = v_8 \bmod N^s$; the hybrids are described in the text.
Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.
(i) $\mathsf{table}$ is computed similarly to $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, in $\mathsf{table}$ the entry located in row 1 and column 1 is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$. By the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.
(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) $\mathsf{table}$ is computed similarly to $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry located in row 1 and column 1 of $\mathsf{table}$ is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.
After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $\mathsf{G}_7$-$\mathsf{G}_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathsf{table}$ are elements of $\mathsf{SCR}_{N^s}$; if this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
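The table-and-title mechanism of Figure 9 together with the "routine calculation" of Hybrid 3, as an added worked example that is not the paper's code: honest $\mathcal{E}.\mathsf{Encrypt}$/$\mathcal{E}.\mathsf{Decrypt}$ over a toy $\mathbb{Z}_{N^2}^*$, and a check that planting $T^a$ into $\tilde{u}_{1,1}$ makes the title chain absorb the whole monomial, $\tilde{v}_8 = v_8 \cdot T^{-a x_1 y_1 \cdots x_4 y_4}$. It assumes tiny constructed primes ($N = 1019 \cdot 1021$, $s = 2$), far too small for any security, and uses $T = 1 + N$ so that $\mathrm{dlog}_T$ is the map $1 + mN \mapsto m$.

```python
import secrets
from math import gcd, prod

# Toy DCR-style parameters, constructed for this example (not the paper's code):
# N = pq with tiny primes and s = 2, so all arithmetic is in Z_{N^2}^*.
# T = 1 + N has order N there and T^m = 1 + mN, which makes dlog_T trivial.
P, Q = 1019, 1021
N = P * Q
N2 = N * N
T = 1 + N


def rand_unit(bound):
    """Uniform r in [1, bound) with gcd(r, N) = 1."""
    while True:
        r = secrets.randbelow(bound - 1) + 1
        if gcd(r, N) == 1:
            return r


def sample_generators():
    """g_1..g_5: 2N-th residues mod N^2 (the paper's SCR_{N^s} for s = 2)."""
    return [pow(rand_unit(N2), 2 * N, N2) for _ in range(5)]


def keygen(g):
    """sk = (x_1, y_1, ..., x_4, y_4); pk entries h_j = g_j^{-x_j} g_{j+1}^{-y_j} mod N^2."""
    x = [rand_unit(N2 // 4) for _ in range(4)]
    y = [rand_unit(N2 // 4) for _ in range(4)]
    h = [pow(g[j], -x[j], N2) * pow(g[j + 1], -y[j], N2) % N2 for j in range(4)]
    return (x, y), h


def fresh_row(g, h):
    """One row of Figure 9: u = (g_1^r1, g_2^r1, g_2^r2, g_3^r2, ..., g_5^r4), v = prod_j h_j^rj."""
    r = [rand_unit(N // 4) for _ in range(4)]
    u = []
    for j in range(4):
        u += [pow(g[j], r[j], N2), pow(g[j + 1], r[j], N2)]
    v = prod(pow(h[j], r[j], N2) for j in range(4)) % N2
    return u, v


def e_encrypt(g, h, m, tweak=1):
    """E.Encrypt of Figure 9.  tweak = 1 is the honest algorithm; tweak = T^a
    reproduces the Hybrid 3 modification u~_{1,1} = (u_{1,1} T^a) * v_0."""
    table, v_prev = [], None
    for l in range(9):
        u, v = fresh_row(g, h)
        if l >= 1:
            if l == 1:
                u[0] = u[0] * tweak % N2
            u[l - 1] = u[l - 1] * v_prev % N2       # diagonal entry u~_{l,l} = u_{l,l} * v_{l-1}
        table.append(u)
        v_prev = v
    e = v_prev * pow(T, m, N2) % N2                # e = v_8 * T^m
    t = pow(g[0], m, N)                            # t = g_1^m mod N
    return (table, e, t), v_prev                   # v_8 is returned only for the demonstration


def titles(sk, table):
    """E.Decrypt's chain v~_0, ..., v~_8: each row is raised to (-x_1, -y_1, ..., -x_4, -y_4)
    after its diagonal entry has been divided by the previous title v~_{l-1}."""
    x, y = sk
    exps = [-x[0], -y[0], -x[1], -y[1], -x[2], -y[2], -x[3], -y[3]]
    vt = []
    for l, row in enumerate(table):
        row = list(row)
        if l >= 1:
            row[l - 1] = row[l - 1] * pow(vt[-1], -1, N2) % N2
        vt.append(prod(pow(row[k], exps[k], N2) for k in range(8)) % N2)
    return vt


def e_decrypt(g, sk, ct):
    """E.Decrypt of Figure 9: strip v~_8, require e / v~_8 in RU_N = {1 + mN}, then check t."""
    table, e, t = ct
    w = e * pow(titles(sk, table)[-1], -1, N2) % N2
    if w % N != 1:
        return None
    m = (w - 1) // N                               # dlog_T of an element of RU_N
    return m if pow(g[0], m, N) == t else None


def hybrid3_check(g, h, sk, a):
    """Routine calculation of Section 5.3: with T^a planted in u~_{1,1}, the chain yields
    v~_8 = v_8 * T^{-a x_1 y_1 x_2 y_2 x_3 y_3 x_4 y_4}.  Returns (v~_8 * T^{a * prod}, v_8)."""
    (table, _, _), v8 = e_encrypt(g, h, 0, tweak=pow(T, a, N2))
    x, y = sk
    mono = a * prod(x[j] * y[j] for j in range(4))
    return titles(sk, table)[-1] * pow(T, mono, N2) % N2, v8
```

The two values returned by `hybrid3_check` coincide, which is exactly why the Equivalent Form of Hybrid 3 can set $e := v_8$ without touching the $\bmod N$ part of the secret key.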
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. In general, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which we name a title. Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 11.
Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. Each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$ is associated with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.
For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{TableGen}$ shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.
Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from $\mathsf{table}^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{CalculateV}$ in Figure 11. Thus the titles $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that of Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$-$\mathsf{G}_4$. Next we replace $\mathsf{G}_3$-$\mathsf{G}_4$ with the following hybrids (Hybrid 1 to Hybrid 3). Specifically, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
\[
f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \quad (62)
\]
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.
Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
(2) invoke $\tilde{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Employ $(\tilde{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Figure 11. (a) $\mathcal{E}.\mathsf{Encrypt}$ (left) and $\mathcal{E}.\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$. (b) $\mathsf{TableGen}$, which generates $\mathsf{table}^{(\mathbf{c})}$ together with a title $v^{(\mathbf{c})}$. (c) $\mathsf{CalculateV}$, which calculates a title $\tilde{v}^{(\mathbf{c})}$ from $\mathsf{table}^{(\mathbf{c})}$ using the secret key.
(a) $\mathcal{E}.\mathsf{c} \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$: For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$: $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$. $e = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^m \bmod N^s$; $t = g_1^m \bmod N \in \mathbb{Z}_N$. Output $\mathcal{E}.\mathsf{c} = ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$.
$m / \bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}.\mathsf{c})$: Parse $\mathcal{E}.\mathsf{c} = ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$. For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$: $\tilde{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$. If $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})})^{-1} \in \mathsf{RU}_N$: $m = \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})})^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$. Otherwise output $\bot$.
(b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: For each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$: $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$; $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. $\mathsf{table}^{(\mathbf{c})}$ is the matrix whose row 0 is $(u_{0,1}, \ldots, u_{0,8})$ and whose row $l \ge 1$ is $(u_{l,1}, \ldots, u_{l,8})$ with one entry replaced by $\tilde{u}_{l,j} = u_{l,j} \cdot v_{l-1}$, the column $j$ being determined by the block of rows that $l$ falls in: the $c_1$ rows $1, \ldots, c_1$ modify column 1, the $c_2$ rows $c_1 + 1, \ldots, c_1 + c_2$ modify column 2, and so on, up to the $c_8$ rows $\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j$, which modify column 8. Output $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})} = v_{\sum_{j=1}^8 c_j})$.
(c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathsf{table}^{(\mathbf{c})}, \mathbf{c} = (c_1, \ldots, c_8))$: Parse $\mathsf{table}^{(\mathbf{c})} = (\tilde{u}_{l,1}, \ldots, \tilde{u}_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$.
$\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$.
For each $l \in \{1, \ldots, c_1\}$: $\tilde{v}_l = (\tilde{u}_{l,1} / \tilde{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$.
For each $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$: $\tilde{v}_l = u_{l,1}^{-x_1} (\tilde{u}_{l,2} / \tilde{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$.
$\ldots$
For each $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$: $\tilde{v}_l = u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (\tilde{u}_{l,8} / \tilde{v}_{l-1})^{-y_4}$.
Output $\tilde{v}^{(\mathbf{c})} = \tilde{v}_{\sum_{j=1}^8 c_j}$.
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}^{(\mathbf{c})}$ computed via $\mathsf{CalculateV}$ is the same as $v^{(\mathbf{c})}$ computed via $\mathsf{TableGen}$. Therefore this change is just conceptual.
Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference: more precisely, in $\mathsf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$; by the $\mathsf{IV}_5$ assumption this difference is computationally undetectable;
(2) extract $\tilde{v}^{(\mathbf{c})}$ from the (modified) $\mathsf{table}^{(\mathbf{c})}$ by invoking $\tilde{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
\[
\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})} \cdot T^{-a_{(c_1, \ldots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \quad (63)
\]
Hence
\[
\begin{aligned}
e &= \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \\
&= \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \ldots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta}. \quad (64)
\end{aligned}
\]
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.
After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
With a similar argument to that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
Appendix
A. Proof of Claim 19
We build a PPT adversary $\mathcal{B}$ against the INT-OT security of $\mathsf{AE}$. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ at random. $\mathcal{B}$ is given $\mathsf{pars}_{\mathsf{AE}}$ and has one-time access to the oracle $\mathsf{encrypt}_{\mathsf{AE}}(\cdot) = \mathsf{AE.Encrypt}(\kappa, \cdot)$.
Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathsf{AIAE}}$ in the same way as in $\mathsf{G}'_{1,j}$. That is, it invokes $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, picks $\mathsf{H} \leftarrow_\$ \mathcal{H}$ at random, and sets $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathsf{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.
As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all and instead resorts to its own $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ at random and computes $t_j := \mathsf{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, queries its $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. By the definition of the $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathsf{G}'_{1,j}$. Therefore the simulation by $\mathcal{B}$ is the same as that in $\mathsf{G}'_{1,j}$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ into $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ into $\mathcal{Q}_{\mathrm{TAG}}$.
Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the $\mathsf{AE}$ scheme as follows:
(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ implies that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, the conditions $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$ imply that $\chi^* \neq \chi_j$ and $\mathsf{AE.Decrypt}(\kappa, \chi^*) \neq \bot$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.
In summary, $\mathcal{B}$ perfectly simulates $\mathsf{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B Proof of Indistinguishability betweenHybrids 2 and 3 in Section 53
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}^{\mathrm{IV}_5}_b}(N, g_1, \ldots, g_5)$ to solve the $\mathrm{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathsf{E.Encrypt}$ as follows.

(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}^{\mathrm{IV}_5}_b$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,

Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_1}, g_2^{r_1}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_1} T^{a}, g_2^{r_1}) = (u_{1,1} T^{a}, u_{1,2})$.

$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^{a} \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be
$$\big(\tilde{u}_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \ldots,\ u_{1,8}\big). \tag{B.1}$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $v^*_1 = v_1$, or
Case ($b = 1$): $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}^{\mathrm{IV}_5}_b$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,

Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_2}, g_2^{r_2}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_2}, g_2^{r_2} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.

$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^*_{2,2} \cdot v^*_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
$$\big(u^*_{2,1},\ \tilde{u}_{2,2} = u^*_{2,2} \cdot v^*_1,\ u_{2,3},\ \ldots,\ u_{2,8}\big). \tag{B.2}$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $v^*_2 = v_2$, or
Case ($b = 1$): $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}^{\mathrm{IV}_5}_b$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,

Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_3}, g_3^{r_3}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_3}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.

$\mathcal{B}$ sets $\tilde{u}_{3,3} := u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that $\tilde{u}_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be
$$\big(u_{3,1},\ u_{3,2},\ \tilde{u}_{3,3} = u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ u_{3,5},\ \ldots,\ u_{3,8}\big). \tag{B.3}$$
$\mathcal{B}$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $v^*_3 = v_3$, or
Case ($b = 1$): $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.

(vi) Finally, $\mathcal{B}$ computes $v_0, \ldots, v_8$ from table just as in Hybrids 2 and 3 (also as the original $\mathsf{E.Decrypt}$ algorithm), and computes $e := v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathrm{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant Nos. 61672346 and 61373153).
References
[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
Figure 3: IND-OT (a) and INT-OT (b) security games for AE. Both games share Proc. initialize: $\mathsf{pars}_{\mathsf{AE}} \leftarrow_\$ \mathsf{AE.ParGen}(1^\lambda)$; $k \leftarrow_\$ \mathcal{K}_{\mathsf{AE}}$; output $\mathsf{pars}_{\mathsf{AE}}$.
(a) IND-OT. Proc. encrypt$(m_0, m_1)$ (one query): if $|m_0| \neq |m_1|$ output $\bot$; $\beta \leftarrow_\$ \{0,1\}$; $\mathsf{aec} \leftarrow_\$ \mathsf{AE.Encrypt}(k, m_\beta)$; output $\mathsf{aec}$. Proc. finalize$(\beta')$: output $(\beta' = \beta)$.
(b) INT-OT. Proc. encrypt$(m)$ (one query): $\mathsf{aec} \leftarrow_\$ \mathsf{AE.Encrypt}(k, m)$; output $\mathsf{aec}$. Proc. finalize$(\mathsf{aec}^*)$: if $\mathsf{aec}^* = \mathsf{aec}$ output 0; output $(\mathsf{AE.Decrypt}(k, \mathsf{aec}^*) \neq \bot)$.
We require KEM to have perfect correctness, that is, for all possible $(pk, sk) \leftarrow_\$ \mathsf{KEM.KeyGen}(1^\lambda)$, we have
$$\Pr\big[(k, \mathsf{kemc}) \leftarrow_\$ \mathsf{KEM.Encrypt}(pk) : \mathsf{KEM.Decrypt}(sk, \mathsf{kemc}) = k\big] = 1. \tag{3}$$
2.4. Tag-Based Hash Proof System: Universal$_2$, Extracting, and Key-Homomorphism. Tag-based hash proof system (HPS) was first defined in [19]. The definition is similar to extended HPS [20], but the universal$_2$ property is slightly different.

Definition 3 (tag-based hash proof system). A tag-based hash proof system $\mathsf{THPS} = (\mathsf{THPS.Setup}, \mathsf{THPS.Pub}, \mathsf{THPS.Priv})$ is comprised of three PPT algorithms:

(i) $\mathsf{THPS.Setup}(1^\lambda)$ outputs a parameterized instance $\mathsf{pars}_{\mathsf{THPS}}$, which implicitly defines $(\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}, \Lambda_{(\cdot)}, \mu)$, where $\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}$ are all finite sets with $\mathcal{V} \subseteq \mathcal{C}$, $\Lambda_{(\cdot)} : \mathcal{C} \times \mathcal{T} \to \mathcal{K}$ is a set of hash functions indexed by $hk \in \mathcal{HK}$, and $\mu : \mathcal{HK} \to \mathcal{PK}$ is a function. We assume that $\mu$ is efficiently computable and that there are PPT algorithms sampling $hk \leftarrow_\$ \mathcal{HK}$ uniformly, sampling $C \leftarrow_\$ \mathcal{C}$ uniformly, sampling $C \leftarrow_\$ \mathcal{V}$ uniformly together with a witness $w$, and checking membership in $\mathcal{C}$.

(ii) $\mathsf{THPS.Pub}(pk, C, w, t)$ takes a projection key $pk = \mu(hk) \in \mathcal{PK}$, an element $C \in \mathcal{V}$ with a witness $w$, and a tag $t \in \mathcal{T}$ as input, and outputs a hash value $K = \Lambda_{hk}(C, t) \in \mathcal{K}$.

(iii) $\mathsf{THPS.Priv}(hk, C, t)$ takes a hashing key $hk \in \mathcal{HK}$, an element $C \in \mathcal{C}$, and a tag $t \in \mathcal{T}$ as input, and outputs a hash value $K = \Lambda_{hk}(C, t) \in \mathcal{K}$ without knowing a witness.

We require THPS to be projective, that is, for all $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, all $hk \in \mathcal{HK}$ and $pk = \mu(hk) \in \mathcal{PK}$, all $C \in \mathcal{V}$ with all witnesses $w$, and all $t \in \mathcal{T}$, it holds that
$$\mathsf{THPS.Pub}(pk, C, w, t) = \Lambda_{hk}(C, t) = \mathsf{THPS.Priv}(hk, C, t). \tag{4}$$

Tag-based HPS is associated with a subset membership problem. Informally speaking, it asks to distinguish the uniform distribution over $\mathcal{V}$ from the uniform distribution over $\mathcal{C} \setminus \mathcal{V}$.

Definition 4 (SMP). The Subset Membership Problem (SMP) related to THPS is hard if for any PPT adversary $\mathcal{A}$ one has
$$\mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS},\mathcal{A}}(\lambda) := \big|\Pr[\mathcal{A}(\mathsf{pars}_{\mathsf{THPS}}, C) = 1] - \Pr[\mathcal{A}(\mathsf{pars}_{\mathsf{THPS}}, C') = 1]\big| \le \mathsf{negl}(\lambda), \tag{5}$$
where $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, $C \leftarrow_\$ \mathcal{V}$, and $C' \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$.
Definition 5 (universal$_2$). THPS is called (strongly) universal$_2$ if for all possible $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, all $pk \in \mathcal{PK}$, all $C \in \mathcal{C}$, all $C' \in \mathcal{C} \setminus \mathcal{V}$, all $t, t' \in \mathcal{T}$ with $t \neq t'$, and all $K, K' \in \mathcal{K}$, it holds that
$$\Pr\big[\Lambda_{hk}(C', t') = K' \mid \mu(hk) = pk,\ \Lambda_{hk}(C, t) = K\big] = \frac{1}{|\mathcal{K}|}, \tag{6}$$
where the probability is over $hk \leftarrow_\$ \mathcal{HK}$.

The key difference between tag-based HPS and extended HPS lies in the definition of the universal$_2$ property [19]. Extended HPS requires (6) to hold for all $(C, t) \neq (C', t')$, while tag-based HPS requires (6) to hold only for $t \neq t'$. Hence any (universal$_2$) extended HPS is also a (universal$_2$) tag-based HPS, but not vice versa. Tag-based HPS is essentially a weaker variant of extended HPS and admits more efficient constructions.
Dodis et al. [21] defined an extracting property for extended HPS, which requires the hash value $\Lambda_{hk}(C, t)$ to be uniformly distributed over $\mathcal{K}$ for any $C \in \mathcal{C}$ and $t \in \mathcal{T}$, as long as $hk$ is randomly chosen from $\mathcal{HK}$. Besides, Xagawa [22] considered a key-homomorphic property for extended HPS, which stipulates that $\Lambda_{hk + \Delta}(C, t) = \Lambda_{hk}(C, t) \cdot \Lambda_{\Delta}(C, t)$ holds for any $hk, \Delta \in \mathcal{HK}$, $C \in \mathcal{C}$, and $t \in \mathcal{T}$. Here we adapt these notions to tag-based HPS.

Definition 6 (extracting). THPS is called extracting if for all $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, all $C \in \mathcal{C}$, all $t \in \mathcal{T}$, and all $K \in \mathcal{K}$, it holds that
$$\Pr[\Lambda_{hk}(C, t) = K] = \frac{1}{|\mathcal{K}|}, \tag{7}$$
where $hk \leftarrow_\$ \mathcal{HK}$.

Definition 7 (key-homomorphism). THPS is called key-homomorphic if for all $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, which defines $(\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}, \Lambda_{(\cdot)}, \mu)$, one has the following:

(i) Both $(\mathcal{HK}, +)$ and $(\mathcal{K}, \cdot)$ are groups.
(ii) For all $C \in \mathcal{C}$ and all $t \in \mathcal{T}$, the mapping $\Lambda_{(\cdot)}(C, t) : \mathcal{HK} \to \mathcal{K}$ is a group homomorphism. That is, for all $hk, \mathbf{b} \in \mathcal{HK}$ and all $a \in \mathbb{Z}$, it holds that $\Lambda_{a \cdot hk + \mathbf{b}}(C, t) = (\Lambda_{hk}(C, t))^{a} \cdot \Lambda_{\mathbf{b}}(C, t)$.
2.5. DCR, DDH, DL, and IV$_d$ Assumptions. Suppose that $\mathsf{GenN}(1^\lambda)$ is a PPT algorithm generating $(p, q, N, \bar{N})$, where $p, q$ are safe primes of $\lambda$ bits, $N = pq$, and $\bar{N} = 2N + 1$ is a prime. We define the following:

(i) $\mathrm{QR}_{\bar N} := \{a^2 \bmod \bar N \mid a \in \mathbb{Z}^*_{\bar N}\}$.

Then $\mathrm{QR}_{\bar N}$ is a cyclic group of order $N$. For $s \in \mathbb{N}$ and $T = 1 + N$, we define

(i) $\mathrm{QR}_{N^s} := \{a^2 \bmod N^s \mid a \in \mathbb{Z}^*_{N^s}\}$;
(ii) $\mathrm{SCR}_{N^s} := \{a^{2N^{s-1}} \bmod N^s \mid a \in \mathbb{Z}^*_{N^s}\}$;
(iii) $\mathrm{RU}_{N^s} := \{T^r \bmod N^s \mid r \in [N^{s-1}]\}$.

Then $\mathrm{SCR}_{N^s}$ is a cyclic group of order $\phi(N)/4$, and $\mathrm{QR}_{N^s} = \mathrm{SCR}_{N^s} \otimes \mathrm{RU}_{N^s}$, where $\otimes$ represents the internal direct product.

Damgård and Jurik [23] showed that the discrete logarithm $\mathrm{dlog}_T(u) \in [N^{s-1}]$ of an element $u \in \mathrm{RU}_{N^s}$ can be efficiently computed from $u$ and $N$. Observe that $\mathbb{Z}^*_{N^s} = \mathbb{Z}_2 \otimes \mathbb{Z}'_2 \otimes \mathrm{SCR}_{N^s} \otimes \mathrm{RU}_{N^s}$; thus for any $v = v(\mathbb{Z}_2) \cdot v(\mathbb{Z}'_2) \cdot v(\mathrm{SCR}_{N^s}) \cdot T^{x} \in \mathbb{Z}^*_{N^s}$ we have $v^{\phi(N)} = T^{x \cdot \phi(N)} \in \mathrm{RU}_{N^s}$ and
$$\frac{\mathrm{dlog}_T\big(v^{\phi(N)}\big)}{\phi(N)} \bmod N^{s-1} = x. \tag{8}$$
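As an added worked example (not part of the original paper), the following Python code implements the Damgård-Jurik discrete logarithm in $\mathrm{RU}_{N^s}$ and uses it to check identity (8): raising $v$ to $\phi(N)$ kills its order-2 and $\mathrm{SCR}_{N^s}$ components, and dividing the logarithm by $\phi(N)$ modulo $N^{s-1}$ recovers $x$. The safe primes, the choice $s = 3$, and the masked test element are constructed here for illustration and are far too small for any real use; the function names are ours.

```python
import math
import secrets

# Constructed toy parameters: safe primes p = 2*23 + 1 and q = 2*29 + 1, N = pq, s = 3.
# They are far too small for security and only make the arithmetic of eq. (8) checkable;
# gcd(phi(N), N) = 1 is needed so that phi(N) is invertible modulo N^(s-1).
P, Q, S = 47, 59, 3
N = P * Q
PHI_N = (P - 1) * (Q - 1)

def dlog_T(u, n, s):
    """Damgard-Jurik discrete log of u in RU_{n^s} to base T = 1 + n.

    Since (1+n)^x = sum_k C(x,k) n^k, reducing mod n^(j+1) and applying L(a) = (a-1)/n
    gives x + C(x,2) n + ... + C(x,j) n^(j-1) mod n^j; the binomial terms depend only on
    x mod n^(j-1), so x is recovered one power of n at a time.  Returns x in [n^(s-1)].
    """
    x = 0
    for j in range(1, s):
        nj = n ** j
        t1 = ((u % n ** (j + 1)) - 1) // n
        falling, xk = x, x          # falling = x (x-1) ... (x-k+1) mod n^j
        for k in range(2, j + 1):
            xk -= 1
            falling = falling * xk % nj
            # subtract C(x,k) n^(k-1); k! is invertible mod n^j because gcd(k!, n) = 1
            t1 = (t1 - falling * n ** (k - 1) * pow(math.factorial(k), -1, nj)) % nj
        x = t1 % nj
    return x

def ru_component(v, p, q, s):
    """Eq. (8): for v = v(Z_2) v(Z'_2) v(SCR) T^x in Z^*_{N^s}, return x mod N^(s-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    ns1 = n ** (s - 1)
    w = pow(v, phi, n ** s)         # v^phi(N) = T^(x phi(N)): the order-2 and SCR parts vanish
    return dlog_T(w, n, s) * pow(phi, -1, ns1) % ns1

def sample_masked(x, p, q, s):
    """Constructed test element (-1) * z * T^x mod N^s with z <-$ SCR_{N^s} and -1 of order 2."""
    n = p * q
    ns = n ** s
    a = secrets.randbelow(ns - 2) + 2
    while math.gcd(a, n) != 1:
        a = secrets.randbelow(ns - 2) + 2
    z = pow(a, 2 * n ** (s - 1), ns)    # a^(2 N^(s-1)) lies in SCR_{N^s}
    return (-z * pow(1 + n, x, ns)) % ns

if __name__ == "__main__":
    x = 123456
    print(ru_component(sample_masked(x, P, Q, S), P, Q, S) == x)
```

For $s = 2$ the loop reduces to the familiar $\mathrm{dlog}_T(u) = (u - 1)/N \bmod N$, since $T^x = 1 + xN \bmod N^2$; the extra iterations are what make the $s > 2$ case of Damgård-Jurik work.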
Definition 8 (DCR assumption). The Decisional Composite Residuosity (DCR) assumption holds for $\mathsf{GenN}$ and $\mathrm{QR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathsf{Adv}^{\mathrm{dcr}}_{\mathsf{GenN},\mathcal{A}}(\lambda) := \big|\Pr[\mathcal{A}(N, u) = 1] - \Pr[\mathcal{A}(N, v) = 1]\big| \le \mathsf{negl}(\lambda), \tag{9}$$
where $(p, q, N, \bar N) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, $u \leftarrow_\$ \mathrm{QR}_{N^s}$, and $v \leftarrow_\$ \mathrm{SCR}_{N^s}$.
The Interactive Vector ($\mathrm{IV}_d$) assumption is implied by the DCR assumption, as shown in [5]. Here we recall the $\mathrm{IV}_d$ assumption according to [16].

Definition 9 ($\mathrm{IV}_d$ assumption). The $\mathrm{IV}_d$ assumption holds for $\mathsf{GenN}$ and $\mathrm{QR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathsf{Adv}^{\mathrm{iv}_d}_{\mathsf{GenN},\mathcal{A}}(\lambda) := \Big|\Pr\big[\mathcal{A}^{\mathsf{chal}^{\mathrm{IV}_d}_b}(N, g_1, \ldots, g_d) = b\big] - \tfrac{1}{2}\Big| \le \mathsf{negl}(\lambda), \tag{10}$$
where $(p, q, N, \bar N) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, $g_1, \ldots, g_d \leftarrow_\$ \mathrm{SCR}_{N^s}$, $b \leftarrow_\$ \{0,1\}$, and $\mathcal{A}$ is allowed to query the oracle $\mathsf{chal}^{\mathrm{IV}_d}_b(\cdot)$ adaptively. Each time $\mathcal{A}$ can submit $(\delta_1, \ldots, \delta_d)$ to the oracle, and $\mathsf{chal}^{\mathrm{IV}_d}_b(\delta_1, \ldots, \delta_d)$ selects $r \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly; if $b = 0$ the oracle outputs $(g_1^{r}, \ldots, g_d^{r})$ to $\mathcal{A}$, otherwise it outputs $(g_1^{r} T^{\delta_1}, \ldots, g_d^{r} T^{\delta_d})$ to $\mathcal{A}$, where $T = 1 + N$.
Definition 10 (DDH assumption). The DDH assumption holds for $\mathsf{GenN}$ and $\mathrm{QR}_{\bar N}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathsf{Adv}^{\mathrm{ddh}}_{\mathsf{GenN},\mathcal{A}}(\lambda) := \big|\Pr[\mathcal{A}(\bar N, p, q, g_1, g_2, g_1^{x}, g_2^{x}) = 1] - \Pr[\mathcal{A}(\bar N, p, q, g_1, g_2, g_1^{x}, g_2^{y}) = 1]\big| \le \mathsf{negl}(\lambda), \tag{11}$$
where $(p, q, N, \bar N) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, $g_1, g_2 \leftarrow_\$ \mathrm{QR}_{\bar N}$, and $x, y \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$.

Definition 11 (DL assumption). The Discrete Logarithm (DL) assumption holds for $\mathsf{GenN}$ and $\mathrm{SCR}_{N^s}$ if for any PPT $\mathcal{A}$ it holds that
$$\mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN},\mathcal{A}}(\lambda) := \Pr[\mathcal{A}(N, p, q, g, g^{x}) = x] \le \mathsf{negl}(\lambda), \tag{12}$$
where $(p, q, N, \bar N) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, $g \leftarrow_\$ \mathrm{SCR}_{N^s}$, and $x \leftarrow_\$ [\phi(N)/4]$.
2.6. Collision-Resistant Hashing

Definition 12 (collision-resistant hashing). Let $\mathcal{H} = \{H : \mathcal{X} \to \mathcal{Y}\}$ be a set of hash functions. $\mathcal{H}$ is said to be collision-resistant if for any PPT $\mathcal{A}$ one has
$$\mathsf{Adv}^{\mathrm{cr}}_{\mathcal{H},\mathcal{A}}(\lambda) := \Pr\big[H \leftarrow_\$ \mathcal{H},\ (x, x') \leftarrow_\$ \mathcal{A}(H) : x \neq x' \wedge H(x) = H(x')\big] \le \mathsf{negl}(\lambda). \tag{13}$$
3. Auxiliary-Input Authenticated Encryption

Our PKE constructions in Sections 4 and 5 will resort to a new primitive, AIAE. To serve the KDM-CCA security of our PKE construction in Figure 1, our AIAE should satisfy the following properties:

(i) AIAE must take an auxiliary input $ai$ in both the encryption and decryption algorithms.
(ii) AIAE must have IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. Compared to the INT-$\mathcal{F}$-RKA security proposed in [16], the weak-INT-$\mathcal{F}$-RKA security imposes a special rule to determine whether the adversary's forgery is successful or not.

In the following, we present the syntax of AIAE and define its IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. We also show a general paradigm of AIAE from tag-based HPS and give an instantiation of AIAE under the DDH assumption.
3.1. Auxiliary-Input Authenticated Encryption

Definition 13 (AIAE). There are three PPT algorithms $\mathsf{AIAE} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ in an AIAE scheme:

(i) The parameter generation algorithm $\mathsf{AIAE.ParGen}(1^\lambda)$ generates a system parameter $\mathsf{pars}_{\mathsf{AIAE}}$. We require $\mathsf{pars}_{\mathsf{AIAE}}$ to be an implicit input to the other algorithms, and assume that $\mathsf{pars}_{\mathsf{AIAE}}$ implicitly defines a key space $\mathcal{K}_{\mathsf{AIAE}}$, a message space $\mathcal{M}$, and an auxiliary-input space $\mathcal{AI}$.
(ii) The encryption algorithm $\mathsf{AIAE.Encrypt}(k, m, ai)$ takes a key $k \in \mathcal{K}_{\mathsf{AIAE}}$, a message $m \in \mathcal{M}$, and an auxiliary input $ai \in \mathcal{AI}$ as input, and outputs a ciphertext $\mathsf{aiaec}$.
(iii) The decryption algorithm $\mathsf{AIAE.Decrypt}(k, \mathsf{aiaec}, ai)$ takes a key $k \in \mathcal{K}_{\mathsf{AIAE}}$, a ciphertext $\mathsf{aiaec}$, and an auxiliary input $ai \in \mathcal{AI}$ as input, and outputs a message $m \in \mathcal{M}$ or a symbol $\bot$.

We require AIAE to have perfect correctness, that is, for all possible $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_\$ \mathsf{AIAE.ParGen}(1^\lambda)$, all keys $k \in \mathcal{K}_{\mathsf{AIAE}}$, all messages $m \in \mathcal{M}$, and all auxiliary inputs $ai \in \mathcal{AI}$,
$$\Pr\big[\mathsf{AIAE.Decrypt}(k, \mathsf{AIAE.Encrypt}(k, m, ai), ai) = m\big] = 1. \tag{14}$$
In fact, AIAE is a generalization of traditional AE, and traditional AE can be viewed as AIAE with $\mathcal{AI} = \emptyset$.

Definition 14 (RKA security). Denote by $\mathcal{F}$ a set of functions from $\mathcal{K}_{\mathsf{AIAE}}$ to $\mathcal{K}_{\mathsf{AIAE}}$. A scheme AIAE is IND-$\mathcal{F}$-RKA secure and weak-INT-$\mathcal{F}$-RKA secure if for any PPT $\mathcal{A}$
$$\mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) := \Big|\Pr\big[\text{IND-}\mathcal{F}\text{-RKA}^{\mathcal{A}} \Rightarrow 1\big] - \tfrac{1}{2}\Big| \le \mathsf{negl}(\lambda),$$
$$\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) := \Pr\big[\text{weak-INT-}\mathcal{F}\text{-RKA}^{\mathcal{A}} \Rightarrow 1\big] \le \mathsf{negl}(\lambda), \tag{15}$$
where IND-$\mathcal{F}$-RKA and weak-INT-$\mathcal{F}$-RKA are the security games presented in Figure 4.
3.2. Generic Construction of AIAE from Tag-Based HPS and OT-Secure AE. Our construction of AIAE needs the following ingredients:

(i) A tag-based hash proof system $\mathsf{THPS} = (\mathsf{THPS.Setup}, \mathsf{THPS.Pub}, \mathsf{THPS.Priv})$, where the hash value space is $\mathcal{K}$, the tag space is $\mathcal{T}$, and the hashing key space is $\mathcal{HK}$.
(ii) A (traditional) authenticated encryption scheme $\mathsf{AE} = (\mathsf{AE.ParGen}, \mathsf{AE.Encrypt}, \mathsf{AE.Decrypt})$, where the message space is $\mathcal{M}$ and the key space is $\mathcal{K}$.
(iii) A set of hash functions $\mathcal{H} = \{H : \{0,1\}^* \to \mathcal{T}\}$.

We present our AIAE construction $\mathsf{AIAE} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ in Figure 5, whose key space is $\mathcal{K}_{\mathsf{AIAE}} := \mathcal{HK}$, message space is $\mathcal{M}$, and auxiliary-input space is $\mathcal{AI} := \{0,1\}^*$.

By the perfect correctness of AE, it is routine to check that AIAE has perfect correctness.

Theorem 15. If (i) THPS is universal$_2$, extracting, key-homomorphic, and has a hard subset membership problem, (ii) AE is one-time secure, and (iii) $\mathcal{H}$ is collision-resistant, then the scheme AIAE in Figure 5 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here $\mathcal{F}_{\mathrm{raff}} := \{f_{(a,\mathbf{b})} : hk \in \mathcal{HK} \mapsto a \cdot hk + \mathbf{b} \in \mathcal{HK} \mid a \in \mathbb{Z}^*_{|\mathcal{K}|},\ \mathbf{b} \in \mathcal{HK}\}$ is the set of restricted affine functions.
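As an added example, not code from the paper, here is a Python implementation of the generic AIAE construction of Section 3.2 (Figure 5) together with the tag-based HPS interface of Definitions 3 to 7. The THPS is our own Cramer-Shoup-style DDH instantiation over a toy prime-order subgroup of $\mathbb{Z}_p^*$ (projective and key-homomorphic; the paper's own DDH instantiation is not reproduced here), the one-time AE is an assumed SHAKE256-keystream plus HMAC-SHA256 scheme, and $H$ is SHA-256 reduced modulo $q$. All function names, the parameter search, and the sample messages are constructed for this example. The demo encrypts under $hk$ and under a restricted affine related key $a \cdot hk + \mathbf{b}$, shows that a changed auxiliary input makes decryption return $\bot$, and checks the key-homomorphism that the proof of Theorem 15 relies on.

```python
import hashlib
import hmac
import secrets

def is_prime(n):
    # Deterministic Miller-Rabin: bases 2, 3, 5, 7 are exact for n < 3.2e9.
    if any(n % sp == 0 for sp in (2, 3, 5, 7)):
        return n in (2, 3, 5, 7)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_params(start):
    # Smallest q >= start with q and p = 2q + 1 prime, so G = QR_p has prime order q.
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_params(1 << 30)   # constructed ~31-bit toy parameters; far too small for real use
G1, G2 = 4, 9                       # two squares mod p, hence generators of QR_p

def in_group(x):
    return 1 <= x < P and pow(x, Q, P) == 1
# Tag-based HPS, Cramer-Shoup style (our illustrative instantiation, not the paper's own):
# hk in HK = Z_q^4, pk = mu(hk) in QR_p^2, C in QR_p^2, V = {(g1^w, g2^w)}, tags t in Z_q,
# Lambda_hk(C, t) = c1^(k1 + t*k3) * c2^(k2 + t*k4) mod p; projective and key-homomorphic.
def thps_keygen():
    return tuple(secrets.randbelow(Q) for _ in range(4))

def thps_mu(hk):
    k1, k2, k3, k4 = hk
    return (pow(G1, k1, P) * pow(G2, k2, P) % P, pow(G1, k3, P) * pow(G2, k4, P) % P)

def thps_priv(hk, C, t):
    k1, k2, k3, k4 = hk
    return pow(C[0], (k1 + t * k3) % Q, P) * pow(C[1], (k2 + t * k4) % Q, P) % P

def thps_pub(pk, C, w, t):          # for C = (g1^w, g2^w): (pk1 * pk2^t)^w = Lambda_hk(C, t)
    return pow(pk[0] * pow(pk[1], t, P) % P, w, P)

def sample_v():                     # C <-$ V together with its witness w
    w = secrets.randbelow(Q - 1) + 1
    return (pow(G1, w, P), pow(G2, w, P)), w

def affine_key(a, b, hk):           # f_(a,b)(hk) = a*hk + b, the restricted affine RKA class
    return tuple((a * k + bi) % Q for k, bi in zip(hk, b))
# One-time AE from a SHAKE256 keystream plus HMAC-SHA256 (assumed construction, not the paper's).
def _ae_keys(kappa):
    kb = kappa.to_bytes(8, "big")
    return hashlib.sha256(b"enc" + kb).digest(), hashlib.sha256(b"mac" + kb).digest()

def ae_encrypt(kappa, m):
    k_enc, k_mac = _ae_keys(kappa)
    ct = bytes(x ^ y for x, y in zip(m, hashlib.shake_256(k_enc).digest(len(m))))
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()

def ae_decrypt(kappa, aec):
    k_enc, k_mac = _ae_keys(kappa)
    ct, tag = aec[:-32], aec[-32:]
    if len(aec) < 32 or not hmac.compare_digest(tag, hmac.new(k_mac, ct, hashlib.sha256).digest()):
        return None                 # integrity failure: output bottom
    return bytes(x ^ y for x, y in zip(ct, hashlib.shake_256(k_enc).digest(len(ct))))
# AIAE = (ParGen, Encrypt, Decrypt) as in Figure 5, with H(C, ai) := SHA-256(C || ai) mod q.
def tag_hash(C, ai):
    data = C[0].to_bytes(8, "big") + C[1].to_bytes(8, "big") + ai
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def aiae_encrypt(hk, m, ai):
    C, w = sample_v()
    t = tag_hash(C, ai)
    kappa = thps_pub(thps_mu(hk), C, w, t)   # only pk and the witness are needed to encrypt
    return C, ae_encrypt(kappa, m)

def aiae_decrypt(hk, aiaec, ai):
    C, chi = aiaec
    if not (in_group(C[0]) and in_group(C[1])):
        return None                 # C is not in the set C
    return ae_decrypt(thps_priv(hk, C, tag_hash(C, ai)), chi)

def demo():
    hk, m, ai = thps_keygen(), b"key-dependent payload", b"auxiliary input"
    a, b = 7, (1, 2, 3, 4)
    rk = affine_key(a, b, hk)       # an RKA-derived key a*hk + b
    ct = aiae_encrypt(hk, m, ai)
    C, t = ct[0], tag_hash(ct[0], ai)
    return (aiae_decrypt(hk, ct, ai) == m,                       # correctness
            aiae_decrypt(hk, ct, b"other ai") is None,           # other ai: new t, new kappa, bottom
            aiae_decrypt(rk, aiae_encrypt(rk, m, ai), ai) == m,  # works under the related key
            thps_priv(rk, C, t) == pow(thps_priv(hk, C, t), a, P) * thps_priv(b, C, t) % P)
```

The membership check on $C$ before any key derivation and the auxiliary input flowing only through the tag $t = H(C, ai)$ are the two points where this mirrors Figure 5; flipping any ciphertext byte or substituting an element outside $\mathrm{QR}_p$ makes `aiae_decrypt` return `None`, which plays the role of $\bot$.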
Proof of Theorem 15 (IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security). Denote by $\mathcal{A}$ a PPT adversary who is against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security and queries the encrypt oracle for at most $Q_e$ times. We show the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security through a series of games. For an event $\mathsf{E}$, we denote by $\Pr_j[\mathsf{E}]$, $\Pr_{j'}[\mathsf{E}]$, and $\Pr_{j''}[\mathsf{E}]$ the probability of $\mathsf{E}$ occurring in games $\mathsf{G}_j$, $\mathsf{G}'_j$, and $\mathsf{G}''_j$, respectively.

Game $\mathsf{G}_1$. It is the original IND-$\mathcal{F}_{\mathrm{raff}}$-RKA game. Denote the event $\beta' = \beta$ by $\mathsf{Succ}$. According to the definition, $\mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) = |\Pr_1[\mathsf{Succ}] - 1/2|$.
Figure 4: IND-$\mathcal{F}$-RKA (a) and weak-INT-$\mathcal{F}$-RKA (b) security games for AIAE. Both games share Proc. initialize: $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_\$ \mathsf{AIAE.ParGen}(1^\lambda)$; $k \leftarrow_\$ \mathcal{K}_{\mathsf{AIAE}}$; output $\mathsf{pars}_{\mathsf{AIAE}}$.
(a) IND-$\mathcal{F}$-RKA. initialize additionally picks $\beta \leftarrow_\$ \{0,1\}$. Proc. encrypt$(m_0, m_1, ai, f \in \mathcal{F})$: if $|m_0| \neq |m_1|$ output $\bot$; $\mathsf{aiaec} \leftarrow_\$ \mathsf{AIAE.Encrypt}(f(k), m_\beta, ai)$; output $\mathsf{aiaec}$. Proc. finalize$(\beta')$: output $(\beta' = \beta)$.
(b) weak-INT-$\mathcal{F}$-RKA. initialize additionally sets $\mathcal{Q}_{ENC} := \emptyset$ and $\mathcal{Q}_{AI\text{-}F} := \emptyset$. Proc. encrypt$(m, ai, f \in \mathcal{F})$: $\mathsf{aiaec} \leftarrow_\$ \mathsf{AIAE.Encrypt}(f(k), m, ai)$; $\mathcal{Q}_{ENC} := \mathcal{Q}_{ENC} \cup \{(ai, f, \mathsf{aiaec})\}$; $\mathcal{Q}_{AI\text{-}F} := \mathcal{Q}_{AI\text{-}F} \cup \{(ai, f)\}$; output $\mathsf{aiaec}$. Proc. finalize$(ai^*, f^* \in \mathcal{F}, \mathsf{aiaec}^*)$: if $(ai^*, f^*, \mathsf{aiaec}^*) \in \mathcal{Q}_{ENC}$ output 0; special rule: if there exists $(ai, f) \in \mathcal{Q}_{AI\text{-}F}$ such that $ai = ai^*$ but $f \neq f^*$, output 0; output $(\mathsf{AIAE.Decrypt}(f^*(k), \mathsf{aiaec}^*, ai^*) \neq \bot)$.
We note that in the weak-INT-$\mathcal{F}$-RKA game there is a special rule (highlighted in the figure) of outputting 0 in finalize.
Figure 5: Generic construction of AIAE from THPS and AE.
$\mathsf{AIAE.ParGen}(1^\lambda)$: $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$; $\mathsf{pars}_{\mathsf{AE}} \leftarrow_\$ \mathsf{AE.ParGen}(1^\lambda)$; $H \leftarrow_\$ \mathcal{H}$; output $\mathsf{pars}_{\mathsf{AIAE}} = (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, H)$.
$\mathsf{AIAE.Encrypt}(hk, m, ai)$: $C \leftarrow_\$ \mathcal{V}$ with witness $w$; $t := H(C, ai) \in \mathcal{T}$; $\kappa := \Lambda_{hk}(C, t) \in \mathcal{K}$; $\chi \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m)$; output $\langle C, \chi\rangle$.
$\mathsf{AIAE.Decrypt}(hk, \langle C, \chi\rangle, ai)$: if $C \notin \mathcal{C}$ output $\bot$; $t := H(C, ai) \in \mathcal{T}$; $\kappa := \Lambda_{hk}(C, t) \in \mathcal{K}$; $m/\bot \leftarrow \mathsf{AE.Decrypt}(\kappa, \chi)$; output $m/\bot$.
As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_{\ell,0}, m_{\ell,1}, ai_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell\rangle \in \mathcal{F}_{\mathrm{raff}}$, the challenger prepares the challenge ciphertext as follows:

(i) pick $C_\ell \leftarrow_\$ \mathcal{V}$ together with witness $w_\ell$;
(ii) compute $t_\ell := H(C_\ell, ai_\ell) \in \mathcal{T}$;
(iii) compute $\kappa_\ell := \Lambda_{a_\ell \cdot hk + \mathbf{b}_\ell}(C_\ell, t_\ell) \in \mathcal{K}$;
(iv) invoke $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$;

and it outputs the challenge ciphertext $\langle C_\ell, \chi_\ell\rangle$ to $\mathcal{A}$.
Game $\mathsf{G}_{1,j}$, $j \in [Q_e + 1]$. It is identical to $\mathsf{G}_1$, except that for the first $j - 1$ encrypt queries, that is, $\ell \in [j - 1]$, the challenger chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$ randomly for the AE scheme.

Clearly $\mathsf{G}_{1,1}$ is identical to $\mathsf{G}_1$; thus $\Pr_1[\mathsf{Succ}] = \Pr_{1,1}[\mathsf{Succ}]$.

Game $\mathsf{G}'_{1,j}$, $j \in [Q_e]$. It is identical to $\mathsf{G}_{1,j}$, except that for the $j$th encrypt query the challenger samples $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$ lies in the distribution of $C_j$. In game $\mathsf{G}_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $\mathsf{G}'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$ results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j}[\mathsf{Succ}] - \Pr_{1,j'}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda)$.

Game $\mathsf{G}''_{1,j}$, $j \in [Q_e]$. It is identical to $\mathsf{G}'_{1,j}$, except that for the $j$th encrypt query the challenger chooses $\kappa_j \leftarrow_\$ \mathcal{K}$ randomly.
Lemma 16. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.

Proof. For game $\mathsf{G}'_{1,j}$ and game $\mathsf{G}''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$th encrypt query. In $\mathsf{G}'_{1,j}$, $\kappa_j$ is properly computed, while in $\mathsf{G}''_{1,j}$ it is chosen from $\mathcal{K}$ uniformly.

We analyze the information about the key $hk$ that is used in game $\mathsf{G}'_{1,j}$.

(i) For the $\ell$th ($\ell \in [j - 1]$) query, encrypt does not use $hk$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.

(ii) For the $\ell$th ($\ell \in [j + 1, Q_e]$) query, encrypt can use $pk = \mu(hk)$ to compute $\kappa_\ell$:
$$\begin{aligned}
\kappa_\ell &= \Lambda_{a_\ell \cdot hk + \mathbf{b}_\ell}(C_\ell, t_\ell), \qquad C_\ell \leftarrow_\$ \mathcal{V} \text{ with witness } w_\ell \\
&= (\Lambda_{hk}(C_\ell, t_\ell))^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) \qquad \text{via key-homomorphism} \\
&= (\mathsf{THPS.Pub}(pk, C_\ell, w_\ell, t_\ell))^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) \qquad \text{via projective property.}
\end{aligned} \tag{16}$$

(iii) For the $j$th query, encrypt uses $\Lambda_{hk}(C_j, t_j)$ to compute $\kappa_j$:
$$\begin{aligned}
\kappa_j &= \Lambda_{a_j \cdot hk + \mathbf{b}_j}(C_j, t_j), \qquad C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V} \\
&= (\Lambda_{hk}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \qquad \text{via key-homomorphism.}
\end{aligned} \tag{17}$$

Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{hk}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $pk = \mu(hk)$. Then, as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{hk}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also uniformly distributed over $\mathcal{K}$. Consequently, $\mathsf{G}'_{1,j}$ is essentially the same as $\mathsf{G}''_{1,j}$, and $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.
Now we show that game $\mathsf{G}''_{1,j}$ is computationally indistinguishable from game $\mathsf{G}_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $\mathsf{G}''_{1,j}$ and $\mathsf{G}_{1,j+1}$ lies in the distribution of $C_j$ in the $j$th encrypt query. In game $\mathsf{G}''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $\mathsf{G}_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j''}[\mathsf{Succ}] - \Pr_{1,j+1}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda)$.

Game $\mathsf{G}_2$. It is identical to $\mathsf{G}_{1,Q_e+1}$, except that when answering encrypt queries the challenger invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$.

In game $\mathsf{G}_{1,Q_e+1}$, the challenger computes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$; in game $\mathsf{G}_2$, the challenger computes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$. Since each $\kappa_\ell$, $\ell \in [Q_e]$, is chosen from $\mathcal{K}$ uniformly at random, by a standard hybrid argument any difference between $\mathsf{G}_{1,Q_e+1}$ and $\mathsf{G}_2$ results in a PPT adversary against the IND-OT security of AE, so that $|\Pr_{1,Q_e+1}[\mathsf{Succ}] - \Pr_2[\mathsf{Succ}]| \le Q_e \cdot \mathsf{Adv}^{\mathrm{ind\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Finally, in game $\mathsf{G}_2$, since the challenge ciphertexts are encryptions of $0^{|m_{\ell,0}|}$, $\beta$ is perfectly hidden from $\mathcal{A}$. So $\Pr_2[\mathsf{Succ}] = 1/2$.

Summing up, we have proved the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security).
Proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security). Denote by $\mathcal{A}$ a PPT adversary who is against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security and queries the encrypt oracle for at most $Q_e$ times. Similarly, the proof goes through a series of games, which are defined analogously to those of the previous proof.

Game $\mathsf{G}_0$. It is the original weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, ai_\ell, f_\ell)$, the challenger computes the challenge ciphertext $\langle C_\ell, \chi_\ell\rangle$ in similar steps as the previous proof and outputs $\langle C_\ell, \chi_\ell\rangle$ to $\mathcal{A}$. Moreover, the challenger puts $(ai_\ell, f_\ell, \langle C_\ell, \chi_\ell\rangle)$ into a set $\mathcal{Q}_{ENC}$, puts $(ai_\ell, f_\ell)$ into a set $\mathcal{Q}_{AI\text{-}F}$, and puts $(C_\ell, ai_\ell, t_\ell)$ into a set $\mathcal{Q}_{TAG}$. In the end, the adversary outputs a forgery $(ai^*, f^*, \langle C^*, \chi^*\rangle)$, where $f^* = \langle a^*, \mathbf{b}^*\rangle$, and the challenger invokes the finalize procedure as follows:

(i) If $(ai^*, f^*, \langle C^*, \chi^*\rangle) \in \mathcal{Q}_{ENC}$, output 0.
(ii) If $\exists (ai_\ell, f_\ell) \in \mathcal{Q}_{AI\text{-}F}$ such that $ai_\ell = ai^*$ but $f_\ell \neq f^*$, output 0.
(iii) If $C^* \notin \mathcal{C}$, output 0.
(iv) Compute $t^* := H(C^*, ai^*) \in \mathcal{T}$ and $\kappa^* := \Lambda_{a^* \cdot hk + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$.
(v) Output $(\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot)$.

Denote the event that finalize outputs 1 by $\mathsf{Forge}$. According to the definition, $\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) = \Pr_0[\mathsf{Forge}]$.

Game $\mathsf{G}_1$. It is identical to $\mathsf{G}_0$, except that the following rule is added to the procedure finalize by the challenger:

(i) If $\exists (C_\ell, ai_\ell, t_\ell) \in \mathcal{Q}_{TAG}$ such that $t_\ell = t^*$ but $(C_\ell, ai_\ell) \neq (C^*, ai^*)$, output 0.

Since $t_\ell = H(C_\ell, ai_\ell)$ and $t^* = H(C^*, ai^*)$, any difference between $\mathsf{G}_0$ and $\mathsf{G}_1$ implies a hash collision of $H$. So $|\Pr_0[\mathsf{Forge}] - \Pr_1[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathrm{cr}}_{\mathcal{H}}(\lambda)$.

Game $\mathsf{G}_{1,j}$, $j \in [Q_e + 1]$. It is identical to $\mathsf{G}_1$, except that for the first $j - 1$ encrypt queries, that is, $\ell \in [j - 1]$, the challenger chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$ uniformly for the AE scheme.

Clearly $\mathsf{G}_{1,1}$ is identical to $\mathsf{G}_1$; thus $\Pr_1[\mathsf{Forge}] = \Pr_{1,1}[\mathsf{Forge}]$.

Game $\mathsf{G}'_{1,j}$, $j \in [Q_e]$. It is identical to $\mathsf{G}_{1,j}$, except that for the $j$th encrypt query the challenger samples $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$ lies in the distribution of $C_j$. In game $\mathsf{G}_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $\mathsf{G}'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS. We emphasize that the PPT adversary (simulator) is able to check the occurrence of $\mathsf{Forge}$ efficiently, because the key $hk$ can be chosen by the simulator itself. Consequently, the difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$ can be reduced to the subset membership problem smoothly.
10 Security and Communication Networks
Lemma 17. For all $j \in [Q_e]$, $|\Pr_{1,j}[\mathrm{Forge}] - \Pr'_{1,j}[\mathrm{Forge}]| \le \mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda)$.

Proof. To bound the difference between $G_{1,j}$ and $G'_{1,j}$ we build an efficient adversary $\mathcal{B}$ solving the subset membership problem. Given $(\mathsf{pars}_{\mathsf{THPS}}, C)$ with $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, $\mathcal{B}$ aims to distinguish $C \leftarrow_{\$} \mathcal{V}$ from $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

$\mathcal{B}$ simulates $G_{1,j}$ or $G'_{1,j}$ for $\mathcal{A}$. First, $\mathcal{B}$ invokes $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$, picks $H \leftarrow_{\$} \mathcal{H}$, sends $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, H)$ to $\mathcal{A}$, and chooses $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$.

For the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathrm{ai}_\ell, f_\ell)$ with $f_\ell = \langle a_\ell, \mathbf{b}_\ell\rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell\rangle$ as follows:
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell\rangle$ as in both $G_{1,j}$ and $G'_{1,j}$: it chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell\rangle$ as in both $G_{1,j}$ and $G'_{1,j}$: it chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := H(C_\ell, \mathrm{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell\cdot\mathsf{hk}+\mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ embeds its own challenge $C$ as $C_j := C$. Then it computes $t_j := H(C_j, \mathrm{ai}_j)$ and $\kappa_j := \Lambda_{a_j\cdot\mathsf{hk}+\mathbf{b}_j}(C_j, t_j)$, and invokes $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_j, m_j)$.
$\mathcal{B}$ returns the challenge ciphertext $\langle C_\ell, \chi_\ell\rangle$ to $\mathcal{A}$ and adds $(\mathrm{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell\rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathrm{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathrm{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.

Obviously $\mathcal{B}$ simulates $G_{1,j}$ in the case $C \leftarrow_{\$} \mathcal{V}$ and $G'_{1,j}$ in the case $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

Finally $\mathcal{A}$ sends a forgery $(\mathrm{ai}^*, f^*, \langle C^*, \chi^*\rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^*\rangle \in \mathcal{F}_{\mathrm{raff}}$. Then $\mathcal{B}$ decides whether finalize outputs 1 with the help of $\mathsf{hk}$:
(i) If $(\mathrm{ai}^*, f^*, \langle C^*, \chi^*\rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ outputs 0 (to its own challenger).
(ii) If $\exists (\mathrm{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai}_\ell = \mathrm{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ outputs 0.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ outputs 0.
(iv) $\mathcal{B}$ computes $t^* := H(C^*, \mathrm{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathrm{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathrm{ai}_\ell) \neq (C^*, \mathrm{ai}^*)$, $\mathcal{B}$ outputs 0.
(vi) $\mathcal{B}$ computes $\kappa^* := \Lambda_{a^*\cdot\mathsf{hk}+\mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$ and outputs $(\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot)$.
With the help of $\mathsf{hk}$, $\mathcal{B}$ perfectly simulates finalize as in both $G_{1,j}$ and $G'_{1,j}$. Moreover, $\mathcal{B}$ outputs 1 to its own challenger if and only if the event $\mathrm{Forge}$ occurs. As a result, $|\Pr_{1,j}[\mathrm{Forge}] - \Pr'_{1,j}[\mathrm{Forge}]| \le \mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS},\mathcal{B}}(\lambda)$.

Game $G''_{1,j}$, $j \in [Q_e]$. Identical to $G'_{1,j}$ except that for the $j$th encrypt query the challenger chooses $\kappa_j \leftarrow_{\$} \mathcal{K}$ uniformly.
Lemma 18. For all $j \in [Q_e]$, $\Pr'_{1,j}[\mathrm{Forge}] \le \Pr''_{1,j}[\mathrm{Forge}] + \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Proof. The difference between $G'_{1,j}$ and $G''_{1,j}$ lies in the computation of $\kappa_j$ in the $j$th encrypt query: in $G'_{1,j}$, $\kappa_j$ is computed properly; in $G''_{1,j}$, $\kappa_j$ is chosen from $\mathcal{K}$ uniformly.

We consider the information about the key $\mathsf{hk}$ that is used in $G'_{1,j}$:
(i) For the $\ell$th ($\ell \in [j-1]$) query, encrypt does not use $\mathsf{hk}$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$th ($\ell \in [j+1, Q_e]$) query, as in the proof of Lemma 16, encrypt can use $\mathsf{pk} = \mu(\mathsf{hk})$ to compute $\kappa_\ell$.
(iii) For the $j$th query, as in the proof of Lemma 16, encrypt uses $\Lambda_{\mathsf{hk}}(C_j, t_j)$ to compute $\kappa_j$:
$$\kappa_j = \Lambda_{a_j\cdot\mathsf{hk}+\mathbf{b}_j}(C_j, t_j) = \bigl(\Lambda_{\mathsf{hk}}(C_j, t_j)\bigr)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j), \qquad C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}, \tag{18}$$
via key-homomorphism.
(iv) The finalize procedure, which defines the event $\mathrm{Forge}$, uses $\Lambda_{\mathsf{hk}}(C^*, t^*)$ to compute $\kappa^*$:
$$\kappa^* = \Lambda_{a^*\cdot\mathsf{hk}+\mathbf{b}^*}(C^*, t^*) = \bigl(\Lambda_{\mathsf{hk}}(C^*, t^*)\bigr)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) \tag{19}$$
via key-homomorphism.

We divide the event $\mathrm{Forge}$ into the following two subevents.

(i) Subevent $\mathrm{Forge} \wedge t_j \neq t^*$. Let us first consider the event $t_j \neq t^*$. We show that
$$\Pr'_{1,j}[t_j \neq t^*] = \Pr''_{1,j}[t_j \neq t^*]. \tag{20}$$
By the fact that $C_j \in \mathcal{C} \setminus \mathcal{V}$ and by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then, as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also uniformly distributed over $\mathcal{K}$. Hence $G'_{1,j}$ is the same as $G''_{1,j}$ before $\mathcal{A}$ queries finalize, and consequently $t_j \neq t^*$ occurs with the same probability in $G'_{1,j}$ and $G''_{1,j}$.

Next we consider the event $\mathrm{Forge}$ conditioned on $t_j \neq t^*$. We show that
$$\Pr'_{1,j}[\mathrm{Forge} \mid t_j \neq t^*] = \Pr''_{1,j}[\mathrm{Forge} \mid t_j \neq t^*]. \tag{21}$$
Since $t_j \neq t^*$ and $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C^*, t^*)$. With a similar argument, $\kappa_j$ is also uniformly distributed over $\mathcal{K}$. Hence $G'_{1,j}$ is the same as $G''_{1,j}$ when $t_j \neq t^*$, and consequently the probability that $\mathrm{Forge}$ occurs in $G'_{1,j}$ and $G''_{1,j}$ conditioned on $t_j \neq t^*$ is the same.

In conclusion, we have
$$\Pr'_{1,j}[\mathrm{Forge} \wedge t_j \neq t^*] = \Pr''_{1,j}[\mathrm{Forge} \wedge t_j \neq t^*] \le \Pr''_{1,j}[\mathrm{Forge}]. \tag{22}$$

(ii) Subevent $\mathrm{Forge} \wedge t_j = t^*$. By the rule added in game $G_1$, $\mathrm{Forge} \wedge t_j = t^*$ implies $(C_j, \mathrm{ai}_j) = (C^*, \mathrm{ai}^*)$. In addition, $\mathrm{Forge} \wedge \mathrm{ai}_j = \mathrm{ai}^*$ implies $f_j = f^*$ due to the special rule in the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game (see Figure 4). Then it is straightforward to check that $\Lambda_{\mathsf{hk}}(C_j, t_j) = \Lambda_{\mathsf{hk}}(C^*, t^*)$ and
$$\kappa_j = \bigl(\Lambda_{\mathsf{hk}}(C_j, t_j)\bigr)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) = \bigl(\Lambda_{\mathsf{hk}}(C^*, t^*)\bigr)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) = \kappa^*. \tag{23}$$
Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ $(= \Lambda_{\mathsf{hk}}(C^*, t^*))$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then, as long as $a_j$ (which equals $a^*$) $\in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j$ (which equals $\kappa^*$) is also uniformly distributed over $\mathcal{K}$. Also, in this subevent $(\mathrm{ai}^*, f^*, C^*) = (\mathrm{ai}_j, f_j, C_j)$ implies $\chi^* \neq \chi_j$ (otherwise the forgery would lie in $\mathcal{Q}_{\mathrm{ENC}}$), thus the probability of $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$ is bounded by $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$. So we have the following claim; the full description of the reduction is given in Appendix A.

Claim 19. One has $\Pr'_{1,j}[\mathrm{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Combining the above two subevents, Lemma 18 follows.
Now we show that game $G''_{1,j}$ is computationally indistinguishable from game $G_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $G''_{1,j}$ and $G_{1,j+1}$ lies in the distribution of $C_j$ in the $j$th encrypt query: in game $G''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $G_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. As in Lemma 17, any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS, thus
$$|\Pr''_{1,j}[\mathrm{Forge}] - \Pr_{1,j+1}[\mathrm{Forge}]| \le \mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda).$$

Finally, in game $G_{1,Q_e+1}$ the challenger does not use $\mathsf{hk}$ to compute any $\kappa_\ell$, thus $\mathsf{hk}$ is uniformly random to $\mathcal{A}$. Consequently, in the finalize procedure we have
$$\kappa^* = \bigl(\Lambda_{\mathsf{hk}}(C^*, t^*)\bigr)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*). \tag{24}$$
By the extracting property of THPS, $\Lambda_{\mathsf{hk}}(C^*, t^*)$ is uniformly random over $\mathcal{K}$. Therefore, as long as $a^* \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa^*$ is uniformly random over $\mathcal{K}$ as well. Hence the probability of $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$ is bounded by $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$, and we have $\Pr_{1,Q_e+1}[\mathrm{Forge}] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

In all, we have proved the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security).
Remark 20. We emphasize that the special rule in the weak-INT-$\mathcal{F}$-RKA game (cf. Figure 4) plays an essential role in proving Lemma 18, for the following reason.

Without this special rule, the adversary is allowed to submit $f^* = \langle a^*, \mathbf{b}^*\rangle$ different from $f_j = \langle a_j, \mathbf{b}_j\rangle$ even if $\mathrm{ai}^* = \mathrm{ai}_j$ holds. In this case we cannot expect to employ the INT-OT security of the underlying AE scheme to show that the second subevent ($\mathrm{Forge} \wedge t_j = t^*$) occurs with only negligible probability. To demonstrate the problem clearly, suppose that the adversary $\mathcal{A}$ submits $f_j = \langle a_j, \mathbf{b}_j\rangle$ in the $j$th encrypt query and submits $f^* = \langle a^*, \mathbf{b}^*\rangle = \langle a_j, \mathbf{b}_j + \Delta\rangle$ in the finalize procedure, where $\Delta$ is a constant. Then we have
$$\kappa^* = \bigl(\Lambda_{\mathsf{hk}}(C_j, t_j)\bigr)^{a_j} \cdot \Lambda_{\mathbf{b}_j+\Delta}(C_j, t_j) = \bigl(\Lambda_{\mathsf{hk}}(C_j, t_j)\bigr)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \cdot \Lambda_{\Delta}(C_j, t_j) = \kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \tag{25}$$
where the second equality follows from the key-homomorphism of THPS. Thus $\kappa^*$ and $\kappa_j$ are closely related but may not be equal; in particular, the quotient $\kappa^*/\kappa_j$ $(= \Lambda_{\Delta}(C_j, t_j))$ is a constant.

Consequently it is hard for us to show that the subevent $\mathrm{Forge} \wedge t_j = t^*$ occurs with negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary $\mathcal{A}$ who obtains $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_j, m_j)$ in the $j$th encrypt query to generate an AE ciphertext $\chi^*$ satisfying $\mathsf{AE.Decrypt}(\kappa^*, \chi^*)$ $(= \mathsf{AE.Decrypt}(\kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \chi^*)) \neq \bot$, it seems that INT-RKA security of AE is required to some extent. We definitely cannot require INT-RKA security of the underlying AE scheme, since we are constructing the (weak) INT-RKA secure (AI)AE scheme AIAE in the first place. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT-$\mathcal{F}$-RKA game.
3.3. Tag-Based HPS from the DDH Assumption. Qin et al. [19] gave a construction of tag-based HPS from the $d$-LIN assumption. Here we construct a key-homomorphic $\mathsf{THPS}_{\mathrm{DDH}}$ under the DDH assumption, shown in Figure 6. With a routine check, the projective property of $\mathsf{THPS}_{\mathrm{DDH}}$ follows.

Figure 6: Construction of $\mathsf{THPS}_{\mathrm{DDH}}$.

$\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$:
    $(p, q, N, \bar N) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar N = 2N + 1$ is a prime.
    $g_1, g_2 \leftarrow_{\$} \mathbb{QR}_{\bar N}$.
    Output $\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2)$, which implicitly defines $(\mathcal{C}, \mathcal{V}, \mathcal{K}, \mathcal{HK}, \mathcal{PK}, \mathcal{T}, \Lambda_{(\cdot)}, \mu)$:
        $\mathcal{C} = \mathbb{QR}_{\bar N}^2 \setminus \{(1,1)\}$, $\mathcal{V} = \{(g_1^w, g_2^w) : w \in \mathbb{Z}_N \setminus \{0\}\}$, $\mathcal{K} = \mathbb{QR}_{\bar N}$, $\mathcal{HK} = (\mathbb{Z}_N)^4$, $\mathcal{PK} = \mathbb{QR}_{\bar N}^2$, $\mathcal{T} = \mathbb{Z}_N$;
        for $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$, $C = (c_1, c_2) \in \mathcal{C}$ and $t \in \mathcal{T}$: $\Lambda_{\mathsf{hk}}(C, t) = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t} \in \mathcal{K}$;
        for $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$: $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2},\; g_1^{k_3} g_2^{k_4}) \in \mathcal{PK}$.
$K \leftarrow \mathsf{THPS.Pub}(\mathsf{pk}, C, w, t)$:
    Parse $\mathsf{pk} = (h_1, h_2) \in \mathcal{PK}$. Output $K = h_1^{w} h_2^{wt}$.
$K \leftarrow \mathsf{THPS.Priv}(\mathsf{hk}, C, t)$:
    Parse $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$ and $C = (c_1, c_2) \in \mathcal{C}$. Output $K = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}$.

Theorem 21. $\mathsf{THPS}_{\mathrm{DDH}}$ in Figure 6 is universal$_2$, extracting and key-homomorphic. Moreover, the subset membership problem related to $\mathsf{THPS}_{\mathrm{DDH}}$ is hard under the DDH assumption for $\mathsf{GenN}$ and $\mathbb{QR}_{\bar N}$.

Proof of Theorem 21.

Universal$_2$. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, $C' = (g_1^{w'_1}, g_2^{w'_2}) \in \mathcal{C} \setminus \mathcal{V}$ and $t, t' \in \mathcal{T}$ with $t \neq t'$. For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$ we analyze the distribution of $\Lambda_{\mathsf{hk}}(C', t')$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$.

Denote $d := \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$. Firstly, $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + dk_2}, g_1^{k_3 + dk_4})$, which may leak the values of $k_1 + dk_2$ and $k_3 + dk_4$. Next,
$$\Lambda_{\mathsf{hk}}(C, t) = (g_1^{w_1})^{k_1 + k_3 t} \cdot (g_2^{w_2})^{k_2 + k_4 t} = g_1^{X}, \qquad X := (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4), \tag{26}$$
which may further leak the value of $X$. Similarly,
$$\Lambda_{\mathsf{hk}}(C', t') = (g_1^{w'_1})^{k_1 + k_3 t'} \cdot (g_2^{w'_2})^{k_2 + k_4 t'} = g_1^{Y}, \qquad Y := (w'_1 k_1 + w'_2 d k_2) + t' \cdot (w'_1 k_3 + w'_2 d k_4). \tag{27}$$
By the fact that $C' = (g_1^{w'_1}, g_2^{w'_2}) \notin \mathcal{V}$, we have $w'_1 \neq w'_2$. Then, as long as $t \neq t'$ (and the nonzero differences $w'_1 - w'_2$ and $t - t'$ are invertible modulo $N$, which fails only with negligible probability since $p$ and $q$ are large), $Y$ is independent of $k_1 + dk_2$, $k_3 + dk_4$ and $X$, and consequently $Y$ is uniformly distributed over $\mathbb{Z}_N$. Therefore, conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$, $\Lambda_{\mathsf{hk}}(C', t')$ $(= g_1^{Y})$ is uniformly distributed over $\mathcal{K} = \mathbb{QR}_{\bar N}$.

Extracting. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$ and $t \in \mathcal{T}$. For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$ we analyze the distribution of $\Lambda_{\mathsf{hk}}(C, t)$. By (26), $\Lambda_{\mathsf{hk}}(C, t) = g_1^{X}$ with $X = (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)$. Since $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, we have $(w_1, w_2) \neq (0, 0)$. Then, when $(k_1, k_2, k_3, k_4)$ is randomly chosen from $(\mathbb{Z}_N)^4$, $X$ is uniformly distributed over $\mathbb{Z}_N$. Consequently $\Lambda_{\mathsf{hk}}(C, t)$ is uniformly distributed over $\mathcal{K} = \mathbb{QR}_{\bar N}$.

Key-Homomorphism. For all $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$, all $a \in \mathbb{Z}$, all $\mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4$, all $C = (c_1, c_2) \in \mathcal{C}$ and all $t \in \mathcal{T}$, we have $a \cdot \mathsf{hk} + \mathbf{b} = a \cdot (k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) = (ak_1 + b_1, ak_2 + b_2, ak_3 + b_3, ak_4 + b_4)$. Then it follows that
$$\Lambda_{a\cdot\mathsf{hk}+\mathbf{b}}(C, t) = c_1^{(ak_1 + b_1) + (ak_3 + b_3)t} \cdot c_2^{(ak_2 + b_2) + (ak_4 + b_4)t} = \bigl(c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}\bigr)^{a} \cdot \bigl(c_1^{b_1 + b_3 t} c_2^{b_2 + b_4 t}\bigr) = \Lambda_{\mathsf{hk}}(C, t)^{a} \cdot \Lambda_{\mathbf{b}}(C, t). \tag{28}$$

Subset Membership Problem. The subset membership problem related to $\mathsf{THPS}_{\mathrm{DDH}}$ requires that $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\; C = (g_1^{w}, g_2^{w}))$ is computationally indistinguishable from $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\; C' = (g_1^{w_1}, g_2^{w_2}))$, where $C \leftarrow_{\$} \mathcal{V}$ and $C' \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$. This holds trivially under the DDH assumption for $\mathsf{GenN}$ and $\mathbb{QR}_{\bar N}$.
3.4. Instantiation $\mathsf{AIAE}_{\mathrm{DDH}}$ from DDH-Based $\mathsf{THPS}_{\mathrm{DDH}}$ and OT-Secure AE. When plugging $\mathsf{THPS}_{\mathrm{DDH}}$ (cf. Figure 6) into the paradigm in Figure 5, we immediately obtain an AIAE scheme $\mathsf{AIAE}_{\mathrm{DDH}}$ under the DDH assumption, as shown in Figure 7. The key space is $\mathcal{K}_{\mathsf{AIAE}} = (\mathbb{Z}_N)^4$.

Figure 7: Construction of $\mathsf{AIAE}_{\mathrm{DDH}}$ from AE and $\mathsf{THPS}_{\mathrm{DDH}}$.

$\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$:
    $(p, q, N, \bar N) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar N = 2N + 1$ is a prime.
    $g_1, g_2 \leftarrow_{\$} \mathbb{QR}_{\bar N}$; $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$; $H \leftarrow_{\$} \mathcal{H}$.
    Output $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathsf{pars}_{\mathsf{AE}}, H)$.
$\langle c_1, c_2, \chi\rangle \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}, m, \mathrm{ai})$:
    Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
    $w \leftarrow_{\$} \mathbb{Z}_N \setminus \{0\}$; $(c_1, c_2) = (g_1^{w}, g_2^{w}) \in \mathbb{QR}_{\bar N}^2$.
    $t = H(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathbb{QR}_{\bar N}$.
    $\chi \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa, m)$. Output $\langle c_1, c_2, \chi\rangle$.
$m/\bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \langle c_1, c_2, \chi\rangle, \mathrm{ai})$:
    Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
    If $(c_1, c_2) \notin \mathbb{QR}_{\bar N}^2$ or $(c_1, c_2) = (1, 1)$, output $\bot$.
    $t = H(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathbb{QR}_{\bar N}$.
    Output $\mathsf{AE.Decrypt}(\kappa, \chi)$.

By combining Theorem 15 with Theorem 21, we have the following corollary regarding the RKA security of $\mathsf{AIAE}_{\mathrm{DDH}}$.

Corollary 22. If (i) the DDH assumption holds for $\mathsf{GenN}$ and $\mathbb{QR}_{\bar N}$, (ii) AE is one-time secure, and (iii) $\mathcal{H}$ is collision-resistant, then the scheme $\mathsf{AIAE}_{\mathrm{DDH}}$ in Figure 7 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here
$$\mathcal{F}_{\mathrm{raff}} := \bigl\{ f_{(a,\mathbf{b})} : (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4 \mapsto (ak_1 + b_1, ak_2 + b_2, ak_3 + b_3, ak_4 + b_4) \in (\mathbb{Z}_N)^4 \;\big|\; a \in \mathbb{Z}_N^*,\; \mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4 \bigr\}.$$

Remark 23. Our $\mathsf{AIAE}_{\mathrm{DDH}}$ enjoys the following property: $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$ is uniformly distributed over $\mathbb{QR}_{\bar N}$ as long as any one element $k_j$ of $\mathbf{k} = (k_1, k_2, k_3, k_4)$ is uniformly chosen. As a result, the one-time security of AE guarantees that $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathrm{ai}) \neq \bot$ holds for an adversarially chosen $(\mathsf{aiae.c}, \mathrm{ai})$ only with probability at most $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda) \le \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. This fact will be used in the security proofs of the PKE schemes presented in Sections 4 and 5.
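The following is an added worked example, not the authors' code: a toy Python implementation of $\mathsf{THPS}_{\mathrm{DDH}}$ (Figure 6) and of $\mathsf{AIAE}_{\mathrm{DDH}}$ (Figure 7) built on it. It checks the projective property and the key-homomorphism identity (28) used in the proof of Theorem 21, runs the encryption and decryption of Figure 7, and computes the quotient $\kappa^*/\kappa_j = \Lambda_\Delta(C_j, t_j)$ of Remark 20 for a forgery that only shifts $\mathbf{b}$. The parameters $p = 7$, $q = 47$ ($N = 329$, $\bar N = 659$), the generators $4$ and $9$, the SHA-256 based hash $H$ and the stand-in one-time AE (SHA-256 keystream with an HMAC tag) are constructed assumptions for this example; the paper only requires some IND-OT and INT-OT secure AE, and nothing here is secure at this size.

```python
"""Toy THPS_DDH (Figure 6) and AIAE_DDH (Figure 7) over constructed parameters.

Added example, not the authors' code.  p = 7, q = 47 (N = 329, NBAR = 659) are
toy values and the one-time AE is a stand-in (SHA-256 keystream + HMAC tag);
the paper only assumes some IND-OT/INT-OT secure AE.  Nothing here is secure.
"""
import hashlib
import hmac
import random

P, Q = 7, 47           # safe primes: 7 = 2*3+1, 47 = 2*23+1
N = P * Q              # 329
NBAR = 2 * N + 1       # 659 is prime, so QR_NBAR is cyclic of order N
G1, G2 = 4, 9          # 2^2 and 3^2 mod 659, both of order N in QR_NBAR

def is_qr(x):
    """x in QR_NBAR iff x^N = 1 mod NBAR, since N = (NBAR - 1) / 2."""
    return 0 < x < NBAR and pow(x, N, NBAR) == 1

def lam(hk, C, t):
    """Lambda_hk(C, t) = c1^(k1 + k3 t) * c2^(k2 + k4 t) in QR_NBAR (Figure 6)."""
    k1, k2, k3, k4 = hk
    c1, c2 = C
    return pow(c1, (k1 + k3 * t) % N, NBAR) * pow(c2, (k2 + k4 * t) % N, NBAR) % NBAR

def mu(hk):
    """Projection pk = mu(hk) = (g1^k1 g2^k2, g1^k3 g2^k4)."""
    k1, k2, k3, k4 = hk
    return (pow(G1, k1, NBAR) * pow(G2, k2, NBAR) % NBAR,
            pow(G1, k3, NBAR) * pow(G2, k4, NBAR) % NBAR)

def thps_pub(pk, w, t):
    """THPS.Pub(pk, C, w, t) = h1^w h2^(wt) for C = (g1^w, g2^w) with witness w."""
    h1, h2 = pk
    return pow(h1, w, NBAR) * pow(h2, (w * t) % N, NBAR) % NBAR

def elem_V(w):
    """The element (g1^w, g2^w) of V, w in Z_N \\ {0}."""
    return (pow(G1, w, NBAR), pow(G2, w, NBAR))

def affine(hk, a, b):
    """RKA function f_(a,b): (k1..k4) -> (a k1 + b1, ..., a k4 + b4) over (Z_N)^4."""
    return tuple((a * k + bi) % N for k, bi in zip(hk, b))

def check_projective(hk, w, t):
    """Projective property: Priv and Pub agree on every C in V."""
    return lam(hk, elem_V(w), t) == thps_pub(mu(hk), w, t)

def check_key_homomorphism(hk, a, b, C, t):
    """Equation (28): Lambda_{a hk + b}(C,t) = Lambda_hk(C,t)^a * Lambda_b(C,t)."""
    rhs = pow(lam(hk, C, t), a, NBAR) * lam(b, C, t) % NBAR
    return lam(affine(hk, a, b), C, t) == rhs

def remark20_quotient(hk, a, b, delta, C, t):
    """Remark 20: with f* = <a, b + delta>, kappa*/kappa_j = Lambda_delta(C_j, t_j)."""
    kappa_j = lam(affine(hk, a, b), C, t)
    b_star = tuple((bi + di) % N for bi, di in zip(b, delta))
    kappa_star = lam(affine(hk, a, b_star), C, t)
    return kappa_star * pow(kappa_j, -1, NBAR) % NBAR == lam(delta, C, t)

def _ae_keys(kappa):
    """Stand-in AE: derive a MAC key and a 32-byte one-time keystream from kappa."""
    key = hashlib.sha256(b"toy-ae|" + str(kappa).encode()).digest()
    return key, hashlib.sha256(key + b"stream").digest()

def ae_encrypt(kappa, m):
    assert len(m) <= 32, "toy AE handles a single keystream block"
    key, ks = _ae_keys(kappa)
    ct = bytes(x ^ y for x, y in zip(m, ks))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()[:16]   # encrypt-then-MAC

def ae_decrypt(kappa, chi):
    key, ks = _ae_keys(kappa)
    ct, tag = chi[:-16], chi[-16:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest()[:16], tag):
        return None                                   # bottom: integrity failure
    return bytes(x ^ y for x, y in zip(ct, ks))

def H(c1, c2, ai):
    """Hash (c1, c2, ai) into the tag space T = Z_N (SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(f"{c1}|{c2}|".encode() + ai).digest(), "big") % N

def aiae_encrypt(k, m, ai, rng):
    """AIAE.Encrypt(k, m, ai) of Figure 7: fresh C in V, t = H(C, ai), kappa = Lambda_k(C, t)."""
    C = elem_V(rng.randrange(1, N))
    return C, ae_encrypt(lam(k, C, H(*C, ai)), m)

def aiae_decrypt(k, ct, ai):
    """AIAE.Decrypt: reject (c1, c2) outside QR_NBAR^2 or equal to (1, 1), then AE-decrypt."""
    C, chi = ct
    if not (is_qr(C[0]) and is_qr(C[1])) or C == (1, 1):
        return None
    return ae_decrypt(lam(k, C, H(*C, ai)), chi)

def demo(seed=7):
    """Encrypt under k; decrypt under k, under k with another ai, and under 3k + b."""
    rng = random.Random(seed)
    k = tuple(rng.randrange(N) for _ in range(4))
    C, chi = aiae_encrypt(k, b"entropy-filter", b"ai-1", rng)
    return {"k": k, "C": C,
            "plain": aiae_decrypt(k, (C, chi), b"ai-1"),
            "wrong_ai": aiae_decrypt(k, (C, chi), b"ai-2"),
            "related": aiae_decrypt(affine(k, 3, (1, 0, 2, 0)), (C, chi), b"ai-1")}
```

With the stand-in AE, decryption under a different $\mathrm{ai}$ or under the related key $3\mathbf{k} + \mathbf{b}$ fails exactly when the derived $\kappa$ differs from the one used at encryption; at this toy size the two values coincide with probability about $1/N$, which is the "negligible" term of the proofs made visible.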
4. PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security

Denote by $\mathsf{AIAE}_{\mathrm{DDH}} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ the DDH-based AIAE scheme in Figure 7, whose key space is $(\mathbb{Z}_N)^4$. Following the approach in Figure 1, we need two other building blocks:
KEM: to be compatible with this $\mathsf{AIAE}_{\mathrm{DDH}}$, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
$\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$ such that, after a computationally indistinguishable change, $\mathcal{E}.\mathsf{Encrypt}$ can serve as an entropy filter for the affine function set.

The proposed PKE scheme $\mathsf{PKE} = (\mathsf{ParGen}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$ is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.

The correctness of $\mathsf{PKE}$ is guaranteed by the correctness of $\mathsf{AIAE}_{\mathrm{DDH}}$, $\mathcal{E}$ and KEM.

Figure 8: Construction of $\mathsf{PKE}$ from $\mathsf{AIAE}_{\mathrm{DDH}}$. The shadowed parts of the figure (marked [KEM] and [$\mathcal{E}$] below) highlight the algorithms of KEM and $\mathcal{E}$. Here $p, q$ in $\mathsf{pars}_{\mathsf{AIAE}}$ are not provided in $\mathsf{pars}'_{\mathsf{AIAE}}$, since they are not used in $\mathsf{AIAE.Encrypt}$ and $\mathsf{AIAE.Decrypt}$ of $\mathsf{AIAE}_{\mathrm{DDH}}$. $\hat g_1, \hat g_2 \in \mathbb{QR}_{\bar N}$ denote the generators of $\mathsf{pars}_{\mathsf{AIAE}}$, distinct from $g_1, \ldots, g_5 \in \mathbb{SCR}_{N^s}$; $T = 1 + N$ and $\mathrm{dlog}_T$ is the discrete logarithm in $\mathbb{RU}_{N^s}$.

$\mathsf{pars} \leftarrow_{\$} \mathsf{ParGen}(1^\lambda)$:
    $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, \hat g_1, \hat g_2, \mathsf{pars}_{\mathsf{AE}}, H) \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$, where $N = pq$, $\bar N = 2N + 1$, $\hat g_1, \hat g_2 \in \mathbb{QR}_{\bar N}$.
    $\mathsf{pars}'_{\mathsf{AIAE}} = (N, \bar N, \hat g_1, \hat g_2, \mathsf{pars}_{\mathsf{AE}}, H)$.
    $g_1, g_2, g_3, g_4, g_5 \leftarrow_{\$} \mathbb{SCR}_{N^s}$.
    Output $\mathsf{pars} = (\mathsf{pars}'_{\mathsf{AIAE}}, g_1, g_2, g_3, g_4, g_5)$.
$(\mathsf{pk}, \mathsf{sk}) \leftarrow_{\$} \mathsf{KeyGen}(\mathsf{pars})$:
    $x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4 \leftarrow_{\$} [\lfloor N^2/4 \rfloor]$.
    $(h_1, h_2, h_3, h_4) = (g_1^{-x_1} g_2^{-y_1},\; g_2^{-x_2} g_3^{-y_2},\; g_3^{-x_3} g_4^{-y_3},\; g_4^{-x_4} g_5^{-y_4}) \bmod N^s$.
    $\mathsf{pk} = (h_1, h_2, h_3, h_4)$, $\mathsf{sk} = (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4)$. Output $(\mathsf{pk}, \mathsf{sk})$.
$\langle \mathrm{ai}, \mathsf{aiae.c}\rangle \leftarrow_{\$} \mathsf{Encrypt}(\mathsf{pk}, m)$:
    $(\mathbf{k}, \mathrm{ai}) \leftarrow_{\$} \mathsf{KEM.Encrypt}(\mathsf{pk})$; $\mathcal{E}.c \leftarrow_{\$} \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$; $\mathsf{aiae.c} \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}, \mathcal{E}.c, \mathrm{ai})$.
    Output $\langle \mathrm{ai}, \mathsf{aiae.c}\rangle$.
$m/\bot \leftarrow \mathsf{Decrypt}(\mathsf{sk}, \langle \mathrm{ai}, \mathsf{aiae.c}\rangle)$:
    $\mathbf{k}/\bot \leftarrow \mathsf{KEM.Decrypt}(\mathsf{sk}, \mathrm{ai})$; $\mathcal{E}.c/\bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathrm{ai})$; $m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}.c)$.
[KEM] $(\mathbf{k}, \mathrm{ai}) \leftarrow_{\$} \mathsf{KEM.Encrypt}(\mathsf{pk})$:
    $\mathbf{k} = (k_1, k_2, k_3, k_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$; $r \leftarrow_{\$} [\lfloor N/4 \rfloor]$.
    $(u_1, u_2, u_3, u_4, u_5) = (g_1^{r}, g_2^{r}, g_3^{r}, g_4^{r}, g_5^{r}) \bmod N^2$.
    $(e_1, e_2, e_3, e_4) = (h_1^{r} T^{k_1},\; h_2^{r} T^{k_2},\; h_3^{r} T^{k_3},\; h_4^{r} T^{k_4}) \bmod N^2$.
    $\mathrm{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. Output $(\mathbf{k}, \mathrm{ai})$.
[KEM] $\mathbf{k}/\bot \leftarrow \mathsf{KEM.Decrypt}(\mathsf{sk}, \mathrm{ai})$:
    Parse $\mathrm{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$.
    If $e_1 u_1^{x_1} u_2^{y_1},\; e_2 u_2^{x_2} u_3^{y_2},\; e_3 u_3^{x_3} u_4^{y_3},\; e_4 u_4^{x_4} u_5^{y_4} \in \mathbb{RU}_{N^2}$:
        $(k_1, k_2, k_3, k_4) = \bigl(\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}),\; \mathrm{dlog}_T(e_2 u_2^{x_2} u_3^{y_2}),\; \mathrm{dlog}_T(e_3 u_3^{x_3} u_4^{y_3}),\; \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})\bigr) \bmod N$. Output $\mathbf{k} = (k_1, k_2, k_3, k_4)$.
    Else output $\bot$.
[$\mathcal{E}$] $\mathcal{E}.c \leftarrow_{\$} \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$, $m \in [N^{s-1}]$:
    $r_1, r_2, r_3, r_4 \leftarrow_{\$} [\lfloor N/4 \rfloor]$.
    $(\tilde u_1, \ldots, \tilde u_8) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$.
    $e = h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^{m} \bmod N^s$; $t = \hat g_1^{m} \bmod \bar N$.
    $\mathcal{E}.c = (\tilde u_1, \ldots, \tilde u_8, e, t)$.
[$\mathcal{E}$] $m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}.c)$:
    Parse $\mathcal{E}.c = (\tilde u_1, \ldots, \tilde u_8, e, t)$.
    If $e\, \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4} \in \mathbb{RU}_{N^s}$:
        $m = \mathrm{dlog}_T(e\, \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4}) \bmod N^{s-1}$.
        If $t = \hat g_1^{m} \bmod \bar N$, output $m$; else output $\bot$.
    Else output $\bot$.

Theorem 24. If (i) the DCR assumption holds for $\mathsf{GenN}$ and $\mathbb{QR}_{N^s}$, (ii) $\mathsf{AIAE}_{\mathrm{DDH}}$ is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for $\mathsf{GenN}$ and $\mathbb{SCR}_{N^s}$, then the proposed scheme $\mathsf{PKE}$ in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.

Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security that queries the encrypt oracle at most $Q_e$ times and the decrypt oracle at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.

In the proof, $G_1$-$G_2$ deal with the $n$-user case; $G_3$-$G_4$ are used to eliminate the use of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^4$ in the encrypt oracle; the aim of $G_5$-$G_6$ is to use $(x_j, y_j)_{j=1}^4 \bmod N$ to hide a base key $\mathbf{k}^* = (k^*_1, \ldots, k^*_4)$ of $\mathsf{AIAE}_{\mathrm{DDH}}$ in the encrypt oracle; $G_7$-$G_8$ are used to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the decrypt oracle; in $G_9$-$G_{10}$ the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathsf{AIAE}_{\mathrm{DDH}}$ leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^* = (k^*_1, \ldots, k^*_4)$ is now perfectly concealed by $(x_j, y_j)_{j=1}^4 \bmod N$.

Game $G_0$. This is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta' = \beta$ by $\mathrm{Succ}$. By definition, $\mathsf{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathsf{PKE},\mathcal{A}}(\lambda) = |\Pr_0[\mathrm{Succ}] - 1/2|$.

For the $i$th user, $i \in [n]$, let $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ and $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key, respectively.

Game $G_1$. Identical to $G_0$ except for the way the decrypt query $(\langle \mathrm{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ is answered. More precisely, the challenger outputs $\bot$ if $\langle \mathrm{ai}, \mathsf{aiae.c}\rangle = \langle \mathrm{ai}_\ell, \mathsf{aiae.c}_\ell\rangle$ for some $\ell \in [Q_e]$, where $\langle \mathrm{ai}_\ell, \mathsf{aiae.c}_\ell\rangle$ is the challenge ciphertext of the $\ell$th encrypt query $(f_\ell, i_\ell)$.
Case 1 $\bigl((\langle \mathrm{ai}, \mathsf{aiae.c}\rangle, i) = (\langle \mathrm{ai}_\ell, \mathsf{aiae.c}_\ell\rangle, i_\ell)\bigr)$: decrypt outputs $\bot$ already in $G_0$, since $(\langle \mathrm{ai}_\ell, \mathsf{aiae.c}_\ell\rangle, i_\ell) \in \mathcal{Q}_{\mathrm{ENC}}$ is prohibited by decrypt.
Case 2 $\bigl(\langle \mathrm{ai}, \mathsf{aiae.c}\rangle = \langle \mathrm{ai}_\ell, \mathsf{aiae.c}_\ell\rangle$ but $i \neq i_\ell\bigr)$: We show that in $G_0$ decrypt outputs $\bot$ with overwhelming probability, because $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathbb{RU}_{N^2}$. Recall that $u_{\ell,1} = g_1^{r_\ell}$, $u_{\ell,2} = g_2^{r_\ell}$ and $e_{\ell,1} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}}$, so
$$e_{\ell,1}\, u_{\ell,1}^{x_{i,1}}\, u_{\ell,2}^{y_{i,1}} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}} \cdot (g_1^{r_\ell})^{x_{i,1}} (g_2^{r_\ell})^{y_{i,1}} = \bigl(h_{i_\ell,1} h_{i,1}^{-1}\bigr)^{r_\ell} T^{k_{\ell,1}} \bmod N^2, \tag{29}$$
where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$th and $i$th user, respectively, and are uniformly random over $\mathbb{SCR}_{N^s}$. So $h_{i_\ell,1} h_{i,1}^{-1} \neq 1$, hence $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathbb{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus $G_0$ and $G_1$ are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$ by the union bound, and $|\Pr_0[\mathrm{Succ}] - \Pr_1[\mathrm{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.
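As an added example (not the authors' code), the KEM and $\mathcal{E}$ algorithms of Figure 8 with $s = 2$, in Python, over the toy modulus $N = 7 \cdot 47$ with $T = 1 + N$, $\mathbb{RU}_{N^2} = \{1 + aN\}$ and $\mathrm{dlog}_T(1 + aN) = a$; the AIAE layer is left out. The demo encapsulates under user 1's public key and decapsulates under both users' secret keys, reproducing equation (29): under the wrong key the $j$th check value equals $(h_{1,j} h_{2,j}^{-1})^{r} T^{k_j}$, which lies in $\mathbb{RU}_{N^2}$ only if the $\mathbb{SCR}_{N^2}$ factor is 1. The parameters, the seeded randomness, the element of $\mathbb{SCR}_{N^2}$ used as $\hat g_1$'s counterpart for the tag (here $\hat g_1 = 4 \in \mathbb{QR}_{659}$) and the message are constructed; at this size the "negligible" events are merely rare, so the demo reports the SCR factor explicitly instead of assuming it is nontrivial.

```python
"""Toy KEM and E of Figure 8 (the shadowed parts), s = 2, over constructed parameters.

Added example, not the authors' code.  N = 7 * 47 = 329 (p, q safe primes),
NBAR = 659 prime, g_hat1 = 4 of order N in QR_NBAR.  Insecure at this size; it
only exercises the encapsulation/decapsulation algebra and equation (29).
"""
import random

P, Q = 7, 47
N = P * Q                    # 329
N2 = N * N                   # s = 2: KEM and E both work in Z_{N^2}
NBAR = 2 * N + 1             # 659, prime
G_HAT1 = 4                   # generator of QR_NBAR used for the tag t = g_hat1^m mod NBAR
T = 1 + N                    # T^a = 1 + aN mod N^2, so RU_{N^2} = {T^a : a in Z_N}

def in_RU(v):
    """v in RU_{N^2} iff v = 1 mod N."""
    return v % N == 1

def dlog_T(v):
    """dlog_T(v) for v = 1 + aN in RU_{N^2}."""
    return (v - 1) // N % N

def gen_SCR(rng):
    """Random element of SCR_{N^2} = {x^(2N) : x in Z*_{N^2}}, a group of order p'q' = 69."""
    while True:
        x = rng.randrange(2, N2)
        if x % P and x % Q:                 # x coprime to N
            return pow(x, 2 * N, N2)

def par_gen(seed=1):
    rng = random.Random(seed)
    return [gen_SCR(rng) for _ in range(5)], rng          # g1..g5 and the RNG

def key_gen(g, rng):
    """sk = (x1, y1, ..., x4, y4), pk: h_j = g_j^-x_j * g_{j+1}^-y_j mod N^2."""
    sk = [rng.randrange(1, N2 // 4 + 1) for _ in range(8)]
    pk = [pow(g[j], -sk[2 * j], N2) * pow(g[j + 1], -sk[2 * j + 1], N2) % N2 for j in range(4)]
    return pk, sk

def kem_encrypt(g, pk, rng):
    """KEM.Encrypt: u_j = g_j^r, e_j = h_j^r T^k_j.  Also returns r for the demo."""
    k = [rng.randrange(N) for _ in range(4)]
    r = rng.randrange(1, N // 4 + 1)
    u = [pow(gj, r, N2) for gj in g]                                   # u1..u5
    e = [pow(pk[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]  # e1..e4
    return k, (u, e), r

def kem_decrypt(sk, ai):
    """KEM.Decrypt: e_j u_j^x_j u_{j+1}^y_j must land in RU_{N^2}; then k_j = dlog_T."""
    u, e = ai
    k = []
    for j in range(4):
        v = e[j] * pow(u[j], sk[2 * j], N2) * pow(u[j + 1], sk[2 * j + 1], N2) % N2
        if not in_RU(v):
            return None                      # bottom: the SCR blinding did not cancel
        k.append(dlog_T(v))
    return k

def e_encrypt(g, pk, m, rng):
    """E.Encrypt for m in [N^(s-1)] = [N]: pairs (g_j^r_j, g_{j+1}^r_j), e = prod h_j^r_j T^m, tag t."""
    assert 0 <= m < N
    rs = [rng.randrange(1, N // 4 + 1) for _ in range(4)]
    u = []
    for j in range(4):
        u += [pow(g[j], rs[j], N2), pow(g[j + 1], rs[j], N2)]
    e = pow(T, m, N2)
    for j in range(4):
        e = e * pow(pk[j], rs[j], N2) % N2
    return u, e, pow(G_HAT1, m, NBAR)

def e_decrypt(sk, ct):
    """E.Decrypt: strip the blinding with sk, check RU membership and the tag."""
    u, e, t = ct
    v = e
    for j in range(4):
        v = v * pow(u[2 * j], sk[2 * j], N2) * pow(u[2 * j + 1], sk[2 * j + 1], N2) % N2
    if not in_RU(v):
        return None
    m = dlog_T(v)
    return m if pow(G_HAT1, m, NBAR) == t else None

def demo(seed=3):
    """Two users; decapsulate user 1's ai under both keys (Case 2 of game G_1)."""
    g, rng = par_gen(seed)
    pk1, sk1 = key_gen(g, rng)
    pk2, sk2 = key_gen(g, rng)
    k, ai, r = kem_encrypt(g, pk1, rng)
    m = 12345 % N
    ct = e_encrypt(g, pk1, m, rng)
    # Equation (29): under sk2 the j-th check value is (h_{1,j} / h_{2,j})^r T^k_j, which
    # is in RU_{N^2} only if the SCR factor (h_{1,j} / h_{2,j})^r equals 1.
    trivial = all(pow(pk1[j] * pow(pk2[j], -1, N2), r, N2) == 1 for j in range(4))
    return {"k": k, "own": kem_decrypt(sk1, ai), "cross": kem_decrypt(sk2, ai),
            "ratios_trivial": trivial, "m": m, "m_dec": e_decrypt(sk1, ct)}
```

Note that `kem_decrypt` rejects as soon as one of the four check values leaves $\mathbb{RU}_{N^2}$, exactly as Figure 8 does; the real scheme's "overwhelming probability" in (29) becomes a $1/69$-sized event here because $\mathbb{SCR}_{N^2}$ has order $p'q' = 3 \cdot 23$.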
Game G2 It is identical to G1 except the way the challengersamples the secret keys sk119894 = (1199091198941 1199101198941 1199091198944 1199101198944) 119894 isin [119899]In game G2 the challenger first chooses (1199091 1199101 1199094 1199104)and (1199091198941 1199101198941 1199091198944 1199101198944) randomly from [lfloor11987324rfloor] nextit computes (1199091198941 1199101198941 1199091198944 1199101198944) fl (1199091 1199101 1199094 1199104) +(1199091198941 1199101198941 1199091198944 1199101198944) mod lfloor11987324rfloor for 119894 isin [119899]
Obviously the secret keys sk119894 = (1199091198941 1199101198941 1199091198944 1199101198944)are uniformly distributed Hence G2 is identical to G1 andPr1[Succ] = Pr2[Succ]Game G3 It is identical to G2 except the way the chal-lenger responds to the ℓth (ℓ isin [119876119890]) encrypt query(119891ℓ 119894ℓ) In game G3 instead of using the public key pk119894ℓ =(ℎ119894ℓ 1 ℎ119894ℓ 4) the challenger uses the secret key sk119894ℓ =(119909119894ℓ 1 119910119894ℓ 1 119909119894ℓ 4 119910119894ℓ 4) to prepare (119890ℓ1 119890ℓ4) and 119890ℓ inthe following way
(i)
(119890ℓ1 119890ℓ4)fl (119906minus119909119894ℓ 1ℓ1 119906minus119910119894ℓ 1ℓ2 119879119896ℓ1 119906minus119909119894ℓ 4ℓ4 119906minus119910119894ℓ 4ℓ5 119879119896ℓ4)
mod1198732(30)
(ii)
119890ℓfl minus119909119894ℓ 1ℓ1 minus119910119894ℓ 1ℓ2 minus119909119894ℓ 2ℓ3 minus119910119894ℓ 2ℓ4 minus119909119894ℓ 3ℓ5 minus119910119894ℓ 3ℓ6 minus119909119894ℓ 4ℓ7 minus119910119894ℓ 4ℓ8 119879119898120573
mod119873119904 (31)
Note that for 119895 isin [4]119890ℓ119895 G2= ℎ119903ℓ119894ℓ 119895119879119896ℓ119895 = (119892minus119909119894ℓ 119895119895 119892minus119910119894ℓ 119895119895+1 )119903ℓ 119879119896ℓ119895
G3= 119906minus119909119894ℓ 119895ℓ119895 119906minus119910119894ℓ 119895ℓ119895+1119879119896ℓ119895 mod1198732
Security and Communication Networks 15
Table 2 Brief description of the security proof of Theorem 24
Changes between adjacent games AssumptionsG0 The original 119899-KDM-CCA security game mdashG1 decrypt reject if ⟨ai aiaec⟩ = ⟨aiℓ aiaecℓ⟩ for some ℓ isin [119876119890] G0 asymp119904 G1
G2
initialize sample secret keys with(1199091198941 1199101198941 1199091198944 1199101198944) = (1199091 1199101 1199094 1199104) + (1199091198941 1199101198941 119909i4 1199101198944) G1 = G2
G3 encrypt(119891ℓ 119894ℓ) use the secret keys to run KEMEncrypt and EEncrypt G2 = G3
G4
encrypt(119891ℓ 119894ℓ) when encrypt oracle encrypts affine function of secret keysEc iscomputed with (ℓ119895)119895isin[8] = (119892119903ℓ11 1198791205751 119892119903ℓ45 1198791205758 ) instead of (119892119903ℓ11 119892119903ℓ45 )encrypt does not use (119909119895 119910119895)4119895=1 mod119873 any more if (120575119895)119895isin[8] is carefully chosen G3 asymp119888 G4 by IV5
G5
encrypt(119891ℓ 119894ℓ) kemct (= ai) of KEMEncrypt is computed with(119906ℓ119895)119895isin[5] = ((119892119903lowast119895 119879120572119895 )119903ℓ )119895isin[5] instead of (119892119903ℓ119895 )119895isin[5]Now KEMEncrypt encapsulates four keys (119896ℓ119895 minus 119903ℓ sdot (120572119895119909119894119895 + 120572119895+1119910119894119895))4119895=1 mod119873 but(119896ℓ119895)4119895=1 is the key used in AIAEEncrypt
G4 asymp119888 G5 by IV5
G6
encrypt(119891ℓ 119894ℓ) sample 119896ℓ119895 fl 119903ℓ119896lowast119895 + 119904ℓ119895 for 119895 isin [4]Now KEMEncrypt encapsulates four keys(119903ℓ(119896lowast119895 minus 120572119895119909119895 minus 120572119895+1119910119895) minus 119903ℓ(120572119895119909119894119895 + 120572119895+1119910119894119895) + 119904ℓ119895)4119895=1 but (119903ℓ119896lowast119895 + 119904ℓ119895)4119895=1 is the key usedin AIAEEncrypt
G5 = G6
G7 decrypt use 120601(119873) and secret keys to answer decryption queries G6 = G7
G8
decrypt add an additional rejection rule Reject ifBad1015840 = (exist119906119895 notin SCR1198732 ) orBad = (forall119906119895 isin SCR1198732 ) and (exist119895 notin SCR119873119904 ) happensBad1015840 and Bad can be detected by using 120601(119873) Now only the (mod120601(119873)4) part ofsecret keys and 120601(119873) are used in decryptThe randomness of (120572119895119909119895 + 120572119895+1119910119895)4119895=1 mod119873 perfectly hides (119896lowast1 119896lowast4 ) in encryptthus (119896lowast1 119896lowast4 ) is uniform(119903ℓ119896lowast119895 + 119904ℓ119895)4119895=1 is the key used in AIAEEncryptBad1015840 may lead to a fresh successful forgery for AIAEDDH
G7 = G8 if neither Bad1015840 nor
Bad happensPr[Bad1015840] = negl due to weakINT-Fraff -RKA security of
AIAEDDH
G9
initialize sample an independent random tuple (119896lowast1 119896lowast4 )encrypt(119891ℓ 119894ℓ) use (119903ℓ119896lowast119895 + 119904ℓ119895)4119895=1 in AIAEEncrypt G8 = G9 to the adversary
G10
encrypt encrypt zeros instead of the affine function of secret keysBad happens with negligible probability since 119905 = 1198921198981 mod119873 in decryptAdversaryA wins with probability 12
G9 asymp119888 G10 by IND-Fraff -RKAsecurity of AIAEDDH
Pr[Bad] = negl
119890ℓ G2= ℎ119903ℓ1119894ℓ 1 sdot sdot sdot ℎ119903ℓ4119894ℓ 4119879119898120573
= (119892minus119909119894ℓ 11 119892minus119910119894ℓ 12 )119903ℓ1 sdot sdot sdot (119892minus119909119894ℓ 44 119892minus119910119894ℓ 45 )119903ℓ4 119879119898120573
G3= minus119909119894ℓ 1ℓ1 minus119910119894ℓ 1ℓ2 sdot sdot sdot minus119909119894ℓ 4ℓ7 minus119910119894ℓ 4ℓ8 119879119898120573 mod119873119904(32)
Thus G3 is the same as G2 and Pr2[Succ] = Pr3[Succ]Game G4 It is identical to G3 except the way the challengerresponds to the ℓth (ℓ isin [119876119890]) encrypt query (119891ℓ 119894ℓ) Ingame G4 in the case of 120573 = 1 (ℓ1 ℓ8) and 119890ℓ arecomputed without the use of (1199091 1199101 1199094 1199104) mod119873
(i)
$$\begin{aligned}
({}_{\ell,1}, \ldots, {}_{\ell,8}) := \big(&g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}}, \\
&g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\big) \bmod N^s
\end{aligned} \tag{33}$$

(ii)
$$e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}}\, T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \bmod N^s \tag{34}$$

where $f_\ell = \big((a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4})_{i \in [n]}, c\big) \in \mathcal{F}_{\mathrm{aff}}$. Note that
$$\begin{aligned}
e_\ell &\overset{\text{G4}}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \\
&= \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \\
&= \prod_{j=1}^4 \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j}\right)} \\
&= \prod_{j=1}^4 \big(g_j^{r_{\ell,j}} T^{\sum_{i=1}^n a_{i,j}}\big)^{-x_{i_\ell,j}} \big(g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^n b_{i,j}}\big)^{-y_{i_\ell,j}} \cdot T^{m_1} \\
&= {}_{\ell,1}^{-x_{i_\ell,1}}\, {}_{\ell,2}^{-y_{i_\ell,1}} \cdots {}_{\ell,7}^{-x_{i_\ell,4}}\, {}_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_1} \bmod N^s
\end{aligned} \tag{35}$$

where the third equality follows from $m_1 = \sum_{i=1}^n \left(a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}\right) + c$.
We analyze the difference between G3 and G4 via the following lemma.

Lemma 25. One has $|\Pr_3[\mathrm{Succ}] - \Pr_4[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $e_\ell$ is computed from $({}_{\ell,1}, \ldots, {}_{\ell,8})$ is the same in G3 and G4. Therefore the only divergence between G3 and G4 lies in $({}_{\ell,1}, \ldots, {}_{\ell,8})$.

We show that any difference between G3 and G4 results in a PPT adversary $\mathcal{B}_1$ solving the IV$_5$ problem. $\mathcal{B}_1$ is provided with $(N, g_1, \ldots, g_5)$ and has access to its $\mathrm{chal}^{\mathrm{IV5}}_b$ oracle. $\mathcal{B}_1$ simulates game G3 or game G4 for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares pars and generates $(\mathrm{pk}_i, \mathrm{sk}_i)$, $i \in [n]$, as in G3 and G4. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = \big((a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4})_{i \in [n]}, c\big) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathrm{chal}^{\mathrm{IV5}}_b$ oracle with
$$\Big(\sum_{i=1}^n a_{i,1}, \sum_{i=1}^n b_{i,1}, *, *, *\Big),\ \Big(*, \sum_{i=1}^n a_{i,2}, \sum_{i=1}^n b_{i,2}, *, *\Big),\ \Big(*, *, \sum_{i=1}^n a_{i,3}, \sum_{i=1}^n b_{i,3}, *\Big),\ \Big(*, *, *, \sum_{i=1}^n a_{i,4}, \sum_{i=1}^n b_{i,4}\Big),$$
where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $({}_{\ell,1}, {}_{\ell,2}, *, *, *)$, $(*, {}_{\ell,3}, {}_{\ell,4}, *, *)$, $(*, *, {}_{\ell,5}, {}_{\ell,6}, *)$, $(*, *, *, {}_{\ell,7}, {}_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathrm{chal}^{\mathrm{IV5}}_b$ oracle, $({}_{\ell,1}, \ldots, {}_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $\big(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}}\big)$.

Case 2 ($b = 1$): $\big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\big)$.

Next, $\mathcal{B}_1$ uses the obtained $({}_{\ell,1}, \ldots, {}_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$ since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event Succ occurs.

In Case 1, $\mathcal{B}_1$ simulates game G3 perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game G4 perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathrm{Succ}]$ and $\Pr_4[\mathrm{Succ}]$ results in $\mathcal{B}_1$'s advantage over the IV$_5$ problem. Thus Lemma 25 follows.
Game G5. It is identical to G4 except for the following differences. In the initialize procedure of game G5, the challenger picks $r^* \leftarrow_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \ldots, \alpha_5 \leftarrow_\$ \mathbb{Z}_N$ randomly. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \ldots, u_{\ell,5})$ as follows:

(i) $(u_{\ell,1}, \ldots, u_{\ell,5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$.

The only difference between G4 and G5 is the distribution of $(u_{\ell,1}, \ldots, u_{\ell,5})$. In game G4, $(u_{\ell,1}, \ldots, u_{\ell,5}) = (g_1^{r_\ell}, \ldots, g_5^{r_\ell}) \bmod N^2$, while in game G5, $(u_{\ell,1}, \ldots, u_{\ell,5}) = \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$. Just like Lemma 25, any difference between G4 and G5 results in a PPT adversary solving the IV$_5$ problem by invoking $\mathcal{A}$. Therefore $|\Pr_4[\mathrm{Succ}] - \Pr_5[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.
Game G6. It is identical to G5 except for the following differences. In the initialize procedure of game G6, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \ldots, e_{\ell,4})$ in a different way:

(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_\$ (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \ldots, r_\ell k^*_4 + s_{\ell,4})$.

(ii)
$$(e_{\ell,1}, \ldots, e_{\ell,4}) := \Big(h_{i_\ell,1}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}},\ \ldots,\ h_{i_\ell,4}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\Big) \tag{36}$$

Clearly $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game G5. In the meantime, for $j \in [4]$ we have
$$\begin{aligned}
e_{\ell,j} &\overset{\text{G5}}{=} u_{\ell,j}^{-x_{i_\ell,j}}\, u_{\ell,j+1}^{-y_{i_\ell,j}}\, T^{k_{\ell,j}} \\
&= \big(g_j^{r^*} T^{\alpha_j}\big)^{-r_\ell \cdot x_{i_\ell,j}} \big(g_{j+1}^{r^*} T^{\alpha_{j+1}}\big)^{-r_\ell \cdot y_{i_\ell,j}}\, T^{k_{\ell,j}} \\
&= \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r^* r_\ell}\, T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \\
&\overset{\text{G6}}{=} h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2
\end{aligned} \tag{37}$$

Thus G6 is the same as G5 and $\Pr_5[\mathrm{Succ}] = \Pr_6[\mathrm{Succ}]$.

Game G7. It is identical to G6 except for the way the challenger answers the decrypt oracle queries $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$. In game G7, it uses $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathrm{ai}, \mathrm{aiae.c} \rangle$, where $\mathrm{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \ldots, k_4)$ and $m$ in the following way:
(i)
$$\begin{aligned}
(\alpha'_1, \ldots, \alpha'_5) &:= \Big(\frac{\operatorname{dlog}_T\big(u_1^{\phi(N)}\big)}{\phi(N)}, \ldots, \frac{\operatorname{dlog}_T\big(u_5^{\phi(N)}\big)}{\phi(N)}\Big) \bmod N, \\
(\gamma'_1, \ldots, \gamma'_4) &:= \Big(\frac{\operatorname{dlog}_T\big(e_1^{\phi(N)}\big)}{\phi(N)}, \ldots, \frac{\operatorname{dlog}_T\big(e_4^{\phi(N)}\big)}{\phi(N)}\Big) \bmod N, \\
\mathbf{k} = (k_1, \ldots, k_4) &:= \big(\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1,\ \ldots,\ \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4\big) \bmod N
\end{aligned} \tag{38}$$

(ii)
$$\mathrm{E.c} = ({}_1, \ldots, {}_8, e, t)\ /\ \bot \leftarrow \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \tag{39}$$

(iii)
$$\begin{aligned}
({}_1, \ldots, {}_8) &:= \Big(\frac{\operatorname{dlog}_T\big({}_1^{\phi(N)}\big)}{\phi(N)}, \ldots, \frac{\operatorname{dlog}_T\big({}_8^{\phi(N)}\big)}{\phi(N)}\Big) \bmod N^{s-1}, \\
\gamma &:= \frac{\operatorname{dlog}_T\big(e^{\phi(N)}\big)}{\phi(N)} \bmod N^{s-1}, \\
m &:= {}_1 x_{i,1} + {}_2 y_{i,1} + {}_3 x_{i,2} + {}_4 y_{i,2} + {}_5 x_{i,3} + {}_6 y_{i,3} + {}_7 x_{i,4} + {}_8 y_{i,4} + \gamma \bmod N^{s-1}
\end{aligned} \tag{40}$$

According to (8), for $j \in [4]$ we have that
$$\begin{aligned}
k_j &\overset{\text{G6}}{=} \operatorname{dlog}_T\big(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}}\big) = \frac{\operatorname{dlog}_T\big((e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)}\big)}{\phi(N)} \bmod N \\
&= \frac{\operatorname{dlog}_T\big(u_j^{\phi(N) \cdot x_{i,j}}\big)}{\phi(N)} + \frac{\operatorname{dlog}_T\big(u_{j+1}^{\phi(N) \cdot y_{i,j}}\big)}{\phi(N)} + \frac{\operatorname{dlog}_T\big(e_j^{\phi(N)}\big)}{\phi(N)} \\
&\overset{\text{G7}}{=} \underbrace{\frac{\operatorname{dlog}_T\big(u_j^{\phi(N)}\big)}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\operatorname{dlog}_T\big(u_{j+1}^{\phi(N)}\big)}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\operatorname{dlog}_T\big(e_j^{\phi(N)}\big)}{\phi(N)}}_{\gamma'_j}, \\
m &\overset{\text{G6}}{=} \operatorname{dlog}_T\big(e\, {}_1^{x_{i,1}} {}_2^{y_{i,1}} {}_3^{x_{i,2}} {}_4^{y_{i,2}} {}_5^{x_{i,3}} {}_6^{y_{i,3}} {}_7^{x_{i,4}} {}_8^{y_{i,4}}\big) \bmod N^{s-1} \\
&\overset{\text{G7}}{=} \underbrace{\frac{\operatorname{dlog}_T\big({}_1^{\phi(N)}\big)}{\phi(N)}}_{{}_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\operatorname{dlog}_T\big({}_8^{\phi(N)}\big)}{\phi(N)}}_{{}_8} \cdot y_{i,4} + \underbrace{\frac{\operatorname{dlog}_T\big(e^{\phi(N)}\big)}{\phi(N)}}_{\gamma}
\end{aligned} \tag{41}$$
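The $\phi(N)$-based decryption of (38) and (41) can be checked concretely. The following Python is an added example, not code from the paper: it assumes a toy modulus built from two constructed small primes, and checks that the G7 formula agrees with the G6 formula on an honest ciphertext component, that it yields the $T$-exponent $\alpha'_j$ of a $u_j \notin \mathrm{SCR}_{N^2}$ (the value on which G8's rejection rule fires), and that it still returns a value where the G6 formula is undefined.

```python
import math
import random

# Constructed toy parameters (not the paper's): two small primes so the Z_{N^2}
# arithmetic is visible. A real instance uses a full-size RSA modulus.
P_PRIME, Q_PRIME = 1019, 1031
N = P_PRIME * Q_PRIME
N2 = N * N
PHI = (P_PRIME - 1) * (Q_PRIME - 1)   # phi(N) = (p-1)(q-1), the trapdoor decrypt uses in G7
T = 1 + N                             # T^a = 1 + aN (mod N^2), so T generates RU_{N^2}


def dlog_T(z):
    """dlog_T(z) for z in RU_{N^2} = {T^a}: from T^a = 1 + aN (mod N^2), a = (z - 1) / N.
    Raises ValueError when z is not in RU_{N^2}, i.e. when it still has an SCR_{N^2} factor."""
    if z % N != 1:
        raise ValueError("not in RU_{N^2}")
    return ((z - 1) // N) % N


def random_scr_element(rng):
    """Random element of SCR_{N^2}: a 2N-th power of a random unit; its order divides phi(N)/4."""
    while True:
        w = rng.randrange(2, N2)
        if math.gcd(w, N) == 1:
            return pow(w, 2 * N, N2)


def t_exponent_via_phi(z):
    """dlog_T(z^{phi(N)}) / phi(N) mod N as in (38). Raising to phi(N) kills any SCR_{N^2}
    factor of z and leaves T^{a*phi(N)}, whose dlog is a*phi(N) mod N; since
    gcd(phi(N), N) = 1 the division by phi(N) is a modular inverse."""
    a_times_phi = dlog_T(pow(z, PHI, N2))
    return a_times_phi * pow(PHI, -1, N) % N


def key_share_g6(e, u_j, u_j1, x, y):
    """k_j as decrypt computes it up to G6 (cf. (8)): dlog_T(e_j u_j^x u_{j+1}^y).
    Only defined when that product lies in RU_{N^2}."""
    return dlog_T(e * pow(u_j, x, N2) * pow(u_j1, y, N2) % N2)


def key_share_g7(e, u_j, u_j1, x, y):
    """k_j as G7 computes it with phi(N), eqs. (38) and (41): alpha'_j x + alpha'_{j+1} y + gamma'_j."""
    alpha_j, alpha_j1, gamma_j = (t_exponent_via_phi(z) for z in (u_j, u_j1, e))
    return (alpha_j * x + alpha_j1 * y + gamma_j) % N


def demo(seed=7):
    rng = random.Random(seed)
    g_j, g_j1 = random_scr_element(rng), random_scr_element(rng)
    x, y = rng.randrange(N), rng.randrange(N)       # one (x_{i,j}, y_{i,j}) pair of sk_i
    r, k = rng.randrange(N // 4), rng.randrange(N)  # KEM randomness and the key share k_j

    # Honest component: u_j = g_j^r, u_{j+1} = g_{j+1}^r, e_j = u_j^{-x} u_{j+1}^{-y} T^{k_j}
    u_j, u_j1 = pow(g_j, r, N2), pow(g_j1, r, N2)
    e = pow(u_j, -x, N2) * pow(u_j1, -y, N2) * pow(T, k, N2) % N2
    honest = (key_share_g6(e, u_j, u_j1, x, y), key_share_g7(e, u_j, u_j1, x, y))

    # u_j, u_{j+1} with T-components: no longer in SCR_{N^2}, so alpha'_j != 0.
    # This is exactly what G8's added rejection rule tests for.
    a_j, a_j1 = 5, 11
    alphas = (t_exponent_via_phi(u_j * pow(T, a_j, N2) % N2),
              t_exponent_via_phi(u_j1 * pow(T, a_j1, N2) % N2))

    # e_j with a stray SCR_{N^2} factor s (s != 1 mod N): e_j u_j^x u_{j+1}^y is outside
    # RU_{N^2}, so the G6 formula is undefined while the G7 formula still returns k_j.
    s = random_scr_element(rng)
    while s % N == 1:
        s = random_scr_element(rng)
    e_bad = s * e % N2
    try:
        key_share_g6(e_bad, u_j, u_j1, x, y)
        g6_undefined = False
    except ValueError:
        g6_undefined = True
    return {"honest": honest, "k": k, "alphas": alphas, "expected_alphas": (a_j, a_j1),
            "g6_undefined": g6_undefined, "g7_on_bad_e": key_share_g7(e_bad, u_j, u_j1, x, y)}
```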
Hence G7 is essentially the same as G6 and $\Pr_6[\mathrm{Succ}] = \Pr_7[\mathrm{Succ}]$.

Game G8. It is identical to G7 except for the way of answering the decrypt oracle queries $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:

(i) If $\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or ${}_1 \neq 0$ or $\cdots$ or ${}_8 \neq 0$, output $\bot$.

Denote by $\mathrm{Bad}$ the event that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$e_1 u_1^{x_{i,1}} u_2^{y_{i,1}}, \ldots, e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathrm{RU}_{N^2} \quad\text{and}\quad \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \neq \bot \tag{42}$$
$$\text{and}\quad e\, {}_1^{x_{i,1}} {}_2^{y_{i,1}} {}_3^{x_{i,2}} {}_4^{y_{i,2}} {}_5^{x_{i,3}} {}_6^{y_{i,3}} {}_7^{x_{i,4}} {}_8^{y_{i,4}} \in \mathrm{RU}_{N^s} \quad\text{and}\quad t = g_1^{m} \bmod N \tag{43}$$
$$\text{and}\quad (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0 \text{ or } {}_1 \neq 0 \text{ or } \cdots \text{ or } {}_8 \neq 0). \tag{44}$$

Obviously G8 is identical to G7 unless $\mathrm{Bad}$ occurs. Thus $|\Pr_7[\mathrm{Succ}] - \Pr_8[\mathrm{Succ}]| \le \Pr_8[\mathrm{Bad}]$.

To show the computational indistinguishability of G7 and G8, we must prove that $\Pr_8[\mathrm{Bad}]$ is negligible. To this end, $\mathrm{Bad}$ is divided into two subevents:

(i) $\mathrm{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0). \tag{45}$$

(ii) $\mathrm{Bad}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } ({}_1 \neq 0 \text{ or } \cdots \text{ or } {}_8 \neq 0). \tag{46}$$

Obviously $\Pr_8[\mathrm{Bad}] \le \Pr_8[\mathrm{Bad}'] + \Pr_8[\mathrm{Bad}]$. We will defer the analysis of $\Pr_8[\mathrm{Bad}]$ to subsequent games. Through the following lemma we provide the analysis of $\Pr_8[\mathrm{Bad}']$.

Lemma 26. One has $\Pr_8[\mathrm{Bad}'] \le 2 Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In decrypt of game G8, the challenger will reply $\bot$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and ${}_1 = \cdots = {}_8 = 0$. Consequently, the $(\bmod\ \phi(N)/4)$ part of $\mathrm{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, together with the value of $\phi(N)$ is enough for answering decrypt queries. In particular, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not necessary in decrypt.

$\mathrm{Bad}'$ is further divided into the following two subevents:

(i) $\mathrm{Bad}'$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0) \text{ and } \Big(\exists\, j \in [4],\ \frac{\alpha'_j}{\alpha_j} \neq \frac{\alpha'_{j+1}}{\alpha_{j+1}} \bmod N\Big). \tag{47}$$

(ii) $\mathrm{Bad}'$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0) \text{ and } \Big(\frac{\alpha'_1}{\alpha_1} = \cdots = \frac{\alpha'_5}{\alpha_5} \bmod N\Big). \tag{48}$$

Recall that $(\alpha_1, \ldots, \alpha_5)$ are chosen in initialize. We will consider the two subevents in game G8 separately via the following two claims.

Claim 27. One has $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. In game G8, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$; for $j \in [4]$,
$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{\triangleq\, {}_j} - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2
\end{aligned} \tag{49}$$

If $\mathrm{Bad}'$-1 occurs, for concreteness say that $\alpha'_1/\alpha_1 \neq \alpha'_2/\alpha_2 \bmod N$, then
$$k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 \bmod N, \tag{50}$$
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_\$ \mathbb{Z}_N$, the probability of $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \neq \bot$ is upper bounded by $\mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.

Claim 28. One has $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. Similar to the discussion in the proof of the previous claim, in game G8 the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values of ${}_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, ${}_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, ${}_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, ${}_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt.

Note that because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $({}_1, {}_2, {}_3, {}_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm that simulates decrypt and encrypt of game G8 without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA encryption oracle of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathrm{pars}_{\mathrm{AIAE}})$, which has access to the $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathrm{pars}_{\mathrm{AIAE}} = (N, p, q, \ldots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more; it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either; instead it chooses $\mathbf{k} = ({}_1, {}_2, {}_3, {}_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$ and $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(x_{i_\ell,j}, y_{i_\ell,j}, {}_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(x_{i,j}, y_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $\mathrm{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(x_{i,j}, y_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathrm{E.c}_\ell, \mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4}) \rangle)$ to its own $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle and obtains $\mathrm{aiae.c}_\ell$. The final ciphertext is $\langle \mathrm{ai}_\ell, \mathrm{aiae.c}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security game, the $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle will encrypt $\mathrm{E.c}_\ell$ with the auxiliary input $\mathrm{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$; that is, the $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle behaves as $\mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathrm{E.c}_\ell, \mathrm{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to G8. For decrypt, $\mathcal{B}_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like G8.

Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ such that $\mathrm{Bad}'$-2 occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
$$\begin{aligned}
k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{=\, {}_j} - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j \underbrace{- r \cdot ({}_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j}_{\triangleq\, s_j} = r \cdot k^*_j + s_j \bmod N
\end{aligned} \tag{51}$$

Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4) \rangle$ as above using $(x_{i,j}, y_{i,j}, {}_j)_{j=1}^4$, and outputs $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiae.c})$ to its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathrm{ai}, \mathrm{aiae.c} \rangle \neq \langle \mathrm{ai}_\ell, \mathrm{aiae.c}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiae.c}) \neq (\mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathrm{aiae.c}_\ell)$ will hold for all $\ell \in [Q_e]$; that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot ({}_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot ({}_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously this satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security.

(iii) Finally, if $\mathrm{Bad}'$-2 occurs in this decryption query, then $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \neq \bot$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, will imply that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game G9. It is identical to G8 except for the following differences. In the initialize procedure of game G9, the challenger picks an independent $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4) \leftarrow_\$ (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathrm{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathrm{aiae.c}_\ell$:

(i) $\mathbf{k}_\ell := (r_\ell k^*_1 + s_{\ell,1}, \ldots, r_\ell k^*_4 + s_{\ell,4})$;

(ii) $\mathrm{aiae.c}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathrm{E.c}_\ell, \mathrm{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.

In G8, the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,
$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2
\end{aligned} \tag{52}$$

Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Therefore the challenger could always employ another $\mathbf{k}^* = (k^*_1, \ldots, k^*_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in $\mathrm{AIAE}_{\mathrm{DDH}}$'s encryption in the encrypt oracle, as in G9. Then game G8 and game G9 are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathrm{Succ}] = \Pr_9[\mathrm{Succ}]$ and $\Pr_8[\mathrm{Bad}] = \Pr_9[\mathrm{Bad}]$.

Game G10. It is identical to G9 except for the way the challenger answers the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game G10 the challenger computes $\mathrm{aiae.c}_\ell$ in the following way:

(i) $\mathrm{aiae.c}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathrm{ai}_\ell)$.

Observe that in G9 and G10, $\mathbf{k}^*$ is employed only in the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption, where it uses $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between G9 and G10 results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{aff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathrm{Succ}] - \Pr_{10}[\mathrm{Succ}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\mathrm{Bad}] - \Pr_{10}[\mathrm{Bad}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in G10 the challenger always computes the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathrm{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.
Lemma 29. One has $\Pr_{10}[\mathrm{Bad}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda)$.

Proof. In G10, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathrm{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \operatorname{dlog}_g g_j \bmod \phi(N)/4$ for some base $g \in \mathrm{SCR}_{N^s}$, $j \in [5]$.

$\mathrm{Bad}$ is further divided into the following two disjoint subevents:

(i) $\mathrm{Bad}$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } ({}_1 \neq 0 \text{ or } \cdots \text{ or } {}_8 \neq 0) \text{ and } \Big(\frac{{}_1}{w_1} \neq \frac{{}_2}{w_2} \text{ or } \frac{{}_3}{w_2} \neq \frac{{}_4}{w_3} \text{ or } \frac{{}_5}{w_3} \neq \frac{{}_6}{w_4} \text{ or } \frac{{}_7}{w_4} \neq \frac{{}_8}{w_5}\Big). \tag{53}$$

(ii) $\mathrm{Bad}$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } ({}_1 \neq 0 \text{ or } \cdots \text{ or } {}_8 \neq 0) \text{ and } \Big(\frac{{}_1}{w_1} = \frac{{}_2}{w_2} \text{ and } \frac{{}_3}{w_2} = \frac{{}_4}{w_3} \text{ and } \frac{{}_5}{w_3} = \frac{{}_6}{w_4} \text{ and } \frac{{}_7}{w_4} = \frac{{}_8}{w_5}\Big). \tag{54}$$

We will analyze the two subevents in game G10 separately via the following two claims.

Claim 30. One has $\Pr_{10}[\mathrm{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Proof. If $\mathrm{Bad}$-1 occurs, for concreteness say that ${}_1/w_1 \neq {}_2/w_2$, then
$$g_1^{m} = g_1^{{}_1 x_{i,1} + {}_2 y_{i,1} + \cdots} = g_1^{{}_1 x_1 + {}_2 y_1 + {}_1 x_{i,1} + {}_2 y_{i,1} + \cdots \bmod \phi(N)/4} \bmod N, \tag{55}$$
and $({}_1 x_1 + {}_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m}$ is uniformly distributed over $\mathrm{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound, $\Pr_{10}[\mathrm{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Claim 31. One has $\Pr_{10}[\mathrm{Bad}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game G10, if $\mathrm{Bad}$-2 occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathrm{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathrm{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys in the same way as initialize in G10. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as G10 does. Furthermore, $z'_j$ is hidden by $z_j$ perfectly from $\mathcal{A}$'s view. If we denote $w := \operatorname{dlog}_g h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \operatorname{dlog}_g g_j = z_j + w z'_j \bmod \phi(N)/4$.

If $\mathrm{Bad}$-2 occurs in decrypt, for concreteness say that ${}_1/w_1 = {}_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{{}_1} = g_1^{{}_2} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1\, {}_2 = w_2\, {}_1 \bmod \phi(N)/4$, or equivalently
$$z_1\, {}_2 + w z'_1\, {}_2 = z_2\, {}_1 + w z'_2\, {}_1 \bmod \phi(N)/4. \tag{56}$$

Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1\, {}_2 - z'_2\, {}_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ will succeed in computing the discrete logarithm of $h$ based on $g$ and output $w = (z'_1\, {}_2 - z'_2\, {}_1)^{-1} \cdot (z_2\, {}_1 - z_1\, {}_2) \bmod \phi(N)/4$ to its challenger. Clearly we have $\Pr_{10}[\mathrm{Bad}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5 PKE with n-KDM[F119889poly]-CCA Security
51 The Basic Idea We extend the construction of 119899-KDM[Faff ]-CCA secure PKE to that of 119899-KDM[F119889
poly]-CCAsecure PKE We allow adversaries to submit polynomialfunction in F119889
poly in the form of modular arithmetic circuit(MAC) [10] which is a polynomial-sized circuit computing119891 isin F119889
poly We stress that there is no a priori bound on thesize of modular arithmetic circuits The only requirement isthat the degree 119889 of the polynomials is a priori bounded Westill follow the approach in Figure 1 in our PKE constructionIndeed we use the same AIAEDDH and KEM as those in theprevious 119899-KDM[Faff ]-CCA secure PKE in Figure 8Weonlyneed to construct a newE to serve as an entropy filter for thepolynomial function setMoreover the newE should employthe same pair of public and secret keys with KEM That iswe have sk119894 = (1199091198941 1199101198941 1199091198944 1199101198944) and pk119894 = (ℎ1198941 ℎ1198944)with ℎ1198941 = 119892minus11990911989411 119892minus11991011989412 ℎ1198944 = 119892minus11990911989444 119892minus11991011989445 mod119873119904 for119894 isin [119899]52 Reducing Polynomials of 8n Variables to
Polynomials of 8 Variables
How to Reduce 8n-Variable Polynomial 119891ℓ In the 119899-KDM[F119889
poly]-CCA security game the adversary is allowed toquery the encrypt oracle with (119891ℓ 119894ℓ isin [119899]) for ℓ isin [119876119890]Note that the function 119891ℓ is a polynomial in the 119899 secret keys(119909119894119895 119910119894119895)119894isin[119899]119895isin[4] thus 119891ℓ has 8119899 variables and is of degree atmost 119889 The bad news is that 119891ℓ contains as many as ( 8119899+1198898119899 ) =Θ(1198898119899) monomial functions Note that this number can beexponentially large
The good news is that we found an efficient way to greatlyreduce the number of monomials from Θ(1198898119899) to Θ(1198898) Inparticular the polynomial 119891ℓ((119909119894119895 119910119894119895)119894isin[119899]119895isin[4]) can alwaysbe changed to a polynomial 1198911015840
ℓ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4]) of 8 variables
Security and Communication Networks 21
consisting of at most ( 8+1198898 ) = Θ(1198898) monomial functionsNow this number is polynomial in 120582
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the INITIALIZE procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$, the keys $(x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$, that is,

$$x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}. \tag{57}$$

Consequently, $f_\ell$ in $8n$ variables $(x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]}$ can be reduced to $f'_\ell$ in 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$, that is,

$$f_\ell\big((x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]}\big) = f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i\in[n],\,j\in[4]}\Big) = f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\big) = \sum_{0 \le c_1+\cdots+c_8 \le d} a_{(c_1,\ldots,c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \tag{58}$$

The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$.

How to Determine the Coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$. In order to compute the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$, we can repeat the following procedure:

(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i\in[n],\,j\in[4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$ are always the ones chosen in INITIALIZE.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1,\ldots,c_8)}$ can be extracted by solving the linear system of equations

$$f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i\in[n],\,j\in[4]}\big) = \sum_{0 \le c_1+\cdots+c_8 \le d} a_{(c_1,\ldots,c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}, \tag{59}$$

one equation per recorded evaluation, with the $a_{(c_1,\ldots,c_8)}$ as the unknowns. The overall time complexity for computing the coefficients $a_{(c_1,\ldots,c_8)}$ is polynomial in $\lambda$.
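The reduction (57) to (59) carried out in code, as an added example that is not part of the paper: the $8n$-variable function $f_\ell$ is treated as a black box, and the coefficients of the 8-variable $f'_\ell$ are recovered by evaluating the black box at $\binom{8+d}{8}$ random points of $\mathsf{sk}_{i_\ell}$ and solving the resulting linear system. Assumptions, marked in the code: a small prime modulus `P` stands in for the ring the scheme actually works over (so Gauss-Jordan elimination never meets a non-invertible pivot), the variable order inside one key is $(x_1, y_1, \ldots, x_4, y_4)$, and the shifts, the master key and the adversary's polynomial in `demo()` are constructed for illustration; `reduce_to_eight_variables` is this example's own name for the procedure.

```python
import itertools
import random

# Toy modulus (assumption: a prime stands in for the ring Z_{N^{s-1}} the scheme uses).
P = 2_147_483_647


def monomials(nvars, d):
    """All exponent tuples c = (c_1, ..., c_nvars) with 0 <= c_1 + ... + c_nvars <= d."""
    return [c for c in itertools.product(range(d + 1), repeat=nvars) if sum(c) <= d]


def eval_monomial(c, point, mod):
    """x_1^{c_1} * ... * x_k^{c_k} mod `mod` for point = (x_1, ..., x_k)."""
    out = 1
    for exp, val in zip(c, point):
        out = out * pow(val, exp, mod) % mod
    return out


def solve_mod_p(rows, rhs, p):
    """Gauss-Jordan elimination over Z_p. Raises if the evaluation matrix is singular."""
    n = len(rows)
    m = [row[:] + [rhs[i]] for i, row in enumerate(rows)]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col] % p), None)
        if piv is None:
            raise ValueError("singular evaluation matrix; resample the points")
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, p)
        m[col] = [v * inv % p for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def reduce_to_eight_variables(f, shifts, i_ell, d, mod, rng):
    """
    Coefficients a_c of f'_ell (eq. 58/59) from black-box access to f_ell.
      f      : callable taking n lists of 8 key values (one list per user), returns f_ell(...)
      shifts : the (xbar_{i,j}, ybar_{i,j}) chosen in Initialize, n lists of 8 values
      i_ell  : index of the user the query is about
    Returns {c: a_c} for all exponent tuples with sum <= d, zero coefficients dropped.
    """
    n = len(shifts)
    mons = monomials(8, d)
    rows, rhs = [], []
    for _ in range(len(mons)):
        pt = [rng.randrange(mod) for _ in range(8)]            # step (i): random sk_{i_ell}
        # step (ii): every user's key expressed as a shift of sk_{i_ell}, eq. (57)
        all_keys = [[(pt[j] + shifts[i][j] - shifts[i_ell][j]) % mod for j in range(8)]
                    for i in range(n)]
        rows.append([eval_monomial(c, pt, mod) for c in mons])
        rhs.append(f(all_keys) % mod)                           # step (iii): record the output
    coeffs = solve_mod_p(rows, rhs, mod)                        # solve the linear system (59)
    return {c: a for c, a in zip(mons, coeffs) if a}


def eval_reduced(coeffs, point, mod):
    """Evaluate f'_ell from its coefficient table at one 8-variable point."""
    return sum(a * eval_monomial(c, point, mod) for c, a in coeffs.items()) % mod


def demo():
    """Constructed instance: n = 3 users, degree bound d = 2, query about user i_ell = 2."""
    rng = random.Random(7)
    n, d, i_ell = 3, 2, 2
    shifts = [[rng.randrange(P) for _ in range(8)] for _ in range(n)]
    master = [rng.randrange(P) for _ in range(8)]               # (x_1, y_1, ..., x_4, y_4)
    keys = [[(master[j] + shifts[i][j]) % P for j in range(8)] for i in range(n)]
    # adversary's f_ell over three users' keys: x_{1,1} * y_{2,1} + 3 * y_{3,4} + 7
    f = lambda k: k[0][0] * k[1][1] + 3 * k[2][7] + 7
    coeffs = reduce_to_eight_variables(f, shifts, i_ell, d, P, random.Random(11))
    agrees = eval_reduced(coeffs, keys[i_ell], P) == f(keys) % P
    return coeffs, agrees


if __name__ == "__main__":
    cs, ok = demo()
    print(len(cs), "monomials; f'_ell(sk_{i_ell}) == f_ell(all keys):", ok)
```

A zero pivot occurs only when the sampled points are degenerate, which is why the text says "about" $\binom{8+d}{8}$ evaluations: on `ValueError` the caller resamples and repeats. Over the composite ring of the real scheme the same elimination works unless a pivot shares a factor with $N$, an event that would amount to factoring $N$.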
5.3. How to Design $\mathcal{E}$: A Warm-Up. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,

$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \tag{60}$$

Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 9.
Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$ (algorithms reconstructed from the figure).

$\mathcal{E}.c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$:
For $l \in \{0, 1, \ldots, 8\}$: $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$,
$(u_{l,1}, \ldots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$,
$v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$.
$\mathsf{table}$ consists of rows $0, \ldots, 8$: row 0 is $(u_{0,1}, \ldots, u_{0,8})$, and for $l \in [8]$ row $l$ is $(u_{l,1}, \ldots, u_{l,8})$ with the entry in column $l$ replaced by $\tilde{u}_{l,l} := u_{l,l} \cdot v_{l-1}$, that is,
row 1: $(\tilde{u}_{1,1} = u_{1,1} \cdot v_0,\ u_{1,2},\ \ldots,\ u_{1,8})$; row 2: $(u_{2,1},\ \tilde{u}_{2,2} = u_{2,2} \cdot v_1,\ u_{2,3},\ \ldots,\ u_{2,8})$; $\ldots$; row 8: $(u_{8,1},\ \ldots,\ u_{8,7},\ \tilde{u}_{8,8} = u_{8,8} \cdot v_7)$.
$e := v_8 \cdot T^m \bmod N^s$, $t := g_1^m \bmod N \in \mathbb{Z}_N$. Output $\mathcal{E}.c := (\mathsf{table}, e, t)$.

$m/\perp \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.c)$:
Parse $\mathcal{E}.c = (\mathsf{table}, e, t)$ and compute, all $\bmod N^s$,
$\tilde{v}_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$,
$\tilde{v}_1 := (\tilde{u}_{1,1}/\tilde{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$,
$\tilde{v}_2 := u_{2,1}^{-x_1} (\tilde{u}_{2,2}/\tilde{v}_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$,
$\ldots$
$\tilde{v}_8 := u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (\tilde{u}_{8,8}/\tilde{v}_7)^{-y_4}$.
If $e/\tilde{v}_8 \in \mathsf{RU}_N$, set $m := \mathrm{dlog}_T(e/\tilde{v}_8) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\perp$.

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games G3-G4, which are related to the building block $\mathcal{E}$. Next we will replace G3-G4 with the following hybrids (i.e., Hybrid 1 to Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathsf{Encrypt}$ part of ENCRYPT is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the ENCRYPT oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}\big(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]})\big)$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the INITIALIZE procedure the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that

$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \tag{61}$$

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.
(i) Invoke $\mathcal{E}.\mathsf{Encrypt}$ to set up $\mathsf{table}$.
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.
(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.

Clearly, $\tilde{v}_0, \ldots, \tilde{v}_8$ computed via $\mathcal{E}.\mathsf{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathsf{Encrypt}$. Therefore this is just a conceptual change.

Figure 10: Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The figure shows, side by side for Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form), the computation $\mathcal{E}.c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(f_\ell, i_\ell \in [n])$: the rows $(u_{l,1}, \ldots, u_{l,8})$, the values $v_l$ and $\mathsf{table}$ exactly as in Figure 9 (with $\tilde{u}_{1,1} = u_{1,1} T^a \cdot v_0$ from Hybrid 3 on), the values $\tilde{v}_0, \ldots, \tilde{v}_8$ recomputed as in $\mathcal{E}.\mathsf{Decrypt}$, and $e = v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})}$ (Hybrid 1), $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})}$ (Hybrids 2 and 3), $e = v_8 \bmod N^s$ (Equivalent Form), together with $t = g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N \in \mathbb{Z}_N$ and the output $\mathcal{E}.c = (\mathsf{table}, e, t)$. (Summarized from the figure residue.)

Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, in $\mathsf{table}$ the entry located in row 1 and column 1 is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$. By the IV5 assumption this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.
(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.

Through a routine calculation we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry located in row 1 and column 1 of $\mathsf{table}$ is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) \bmod \phi(N)/4} \bmod N$. Since the order of $g_1$ modulo $N$ divides $\phi(N)/4$, reducing the exponent modulo $\phi(N)/4$ does not change $t$, and $t$ now depends only on the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_{i_\ell}$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the ENCRYPT oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Similarly, we can change the DECRYPT oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, DECRYPT uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to G7-G8 in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathsf{table}$ are elements of $\mathsf{SCR}_{N^s}$; if this is not the case, DECRYPT rejects immediately. Consequently, the DECRYPT oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a $\mathsf{table}$ for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{TableGen}$ shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from $\mathsf{table}^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{CalculateV}$ in Figure 11. Thus the titles $(v^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ could always be extracted from $(\mathsf{table}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ one by one, and finally $m$ is recovered.
Figure 11: (a) $\mathcal{E}.\mathsf{Encrypt}$ (left) and $\mathcal{E}.\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) $\mathsf{TableGen}$, which generates $\mathsf{table}^{(\mathbf{c})}$ together with a title $v^{(\mathbf{c})}$; (c) $\mathsf{CalculateV}$, which calculates a title $\tilde{v}^{(\mathbf{c})}$ from $\mathsf{table}^{(\mathbf{c})}$ using the secret key. (Algorithms reconstructed from the figure.)

(a) $\mathcal{E}.c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$: for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$; $e := \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})} \cdot T^m \bmod N^s$; $t := g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c := ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}, e, t)$.
$m/\perp \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}.c)$: parse $\mathcal{E}.c = ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}, e, t)$; for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$; if $e \cdot \big(\prod_{\mathbf{c}\in\mathcal{S}} \tilde{v}^{(\mathbf{c})}\big)^{-1} \in \mathsf{RU}_N$, set $m := \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c}\in\mathcal{S}} \tilde{v}^{(\mathbf{c})})^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\perp$.

(b) $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: for each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$ and set $(u_{l,1}, \ldots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$, $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. $\mathsf{table}^{(\mathbf{c})}$ consists of rows $0, \ldots, \sum_{j=1}^8 c_j$: row 0 is $(u_{0,1}, \ldots, u_{0,8})$; the next $c_1$ rows ($l = 1, \ldots, c_1$) are $(u_{l,1}, \ldots, u_{l,8})$ with column 1 replaced by $\tilde{u}_{l,1} := u_{l,1} \cdot v_{l-1}$; the next $c_2$ rows ($l = c_1 + 1, \ldots, c_1 + c_2$) have column 2 replaced by $\tilde{u}_{l,2} := u_{l,2} \cdot v_{l-1}$; and so on, until the last $c_8$ rows ($l = \sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j$) have column 8 replaced by $\tilde{u}_{l,8} := u_{l,8} \cdot v_{l-1}$. Output $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})} := v_{\sum_{j=1}^8 c_j})$.

(c) $\tilde{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathsf{table}^{(\mathbf{c})}, \mathbf{c} = (c_1, \ldots, c_8))$: parse $\mathsf{table}^{(\mathbf{c})}$ as the rows $(u_{l,1}, \ldots, u_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$ (with the chained entries $\tilde{u}_{l,j}$ in place); compute, all $\bmod N^s$,
$\tilde{v}_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$;
for each $l \in \{1, \ldots, c_1\}$: $\tilde{v}_l := (\tilde{u}_{l,1}/\tilde{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$;
for each $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$: $\tilde{v}_l := u_{l,1}^{-x_1} (\tilde{u}_{l,2}/\tilde{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$;
$\ldots$
for each $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$: $\tilde{v}_l := u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (\tilde{u}_{l,8}/\tilde{v}_{l-1})^{-y_4}$.
Output $\tilde{v}^{(\mathbf{c})} := \tilde{v}_{\sum_{j=1}^8 c_j}$.

Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games G3-G4. Next we will replace G3-G4 with the following hybrids (Hybrid 1 to Hybrid 3). Specifically, the $\mathcal{E}.\mathsf{Encrypt}$ part of ENCRYPT is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the ENCRYPT oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}\big(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]})\big)$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the INITIALIZE procedure the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then

$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\big) = \sum_{(c_1,\ldots,c_8)\in\mathcal{S}} a_{(c_1,\ldots,c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \tag{62}$$

where $\delta$ is the constant term $a_{(0,\ldots,0)}$ of $f'_\ell$.

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
 (1) invoke $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
 (2) invoke $\tilde{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Employ $(\tilde{v}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c}\in\mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}^{(\mathbf{c})}$ computed via $\mathsf{CalculateV}$ is the same as $v^{(\mathbf{c})}$ computed via $\mathsf{TableGen}$. Therefore this change is just conceptual.

Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
 (1) $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \ne 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1,\ldots,c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$. By the IV5 assumption this difference is computationally undetectable.
 (2) Extract $\tilde{v}^{(\mathbf{c})}$ from the (modified) $\mathsf{table}^{(\mathbf{c})}$ by invoking $\tilde{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.

Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have

$$\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})} \cdot T^{-a_{(c_1,\ldots,c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \tag{63}$$

Hence

$$e = \prod_{\mathbf{c}\in\mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})} \cdot \prod_{\mathbf{c}\in\mathcal{S}} T^{-a_{(c_1,\ldots,c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta}. \tag{64}$$

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \ne 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1,\ldots,c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more: the constant term $\delta$ is fixed by the shifts alone, the titles $v^{(\mathbf{c})}$ are computed from the public key, and the exponent of $t$ is reduced modulo $\phi(N)/4$.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the ENCRYPT oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

With a similar argument as that in Section 5.3, we can change the DECRYPT oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
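The table-and-title mechanism of Figures 9 and 11, together with the Hybrid 3 observation (63), as an added toy implementation that is not code from the paper: `table_gen` and `calculate_v` follow $\mathsf{TableGen}$ and $\mathsf{CalculateV}$ (the Section 5.3 warm-up is the special case $\mathbf{c} = (1, \ldots, 1)$), `encrypt` and `decrypt` follow $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ for $s = 2$, and `hybrid3_shift_holds` injects $T^a$ into row 1 of $\mathsf{table}^{(\mathbf{c})}$ and checks that the recovered title is $v^{(\mathbf{c})} \cdot T^{-a\, x_1^{c_1} \cdots y_4^{c_8}}$. Assumptions, marked in the code: tiny safe primes (so $N$ is insecure, but the Damgard-Jurik arithmetic is the real one), public keys $h_j = g_j^{-x_j} g_{j+1}^{-y_j}$, which is the relation the decryption equations of Figure 9 require, and a constructed message and constructed degree tuples in `demo()`.

```python
import itertools
import random
from math import gcd, prod

# Toy Damgard-Jurik group with s = 2. Assumption: tiny safe primes instead of a real
# 2048-bit N; the group arithmetic is otherwise the one the scheme uses.
N = 23 * 47                          # p = 2*11+1, q = 2*23+1 (constructed, not secure)
N2 = N * N
T = 1 + N                            # generator of RU_N; T has order N in Z*_{N^2}
rng = random.Random(2017)            # secret keys are ordered (x1, y1, x2, y2, x3, y3, x4, y4)

def scr_element():
    """Random element of SCR_{N^2} = { w^{2N} : w in Z*_{N^2} }."""
    while True:
        w = rng.randrange(2, N2)
        if gcd(w, N) == 1:
            return pow(w, 2 * N, N2)

def keygen():
    """pk = (g_1..g_5, h_1..h_4) with h_j = g_j^{-x_j} g_{j+1}^{-y_j} (assumed relation)."""
    g = [scr_element() for _ in range(5)]
    x = [rng.randrange(N2 // 4) for _ in range(4)]
    y = [rng.randrange(N2 // 4) for _ in range(4)]
    h = [pow(g[j], -x[j], N2) * pow(g[j + 1], -y[j], N2) % N2 for j in range(4)]
    return (g, h), [s for pair in zip(x, y) for s in pair]

def fresh_row(pk):
    """One row u = (g_1^r1, g_2^r1, g_2^r2, g_3^r2, ..., g_4^r4, g_5^r4) and v = prod_j h_j^rj."""
    g, h = pk
    r = [rng.randrange(N // 4) for _ in range(4)]
    u = [pow(g[j + k], r[j], N2) for j in range(4) for k in (0, 1)]
    return u, prod(pow(h[j], r[j], N2) for j in range(4)) % N2

def column_of_row(c, l):
    """0-based column j whose variable row l (1 <= l <= sum c) is chained through."""
    bounds = itertools.accumulate(c)
    return next(j for j, acc in enumerate(bounds) if l <= acc)

def table_gen(pk, c, inject=0):
    """TableGen(pk, c). inject = a reproduces Hybrid 3: row 1's chained entry also gets T^a."""
    table, v = [], []
    for l in range(sum(c) + 1):
        u, v_l = fresh_row(pk)
        if l >= 1:
            mask = pow(T, inject % N, N2) if l == 1 else 1
            j = column_of_row(c, l)
            u[j] = u[j] * mask * v[l - 1] % N2          # tilde u_{l,j} = u_{l,j} * v_{l-1}
        table.append(u)
        v.append(v_l)
    return table, v[-1]                                 # title v^{(c)} = v_{sum c}

def calculate_v(sk, table, c):
    """CalculateV(sk, table^{(c)}, c): peel the chained titles row by row with the secret key."""
    def row_value(u):
        return prod(pow(uk, -s, N2) for uk, s in zip(u, sk)) % N2
    v_prev = row_value(table[0])
    for l in range(1, sum(c) + 1):
        u = list(table[l])
        j = column_of_row(c, l)
        u[j] = u[j] * pow(v_prev, -1, N2) % N2           # tilde u_{l,j} / tilde v_{l-1}
        v_prev = row_value(u)
    return v_prev

def encrypt(pk, m, S):
    """E.Encrypt: T^m is hidden behind the product of all titles; t = g_1^m mod N binds m."""
    tables, titles = {}, 1
    for c in S:
        tables[c], v = table_gen(pk, c)
        titles = titles * v % N2
    return tables, titles * pow(T, m, N2) % N2, pow(pk[0][0] % N, m, N)

def decrypt(sk, pk, ct, S):
    """E.Decrypt: strip the titles, check membership in RU_N, take dlog_T, check t."""
    tables, e, t = ct
    w = e
    for c in S:
        w = w * pow(calculate_v(sk, tables[c], c), -1, N2) % N2
    if pow(w, N, N2) != 1:                              # w must lie in RU_N = <T>
        return None
    m = (w - 1) // N                                    # dlog_T(1 + mN) = m for s = 2
    return m if pow(pk[0][0] % N, m, N) == t else None

def hybrid3_shift_holds(pk, sk, c, a):
    """Eq. (63): with T^a injected, CalculateV returns v^{(c)} * T^{-a * x1^c1 ... y4^c8}."""
    table, v = table_gen(pk, c, inject=a)
    mono = prod(pow(s, cj, N) for s, cj in zip(sk, c)) % N   # exponent of T matters mod N
    return calculate_v(sk, table, c) == v * pow(T, (-a * mono) % N, N2) % N2

def demo():
    """Degree bound d = 1 (S = the 8 single-variable monomials) plus the Section 5.3 monomial."""
    pk, sk = keygen()
    S = [c for c in itertools.product(range(2), repeat=8) if sum(c) == 1]
    ok_roundtrip = decrypt(sk, pk, encrypt(pk, 454, S), S) == 454   # constructed m < N
    ok_warmup = hybrid3_shift_holds(pk, sk, (1,) * 8, 5)             # a * x1 y1 ... x4 y4
    ok_general = hybrid3_shift_holds(pk, sk, (0, 2, 0, 0, 1, 0, 0, 3), 9)
    return ok_roundtrip, ok_warmup, ok_general

if __name__ == "__main__":
    print(demo())
```

The check in `hybrid3_shift_holds` is exactly why Hybrid 3 can be rewritten in its equivalent form: the $T^a$ planted in row 1 travels through every chained row, picking up one secret-key factor per row, so that after the last row it has become $T^{-a\, x_1^{c_1} \cdots y_4^{c_8}}$ and cancels against the $T^{f'_\ell}$ term in $e$. With a real modulus the only difference is the size of the integers.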
Appendix

A. Proof of Claim 19

We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathrm{AE}}$ and has access to the oracle $\mathrm{ENCRYPT}_{\mathrm{AE}}(\cdot) = \mathrm{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathrm{AIAE}}$ in the same way as in $\mathsf{G}'_{1,j}$. That is, invoke $\mathsf{pars}_{\mathrm{THPS}} \leftarrow_\$ \mathrm{THPS.Setup}(1^\lambda)$, pick $\mathrm{H} \leftarrow_\$ \mathcal{H}$ randomly, and set $\mathsf{pars}_{\mathrm{AIAE}} := (\mathsf{pars}_{\mathrm{THPS}}, \mathsf{pars}_{\mathrm{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathrm{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.

As for the $\ell$-th ($\ell \in [Q_e]$) ENCRYPT query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$, and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all and instead resorts to its own $\mathrm{ENCRYPT}_{\mathrm{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, queries its $\mathrm{ENCRYPT}_{\mathrm{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathrm{ENCRYPT}_{\mathrm{AE}}(\cdot)$ oracle we have $\chi_j \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathsf{G}'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $\mathsf{G}'_{1,j}$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ into $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ into $\mathcal{Q}_{\mathrm{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \ne f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \ne (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \ne t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.

We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ implies that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, the conditions $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$ and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$ imply that $\chi^* \ne \chi_j$ and $\mathrm{AE.Decrypt}(\kappa, \chi^*) \ne \perp$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $\mathsf{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE},\mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3

To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathrm{CHAL}^b_{\mathrm{IV5}}}(N, g_1, \ldots, g_5)$ to solve the IV5 problem. Firstly, $\mathcal{B}$ generates secret and public keys in INITIALIZE as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}.\mathsf{Encrypt}$ as follows.

(i) For the 0-th row of $\mathsf{table}$, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathrm{CHAL}^b_{\mathrm{IV5}}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,

Case $b = 0$: $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case $b = 1$: $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^a, g_2^{r_{1,1}}) = (u_{1,1} T^a, u_{1,2})$.

$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^a \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of $\mathsf{table}$ using its public keys and sets the 1st row of $\mathsf{table}$ to be

$$(\tilde{u}_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \ldots,\ u_{1,8}). \tag{B.1}$$

$\mathcal{B}$ also computes $\tilde{v}^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $\tilde{v}^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals

Case $b = 0$: $\tilde{v}^*_1 = v_1$, or
Case $b = 1$: $\tilde{v}^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathrm{CHAL}^b_{\mathrm{IV5}}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,

Case $b = 0$: $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case $b = 1$: $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.

$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^*_{2,2} \cdot \tilde{v}^*_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of $\mathsf{table}$ using its public keys and sets the 2nd row of $\mathsf{table}$ to be

$$(u^*_{2,1},\ \tilde{u}_{2,2} = u^*_{2,2} \cdot \tilde{v}^*_1,\ u_{2,3},\ \ldots,\ u_{2,8}). \tag{B.2}$$

$\mathcal{B}$ also computes $\tilde{v}^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $\tilde{v}^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals

Case $b = 0$: $\tilde{v}^*_2 = v_2$, or
Case $b = 1$: $\tilde{v}^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathrm{CHAL}^b_{\mathrm{IV5}}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,

Case $b = 0$: $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case $b = 1$: $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.

$\mathcal{B}$ sets $\tilde{u}_{3,3} := u^*_{3,3} \cdot \tilde{v}^*_2$; similarly, it is easy to check that $\tilde{u}_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of $\mathsf{table}$ using its public keys and sets the 3rd row of $\mathsf{table}$ to be

$$(u_{3,1},\ u_{3,2},\ \tilde{u}_{3,3} = u^*_{3,3} \cdot \tilde{v}^*_2,\ u^*_{3,4},\ u_{3,5},\ \ldots,\ u_{3,8}). \tag{B.3}$$

$\mathcal{B}$ also computes $\tilde{v}^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $\tilde{v}^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals

Case $b = 0$: $\tilde{v}^*_3 = v_3$, or
Case $b = 1$: $\tilde{v}^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ computes $\mathsf{table}$ similarly as above.

(vi) Finally, $\mathcal{B}$ computes $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$ just as in Hybrids 2 and 3 (also as the original $\mathcal{E}.\mathsf{Decrypt}$ algorithm) and computes $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the IV5 problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural ScienceFoundation of China Grant nos 61672346 and 61373153
Security and Communication Networks 27
References
[1] S Goldwasser and S Micali ldquoProbabilistic encryptionrdquo Journalof Computer and System Sciences vol 28 no 2 pp 270ndash2991984
[2] J Black P Rogaway and T Shrimpton ldquoEncryption-schemesecurity in the presence of key-dependentmessagesrdquo in SelectedAreas in Cryptography K Nyberg and H M Heys Eds vol2595 of Lecture Notes in Computer Science pp 62ndash75 Springer2003
[3] J Camenisch and A Lysyanskaya ldquoAn efficient system for non-transferable anonymous credentials with optional anonymityrevocationrdquo in Advances in Cryptology B Pfitzmann Ed vol2045 of Lecture Notes in Computer Science pp 93ndash118 Springer2001
[4] D Boneh S Halevi M Hamburg and R Ostrovsky ldquoCircular-secure encryption from decision Diffie-Hellmanrdquo in Advancesin Cryptology D Wagner Ed vol 5157 of Lecture Notes inComputer Science pp 108ndash125 Springer 2008
[5] Z Brakerski and S Goldwasser ldquoCircular and leakage resilientpublic-key encryption under subgroup indistinguishability (orquadratic residuosity strikes back)rdquo in Advances in CryptologyT Rabin Ed vol 6223 of Lecture Notes in Computer Science pp1ndash20 Springer 2010
[6] B Applebaum D Cash C Peikert and A Sahai ldquoFast cryp-tographic primitives and circular-secure encryption based onhard learning problemsrdquo in Advances in Cryptology S HaleviEd vol 5677 of Lecture Notes in Computer Science pp 595ndash618Springer 2009
[7] O Regev ldquoOn lattices learning with errors random linearcodes and cryptographyrdquo in Proceedings of the 37th AnnualACM Symposium on Theory of Computing (STOC rsquo05) H NGabow and R Fagin Eds pp 84ndash93 ACM 2005
[8] Z Brakerski S Goldwasser and Y T Kalai ldquoBlack-box circular-secure encryption beyond affine functionsrdquo in Theory of Cryp-tography Y Ishai Ed vol 6597 of Lecture Notes in ComputerScience pp 201ndash218 Springer 2011
[9] B Barak I Haitner D Hofheinz and Y Ishai ldquoBounded key-dependent message securityrdquo in Advances in Cryptology HGilbert Ed vol 6110 of Lecture Notes in Computer Science pp423ndash444 Springer 2010
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
6 Security and Communication Networks
any (universal$_2$) extended HPS is also a (universal$_2$) tag-based HPS, but not vice versa. Tag-based HPS is essentially a weaker variant of extended HPS and admits more efficient constructions.

Dodis et al. [21] defined an extracting property for extended HPS, which requires the hash value $\Lambda_{\mathsf{hk}}(C, t)$ to be uniformly distributed over $\mathcal{K}$ for any $C \in \mathcal{C}$ and $t \in \mathcal{T}$, as long as $\mathsf{hk}$ is randomly chosen from $\mathcal{HK}$. Besides, Xagawa [22] considered a key-homomorphic property for extended HPS, which stipulates that $\Lambda_{\mathsf{hk} + \Delta}(C, t) = \Lambda_{\mathsf{hk}}(C, t) \cdot \Lambda_{\Delta}(C, t)$ holds for any $\mathsf{hk}, \Delta \in \mathcal{HK}$, $C \in \mathcal{C}$ and $t \in \mathcal{T}$. Here we adapt these notions to tag-based HPS.
Definition 6 (extracting). THPS is called extracting if for all $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, all $C \in \mathcal{C}$, all $t \in \mathcal{T}$ and all $K \in \mathcal{K}$, it holds that
$$\Pr[\Lambda_{\mathsf{hk}}(C, t) = K] = \frac{1}{|\mathcal{K}|}, \quad (7)$$
where $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$.
Definition 7 (key-homomorphism). THPS is called key-homomorphic if for all $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, which defines $(\mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \mathcal{HK}, \mathcal{PK}, \Lambda_{(\cdot)}, \mu)$, one has the following:
(i) Both $(\mathcal{HK}, +)$ and $(\mathcal{K}, \cdot)$ are groups.
(ii) For all $C \in \mathcal{C}$ and all $t \in \mathcal{T}$, the mapping $\Lambda_{(\cdot)}(C, t): \mathcal{HK} \to \mathcal{K}$ is a group homomorphism. That is, for all $\mathsf{hk}, \mathbf{b} \in \mathcal{HK}$ and all $a \in \mathbb{Z}$, it holds that $\Lambda_{a \cdot \mathsf{hk} + \mathbf{b}}(C, t) = (\Lambda_{\mathsf{hk}}(C, t))^{a} \cdot \Lambda_{\mathbf{b}}(C, t)$.
2.5. DCR, DDH, DL and IV$_d$ Assumptions. Suppose that $\mathsf{GenN}(1^\lambda)$ is a PPT algorithm generating $(p, q, N, \bar N)$, where $p, q$ are safe primes of $\lambda$ bits, $N = pq$ and $\bar N = 2N + 1$ is a prime. We define the following:
(i) $\mathbb{QR}_{\bar N} := \{a^2 \bmod \bar N \mid a \in \mathbb{Z}^*_{\bar N}\}$.
Then $\mathbb{QR}_{\bar N}$ is a cyclic group of order $N$. For $s \in \mathbb{N}$ and $T = 1 + N$, we define:
(i) $\mathbb{QR}_{N^s} := \{a^2 \bmod N^s \mid a \in \mathbb{Z}^*_{N^s}\}$;
(ii) $\mathbb{SCR}_{N^s} := \{a^{2N^{s-1}} \bmod N^s \mid a \in \mathbb{Z}^*_{N^s}\}$;
(iii) $\mathbb{RU}_{N^s} := \{T^r \bmod N^s \mid r \in [N^{s-1}]\}$.
Then $\mathbb{SCR}_{N^s}$ is a cyclic group of order $\phi(N)/4$, and $\mathbb{QR}_{N^s} = \mathbb{SCR}_{N^s} \otimes \mathbb{RU}_{N^s}$, where $\otimes$ represents the internal direct product.
Damgård and Jurik [23] showed that the discrete logarithm $\mathrm{dlog}_T(u) \in [N^{s-1}]$ of an element $u \in \mathbb{RU}_{N^s}$ can be efficiently computed from $u$ and $N$. Observe that $\mathbb{Z}^*_{N^s} = \mathbb{Z}_2 \otimes \mathbb{Z}'_2 \otimes \mathbb{SCR}_{N^s} \otimes \mathbb{RU}_{N^s}$; thus for any $v = v(\mathbb{Z}_2) \cdot v(\mathbb{Z}'_2) \cdot v(\mathbb{SCR}_{N^s}) \cdot T^x \in \mathbb{Z}^*_{N^s}$, we have $v^{\phi(N)} = T^{x \cdot \phi(N)} \in \mathbb{RU}_{N^s}$ and
$$\frac{\mathrm{dlog}_T\left(v^{\phi(N)}\right)}{\phi(N)} \bmod N^{s-1} = x. \quad (8)$$
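The following Python code is an added worked example, not part of the paper: it implements the Damgård–Jurik discrete logarithm in $\mathbb{RU}_{N^s}$ and the extraction of $x$ from $v \in \mathbb{Z}^*_{N^s}$ via (8). The safe primes $p = 5$, $q = 7$ (so $N = 35$, $\bar N = 71$) and $s = 3$ are constructed toy values chosen so that the arithmetic is easy to follow.

```python
from math import factorial

# Constructed toy instance of GenN: safe primes p = 2*2+1 and q = 2*3+1, so N = 35 and
# N_bar = 2N + 1 = 71 is prime. The paper takes lambda-bit primes; these are for illustration.
P, Q = 5, 7
N = P * Q
PHI_N = (P - 1) * (Q - 1)
S = 3                       # work in Z*_{N^s} with s = 3; RU_{N^s} then has order N^(s-1) = 1225
T = 1 + N                   # generator of RU_{N^s}, as in Section 2.5


def dlog_T(u, n, s):
    """Damgard-Jurik [23]: recover r in [n^(s-1)] from u = T^r mod n^s, where T = 1 + n.

    Uses the binomial expansion T^r = 1 + r n + C(r,2) n^2 + ... (mod n^s) and
    determines r modulo n^j for j = 1, ..., s-1 in turn. The division by k! is done
    modulo n^j, which is legitimate because gcd(k!, n) = 1 for k below the smallest prime factor of n.
    """
    def L(b):
        return (b - 1) // n        # L(b) = (b - 1)/n, an integer whenever b = 1 mod n

    i = 0
    for j in range(1, s):
        mod = n ** j
        t1 = L(u % (n ** (j + 1)))
        t2 = i
        for k in range(2, j + 1):
            i -= 1
            t2 = t2 * i % mod
            t1 = (t1 - t2 * pow(n, k - 1, mod) * pow(factorial(k), -1, mod)) % mod
        i = t1
    return i


def extract_ru_exponent(v, n, phi_n, s):
    """Equation (8): for v = v(Z_2) v(Z'_2) v(SCR) T^x in Z*_{n^s}, return x.

    Every component of v other than T^x has order dividing phi(n), so v^phi(n) = T^(x phi(n)).
    Since gcd(phi(n), n) = 1 for safe primes, phi(n) is invertible modulo n^(s-1).
    """
    u = pow(v, phi_n, n ** s)                     # lands in RU_{n^s}
    order = n ** (s - 1)
    return dlog_T(u, n, s) * pow(phi_n, -1, order) % order


def demo():
    """Build v with a known RU component T^1000 and a non-trivial non-RU part, then recover 1000."""
    mod_s = N ** S
    x = 1000
    # 3^(N^(s-1)) has trivial RU component (that component is raised to the order of RU_{N^s}),
    # so the RU component of v below is exactly T^x.
    non_ru = pow(3, N ** (S - 1), mod_s)
    v = non_ru * pow(T, x, mod_s) % mod_s
    return extract_ru_exponent(v, N, PHI_N, S)


if __name__ == "__main__":
    print(demo())                                 # prints 1000
```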
Definition 8 (DCR assumption). The Decisional Composite Residuosity (DCR) assumption holds for $\mathsf{GenN}$ and $\mathbb{QR}_{N^s}$ if for any PPT $\mathcal{A}$, it holds that
$$\mathsf{Adv}^{\mathsf{dcr}}_{\mathsf{GenN}, \mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(N, u) = 1] - \Pr[\mathcal{A}(N, v) = 1]\right| \le \mathsf{negl}(\lambda), \quad (9)$$
where $(p, q, N, \bar N) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, $u \leftarrow_{\$} \mathbb{QR}_{N^s}$ and $v \leftarrow_{\$} \mathbb{SCR}_{N^s}$.
The Interactive Vector (IV$_d$) assumption is implied by the DCR assumption, as shown in [5]. Here we recall the IV$_d$ assumption according to [16].

Definition 9 (IV$_d$ assumption). The IV$_d$ assumption holds for $\mathsf{GenN}$ and $\mathbb{QR}_{N^s}$ if for any PPT $\mathcal{A}$, it holds that
$$\mathsf{Adv}^{\mathsf{iv}_d}_{\mathsf{GenN}, \mathcal{A}}(\lambda) := \left|\Pr\left[\mathcal{A}^{\mathsf{chal}^{b}_{\mathsf{IV}_d}(\cdot)}(N, g_1, \ldots, g_d) = b\right] - \frac{1}{2}\right| \le \mathsf{negl}(\lambda), \quad (10)$$
where $(p, q, N, \bar N) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, $g_1, \ldots, g_d \leftarrow_{\$} \mathbb{SCR}_{N^s}$, $b \leftarrow_{\$} \{0, 1\}$, and $\mathcal{A}$ is allowed to query the oracle $\mathsf{chal}^{b}_{\mathsf{IV}_d}(\cdot)$ adaptively. Each time, $\mathcal{A}$ can submit $(\delta_1, \ldots, \delta_d)$ to the oracle, and $\mathsf{chal}^{b}_{\mathsf{IV}_d}(\delta_1, \ldots, \delta_d)$ selects $r \leftarrow_{\$} [\lfloor N/4 \rfloor]$ randomly; if $b = 0$, the oracle outputs $(g_1^r, \ldots, g_d^r)$ to $\mathcal{A}$; otherwise it outputs $(g_1^r T^{\delta_1}, \ldots, g_d^r T^{\delta_d})$ to $\mathcal{A}$, where $T = 1 + N$.
Definition 10 (DDH assumption). The DDH assumption holds for $\mathsf{GenN}$ and $\mathbb{QR}_{\bar N}$ if for any PPT $\mathcal{A}$, it holds that
$$\mathsf{Adv}^{\mathsf{ddh}}_{\mathsf{GenN}, \mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(\bar N, p, q, g_1, g_2, g_1^x, g_2^x) = 1] - \Pr[\mathcal{A}(\bar N, p, q, g_1, g_2, g_1^x, g_2^y) = 1]\right| \le \mathsf{negl}(\lambda), \quad (11)$$
where $(p, q, N, \bar N) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, $g_1, g_2 \leftarrow_{\$} \mathbb{QR}_{\bar N}$, $x, y \leftarrow_{\$} \mathbb{Z}_N \setminus \{0\}$.

Definition 11 (DL assumption). The Discrete Logarithm (DL) assumption holds for $\mathsf{GenN}$ and $\mathbb{SCR}_{N^s}$ if for any PPT $\mathcal{A}$, it holds that
$$\mathsf{Adv}^{\mathsf{dl}}_{\mathsf{GenN}, \mathcal{A}}(\lambda) := \Pr[\mathcal{A}(N, p, q, g, g^x) = x] \le \mathsf{negl}(\lambda), \quad (12)$$
where $(p, q, N, \bar N) \leftarrow_{\$} \mathsf{GenN}(1^\lambda)$, $g \leftarrow_{\$} \mathbb{SCR}_{N^s}$, $x \leftarrow_{\$} [\phi(N)/4]$.
2.6. Collision-Resistant Hashing

Definition 12 (collision-resistant hashing). Let $\mathcal{H} = \{\mathsf{H}: \mathcal{X} \to \mathcal{Y}\}$ be a set of hash functions. $\mathcal{H}$ is said to be collision-resistant if for any PPT $\mathcal{A}$, one has
$$\mathsf{Adv}^{\mathsf{cr}}_{\mathcal{H}, \mathcal{A}}(\lambda) := \Pr\left[\mathsf{H} \leftarrow_{\$} \mathcal{H},\ (x, x') \leftarrow_{\$} \mathcal{A}(\mathsf{H}) : x \ne x' \wedge \mathsf{H}(x) = \mathsf{H}(x')\right] \le \mathsf{negl}(\lambda). \quad (13)$$
3. Auxiliary-Input Authenticated Encryption

Our PKE constructions in Sections 4 and 5 will resort to a new primitive, AIAE. To serve the KDM-CCA security of our PKE construction in Figure 1, our AIAE should satisfy the following properties:
(i) AIAE must take an auxiliary input $\mathsf{ai}$ in both the encryption and decryption algorithms.
(ii) AIAE must have IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. Compared to the INT-$\mathcal{F}$-RKA security proposed in [16], the weak-INT-$\mathcal{F}$-RKA security imposes a special rule to determine whether the adversary's forgery is successful or not.
In the following, we present the syntax of AIAE and define its IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. We also show a general paradigm of AIAE from tag-based HPS and give an instantiation of AIAE under the DDH assumption.
3.1. Auxiliary-Input Authenticated Encryption

Definition 13 (AIAE). There are three PPT algorithms $\mathsf{AIAE} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ in an AIAE scheme:
(i) The parameter generation algorithm $\mathsf{AIAE.ParGen}(1^\lambda)$ generates a system parameter $\mathsf{pars}_{\mathsf{AIAE}}$. We require $\mathsf{pars}_{\mathsf{AIAE}}$ to be an implicit input to other algorithms and assume that $\mathsf{pars}_{\mathsf{AIAE}}$ implicitly defines a key space $\mathcal{K}_{\mathsf{AIAE}}$, a message space $\mathcal{M}$ and an auxiliary-input space $\mathcal{AI}$.
(ii) The encryption algorithm $\mathsf{AIAE.Encrypt}(\mathsf{k}, m, \mathsf{ai})$ takes a key $\mathsf{k} \in \mathcal{K}_{\mathsf{AIAE}}$, a message $m \in \mathcal{M}$ and an auxiliary input $\mathsf{ai} \in \mathcal{AI}$ as input, and outputs a ciphertext $\mathsf{aiaec}$.
(iii) The decryption algorithm $\mathsf{AIAE.Decrypt}(\mathsf{k}, \mathsf{aiaec}, \mathsf{ai})$ takes a key $\mathsf{k} \in \mathcal{K}_{\mathsf{AIAE}}$, a ciphertext $\mathsf{aiaec}$ and an auxiliary input $\mathsf{ai} \in \mathcal{AI}$ as input, and outputs a message $m \in \mathcal{M}$ or a symbol $\perp$.
We require AIAE to have perfect correctness, that is, for all possible $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$, all keys $\mathsf{k} \in \mathcal{K}_{\mathsf{AIAE}}$, all messages $m \in \mathcal{M}$ and all auxiliary inputs $\mathsf{ai} \in \mathcal{AI}$,
$$\Pr\left[\mathsf{AIAE.Decrypt}(\mathsf{k}, \mathsf{AIAE.Encrypt}(\mathsf{k}, m, \mathsf{ai}), \mathsf{ai}) = m\right] = 1. \quad (14)$$
In fact, AIAE is a generalization of traditional AE, and traditional AE can be viewed as AIAE with $\mathcal{AI} = \emptyset$.

Definition 14 (RKA security). Denote by $\mathcal{F}$ a set of functions from $\mathcal{K}_{\mathsf{AIAE}}$ to $\mathcal{K}_{\mathsf{AIAE}}$. A scheme AIAE is IND-$\mathcal{F}$-RKA secure and weak-INT-$\mathcal{F}$-RKA secure if for any PPT $\mathcal{A}$,
$$\mathsf{Adv}^{\mathsf{ind\text{-}rka}}_{\mathsf{AIAE}, \mathcal{A}}(\lambda) := \left|\Pr\left[\mathsf{IND}\text{-}\mathcal{F}\text{-}\mathsf{RKA}^{\mathcal{A}} \Rightarrow 1\right] - \frac{1}{2}\right| \le \mathsf{negl}(\lambda),$$
$$\mathsf{Adv}^{\mathsf{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}, \mathcal{A}}(\lambda) := \Pr\left[\mathsf{weak\text{-}INT}\text{-}\mathcal{F}\text{-}\mathsf{RKA}^{\mathcal{A}} \Rightarrow 1\right] \le \mathsf{negl}(\lambda), \quad (15)$$
where IND-$\mathcal{F}$-RKA and weak-INT-$\mathcal{F}$-RKA are the security games presented in Figure 4.
3.2. Generic Construction of AIAE from Tag-Based HPS and OT-Secure AE. Our construction of AIAE needs the following ingredients:
(i) A tag-based hash proof system $\mathsf{THPS} = (\mathsf{THPS.Setup}, \mathsf{THPS.Pub}, \mathsf{THPS.Priv})$, where the hash value space is $\mathcal{K}$, the tag space is $\mathcal{T}$ and the hashing key space is $\mathcal{HK}$.
(ii) A (traditional) authenticated encryption scheme $\mathsf{AE} = (\mathsf{AE.ParGen}, \mathsf{AE.Encrypt}, \mathsf{AE.Decrypt})$, where the message space is $\mathcal{M}$ and the key space is $\mathcal{K}$.
(iii) A set of hash functions $\mathcal{H} = \{\mathsf{H}: \{0, 1\}^* \to \mathcal{T}\}$.
We present our AIAE construction $\mathsf{AIAE} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ in Figure 5, whose key space is $\mathcal{K}_{\mathsf{AIAE}} := \mathcal{HK}$, message space is $\mathcal{M}$ and auxiliary-input space is $\mathcal{AI} := \{0, 1\}^*$.
By the perfect correctness of AE, it is routine to check that AIAE has perfect correctness.

Theorem 15. If (i) THPS is universal$_2$, extracting, key-homomorphic and has a hard subset membership problem, (ii) AE is one-time secure, and (iii) $\mathcal{H}$ is collision-resistant, then the scheme AIAE in Figure 5 is IND-$\mathcal{F}_{\mathsf{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA secure. Here $\mathcal{F}_{\mathsf{raff}} := \{f_{(a, \mathbf{b})}: \mathsf{hk} \in \mathcal{HK} \mapsto a \cdot \mathsf{hk} + \mathbf{b} \in \mathcal{HK} \mid a \in \mathbb{Z}^*_{|\mathcal{K}|},\ \mathbf{b} \in \mathcal{HK}\}$ is the set of restricted affine functions.
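As an added example (not code from the paper), the Python below instantiates the generic construction of Figure 5 end to end and checks the two THPS properties the proof of Theorem 15 leans on: the projective property and key-homomorphism under a restricted affine function $f_{(a, \mathbf{b})}$. It assumes a Cramer–Shoup-style tag-based HPS over a constructed tiny prime-order group (the paper's $\mathsf{THPS}_{\mathsf{DDH}}$ works over $\mathbb{QR}_{\bar N}$), a toy encrypt-then-MAC one-time AE built from SHA-256/HMAC, and SHA-256 reduced modulo the group order as $\mathsf{H}$; the two resampling loops exist only because the toy tag space and group are small.

```python
import hashlib
import hmac
import secrets

# Constructed toy DDH group: the order-Q subgroup of Z_P^* with P = 2Q + 1 (both prime).
# Far too small for any security; chosen so that the example runs instantly.
P, Q = 2039, 1019
G1, G2 = 4, 9                 # squares mod P, hence generators of the order-Q subgroup


# ---- assumed tag-based HPS (Cramer-Shoup style): HK = Z_Q^4, K = the order-Q subgroup, T = Z_Q ----
def thps_keygen():
    return tuple(secrets.randbelow(Q) for _ in range(4))


def thps_mu(hk):
    """Projection pk = mu(hk) = (g1^k1 g2^k2, g1^k3 g2^k4)."""
    k1, k2, k3, k4 = hk
    return (pow(G1, k1, P) * pow(G2, k2, P) % P, pow(G1, k3, P) * pow(G2, k4, P) % P)


def thps_sample_v():
    """C <- V = {(g1^w, g2^w)} with witness w; w != 0 keeps C away from (1, 1)."""
    w = 1 + secrets.randbelow(Q - 1)
    return (pow(G1, w, P), pow(G2, w, P)), w


def in_c(C):
    """Membership in C = QR_P x QR_P, the first check of AIAE.Decrypt."""
    return all(0 < u < P and pow(u, Q, P) == 1 for u in C)


def thps_priv(hk, C, t):
    """Lambda_hk(C, t) = u1^(k1 + t k3) * u2^(k2 + t k4)."""
    k1, k2, k3, k4 = hk
    u1, u2 = C
    return pow(u1, (k1 + t * k3) % Q, P) * pow(u2, (k2 + t * k4) % Q, P) % P


def thps_pub(pk, C, w, t):
    """Evaluation from pk and the witness w; equals thps_priv by the projective property."""
    return pow(pk[0], w, P) * pow(pk[1], w * t % Q, P) % P


def affine_key(a, b, hk):
    """Restricted affine RKA function f_(a,b): hk -> a*hk + b over HK = Z_Q^4."""
    return tuple((a * k + bi) % Q for k, bi in zip(hk, b))


# ---- toy one-time AE (encrypt-then-MAC); stands in for any IND-OT and INT-OT secure AE ----
def _stream(kappa, n):
    key = hashlib.sha256(b"enc" + kappa.to_bytes(4, "big")).digest()
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]


def _mac(kappa, ct):
    return hmac.new(hashlib.sha256(b"mac" + kappa.to_bytes(4, "big")).digest(), ct, hashlib.sha256).digest()


def ae_encrypt(kappa, m):
    ct = bytes(x ^ y for x, y in zip(m, _stream(kappa, len(m))))
    return ct + _mac(kappa, ct)


def ae_decrypt(kappa, chi):
    ct, tag = chi[:-32], chi[-32:]
    if len(chi) < 32 or not hmac.compare_digest(_mac(kappa, ct), tag):
        return None               # the paper's "bottom" symbol
    return bytes(x ^ y for x, y in zip(ct, _stream(kappa, len(ct))))


# ---- the generic AIAE of Figure 5 ----
def tag_hash(C, ai):
    """H(C, ai) in T = Z_Q, instantiated with SHA-256 over an encoding of (C, ai)."""
    data = C[0].to_bytes(4, "big") + C[1].to_bytes(4, "big") + ai
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def aiae_encrypt(hk, m, ai):
    C, _w = thps_sample_v()
    kappa = thps_priv(hk, C, tag_hash(C, ai))          # kappa = Lambda_hk(C, t), t = H(C, ai)
    return C, ae_encrypt(kappa, m)


def aiae_decrypt(hk, aiaec, ai):
    C, chi = aiaec
    if not in_c(C):
        return None
    return ae_decrypt(thps_priv(hk, C, tag_hash(C, ai)), chi)


def demo():
    """Encrypt under the related key a*hk + b and check the properties used in Theorem 15."""
    hk, pk = thps_keygen(), None
    pk = thps_mu(hk)
    a = 1 + secrets.randbelow(Q - 1)                    # a in Z*_|K|, as F_raff requires
    b = tuple(secrets.randbelow(Q) for _ in range(4))
    while thps_mu(affine_key(a, b, hk))[1] == 1:        # degenerate related key (prob. 1/Q, toy group)
        b = tuple(secrets.randbelow(Q) for _ in range(4))
    C, w = thps_sample_v()
    t = secrets.randbelow(Q)
    m, ai = b"key-dependent payload", b"auxiliary input bound to the ciphertext"
    aiaec = aiae_encrypt(affine_key(a, b, hk), m, ai)
    other = b"another auxiliary input"
    while tag_hash(aiaec[0], other) == tag_hash(aiaec[0], ai):   # tag collision (prob. 1/Q, toy tag space)
        other += b"!"
    return {
        "projective": thps_pub(pk, C, w, t) == thps_priv(hk, C, t),
        "key_homomorphic": thps_priv(affine_key(a, b, hk), C, t)
        == pow(thps_priv(hk, C, t), a, P) * thps_priv(b, C, t) % P,
        "roundtrip": aiae_decrypt(affine_key(a, b, hk), aiaec, ai) == m,
        "other_ai_rejected": aiae_decrypt(affine_key(a, b, hk), aiaec, other) is None,
    }


if __name__ == "__main__":
    print(demo())                                       # all four entries are True
```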
Proof of Theorem 15 (IND-$\mathcal{F}_{\mathsf{raff}}$-RKA security). Denote by $\mathcal{A}$ a PPT adversary who is against the IND-$\mathcal{F}_{\mathsf{raff}}$-RKA security and queries the encrypt oracle for at most $Q_e$ times. We show the IND-$\mathcal{F}_{\mathsf{raff}}$-RKA security through a series of games. For an event $\mathsf{E}$, we denote by $\Pr_j[\mathsf{E}]$, $\Pr_{j'}[\mathsf{E}]$ and $\Pr_{j''}[\mathsf{E}]$ the probability of $\mathsf{E}$ occurring in games $\mathsf{G}_j$, $\mathsf{G}'_j$ and $\mathsf{G}''_j$, respectively.

Game $\mathsf{G}_1$. It is the original IND-$\mathcal{F}_{\mathsf{raff}}$-RKA game. Denote the event $\beta' = \beta$ by $\mathsf{Succ}$. According to the definition, $\mathsf{Adv}^{\mathsf{ind\text{-}rka}}_{\mathsf{AIAE}, \mathcal{A}}(\lambda) = |\Pr_1[\mathsf{Succ}] - 1/2|$.
Figure 4 (pseudocode reconstructed from the figure residue and the proof text):
(a) IND-$\mathcal{F}$-RKA game.
  Proc. initialize: $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$; $\mathsf{k} \leftarrow_{\$} \mathcal{K}_{\mathsf{AIAE}}$; $\beta \leftarrow_{\$} \{0, 1\}$; output $\mathsf{pars}_{\mathsf{AIAE}}$.
  Proc. encrypt$(m_0, m_1, \mathsf{ai}, f \in \mathcal{F})$: if $|m_0| \ne |m_1|$, output $\perp$; $\mathsf{aiaec} \leftarrow_{\$} \mathsf{AIAE.Encrypt}(f(\mathsf{k}), m_\beta, \mathsf{ai})$; output $\mathsf{aiaec}$.
  Proc. finalize$(\beta')$: output $(\beta' = \beta)$.
(b) weak-INT-$\mathcal{F}$-RKA game.
  Proc. initialize: $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_{\$} \mathsf{AIAE.ParGen}(1^\lambda)$; $\mathsf{k} \leftarrow_{\$} \mathcal{K}_{\mathsf{AIAE}}$; $\mathcal{Q}_{\mathsf{ENC}} := \emptyset$; $\mathcal{Q}_{\mathsf{AI\text{-}F}} := \emptyset$; output $\mathsf{pars}_{\mathsf{AIAE}}$.
  Proc. encrypt$(m, \mathsf{ai}, f \in \mathcal{F})$: $\mathsf{aiaec} \leftarrow_{\$} \mathsf{AIAE.Encrypt}(f(\mathsf{k}), m, \mathsf{ai})$; $\mathcal{Q}_{\mathsf{AI\text{-}F}} := \mathcal{Q}_{\mathsf{AI\text{-}F}} \cup \{(\mathsf{ai}, f)\}$; $\mathcal{Q}_{\mathsf{ENC}} := \mathcal{Q}_{\mathsf{ENC}} \cup \{(\mathsf{ai}, f, \mathsf{aiaec})\}$; output $\mathsf{aiaec}$.
  Proc. finalize$(\mathsf{ai}^*, f^* \in \mathcal{F}, \mathsf{aiaec}^*)$: if $(\mathsf{ai}^*, f^*, \mathsf{aiaec}^*) \in \mathcal{Q}_{\mathsf{ENC}}$, output 0; special rule: if there exists $(\mathsf{ai}, f) \in \mathcal{Q}_{\mathsf{AI\text{-}F}}$ such that $\mathsf{ai} = \mathsf{ai}^*$ but $f \ne f^*$, output 0; output $(\mathsf{AIAE.Decrypt}(f^*(\mathsf{k}), \mathsf{aiaec}^*, \mathsf{ai}^*) \ne \perp)$.
Figure 4: IND-$\mathcal{F}$-RKA (a) and weak-INT-$\mathcal{F}$-RKA (b) security games. We note that in the weak-INT-$\mathcal{F}$-RKA game there is a special rule (as shown in the shadow) of outputting 0 in finalize.
Figure 5 (pseudocode reconstructed from the figure residue and Section 3.2):
  $\mathsf{AIAE.ParGen}(1^\lambda)$: $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$; $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$; $\mathsf{H} \leftarrow_{\$} \mathcal{H}$; output $\mathsf{pars}_{\mathsf{AIAE}} = (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$.
  $\mathsf{AIAE.Encrypt}(\mathsf{hk}, m, \mathsf{ai})$: $C \leftarrow_{\$} \mathcal{V}$ with witness $w$; $t = \mathsf{H}(C, \mathsf{ai}) \in \mathcal{T}$; $\kappa = \Lambda_{\mathsf{hk}}(C, t) \in \mathcal{K}$; $\chi \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa, m)$; output $\langle C, \chi \rangle$.
  $\mathsf{AIAE.Decrypt}(\mathsf{hk}, \langle C, \chi \rangle, \mathsf{ai})$: if $C \notin \mathcal{C}$, output $\perp$; $t = \mathsf{H}(C, \mathsf{ai}) \in \mathcal{T}$; $\kappa = \Lambda_{\mathsf{hk}}(C, t) \in \mathcal{K}$; $m/\perp \leftarrow \mathsf{AE.Decrypt}(\kappa, \chi)$; output $m/\perp$.
Figure 5: Generic construction of AIAE from THPS and AE.
As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_{\ell,0}, m_{\ell,1}, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathsf{raff}}$, the challenger prepares the challenge ciphertext as follows:
(i) pick $C_\ell \leftarrow_{\$} \mathcal{V}$ together with witness $w_\ell$;
(ii) compute $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell) \in \mathcal{T}$;
(iii) compute $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell) \in \mathcal{K}$;
(iv) invoke $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$;
and it outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$.

Game $\mathsf{G}_{1,j}$, $j \in [Q_e + 1]$. It is identical to $\mathsf{G}_1$, except that for the first $j - 1$ times of encrypt queries, that is, $\ell \in [j - 1]$, the challenger chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ randomly for the AE scheme.
Clearly $\mathsf{G}_{1,1}$ is identical to $\mathsf{G}_1$; thus $\Pr_1[\mathsf{Succ}] = \Pr_{1,1}[\mathsf{Succ}]$.

Game $\mathsf{G}'_{1,j}$, $j \in [Q_e]$. It is identical to $\mathsf{G}_{1,j}$, except that for the $j$-th encrypt query the challenger samples $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ uniformly.
The difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$ lies in the distribution of $C_j$. In game $\mathsf{G}_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $\mathsf{G}'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$ results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j}[\mathsf{Succ}] - \Pr_{1,j'}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathsf{smp}}_{\mathsf{THPS}}(\lambda)$.

Game $\mathsf{G}''_{1,j}$, $j \in [Q_e]$. It is identical to $\mathsf{G}'_{1,j}$, except that for the $j$-th encrypt query the challenger chooses $\kappa_j \leftarrow_{\$} \mathcal{K}$ randomly.

Lemma 16. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.

Proof. For game $\mathsf{G}'_{1,j}$ and game $\mathsf{G}''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$-th encrypt query. In $\mathsf{G}'_{1,j}$, $\kappa_j$ is properly computed, while in $\mathsf{G}''_{1,j}$ it is chosen from $\mathcal{K}$ uniformly.
We analyze the information about the key $\mathsf{hk}$ that is used in game $\mathsf{G}'_{1,j}$:
(i) For the $\ell$-th ($\ell \in [j - 1]$) query, encrypt does not use $\mathsf{hk}$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$-th ($\ell \in [j + 1, Q_e]$) query, encrypt can use $\mathsf{pk} = \mu(\mathsf{hk})$ to compute $\kappa_\ell$:
$$\begin{aligned} \kappa_\ell &= \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell), \qquad C_\ell \leftarrow_{\$} \mathcal{V} \text{ with witness } w_\ell \\ &= (\Lambda_{\mathsf{hk}}(C_\ell, t_\ell))^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) && \text{via key-homomorphism} \\ &= (\mathsf{THPS.Pub}(\mathsf{pk}, C_\ell, w_\ell, t_\ell))^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) && \text{via projective property} \end{aligned} \quad (16)$$
(iii) For the $j$-th query, encrypt uses $\Lambda_{\mathsf{hk}}(C_j, t_j)$ to compute $\kappa_j$:
$$\begin{aligned} \kappa_j &= \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j), \qquad C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V} \\ &= (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) && \text{via key-homomorphism} \end{aligned} \quad (17)$$
Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also randomly distributed over $\mathcal{K}$. Consequently, $\mathsf{G}'_{1,j}$ is essentially the same as $\mathsf{G}''_{1,j}$, and $\Pr_{1,j'}[\mathsf{Succ}] = \Pr_{1,j''}[\mathsf{Succ}]$.

Now we show that game $\mathsf{G}''_{1,j}$ is computationally indistinguishable from game $\mathsf{G}_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $\mathsf{G}''_{1,j}$ and $\mathsf{G}_{1,j+1}$ lies in the distribution of $C_j$ in the $j$-th encrypt query. In game $\mathsf{G}''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $\mathsf{G}_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j''}[\mathsf{Succ}] - \Pr_{1,j+1}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathsf{smp}}_{\mathsf{THPS}}(\lambda)$.

Game $\mathsf{G}_2$. It is identical to $\mathsf{G}_{1,Q_e+1}$, except that when answering encrypt queries, the challenger invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$.
In game $\mathsf{G}_{1,Q_e+1}$, the challenger computes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$; in game $\mathsf{G}_2$, the challenger computes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$. Since each $\kappa_\ell$ is chosen from $\mathcal{K}$ uniformly at random, $\ell \in [Q_e]$, by a standard hybrid argument any difference between $\mathsf{G}_{1,Q_e+1}$ and $\mathsf{G}_2$ results in a PPT adversary against the IND-OT security of AE, so that $|\Pr_{1,Q_e+1}[\mathsf{Succ}] - \Pr_2[\mathsf{Succ}]| \le Q_e \cdot \mathsf{Adv}^{\mathsf{ind\text{-}ot}}_{\mathsf{AE}}(\lambda)$.
Finally, in game $\mathsf{G}_2$, since the challenge ciphertexts are encryptions of $0^{|m_{\ell,0}|}$, $\beta$ is perfectly hidden to $\mathcal{A}$. So $\Pr_2[\mathsf{Succ}] = 1/2$.
Summing up, we proved the IND-$\mathcal{F}_{\mathsf{raff}}$-RKA security. This completes the proof of Theorem 15 (IND-$\mathcal{F}_{\mathsf{raff}}$-RKA security).
Proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA security). Denote by $\mathcal{A}$ a PPT adversary who is against the weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA security and queries the encrypt oracle for at most $Q_e$ times. Similarly, the proof goes through a series of games, which are defined analogously to those of the previous proof.

Game $\mathsf{G}_0$. It is the original weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA game. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, the challenger computes the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in similar steps as the previous proof and outputs $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, the challenger will put $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to a set $\mathcal{Q}_{\mathsf{ENC}}$, put $(\mathsf{ai}_\ell, f_\ell)$ to a set $\mathcal{Q}_{\mathsf{AI\text{-}F}}$, and put $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to a set $\mathcal{Q}_{\mathsf{TAG}}$. In the end, the adversary outputs a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$, where $f^* = \langle a^*, \mathbf{b}^* \rangle$, and the challenger invokes the finalize procedure as follows:
(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathsf{ENC}}$, output 0.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathsf{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \ne f^*$, output 0.
(iii) If $C^* \notin \mathcal{C}$, output 0.
(iv) Compute $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$ and $\kappa^* := \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$. Output $(\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp)$.
Denote the event that finalize outputs 1 by $\mathsf{Forge}$. According to the definition, $\mathsf{Adv}^{\mathsf{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}, \mathcal{A}}(\lambda) = \Pr_0[\mathsf{Forge}]$.

Game $\mathsf{G}_1$. It is identical to $\mathsf{G}_0$, except that the following rule is added to the procedure finalize by the challenger:
(i) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathsf{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \ne (C^*, \mathsf{ai}^*)$, output 0.
Since $t_\ell = \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $t^* = \mathsf{H}(C^*, \mathsf{ai}^*)$, any difference between $\mathsf{G}_0$ and $\mathsf{G}_1$ implies a hash collision of $\mathsf{H}$. So $|\Pr_0[\mathsf{Forge}] - \Pr_1[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathsf{cr}}_{\mathcal{H}}(\lambda)$.

Game $\mathsf{G}_{1,j}$, $j \in [Q_e + 1]$. It is identical to $\mathsf{G}_1$, except that for the first $j - 1$ times of encrypt queries, that is, $\ell \in [j - 1]$, the challenger chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ uniformly for the AE scheme.
Clearly $\mathsf{G}_{1,1}$ is identical to $\mathsf{G}_1$; thus $\Pr_1[\mathsf{Forge}] = \Pr_{1,1}[\mathsf{Forge}]$.

Game $\mathsf{G}'_{1,j}$, $j \in [Q_e]$. It is identical to $\mathsf{G}_{1,j}$, except that for the $j$-th encrypt query the challenger samples $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ uniformly.
The difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$ lies in the distribution of $C_j$. In game $\mathsf{G}_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $\mathsf{G}'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS. We emphasize that the PPT adversary (simulator) is able to check the occurrence of $\mathsf{Forge}$ in an efficient way, because the key $\mathsf{hk}$ can be chosen by the simulator itself. Consequently, the difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$ can be reduced to the subset membership problem smoothly.
Lemma 17. For all $j \in [Q_e]$, $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathsf{smp}}_{\mathsf{THPS}}(\lambda)$.

Proof. To bound the difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$, we build an efficient adversary $\mathcal{B}$ solving the subset membership problem. Given $(\mathsf{pars}_{\mathsf{THPS}}, C)$, where $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, $\mathcal{B}$ aims to distinguish $C \leftarrow_{\$} \mathcal{V}$ from $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.
$\mathcal{B}$ simulates $\mathsf{G}_{1,j}$ or $\mathsf{G}'_{1,j}$ for $\mathcal{A}$. Firstly, $\mathcal{B}$ invokes $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$, picks $\mathsf{H} \leftarrow_{\$} \mathcal{H}$ randomly, and sends $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$ to $\mathcal{A}$. Next, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$.
As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathsf{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:
(i) If $\ell \in [j - 1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ randomly, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j + 1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ embeds its own challenge $C$ to $C_j$, that is, $C_j := C$. Then it computes $t_j := \mathsf{H}(C_j, \mathsf{ai}_j)$ and $\kappa_j := \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j)$, and invokes $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_j, m_j)$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathsf{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathsf{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathsf{TAG}}$.
Obviously, $\mathcal{B}$ simulates $\mathsf{G}_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{V}$ and simulates $\mathsf{G}'_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.
Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathsf{raff}}$. Then $\mathcal{B}$ decides whether finalize outputs 1 or not with the help of $\mathsf{hk}$:
(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathsf{ENC}}$, $\mathcal{B}$ outputs 0 (to its own challenger).
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathsf{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \ne f^*$, $\mathcal{B}$ outputs 0.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ outputs 0.
(iv) $\mathcal{B}$ computes $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathsf{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \ne (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ outputs 0.
(vi) $\mathcal{B}$ computes $\kappa^* := \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$ and outputs $(\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp)$.
With the help of $\mathsf{hk}$, $\mathcal{B}$ is able to perfectly simulate finalize just like that in both $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$. Moreover, $\mathcal{B}$ outputs 1 to its own challenger if and only if the event $\mathsf{Forge}$ occurs. As a result, we have that $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathsf{smp}}_{\mathsf{THPS}, \mathcal{B}}(\lambda)$.

Game $\mathsf{G}''_{1,j}$, $j \in [Q_e]$. It is identical to $\mathsf{G}'_{1,j}$, except that for the $j$-th encrypt query the challenger chooses $\kappa_j \leftarrow_{\$} \mathcal{K}$ randomly.

Lemma 18. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Forge}] \le \Pr_{1,j''}[\mathsf{Forge}] + \mathsf{Adv}^{\mathsf{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Proof. For game $\mathsf{G}'_{1,j}$ and game $\mathsf{G}''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$-th encrypt query. In $\mathsf{G}'_{1,j}$, $\kappa_j$ is properly computed; in $\mathsf{G}''_{1,j}$, $\kappa_j$ is chosen from $\mathcal{K}$ uniformly.
We consider the information about the key $\mathsf{hk}$ that is used in $\mathsf{G}'_{1,j}$:
(i) For the $\ell$-th ($\ell \in [j - 1]$) query, encrypt does not use $\mathsf{hk}$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$-th ($\ell \in [j + 1, Q_e]$) query, similar to the proof of Lemma 16, encrypt can use $\mathsf{pk} = \mu(\mathsf{hk})$ to compute $\kappa_\ell$.
(iii) For the $j$-th query, similar to the proof of Lemma 16, encrypt uses $\Lambda_{\mathsf{hk}}(C_j, t_j)$ to compute $\kappa_j$:
$$\begin{aligned} \kappa_j &= \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j), \qquad C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V} \\ &= (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) && \text{via key-homomorphism} \end{aligned} \quad (18)$$
(iv) The finalize procedure, which defines the event $\mathsf{Forge}$, uses $\Lambda_{\mathsf{hk}}(C^*, t^*)$ to compute $\kappa^*$:
$$\begin{aligned} \kappa^* &= \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) \\ &= (\Lambda_{\mathsf{hk}}(C^*, t^*))^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) && \text{via key-homomorphism} \end{aligned} \quad (19)$$
We divide the event $\mathsf{Forge}$ into the following two subevents:
(i) Subevent $\mathsf{Forge} \wedge t_j \ne t^*$. Let us first consider the event $t_j \ne t^*$. We show that
$$\Pr_{1,j'}[t_j \ne t^*] = \Pr_{1,j''}[t_j \ne t^*]. \quad (20)$$
By the fact that $C_j \in \mathcal{C} \setminus \mathcal{V}$ and by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also randomly distributed over $\mathcal{K}$. Hence $\mathsf{G}'_{1,j}$ is the same as $\mathsf{G}''_{1,j}$ before $\mathcal{A}$ queries finalize, and consequently $t_j \ne t^*$ occurs with the same probability in $\mathsf{G}'_{1,j}$ and $\mathsf{G}''_{1,j}$.
Next we consider the event $\mathsf{Forge}$ conditioned on $t_j \ne t^*$. We show that
$$\Pr_{1,j'}[\mathsf{Forge} \mid t_j \ne t^*] = \Pr_{1,j''}[\mathsf{Forge} \mid t_j \ne t^*]. \quad (21)$$
Since $t_j \ne t^*$ and $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C^*, t^*)$. With a similar argument, $\kappa_j$ is also randomly distributed over $\mathcal{K}$. Hence $\mathsf{G}'_{1,j}$ is the same as $\mathsf{G}''_{1,j}$ when $t_j \ne t^*$, and consequently the probability that $\mathsf{Forge}$ occurs in $\mathsf{G}'_{1,j}$ and $\mathsf{G}''_{1,j}$ conditioned on $t_j \ne t^*$ is the same.
In conclusion, we have that
$$\Pr_{1,j'}[\mathsf{Forge} \wedge t_j \ne t^*] = \Pr_{1,j''}[\mathsf{Forge} \wedge t_j \ne t^*] \le \Pr_{1,j''}[\mathsf{Forge}]. \quad (22)$$
(ii) Subevent $\mathsf{Forge} \wedge t_j = t^*$. By the new rule added in game $\mathsf{G}_1$, $\mathsf{Forge} \wedge t_j = t^*$ will imply $(C_j, \mathsf{ai}_j) = (C^*, \mathsf{ai}^*)$. In addition, $\mathsf{Forge} \wedge \mathsf{ai}_j = \mathsf{ai}^*$ will imply that $f_j = f^*$, due to the special rule in the weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA game (see Figure 4). Then it is straightforward to check that $\Lambda_{\mathsf{hk}}(C_j, t_j) = \Lambda_{\mathsf{hk}}(C^*, t^*)$ and
$$\kappa_j = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) = (\Lambda_{\mathsf{hk}}(C^*, t^*))^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) = \kappa^*. \quad (23)$$
Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ $(= \Lambda_{\mathsf{hk}}(C^*, t^*))$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then as long as $a_j$ (which equals $a^*$) $\in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j$ (which equals $\kappa^*$) is also randomly distributed over $\mathcal{K}$. Also, in this subevent, $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$ implies $\chi^* \ne \chi_j$; thus the probability of $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$ is bounded by $\mathsf{Adv}^{\mathsf{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$. So we have the following claim. We present the full description of the reduction in Appendix A.

Claim 19. One has $\Pr_{1,j'}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathsf{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.
Combining the above two subevents together, Lemma 18 follows.

Now we show that game $\mathsf{G}''_{1,j}$ is computationally indistinguishable from game $\mathsf{G}_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $\mathsf{G}''_{1,j}$ and $\mathsf{G}_{1,j+1}$ lies in the distribution of $C_j$ in the $j$-th encrypt query. In game $\mathsf{G}''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $\mathsf{G}_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Similar to Lemma 17, any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j''}[\mathsf{Forge}] - \Pr_{1,j+1}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathsf{smp}}_{\mathsf{THPS}}(\lambda)$.
Finally, in game $\mathsf{G}_{1,Q_e+1}$, note that the challenger does not use $\mathsf{hk}$ to compute $\kappa_\ell$ at all; thus $\mathsf{hk}$ is uniformly random to $\mathcal{A}$. Consequently, in the finalize procedure, we have
$$\kappa^* = (\Lambda_{\mathsf{hk}}(C^*, t^*))^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*). \quad (24)$$
By the extracting property of THPS, $\Lambda_{\mathsf{hk}}(C^*, t^*)$ is uniformly random over $\mathcal{K}$. Therefore, as long as $a^* \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa^*$ is uniformly random over $\mathcal{K}$ as well. Hence the probability of $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$ is bounded by $\mathsf{Adv}^{\mathsf{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$, and we have $\Pr_{1,Q_e+1}[\mathsf{Forge}] \le \mathsf{Adv}^{\mathsf{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.
In all, we proved the weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA security. This completes the proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathsf{raff}}$-RKA security).

Remark 20. We emphasize that the special rule in the weak-INT-$\mathcal{F}$-RKA game (cf. Figure 4) plays an essential role in proving Lemma 18. Below is the reason.
Without this special rule, the adversary is allowed to submit $f^*$ $(= \langle a^*, \mathbf{b}^* \rangle)$ which is different from $f_j$ $(= \langle a_j, \mathbf{b}_j \rangle)$ even if $\mathsf{ai}^* = \mathsf{ai}_j$ holds. In this case, we cannot expect to employ the INT-OT security of the underlying AE scheme to show that the second subevent ($\mathsf{Forge} \wedge t_j = t^*$) occurs with only a negligible probability. To demonstrate the problem clearly, suppose that the adversary $\mathcal{A}$ submits $f_j = \langle a_j, \mathbf{b}_j \rangle$ in the $j$-th encrypt query and submits $f^* = \langle a^*, \mathbf{b}^* \rangle = \langle a_j, \mathbf{b}_j + \Delta \rangle$ in the finalize procedure, where $\Delta$ is a constant. Then we have
$$\kappa^* = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j + \Delta}(C_j, t_j) = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \cdot \Lambda_{\Delta}(C_j, t_j) = \kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \quad (25)$$
where the second equality follows from the key-homomorphism of THPS. Thus $\kappa^*$ and $\kappa_j$ are closely related but may not be equal; in particular, the quotient $\kappa^*/\kappa_j$ $(= \Lambda_{\Delta}(C_j, t_j))$ is a constant.
Consequently, it is hard for us to show that the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs with a negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary $\mathcal{A}$, who obtains $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_j, m_j)$ in the $j$-th encrypt query, to generate an AE-ciphertext $\chi^*$ satisfying $\mathsf{AE.Decrypt}(\kappa^*, \chi^*)$ $(= \mathsf{AE.Decrypt}(\kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \chi^*))$ $\ne \perp$, it seems that INT-RKA security of AE is required to some extent. We definitely cannot require INT-RKA security for the underlying AE scheme, since we are constructing a (weak) INT-RKA secure (AI)AE scheme AIAE. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT-$\mathcal{F}$-RKA game.
3.3. Tag-Based HPS from the DDH Assumption. Qin et al. [19] gave a construction of tag-based HPS from the $d$-LIN assumption. Here we construct a key-homomorphic $\mathrm{THPS}_{\mathrm{DDH}}$ under the DDH assumption in Figure 6. With a routine check, the projective property of $\mathrm{THPS}_{\mathrm{DDH}}$ follows.

Theorem 21. $\mathrm{THPS}_{\mathrm{DDH}}$ in Figure 6 is universal$_2$, extracting, and key-homomorphic. Moreover, the subset membership problem related to $\mathrm{THPS}_{\mathrm{DDH}}$ is hard under the DDH assumption for $\mathrm{GenN}$ and $QR_{\bar N}$.
12 Security and Communication Networks

Figure 6: Construction of $\mathrm{THPS}_{\mathrm{DDH}}$ (algorithms recovered from the figure).

Setup$(1^\lambda)$: $(p, q, N, \bar N) \leftarrow_\$ \mathrm{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ QR_{\bar N}$. Output $\mathrm{pars}_{\mathrm{THPS}} = (N, p, q, \bar N, g_1, g_2)$, which implicitly defines $(\mathcal{HK}, \mathcal{PK}, \mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \Lambda_{(\cdot)}, \mu)$ as follows:
  $\mathcal{HK} = (\mathbb{Z}_N)^4$, $\mathcal{K} = QR_{\bar N}$, $\mathcal{T} = \mathbb{Z}_N$, $\mathcal{C} = QR^2_{\bar N} \setminus \{(1, 1)\}$, $\mathcal{V} = \{(g_1^w, g_2^w) : w \in \mathbb{Z}_N \setminus \{0\}\} \subseteq QR^2_{\bar N}$;
  for $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$, $C = (c_1, c_2) \in \mathcal{C}$ and $t \in \mathcal{T}$: $\Lambda_{\mathrm{hk}}(C, t) = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t} \in \mathcal{K}$;
  for $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$: $\mathrm{pk} = \mu(\mathrm{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) \in QR^2_{\bar N}$.
$K \leftarrow \mathrm{THPS.Pub}(\mathrm{pk}, C, w, t)$: parse $\mathrm{pk} = (h_1, h_2)$; output $K = h_1^{w} h_2^{wt}$.
$K \leftarrow \mathrm{THPS.Priv}(\mathrm{hk}, C, t)$: parse $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$ and $C = (c_1, c_2) \in \mathcal{C}$; output $K = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}$.

Proof of Theorem 21. Universal$_2$. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, $C' = (g_1^{w'_1}, g_2^{w'_2}) \in \mathcal{C} \setminus \mathcal{V}$, and $t, t' \in \mathcal{T}$ with $t \ne t'$. For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathrm{hk}}(C', t')$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C, t)$.

Denote $d := \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$. Firstly, $\mathrm{pk} = \mu(\mathrm{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + d k_2}, g_1^{k_3 + d k_4})$, which may leak the values of $k_1 + d k_2$ and $k_3 + d k_4$.

Next,
$$\Lambda_{\mathrm{hk}}(C, t) = \big(g_1^{w_1}\big)^{k_1 + k_3 t} \cdot \big(g_2^{w_2}\big)^{k_2 + k_4 t} = g_1^{X}, \qquad X := (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4), \qquad (26)$$
which may further leak the value of $X$. Similarly,
$$\Lambda_{\mathrm{hk}}(C', t') = \big(g_1^{w'_1}\big)^{k_1 + k_3 t'} \cdot \big(g_2^{w'_2}\big)^{k_2 + k_4 t'} = g_1^{Y}, \qquad Y := (w'_1 k_1 + w'_2 d k_2) + t' \cdot (w'_1 k_3 + w'_2 d k_4). \qquad (27)$$
By the fact that $C' = (g_1^{w'_1}, g_2^{w'_2}) \notin \mathcal{V}$, we have $w'_1 \ne w'_2$. Then, as long as $t \ne t'$, $Y$ is independent of $k_1 + d k_2$, $k_3 + d k_4$, and $X$, and consequently $Y$ is uniformly distributed over $\mathbb{Z}_N$. Therefore, conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C, t)$, $\Lambda_{\mathrm{hk}}(C', t')$ $(= g_1^{Y})$ is randomly distributed over $\mathcal{K} = QR_{\bar N}$.

Extracting. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$ and $t \in \mathcal{T}$. For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathrm{hk}}(C, t)$.

By (26), $\Lambda_{\mathrm{hk}}(C, t) = g_1^{X}$ with $X = (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)$. Since $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, we have $(w_1, w_2) \ne (0, 0)$. Then, when $(k_1, k_2, k_3, k_4)$ is randomly chosen from $(\mathbb{Z}_N)^4$, $X$ is uniformly distributed over $\mathbb{Z}_N$. Consequently, $\Lambda_{\mathrm{hk}}(C, t)$ is randomly distributed over $\mathcal{K} = QR_{\bar N}$.

Key-Homomorphism. For all $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$, all $a \in \mathbb{Z}$, all $\mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4$, all $C = (c_1, c_2) \in \mathcal{C}$ and all $t \in \mathcal{T}$, we have $a \cdot \mathrm{hk} + \mathbf{b} = a \cdot (k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) = (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4)$. Then it follows that
$$\Lambda_{a \cdot \mathrm{hk} + \mathbf{b}}(C, t) = c_1^{(a k_1 + b_1) + (a k_3 + b_3) t} \cdot c_2^{(a k_2 + b_2) + (a k_4 + b_4) t} = \big(c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}\big)^{a} \cdot \big(c_1^{b_1 + b_3 t} c_2^{b_2 + b_4 t}\big) = \Lambda_{\mathrm{hk}}(C, t)^{a} \cdot \Lambda_{\mathbf{b}}(C, t). \qquad (28)$$

Subset Membership Problem. The subset membership problem related to $\mathrm{THPS}_{\mathrm{DDH}}$ requires that $(\mathrm{pars}_{\mathrm{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C = (g_1^{w}, g_2^{w}))$ is computationally indistinguishable from $(\mathrm{pars}_{\mathrm{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C' = (g_1^{w_1}, g_2^{w_2}))$, where $C \leftarrow_\$ \mathcal{V}$ and $C' \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$. It trivially holds under the DDH assumption for $\mathrm{GenN}$ and $QR_{\bar N}$.
3.4. Instantiation $\mathrm{AIAE}_{\mathrm{DDH}}$ from DDH-Based $\mathrm{THPS}_{\mathrm{DDH}}$ and OT-Secure AE. When plugging $\mathrm{THPS}_{\mathrm{DDH}}$ (cf. Figure 6) into the paradigm in Figure 5, we immediately obtain an AIAE scheme $\mathrm{AIAE}_{\mathrm{DDH}}$ under the DDH assumption, as shown in Figure 7. The key space is $\mathcal{K}_{\mathrm{AIAE}} = (\mathbb{Z}_N)^4$.

Figure 7: Construction of $\mathrm{AIAE}_{\mathrm{DDH}}$ from AE and $\mathrm{THPS}_{\mathrm{DDH}}$ (algorithms recovered from the figure).

$\mathrm{AIAE.ParGen}(1^\lambda)$: $(p, q, N, \bar N) \leftarrow_\$ \mathrm{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ QR_{\bar N}$; $\mathrm{pars}_{\mathrm{AE}} \leftarrow_\$ \mathrm{AE.ParGen}(1^\lambda)$; $H \leftarrow_\$ \mathcal{H}$. Output $\mathrm{pars}_{\mathrm{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathrm{pars}_{\mathrm{AE}}, H)$.
$\mathrm{AIAE.Encrypt}(\mathbf{k}, m, \mathrm{ai})$: parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$; $w \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$, $(c_1, c_2) = (g_1^{w}, g_2^{w}) \in QR^2_{\bar N}$; $t = H(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in QR_{\bar N}$; $\chi \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa, m)$. Output $\langle c_1, c_2, \chi \rangle$.
$\mathrm{AIAE.Decrypt}(\mathbf{k}, \langle c_1, c_2, \chi \rangle, \mathrm{ai})$: parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$; if $(c_1, c_2) \notin QR^2_{\bar N}$ or $(c_1, c_2) = (1, 1)$, output $\bot$; $t = H(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in QR_{\bar N}$. Output $\mathrm{AE.Decrypt}(\kappa, \chi)$.

By combining Theorem 15 with Theorem 21, we have the following corollary regarding the RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$.

Corollary 22. If (i) the DDH assumption holds for $\mathrm{GenN}$ and $QR_{\bar N}$, (ii) AE is one-time secure, and (iii) $\mathcal{H}$ is collision-resistant, then the scheme $\mathrm{AIAE}_{\mathrm{DDH}}$ in Figure 7 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here
$$\mathcal{F}_{\mathrm{raff}} := \big\{ f_{(a, \mathbf{b})} : (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4 \mapsto (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4) \in (\mathbb{Z}_N)^4 \ \big|\ a \in \mathbb{Z}^*_N,\ \mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4 \big\}.$$

Remark 23. Our $\mathrm{AIAE}_{\mathrm{DDH}}$ enjoys the following property: $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$ will be randomly distributed over $QR_{\bar N}$ as long as any element $k_j$ in $\mathbf{k} = (k_1, k_2, k_3, k_4)$ is uniformly chosen. As a result, the one-time security of AE will guarantee that $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) = \bot$ holds for any $(\mathrm{aiaec}, \mathrm{ai})$ except with probability $\mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda) \le \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. This fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.
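As an added example that is not code from the paper, the following Python program instantiates $\mathrm{THPS}_{\mathrm{DDH}}$ (Figure 6) and $\mathrm{AIAE}_{\mathrm{DDH}}$ (Figure 7) on toy parameters and checks the three facts the proofs rely on: the projective property ($\mathrm{Pub}$ with the witness $w$ agrees with $\Lambda_{\mathrm{hk}}$), the key-homomorphism (28) under an affine key derivation $f_{(a,\mathbf{b})}$, and that a mismatched $\mathrm{ai}$ changes $t$ and hence $\kappa$, so AE decryption outputs $\bot$. All concrete choices are mine: $p = 7$, $q = 107$ (safe primes with $\bar N = 2pq + 1 = 1499$ prime), $H$ instantiated as SHA-256 reduced mod $N$, and a SHA-256 keystream with a truncated HMAC tag standing in for the one-time AE; none of this is secure at these sizes.

```python
# Added example, not code from the paper: toy instance of THPS_DDH (Figure 6) and
# of AIAE_DDH (Figure 7) built on it with a one-time encrypt-then-MAC AE.
# Toy parameters, far too small for real use: p = 7, q = 107 (safe primes),
# N = pq = 749, N_bar = 2N + 1 = 1499 prime, so QR_{N_bar} is cyclic of order N.
import hashlib
import hmac
import random

P, Q = 7, 107
N = P * Q            # 749
NB = 2 * N + 1       # 1499


def is_prime(n):
    """Trial division; enough for toy parameters."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def check_params():
    """p, q safe primes and N_bar prime, as GenN requires."""
    return all(is_prime(v) for v in (P, Q, (P - 1) // 2, (Q - 1) // 2, NB))


def is_qr(c):
    """c in QR_{N_bar} by Euler's criterion."""
    return 1 <= c < NB and pow(c, (NB - 1) // 2, NB) == 1


def sample_generator(rng):
    """Random element of QR_{N_bar} of full order N (orders 1, p and q rejected)."""
    while True:
        g = pow(rng.randrange(2, NB), 2, NB)
        if pow(g, P, NB) != 1 and pow(g, Q, NB) != 1:
            return g


def thps_lambda(hk, C, t):
    """Lambda_hk(C, t) = c1^(k1 + k3 t) * c2^(k2 + k4 t) mod N_bar."""
    k1, k2, k3, k4 = hk
    c1, c2 = C
    return pow(c1, k1 + k3 * t, NB) * pow(c2, k2 + k4 * t, NB) % NB


def thps_mu(pars, hk):
    """pk = mu(hk) = (g1^k1 g2^k2, g1^k3 g2^k4)."""
    g1, g2 = pars
    k1, k2, k3, k4 = hk
    return (pow(g1, k1, NB) * pow(g2, k2, NB) % NB, pow(g1, k3, NB) * pow(g2, k4, NB) % NB)


def thps_pub(pk, w, t):
    """Pub(pk, C, w, t) = h1^w h2^(wt) for C = (g1^w, g2^w)."""
    h1, h2 = pk
    return pow(h1, w, NB) * pow(h2, w * t, NB) % NB


def tag_hash(C, ai):
    """t = H(c1, c2, ai) in Z_N; SHA-256 reduced mod N stands in for H (assumption)."""
    d = hashlib.sha256(f"{C[0]}|{C[1]}|".encode() + ai).digest()
    return int.from_bytes(d, "big") % N


def ae_encrypt(kappa, m):
    """Toy one-time AE: SHA-256 keystream plus truncated HMAC tag (m <= 32 bytes)."""
    assert len(m) <= 32
    key = kappa.to_bytes(2, "big")
    ks = hashlib.sha256(key + b"enc").digest()
    ct = bytes(a ^ b for a, b in zip(m, ks))
    mac_key = hashlib.sha256(key + b"mac").digest()
    return ct + hmac.new(mac_key, ct, "sha256").digest()[:16]


def ae_decrypt(kappa, chi):
    key = kappa.to_bytes(2, "big")
    ct, tag = chi[:-16], chi[-16:]
    mac_key = hashlib.sha256(key + b"mac").digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, "sha256").digest()[:16]):
        return None                                   # integrity check failed: bottom
    ks = hashlib.sha256(key + b"enc").digest()
    return bytes(a ^ b for a, b in zip(ct, ks))


def aiae_encrypt(rng, pars, k, m, ai):
    """AIAE.Encrypt: C = (g1^w, g2^w), t = H(C, ai), kappa = Lambda_k(C, t), chi = AE(kappa, m)."""
    w = rng.randrange(1, N)
    C = (pow(pars[0], w, NB), pow(pars[1], w, NB))
    return C, ae_encrypt(thps_lambda(k, C, tag_hash(C, ai)), m)


def aiae_decrypt(k, aiaec, ai):
    C, chi = aiaec
    if not (is_qr(C[0]) and is_qr(C[1])) or C == (1, 1):
        return None                                   # C outside QR_{N_bar}^2 \ {(1,1)}
    return ae_decrypt(thps_lambda(k, C, tag_hash(C, ai)), chi)


def demo(seed=7):
    rng = random.Random(seed)
    pars = (sample_generator(rng), sample_generator(rng))
    hk = tuple(rng.randrange(N) for _ in range(4))
    pk = thps_mu(pars, hk)
    ai, m = b"constructed auxiliary input", b"constructed message"   # constructed inputs
    out = {}
    aiaec = aiae_encrypt(rng, pars, hk, m, ai)
    out["roundtrip"] = aiae_decrypt(hk, aiaec, ai)
    # projective property: Pub with witness w equals Lambda_hk on C = (g1^w, g2^w)
    w, t = rng.randrange(1, N), rng.randrange(N)
    C = (pow(pars[0], w, NB), pow(pars[1], w, NB))
    out["projective"] = thps_pub(pk, w, t) == thps_lambda(hk, C, t)
    # key-homomorphism (28): Lambda_{a*hk+b} = Lambda_hk^a * Lambda_b, the RKA workhorse
    a = rng.randrange(1, N)
    b = tuple(rng.randrange(N) for _ in range(4))
    hk_ab = tuple((a * x + y) % N for x, y in zip(hk, b))
    out["key_hom"] = thps_lambda(hk_ab, C, t) == \
        pow(thps_lambda(hk, C, t), a, NB) * thps_lambda(b, C, t) % NB
    # a ciphertext made under the related key a*hk+b decrypts under that key
    out["related_key"] = aiae_decrypt(hk_ab, aiae_encrypt(rng, pars, hk_ab, m, ai), ai)
    # a different ai gives a different t and kappa, so the AE tag no longer verifies
    ai2, C0 = ai + b"!", aiaec[0]
    while thps_lambda(hk, C0, tag_hash(C0, ai2)) == thps_lambda(hk, C0, tag_hash(C0, ai)):
        ai2 += b"!"                                   # toy group is tiny: skip a rare kappa collision
    out["wrong_ai"] = aiae_decrypt(hk, aiaec, ai2)
    return out
```

Running `demo()` returns the round-tripped message, `True` for both the projective and key-homomorphism checks, the message again under the related key, and `None` for the tampered `ai`; `check_params()` confirms the toy $p$, $q$ and $\bar N$ satisfy what $\mathrm{GenN}$ demands.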
4. PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security

Denote by $\mathrm{AIAE}_{\mathrm{DDH}} = (\mathrm{AIAE.ParGen}, \mathrm{AIAE.Encrypt}, \mathrm{AIAE.Decrypt})$ the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^4$. We need two other building blocks following the approach in Figure 1.

(i) KEM: to be compatible with this $\mathrm{AIAE}_{\mathrm{DDH}}$, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
(ii) $\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$ so that, after a computationally indistinguishable change, $\mathcal{E}.\mathrm{Encrypt}$ can serve as an entropy filter for the affine function set.

The proposed PKE scheme $\mathrm{PKE} = (\mathrm{ParGen}, \mathrm{KeyGen}, \mathrm{Encrypt}, \mathrm{Decrypt})$ is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.

The correctness of PKE is guaranteed by the correctness of $\mathrm{AIAE}_{\mathrm{DDH}}$, $\mathcal{E}$, and KEM.

Theorem 24. If (i) the DCR assumption holds for $\mathrm{GenN}$ and $QR_{N^s}$, (ii) $\mathrm{AIAE}_{\mathrm{DDH}}$ is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for $\mathrm{GenN}$ and $SCR_{N^s}$, then the proposed scheme PKE in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.

Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, querying the encrypt oracle at most $Q_e$ times and the decrypt oracle at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.

In the proof, $G_1$-$G_2$ deal with the $n$-user case; $G_3$-$G_4$ are used to eliminate the utilization of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^{4}$ in the encrypt oracle; the aim of $G_5$-$G_6$ is to use $(x_j, y_j)_{j=1}^{4} \bmod N$ to hide a base key $\mathbf{k}^* = (k^*_1, \dots, k^*_4)$ of $\mathrm{AIAE}_{\mathrm{DDH}}$ in the encrypt oracle; $G_7$-$G_8$ are used to eliminate the utilization of $(x_j, y_j)_{j=1}^{4} \bmod N$ in the decrypt oracle; in $G_9$-$G_{10}$ the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$ leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^* = (k^*_1, \dots, k^*_4)$ is now concealed by $(x_j, y_j)_{j=1}^{4} \bmod N$ perfectly.

Game $G_0$. It is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta' = \beta$ by $\mathsf{Succ}$. According to the definition, $\mathrm{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathrm{PKE}, \mathcal{A}}(\lambda) = |\Pr_0[\mathsf{Succ}] - 1/2|$.

For the $i$-th user, $i \in [n]$, let $\mathrm{pk}_i = (h_{i,1}, \dots, h_{i,4})$ and $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key, respectively.

Game $G_1$. It is identical to $G_0$ except for the way of answering the decrypt query $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$. More precisely, the challenger outputs $\bot$ if $\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$, where $\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ is the challenge ciphertext of the $\ell$-th encrypt oracle query $(f_\ell, i_\ell)$.

Case 1 ($(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i) = (\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle, i_\ell)$): decrypt will output $\bot$ in $G_0$, since $(\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle, i_\ell) \in \mathcal{Q}_{\mathrm{ENC}}$ is prohibited by decrypt.

Case 2 ($\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ but $i \ne i_\ell$): We show that in $G_0$ decrypt will output $\bot$ due to $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin RU_{N^2}$ with overwhelming probability. Recall that $u_{\ell,1} = g_1^{r_\ell}$, $u_{\ell,2} = g_2^{r_\ell}$, $e_{\ell,1} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}}$, so
$$e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}} \cdot \big(g_1^{r_\ell}\big)^{x_{i,1}} \big(g_2^{r_\ell}\big)^{y_{i,1}} = \big(h_{i_\ell,1} h_{i,1}^{-1}\big)^{r_\ell} T^{k_{\ell,1}} \bmod N^2, \qquad (29)$$
where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$-th user and the $i$-th user, respectively, and are uniformly random over $SCR_{N^s}$.
Figure 8: Construction of PKE from $\mathrm{AIAE}_{\mathrm{DDH}}$ (algorithms recovered from the figure). The shadowed parts of the figure highlight the algorithms of KEM and $\mathcal{E}$. Here $p, q$ in $\mathrm{pars}_{\mathrm{AIAE}}$ are not provided in $\mathrm{pars}'_{\mathrm{AIAE}}$ since they are not used in $\mathrm{AIAE.Encrypt}$ and $\mathrm{AIAE.Decrypt}$ of $\mathrm{AIAE}_{\mathrm{DDH}}$.

$\mathrm{ParGen}(1^\lambda)$: $\mathrm{pars}_{\mathrm{AIAE}} = (N, p, q, \bar N, \bar g_1, \bar g_2, \mathrm{pars}_{\mathrm{AE}}, H) \leftarrow_\$ \mathrm{AIAE.ParGen}(1^\lambda)$, where $N = pq$, $\bar N = 2N + 1$, $\bar g_1, \bar g_2 \in QR_{\bar N}$; set $\mathrm{pars}'_{\mathrm{AIAE}} = (N, \bar N, \bar g_1, \bar g_2, \mathrm{pars}_{\mathrm{AE}}, H)$; $g_1, g_2, g_3, g_4, g_5 \leftarrow_\$ SCR_{N^s}$. Output $\mathrm{pars} = (\mathrm{pars}'_{\mathrm{AIAE}}, g_1, g_2, g_3, g_4, g_5)$.

$\mathrm{KeyGen}(\mathrm{pars})$: $x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4 \leftarrow_\$ [\lfloor N^2/4 \rfloor]$; $(h_1, h_2, h_3, h_4) = (g_1^{-x_1} g_2^{-y_1}, g_2^{-x_2} g_3^{-y_2}, g_3^{-x_3} g_4^{-y_3}, g_4^{-x_4} g_5^{-y_4}) \bmod N^s$; $\mathrm{pk} = (h_1, h_2, h_3, h_4)$, $\mathrm{sk} = (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4)$. Output $(\mathrm{pk}, \mathrm{sk})$.

$\mathrm{Encrypt}(\mathrm{pk}, m)$ for $m \in [N^{s-1}]$: $(\mathbf{k}, \mathrm{ai}) \leftarrow_\$ \mathrm{KEM.Encrypt}(\mathrm{pk})$; $\mathcal{E}c \leftarrow_\$ \mathcal{E}.\mathrm{Encrypt}(\mathrm{pk}, m)$; $\mathrm{aiaec} \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}, \mathcal{E}c, \mathrm{ai})$. Output $\langle \mathrm{ai}, \mathrm{aiaec} \rangle$.
  $\mathrm{KEM.Encrypt}(\mathrm{pk})$: $\mathbf{k} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$; $r \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_1, u_2, u_3, u_4, u_5) = (g_1^{r}, g_2^{r}, g_3^{r}, g_4^{r}, g_5^{r}) \bmod N^2$; $(e_1, e_2, e_3, e_4) = (h_1^{r} T^{k_1}, h_2^{r} T^{k_2}, h_3^{r} T^{k_3}, h_4^{r} T^{k_4}) \bmod N^2$; $\mathrm{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$. Output $(\mathbf{k}, \mathrm{ai})$.
  $\mathcal{E}.\mathrm{Encrypt}(\mathrm{pk}, m)$: $r_1, r_2, r_3, r_4 \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(\tilde u_1, \dots, \tilde u_8) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$; $e = h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^{m} \bmod N^s$; $t = g_1^{m} \bmod N$; $\mathcal{E}c = (\tilde u_1, \dots, \tilde u_8, e, t)$. Output $\mathcal{E}c$.

$\mathrm{Decrypt}(\mathrm{sk}, \langle \mathrm{ai}, \mathrm{aiaec} \rangle)$: $\mathbf{k}/\bot \leftarrow \mathrm{KEM.Decrypt}(\mathrm{sk}, \mathrm{ai})$; $\mathcal{E}c/\bot \leftarrow \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai})$; $m/\bot \leftarrow \mathcal{E}.\mathrm{Decrypt}(\mathrm{sk}, \mathcal{E}c)$.
  $\mathrm{KEM.Decrypt}(\mathrm{sk}, \mathrm{ai})$: parse $\mathrm{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$. If $e_1 u_1^{x_1} u_2^{y_1},\ e_2 u_2^{x_2} u_3^{y_2},\ e_3 u_3^{x_3} u_4^{y_3},\ e_4 u_4^{x_4} u_5^{y_4} \in RU_{N^2}$: $\mathbf{k} = (k_1, k_2, k_3, k_4) = \big(\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}), \mathrm{dlog}_T(e_2 u_2^{x_2} u_3^{y_2}), \mathrm{dlog}_T(e_3 u_3^{x_3} u_4^{y_3}), \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})\big) \bmod N$; output $\mathbf{k}$. Else output $\bot$.
  $\mathcal{E}.\mathrm{Decrypt}(\mathrm{sk}, \mathcal{E}c)$: parse $\mathcal{E}c = (\tilde u_1, \dots, \tilde u_8, e, t)$. If $e \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4} \in RU_{N^s}$: $m = \mathrm{dlog}_T\big(e \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4}\big) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$ output $m$, else output $\bot$. Else output $\bot$.
So $h_{i_\ell,1} h_{i,1}^{-1} \ne 1$; hence $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin RU_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus $G_0$ and $G_1$ are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$ according to the union bound, and $|\Pr_0[\mathsf{Succ}] - \Pr_1[\mathsf{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Game $G_2$. It is identical to $G_1$ except for the way the challenger samples the secret keys $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game $G_2$, the challenger first chooses $(x_1, y_1, \dots, x_4, y_4)$ and $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$; next it computes $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) := (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.

Obviously, the secret keys $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence $G_2$ is identical to $G_1$, and $\Pr_1[\mathsf{Succ}] = \Pr_2[\mathsf{Succ}]$.

Game $G_3$. It is identical to $G_2$ except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game $G_3$, instead of using the public key $\mathrm{pk}_{i_\ell} = (h_{i_\ell,1}, \dots, h_{i_\ell,4})$, the challenger uses the secret key $\mathrm{sk}_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \dots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell,1}, \dots, e_{\ell,4})$ and $e_\ell$ in the following way:

(i)
$$(e_{\ell,1}, \dots, e_{\ell,4}) := \big(u_{\ell,1}^{-x_{i_\ell,1}} u_{\ell,2}^{-y_{i_\ell,1}} T^{k_{\ell,1}}, \ \dots, \ u_{\ell,4}^{-x_{i_\ell,4}} u_{\ell,5}^{-y_{i_\ell,4}} T^{k_{\ell,4}}\big) \bmod N^2; \qquad (30)$$

(ii)
$$e_\ell := \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \tilde u_{\ell,3}^{-x_{i_\ell,2}} \tilde u_{\ell,4}^{-y_{i_\ell,2}} \tilde u_{\ell,5}^{-x_{i_\ell,3}} \tilde u_{\ell,6}^{-y_{i_\ell,3}} \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \qquad (31)$$

Note that for $j \in [4]$,
$$e_{\ell,j} \overset{G_2}{=} h_{i_\ell,j}^{r_\ell} T^{k_{\ell,j}} = \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_\ell} T^{k_{\ell,j}} \overset{G_3}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} \bmod N^2,$$
Table 2: Brief description of the security proof of Theorem 24. Each row gives the changes between adjacent games and the assumption that bounds the difference.

$G_0$: The original $n$-KDM-CCA security game. Assumption: none.

$G_1$: decrypt: reject if $\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$. $G_0 \approx_s G_1$.

$G_2$: initialize: sample secret keys with $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) = (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$. $G_1 = G_2$.

$G_3$: encrypt$(f_\ell, i_\ell)$: use the secret keys to run $\mathrm{KEM.Encrypt}$ and $\mathcal{E}.\mathrm{Encrypt}$. $G_2 = G_3$.

$G_4$: encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of the secret keys, $\mathcal{E}c$ is computed with $(\tilde u_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \dots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \dots, g_5^{r_{\ell,4}})$. encrypt does not use $(x_j, y_j)_{j=1}^{4} \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen. $G_3 \approx_c G_4$ by IV$_5$.

$G_5$: encrypt$(f_\ell, i_\ell)$: $\mathrm{kem.ct}$ $(= \mathrm{ai})$ of $\mathrm{KEM.Encrypt}$ is computed with $(u_{\ell,j})_{j \in [5]} = \big((g_j^{r^*} T^{\alpha_j})^{r_\ell}\big)_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now $\mathrm{KEM.Encrypt}$ encapsulates the four keys $\big(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j})\big)_{j=1}^{4} \bmod N$, but $(k_{\ell,j})_{j=1}^{4}$ is the key used in $\mathrm{AIAE.Encrypt}$. $G_4 \approx_c G_5$ by IV$_5$.

$G_6$: encrypt$(f_\ell, i_\ell)$: sample $k_{\ell,j} := r_\ell k^*_j + s_{\ell,j}$ for $j \in [4]$. Now $\mathrm{KEM.Encrypt}$ encapsulates the four keys $\big(r_\ell (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell (\alpha_j \bar x_{i,j} + \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j}\big)_{j=1}^{4}$, but $(r_\ell k^*_j + s_{\ell,j})_{j=1}^{4}$ is the key used in $\mathrm{AIAE.Encrypt}$. $G_5 = G_6$.

$G_7$: decrypt: use $\phi(N)$ and the secret keys to answer decryption queries. $G_6 = G_7$.

$G_8$: decrypt: add an additional rejection rule. Reject if $\mathsf{Bad}' = (\exists\, u_j \notin SCR_{N^2})$ or $\widetilde{\mathsf{Bad}} = (\forall\, u_j \in SCR_{N^2}) \wedge (\exists\, \tilde u_j \notin SCR_{N^s})$ happens. $\mathsf{Bad}'$ and $\widetilde{\mathsf{Bad}}$ can be detected by using $\phi(N)$. Now only the $(\bmod\ \phi(N)/4)$ part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^{4} \bmod N$ perfectly hides $(k^*_1, \dots, k^*_4)$ in encrypt; thus $(k^*_1, \dots, k^*_4)$ is uniform. $(r_\ell k^*_j + s_{\ell,j})_{j=1}^{4}$ is the key used in $\mathrm{AIAE.Encrypt}$. $\mathsf{Bad}'$ may lead to a fresh successful forgery for $\mathrm{AIAE}_{\mathrm{DDH}}$. $G_7 = G_8$ if neither $\mathsf{Bad}'$ nor $\widetilde{\mathsf{Bad}}$ happens; $\Pr[\mathsf{Bad}'] = \mathrm{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$.

$G_9$: initialize: sample an independent random tuple $(k^*_1, \dots, k^*_4)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell k^*_j + s_{\ell,j})_{j=1}^{4}$ in $\mathrm{AIAE.Encrypt}$. $G_8 = G_9$ to the adversary.

$G_{10}$: encrypt: encrypt zeros instead of the affine function of the secret keys. $\widetilde{\mathsf{Bad}}$ happens with negligible probability since $t = g_1^{m} \bmod N$ in decrypt. Adversary $\mathcal{A}$ wins with probability $1/2$. $G_9 \approx_c G_{10}$ by the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$; $\Pr[\widetilde{\mathsf{Bad}}] = \mathrm{negl}$.
$$e_\ell \overset{G_2}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{m_\beta} = \big(g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}}\big)^{r_{\ell,1}} \cdots \big(g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}}\big)^{r_{\ell,4}} T^{m_\beta} \overset{G_3}{=} \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \qquad (32)$$

Thus $G_3$ is the same as $G_2$, and $\Pr_2[\mathsf{Succ}] = \Pr_3[\mathsf{Succ}]$.

Game $G_4$. It is identical to $G_3$ except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game $G_4$, in the case of $\beta = 1$, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and $e_\ell$ are computed without the use of $(x_1, y_1, \dots, x_4, y_4) \bmod N$:

(i)
$$(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8}) := \Big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^{n} a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^{n} b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^{n} a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^{n} b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^{n} a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^{n} b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^{n} a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^{n} b_{i,4}}\Big) \bmod N^s; \qquad (33)$$

(ii)
$$e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} \, T^{\sum_{i=1}^{n} \sum_{j=1}^{4} \left( a_{i,j} (\bar x_{i,j} - \bar x_{i_\ell,j}) + b_{i,j} (\bar y_{i,j} - \bar y_{i_\ell,j}) \right) + c} \bmod N^s, \qquad (34)$$
where $f_\ell = \big(\{a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c\big) \in \mathcal{F}_{\mathrm{aff}}$. Note that
$$\begin{aligned}
e_\ell &\overset{G_4}{=} \prod_{j=1}^{4} h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^{n} \sum_{j=1}^{4} \left( a_{i,j} (\bar x_{i,j} - \bar x_{i_\ell,j}) + b_{i,j} (\bar y_{i,j} - \bar y_{i_\ell,j}) \right) + c} \\
&= \prod_{j=1}^{4} h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^{n} \sum_{j=1}^{4} \left( a_{i,j} (x_{i,j} - x_{i_\ell,j}) + b_{i,j} (y_{i,j} - y_{i_\ell,j}) \right) + c} \\
&= \prod_{j=1}^{4} \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^{n} \sum_{j=1}^{4} \left( a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j} \right)} \\
&= \prod_{j=1}^{4} \big(g_j^{r_{\ell,j}} T^{\sum_{i=1}^{n} a_{i,j}}\big)^{-x_{i_\ell,j}} \big(g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^{n} b_{i,j}}\big)^{-y_{i_\ell,j}} \cdot T^{m_1} \\
&= \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_1} \bmod N^s,
\end{aligned} \qquad (35)$$
where the third equality follows from $m_1 = \sum_{i=1}^{n} (a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}) + c$.

We analyze the difference between $G_3$ and $G_4$ via the following lemma.

Lemma 25. One has $|\Pr_3[\mathsf{Succ}] - \Pr_4[\mathsf{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is the same in $G_3$ and $G_4$. Therefore, the only divergence between $G_3$ and $G_4$ lies in $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$.

We show that any difference between $G_3$ and $G_4$ results in a PPT adversary $\mathcal{B}_1$ solving the IV$_5$ problem. $\mathcal{B}_1$ is provided with $(N, g_1, \dots, g_5)$ and has access to its $\mathrm{chal}^{b}_{\mathrm{IV}_5}$ oracle. $\mathcal{B}_1$ simulates game $G_3$ or game $G_4$ for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares $\mathrm{pars}$ and generates $(\mathrm{pk}_i, \mathrm{sk}_i)$, $i \in [n]$, as in $G_3$ and $G_4$. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = (\{a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathrm{chal}^{b}_{\mathrm{IV}_5}$ oracle with $(\sum_{i=1}^{n} a_{i,1}, \sum_{i=1}^{n} b_{i,1}, *, *, *)$, $(*, \sum_{i=1}^{n} a_{i,2}, \sum_{i=1}^{n} b_{i,2}, *, *)$, $(*, *, \sum_{i=1}^{n} a_{i,3}, \sum_{i=1}^{n} b_{i,3}, *)$, $(*, *, *, \sum_{i=1}^{n} a_{i,4}, \sum_{i=1}^{n} b_{i,4})$, where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde u_{\ell,1}, \tilde u_{\ell,2}, *, *, *)$, $(*, \tilde u_{\ell,3}, \tilde u_{\ell,4}, *, *)$, $(*, *, \tilde u_{\ell,5}, \tilde u_{\ell,6}, *)$, $(*, *, *, \tilde u_{\ell,7}, \tilde u_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathrm{chal}^{b}_{\mathrm{IV}_5}$ oracle, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $\big(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}}\big)$.
Case 2 ($b = 1$): $\big(g_1^{r_{\ell,1}} T^{\sum_{i} a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i} b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i} a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i} b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i} a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i} b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i} a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i} b_{i,4}}\big)$.

Next, $\mathcal{B}_1$ uses the obtained $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$ since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs $1$ if the event $\mathsf{Succ}$ occurs.

In Case 1, $\mathcal{B}_1$ simulates game $G_3$ perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game $G_4$ perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathsf{Succ}]$ and $\Pr_4[\mathsf{Succ}]$ results in $\mathcal{B}_1$'s advantage over the IV$_5$ problem. Thus Lemma 25 follows.

Game $G_5$. It is identical to $G_4$ except for the following differences. In the initialize procedure of game $G_5$, the challenger picks $r^* \leftarrow_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \dots, \alpha_5 \leftarrow_\$ \mathbb{Z}_N$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \dots, u_{\ell,5})$ as follows:

(i) $(u_{\ell,1}, \dots, u_{\ell,5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$.

The only difference between $G_4$ and $G_5$ is the distribution of $(u_{\ell,1}, \dots, u_{\ell,5})$. In game $G_4$, $(u_{\ell,1}, \dots, u_{\ell,5}) = (g_1^{r_\ell}, \dots, g_5^{r_\ell}) \bmod N^2$, while in game $G_5$, $(u_{\ell,1}, \dots, u_{\ell,5}) = ((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}) \bmod N^2$. Just like Lemma 25, any difference between $G_4$ and $G_5$ results in a PPT adversary solving the IV$_5$ problem by invoking $\mathcal{A}$. Therefore $|\Pr_4[\mathsf{Succ}] - \Pr_5[\mathsf{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Game $G_6$. It is identical to $G_5$ except for the following differences. In the initialize procedure of game $G_6$, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \dots, e_{\ell,4})$ in a different way:

(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_\$ (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \dots, r_\ell k^*_4 + s_{\ell,4})$.

(ii)
$$(e_{\ell,1}, \dots, e_{\ell,4}) := \Big(h_{i_\ell,1}^{r^* r_\ell} \, T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}}, \ \dots, \ h_{i_\ell,4}^{r^* r_\ell} \, T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\Big). \qquad (36)$$

Clearly, $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game $G_5$. In the meantime, for $j \in [4]$ we have
$$\begin{aligned}
e_{\ell,j} &\overset{G_5}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} = \big(g_j^{r^*} T^{\alpha_j}\big)^{-r_\ell \cdot x_{i_\ell,j}} \big(g_{j+1}^{r^*} T^{\alpha_{j+1}}\big)^{-r_\ell \cdot y_{i_\ell,j}} T^{k_{\ell,j}} \\
&= \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r^* r_\ell} \, T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \overset{G_6}{=} h_{i_\ell,j}^{r^* r_\ell} \, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned} \qquad (37)$$

Thus $G_6$ is the same as $G_5$, and $\Pr_5[\mathsf{Succ}] = \Pr_6[\mathsf{Succ}]$.

Game $G_7$. It is identical to $G_6$ except for the way the challenger answers the decrypt oracle queries $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$. In game $G_7$, it uses $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathrm{ai}, \mathrm{aiaec} \rangle$, where $\mathrm{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \dots, k_4)$ and $m$ in the following way:

(i)
$$(\alpha'_1, \dots, \alpha'_5) := \Big(\frac{\mathrm{dlog}_T(u_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(u_5^{\phi(N)})}{\phi(N)}\Big) \bmod N, \qquad (\gamma'_1, \dots, \gamma'_4) := \Big(\frac{\mathrm{dlog}_T(e_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(e_4^{\phi(N)})}{\phi(N)}\Big) \bmod N,$$
$$\mathbf{k} = (k_1, \dots, k_4) := \big(\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1, \ \dots, \ \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4\big) \bmod N. \qquad (38)$$

(ii)
$$\mathcal{E}c = (\tilde u_1, \dots, \tilde u_8, e, t) / \bot \leftarrow \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}). \qquad (39)$$

(iii)
$$(\tilde\alpha_1, \dots, \tilde\alpha_8) := \Big(\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}\Big) \bmod N^{s-1}, \qquad \tilde\gamma := \frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)} \bmod N^{s-1},$$
$$m := \tilde\alpha_1 x_{i,1} + \tilde\alpha_2 y_{i,1} + \tilde\alpha_3 x_{i,2} + \tilde\alpha_4 y_{i,2} + \tilde\alpha_5 x_{i,3} + \tilde\alpha_6 y_{i,3} + \tilde\alpha_7 x_{i,4} + \tilde\alpha_8 y_{i,4} + \tilde\gamma \bmod N^{s-1}. \qquad (40)$$
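As an added example that is not code from the paper, the Python program below instantiates the KEM of Figure 8 on toy parameters and decrypts a KEM ciphertext both the ordinary way ($k_j = \mathrm{dlog}_T(e_j u_j^{x_j} u_{j+1}^{y_j})$) and the $G_7$ way via $\phi(N)$ (equation (38)), then does the same for a $G_5$/$G_6$-style $\mathrm{ai}$ whose $u_j = (g_j^{r^*} T^{\alpha_j})^{r_\ell}$ carry a $T$-component: the $\phi(N)$ route recovers $\alpha'_j = r_\ell \alpha_j$ and still returns the same key, and a nonzero $\alpha'_j$ is exactly what the $G_8$ rejection rule keys on. My own choices: $p = 7$, $q = 107$ ($N = 749$), $s = 2$, $\mathrm{dlog}_T(1 + mN) = m$ for $T = 1 + N$, and $SCR_{N^2}$ sampled as $x^{2N} \bmod N^2$; these sizes are for illustration only.

```python
# Added example, not from the paper: toy instance of the KEM in Figure 8 and of the
# phi(N)-based decryption of game G7 (equations (38) and (41)), with s = 2.
# Toy parameters (insecure): p = 7, q = 107 safe primes, N = pq = 749.
import random

P, Q = 7, 107
N = P * Q                      # 749
N2 = N * N
PHI = (P - 1) * (Q - 1)        # phi(N) = 636, coprime to N
T = 1 + N                      # T^m = 1 + mN mod N^2, so T generates RU_{N^2}


def dlog_T(v):
    """dlog_T on RU_{N^2} = {T^m}: T^m = 1 + mN mod N^2, hence m = (v - 1)/N mod N."""
    assert v % N == 1, "not in RU_{N^2}"
    return ((v - 1) // N) % N


def sample_scr(rng):
    """Element of SCR_{N^2} = {x^(2N) mod N^2}: the subgroup of order p'q' = phi(N)/4."""
    while True:
        x = rng.randrange(2, N2)
        if x % P and x % Q:
            return pow(x, 2 * N, N2)


def keygen(rng, g):
    """sk = (x_j, y_j)_{j in [4]} from [N^2/4]; pk: h_j = g_j^(-x_j) g_(j+1)^(-y_j) mod N^2."""
    sk = [(rng.randrange(N2 // 4), rng.randrange(N2 // 4)) for _ in range(4)]
    pk = [pow(g[j], -x, N2) * pow(g[j + 1], -y, N2) % N2 for j, (x, y) in enumerate(sk)]
    return pk, sk


def kem_encrypt(rng, g, pk):
    """KEM.Encrypt: u_j = g_j^r, e_j = h_j^r T^(k_j); ai = (u_1..u_5, e_1..e_4)."""
    k = [rng.randrange(N) for _ in range(4)]
    r = rng.randrange(1, N // 4)
    u = [pow(gj, r, N2) for gj in g]
    e = [pow(pk[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return k, (u, e)


def kem_decrypt(sk, ai):
    """KEM.Decrypt of Figure 8: k_j = dlog_T(e_j u_j^(x_j) u_(j+1)^(y_j)), or bottom."""
    u, e = ai
    k = []
    for j, (x, y) in enumerate(sk):
        v = e[j] * pow(u[j], x, N2) * pow(u[j + 1], y, N2) % N2
        if v % N != 1:                       # not in RU_{N^2}: reject
            return None
        k.append(dlog_T(v))
    return k


def kem_decrypt_g7(sk, ai):
    """G7 decryption per (38): recover k from phi(N) only; alpha'_j != 0 is the G8 rejection signal."""
    u, e = ai
    inv_phi = pow(PHI, -1, N)
    alpha = [dlog_T(pow(uj, PHI, N2)) * inv_phi % N for uj in u]    # alpha'_1 .. alpha'_5
    gamma = [dlog_T(pow(ej, PHI, N2)) * inv_phi % N for ej in e]    # gamma'_1 .. gamma'_4
    k = [(alpha[j] * x + alpha[j + 1] * y + gamma[j]) % N for j, (x, y) in enumerate(sk)]
    return k, alpha, any(a != 0 for a in alpha)


def g5_style_ai(g, sk, k, alphas, r_star, r_l):
    """G5/G6 form: u_j = (g_j^(r*) T^(alpha_j))^(r_l), e_j = u_j^(-x_j) u_(j+1)^(-y_j) T^(k_j)."""
    u = [pow(pow(gj, r_star, N2) * pow(T, a, N2) % N2, r_l, N2) for gj, a in zip(g, alphas)]
    e = [pow(u[j], -x, N2) * pow(u[j + 1], -y, N2) * pow(T, k[j], N2) % N2
         for j, (x, y) in enumerate(sk)]
    return u, e


def demo(seed=1):
    rng = random.Random(seed)
    g = [sample_scr(rng) for _ in range(5)]
    pk, sk = keygen(rng, g)
    out = {}
    k, ai = kem_encrypt(rng, g, pk)
    out["k"] = k
    out["k_direct"] = kem_decrypt(sk, ai)
    out["k_g7"], out["alpha_honest"], out["bad_honest"] = kem_decrypt_g7(sk, ai)
    # G5-style ai: same key k, but each u_j now carries the factor T^(r_l alpha_j)
    alphas = [rng.randrange(N) for _ in range(5)]
    r_star, r_l = rng.randrange(1, N // 4), rng.randrange(1, N // 4)
    ai5 = g5_style_ai(g, sk, k, alphas, r_star, r_l)
    out["k5_direct"] = kem_decrypt(sk, ai5)
    out["k5_g7"], out["alpha5"], out["bad5"] = kem_decrypt_g7(sk, ai5)
    out["alpha5_expected"] = [r_l * a % N for a in alphas]
    return out
```

For the honest ciphertext every $\alpha'_j$ is $0$ (each $u_j$ lies in $SCR_{N^2}$, so $u_j^{\phi(N)} = 1$) and both decryptions return the encapsulated key; for the $G_5$-style ciphertext the $\phi(N)$ route reads off $\alpha'_j = r_\ell \alpha_j \bmod N$ and still returns the same key, which is the identity (41) in action. Note that the $G_7$ decryptor uses $\mathrm{sk}$ only through $\alpha'_j x + \alpha'_{j+1} y \bmod N$, which is why the proof can later drop the $(\bmod N)$ part of the secret keys from decrypt.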
According to (8) for 119895 isin [4] we have that119896119895 G6= 119889 log119879 (119890119895119906119909119894119895119895 119906119910119894119895119895+1)= 119889 log119879 (119890119895119906119909119894119895119895 119906119910119894119895119895+1)120601(119873)
120601 (119873) mod119873= 119889 log119879 (119906120601(119873)sdot119909119894119895
119895 )120601 (119873) + 119889 log119879 (119906120601(119873)sdot119910119894119895119895+1 )120601 (119873)
+ 119889 log119879 (119890120601(119873)119895 )120601 (119873)
G7= 119889 log119879 (119906120601(119873)119895 )120601 (119873)⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
1205721015840119895
sdot 119909119894119895 + 119889 log119879 (119906120601(119873)119895+1 )120601 (119873)⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
1205721015840119895+1
sdot 119910119894119895+ 119889 log119879 (119890120601(119873)
119895 )120601 (119873)⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟1205741015840119895
119898 G6= 119889 log119879 (11989011990911989411 11991011989412 11990911989423 11991011989424 11990911989435 11991011989436 11990911989447 11991011989448 )mod119873119904minus1
G7= 119889 log119879 (120601(119873)1 )120601 (119873)⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
1
sdot 1199091198941 + sdot sdot sdot + 119889 log119879 (120601(119873)8 )120601 (119873)⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
8
sdot 1199101198944 + 119889 log119879 (119890120601(119873))120601 (119873)⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟120574
(41)
Hence G7 is essentially the same as G6 and Pr6[Succ] =Pr7[Succ]GameG8 It is identical toG7 except the way of answering thedecrypt oracle queries (⟨ai aiaec⟩ 119894 isin [119899]) More preciselya rejection rule is added in decrypt
(i) If 12057210158401 = 0 or sdot sdot sdot or 12057210158405 = 0 or 1 = 0 or sdot sdot sdot or 8 = 0 outputperpDenote by Bad the event thatA ever queries the decrypt
oracle with (⟨ai aiaec⟩ 119894 isin [119899]) satisfying119890111990611990911989411 11990611991011989412 119890411990611990911989444 11990611991011989445 isin RU1198732and AIAEDecrypt (k aiaec ai) =perp (42)
and 11989011990911989411 11991011989412 11990911989423 11991011989424 11990911989435 11991011989436 11990911989447 11991011989448 isin RU119873119904and 119905 = 1198921198981 mod119873 (43)
and (12057210158401 = 0 or sdot sdot sdot or 12057210158405 = 0 or 1 = 0 or sdot sdot sdot or 8 = 0) (44)
Obviously G8 is identical to G7 unless Bad occurs Thus|Pr7[Succ] minus Pr8[Succ]| le Pr8[Bad]To show the computational indistinguishability ofG7 and
G8 wemust prove that Pr8[Bad] is negligible To this endBadis divided into two subevents
(i) Bad1015840 A ever queries the decrypt oracle with (⟨aiaiaec⟩ 119894 isin [119899]) satisfying
Conditions (42) (43) and (12057210158401 = 0 or sdot sdot sdot or 12057210158405 = 0) (45)
(ii) Bad A ever queries the decrypt oracle with (⟨aiaiaec⟩ 119894 isin [119899]) satisfyingConditions (42) (43) and (12057210158401 = sdot sdot sdot = 12057210158405 = 0)and (1 = 0 or sdot sdot sdot or 8 = 0) (46)
Obviously Pr8[Bad] le Pr8[Bad1015840] + Pr8[Bad] We will deferthe analysis of Pr8[Bad] to subsequent games Through thefollowing lemma we provide the analysis of Pr8[Bad1015840]Lemma 26 One has Pr8[Bad1015840] le 2119876119889 sdot Advweak-int-rkaAIAEDDH
(120582)
18 Security and Communication Networks
Proof. In decrypt of game $G_8$, the challenger will reply $\perp$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and ${}_1 = \cdots = {}_8 = 0$. Consequently, the $(\bmod\ \phi(N)/4)$ part of $\mathrm{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, together with the value of $\phi(N)$ is enough for answering decrypt queries. In particular, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not necessary in decrypt.

Bad′ is further divided into the following two subevents:

(i) Bad′-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec}\rangle, i \in [n])$ satisfying

$$\text{Conditions (42), (43) and } (\alpha'_1 \neq 0 \lor \cdots \lor \alpha'_5 \neq 0) \text{ and } \big(\exists j \in [4]:\ \alpha'_j/\alpha_j \neq \alpha'_{j+1}/\alpha_{j+1} \bmod N\big) \tag{47}$$

(ii) Bad′-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec}\rangle, i \in [n])$ satisfying

$$\text{Conditions (42), (43) and } (\alpha'_1 \neq 0 \lor \cdots \lor \alpha'_5 \neq 0) \text{ and } (\alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \bmod N) \tag{48}$$

Recall that $(\alpha_1, \ldots, \alpha_5)$ are chosen in initialize. We will consider the two subevents in game $G_8$ separately, via the following two claims.

Claim 27. One has $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In game $G_8$, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1)$, $(\alpha_2 x_2 + \alpha_3 y_2)$, $(\alpha_3 x_3 + \alpha_4 y_3)$, $(\alpha_4 x_4 + \alpha_5 y_4) \bmod N$: for $j \in [4]$,

$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{\,r^* r_\ell}\, T^{\,r_\ell\cdot(k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{\,r^* r_\ell}\, T^{\,r_\ell\cdot(\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{\triangleq\ {}_j} - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2
\end{aligned} \tag{49}$$

If Bad′-1 occurs, for concreteness say that $\alpha'_1/\alpha_1 \neq \alpha'_2/\alpha_2 \bmod N$, then

$$k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar{x}_{i,1} + \alpha'_2 \bar{y}_{i,1} + \gamma'_1 \bmod N \tag{50}$$

where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_\$ \mathbb{Z}_N$, the probability of $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) \neq \perp$ is upper bounded by $\mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.
Claim 28. One has $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game $G_8$ the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values ${}_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, ${}_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, ${}_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, ${}_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt.

Note that, because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $({}_1, {}_2, {}_3, {}_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm that simulates decrypt and encrypt of game $G_8$ without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA encryption oracle of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathrm{pars}_{\mathrm{AIAE}})$, which has access to an encryptAIAE oracle, against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathrm{pars}_{\mathrm{AIAE}} = (N, p, q, \ldots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more, and it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either, and instead it chooses $\mathbf{k} = ({}_1, {}_2, {}_3, {}_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar{x}_{i,1}, \bar{y}_{i,1}, \ldots, \bar{x}_{i,4}, \bar{y}_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(\bar{x}_{i_\ell,j}, \bar{y}_{i_\ell,j}, {}_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(x_{i,j}, y_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $\mathrm{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(x_{i,j}, y_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathcal{E}c_\ell, \mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})\rangle)$ to its own encryptAIAE oracle and obtains $\mathrm{aiaec}_\ell$. The final ciphertext is $\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security game, the encryptAIAE oracle will encrypt $\mathcal{E}c_\ell$ with the auxiliary input $\mathrm{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$, that is, the encryptAIAE oracle behaves as $\mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}c_\ell, \mathrm{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to $G_8$. For decrypt, $\mathcal{B}_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like $G_8$.

Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec}\rangle, i \in [n])$ such that Bad′-2 occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,

$$\begin{aligned}
k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{=\ {}_j} - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j + \underbrace{\big(- r \cdot ({}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j\big)}_{\triangleq\ s_j} = r \cdot k^*_j + s_j \bmod N
\end{aligned} \tag{51}$$

Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4)\rangle$ as above using $(\bar{x}_{i,j}, \bar{y}_{i,j}, {}_j)_{j=1}^4$, and outputs $(\mathrm{ai}, \langle r, \mathbf{s}\rangle, \mathrm{aiaec})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathrm{ai}, \mathrm{aiaec}\rangle \neq \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell\rangle$ for all $\ell \in [Q_e]$; thus $(\mathrm{ai}, \langle r, \mathbf{s}\rangle, \mathrm{aiaec}) \neq (\mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell\rangle, \mathrm{aiaec}_\ell)$ will hold for all $\ell \in [Q_e]$, that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$, it clearly holds that $\gamma'_j = r_\ell \cdot ({}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot ({}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s}\rangle = \langle r_\ell, \mathbf{s}_\ell\rangle$. Obviously this satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.

(iii) Finally, if Bad′-2 occurs in this decryption query, then $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) \neq \perp$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, will imply that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game $G_9$. It is identical to $G_8$ except for the following differences. In the initialize procedure of game $G_9$, the challenger picks an independent $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \tilde{k}^*_2, \tilde{k}^*_3, \tilde{k}^*_4) \leftarrow_\$ (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathrm{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathrm{aiaec}_\ell$:

(i) $\mathbf{k}_\ell := (r_\ell \tilde{k}^*_1 + s_{\ell,1}, \ldots, r_\ell \tilde{k}^*_4 + s_{\ell,4})$;
(ii) $\mathrm{aiaec}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}c_\ell, \mathrm{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.

In $G_8$, the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,

$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{\,r^* r_\ell}\, T^{\,r_\ell\cdot(k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{\,r^* r_\ell}\, T^{\,r_\ell\cdot(k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2
\end{aligned} \tag{52}$$

Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Therefore the challenger could always employ another $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \ldots, \tilde{k}^*_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption in the encrypt oracle, as in $G_9$.

Then game $G_8$ and game $G_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathrm{Succ}] = \Pr_9[\mathrm{Succ}]$ and $\Pr_8[\mathrm{Bad}] = \Pr_9[\mathrm{Bad}]$.

Game $G_{10}$. It is identical to $G_9$ except for the way the challenger answers the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $G_{10}$ the challenger computes $\mathrm{aiaec}_\ell$ in the following way:

(i) $\mathrm{aiaec}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathrm{ai}_\ell)$.

Observe that in $G_9$ and $G_{10}$, $\tilde{\mathbf{k}}^*$ is employed only in the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption, which uses $\mathbf{k}_\ell = r_\ell \cdot \tilde{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between $G_9$ and $G_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathrm{Succ}] - \Pr_{10}[\mathrm{Succ}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\mathrm{Bad}] - \Pr_{10}[\mathrm{Bad}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in $G_{10}$ the challenger always computes the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathrm{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.

Lemma 29. One has $\Pr_{10}[\mathrm{Bad}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda)$.

Proof. In $G_{10}$, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathrm{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1)$, $(w_2 x_2 + w_3 y_2)$, $(w_3 x_3 + w_4 y_3)$, $(w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g\, g_j \bmod \phi(N)/4$ for some base $g \in \mathrm{SCR}_{N^s}$, $j \in [5]$.
Bad is further divided into the following two disjoint subevents:

(i) Bad-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec}\rangle, i \in [n])$ satisfying

$$\text{Conditions (42), (43) and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } ({}_1 \neq 0 \lor \cdots \lor {}_8 \neq 0) \text{ and } \big({}_1/w_1 \neq {}_2/w_2 \lor {}_3/w_2 \neq {}_4/w_3 \lor {}_5/w_3 \neq {}_6/w_4 \lor {}_7/w_4 \neq {}_8/w_5\big) \tag{53}$$

(ii) Bad-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec}\rangle, i \in [n])$ satisfying

$$\text{Conditions (42), (43) and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } ({}_1 \neq 0 \lor \cdots \lor {}_8 \neq 0) \text{ and } \big({}_1/w_1 = {}_2/w_2 \land {}_3/w_2 = {}_4/w_3 \land {}_5/w_3 = {}_6/w_4 \land {}_7/w_4 = {}_8/w_5\big) \tag{54}$$

We will analyze the two subevents in game $G_{10}$ separately, via the following two claims.

Claim 30. One has $\Pr_{10}[\mathrm{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Proof. If Bad-1 occurs, for concreteness say that ${}_1/w_1 \neq {}_2/w_2$, then

$$g_1^{m} = g_1^{\,{}_1 x_{i,1} + {}_2 y_{i,1} + \cdots} = g_1^{\,{}_1 x_1 + {}_2 y_1 + {}_1 \bar{x}_{i,1} + {}_2 \bar{y}_{i,1} + \cdots \ \bmod \phi(N)/4} \bmod N \tag{55}$$

and $({}_1 x_1 + {}_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m}$ is uniformly distributed over $\mathrm{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound, $\Pr_{10}[\mathrm{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Claim 31. One has $\Pr_{10}[\mathrm{Bad}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $G_{10}$, if Bad-2 occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ to the base $g$, where $g, h \in \mathrm{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathrm{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys in just the same way as initialize in $G_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $G_{10}$ does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g\, h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g\, g_j = z_j + w z'_j \bmod \phi(N)/4$.

If Bad-2 occurs in decrypt, for concreteness say that ${}_1/w_1 = {}_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{\,{}_1} = g_1^{\,{}_2} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1\,{}_2 = w_2\,{}_1 \bmod \phi(N)/4$, or equivalently

$$z_1\,{}_2 + w z'_1\,{}_2 = z_2\,{}_1 + w z'_2\,{}_1 \bmod \phi(N)/4 \tag{56}$$

Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1\,{}_2 - z'_2\,{}_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ will succeed in computing the discrete logarithm of $h$ to the base $g$ and output $w = (z'_1\,{}_2 - z'_2\,{}_1)^{-1} \cdot (z_2\,{}_1 - z_1\,{}_2) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\mathrm{Bad}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^{d}_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], which are polynomial-sized circuits computing $f \in \mathcal{F}^{d}_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathrm{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathrm{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables

How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^{8})$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^{8})$ monomial functions. Now this number is polynomial in $\lambda$.

The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathrm{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,

$$x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}. \tag{57}$$

Consequently, $f_\ell$ in the $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in the 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,

$$\begin{aligned}
f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) &= f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) \\
&= f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}
\end{aligned} \tag{58}$$

The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:

(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^{8})$ times, all the coefficients $a_{(c_1, \ldots, c_8)}$ can be extracted by solving the linear system of equations

$$f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} \tag{59}$$

The overall time complexity for computing the coefficients $a_{(c_1, \ldots, c_8)}$ is polynomial in $\lambda$.
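The reduction and coefficient-extraction procedure of this subsection, carried out in code. This is an added example written for this page, not the authors' implementation: it treats $f_\ell$ as a black-box Python callable standing in for the modular arithmetic circuit, rebuilds the $8n$ inputs from the 8 variables of key $i_\ell$ and the shifts via (57), evaluates the circuit at $\binom{8+d}{8}$ random points, and solves the linear system (59) for the coefficients $a_{(c_1,\ldots,c_8)}$. It assumes a prime modulus `P` (the paper works modulo $N$; a prime is used here so every nonzero pivot is invertible in the elimination), and the circuit `demo_circuit`, the shifts `DEMO_SHIFTS`, $n = 3$ and $d = 2$ are constructed sample values.

```python
import itertools
import random

# Assumed for this demonstration: a prime modulus (the paper works modulo N).
P = 1_000_003


def monomial_exponents(nvars, d):
    """All exponent tuples (c_1, ..., c_nvars) with 0 <= c_1 + ... + c_nvars <= d,
    in a fixed order; there are binom(nvars + d, nvars) of them."""
    return [c for c in itertools.product(range(d + 1), repeat=nvars) if sum(c) <= d]


def eval_monomial(z, c, p):
    """z_1^{c_1} * ... * z_k^{c_k} mod p."""
    out = 1
    for zj, cj in zip(z, c):
        out = out * pow(z_j_mod(zj, p), cj, p) % p
    return out


def z_j_mod(v, p):
    return v % p


def shifted_input(z, shifts, i_ell, p):
    """Equation (57): rebuild all n keys (index i*k + j) from the k variables z of key
    i_ell and the shifts: key_i[j] = z[j] + shift_i[j] - shift_{i_ell}[j] mod p."""
    base = shifts[i_ell]
    return [(zj + s_ij - s_lj) % p
            for shift_i in shifts
            for zj, s_ij, s_lj in zip(z, shift_i, base)]


def solve_mod_p(A, b, p):
    """Gauss-Jordan elimination mod p; returns None if the system is singular."""
    m = len(A)
    aug = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(m):
        piv = next((r for r in range(col, m) if aug[r][col] % p), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [v * inv % p for v in aug[col]]
        for r in range(m):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(vr - f * vc) % p for vr, vc in zip(aug[r], aug[col])]
    return [row[m] for row in aug]


def reduce_polynomial(circuit, shifts, i_ell, d, p=P, rng=random):
    """Interpolate the reduced polynomial f'_ell of (58)/(59) from a black-box circuit
    for f_ell: evaluate at binom(k+d, k) random points of key i_ell's variables and
    solve for the coefficients. Returns {exponent tuple: coefficient mod p}."""
    k = len(shifts[0])
    monos = monomial_exponents(k, d)
    while True:  # random points give a nonsingular system w.h.p.; retry otherwise
        points = [[rng.randrange(p) for _ in range(k)] for _ in monos]
        A = [[eval_monomial(z, c, p) for c in monos] for z in points]
        b = [circuit(shifted_input(z, shifts, i_ell, p)) % p for z in points]
        coeffs = solve_mod_p(A, b, p)
        if coeffs is not None:
            return dict(zip(monos, coeffs))


def eval_reduced(coeffs, z, p=P):
    """Evaluate the recovered f'_ell at the k variables z."""
    return sum(a * eval_monomial(z, c, p) for c, a in coeffs.items()) % p


# Constructed sample: n = 3 keys of k = 8 variables (index i*8 + j), degree-2 circuit.
def demo_circuit(v):
    return 5 * v[0] * v[2 * 8 + 3] + 7 * v[1 * 8 + 2] ** 2 + v[5] + 9


# Constructed shifts (stand-ins for the x-bar / y-bar values chosen in initialize).
DEMO_SHIFTS = [[100 * i + j for j in range(8)] for i in range(3)]


def demo():
    """Reduce demo_circuit to the 8 variables of key i_ell = 0; 45 coefficients for d = 2."""
    return reduce_polynomial(demo_circuit, DEMO_SHIFTS, 0, d=2)


if __name__ == "__main__":
    for c, a in sorted(demo().items()):
        if a:
            print(c, a)
```

With the sample shifts, key 2's fourth variable equals $z_3 + 200$ and key 1's third equals $z_2 + 100$, so the recovered $f'_\ell$ is $5 z_0 z_3 + 1000 z_0 + 7 z_2^2 + 1400 z_2 + z_5 + 70009$: the constant and the linear terms are exactly the part of $f_\ell$ that the shifts absorb, which is why only $\binom{8+d}{8}$ evaluations are needed regardless of $n$.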
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,

$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4} \tag{60}$$

Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 9.

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial function, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that of Theorem 24 (cf. Table 2). The only difference lies in games $G_3$–$G_4$, which are related to the building block $\mathcal{E}$. Next, we replace $G_3$–$G_4$ with the following hybrids (i.e., Hybrid 1–Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}$.Encrypt part of encrypt is changed in a computationally indistinguishable way, so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}\mathrm{.Encrypt}(\mathrm{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $G_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that

$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4} \tag{61}$$

Hybrid 2. Implement $\mathcal{E}$.Encrypt using $\mathrm{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $G_3$ in the proof of Theorem 24.

(i) Invoke $\mathcal{E}$.Encrypt to set up table.
(ii) Invoke $\mathcal{E}$.Decrypt to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from table.
(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Clearly, $\tilde{v}_0, \ldots, \tilde{v}_8$ computed via $\mathcal{E}$.Decrypt are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}$.Encrypt. Therefore this is just a conceptual change.

Hybrid 3. This hybrid corresponds to $G_4$ in the proof of Theorem 24.

(i) table is computed similarly as in $\mathcal{E}$.Encrypt except for a small difference. More precisely, in table,
Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The figure's recoverable content:

$\mathcal{E}\mathrm{.Encrypt}(\mathrm{pk} = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \ldots, 8\}$: $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$; $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. table is the $9 \times 8$ array whose row $l$ is $(u_{l,1}, \ldots, u_{l,8})$, except that for $l \ge 1$ the entry in column $l$ carries the title $v_{l-1}$ (row 1 contains $u_{1,1} \cdot v_0$, row 2 contains $u_{2,2} \cdot v_1$, ..., row 8 contains $u_{8,8} \cdot v_7$). Output $\mathcal{E}c = (\mathrm{table}, e, t)$ with $e = v_8 \cdot T^{m} \bmod N^s$ and $t = g_1^{m} \bmod N \in \mathbb{Z}_N$.

$\mathcal{E}\mathrm{.Decrypt}(\mathrm{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}c)$: parse $\mathcal{E}c = (\mathrm{table}, e, t)$ and parse table; $\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; $\tilde{v}_1 = (\tilde{u}_{1,1}/\tilde{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$; $\tilde{v}_2 = u_{2,1}^{-x_1} (\tilde{u}_{2,2}/\tilde{v}_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$; $\ldots$; $\tilde{v}_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (\tilde{u}_{8,8}/\tilde{v}_7)^{-y_4}$, where $\tilde{u}_{l,l}$ denotes the title-bearing entry of row $l$. If $e/\tilde{v}_8 \in \mathrm{RU}_N$, $m = \mathrm{dlog}_T(e/\tilde{v}_8) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$, output $m$; otherwise output $\perp$.
Figure 10: Security proof of $\mathcal{E}$.Encrypt as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The figure shows $\mathcal{E}\mathrm{.Encrypt}(f, i \in [n])$ side by side in four columns: Hybrid 1, Hybrid 2, Hybrid 3, and Hybrid 3 (Equivalent Form). In all columns, for $l \in \{0, 1, \ldots, 8\}$: $r_{l,1}, \ldots, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. Hybrids 1 and 2 build table with $u_{1,1} \cdot v_0$ in row 1; Hybrid 3 and its equivalent form place $(u_{1,1} T^{a}) \cdot v_0$ there. Hybrids 2 and 3 compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from table as in Figure 9. The component $e$ is $v_8 \cdot T^{f'((x_{i,j}, y_{i,j})_{j \in [4]})} \bmod N^s$ in Hybrid 1, $\tilde{v}_8 \cdot T^{f'((x_{i,j}, y_{i,j})_{j \in [4]})} \bmod N^s$ in Hybrids 2 and 3, and $v_8 \bmod N^s$ in the equivalent form; in every column $t = g_1^{f'((x_{i,j}, y_{i,j})_{j \in [4]})} \bmod N \in \mathbb{Z}_N$ and the output is $\mathcal{E}c = (\mathrm{table}, e, t)$.
the entry located in row 1 and column 1 is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).

(ii) Invoke $\mathcal{E}$.Decrypt to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from table.

(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) table is computed similarly as in $\mathcal{E}$.Encrypt except for a small difference. More precisely, the entry located in row 1 and column 1 of table is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$.

(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.

After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $G_7$–$G_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in table are elements of $\mathrm{SCR}_{N^s}$. If this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathrm{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^{d}_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial function. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^{8})$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^{d}_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathrm{table}^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, $T^{m}$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $\mathrm{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from $\mathrm{table}^{(\mathbf{c})}$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathrm{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.

Security Proof. We sketch the proof of KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that of Theorem 24 (cf. Table 2). The only difference lies in games $G_3$–$G_4$. Next, we replace $G_3$–$G_4$ with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the $\mathcal{E}$.Encrypt part of encrypt is changed in a computationally indistinguishable way, so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}\mathrm{.Encrypt}(\mathrm{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $G_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then

$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta \tag{62}$$

where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.

Hybrid 2. Implement $\mathcal{E}$.Encrypt using $\mathrm{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $G_3$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathrm{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$;
(2) invoke $\tilde{v}^{(\mathbf{c})} \leftarrow \mathrm{CalculateV}(\mathrm{sk}_{i_\ell}, \mathrm{table}^{(\mathbf{c})}, \mathbf{c})$.

(ii) Employ $(\tilde{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
24 Security and Communication Networks
[Figure 11: (a) E.Encrypt (left) and E.Decrypt (right) of E designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) TableGen, which generates table($\mathbf{c}$) together with a title $v(\mathbf{c})$; (c) CalculateV, which calculates a title $\tilde{v}(\mathbf{c})$ from table($\mathbf{c}$) using the secret key. The listings recoverable from the figure are as follows.]

(a) E.Encrypt(pk, $m$): for each $\mathbf{c} = (c_1, \ldots, c_8) \in S$, invoke $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathrm{TableGen}(\mathrm{pk}, \mathbf{c})$; set $e := \prod_{\mathbf{c} \in S} v(\mathbf{c}) \cdot T^m \bmod N^s$ and $t := g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}c := ((\mathrm{table}(\mathbf{c}))_{\mathbf{c} \in S}, e, t)$. E.Decrypt(sk, $\mathcal{E}c$): parse $\mathcal{E}c = ((\mathrm{table}(\mathbf{c}))_{\mathbf{c} \in S}, e, t)$; for each $\mathbf{c} \in S$, invoke $\tilde{v}(\mathbf{c}) \leftarrow \mathrm{CalculateV}(\mathrm{sk}, \mathrm{table}(\mathbf{c}), \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in S} \tilde{v}(\mathbf{c}))^{-1} \in \mathrm{RU}_{N^s}$, compute $m := \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in S} \tilde{v}(\mathbf{c}))^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\perp$.

(b) TableGen(pk $= (h_1, h_2, h_3, h_4)$, $\mathbf{c} = (c_1, \ldots, c_8)$): for each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. Row 0 of table($\mathbf{c}$) is $(u_{0,1}, \ldots, u_{0,8})$; the next $c_1$ rows, $l \in \{1, \ldots, c_1\}$, are $(u_{l,1} \cdot v_{l-1}, u_{l,2}, \ldots, u_{l,8})$; the next $c_2$ rows, $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$, are $(u_{l,1}, u_{l,2} \cdot v_{l-1}, u_{l,3}, \ldots, u_{l,8})$; and so on, until the last $c_8$ rows, $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$, which are $(u_{l,1}, \ldots, u_{l,7}, u_{l,8} \cdot v_{l-1})$. Output $(\mathrm{table}(\mathbf{c}), v(\mathbf{c}) := v_{\sum_{j=1}^8 c_j})$.

(c) CalculateV(sk $= (x_1, y_1, \ldots, x_4, y_4)$, table($\mathbf{c}$), $\mathbf{c} = (c_1, \ldots, c_8)$): parse table($\mathbf{c}$) as rows $(\tilde{u}_{l,1}, \ldots, \tilde{u}_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$; set $\tilde{v}_0 := \tilde{u}_{0,1}^{-x_1} \tilde{u}_{0,2}^{-y_1} \tilde{u}_{0,3}^{-x_2} \tilde{u}_{0,4}^{-y_2} \tilde{u}_{0,5}^{-x_3} \tilde{u}_{0,6}^{-y_3} \tilde{u}_{0,7}^{-x_4} \tilde{u}_{0,8}^{-y_4}$; for $l \in \{1, \ldots, c_1\}$, $\tilde{v}_l := (\tilde{u}_{l,1} / \tilde{v}_{l-1})^{-x_1} \tilde{u}_{l,2}^{-y_1} \tilde{u}_{l,3}^{-x_2} \cdots \tilde{u}_{l,8}^{-y_4}$; for $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$, $\tilde{v}_l := \tilde{u}_{l,1}^{-x_1} (\tilde{u}_{l,2} / \tilde{v}_{l-1})^{-y_1} \tilde{u}_{l,3}^{-x_2} \cdots \tilde{u}_{l,8}^{-y_4}$; and so on, until $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$, where $\tilde{v}_l := \tilde{u}_{l,1}^{-x_1} \cdots \tilde{u}_{l,7}^{-x_4} (\tilde{u}_{l,8} / \tilde{v}_{l-1})^{-y_4}$. Output $\tilde{v}(\mathbf{c}) := \tilde{v}_{\sum_{j=1}^8 c_j}$.
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in S$, $\tilde{v}(\mathbf{c})$ computed via CalculateV is the same as $v(\mathbf{c})$ computed via TableGen. Therefore this change is just conceptual.

Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in S$:
(1) table($\mathbf{c}$) is computed by $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in table($\mathbf{c}$) the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$. By the IV5 assumption, this difference is computationally undetectable.
(2) extract $\tilde{v}(\mathbf{c})$ from the (modified) table($\mathbf{c}$) by invoking $\tilde{v}(\mathbf{c}) \leftarrow \mathrm{CalculateV}(\mathrm{sk}_{i_\ell}, \mathrm{table}(\mathbf{c}), \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in S} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in S$ we have
$$
\tilde{v}(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1, \ldots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \tag{63}
$$
Hence
$$
\begin{aligned}
e &= \prod_{\mathbf{c} \in S} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \\
&= \prod_{\mathbf{c} \in S} v(\mathbf{c}) \cdot \prod_{\mathbf{c} \in S} T^{-a_{(c_1, \ldots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \\
&= \prod_{\mathbf{c} \in S} v(\mathbf{c}) \cdot T^{\delta}. 
\end{aligned} \tag{64}
$$
Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in S$, table($\mathbf{c}$) is computed by $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in table($\mathbf{c}$) the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in S} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$. Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in E.Encrypt any more.

After these computationally indistinguishable changes, the E.Encrypt part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

With a similar argument as that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way, so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
Appendix

A. Proof of Claim 19

We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_{\$} \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathrm{pars}_{\mathrm{AE}}$ and has access to the oracle $\mathrm{encrypt}_{\mathrm{AE}}(\cdot) = \mathrm{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal{B}$ prepares $\mathrm{pars}_{\mathrm{AIAE}}$ in the same way as in $G'_{1,j}$. That is, invoke $\mathrm{pars}_{\mathrm{THPS}} \leftarrow_{\$}$ THPS.Setup($1^\lambda$), pick $H \leftarrow_{\$} \mathcal{H}$ randomly and set $\mathrm{pars}_{\mathrm{AIAE}} := (\mathrm{pars}_{\mathrm{THPS}}, \mathrm{pars}_{\mathrm{AE}}, H)$. $\mathcal{B}$ sends $\mathrm{pars}_{\mathrm{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathrm{hk} \leftarrow_{\$} \mathcal{HK}$.

As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathrm{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ and invokes $\chi_\ell \leftarrow_{\$}$ AE.Encrypt($\kappa_\ell, m_\ell$).
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := H(C_\ell, \mathrm{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathrm{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$}$ AE.Encrypt($\kappa_\ell, m_\ell$).
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key hk at all, and instead it will resort to its own $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := H(C_j, \mathrm{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, and queries its $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle with $m_j$ and gets the challenge $\chi_j$. According to the $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_{\$}$ AE.Encrypt($\kappa, m_j$). As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $G'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $G'_{1,j}$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathrm{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathrm{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$ and $(C_\ell, \mathrm{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows:
(i) If $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathrm{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai}_\ell = \mathrm{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := H(C^*, \mathrm{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathrm{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathrm{ai}_\ell) \neq (C^*, \mathrm{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.

We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent Forge $\wedge$ $t_j = t^*$ will imply that $(\mathrm{ai}^*, f^*, C^*) = (\mathrm{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and AE.Decrypt($\kappa^*, \chi^*$) $\neq \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, then $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and AE.Decrypt($\kappa^*, \chi^*$) $\neq \perp$ implies that $\chi^* \neq \chi_j$ and AE.Decrypt($\kappa, \chi^*$) $\neq \perp$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $G'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent Forge $\wedge$ $t_j = t^*$ occurs. Thus we have that $\Pr_{1,j'}[\mathrm{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3

To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathrm{chal}_b^{\mathrm{IV5}}}(N, g_1, \ldots, g_5)$ to solve the IV5 problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does, and obtains the coefficient $a$. Then $\mathcal{B}$ simulates E.Encrypt as follows.

(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathrm{chal}_b^{\mathrm{IV5}}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$; or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.

$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^{a} \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of table using its public keys, and sets the 1st row of table to be
$$
(\tilde{u}_{1,1} = u^*_{1,1} \cdot v_0,\; u^*_{1,2},\; u_{1,3},\; \cdots,\; u_{1,8}). \tag{B.1}
$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_1 = v_1$; or
Case ($b = 1$): $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathrm{chal}_b^{\mathrm{IV5}}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys), and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$; or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.

$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^*_{2,2} \cdot v^*_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
$$
(u^*_{2,1},\; \tilde{u}_{2,2} = u^*_{2,2} \cdot v^*_1,\; u_{2,3},\; \cdots,\; u_{2,8}). \tag{B.2}
$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_2 = v_2$; or
Case ($b = 1$): $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathrm{chal}_b^{\mathrm{IV5}}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$; or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.

$\mathcal{B}$ sets $\tilde{u}_{3,3} := u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that $\tilde{u}_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be
$$
(u_{3,1},\; u_{3,2},\; \tilde{u}_{3,3} = u^*_{3,3} \cdot v^*_2,\; u^*_{3,4},\; u_{3,5},\; \cdots,\; u_{3,8}). \tag{B.3}
$$
$\mathcal{B}$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_3 = v_3$; or
Case ($b = 1$): $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.

(vi) Finally, $\mathcal{B}$ computes $\tilde{v}_0, \ldots, \tilde{v}_8$ from table just as in Hybrids 2 and 3 (also as the original E.Decrypt algorithm), and computes $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the IV5 problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
References

[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
2.6. Collision-Resistant Hashing

Definition 12 (collision-resistant hashing). Let $\mathcal{H} = \{H : X \to Y\}$ be a set of hash functions. $\mathcal{H}$ is said to be collision-resistant if for any PPT $\mathcal{A}$, one has
$$
\mathrm{Adv}^{\mathrm{cr}}_{\mathcal{H}, \mathcal{A}}(\lambda) := \Pr\big[H \leftarrow_{\$} \mathcal{H},\; (x, x') \leftarrow_{\$} \mathcal{A}(H) : x \neq x' \wedge H(x) = H(x')\big] \le \mathrm{negl}(\lambda). \tag{13}
$$

3. Auxiliary-Input Authenticated Encryption

Our PKE constructions in Sections 4 and 5 will resort to a new primitive, AIAE. To serve the KDM-CCA security of our PKE construction in Figure 1, our AIAE should satisfy the following properties:
(i) AIAE must take an auxiliary input ai in both the encryption and decryption algorithms.
(ii) AIAE must have IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. Compared to the INT-$\mathcal{F}$-RKA security proposed in [16], the weak-INT-$\mathcal{F}$-RKA security imposes a special rule to determine whether the adversary's forgery is successful or not.

In the following, we present the syntax of AIAE and define its IND-$\mathcal{F}$-RKA security and weak-INT-$\mathcal{F}$-RKA security. We also show a general paradigm of AIAE from tag-based HPS and give an instantiation of AIAE under the DDH assumption.

3.1. Auxiliary-Input Authenticated Encryption

Definition 13 (AIAE). There are three PPT algorithms AIAE = (AIAE.ParGen, AIAE.Encrypt, AIAE.Decrypt) in an AIAE scheme:
(i) The parameter generation algorithm AIAE.ParGen($1^\lambda$) generates a system parameter $\mathrm{pars}_{\mathrm{AIAE}}$. We require $\mathrm{pars}_{\mathrm{AIAE}}$ to be an implicit input to other algorithms and assume that $\mathrm{pars}_{\mathrm{AIAE}}$ implicitly defines a key space $\mathcal{K}_{\mathrm{AIAE}}$, a message space $\mathcal{M}$ and an auxiliary-input space $\mathcal{AI}$.
(ii) The encryption algorithm AIAE.Encrypt($k, m, \mathrm{ai}$) takes a key $k \in \mathcal{K}_{\mathrm{AIAE}}$, a message $m \in \mathcal{M}$ and an auxiliary input $\mathrm{ai} \in \mathcal{AI}$ as input, and outputs a ciphertext aiaec.
(iii) The decryption algorithm AIAE.Decrypt($k, \mathrm{aiaec}, \mathrm{ai}$) takes a key $k \in \mathcal{K}_{\mathrm{AIAE}}$, a ciphertext aiaec and an auxiliary input $\mathrm{ai} \in \mathcal{AI}$ as input, and outputs a message $m \in \mathcal{M}$ or a symbol $\perp$.

We require AIAE to have perfect correctness, that is, for all possible $\mathrm{pars}_{\mathrm{AIAE}} \leftarrow_{\$}$ AIAE.ParGen($1^\lambda$), all keys $k \in \mathcal{K}_{\mathrm{AIAE}}$, all messages $m \in \mathcal{M}$ and all auxiliary inputs $\mathrm{ai} \in \mathcal{AI}$,
$$
\Pr\big[\mathrm{AIAE.Decrypt}(k, \mathrm{AIAE.Encrypt}(k, m, \mathrm{ai}), \mathrm{ai}) = m\big] = 1. \tag{14}
$$

In fact, AIAE is a generalization of traditional AE, and traditional AE can be viewed as AIAE with $\mathcal{AI} = \emptyset$.

Definition 14 (RKA security). Denote by $\mathcal{F}$ a set of functions from $\mathcal{K}_{\mathrm{AIAE}}$ to $\mathcal{K}_{\mathrm{AIAE}}$. A scheme AIAE is IND-$\mathcal{F}$-RKA secure and weak-INT-$\mathcal{F}$-RKA secure if for any PPT $\mathcal{A}$,
$$
\begin{aligned}
\mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE}, \mathcal{A}}(\lambda) &:= \Big|\Pr[\mathrm{IND}\text{-}\mathcal{F}\text{-}\mathrm{RKA}^{\mathcal{A}} \Rightarrow 1] - \tfrac{1}{2}\Big| \le \mathrm{negl}(\lambda), \\
\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}, \mathcal{A}}(\lambda) &:= \Pr[\mathrm{weak\text{-}INT}\text{-}\mathcal{F}\text{-}\mathrm{RKA}^{\mathcal{A}} \Rightarrow 1] \le \mathrm{negl}(\lambda),
\end{aligned} \tag{15}
$$
where IND-$\mathcal{F}$-RKA and weak-INT-$\mathcal{F}$-RKA are the security games presented in Figure 4.

3.2. Generic Construction of AIAE from Tag-Based HPS and OT-Secure AE. Our construction of AIAE needs the following ingredients:
(i) A tag-based hash proof system THPS = (THPS.Setup, THPS.Pub, THPS.Priv), where the hash value space is $\mathcal{K}$, the tag space is $\mathcal{T}$ and the hashing key space is $\mathcal{HK}$.
(ii) A (traditional) authenticated encryption scheme AE = (AE.ParGen, AE.Encrypt, AE.Decrypt), where the message space is $\mathcal{M}$ and the key space is $\mathcal{K}$.
(iii) A set of hash functions $\mathcal{H} = \{H : \{0,1\}^* \to \mathcal{T}\}$.
We present our AIAE construction AIAE = (AIAE.ParGen, AIAE.Encrypt, AIAE.Decrypt) in Figure 5, whose key space is $\mathcal{K}_{\mathrm{AIAE}} := \mathcal{HK}$, message space is $\mathcal{M}$ and auxiliary-input space is $\mathcal{AI} := \{0,1\}^*$.

By the perfect correctness of AE, it is routine to check that AIAE has perfect correctness.

Theorem 15. If (i) THPS is universal$_2$, extracting, key-homomorphic and has a hard subset membership problem, (ii) AE is one-time secure and (iii) $\mathcal{H}$ is collision-resistant, then the scheme AIAE in Figure 5 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here $\mathcal{F}_{\mathrm{raff}} := \{f_{(a, \mathbf{b})} : \mathrm{hk} \in \mathcal{HK} \mapsto a \cdot \mathrm{hk} + \mathbf{b} \in \mathcal{HK} \mid a \in \mathbb{Z}^*_{|\mathcal{K}|}, \mathbf{b} \in \mathcal{HK}\}$ is the set of restricted affine functions.

Proof of Theorem 15 (IND-$\mathcal{F}_{\mathrm{raff}}$-RKA Security). Denote by $\mathcal{A}$ a PPT adversary who is against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security and queries the encrypt oracle for at most $Q_e$ times. We show the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security through a series of games. For an event E, we denote by $\Pr_j[\mathrm{E}]$, $\Pr_{j'}[\mathrm{E}]$ and $\Pr_{j''}[\mathrm{E}]$ the probability of E occurring in games $G_j$, $G'_j$ and $G''_j$, respectively.

Game $G_1$. It is the original IND-$\mathcal{F}_{\mathrm{raff}}$-RKA game. Denote the event $\beta' = \beta$ by Succ. According to the definition, $\mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE}, \mathcal{A}}(\lambda) = |\Pr_1[\mathrm{Succ}] - 1/2|$.
[Figure 4: IND-$\mathcal{F}$-RKA (a) and weak-INT-$\mathcal{F}$-RKA (b) security games. The procedures recoverable from the figure are as follows.]

(a) IND-$\mathcal{F}$-RKA. Proc initialize: $\mathrm{pars}_{\mathrm{AIAE}} \leftarrow_{\$}$ AIAE.ParGen($1^\lambda$); $k \leftarrow_{\$} \mathcal{K}_{\mathrm{AIAE}}$; $\beta \leftarrow_{\$} \{0,1\}$; output $\mathrm{pars}_{\mathrm{AIAE}}$. Proc encrypt($m_0, m_1, \mathrm{ai}, f \in \mathcal{F}$): if $|m_0| \neq |m_1|$, output $\perp$; $\mathrm{aiaec} \leftarrow_{\$}$ AIAE.Encrypt($f(k), m_\beta, \mathrm{ai}$); output aiaec. Proc finalize($\beta'$): output ($\beta' = \beta$).

(b) weak-INT-$\mathcal{F}$-RKA. Proc initialize: $\mathrm{pars}_{\mathrm{AIAE}} \leftarrow_{\$}$ AIAE.ParGen($1^\lambda$); $k \leftarrow_{\$} \mathcal{K}_{\mathrm{AIAE}}$; output $\mathrm{pars}_{\mathrm{AIAE}}$. Proc encrypt($m, \mathrm{ai}, f \in \mathcal{F}$): $\mathrm{aiaec} \leftarrow_{\$}$ AIAE.Encrypt($f(k), m, \mathrm{ai}$); $\mathcal{Q}_{\mathrm{AI\text{-}F}} := \mathcal{Q}_{\mathrm{AI\text{-}F}} \cup \{(\mathrm{ai}, f)\}$; $\mathcal{Q}_{\mathrm{ENC}} := \mathcal{Q}_{\mathrm{ENC}} \cup \{(\mathrm{ai}, f, \mathrm{aiaec})\}$; output aiaec. Proc finalize($\mathrm{ai}^*, f^* \in \mathcal{F}, \mathrm{aiaec}^*$): if $(\mathrm{ai}^*, f^*, \mathrm{aiaec}^*) \in \mathcal{Q}_{\mathrm{ENC}}$, output 0; special rule: if there exists $(\mathrm{ai}, f) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai} = \mathrm{ai}^*$ but $f \neq f^*$, output 0; output (AIAE.Decrypt($f^*(k), \mathrm{aiaec}^*, \mathrm{ai}^*$) $\neq \perp$).

We note that in the weak-INT-$\mathcal{F}$-RKA game there is a special rule (shown in the shadow in the original figure) of outputting 0 in finalize.
[Figure 5: Generic construction of AIAE from THPS and AE. The listing recoverable from the figure is as follows.]

AIAE.ParGen($1^\lambda$): $\mathrm{pars}_{\mathrm{THPS}} \leftarrow_{\$}$ THPS.Setup($1^\lambda$); $\mathrm{pars}_{\mathrm{AE}} \leftarrow_{\$}$ AE.ParGen($1^\lambda$); $H \leftarrow_{\$} \mathcal{H}$; output $\mathrm{pars}_{\mathrm{AIAE}} := (\mathrm{pars}_{\mathrm{THPS}}, \mathrm{pars}_{\mathrm{AE}}, H)$.
AIAE.Encrypt(hk, $m$, ai): $C \leftarrow_{\$} \mathcal{V}$ with witness $w$; $t := H(C, \mathrm{ai}) \in \mathcal{T}$; $\kappa := \Lambda_{\mathrm{hk}}(C, t) \in \mathcal{K}$; $\chi \leftarrow_{\$}$ AE.Encrypt($\kappa, m$); output $\langle C, \chi \rangle$.
AIAE.Decrypt(hk, $\langle C, \chi \rangle$, ai): if $C \notin \mathcal{C}$, output $\perp$; $t := H(C, \mathrm{ai}) \in \mathcal{T}$; $\kappa := \Lambda_{\mathrm{hk}}(C, t) \in \mathcal{K}$; $m/\perp \leftarrow$ AE.Decrypt($\kappa, \chi$); output $m/\perp$.
As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_{\ell,0}, m_{\ell,1}, \mathrm{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, the challenger prepares the challenge ciphertext as follows:
(i) pick $C_\ell \leftarrow_{\$} \mathcal{V}$ together with witness $w_\ell$;
(ii) compute $t_\ell := H(C_\ell, \mathrm{ai}_\ell) \in \mathcal{T}$;
(iii) compute $\kappa_\ell := \Lambda_{a_\ell \cdot \mathrm{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell) \in \mathcal{K}$;
(iv) invoke $\chi_\ell \leftarrow_{\$}$ AE.Encrypt($\kappa_\ell, m_{\ell,\beta}$);
and it outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$.

Game $G_{1,j}$, $j \in [Q_e + 1]$. It is identical to $G_1$, except that for the first $j-1$ times of encrypt queries, that is, $\ell \in [j-1]$, the challenger chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ randomly for the AE scheme.

Clearly $G_{1,1}$ is identical to $G_1$, thus $\Pr_1[\mathrm{Succ}] = \Pr_{1,1}[\mathrm{Succ}]$.

Game $G'_{1,j}$, $j \in [Q_e]$. It is identical to $G_{1,j}$, except that for the $j$th encrypt query, the challenger samples $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $G_{1,j}$ and $G'_{1,j}$ lies in the distribution of $C_j$. In game $G_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $G'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between $G_{1,j}$ and $G'_{1,j}$ results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr_{1,j}[\mathrm{Succ}] - \Pr_{1,j'}[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.

Game $G''_{1,j}$, $j \in [Q_e]$. It is identical to $G'_{1,j}$, except that for the $j$th encrypt query, the challenger chooses $\kappa_j \leftarrow_{\$} \mathcal{K}$ randomly.

Lemma 16. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathrm{Succ}] = \Pr_{1,j''}[\mathrm{Succ}]$.

Proof. For game $G'_{1,j}$ and game $G''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$th encrypt query. In $G'_{1,j}$, $\kappa_j$ is properly computed, while in $G''_{1,j}$ it is chosen from $\mathcal{K}$ uniformly. We analyze the information about the key hk that is used in game $G'_{1,j}$.

(i) For the $\ell$th ($\ell \in [j-1]$) query, encrypt does not use hk at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the ℓth (ℓ isin [119895 + 1 119876119890]) query encrypt can usepk = 120583(hk) to compute 120581ℓ120581ℓ = Λ 119886ℓ sdothk+bℓ
(119862ℓ 119905ℓ) 119862ℓlarr997888$ V with witness 119908ℓ= (Λ hk (119862ℓ 119905ℓ))119886ℓ sdot Λ bℓ(119862ℓ 119905ℓ) via key-homomorphism= (THPSPub (pk 119862ℓ 119908ℓ 119905ℓ))119886ℓ sdot Λ bℓ
(119862ℓ 119905ℓ) via projective property
(16)
(iii) For the 119895th query encrypt uses Λ hk(119862119895 119905119895) to com-pute 120581119895
120581119895 = Λ 119886119895 sdothk+b119895(119862119895 119905119895) 119862119895larr997888$ C V
= (Λ hk (119862119895 119905119895))119886119895 sdot Λ b119895(119862119895 119905119895) via key-homomorphism
(17)
Since 119862119895 isin C V by the universal2 property of THPSΛ hk(119862119895 119905119895) is uniformly distributed over K conditioned onpk = 120583(hk) Then as long as 119886119895 isin Zlowast
|K| 120581119895 = (Λ hk(119862119895119905119895))119886119895 sdotΛ b119895(119862119895 119905119895) is also randomly distributed overK Conse-
quentlyG10158401119895 is essentially the same asG10158401015840
1119895 and Pr11198951015840[Succ] =Pr111989510158401015840[Succ]
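The Figure 5 construction and the pk-only derivation of $\kappa_\ell$ in (16), as an added toy example that is not the paper's code: it assumes a Cramer–Shoup-style DDH tag-based HPS over a 64-bit safe-prime group (the paper's DDH instantiation is not shown on this page), a one-time encrypt-then-MAC AE built from SHA-256 and HMAC, and a SHA-256 digest of the group element as the AE key (simplifying the AE key space being $\mathcal{K}$); all function names are my own.

```python
import hashlib
import hmac
import secrets

# Added toy instantiation, not the paper's code: a Cramer-Shoup-style tag-based HPS over the order-q
# subgroup of Z_p^* (p = 2q + 1), a one-time AE (SHA-256 keystream + HMAC), and the AIAE of Figure 5.
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin bases, deterministic below 3.3e24

def is_prime(n):
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def thps_setup(bits=64):  # THPS.Setup: safe prime p = 2q + 1, generators g1, g2 of the order-q subgroup
    q = 4
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    p = 2 * q + 1
    g1 = pow(secrets.randbelow(p - 3) + 2, 2, p)  # a square other than 1 has order exactly q
    return p, q, g1, pow(g1, secrets.randbelow(q - 1) + 1, p)

P, Q, G1, G2 = thps_setup()

def thps_keygen():  # hk <-$ HK = Z_q^4 and its projection pk = mu(hk) = (g1^k1 g2^k2, g1^k3 g2^k4)
    k1, k2, k3, k4 = hk = tuple(secrets.randbelow(Q) for _ in range(4))
    return hk, (pow(G1, k1, P) * pow(G2, k2, P) % P, pow(G1, k3, P) * pow(G2, k4, P) % P)

def sample_v():  # C = (g1^w, g2^w) <-$ V together with its witness w
    w = secrets.randbelow(Q)
    return (pow(G1, w, P), pow(G2, w, P)), w

def in_c(C):  # membership in the ciphertext space C: a pair of elements of the order-q subgroup
    return len(C) == 2 and all(0 < u < P and pow(u, Q, P) == 1 for u in C)

def thps_priv(hk, C, t):  # Lambda_hk(C, t) = u1^(k1 + t k3) * u2^(k2 + t k4), evaluated with hk
    k1, k2, k3, k4 = hk
    return pow(C[0], (k1 + t * k3) % Q, P) * pow(C[1], (k2 + t * k4) % Q, P) % P

def thps_pub(pk, C, w, t):  # THPS.Pub(pk, C, w, t) = (pk1 * pk2^t)^w: the same value from pk and w
    return pow(pk[0] * pow(pk[1], t, P) % P, w, P)

def affine_key(hk, a, b):  # f_(a,b) in F_raff: hk -> a*hk + b, componentwise mod q
    return tuple((a * k + bi) % Q for k, bi in zip(hk, b))

def tag(C, ai):  # t = H(C, ai) in T = Z_q, with H modelled by SHA-256 (toy: q has only 64 bits)
    return int.from_bytes(hashlib.sha256(b"%d|%d|" % C + ai).digest(), "big") % Q

def _ae_key_and_stream(kappa, n):  # toy KDF: AE key from the group element kappa, plus n keystream bytes
    k = hashlib.sha256(b"aiae-key|%d" % kappa).digest()
    ks = b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return k, ks[:n]

def ae_encrypt(kappa, m):  # one-time AE, encrypt-then-MAC: ct = m XOR keystream, then HMAC-SHA256(k, ct)
    k, ks = _ae_key_and_stream(kappa, len(m))
    ct = bytes(x ^ y for x, y in zip(m, ks))
    return ct + hmac.new(k, ct, hashlib.sha256).digest()

def ae_decrypt(kappa, chi):  # returns the message, or None (the symbol bottom) when the MAC fails
    ct, mac = chi[:-32], chi[-32:]
    k, ks = _ae_key_and_stream(kappa, len(ct))
    if len(chi) < 32 or not hmac.compare_digest(mac, hmac.new(k, ct, hashlib.sha256).digest()):
        return None
    return bytes(x ^ y for x, y in zip(ct, ks))

def aiae_encrypt(hk, m, ai):  # AIAE.Encrypt of Figure 5: C <-$ V, t = H(C, ai), kappa = Lambda_hk(C, t)
    C, _ = sample_v()
    return C, ae_encrypt(thps_priv(hk, C, tag(C, ai)), m)

def aiae_decrypt(hk, aiaec, ai):  # AIAE.Decrypt of Figure 5: reject C outside C, then AE-decrypt
    C, chi = aiaec
    return ae_decrypt(thps_priv(hk, C, tag(C, ai)), chi) if in_c(C) else None

def demo():  # correctness, the binding role of ai, and the pk-only derivation of kappa from eq. (16)
    hk, pk = thps_keygen()
    m, ai = b"key-dependent message", b"constructed auxiliary input"
    aiaec = aiae_encrypt(hk, m, ai)
    correct = aiae_decrypt(hk, aiaec, ai) == m
    other_ai_rejected = aiae_decrypt(hk, aiaec, b"another ai") is None  # t, hence kappa, changes
    # RKA query f = <a, b>: a simulator holding only pk gets kappa as (THPS.Pub(pk, C, w, t))^a * Lambda_b(C, t)
    a, b = secrets.randbelow(Q - 1) + 1, tuple(secrets.randbelow(Q) for _ in range(4))
    C, w = sample_v()
    t = tag(C, ai)
    via_hk = thps_priv(affine_key(hk, a, b), C, t)
    via_pk = pow(thps_pub(pk, C, w, t), a, P) * thps_priv(b, C, t) % P
    return correct, other_ai_rejected, via_hk == via_pk
```

Calling demo() returns (True, True, True): a ciphertext decrypts under the ai it was made with, is rejected under any other ai, and the related key a·hk + b yields the same κ whether evaluated with hk or from pk and the witness.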
Now we show that game $\mathsf{G}''_{1,j}$ is computationally indistinguishable from game $\mathsf{G}_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $\mathsf{G}''_{1,j}$ and $\mathsf{G}_{1,j+1}$ lies in the distribution of $C_j$ in the $j$-th encrypt query. In game $\mathsf{G}''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $\mathsf{G}_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr''_{1,j}[\mathsf{Succ}] - \Pr_{1,j+1}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda)$.

Game $\mathsf{G}_2$. It is identical to $\mathsf{G}_{1,Q_e+1}$ except that, when answering encrypt queries, the challenger invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$.

In game $\mathsf{G}_{1,Q_e+1}$ the challenger computes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$; in game $\mathsf{G}_2$ the challenger computes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$. Since each $\kappa_\ell$, $\ell \in [Q_e]$, is chosen from $\mathcal{K}$ uniformly at random, by a standard hybrid argument any difference between $\mathsf{G}_{1,Q_e+1}$ and $\mathsf{G}_2$ results in a PPT adversary against the IND-OT security of AE, so that $|\Pr_{1,Q_e+1}[\mathsf{Succ}] - \Pr_2[\mathsf{Succ}]| \le Q_e \cdot \mathsf{Adv}^{\mathrm{ind\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Finally, in game $\mathsf{G}_2$, since the challenge ciphertexts are encryptions of $0^{|m_{\ell,0}|}$, $\beta$ is perfectly hidden from $\mathcal{A}$. So $\Pr_2[\mathsf{Succ}] = 1/2$.

Summing up, we proved the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security).
Proof of Theorem 15 (Weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA Security). Denote by $\mathcal{A}$ a PPT adversary who is against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security and queries the encrypt oracle at most $Q_e$ times. Similarly, the proof goes through a series of games, which are defined analogously to the games of the previous proof.

Game $\mathsf{G}_0$. It is the original weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game. For the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, the challenger computes the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in similar steps as in the previous proof and outputs $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, the challenger puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into a set $\mathcal{Q}_{\mathrm{ENC}}$, puts $(\mathsf{ai}_\ell, f_\ell)$ into a set $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and puts $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ into a set $\mathcal{Q}_{\mathrm{TAG}}$. In the end, the adversary outputs a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$, where $f^* = \langle a^*, \mathbf{b}^* \rangle$, and the challenger invokes the finalize procedure as follows:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, output 0.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, output 0.
(iii) If $C^* \notin \mathcal{C}$, output 0.
(iv) Compute $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$ and $\kappa^* := \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$. Output $(\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot)$.

Denote the event that finalize outputs 1 by $\mathsf{Forge}$. According to the definition, $\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE},\mathcal{A}}(\lambda) = \Pr_0[\mathsf{Forge}]$.

Game $\mathsf{G}_1$. It is identical to $\mathsf{G}_0$ except that the following rule is added to the procedure finalize by the challenger:

(i) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, output 0.

Since $t_\ell = \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $t^* = \mathsf{H}(C^*, \mathsf{ai}^*)$, any difference between $\mathsf{G}_0$ and $\mathsf{G}_1$ implies a hash collision of $\mathsf{H}$. So $|\Pr_0[\mathsf{Forge}] - \Pr_1[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathrm{cr}}_{\mathsf{H}}(\lambda)$.

Game $\mathsf{G}_{1,j}$, $j \in [Q_e + 1]$. It is identical to $\mathsf{G}_1$ except that for the first $j-1$ encrypt queries, that is, $\ell \in [j-1]$, the challenger chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$ uniformly for the AE scheme.

Clearly $\mathsf{G}_{1,1}$ is identical to $\mathsf{G}_1$; thus $\Pr_1[\mathsf{Forge}] = \Pr_{1,1}[\mathsf{Forge}]$.

Game $\mathsf{G}'_{1,j}$, $j \in [Q_e]$. It is identical to $\mathsf{G}_{1,j}$ except that for the $j$-th encrypt query the challenger samples $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ uniformly.

The difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$ lies in the distribution of $C_j$. In game $\mathsf{G}_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $\mathsf{G}'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS. We emphasize that the PPT adversary (simulator) is able to check the occurrence of $\mathsf{Forge}$ in an efficient way, because the key $\mathsf{hk}$ can be chosen by the simulator itself. Consequently, the difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$ can be reduced to the subset membership problem smoothly.
Lemma 17. For all $j \in [Q_e]$, $|\Pr_{1,j}[\mathsf{Forge}] - \Pr'_{1,j}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda)$.

Proof. To bound the difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$, we build an efficient adversary $\mathcal{B}$ solving the subset membership problem. Given $(\mathsf{pars}_{\mathsf{THPS}}, C)$, where $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, $\mathcal{B}$ aims to distinguish $C \leftarrow_\$ \mathcal{V}$ from $C \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$.

$\mathcal{B}$ simulates $\mathsf{G}_{1,j}$ or $\mathsf{G}'_{1,j}$ for $\mathcal{A}$. Firstly, $\mathcal{B}$ invokes $\mathsf{pars}_{\mathsf{AE}} \leftarrow_\$ \mathsf{AE.ParGen}(1^\lambda)$, picks $\mathsf{H} \leftarrow_\$ \mathcal{H}$ randomly, and sends $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$ to $\mathcal{A}$. Next, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.

For the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in both $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$ randomly, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in both $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ embeds its own challenge $C$ into $C_j$, that is, $C_j := C$. Then it computes $t_j := \mathsf{H}(C_j, \mathsf{ai}_j)$, $\kappa_j := \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j)$, and invokes $\chi_j \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_j, m_j)$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ into $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ into $\mathcal{Q}_{\mathrm{TAG}}$.

Obviously, $\mathcal{B}$ simulates $\mathsf{G}_{1,j}$ in the case of $C \leftarrow_\$ \mathcal{V}$ and simulates $\mathsf{G}'_{1,j}$ in the case of $C \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. Then $\mathcal{B}$ decides whether finalize outputs 1 or not with the help of $\mathsf{hk}$:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ outputs 0 (to its own challenger).
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ outputs 0.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ outputs 0.
(iv) $\mathcal{B}$ computes $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ outputs 0.
(vi) $\mathcal{B}$ computes $\kappa^* := \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$ and outputs $(\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot)$.

With the help of $\mathsf{hk}$, $\mathcal{B}$ is able to perfectly simulate finalize just as in both $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$. Moreover, $\mathcal{B}$ outputs 1 to its own challenger if and only if the event $\mathsf{Forge}$ occurs. As a result, we have that $|\Pr_{1,j}[\mathsf{Forge}] - \Pr'_{1,j}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS},\mathcal{B}}(\lambda)$.

Game $\mathsf{G}''_{1,j}$, $j \in [Q_e]$. It is identical to $\mathsf{G}'_{1,j}$ except that for the $j$-th encrypt query the challenger chooses $\kappa_j \leftarrow_\$ \mathcal{K}$ randomly.
Lemma 18. For all $j \in [Q_e]$, $\Pr'_{1,j}[\mathsf{Forge}] \le \Pr''_{1,j}[\mathsf{Forge}] + \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Proof. For game $\mathsf{G}'_{1,j}$ and game $\mathsf{G}''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$-th encrypt query. In $\mathsf{G}'_{1,j}$, $\kappa_j$ is properly computed; in $\mathsf{G}''_{1,j}$, $\kappa_j$ is chosen from $\mathcal{K}$ uniformly.

We consider the information about the key $\mathsf{hk}$ that is used in $\mathsf{G}'_{1,j}$:

(i) For the $\ell$-th ($\ell \in [j-1]$) query, encrypt does not use $\mathsf{hk}$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$-th ($\ell \in [j+1, Q_e]$) query, similar to the proof of Lemma 16, encrypt can use $\mathsf{pk} = \mu(\mathsf{hk})$ to compute $\kappa_\ell$.
(iii) For the $j$-th query, similar to the proof of Lemma 16, encrypt uses $\Lambda_{\mathsf{hk}}(C_j, t_j)$ to compute $\kappa_j$:
$$\begin{aligned}
\kappa_j &= \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j), \quad C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V} \\
&= \big(\Lambda_{\mathsf{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \quad \text{via key-homomorphism.}
\end{aligned} \tag{18}$$
(iv) The finalize procedure, which defines the event $\mathsf{Forge}$, uses $\Lambda_{\mathsf{hk}}(C^*, t^*)$ to compute $\kappa^*$:
$$\kappa^* = \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) = \big(\Lambda_{\mathsf{hk}}(C^*, t^*)\big)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) \quad \text{via key-homomorphism.} \tag{19}$$

We divide the event $\mathsf{Forge}$ into the following two subevents.

(i) Subevent $\mathsf{Forge} \wedge t_j \neq t^*$. Let us first consider the event $t_j \neq t^*$. We show that
$$\Pr'_{1,j}[t_j \neq t^*] = \Pr''_{1,j}[t_j \neq t^*]. \tag{20}$$
By the fact that $C_j \in \mathcal{C} \setminus \mathcal{V}$ and by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then, as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also randomly distributed over $\mathcal{K}$. Hence $\mathsf{G}'_{1,j}$ is the same as $\mathsf{G}''_{1,j}$ before $\mathcal{A}$ queries finalize, and consequently $t_j \neq t^*$ occurs with the same probability in $\mathsf{G}'_{1,j}$ and $\mathsf{G}''_{1,j}$.

Next we consider the event $\mathsf{Forge}$ conditioned on $t_j \neq t^*$. We show that
$$\Pr'_{1,j}[\mathsf{Forge} \mid t_j \neq t^*] = \Pr''_{1,j}[\mathsf{Forge} \mid t_j \neq t^*]. \tag{21}$$
Since $t_j \neq t^*$ and $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C^*, t^*)$. With a similar argument, $\kappa_j$ is also randomly distributed over $\mathcal{K}$. Hence $\mathsf{G}'_{1,j}$ is the same as $\mathsf{G}''_{1,j}$ when $t_j \neq t^*$, and consequently the probability that $\mathsf{Forge}$ occurs in $\mathsf{G}'_{1,j}$ and $\mathsf{G}''_{1,j}$ conditioned on $t_j \neq t^*$ is the same.

In conclusion, we have that
$$\Pr'_{1,j}[\mathsf{Forge} \wedge t_j \neq t^*] = \Pr''_{1,j}[\mathsf{Forge} \wedge t_j \neq t^*] \le \Pr''_{1,j}[\mathsf{Forge}]. \tag{22}$$

(ii) Subevent $\mathsf{Forge} \wedge t_j = t^*$. By the new rule added in game $\mathsf{G}_1$, $\mathsf{Forge} \wedge t_j = t^*$ implies $(C_j, \mathsf{ai}_j) = (C^*, \mathsf{ai}^*)$. In addition, $\mathsf{Forge} \wedge \mathsf{ai}_j = \mathsf{ai}^*$ implies $f_j = f^*$, due to the special rule in the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game (see Figure 4). Then it is straightforward to check that $\Lambda_{\mathsf{hk}}(C_j, t_j) = \Lambda_{\mathsf{hk}}(C^*, t^*)$ and
$$\kappa_j = \big(\Lambda_{\mathsf{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) = \big(\Lambda_{\mathsf{hk}}(C^*, t^*)\big)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) = \kappa^*. \tag{23}$$

Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ $(= \Lambda_{\mathsf{hk}}(C^*, t^*))$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then, as long as $a_j$ (which equals $a^*$) $\in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j$ (which equals $\kappa^*$) is also randomly distributed over $\mathcal{K}$. Also, in this subevent, $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$ implies $\chi^* \neq \chi_j$; thus the probability of $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$ is bounded by $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$. So we have the following claim. We present the full description of the reduction in Appendix A.

Claim 19. One has $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Combining the above two subevents together, Lemma 18 follows.
Now we show that game $\mathsf{G}''_{1,j}$ is computationally indistinguishable from game $\mathsf{G}_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $\mathsf{G}''_{1,j}$ and $\mathsf{G}_{1,j+1}$ lies in the distribution of $C_j$ in the $j$-th encrypt query. In game $\mathsf{G}''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $\mathsf{G}_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Similar to Lemma 17, any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr''_{1,j}[\mathsf{Forge}] - \Pr_{1,j+1}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda)$.

Finally, in game $\mathsf{G}_{1,Q_e+1}$, note that the challenger does not use $\mathsf{hk}$ to compute $\kappa_\ell$ at all; thus $\mathsf{hk}$ is uniformly random to $\mathcal{A}$. Consequently, in the finalize procedure we have
$$\kappa^* = \big(\Lambda_{\mathsf{hk}}(C^*, t^*)\big)^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*). \tag{24}$$
By the extracting property of THPS, $\Lambda_{\mathsf{hk}}(C^*, t^*)$ is uniformly random over $\mathcal{K}$. Therefore, as long as $a^* \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa^*$ is uniformly random over $\mathcal{K}$ as well. Hence the probability of $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$ is bounded by $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$, and we have $\Pr_{1,Q_e+1}[\mathsf{Forge}] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

In all, we proved the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security).
Remark 20. We emphasize that the special rule in the weak-INT-$\mathcal{F}$-RKA game (cf. Figure 4) plays an essential role in proving Lemma 18. Below is the reason.

Without this special rule, the adversary is allowed to submit $f^*$ $(= \langle a^*, \mathbf{b}^* \rangle)$ which is different from $f_j$ $(= \langle a_j, \mathbf{b}_j \rangle)$ even if $\mathsf{ai}^* = \mathsf{ai}_j$ holds. In this case we cannot expect to employ the INT-OT security of the underlying AE scheme to show that the second subevent ($\mathsf{Forge} \wedge t_j = t^*$) occurs with only a negligible probability. To demonstrate the problem clearly, suppose that the adversary $\mathcal{A}$ submits $f_j = \langle a_j, \mathbf{b}_j \rangle$ in the $j$-th encrypt query and submits $f^* = \langle a^*, \mathbf{b}^* \rangle = \langle a_j, \mathbf{b}_j + \Delta \rangle$ in the finalize procedure, where $\Delta$ is a constant. Then we have
$$\begin{aligned}
\kappa^* &= \big(\Lambda_{\mathsf{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j + \Delta}(C_j, t_j) \\
&= \big(\Lambda_{\mathsf{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \cdot \Lambda_{\Delta}(C_j, t_j) \\
&= \kappa_j \cdot \Lambda_{\Delta}(C_j, t_j),
\end{aligned} \tag{25}$$
where the second equality follows from the key-homomorphism of THPS. Thus $\kappa^*$ and $\kappa_j$ are closely related but may not be equal; in particular, the quotient $\kappa^* / \kappa_j$ $(= \Lambda_{\Delta}(C_j, t_j))$ is a constant.

Consequently, it is hard for us to show that the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs with a negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary $\mathcal{A}$, who obtains $\chi_j \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_j, m_j)$ in the $j$-th encrypt query, to generate an AE ciphertext $\chi^*$ satisfying $\mathsf{AE.Decrypt}(\kappa^*, \chi^*)$ $(= \mathsf{AE.Decrypt}(\kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \chi^*))$ $\neq \bot$, it seems that INT-RKA security of AE is required to some extent. We definitely cannot require INT-RKA security for the underlying AE scheme, since we are constructing a (weak) INT-RKA secure (AI)AE scheme AIAE. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT-$\mathcal{F}$-RKA game.
3.3. Tag-Based HPS from the DDH Assumption. Qin et al. [19] gave a construction of tag-based HPS from the $d$-LIN assumption. Here we construct a key-homomorphic $\mathsf{THPS}_{\mathrm{DDH}}$ under the DDH assumption in Figure 6. With a routine check, the projective property of $\mathsf{THPS}_{\mathrm{DDH}}$ follows.

Theorem 21. $\mathsf{THPS}_{\mathrm{DDH}}$ in Figure 6 is universal$_2$, extracting and key-homomorphic. Moreover, the subset membership problem related to $\mathsf{THPS}_{\mathrm{DDH}}$ is hard under the DDH assumption for $\mathsf{GenN}$ and $\mathrm{QR}_{\bar N}$.
Figure 6: Construction of $\mathsf{THPS}_{\mathrm{DDH}}$.

$\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$: $(p, q, N, \bar N) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ \mathrm{QR}_{\bar N}$. Output $\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2)$, which implicitly defines $(\mathcal{C}, \mathcal{V}, \mathcal{K}, \mathcal{HK}, \mathcal{PK}, \mathcal{T}, \Lambda_{(\cdot)}, \mu)$ with $\mathcal{K} = \mathrm{QR}_{\bar N}$, $\mathcal{T} = \mathbb{Z}_N$, $\mathcal{C} = \mathrm{QR}_{\bar N}^2 \setminus \{(1,1)\}$, $\mathcal{HK} = (\mathbb{Z}_N)^4$, and $\mathcal{V} = \{(g_1^w, g_2^w) \mid w \in \mathbb{Z}_N \setminus \{0\}\} \subseteq \mathrm{QR}_{\bar N}^2$.

For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$, $C = (c_1, c_2) \in \mathcal{C}$ and $t \in \mathcal{T}$: $\Lambda_{\mathsf{hk}}(C, t) = c_1^{k_1 + k_3 t} \, c_2^{k_2 + k_4 t} \in \mathcal{K}$.

For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$: $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2}, \; g_1^{k_3} g_2^{k_4}) \in \mathcal{PK}$.

$K \leftarrow \mathsf{THPS.Pub}(\mathsf{pk}, C, w, t)$: parse $\mathsf{pk} = (h_1, h_2) \in \mathcal{PK}$; output $K = h_1^{w} \, h_2^{wt}$.

$K \leftarrow \mathsf{THPS.Priv}(\mathsf{hk}, C, t)$: parse $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$ and $C = (c_1, c_2) \in \mathcal{C}$; output $K = c_1^{k_1 + k_3 t} \, c_2^{k_2 + k_4 t}$.

Proof of Theorem 21. Universal$_2$. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, $C' = (g_1^{w'_1}, g_2^{w'_2}) \in \mathcal{C} \setminus \mathcal{V}$, and $t, t' \in \mathcal{T}$ with $t \neq t'$. For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathsf{hk}}(C', t')$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$.
Denote $d := \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$. Firstly, $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + d k_2}, g_1^{k_3 + d k_4})$, which may leak the values of $k_1 + d k_2$ and $k_3 + d k_4$.

Next,
$$\Lambda_{\mathsf{hk}}(C, t) = (g_1^{w_1})^{k_1 + k_3 t} \cdot (g_2^{w_2})^{k_2 + k_4 t} = g_1^{X}, \quad \text{where } X := (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4), \tag{26}$$
which may further leak the value of $X$. Similarly,
$$\Lambda_{\mathsf{hk}}(C', t') = (g_1^{w'_1})^{k_1 + k_3 t'} \cdot (g_2^{w'_2})^{k_2 + k_4 t'} = g_1^{Y}, \quad \text{where } Y := (w'_1 k_1 + w'_2 d k_2) + t' \cdot (w'_1 k_3 + w'_2 d k_4). \tag{27}$$

By the fact that $C' = (g_1^{w'_1}, g_2^{w'_2}) \notin \mathcal{V}$, we have $w'_1 \neq w'_2$. Then, as long as $t \neq t'$, $Y$ is independent of $k_1 + d k_2$, $k_3 + d k_4$ and $X$, and consequently $Y$ is uniformly distributed over $\mathbb{Z}_N$. Therefore, conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$, $\Lambda_{\mathsf{hk}}(C', t')$ $(= g_1^{Y})$ is randomly distributed over $\mathcal{K} = \mathrm{QR}_{\bar N}$.

Extracting. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$ and $t \in \mathcal{T}$. For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathsf{hk}}(C, t)$.

By (26), $\Lambda_{\mathsf{hk}}(C, t) = g_1^{X}$ with $X = (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)$. Since $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, we have $(w_1, w_2) \neq (0, 0)$. Then, when $(k_1, k_2, k_3, k_4)$ is randomly chosen from $(\mathbb{Z}_N)^4$, $X$ is uniformly distributed over $\mathbb{Z}_N$. Consequently, $\Lambda_{\mathsf{hk}}(C, t)$ is randomly distributed over $\mathcal{K} = \mathrm{QR}_{\bar N}$.

Key-Homomorphism. For all $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$, all $a \in \mathbb{Z}$, all $\mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4$, all $C = (c_1, c_2) \in \mathcal{C}$, and all $t \in \mathcal{T}$, we have $a \cdot \mathsf{hk} + \mathbf{b} = a \cdot (k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) = (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4)$. Then it follows that
$$\begin{aligned}
\Lambda_{a \cdot \mathsf{hk} + \mathbf{b}}(C, t) &= c_1^{(a k_1 + b_1) + (a k_3 + b_3) t} \cdot c_2^{(a k_2 + b_2) + (a k_4 + b_4) t} \\
&= \big(c_1^{k_1 + k_3 t} \, c_2^{k_2 + k_4 t}\big)^{a} \cdot \big(c_1^{b_1 + b_3 t} \, c_2^{b_2 + b_4 t}\big) \\
&= \Lambda_{\mathsf{hk}}(C, t)^{a} \cdot \Lambda_{\mathbf{b}}(C, t).
\end{aligned} \tag{28}$$

Subset Membership Problem. The subset membership problem related to $\mathsf{THPS}_{\mathrm{DDH}}$ requires that $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\; C = (g_1^{w}, g_2^{w}))$ is computationally indistinguishable from $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\; C' = (g_1^{w_1}, g_2^{w_2}))$, where $C \leftarrow_\$ \mathcal{V}$ and $C' \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$. It trivially holds under the DDH assumption for $\mathsf{GenN}$ and $\mathrm{QR}_{\bar N}$.
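The following is an added, runnable illustration of $\mathsf{THPS}_{\mathrm{DDH}}$ from Figure 6 and of the two properties checked in the proof of Theorem 21; it is example code written for this page, not code from the paper. It assumes constructed toy parameters $p = 5$, $q = 7$ (both safe primes), $N = 35$ and $\bar N = 71$ (prime), so that $\mathrm{QR}_{71}$ is cyclic of order $N$; the function names (`setup`, `mu`, `pub`, `priv`, `affine`) are likewise this example's own. The sizes are far too small for security and exist only so the group arithmetic can be followed by hand.

```python
"""Toy instantiation of THPS_DDH (Figure 6) over QR_71 (constructed example, not the paper's code)."""
import secrets

# Constructed toy parameters: p = 5 = 2*2+1 and q = 7 = 2*3+1 are safe primes,
# N = pq = 35, and N_bar = 2N + 1 = 71 is prime, so QR_71 has order N.
P, Q = 5, 7
N = P * Q            # exponents live in Z_N
N_BAR = 2 * N + 1    # K = QR_{N_bar}


def is_qr(x):
    """Euler's criterion: x in QR_{N_bar} iff x^N = 1 (mod N_bar), since |QR| = N."""
    return 0 < x < N_BAR and pow(x, N, N_BAR) == 1


def generates_qr(g):
    """g generates QR_{N_bar} (order pq) iff g != 1 and g^p != 1 and g^q != 1."""
    return g != 1 and pow(g, P, N_BAR) != 1 and pow(g, Q, N_BAR) != 1


def setup():
    """THPS.Setup: pars = (N, p, q, N_bar, g1, g2), g1 and g2 random generators of QR_{N_bar}."""
    gens = []
    while len(gens) < 2:
        g = pow(2 + secrets.randbelow(N_BAR - 2), 2, N_BAR)   # a random square
        if generates_qr(g):
            gens.append(g)
    return {"N": N, "p": P, "q": Q, "N_bar": N_BAR, "g1": gens[0], "g2": gens[1]}


def in_C(C):
    """Membership in C = QR_{N_bar}^2 \\ {(1, 1)}."""
    c1, c2 = C
    return is_qr(c1) and is_qr(c2) and (c1, c2) != (1, 1)


def sample_V(pars):
    """C = (g1^w, g2^w) in V together with its witness w in Z_N \\ {0}."""
    w = 1 + secrets.randbelow(N - 1)
    return (pow(pars["g1"], w, N_BAR), pow(pars["g2"], w, N_BAR)), w


def sample_C_minus_V(pars):
    """(g1^w1, g2^w2) with w1 != w2 lies in C but outside V (a non-DDH tuple)."""
    w1, w2 = secrets.randbelow(N), secrets.randbelow(N)
    while w2 == w1:
        w2 = secrets.randbelow(N)
    return pow(pars["g1"], w1, N_BAR), pow(pars["g2"], w2, N_BAR)


def keygen():
    """hk <-$ HK = (Z_N)^4."""
    return tuple(secrets.randbelow(N) for _ in range(4))


def mu(pars, hk):
    """pk = mu(hk) = (g1^k1 g2^k2, g1^k3 g2^k4)."""
    k1, k2, k3, k4 = hk
    g1, g2 = pars["g1"], pars["g2"]
    return (pow(g1, k1, N_BAR) * pow(g2, k2, N_BAR) % N_BAR,
            pow(g1, k3, N_BAR) * pow(g2, k4, N_BAR) % N_BAR)


def priv(hk, C, t):
    """THPS.Priv: Lambda_hk(C, t) = c1^(k1 + k3 t) * c2^(k2 + k4 t)."""
    k1, k2, k3, k4 = hk
    c1, c2 = C
    return pow(c1, (k1 + k3 * t) % N, N_BAR) * pow(c2, (k2 + k4 * t) % N, N_BAR) % N_BAR


def pub(pk, w, t):
    """THPS.Pub(pk, C, w, t) = h1^w * h2^(w t): uses the witness, never hk."""
    h1, h2 = pk
    return pow(h1, w, N_BAR) * pow(h2, (w * t) % N, N_BAR) % N_BAR


def affine(a, hk, b):
    """The related key a*hk + b in (Z_N)^4, as used by the function class F_raff."""
    return tuple((a * k + bi) % N for k, bi in zip(hk, b))


def check_projective(pars, hk, t):
    """Projective property: on V, Pub (with witness) agrees with Priv (with hk)."""
    C, w = sample_V(pars)
    return pub(mu(pars, hk), w, t) == priv(hk, C, t)


def check_key_homomorphism(pars, hk, a, b, t):
    """Equation (28) on an element of C \\ V: Lambda_{a hk + b} = Lambda_hk^a * Lambda_b."""
    C = sample_C_minus_V(pars)
    lhs = priv(affine(a, hk, b), C, t)
    rhs = pow(priv(hk, C, t), a, N_BAR) * priv(b, C, t) % N_BAR
    return lhs == rhs
```

Reducing exponents modulo $N$ is legitimate because every element of $\mathrm{QR}_{\bar N}$ has order dividing $N$; `check_key_homomorphism` deliberately evaluates on $\mathcal{C} \setminus \mathcal{V}$, where no witness exists, because equation (28) is an identity on all of $\mathcal{C}$ and this is exactly the case the universal$_2$ argument in Lemmas 16 and 18 relies on.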
3.4. Instantiation $\mathsf{AIAE}_{\mathrm{DDH}}$ from DDH-Based $\mathsf{THPS}_{\mathrm{DDH}}$ and OT-Secure AE. When plugging the $\mathsf{THPS}_{\mathrm{DDH}}$ (cf. Figure 6) into the paradigm in Figure 5, we immediately obtain an AIAE scheme $\mathsf{AIAE}_{\mathrm{DDH}}$ under the DDH assumption, as shown in Figure 7. The key space is $\mathcal{K}_{\mathsf{AIAE}} = (\mathbb{Z}_N)^4$.

Figure 7: Construction of $\mathsf{AIAE}_{\mathrm{DDH}}$ from AE and $\mathsf{THPS}_{\mathrm{DDH}}$.

$\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_\$ \mathsf{AIAE.ParGen}(1^\lambda)$: $(p, q, N, \bar N) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ \mathrm{QR}_{\bar N}$; $\mathsf{pars}_{\mathsf{AE}} \leftarrow_\$ \mathsf{AE.ParGen}(1^\lambda)$; $\mathsf{H} \leftarrow_\$ \mathcal{H}$. Output $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$.

$\mathsf{AIAE.Encrypt}(\mathbf{k}, m, \mathsf{ai})$: parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$; $w \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$; $(c_1, c_2) = (g_1^{w}, g_2^{w}) \in \mathrm{QR}_{\bar N}^2$; $t = \mathsf{H}(c_1, c_2, \mathsf{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathrm{QR}_{\bar N}$; $\chi \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m)$. Output $\langle c_1, c_2, \chi \rangle$.

$\mathsf{AIAE.Decrypt}(\mathbf{k}, \langle c_1, c_2, \chi \rangle, \mathsf{ai})$: parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$. If $(c_1, c_2) \notin \mathrm{QR}_{\bar N}^2$ or $(c_1, c_2) = (1, 1)$, output $\bot$. $t = \mathsf{H}(c_1, c_2, \mathsf{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathrm{QR}_{\bar N}$. Output $\mathsf{AE.Decrypt}(\kappa, \chi)$.

By combining Theorem 15 with Theorem 21, we have the following corollary regarding the RKA security of $\mathsf{AIAE}_{\mathrm{DDH}}$.

Corollary 22. If (i) the DDH assumption holds for $\mathsf{GenN}$ and $\mathrm{QR}_{\bar N}$, (ii) AE is one-time secure, and (iii) $\mathsf{H}$ is collision-resistant, then the scheme $\mathsf{AIAE}_{\mathrm{DDH}}$ in Figure 7 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here
$$\mathcal{F}_{\mathrm{raff}} := \big\{ f_{(a, \mathbf{b})} : (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4 \mapsto (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4) \in (\mathbb{Z}_N)^4 \;\big|\; a \in \mathbb{Z}^*_N,\; \mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4 \big\}.$$

Remark 23. Our $\mathsf{AIAE}_{\mathrm{DDH}}$ enjoys the following property: $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$ will be randomly distributed over $\mathrm{QR}_{\bar N}$ as long as any element $k_j$ in $\mathbf{k} = (k_1, k_2, k_3, k_4)$ is uniformly chosen. As a result, the one-time security of AE will guarantee that $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) = \bot$ holds for any $(\mathsf{aiaec}, \mathsf{ai})$ except with probability $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda) \le \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. This fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.
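As an added example (not the paper's code), the following Python implements $\mathsf{AIAE}_{\mathrm{DDH}}$ from Figure 7 end to end, including the two rejection checks in $\mathsf{AIAE.Decrypt}$ that the weak-INT-RKA proof depends on. It assumes the same constructed toy group as above ($N = 35$, $\bar N = 71$, generators $g_1 = 4$ and $g_2 = 9$ of $\mathrm{QR}_{71}$), a SHA-256-based stand-in for the collision-resistant hash $\mathsf{H}$ with output reduced into $\mathbb{Z}_N$, and a constructed one-time AE (SHA-256 keystream plus HMAC tag, encrypt-then-MAC) in place of the paper's abstract AE. All function names are this example's own.

```python
"""Toy AIAE_DDH (Figure 7): THPS_DDH + hash tag + one-time AE. Constructed example, not the paper's code."""
import hashlib
import hmac
import secrets

P, Q = 5, 7              # constructed toy safe primes
N = P * Q                # 35
N_BAR = 2 * N + 1        # 71, prime; QR_71 has order N
G1, G2 = 4, 9            # constructed generators of QR_71 (2 and 3 generate QR_71; these are their squares)
assert all(pow(g, P, N_BAR) != 1 and pow(g, Q, N_BAR) != 1 for g in (G1, G2))


def tag_hash(c1, c2, ai):
    """Stand-in for the collision-resistant H: (c1, c2, ai) -> t in Z_N (assumption)."""
    digest = hashlib.sha256(f"{c1}|{c2}|".encode() + ai).digest()
    return int.from_bytes(digest, "big") % N


def thps_eval(k, c1, c2, t):
    """kappa = Lambda_k((c1, c2), t) = c1^(k1 + k3 t) * c2^(k2 + k4 t) in QR_{N_bar}."""
    k1, k2, k3, k4 = k
    return pow(c1, (k1 + k3 * t) % N, N_BAR) * pow(c2, (k2 + k4 * t) % N, N_BAR) % N_BAR


# --- constructed one-time AE: SHA-256 keystream and HMAC-SHA256 tag (encrypt-then-MAC) ---
def _ae_keys(kappa):
    root = hashlib.sha256(b"toy-ae|" + kappa.to_bytes(2, "big")).digest()
    return root[:16], root[16:]            # (stream key, MAC key) derived from the group element


def _keystream(skey, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(skey + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def ae_encrypt(kappa, m):
    skey, mkey = _ae_keys(kappa)
    body = bytes(x ^ y for x, y in zip(m, _keystream(skey, len(m))))
    return body + hmac.new(mkey, body, hashlib.sha256).digest()


def ae_decrypt(kappa, chi):
    """Plaintext, or None (the symbol ⊥) when the tag does not verify under kappa."""
    if len(chi) < 32:
        return None
    skey, mkey = _ae_keys(kappa)
    body, tag = chi[:-32], chi[-32:]
    if not hmac.compare_digest(tag, hmac.new(mkey, body, hashlib.sha256).digest()):
        return None
    return bytes(x ^ y for x, y in zip(body, _keystream(skey, len(body))))


# --- AIAE_DDH as in Figure 7 ---
def aiae_keygen():
    """k = (k1, k2, k3, k4) <-$ (Z_N)^4."""
    return tuple(secrets.randbelow(N) for _ in range(4))


def aiae_encrypt(k, m, ai):
    w = 1 + secrets.randbelow(N - 1)                  # w <-$ Z_N \ {0}
    c1, c2 = pow(G1, w, N_BAR), pow(G2, w, N_BAR)     # (c1, c2) in V
    t = tag_hash(c1, c2, ai)                          # the tag binds the auxiliary input
    return c1, c2, ae_encrypt(thps_eval(k, c1, c2, t), m)


def aiae_decrypt(k, ct, ai):
    c1, c2, chi = ct
    # Reject (c1, c2) outside QR_{N_bar}^2 \ {(1, 1)}; Euler's criterion x^N = 1 tests membership.
    for c in (c1, c2):
        if not (0 < c < N_BAR and pow(c, N, N_BAR) == 1):
            return None
    if (c1, c2) == (1, 1):
        return None
    t = tag_hash(c1, c2, ai)
    return ae_decrypt(thps_eval(k, c1, c2, t), chi)


def demo():
    """Round trip plus the rejections a verifier relies on, on constructed inputs."""
    k = aiae_keygen()
    ai = b"user-42"
    msg = b"key-dependent message"
    ct = aiae_encrypt(k, msg, ai)
    c1, c2, chi = ct
    tampered = (c1, c2, chi[:5] + bytes([chi[5] ^ 1]) + chi[6:])
    related = ((k[0] + 1) % N,) + k[1:]               # kappa' = kappa * c1 != kappa since c1 != 1
    return {
        "roundtrip": aiae_decrypt(k, ct, ai) == msg,
        "tamper_rejected": aiae_decrypt(k, tampered, ai) is None,
        "related_key_rejected": aiae_decrypt(related, ct, ai) is None,
        "bad_group_element_rejected": aiae_decrypt(k, (1, 1, chi), ai) is None,
    }
```

With $N = 35$ the tag space has only 35 values, so decrypting under a wrong $\mathsf{ai}$ collides on $t$ with probability $1/35$; `demo` therefore exercises the rejections that are deterministic in the toy group (a modified AE body, a related key $\mathbf{k} + (1,0,0,0)$, and the excluded pair $(1,1)$) rather than a wrong-$\mathsf{ai}$ check.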
4. PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security

Denote by $\mathsf{AIAE}_{\mathrm{DDH}} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^4$. We need two other building blocks, following the approach in Figure 1:

KEM: to be compatible with this $\mathsf{AIAE}_{\mathrm{DDH}}$, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
$\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$ so that, after a computationally indistinguishable change, $\mathcal{E}.\mathsf{Encrypt}$ can serve as an entropy filter for the affine function set.

The proposed PKE scheme $\mathsf{PKE} = (\mathsf{ParGen}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$ is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.

The correctness of PKE is guaranteed by the correctness of $\mathsf{AIAE}_{\mathrm{DDH}}$, $\mathcal{E}$ and KEM.
Theorem 24. If (i) the DCR assumption holds for $\mathsf{GenN}$ and $\mathrm{QR}_{N^s}$, (ii) $\mathsf{AIAE}_{\mathrm{DDH}}$ is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for $\mathsf{GenN}$ and $\mathrm{SCR}_{N^s}$, then the proposed scheme PKE in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.

Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary who is against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, querying the encrypt oracle at most $Q_e$ times and the decrypt oracle at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.

In the proof, $\mathsf{G}_1$-$\mathsf{G}_2$ deal with the $n$-user case; $\mathsf{G}_3$-$\mathsf{G}_4$ are used to eliminate the utilization of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^4$ in the encrypt oracle; the aim of $\mathsf{G}_5$-$\mathsf{G}_6$ is to use $(x_j, y_j)_{j=1}^4 \bmod N$ to hide a base key $\mathbf{k}^* = (k^*_1, \dots, k^*_4)$ of $\mathsf{AIAE}_{\mathrm{DDH}}$ in the encrypt oracle; $\mathsf{G}_7$-$\mathsf{G}_8$ are used to eliminate the utilization of $(x_j, y_j)_{j=1}^4 \bmod N$ in the decrypt oracle; in $\mathsf{G}_9$-$\mathsf{G}_{10}$, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathsf{AIAE}_{\mathrm{DDH}}$ leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^* = (k^*_1, \dots, k^*_4)$ is now concealed by $(x_j, y_j)_{j=1}^4 \bmod N$ perfectly.

Game $\mathsf{G}_0$. It is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta' = \beta$ by $\mathsf{Succ}$. According to the definition, $\mathsf{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathsf{PKE},\mathcal{A}}(\lambda) = |\Pr_0[\mathsf{Succ}] - 1/2|$.

For the $i$-th user, $i \in [n]$, let $\mathsf{pk}_i = (h_{i,1}, \dots, h_{i,4})$ and $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key, respectively.

Game $\mathsf{G}_1$. It is identical to $\mathsf{G}_0$ except for the way of answering the decrypt query $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$. More precisely, the challenger outputs $\bot$ if $\langle \mathsf{ai}, \mathsf{aiaec} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$, where $\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ is the challenge ciphertext of the $\ell$-th encrypt oracle query $(f_\ell, i_\ell)$.

Case 1 ($(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i) = (\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle, i_\ell)$): decrypt will output $\bot$ in $\mathsf{G}_0$, since $(\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle, i_\ell) \in \mathcal{Q}_{\mathrm{ENC}}$ is prohibited by decrypt.

Case 2 ($\langle \mathsf{ai}, \mathsf{aiaec} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ but $i \neq i_\ell$): We show that in $\mathsf{G}_0$, decrypt will output $\bot$ due to $e_{\ell,1} \, u_{\ell,1}^{x_{i,1}} \, u_{\ell,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ with overwhelming probability. Recall that $u_{\ell,1} = g_1^{r_\ell}$, $u_{\ell,2} = g_2^{r_\ell}$, $e_{\ell,1} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}}$, so
$$e_{\ell,1} \, u_{\ell,1}^{x_{i,1}} \, u_{\ell,2}^{y_{i,1}} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}} \cdot (g_1^{r_\ell})^{x_{i,1}} (g_2^{r_\ell})^{y_{i,1}} = \big(h_{i_\ell,1} \, h_{i,1}^{-1}\big)^{r_\ell} \, T^{k_{\ell,1}} \bmod N^2, \tag{29}$$
where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$-th user and the $i$-th user, respectively, and are uniformly random over $\mathrm{SCR}_{N^s}$.
Figure 8: Construction of PKE from $\mathsf{AIAE}_{\mathrm{DDH}}$. The shadowed parts highlight the algorithms of KEM and $\mathcal{E}$ (marked "(KEM)" and "($\mathcal{E}$)" below). Here $p, q$ in $\mathsf{pars}_{\mathsf{AIAE}}$ are not provided in $\mathsf{pars}'_{\mathsf{AIAE}}$ since they are not used in $\mathsf{AIAE.Encrypt}$ and $\mathsf{AIAE.Decrypt}$ of $\mathsf{AIAE}_{\mathrm{DDH}}$.

$\mathsf{pars} \leftarrow_\$ \mathsf{ParGen}(1^\lambda)$: $\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_\$ \mathsf{AIAE.ParGen}(1^\lambda)$ with $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, \bar g_1, \bar g_2, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$, where $N = pq$, $\bar N = 2N + 1$, and $\bar g_1, \bar g_2 \in \mathrm{QR}_{\bar N}$ are the generators written $g_1, g_2$ in Figure 7 (renamed here to keep them apart from $g_1, \dots, g_5$ below); set $\mathsf{pars}'_{\mathsf{AIAE}} = (N, \bar N, \bar g_1, \bar g_2, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$; $g_1, g_2, g_3, g_4, g_5 \leftarrow_\$ \mathrm{SCR}_{N^s}$. Output $\mathsf{pars} = (\mathsf{pars}'_{\mathsf{AIAE}}, g_1, g_2, g_3, g_4, g_5)$.

$(\mathsf{pk}, \mathsf{sk}) \leftarrow_\$ \mathsf{KeyGen}(\mathsf{pars})$: $x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4 \leftarrow_\$ [\lfloor N^2/4 \rfloor]$; $(h_1, h_2, h_3, h_4) = (g_1^{-x_1} g_2^{-y_1},\; g_2^{-x_2} g_3^{-y_2},\; g_3^{-x_3} g_4^{-y_3},\; g_4^{-x_4} g_5^{-y_4}) \bmod N^s$; $\mathsf{pk} = (h_1, h_2, h_3, h_4)$, $\mathsf{sk} = (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4)$. Output $(\mathsf{pk}, \mathsf{sk})$.

$\langle \mathsf{ai}, \mathsf{aiaec} \rangle \leftarrow_\$ \mathsf{Encrypt}(\mathsf{pk}, m)$: $(\mathbf{k}, \mathsf{ai}) \leftarrow_\$ \mathsf{KEM.Encrypt}(\mathsf{pk})$; $\mathcal{E}c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$; $\mathsf{aiaec} \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}, \mathcal{E}c, \mathsf{ai})$. Output $\langle \mathsf{ai}, \mathsf{aiaec} \rangle$.

(KEM) $(\mathbf{k}, \mathsf{ai}) \leftarrow_\$ \mathsf{KEM.Encrypt}(\mathsf{pk})$: $r \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_1, u_2, u_3, u_4, u_5) = (g_1^{r}, g_2^{r}, g_3^{r}, g_4^{r}, g_5^{r}) \bmod N^s$; $\mathbf{k} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$; $(e_1, e_2, e_3, e_4) = (h_1^{r} T^{k_1}, h_2^{r} T^{k_2}, h_3^{r} T^{k_3}, h_4^{r} T^{k_4}) \bmod N^2$; $\mathsf{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$. Output $(\mathbf{k}, \mathsf{ai})$.

($\mathcal{E}$) $\mathcal{E}c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$, $m \in [N^{s-1}]$: $r_1, r_2, r_3, r_4 \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_1, \dots, u_8) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$; $e = h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^{m} \bmod N^s$; $t = g_1^{m} \bmod N$; $\mathcal{E}c = (u_1, \dots, u_8, e, t)$. Output $\mathcal{E}c$.

$m/\bot \leftarrow \mathsf{Decrypt}(\mathsf{sk}, \langle \mathsf{ai}, \mathsf{aiaec} \rangle)$: $\mathbf{k}/\bot \leftarrow \mathsf{KEM.Decrypt}(\mathsf{sk}, \mathsf{ai})$; $\mathcal{E}c/\bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai})$; $m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}c)$.

(KEM) $\mathbf{k}/\bot \leftarrow \mathsf{KEM.Decrypt}(\mathsf{sk}, \mathsf{ai})$: parse $\mathsf{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$. If $e_1 u_1^{x_1} u_2^{y_1},\; e_2 u_2^{x_2} u_3^{y_2},\; e_3 u_3^{x_3} u_4^{y_3},\; e_4 u_4^{x_4} u_5^{y_4} \in \mathrm{RU}_{N^2}$: $\mathbf{k} = (k_1, k_2, k_3, k_4) = \big(\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}), \mathrm{dlog}_T(e_2 u_2^{x_2} u_3^{y_2}), \mathrm{dlog}_T(e_3 u_3^{x_3} u_4^{y_3}), \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})\big) \bmod N$, output $\mathbf{k}$; else output $\bot$.

($\mathcal{E}$) $m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}c)$: parse $\mathcal{E}c = (u_1, \dots, u_8, e, t)$. If $e \, u_1^{x_1} u_2^{y_1} u_3^{x_2} u_4^{y_2} u_5^{x_3} u_6^{y_3} u_7^{x_4} u_8^{y_4} \in \mathrm{RU}_{N^s}$: $m = \mathrm{dlog}_T(e \, u_1^{x_1} u_2^{y_1} u_3^{x_2} u_4^{y_2} u_5^{x_3} u_6^{y_3} u_7^{x_4} u_8^{y_4}) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$, output $m$, else output $\bot$. Otherwise output $\bot$.
So $h_{i_\ell,1} \, h_{i,1}^{-1} \neq 1$; hence $e_{\ell,1} \, u_{\ell,1}^{x_{i,1}} \, u_{\ell,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus $\mathsf{G}_0$ and $\mathsf{G}_1$ are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$ according to the union bound, and $|\Pr_0[\mathsf{Succ}] - \Pr_1[\mathsf{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Game $\mathsf{G}_2$. It is identical to $\mathsf{G}_1$ except for the way the challenger samples the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game $\mathsf{G}_2$, the challenger first chooses $(x_1, y_1, \dots, x_4, y_4)$ and $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$; next it computes $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) := (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.

Obviously, the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence $\mathsf{G}_2$ is identical to $\mathsf{G}_1$, and $\Pr_1[\mathsf{Succ}] = \Pr_2[\mathsf{Succ}]$.

Game $\mathsf{G}_3$. It is identical to $\mathsf{G}_2$ except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game $\mathsf{G}_3$, instead of using the public key $\mathsf{pk}_{i_\ell} = (h_{i_\ell,1}, \dots, h_{i_\ell,4})$, the challenger uses the secret key $\mathsf{sk}_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \dots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell,1}, \dots, e_{\ell,4})$ and $e_\ell$ in the following way:

(i)
$$(e_{\ell,1}, \dots, e_{\ell,4}) := \big(u_{\ell,1}^{-x_{i_\ell,1}} \, u_{\ell,2}^{-y_{i_\ell,1}} \, T^{k_{\ell,1}}, \; \dots, \; u_{\ell,4}^{-x_{i_\ell,4}} \, u_{\ell,5}^{-y_{i_\ell,4}} \, T^{k_{\ell,4}}\big) \bmod N^2. \tag{30}$$

(ii)
$$e_\ell := \tilde u_{\ell,1}^{-x_{i_\ell,1}} \, \tilde u_{\ell,2}^{-y_{i_\ell,1}} \, \tilde u_{\ell,3}^{-x_{i_\ell,2}} \, \tilde u_{\ell,4}^{-y_{i_\ell,2}} \, \tilde u_{\ell,5}^{-x_{i_\ell,3}} \, \tilde u_{\ell,6}^{-y_{i_\ell,3}} \, \tilde u_{\ell,7}^{-x_{i_\ell,4}} \, \tilde u_{\ell,8}^{-y_{i_\ell,4}} \, T^{m_\beta} \bmod N^s. \tag{31}$$

Note that, for $j \in [4]$,
$$e_{\ell,j} \overset{\mathsf{G}_2}{=} h_{i_\ell,j}^{r_\ell} \, T^{k_{\ell,j}} = \big(g_j^{-x_{i_\ell,j}} \, g_{j+1}^{-y_{i_\ell,j}}\big)^{r_\ell} \, T^{k_{\ell,j}} \overset{\mathsf{G}_3}{=} u_{\ell,j}^{-x_{i_\ell,j}} \, u_{\ell,j+1}^{-y_{i_\ell,j}} \, T^{k_{\ell,j}} \bmod N^2,$$
Table 2: Brief description of the security proof of Theorem 24.

Game | Changes between adjacent games | Assumptions
$\mathsf{G}_0$ | The original $n$-KDM-CCA security game. | —
$\mathsf{G}_1$ | decrypt: reject if $\langle \mathsf{ai}, \mathsf{aiaec} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$. | $\mathsf{G}_0 \approx_s \mathsf{G}_1$
$\mathsf{G}_2$ | initialize: sample secret keys with $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) = (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$. | $\mathsf{G}_1 = \mathsf{G}_2$
$\mathsf{G}_3$ | encrypt$(f_\ell, i_\ell)$: use the secret keys to run $\mathsf{KEM.Encrypt}$ and $\mathcal{E}.\mathsf{Encrypt}$. | $\mathsf{G}_2 = \mathsf{G}_3$
$\mathsf{G}_4$ | encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of secret keys, $\mathcal{E}c$ is computed with $(\tilde u_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \dots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \dots, g_5^{r_{\ell,4}})$. encrypt does not use $(x_j, y_j)_{j=1}^4 \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen. | $\mathsf{G}_3 \approx_c \mathsf{G}_4$ by $\mathrm{IV}_5$
$\mathsf{G}_5$ | encrypt$(f_\ell, i_\ell)$: $\mathsf{kem.ct}$ $(= \mathsf{ai})$ of $\mathsf{KEM.Encrypt}$ is computed with $(u_{\ell,j})_{j \in [5]} = ((g_j^{r^*} T^{\alpha_j})^{r_\ell})_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now $\mathsf{KEM.Encrypt}$ encapsulates the four keys $(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}))_{j=1}^4 \bmod N$, but $(k_{\ell,j})_{j=1}^4$ is the key used in $\mathsf{AIAE.Encrypt}$. | $\mathsf{G}_4 \approx_c \mathsf{G}_5$ by $\mathrm{IV}_5$
$\mathsf{G}_6$ | encrypt$(f_\ell, i_\ell)$: sample $k_{\ell,j} := r_\ell k^*_j + s_{\ell,j}$ for $j \in [4]$. Now $\mathsf{KEM.Encrypt}$ encapsulates the four keys $(r_\ell (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell (\alpha_j \bar x_{i,j} + \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j})_{j=1}^4$, but $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in $\mathsf{AIAE.Encrypt}$. | $\mathsf{G}_5 = \mathsf{G}_6$
$\mathsf{G}_7$ | decrypt: use $\phi(N)$ and the secret keys to answer decryption queries. | $\mathsf{G}_6 = \mathsf{G}_7$
$\mathsf{G}_8$ | decrypt: add an additional rejection rule. Reject if $\mathsf{Bad}' = (\exists u_j \notin \mathrm{SCR}_{N^2})$ or $\mathsf{Bad} = (\forall u_j \in \mathrm{SCR}_{N^2}) \wedge (\exists \tilde u_j \notin \mathrm{SCR}_{N^s})$ happens. $\mathsf{Bad}'$ and $\mathsf{Bad}$ can be detected by using $\phi(N)$. Now only the $(\bmod \phi(N)/4)$ part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^4 \bmod N$ perfectly hides $(k^*_1, \dots, k^*_4)$ in encrypt; thus $(k^*_1, \dots, k^*_4)$ is uniform. $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in $\mathsf{AIAE.Encrypt}$. $\mathsf{Bad}'$ may lead to a fresh successful forgery for $\mathsf{AIAE}_{\mathrm{DDH}}$. | $\mathsf{G}_7 = \mathsf{G}_8$ if neither $\mathsf{Bad}'$ nor $\mathsf{Bad}$ happens; $\Pr[\mathsf{Bad}'] = \mathsf{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathsf{AIAE}_{\mathrm{DDH}}$
$\mathsf{G}_9$ | initialize: sample an independent random tuple $(k^*_1, \dots, k^*_4)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ in $\mathsf{AIAE.Encrypt}$. | $\mathsf{G}_8 = \mathsf{G}_9$ to the adversary
$\mathsf{G}_{10}$ | encrypt: encrypt zeros instead of the affine function of secret keys. $\mathsf{Bad}$ happens with negligible probability since $t = g_1^{m} \bmod N$ in decrypt. Adversary $\mathcal{A}$ wins with probability $1/2$. | $\mathsf{G}_9 \approx_c \mathsf{G}_{10}$ by the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathsf{AIAE}_{\mathrm{DDH}}$; $\Pr[\mathsf{Bad}] = \mathsf{negl}$
$$e_\ell \overset{G_2}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{m_\beta} = \big(g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}}\big)^{r_{\ell,1}} \cdots \big(g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}}\big)^{r_{\ell,4}} T^{m_\beta} \overset{G_3}{=} \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \quad (32)$$
Thus $G_3$ is the same as $G_2$ and $\Pr_2[\mathrm{Succ}] = \Pr_3[\mathrm{Succ}]$.

Game $G_4$. It is identical to $G_3$ except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) ENCRYPT query $(f_\ell, i_\ell)$. In game $G_4$, in the case of $\beta = 1$, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and $e_\ell$ are computed without the use of $(x_1, y_1, \dots, x_4, y_4) \bmod N$:
(i) $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8}) := \big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\big) \bmod N^s$ (33)
(ii) $e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{\sum_{i=1}^n \sum_{j=1}^4 (a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})) + c} \bmod N^s$ (34)
where $f_\ell = ((a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4})_{i\in[n]}, c) \in \mathcal F_{\mathrm{aff}}$. Note that
$$\begin{aligned} e_\ell &\overset{G_4}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 (a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})) + c} \\ &= \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 (a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})) + c} \\ &= \prod_{j=1}^4 \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^n \sum_{j=1}^4 (a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j})} \\ &= \prod_{j=1}^4 \big(g_j^{r_{\ell,j}} T^{\sum_{i=1}^n a_{i,j}}\big)^{-x_{i_\ell,j}} \big(g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^n b_{i,j}}\big)^{-y_{i_\ell,j}} \cdot T^{m_1} \\ &= \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_1} \bmod N^s, \end{aligned} \quad (35)$$
where the third equality follows from $m_1 = \sum_{i=1}^n (a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}) + c$.
We analyze the difference between $G_3$ and $G_4$ via the following lemma.

Lemma 25. One has $|\Pr_3[\mathrm{Succ}] - \Pr_4[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is the same in $G_3$ and $G_4$. Therefore the only divergence between $G_3$ and $G_4$ lies in $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$.

We show that any difference between $G_3$ and $G_4$ results in a PPT adversary $\mathcal B_1$ solving the IV$_5$ problem. $\mathcal B_1$ is provided with $(N, g_1, \dots, g_5)$ and has access to its $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle. $\mathcal B_1$ simulates game $G_3$ or game $G_4$ for $\mathcal A$. Firstly, $\mathcal B_1$ prepares $pars$ and generates $(pk_i, sk_i)$, $i \in [n]$, as in $G_3$ and $G_4$. As for the $\ell$-th ($\ell \in [Q_e]$) ENCRYPT query $(f_\ell, i_\ell)$ from $\mathcal A$, where $f_\ell = ((a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4})_{i\in[n]}, c) \in \mathcal F_{\mathrm{aff}}$, $\mathcal B_1$ proceeds as follows: it queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with
$$\Big(\sum_{i=1}^n a_{i,1}, \sum_{i=1}^n b_{i,1}, *, *, *\Big),\ \Big(*, \sum_{i=1}^n a_{i,2}, \sum_{i=1}^n b_{i,2}, *, *\Big),\ \Big(*, *, \sum_{i=1}^n a_{i,3}, \sum_{i=1}^n b_{i,3}, *\Big),\ \Big(*, *, *, \sum_{i=1}^n a_{i,4}, \sum_{i=1}^n b_{i,4}\Big),$$
where the symbol "$*$" denotes dummy messages. Then $\mathcal B_1$ obtains its challenges $(\tilde u_{\ell,1}, \tilde u_{\ell,2}, *, *, *)$, $(*, \tilde u_{\ell,3}, \tilde u_{\ell,4}, *, *)$, $(*, *, \tilde u_{\ell,5}, \tilde u_{\ell,6}, *)$, $(*, *, *, \tilde u_{\ell,7}, \tilde u_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}})$.

Case 2 ($b = 1$): $(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}})$.

Next, $\mathcal B_1$ uses the obtained $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal A$. In the meantime, $\mathcal B_1$ can also simulate DECRYPT for $\mathcal A$ since it knows the secret keys. Finally, $\mathcal B_1$ outputs 1 if the event $\mathrm{Succ}$ occurs.

In Case 1, $\mathcal B_1$ simulates game $G_3$ perfectly for $\mathcal A$; in Case 2, $\mathcal B_1$ simulates game $G_4$ perfectly for $\mathcal A$. Any difference between $\Pr_3[\mathrm{Succ}]$ and $\Pr_4[\mathrm{Succ}]$ results in $\mathcal B_1$'s advantage over the IV$_5$ problem. Thus Lemma 25 follows.
Game $G_5$. It is identical to $G_4$ except for the following differences. In the INITIALIZE procedure of game $G_5$, the challenger picks $r^* \leftarrow_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \dots, \alpha_5 \leftarrow_\$ \mathbb Z_N$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) ENCRYPT query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \dots, u_{\ell,5})$ as follows:
(i) $(u_{\ell,1}, \dots, u_{\ell,5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$.

The only difference between $G_4$ and $G_5$ is the distribution of $(u_{\ell,1}, \dots, u_{\ell,5})$. In game $G_4$, $(u_{\ell,1}, \dots, u_{\ell,5}) = (g_1^{r_\ell}, \dots, g_5^{r_\ell}) \bmod N^2$, while in game $G_5$, $(u_{\ell,1}, \dots, u_{\ell,5}) = ((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}) \bmod N^2$. Just like Lemma 25, any difference between $G_4$ and $G_5$ results in a PPT adversary solving the IV$_5$ problem by invoking $\mathcal A$. Therefore $|\Pr_4[\mathrm{Succ}] - \Pr_5[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Game $G_6$. It is identical to $G_5$ except for the following differences. In the INITIALIZE procedure of game $G_6$, the challenger picks $\mathbf k^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) ENCRYPT query $(f_\ell, i_\ell)$, the challenger computes $\mathbf k_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \dots, e_{\ell,4})$ in a different way:
(i) Pick $\mathbf s_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_\$ (\mathbb Z_N)^4$ and $r_\ell \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf k_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \dots, r_\ell k^*_4 + s_{\ell,4})$.
(ii) $(e_{\ell,1}, \dots, e_{\ell,4}) := \big(h_{i_\ell,1}^{r^* r_\ell} T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}}, \dots, h_{i_\ell,4}^{r^* r_\ell} T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\big)$ (36)

Clearly $\mathbf k_\ell$ is uniformly random over $(\mathbb Z_N)^4$, just like that in game $G_5$. In the meantime, for $j \in [4]$ we have
$$\begin{aligned} e_{\ell,j} &\overset{G_5}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} = \big(g_j^{r^*} T^{\alpha_j}\big)^{-r_\ell \cdot x_{i_\ell,j}} \big(g_{j+1}^{r^*} T^{\alpha_{j+1}}\big)^{-r_\ell \cdot y_{i_\ell,j}} T^{k_{\ell,j}} \\ &= \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r^* r_\ell} T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \\ &\overset{G_6}{=} h_{i_\ell,j}^{r^* r_\ell} T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \end{aligned} \quad (37)$$
Thus $G_6$ is the same as $G_5$ and $\Pr_5[\mathrm{Succ}] = \Pr_6[\mathrm{Succ}]$.

Game $G_7$. It is identical to $G_6$ except for the way the challenger answers the DECRYPT oracle queries $(\langle ai, aiae.c\rangle, i \in [n])$. In game $G_7$ it uses $sk_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle ai, aiae.c\rangle$, where $ai = (u_1, \dots, u_5, e_1, \dots, e_4)$. More precisely, it computes $\mathbf k = (k_1, \dots, k_4)$ and $m$ in the following way:
(i)
$$\begin{aligned} (\alpha'_1, \dots, \alpha'_5) &:= \Big(\frac{\mathrm{dlog}_T(u_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(u_5^{\phi(N)})}{\phi(N)}\Big) \bmod N, \\ (\gamma'_1, \dots, \gamma'_4) &:= \Big(\frac{\mathrm{dlog}_T(e_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(e_4^{\phi(N)})}{\phi(N)}\Big) \bmod N, \\ \mathbf k = (k_1, \dots, k_4) &:= (\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1, \dots, \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4) \bmod N. \end{aligned} \quad (38)$$
(ii)
$$E.c = (\tilde u_1, \dots, \tilde u_8, e, t) / \bot \leftarrow \mathrm{AIAE.Decrypt}(\mathbf k, aiae.c, ai). \quad (39)$$
(iii)
$$\begin{aligned} (\tilde\alpha_1, \dots, \tilde\alpha_8) &:= \Big(\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}\Big) \bmod N^{s-1}, \\ \gamma &:= \frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)} \bmod N^{s-1}, \\ m &:= \tilde\alpha_1 x_{i,1} + \tilde\alpha_2 y_{i,1} + \tilde\alpha_3 x_{i,2} + \tilde\alpha_4 y_{i,2} + \tilde\alpha_5 x_{i,3} + \tilde\alpha_6 y_{i,3} + \tilde\alpha_7 x_{i,4} + \tilde\alpha_8 y_{i,4} + \gamma \bmod N^{s-1}. \end{aligned} \quad (40)$$

According to (8), for $j \in [4]$ we have that
$$\begin{aligned} k_j &\overset{G_6}{=} \mathrm{dlog}_T\big(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}}\big) = \frac{\mathrm{dlog}_T\big((e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)}\big)}{\phi(N)} \bmod N \\ &= \frac{\mathrm{dlog}_T(u_j^{\phi(N) \cdot x_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N) \cdot y_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)} \\ &\overset{G_7}{=} \underbrace{\frac{\mathrm{dlog}_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}}_{\gamma'_j}, \\ m &\overset{G_6}{=} \mathrm{dlog}_T\big(e\, \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}}\big) \bmod N^{s-1} \\ &\overset{G_7}{=} \underbrace{\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}}_{\tilde\alpha_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}}_{\tilde\alpha_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)}}_{\gamma}. \end{aligned} \quad (41)$$
Hence $G_7$ is essentially the same as $G_6$ and $\Pr_6[\mathrm{Succ}] = \Pr_7[\mathrm{Succ}]$.

Game $G_8$. It is identical to $G_7$ except for the way of answering the DECRYPT oracle queries $(\langle ai, aiae.c\rangle, i \in [n])$. More precisely, a rejection rule is added in DECRYPT:
(i) If $\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or $\tilde\alpha_1 \neq 0$ or $\cdots$ or $\tilde\alpha_8 \neq 0$, output $\bot$.

Denote by $\mathrm{Bad}$ the event that $\mathcal A$ ever queries the DECRYPT oracle with $(\langle ai, aiae.c\rangle, i \in [n])$ satisfying
$$e_1 u_1^{x_{i,1}} u_2^{y_{i,1}}, \dots, e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in RU_{N^2} \ \text{ and } \ \mathrm{AIAE.Decrypt}(\mathbf k, aiae.c, ai) \neq \bot \quad (42)$$
$$\text{and } \ e\, \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}} \in RU_{N^s} \ \text{ and } \ t = g_1^{m} \bmod N \quad (43)$$
$$\text{and } \ (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0 \text{ or } \tilde\alpha_1 \neq 0 \text{ or } \cdots \text{ or } \tilde\alpha_8 \neq 0). \quad (44)$$
Obviously $G_8$ is identical to $G_7$ unless $\mathrm{Bad}$ occurs. Thus $|\Pr_7[\mathrm{Succ}] - \Pr_8[\mathrm{Succ}]| \le \Pr_8[\mathrm{Bad}]$.

To show the computational indistinguishability of $G_7$ and $G_8$, we must prove that $\Pr_8[\mathrm{Bad}]$ is negligible. To this end, $\mathrm{Bad}$ is divided into two subevents:
(i) $\mathrm{Bad}'$: $\mathcal A$ ever queries the DECRYPT oracle with $(\langle ai, aiae.c\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43) and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0). \quad (45)$$
(ii) $\overline{\mathrm{Bad}}$: $\mathcal A$ ever queries the DECRYPT oracle with $(\langle ai, aiae.c\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43) and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde\alpha_1 \neq 0 \text{ or } \cdots \text{ or } \tilde\alpha_8 \neq 0). \quad (46)$$
Obviously $\Pr_8[\mathrm{Bad}] \le \Pr_8[\mathrm{Bad}'] + \Pr_8[\overline{\mathrm{Bad}}]$. We will defer the analysis of $\Pr_8[\overline{\mathrm{Bad}}]$ to subsequent games. Through the following lemma we provide the analysis of $\Pr_8[\mathrm{Bad}']$.

Lemma 26. One has $\Pr_8[\mathrm{Bad}'] \le 2 Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In DECRYPT of game $G_8$, the challenger will reply $\bot$ to $\mathcal A$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\tilde\alpha_1 = \cdots = \tilde\alpha_8 = 0$. Consequently, the $(\bmod\ \phi(N)/4)$ part of $sk_i$, that is, $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, and the value of $\phi(N)$ are enough for answering DECRYPT queries. In particular, the values of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ are not necessary in DECRYPT.

$\mathrm{Bad}'$ is further divided into the following two subevents:
(i) $\mathrm{Bad}'$-1: $\mathcal A$ ever queries the DECRYPT oracle with $(\langle ai, aiae.c\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43) and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0) \text{ and } (\exists j \in [4]:\ \alpha'_j/\alpha_j \neq \alpha'_{j+1}/\alpha_{j+1} \bmod N). \quad (47)$$
(ii) $\mathrm{Bad}'$-2: $\mathcal A$ ever queries the DECRYPT oracle with $(\langle ai, aiae.c\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43) and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0) \text{ and } (\alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \bmod N). \quad (48)$$
Recall that $(\alpha_1, \dots, \alpha_5)$ are chosen in INITIALIZE. We will consider the two subevents in game $G_8$ separately via the following two claims.

Claim 27. One has $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. In game $G_8$, the values of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ are not needed in DECRYPT, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in ENCRYPT only makes use of $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \dots, x_4, y_4) \bmod N$ leaked to $\mathcal A$ is through the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$ in ENCRYPT, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$: for $j \in [4]$,
$$e_{\ell,j} = h_{i_\ell,j}^{r^* r_\ell} T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 = h_{i_\ell,j}^{r^* r_\ell} T^{r_\ell \cdot (\tilde k_j - \alpha_j \bar x_{i_\ell,j} - \alpha_{j+1} \bar y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2, \quad \text{where } \tilde k_j \triangleq k^*_j - \alpha_j x_j - \alpha_{j+1} y_j. \quad (49)$$
If $\mathrm{Bad}'$-1 occurs, for concreteness say that $\alpha'_1/\alpha_1 \neq \alpha'_2/\alpha_2 \bmod N$, then
$$k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar x_{i,1} + \alpha'_2 \bar y_{i,1} + \gamma'_1 \bmod N, \quad (50)$$
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb Z_N$ from $\mathcal A$'s view. By Remark 23, for $\mathbf k = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_\$ \mathbb Z_N$, the probability of $\mathrm{AIAE.Decrypt}(\mathbf k, aiae.c, ai) \neq \bot$ is upper bounded by $\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.
Claim 28. One has $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game $G_8$ the only information about $(x_1, y_1, \dots, x_4, y_4) \bmod N$ and $\mathbf k^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through ENCRYPT, which uses the values of $\tilde k_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\tilde k_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\tilde k_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\tilde k_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \dots, e_{\ell,4})$ (see (49)), and also uses $\mathbf k_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \dots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt.

Note that because of the randomness of $(x_1, y_1, \dots, x_4, y_4) \bmod N$, $(\tilde k_1, \tilde k_2, \tilde k_3, \tilde k_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm to simulate DECRYPT and ENCRYPT of game $G_8$ without $\mathbf k^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \dots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal F_{\mathrm{raff}}$-RKA encryption oracle of the AIAE$_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal B_2(pars_{\mathrm{AIAE}})$, which has access to the ENCRYPT$_{\mathrm{AIAE}}$ oracle, against the weak-INT-$\mathcal F_{\mathrm{raff}}$-RKA security of the AIAE$_{\mathrm{DDH}}$ scheme, where $pars_{\mathrm{AIAE}} = (N, p, q, \dots)$. $\mathcal B_2$ does not choose $\mathbf k^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in INITIALIZE any more, and it implicitly sets $\mathbf k^*$ to be the encryption key used by its weak-INT-$\mathcal F_{\mathrm{raff}}$-RKA challenger. $\mathcal B_2$ does not choose $(x_1, y_1, \dots, x_4, y_4) \bmod N$ either, and instead it chooses $\tilde{\mathbf k} = (\tilde k_1, \tilde k_2, \tilde k_3, \tilde k_4)$ uniformly from $(\mathbb Z_N)^4$. $\mathcal B_2$ picks $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate ENCRYPT, $\mathcal B_2$ can use $(\bar x_{i_\ell,j}, \bar y_{i_\ell,j}, \tilde k_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal B_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $sk_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal B_2$ submits $(E.c_\ell, ai_\ell, \langle r_\ell, \mathbf s_\ell = (s_{\ell,1}, \dots, s_{\ell,4})\rangle)$ to its own ENCRYPT$_{\mathrm{AIAE}}$ oracle and obtains $aiae.c_\ell$. The final ciphertext is $\langle ai_\ell, aiae.c_\ell\rangle$. According to the weak-INT-$\mathcal F_{\mathrm{raff}}$-RKA security game, the ENCRYPT$_{\mathrm{AIAE}}$ oracle will encrypt $E.c_\ell$ with the auxiliary input $ai_\ell$ under the transformed key $\mathbf k_\ell = r_\ell \cdot \mathbf k^* + \mathbf s_\ell$, that is, the ENCRYPT$_{\mathrm{AIAE}}$ oracle behaves as $\mathrm{AIAE.Encrypt}(\mathbf k_\ell, E.c_\ell, ai_\ell)$. Thus $\mathcal B_2$'s simulation of ENCRYPT is identical to $G_8$. For DECRYPT, $\mathcal B_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like $G_8$.

Suppose that $\mathcal A$ ever queries the DECRYPT oracle with $(\langle ai, aiae.c\rangle, i \in [n])$ such that $\mathrm{Bad}'$-2 occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
$$\begin{aligned} k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\ &= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\ &= r \cdot k^*_j - r \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{= \tilde k_j} - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j \bmod N \\ &= r \cdot k^*_j + \underbrace{\big(- r \cdot (\tilde k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j\big)}_{\triangleq s_j} = r \cdot k^*_j + s_j \bmod N. \end{aligned} \quad (51)$$
Thus $\mathbf k = (k_1, \dots, k_4) = r \cdot \mathbf k^* + \mathbf s$, where $\mathbf s := (s_1, \dots, s_4)$. $\mathcal B_2$ can compute $\langle r, \mathbf s = (s_1, \dots, s_4)\rangle$ as above using $(\bar x_{i,j}, \bar y_{i,j}, \tilde k_j)_{j=1}^4$, and outputs $(ai, \langle r, \mathbf s\rangle, aiae.c)$ to its weak-INT-$\mathcal F_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal B_2$ as follows.
(i) Firstly, a valid decryption query from $\mathcal A$ satisfies $\langle ai, aiae.c\rangle \neq \langle ai_\ell, aiae.c_\ell\rangle$ for all $\ell \in [Q_e]$; thus $(ai, \langle r, \mathbf s\rangle, aiae.c) \neq (ai_\ell, \langle r_\ell, \mathbf s_\ell\rangle, aiae.c_\ell)$ will hold for all $\ell \in [Q_e]$, that is, $\mathcal B_2$ always outputs a fresh forgery.
(ii) Secondly, if $ai = ai_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \dots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\tilde k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = - r \cdot (\tilde k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf s = \mathbf s_\ell$. That is, if $ai = ai_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf s\rangle = \langle r_\ell, \mathbf s_\ell\rangle$. Obviously it satisfies the special rule required for the weak-INT-$\mathcal F_{\mathrm{raff}}$-RKA security.
(iii) Finally, if $\mathrm{Bad}'$-2 occurs in this decryption query, then $\mathrm{AIAE.Decrypt}(\mathbf k, aiae.c, ai) \neq \bot$, where $\mathbf k = r \cdot \mathbf k^* + \mathbf s$, will imply that $\mathcal B_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}, \mathcal B_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game $G_9$. It is identical to $G_8$ except for the following differences. In the INITIALIZE procedure of game $G_9$, the challenger picks an independent $\bar{\mathbf k}^* = (\bar k^*_1, \bar k^*_2, \bar k^*_3, \bar k^*_4) \leftarrow_\$ (\mathbb Z_N)^4$ besides $\mathbf k^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$-th ($\ell \in [Q_e]$) ENCRYPT oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for AIAE$_{\mathrm{DDH}}$ in the computation of $aiae.c_\ell$:
(i) $\bar{\mathbf k}_\ell := (r_\ell \bar k^*_1 + s_{\ell,1}, \dots, r_\ell \bar k^*_4 + s_{\ell,4})$.
(ii) $aiae.c_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\bar{\mathbf k}_\ell, E.c_\ell, ai_\ell)$.

We stress that the challenger still employs $\mathbf k^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$.

In $G_8$, the only place that involves the value of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$ in the ENCRYPT oracle. Specifically, for $j \in [4]$,
$$e_{\ell,j} = h_{i_\ell,j}^{r^* r_\ell} T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 = h_{i_\ell,j}^{r^* r_\ell} T^{r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar x_{i_\ell,j} - \alpha_{j+1} \bar y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \quad (52)$$
Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the ENCRYPT oracle only involves $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf k^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is used in DECRYPT. Hence $\mathbf k^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Therefore the challenger could always employ another $\bar{\mathbf k}^* = (\bar k^*_1, \dots, \bar k^*_4)$ in the computation of $\bar{\mathbf k}_\ell$ and utilize $\bar{\mathbf k}_\ell$ in the AIAE$_{\mathrm{DDH}}$ encryption in the ENCRYPT oracle, as in $G_9$.

Then game $G_8$ and game $G_9$ are essentially the same from $\mathcal A$'s view, so $\Pr_8[\mathrm{Succ}] = \Pr_9[\mathrm{Succ}]$ and $\Pr_8[\overline{\mathrm{Bad}}] = \Pr_9[\overline{\mathrm{Bad}}]$.

Game $G_{10}$. It is identical to $G_9$ except for the way the challenger answers the $\ell$-th ($\ell \in [Q_e]$) ENCRYPT oracle query $(f_\ell, i_\ell)$. More precisely, in game $G_{10}$ the challenger computes $aiae.c_\ell$ in the following way:
(i) $aiae.c_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\bar{\mathbf k}_\ell, 0^{\lambda_M}, ai_\ell)$.

Observe that in $G_9$ and $G_{10}$, $\bar{\mathbf k}^*$ is employed only in the AIAE$_{\mathrm{DDH}}$ encryption, where it uses $\bar{\mathbf k}_\ell = r_\ell \cdot \bar{\mathbf k}^* + \mathbf s_\ell$ as the encryption key with $\mathbf s_\ell = (s_{\ell,1}, \dots, s_{\ell,4})$. Any difference between $G_9$ and $G_{10}$ results in a PPT adversary against the IND-$\mathcal F_{\mathrm{raff}}$-RKA security of the AIAE$_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathrm{Succ}] - \Pr_{10}[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\overline{\mathrm{Bad}}] - \Pr_{10}[\overline{\mathrm{Bad}}]| \le \mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in $G_{10}$ the challenger always computes the AIAE$_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the ENCRYPT oracle, so $\beta$ is perfectly hidden from $\mathcal A$'s view. Thus $\Pr_{10}[\mathrm{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.
Lemma 29. One has $\Pr_{10}[\overline{\mathrm{Bad}}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda)$.

Proof. In $G_{10}$, neither DECRYPT nor ENCRYPT uses the values of $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $pk_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g g_j \bmod \phi(N)/4$ for some base $g \in SCR_{N^s}$, $j \in [5]$.

$\overline{\mathrm{Bad}}$ is further divided into the following two disjoint subevents:
(i) $\overline{\mathrm{Bad}}$-1: $\mathcal A$ ever queries the DECRYPT oracle with $(\langle ai, aiae.c\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43) and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde\alpha_1 \neq 0 \text{ or } \cdots \text{ or } \tilde\alpha_8 \neq 0) \text{ and } \Big(\frac{\tilde\alpha_1}{w_1} \neq \frac{\tilde\alpha_2}{w_2} \text{ or } \frac{\tilde\alpha_3}{w_2} \neq \frac{\tilde\alpha_4}{w_3} \text{ or } \frac{\tilde\alpha_5}{w_3} \neq \frac{\tilde\alpha_6}{w_4} \text{ or } \frac{\tilde\alpha_7}{w_4} \neq \frac{\tilde\alpha_8}{w_5}\Big). \quad (53)$$
(ii) $\overline{\mathrm{Bad}}$-2: $\mathcal A$ ever queries the DECRYPT oracle with $(\langle ai, aiae.c\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43) and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde\alpha_1 \neq 0 \text{ or } \cdots \text{ or } \tilde\alpha_8 \neq 0) \text{ and } \Big(\frac{\tilde\alpha_1}{w_1} = \frac{\tilde\alpha_2}{w_2} \text{ and } \frac{\tilde\alpha_3}{w_2} = \frac{\tilde\alpha_4}{w_3} \text{ and } \frac{\tilde\alpha_5}{w_3} = \frac{\tilde\alpha_6}{w_4} \text{ and } \frac{\tilde\alpha_7}{w_4} = \frac{\tilde\alpha_8}{w_5}\Big). \quad (54)$$

We will analyze the two subevents in game $G_{10}$ separately via the following two claims.

Claim 30. One has $\Pr_{10}[\overline{\mathrm{Bad}}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Proof. If $\overline{\mathrm{Bad}}$-1 occurs, for concreteness say that $\tilde\alpha_1/w_1 \neq \tilde\alpha_2/w_2$, then
$$g_1^{m} = g_1^{\tilde\alpha_1 x_{i,1} + \tilde\alpha_2 y_{i,1} + \cdots} = g_1^{\tilde\alpha_1 x_1 + \tilde\alpha_2 y_1 + \tilde\alpha_1 \bar x_{i,1} + \tilde\alpha_2 \bar y_{i,1} + \cdots \bmod \phi(N)/4} \bmod N, \quad (55)$$
and $(\tilde\alpha_1 x_1 + \tilde\alpha_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m}$ is uniformly distributed over $SCR_{N^s}$ from $\mathcal A$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound, $\Pr_{10}[\overline{\mathrm{Bad}}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Claim 31. One has $\Pr_{10}[\overline{\mathrm{Bad}}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $G_{10}$, if $\overline{\mathrm{Bad}}$-2 occurs, then we can construct a PPT adversary $\mathcal B_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in SCR_{N^s}$. With $(N, p, q, g, h)$, $\mathcal B_3$ simulates INITIALIZE as follows. $\mathcal B_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $SCR_{N^s}$. Next, $\mathcal B_3$ samples secret keys and computes public keys just the same way as INITIALIZE in $G_{10}$. Since $\mathcal B_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal B_3$ can perfectly simulate ENCRYPT and DECRYPT the same way as $G_{10}$ does. Furthermore, $z'_j$ is hidden by $z_j$ perfectly from $\mathcal A$'s view. If we denote $w := \mathrm{dlog}_g h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g g_j = z_j + w z'_j \bmod \phi(N)/4$.

If $\overline{\mathrm{Bad}}$-2 occurs in DECRYPT, for concreteness say that $\tilde\alpha_1/w_1 = \tilde\alpha_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{\tilde\alpha_1} = g_1^{\tilde\alpha_2} \neq 1$, then $\mathcal B_3$ can compute $w$ by solving the equation $w_1 \tilde\alpha_2 = w_2 \tilde\alpha_1 \bmod \phi(N)/4$, or equivalently
$$z_1 \tilde\alpha_2 + w z'_1 \tilde\alpha_2 = z_2 \tilde\alpha_1 + w z'_2 \tilde\alpha_1 \bmod \phi(N)/4. \quad (56)$$
Since $z'_j$ is hidden from the point of view of $\mathcal A$, $(z'_1 \tilde\alpha_2 - z'_2 \tilde\alpha_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal B_3$ will succeed in computing the discrete logarithm of $h$ based on $g$ and output $w = (z'_1 \tilde\alpha_2 - z'_2 \tilde\alpha_1)^{-1} \cdot (z_2 \tilde\alpha_1 - z_1 \tilde\alpha_2) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\overline{\mathrm{Bad}}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}, \mathcal B_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal F_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal F^d_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal F_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal F^d_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal F^d_{\mathrm{poly}}$ in the form of a modular arithmetic circuit (MAC) [10], which is a polynomial-sized circuit computing $f \in \mathcal F^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same AIAE$_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal F_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new E to serve as an entropy filter for the polynomial function set. Moreover, the new E should employ the same pair of public and secret keys as KEM. That is, we have $sk_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $pk_i = (h_{i,1}, \dots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \dots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables

How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal F^d_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the ENCRYPT oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i\in[n], j\in[4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i\in[n], j\in[4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the 8119899-variable poly-nomial 119891ℓ is as follows In the initialize procedure sk119894could be computed as 119909119894119895 fl 119909119895 + 119909119894119895 and 119910119894119895 fl 119910119895 +119910119894119895 modlfloor11987324rfloor for 119894 isin [119899] and 119895 isin [4] By using(119909119894119895 119910119894119895)119894isin[119899]119895isin[4] (119909119894119895 119910119894119895)119894isin[119899]119895isin[4] could be represented asshifts of (119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4] that is119909119894119895 = 119909119894ℓ 119895 + 119909119894119895 minus 119909119894ℓ 119895119910119894119895 = 119910119894ℓ 119895 + 119910119894119895 minus 119910119894ℓ 119895 (57)
Consequently 119891ℓ in 8119899 variables (119909119894119895 119910119894119895)119894isin[119899]119895isin[4] can bereduced to 1198911015840
ℓ in 8 variables (119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4] that is119891ℓ ((119909119894119895 119910119894119895)119894isin[119899]119895isin[4]) = 119891ℓ((119909119894ℓ 119895 + 119909119894119895 minus 119909119894ℓ 119895⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
119909119894119895
119910119894ℓ 119895 + 119910119894119895 minus 119910119894ℓ 119895⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
119910119894119895
)119894isin[119899]119895isin[4]
) = 1198911015840ℓ ((119909119894ℓ 119895
119910119894ℓ 119895)119895isin[4]) = sum0le1198881+sdotsdotsdot+1198888le119889
119886(1198881 1198888)sdot 1199091198881119894ℓ 11199101198882119894ℓ 11199091198883119894ℓ 21199101198884119894ℓ 21199091198885119894ℓ 31199101198886119894ℓ 31199091198887119894ℓ 41199101198888119894ℓ 4
(58)
The degree of the resulting polynomial 1198911015840ℓ is still upper
bounded by 119889 Moreover the coefficients 119886(1198881 1198888) of 1198911015840ℓ are
completely determined by the shifts (119909119894119895 119910119894119895)119894isin[119899]119895isin[4]How to Determine Coefficients 119886(1198881 1198888) for 1198911015840
ℓ Efficiently withOnly (119909119894119895 119910119894119895)119894isin[119899]119895isin[4] In order to compute the coefficients119886(1198881 1198888) of 1198911015840
ℓ we can repeat the following procedure
(i) Choose (119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4] uniformly(ii) Feed modular arithmetic circuit (which functions as119891ℓ) with (119909119894ℓ 119895 +119909119894119895 minus119909119894ℓ 119895 119910119894ℓ 119895 +119910119894119895 minus119910119894ℓ 119895)119894isin[119899]119895isin[4] as
input We stress that (119909119894119895 119910119894119895)119894isin[119899]119895isin[4] are always theones chosen in initialize
(iii) Record the output of the circuit
Repeating the above procedure about ( 8+1198898 ) = Θ(1198898) timesall the coefficients 119886(1198881 1198888) can be extracted through solving alinear system of equations
119891ℓ ((119909119894ℓ 119895 + 119909119894119895 minus 119909119894ℓ 119895 119910119894ℓ 119895 + 119910119894119895 minus 119910119894ℓ 119895)119894isin[119899]119895isin[4])= sum0le1198881+sdotsdotsdot+1198888le119889
119886(1198881 1198888)sdot 1199091198881119894ℓ 11199101198882119894ℓ 11199091198883119894ℓ 21199101198884119894ℓ 21199091198885119894ℓ 31199101198886119894ℓ 31199091198887119894ℓ 41199101198888119894ℓ 4
(59)
The overall time complexity for computing the coefficients119886(1198881 1198888) is polynomial in 120582
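The reduction and interpolation procedure above, as an added example that is not code from the paper: a black-box polynomial in the $8n$ key variables is reduced, via the shifts of (57), to the 8-variable polynomial $f'_\ell$, and its coefficients are recovered by solving the linear system (59). The prime modulus $P$ (the paper works modulo $\lfloor N^2/4 \rfloor$), the sample circuit and the user count $n = 2$ are assumptions of the example.

```python
"""Reduce an 8n-variable KDM polynomial f_l to the 8-variable f'_l (Section 5.2).

Added example, not code from the paper.  Assumptions:
  * arithmetic is done modulo the prime P = 2^61 - 1 instead of the paper's
    composite modulus floor(N^2/4), so the linear system (59) can be solved by
    plain Gaussian elimination;
  * the "modular arithmetic circuit" is any Python callable that takes the 8n
    key variables in the order (x_{1,1}, y_{1,1}, ..., x_{1,4}, y_{1,4}, x_{2,1}, ...).
"""
import random
from itertools import product

P = (1 << 61) - 1  # prime stand-in for the paper's modulus (assumption)


def monomials(nvars, d):
    """All exponent tuples (c_1, ..., c_nvars) with 0 <= c_1 + ... + c_nvars <= d."""
    return [c for c in product(range(d + 1), repeat=nvars) if sum(c) <= d]


def eval_monomial(point, c):
    r = 1
    for v, e in zip(point, c):
        r = r * pow(v, e, P) % P
    return r


def eval_poly(coeffs, point):
    """Evaluate a polynomial given as {exponent tuple: coefficient} at `point`."""
    return sum(a * eval_monomial(point, c) for c, a in coeffs.items()) % P


def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination over Z_P; raises if the system is singular."""
    m = len(rows)
    M = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(m):
        piv = next((r for r in range(col, m) if M[r][col]), None)
        if piv is None:
            raise ValueError("singular system: resample the evaluation points")
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [v * inv % P for v in M[col]]
        for r in range(m):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(vr - f * vc) % P for vr, vc in zip(M[r], M[col])]
    return [M[r][m] for r in range(m)]


def expand_to_all_keys(point, shifts, target):
    """Eq. (57): rebuild all 8n key variables from the 8 variables of user `target`.

    shifts[i] = (xbar_{i,1}, ybar_{i,1}, ..., xbar_{i,4}, ybar_{i,4}) are the values
    chosen in initialize, so x_{i,j} = x_{target,j} + xbar_{i,j} - xbar_{target,j}.
    """
    full = []
    for s_i in shifts:
        full.extend((p + si - st) % P for p, si, st in zip(point, s_i, shifts[target]))
    return full


def reduce_polynomial(circuit, d, shifts, target, rng=random):
    """Recover the coefficients a_{(c_1..c_8)} of f'_target, eq. (59).

    `circuit` is used only as a black box on 8n inputs; the number of
    evaluations is binom(8 + d, 8), independent of the number of users n.
    """
    exps = monomials(8, d)
    rows, rhs = [], []
    for _ in range(len(exps)):
        point = [rng.randrange(P) for _ in range(8)]                     # step (i)
        rows.append([eval_monomial(point, c) for c in exps])
        rhs.append(circuit(expand_to_all_keys(point, shifts, target)) % P)  # (ii)+(iii)
    return dict(zip(exps, solve_mod_p(rows, rhs)))


# --- constructed demo: n = 2 users, degree d = 2 -------------------------------
def demo_circuit(v):
    """Constructed sample KDM function of the 16 key variables of two users:
    3 * x_{1,1} * y_{2,1} + 5 * x_{2,3} + 7  (v[0] = x_{1,1}, v[9] = y_{2,1}, v[12] = x_{2,3})."""
    return 3 * v[0] * v[9] + 5 * v[12] + 7


def run_demo(seed=2017):
    rng = random.Random(seed)
    shifts = [[rng.randrange(P) for _ in range(8)] for _ in range(2)]
    coeffs = reduce_polynomial(demo_circuit, 2, shifts, target=0, rng=rng)
    # the reduced polynomial must agree with the circuit on a fresh point
    pt = [rng.randrange(P) for _ in range(8)]
    agree = eval_poly(coeffs, pt) == demo_circuit(expand_to_all_keys(pt, shifts, 0)) % P
    return coeffs, agree
```

For the demo circuit, $f'_1$ keeps the coefficient 3 on $x_{1,1} y_{1,1}$ and 5 on $x_{1,3}$, while the shifts move into a linear term $3(\bar{y}_{2,1} - \bar{y}_{1,1}) x_{1,1}$ and the constant term, so exactly four of the 45 coefficients are nonzero.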
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \tag{60}$$
Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 9.

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $G_3$-$G_4$, which are related to the building block $\mathcal{E}$. Next, we will replace $G_3$-$G_4$ with the following hybrids (i.e., Hybrid 1–Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $G_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \tag{61}$$

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $G_3$ in the proof of Theorem 24.
(i) Invoke $\mathcal{E}.\mathsf{Encrypt}$ to set up $\mathsf{table}$.
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\hat{v}_0, \ldots, \hat{v}_8$ from $\mathsf{table}$.
(iii) Employ $\hat{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Clearly, $\hat{v}_0, \ldots, \hat{v}_8$ computed via $\mathcal{E}.\mathsf{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathsf{Encrypt}$. Therefore, this is just a conceptual change.
[Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. Left, $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \ldots, 8\}$ sample $r_{l,1}, \ldots, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; $\mathsf{table}$ consists of rows $0, \ldots, 8$, where row $l \ge 1$ carries $\hat{u}_{l,l} = u_{l,l} \cdot v_{l-1}$ in column $l$; output $\mathcal{E}.c = (\mathsf{table}, e, t)$ with $e = v_8 \cdot T^m \bmod N^s$ and $t = g_1^m \bmod N \in \mathbb{Z}_N$. Right, $\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.c)$: recover $\hat{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} \cdots u_{0,8}^{-y_4}$ and, for $l \ge 1$, $\hat{v}_l$ in the same way with $\hat{u}_{l,l}/\hat{v}_{l-1}$ in place of column $l$; if $e/\hat{v}_8 \in \mathrm{RU}_N$ set $m = \mathrm{dlog}_T(e/\hat{v}_8) \bmod N^{s-1}$ and output $m$ if $t = g_1^m \bmod N$, otherwise output $\perp$.]

[Figure 10: Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$; the columns Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form) show how $\mathsf{table}$, $e$ and $t$ are computed in each hybrid.]

Hybrid 3. This hybrid corresponds to $G_4$ in the proof of Theorem 24.
(i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, in $\mathsf{table}$ the entry located in row 1 and column 1 is now computed as $\hat{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\hat{u}_{1,1} = u_{1,1} \cdot v_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\hat{v}_0, \ldots, \hat{v}_8$ from $\mathsf{table}$.
(iii) Compute $e := \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, we have $\hat{v}_0 = v_0$, $\hat{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\hat{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\hat{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.
Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry located in row 1 and column 1 in $\mathsf{table}$ is now computed as $\hat{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\hat{u}_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.
After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $G_7$-$G_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathsf{table}$ are elements in $\mathrm{SCR}_{N^s}$. If this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through a similar analysis as that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
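The cascade $\hat{v}_1 = v_1 T^{-a x_{i_\ell,1}}, \ldots, \hat{v}_8 = v_8 T^{-f'_\ell(\cdot)}$ of Hybrid 3, as an added example that is not code from the paper: it builds the $\mathsf{table}$ of Figure 9 once honestly and once with $T^a$ injected into entry $(1,1)$, runs the decryption-side title recovery, and checks that $e = \hat{v}_8 \cdot T^{f'_\ell(\mathsf{sk})}$ collapses to $v_8$. The group $\mathbb{Z}_P^*$ for a prime $P$, standing in for $\mathbb{Z}_{N^s}^*$, and all function names are assumptions of the example; it exercises the algebraic identity only, not the $\mathrm{IV}_5$ assumption.

```python
"""Toy model of the entropy-filter mechanism of Section 5.3 (Figure 9, Hybrid 3).

Added example, not code from the paper.  The DCR group Z_{N^s}^* is replaced by
the multiplicative group Z_P^* of a prime P (assumption); the code only checks
the algebraic identity
    v^_8 = v_8 * T^{-a x_1 y_1 x_2 y_2 x_3 y_3 x_4 y_4}
that makes e = v^_8 * T^{f'(sk)} independent of f'(sk).
"""
import random

P = (1 << 61) - 1      # prime stand-in for N^s (assumption)
ORDER = P - 1          # exponents are reduced modulo the group order

# column k of a row holds g_{G[k]}^{r_{R[k]}}: (g1^r1, g2^r1, g2^r2, g3^r2, ..., g5^r4)
G = (0, 1, 1, 2, 2, 3, 3, 4)
R = (0, 0, 1, 1, 2, 2, 3, 3)


def keygen(rng):
    g = [rng.randrange(2, P - 1) for _ in range(5)]
    T = rng.randrange(2, P - 1)
    sk = [rng.randrange(1, ORDER) for _ in range(8)]           # x1, y1, ..., x4, y4
    # h_k = g_k^{-x_k} g_{k+1}^{-y_k}, the shape of the paper's KEM public key
    pk = [pow(g[k], -sk[2 * k], P) * pow(g[k + 1], -sk[2 * k + 1], P) % P
          for k in range(4)]
    return sk, pk, g, T


def table_gen(pk, g, T, rng, inject=None):
    """Rows 0..8 of Figure 9's table.  Row l >= 1 hides title v_{l-1} in column l.
    With inject=a, entry (1,1) becomes (u_{1,1} T^a) * v_0 as in Hybrid 3."""
    table, titles = [], []
    for l in range(9):
        r = [rng.randrange(ORDER) for _ in range(4)]
        u = [pow(g[G[k]], r[R[k]], P) for k in range(8)]
        v = 1
        for k in range(4):
            v = v * pow(pk[k], r[k], P) % P                       # v_l = prod_k h_k^{r_{l,k}}
        if l >= 1:
            u[l - 1] = u[l - 1] * titles[l - 1] % P               # u^_{l,l} = u_{l,l} * v_{l-1}
        if l == 1 and inject is not None:
            u[0] = u[0] * pow(T, inject, P) % P                   # the Hybrid 3 modification
        table.append(u)
        titles.append(v)
    return table, titles


def calculate_v(sk, table):
    """E.Decrypt side: recover v^_0..v^_8, peeling the previous title off column l."""
    vhat = []
    for l, row in enumerate(table):
        acc = 1
        for k, entry in enumerate(row):
            if l >= 1 and k == l - 1:
                entry = entry * pow(vhat[l - 1], -1, P) % P       # u^_{l,l} / v^_{l-1}
            acc = acc * pow(entry, -sk[k] % ORDER, P) % P         # column k carries -x or -y
        vhat.append(acc)
    return vhat


def check_entropy_filter(seed=7, a=11):
    rng = random.Random(seed)
    sk, pk, g, T = keygen(rng)
    # honest E.Encrypt: decryption recovers exactly the titles v_0..v_8
    table, titles = table_gen(pk, g, T, rng)
    honest = calculate_v(sk, table) == titles
    # Hybrid 3: T^a injected into entry (1,1) of the table
    table, titles = table_gen(pk, g, T, rng, inject=a)
    vhat = calculate_v(sk, table)
    f_prime = a
    for s in sk:
        f_prime = f_prime * s % ORDER                             # f'(sk) = a x1 y1 ... x4 y4
    cascade = vhat[8] == titles[8] * pow(T, -f_prime % ORDER, P) % P
    e = vhat[8] * pow(T, f_prime, P) % P                          # e as computed in Hybrid 3
    return honest, cascade, e == titles[8], vhat[1] != titles[1]
```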
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3, we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named as a title. Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{TableGen}$ shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\hat{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from $\mathsf{table}^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{CalculateV}$ in Figure 11. Thus the titles $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ could always be extracted from $(\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $G_3$-$G_4$. Next, we will replace $G_3$-$G_4$ with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $G_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1,\ldots,c_8) \in \mathcal{S}} a_{(c_1,\ldots,c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \tag{62}$$
where $\delta$ is the constant term $a_{(0,\ldots,0)}$ of $f'_\ell$.

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $G_3$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
(2) invoke $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Employ $(\hat{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\hat{v}^{(\mathbf{c})}$ computed via $\mathsf{CalculateV}$ is the same as $v^{(\mathbf{c})}$ computed via $\mathsf{TableGen}$. Therefore, this change is just conceptual.

[Figure 11: (a) $\mathcal{E}.\mathsf{Encrypt}$ (left) and $\mathcal{E}.\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$. Encryption: for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$; $e = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^m \bmod N^s$; $t = g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$. Decryption: for each $\mathbf{c} \in \mathcal{S}$, $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})})^{-1} \in \mathrm{RU}_N$, set $m = \mathrm{dlog}_T(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})})^{-1}) \bmod N^{s-1}$ and output $m$ if $t = g_1^m \bmod N$, otherwise output $\perp$. (b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c})$: for each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$ sample $r_{l,1}, \ldots, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; in $\mathsf{table}^{(\mathbf{c})}$ the first $c_1$ rows after row 0 hide the previous title $v_{l-1}$ in column 1, the next $c_2$ rows in column 2, and so on up to the last $c_8$ rows in column 8; output $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})} = v_{\sum_{j=1}^8 c_j})$. (c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$: compute $\hat{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$ and, for $l \ge 1$, $\hat{v}_l$ in the same way with $\hat{u}_{l,k}/\hat{v}_{l-1}$ in place of the hidden column $k$ of row $l$ (column 1 for $l \in \{1, \ldots, c_1\}$, column 2 for $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$, $\ldots$, column 8 for $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$); output $\hat{v}^{(\mathbf{c})} = \hat{v}_{\sum_{j=1}^8 c_j}$.]
Hybrid 3. This hybrid corresponds to $G_4$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference; more precisely, in $\mathsf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \ne 0\}$ is now computed as $\hat{u}_{1,j} = (u_{1,j} T^{a_{(c_1,\ldots,c_8)}}) \cdot v_0$ rather than $\hat{u}_{1,j} = u_{1,j} \cdot v_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable.
(2) extract $\hat{v}^{(\mathbf{c})}$ from the (modified) $\mathsf{table}^{(\mathbf{c})}$ by invoking $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$\hat{v}^{(\mathbf{c})} = v^{(\mathbf{c})} \cdot T^{-a_{(c_1,\ldots,c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \tag{63}$$
Hence
$$e = \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1,\ldots,c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta}. \tag{64}$$
Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \ne 0\}$ is now computed as $\hat{u}_{1,j} = (u_{1,j} T^{a_{(c_1,\ldots,c_8)}}) \cdot v_0$ rather than $\hat{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

With a similar argument as that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
Appendix

A. Proof of Claim 19

We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathrm{AE}}$ and has access to the oracle $\mathsf{encrypt}_{\mathrm{AE}}(\cdot) = \mathsf{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathrm{AIAE}}$ in the same way as in $G'_{1,j}$. That is, invoke $\mathsf{pars}_{\mathrm{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, pick $\mathsf{H} \leftarrow_\$ \mathcal{H}$ randomly and set $\mathsf{pars}_{\mathrm{AIAE}} := (\mathsf{pars}_{\mathrm{THPS}}, \mathsf{pars}_{\mathrm{AE}}, \mathsf{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathrm{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.

As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way.
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$ and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all, and instead it will resort to its own $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathsf{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger and queries its $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $G'_{1,j}$. Therefore, the simulation of $\mathcal{B}$ is the same as that in $G'_{1,j}$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$ and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows.
(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \ne f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \ne (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \ne t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.

We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ will imply that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$ and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$ and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$ imply that $\chi^* \ne \chi_j$ and $\mathsf{AE.Decrypt}(\kappa, \chi^*) \ne \perp$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $G'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE},\mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3

To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}_b^{\mathrm{IV}_5}}(N, g_1, \ldots, g_5)$ to solve the $\mathrm{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}.\mathsf{Encrypt}$ as follows.

(i) For the 0th row of $\mathsf{table}$, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathrm{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^a, g_2^{r_{1,1}}) = (u_{1,1} T^a, u_{1,2})$.
$\mathcal{B}$ sets $\hat{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\hat{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\hat{u}_{1,1} = u_{1,1} T^a \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of $\mathsf{table}$ using its public keys and sets the 1st row of $\mathsf{table}$ to be
$$\big(\hat{u}_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \cdots,\ u_{1,8}\big). \tag{B.1}$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_1 = v_1$, or Case ($b = 1$): $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathrm{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets $\hat{u}_{2,2} := u^*_{2,2} \cdot v^*_1$, that is, $\hat{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\hat{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\hat{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of $\mathsf{table}$ using its public keys and sets the 2nd row of $\mathsf{table}$ to be
$$\big(u^*_{2,1},\ \hat{u}_{2,2} = u^*_{2,2} \cdot v^*_1,\ u_{2,3},\ \cdots,\ u_{2,8}\big). \tag{B.2}$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_2 = v_2$, or
Case ($b = 1$): $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathrm{IV}_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets $\hat{u}_{3,3} := u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that $\hat{u}_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of $\mathsf{table}$ using its public keys and sets the 3rd row of $\mathsf{table}$ to be
$$\big(u_{3,1},\ u_{3,2},\ \hat{u}_{3,3} = u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ u_{3,5},\ \cdots,\ u_{3,8}\big). \tag{B.3}$$
$\mathcal{B}$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_3 = v_3$, or
Case ($b = 1$): $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ computes $\mathsf{table}$ similarly as above.

(vi) Finally, $\mathcal{B}$ computes $\hat{v}_0, \ldots, \hat{v}_8$ from $\mathsf{table}$ just as in Hybrids 2 and 3 (also as the original $\mathcal{E}.\mathsf{Decrypt}$ algorithm) and computes $e := \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathrm{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
References
[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
Figure 4: IND-F-RKA (a) and weak-INT-F-RKA (b) security games. We note that in the weak-INT-F-RKA game there is a special rule (as shown in the shadow) of outputting 0 in finalize.

(a) IND-F-RKA game
  Proc. initialize:
    pars_AIAE ←$ AIAE.ParGen(1^λ); k ←$ K_AIAE; β ←$ {0, 1}.
    Output pars_AIAE.
  Proc. encrypt(m_0, m_1, ai, f ∈ F):
    If |m_0| ≠ |m_1|, output ⊥.
    aiaec ←$ AIAE.Encrypt(f(k), m_β, ai).
    Output aiaec.
  Proc. finalize(β′):
    Output (β′ = β).

(b) weak-INT-F-RKA game
  Proc. initialize:
    pars_AIAE ←$ AIAE.ParGen(1^λ); k ←$ K_AIAE; Q_ENC := ∅; Q_AI-F := ∅.
    Output pars_AIAE.
  Proc. encrypt(m, ai, f ∈ F):
    aiaec ←$ AIAE.Encrypt(f(k), m, ai).
    Q_AI-F := Q_AI-F ∪ {(ai, f)}; Q_ENC := Q_ENC ∪ {(ai, f, aiaec)}.
    Output aiaec.
  Proc. finalize(ai*, f* ∈ F, aiaec*):
    If (ai*, f*, aiaec*) ∈ Q_ENC, output 0.
    Special rule: if there exists (ai, f) ∈ Q_AI-F such that ai = ai* but f ≠ f*, output 0.
    Output (AIAE.Decrypt(f*(k), aiaec*, ai*) ≠ ⊥).
Figure 5: Generic construction of AIAE from THPS and AE.

  pars_AIAE ←$ AIAE.ParGen(1^λ):
    pars_THPS ←$ THPS.Setup(1^λ); pars_AE ←$ AE.ParGen(1^λ); H ←$ ℋ.
    Output pars_AIAE := (pars_THPS, pars_AE, H).
  AIAE.Encrypt(hk, m, ai):
    C ←$ 𝒱 with witness w.
    t := H(C, ai) ∈ 𝒯.
    κ := Λ_hk(C, t) ∈ 𝒦.
    χ ←$ AE.Encrypt(κ, m).
    Output ⟨C, χ⟩.
  AIAE.Decrypt(hk, ⟨C, χ⟩, ai):
    If C ∉ 𝒞, output ⊥.
    t := H(C, ai) ∈ 𝒯.
    κ := Λ_hk(C, t) ∈ 𝒦.
    m/⊥ ← AE.Decrypt(κ, χ).
    Output m/⊥.
As for the ℓ-th (ℓ ∈ [Q_e]) encrypt query (m_{ℓ,0}, m_{ℓ,1}, ai_ℓ, f_ℓ), where f_ℓ = ⟨a_ℓ, b_ℓ⟩ ∈ F^r_aff, the challenger prepares the challenge ciphertext as follows:
(i) pick C_ℓ ←$ 𝒱 together with witness w_ℓ;
(ii) compute t_ℓ := H(C_ℓ, ai_ℓ) ∈ 𝒯;
(iii) compute κ_ℓ := Λ_{a_ℓ·hk + b_ℓ}(C_ℓ, t_ℓ) ∈ 𝒦;
(iv) invoke χ_ℓ ←$ AE.Encrypt(κ_ℓ, m_{ℓ,β}),
and it outputs the challenge ciphertext ⟨C_ℓ, χ_ℓ⟩ to A.
Game G_{1,j}, j ∈ [Q_e + 1]. It is identical to G_1 except that for the first j − 1 encrypt queries, that is, ℓ ∈ [j − 1], the challenger chooses κ_ℓ ←$ 𝒦 randomly for the AE scheme.
Clearly, G_{1,1} is identical to G_1; thus Pr_1[Succ] = Pr_{1,1}[Succ].
Game G′_{1,j}, j ∈ [Q_e]. It is identical to G_{1,j} except that for the j-th encrypt query the challenger samples C_j ←$ 𝒞 \ 𝒱 uniformly.
The difference between G_{1,j} and G′_{1,j} lies in the distribution of C_j. In game G_{1,j}, C_j is uniformly chosen from 𝒱; in game G′_{1,j}, C_j is uniformly chosen from 𝒞 \ 𝒱. Any difference between G_{1,j} and G′_{1,j} results in a PPT adversary solving the subset membership problem related to THPS; thus we have that |Pr_{1,j}[Succ] − Pr′_{1,j}[Succ]| ≤ Adv^smp_THPS(λ).
Game G″_{1,j}, j ∈ [Q_e]. It is identical to G′_{1,j} except that for the j-th encrypt query the challenger chooses κ_j ←$ 𝒦 randomly.
Lemma 16. For all j ∈ [Q_e], Pr′_{1,j}[Succ] = Pr″_{1,j}[Succ].
Proof. For game G′_{1,j} and game G″_{1,j}, the difference between them lies in the computation of κ_j in the j-th encrypt query. In G′_{1,j}, κ_j is properly computed, while in G″_{1,j} it is chosen from 𝒦 uniformly.
We analyze the information about the key hk that is used in game G′_{1,j}:
(i) For the ℓ-th (ℓ ∈ [j − 1]) query, encrypt does not use hk at all, since κ_ℓ is randomly chosen from 𝒦.
(ii) For the ℓ-th (ℓ ∈ [j + 1, Q_e]) query, encrypt can use pk = μ(hk) to compute κ_ℓ:
$$\begin{aligned} \kappa_\ell &= \Lambda_{a_\ell\cdot\mathrm{hk}+\mathbf{b}_\ell}(C_\ell,t_\ell), \quad C_\ell \leftarrow_{\$} \mathcal{V} \text{ with witness } w_\ell \\ &= (\Lambda_{\mathrm{hk}}(C_\ell,t_\ell))^{a_\ell}\cdot\Lambda_{\mathbf{b}_\ell}(C_\ell,t_\ell) && \text{(via key-homomorphism)} \\ &= (\mathrm{THPS.Pub}(\mathrm{pk},C_\ell,w_\ell,t_\ell))^{a_\ell}\cdot\Lambda_{\mathbf{b}_\ell}(C_\ell,t_\ell) && \text{(via projective property)} \end{aligned} \tag{16}$$
(iii) For the j-th query, encrypt uses Λ_hk(C_j, t_j) to compute κ_j:
$$\begin{aligned} \kappa_j &= \Lambda_{a_j\cdot\mathrm{hk}+\mathbf{b}_j}(C_j,t_j), \quad C_j \leftarrow_{\$} \mathcal{C}\setminus\mathcal{V} \\ &= (\Lambda_{\mathrm{hk}}(C_j,t_j))^{a_j}\cdot\Lambda_{\mathbf{b}_j}(C_j,t_j) && \text{(via key-homomorphism)} \end{aligned} \tag{17}$$
Since C_j ∈ 𝒞 \ 𝒱, by the universal_2 property of THPS, Λ_hk(C_j, t_j) is uniformly distributed over 𝒦 conditioned on pk = μ(hk). Then, as long as a_j ∈ Z^*_{|𝒦|}, κ_j = (Λ_hk(C_j, t_j))^{a_j} · Λ_{b_j}(C_j, t_j) is also randomly distributed over 𝒦. Consequently, G′_{1,j} is essentially the same as G″_{1,j}, and Pr′_{1,j}[Succ] = Pr″_{1,j}[Succ].
Now we show that game G″_{1,j} is computationally indistinguishable from game G_{1,j+1}, j ∈ [Q_e]. Note that the divergence between G″_{1,j} and G_{1,j+1} lies in the distribution of C_j in the j-th encrypt query. In game G″_{1,j}, C_j is uniformly chosen from 𝒞 \ 𝒱; in game G_{1,j+1}, C_j is uniformly chosen from 𝒱. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that |Pr″_{1,j}[Succ] − Pr_{1,j+1}[Succ]| ≤ Adv^smp_THPS(λ).
Game G_2. It is identical to G_{1,Q_e+1} except that, when answering encrypt queries, the challenger invokes χ_ℓ ←$ AE.Encrypt(κ_ℓ, 0^{|m_{ℓ,0}|}).
In game G_{1,Q_e+1} the challenger computes χ_ℓ ←$ AE.Encrypt(κ_ℓ, m_{ℓ,β}); in game G_2 the challenger computes χ_ℓ ←$ AE.Encrypt(κ_ℓ, 0^{|m_{ℓ,0}|}). Since each κ_ℓ is chosen from 𝒦 uniformly at random, ℓ ∈ [Q_e], by a standard hybrid argument any difference between G_{1,Q_e+1} and G_2 results in a PPT adversary against the IND-OT security of AE, so that |Pr_{1,Q_e+1}[Succ] − Pr_2[Succ]| ≤ Q_e · Adv^ind-ot_AE(λ).
Finally, in game G_2, since the challenge ciphertexts are encryptions of 0^{|m_{ℓ,0}|}, β is perfectly hidden from A. So Pr_2[Succ] = 1/2.
Summing up, we proved the IND-F^r_aff-RKA security. This completes the proof of Theorem 15 (IND-F^r_aff-RKA security).
Proof of Theorem 15 (Weak-INT-F^r_aff-RKA Security). Denote by A a PPT adversary who is against the weak-INT-F^r_aff-RKA security and queries the encrypt oracle at most Q_e times. Similarly, the proof goes through a series of games, which are defined analogously to those of the previous proof.
Game G_0. It is the original weak-INT-F^r_aff-RKA game. As for the ℓ-th (ℓ ∈ [Q_e]) encrypt query (m_ℓ, ai_ℓ, f_ℓ), the challenger computes the challenge ciphertext ⟨C_ℓ, χ_ℓ⟩ in similar steps as the previous proof and outputs ⟨C_ℓ, χ_ℓ⟩ to A. Moreover, the challenger will put (ai_ℓ, f_ℓ, ⟨C_ℓ, χ_ℓ⟩) into a set Q_ENC, put (ai_ℓ, f_ℓ) into a set Q_AI-F, and put (C_ℓ, ai_ℓ, t_ℓ) into a set Q_TAG. In the end, the adversary outputs a forgery (ai*, f*, ⟨C*, χ*⟩), where f* = ⟨a*, b*⟩, and the challenger invokes the finalize procedure as follows:
(i) If (ai*, f*, ⟨C*, χ*⟩) ∈ Q_ENC, output 0.
(ii) If ∃(ai_ℓ, f_ℓ) ∈ Q_AI-F such that ai_ℓ = ai* but f_ℓ ≠ f*, output 0.
(iii) If C* ∉ 𝒞, output 0.
(iv) Compute t* := H(C*, ai*) ∈ 𝒯 and κ* := Λ_{a*·hk + b*}(C*, t*) ∈ 𝒦. Output (AE.Decrypt(κ*, χ*) ≠ ⊥).
Denote the event that finalize outputs 1 by Forge. According to the definition, Adv^weak-int-rka_{AIAE,A}(λ) = Pr_0[Forge].
Game G_1. It is identical to G_0 except that the following rule is added to the procedure finalize by the challenger:
(i) If ∃(C_ℓ, ai_ℓ, t_ℓ) ∈ Q_TAG such that t_ℓ = t* but (C_ℓ, ai_ℓ) ≠ (C*, ai*), output 0.
Since t_ℓ = H(C_ℓ, ai_ℓ) and t* = H(C*, ai*), any difference between G_0 and G_1 implies a hash collision of H. So |Pr_0[Forge] − Pr_1[Forge]| ≤ Adv^cr_H(λ).
Game G_{1,j}, j ∈ [Q_e + 1]. It is identical to G_1 except that for the first j − 1 encrypt queries, that is, ℓ ∈ [j − 1], the challenger chooses κ_ℓ ←$ 𝒦 uniformly for the AE scheme.
Clearly, G_{1,1} is identical to G_1; thus Pr_1[Forge] = Pr_{1,1}[Forge].
Game G′_{1,j}, j ∈ [Q_e]. It is identical to G_{1,j} except that for the j-th encrypt query the challenger samples C_j ←$ 𝒞 \ 𝒱 uniformly.
The difference between G_{1,j} and G′_{1,j} lies in the distribution of C_j. In game G_{1,j}, C_j is uniformly chosen from 𝒱; in game G′_{1,j}, C_j is uniformly chosen from 𝒞 \ 𝒱. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS. We emphasize that the PPT adversary (simulator) is able to check the occurrence of Forge in an efficient way, because the key hk can be chosen by the simulator itself. Consequently, the difference between G_{1,j} and G′_{1,j} can be reduced to the subset membership problem smoothly.
Lemma 17. For all j ∈ [Q_e], |Pr_{1,j}[Forge] − Pr′_{1,j}[Forge]| ≤ Adv^smp_THPS(λ).
Proof. To bound the difference between G_{1,j} and G′_{1,j}, we build an efficient adversary B solving the subset membership problem. Given (pars_THPS, C), where pars_THPS ←$ THPS.Setup(1^λ), B aims to distinguish C ←$ 𝒱 from C ←$ 𝒞 \ 𝒱.
B simulates G_{1,j} or G′_{1,j} for A. Firstly, B invokes pars_AE ←$ AE.ParGen(1^λ), picks H ←$ ℋ randomly, and sends pars_AIAE := (pars_THPS, pars_AE, H) to A. Next, B chooses hk ←$ HK.
As for the ℓ-th (ℓ ∈ [Q_e]) encrypt query (m_ℓ, ai_ℓ, f_ℓ), where f_ℓ = ⟨a_ℓ, b_ℓ⟩ ∈ F^r_aff, B prepares the challenge ciphertext ⟨C_ℓ, χ_ℓ⟩ in the following way:
(i) If ℓ ∈ [j − 1], B computes ⟨C_ℓ, χ_ℓ⟩ just like that in both G_{1,j} and G′_{1,j}. That is, B chooses C_ℓ ←$ 𝒱 with witness w_ℓ, chooses κ_ℓ ←$ 𝒦 randomly, and invokes χ_ℓ ←$ AE.Encrypt(κ_ℓ, m_ℓ).
(ii) If ℓ ∈ [j + 1, Q_e], B computes ⟨C_ℓ, χ_ℓ⟩ just like that in both G_{1,j} and G′_{1,j}. That is, B chooses C_ℓ ←$ 𝒱 with witness w_ℓ, computes t_ℓ := H(C_ℓ, ai_ℓ) and κ_ℓ := Λ_{a_ℓ·hk + b_ℓ}(C_ℓ, t_ℓ), and invokes χ_ℓ ←$ AE.Encrypt(κ_ℓ, m_ℓ).
(iii) If ℓ = j, B embeds its own challenge C into C_j, that is, C_j := C. Then it computes t_j := H(C_j, ai_j) and κ_j := Λ_{a_j·hk + b_j}(C_j, t_j), and invokes χ_j ←$ AE.Encrypt(κ_j, m_j).
B outputs the challenge ciphertext ⟨C_ℓ, χ_ℓ⟩ to A. Moreover, B puts (ai_ℓ, f_ℓ, ⟨C_ℓ, χ_ℓ⟩) into Q_ENC, (ai_ℓ, f_ℓ) into Q_AI-F, and (C_ℓ, ai_ℓ, t_ℓ) into Q_TAG.
Obviously, B simulates G_{1,j} in the case of C ←$ 𝒱 and simulates G′_{1,j} in the case of C ←$ 𝒞 \ 𝒱.
Finally, A sends a forgery (ai*, f*, ⟨C*, χ*⟩) to B with f* = ⟨a*, b*⟩ ∈ F^r_aff. Then B decides whether finalize outputs 1 or not with the help of hk:
(i) If (ai*, f*, ⟨C*, χ*⟩) ∈ Q_ENC, B outputs 0 (to its own challenger).
(ii) If ∃(ai_ℓ, f_ℓ) ∈ Q_AI-F such that ai_ℓ = ai* but f_ℓ ≠ f*, B outputs 0.
(iii) If C* ∉ 𝒞, B outputs 0.
(iv) B computes t* := H(C*, ai*) ∈ 𝒯.
(v) If ∃(C_ℓ, ai_ℓ, t_ℓ) ∈ Q_TAG such that t_ℓ = t* but (C_ℓ, ai_ℓ) ≠ (C*, ai*), B outputs 0.
(vi) B computes κ* := Λ_{a*·hk + b*}(C*, t*) ∈ 𝒦 and outputs (AE.Decrypt(κ*, χ*) ≠ ⊥).
With the help of hk, B is able to perfectly simulate finalize just like that in both G_{1,j} and G′_{1,j}. Moreover, B outputs 1 to its own challenger if and only if the event Forge occurs.
As a result, we have that |Pr_{1,j}[Forge] − Pr′_{1,j}[Forge]| ≤ Adv^smp_{THPS,B}(λ).
Game G″_{1,j}, j ∈ [Q_e]. It is identical to G′_{1,j} except that for the j-th encrypt query the challenger chooses κ_j ←$ 𝒦 randomly.
Lemma 18. For all j ∈ [Q_e], Pr′_{1,j}[Forge] ≤ Pr″_{1,j}[Forge] + Adv^int-ot_AE(λ).
Proof. For game G′_{1,j} and game G″_{1,j}, the difference between them lies in the computation of κ_j in the j-th encrypt query. In G′_{1,j}, κ_j is properly computed; in G″_{1,j}, κ_j is chosen from 𝒦 uniformly.
We consider the information about the key hk that is used in G′_{1,j}:
(i) For the ℓ-th (ℓ ∈ [j − 1]) query, encrypt does not use hk at all, since κ_ℓ is randomly chosen from 𝒦.
(ii) For the ℓ-th (ℓ ∈ [j + 1, Q_e]) query, similar to the proof of Lemma 16, encrypt can use pk = μ(hk) to compute κ_ℓ.
(iii) For the j-th query, similar to the proof of Lemma 16, encrypt uses Λ_hk(C_j, t_j) to compute κ_j:
$$\begin{aligned} \kappa_j &= \Lambda_{a_j\cdot\mathrm{hk}+\mathbf{b}_j}(C_j,t_j), \quad C_j \leftarrow_{\$} \mathcal{C}\setminus\mathcal{V} \\ &= (\Lambda_{\mathrm{hk}}(C_j,t_j))^{a_j}\cdot\Lambda_{\mathbf{b}_j}(C_j,t_j) && \text{(via key-homomorphism)} \end{aligned} \tag{18}$$
(iv) The finalize procedure, which defines the event Forge, uses Λ_hk(C*, t*) to compute κ*:
$$\begin{aligned} \kappa^* &= \Lambda_{a^*\cdot\mathrm{hk}+\mathbf{b}^*}(C^*,t^*) \\ &= (\Lambda_{\mathrm{hk}}(C^*,t^*))^{a^*}\cdot\Lambda_{\mathbf{b}^*}(C^*,t^*) && \text{(via key-homomorphism)} \end{aligned} \tag{19}$$
We divide the event Forge into the following two subevents.
(i) Subevent: Forge ∧ t_j ≠ t*. Let us first consider the event t_j ≠ t*. We show that
$$\Pr'_{1,j}[t_j \neq t^*] = \Pr''_{1,j}[t_j \neq t^*]. \tag{20}$$
By the fact that C_j ∈ 𝒞 \ 𝒱 and by the universal_2 property of THPS, Λ_hk(C_j, t_j) is uniformly distributed over 𝒦 conditioned on pk = μ(hk). Then, as long as a_j ∈ Z^*_{|𝒦|}, κ_j = (Λ_hk(C_j, t_j))^{a_j} · Λ_{b_j}(C_j, t_j) is also randomly distributed over 𝒦. Hence G′_{1,j} is the same as G″_{1,j} before A queries finalize, and consequently t_j ≠ t* occurs with the same probability in G′_{1,j} and G″_{1,j}.
Next, we consider the event Forge conditioned on t_j ≠ t*. We show that
$$\Pr'_{1,j}[\mathsf{Forge} \mid t_j \neq t^*] = \Pr''_{1,j}[\mathsf{Forge} \mid t_j \neq t^*]. \tag{21}$$
Since t_j ≠ t* and C_j ∈ 𝒞 \ 𝒱, by the universal_2 property of THPS, Λ_hk(C_j, t_j) is uniformly distributed over 𝒦 conditioned on pk = μ(hk) and Λ_hk(C*, t*). With a similar argument, κ_j is also randomly distributed over 𝒦. Hence G′_{1,j} is the same as G″_{1,j} when t_j ≠ t*, and consequently the probability that Forge occurs in G′_{1,j} and G″_{1,j} conditioned on t_j ≠ t* is the same.
In conclusion, we have that
$$\Pr'_{1,j}[\mathsf{Forge} \wedge t_j \neq t^*] = \Pr''_{1,j}[\mathsf{Forge} \wedge t_j \neq t^*] \le \Pr''_{1,j}[\mathsf{Forge}]. \tag{22}$$
(ii) Subevent: Forge ∧ t_j = t*. By the new rule added in game G_1, Forge ∧ t_j = t* will imply (C_j, ai_j) = (C*, ai*). In addition, Forge ∧ ai_j = ai* will imply that f_j = f*, due to the special rule in the weak-INT-F^r_aff-RKA game (see Figure 4). Then it is straightforward to check that Λ_hk(C_j, t_j) = Λ_hk(C*, t*) and
$$\kappa_j = (\Lambda_{\mathrm{hk}}(C_j,t_j))^{a_j}\cdot\Lambda_{\mathbf{b}_j}(C_j,t_j) = (\Lambda_{\mathrm{hk}}(C^*,t^*))^{a^*}\cdot\Lambda_{\mathbf{b}^*}(C^*,t^*) = \kappa^*. \tag{23}$$
Since C_j ∈ 𝒞 \ 𝒱, by the universal_2 property of THPS, Λ_hk(C_j, t_j) (= Λ_hk(C*, t*)) is uniformly distributed over 𝒦 conditioned on pk = μ(hk). Then, as long as a_j (which equals a*) ∈ Z^*_{|𝒦|}, κ_j (which equals κ*) is also randomly distributed over 𝒦. Also, in this subevent, (ai*, f*, C*) = (ai_j, f_j, C_j) implies χ* ≠ χ_j; thus the probability of AE.Decrypt(κ*, χ*) ≠ ⊥ is bounded by Adv^int-ot_AE(λ). So we have the following claim. We present the full description of the reduction in Appendix A.
Claim 19. One has Pr′_{1,j}[Forge ∧ t_j = t*] ≤ Adv^int-ot_AE(λ).
Combining the above two subevents together, Lemma 18 follows.
Now we show that game G″_{1,j} is computationally indistinguishable from game G_{1,j+1}, j ∈ [Q_e]. Note that the divergence between G″_{1,j} and G_{1,j+1} lies in the distribution of C_j in the j-th encrypt query. In game G″_{1,j}, C_j is uniformly chosen from 𝒞 \ 𝒱; in game G_{1,j+1}, C_j is uniformly chosen from 𝒱. Similar to Lemma 17, any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that |Pr″_{1,j}[Forge] − Pr_{1,j+1}[Forge]| ≤ Adv^smp_THPS(λ).
Finally, in game G_{1,Q_e+1}, note that the challenger does not use hk to compute κ_ℓ at all; thus hk is uniformly random to A. Consequently, in the finalize procedure we have
$$\kappa^* = (\Lambda_{\mathrm{hk}}(C^*,t^*))^{a^*}\cdot\Lambda_{\mathbf{b}^*}(C^*,t^*). \tag{24}$$
By the extracting property of THPS, Λ_hk(C*, t*) is uniformly random over 𝒦. Therefore, as long as a* ∈ Z^*_{|𝒦|}, κ* is uniformly random over 𝒦 as well. Hence the probability of AE.Decrypt(κ*, χ*) ≠ ⊥ is bounded by Adv^int-ot_AE(λ), and we have Pr_{1,Q_e+1}[Forge] ≤ Adv^int-ot_AE(λ).
In all, we proved the weak-INT-F^r_aff-RKA security. This completes the proof of Theorem 15 (weak-INT-F^r_aff-RKA security).
Remark 20. We emphasize that the special rule in the weak-INT-F-RKA game (cf. Figure 4) plays an essential role in proving Lemma 18. Below is the reason.
Without this special rule, the adversary is allowed to submit f* (= ⟨a*, b*⟩) which is different from f_j (= ⟨a_j, b_j⟩) even if ai* = ai_j holds. In this case, we cannot expect to employ the INT-OT security of the underlying AE scheme to show that the second subevent (Forge ∧ t_j = t*) occurs with only a negligible probability. To demonstrate the problem clearly, suppose that the adversary A submits f_j = ⟨a_j, b_j⟩ in the j-th encrypt query and submits f* = ⟨a*, b*⟩ = ⟨a_j, b_j + Δ⟩ in the finalize procedure, where Δ is a constant. Then we have
$$\begin{aligned} \kappa^* &= (\Lambda_{\mathrm{hk}}(C_j,t_j))^{a_j}\cdot\Lambda_{\mathbf{b}_j+\Delta}(C_j,t_j) \\ &= (\Lambda_{\mathrm{hk}}(C_j,t_j))^{a_j}\cdot\Lambda_{\mathbf{b}_j}(C_j,t_j)\cdot\Lambda_{\Delta}(C_j,t_j) \\ &= \kappa_j\cdot\Lambda_{\Delta}(C_j,t_j), \end{aligned} \tag{25}$$
where the second equality follows from the key-homomorphism of THPS. Thus κ* and κ_j are closely related but may not be equal; in particular, the quotient κ*/κ_j (= Λ_Δ(C_j, t_j)) is a constant.
Consequently, it is hard for us to show that the subevent Forge ∧ t_j = t* occurs with a negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary A, who obtains χ_j ←$ AE.Encrypt(κ_j, m_j) in the j-th encrypt query, to generate an AE-ciphertext χ* satisfying AE.Decrypt(κ*, χ*) (= AE.Decrypt(κ_j · Λ_Δ(C_j, t_j), χ*)) ≠ ⊥, it seems that INT-RKA security of AE is required to some extent. We definitely cannot require INT-RKA security for the underlying AE scheme, since we are constructing a (weak) INT-RKA secure (AI)AE scheme AIAE. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT-F-RKA game.
3.3. Tag-Based HPS from the DDH Assumption. Qin et al. [19] gave a construction of tag-based HPS from the d-LIN assumption. Here we construct a key-homomorphic THPS_DDH under the DDH assumption in Figure 6. With a routine check, the projective property of THPS_DDH follows.
Theorem 21. THPS_DDH in Figure 6 is universal_2, extracting, and key-homomorphic. Moreover, the subset membership problem related to THPS_DDH is hard under the DDH assumption for GenN and QR_N̄.
Figure 6: Construction of THPS_DDH.

  pars_THPS ←$ THPS.Setup(1^λ):
    (p, q, N, N̄) ←$ GenN(1^λ), i.e., p, q are safe primes, N = pq, and N̄ = 2N + 1 is a prime.
    g_1, g_2 ←$ QR_N̄.
    Output pars_THPS := (N, p, q, N̄, g_1, g_2), which implicitly defines (HK, 𝒦, 𝒫𝒦, 𝒞, 𝒱, 𝒯, Λ_(·), μ):
      HK := (Z_N)^4, 𝒦 := QR_N̄, 𝒫𝒦 := QR_N̄^2, 𝒯 := Z_N,
      𝒞 := QR_N̄^2 \ {(1, 1)}, 𝒱 := {(g_1^w, g_2^w) | w ∈ Z_N \ {0}}.
    For hk = (k_1, k_2, k_3, k_4) ∈ HK, C = (c_1, c_2) ∈ 𝒞, and t ∈ 𝒯: Λ_hk(C, t) := c_1^{k_1 + k_3 t} · c_2^{k_2 + k_4 t} ∈ 𝒦.
    For hk = (k_1, k_2, k_3, k_4) ∈ HK: pk = μ(hk) := (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) ∈ 𝒫𝒦.
  K ← THPS.Pub(pk, C, w, t):
    Parse pk = (h_1, h_2) ∈ 𝒫𝒦.
    Output K := h_1^w · h_2^{wt}.
  K ← THPS.Priv(hk, C, t):
    Parse hk = (k_1, k_2, k_3, k_4) ∈ HK and C = (c_1, c_2) ∈ 𝒞.
    Output K := c_1^{k_1 + k_3 t} · c_2^{k_2 + k_4 t}.

Proof of Theorem 21. Universal_2. Suppose that C = (g_1^{w_1}, g_2^{w_2}) ∈ 𝒞, C′ = (g_1^{w′_1}, g_2^{w′_2}) ∈ 𝒞 \ 𝒱, and t, t′ ∈ 𝒯 with t ≠ t′. For hk = (k_1, k_2, k_3, k_4) ←$ (Z_N)^4, we analyze the distribution of Λ_hk(C′, t′) conditioned on pk = μ(hk) and Λ_hk(C, t).
Denote d := dlog_{g_1} g_2 ∈ Z_N. Firstly, pk = μ(hk) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + d k_2}, g_1^{k_3 + d k_4}), which may leak the values of k_1 + d k_2 and k_3 + d k_4.
Next,
$$\Lambda_{\mathrm{hk}}(C,t) = (g_1^{w_1})^{k_1+k_3 t}\cdot(g_2^{w_2})^{k_2+k_4 t} = g_1^{\overbrace{(w_1 k_1 + w_2 d k_2) + t\cdot(w_1 k_3 + w_2 d k_4)}^{\triangleq X}}, \tag{26}$$
which may further leak the value of X. Similarly,
$$\Lambda_{\mathrm{hk}}(C',t') = (g_1^{w'_1})^{k_1+k_3 t'}\cdot(g_2^{w'_2})^{k_2+k_4 t'} = g_1^{\overbrace{(w'_1 k_1 + w'_2 d k_2) + t'\cdot(w'_1 k_3 + w'_2 d k_4)}^{\triangleq Y}}. \tag{27}$$
By the fact that C′ = (g_1^{w′_1}, g_2^{w′_2}) ∉ 𝒱, we have w′_1 ≠ w′_2. Then, as long as t ≠ t′, Y is independent of k_1 + d k_2, k_3 + d k_4, and X, and consequently Y is uniformly distributed over Z_N.
Therefore, conditioned on pk = μ(hk) and Λ_hk(C, t), Λ_hk(C′, t′) (= g_1^Y) is randomly distributed over 𝒦 = QR_N̄.
Extracting. Suppose that C = (g_1^{w_1}, g_2^{w_2}) ∈ 𝒞 and t ∈ 𝒯. For hk = (k_1, k_2, k_3, k_4) ←$ (Z_N)^4, we analyze the distribution of Λ_hk(C, t).
By (26), Λ_hk(C, t) = g_1^X with X = (w_1 k_1 + w_2 d k_2) + t · (w_1 k_3 + w_2 d k_4). Since C = (g_1^{w_1}, g_2^{w_2}) ∈ 𝒞, we have (w_1, w_2) ≠ (0, 0). Then, when (k_1, k_2, k_3, k_4) is randomly chosen from (Z_N)^4, X is uniformly distributed over Z_N. Consequently, Λ_hk(C, t) is randomly distributed over 𝒦 = QR_N̄.
Key-Homomorphism. For all hk = (k_1, k_2, k_3, k_4) ∈ (Z_N)^4, all a ∈ Z, all b = (b_1, b_2, b_3, b_4) ∈ (Z_N)^4, all C = (c_1, c_2) ∈ 𝒞, and all t ∈ 𝒯, we have a·hk + b = a·(k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) = (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4). Then it follows that
$$\begin{aligned} \Lambda_{a\cdot\mathrm{hk}+\mathbf{b}}(C,t) &= c_1^{(a k_1 + b_1) + (a k_3 + b_3)t}\cdot c_2^{(a k_2 + b_2) + (a k_4 + b_4)t} \\ &= \big(c_1^{k_1 + k_3 t}\, c_2^{k_2 + k_4 t}\big)^{a}\cdot\big(c_1^{b_1 + b_3 t}\, c_2^{b_2 + b_4 t}\big) \\ &= \Lambda_{\mathrm{hk}}(C,t)^{a}\cdot\Lambda_{\mathbf{b}}(C,t). \end{aligned} \tag{28}$$
Subset Membership Problem. The subset membership problem related to THPS_DDH requires that (pars_THPS = (N, p, q, N̄, g_1, g_2), C = (g_1^w, g_2^w)) is computationally indistinguishable from (pars_THPS = (N, p, q, N̄, g_1, g_2), C′ = (g_1^{w_1}, g_2^{w_2})), where C ←$ 𝒱 and C′ ←$ 𝒞 \ 𝒱. It trivially holds under the DDH assumption for GenN and QR_N̄.
34 Instantiation AIAE119863119863119867 from DDH-Based THPS119863119863119867 andOT-Secure AE When plugging the THPSDDH (cf Figure 6)into the paradigm in Figure 5 we immediately obtain anAIAE scheme AIAEDDH under the DDH assumption asshown in Figure 7 The key space isKAIAE = (Z119873)4
By combining Theorem 15 with Theorem 21 we have thefollowing corollary regarding the RKA security of AIAEDDH
Corollary 22. If (i) the DDH assumption holds for GenN and $\mathrm{QR}_{\bar N}$, (ii) AE is one-time secure, and (iii) $\mathcal{H}$ is collision-resistant, then the scheme AIAE_DDH in Figure 7 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here
\[
\mathcal{F}_{\mathrm{raff}} := \Bigl\{ f_{(a,\mathbf{b})} : (k_1,k_2,k_3,k_4)\in(\mathbb{Z}_N)^4 \mapsto (ak_1+b_1,\ ak_2+b_2,\ ak_3+b_3,\ ak_4+b_4)\in(\mathbb{Z}_N)^4 \ \Bigm|\ a\in\mathbb{Z}_N^{*},\ \mathbf{b}=(b_1,b_2,b_3,b_4)\in(\mathbb{Z}_N)^4 \Bigr\}.
\]

Remark 23. Our AIAE_DDH enjoys the following property: $\kappa=c_1^{k_1+k_3t}\cdot c_2^{k_2+k_4t}$ is randomly distributed over $\mathrm{QR}_{\bar N}$ as long as any single element $k_j$ of $\mathbf{k}=(k_1,k_2,k_3,k_4)$ is uniformly chosen. As a result, the one-time security of AE guarantees that $\mathrm{AIAE.Decrypt}(\mathbf{k},\mathrm{aiaec},\mathrm{ai})\neq\bot$ holds for any $(\mathrm{aiaec},\mathrm{ai})$ only with probability at most $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda)\le\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. This
Security and Communication Networks 13
Figure 7: Construction of AIAE_DDH from AE and THPS_DDH.

AIAE.ParGen$(1^\lambda)$:
  $(p,q,N,\bar N)\leftarrow_\$\mathrm{GenN}(1^\lambda)$, i.e., $p,q$ are safe primes, $N=pq$, and $\bar N=2N+1$ is a prime
  $g_1,g_2\leftarrow_\$\mathrm{QR}_{\bar N}$; $\mathrm{pars}_{\mathrm{AE}}\leftarrow_\$\mathrm{AE.ParGen}(1^\lambda)$; $\mathrm{H}\leftarrow_\$\mathcal{H}$
  Output $\mathrm{pars}_{\mathrm{AIAE}}=(N,p,q,\bar N,g_1,g_2,\mathrm{pars}_{\mathrm{AE}},\mathrm{H})$

AIAE.Encrypt$(\mathbf{k},m,\mathrm{ai})$:
  Parse $\mathbf{k}=(k_1,k_2,k_3,k_4)\in(\mathbb{Z}_N)^4$
  $w\leftarrow_\$\mathbb{Z}_N$; $(c_1,c_2)=(g_1^{w},g_2^{w})\in\mathrm{QR}_{\bar N}^2$
  $t=\mathrm{H}(c_1,c_2,\mathrm{ai})\in\mathbb{Z}_N$
  $\kappa=c_1^{k_1+k_3t}\cdot c_2^{k_2+k_4t}\in\mathrm{QR}_{\bar N}$
  $\mathrm{aec}\leftarrow_\$\mathrm{AE.Encrypt}(\kappa,m)$
  Output $\langle c_1,c_2,\mathrm{aec}\rangle$

AIAE.Decrypt$(\mathbf{k},\langle c_1,c_2,\mathrm{aec}\rangle,\mathrm{ai})$:
  Parse $\mathbf{k}=(k_1,k_2,k_3,k_4)\in(\mathbb{Z}_N)^4$
  If $(c_1,c_2)\notin\mathrm{QR}_{\bar N}^2$ or $(c_1,c_2)=(1,1)$: Output $\bot$
  $t=\mathrm{H}(c_1,c_2,\mathrm{ai})\in\mathbb{Z}_N$
  $\kappa=c_1^{k_1+k_3t}\cdot c_2^{k_2+k_4t}\in\mathrm{QR}_{\bar N}$
  Output $\mathrm{AE.Decrypt}(\kappa,\mathrm{aec})$
fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.
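The following is an added example, not code from the paper, that instantiates Figure 7 in Python with toy parameters. Everything below the line is an assumption of this example: $p=7$, $q=83$, $\bar N=2N+1=1163$ (far too small to be secure), SHA-256 reduced modulo $N$ as the collision-resistant H, and a SHA-256 keystream with an HMAC tag standing in for the abstract one-time secure AE. Besides the encrypt/decrypt round trip and the $(c_1,c_2)$ validity check of AIAE.Decrypt, it checks the key-homomorphism identity (28) on which the $\mathcal{F}_{\mathrm{raff}}$-RKA security rests, $\Lambda_{a\cdot\mathbf{hk}+\mathbf{b}}(C,t)=\Lambda_{\mathbf{hk}}(C,t)^a\cdot\Lambda_{\mathbf{b}}(C,t)$, for arbitrary affine key transformations.

```python
"""Toy AIAE_DDH (Figure 7). Added example; parameters and AE are assumptions, not the paper's."""
import hashlib
import hmac
import secrets

P, Q = 7, 83          # safe primes (assumption: toy size)
N = P * Q             # 581: keys live in Z_N
NBAR = 2 * N + 1      # 1163, prime: QR_{NBAR} is cyclic of order N


def is_prime(n):
    """Trial division; adequate for the toy moduli used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


assert is_prime(NBAR) and is_prime((P - 1) // 2) and is_prime((Q - 1) // 2)


def in_qr(c):
    """c in QR_{NBAR}, the unique subgroup of order N of Z*_{NBAR}."""
    return 1 <= c < NBAR and pow(c, N, NBAR) == 1


def generator_of_qr(start):
    """Smallest x >= start whose square has full order N = P*Q."""
    for x in range(start, NBAR):
        g = x * x % NBAR
        if g != 1 and pow(g, P, NBAR) != 1 and pow(g, Q, NBAR) != 1:
            return g
    raise ValueError("no generator found")


G1, G2 = generator_of_qr(2), generator_of_qr(5)   # g1, g2 of Figure 7


def hash_tag(c1, c2, ai):
    """t = H(c1, c2, ai) in Z_N (SHA-256 mod N stands in for H)."""
    h = hashlib.sha256(b"%d|%d|" % (c1, c2) + ai).digest()
    return int.from_bytes(h, "big") % N


def lam(k, c1, c2, t):
    """Tag-based HPS evaluation: kappa = c1^{k1+k3 t} * c2^{k2+k4 t}."""
    k1, k2, k3, k4 = k
    return pow(c1, (k1 + k3 * t) % N, NBAR) * pow(c2, (k2 + k4 * t) % N, NBAR) % NBAR


def _keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def ae_encrypt(kappa, m):
    """One-time AE stand-in: XOR keystream plus HMAC-SHA256 tag, keyed from kappa."""
    key = hashlib.sha256(b"AE-key|%d" % kappa).digest()
    body = bytes(a ^ b for a, b in zip(m, _keystream(key, len(m))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def ae_decrypt(kappa, c):
    key = hashlib.sha256(b"AE-key|%d" % kappa).digest()
    body, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None                                   # integrity failure -> bot
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))


def aiae_encrypt(k, m, ai):
    w = secrets.randbelow(N - 1) + 1                  # w != 0, so (c1, c2) != (1, 1)
    c1, c2 = pow(G1, w, NBAR), pow(G2, w, NBAR)
    t = hash_tag(c1, c2, ai)
    return (c1, c2, ae_encrypt(lam(k, c1, c2, t), m))


def aiae_decrypt(k, ct, ai):
    c1, c2, aec = ct
    if not (in_qr(c1) and in_qr(c2)) or (c1, c2) == (1, 1):
        return None                                   # validity check of Figure 7
    t = hash_tag(c1, c2, ai)
    return ae_decrypt(lam(k, c1, c2, t), aec)


def affine_key(a, b, k):
    """f_{(a,b)}(k) = a*k + b componentwise over Z_N, the class F_raff."""
    return tuple((a * ki + bi) % N for ki, bi in zip(k, b))


def key_homomorphism_holds(k, a, b, c1, c2, t):
    """Identity (28): Lambda_{a*k+b}(C,t) == Lambda_k(C,t)^a * Lambda_b(C,t)."""
    lhs = lam(affine_key(a, b, k), c1, c2, t)
    rhs = pow(lam(k, c1, c2, t), a, NBAR) * lam(b, c1, c2, t) % NBAR
    return lhs == rhs
```

Because the group has order $N$, exponents reduce modulo $N$, which is exactly why the affine transformation of the key factors through the hash value as in (28); any $a$ with $\gcd(a,N)=1$ and any $\mathbf{b}$ can be used in `key_homomorphism_holds`.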
4. PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security
Denote by AIAE_DDH = (AIAE.ParGen, AIAE.Encrypt, AIAE.Decrypt) the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^4$. We need two other building blocks, following the approach in Figure 1:

(i) KEM: to be compatible with this AIAE_DDH, we have to design a KEM encapsulating a key tuple $(k_1,k_2,k_3,k_4)\in(\mathbb{Z}_N)^4$.
(ii) $\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$ so that, after a computationally indistinguishable change, $\mathcal{E}$.Encrypt can serve as an entropy filter for the affine function set.

The proposed PKE scheme PKE = (ParGen, KeyGen, Encrypt, Decrypt) is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.

The correctness of PKE is guaranteed by the correctness of AIAE_DDH, $\mathcal{E}$ and KEM.
Theorem 24. If (i) the DCR assumption holds for GenN and $\mathrm{QR}_{N^s}$, (ii) AIAE_DDH is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for GenN and $\mathrm{SCR}_{N^s}$, then the proposed scheme PKE in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.
Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, querying the encrypt oracle at most $Q_e$ times and the decrypt oracle at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.

In the proof, G1 and G2 deal with the $n$-user case; G3 and G4 are used to eliminate the use of the $(\bmod N)$ part of $(x_j,y_j)_{j=1}^4$ in the encrypt oracle; the aim of G5 and G6 is to use $(x_j,y_j)_{j=1}^4 \bmod N$ to hide a base key $\mathbf{k}^*=(k_1^*,\dots,k_4^*)$ of AIAE_DDH in the encrypt oracle; G7 and G8 are used to eliminate the use of $(x_j,y_j)_{j=1}^4 \bmod N$ in the decrypt oracle; in G9 and G10, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^*=(k_1^*,\dots,k_4^*)$ is now perfectly concealed by $(x_j,y_j)_{j=1}^4 \bmod N$.

Game G0. It is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta'=\beta$ by Succ. According to the definition, $\mathsf{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathrm{PKE},\mathcal{A}}(\lambda)=|\Pr_0[\mathrm{Succ}]-1/2|$.

For the $i$th user, $i\in[n]$, let $\mathrm{pk}_i=(h_{i,1},\dots,h_{i,4})$ and $\mathrm{sk}_i=(x_{i,1},y_{i,1},\dots,x_{i,4},y_{i,4})$ denote the corresponding public key and secret key, respectively.
Game G1. It is identical to G0 except for the way of answering the decrypt query $(\langle\mathrm{ai},\mathrm{aiaec}\rangle,i\in[n])$. More precisely, the challenger outputs $\bot$ if $\langle\mathrm{ai},\mathrm{aiaec}\rangle=\langle\mathrm{ai}_\ell,\mathrm{aiaec}_\ell\rangle$ for some $\ell\in[Q_e]$, where $\langle\mathrm{ai}_\ell,\mathrm{aiaec}_\ell\rangle$ is the challenge ciphertext of the $\ell$th encrypt oracle query $(f_\ell,i_\ell)$.

Case 1 ($(\langle\mathrm{ai},\mathrm{aiaec}\rangle,i)=(\langle\mathrm{ai}_\ell,\mathrm{aiaec}_\ell\rangle,i_\ell)$): decrypt will output $\bot$ in G0, since $(\langle\mathrm{ai}_\ell,\mathrm{aiaec}_\ell\rangle,i_\ell)\in\mathcal{Q}_{\mathrm{ENC}}$ is prohibited by decrypt.

Case 2 ($\langle\mathrm{ai},\mathrm{aiaec}\rangle=\langle\mathrm{ai}_\ell,\mathrm{aiaec}_\ell\rangle$ but $i\neq i_\ell$): We show that in G0 decrypt will output $\bot$, due to $e_{\ell,1}u_{\ell,1}^{x_{i,1}}u_{\ell,2}^{y_{i,1}}\notin\mathrm{RU}_{N^2}$ with overwhelming probability. Recall that $u_{\ell,1}=g_1^{r_\ell}$, $u_{\ell,2}=g_2^{r_\ell}$ and $e_{\ell,1}=h_{i_\ell,1}^{r_\ell}T^{k_{\ell,1}}$, so
\[
e_{\ell,1}u_{\ell,1}^{x_{i,1}}u_{\ell,2}^{y_{i,1}}
= h_{i_\ell,1}^{r_\ell}T^{k_{\ell,1}}\cdot(g_1^{r_\ell})^{x_{i,1}}(g_2^{r_\ell})^{y_{i,1}}
= \bigl(h_{i_\ell,1}h_{i,1}^{-1}\bigr)^{r_\ell}\,T^{k_{\ell,1}} \bmod N^2, \tag{29}
\]
where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$th user and the $i$th user, respectively, and are uniformly random over $\mathrm{SCR}_{N^s}$.
Figure 8: Construction of PKE from AIAE_DDH. The shadowed parts of the original figure, i.e., the algorithms of KEM and $\mathcal{E}$, appear here as the indented sub-blocks. Here $p,q$ in $\mathrm{pars}_{\mathrm{AIAE}}$ are not provided in $\mathrm{pars}'_{\mathrm{AIAE}}$ since they are not used in AIAE.Encrypt and AIAE.Decrypt of AIAE_DDH.

ParGen$(1^\lambda)$:
  $\mathrm{pars}_{\mathrm{AIAE}}=(N,p,q,\bar N,\bar g_1,\bar g_2,\mathrm{pars}_{\mathrm{AE}},\mathrm{H})\leftarrow_\$\mathrm{AIAE.ParGen}(1^\lambda)$, where $N=pq$, $\bar N=2N+1$, $\bar g_1,\bar g_2\in\mathrm{QR}_{\bar N}$
  $\mathrm{pars}'_{\mathrm{AIAE}}=(N,\bar N,\bar g_1,\bar g_2,\mathrm{pars}_{\mathrm{AE}},\mathrm{H})$
  $g_1,g_2,g_3,g_4,g_5\leftarrow_\$\mathrm{SCR}_{N^s}$
  Output $\mathrm{pars}=(\mathrm{pars}'_{\mathrm{AIAE}},g_1,g_2,g_3,g_4,g_5)$

KeyGen(pars):
  $x_1,y_1,x_2,y_2,x_3,y_3,x_4,y_4\leftarrow_\$[\lfloor N^2/4\rfloor]$
  $(h_1,h_2,h_3,h_4)=(g_1^{-x_1}g_2^{-y_1},\ g_2^{-x_2}g_3^{-y_2},\ g_3^{-x_3}g_4^{-y_3},\ g_4^{-x_4}g_5^{-y_4}) \bmod N^s$
  $\mathrm{pk}=(h_1,h_2,h_3,h_4)$, $\mathrm{sk}=(x_1,y_1,x_2,y_2,x_3,y_3,x_4,y_4)$
  Output $(\mathrm{pk},\mathrm{sk})$

Encrypt$(\mathrm{pk},m)$, where $m\in[N^{s-1}]$:
  $(\mathbf{k},\mathrm{ai})\leftarrow_\$\mathrm{KEM.Encrypt}(\mathrm{pk})$:
    $\mathbf{k}=(k_1,k_2,k_3,k_4)\leftarrow_\$(\mathbb{Z}_N)^4$, $r\leftarrow_\$[\lfloor N/4\rfloor]$
    $(u_1,u_2,u_3,u_4,u_5)=(g_1^{r},g_2^{r},g_3^{r},g_4^{r},g_5^{r}) \bmod N^2$
    $(e_1,e_2,e_3,e_4)=(h_1^{r}T^{k_1},\ h_2^{r}T^{k_2},\ h_3^{r}T^{k_3},\ h_4^{r}T^{k_4}) \bmod N^2$
    $\mathrm{ai}=(u_1,\dots,u_5,e_1,\dots,e_4)$
  $\mathrm{Ec}\leftarrow_\$\mathcal{E}.\mathrm{Encrypt}(\mathrm{pk},m)$:
    $r_1,r_2,r_3,r_4\leftarrow_\$[\lfloor N/4\rfloor]$
    $(\tilde u_1,\dots,\tilde u_8)=(g_1^{r_1},g_2^{r_1},g_2^{r_2},g_3^{r_2},g_3^{r_3},g_4^{r_3},g_4^{r_4},g_5^{r_4}) \bmod N^s$
    $e=h_1^{r_1}h_2^{r_2}h_3^{r_3}h_4^{r_4}\,T^{m} \bmod N^s$
    $t=g_1^{m} \bmod N$
    $\mathrm{Ec}=(\tilde u_1,\dots,\tilde u_8,e,t)$
  $\mathrm{aiaec}\leftarrow_\$\mathrm{AIAE.Encrypt}(\mathbf{k},\mathrm{Ec},\mathrm{ai})$
  Output $\langle\mathrm{ai},\mathrm{aiaec}\rangle$

Decrypt$(\mathrm{sk},\langle\mathrm{ai},\mathrm{aiaec}\rangle)$:
  $\mathbf{k}/\bot\leftarrow\mathrm{KEM.Decrypt}(\mathrm{sk},\mathrm{ai})$:
    Parse $\mathrm{ai}=(u_1,\dots,u_5,e_1,\dots,e_4)$
    If $e_1u_1^{x_1}u_2^{y_1},\ e_2u_2^{x_2}u_3^{y_2},\ e_3u_3^{x_3}u_4^{y_3},\ e_4u_4^{x_4}u_5^{y_4}\in\mathrm{RU}_{N^2}$:
      $\mathbf{k}=(k_1,k_2,k_3,k_4)=\bigl(\mathrm{dlog}_T(e_1u_1^{x_1}u_2^{y_1}),\ \mathrm{dlog}_T(e_2u_2^{x_2}u_3^{y_2}),\ \mathrm{dlog}_T(e_3u_3^{x_3}u_4^{y_3}),\ \mathrm{dlog}_T(e_4u_4^{x_4}u_5^{y_4})\bigr) \bmod N$
    Else Output $\bot$
  $\mathrm{Ec}/\bot\leftarrow\mathrm{AIAE.Decrypt}(\mathbf{k},\mathrm{aiaec},\mathrm{ai})$
  $m/\bot\leftarrow\mathcal{E}.\mathrm{Decrypt}(\mathrm{sk},\mathrm{Ec})$:
    Parse $\mathrm{Ec}=(\tilde u_1,\dots,\tilde u_8,e,t)$
    If $e\,\tilde u_1^{x_1}\tilde u_2^{y_1}\tilde u_3^{x_2}\tilde u_4^{y_2}\tilde u_5^{x_3}\tilde u_6^{y_3}\tilde u_7^{x_4}\tilde u_8^{y_4}\in\mathrm{RU}_{N^s}$:
      $m=\mathrm{dlog}_T\bigl(e\,\tilde u_1^{x_1}\tilde u_2^{y_1}\tilde u_3^{x_2}\tilde u_4^{y_2}\tilde u_5^{x_3}\tilde u_6^{y_3}\tilde u_7^{x_4}\tilde u_8^{y_4}\bigr) \bmod N^{s-1}$
      If $t=g_1^{m} \bmod N$: Output $m$; Else Output $\bot$
    Else Output $\bot$
So $h_{i_\ell,1}h_{i,1}^{-1}\neq1$, hence $e_{\ell,1}u_{\ell,1}^{x_{i,1}}u_{\ell,2}^{y_{i,1}}\notin\mathrm{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus G0 and G1 are the same except with probability at most $Q_d\cdot2^{-\Omega(\lambda)}$ according to the union bound, and $|\Pr_0[\mathrm{Succ}]-\Pr_1[\mathrm{Succ}]|\le Q_d\cdot2^{-\Omega(\lambda)}$.
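As an added example that is not the paper's code, the KEM of Figure 8 with $s=2$ in Python under toy DCR parameters $p=1019$, $q=1187$ (an assumption; the primes are far too small to be secure, and the specific generators are sampled at import time). It shows the honest decapsulation of Figure 8, where $e_ju_j^{x_j}u_{j+1}^{y_j}=T^{k_j}$ must lie in $\mathrm{RU}_{N^2}$, and also the alternative route through $\phi(N)$ that the proof of Theorem 24 switches to in games G7 and G8: the $(\bmod N)$ components $\alpha'_j,\gamma'_j$ of $u_j,e_j$ are extracted as $\mathrm{dlog}_T(z^{\phi(N)})/\phi(N)$, and a ciphertext whose $u_1$ carries an extra factor $T^{\delta}$ (so $u_1\notin\mathrm{SCR}_{N^2}$) is caught by the rule "reject if some $\alpha'_j\neq0$", whereas the honest route would accept it and return $k_1+\delta x_1 \bmod N$, i.e. leak a linear function of the $(\bmod N)$ part of the secret key. The function names `kem_decrypt_phi`, `ru_component` and `tamper` are this example's own.

```python
"""Toy KEM of Figure 8, s = 2. Added example; parameters are assumptions, not the paper's."""
import secrets
from math import gcd

P, Q = 1019, 1187          # safe primes (assumption: toy size, insecure)
N = P * Q
N2 = N * N
T = 1 + N                  # T generates RU_{N^2} = {1 + mN : m in Z_N}, of order N
PHI = (P - 1) * (Q - 1)    # phi(N); SCR_{N^2} is cyclic of order phi(N)/4
assert gcd(PHI, N) == 1
PHI_INV = pow(PHI, -1, N)


def in_ru(z):
    """z in RU_{N^2} iff z = T^m = 1 + mN, i.e. z == 1 (mod N)."""
    return z % N == 1


def dlog_t(z):
    """Discrete log base T on RU_{N^2}: m = (z - 1)/N mod N."""
    assert in_ru(z)
    return ((z - 1) // N) % N


def sample_scr_generator():
    """x^{2N} mod N^2 lies in SCR_{N^2}; keep it if it has full order phi(N)/4."""
    while True:
        x = secrets.randbelow(N2)
        if gcd(x, N) != 1:
            continue
        g = pow(x, 2 * N, N2)
        if g != 1 and pow(g, (P - 1) // 2, N2) != 1 and pow(g, (Q - 1) // 2, N2) != 1:
            return g


G = [sample_scr_generator() for _ in range(5)]     # g_1, ..., g_5


def keygen():
    """sk = (x_1, y_1, ..., x_4, y_4); pk = (h_1..h_4), h_j = g_j^{-x_j} g_{j+1}^{-y_j} mod N^2."""
    sk = [secrets.randbelow(N2 // 4) for _ in range(8)]
    pk = [pow(G[j], -sk[2 * j], N2) * pow(G[j + 1], -sk[2 * j + 1], N2) % N2
          for j in range(4)]
    return pk, sk


def kem_encrypt(pk):
    """Encapsulate k in (Z_N)^4; ai = (u_1..u_5, e_1..e_4) with u_j = g_j^r, e_j = h_j^r T^{k_j}."""
    k = [secrets.randbelow(N) for _ in range(4)]
    r = secrets.randbelow(N // 4)
    u = [pow(g, r, N2) for g in G]
    e = [pow(pk[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return k, (u, e)


def kem_decrypt(sk, ai):
    """Figure 8 route: e_j u_j^{x_j} u_{j+1}^{y_j} must be in RU_{N^2}, then k_j = dlog_T of it."""
    u, e = ai
    k = []
    for j in range(4):
        z = e[j] * pow(u[j], sk[2 * j], N2) * pow(u[j + 1], sk[2 * j + 1], N2) % N2
        if not in_ru(z):
            return None
        k.append(dlog_t(z))
    return k


def ru_component(z):
    """For z = g^r T^a with g in SCR_{N^2}: z^{phi(N)} = T^{a phi(N)}, so a = dlog_T(z^{phi(N)})/phi(N) mod N."""
    return dlog_t(pow(z, PHI, N2)) * PHI_INV % N


def kem_decrypt_phi(sk, ai, reject_bad=True):
    """G7 route of the proof: k_j = alpha'_j x_j + alpha'_{j+1} y_j + gamma'_j mod N.
    With reject_bad=True the G8 rule applies: any alpha'_j != 0 (u_j outside SCR) gives bot."""
    u, e = ai
    alpha = [ru_component(uj) for uj in u]            # alpha'_1..alpha'_5
    gamma = [ru_component(ej) for ej in e]            # gamma'_1..gamma'_4
    if reject_bad and any(a != 0 for a in alpha):
        return None
    return [(alpha[j] * sk[2 * j] + alpha[j + 1] * sk[2 * j + 1] + gamma[j]) % N
            for j in range(4)]


def tamper(ai, delta):
    """Multiply u_1 by T^delta: still passes the RU_{N^2} test of Figure 8, but u_1 leaves SCR_{N^2}."""
    u, e = ai
    return ([u[0] * pow(T, delta, N2) % N2] + u[1:], e)
```

For an honest ciphertext all $\alpha'_j$ are $0$ and $\gamma'_j=k_j$, so both routes agree; the $\phi(N)$ route only ever touches the secret key modulo $N$ through the $\alpha'_j$ coefficients, which is what lets the proof drop the $(\bmod N)$ part of the secret keys from decrypt once the rejection rule is in place.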
Game G2. It is identical to G1 except for the way the challenger samples the secret keys $\mathrm{sk}_i=(x_{i,1},y_{i,1},\dots,x_{i,4},y_{i,4})$, $i\in[n]$. In game G2, the challenger first chooses $(x_1,y_1,\dots,x_4,y_4)$ and $(\bar x_{i,1},\bar y_{i,1},\dots,\bar x_{i,4},\bar y_{i,4})$ randomly from $[\lfloor N^2/4\rfloor]$; next it computes $(x_{i,1},y_{i,1},\dots,x_{i,4},y_{i,4}):=(x_1,y_1,\dots,x_4,y_4)+(\bar x_{i,1},\bar y_{i,1},\dots,\bar x_{i,4},\bar y_{i,4}) \bmod \lfloor N^2/4\rfloor$ for $i\in[n]$.

Obviously the secret keys $\mathrm{sk}_i=(x_{i,1},y_{i,1},\dots,x_{i,4},y_{i,4})$ are uniformly distributed. Hence G2 is identical to G1 and $\Pr_1[\mathrm{Succ}]=\Pr_2[\mathrm{Succ}]$.

Game G3. It is identical to G2 except for the way the challenger responds to the $\ell$th ($\ell\in[Q_e]$) encrypt query $(f_\ell,i_\ell)$. In game G3, instead of using the public key $\mathrm{pk}_{i_\ell}=(h_{i_\ell,1},\dots,h_{i_\ell,4})$, the challenger uses the secret key $\mathrm{sk}_{i_\ell}=(x_{i_\ell,1},y_{i_\ell,1},\dots,x_{i_\ell,4},y_{i_\ell,4})$ to prepare $(e_{\ell,1},\dots,e_{\ell,4})$ and $e_\ell$ in the following way:

(i)
\[
(e_{\ell,1},\dots,e_{\ell,4}) := \bigl(u_{\ell,1}^{-x_{i_\ell,1}}u_{\ell,2}^{-y_{i_\ell,1}}T^{k_{\ell,1}},\ \dots,\ u_{\ell,4}^{-x_{i_\ell,4}}u_{\ell,5}^{-y_{i_\ell,4}}T^{k_{\ell,4}}\bigr) \bmod N^2; \tag{30}
\]
(ii)
\[
e_\ell := \tilde u_{\ell,1}^{-x_{i_\ell,1}}\tilde u_{\ell,2}^{-y_{i_\ell,1}}\tilde u_{\ell,3}^{-x_{i_\ell,2}}\tilde u_{\ell,4}^{-y_{i_\ell,2}}\tilde u_{\ell,5}^{-x_{i_\ell,3}}\tilde u_{\ell,6}^{-y_{i_\ell,3}}\tilde u_{\ell,7}^{-x_{i_\ell,4}}\tilde u_{\ell,8}^{-y_{i_\ell,4}}\,T^{m_\beta} \bmod N^s. \tag{31}
\]
Note that for $j\in[4]$,
\[
e_{\ell,j} \overset{\mathrm{G2}}{=} h_{i_\ell,j}^{r_\ell}T^{k_{\ell,j}} = \bigl(g_j^{-x_{i_\ell,j}}g_{j+1}^{-y_{i_\ell,j}}\bigr)^{r_\ell}T^{k_{\ell,j}} \overset{\mathrm{G3}}{=} u_{\ell,j}^{-x_{i_\ell,j}}u_{\ell,j+1}^{-y_{i_\ell,j}}T^{k_{\ell,j}} \bmod N^2,
\]
Table 2: Brief description of the security proof of Theorem 24.

Game | Changes between adjacent games | Assumptions
G0 | The original $n$-KDM-CCA security game. | none
G1 | decrypt: reject if $\langle\mathrm{ai},\mathrm{aiaec}\rangle=\langle\mathrm{ai}_\ell,\mathrm{aiaec}_\ell\rangle$ for some $\ell\in[Q_e]$. | G0 $\approx_s$ G1
G2 | initialize: sample secret keys with $(x_{i,1},y_{i,1},\dots,x_{i,4},y_{i,4})=(x_1,y_1,\dots,x_4,y_4)+(\bar x_{i,1},\bar y_{i,1},\dots,\bar x_{i,4},\bar y_{i,4})$. | G1 = G2
G3 | encrypt$(f_\ell,i_\ell)$: use the secret keys to run KEM.Encrypt and $\mathcal{E}$.Encrypt. | G2 = G3
G4 | encrypt$(f_\ell,i_\ell)$: when the encrypt oracle encrypts an affine function of the secret keys, Ec is computed with $(\tilde u_{\ell,j})_{j\in[8]}=(g_1^{r_{\ell,1}}T^{\delta_1},\dots,g_5^{r_{\ell,4}}T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}},\dots,g_5^{r_{\ell,4}})$; encrypt does not use $(x_j,y_j)_{j=1}^4 \bmod N$ any more if $(\delta_j)_{j\in[8]}$ is carefully chosen. | G3 $\approx_c$ G4 by IV5
G5 | encrypt$(f_\ell,i_\ell)$: kemct (= ai) of KEM.Encrypt is computed with $(u_{\ell,j})_{j\in[5]}=((g_j^{r^*}T^{\alpha_j})^{r_\ell})_{j\in[5]}$ instead of $(g_j^{r_\ell})_{j\in[5]}$. Now KEM.Encrypt encapsulates the four keys $(k_{\ell,j}-r_\ell\cdot(\alpha_jx_{i,j}+\alpha_{j+1}y_{i,j}))_{j=1}^4 \bmod N$, but $(k_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | G4 $\approx_c$ G5 by IV5
G6 | encrypt$(f_\ell,i_\ell)$: sample $k_{\ell,j}:=r_\ell k_j^*+s_{\ell,j}$ for $j\in[4]$. Now KEM.Encrypt encapsulates the four keys $(r_\ell(k_j^*-\alpha_jx_j-\alpha_{j+1}y_j)-r_\ell(\alpha_j\bar x_{i,j}+\alpha_{j+1}\bar y_{i,j})+s_{\ell,j})_{j=1}^4$, but $(r_\ell k_j^*+s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | G5 = G6
G7 | decrypt: use $\phi(N)$ and the secret keys to answer decryption queries. | G6 = G7
G8 | decrypt: add an additional rejection rule. Reject if $\mathrm{Bad}'=(\exists u_j\notin\mathrm{SCR}_{N^2})$ or $\widetilde{\mathrm{Bad}}=(\forall u_j\in\mathrm{SCR}_{N^2})\wedge(\exists\tilde u_j\notin\mathrm{SCR}_{N^s})$ happens. $\mathrm{Bad}'$ and $\widetilde{\mathrm{Bad}}$ can be detected by using $\phi(N)$. Now only the $(\bmod\ \phi(N)/4)$ part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_jx_j+\alpha_{j+1}y_j)_{j=1}^4 \bmod N$ perfectly hides $(k_1^*,\dots,k_4^*)$ in encrypt, thus $(k_1^*,\dots,k_4^*)$ is uniform; $(r_\ell k_j^*+s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. $\mathrm{Bad}'$ may lead to a fresh successful forgery for AIAE_DDH. | G7 = G8 if neither $\mathrm{Bad}'$ nor $\widetilde{\mathrm{Bad}}$ happens; $\Pr[\mathrm{Bad}']=\mathrm{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH
G9 | initialize: sample an independent random tuple $(\hat k_1^*,\dots,\hat k_4^*)$. encrypt$(f_\ell,i_\ell)$: use $(r_\ell\hat k_j^*+s_{\ell,j})_{j=1}^4$ in AIAE.Encrypt. | G8 = G9 to the adversary
G10 | encrypt: encrypt zeros instead of the affine function of the secret keys. $\widetilde{\mathrm{Bad}}$ happens with negligible probability since $t=g_1^{m} \bmod N$ in decrypt. Adversary $\mathcal{A}$ wins with probability 1/2. | G9 $\approx_c$ G10 by the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH; $\Pr[\widetilde{\mathrm{Bad}}]=\mathrm{negl}$
\[
\begin{aligned}
e_\ell &\overset{\mathrm{G2}}{=} h_{i_\ell,1}^{r_{\ell,1}}\cdots h_{i_\ell,4}^{r_{\ell,4}}\,T^{m_\beta}
= \bigl(g_1^{-x_{i_\ell,1}}g_2^{-y_{i_\ell,1}}\bigr)^{r_{\ell,1}}\cdots\bigl(g_4^{-x_{i_\ell,4}}g_5^{-y_{i_\ell,4}}\bigr)^{r_{\ell,4}}\,T^{m_\beta}\\
&\overset{\mathrm{G3}}{=} \tilde u_{\ell,1}^{-x_{i_\ell,1}}\tilde u_{\ell,2}^{-y_{i_\ell,1}}\cdots\tilde u_{\ell,7}^{-x_{i_\ell,4}}\tilde u_{\ell,8}^{-y_{i_\ell,4}}\,T^{m_\beta} \bmod N^s.
\end{aligned} \tag{32}
\]
Thus G3 is the same as G2 and $\Pr_2[\mathrm{Succ}]=\Pr_3[\mathrm{Succ}]$.

Game G4. It is identical to G3 except for the way the challenger responds to the $\ell$th ($\ell\in[Q_e]$) encrypt query $(f_\ell,i_\ell)$. In game G4, in the case of $\beta=1$, $(\tilde u_{\ell,1},\dots,\tilde u_{\ell,8})$ and $e_\ell$ are computed without the use of $(x_1,y_1,\dots,x_4,y_4) \bmod N$:
(i)
\[
\begin{aligned}
(\tilde u_{\ell,1},\dots,\tilde u_{\ell,8}) := \bigl(&g_1^{r_{\ell,1}}T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}}T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}}T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}}T^{\sum_{i=1}^n b_{i,2}},\\
&g_3^{r_{\ell,3}}T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}}T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}}T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}}T^{\sum_{i=1}^n b_{i,4}}\bigr) \bmod N^s;
\end{aligned} \tag{33}
\]
(ii)
\[
e_\ell := h_{i_\ell,1}^{r_{\ell,1}}\cdots h_{i_\ell,4}^{r_{\ell,4}}\,T^{\sum_{i=1}^n\sum_{j=1}^4\bigl(a_{i,j}(x_{i,j}-x_{i_\ell,j})+b_{i,j}(y_{i,j}-y_{i_\ell,j})\bigr)+c} \bmod N^s, \tag{34}
\]
where $f_\ell=(\{a_{i,1},b_{i,1},\dots,a_{i,4},b_{i,4}\}_{i\in[n]},c)\in\mathcal{F}_{\mathrm{aff}}$. Note that
\[
\begin{aligned}
e_\ell &\overset{\mathrm{G4}}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}}\cdot T^{\sum_{i=1}^n\sum_{j=1}^4\bigl(a_{i,j}(x_{i,j}-x_{i_\ell,j})+b_{i,j}(y_{i,j}-y_{i_\ell,j})\bigr)+c}\\
&= \prod_{j=1}^4\bigl(g_j^{-x_{i_\ell,j}}g_{j+1}^{-y_{i_\ell,j}}\bigr)^{r_{\ell,j}}\cdot T^{m_1-\sum_{i=1}^n\sum_{j=1}^4(a_{i,j}x_{i_\ell,j}+b_{i,j}y_{i_\ell,j})}\\
&= \prod_{j=1}^4\bigl(g_j^{r_{\ell,j}}T^{\sum_{i=1}^n a_{i,j}}\bigr)^{-x_{i_\ell,j}}\bigl(g_{j+1}^{r_{\ell,j}}T^{\sum_{i=1}^n b_{i,j}}\bigr)^{-y_{i_\ell,j}}\cdot T^{m_1}\\
&= \tilde u_{\ell,1}^{-x_{i_\ell,1}}\tilde u_{\ell,2}^{-y_{i_\ell,1}}\cdots\tilde u_{\ell,7}^{-x_{i_\ell,4}}\tilde u_{\ell,8}^{-y_{i_\ell,4}}\,T^{m_1} \bmod N^s,
\end{aligned} \tag{35}
\]
where the second equality follows from $m_1=\sum_{i=1}^n(a_{i,1}x_{i,1}+b_{i,1}y_{i,1}+\cdots+a_{i,4}x_{i,4}+b_{i,4}y_{i,4})+c$.
We analyze the difference between G3 and G4 via the following lemma.

Lemma 25. One has $|\Pr_3[\mathrm{Succ}]-\Pr_4[\mathrm{Succ}]|\le\mathsf{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\tilde u_{\ell,1},\dots,\tilde u_{\ell,8})$ is the same in G3 and G4. Therefore the only divergence between G3 and G4 lies in $(\tilde u_{\ell,1},\dots,\tilde u_{\ell,8})$.

We show that any difference between G3 and G4 results in a PPT adversary $\mathcal{B}_1$ solving the IV5 problem. $\mathcal{B}_1$ is provided with $(N,g_1,\dots,g_5)$ and has access to its $\mathrm{chal}^{b}_{\mathrm{IV5}}$ oracle. $\mathcal{B}_1$ simulates game G3 or game G4 for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares pars and generates $(\mathrm{pk}_i,\mathrm{sk}_i)$, $i\in[n]$, as in G3 and G4. As for the $\ell$th ($\ell\in[Q_e]$) encrypt query $(f_\ell,i_\ell)$ from $\mathcal{A}$, where $f_\ell=(\{a_{i,1},b_{i,1},\dots,a_{i,4},b_{i,4}\}_{i\in[n]},c)\in\mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathrm{chal}^{b}_{\mathrm{IV5}}$ oracle with
\[
\Bigl(\textstyle\sum_{i=1}^n a_{i,1},\ \sum_{i=1}^n b_{i,1},\ *,\ *,\ *\Bigr),\quad
\Bigl(*,\ \sum_{i=1}^n a_{i,2},\ \sum_{i=1}^n b_{i,2},\ *,\ *\Bigr),\quad
\Bigl(*,\ *,\ \sum_{i=1}^n a_{i,3},\ \sum_{i=1}^n b_{i,3},\ *\Bigr),\quad
\Bigl(*,\ *,\ *,\ \sum_{i=1}^n a_{i,4},\ \sum_{i=1}^n b_{i,4}\Bigr),
\]
where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde u_{\ell,1},\tilde u_{\ell,2},*,*,*)$, $(*,\tilde u_{\ell,3},\tilde u_{\ell,4},*,*)$, $(*,*,\tilde u_{\ell,5},\tilde u_{\ell,6},*)$, $(*,*,*,\tilde u_{\ell,7},\tilde u_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathrm{chal}^{b}_{\mathrm{IV5}}$ oracle, $(\tilde u_{\ell,1},\dots,\tilde u_{\ell,8})$ is one of the following:

Case 1 ($b=0$): $\bigl(g_1^{r_{\ell,1}},\ g_2^{r_{\ell,1}},\ g_2^{r_{\ell,2}},\ g_3^{r_{\ell,2}},\ g_3^{r_{\ell,3}},\ g_4^{r_{\ell,3}},\ g_4^{r_{\ell,4}},\ g_5^{r_{\ell,4}}\bigr)$.

Case 2 ($b=1$): $\bigl(g_1^{r_{\ell,1}}T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}}T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}}T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}}T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}}T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}}T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}}T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}}T^{\sum_{i=1}^n b_{i,4}}\bigr)$.

Next, $\mathcal{B}_1$ uses the obtained $(\tilde u_{\ell,1},\dots,\tilde u_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$, since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event Succ occurs.

In Case 1, $\mathcal{B}_1$ simulates game G3 perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game G4 perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathrm{Succ}]$ and $\Pr_4[\mathrm{Succ}]$ results in $\mathcal{B}_1$'s advantage over the IV5 problem. Thus Lemma 25 follows.
Game G5. It is identical to G4 except for the following differences. In the initialize procedure of game G5, the challenger picks $r^*\leftarrow_\$[\lfloor N/4\rfloor]$ and $\alpha_1,\dots,\alpha_5\leftarrow_\$\mathbb{Z}_N$ randomly. As for the $\ell$th ($\ell\in[Q_e]$) encrypt query $(f_\ell,i_\ell)$, the challenger computes $(u_{\ell,1},\dots,u_{\ell,5})$ as follows:

(i) $(u_{\ell,1},\dots,u_{\ell,5}):=\bigl((g_1^{r^*}T^{\alpha_1})^{r_\ell},\ \dots,\ (g_5^{r^*}T^{\alpha_5})^{r_\ell}\bigr) \bmod N^2$.

The only difference between G4 and G5 is the distribution of $(u_{\ell,1},\dots,u_{\ell,5})$. In game G4, $(u_{\ell,1},\dots,u_{\ell,5})=(g_1^{r_\ell},\dots,g_5^{r_\ell}) \bmod N^2$, while in game G5, $(u_{\ell,1},\dots,u_{\ell,5})=((g_1^{r^*}T^{\alpha_1})^{r_\ell},\dots,(g_5^{r^*}T^{\alpha_5})^{r_\ell}) \bmod N^2$. Just like Lemma 25, any difference between G4 and G5 results in a PPT adversary solving the IV5 problem by invoking $\mathcal{A}$. Therefore $|\Pr_4[\mathrm{Succ}]-\Pr_5[\mathrm{Succ}]|\le\mathsf{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Game G6. It is identical to G5 except for the following differences. In the initialize procedure of game G6, the challenger picks $\mathbf{k}^*=(k_1^*,k_2^*,k_3^*,k_4^*)$ randomly. As for the $\ell$th ($\ell\in[Q_e]$) encrypt query $(f_\ell,i_\ell)$, the challenger computes $\mathbf{k}_\ell=(k_{\ell,1},k_{\ell,2},k_{\ell,3},k_{\ell,4})$ and $(e_{\ell,1},\dots,e_{\ell,4})$ in a different way:

(i) Pick $\mathbf{s}_\ell=(s_{\ell,1},s_{\ell,2},s_{\ell,3},s_{\ell,4})\leftarrow_\$(\mathbb{Z}_N)^4$ and $r_\ell\leftarrow_\$[\lfloor N/4\rfloor]$ randomly, and compute $\mathbf{k}_\ell=(k_{\ell,1},k_{\ell,2},k_{\ell,3},k_{\ell,4}):=(r_\ell k_1^*+s_{\ell,1},\ \dots,\ r_\ell k_4^*+s_{\ell,4})$.
(ii)
\[
(e_{\ell,1},\dots,e_{\ell,4}) := \Bigl(h_{i_\ell,1}^{r^*r_\ell}\,T^{r_\ell\cdot(k_1^*-\alpha_1x_{i_\ell,1}-\alpha_2y_{i_\ell,1})+s_{\ell,1}},\ \dots,\ h_{i_\ell,4}^{r^*r_\ell}\,T^{r_\ell\cdot(k_4^*-\alpha_4x_{i_\ell,4}-\alpha_5y_{i_\ell,4})+s_{\ell,4}}\Bigr). \tag{36}
\]
Clearly $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game G5. In the meantime, for $j\in[4]$ we have
\[
\begin{aligned}
e_{\ell,j} &\overset{\mathrm{G5}}{=} u_{\ell,j}^{-x_{i_\ell,j}}u_{\ell,j+1}^{-y_{i_\ell,j}}T^{k_{\ell,j}}
= \bigl(g_j^{r^*}T^{\alpha_j}\bigr)^{-r_\ell\cdot x_{i_\ell,j}}\bigl(g_{j+1}^{r^*}T^{\alpha_{j+1}}\bigr)^{-r_\ell\cdot y_{i_\ell,j}}T^{k_{\ell,j}}\\
&= \bigl(g_j^{-x_{i_\ell,j}}g_{j+1}^{-y_{i_\ell,j}}\bigr)^{r^*r_\ell}\,T^{k_{\ell,j}-r_\ell\cdot(\alpha_jx_{i_\ell,j}+\alpha_{j+1}y_{i_\ell,j})}
\overset{\mathrm{G6}}{=} h_{i_\ell,j}^{r^*r_\ell}\,T^{r_\ell\cdot(k_j^*-\alpha_jx_{i_\ell,j}-\alpha_{j+1}y_{i_\ell,j})+s_{\ell,j}} \bmod N^2.
\end{aligned} \tag{37}
\]
Thus G6 is the same as G5 and $\Pr_5[\mathrm{Succ}]=\Pr_6[\mathrm{Succ}]$.

Game G7. It is identical to G6 except for the way the challenger answers the decrypt oracle queries $(\langle\mathrm{ai},\mathrm{aiaec}\rangle,i\in[n])$. In game G7, it uses $\mathrm{sk}_i=(x_{i,1},y_{i,1},\dots,x_{i,4},y_{i,4})$ and $\phi(N)=(p-1)(q-1)$ to decrypt $\langle\mathrm{ai},\mathrm{aiaec}\rangle$, where $\mathrm{ai}=(u_1,\dots,u_5,e_1,\dots,e_4)$. More precisely, it computes $\mathbf{k}=(k_1,\dots,k_4)$ and $m$ in the following way:
(i)
\[
\begin{aligned}
(\alpha'_1,\dots,\alpha'_5) &:= \Bigl(\tfrac{\mathrm{dlog}_T(u_1^{\phi(N)})}{\phi(N)},\ \dots,\ \tfrac{\mathrm{dlog}_T(u_5^{\phi(N)})}{\phi(N)}\Bigr) \bmod N,\\
(\gamma'_1,\dots,\gamma'_4) &:= \Bigl(\tfrac{\mathrm{dlog}_T(e_1^{\phi(N)})}{\phi(N)},\ \dots,\ \tfrac{\mathrm{dlog}_T(e_4^{\phi(N)})}{\phi(N)}\Bigr) \bmod N,\\
\mathbf{k}=(k_1,\dots,k_4) &:= \bigl(\alpha'_1x_{i,1}+\alpha'_2y_{i,1}+\gamma'_1,\ \dots,\ \alpha'_4x_{i,4}+\alpha'_5y_{i,4}+\gamma'_4\bigr) \bmod N.
\end{aligned} \tag{38}
\]
(ii)
\[
\mathrm{Ec}=(\tilde u_1,\dots,\tilde u_8,e,t)\,/\,\bot \leftarrow \mathrm{AIAE.Decrypt}(\mathbf{k},\mathrm{aiaec},\mathrm{ai}). \tag{39}
\]
(iii)
\[
\begin{aligned}
(\tilde\alpha'_1,\dots,\tilde\alpha'_8) &:= \Bigl(\tfrac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)},\ \dots,\ \tfrac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}\Bigr) \bmod N^{s-1},\\
\tilde\gamma &:= \tfrac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)} \bmod N^{s-1},\\
m &:= \tilde\alpha'_1x_{i,1}+\tilde\alpha'_2y_{i,1}+\tilde\alpha'_3x_{i,2}+\tilde\alpha'_4y_{i,2}+\tilde\alpha'_5x_{i,3}+\tilde\alpha'_6y_{i,3}+\tilde\alpha'_7x_{i,4}+\tilde\alpha'_8y_{i,4}+\tilde\gamma \bmod N^{s-1}.
\end{aligned} \tag{40}
\]
According to (8), for $j\in[4]$ we have that
\[
\begin{aligned}
k_j &\overset{\mathrm{G6}}{=} \mathrm{dlog}_T\bigl(e_ju_j^{x_{i,j}}u_{j+1}^{y_{i,j}}\bigr)
= \frac{\mathrm{dlog}_T\bigl((e_ju_j^{x_{i,j}}u_{j+1}^{y_{i,j}})^{\phi(N)}\bigr)}{\phi(N)} \bmod N
= \frac{\mathrm{dlog}_T\bigl(u_j^{\phi(N)\cdot x_{i,j}}\bigr)}{\phi(N)}+\frac{\mathrm{dlog}_T\bigl(u_{j+1}^{\phi(N)\cdot y_{i,j}}\bigr)}{\phi(N)}+\frac{\mathrm{dlog}_T\bigl(e_j^{\phi(N)}\bigr)}{\phi(N)}\\
&\overset{\mathrm{G7}}{=} \underbrace{\frac{\mathrm{dlog}_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j}\cdot x_{i,j}
+\underbrace{\frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}}\cdot y_{i,j}
+\underbrace{\frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}}_{\gamma'_j},\\
m &\overset{\mathrm{G6}}{=} \mathrm{dlog}_T\bigl(e\,\tilde u_1^{x_{i,1}}\tilde u_2^{y_{i,1}}\tilde u_3^{x_{i,2}}\tilde u_4^{y_{i,2}}\tilde u_5^{x_{i,3}}\tilde u_6^{y_{i,3}}\tilde u_7^{x_{i,4}}\tilde u_8^{y_{i,4}}\bigr) \bmod N^{s-1}\\
&\overset{\mathrm{G7}}{=} \underbrace{\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}}_{\tilde\alpha'_1}\cdot x_{i,1}+\cdots+\underbrace{\frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}}_{\tilde\alpha'_8}\cdot y_{i,4}+\underbrace{\frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)}}_{\tilde\gamma}.
\end{aligned} \tag{41}
\]
Hence G7 is essentially the same as G6 and $\Pr_6[\mathrm{Succ}]=\Pr_7[\mathrm{Succ}]$.

Game G8. It is identical to G7 except for the way of answering the decrypt oracle queries $(\langle\mathrm{ai},\mathrm{aiaec}\rangle,i\in[n])$. More precisely, a rejection rule is added in decrypt:

(i) If $\alpha'_1\neq0$ or $\cdots$ or $\alpha'_5\neq0$ or $\tilde\alpha'_1\neq0$ or $\cdots$ or $\tilde\alpha'_8\neq0$, output $\bot$.

Denote by Bad the event that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle\mathrm{ai},\mathrm{aiaec}\rangle,i\in[n])$ satisfying
\[
e_1u_1^{x_{i,1}}u_2^{y_{i,1}},\ \dots,\ e_4u_4^{x_{i,4}}u_5^{y_{i,4}}\in\mathrm{RU}_{N^2}\quad\text{and}\quad \mathrm{AIAE.Decrypt}(\mathbf{k},\mathrm{aiaec},\mathrm{ai})\neq\bot \tag{42}
\]
\[
\text{and}\quad e\,\tilde u_1^{x_{i,1}}\tilde u_2^{y_{i,1}}\tilde u_3^{x_{i,2}}\tilde u_4^{y_{i,2}}\tilde u_5^{x_{i,3}}\tilde u_6^{y_{i,3}}\tilde u_7^{x_{i,4}}\tilde u_8^{y_{i,4}}\in\mathrm{RU}_{N^s}\quad\text{and}\quad t=g_1^{m} \bmod N \tag{43}
\]
\[
\text{and}\quad (\alpha'_1\neq0\ \text{or}\ \cdots\ \text{or}\ \alpha'_5\neq0\ \text{or}\ \tilde\alpha'_1\neq0\ \text{or}\ \cdots\ \text{or}\ \tilde\alpha'_8\neq0). \tag{44}
\]
Obviously G8 is identical to G7 unless Bad occurs. Thus $|\Pr_7[\mathrm{Succ}]-\Pr_8[\mathrm{Succ}]|\le\Pr_8[\mathrm{Bad}]$.

To show the computational indistinguishability of G7 and G8, we must prove that $\Pr_8[\mathrm{Bad}]$ is negligible. To this end, Bad is divided into two subevents:

(i) $\mathrm{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle\mathrm{ai},\mathrm{aiaec}\rangle,i\in[n])$ satisfying
\[
\text{Conditions (42), (43) and } (\alpha'_1\neq0\ \text{or}\ \cdots\ \text{or}\ \alpha'_5\neq0). \tag{45}
\]
(ii) $\widetilde{\mathrm{Bad}}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle\mathrm{ai},\mathrm{aiaec}\rangle,i\in[n])$ satisfying
\[
\text{Conditions (42), (43) and } (\alpha'_1=\cdots=\alpha'_5=0)\ \text{and}\ (\tilde\alpha'_1\neq0\ \text{or}\ \cdots\ \text{or}\ \tilde\alpha'_8\neq0). \tag{46}
\]
Obviously $\Pr_8[\mathrm{Bad}]\le\Pr_8[\mathrm{Bad}']+\Pr_8[\widetilde{\mathrm{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathrm{Bad}}]$ to subsequent games. Through the following lemma we provide the analysis of $\Pr_8[\mathrm{Bad}']$.

Lemma 26. One has $\Pr_8[\mathrm{Bad}']\le 2Q_d\cdot\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In decrypt of game G8, the challenger will reply $\bot$ to $\mathcal{A}$ unless $\alpha'_1=\cdots=\alpha'_5=0$ and $\tilde\alpha'_1=\cdots=\tilde\alpha'_8=0$. Consequently, the $(\bmod\ \phi(N)/4)$ part of $\mathrm{sk}_i$, that is, $(x_{i,1},y_{i,1},\dots,x_{i,4},y_{i,4}) \bmod \phi(N)/4$, $i\in[n]$, together with the value of $\phi(N)$, is enough for answering decrypt queries. In particular, the values of $(x_1,y_1,\dots,x_4,y_4) \bmod N$ are not necessary in decrypt.

$\mathrm{Bad}'$ is further divided into the following two subevents:

(i) $\mathrm{Bad}'\text{-}1$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle\mathrm{ai},\mathrm{aiaec}\rangle,i\in[n])$ satisfying
\[
\text{Conditions (42), (43) and } (\alpha'_1\neq0\ \text{or}\ \cdots\ \text{or}\ \alpha'_5\neq0)\ \text{and}\ \bigl(\exists j\in[4]:\ \alpha'_j/\alpha_j\neq\alpha'_{j+1}/\alpha_{j+1} \bmod N\bigr). \tag{47}
\]
(ii) $\mathrm{Bad}'\text{-}2$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle\mathrm{ai},\mathrm{aiaec}\rangle,i\in[n])$ satisfying
\[
\text{Conditions (42), (43) and } (\alpha'_1\neq0\ \text{or}\ \cdots\ \text{or}\ \alpha'_5\neq0)\ \text{and}\ (\alpha'_1/\alpha_1=\cdots=\alpha'_5/\alpha_5 \bmod N). \tag{48}
\]
Recall that $(\alpha_1,\dots,\alpha_5)$ are chosen in initialize. We will consider the two subevents in game G8 separately via the following two claims.

Claim 27. One has $\Pr_8[\mathrm{Bad}'\text{-}1]\le Q_d\cdot\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. In game G8, the values of $(x_1,y_1,\dots,x_4,y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell=g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1,y_1,\dots,x_4,y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1,y_1,\dots,x_4,y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1},\dots,e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1x_1+\alpha_2y_1),(\alpha_2x_2+\alpha_3y_2),(\alpha_3x_3+\alpha_4y_3),(\alpha_4x_4+\alpha_5y_4) \bmod N$: for $j\in[4]$,
\[
\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^*r_\ell}\,T^{r_\ell\cdot(k_j^*-\alpha_jx_{i_\ell,j}-\alpha_{j+1}y_{i_\ell,j})+s_{\ell,j}} \bmod N^2\\
&= h_{i_\ell,j}^{r^*r_\ell}\,T^{r_\ell\cdot(\tilde k_j-\alpha_j\bar x_{i_\ell,j}-\alpha_{j+1}\bar y_{i_\ell,j})+s_{\ell,j}} \bmod N^2,
\qquad\text{where } \tilde k_j\triangleq k_j^*-\alpha_jx_j-\alpha_{j+1}y_j.
\end{aligned} \tag{49}
\]
If $\mathrm{Bad}'\text{-}1$ occurs, for concreteness say that $\alpha'_1/\alpha_1\neq\alpha'_2/\alpha_2 \bmod N$, then
\[
k_1=\alpha'_1x_{i,1}+\alpha'_2y_{i,1}+\gamma'_1=\alpha'_1x_1+\alpha'_2y_1+\alpha'_1\bar x_{i,1}+\alpha'_2\bar y_{i,1}+\gamma'_1 \bmod N, \tag{50}
\]
where $k_1$ is independent of $(\alpha_1x_1+\alpha_2y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k}=(k_1,k_2,k_3,k_4)$ where $k_1\leftarrow_\$\mathbb{Z}_N$, the probability of $\mathrm{AIAE.Decrypt}(\mathbf{k},\mathrm{aiaec},\mathrm{ai})\neq\bot$ is upper bounded by $\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathrm{Bad}'\text{-}1]\le Q_d\cdot\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.
Claim 28 One has Pr8[Bad1015840-2] le 119876119889 sdot Advweak-int-rkaAIAEDDH(120582)
Proof Similar to the discussion in the proof for the pre-vious claim in game G8 the only information about(1199091 1199101 1199094 1199104) mod119873 and klowast = (119896lowast1 119896lowast2 119896lowast3 119896lowast4 ) involvedis through encrypt which uses the value of 1 fl (119896lowast1 minus12057211199091minus12057221199101) 2 fl (119896lowast2 minus 12057221199092 minus 12057231199102) 3 fl (119896lowast3 minus 12057231199093 minus 12057241199103)4 fl (119896lowast4 minus 12057241199094 minus 12057251199104) mod119873 via computing (119890ℓ1 119890ℓ4)(see (49)) and also uses kℓ = 119903ℓ sdot(119896lowast1 119896lowast2 119896lowast3 119896lowast4 )+(119904ℓ1 119904ℓ4)as the encryption key of AIAEEncrypt
Note that because of the randomness of (1199091 1199101 11990941199104) mod119873 (1 2 3 4) are uniformly distributed andindependent of (119896lowast1 119896lowast2 119896lowast3 119896lowast4 ) Therefore it is possible toconstruct an algorithm to simulate decrypt and encryptof game G8 without k
lowast = (119896lowast1 119896lowast2 119896lowast3 119896lowast4 ) and (1199091 1199101 11990941199104) mod119873 The algorithm can also simulate AIAEEncryptas long as it has access to a weak-INT-Fraff -RKA encryptionoracle of the AIAEDDH scheme
More precisely we construct a PPT adversaryB2(parsAIAE) which has access to encryptAIAE oracleagainst the weak-INT-Fraff -RKA security of the AIAEDDH
scheme where parsAIAE = (119873 119901 119902 ) B2 does not chooseklowast = (119896lowast1 119896lowast2 119896lowast3 119896lowast4 ) in initialize any more and it implicitlysets klowast to be the encryption key used by its weak-INT-Fraff -RKA challenger B2 does not choose (1199091 1199101 11990941199104) mod119873 either and instead it chooses k = (1 2 34) uniformly from (Z119873)4 B2 picks (1199091 1199101 11990941199104) mod120601(119873)4 and (1199091198941 1199101198941 1199091198944 1199101198944) isin [lfloor11987324rfloor]119894 isin [119899] randomly To simulate encrypt B2 can use(119909119894ℓ 119895 119910119894ℓ 119895 119895)4119895=1 to compute (119890ℓ119895)4119895=1 via (49) and use(119909119894119895 119910119894119895)4119895=1 119894 isin [119899] to compute 119890ℓ Note that B2 is able tocompute 119905ℓ = 1198921198981205731 mod119873 even if 120573 = 1 because it knowsthe (mod120601(119873)4) part of sk119894 that is (119909119895 119910119895)4119895=1 mod120601(119873)4 and (119909119894119895 119910119894119895)4119895=1 mod120601(119873)4 119894 isin [119899] Then B2 submits(Ecℓ aiℓ ⟨119903ℓ sℓ = (119904ℓ1 119904ℓ4)⟩) to its own encryptAIAEoracle and obtains aiaecℓ The final ciphertext is ⟨aiℓaiaecℓ⟩ According to the weak-INT-Fraff -RKA securitygame the encryptAIAE oracle will encrypt Ecℓ withthe auxiliary input aiℓ under the transformed key kℓ =119903ℓ sdot klowast + sℓ that is the encryptAIAE oracle behavesas AIAEEncrypt(kℓEcℓ aiℓ) Thus B2rsquos simulation ofencrypt is identical to G8 For decrypt B2 answersdecryption queries with the (mod120601(119873)4) part of all thesecret keys and 120601(119873) = (119901 minus 1)(119902 minus 1) just like G8
Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ such that $\mathrm{Bad}'\text{-}2$ occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
$$\begin{aligned}
k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{= \bar{k}_j} - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j \underbrace{- r \cdot (\bar{k}_j - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}) + \gamma'_j}_{\triangleq s_j} = r \cdot k^*_j + s_j \bmod N.
\end{aligned} \qquad (51)$$
Security and Communication Networks 19
Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4) \rangle$ as above using $(\tilde{x}_{i,j}, \tilde{y}_{i,j}, \bar{k}_j)_{j=1}^4$ and outputs $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiaec})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.
(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathrm{ai}, \mathrm{aiaec} \rangle \neq \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiaec}) \neq (\mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathrm{aiaec}_\ell)$ will hold for all $\ell \in [Q_e]$, that is, $\mathcal{B}_2$ always outputs a fresh forgery.
(ii) Secondly, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$, it clearly holds that $\gamma'_j = r_\ell \cdot (\bar{k}_j - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot (\bar{k}_j - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}) + \gamma'_j = s_{\ell,j}$, and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously it satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.
(iii) Finally, if $\mathrm{Bad}'\text{-}2$ occurs in this decryption query, then $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) \neq \perp$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, will imply that $\mathcal{B}_2$'s forgery is successful.
By a union bound, we have that $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.
In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game $\mathrm{G}_9$. It is identical to $\mathrm{G}_8$ except for the following differences. In the initialize procedure of game $\mathrm{G}_9$, the challenger picks an independent $\hat{\mathbf{k}}^* = (\hat{k}^*_1, \hat{k}^*_2, \hat{k}^*_3, \hat{k}^*_4) \leftarrow_\$ (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathrm{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathrm{aiaec}_\ell$:
(i) $\hat{\mathbf{k}}_\ell := (r_\ell \hat{k}^*_1 + s_{\ell,1}, \ldots, r_\ell \hat{k}^*_4 + s_{\ell,4})$;
(ii) $\mathrm{aiaec}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\hat{\mathbf{k}}_\ell, \mathcal{E}.c_\ell, \mathrm{ai}_\ell)$.
We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.
In $\mathrm{G}_8$, the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,
$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell} \cdot T^{\,r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell} \cdot T^{\,r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \tilde{x}_{i_\ell,j} - \alpha_{j+1} \tilde{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned} \qquad (52)$$
Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Therefore the challenger could always employ another $\hat{\mathbf{k}}^* = (\hat{k}^*_1, \ldots, \hat{k}^*_4)$ in the computation of $\hat{\mathbf{k}}_\ell$ and utilize $\hat{\mathbf{k}}_\ell$ in the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption in the encrypt oracle, as in $\mathrm{G}_9$.
Then game $\mathrm{G}_8$ and game $\mathrm{G}_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathrm{Succ}] = \Pr_9[\mathrm{Succ}]$ and $\Pr_8[\mathrm{Bad}] = \Pr_9[\mathrm{Bad}]$.
Game $\mathrm{G}_{10}$. It is identical to $\mathrm{G}_9$ except for the way the challenger answers the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $\mathrm{G}_{10}$ the challenger computes $\mathrm{aiaec}_\ell$ in the following way:
(i) $\mathrm{aiaec}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\hat{\mathbf{k}}_\ell, 0^{\lambda_M}, \mathrm{ai}_\ell)$.
Observe that in $\mathrm{G}_9$ and $\mathrm{G}_{10}$, $\hat{\mathbf{k}}^*$ is employed only in the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption, where it uses $\hat{\mathbf{k}}_\ell = r_\ell \cdot \hat{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between $\mathrm{G}_9$ and $\mathrm{G}_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathrm{Succ}] - \Pr_{10}[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\mathrm{Bad}] - \Pr_{10}[\mathrm{Bad}]| \le \mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Finally, in $\mathrm{G}_{10}$ the challenger always computes the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathrm{Succ}] = 1/2$.
To complete the proof of Theorem 24, we only need to prove the following lemma.
Lemma 29. One has $\Pr_{10}[\mathrm{Bad}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda)$.
Proof. In $\mathrm{G}_{10}$, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathrm{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g\, g_j \bmod \phi(N)/4$ for some base $g \in \mathrm{SCR}_{N^s}$, $j \in [5]$.
Bad is further divided into the following two disjoint subevents:
(i) Bad-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying
Conditions (42) (43) and (12057210158401 = sdot sdot sdot = 12057210158405 = 0) and (1= 0 or sdot sdot sdot or 8 = 0) and ( 11199081
= 21199082
or 31199082
= 41199083
or 51199083
= 61199084
or 71199084
= 81199085
) (53)
(ii) Bad-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying
Conditions (42) (43) and (12057210158401 = sdot sdot sdot = 12057210158405 = 0) and (1= 0 or sdot sdot sdot or 8 = 0) and ( 11199081
= 21199082
and 31199082
= 41199083
and 51199083
= 61199084
and 71199084
= 81199085
) (54)
We will analyze the two subevents in game $\mathrm{G}_{10}$ separately via the following two claims.
Claim 30. One has $\Pr_{10}[\mathrm{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Proof If Bad-1 occurs for concreteness say that 11199081 =21199082 then1198921198981 = 11989211199091198941+21199101198941+sdotsdotsdot1= 11989211199091+21199101+11199091198941+21199101198941+sdotsdotsdotmod120601(119873)4
1 mod119873 (55)
and (11199091 + 21199101) mod120601(119873)4 is independent of (11990811199091 +11990821199101) mod120601(119873)4 Thus 1198921198981 is uniformly distributed overSCR119873119904 from Arsquos view and 119905 = 1198921198981 mod119873 will not holdexcept with negligible probability 2minusΩ(120582)
Then, according to a union bound, $\Pr_{10}[\mathrm{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\mathrm{Bad}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.
Proof. In game $\mathrm{G}_{10}$, if Bad-2 occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathrm{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathrm{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys just the same way as initialize in $\mathrm{G}_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $\mathrm{G}_{10}$ does. Furthermore, $z'_j$ is hidden by $z_j$ perfectly from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g\, h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g\, g_j = z_j + w z'_j \bmod \phi(N)/4$.
If Bad-2 occurs in decrypt for concreteness say that11199081 = 21199082 = 0 mod120601(119873)4 that is 11989221 = 11989212 = 1then B3 can compute 119908 by solving the equation 11990812 =11990821 mod120601(119873)4 or equivalently
11991112 + 119908119911101584012 = 11991121 + 119908119911101584021mod120601 (119873)4 (56)
Since 1199111015840119895 is hidden from the point of view of A (119911101584012 minus119911101584021) mod120601(119873)4 is multiplicative invertible except withnegligible probability 2minusΩ(120582) Thus B3 will succeed in com-puting the discrete logarithm of ℎ based on 119892 and output119908 =(119911101584012 minus 119911101584021)minus1 sdot (11991121 minus 11991112) mod120601(119873)4 to its challengerClearly we have Pr10[Bad-2] le AdvdlGenNB3(120582) + 2minusΩ(120582)
In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.
In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with n-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA Security
5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], that is, polynomial-sized circuits computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathrm{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathrm{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.
5.2. Reducing Polynomials of 8n Variables to Polynomials of 8 Variables
How to Reduce the 8n-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.
The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathrm{sk}_i$ could be computed as $x_{i,j} := x_j + \tilde{x}_{i,j}$ and $y_{i,j} := y_j + \tilde{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$x_{i,j} = x_{i_\ell,j} + \tilde{x}_{i,j} - \tilde{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \tilde{y}_{i,j} - \tilde{y}_{i_\ell,j}. \qquad (57)$$
Consequently, $f_\ell$ in $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$\begin{aligned}
f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) &= f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \tilde{x}_{i,j} - \tilde{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \tilde{y}_{i,j} - \tilde{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) \\
&= f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}.
\end{aligned} \qquad (58)$$
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$.
How to Determine the Coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:
(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \tilde{x}_{i,j} - \tilde{x}_{i_\ell,j},\ y_{i_\ell,j} + \tilde{y}_{i,j} - \tilde{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.
Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1, \ldots, c_8)}$ can be extracted by solving a linear system of equations:
$$f_\ell\big((x_{i_\ell,j} + \tilde{x}_{i,j} - \tilde{x}_{i_\ell,j},\ y_{i_\ell,j} + \tilde{y}_{i,j} - \tilde{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \qquad (59)$$
The overall time complexity for computing the coefficients $a_{(c_1, \ldots, c_8)}$ is polynomial in $\lambda$.
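The reduction of Section 5.2 carried out on a constructed instance, as an added example that is not the paper's code: a degree-2 circuit in the $8n = 16$ entries of two keys is queried at random points of the form (57), and its coefficients as a polynomial in $\mathrm{sk}_{i_\ell}$ alone are recovered by solving the linear system (59). The toy modulus, taking key entries and circuit arithmetic mod $N$, and the example circuit `example_circuit` are assumptions made for the demonstration.

```python
import random
from itertools import combinations_with_replacement
from math import gcd

# Constructed toy modulus N = pq (assumption); key entries and the circuit are taken mod N here.
N = 1000003 * 1000033
NV = 8                 # one key sk_i = (x_{i,1}, y_{i,1}, ..., x_{i,4}, y_{i,4}) has 8 entries
rng = random.Random(2017)


def monomials(d):
    """Degree tuples (c_1..c_8) with 0 <= c_1+...+c_8 <= d: C(8+d, 8) of them, as in (58)."""
    out = []
    for deg in range(d + 1):
        for combo in combinations_with_replacement(range(NV), deg):
            c = [0] * NV
            for k in combo:
                c[k] += 1
            out.append(tuple(c))
    return out


def eval_monomial(c, point):
    val = 1
    for ck, vk in zip(c, point):
        val = val * pow(vk, ck, N) % N
    return val


def solve_mod_n(A, b):
    """Gauss-Jordan elimination mod N. Returns None when no invertible pivot exists
    (for random evaluation points this happens with probability about 1/min(p, q))."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if gcd(M[r][col], N) == 1), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, N)
        M[col] = [v * inv % N for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(vr - f * vc) % N for vr, vc in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]


def shifted_input(point, shifts, i_l):
    """Eq. (57): every sk_i equals sk_{i_l} plus a known shift difference, so the whole
    8n-entry circuit input is determined by the 8 entries of sk_{i_l} alone."""
    return [(point[k] + shifts[i][k] - shifts[i_l][k]) % N
            for i in range(len(shifts)) for k in range(NV)]


def reduce_to_8_variables(circuit, d, shifts, i_l):
    """Section 5.2: recover the coefficients a_{(c_1..c_8)} of f'_l from black-box access
    to f_l (the modular arithmetic circuit) and the shifts chosen in initialize.  Each
    evaluation at a random point yields one linear equation (59) in the coefficients."""
    mons = monomials(d)
    while True:
        pts = [[rng.randrange(N) for _ in range(NV)] for _ in mons]
        A = [[eval_monomial(c, pt) for c in mons] for pt in pts]
        b = [circuit(shifted_input(pt, shifts, i_l)) % N for pt in pts]
        coeffs = solve_mod_n(A, b)
        if coeffs is not None:
            return {c: a for c, a in zip(mons, coeffs) if a}


def eval_reduced(coeffs, point):
    """f'_l at a point of 8 variables, from the recovered coefficients."""
    return sum(a * eval_monomial(c, point) for c, a in coeffs.items()) % N


# Constructed instance (hypothetical): n = 2 keys, so 16 circuit inputs; degree d = 2; i_l = 0.
def example_circuit(v):
    # f_l(sk_1, sk_2) = 3 * x_{1,1} * y_{2,1} + y_{1,3}^2 + 11 * x_{2,3} + 5
    return 3 * v[0] * v[9] + v[5] * v[5] + 11 * v[12] + 5


SHIFTS = [[rng.randrange(N) for _ in range(NV)] for _ in range(2)]   # the (x~, y~) of initialize
REDUCED = reduce_to_8_variables(example_circuit, 2, SHIFTS, 0)
```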
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \qquad (60)$$
Algorithms $\mathcal{E}.\mathrm{Encrypt}$ and $\mathcal{E}.\mathrm{Decrypt}$ are shown in Figure 9.
Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathrm{G}_3$-$\mathrm{G}_4$, which are related to the building block $\mathcal{E}$. Next we will replace $\mathrm{G}_3$-$\mathrm{G}_4$ with the following hybrids (i.e., Hybrid 1 to Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathrm{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathrm{Encrypt}(\mathrm{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \tilde{x}_{i,j}$ and $y_{i,j} := y_j + \tilde{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathrm{G}_2$ in the proof of Theorem 24.
Hybrid 1. Using $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \qquad (61)$$
Hybrid 2. Implement $\mathcal{E}.\mathrm{Encrypt}$ using $\mathrm{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathrm{G}_3$ in the proof of Theorem 24.
(i) Invoke $\mathcal{E}.\mathrm{Encrypt}$ to set up table.
(ii) Invoke $\mathcal{E}.\mathrm{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from table.
(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Clearly $\tilde{v}_0, \ldots, \tilde{v}_8$ computed via $\mathcal{E}.\mathrm{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathrm{Encrypt}$. Therefore this is just a conceptual change.
Hybrid 3. This hybrid corresponds to $\mathrm{G}_4$ in the proof of Theorem 24.
[Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. $\mathcal{E}.\mathrm{Encrypt}(\mathrm{pk} = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \ldots, 8\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; table is the $9 \times 8$ array with row 0 equal to $(u_{0,1}, \ldots, u_{0,8})$ and, for $l \ge 1$, row $l$ equal to $(u_{l,1}, \ldots, u_{l,8})$ with its $l$-th entry replaced by $u_{l,l} \cdot v_{l-1}$; $e = v_8 \cdot T^m \bmod N^s$; $t = g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = (\mathrm{table}, e, t)$. $\mathcal{E}.\mathrm{Decrypt}(\mathrm{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.c)$: parse $\mathcal{E}.c = (\mathrm{table}, e, t)$; $\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; $\tilde{v}_1 = (u_{1,1}/\tilde{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} \cdots u_{1,8}^{-y_4}$; $\tilde{v}_2 = u_{2,1}^{-x_1} (u_{2,2}/\tilde{v}_1)^{-y_1} u_{2,3}^{-x_2} \cdots u_{2,8}^{-y_4}$; $\ldots$; $\tilde{v}_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} \cdots u_{8,7}^{-x_4} (u_{8,8}/\tilde{v}_7)^{-y_4}$; if $e/\tilde{v}_8 \in \mathrm{RU}_N$, $m = \mathrm{dlog}_T(e/\tilde{v}_8) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\perp$.]
[Figure 10: Security proof of $\mathcal{E}.\mathrm{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$: the $\mathcal{E}.\mathrm{Encrypt}$ part of encrypt on input $(f, i \in [n])$ in Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form). All four build table from rows $(u_{l,1}, \ldots, u_{l,8})$ and titles $v_l$ as in Figure 9, the entry $u_{1,1} \cdot v_0$ becoming $u_{1,1} T^a \cdot v_0$ from Hybrid 3 on; Hybrids 2 and 3 recover $\tilde{v}_0, \ldots, \tilde{v}_8$ as in $\mathcal{E}.\mathrm{Decrypt}$ and set $e = \tilde{v}_8 \cdot T^{f'((x_j, y_j)_{j \in [4]})} \bmod N^s$, whereas Hybrid 3 (Equivalent Form) sets $e = v_8 \bmod N^s$; in all cases $t = g_1^{f'((x_j, y_j)_{j \in [4]})} \bmod N \in \mathbb{Z}_N$.]
(i) table is computed similarly as that in $\mathcal{E}.\mathrm{Encrypt}$ except for a small difference. More precisely, in table the entry located in row 1 and column 1 is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathrm{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from table.
(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) table is computed similarly as that in $\mathcal{E}.\mathrm{Encrypt}$ except for a small difference. More precisely, the entry located in row 1 and column 1 in table is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathrm{Encrypt}$ any more.
After these computationally indistinguishable changes, the $\mathcal{E}.\mathrm{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $\mathrm{G}_7$-$\mathrm{G}_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in table are elements of $\mathrm{SCR}_{N^s}$. If this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathrm{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}.\mathrm{Encrypt}$ and $\mathcal{E}.\mathrm{Decrypt}$ are shown in Figure 11.
Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.
For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathrm{table}(\mathbf{c})$ and $v(\mathbf{c})$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.
Meanwhile, with the help of the secret key $\mathrm{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}(\mathbf{c}) = v(\mathbf{c})$ from $\mathrm{table}(\mathbf{c})$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathrm{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathrm{G}_3$-$\mathrm{G}_4$. Next we will replace $\mathrm{G}_3$-$\mathrm{G}_4$ with the following hybrids (Hybrid 1 to Hybrid 3). Specifically, the $\mathcal{E}.\mathrm{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathrm{Encrypt}(\mathrm{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \tilde{x}_{i,j}$ and $y_{i,j} := y_j + \tilde{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathrm{G}_2$ in the proof of Theorem 24.
Hybrid 1. Using $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \qquad (62)$$
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.
Hybrid 2. Implement $\mathcal{E}.\mathrm{Encrypt}$ using $\mathrm{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathrm{G}_3$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$;
(2) invoke $\tilde{v}(\mathbf{c}) \leftarrow \mathrm{CalculateV}(\mathrm{sk}_{i_\ell}, \mathrm{table}(\mathbf{c}), \mathbf{c})$.
(ii) Employ $(\tilde{v}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ rather than $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
[Figure 11: (a) $\mathcal{E}.\mathrm{Encrypt}$ (left) and $\mathcal{E}.\mathrm{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) TableGen, which generates $\mathrm{table}(\mathbf{c})$ together with a title $v(\mathbf{c})$; (c) CalculateV, which calculates a title $\tilde{v}(\mathbf{c})$ from $\mathrm{table}(\mathbf{c})$ using the secret key. (a) $\mathcal{E}.\mathrm{Encrypt}(\mathrm{pk}, m)$: for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathrm{TableGen}(\mathrm{pk}, \mathbf{c})$; $e = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^m \bmod N^s$; $t = g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = ((\mathrm{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$. $\mathcal{E}.\mathrm{Decrypt}(\mathrm{sk}, \mathcal{E}.c)$: parse $\mathcal{E}.c = ((\mathrm{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$; for each $\mathbf{c} \in \mathcal{S}$, $\tilde{v}(\mathbf{c}) \leftarrow \mathrm{CalculateV}(\mathrm{sk}, \mathrm{table}(\mathbf{c}), \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}))^{-1} \in \mathrm{RU}_N$, $m = \mathrm{dlog}_T(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}))^{-1}) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\perp$. (b) $\mathrm{TableGen}(\mathrm{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: for each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; $\mathrm{table}(\mathbf{c})$ has row 0 equal to $(u_{0,1}, \ldots, u_{0,8})$, the next $c_1$ rows ($l = 1, \ldots, c_1$) equal to $(u_{l,1} \cdot v_{l-1}, u_{l,2}, \ldots, u_{l,8})$, the next $c_2$ rows ($l = c_1 + 1, \ldots, c_1 + c_2$) equal to $(u_{l,1}, u_{l,2} \cdot v_{l-1}, \ldots, u_{l,8})$, and so on, the last $c_8$ rows ($l = \sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j$) equal to $(u_{l,1}, \ldots, u_{l,7}, u_{l,8} \cdot v_{l-1})$; output $(\mathrm{table}(\mathbf{c}), v(\mathbf{c}) = v_{\sum_{j=1}^8 c_j})$. (c) $\mathrm{CalculateV}(\mathrm{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathrm{table}(\mathbf{c}), \mathbf{c} = (c_1, \ldots, c_8))$: parse $\mathrm{table}(\mathbf{c}) = (u_{l,1}, \ldots, u_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$; $\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; for each $l \in \{1, \ldots, c_1\}$, $\tilde{v}_l = (u_{l,1}/\tilde{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; for each $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$, $\tilde{v}_l = u_{l,1}^{-x_1} (u_{l,2}/\tilde{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; $\ldots$; for each $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$, $\tilde{v}_l = u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (u_{l,8}/\tilde{v}_{l-1})^{-y_4}$; output $\tilde{v}(\mathbf{c}) = \tilde{v}_{\sum_{j=1}^8 c_j}$.]
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}(\mathbf{c})$ computed via CalculateV is the same as $v(\mathbf{c})$ computed via TableGen. Therefore this change is just conceptual.
Hybrid 3. This hybrid corresponds to $\mathrm{G}_4$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) $\mathrm{table}(\mathbf{c})$ is computed by $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$ except for a small difference; more precisely, in $\mathrm{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$; by the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable;
(2) extract $\tilde{v}(\mathbf{c})$ from the (modified) $\mathrm{table}(\mathbf{c})$ by invoking $\tilde{v}(\mathbf{c}) \leftarrow \mathrm{CalculateV}(\mathrm{sk}_{i_\ell}, \mathrm{table}(\mathbf{c}), \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$\tilde{v}(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1, \ldots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \qquad (63)$$
Hence
$$\begin{aligned}
e &= \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \\
&= \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \ldots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta}.
\end{aligned} \qquad (64)$$
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathrm{table}(\mathbf{c})$ is computed by $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in $\mathrm{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathrm{Encrypt}$ any more.
After these computationally indistinguishable changes, the $\mathcal{E}.\mathrm{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
With an argument similar to that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
Appendix
A. Proof of Claim 19
We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_{\$} \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathrm{pars}_{AE}$ and has access to the oracle $\mathrm{encrypt}_{AE}(\cdot) = \mathrm{AE.Encrypt}(\kappa, \cdot)$ for one time.
Firstly, $\mathcal{B}$ prepares $\mathrm{pars}_{AIAE}$ in the same way as in $G'_{1,j}$. That is, invoke $\mathrm{pars}_{THPS} \leftarrow_{\$} \mathrm{THPS.Setup}(1^\lambda)$, pick $H \leftarrow_{\$} \mathcal{H}$ randomly, and set $\mathrm{pars}_{AIAE} := (\mathrm{pars}_{THPS}, \mathrm{pars}_{AE}, H)$. $\mathcal{B}$ sends $\mathrm{pars}_{AIAE}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $hk \leftarrow_{\$} \mathcal{HK}$.
As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, ai_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way.
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$, and invokes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := H(C_\ell, ai_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot hk + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $hk$ at all, and instead it will resort to its own $\mathrm{encrypt}_{AE}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := H(C_j, ai_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, queries its $\mathrm{encrypt}_{AE}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathrm{encrypt}_{AE}(\cdot)$ oracle, we have $\chi_j \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $G'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $G'_{1,j}$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(ai_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(ai_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, ai_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.
Finally, $\mathcal{A}$ sends a forgery $(ai^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows.
(i) If $(ai^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (ai_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $ai_\ell = ai^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := H(C^*, ai^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, ai_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, ai_\ell) \neq (C^*, ai^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
26 Security and Communication Networks
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ will imply that $(ai^*, f^*, C^*) = (ai_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$ together imply that $\chi^* \neq \chi_j$ and $\mathrm{AE.Decrypt}(\kappa, \chi^*) \neq \bot$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.
In summary, $\mathcal{B}$ perfectly simulates $G'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE},\mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathrm{chal}^b_{\mathrm{IV}_5}}(N, g_1, \dots, g_5)$ to solve the $\mathrm{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates E.Encrypt as follows.
(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \dots, u_{0,8})$ and $V_0$ as in Hybrids 2 and 3.
(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.
$\mathcal{B}$ sets $\hat{u}_{1,1} := u^*_{1,1} \cdot V_0$, which is $\hat{u}_{1,1} = u_{1,1} \cdot V_0$ if $b = 0$ and $\hat{u}_{1,1} = u_{1,1} T^{a} \cdot V_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \dots, u_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be
$$(\hat{u}_{1,1} = u^*_{1,1} \cdot V_0,\ u^*_{1,2},\ u_{1,3},\ \cdots,\ u_{1,8}). \qquad (\mathrm{B.1})$$
$\mathcal{B}$ also computes $V^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \dots, u_{1,8})$ via $V^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $V^*_1 = V_1$, or
Case ($b = 1$): $V^*_1 = V_1 T^{-a \cdot x_{i_\ell,1}}$.
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets $\hat{u}_{2,2} := u^*_{2,2} \cdot V^*_1$, that is, $\hat{u}_{2,2} = u_{2,2} \cdot V_1$ if $b = 0$, and $\hat{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(V_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot V_1$ if $b = 1$. Thus $\hat{u}_{2,2} = u_{2,2} \cdot V_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \dots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
$$(u^*_{2,1},\ \hat{u}_{2,2} = u^*_{2,2} \cdot V^*_1,\ u_{2,3},\ \cdots,\ u_{2,8}). \qquad (\mathrm{B.2})$$
$\mathcal{B}$ also computes $V^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \dots, u_{2,8})$ via $V^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $V^*_2 = V_2$, or
Case ($b = 1$): $V^*_2 = V_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.
(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets $\hat{u}_{3,3} := u^*_{3,3} \cdot V^*_2$; similarly, it is easy to check that $\hat{u}_{3,3} = u_{3,3} \cdot V_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be
$$(u_{3,1},\ u_{3,2},\ \hat{u}_{3,3} = u^*_{3,3} \cdot V^*_2,\ u^*_{3,4},\ u_{3,5},\ \cdots,\ u_{3,8}). \qquad (\mathrm{B.3})$$
$\mathcal{B}$ also computes $V^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \dots, u_{3,8})$ via $V^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $V^*_3 = V_3$, or
Case ($b = 1$): $V^*_3 = V_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.
(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.
(vi) Finally, $\mathcal{B}$ computes $V_0, \dots, V_8$ from table just as in Hybrids 2 and 3 (also as the original E.Decrypt algorithm) and computes $e := V_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.
If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathrm{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
References
[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
(ii) For the $\ell$th ($\ell \in [j+1, Q_e]$) query, encrypt can use $pk = \mu(hk)$ to compute $\kappa_\ell$:
$$\begin{aligned} \kappa_\ell &= \Lambda_{a_\ell \cdot hk + \mathbf{b}_\ell}(C_\ell, t_\ell), \quad C_\ell \leftarrow_{\$} \mathcal{V} \text{ with witness } w_\ell \\ &= (\Lambda_{hk}(C_\ell, t_\ell))^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) \quad \text{via key-homomorphism} \\ &= (\mathrm{THPS.Pub}(pk, C_\ell, w_\ell, t_\ell))^{a_\ell} \cdot \Lambda_{\mathbf{b}_\ell}(C_\ell, t_\ell) \quad \text{via projective property.} \end{aligned} \qquad (16)$$
(iii) For the $j$th query, encrypt uses $\Lambda_{hk}(C_j, t_j)$ to compute $\kappa_j$:
$$\begin{aligned} \kappa_j &= \Lambda_{a_j \cdot hk + \mathbf{b}_j}(C_j, t_j), \quad C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V} \\ &= (\Lambda_{hk}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \quad \text{via key-homomorphism.} \end{aligned} \qquad (17)$$
Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{hk}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $pk = \mu(hk)$. Then as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{hk}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also randomly distributed over $\mathcal{K}$. Consequently, $G'_{1,j}$ is essentially the same as $G''_{1,j}$, and $\Pr'_{1,j}[\mathsf{Succ}] = \Pr''_{1,j}[\mathsf{Succ}]$.
Now we show that game $G''_{1,j}$ is computationally indistinguishable from game $G_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $G''_{1,j}$ and $G_{1,j+1}$ lies in the distribution of $C_j$ in the $j$th encrypt query. In game $G''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$; in game $G_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr''_{1,j}[\mathsf{Succ}] - \Pr_{1,j+1}[\mathsf{Succ}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.
Game $G_2$. It is identical to $G_{1,Q_e+1}$, except that when answering encrypt queries, the challenger invokes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$.
In game $G_{1,Q_e+1}$, the challenger computes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, m_{\ell,\beta})$; in game $G_2$, the challenger computes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, 0^{|m_{\ell,0}|})$. Since each $\kappa_\ell$, $\ell \in [Q_e]$, is chosen from $\mathcal{K}$ uniformly at random, by a standard hybrid argument any difference between $G_{1,Q_e+1}$ and $G_2$ results in a PPT adversary against the IND-OT security of AE, so that $|\Pr_{1,Q_e+1}[\mathsf{Succ}] - \Pr_2[\mathsf{Succ}]| \le Q_e \cdot \mathrm{Adv}^{\mathrm{ind\text{-}ot}}_{\mathrm{AE}}(\lambda)$.
Finally, in game $G_2$, since the challenge ciphertexts are encryptions of $0^{|m_{\ell,0}|}$, $\beta$ is perfectly hidden to $\mathcal{A}$. So $\Pr_2[\mathsf{Succ}] = 1/2$.
Summing up, we proved the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security).
Proof of Theorem 15 (Weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA Security). Denote by $\mathcal{A}$ a PPT adversary who is against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security and queries the encrypt oracle for at most $Q_e$ times. Similarly, the proof goes through a series of games, which are defined analogously to those of the previous proof.
Game $G_0$. It is the original weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, ai_\ell, f_\ell)$, the challenger computes the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in similar steps as the previous proof and outputs $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, the challenger will put $(ai_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to a set $\mathcal{Q}_{\mathrm{ENC}}$, put $(ai_\ell, f_\ell)$ to a set $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and put $(C_\ell, ai_\ell, t_\ell)$ to a set $\mathcal{Q}_{\mathrm{TAG}}$. In the end, the adversary outputs a forgery $(ai^*, f^*, \langle C^*, \chi^* \rangle)$, where $f^* = \langle a^*, \mathbf{b}^* \rangle$, and the challenger invokes the finalize procedure as follows.
(i) If $(ai^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, output 0.
(ii) If $\exists (ai_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $ai_\ell = ai^*$ but $f_\ell \neq f^*$, output 0.
(iii) If $C^* \notin \mathcal{C}$, output 0.
(iv) Compute $t^* := H(C^*, ai^*) \in \mathcal{T}$ and $\kappa^* := \Lambda_{a^* \cdot hk + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$.
Output $(\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot)$.
Denote the event that finalize outputs 1 by $\mathsf{Forge}$. According to the definition, $\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE},\mathcal{A}}(\lambda) = \Pr_0[\mathsf{Forge}]$.
Game $G_1$. It is identical to $G_0$, except that the following rule is added to the procedure finalize by the challenger.
(i) If $\exists (C_\ell, ai_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, ai_\ell) \neq (C^*, ai^*)$, output 0.
Since $t_\ell = H(C_\ell, ai_\ell)$ and $t^* = H(C^*, ai^*)$, any difference between $G_0$ and $G_1$ implies a hash collision of $H$. So $|\Pr_0[\mathsf{Forge}] - \Pr_1[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{cr}}_{H}(\lambda)$.
Game $G_{1,j}$, $j \in [Q_e + 1]$. It is identical to $G_1$, except that for the first $j-1$ encrypt queries, that is, $\ell \in [j-1]$, the challenger chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ uniformly for the AE scheme.
Clearly $G_{1,1}$ is identical to $G_1$; thus $\Pr_1[\mathsf{Forge}] = \Pr_{1,1}[\mathsf{Forge}]$.
Game $G'_{1,j}$, $j \in [Q_e]$. It is identical to $G_{1,j}$, except that for the $j$th encrypt query, the challenger samples $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ uniformly.
The difference between $G_{1,j}$ and $G'_{1,j}$ lies in the distribution of $C_j$. In game $G_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{V}$; in game $G'_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$. Any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS. We emphasize that the PPT adversary (simulator) is able to check the occurrence of $\mathsf{Forge}$ in an efficient way, because the key $hk$ can be chosen by the simulator itself. Consequently, the difference between $G_{1,j}$ and $G'_{1,j}$ can be reduced to the subset membership problem smoothly.
Lemma 17. For all $j \in [Q_e]$, $|\Pr_{1,j}[\mathsf{Forge}] - \Pr'_{1,j}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.
Proof. To bound the difference between $G_{1,j}$ and $G'_{1,j}$, we build an efficient adversary $\mathcal{B}$ solving the subset membership problem. Given $(\mathrm{pars}_{THPS}, C)$, where $\mathrm{pars}_{THPS} \leftarrow_{\$} \mathrm{THPS.Setup}(1^\lambda)$, $\mathcal{B}$ aims to distinguish $C \leftarrow_{\$} \mathcal{V}$ from $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.
$\mathcal{B}$ simulates $G_{1,j}$ or $G'_{1,j}$ for $\mathcal{A}$. Firstly, $\mathcal{B}$ invokes $\mathrm{pars}_{AE} \leftarrow_{\$} \mathrm{AE.ParGen}(1^\lambda)$, picks $H \leftarrow_{\$} \mathcal{H}$ randomly, and sends $\mathrm{pars}_{AIAE} := (\mathrm{pars}_{THPS}, \mathrm{pars}_{AE}, H)$ to $\mathcal{A}$. Next, $\mathcal{B}$ chooses $hk \leftarrow_{\$} \mathcal{HK}$.
As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, ai_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way.
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $G_{1,j}$ and $G'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ randomly, and invokes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $G_{1,j}$ and $G'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := H(C_\ell, ai_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot hk + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ embeds its own challenge $C$ into $C_j$, that is, $C_j := C$. Then it computes $t_j := H(C_j, ai_j)$ and $\kappa_j := \Lambda_{a_j \cdot hk + \mathbf{b}_j}(C_j, t_j)$, and invokes $\chi_j \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_j, m_j)$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(ai_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(ai_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, ai_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.
Obviously, $\mathcal{B}$ simulates $G_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{V}$ and simulates $G'_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$. Finally, $\mathcal{A}$ sends a forgery $(ai^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. Then $\mathcal{B}$ decides whether finalize outputs 1 or not with the help of $hk$.
(i) If $(ai^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ outputs 0 (to its own challenger).
(ii) If $\exists (ai_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $ai_\ell = ai^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ outputs 0.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ outputs 0.
(iv) $\mathcal{B}$ computes $t^* := H(C^*, ai^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, ai_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, ai_\ell) \neq (C^*, ai^*)$, $\mathcal{B}$ outputs 0.
(vi) $\mathcal{B}$ computes $\kappa^* := \Lambda_{a^* \cdot hk + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$ and outputs $(\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot)$.
With the help of $hk$, $\mathcal{B}$ is able to perfectly simulate finalize just like that in both $G_{1,j}$ and $G'_{1,j}$. Moreover, $\mathcal{B}$ outputs 1 to its own challenger if and only if the event $\mathsf{Forge}$ occurs. As a result, we have that $|\Pr_{1,j}[\mathsf{Forge}] - \Pr'_{1,j}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS},\mathcal{B}}(\lambda)$.
Game $G''_{1,j}$, $j \in [Q_e]$. It is identical to $G'_{1,j}$, except that for the $j$th encrypt query, the challenger chooses $\kappa_j \leftarrow_{\$} \mathcal{K}$ randomly.
Lemma 18. For all $j \in [Q_e]$, $\Pr'_{1,j}[\mathsf{Forge}] \le \Pr''_{1,j}[\mathsf{Forge}] + \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda)$.
Proof. For game $G'_{1,j}$ and game $G''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$th encrypt query. In $G'_{1,j}$, $\kappa_j$ is properly computed; in $G''_{1,j}$, $\kappa_j$ is chosen from $\mathcal{K}$ uniformly.
We consider the information about the key $hk$ that is used in $G'_{1,j}$.
(i) For the $\ell$th ($\ell \in [j-1]$) query, encrypt does not use $hk$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.
(ii) For the $\ell$th ($\ell \in [j+1, Q_e]$) query, similar to the proof of Lemma 16, encrypt can use $pk = \mu(hk)$ to compute $\kappa_\ell$.
(iii) For the $j$th query, similar to the proof of Lemma 16, encrypt uses $\Lambda_{hk}(C_j, t_j)$ to compute $\kappa_j$:
$$\begin{aligned} \kappa_j &= \Lambda_{a_j \cdot hk + \mathbf{b}_j}(C_j, t_j), \quad C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V} \\ &= (\Lambda_{hk}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \quad \text{via key-homomorphism.} \end{aligned} \qquad (18)$$
(iv) The finalize procedure, which defines the event $\mathsf{Forge}$, uses $\Lambda_{hk}(C^*, t^*)$ to compute $\kappa^*$:
$$\kappa^* = \Lambda_{a^* \cdot hk + \mathbf{b}^*}(C^*, t^*) = (\Lambda_{hk}(C^*, t^*))^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) \quad \text{via key-homomorphism.} \qquad (19)$$
We divide the event $\mathsf{Forge}$ into the following two subevents.
(i) Subevent $\mathsf{Forge} \wedge t_j \neq t^*$. Let us first consider the event $t_j \neq t^*$. We show that
$$\Pr'_{1,j}[t_j \neq t^*] = \Pr''_{1,j}[t_j \neq t^*]. \qquad (20)$$
By the fact that $C_j \in \mathcal{C} \setminus \mathcal{V}$ and by the universal$_2$ property of THPS, $\Lambda_{hk}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $pk = \mu(hk)$. Then as long as $a_j \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{hk}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also randomly distributed over $\mathcal{K}$. Hence $G'_{1,j}$ is the same as $G''_{1,j}$ before $\mathcal{A}$ queries finalize, and consequently $t_j \neq t^*$ occurs with the same probability in $G'_{1,j}$ and $G''_{1,j}$.
Next we consider the event $\mathsf{Forge}$ conditioned on $t_j \neq t^*$. We show that
$$\Pr'_{1,j}[\mathsf{Forge} \mid t_j \neq t^*] = \Pr''_{1,j}[\mathsf{Forge} \mid t_j \neq t^*]. \qquad (21)$$
Since 119905119895 = 119905lowast and 119862119895 isin C V by the universal2property of THPS Λ hk(119862119895 119905119895) is uniformly distributed overK conditioned on pk = 120583(hk) andΛ hk(119862lowast 119905lowast)With a similarargument 120581119895 is also randomly distributed over K HenceG10158401119895 is the same as G10158401015840
1119895 when 119905119895 = 119905lowast and consequently theprobability that Forge occurs inG1015840
1119895 andG101584010158401119895 conditioned on119905119895 = 119905lowast is the same
In conclusion we have that
Pr11198951015840 [Forge and 119905119895 = 119905lowast] = Pr111989510158401015840 [Forge and 119905119895 = 119905lowast]le Pr111989510158401015840 [Forge] (22)
(ii) Subevent Forge and 119905119895 = 119905lowast By the new rule addedin game G1 Forge and 119905119895 = 119905lowast will imply (119862119895 ai119895) =(119862lowast ailowast) In addition Forge and ai119895 = ailowast will imply that119891119895 = 119891lowast due to the special rule in the weak-INT-Fraff -RKAgame (see Figure 4) Then it is straightforward to check thatΛ hk(119862119895 119905119895) = Λ hk(119862lowast 119905lowast) and
120581119895 = (Λ hk (119862119895 119905119895))119886119895 sdot Λ b119895(119862119895 119905119895)
= (Λ hk (119862lowast 119905lowast))119886lowast sdot Λ blowast (119862lowast 119905lowast) = 120581lowast (23)
Since 119862119895 isin C V by the universal2 property of THPSΛ hk(119862119895 119905119895) (= Λ hk(119862lowast 119905lowast)) is uniformly distributed over Kconditioned on pk = 120583(hk) Then as long as 119886119895 (which equals119886lowast) isin Zlowast
|K| 120581119895 (which equals 120581lowast) is also randomly distributedover K Also in this subevent (ailowast 119891lowast 119862lowast) = (ai119895 119891119895 119862119895)implies 120594lowast = 120594119895 thus the probability ofAEDecrypt(120581lowast 120594lowast) =perp is bounded by Advint-otAE (120582) So we have the followingclaim We present the full description of the reduction inAppendix A
Claim 19 One has Pr11198951015840[Forge and 119905119895 = 119905lowast] le Advint-otAE (120582)Combining the above two subevents together Lemma 18
follows
Now we show that game G101584010158401119895 is computationally indis-
tinguishable from game G1119895+1 119895 isin [119876119890] Note that thedivergence between G10158401015840
1119895 and G1119895+1 lies in the distribution of119862119895 in the 119895th encrypt query In game G101584010158401119895 119862119895 is uniformly
chosen from C V in game G1119895+1 119862119895 is uniformly chosenfrom V Similar to Lemma 17 any difference between thesetwo games results in a PPT adversary solving the subsetmembership problem related to THPS thus we have that|Pr111989510158401015840[Forge] minus Pr1119895+1[Forge]| le Adv
smpTHPS
(120582)Finally in gameG1119876119890+1
note that the challenger does notuse hk to compute 120581ℓ at all thus hk is uniformly random toA Consequently in the finalize procedure we have
120581lowast = (Λ hk (119862lowast 119905lowast))119886lowast sdot Λ blowast (119862lowast 119905lowast) (24)
By the extracting property of THPSΛ hk(119862lowast 119905lowast) is uniformlyrandom over K Therefore as long as 119886lowast isin Zlowast
|K| 120581lowast isuniformly random over K as well Hence the probability of
AEDecrypt(120581lowast 120594lowast) =perp is bounded by Advint-otAE (120582) and wehave Pr1119876119890+1[Forge] le Advint-otAE (120582)
In all we proved the weak-INT-Fraff -RKA securityThis completes the proof ofTheorem 15 (weak-INT-Fraff -
RKA security)
Remark 20. We emphasize that the special rule in the weak-INT-$\mathcal{F}$-RKA game (cf. Figure 4) plays an essential role in proving Lemma 18. Below is the reason.
Without this special rule, the adversary is allowed to submit $f^* = \langle a^*, \mathbf{b}^* \rangle$ which is different from $f_j = \langle a_j, \mathbf{b}_j \rangle$ even if $\mathsf{ai}^* = \mathsf{ai}_j$ holds. In this case we cannot expect to employ the INT-OT security of the underlying AE scheme to show that the second subevent ($\mathsf{Forge}$ and $t_j = t^*$) occurs with only a negligible probability. To demonstrate the problem clearly, suppose that the adversary $\mathcal{A}$ submits $f_j = \langle a_j, \mathbf{b}_j \rangle$ in the $j$-th encrypt query and submits $f^* = \langle a^*, \mathbf{b}^* \rangle = \langle a_j, \mathbf{b}_j + \Delta \rangle$ in the finalize procedure, where $\Delta$ is a constant. Then we have
$$\kappa^* = \big(\Lambda_{\mathrm{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j+\Delta}(C_j, t_j) = \big(\Lambda_{\mathrm{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \cdot \Lambda_{\Delta}(C_j, t_j) = \kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \quad (25)$$
where the second equality follows from the key-homomorphism of THPS. Thus $\kappa^*$ and $\kappa_j$ are closely related but may not be equal; in particular, the quotient $\kappa^*/\kappa_j$ $(= \Lambda_{\Delta}(C_j, t_j))$ is a constant.
Consequently, it is hard for us to show that the subevent ($\mathsf{Forge}$ and $t_j = t^*$) occurs with a negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary $\mathcal{A}$, who obtains $\chi_j \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_j, m_j)$ in the $j$-th encrypt query, to generate an AE-ciphertext $\chi^*$ satisfying $\mathsf{AE.Decrypt}(\kappa^*, \chi^*)$ $(= \mathsf{AE.Decrypt}(\kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \chi^*))$ $\neq \bot$, it seems that INT-RKA security of AE is required to some extent. We definitely cannot require INT-RKA security for the underlying AE scheme, since we are constructing the (weak) INT-RKA secure (AI)AE scheme AIAE. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT-$\mathcal{F}$-RKA game.
3.3. Tag-Based HPS from the DDH Assumption. Qin et al. [19] gave a construction of tag-based HPS from the $d$-LIN assumption. Here we construct a key-homomorphic $\mathrm{THPS}_{\mathrm{DDH}}$ under the DDH assumption in Figure 6. With a routine check, the projective property of $\mathrm{THPS}_{\mathrm{DDH}}$ follows.
Theorem 21. $\mathrm{THPS}_{\mathrm{DDH}}$ in Figure 6 is universal$_2$, extracting, and key-homomorphic. Moreover, the subset membership problem related to $\mathrm{THPS}_{\mathrm{DDH}}$ is hard under the DDH assumption for $\mathsf{GenN}$ and $\mathbb{QR}_{\overline{N}}$.
12 Security and Communication Networks
Figure 6: Construction of $\mathrm{THPS}_{\mathrm{DDH}}$.
$\mathsf{Setup}(1^\lambda)$: $(p, q, N, \overline{N}) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\overline{N} = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ \mathbb{QR}_{\overline{N}}$. Output $\mathsf{pars}_{\mathrm{THPS}} = (N, p, q, \overline{N}, g_1, g_2)$, which implicitly defines $(\mathcal{HK}, \mathcal{K}, \mathcal{C}, \mathcal{V}, \mathcal{T}, \Lambda_{(\cdot)}, \mathcal{PK}, \mu)$: $\mathcal{K} = \mathbb{QR}_{\overline{N}}$, $\mathcal{T} = \mathbb{Z}_N$, $\mathcal{C} = \mathbb{QR}^2_{\overline{N}} \setminus \{(1,1)\}$, $\mathcal{HK} = (\mathbb{Z}_N)^4$, $\mathcal{V} = \{(g_1^w, g_2^w) \mid w \in \mathbb{Z}_N \setminus \{0\}\} \subsetneq \mathcal{C}$, $\mathcal{PK} = \mathbb{QR}^2_{\overline{N}}$.
For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$, $C = (c_1, c_2) \in \mathcal{C}$, $t \in \mathcal{T}$: $\Lambda_{\mathrm{hk}}(C, t) = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathcal{K}$.
For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$: $\mathrm{pk} = \mu(\mathrm{hk}) = (g_1^{k_1} g_2^{k_2},\ g_1^{k_3} g_2^{k_4}) \in \mathcal{PK}$.
$K \leftarrow \mathsf{THPS.Pub}(\mathrm{pk}, C, w, t)$: Parse $\mathrm{pk} = (h_1, h_2) \in \mathcal{PK}$. Output $K = h_1^{w} \cdot h_2^{wt}$.
$K \leftarrow \mathsf{THPS.Priv}(\mathrm{hk}, C, t)$: Parse $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$ and $C = (c_1, c_2) \in \mathcal{C}$. Output $K = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$.
Proof of Theorem 21. Universal$_2$. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, $C' = (g_1^{w'_1}, g_2^{w'_2}) \in \mathcal{C} \setminus \mathcal{V}$, and $t, t' \in \mathcal{T}$ with $t \neq t'$. For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathrm{hk}}(C', t')$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C, t)$.
Denote $d := \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$. Firstly, $\mathrm{pk} = \mu(\mathrm{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + d k_2}, g_1^{k_3 + d k_4})$, which may leak the values of $k_1 + d k_2$ and $k_3 + d k_4$.
Next,
$$\Lambda_{\mathrm{hk}}(C, t) = (g_1^{w_1})^{k_1 + k_3 t} \cdot (g_2^{w_2})^{k_2 + k_4 t} = g_1^{X}, \qquad X \triangleq (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4), \quad (26)$$
which may further leak the value of $X$. Similarly,
$$\Lambda_{\mathrm{hk}}(C', t') = (g_1^{w'_1})^{k_1 + k_3 t'} \cdot (g_2^{w'_2})^{k_2 + k_4 t'} = g_1^{Y}, \qquad Y \triangleq (w'_1 k_1 + w'_2 d k_2) + t' \cdot (w'_1 k_3 + w'_2 d k_4). \quad (27)$$
By the fact that $C' = (g_1^{w'_1}, g_2^{w'_2}) \notin \mathcal{V}$, we have $w'_1 \neq w'_2$. Then, as long as $t \neq t'$, $Y$ is independent of $k_1 + d k_2$, $k_3 + d k_4$, and $X$, and consequently $Y$ is uniformly distributed over $\mathbb{Z}_N$. Therefore, conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C, t)$, $\Lambda_{\mathrm{hk}}(C', t')$ $(= g_1^{Y})$ is randomly distributed over $\mathcal{K} = \mathbb{QR}_{\overline{N}}$.
Extracting. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$ and $t \in \mathcal{T}$. For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathrm{hk}}(C, t)$.
By (26), $\Lambda_{\mathrm{hk}}(C, t) = g_1^{X}$ with $X = (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)$. Since $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, we have $(w_1, w_2) \neq (0, 0)$. Then, when $(k_1, k_2, k_3, k_4)$ is randomly chosen from $(\mathbb{Z}_N)^4$, $X$ is uniformly distributed over $\mathbb{Z}_N$. Consequently, $\Lambda_{\mathrm{hk}}(C, t)$ is randomly distributed over $\mathcal{K} = \mathbb{QR}_{\overline{N}}$.
Key-Homomorphism. For all $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$, all $a \in \mathbb{Z}$, all $\mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4$, all $C = (c_1, c_2) \in \mathcal{C}$, and all $t \in \mathcal{T}$, we have $a \cdot \mathrm{hk} + \mathbf{b} = a \cdot (k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) = (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4)$. Then it follows that
$$\Lambda_{a \cdot \mathrm{hk} + \mathbf{b}}(C, t) = c_1^{(a k_1 + b_1) + (a k_3 + b_3) t} \cdot c_2^{(a k_2 + b_2) + (a k_4 + b_4) t} = \big(c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}\big)^{a} \cdot \big(c_1^{b_1 + b_3 t} c_2^{b_2 + b_4 t}\big) = \Lambda_{\mathrm{hk}}(C, t)^{a} \cdot \Lambda_{\mathbf{b}}(C, t). \quad (28)$$
Subset Membership Problem. The subset membership problem related to $\mathrm{THPS}_{\mathrm{DDH}}$ requires that $(\mathsf{pars}_{\mathrm{THPS}} = (N, p, q, \overline{N}, g_1, g_2),\ C = (g_1^{w}, g_2^{w}))$ is computationally indistinguishable from $(\mathsf{pars}_{\mathrm{THPS}} = (N, p, q, \overline{N}, g_1, g_2),\ C' = (g_1^{w_1}, g_2^{w_2}))$, where $C \leftarrow_\$ \mathcal{V}$ and $C' \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$. It trivially holds under the DDH assumption for $\mathsf{GenN}$ and $\mathbb{QR}_{\overline{N}}$.
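The following toy instantiation of $\mathrm{THPS}_{\mathrm{DDH}}$ (Figure 6) checks the projective property and the key-homomorphism (28) on tiny parameters; it is an added example, not code from the paper, and it assumes the toy safe primes $p = 5$, $q = 7$ (so $N = 35$, $\overline{N} = 71$) and the squares $g_1 = 4$, $g_2 = 9$ as the two group elements.

```python
"""Toy instantiation of THPS_DDH (Figure 6) on tiny safe primes.

Added example, not code from the paper.  Assumed toy parameters:
p = 5, q = 7 (safe primes), N = pq = 35, N_bar = 2N + 1 = 71 (prime),
so QR_{N_bar} is the cyclic group of order N inside Z*_71.
Real instantiations use an N of thousands of bits; the group arithmetic
below is the construction's, only the sizes are toy.
"""
import random

P, Q = 5, 7                      # safe primes: 5 = 2*2+1, 7 = 2*3+1
N = P * Q                        # 35
N_BAR = 2 * N + 1                # 71, prime; |QR_71| = N
G1, G2 = pow(2, 2, N_BAR), pow(3, 2, N_BAR)   # squares, hence in QR_71


def in_qr(x):
    """Membership test for QR_{N_bar}: x^N = 1 mod N_bar (order divides N)."""
    return 0 < x < N_BAR and pow(x, N, N_BAR) == 1


def hash_priv(hk, C, t):
    """Lambda_hk(C, t) = c1^(k1 + k3 t) * c2^(k2 + k4 t) mod N_bar (THPS.Priv)."""
    k1, k2, k3, k4 = hk
    c1, c2 = C
    return pow(c1, (k1 + k3 * t) % N, N_BAR) * pow(c2, (k2 + k4 * t) % N, N_BAR) % N_BAR


def proj(hk):
    """pk = mu(hk) = (g1^k1 g2^k2, g1^k3 g2^k4)."""
    k1, k2, k3, k4 = hk
    h1 = pow(G1, k1, N_BAR) * pow(G2, k2, N_BAR) % N_BAR
    h2 = pow(G1, k3, N_BAR) * pow(G2, k4, N_BAR) % N_BAR
    return (h1, h2)


def hash_pub(pk, w, t):
    """THPS.Pub(pk, C, w, t) = h1^w * h2^(w t); only meaningful for C = (g1^w, g2^w)."""
    h1, h2 = pk
    return pow(h1, w, N_BAR) * pow(h2, (w * t) % N, N_BAR) % N_BAR


def sample_v(w):
    """An element of V: C = (g1^w, g2^w)."""
    return (pow(G1, w, N_BAR), pow(G2, w, N_BAR))


def affine_key(a, hk, b):
    """The key derivation a*hk + b over (Z_N)^4 used by F_raff."""
    return tuple((a * k + bj) % N for k, bj in zip(hk, b))


def check_projective(hk, w, t):
    """Projective property: Priv with hk equals Pub with pk = mu(hk) on C in V."""
    return hash_priv(hk, sample_v(w), t) == hash_pub(proj(hk), w, t)


def check_key_homomorphism(hk, a, b, C, t):
    """Eq. (28): Lambda_{a*hk+b}(C, t) = Lambda_hk(C, t)^a * Lambda_b(C, t)."""
    lhs = hash_priv(affine_key(a, hk, b), C, t)
    rhs = pow(hash_priv(hk, C, t), a, N_BAR) * hash_priv(b, C, t) % N_BAR
    return lhs == rhs


if __name__ == "__main__":
    rng = random.Random(2017)
    hk = tuple(rng.randrange(N) for _ in range(4))
    w, t = rng.randrange(1, N), rng.randrange(N)
    assert check_projective(hk, w, t)
    # C outside V (w1 != w2) is still hashable with hk, but not with pk alone.
    C_out = (pow(G1, 3, N_BAR), pow(G2, 5, N_BAR))
    assert in_qr(hash_priv(hk, C_out, t))
    a = rng.randrange(1, N)
    b = tuple(rng.randrange(N) for _ in range(4))
    assert check_key_homomorphism(hk, a, b, C_out, t)
    print("projective and key-homomorphic on toy parameters")
```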
3.4. Instantiation $\mathrm{AIAE}_{\mathrm{DDH}}$ from DDH-Based $\mathrm{THPS}_{\mathrm{DDH}}$ and OT-Secure AE. When plugging $\mathrm{THPS}_{\mathrm{DDH}}$ (cf. Figure 6) into the paradigm in Figure 5, we immediately obtain an AIAE scheme $\mathrm{AIAE}_{\mathrm{DDH}}$ under the DDH assumption, as shown in Figure 7. The key space is $\mathcal{K}_{\mathrm{AIAE}} = (\mathbb{Z}_N)^4$.
By combining Theorem 15 with Theorem 21, we have the following corollary regarding the RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$.
Corollary 22. If (i) the DDH assumption holds for $\mathsf{GenN}$ and $\mathbb{QR}_{\overline{N}}$, (ii) AE is one-time secure, and (iii) $\mathrm{H}$ is collision-resistant, then the scheme $\mathrm{AIAE}_{\mathrm{DDH}}$ in Figure 7 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here $\mathcal{F}_{\mathrm{raff}} := \{ f_{(a, \mathbf{b})} : (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4 \mapsto (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4) \in (\mathbb{Z}_N)^4 \mid a \in \mathbb{Z}^*_N,\ \mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4 \}$.
Remark 23. Our $\mathrm{AIAE}_{\mathrm{DDH}}$ enjoys the following property: $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$ will be randomly distributed over $\mathbb{QR}_{\overline{N}}$ as long as any element $k_j$ in $\mathbf{k} = (k_1, k_2, k_3, k_4)$ is uniformly chosen. As a result, the one-time security of AE will guarantee that $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) = \bot$ holds for any $(\mathsf{aiae.c}, \mathsf{ai})$ except with probability $\mathsf{Adv}^{\text{int-ot}}_{\mathsf{AE}}(\lambda) \le \mathsf{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. This fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.
Figure 7: Construction of $\mathrm{AIAE}_{\mathrm{DDH}}$ from AE and $\mathrm{THPS}_{\mathrm{DDH}}$.
$\mathsf{AIAE.ParGen}(1^\lambda)$: $(p, q, N, \overline{N}) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\overline{N} = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ \mathbb{QR}_{\overline{N}}$; $\mathsf{pars}_{\mathrm{AE}} \leftarrow_\$ \mathsf{AE.ParGen}(1^\lambda)$; $\mathrm{H} \leftarrow_\$ \mathcal{H}$. Output $\mathsf{pars}_{\mathrm{AIAE}} = (N, p, q, \overline{N}, g_1, g_2, \mathsf{pars}_{\mathrm{AE}}, \mathrm{H})$.
$\mathsf{AIAE.Encrypt}(\mathbf{k}, m, \mathsf{ai})$: Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$. $w \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$; $(c_1, c_2) = (g_1^{w}, g_2^{w}) \in \mathbb{QR}^2_{\overline{N}}$; $t = \mathrm{H}(c_1, c_2, \mathsf{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathbb{QR}_{\overline{N}}$; $\chi \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m)$. Output $\langle c_1, c_2, \chi \rangle$.
$\mathsf{AIAE.Decrypt}(\mathbf{k}, \langle c_1, c_2, \chi \rangle, \mathsf{ai})$: Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$. If $(c_1, c_2) \notin \mathbb{QR}^2_{\overline{N}}$ or $(c_1, c_2) = (1, 1)$, output $\bot$. $t = \mathrm{H}(c_1, c_2, \mathsf{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathbb{QR}_{\overline{N}}$. Output $\mathsf{AE.Decrypt}(\kappa, \chi)$.
4. PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security
Denote by $\mathrm{AIAE}_{\mathrm{DDH}} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^4$. We need two other building blocks, following the approach in Figure 1:
(i) KEM: to be compatible with this $\mathrm{AIAE}_{\mathrm{DDH}}$, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
(ii) $\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$ so that, after a computationally indistinguishable change, $\mathcal{E}\mathsf{.Encrypt}$ can serve as an entropy filter for the affine function set.
The proposed PKE scheme $\mathrm{PKE} = (\mathsf{ParGen}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$ is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.
The correctness of PKE is guaranteed by the correctness of $\mathrm{AIAE}_{\mathrm{DDH}}$, $\mathcal{E}$, and KEM.
Theorem 24. If (i) the DCR assumption holds for $\mathsf{GenN}$ and $\mathbb{QR}_{N^s}$, (ii) $\mathrm{AIAE}_{\mathrm{DDH}}$ is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for $\mathsf{GenN}$ and $\mathbb{SCR}_{N^s}$, then the proposed scheme PKE in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.
Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary who is against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, querying the encrypt oracle for at most $Q_e$ times and the decrypt oracle for at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.
In the proof, G1-G2 deal with the $n$-user case; G3-G4 are used to eliminate the utilization of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^{4}$ in the encrypt oracle; the aim of G5-G6 is to use $(x_j, y_j)_{j=1}^{4} \bmod N$ to hide a base key $\mathbf{k}^* = (k^*_1, \ldots, k^*_4)$ of $\mathrm{AIAE}_{\mathrm{DDH}}$ in the encrypt oracle; G7-G8 are used to eliminate the utilization of $(x_j, y_j)_{j=1}^{4} \bmod N$ in the decrypt oracle; in G9-G10, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$ leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^* = (k^*_1, \ldots, k^*_4)$ is now concealed by $(x_j, y_j)_{j=1}^{4} \bmod N$ perfectly.
Game G0. It is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta' = \beta$ by $\mathsf{Succ}$. According to the definition, $\mathsf{Adv}^{\text{kdm-cca}}_{\mathrm{PKE}, \mathcal{A}}(\lambda) = |\Pr_0[\mathsf{Succ}] - 1/2|$.
For the $i$-th user, $i \in [n]$, let $\mathrm{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ and $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key, respectively.
Game G1. It is identical to G0 except for the way of answering the decrypt query $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$. More precisely, the challenger outputs $\bot$ if $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ for some $\ell \in [Q_e]$, where $\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ is the challenge ciphertext of the $\ell$-th encrypt oracle query $(f_\ell, i_\ell)$.
Case 1 $((\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i) = (\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle, i_\ell))$: decrypt will output $\bot$ in G0, since $(\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle, i_\ell) \in \mathcal{Q}_{\mathrm{ENC}}$ is prohibited by decrypt.
Case 2 $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ but $i \neq i_\ell)$: We show that in G0 decrypt will output $\bot$ due to $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathbb{RU}_{N^2}$ with overwhelming probability. Recall that $u_{\ell,1} = g_1^{r_\ell}$, $u_{\ell,2} = g_2^{r_\ell}$, $e_{\ell,1} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}}$, so
$$e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}} \cdot (g_1^{r_\ell})^{x_{i,1}} (g_2^{r_\ell})^{y_{i,1}} = \big(h_{i_\ell,1} h_{i,1}^{-1}\big)^{r_\ell} T^{k_{\ell,1}} \bmod N^2, \quad (29)$$
where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$-th user and the $i$-th user, respectively, and are uniformly random over $\mathbb{SCR}_{N^s}$. So $h_{i_\ell,1} h_{i,1}^{-1} \neq 1$; hence $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathbb{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.
Figure 8: Construction of PKE from $\mathrm{AIAE}_{\mathrm{DDH}}$. The shadowed parts highlight the algorithms of KEM and $\mathcal{E}$. Here $p, q$ in $\mathsf{pars}_{\mathrm{AIAE}}$ are not provided in $\mathsf{pars}'_{\mathrm{AIAE}}$, since they are not used in $\mathsf{AIAE.Encrypt}$ and $\mathsf{AIAE.Decrypt}$ of $\mathrm{AIAE}_{\mathrm{DDH}}$.
$\mathsf{p ars} \leftarrow_\$ \mathsf{ParGen}(1^\lambda)$: $\mathsf{pars}_{\mathrm{AIAE}} = (N, p, q, \overline{N}, g_1, g_2, \mathsf{pars}_{\mathrm{AE}}, \mathrm{H}) \leftarrow_\$ \mathsf{AIAE.ParGen}(1^\lambda)$, where $N = pq$, $\overline{N} = 2N+1$, $g_1, g_2 \in \mathbb{QR}_{\overline{N}}$; $\mathsf{pars}'_{\mathrm{AIAE}} = (N, \overline{N}, g_1, g_2, \mathsf{pars}_{\mathrm{AE}}, \mathrm{H})$; $g_1, g_2, g_3, g_4, g_5 \leftarrow_\$ \mathbb{SCR}_{N^s}$. Output $\mathsf{pars} = (\mathsf{pars}'_{\mathrm{AIAE}}, g_1, g_2, g_3, g_4, g_5)$.
$(\mathrm{pk}, \mathrm{sk}) \leftarrow_\$ \mathsf{KeyGen}(\mathsf{pars})$: $x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4 \leftarrow_\$ [\lfloor N^2/4 \rfloor]$; $(h_1, h_2, h_3, h_4) = (g_1^{-x_1} g_2^{-y_1},\ g_2^{-x_2} g_3^{-y_2},\ g_3^{-x_3} g_4^{-y_3},\ g_4^{-x_4} g_5^{-y_4}) \bmod N^s$; $\mathrm{pk} = (h_1, h_2, h_3, h_4)$, $\mathrm{sk} = (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4)$. Output $(\mathrm{pk}, \mathrm{sk})$.
$\langle \mathsf{ai}, \mathsf{aiae.c} \rangle \leftarrow_\$ \mathsf{Encrypt}(\mathrm{pk}, m)$, $m \in [N^{s-1}]$: $(\mathbf{k}, \mathsf{ai}) \leftarrow_\$ \mathsf{KEM.Encrypt}(\mathrm{pk})$; $\mathcal{E}\mathsf{.c} \leftarrow_\$ \mathcal{E}\mathsf{.Encrypt}(\mathrm{pk}, m)$; $\mathsf{aiae.c} \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}, \mathcal{E}\mathsf{.c}, \mathsf{ai})$. Output $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle$.
  $\mathsf{KEM.Encrypt}(\mathrm{pk})$: $r \leftarrow_\$ [\lfloor N/4 \rfloor]$; $\mathbf{k} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$; $(u_1, \ldots, u_5) = (g_1^{r}, \ldots, g_5^{r}) \bmod N^2$; $(e_1, e_2, e_3, e_4) = (h_1^{r} T^{k_1}, h_2^{r} T^{k_2}, h_3^{r} T^{k_3}, h_4^{r} T^{k_4}) \bmod N^2$; $\mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$.
  $\mathcal{E}\mathsf{.Encrypt}(\mathrm{pk}, m)$: $r_1, r_2, r_3, r_4 \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(\tilde{u}_1, \ldots, \tilde{u}_8) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$; $e = h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^{m} \bmod N^s$; $t = g_1^{m} \bmod N \in \mathbb{Z}_N$; $\mathcal{E}\mathsf{.c} = (\tilde{u}_1, \ldots, \tilde{u}_8, e, t)$.
$m/\bot \leftarrow \mathsf{Decrypt}(\mathrm{sk}, \langle \mathsf{ai}, \mathsf{aiae.c} \rangle)$: $\mathbf{k}/\bot \leftarrow \mathsf{KEM.Decrypt}(\mathrm{sk}, \mathsf{ai})$; $\mathcal{E}\mathsf{.c}/\bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai})$; $m/\bot \leftarrow \mathcal{E}\mathsf{.Decrypt}(\mathrm{sk}, \mathcal{E}\mathsf{.c})$.
  $\mathsf{KEM.Decrypt}(\mathrm{sk}, \mathsf{ai})$: Parse $\mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. If $e_1 u_1^{x_1} u_2^{y_1},\ e_2 u_2^{x_2} u_3^{y_2},\ e_3 u_3^{x_3} u_4^{y_3},\ e_4 u_4^{x_4} u_5^{y_4} \in \mathbb{RU}_{N^2}$: $\mathbf{k} = (k_1, k_2, k_3, k_4) = \big(\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}), \mathrm{dlog}_T(e_2 u_2^{x_2} u_3^{y_2}), \mathrm{dlog}_T(e_3 u_3^{x_3} u_4^{y_3}), \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})\big) \bmod N$. Else output $\bot$.
  $\mathcal{E}\mathsf{.Decrypt}(\mathrm{sk}, \mathcal{E}\mathsf{.c})$: Parse $\mathcal{E}\mathsf{.c} = (\tilde{u}_1, \ldots, \tilde{u}_8, e, t)$. If $e \tilde{u}_1^{x_1} \tilde{u}_2^{y_1} \tilde{u}_3^{x_2} \tilde{u}_4^{y_2} \tilde{u}_5^{x_3} \tilde{u}_6^{y_3} \tilde{u}_7^{x_4} \tilde{u}_8^{y_4} \in \mathbb{RU}_{N^s}$: $m = \mathrm{dlog}_T(e \tilde{u}_1^{x_1} \tilde{u}_2^{y_1} \tilde{u}_3^{x_2} \tilde{u}_4^{y_2} \tilde{u}_5^{x_3} \tilde{u}_6^{y_3} \tilde{u}_7^{x_4} \tilde{u}_8^{y_4}) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$ output $m$, else output $\bot$. Else output $\bot$.
Thus G0 and G1 are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$ according to the union bound, and $|\Pr_0[\mathsf{Succ}] - \Pr_1[\mathsf{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Game G2. It is identical to G1 except for the way the challenger samples the secret keys $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game G2, the challenger first chooses $(x_1, y_1, \ldots, x_4, y_4)$ and $(\bar{x}_{i,1}, \bar{y}_{i,1}, \ldots, \bar{x}_{i,4}, \bar{y}_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$; next it computes $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) := (x_1, y_1, \ldots, x_4, y_4) + (\bar{x}_{i,1}, \bar{y}_{i,1}, \ldots, \bar{x}_{i,4}, \bar{y}_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.
Obviously, the secret keys $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence G2 is identical to G1, and $\Pr_1[\mathsf{Succ}] = \Pr_2[\mathsf{Succ}]$.
Game G3. It is identical to G2 except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G3, instead of using the public key $\mathrm{pk}_{i_\ell} = (h_{i_\ell,1}, \ldots, h_{i_\ell,4})$, the challenger uses the secret key $\mathrm{sk}_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \ldots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell,1}, \ldots, e_{\ell,4})$ and $e_\ell$ in the following way:
(i) $(e_{\ell,1}, \ldots, e_{\ell,4}) := \big(u_{\ell,1}^{-x_{i_\ell,1}} u_{\ell,2}^{-y_{i_\ell,1}} T^{k_{\ell,1}}, \ldots, u_{\ell,4}^{-x_{i_\ell,4}} u_{\ell,5}^{-y_{i_\ell,4}} T^{k_{\ell,4}}\big) \bmod N^2$. (30)
(ii) $e_\ell := \tilde{u}_{\ell,1}^{-x_{i_\ell,1}} \tilde{u}_{\ell,2}^{-y_{i_\ell,1}} \tilde{u}_{\ell,3}^{-x_{i_\ell,2}} \tilde{u}_{\ell,4}^{-y_{i_\ell,2}} \tilde{u}_{\ell,5}^{-x_{i_\ell,3}} \tilde{u}_{\ell,6}^{-y_{i_\ell,3}} \tilde{u}_{\ell,7}^{-x_{i_\ell,4}} \tilde{u}_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s$. (31)
Note that for $j \in [4]$,
$$e_{\ell,j} \overset{\mathrm{G2}}{=} h_{i_\ell,j}^{r_\ell} T^{k_{\ell,j}} = \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_\ell} T^{k_{\ell,j}} \overset{\mathrm{G3}}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} \bmod N^2,$$
Table 2: Brief description of the security proof of Theorem 24 (changes between adjacent games, and the assumption each step relies on).
G0: The original $n$-KDM-CCA security game. (Assumption: none.)
G1: decrypt: reject if $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ for some $\ell \in [Q_e]$. (G0 $\approx_s$ G1.)
G2: initialize: sample secret keys with $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) = (x_1, y_1, \ldots, x_4, y_4) + (\bar{x}_{i,1}, \bar{y}_{i,1}, \ldots, \bar{x}_{i,4}, \bar{y}_{i,4})$. (G1 $=$ G2.)
G3: encrypt$(f_\ell, i_\ell)$: use the secret keys to run $\mathsf{KEM.Encrypt}$ and $\mathcal{E}\mathsf{.Encrypt}$. (G2 $=$ G3.)
G4: encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of secret keys, $\mathcal{E}\mathsf{.c}$ is computed with $(\tilde{u}_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \ldots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \ldots, g_5^{r_{\ell,4}})$; encrypt does not use $(x_j, y_j)_{j=1}^{4} \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen. (G3 $\approx_c$ G4 by $\mathrm{IV}_5$.)
G5: encrypt$(f_\ell, i_\ell)$: $\mathsf{kem.ct}$ $(= \mathsf{ai})$ of $\mathsf{KEM.Encrypt}$ is computed with $(u_{\ell,j})_{j \in [5]} = ((g_j^{r^*} T^{\alpha_j})^{r_\ell})_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now $\mathsf{KEM.Encrypt}$ encapsulates the four keys $(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}))_{j=1}^{4} \bmod N$, but $(k_{\ell,j})_{j=1}^{4}$ is the key used in $\mathsf{AIAE.Encrypt}$. (G4 $\approx_c$ G5 by $\mathrm{IV}_5$.)
G6: encrypt$(f_\ell, i_\ell)$: sample $k_{\ell,j} := r_\ell k^*_j + s_{\ell,j}$ for $j \in [4]$. Now $\mathsf{KEM.Encrypt}$ encapsulates the four keys $(r_\ell (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell (\alpha_j \bar{x}_{i,j} + \alpha_{j+1} \bar{y}_{i,j}) + s_{\ell,j})_{j=1}^{4}$, but $(r_\ell k^*_j + s_{\ell,j})_{j=1}^{4}$ is the key used in $\mathsf{AIAE.Encrypt}$. (G5 $=$ G6.)
G7: decrypt: use $\phi(N)$ and the secret keys to answer decryption queries. (G6 $=$ G7.)
G8: decrypt: add an additional rejection rule. Reject if $\mathsf{Bad}' = (\exists u_j \notin \mathbb{SCR}_{N^2})$ or $\widetilde{\mathsf{Bad}} = (\forall u_j \in \mathbb{SCR}_{N^2}) \wedge (\exists \tilde{u}_j \notin \mathbb{SCR}_{N^s})$ happens. $\mathsf{Bad}'$ and $\widetilde{\mathsf{Bad}}$ can be detected by using $\phi(N)$. Now only the $(\bmod \phi(N)/4)$ part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^{4} \bmod N$ perfectly hides $(k^*_1, \ldots, k^*_4)$ in encrypt; thus $(k^*_1, \ldots, k^*_4)$ is uniform. $(r_\ell k^*_j + s_{\ell,j})_{j=1}^{4}$ is the key used in $\mathsf{AIAE.Encrypt}$. $\mathsf{Bad}'$ may lead to a fresh successful forgery for $\mathrm{AIAE}_{\mathrm{DDH}}$. (G7 $=$ G8 if neither $\mathsf{Bad}'$ nor $\widetilde{\mathsf{Bad}}$ happens; $\Pr[\mathsf{Bad}'] = \mathsf{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$.)
G9: initialize: sample an independent random tuple $(k^*_1, \ldots, k^*_4)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell k^*_j + s_{\ell,j})_{j=1}^{4}$ in $\mathsf{AIAE.Encrypt}$. (G8 $=$ G9 to the adversary.)
G10: encrypt: encrypt zeros instead of the affine function of secret keys. $\widetilde{\mathsf{Bad}}$ happens with negligible probability since $t = g_1^{m} \bmod N$ in decrypt. Adversary $\mathcal{A}$ wins with probability $1/2$. (G9 $\approx_c$ G10 by the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathrm{AIAE}_{\mathrm{DDH}}$; $\Pr[\widetilde{\mathsf{Bad}}] = \mathsf{negl}$.)
$$e_\ell \overset{\mathrm{G2}}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{m_\beta} = \big(g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}}\big)^{r_{\ell,1}} \cdots \big(g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}}\big)^{r_{\ell,4}} T^{m_\beta} \overset{\mathrm{G3}}{=} \tilde{u}_{\ell,1}^{-x_{i_\ell,1}} \tilde{u}_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde{u}_{\ell,7}^{-x_{i_\ell,4}} \tilde{u}_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \quad (32)$$
Thus G3 is the same as G2, and $\Pr_2[\mathsf{Succ}] = \Pr_3[\mathsf{Succ}]$.
Game G4. It is identical to G3 except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G4, in the case of $\beta = 1$, $(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8})$ and $e_\ell$ are computed without the use of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$:
(i) $(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8}) := \big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^{n} a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^{n} b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^{n} a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^{n} b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^{n} a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^{n} b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^{n} a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^{n} b_{i,4}}\big) \bmod N^s$. (33)
(ii) $e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{\sum_{i=1}^{n} \sum_{j=1}^{4} (a_{i,j} (\bar{x}_{i,j} - \bar{x}_{i_\ell,j}) + b_{i,j} (\bar{y}_{i,j} - \bar{y}_{i_\ell,j})) + c} \bmod N^s$. (34)
where $f_\ell = ((a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4})_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$. Note that
$$e_\ell \overset{\mathrm{G4}}{=} \prod_{j=1}^{4} h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^{n} \sum_{j=1}^{4} (a_{i,j} (\bar{x}_{i,j} - \bar{x}_{i_\ell,j}) + b_{i,j} (\bar{y}_{i,j} - \bar{y}_{i_\ell,j})) + c}$$
$$= \prod_{j=1}^{4} h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^{n} \sum_{j=1}^{4} (a_{i,j} (x_{i,j} - x_{i_\ell,j}) + b_{i,j} (y_{i,j} - y_{i_\ell,j})) + c}$$
$$= \prod_{j=1}^{4} \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^{n} \sum_{j=1}^{4} (a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j})}$$
$$= \prod_{j=1}^{4} \big(g_j^{r_{\ell,j}} T^{\sum_{i=1}^{n} a_{i,j}}\big)^{-x_{i_\ell,j}} \big(g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^{n} b_{i,j}}\big)^{-y_{i_\ell,j}} \cdot T^{m_1}$$
$$= \tilde{u}_{\ell,1}^{-x_{i_\ell,1}} \tilde{u}_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde{u}_{\ell,7}^{-x_{i_\ell,4}} \tilde{u}_{\ell,8}^{-y_{i_\ell,4}} T^{m_1} \bmod N^s, \quad (35)$$
where the third equality follows from $m_1 = \sum_{i=1}^{n} (a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}) + c$.
We analyze the difference between G3 and G4 via the following lemma.
Lemma 25. One has $|\Pr_3[\mathsf{Succ}] - \Pr_4[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.
Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8})$ is the same in G3 and G4. Therefore, the only divergence between G3 and G4 lies in $(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8})$.
We show that any difference between G3 and G4 results in a PPT adversary $\mathcal{B}_1$ solving the $\mathrm{IV}_5$ problem. $\mathcal{B}_1$ is provided with $(N, g_1, \ldots, g_5)$ and has access to its $\mathsf{chal}^{b}_{\mathrm{IV}_5}$ oracle. $\mathcal{B}_1$ simulates game G3 or game G4 for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares $\mathsf{pars}$ and generates $(\mathrm{pk}_i, \mathrm{sk}_i)$, $i \in [n]$, as in G3 and G4. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = ((a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4})_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathsf{chal}^{b}_{\mathrm{IV}_5}$ oracle with $(\sum_{i=1}^{n} a_{i,1}, \sum_{i=1}^{n} b_{i,1}, *, *, *)$, $(*, \sum_{i=1}^{n} a_{i,2}, \sum_{i=1}^{n} b_{i,2}, *, *)$, $(*, *, \sum_{i=1}^{n} a_{i,3}, \sum_{i=1}^{n} b_{i,3}, *)$, $(*, *, *, \sum_{i=1}^{n} a_{i,4}, \sum_{i=1}^{n} b_{i,4})$, where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde{u}_{\ell,1}, \tilde{u}_{\ell,2}, *, *, *)$, $(*, \tilde{u}_{\ell,3}, \tilde{u}_{\ell,4}, *, *)$, $(*, *, \tilde{u}_{\ell,5}, \tilde{u}_{\ell,6}, *)$, $(*, *, *, \tilde{u}_{\ell,7}, \tilde{u}_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathsf{chal}^{b}_{\mathrm{IV}_5}$ oracle, $(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8})$ is one of the following:
Case 1 ($b = 0$): $(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}})$.
Case 2 ($b = 1$): $(g_1^{r_{\ell,1}} T^{\sum_{i=1}^{n} a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i=1}^{n} b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i=1}^{n} a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i=1}^{n} b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i=1}^{n} a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i=1}^{n} b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i=1}^{n} a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i=1}^{n} b_{i,4}})$.
Next, $\mathcal{B}_1$ uses the obtained $(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$, since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event $\mathsf{Succ}$ occurs.
In Case 1, $\mathcal{B}_1$ simulates game G3 perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game G4 perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathsf{Succ}]$ and $\Pr_4[\mathsf{Succ}]$ results in $\mathcal{B}_1$'s advantage over the $\mathrm{IV}_5$ problem. Thus Lemma 25 follows.
Game G5. It is identical to G4 except for the following differences. In the initialize procedure of game G5, the challenger picks $r^* \leftarrow_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \ldots, \alpha_5 \leftarrow_\$ \mathbb{Z}_N$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \ldots, u_{\ell,5})$ as follows:
(i) $(u_{\ell,1}, \ldots, u_{\ell,5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$.
The only difference between G4 and G5 is the distribution of $(u_{\ell,1}, \ldots, u_{\ell,5})$. In game G4, $(u_{\ell,1}, \ldots, u_{\ell,5}) = (g_1^{r_\ell}, \ldots, g_5^{r_\ell}) \bmod N^2$, while in game G5, $(u_{\ell,1}, \ldots, u_{\ell,5}) = ((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}) \bmod N^2$. Just like Lemma 25, any difference between G4 and G5 results in a PPT adversary solving the $\mathrm{IV}_5$ problem by invoking $\mathcal{A}$. Therefore, $|\Pr_4[\mathsf{Succ}] - \Pr_5[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.
Game G6. It is identical to G5 except for the following differences. In the initialize procedure of game G6, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \ldots, e_{\ell,4})$ in a different way:
(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_\$ (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \ldots, r_\ell k^*_4 + s_{\ell,4})$.
(ii) $(e_{\ell,1}, \ldots, e_{\ell,4}) := \big(h_{i_\ell,1}^{r^* r_\ell} T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}}, \ldots, h_{i_\ell,4}^{r^* r_\ell} T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\big)$. (36)
Clearly, $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game G5. In the meantime, for $j \in [4]$, we have
$$e_{\ell,j} \overset{\mathrm{G5}}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} = \big(g_j^{r^*} T^{\alpha_j}\big)^{-r_\ell \cdot x_{i_\ell,j}} \big(g_{j+1}^{r^*} T^{\alpha_{j+1}}\big)^{-r_\ell \cdot y_{i_\ell,j}} T^{k_{\ell,j}} = \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r^* r_\ell} T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \overset{\mathrm{G6}}{=} h_{i_\ell,j}^{r^* r_\ell} T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \quad (37)$$
Thus G6 is the same as G5, and $\Pr_5[\mathsf{Succ}] = \Pr_6[\mathsf{Succ}]$.
Game G7. It is identical to G6 except for the way the challenger answers the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$. In game G7, it uses $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle$, where $\mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \ldots, k_4)$ and $m$ in the following way:
(i)
$$(\alpha'_1, \ldots, \alpha'_5) := \Big(\frac{\mathrm{dlog}_T(u_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(u_5^{\phi(N)})}{\phi(N)}\Big) \bmod N,$$
$$(\gamma'_1, \ldots, \gamma'_4) := \Big(\frac{\mathrm{dlog}_T(e_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(e_4^{\phi(N)})}{\phi(N)}\Big) \bmod N,$$
$$\mathbf{k} = (k_1, \ldots, k_4) := \big(\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1, \ldots, \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4\big) \bmod N. \quad (38)$$
(ii)
$$\mathcal{E}\mathsf{.c} = (\tilde{u}_1, \ldots, \tilde{u}_8, e, t)\,/\,\bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}). \quad (39)$$
(iii)
$$(\tilde{\alpha}_1, \ldots, \tilde{\alpha}_8) := \Big(\frac{\mathrm{dlog}_T(\tilde{u}_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(\tilde{u}_8^{\phi(N)})}{\phi(N)}\Big) \bmod N^{s-1}, \qquad \gamma := \frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)} \bmod N^{s-1},$$
$$m := \tilde{\alpha}_1 x_{i,1} + \tilde{\alpha}_2 y_{i,1} + \tilde{\alpha}_3 x_{i,2} + \tilde{\alpha}_4 y_{i,2} + \tilde{\alpha}_5 x_{i,3} + \tilde{\alpha}_6 y_{i,3} + \tilde{\alpha}_7 x_{i,4} + \tilde{\alpha}_8 y_{i,4} + \gamma \bmod N^{s-1}. \quad (40)$$
According to (8), for $j \in [4]$, we have that
$$k_j \overset{\mathrm{G6}}{=} \mathrm{dlog}_T\big(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}}\big) = \frac{\mathrm{dlog}_T\big((e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)}\big)}{\phi(N)} \bmod N = \frac{\mathrm{dlog}_T(u_j^{\phi(N) \cdot x_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N) \cdot y_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}$$
$$\overset{\mathrm{G7}}{=} \underbrace{\frac{\mathrm{dlog}_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}}_{\gamma'_j},$$
$$m \overset{\mathrm{G6}}{=} \mathrm{dlog}_T\big(e \tilde{u}_1^{x_{i,1}} \tilde{u}_2^{y_{i,1}} \tilde{u}_3^{x_{i,2}} \tilde{u}_4^{y_{i,2}} \tilde{u}_5^{x_{i,3}} \tilde{u}_6^{y_{i,3}} \tilde{u}_7^{x_{i,4}} \tilde{u}_8^{y_{i,4}}\big) \bmod N^{s-1}$$
$$\overset{\mathrm{G7}}{=} \underbrace{\frac{\mathrm{dlog}_T(\tilde{u}_1^{\phi(N)})}{\phi(N)}}_{\tilde{\alpha}_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T(\tilde{u}_8^{\phi(N)})}{\phi(N)}}_{\tilde{\alpha}_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)}}_{\gamma}. \quad (41)$$
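The relation (41) between the ordinary KEM decapsulation of Figure 8 and the $\phi(N)$-based decapsulation (38) of game G7 can be checked on toy parameters; the following is an added example, not code from the paper, taking $s = 2$, the toy safe primes $p = 5$, $q = 7$ (so $N = 35$, $T = 1 + N$), and elements of $\mathbb{SCR}_{N^2}$ sampled as $\mu^{2N} \bmod N^2$. It also decapsulates a G5-style ciphertext $u_j = (g_j^{r^*} T^{\alpha_j})^{r}$, where the $\alpha'_j$ of (38) are non-zero, to show that both decapsulations still agree.

```python
"""Toy version of the KEM part of Figure 8 and of the phi(N)-based
decapsulation of game G7 (eqs. (38) and (41)), with s = 2 so that all
arithmetic is mod N^2.

Added example, not code from the paper.  Assumed toy parameters:
p = 5, q = 7, N = 35, N^2 = 1225, T = 1 + N.  Elements of SCR_{N^2} are
sampled as mu^(2N) mod N^2; dlog_T(1 + aN) = a.  Real parameters use an
N of thousands of bits.
"""
import random

P, Q = 5, 7
N = P * Q                  # 35
N2 = N * N                 # 1225
T = 1 + N                  # T^a = 1 + aN mod N^2
PHI = (P - 1) * (Q - 1)    # phi(N) = 24, coprime to N
PHI_INV = pow(PHI, -1, N)  # lets us divide by phi(N) mod N


def scr(mu):
    """mu^(2N) mod N^2 lies in SCR_{N^2}, the subgroup of 2N-th residues."""
    return pow(mu, 2 * N, N2)


G = [scr(m) for m in (2, 3, 4, 6, 8)]   # g_1..g_5 in SCR_{N^2}


def dlog_T(v):
    """dlog_T on RU_{N^2} = {1 + aN}: returns a mod N, or None if v is not in RU."""
    if v % N != 1:
        return None
    return ((v - 1) // N) % N


def keygen(sk):
    """pk: h_j = g_j^(-x_j) g_{j+1}^(-y_j) mod N^2 for sk = (x_1, y_1, ..., x_4, y_4)."""
    return [pow(G[j], -sk[2 * j], N2) * pow(G[j + 1], -sk[2 * j + 1], N2) % N2
            for j in range(4)]


def kem_encrypt(pk, r, k):
    """ai = (u_1..u_5, e_1..e_4) with u_j = g_j^r and e_j = h_j^r T^{k_j} mod N^2."""
    u = [pow(g, r, N2) for g in G]
    e = [pow(pk[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return u, e


def kem_decrypt(sk, ai):
    """Figure 8: k_j = dlog_T(e_j u_j^{x_j} u_{j+1}^{y_j}) mod N; None on rejection."""
    u, e = ai
    ks = []
    for j in range(4):
        v = e[j] * pow(u[j], sk[2 * j], N2) * pow(u[j + 1], sk[2 * j + 1], N2) % N2
        kj = dlog_T(v)
        if kj is None:            # not in RU_{N^2}: reject
            return None
        ks.append(kj)
    return tuple(ks)


def phi_component(v):
    """dlog_T(v^{phi(N)}) / phi(N) mod N: the T-exponent of v, its SCR part removed."""
    return dlog_T(pow(v, PHI, N2)) * PHI_INV % N


def kem_decrypt_g7(sk, ai):
    """Eq. (38): k_j = alpha'_j x_j + alpha'_{j+1} y_j + gamma'_j mod N, where
    alpha'_j = phi_component(u_j) and gamma'_j = phi_component(e_j)."""
    u, e = ai
    alpha = [phi_component(uj) for uj in u]
    gamma = [phi_component(ej) for ej in e]
    return tuple((alpha[j] * sk[2 * j] + alpha[j + 1] * sk[2 * j + 1] + gamma[j]) % N
                 for j in range(4))


def g5_style_ai(sk, r_star, alphas, r, k):
    """Encapsulation as the challenger forms it in game G5 (with (30) for e_j):
    u_j = (g_j^{r*} T^{alpha_j})^r, e_j = u_j^{-x_j} u_{j+1}^{-y_j} T^{k_j}."""
    u = [pow(pow(G[j], r_star, N2) * pow(T, alphas[j], N2) % N2, r, N2) for j in range(5)]
    e = [pow(u[j], -sk[2 * j], N2) * pow(u[j + 1], -sk[2 * j + 1], N2) * pow(T, k[j], N2) % N2
         for j in range(4)]
    return u, e


if __name__ == "__main__":
    rng = random.Random(7)
    sk = tuple(rng.randrange(N2 // 4) for _ in range(8))
    k = tuple(rng.randrange(N) for _ in range(4))
    ai = kem_encrypt(keygen(sk), rng.randrange(1, N // 4), k)
    assert kem_decrypt(sk, ai) == k == kem_decrypt_g7(sk, ai)
    # honest u_j lie in SCR_{N^2}, so every alpha'_j of (38) is zero
    assert all(phi_component(uj) == 0 for uj in ai[0])
    ai5 = g5_style_ai(sk, 3, (1, 2, 3, 4, 5), 2, k)
    assert kem_decrypt(sk, ai5) == k == kem_decrypt_g7(sk, ai5)
    print("G6 and G7 decapsulations agree on toy parameters")
```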
Hence G7 is essentially the same as G6, and $\Pr_6[\mathsf{Succ}] = \Pr_7[\mathsf{Succ}]$.
Game G8. It is identical to G7 except for the way of answering the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:
(i) If $\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or $\tilde{\alpha}_1 \neq 0$ or $\cdots$ or $\tilde{\alpha}_8 \neq 0$, output $\bot$.
Denote by $\mathsf{Bad}$ the event that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
$$e_1 u_1^{x_{i,1}} u_2^{y_{i,1}}, \ldots, e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathbb{RU}_{N^2} \quad \text{and} \quad \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \bot \quad (42)$$
$$\text{and} \quad e \tilde{u}_1^{x_{i,1}} \tilde{u}_2^{y_{i,1}} \tilde{u}_3^{x_{i,2}} \tilde{u}_4^{y_{i,2}} \tilde{u}_5^{x_{i,3}} \tilde{u}_6^{y_{i,3}} \tilde{u}_7^{x_{i,4}} \tilde{u}_8^{y_{i,4}} \in \mathbb{RU}_{N^s} \quad \text{and} \quad t = g_1^{m} \bmod N \quad (43)$$
$$\text{and} \quad (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0 \text{ or } \tilde{\alpha}_1 \neq 0 \text{ or } \cdots \text{ or } \tilde{\alpha}_8 \neq 0). \quad (44)$$
Obviously, G8 is identical to G7 unless $\mathsf{Bad}$ occurs. Thus $|\Pr_7[\mathsf{Succ}] - \Pr_8[\mathsf{Succ}]| \le \Pr_8[\mathsf{Bad}]$.
To show the computational indistinguishability of G7 and G8, we must prove that $\Pr_8[\mathsf{Bad}]$ is negligible. To this end, $\mathsf{Bad}$ is divided into two subevents:
(i) $\mathsf{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0). \quad (45)$$
(ii) $\widetilde{\mathsf{Bad}}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde{\alpha}_1 \neq 0 \text{ or } \cdots \text{ or } \tilde{\alpha}_8 \neq 0). \quad (46)$$
Obviously, $\Pr_8[\mathsf{Bad}] \le \Pr_8[\mathsf{Bad}'] + \Pr_8[\widetilde{\mathsf{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathsf{Bad}}]$ to subsequent games. Through the following lemma, we provide the analysis of $\Pr_8[\mathsf{Bad}']$.
Lemma 26. One has $\Pr_8[\mathsf{Bad}'] \le 2 Q_d \cdot \mathsf{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.
18 Security and Communication Networks
Proof In decrypt of game G8 the challenger will reply perpto A unless 12057210158401 = sdot sdot sdot = 12057210158405 = 0 and 1 = sdot sdot sdot =8 = 0 Consequently the (mod120601(119873)4) part of sk119894 thatis (1199091198941 1199101198941 1199091198944 1199101198944) mod120601(119873)4 119894 isin [119899] and thevalue of 120601(119873) is enough for answering decrypt queriesIn particular the values of (1199091 1199101 1199094 1199104) mod119873 are notnecessary in decrypt
$\mathrm{Bad}'$ is further divided into the following two subevents:

(i) $\mathrm{Bad}'\text{-}1$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c}\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \ \text{or}\ \cdots\ \text{or}\ \alpha'_5 \neq 0) \text{ and } \big(\exists j \in [4]:\ \alpha'_j/\alpha_j \neq \alpha'_{j+1}/\alpha_{j+1} \bmod N\big). \tag{47}$$
(ii) $\mathrm{Bad}'\text{-}2$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c}\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \ \text{or}\ \cdots\ \text{or}\ \alpha'_5 \neq 0) \text{ and } \big(\alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \bmod N\big). \tag{48}$$

Recall that $(\alpha_1, \ldots, \alpha_5)$ are chosen in initialize. We consider the two subevents in game $G_8$ separately via the following two claims.

Claim 27. One has $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In game $G_8$, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$: for $j \in [4]$,
$$\begin{aligned} e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\cdot T^{\,r_\ell\cdot(k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\ &= h_{i_\ell,j}^{r^* r_\ell}\cdot T^{\,r_\ell\cdot(\tilde{k}_j - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2, \qquad \text{where } \tilde{k}_j \triangleq k^*_j - \alpha_j x_j - \alpha_{j+1} y_j. \end{aligned} \tag{49}$$
If $\mathrm{Bad}'\text{-}1$ occurs, for concreteness say that $\alpha'_1/\alpha_1 \neq \alpha'_2/\alpha_2 \bmod N$, then
$$k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar{x}_{i,1} + \alpha'_2 \bar{y}_{i,1} + \gamma'_1 \bmod N, \tag{50}$$
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$ and thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_\$ \mathbb{Z}_N$, the probability of $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \neq \perp$ is upper bounded by $\mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.
Claim 28. One has $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game $G_8$ the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values $\tilde{k}_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\tilde{k}_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\tilde{k}_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\tilde{k}_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ when computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of $\mathsf{AIAE.Encrypt}$.

Note that because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $(\tilde{k}_1, \tilde{k}_2, \tilde{k}_3, \tilde{k}_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm that simulates decrypt and encrypt of game $G_8$ without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate $\mathsf{AIAE.Encrypt}$ as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA encryption oracle of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathrm{pars}_{\mathsf{AIAE}})$, which has access to an $\mathrm{encrypt}_{\mathsf{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathrm{pars}_{\mathsf{AIAE}} = (N, p, q, \ldots)$. $\mathcal{B}_2$ no longer chooses $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize; instead it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either; instead it chooses $\tilde{\mathbf{k}} = (\tilde{k}_1, \tilde{k}_2, \tilde{k}_3, \tilde{k}_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar{x}_{i,1}, \bar{y}_{i,1}, \ldots, \bar{x}_{i,4}, \bar{y}_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ uses $(\bar{x}_{i_\ell,j}, \bar{y}_{i_\ell,j}, \tilde{k}_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and uses $(\bar{x}_{i,j}, \bar{y}_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $\mathrm{sk}_i$, that is $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar{x}_{i,j}, \bar{y}_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathcal{E}.c_\ell, \mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})\rangle)$ to its own $\mathrm{encrypt}_{\mathsf{AIAE}}$ oracle and obtains $\mathrm{aiae.c}_\ell$. The final ciphertext is $\langle \mathrm{ai}_\ell, \mathrm{aiae.c}_\ell\rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security game, the $\mathrm{encrypt}_{\mathsf{AIAE}}$ oracle encrypts $\mathcal{E}.c_\ell$ with the auxiliary input $\mathrm{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$, that is, the oracle behaves as $\mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.c_\ell, \mathrm{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to $G_8$. For decrypt, $\mathcal{B}_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like $G_8$.
Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c}\rangle, i \in [n])$ such that $\mathrm{Bad}'\text{-}2$ occurs. For concreteness say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
$$\begin{aligned} k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\ &= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\ &= r \cdot k^*_j - r \cdot (\tilde{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j \bmod N, \qquad \text{where } \tilde{k}_j = k^*_j - \alpha_j x_j - \alpha_{j+1} y_j, \\ &= r \cdot k^*_j + s_j \bmod N, \qquad \text{where } s_j \triangleq -r \cdot (\tilde{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j. \end{aligned} \tag{51}$$

Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$ where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4)\rangle$ as above using $(\bar{x}_{i,j}, \bar{y}_{i,j}, \tilde{k}_j)_{j=1}^4$, and outputs $(\mathrm{ai}, \langle r, \mathbf{s}\rangle, \mathrm{aiae.c})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.
(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathrm{ai}, \mathrm{aiae.c}\rangle \neq \langle \mathrm{ai}_\ell, \mathrm{aiae.c}_\ell\rangle$ for all $\ell \in [Q_e]$; thus $(\mathrm{ai}, \langle r, \mathbf{s}\rangle, \mathrm{aiae.c}) \neq (\mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell\rangle, \mathrm{aiae.c}_\ell)$ holds for all $\ell \in [Q_e]$, that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\tilde{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot (\tilde{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then $\langle r, \mathbf{s}\rangle = \langle r_\ell, \mathbf{s}_\ell\rangle$. Obviously, this satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.

(iii) Finally, if $\mathrm{Bad}'\text{-}2$ occurs in this decryption query, then $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \neq \perp$ where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, which implies that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game $G_9$. It is identical to $G_8$ except for the following differences. In the initialize procedure of game $G_9$, the challenger picks an independent $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \tilde{k}^*_2, \tilde{k}^*_3, \tilde{k}^*_4) \leftarrow_\$ (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathsf{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathrm{aiae.c}_\ell$:

(i) $\mathbf{k}_\ell := (r_\ell \tilde{k}^*_1 + s_{\ell,1}, \ldots, r_\ell \tilde{k}^*_4 + s_{\ell,4})$;
(ii) $\mathrm{aiae.c}_\ell \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.c_\ell, \mathrm{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.
In $G_8$, the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,
$$\begin{aligned} e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\cdot T^{\,r_\ell\cdot(k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\ &= h_{i_\ell,j}^{r^* r_\ell}\cdot T^{\,r_\ell\cdot(k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \end{aligned} \tag{52}$$

Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Therefore, the challenger could always employ another $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \ldots, \tilde{k}^*_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption in the encrypt oracle, as in $G_9$.

Then game $G_8$ and game $G_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathrm{Succ}] = \Pr_9[\mathrm{Succ}]$ and $\Pr_8[\widetilde{\mathrm{Bad}}] = \Pr_9[\widetilde{\mathrm{Bad}}]$.

Game $G_{10}$. It is identical to $G_9$ except for the way the challenger answers the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $G_{10}$ the challenger computes $\mathrm{aiae.c}_\ell$ in the following way:
(i) $\mathrm{aiae.c}_\ell \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathrm{ai}_\ell)$.

Observe that in $G_9$ and $G_{10}$, $\tilde{\mathbf{k}}^*$ is employed only in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption, where it uses $\mathbf{k}_\ell = r_\ell \cdot \tilde{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between $G_9$ and $G_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathrm{Succ}] - \Pr_{10}[\mathrm{Succ}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\widetilde{\mathrm{Bad}}] - \Pr_{10}[\widetilde{\mathrm{Bad}}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in $G_{10}$ the challenger always computes the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathrm{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.
Lemma 29. One has $\Pr_{10}[\widetilde{\mathrm{Bad}}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda)$.

Proof. In $G_{10}$, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathrm{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g\, g_j \bmod \phi(N)/4$ for some base $g \in \mathrm{SCR}_{N^s}$, $j \in [5]$.
$\widetilde{\mathrm{Bad}}$ is further divided into the following two disjoint subevents:

(i) $\widetilde{\mathrm{Bad}}\text{-}1$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c}\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), } (\alpha'_1 = \cdots = \alpha'_5 = 0), \ ({}_1 \neq 0 \ \text{or}\ \cdots\ \text{or}\ {}_8 \neq 0), \text{ and } \big({}_1/w_1 \neq {}_2/w_2 \ \text{or}\ {}_3/w_2 \neq {}_4/w_3 \ \text{or}\ {}_5/w_3 \neq {}_6/w_4 \ \text{or}\ {}_7/w_4 \neq {}_8/w_5\big). \tag{53}$$
(ii) $\widetilde{\mathrm{Bad}}\text{-}2$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c}\rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), } (\alpha'_1 = \cdots = \alpha'_5 = 0), \ ({}_1 \neq 0 \ \text{or}\ \cdots\ \text{or}\ {}_8 \neq 0), \text{ and } \big({}_1/w_1 = {}_2/w_2 \ \text{and}\ {}_3/w_2 = {}_4/w_3 \ \text{and}\ {}_5/w_3 = {}_6/w_4 \ \text{and}\ {}_7/w_4 = {}_8/w_5\big). \tag{54}$$

We analyze the two subevents in game $G_{10}$ separately via the following two claims.

Claim 30. One has $\Pr_{10}[\widetilde{\mathrm{Bad}}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Proof. If $\widetilde{\mathrm{Bad}}\text{-}1$ occurs, for concreteness say that ${}_1/w_1 \neq {}_2/w_2$, then
$$g_1^{m} = g_1^{\,{}_1 x_{i,1} + {}_2 y_{i,1} + \cdots} = g_1^{\,{}_1 x_1 + {}_2 y_1 + {}_1 \bar{x}_{i,1} + {}_2 \bar{y}_{i,1} + \cdots \ \bmod \phi(N)/4} \bmod N, \tag{55}$$
and $({}_1 x_1 + {}_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m}$ is uniformly distributed over $\mathrm{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then according to a union bound, $\Pr_{10}[\widetilde{\mathrm{Bad}}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\widetilde{\mathrm{Bad}}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $G_{10}$, if $\widetilde{\mathrm{Bad}}\text{-}2$ occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ that computes the discrete logarithm of $h$ to the base $g$, where $g, h \in \mathrm{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$; then $g_j$ is uniformly distributed over $\mathrm{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys in the same way as initialize in $G_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, it can perfectly simulate encrypt and decrypt the same way as $G_{10}$ does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g\, h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g\, g_j = z_j + w z'_j \bmod \phi(N)/4$.

If $\widetilde{\mathrm{Bad}}\text{-}2$ occurs in decrypt, for concreteness say that ${}_1/w_1 = {}_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_1^{\,{}_2} = g_2^{\,{}_1} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1 \cdot {}_2 = w_2 \cdot {}_1 \bmod \phi(N)/4$, or equivalently
$$z_1 \cdot {}_2 + w z'_1 \cdot {}_2 = z_2 \cdot {}_1 + w z'_2 \cdot {}_1 \bmod \phi(N)/4. \tag{56}$$
Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1 \cdot {}_2 - z'_2 \cdot {}_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ succeeds in computing the discrete logarithm of $h$ to the base $g$ and outputs $w = (z'_1 \cdot {}_2 - z'_2 \cdot {}_1)^{-1} \cdot (z_2 \cdot {}_1 - z_1 \cdot {}_2) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\widetilde{\mathrm{Bad}}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we have proved the $n$-KDM$[\mathcal{F}_{\mathrm{aff}}]$-CCA security. This completes the proof of Theorem 24.
5 PKE with $n$-KDM$[\mathcal{F}^d_{\mathrm{poly}}]$-CCA Security
5.1 The Basic Idea. We extend the construction of $n$-KDM$[\mathcal{F}_{\mathrm{aff}}]$-CCA secure PKE to that of $n$-KDM$[\mathcal{F}^d_{\mathrm{poly}}]$-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], i.e., polynomial-sized circuits computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of the modular arithmetic circuits; the only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM$[\mathcal{F}_{\mathrm{aff}}]$-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathrm{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2 Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables
How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM$[\mathcal{F}^d_{\mathrm{poly}}]$-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^{8})$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^{8})$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathrm{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}. \tag{57}$$
Consequently, $f_\ell$ in the $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in the 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$\begin{aligned} f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) &= f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) \\ &= f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \end{aligned} \tag{58}$$
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:
(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which computes $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^{8})$ times, all the coefficients $a_{(c_1, \ldots, c_8)}$ can be extracted by solving the linear system of equations
$$f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \tag{59}$$
The overall time complexity for computing the coefficients $a_{(c_1, \ldots, c_8)}$ is polynomial in $\lambda$.
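The evaluate-and-solve procedure of steps (i) to (iii), written out as an added example that is not part of the paper: it recovers the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ from black-box access to $f_\ell$ by sampling $\binom{8+d}{8}$ random points, shifting them as in (57), and solving the linear system (59). The toy circuit, the shifts, the degree $d = 2$ and the prime modulus (standing in for the scheme's modulus so that the system is solvable over a field) are all constructed assumptions.

```python
import random
from itertools import product

# Assumption (not from the paper): a prime modulus stands in for the scheme's
# modulus so that the linear system of (59) can be solved over the field Z_P.
P = 1_000_003
NUM_VARS = 8  # one secret key sk_i = (x_{i,1}, y_{i,1}, ..., x_{i,4}, y_{i,4})


def exponent_tuples(num_vars, degree):
    """All (c_1, ..., c_v) with 0 <= c_1 + ... + c_v <= degree, in a fixed order."""
    return [c for c in product(range(degree + 1), repeat=num_vars) if sum(c) <= degree]


def eval_monomial(point, exps, p):
    """x_1^{c_1} * ... * x_v^{c_v} mod p."""
    val = 1
    for x, c in zip(point, exps):
        val = val * pow(x, c, p) % p
    return val


def eval_poly(coeffs, point, p):
    """Evaluate a polynomial stored as {exponent tuple: coefficient} mod p."""
    return sum(a * eval_monomial(point, c, p) for c, a in coeffs.items()) % p


def solve_mod_p(matrix, rhs, p):
    """Gauss-Jordan elimination over Z_p; returns the solution or None if singular."""
    n = len(matrix)
    aug = [list(row) + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] % p), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [v * inv % p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % p for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def shifted_keys(point, shifts, target, p):
    """Equation (57): sk_i = sk_{i_l} + (shift_i - shift_{i_l}), with the chosen
    point playing the role of sk_{i_l}; shifts are the (xbar, ybar) from initialize."""
    return [tuple((point[k] + shifts[i][k] - shifts[target][k]) % p
                  for k in range(NUM_VARS)) for i in range(len(shifts))]


def recover_reduced_coefficients(circuit, shifts, target, degree, p, rng):
    """Steps (i)-(iii) of Section 5.2, repeated C(8+d, 8) times, then one linear solve.
    circuit: black box computing f_l on the list of all n secret keys.
    shifts:  the n shift tuples (xbar_{i,j}, ybar_{i,j}) chosen in initialize.
    target:  index i_l of the key whose 8 coordinates remain as variables.
    Returns {exponent tuple: coefficient} for the nonzero coefficients of f'_l."""
    exps = exponent_tuples(NUM_VARS, degree)
    while True:
        rows, rhs = [], []
        for _ in exps:
            point = tuple(rng.randrange(p) for _ in range(NUM_VARS))   # step (i)
            keys = shifted_keys(point, shifts, target, p)
            rhs.append(circuit(keys) % p)                               # steps (ii), (iii)
            rows.append([eval_monomial(point, c, p) for c in exps])    # monomials of (59)
        sol = solve_mod_p(rows, rhs, p)
        if sol is not None:  # a singular system happens only with negligible probability
            return {c: a for c, a in zip(exps, sol) if a}


# Constructed toy instance: n = 2 keys, degree d = 2, i_l = the first key (index 0).
TOY_SHIFTS = [(1, 2, 3, 4, 5, 6, 7, 8), (10, 20, 30, 40, 50, 60, 70, 80)]
TOY_TARGET = 0


def toy_circuit(keys):
    """Hypothetical f_l in 16 variables: 3 * x_{1,1} * y_{2,3} + 5 * x_{2,2} + 7."""
    (x11, *_), (_, _, x22, _, _, y23, *_) = keys
    return (3 * x11 * y23 + 5 * x22 + 7) % P


def recover_toy():
    """Reduce toy_circuit to its 8-variable form f'_l over key 0."""
    return recover_reduced_coefficients(toy_circuit, TOY_SHIFTS, TOY_TARGET, 2, P,
                                        random.Random(2017))


if __name__ == "__main__":
    # Expected: {(1,0,0,0,0,1,0,0): 3, (1,0,...,0): 162, (0,0,1,0,...,0): 5, (0,...,0): 142}
    for c, a in sorted(recover_toy().items(), reverse=True):
        print(c, a)
```

The shift differences turn the monomial $x_{1,1} y_{2,3}$ of $f_\ell$ into the four monomials $x_{i_\ell,1} y_{i_\ell,3}$, $x_{i_\ell,1}$, $x_{i_\ell,2}$ and a constant of $f'_\ell$, which is exactly the collapse from $\Theta(d^{8n})$ to $\Theta(d^8)$ monomials described above.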
5.3 How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we consider a simple case: constructing $\mathcal{E}$ for a concrete type of monomial function, that is,
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \tag{60}$$
Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 9.
Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial function, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that of Theorem 24 (cf. Table 2). The only difference lies in games $G_3$-$G_4$, which are related to the building block $\mathcal{E}$. Next we replace $G_3$-$G_4$ with the following hybrids (i.e., Hybrid 1 to Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, preserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathrm{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is preserved.
Figure 9: $\mathcal{E}$ designed for a concrete type of monomial function $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The two panels are $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$, reconstructed from the figure text as follows.

$\mathcal{E}.c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathrm{pk} = (h_1, h_2, h_3, h_4), m)$:
For $l \in \{0, 1, \ldots, 8\}$: $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$; $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$.
$\mathrm{table}$ is the $9 \times 8$ matrix whose row $l$ is $(u_{l,1}, \ldots, u_{l,8})$, except that for $l \in [8]$ the entry in row $l$ and column $l$ is $u_{l,l} \cdot v_{l-1}$ (row 0 is $(u_{0,1}, \ldots, u_{0,8})$ unchanged).
$e = v_8 \cdot T^{m} \bmod N^s$, $t = g_1^{m} \bmod N \in \mathbb{Z}_N$. Output $\mathcal{E}.c = (\mathrm{table}, e, t)$.

$m/\perp \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathrm{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.c)$:
Parse $\mathcal{E}.c = (\mathrm{table}, e, t)$ and parse $\mathrm{table}$ as the $9 \times 8$ matrix of entries $u_{l,k}$.
$\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$;
$\tilde{v}_1 = (u_{1,1}/\tilde{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$;
$\tilde{v}_2 = u_{2,1}^{-x_1} (u_{2,2}/\tilde{v}_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$; $\ \ldots$;
$\tilde{v}_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (u_{8,8}/\tilde{v}_7)^{-y_4}$ (all $\bmod N^s$).
If $e/\tilde{v}_8 \in \mathrm{RU}_{N^s}$: $m = \mathrm{dlog}_T(e/\tilde{v}_8) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$, output $m$. Otherwise output $\perp$.

Figure 10: Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for the concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The four panels (Hybrid 1, Hybrid 2, Hybrid 3, Hybrid 3 (Equivalent Form)) show $\mathcal{E}.c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(f, i \in [n])$ with $\mathrm{table}$ generated as in Figure 9 (in Hybrid 3 the entry in row 1 and column 1 becomes $u_{1,1} T^{a} \cdot v_0$), the titles $\tilde{v}_0, \ldots, \tilde{v}_8$ recomputed as in $\mathcal{E}.\mathsf{Decrypt}$, $e = \tilde{v}_8 \cdot T^{f'((x_j, y_j)_{j \in [4]})} \bmod N^s$ (and simply $e = \tilde{v}_8 \bmod N^s$ in the equivalent form), and $t = g_1^{f'((x_j, y_j)_{j \in [4]})} \bmod N \in \mathbb{Z}_N$.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $G_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \tag{61}$$

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathrm{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $G_3$ in the proof of Theorem 24.
(i) Invoke $\mathcal{E}.\mathsf{Encrypt}$ to set up $\mathrm{table}$.
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathrm{table}$.
(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Clearly, $\tilde{v}_0, \ldots, \tilde{v}_8$ computed via $\mathcal{E}.\mathsf{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathsf{Encrypt}$. Therefore this is just a conceptual change.

Hybrid 3. This hybrid corresponds to $G_4$ in the proof of Theorem 24.
(i) $\mathrm{table}$ is computed similarly as in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, in $\mathrm{table}$ the entry located in row 1 and column 1 is now computed as $u_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} = u_{1,1} \cdot v_0$. By the IV$_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathrm{table}$.
(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) $\mathrm{table}$ is computed similarly as in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry located in row 1 and column 1 of $\mathrm{table}$ is now computed as $u_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle preserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $G_7$-$G_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathrm{table}$ are elements of $\mathrm{SCR}_{N^s}$; if this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathrm{Bad}]$ in the proof of Theorem 24.
5.4 The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial function. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^{8})$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a $\mathrm{table}$ for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathrm{table}^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{TableGen}$ shown in Figure 11. Finally, in $e$, $T^{m}$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $\mathrm{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from $\mathrm{table}^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{CalculateV}$ in Figure 11. Thus the titles $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathrm{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM$[\mathcal{F}^d_{\mathrm{poly}}]$-CCA security for the set of polynomial functions. The proof is also similar to that of Theorem 24 (cf. Table 2). The only difference lies in games $G_3$-$G_4$. Next we replace $G_3$-$G_4$ with the following hybrids (Hybrid 1 to Hybrid 3). Specifically, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, preserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathrm{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is preserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $G_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \tag{62}$$
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathrm{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $G_3$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathrm{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathsf{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$;
(2) invoke $\tilde{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathrm{sk}_{i_\ell}, \mathrm{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Employ $(\tilde{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
24 Security and Communication Networks
[Figure 11, reconstructed from the page as text]

(a) $\mathcal{E}\mathsf{Encrypt}(\mathsf{pk}, m)$: For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, invoke $(\mathsf{table}(\mathbf{c}), V(\mathbf{c})) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$. Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} V(\mathbf{c}) \cdot T^{m} \bmod N^s$ and $t := g_1^{m} \bmod N \in \mathbb{Z}_N$. Output $\mathcal{E}c := ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$.

$\mathcal{E}\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}c)$: Parse $\mathcal{E}c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$. For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, invoke $\widetilde{V}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}(\mathbf{c}), \mathbf{c})$. If $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \widetilde{V}(\mathbf{c}))^{-1} \in \mathsf{RU}_{N^s}$, compute $m := \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \widetilde{V}(\mathbf{c}))^{-1}\big) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$, output $m$. Otherwise output $\bot$.

(b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \dots, c_8))$: For each $l \in \{0, 1, \dots, \sum_{j=1}^{8} c_j\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$ and compute
$(u_{l,1}, \dots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $V_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$.
$\mathsf{table}(\mathbf{c})$ consists of the rows
row $0$: $(u_{0,1}, u_{0,2}, \dots, u_{0,8})$;
rows $l = 1, \dots, c_1$ ($c_1$ rows): $(u_{l,1} \cdot V_{l-1}, u_{l,2}, \dots, u_{l,8})$;
rows $l = c_1 + 1, \dots, c_1 + c_2$ ($c_2$ rows): $(u_{l,1}, u_{l,2} \cdot V_{l-1}, u_{l,3}, \dots, u_{l,8})$;
$\vdots$
rows $l = \sum_{j=1}^{7} c_j + 1, \dots, \sum_{j=1}^{8} c_j$ ($c_8$ rows): $(u_{l,1}, \dots, u_{l,7}, u_{l,8} \cdot V_{l-1})$.
Output $(\mathsf{table}(\mathbf{c}), V(\mathbf{c}) := V_{\sum_{j=1}^{8} c_j})$.

(c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4), \mathsf{table}(\mathbf{c}), \mathbf{c} = (c_1, \dots, c_8))$: Parse $\mathsf{table}(\mathbf{c}) = (u_{l,1}, u_{l,2}, \dots, u_{l,8})_{l \in \{0, 1, \dots, \sum_{j=1}^{8} c_j\}}$.
$V_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$.
For each $l \in \{1, \dots, c_1\}$: $V_l := (u_{l,1} / V_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$.
For each $l \in \{c_1 + 1, \dots, c_1 + c_2\}$: $V_l := u_{l,1}^{-x_1} (u_{l,2} / V_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$.
$\vdots$
For each $l \in \{\sum_{j=1}^{7} c_j + 1, \dots, \sum_{j=1}^{8} c_j\}$: $V_l := u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (u_{l,8} / V_{l-1})^{-y_4}$.
Output $\widetilde{V}(\mathbf{c}) := V_{\sum_{j=1}^{8} c_j}$.

Figure 11: (a) $\mathcal{E}\mathsf{Encrypt}$ (left) and $\mathcal{E}\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^{d}_{\mathrm{poly}}$; (b) $\mathsf{TableGen}$, which generates $\mathsf{table}(\mathbf{c})$ together with a title $V(\mathbf{c})$; (c) $\mathsf{CalculateV}$, which calculates a title $\widetilde{V}(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ using the secret key.
Clearly, for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, $\widetilde{V}(\mathbf{c})$ computed via $\mathsf{CalculateV}$ is the same as $V(\mathbf{c})$ computed via $\mathsf{TableGen}$. Therefore, this change is just conceptual.

Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$:
(1) $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), V(\mathbf{c})) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference; more precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row $1$ and column $j := \min\{i \mid 1 \le i \le 8, c_i \ne 0\}$ is now computed as $u_{1,j} := (u_{1,j} T^{a_{(c_1, \dots, c_8)}}) \cdot V_0$ rather than $u_{1,j} := u_{1,j} \cdot V_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable.
(2) Extract $\widetilde{V}(\mathbf{c})$ from the (modified) $\mathsf{table}(\mathbf{c})$ by invoking $\widetilde{V}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.

(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \widetilde{V}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$ we have

$$\widetilde{V}(\mathbf{c}) = V(\mathbf{c}) \cdot T^{-a_{(c_1, \dots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \qquad (63)$$

Hence

$$e = \prod_{\mathbf{c} \in \mathcal{S}} \widetilde{V}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} V(\mathbf{c}) \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \dots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} V(\mathbf{c}) \cdot T^{\delta}. \qquad (64)$$

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), V(\mathbf{c})) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row $1$ and column $j := \min\{i \mid 1 \le i \le 8, c_i \ne 0\}$ is now computed as $u_{1,j} := (u_{1,j} T^{a_{(c_1, \dots, c_8)}}) \cdot V_0$ rather than $u_{1,j} := u_{1,j} \cdot V_0$.

(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} V(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}\mathsf{Encrypt}$ part of the $\textsc{encrypt}$ oracle reserves the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.
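To make the table mechanism of Figure 11 and the Hybrid 3 modification concrete, the following Python model (an added illustration, not the authors' code) implements $\mathsf{TableGen}$, $\mathsf{CalculateV}$, $\mathcal{E}\mathsf{Encrypt}$ and $\mathcal{E}\mathsf{Decrypt}$ for one degree tuple at a time, and reproduces the entropy-filter effect of (63): placing $T^{a}$ in the row-1 entry of the first nonzero block makes $\mathsf{CalculateV}$ return $V(\mathbf{c}) \cdot T^{-a\, x_1^{c_1} y_1^{c_2} \cdots y_4^{c_8}}$. Everything beyond the figure is an assumption of this model: a Damgård-Jurik group $\mathbb{Z}^{*}_{N^2}$ with $s = 2$ and $T = 1 + N$, generators $g_i$ taken as $2N$-th powers (so they carry no $T$-component), the public key shape $h_j = g_j^{-x_j} g_{j+1}^{-y_j}$ (the shape under which the exponent pattern of $\mathsf{CalculateV}$ matches the titles of $\mathsf{TableGen}$), and toy-sized constructed primes with seeded randomness.

```python
# Toy model of Figure 11 (TableGen / CalculateV / EEncrypt / EDecrypt); added illustration,
# not the paper's code. Assumed: group Z_{N^2}^*, s = 2, T = 1 + N, g_i = 2N-th powers,
# h_j = g_j^{-x_j} g_{j+1}^{-y_j}, constructed toy primes and a seeded RNG.
import random

P, Q = 1000003, 1000033        # constructed toy primes (a real N has ~2048 bits)
N, S = P * Q, 2
NS = N ** S
T = 1 + N                      # <T> = {1 + kN mod N^2} has order N^(S-1) = N

def inv(a):
    return pow(a, -1, NS)

def keygen(rng):
    g = [pow(rng.randrange(2, NS), 2 * N, NS) for _ in range(5)]   # g_1..g_5
    sk = [rng.randrange(1, N * N // 4) for _ in range(8)]           # x1,y1,...,x4,y4
    h = [pow(inv(g[j]), sk[2 * j], NS) * pow(inv(g[j + 1]), sk[2 * j + 1], NS) % NS
         for j in range(4)]                                          # h_j = g_j^-x_j g_{j+1}^-y_j
    return (g, h), sk

def block_of(c, l):
    """Column (0-based) that row l of table(c) is chained through: rows 1..c_1 use
    column 0, rows c_1+1..c_1+c_2 use column 1, ..., the last c_8 rows use column 7."""
    acc = 0
    for k, ck in enumerate(c):
        acc += ck
        if l <= acc:
            return k
    raise ValueError("row index exceeds sum(c)")

def table_gen(pk, c, rng, shift=0):
    """TableGen(pk, c) -> (table(c), V(c)).  shift = a != 0 applies the Hybrid 3 change:
    the row-1 entry of the first nonzero block becomes u_{1,j} * T^a * V_0."""
    g, h = pk
    rows, v_prev = [], None
    for l in range(sum(c) + 1):
        r = [rng.randrange(1, N // 4) for _ in range(4)]
        # (u_{l,1..8}) = (g1^r1, g2^r1, g2^r2, g3^r2, g3^r3, g4^r3, g4^r4, g5^r4)
        u = [pow(g[(k + 1) // 2], r[k // 2], NS) for k in range(8)]
        v_l = 1
        for j in range(4):                     # V_l = h1^r1 h2^r2 h3^r3 h4^r4
            v_l = v_l * pow(h[j], r[j], NS) % NS
        if l >= 1:
            j = block_of(c, l)
            if l == 1 and shift:
                u[j] = u[j] * pow(T, shift, NS) % NS
            u[j] = u[j] * v_prev % NS          # chain the previous title into this row
        rows.append(u)
        v_prev = v_l
    return rows, v_prev

def calculate_v(sk, table, c):
    """CalculateV(sk, table(c), c): peel the titles row by row using sk."""
    v = None
    for l, u in enumerate(table):
        base = list(u)
        if l >= 1:
            j = block_of(c, l)
            base[j] = base[j] * inv(v) % NS    # u_{l,j} / V_{l-1}
        v = 1
        for k in range(8):                     # V_l = prod_k base_k^{-sk_k}
            v = v * pow(inv(base[k]), sk[k], NS) % NS
    return v

def monomial(sk, c):
    """x1^c1 y1^c2 ... y4^c8 reduced mod N, the order of T."""
    out = 1
    for k in range(8):
        out = out * pow(sk[k], c[k], N) % N
    return out

def e_encrypt(pk, m, cset, rng):
    tables, prod_v = {}, 1
    for c in cset:
        tables[c], v_c = table_gen(pk, c, rng)
        prod_v = prod_v * v_c % NS
    e = prod_v * pow(T, m, NS) % NS            # T^m hidden by the product of the titles
    t = pow(pk[0][0], m, N)                    # t = g_1^m mod N
    return tables, e, t

def e_decrypt(sk, pk, ct):
    tables, e, t = ct
    prod_v = 1
    for c, table in tables.items():
        prod_v = prod_v * calculate_v(sk, table, c) % NS
    w = e * inv(prod_v) % NS
    if w % N != 1:                             # must lie in <T>, i.e. equal 1 + mN
        return None
    m = (w - 1) // N                           # dlog_T for s = 2
    return m if pow(pk[0][0], m, N) == t else None

def demo(seed=7):
    """Whole pipeline with seeded randomness; returns the checks as named results."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    c, m = (1, 2, 0, 1, 0, 0, 0, 0), 123456789          # monomial x1 * y1^2 * y2
    table, v_c = table_gen(pk, c, rng)
    tables, e, t = ct = e_encrypt(pk, m, [c, (0, 0, 0, 0, 1, 0, 0, 0)], rng)
    table_s, v_s = table_gen(pk, c, rng, shift=5)
    return {
        "titles_match": calculate_v(sk, table, c) == v_c,
        "roundtrip": e_decrypt(sk, pk, ct) == m,
        "tamper_rejected": e_decrypt(sk, pk, (tables, e, (t + 1) % N)) is None,
        "hybrid3_shift": calculate_v(sk, table_s, c) * pow(T, 5 * monomial(sk, c), NS) % NS == v_s,
    }
```

`demo()` checks the two facts the section relies on: with an honest table, $\mathsf{CalculateV}$ reproduces the title of $\mathsf{TableGen}$ (so decryption recovers $m$ and the $t = g_1^m$ check rejects a tampered ciphertext), while with the $T^{a}$ shift the recovered title is off by exactly $T^{-a \cdot \text{monomial}}$, which is why the shifted titles absorb the monomial terms of $f'_\ell$ in (64).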
With a similar argument as that in Section 5.3, we can change the $\textsc{decrypt}$ oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^{4} \bmod N$ is not employed at all.
Appendix

A. Proof of Claim 19

We build a PPT adversary $\mathcal{B}$ against the INT-OT security of $\mathsf{AE}$. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_{\$} \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathsf{AE}}$ and has access to the oracle $\textsc{encrypt}_{\mathsf{AE}}(\cdot) = \mathsf{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathsf{AIAE}}$ in the same way as in $\mathsf{G}'_{1,j}$. That is, it invokes $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, picks $\mathrm{H} \leftarrow_{\$} \mathcal{H}$ randomly, and sets $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathsf{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$.

As for the $\ell$-th ($\ell \in [Q_e]$) $\textsc{encrypt}$ query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.

(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.

(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all and instead resorts to its own $\textsc{encrypt}_{\mathsf{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, queries its $\textsc{encrypt}_{\mathsf{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\textsc{encrypt}_{\mathsf{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathsf{G}'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $\mathsf{G}'_{1,j}$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the $\mathsf{AE}$ scheme as follows:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \ne f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \ne (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \ne t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ implies that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \bot$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \bot$ together imply that $\chi^* \ne \chi_j$ and $\mathsf{AE.Decrypt}(\kappa, \chi^*) \ne \bot$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $\mathsf{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr_{1,j'}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3

To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{Chal}^{b}_{\mathrm{IV}_5}}(N, g_1, \dots, g_5)$ to solve the $\mathrm{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in $\textsc{initialize}$ as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}\mathsf{Encrypt}$ as follows.

(i) For the $0$-th row of $\mathsf{table}$, $\mathcal{B}$ computes $(u_{0,1}, \dots, u_{0,8})$ and $V_0$ as in Hybrids 2 and 3.

(ii) For the $1$st row, $\mathcal{B}$ queries its own $\mathsf{Chal}^{b}_{\mathrm{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,

Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.

$\mathcal{B}$ sets $u_{1,1} := u^*_{1,1} \cdot V_0$, which is $u_{1,1} \cdot V_0$ if $b = 0$ and $u_{1,1} T^{a} \cdot V_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \dots, u_{1,8})$ in the $1$st row of $\mathsf{table}$ using its public keys and sets the $1$st row of $\mathsf{table}$ to be

$$(u_{1,1} = u^*_{1,1} \cdot V_0,\; u^*_{1,2},\; u_{1,3},\; \cdots,\; u_{1,8}). \qquad (\mathrm{B.1})$$

$\mathcal{B}$ also computes $V^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \dots, u_{1,8})$ via $V^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $V^*_1 = V_1$, or
Case ($b = 1$): $V^*_1 = V_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the $2$nd row, $\mathcal{B}$ queries its own $\mathsf{Chal}^{b}_{\mathrm{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,

Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.

$\mathcal{B}$ sets $u_{2,2} := u^*_{2,2} \cdot V^*_1$, that is, $u_{2,2} = u_{2,2} \cdot V_1$ if $b = 0$ and $u_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(V_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot V_1$ if $b = 1$. Thus $u_{2,2} = u_{2,2} \cdot V_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \dots, u_{2,8})$ in the $2$nd row of $\mathsf{table}$ using its public keys and sets the $2$nd row of $\mathsf{table}$ to be

$$(u^*_{2,1},\; u_{2,2} = u^*_{2,2} \cdot V^*_1,\; u_{2,3},\; \cdots,\; u_{2,8}). \qquad (\mathrm{B.2})$$

$\mathcal{B}$ also computes $V^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \dots, u_{2,8})$ via $V^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $V^*_2 = V_2$, or
Case ($b = 1$): $V^*_2 = V_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the $3$rd row, $\mathcal{B}$ queries its own $\mathsf{Chal}^{b}_{\mathrm{IV}_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,

Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.

$\mathcal{B}$ sets $u_{3,3} := u^*_{3,3} \cdot V^*_2$; similarly, it is easy to check that $u_{3,3} = u_{3,3} \cdot V_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the $3$rd row of $\mathsf{table}$ using its public keys and sets the $3$rd row of $\mathsf{table}$ to be

$$(u_{3,1},\; u_{3,2},\; u_{3,3} = u^*_{3,3} \cdot V^*_2,\; u^*_{3,4},\; u_{3,5},\; \cdots,\; u_{3,8}). \qquad (\mathrm{B.3})$$

$\mathcal{B}$ also computes $V^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \dots, u_{3,8})$ via $V^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $V^*_3 = V_3$, or
Case ($b = 1$): $V^*_3 = V_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the $4$th to $8$th rows, $\mathcal{B}$ computes $\mathsf{table}$ similarly as above.

(vi) Finally, $\mathcal{B}$ computes $V_0, \dots, V_8$ from $\mathsf{table}$ just as in Hybrids 2 and 3 (also as the original $\mathcal{E}\mathsf{Decrypt}$ algorithm) and computes $e := V_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathrm{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant Nos. 61672346 and 61373153).
References

[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V.  Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
Lemma 17. For all $j \in [Q_e]$, $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS}}(\lambda)$.

Proof. To bound the difference between $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$, we build an efficient adversary $\mathcal{B}$ solving the subset membership problem. Given $(\mathsf{pars}_{\mathsf{THPS}}, C)$, where $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^\lambda)$, $\mathcal{B}$ aims to distinguish $C \leftarrow_{\$} \mathcal{V}$ from $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

$\mathcal{B}$ simulates $\mathsf{G}_{1,j}$ or $\mathsf{G}'_{1,j}$ for $\mathcal{A}$. Firstly, $\mathcal{B}$ invokes $\mathsf{pars}_{\mathsf{AE}} \leftarrow_{\$} \mathsf{AE.ParGen}(1^\lambda)$, picks $\mathrm{H} \leftarrow_{\$} \mathcal{H}$ randomly, and sends $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathrm{H})$ to $\mathcal{A}$. Next, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$.

As for the $\ell$-th ($\ell \in [Q_e]$) $\textsc{encrypt}$ query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$ randomly, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.

(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in both $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ chooses $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.

(iii) If $\ell = j$, $\mathcal{B}$ embeds its own challenge $C$ into $C_j$, that is, $C_j := C$. Then it computes $t_j := \mathrm{H}(C_j, \mathsf{ai}_j)$ and $\kappa_j := \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j)$, and invokes $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_j, m_j)$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.

Obviously, $\mathcal{B}$ simulates $\mathsf{G}_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{V}$ and simulates $\mathsf{G}'_{1,j}$ in the case of $C \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. Then $\mathcal{B}$ decides whether $\textsc{finalize}$ outputs $1$ or not with the help of $\mathsf{hk}$:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ outputs $0$ (to its own challenger).
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \ne f^*$, $\mathcal{B}$ outputs $0$.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ outputs $0$.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \ne (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ outputs $0$.
(vi) $\mathcal{B}$ computes $\kappa^* := \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) \in \mathcal{K}$ and outputs $(\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \bot)$.

With the help of $\mathsf{hk}$, $\mathcal{B}$ is able to perfectly simulate $\textsc{finalize}$ just like that in both $\mathsf{G}_{1,j}$ and $\mathsf{G}'_{1,j}$. Moreover, $\mathcal{B}$ outputs $1$ to its own challenger if and only if the event $\mathsf{Forge}$ occurs. As a result, we have that $|\Pr_{1,j}[\mathsf{Forge}] - \Pr_{1,j'}[\mathsf{Forge}]| \le \mathsf{Adv}^{\mathrm{smp}}_{\mathsf{THPS}, \mathcal{B}}(\lambda)$.

Game $\mathsf{G}''_{1,j}$, $j \in [Q_e]$. It is identical to $\mathsf{G}'_{1,j}$ except that, for the $j$-th $\textsc{encrypt}$ query, the challenger chooses $\kappa_j \leftarrow_{\$} \mathcal{K}$ randomly.

Lemma 18. For all $j \in [Q_e]$, $\Pr_{1,j'}[\mathsf{Forge}] \le \Pr_{1,j''}[\mathsf{Forge}] + \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda)$.

Proof. For game $\mathsf{G}'_{1,j}$ and game $\mathsf{G}''_{1,j}$, the difference between them lies in the computation of $\kappa_j$ in the $j$-th $\textsc{encrypt}$ query. In $\mathsf{G}'_{1,j}$, $\kappa_j$ is properly computed; in $\mathsf{G}''_{1,j}$, $\kappa_j$ is chosen from $\mathcal{K}$ uniformly.

We consider the information about the key $\mathsf{hk}$ that is used in $\mathsf{G}'_{1,j}$:

(i) For the $\ell$-th ($\ell \in [j-1]$) query, $\textsc{encrypt}$ does not use $\mathsf{hk}$ at all, since $\kappa_\ell$ is randomly chosen from $\mathcal{K}$.

(ii) For the $\ell$-th ($\ell \in [j+1, Q_e]$) query, similar to the proof of Lemma 16, $\textsc{encrypt}$ can use $\mathsf{pk} = \mu(\mathsf{sk})$ to compute $\kappa_\ell$.

(iii) For the $j$-th query, similar to the proof of Lemma 16, $\textsc{encrypt}$ uses $\Lambda_{\mathsf{hk}}(C_j, t_j)$ to compute $\kappa_j$, where $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$:

$$\kappa_j = \Lambda_{a_j \cdot \mathsf{hk} + \mathbf{b}_j}(C_j, t_j) = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \quad \text{via key-homomorphism.} \qquad (18)$$

(iv) The $\textsc{finalize}$ procedure, which defines the event $\mathsf{Forge}$, uses $\Lambda_{\mathsf{hk}}(C^*, t^*)$ to compute $\kappa^*$:

$$\kappa^* = \Lambda_{a^* \cdot \mathsf{hk} + \mathbf{b}^*}(C^*, t^*) = (\Lambda_{\mathsf{hk}}(C^*, t^*))^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) \quad \text{via key-homomorphism.} \qquad (19)$$

We divide the event $\mathsf{Forge}$ into the following two subevents.

(i) Subevent $\mathsf{Forge} \wedge t_j \ne t^*$. Let us first consider the event $t_j \ne t^*$. We show that

$$\Pr_{1,j'}[t_j \ne t^*] = \Pr_{1,j''}[t_j \ne t^*]. \qquad (20)$$

By the fact that $C_j \in \mathcal{C} \setminus \mathcal{V}$ and by the universal$_2$ property of $\mathsf{THPS}$, $\Lambda_{\mathsf{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$. Then, as long as $a_j \in \mathbb{Z}^{*}_{|\mathcal{K}|}$, $\kappa_j = (\Lambda_{\mathsf{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j)$ is also randomly distributed over $\mathcal{K}$. Hence $\mathsf{G}'_{1,j}$ is the same as $\mathsf{G}''_{1,j}$ before $\mathcal{A}$ queries $\textsc{finalize}$, and consequently $t_j \ne t^*$ occurs with the same probability in $\mathsf{G}'_{1,j}$ and $\mathsf{G}''_{1,j}$.

Next we consider the event $\mathsf{Forge}$ conditioned on $t_j \ne t^*$. We show that

$$\Pr_{1,j'}[\mathsf{Forge} \mid t_j \ne t^*] = \Pr_{1,j''}[\mathsf{Forge} \mid t_j \ne t^*]. \qquad (21)$$
Since 119905119895 = 119905lowast and 119862119895 isin C V by the universal2property of THPS Λ hk(119862119895 119905119895) is uniformly distributed overK conditioned on pk = 120583(hk) andΛ hk(119862lowast 119905lowast)With a similarargument 120581119895 is also randomly distributed over K HenceG10158401119895 is the same as G10158401015840
1119895 when 119905119895 = 119905lowast and consequently theprobability that Forge occurs inG1015840
1119895 andG101584010158401119895 conditioned on119905119895 = 119905lowast is the same
In conclusion we have that
Pr11198951015840 [Forge and 119905119895 = 119905lowast] = Pr111989510158401015840 [Forge and 119905119895 = 119905lowast]le Pr111989510158401015840 [Forge] (22)
(ii) Subevent Forge and 119905119895 = 119905lowast By the new rule addedin game G1 Forge and 119905119895 = 119905lowast will imply (119862119895 ai119895) =(119862lowast ailowast) In addition Forge and ai119895 = ailowast will imply that119891119895 = 119891lowast due to the special rule in the weak-INT-Fraff -RKAgame (see Figure 4) Then it is straightforward to check thatΛ hk(119862119895 119905119895) = Λ hk(119862lowast 119905lowast) and
120581119895 = (Λ hk (119862119895 119905119895))119886119895 sdot Λ b119895(119862119895 119905119895)
= (Λ hk (119862lowast 119905lowast))119886lowast sdot Λ blowast (119862lowast 119905lowast) = 120581lowast (23)
Since 119862119895 isin C V by the universal2 property of THPSΛ hk(119862119895 119905119895) (= Λ hk(119862lowast 119905lowast)) is uniformly distributed over Kconditioned on pk = 120583(hk) Then as long as 119886119895 (which equals119886lowast) isin Zlowast
|K| 120581119895 (which equals 120581lowast) is also randomly distributedover K Also in this subevent (ailowast 119891lowast 119862lowast) = (ai119895 119891119895 119862119895)implies 120594lowast = 120594119895 thus the probability ofAEDecrypt(120581lowast 120594lowast) =perp is bounded by Advint-otAE (120582) So we have the followingclaim We present the full description of the reduction inAppendix A
Claim 19 One has Pr11198951015840[Forge and 119905119895 = 119905lowast] le Advint-otAE (120582)Combining the above two subevents together Lemma 18
follows
Now we show that game G101584010158401119895 is computationally indis-
tinguishable from game G1119895+1 119895 isin [119876119890] Note that thedivergence between G10158401015840
1119895 and G1119895+1 lies in the distribution of119862119895 in the 119895th encrypt query In game G101584010158401119895 119862119895 is uniformly
chosen from C V in game G1119895+1 119862119895 is uniformly chosenfrom V Similar to Lemma 17 any difference between thesetwo games results in a PPT adversary solving the subsetmembership problem related to THPS thus we have that|Pr111989510158401015840[Forge] minus Pr1119895+1[Forge]| le Adv
smpTHPS
(120582)Finally in gameG1119876119890+1
note that the challenger does notuse hk to compute 120581ℓ at all thus hk is uniformly random toA Consequently in the finalize procedure we have
120581lowast = (Λ hk (119862lowast 119905lowast))119886lowast sdot Λ blowast (119862lowast 119905lowast) (24)
By the extracting property of THPSΛ hk(119862lowast 119905lowast) is uniformlyrandom over K Therefore as long as 119886lowast isin Zlowast
|K| 120581lowast isuniformly random over K as well Hence the probability of
AEDecrypt(120581lowast 120594lowast) =perp is bounded by Advint-otAE (120582) and wehave Pr1119876119890+1[Forge] le Advint-otAE (120582)
In all we proved the weak-INT-Fraff -RKA securityThis completes the proof ofTheorem 15 (weak-INT-Fraff -
RKA security)
Remark 20. We emphasize that the special rule in the weak-INT-$\mathcal{F}$-RKA game (cf. Figure 4) plays an essential role in proving Lemma 18. Below is the reason.

Without this special rule, the adversary is allowed to submit $f^* \ (= \langle a^*, \mathbf{b}^* \rangle)$ which is different from $f_j \ (= \langle a_j, \mathbf{b}_j \rangle)$ even if $\mathsf{ai}^* = \mathsf{ai}_j$ holds. In this case, we cannot expect to employ the INT-OT security of the underlying $\mathsf{AE}$ scheme to show that the second subevent ($\mathsf{Forge} \wedge t_j = t^*$) occurs with only a negligible probability. To demonstrate the problem clearly, suppose that the adversary $\mathcal{A}$ submits $f_j = \langle a_j, \mathbf{b}_j \rangle$ in the $j$th encrypt query and submits $f^* = \langle a^*, \mathbf{b}^* \rangle = \langle a_j, \mathbf{b}_j + \Delta \rangle$ in the finalize procedure, where $\Delta$ is a constant. Then we have
$$\kappa^* = \big(\Lambda_{\mathsf{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j + \Delta}(C_j, t_j) = \big(\Lambda_{\mathsf{hk}}(C_j, t_j)\big)^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \cdot \Lambda_{\Delta}(C_j, t_j) = \kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \quad (25)$$
where the second equality follows from the key-homomorphism of $\mathsf{THPS}$. Thus $\kappa^*$ and $\kappa_j$ are closely related but may not be equal; in particular, the quotient $\kappa^*/\kappa_j \ (= \Lambda_{\Delta}(C_j, t_j))$ is a constant.

Consequently, it is hard for us to show that the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs with a negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary $\mathcal{A}$, who obtains $\chi_j \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_j, m_j)$ in the $j$th encrypt query, to generate an AE ciphertext $\chi^*$ satisfying $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ (= \mathsf{AE.Decrypt}(\kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \chi^*)) \neq \bot$, it seems that INT-RKA security of $\mathsf{AE}$ is required to some extent. We definitely cannot require INT-RKA security for the underlying $\mathsf{AE}$ scheme, since we are constructing the (weak) INT-RKA secure (AI)AE scheme $\mathsf{AIAE}$. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT-$\mathcal{F}$-RKA game.
3.3. Tag-Based HPS from the DDH Assumption. Qin et al. [19] gave a construction of tag-based HPS from the $d$-LIN assumption. Here we construct a key-homomorphic $\mathsf{THPS}_{\mathsf{DDH}}$ under the DDH assumption in Figure 6. With a routine check, the projective property of $\mathsf{THPS}_{\mathsf{DDH}}$ follows.

Theorem 21. $\mathsf{THPS}_{\mathsf{DDH}}$ in Figure 6 is universal$_2$, extracting, and key-homomorphic. Moreover, the subset membership problem related to $\mathsf{THPS}_{\mathsf{DDH}}$ is hard under the DDH assumption for $\mathsf{GenN}$ and $\mathsf{QR}_{\bar N}$.
12 Security and Communication Networks

Figure 6: Construction of $\mathsf{THPS}_{\mathsf{DDH}}$. The figure specifies the following algorithms.

$\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$: $(p, q, N, \bar N) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ \mathsf{QR}_{\bar N}$. Output $\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2)$, which implicitly defines $(\mathcal{C}, \mathcal{V}, \mathcal{K}, \mathcal{T}, \mathcal{HK}, \Lambda_{(\cdot)}, \mathcal{PK}, \mu)$:
  $\mathcal{C} = \mathsf{QR}^2_{\bar N} \setminus \{(1, 1)\}$, $\mathcal{V} = \{(g_1^w, g_2^w) \mid w \in \mathbb{Z}_N \setminus \{0\}\} \subset \mathsf{QR}^2_{\bar N}$, $\mathcal{K} = \mathsf{QR}_{\bar N}$, $\mathcal{T} = \mathbb{Z}_N$, $\mathcal{HK} = (\mathbb{Z}_N)^4$;
  for $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$, $C = (c_1, c_2) \in \mathcal{C}$, and $t \in \mathcal{T}$: $\Lambda_{\mathsf{hk}}(C, t) = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t} \in \mathcal{K}$;
  for $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$: $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2},\ g_1^{k_3} g_2^{k_4}) \in \mathcal{PK}$.

$K \leftarrow \mathsf{THPS.Pub}(\mathsf{pk}, C, w, t)$: parse $\mathsf{pk} = (h_1, h_2) \in \mathcal{PK}$; output $K = h_1^{w} h_2^{wt}$.

$K \leftarrow \mathsf{THPS.Priv}(\mathsf{hk}, C, t)$: parse $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$ and $C = (c_1, c_2) \in \mathcal{C}$; output $K = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}$.

Proof of Theorem 21. Universal$_2$. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, $C' = (g_1^{w'_1}, g_2^{w'_2}) \in \mathcal{C} \setminus \mathcal{V}$, and $t, t' \in \mathcal{T}$ with $t \neq t'$. For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathsf{hk}}(C', t')$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$.
Denote $d := \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$. Firstly, $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + d k_2}, g_1^{k_3 + d k_4})$, which may leak the values of $k_1 + d k_2$ and $k_3 + d k_4$.

Next,
$$\Lambda_{\mathsf{hk}}(C, t) = (g_1^{w_1})^{k_1 + k_3 t} \cdot (g_2^{w_2})^{k_2 + k_4 t} = g_1^{X}, \qquad X := (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4), \quad (26)$$
which may further leak the value of $X$. Similarly,
$$\Lambda_{\mathsf{hk}}(C', t') = (g_1^{w'_1})^{k_1 + k_3 t'} \cdot (g_2^{w'_2})^{k_2 + k_4 t'} = g_1^{Y}, \qquad Y := (w'_1 k_1 + w'_2 d k_2) + t' \cdot (w'_1 k_3 + w'_2 d k_4). \quad (27)$$
By the fact that $C' = (g_1^{w'_1}, g_2^{w'_2}) \notin \mathcal{V}$, we have $w'_1 \neq w'_2$. Then, as long as $t \neq t'$, the linear function $Y$ of $(k_1, k_2, k_3, k_4)$ is independent of $k_1 + d k_2$, $k_3 + d k_4$, and $X$, and consequently $Y$ is uniformly distributed over $\mathbb{Z}_N$ even conditioned on these three values. Therefore, conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$, $\Lambda_{\mathsf{hk}}(C', t') \ (= g_1^{Y})$ is randomly distributed over $\mathcal{K} = \mathsf{QR}_{\bar N}$.
Extracting. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$ and $t \in \mathcal{T}$. For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathsf{hk}}(C, t)$.

By (26), $\Lambda_{\mathsf{hk}}(C, t) = g_1^{X}$ with $X = (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)$. Since $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, we have $(w_1, w_2) \neq (0, 0)$. Then, when $(k_1, k_2, k_3, k_4)$ is randomly chosen from $(\mathbb{Z}_N)^4$, $X$ is uniformly distributed over $\mathbb{Z}_N$. Consequently, $\Lambda_{\mathsf{hk}}(C, t)$ is randomly distributed over $\mathcal{K} = \mathsf{QR}_{\bar N}$.
Key-Homomorphism. For all $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$, all $a \in \mathbb{Z}$, all $\mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4$, all $C = (c_1, c_2) \in \mathcal{C}$, and all $t \in \mathcal{T}$, we have $a \cdot \mathsf{hk} + \mathbf{b} = a \cdot (k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) = (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4)$. Then it follows that
$$\Lambda_{a \cdot \mathsf{hk} + \mathbf{b}}(C, t) = c_1^{(a k_1 + b_1) + (a k_3 + b_3) t} \cdot c_2^{(a k_2 + b_2) + (a k_4 + b_4) t} = \big(c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}\big)^{a} \cdot \big(c_1^{b_1 + b_3 t} c_2^{b_2 + b_4 t}\big) = \Lambda_{\mathsf{hk}}(C, t)^{a} \cdot \Lambda_{\mathbf{b}}(C, t). \quad (28)$$
Subset Membership Problem. The subset membership problem related to $\mathsf{THPS}_{\mathsf{DDH}}$ requires that $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C = (g_1^{w}, g_2^{w}))$ is computationally indistinguishable from $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C' = (g_1^{w_1}, g_2^{w_2}))$, where $C \leftarrow_\$ \mathcal{V}$ and $C' \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$. It trivially holds under the DDH assumption for $\mathsf{GenN}$ and $\mathsf{QR}_{\bar N}$.
3.4. Instantiation $\mathsf{AIAE}_{\mathsf{DDH}}$ from DDH-Based $\mathsf{THPS}_{\mathsf{DDH}}$ and OT-Secure AE. When plugging the $\mathsf{THPS}_{\mathsf{DDH}}$ (cf. Figure 6) into the paradigm in Figure 5, we immediately obtain an AIAE scheme $\mathsf{AIAE}_{\mathsf{DDH}}$ under the DDH assumption, as shown in Figure 7. The key space is $\mathcal{K}_{\mathsf{AIAE}} = (\mathbb{Z}_N)^4$.

By combining Theorem 15 with Theorem 21, we have the following corollary regarding the RKA security of $\mathsf{AIAE}_{\mathsf{DDH}}$.

Corollary 22. If (i) the DDH assumption holds for $\mathsf{GenN}$ and $\mathsf{QR}_{\bar N}$, (ii) $\mathsf{AE}$ is one-time secure, and (iii) $\mathcal{H}$ is collision-resistant, then the scheme $\mathsf{AIAE}_{\mathsf{DDH}}$ in Figure 7 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here
$$\mathcal{F}_{\mathrm{raff}} := \Big\{ f_{(a, \mathbf{b})} : (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4 \mapsto (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4) \in (\mathbb{Z}_N)^4 \ \Big|\ a \in \mathbb{Z}^*_N,\ \mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4 \Big\}.$$

Remark 23. Our $\mathsf{AIAE}_{\mathsf{DDH}}$ enjoys the following property: $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$ will be randomly distributed over $\mathsf{QR}_{\bar N}$ as long as any element $k_j$ in $\mathbf{k} = (k_1, k_2, k_3, k_4)$ is uniformly chosen. As a result, the one-time security of $\mathsf{AE}$ will guarantee that $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) = \bot$ holds for any $(\mathsf{aiae.c}, \mathsf{ai})$ except with probability $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda) \le \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathsf{DDH}}}(\lambda)$. This fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.

Figure 7: Construction of $\mathsf{AIAE}_{\mathsf{DDH}}$ from $\mathsf{AE}$ and $\mathsf{THPS}_{\mathsf{DDH}}$. The figure specifies the following algorithms.

$\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_\$ \mathsf{AIAE.ParGen}(1^\lambda)$: $(p, q, N, \bar N) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ \mathsf{QR}_{\bar N}$; $\mathsf{pars}_{\mathsf{AE}} \leftarrow_\$ \mathsf{AE.ParGen}(1^\lambda)$; $\mathsf{H} \leftarrow_\$ \mathcal{H}$. Output $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$.

$\mathsf{AIAE.Encrypt}(\mathbf{k}, m, \mathsf{ai})$: parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$; $w \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$; $(c_1, c_2) = (g_1^{w}, g_2^{w}) \in \mathsf{QR}^2_{\bar N}$; $t = \mathsf{H}(c_1, c_2, \mathsf{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathsf{QR}_{\bar N}$; $\chi \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m)$. Output $\langle c_1, c_2, \chi \rangle$.

$\mathsf{AIAE.Decrypt}(\mathbf{k}, \langle c_1, c_2, \chi \rangle, \mathsf{ai})$: parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$; if $(c_1, c_2) \notin \mathsf{QR}^2_{\bar N}$ or $(c_1, c_2) = (1, 1)$, output $\bot$; $t = \mathsf{H}(c_1, c_2, \mathsf{ai}) \in \mathbb{Z}_N$; $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathsf{QR}_{\bar N}$. Output $\mathsf{AE.Decrypt}(\kappa, \chi)$.
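The following is an added toy implementation of $\mathsf{THPS}_{\mathsf{DDH}}$ from Figure 6 inside the $\mathsf{AIAE}_{\mathsf{DDH}}$ wrapper of Figure 7; it is not the authors' code. It checks the projective property ($\mathsf{THPS.Pub}$ agrees with $\Lambda_{\mathsf{hk}}$ on $\mathcal{V}$), the key-homomorphism identity (28) for a related key $a \cdot \mathsf{hk} + \mathbf{b}$ of the shape in $\mathcal{F}_{\mathrm{raff}}$ (the same computation underlies the quotient $\kappa^*/\kappa_j = \Lambda_\Delta(C_j, t_j)$ of Remark 20), and that decryption under a different $\mathsf{ai}$ or under the related key returns $\bot$, because the tag $t = \mathsf{H}(c_1, c_2, \mathsf{ai})$ and hence the derived $\kappa$ change. Assumptions not in the figures: $\mathsf{H}$ is SHA-256 reduced modulo $N$, $\mathsf{AE}$ is an improvised one-time encrypt-then-MAC built from SHA-256 and HMAC, and the parameters are tiny, so nothing here is secure. One caveat on $\mathsf{GenN}$ as the figure states it (safe primes $p, q$ with $\bar N = 2pq + 1$ prime), which is an observation of the editor and not something the page makes: every safe prime above 7 is congruent to 2 modulo 3, so for two such primes $3$ divides $2pq + 1$; the toy generator therefore fixes $p = 7$.

```python
"""Toy THPS_DDH (Figure 6) wrapped into AIAE_DDH (Figure 7).  Added example, not
the authors' code: tiny parameters, SHA-256 mod N as H and an improvised one-time
encrypt-then-MAC as AE.  It checks the identities the proofs rely on, not security."""
import hashlib
import hmac
import secrets

def is_prime(n):  # trial division, fine at toy size
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def gen_n(bound=30000):
    """Toy GenN: N = pq for safe primes with Nbar = 2N+1 prime.  Safe primes above 7
    are 2 mod 3, so 3 | 2pq+1 for any two of them; hence p is fixed to 7 and q is the
    largest safe prime below bound with 14q+1 prime (editor's observation)."""
    p = 7
    for q in range(bound, p, -1):
        if is_prime(q) and is_prime((q - 1) // 2) and is_prime(2 * p * q + 1):
            return p, q, p * q, 2 * p * q + 1
    raise RuntimeError("no toy parameters below bound")

def thps_setup():
    _, _, N, Nbar = gen_n()
    g1, g2 = (pow(secrets.randbelow(Nbar - 3) + 2, 2, Nbar) for _ in range(2))  # QR_Nbar
    return {"N": N, "Nbar": Nbar, "g1": g1, "g2": g2}

def Lambda(hk, C, t, pars):
    """Lambda_hk(C, t) = c1^(k1 + k3 t) c2^(k2 + k4 t); QR_Nbar has order N."""
    (k1, k2, k3, k4), (c1, c2), N, Nb = hk, C, pars["N"], pars["Nbar"]
    return pow(c1, (k1 + k3 * t) % N, Nb) * pow(c2, (k2 + k4 * t) % N, Nb) % Nb

def mu(hk, pars):
    """Projection key pk = (g1^k1 g2^k2, g1^k3 g2^k4)."""
    k1, k2, k3, k4 = hk
    g1, g2, Nb = pars["g1"], pars["g2"], pars["Nbar"]
    return (pow(g1, k1, Nb) * pow(g2, k2, Nb) % Nb, pow(g1, k3, Nb) * pow(g2, k4, Nb) % Nb)

def thps_pub(pk, w, t, pars):
    """THPS.Pub: h1^w h2^(w t) for C = (g1^w, g2^w) with witness w."""
    (h1, h2), N, Nb = pk, pars["N"], pars["Nbar"]
    return pow(h1, w, Nb) * pow(h2, w * t % N, Nb) % Nb

def tag(c1, c2, ai, N):  # t = H(c1, c2, ai) in Z_N
    return int.from_bytes(hashlib.sha256(f"{c1}|{c2}|".encode() + ai).digest(), "big") % N

def _keys(kappa):  # split kappa into an encryption key and a MAC key
    kb = kappa.to_bytes(16, "big")
    return hashlib.sha256(b"enc" + kb).digest(), hashlib.sha256(b"mac" + kb).digest()

def _xor(key, data):  # counter-mode keystream from SHA-256, XORed onto data
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def ae_encrypt(kappa, m):
    ek, mk = _keys(kappa)
    ct = _xor(ek, m)
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()

def ae_decrypt(kappa, chi):
    ek, mk = _keys(kappa)
    ct, mac = chi[:-32], chi[-32:]
    if not hmac.compare_digest(hmac.new(mk, ct, hashlib.sha256).digest(), mac):
        return None  # the paper's bot
    return _xor(ek, ct)

def aiae_encrypt(k, m, ai, pars):
    N, Nb = pars["N"], pars["Nbar"]
    w = secrets.randbelow(N - 1) + 1  # w in Z_N \ {0}
    c1, c2 = pow(pars["g1"], w, Nb), pow(pars["g2"], w, Nb)
    return c1, c2, ae_encrypt(Lambda(k, (c1, c2), tag(c1, c2, ai, N), pars), m)

def aiae_decrypt(k, aiae_c, ai, pars):
    (c1, c2, chi), N, Nb = aiae_c, pars["N"], pars["Nbar"]
    if (c1, c2) == (1, 1) or pow(c1, N, Nb) != 1 or pow(c2, N, Nb) != 1:
        return None  # (c1, c2) must lie in QR_Nbar^2 \ {(1,1)}; x^N == 1 tests QR membership
    return ae_decrypt(Lambda(k, (c1, c2), tag(c1, c2, ai, N), pars), chi)

def demo():
    pars = thps_setup()
    N, Nb = pars["N"], pars["Nbar"]
    hk = tuple(secrets.randbelow(N) for _ in range(4))
    w, t = secrets.randbelow(N - 1) + 1, secrets.randbelow(N)
    C = (pow(pars["g1"], w, Nb), pow(pars["g2"], w, Nb))  # C in V with witness w
    a, b = secrets.randbelow(N - 1) + 1, tuple(secrets.randbelow(N) for _ in range(4))
    hk_rel = tuple((a * k + bj) % N for k, bj in zip(hk, b))  # a*hk + b, as in F_raff
    m, ai = b"constructed payload", b"constructed auxiliary input"
    ct = aiae_encrypt(hk, m, ai, pars)
    return {"projective": thps_pub(mu(hk, pars), w, t, pars) == Lambda(hk, C, t, pars),
            "key_hom": Lambda(hk_rel, C, t, pars)
            == pow(Lambda(hk, C, t, pars), a, Nb) * Lambda(b, C, t, pars) % Nb,
            "roundtrip": aiae_decrypt(hk, ct, ai, pars) == m,
            "wrong_ai": aiae_decrypt(hk, ct, b"a different ai", pars),  # expect None
            "related_key": aiae_decrypt(hk_rel, ct, ai, pars)}           # expect None
```

`demo()` returns the five checks; the two `None` entries are the $\bot$ outputs. Every run draws fresh parameters and keys, so the two rejection checks hold up to a tag collision modulo $N$, i.e. with probability about $1/N$ they would pass instead.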
4. PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security

Denote by $\mathsf{AIAE}_{\mathsf{DDH}} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^4$. We need two other building blocks, following the approach in Figure 1:

$\mathsf{KEM}$: to be compatible with this $\mathsf{AIAE}_{\mathsf{DDH}}$, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.

$\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$ so that, after a computationally indistinguishable change, $\mathcal{E}.\mathsf{Encrypt}$ can serve as an entropy filter for the affine function set.

The proposed PKE scheme $\mathsf{PKE} = (\mathsf{ParGen}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$ is presented in Figure 8, in which the shadowed parts highlight the algorithms of $\mathsf{KEM}$ and $\mathcal{E}$.

The correctness of $\mathsf{PKE}$ is guaranteed by the correctness of $\mathsf{AIAE}_{\mathsf{DDH}}$, $\mathcal{E}$, and $\mathsf{KEM}$.

Theorem 24. If (i) the DCR assumption holds for $\mathsf{GenN}$ and $\mathsf{QR}_{N^s}$, (ii) $\mathsf{AIAE}_{\mathsf{DDH}}$ is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for $\mathsf{GenN}$ and $\mathsf{SCR}_{N^s}$, then the proposed scheme $\mathsf{PKE}$ in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.

Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, querying the encrypt oracle at most $Q_e$ times and the decrypt oracle at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.

In the proof, $\mathsf{G}_1$-$\mathsf{G}_2$ deal with the $n$-user case; $\mathsf{G}_3$-$\mathsf{G}_4$ eliminate the use of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^4$ in the encrypt oracle; the aim of $\mathsf{G}_5$-$\mathsf{G}_6$ is to use $(x_j, y_j)_{j=1}^4 \bmod N$ to hide a base key $\mathbf{k}^* = (k^*_1, \dots, k^*_4)$ of $\mathsf{AIAE}_{\mathsf{DDH}}$ in the encrypt oracle; $\mathsf{G}_7$-$\mathsf{G}_8$ eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the decrypt oracle; in $\mathsf{G}_9$-$\mathsf{G}_{10}$, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathsf{AIAE}_{\mathsf{DDH}}$ leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^* = (k^*_1, \dots, k^*_4)$ is now concealed by $(x_j, y_j)_{j=1}^4 \bmod N$ perfectly.

Game $\mathsf{G}_0$. It is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta' = \beta$ by $\mathsf{Succ}$. According to the definition, $\mathsf{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathsf{PKE}, \mathcal{A}}(\lambda) = |\Pr_0[\mathsf{Succ}] - 1/2|$.

For the $i$th user, $i \in [n]$, let $\mathsf{pk}_i = (h_{i,1}, \dots, h_{i,4})$ and $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key, respectively.

Game $\mathsf{G}_1$. It is identical to $\mathsf{G}_0$ except the way of answering the decrypt query $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$. More precisely, the challenger outputs $\bot$ if $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ for some $\ell \in [Q_e]$, where $\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ is the challenge ciphertext of the $\ell$th encrypt oracle query $(f_\ell, i_\ell)$.

Case 1 ($(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i) = (\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle, i_\ell)$): decrypt will output $\bot$ in $\mathsf{G}_0$, since $(\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle, i_\ell) \in \mathcal{Q}_{\mathrm{ENC}}$ is prohibited by decrypt.

Case 2 ($\langle \mathsf{ai}, \mathsf{aiae.c} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ but $i \neq i_\ell$): we show that in $\mathsf{G}_0$ decrypt will output $\bot$ due to $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathsf{RU}_{N^2}$ with overwhelming probability. Recall that $u_{\ell,1} = g_1^{r_\ell}$, $u_{\ell,2} = g_2^{r_\ell}$, and $e_{\ell,1} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}}$, so
$$e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}} \cdot (g_1^{r_\ell})^{x_{i,1}} (g_2^{r_\ell})^{y_{i,1}} = \big(h_{i_\ell,1} h_{i,1}^{-1}\big)^{r_\ell} \, T^{k_{\ell,1}} \bmod N^2, \quad (29)$$
where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$th user and the $i$th user, respectively, and are uniformly random over $\mathsf{SCR}_{N^s}$.
Figure 8: Construction of $\mathsf{PKE}$ from $\mathsf{AIAE}_{\mathsf{DDH}}$. The shadowed parts of the figure highlight the algorithms of $\mathsf{KEM}$ and $\mathcal{E}$. Here $p, q$ in $\mathsf{pars}_{\mathsf{AIAE}}$ are not provided in $\mathsf{pars}'_{\mathsf{AIAE}}$, since they are not used in $\mathsf{AIAE.Encrypt}$ and $\mathsf{AIAE.Decrypt}$ of $\mathsf{AIAE}_{\mathsf{DDH}}$. The figure specifies the following algorithms.

$\mathsf{pars} \leftarrow_\$ \mathsf{ParGen}(1^\lambda)$: $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H}) \leftarrow_\$ \mathsf{AIAE.ParGen}(1^\lambda)$, where $N = pq$, $\bar N = 2N + 1$, and $g_1, g_2 \in \mathsf{QR}_{\bar N}$; set $\mathsf{pars}'_{\mathsf{AIAE}} = (N, \bar N, g_1, g_2, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$. Then $g_1, g_2, g_3, g_4, g_5 \leftarrow_\$ \mathsf{SCR}_{N^s}$ (these five generators of $\mathsf{SCR}_{N^s}$ are separate from the two $\mathsf{QR}_{\bar N}$ generators carried inside $\mathsf{pars}'_{\mathsf{AIAE}}$). Output $\mathsf{pars} = (\mathsf{pars}'_{\mathsf{AIAE}}, g_1, g_2, g_3, g_4, g_5)$.

$(\mathsf{pk}, \mathsf{sk}) \leftarrow_\$ \mathsf{KeyGen}(\mathsf{pars})$: $x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4 \leftarrow_\$ [\lfloor N^2/4 \rfloor]$; $(h_1, h_2, h_3, h_4) = (g_1^{-x_1} g_2^{-y_1},\ g_2^{-x_2} g_3^{-y_2},\ g_3^{-x_3} g_4^{-y_3},\ g_4^{-x_4} g_5^{-y_4}) \bmod N^s$; $\mathsf{pk} = (h_1, h_2, h_3, h_4)$, $\mathsf{sk} = (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4)$. Output $(\mathsf{pk}, \mathsf{sk})$.

$\langle \mathsf{ai}, \mathsf{aiae.c} \rangle \leftarrow_\$ \mathsf{Encrypt}(\mathsf{pk}, m)$, $m \in [N^{s-1}]$: $(\mathbf{k}, \mathsf{ai}) \leftarrow_\$ \mathsf{KEM.Encrypt}(\mathsf{pk})$; $\mathcal{E}.c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$; $\mathsf{aiae.c} \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}, \mathcal{E}.c, \mathsf{ai})$. Output $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle$.

  $\mathsf{KEM.Encrypt}(\mathsf{pk})$: $\mathbf{k} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$; $r \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_1, u_2, u_3, u_4, u_5) = (g_1^{r}, g_2^{r}, g_3^{r}, g_4^{r}, g_5^{r}) \bmod N^2$; $(e_1, e_2, e_3, e_4) = (h_1^{r} T^{k_1}, h_2^{r} T^{k_2}, h_3^{r} T^{k_3}, h_4^{r} T^{k_4}) \bmod N^2$; $\mathsf{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$.

  $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$: $r_1, r_2, r_3, r_4 \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(\tilde u_1, \dots, \tilde u_8) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$; $e = h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^{m} \bmod N^s$; $t = g_1^{m} \bmod N \in \mathbb{Z}_N$; $\mathcal{E}.c = (\tilde u_1, \dots, \tilde u_8, e, t)$.

$m/\bot \leftarrow \mathsf{Decrypt}(\mathsf{sk}, \langle \mathsf{ai}, \mathsf{aiae.c} \rangle)$: $\mathbf{k}/\bot \leftarrow \mathsf{KEM.Decrypt}(\mathsf{sk}, \mathsf{ai})$; $\mathcal{E}.c/\bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai})$; $m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}.c)$.

  $\mathsf{KEM.Decrypt}(\mathsf{sk}, \mathsf{ai})$: parse $\mathsf{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$. If $e_1 u_1^{x_1} u_2^{y_1},\ e_2 u_2^{x_2} u_3^{y_2},\ e_3 u_3^{x_3} u_4^{y_3},\ e_4 u_4^{x_4} u_5^{y_4} \in \mathsf{RU}_{N^2}$, then $\mathbf{k} = (k_1, k_2, k_3, k_4) = \big(\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}),\ \mathrm{dlog}_T(e_2 u_2^{x_2} u_3^{y_2}),\ \mathrm{dlog}_T(e_3 u_3^{x_3} u_4^{y_3}),\ \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})\big) \bmod N$ and output $\mathbf{k}$; else output $\bot$.

  $\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}.c)$: parse $\mathcal{E}.c = (\tilde u_1, \dots, \tilde u_8, e, t)$. If $e \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4} \in \mathsf{RU}_{N^s}$, then $m = \mathrm{dlog}_T\big(e \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4}\big) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$, output $m$, else output $\bot$. Otherwise output $\bot$.
So $h_{i_\ell,1} h_{i,1}^{-1} \neq 1$; hence $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathsf{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus $\mathsf{G}_0$ and $\mathsf{G}_1$ are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$ according to the union bound, and $|\Pr_0[\mathsf{Succ}] - \Pr_1[\mathsf{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Game $\mathsf{G}_2$. It is identical to $\mathsf{G}_1$ except the way the challenger samples the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game $\mathsf{G}_2$, the challenger first chooses $(x_1, y_1, \dots, x_4, y_4)$ and $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$; next it computes $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) := (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.

Obviously, the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence $\mathsf{G}_2$ is identical to $\mathsf{G}_1$, and $\Pr_1[\mathsf{Succ}] = \Pr_2[\mathsf{Succ}]$.

Game $\mathsf{G}_3$. It is identical to $\mathsf{G}_2$ except the way the challenger responds to the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game $\mathsf{G}_3$, instead of using the public key $\mathsf{pk}_{i_\ell} = (h_{i_\ell,1}, \dots, h_{i_\ell,4})$, the challenger uses the secret key $\mathsf{sk}_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \dots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell,1}, \dots, e_{\ell,4})$ and $e_\ell$ in the following way:
(i)
$$(e_{\ell,1}, \dots, e_{\ell,4}) := \big(u_{\ell,1}^{-x_{i_\ell,1}} u_{\ell,2}^{-y_{i_\ell,1}} T^{k_{\ell,1}},\ \dots,\ u_{\ell,4}^{-x_{i_\ell,4}} u_{\ell,5}^{-y_{i_\ell,4}} T^{k_{\ell,4}}\big) \bmod N^2, \quad (30)$$
(ii)
$$e_\ell := \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \tilde u_{\ell,3}^{-x_{i_\ell,2}} \tilde u_{\ell,4}^{-y_{i_\ell,2}} \tilde u_{\ell,5}^{-x_{i_\ell,3}} \tilde u_{\ell,6}^{-y_{i_\ell,3}} \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} \, T^{m_\beta} \bmod N^s. \quad (31)$$
Note that for $j \in [4]$,
$$\begin{aligned} e_{\ell,j} &\overset{\mathsf{G}_2}{=} h_{i_\ell,j}^{r_\ell} T^{k_{\ell,j}} = \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_\ell} T^{k_{\ell,j}} \overset{\mathsf{G}_3}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} \bmod N^2, \\ e_\ell &\overset{\mathsf{G}_2}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{m_\beta} = \big(g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}}\big)^{r_{\ell,1}} \cdots \big(g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}}\big)^{r_{\ell,4}} T^{m_\beta} \\ &\overset{\mathsf{G}_3}{=} \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \end{aligned} \quad (32)$$

Table 2: Brief description of the security proof of Theorem 24. Each entry gives the change between adjacent games and the assumption that step relies on.

$\mathsf{G}_0$: the original $n$-KDM-CCA security game. Assumption: none.

$\mathsf{G}_1$: decrypt rejects if $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ for some $\ell \in [Q_e]$. $\mathsf{G}_0 \approx_s \mathsf{G}_1$.

$\mathsf{G}_2$: initialize samples the secret keys as $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) = (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$. $\mathsf{G}_1 = \mathsf{G}_2$.

$\mathsf{G}_3$: encrypt$(f_\ell, i_\ell)$ uses the secret keys to run $\mathsf{KEM.Encrypt}$ and $\mathcal{E}.\mathsf{Encrypt}$. $\mathsf{G}_2 = \mathsf{G}_3$.

$\mathsf{G}_4$: encrypt$(f_\ell, i_\ell)$, when the encrypt oracle encrypts an affine function of the secret keys, computes $\mathcal{E}.c$ with $(\tilde u_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \dots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \dots, g_5^{r_{\ell,4}})$; if $(\delta_j)_{j \in [8]}$ is carefully chosen, encrypt no longer uses $(x_j, y_j)_{j=1}^4 \bmod N$. $\mathsf{G}_3 \approx_c \mathsf{G}_4$ by IV$_5$.

$\mathsf{G}_5$: encrypt$(f_\ell, i_\ell)$ computes $\mathsf{kem.ct}$ ($= \mathsf{ai}$) of $\mathsf{KEM.Encrypt}$ with $(u_{\ell,j})_{j \in [5]} = ((g_j^{r^*} T^{\alpha_j})^{r_\ell})_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now $\mathsf{KEM.Encrypt}$ encapsulates the four keys $(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}))_{j=1}^4 \bmod N$, but $(k_{\ell,j})_{j=1}^4$ is the key used in $\mathsf{AIAE.Encrypt}$. $\mathsf{G}_4 \approx_c \mathsf{G}_5$ by IV$_5$.

$\mathsf{G}_6$: encrypt$(f_\ell, i_\ell)$ samples $k_{\ell,j} := r_\ell k^*_j + s_{\ell,j}$ for $j \in [4]$. Now $\mathsf{KEM.Encrypt}$ encapsulates the four keys $(r_\ell(k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell(\alpha_j \bar x_{i,j} + \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j})_{j=1}^4$, but $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in $\mathsf{AIAE.Encrypt}$. $\mathsf{G}_5 = \mathsf{G}_6$.

$\mathsf{G}_7$: decrypt uses $\phi(N)$ and the secret keys to answer decryption queries. $\mathsf{G}_6 = \mathsf{G}_7$.

$\mathsf{G}_8$: decrypt adds a rejection rule: reject if $\mathsf{Bad}' = (\exists u_j \notin \mathsf{SCR}_{N^2})$ or $\widetilde{\mathsf{Bad}} = (\forall u_j \in \mathsf{SCR}_{N^2}) \wedge (\exists \tilde u_j \notin \mathsf{SCR}_{N^s})$ happens; both can be detected using $\phi(N)$. Now only the $(\bmod\ \phi(N)/4)$ part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^4 \bmod N$ perfectly hides $(k^*_1, \dots, k^*_4)$ in encrypt, thus $(k^*_1, \dots, k^*_4)$ is uniform; $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in $\mathsf{AIAE.Encrypt}$. $\mathsf{Bad}'$ may lead to a fresh successful forgery for $\mathsf{AIAE}_{\mathsf{DDH}}$. $\mathsf{G}_7 = \mathsf{G}_8$ if neither $\mathsf{Bad}'$ nor $\widetilde{\mathsf{Bad}}$ happens; $\Pr[\mathsf{Bad}'] = \mathrm{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathsf{AIAE}_{\mathsf{DDH}}$.

$\mathsf{G}_9$: initialize samples an independent random tuple $(k^*_1, \dots, k^*_4)$; encrypt$(f_\ell, i_\ell)$ uses $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ in $\mathsf{AIAE.Encrypt}$. $\mathsf{G}_8 = \mathsf{G}_9$ to the adversary.

$\mathsf{G}_{10}$: encrypt encrypts zeros instead of the affine function of the secret keys. $\widetilde{\mathsf{Bad}}$ happens with negligible probability since $t = g_1^{m} \bmod N$ is checked in decrypt; adversary $\mathcal{A}$ wins with probability $1/2$. $\mathsf{G}_9 \approx_c \mathsf{G}_{10}$ by the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathsf{AIAE}_{\mathsf{DDH}}$; $\Pr[\widetilde{\mathsf{Bad}}] = \mathrm{negl}$.
Thus $\mathsf{G}_3$ is the same as $\mathsf{G}_2$, and $\Pr_2[\mathsf{Succ}] = \Pr_3[\mathsf{Succ}]$.

Game $\mathsf{G}_4$. It is identical to $\mathsf{G}_3$ except the way the challenger responds to the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game $\mathsf{G}_4$, in the case of $\beta = 1$, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and $e_\ell$ are computed without the use of $(x_1, y_1, \dots, x_4, y_4) \bmod N$:
(i)
$$(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8}) := \Big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\Big) \bmod N^s, \quad (33)$$
(ii)
$$e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} \, T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \bmod N^s, \quad (34)$$
where $f_\ell = (\{a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$. Note that
$$\begin{aligned} e_\ell &\overset{\mathsf{G}_4}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \\ &= \prod_{j=1}^4 \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j}\right)} \\ &= \prod_{j=1}^4 \big(g_j^{r_{\ell,j}} T^{\sum_{i=1}^n a_{i,j}}\big)^{-x_{i_\ell,j}} \big(g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^n b_{i,j}}\big)^{-y_{i_\ell,j}} \cdot T^{m_1} \\ &= \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} \, T^{m_1} \bmod N^s, \end{aligned} \quad (35)$$
where the second equality follows from $m_1 = \sum_{i=1}^n \left(a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}\right) + c$.
We analyze the difference between $\mathsf{G}_3$ and $\mathsf{G}_4$ via the following lemma.

Lemma 25. One has $|\Pr_3[\mathsf{Succ}] - \Pr_4[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is the same in $\mathsf{G}_3$ and $\mathsf{G}_4$. Therefore, the only divergence between $\mathsf{G}_3$ and $\mathsf{G}_4$ lies in $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$.

We show that any difference between $\mathsf{G}_3$ and $\mathsf{G}_4$ results in a PPT adversary $\mathcal{B}_1$ solving the IV$_5$ problem. $\mathcal{B}_1$ is provided with $(N, g_1, \dots, g_5)$ and has access to its $\mathsf{chal}^{b}_{\mathrm{IV5}}$ oracle. $\mathcal{B}_1$ simulates game $\mathsf{G}_3$ or game $\mathsf{G}_4$ for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares $\mathsf{pars}$ and generates $(\mathsf{pk}_i, \mathsf{sk}_i)$, $i \in [n]$, as in $\mathsf{G}_3$ and $\mathsf{G}_4$. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = (\{a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathsf{chal}^{b}_{\mathrm{IV5}}$ oracle with $(\sum_{i=1}^n a_{i,1}, \sum_{i=1}^n b_{i,1}, *, *, *)$, $(*, \sum_{i=1}^n a_{i,2}, \sum_{i=1}^n b_{i,2}, *, *)$, $(*, *, \sum_{i=1}^n a_{i,3}, \sum_{i=1}^n b_{i,3}, *)$, $(*, *, *, \sum_{i=1}^n a_{i,4}, \sum_{i=1}^n b_{i,4})$, where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde u_{\ell,1}, \tilde u_{\ell,2}, *, *, *)$, $(*, \tilde u_{\ell,3}, \tilde u_{\ell,4}, *, *)$, $(*, *, \tilde u_{\ell,5}, \tilde u_{\ell,6}, *)$, $(*, *, *, \tilde u_{\ell,7}, \tilde u_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathsf{chal}^{b}_{\mathrm{IV5}}$ oracle, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}})$.

Case 2 ($b = 1$): $(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}})$.

Next, $\mathcal{B}_1$ uses the obtained $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$, since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event $\mathsf{Succ}$ occurs.

In Case 1, $\mathcal{B}_1$ simulates game $\mathsf{G}_3$ perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game $\mathsf{G}_4$ perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathsf{Succ}]$ and $\Pr_4[\mathsf{Succ}]$ results in $\mathcal{B}_1$'s advantage over the IV$_5$ problem. Thus Lemma 25 follows.
Game $\mathsf{G}_5$. It is identical to $\mathsf{G}_4$ except for the following differences. In the initialize procedure of game $\mathsf{G}_5$, the challenger picks $r^* \leftarrow_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \dots, \alpha_5 \leftarrow_\$ \mathbb{Z}_N$ randomly. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \dots, u_{\ell,5})$ as follows:
(i) $(u_{\ell,1}, \dots, u_{\ell,5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$.

The only difference between $\mathsf{G}_4$ and $\mathsf{G}_5$ is the distribution of $(u_{\ell,1}, \dots, u_{\ell,5})$. In game $\mathsf{G}_4$, $(u_{\ell,1}, \dots, u_{\ell,5}) = (g_1^{r_\ell}, \dots, g_5^{r_\ell}) \bmod N^2$, while in game $\mathsf{G}_5$, $(u_{\ell,1}, \dots, u_{\ell,5}) = \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$. Just like Lemma 25, any difference between $\mathsf{G}_4$ and $\mathsf{G}_5$ results in a PPT adversary solving the IV$_5$ problem by invoking $\mathcal{A}$. Therefore $|\Pr_4[\mathsf{Succ}] - \Pr_5[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.

Game $\mathsf{G}_6$. It is identical to $\mathsf{G}_5$ except for the following differences. In the initialize procedure of game $\mathsf{G}_6$, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \dots, e_{\ell,4})$ in a different way:
(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_\$ (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \dots, r_\ell k^*_4 + s_{\ell,4})$.
(ii)
$$(e_{\ell,1}, \dots, e_{\ell,4}) := \Big(h_{i_\ell,1}^{r^* r_\ell} \, T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}},\ \dots,\ h_{i_\ell,4}^{r^* r_\ell} \, T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\Big). \quad (36)$$
Clearly $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game $\mathsf{G}_5$. In the meantime, for $j \in [4]$ we have
$$\begin{aligned} e_{\ell,j} &\overset{\mathsf{G}_5}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} = \big(g_j^{r^*} T^{\alpha_j}\big)^{-r_\ell \cdot x_{i_\ell,j}} \big(g_{j+1}^{r^*} T^{\alpha_{j+1}}\big)^{-r_\ell \cdot y_{i_\ell,j}} T^{k_{\ell,j}} \\ &= \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r^* r_\ell} \, T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \\ &\overset{\mathsf{G}_6}{=} h_{i_\ell,j}^{r^* r_\ell} \, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \end{aligned} \quad (37)$$
Thus $\mathsf{G}_6$ is the same as $\mathsf{G}_5$, and $\Pr_5[\mathsf{Succ}] = \Pr_6[\mathsf{Succ}]$.

Game $\mathsf{G}_7$. It is identical to $\mathsf{G}_6$ except the way the challenger answers the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$. In game $\mathsf{G}_7$, it uses $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p - 1)(q - 1)$ to decrypt $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle$, where $\mathsf{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \dots, k_4)$ and $m$ in the following way:
(i)
$$(\alpha'_1, \dots, \alpha'_5) := \Big(\frac{\mathrm{dlog}_T(u_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(u_5^{\phi(N)})}{\phi(N)}\Big) \bmod N, \qquad (\gamma'_1, \dots, \gamma'_4) := \Big(\frac{\mathrm{dlog}_T(e_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(e_4^{\phi(N)})}{\phi(N)}\Big) \bmod N,$$
$$\mathbf{k} = (k_1, \dots, k_4) := \big(\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1,\ \dots,\ \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4\big) \bmod N. \quad (38)$$
(ii)
$$\mathcal{E}.c = (\tilde u_1, \dots, \tilde u_8, e, t) / \bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}). \quad (39)$$
(iii)
$$(\tilde\alpha_1, \dots, \tilde\alpha_8) := \Big(\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}\Big) \bmod N^{s-1}, \qquad \gamma := \frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)} \bmod N^{s-1},$$
$$m := \tilde\alpha_1 x_{i,1} + \tilde\alpha_2 y_{i,1} + \tilde\alpha_3 x_{i,2} + \tilde\alpha_4 y_{i,2} + \tilde\alpha_5 x_{i,3} + \tilde\alpha_6 y_{i,3} + \tilde\alpha_7 x_{i,4} + \tilde\alpha_8 y_{i,4} + \gamma \bmod N^{s-1}. \quad (40)$$

According to (8), for $j \in [4]$ we have that
$$\begin{aligned} k_j &\overset{\mathsf{G}_6}{=} \mathrm{dlog}_T\big(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}}\big) = \frac{\mathrm{dlog}_T\big((e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)}\big)}{\phi(N)} \bmod N \\ &= \frac{\mathrm{dlog}_T(u_j^{\phi(N) \cdot x_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N) \cdot y_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)} \\ &\overset{\mathsf{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}}_{\gamma'_j}, \\ m &\overset{\mathsf{G}_6}{=} \mathrm{dlog}_T\big(e \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}}\big) \bmod N^{s-1} \\ &\overset{\mathsf{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}}_{\tilde\alpha_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}}_{\tilde\alpha_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)}}_{\gamma}. \end{aligned} \quad (41)$$
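As an added example (not the authors' code), here is the $\mathsf{KEM}$ part of Figure 8 with $s = 2$ next to the $\phi(N)$-based decryption of $\mathsf{G}_7$ and the rejection rule of $\mathsf{G}_8$, so that the identity in (41) can be checked numerically. It assumes a pair of constructed toy safe primes (hard-coded, with $(p-1)/2$ and $(q-1)/2$ prime) and uses Python's `pow(x, -1, n)` for modular inverses. The malformed query it builds, $u_1$ multiplied by $T^{\delta}$, is the shape behind $\mathsf{Bad}'$: the original $\mathsf{KEM.Decrypt}$ still returns a key, but one that depends on $x_1 \bmod N$, which is exactly the dependence the rule in $\mathsf{G}_8$ shuts off by rejecting any $u_j$ with a nonzero $\alpha'_j$.

```python
"""KEM part of Figure 8 (s = 2, arithmetic mod N^2) next to the phi(N)-based
decryption the proof switches to in G7 and the rejection rule added in G8.
Added example, not the authors' code; toy primes, no security claimed."""
import math
import secrets

P, Q = 1019, 1187  # constructed toy safe primes: (P-1)/2 = 509 and (Q-1)/2 = 593 are prime

def setup():
    N = P * Q
    if math.gcd((P - 1) * (Q - 1), N) != 1:
        raise ValueError("phi(N) must be invertible mod N")
    g = []
    while len(g) < 5:  # g_1..g_5 in SCR_{N^2}: 2N-th powers of units mod N^2
        x = secrets.randbelow(N * N - 2) + 2
        if math.gcd(x, N) == 1:
            g.append(pow(x, 2 * N, N * N))
    return {"N": N, "N2": N * N, "T": N + 1, "phi": (P - 1) * (Q - 1), "g": g}

def keygen(pars):
    N, N2, g = pars["N"], pars["N2"], pars["g"]
    sk = [secrets.randbelow(N * N // 4) for _ in range(8)]  # x1, y1, ..., x4, y4
    pk = [pow(g[j], -sk[2 * j], N2) * pow(g[j + 1], -sk[2 * j + 1], N2) % N2
          for j in range(4)]                                  # h_j = g_j^-x_j g_{j+1}^-y_j
    return pk, sk

def kem_encrypt(pk, pars):
    N, N2, T, g = pars["N"], pars["N2"], pars["T"], pars["g"]
    k = [secrets.randbelow(N) for _ in range(4)]
    r = secrets.randbelow(N // 4)
    u = [pow(gj, r, N2) for gj in g]
    e = [pow(pk[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return k, (u, e)                                          # ai = (u_1..u_5, e_1..e_4)

def dlog_T(y, N):
    """dlog_T on RU_{N^2} = {T^m} = {y : y = 1 mod N}, since (1+N)^m = 1 + mN mod N^2."""
    return None if y % N != 1 else ((y - 1) // N) % N

def kem_decrypt(sk, ai, pars):
    """Figure 8: membership test in RU_{N^2}, then dlog_T."""
    N, N2 = pars["N"], pars["N2"]
    u, e = ai
    k = [dlog_T(e[j] * pow(u[j], sk[2 * j], N2) * pow(u[j + 1], sk[2 * j + 1], N2) % N2, N)
         for j in range(4)]
    return None if None in k else k

def kem_decrypt_g7(sk, ai, pars, g8_rule=True):
    """G7: z^phi(N) kills the SCR part of z, so dlog_T(z^phi(N)) / phi(N) mod N is the
    T-exponent of z.  With the G8 rule, any u_j carrying a T-component (alpha'_j != 0,
    i.e. u_j not in SCR_{N^2}) makes the query rejected."""
    N, N2, phi = pars["N"], pars["N2"], pars["phi"]
    u, e = ai
    inv_phi = pow(phi, -1, N)

    def proj(z):
        return dlog_T(pow(z, phi, N2), N) * inv_phi % N

    alpha, gamma = [proj(z) for z in u], [proj(z) for z in e]  # alpha'_1..5, gamma'_1..4
    if g8_rule and any(alpha):
        return None
    return [(alpha[j] * sk[2 * j] + alpha[j + 1] * sk[2 * j + 1] + gamma[j]) % N
            for j in range(4)]

def demo():
    pars = setup()
    N, N2, T = pars["N"], pars["N2"], pars["T"]
    pk, sk = keygen(pars)
    k, (u, e) = kem_encrypt(pk, pars)
    # a malformed ai: push a T-component into u_1, the shape of the Bad' queries
    delta = secrets.randbelow(N - 1) + 1
    bad_ai = ([u[0] * pow(T, delta, N2) % N2] + u[1:], e)
    leaked = [(k[0] + delta * sk[0]) % N] + k[1:]               # depends on x_1 mod N
    return {
        "honest": kem_decrypt(sk, (u, e), pars) == k,
        "honest_g7": kem_decrypt_g7(sk, (u, e), pars) == k,
        # the Figure 8 decryption accepts the malformed ai and outputs an sk-dependent key
        "bad_original": kem_decrypt(sk, bad_ai, pars) == leaked,
        # G7 without the rule computes the same key through (38)
        "bad_g7_no_rule": kem_decrypt_g7(sk, bad_ai, pars, g8_rule=False) == leaked,
        # the G8 rule rejects the query outright
        "bad_g8": kem_decrypt_g7(sk, bad_ai, pars) is None,
    }
```

`demo()` returns five booleans; an honest $\mathsf{ai}$ decrypts identically under the Figure 8 rule and under (38), while the malformed one shows why $\mathsf{Bad}'$ has to be bounded separately: the key it yields would have to be guessed by a forger, which is the weak-INT-RKA reduction of Lemma 26.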
Hence $\mathsf{G}_7$ is essentially the same as $\mathsf{G}_6$, and $\Pr_6[\mathsf{Succ}] = \Pr_7[\mathsf{Succ}]$.

Game $\mathsf{G}_8$. It is identical to $\mathsf{G}_7$ except the way of answering the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:
(i) If $\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or $\tilde\alpha_1 \neq 0$ or $\cdots$ or $\tilde\alpha_8 \neq 0$, output $\bot$.

Denote by $\mathsf{Bad}$ the event that $\mathcal{A}$ ever queries the decrypt orac{}le with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
$$e_1 u_1^{x_{i,1}} u_2^{y_{i,1}}, \dots, e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathsf{RU}_{N^2} \quad \text{and} \quad \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \bot, \quad (42)$$
$$\text{and} \quad e \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}} \in \mathsf{RU}_{N^s} \quad \text{and} \quad t = g_1^{m} \bmod N, \quad (43)$$
$$\text{and} \quad (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0 \text{ or } \tilde\alpha_1 \neq 0 \text{ or } \cdots \text{ or } \tilde\alpha_8 \neq 0). \quad (44)$$
Obviously, $\mathsf{G}_8$ is identical to $\mathsf{G}_7$ unless $\mathsf{Bad}$ occurs. Thus $|\Pr_7[\mathsf{Succ}] - \Pr_8[\mathsf{Succ}]| \le \Pr_8[\mathsf{Bad}]$.

To show the computational indistinguishability of $\mathsf{G}_7$ and $\mathsf{G}_8$, we must prove that $\Pr_8[\mathsf{Bad}]$ is negligible. To this end, $\mathsf{Bad}$ is divided into two subevents:
(i) $\mathsf{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying Conditions (42), (43), and $(\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0)$. (45)
(ii) $\widetilde{\mathsf{Bad}}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying Conditions (42), (43), $(\alpha'_1 = \cdots = \alpha'_5 = 0)$, and $(\tilde\alpha_1 \neq 0 \text{ or } \cdots \text{ or } \tilde\alpha_8 \neq 0)$. (46)
Obviously, $\Pr_8[\mathsf{Bad}] \le \Pr_8[\mathsf{Bad}'] + \Pr_8[\widetilde{\mathsf{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathsf{Bad}}]$ to subsequent games. Through the following lemma, we provide the analysis of $\Pr_8[\mathsf{Bad}']$.

Lemma 26. One has $\Pr_8[\mathsf{Bad}'] \le 2 Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathsf{DDH}}}(\lambda)$.
18 Security and Communication Networks
Proof. In decrypt of game $\mathsf{G}_8$, the challenger will reply $\perp$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\tilde{\alpha}_1 = \cdots = \tilde{\alpha}_8 = 0$. Consequently, the $(\bmod \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, together with the value of $\phi(N)$, is enough for answering decrypt queries. In particular, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not necessary in decrypt.

$\mathsf{Bad}'$ is further divided into the following two subevents:

(i) $\mathsf{Bad}'$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying Conditions (42), (43), ($\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$), and $(\exists j \in [4]:\ \alpha'_j/\alpha_j \neq \alpha'_{j+1}/\alpha_{j+1} \bmod N)$. (47)

(ii) $\mathsf{Bad}'$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying Conditions (42), (43), ($\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$), and $(\alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \bmod N)$. (48)

Recall that $(\alpha_1, \ldots, \alpha_5)$ are chosen in initialize. We will consider the two subevents in game $\mathsf{G}_8$ separately via the following two claims.

Claim 27. One has $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In game $\mathsf{G}_8$, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$, since for $j \in [4]$

$e_{\ell,j} = h_{i_\ell,j}^{r^* r_\ell} \cdot T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2$
$\quad = h_{i_\ell,j}^{r^* r_\ell} \cdot T^{r_\ell \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{\triangleq \tilde{k}_j} - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.$ (49)

If $\mathsf{Bad}'$-1 occurs, for concreteness say that $\alpha'_1/\alpha_1 \neq \alpha'_2/\alpha_2 \bmod N$, then

$k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar{x}_{i,1} + \alpha'_2 \bar{y}_{i,1} + \gamma'_1 \bmod N,$ (50)

where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_{\$} \mathbb{Z}_N$, the probability of $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \perp$ is upper bounded by $\mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.
Claim 28. One has $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game $\mathsf{G}_8$ the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values of $\tilde{k}_1 \coloneqq (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\tilde{k}_2 \coloneqq (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\tilde{k}_3 \coloneqq (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\tilde{k}_4 \coloneqq (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of $\mathsf{AIAE.Encrypt}$.

Note that, because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $(\tilde{k}_1, \tilde{k}_2, \tilde{k}_3, \tilde{k}_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore, it is possible to construct an algorithm that simulates decrypt and encrypt of game $\mathsf{G}_8$ without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate $\mathsf{AIAE.Encrypt}$ as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA encryption oracle of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathsf{pars}_{\mathsf{AIAE}})$, which has access to the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \ldots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more; it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either; instead, it chooses $\tilde{\mathbf{k}} = (\tilde{k}_1, \tilde{k}_2, \tilde{k}_3, \tilde{k}_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar{x}_{i,1}, \bar{y}_{i,1}, \ldots, \bar{x}_{i,4}, \bar{y}_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(\bar{x}_{i_\ell,j}, \bar{y}_{i_\ell,j}, \tilde{k}_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(x_{i,j}, y_{i,j})_{j=1}^4$, $i \in [n]$, to compute $\tilde{e}_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar{x}_{i,j}, \bar{y}_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathcal{E}.c_\ell, \mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4}) \rangle)$ to its own $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle and obtains $\mathsf{aiae.c}_\ell$. The final ciphertext is $\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security game, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle will encrypt $\mathcal{E}.c_\ell$ with the auxiliary input $\mathsf{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$; that is, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle behaves as $\mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.c_\ell, \mathsf{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to $\mathsf{G}_8$. For decrypt, $\mathcal{B}_2$ answers decryption queries with the $(\bmod \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like $\mathsf{G}_8$.
Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ such that $\mathsf{Bad}'$-2 occurs. For concreteness, say that $r \coloneqq \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$

$k_j = \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N$
$\quad = r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N$
$\quad = r \cdot k^*_j - r \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{= \tilde{k}_j} - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j \bmod N$
$\quad = r \cdot k^*_j + \underbrace{\big(- r \cdot (\tilde{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j\big)}_{\triangleq s_j} = r \cdot k^*_j + s_j \bmod N.$ (51)
Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} \coloneqq (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4) \rangle$ as above using $(\bar{x}_{i,j}, \bar{y}_{i,j}, \tilde{k}_j)_{j=1}^4$, and outputs $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiae.c})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathsf{ai}, \mathsf{aiae.c}\rangle \neq \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiae.c}) \neq (\mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathsf{aiae.c}_\ell)$ holds for all $\ell \in [Q_e]$; that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\tilde{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot (\tilde{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously, this satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.

(iii) Finally, if $\mathsf{Bad}'$-2 occurs in this decryption query, then $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \perp$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, which implies that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game $\mathsf{G}_9$. It is identical to $\mathsf{G}_8$ except for the following differences. In the initialize procedure of game $\mathsf{G}_9$, the challenger picks an independent $\widehat{\mathbf{k}}^* = (\widehat{k}^*_1, \widehat{k}^*_2, \widehat{k}^*_3, \widehat{k}^*_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathsf{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathsf{aiae.c}_\ell$:

(i) $\mathbf{k}_\ell \coloneqq (r_\ell \widehat{k}^*_1 + s_{\ell,1}, \ldots, r_\ell \widehat{k}^*_4 + s_{\ell,4})$;
(ii) $\mathsf{aiae.c}_\ell \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.c_\ell, \mathsf{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.
In $\mathsf{G}_8$, the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,

$e_{\ell,j} = h_{i_\ell,j}^{r^* r_\ell} \cdot T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2$
$\quad = h_{i_\ell,j}^{r^* r_\ell} \cdot T^{r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.$ (52)

Note that the computation of $t_\ell = g_1^{m\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Therefore, the challenger could always employ another $\widehat{\mathbf{k}}^* = (\widehat{k}^*_1, \ldots, \widehat{k}^*_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in $\mathsf{AIAE}_{\mathrm{DDH}}$'s encryption in the encrypt oracle, as in $\mathsf{G}_9$.

Then games $\mathsf{G}_8$ and $\mathsf{G}_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathsf{Succ}] = \Pr_9[\mathsf{Succ}]$ and $\Pr_8[\widetilde{\mathsf{Bad}}] = \Pr_9[\widetilde{\mathsf{Bad}}]$.

Game $\mathsf{G}_{10}$. It is identical to $\mathsf{G}_9$ except for the way the challenger answers the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $\mathsf{G}_{10}$ the challenger computes $\mathsf{aiae.c}_\ell$ in the following way:
(i) $\mathsf{aiae.c}_\ell \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathsf{ai}_\ell)$.

Observe that in $\mathsf{G}_9$ and $\mathsf{G}_{10}$, $\widehat{\mathbf{k}}^*$ is employed only in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption, where it uses $\mathbf{k}_\ell = r_\ell \cdot \widehat{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between $\mathsf{G}_9$ and $\mathsf{G}_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme. Therefore, $|\Pr_9[\mathsf{Succ}] - \Pr_{10}[\mathsf{Succ}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\widetilde{\mathsf{Bad}}] - \Pr_{10}[\widetilde{\mathsf{Bad}}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in $\mathsf{G}_{10}$ the challenger always computes the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathsf{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.

Lemma 29. One has $\Pr_{10}[\widetilde{\mathsf{Bad}}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda)$.

Proof. In $\mathsf{G}_{10}$, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j \coloneqq \mathrm{dlog}_g\, g_j \bmod \phi(N)/4$ for some base $g \in \mathsf{SCR}_{N^s}$, $j \in [5]$.
$\widetilde{\mathsf{Bad}}$ is further divided into the following two disjoint subevents:

(i) $\widetilde{\mathsf{Bad}}$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying Conditions (42), (43), $(\alpha'_1 = \cdots = \alpha'_5 = 0)$, ($\tilde{\alpha}_1 \neq 0$ or $\cdots$ or $\tilde{\alpha}_8 \neq 0$), and ($\tilde{\alpha}_1/w_1 \neq \tilde{\alpha}_2/w_2$ or $\tilde{\alpha}_3/w_2 \neq \tilde{\alpha}_4/w_3$ or $\tilde{\alpha}_5/w_3 \neq \tilde{\alpha}_6/w_4$ or $\tilde{\alpha}_7/w_4 \neq \tilde{\alpha}_8/w_5$). (53)

(ii) $\widetilde{\mathsf{Bad}}$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying Conditions (42), (43), $(\alpha'_1 = \cdots = \alpha'_5 = 0)$, ($\tilde{\alpha}_1 \neq 0$ or $\cdots$ or $\tilde{\alpha}_8 \neq 0$), and ($\tilde{\alpha}_1/w_1 = \tilde{\alpha}_2/w_2$ and $\tilde{\alpha}_3/w_2 = \tilde{\alpha}_4/w_3$ and $\tilde{\alpha}_5/w_3 = \tilde{\alpha}_6/w_4$ and $\tilde{\alpha}_7/w_4 = \tilde{\alpha}_8/w_5$). (54)

We will analyze the two subevents in game $\mathsf{G}_{10}$ separately via the following two claims.

Claim 30. One has $\Pr_{10}[\widetilde{\mathsf{Bad}}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Proof. If $\widetilde{\mathsf{Bad}}$-1 occurs, for concreteness say that $\tilde{\alpha}_1/w_1 \neq \tilde{\alpha}_2/w_2$, then

$g_1^{m} = g_1^{\tilde{\alpha}_1 x_{i,1} + \tilde{\alpha}_2 y_{i,1} + \cdots} = g_1^{(\tilde{\alpha}_1 x_1 + \tilde{\alpha}_2 y_1 + \tilde{\alpha}_1 \bar{x}_{i,1} + \tilde{\alpha}_2 \bar{y}_{i,1} + \cdots) \bmod \phi(N)/4} \bmod N,$ (55)

and $(\tilde{\alpha}_1 x_1 + \tilde{\alpha}_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m}$ is uniformly distributed over $\mathsf{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound, $\Pr_{10}[\widetilde{\mathsf{Bad}}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\widetilde{\mathsf{Bad}}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $\mathsf{G}_{10}$, if $\widetilde{\mathsf{Bad}}$-2 occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathsf{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j \coloneqq g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathsf{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys in the same way as initialize in $\mathsf{G}_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $\mathsf{G}_{10}$ does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w \coloneqq \mathrm{dlog}_g\, h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g\, g_j = z_j + w z'_j \bmod \phi(N)/4$.

If $\widetilde{\mathsf{Bad}}$-2 occurs in decrypt, for concreteness say that $\tilde{\alpha}_1/w_1 = \tilde{\alpha}_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_1^{\tilde{\alpha}_2} = g_2^{\tilde{\alpha}_1} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1 \tilde{\alpha}_2 = w_2 \tilde{\alpha}_1 \bmod \phi(N)/4$, or equivalently

$z_1 \tilde{\alpha}_2 + w z'_1 \tilde{\alpha}_2 = z_2 \tilde{\alpha}_1 + w z'_2 \tilde{\alpha}_1 \bmod \phi(N)/4.$ (56)

Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1 \tilde{\alpha}_2 - z'_2 \tilde{\alpha}_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ succeeds in computing the discrete logarithm of $h$ based on $g$ and outputs $w = (z'_1 \tilde{\alpha}_2 - z'_2 \tilde{\alpha}_1)^{-1} \cdot (z_2 \tilde{\alpha}_1 - z_1 \tilde{\alpha}_2) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\widetilde{\mathsf{Bad}}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], which are polynomial-sized circuits computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables
How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} \coloneqq x_j + \bar{x}_{i,j}$ and $y_{i,j} \coloneqq y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$; that is,

$x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}.$ (57)

Consequently, $f_\ell$ in $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$; that is,

$f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}) = f_\ell\big((\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}})_{i \in [n], j \in [4]}\big) = f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}.$ (58)
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:

(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1, \ldots, c_8)}$ can be extracted by solving the linear system of equations

$f_\ell((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}.$ (59)

The overall time complexity for computing the coefficients $a_{(c_1, \ldots, c_8)}$ is polynomial in $\lambda$.
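As an added example (not the paper's code), the following Python carries out the reduction of this section for a black-box circuit: it evaluates $f_\ell$ at points shifted as in (57) and solves the linear system (59) over $\mathbb{Z}_N$ to recover the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$. It assumes a constructed toy modulus, a constructed two-key degree-2 circuit, and that keys and shifts are taken as residues mod $N$ (a simplification of the paper's $[\lfloor N^2/4 \rfloor]$ range); all function names are ours.

```python
# Added example (not the paper's code): Section 5.2 reduction of an 8n-variable
# polynomial f_l, given only as a black-box circuit, to the 8-variable f'_l over
# the target key sk_{i_l}, with coefficients a_(c_1..c_8) recovered by solving a
# linear system over Z_N.  Assumptions: constructed toy N; keys and shifts are
# residues mod N (the paper's keys live in [floor(N^2/4)]).
import random
from itertools import combinations_with_replacement
from math import gcd

N_TOY = 1000003 * 1000033          # constructed composite modulus N = p*q
NVARS = 8                          # (x_{i,1}, y_{i,1}, ..., x_{i,4}, y_{i,4}) per key

def degree_tuples(d):
    """All c = (c_1..c_8) with 0 <= c_1+...+c_8 <= d; binom(8+d, 8) of them."""
    tuples = set()
    for k in range(d + 1):
        for picks in combinations_with_replacement(range(NVARS), k):
            c = [0] * NVARS
            for v in picks:
                c[v] += 1
            tuples.add(tuple(c))
    return sorted(tuples)

def eval_monomial(point, c, mod):
    val = 1
    for v, e in zip(point, c):
        val = val * pow(v, e, mod) % mod
    return val

def solve_mod(rows, rhs, mod):
    """Gauss-Jordan over Z_mod for an overdetermined, consistent system.
    A pivot must be a unit mod the composite modulus; raise if none exists."""
    aug = [list(r) + [b] for r, b in zip(rows, rhs)]
    ncol = len(rows[0])
    for col in range(ncol):
        piv = next((i for i in range(col, len(aug)) if gcd(aug[i][col], mod) == 1), None)
        if piv is None:
            raise ArithmeticError("no invertible pivot; resample evaluation points")
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, mod)
        aug[col] = [v * inv % mod for v in aug[col]]
        for i in range(len(aug)):
            if i != col and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % mod for a, b in zip(aug[i], aug[col])]
    return [aug[i][ncol] for i in range(ncol)]

def reduce_to_target(circuit, n, d, shifts, target, mod=N_TOY):
    """Return {c: a_c} for f'_l using only the shifts (x-bar, y-bar) and the circuit.
    Every key i is written as sk_target + (shift_i - shift_target), as in (57)."""
    tuples = degree_tuples(d)
    for _attempt in range(8):
        rows, rhs = [], []
        for _ in range(len(tuples) + 4):           # a few spare equations
            pt = [random.randrange(mod) for _ in range(NVARS)]
            keys = [tuple((pt[k] + shifts[i][k] - shifts[target][k]) % mod
                          for k in range(NVARS)) for i in range(n)]
            rows.append([eval_monomial(pt, c, mod) for c in tuples])
            rhs.append(circuit(keys) % mod)
        try:
            return dict(zip(tuples, solve_mod(rows, rhs, mod)))
        except ArithmeticError:
            continue
    raise RuntimeError("coefficient extraction failed repeatedly")

def eval_reduced(coeffs, point, mod=N_TOY):
    """Evaluate f'_l at an 8-variable point from its coefficient table."""
    return sum(a * eval_monomial(point, c, mod) for c, a in coeffs.items()) % mod

# Constructed KDM function over n = 2 keys, degree 2:
#   f(sk_1, sk_2) = 3 * x_{1,1} * y_{2,3} + 5 * x_{2,2} + 11   (mod N)
# Variable index inside a key: x_{i,j} -> 2*(j-1), y_{i,j} -> 2*(j-1)+1.
def sample_circuit(keys):
    sk1, sk2 = keys
    return 3 * sk1[0] * sk2[5] + 5 * sk2[2] + 11

def demo(seed=1):
    """Recover f'_l for target key 1 (index 0); return (coeffs, shifts)."""
    rng = random.Random(seed)
    shifts = [[rng.randrange(N_TOY) for _ in range(NVARS)] for _ in range(2)]
    return reduce_to_target(sample_circuit, 2, 2, shifts, 0), shifts
```

Substituting $x_{2,2} = x_{1,2} + \Delta_x$ and $y_{2,3} = y_{1,3} + \Delta_y$ by hand gives $f'_\ell = 3\,x_{1,1}y_{1,3} + 3\Delta_y\,x_{1,1} + 5\,x_{1,2} + (5\Delta_x + 11)$, which is what the recovered table should contain.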
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,

$f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}.$ (60)

Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 9.

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$-$\mathsf{G}_4$, which are related to the building block $\mathcal{E}$. Next, we will replace $\mathsf{G}_3$-$\mathsf{G}_4$ with the following hybrids (i.e., Hybrid 1 to Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} \coloneqq x_j + \bar{x}_{i,j}$ and $y_{i,j} \coloneqq y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that

$f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}.$ (61)

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.

(i) Invoke $\mathcal{E}.\mathsf{Encrypt}$ to set up $\mathsf{table}$.
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.
(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e \coloneqq \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t \coloneqq g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Clearly, $\tilde{v}_0, \ldots, \tilde{v}_8$ computed via $\mathcal{E}.\mathsf{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathsf{Encrypt}$. Therefore, this is just a conceptual change.

Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.

(i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$ except for a small difference. More precisely, in $\mathsf{table}$
[Figure 9, recovered from the figure layout.
$\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \ldots, 8\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. $\mathsf{table}$ has rows $l = 0, \ldots, 8$: row 0 is $(u_{0,1}, \ldots, u_{0,8})$, and for $l \ge 1$ row $l$ is $(u_{l,1}, \ldots, u_{l,8})$ with the entry in column $l$ replaced by $u_{l,l} \cdot v_{l-1}$. Then $e = v_8 \cdot T^{m} \bmod N^s$ and $t = g_1^{m} \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = (\mathsf{table}, e, t)$.
$\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.c)$: parse $\mathcal{E}.c = (\mathsf{table}, e, t)$ and, writing $u_{l,c}$ for the entry of $\mathsf{table}$ in row $l$ and column $c$, compute $\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$, $\tilde{v}_1 = (u_{1,1}/\tilde{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$, $\tilde{v}_2 = u_{2,1}^{-x_1} (u_{2,2}/\tilde{v}_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$, $\ldots$, $\tilde{v}_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (u_{8,8}/\tilde{v}_7)^{-y_4}$, all $\bmod N^s$. If $e/\tilde{v}_8 \in \mathsf{RU}_{N^s}$, set $m = \mathrm{dlog}_T(e/\tilde{v}_8) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$, output $m$; otherwise output $\perp$.]

Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$.
[Figure 10: the $\mathcal{E}.\mathsf{Encrypt}(f_\ell, i_\ell \in [n])$ part of encrypt in Hybrid 1, Hybrid 2, Hybrid 3, and Hybrid 3 (Equivalent Form), shown side by side. Each column sets up $\mathsf{table}$ from $(u_{l,1}, \ldots, u_{l,8})$ and $v_l$ as in Figure 9, computes $\tilde{v}_0, \ldots, \tilde{v}_8$ via $\mathcal{E}.\mathsf{Decrypt}$ where indicated, and differs only in how $e$ and $t$ are formed; the details are those given in the hybrid descriptions in the text.]

Figure 10: Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$.
the entry located in row 1 and column 1 is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$. By the IV$_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.
(iii) Compute $e \coloneqq \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t \coloneqq g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$ except for a small difference. More precisely, the entry located in row 1 and column 1 in $\mathsf{table}$ is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$.
(ii) Compute $e \coloneqq v_8 \bmod N^s$ and $t \coloneqq g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $\mathsf{G}_7$-$\mathsf{G}_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathsf{table}$ are elements of $\mathsf{SCR}_{N^s}$. If this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
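As an added example (not the paper's code), the following Python is a toy instantiation of Figure 9 and of the Hybrid 3 change just described: $\mathcal{E}.\mathsf{Encrypt}$/$\mathcal{E}.\mathsf{Decrypt}$ with the 9-row $\mathsf{table}$, and the variant that plants $T^{a}$ in entry (1,1) and sets $e \coloneqq v_8$ so that decryption yields $a \cdot x_1 y_1 \cdots x_4 y_4$ without the encryptor having used $\mathsf{sk}$ for $\mathsf{table}$ or $e$. It assumes constructed tiny primes with $s = 2$ and our own function names; it reproduces the scheme's structure, not a secure parameter choice.

```python
# Added example (not the paper's code): toy instantiation of the entropy filter E
# of Figure 9 for the monomial a*x1y1x2y2x3y3x4y4, plus the Hybrid 3 change
# (plant T^a in table entry (1,1), set e := v_8).  Constructed parameters: tiny
# primes, s = 2, so the group is Z*_{N^2}; structure only, no security claimed.
import random
from math import gcd

P, Q = 1019, 1187               # constructed toy primes (not safe primes)
N = P * Q
S = 2
NS = N ** S                     # N^s
T = 1 + N                       # T = 1+N generates RU_{N^s}; dlog_T is easy mod N^{s-1}

def sample_scr():
    """Random element of SCR_{N^s} = { mu^(2N) mod N^s }, skipping the trivial
    residues so that g_j mod N != 1 (needed for the tag t to be meaningful)."""
    while True:
        mu = random.randrange(2, NS)
        if gcd(mu, N) == 1:
            val = pow(mu, 2 * N, NS)
            if val % N != 1:
                return val

def keygen():
    """pk = (h_1..h_4) with h_j = g_j^{-x_j} g_{j+1}^{-y_j} mod N^s (Section 5.1)."""
    g = [sample_scr() for _ in range(5)]                      # g_1..g_5 as g[0..4]
    x = [random.randrange(N * N // 4) for _ in range(4)]
    y = [random.randrange(N * N // 4) for _ in range(4)]
    h = [pow(g[j], -x[j], NS) * pow(g[j + 1], -y[j], NS) % NS for j in range(4)]
    return (g, h), (x, y)

def build_table(pk):
    """Rows l = 0..8, each from fresh r_{l,1..4}; title v_l = prod_j h_j^{r_{l,j}}.
    For l >= 1 the column-l entry is u_{l,l} * v_{l-1}.  Returns (table, titles)."""
    g, h = pk
    table, v = [], []
    for l in range(9):
        r = [random.randrange(N // 4) for _ in range(4)]
        u = [pow(g[0], r[0], NS), pow(g[1], r[0], NS), pow(g[1], r[1], NS), pow(g[2], r[1], NS),
             pow(g[2], r[2], NS), pow(g[3], r[2], NS), pow(g[3], r[3], NS), pow(g[4], r[3], NS)]
        vl = 1
        for j in range(4):
            vl = vl * pow(h[j], r[j], NS) % NS
        if l >= 1:
            u[l - 1] = u[l - 1] * v[l - 1] % NS       # 0-based column l-1 is the paper's column l
        table.append(u)
        v.append(vl)
    return table, v

def e_encrypt(pk, m):
    """E.Encrypt of Figure 9: E.c = (table, e, t)."""
    g, _ = pk
    table, v = build_table(pk)
    return table, v[8] * pow(T, m, NS) % NS, pow(g[0], m, N)

def e_decrypt(pk, sk, ct):
    """E.Decrypt of Figure 9: peel v~_0..v~_8 off the table, then m = dlog_T(e / v~_8)."""
    g, _ = pk
    x, y = sk
    table, e, t = ct
    exps = [-x[0], -y[0], -x[1], -y[1], -x[2], -y[2], -x[3], -y[3]]
    prev = 1                                          # v~_{l-1}
    for l in range(9):
        vt = 1
        for c in range(8):
            base = table[l][c]
            if l >= 1 and c == l - 1:
                base = base * pow(prev, -1, NS) % NS  # divide out the previous title
            vt = vt * pow(base, exps[c], NS) % NS
        prev = vt
    w = e * pow(prev, -1, NS) % NS
    if w % N != 1:                                    # w must lie in RU_{N^s} = <T>
        return None
    m = (w - 1) // N                                  # dlog_T for s = 2
    return m if pow(g[0], m, N) == t else None

def monomial(sk, a):
    """Key-dependent message f'(sk) = a * x1 y1 x2 y2 x3 y3 x4 y4 mod N^{s-1}."""
    x, y = sk
    m = a
    for j in range(4):
        m = m * x[j] * y[j]
    return m % (N ** (S - 1))

def kdm_encrypt_hybrid3(pk, sk, a):
    """Hybrid 3 (equivalent form): entry (1,1) becomes (u_{1,1} T^a) * v_0 and e := v_8.
    Neither table nor e touches sk: the telescoping v~_8 = v_8 * T^{-f'(sk)} makes
    E.Decrypt output f'(sk).  Only the tag t needs the key-dependent value."""
    g, _ = pk
    table, v = build_table(pk)
    table[1][0] = table[1][0] * pow(T, a, NS) % NS
    return table, v[8], pow(g[0], monomial(sk, a), N)
```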
54 The General E Designed for F119889poly In Section 53 we
presented the construction of E for a concrete type ofmonomial functions Generally a polynomial function 1198911015840
ℓ
of degree 119889 might contain as many as ( 8+1198898 ) = Θ(1198898)monomials In order to construct a general E for the setF119889
poly of polynomial functions we must handle all types ofmonomial functions To this end we generate a table for eachtype of nonconstantmonomial and associate it with a V whichis named as a title Algorithms EEncrypt and EDecrypt areshown in Figure 11
Neglecting the coefficients of monomials there are( 8+1198898 ) minus 1 types of nonconstant monomial functions whosedegrees are at most 119889 For each nonconstant monomial type1199091198881119894ℓ 11199101198882119894ℓ 11199091198883119894ℓ 21199101198884119894ℓ 21199091198885119894ℓ 31199101198886119894ℓ 31199091198887119894ℓ 41199101198888119894ℓ 4 we can associate it with adegree tuple c = (1198881 1198888) Let S denote the set of all suchdegree tuples that isS fl c = (1198881 1198888) | 1 le 1198881 + sdot sdot sdot + 1198888 le119889
For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathrm{table}(\mathbf{c})$ and $v(\mathbf{c})$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.
Meanwhile, with the help of the secret key $\mathrm{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}(\mathbf{c}) = v(\mathbf{c})$ from $\mathrm{table}(\mathbf{c})$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathrm{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games G3-G4. Next we will replace G3-G4 with the following hybrids (Hybrid 1 to Hybrid 3). Specifically, the $\mathcal{E}.\mathrm{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathrm{Encrypt}(\mathrm{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \tag{62}$$
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.
Hybrid 2. Implement $\mathcal{E}.\mathrm{Encrypt}$ using $\mathrm{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
  (1) invoke $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$;
  (2) invoke $\tilde{v}(\mathbf{c}) \leftarrow \mathrm{CalculateV}(\mathrm{sk}_{i_\ell}, \mathrm{table}(\mathbf{c}), \mathbf{c})$.
(ii) Employ $(\tilde{v}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ rather than $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
24 Security and Communication Networks
Figure 11. (a) $\mathcal{E}.\mathrm{Encrypt}$ (left) and $\mathcal{E}.\mathrm{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) TableGen, which generates $\mathrm{table}(\mathbf{c})$ together with a title $v(\mathbf{c})$; (c) CalculateV, which calculates a title $\tilde{v}(\mathbf{c})$ from $\mathrm{table}(\mathbf{c})$ using the secret key.

(a) $\mathcal{E}c \leftarrow_{\$} \mathcal{E}.\mathrm{Encrypt}(\mathrm{pk}, m)$:
  For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$: $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathrm{TableGen}(\mathrm{pk}, \mathbf{c})$.
  $e := \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^m \bmod N^s$; $t := g_1^m \bmod N \in \mathbb{Z}_N$.
  Output $\mathcal{E}c := ((\mathrm{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$.
$m/\perp \leftarrow \mathcal{E}.\mathrm{Decrypt}(\mathrm{sk}, \mathcal{E}c)$:
  Parse $\mathcal{E}c = ((\mathrm{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$.
  For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$: $\tilde{v}(\mathbf{c}) \leftarrow \mathrm{CalculateV}(\mathrm{sk}, \mathrm{table}(\mathbf{c}), \mathbf{c})$.
  If $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}))^{-1} \in \mathrm{RU}_{N^s}$: $m := \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}))^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$.
  Otherwise, output $\perp$.

(b) $\mathrm{TableGen}(\mathrm{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$:
  For each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$:
    $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$;
    $(u_{l,1}, \ldots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$;
    $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$.
  $\mathrm{table}(\mathbf{c})$ has $\sum_{j=1}^8 c_j + 1$ rows of 8 entries. Row 0 is $(u_{0,1}, u_{0,2}, \ldots, u_{0,8})$; in every row $l \ge 1$ exactly one entry is multiplied by $v_{l-1}$: the $c_1$ rows $l \in [1, c_1]$ are $(u_{l,1} \cdot v_{l-1}, u_{l,2}, \ldots, u_{l,8})$, the $c_2$ rows $l \in [c_1 + 1, c_1 + c_2]$ are $(u_{l,1}, u_{l,2} \cdot v_{l-1}, \ldots, u_{l,8})$, and so on, until the $c_8$ rows $l \in [\sum_{j=1}^7 c_j + 1, \sum_{j=1}^8 c_j]$ are $(u_{l,1}, \ldots, u_{l,7}, u_{l,8} \cdot v_{l-1})$.
  Output $(\mathrm{table}(\mathbf{c}), v(\mathbf{c}) := v_{\sum_{j=1}^8 c_j})$.

(c) $\mathrm{CalculateV}(\mathrm{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathrm{table}(\mathbf{c}), \mathbf{c} = (c_1, \ldots, c_8))$:
  Parse $\mathrm{table}(\mathbf{c}) = (u_{l,1}, u_{l,2}, \ldots, u_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$.
  $\tilde{v}_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$.
  For each $l \in [1, c_1]$: $\tilde{v}_l := (u_{l,1}/\tilde{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$.
  For each $l \in [c_1 + 1, c_1 + c_2]$: $\tilde{v}_l := u_{l,1}^{-x_1} (u_{l,2}/\tilde{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$.
  $\ldots$
  For each $l \in [\sum_{j=1}^7 c_j + 1, \sum_{j=1}^8 c_j]$: $\tilde{v}_l := u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (u_{l,8}/\tilde{v}_{l-1})^{-y_4}$.
  Output $\tilde{v}(\mathbf{c}) := \tilde{v}_{\sum_{j=1}^8 c_j}$.
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}(\mathbf{c})$ computed via CalculateV is the same as $v(\mathbf{c})$ computed via TableGen. Therefore this change is just conceptual.
Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
  (1) $\mathrm{table}(\mathbf{c})$ is computed by $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$ except for a small difference; more precisely, in $\mathrm{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$; by the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable;
  (2) extract $\hat{v}(\mathbf{c})$ from the (modified) $\mathrm{table}(\mathbf{c})$ by invoking $\hat{v}(\mathbf{c}) \leftarrow \mathrm{CalculateV}(\mathrm{sk}_{i_\ell}, \mathrm{table}(\mathbf{c}), \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$\hat{v}(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1, \ldots, c_8)} \, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \tag{63}$$
Hence
$$e = \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \ldots, c_8)} \, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta}, \tag{64}$$
where the last equality follows from (62).
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form).
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathrm{table}(\mathbf{c})$ is computed by $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in $\mathrm{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathrm{Encrypt}$ any more.
After these computationally indistinguishable changes, the $\mathcal{E}.\mathrm{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
With a similar argument as that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
Appendix
A. Proof of Claim 19
We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_{\$} \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathrm{pars}_{\mathrm{AE}}$ and has access to the oracle $\mathrm{encrypt}_{\mathrm{AE}}(\cdot) = \mathrm{AE.Encrypt}(\kappa, \cdot)$ one time.
Firstly, $\mathcal{B}$ prepares $\mathrm{pars}_{\mathrm{AIAE}}$ in the same way as in $G'_{1,j}$. That is, it invokes $\mathrm{pars}_{\mathrm{THPS}} \leftarrow_{\$} \mathrm{THPS.Setup}(1^\lambda)$, picks $\mathrm{H} \leftarrow_{\$} \mathcal{H}$ randomly, and sets $\mathrm{pars}_{\mathrm{AIAE}} := (\mathrm{pars}_{\mathrm{THPS}}, \mathrm{pars}_{\mathrm{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathrm{pars}_{\mathrm{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathrm{hk} \leftarrow_{\$} \mathcal{HK}$.
As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathrm{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way.
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$, and invokes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathrm{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathrm{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathrm{hk}$ at all and instead resorts to its own $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathrm{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, queries its $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $G'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $G'_{1,j}$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathrm{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathrm{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathrm{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.
Finally, $\mathcal{A}$ sends a forgery $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows.
(i) If $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathrm{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai}_\ell = \mathrm{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathrm{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathrm{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathrm{ai}_\ell) \neq (C^*, \mathrm{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ will imply that $(\mathrm{ai}^*, f^*, C^*) = (\mathrm{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ together imply that $\chi^* \neq \chi_j$ and $\mathrm{AE.Decrypt}(\kappa, \chi^*) \neq \perp$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.
In summary, $\mathcal{B}$ perfectly simulates $G'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathrm{chal}^{\mathrm{IV}_5}_b}(N, g_1, \ldots, g_5)$ to solve the $\mathrm{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}.\mathrm{Encrypt}$ as follows.
(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.
(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathrm{chal}^{\mathrm{IV}_5}_b$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^a, g_2^{r_{1,1}}) = (u_{1,1} T^a, u_{1,2})$.
$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^a \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be
$$(\tilde{u}_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \cdots,\ u_{1,8}). \tag{B.1}$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_1 = v_1$, or
Case ($b = 1$): $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathrm{chal}^{\mathrm{IV}_5}_b$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^*_{2,2} \cdot v^*_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
$$(u^*_{2,1},\ \tilde{u}_{2,2} = u^*_{2,2} \cdot v^*_1,\ u_{2,3},\ \cdots,\ u_{2,8}). \tag{B.2}$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_2 = v_2$, or
Case ($b = 1$): $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.
(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathrm{chal}^{\mathrm{IV}_5}_b$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets $\tilde{u}_{3,3} := u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that $\tilde{u}_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be
$$(u_{3,1},\ u_{3,2},\ \tilde{u}_{3,3} = u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ u_{3,5},\ \cdots,\ u_{3,8}). \tag{B.3}$$
$\mathcal{B}$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_3 = v_3$, or
Case ($b = 1$): $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.
(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.
(vi) Finally, $\mathcal{B}$ computes $v_0, \ldots, v_8$ from table just as in Hybrids 2 and 3 (also as the original $\mathcal{E}.\mathrm{Decrypt}$ algorithm does) and computes $e := v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.
If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathrm{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
References
[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
Since $t_j \neq t^*$ and $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathrm{hk}}(C_j, t_j)$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C^*, t^*)$. With a similar argument, $\kappa_j$ is also randomly distributed over $\mathcal{K}$. Hence $G'_{1,j}$ is the same as $G''_{1,j}$ when $t_j \neq t^*$, and consequently the probability that $\mathsf{Forge}$ occurs in $G'_{1,j}$ and in $G''_{1,j}$ conditioned on $t_j \neq t^*$ is the same.
In conclusion, we have that
$$\Pr'_{1,j}[\mathsf{Forge} \wedge t_j \neq t^*] = \Pr''_{1,j}[\mathsf{Forge} \wedge t_j \neq t^*] \le \Pr''_{1,j}[\mathsf{Forge}]. \tag{22}$$
(ii) Subevent $\mathsf{Forge} \wedge t_j = t^*$. By the new rule added in game $G_1$, $\mathsf{Forge} \wedge t_j = t^*$ will imply $(C_j, \mathrm{ai}_j) = (C^*, \mathrm{ai}^*)$. In addition, $\mathsf{Forge} \wedge \mathrm{ai}_j = \mathrm{ai}^*$ will imply that $f_j = f^*$ due to the special rule in the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA game (see Figure 4). Then it is straightforward to check that $\Lambda_{\mathrm{hk}}(C_j, t_j) = \Lambda_{\mathrm{hk}}(C^*, t^*)$ and
$$\kappa_j = (\Lambda_{\mathrm{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) = (\Lambda_{\mathrm{hk}}(C^*, t^*))^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*) = \kappa^*. \tag{23}$$
Since $C_j \in \mathcal{C} \setminus \mathcal{V}$, by the universal$_2$ property of THPS, $\Lambda_{\mathrm{hk}}(C_j, t_j)$ $(= \Lambda_{\mathrm{hk}}(C^*, t^*))$ is uniformly distributed over $\mathcal{K}$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$. Then, as long as $a_j$ (which equals $a^*$) $\in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa_j$ (which equals $\kappa^*$) is also randomly distributed over $\mathcal{K}$. Also, in this subevent, $(\mathrm{ai}^*, f^*, C^*) = (\mathrm{ai}_j, f_j, C_j)$ implies $\chi^* \neq \chi_j$; thus the probability of $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ is bounded by $\mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda)$. So we have the following claim. We present the full description of the reduction in Appendix A.
Claim 19. One has $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda)$.
Combining the above two subevents together, Lemma 18 follows.
Now we show that game $G''_{1,j}$ is computationally indistinguishable from game $G_{1,j+1}$, $j \in [Q_e]$. Note that the divergence between $G''_{1,j}$ and $G_{1,j+1}$ lies in the distribution of $C_j$ in the $j$th encrypt query: in game $G''_{1,j}$, $C_j$ is uniformly chosen from $\mathcal{C} \setminus \mathcal{V}$, while in game $G_{1,j+1}$, $C_j$ is uniformly chosen from $\mathcal{V}$. Similar to Lemma 17, any difference between these two games results in a PPT adversary solving the subset membership problem related to THPS; thus we have that $|\Pr''_{1,j}[\mathsf{Forge}] - \Pr_{1,j+1}[\mathsf{Forge}]| \le \mathrm{Adv}^{\mathrm{smp}}_{\mathrm{THPS}}(\lambda)$.
Finally, in game $G_{1,Q_e+1}$, note that the challenger does not use $\mathrm{hk}$ to compute $\kappa_\ell$ at all; thus $\mathrm{hk}$ is uniformly random to $\mathcal{A}$. Consequently, in the finalize procedure we have
$$\kappa^* = (\Lambda_{\mathrm{hk}}(C^*, t^*))^{a^*} \cdot \Lambda_{\mathbf{b}^*}(C^*, t^*). \tag{24}$$
By the extracting property of THPS, $\Lambda_{\mathrm{hk}}(C^*, t^*)$ is uniformly random over $\mathcal{K}$. Therefore, as long as $a^* \in \mathbb{Z}^*_{|\mathcal{K}|}$, $\kappa^*$ is uniformly random over $\mathcal{K}$ as well. Hence the probability of $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ is bounded by $\mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda)$, and we have $\Pr_{1,Q_e+1}[\mathsf{Forge}] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}}(\lambda)$.
In all, we have proved the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security. This completes the proof of Theorem 15 (weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security).
Remark 20. We emphasize that the special rule in the weak-INT-$\mathcal{F}$-RKA game (cf. Figure 4) plays an essential role in proving Lemma 18. Below is the reason.
Without this special rule, the adversary is allowed to submit $f^*$ $(= \langle a^*, \mathbf{b}^* \rangle)$ which is different from $f_j$ $(= \langle a_j, \mathbf{b}_j \rangle)$ even if $\mathrm{ai}^* = \mathrm{ai}_j$ holds. In this case we cannot expect to employ the INT-OT security of the underlying AE scheme to show that the second subevent ($\mathsf{Forge} \wedge t_j = t^*$) occurs with only a negligible probability. To demonstrate the problem clearly, suppose that the adversary $\mathcal{A}$ submits $f_j = \langle a_j, \mathbf{b}_j \rangle$ in the $j$th encrypt query and submits $f^* = \langle a^*, \mathbf{b}^* \rangle = \langle a_j, \mathbf{b}_j + \Delta \rangle$ in the finalize procedure, where $\Delta$ is a constant. Then we have
$$\kappa^* = (\Lambda_{\mathrm{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j + \Delta}(C_j, t_j) = (\Lambda_{\mathrm{hk}}(C_j, t_j))^{a_j} \cdot \Lambda_{\mathbf{b}_j}(C_j, t_j) \cdot \Lambda_{\Delta}(C_j, t_j) = \kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \tag{25}$$
where the second equality follows from the key-homomorphism of THPS. Thus $\kappa^*$ and $\kappa_j$ are closely related but may not be equal; in particular, the quotient $\kappa^*/\kappa_j$ $(= \Lambda_{\Delta}(C_j, t_j))$ is a constant.
Consequently, it is hard for us to show that the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs with a negligible probability. The reason is as follows. To show that it is infeasible for any PPT adversary $\mathcal{A}$, who obtains $\chi_j \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_j, m_j)$ in the $j$th encrypt query, to generate an AE-ciphertext $\chi^*$ satisfying $\mathrm{AE.Decrypt}(\kappa^*, \chi^*)$ $(= \mathrm{AE.Decrypt}(\kappa_j \cdot \Lambda_{\Delta}(C_j, t_j), \chi^*)) \neq \perp$, it seems that INT-RKA security of AE is required to some extent. We definitely cannot require INT-RKA security for the underlying AE scheme, since we are constructing a (weak) INT-RKA secure (AI)AE scheme AIAE. As a result, it is hard to prove Lemma 18 without our special rule in the weak-INT-$\mathcal{F}$-RKA game.
3.3. Tag-Based HPS from the DDH Assumption. Qin et al. [19] gave a construction of tag-based HPS from the $d$-LIN assumption. Here we construct a key-homomorphic $\mathrm{THPS}_{\mathrm{DDH}}$ under the DDH assumption in Figure 6. With a routine check, the projective property of $\mathrm{THPS}_{\mathrm{DDH}}$ follows.
Theorem 21. $\mathrm{THPS}_{\mathrm{DDH}}$ in Figure 6 is universal$_2$, extracting, and key-homomorphic. Moreover, the subset membership problem related to $\mathrm{THPS}_{\mathrm{DDH}}$ is hard under the DDH assumption for GenN and $\mathrm{QR}_{\bar{N}}$.
Figure 6. Construction of $\mathrm{THPS}_{\mathrm{DDH}}$.
$\mathrm{pars}_{\mathrm{THPS}} \leftarrow_{\$} \mathrm{THPS.Setup}(1^\lambda)$:
  $(p, q, N, \bar{N}) \leftarrow_{\$} \mathrm{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar{N} = 2N + 1$ is a prime.
  $g_1, g_2 \leftarrow_{\$} \mathrm{QR}_{\bar{N}}$.
  Output $\mathrm{pars}_{\mathrm{THPS}} = (N, p, q, \bar{N}, g_1, g_2)$, which implicitly defines $(\mathcal{C}, \mathcal{V}, \mathcal{K}, \mathcal{HK}, \mathcal{T}, \Lambda_{(\cdot)}, \mu)$:
    $\mathcal{C} = \mathrm{QR}_{\bar{N}}^2 \setminus \{(1, 1)\}$, $\mathcal{V} = \{(g_1^w, g_2^w) \mid w \in \mathbb{Z}_N \setminus \{0\}\} \subseteq \mathrm{QR}_{\bar{N}}^2$, $\mathcal{K} = \mathrm{QR}_{\bar{N}}$, $\mathcal{HK} = (\mathbb{Z}_N)^4$, $\mathcal{T} = \mathbb{Z}_N$;
    for $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$, $C = (c_1, c_2) \in \mathcal{C}$, $t \in \mathcal{T}$: $\Lambda_{\mathrm{hk}}(C, t) = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t} \in \mathcal{K}$;
    for $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$: $\mathrm{pk} = \mu(\mathrm{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) \in \mathcal{K}^2$.
$K \leftarrow \mathrm{THPS.Pub}(\mathrm{pk}, C, w, t)$: Parse $\mathrm{pk} = (h_1, h_2) \in \mathcal{K}^2$. Output $K = h_1^{w} h_2^{wt}$.
$K \leftarrow \mathrm{THPS.Priv}(\mathrm{hk}, C, t)$: Parse $\mathrm{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$ and $C = (c_1, c_2) \in \mathcal{C}$. Output $K = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}$.

Proof of Theorem 21. Universal$_2$. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, $C' = (g_1^{w'_1}, g_2^{w'_2}) \in \mathcal{C} \setminus \mathcal{V}$, and $t, t' \in \mathcal{T}$ with $t \neq t'$. For $\mathrm{hk} = (k_1, k_2, k_3, k_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathrm{hk}}(C', t')$ conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C, t)$.
Denote $d := \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$. Firstly, $\mathrm{pk} = \mu(\mathrm{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + d k_2}, g_1^{k_3 + d k_4})$, which may leak the values of $k_1 + d k_2$ and $k_3 + d k_4$.
Next,
$$\Lambda_{\mathrm{hk}}(C, t) = (g_1^{w_1})^{k_1 + k_3 t} \cdot (g_2^{w_2})^{k_2 + k_4 t} = g_1^{X}, \qquad X \triangleq (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4), \tag{26}$$
which may further leak the value of $X$. Similarly,
$$\Lambda_{\mathrm{hk}}(C', t') = (g_1^{w'_1})^{k_1 + k_3 t'} \cdot (g_2^{w'_2})^{k_2 + k_4 t'} = g_1^{Y}, \qquad Y \triangleq (w'_1 k_1 + w'_2 d k_2) + t' \cdot (w'_1 k_3 + w'_2 d k_4). \tag{27}$$
By the fact that $C' = (g_1^{w'_1}, g_2^{w'_2}) \notin \mathcal{V}$, we have $w'_1 \neq w'_2$. Then, as long as $t \neq t'$, $Y$ is independent of $k_1 + d k_2$, $k_3 + d k_4$, and $X$, and consequently $Y$ is uniformly distributed over $\mathbb{Z}_N$.
Therefore, conditioned on $\mathrm{pk} = \mu(\mathrm{hk})$ and $\Lambda_{\mathrm{hk}}(C, t)$, $\Lambda_{\mathrm{hk}}(C', t')$ $(= g_1^{Y})$ is randomly distributed over $\mathcal{K} = \mathrm{QR}_{\bar{N}}$.
Extracting Suppose that 119862 = (11989211990811 11989211990822 ) isin C and 119905 isin T Forhk = (1198961 1198962 1198963 1198964)larr$ (Z119873)4 we analyze the distribution ofΛ hk(119862 119905)
By (26) Λ hk(119862 119905) = 1198921198831 with 119883 = (11990811198961 + 11990821198891198962) + 119905 sdot(11990811198963+11990821198891198964) Since119862 = (11989211990811 11989211990822 ) isin C we have (1199081 1199082) =(0 0) Then when (1198961 1198962 1198963 1198964) is randomly chosen from(Z119873)4 119883 is uniformly distributed over Z119873 ConsequentlyΛ hk(119862 119905) is randomly distributed overK = QR119873
Key-Homomorphism For all hk = (1198961 1198962 1198963 1198964) isin (Z119873)4 all119886 isin Z all b = (1198871 1198872 1198873 1198874) isin (Z119873)4 all 119862 = (1198881 1198882) isin C and
all 119905 isin T we have 119886sdothk+b = 119886sdot(1198961 1198962 1198963 1198964)+(1198871 1198872 1198873 1198874) =(1198861198961 + 1198871 1198861198962 + 1198872 1198861198963 + 1198873 1198861198964 + 1198874) Then it follows that
Λ 119886sdothk+b (119862 119905) = 119888(1198861198961+1198871)+(1198861198963+1198873)1199051 sdot 119888(1198861198962+1198872)+(1198861198964+1198874)1199052= (1198881198961+11989631199051 1198881198962+11989641199052 )119886 sdot (1198881198871+11988731199051 1198881198872+11988741199052 )= Λ hk (119862 119905)119886 sdot Λ b (119862 119905) (28)
Subset Membership Problem The subset membership prob-lem related to THPSDDH requires that (parsTHPS = (119873 119901 119902119873 1198921 1198922) 119862 = (1198921199081 1198921199082 )) is computationally indistinguish-able from (parsTHPS = (119873 119901 119902119873 1198921 1198922) 1198621015840 = (11989211990811 11989211990822 ))where 119862larr$ V and 1198621015840larr$ C V It trivially holds under theDDH assumption for GenN andQR119873
3.4. Instantiation AIAE_DDH from DDH-Based THPS_DDH and OT-Secure AE. When plugging THPS_DDH (cf. Figure 6) into the paradigm in Figure 5, we immediately obtain an AIAE scheme AIAE_DDH under the DDH assumption, as shown in Figure 7. The key space is $\mathcal{K}_{\mathsf{AIAE}} = (\mathbb{Z}_N)^4$.

By combining Theorem 15 with Theorem 21, we have the following corollary regarding the RKA security of AIAE_DDH.
Corollary 22. If (i) the DDH assumption holds for GenN and $\mathrm{QR}_{\bar N}$, (ii) AE is one-time secure, and (iii) $\mathcal{H}$ is collision-resistant, then the scheme AIAE_DDH in Figure 7 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here
$\mathcal{F}_{\mathrm{raff}} := \{ f_{(a, \mathbf{b})} : (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4 \mapsto (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4) \in (\mathbb{Z}_N)^4 \mid a \in \mathbb{Z}_N^{*},\ \mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4 \}$.

Remark 23. Our AIAE_DDH enjoys the following property: $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$ will be randomly distributed over $\mathrm{QR}_{\bar N}$ as long as any element $k_j$ in $\mathbf{k} = (k_1, k_2, k_3, k_4)$ is uniformly chosen. As a result, the one-time security of AE will guarantee that $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) = \bot$ holds for any $(\mathrm{aiaec}, \mathrm{ai})$, except with probability $\mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda) \le \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. This
AIAE.ParGen($1^\lambda$): $(p, q, N, \bar N) \leftarrow_\$ \mathrm{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ \mathrm{QR}_{\bar N}$; $\mathrm{pars}_{\mathsf{AE}} \leftarrow_\$ \mathrm{AE.ParGen}(1^\lambda)$; $\mathrm{H} \leftarrow_\$ \mathcal{H}$.
  Output $\mathrm{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathrm{pars}_{\mathsf{AE}}, \mathrm{H})$.
AIAE.Encrypt($\mathbf{k}, m, \mathrm{ai}$): Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
  $w \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$; $(c_1, c_2) := (g_1^{w}, g_2^{w}) \in \mathrm{QR}_{\bar N}^2$;
  $t := \mathrm{H}(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$;
  $\kappa := c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathrm{QR}_{\bar N}$;
  Output $\langle c_1, c_2, \mathrm{AE.Encrypt}(\kappa, m) \rangle$.
AIAE.Decrypt($\mathbf{k}, \langle c_1, c_2, \cdot \rangle, \mathrm{ai}$): Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
  If $(c_1, c_2) \notin \mathrm{QR}_{\bar N}^2$ or $(c_1, c_2) = (1, 1)$, output $\bot$.
  $t := \mathrm{H}(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$;
  $\kappa := c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathrm{QR}_{\bar N}$;
  Output $\mathrm{AE.Decrypt}(\kappa, \cdot)$ applied to the AE part of the ciphertext.

Figure 7: Construction of AIAE_DDH from AE and THPS_DDH.
fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.

4. PKE with n-KDM[F_aff]-CCA Security

Denote by $\mathsf{AIAE}_{\mathrm{DDH}} = (\mathrm{AIAE.ParGen}, \mathrm{AIAE.Encrypt}, \mathrm{AIAE.Decrypt})$ the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^4$. We need two other building blocks, following the approach in Figure 1:

(i) KEM: to be compatible with this AIAE_DDH, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
(ii) $\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$ so that, after a computationally indistinguishable change, $\mathcal{E}.\mathrm{Encrypt}$ can serve as an entropy filter for the affine function set.

The proposed PKE scheme $\mathsf{PKE} = (\mathrm{ParGen}, \mathrm{KeyGen}, \mathrm{Encrypt}, \mathrm{Decrypt})$ is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.

The correctness of PKE is guaranteed by the correctness of AIAE_DDH, $\mathcal{E}$, and KEM.
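The KEM part of Figure 8 with s = 2, as an added example that is not the paper's code: it runs KEM.Encrypt and KEM.Decrypt on a constructed toy modulus (p = 5, q = 7, N = 35, all arithmetic mod N^2), and also implements the ϕ(N)-based decryption that the proof of Theorem 24 later uses in games G7 and G8 (eq. (38)), with the rejection rule on α'_j ≠ 0; the element written T is 1 + N and all parameters are insecure toy values.

```python
import random
from math import gcd

# Constructed toy parameters (not the paper's GenN output, not secure):
# p = 5, q = 7 are safe primes, N = pq = 35, s = 2, so everything lives mod N^2.
P, Q = 5, 7
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)        # phi(N) = 24, coprime to N
T = 1 + N                       # T^k = 1 + kN mod N^2 generates RU_{N^2}


def dlog_T(x):
    """Discrete log base T; None if x is not in RU_{N^2} = {1 + kN mod N^2}."""
    if x % N != 1:
        return None
    return ((x - 1) // N) % N


def sample_scr(rng):
    """A random 2N-th residue mod N^2, i.e. an element of SCR_{N^2}."""
    while True:
        x = rng.randrange(2, N2)
        if gcd(x, N) == 1:
            return pow(x, 2 * N, N2)


def par_gen(rng):
    """The g_1, ..., g_5 <- SCR_{N^s} part of pars in Figure 8."""
    return [sample_scr(rng) for _ in range(5)]


def key_gen(g, rng):
    """KeyGen of Figure 8: h_j = g_j^{-x_j} g_{j+1}^{-y_j} mod N^s."""
    bound = N2 // 4
    xs = [rng.randrange(1, bound + 1) for _ in range(4)]
    ys = [rng.randrange(1, bound + 1) for _ in range(4)]
    pk = [pow(g[j], -xs[j], N2) * pow(g[j + 1], -ys[j], N2) % N2 for j in range(4)]
    return pk, (xs, ys)


def kem_encrypt(g, pk, rng):
    """KEM.Encrypt: u_j = g_j^r, e_j = h_j^r T^{k_j}; returns (k, ai = (u, e))."""
    k = [rng.randrange(N) for _ in range(4)]           # encapsulated key in (Z_N)^4
    r = rng.randrange(1, N // 4 + 1)
    u = [pow(gj, r, N2) for gj in g]
    e = [pow(pk[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return k, (u, e)


def kem_decrypt(sk, ai):
    """KEM.Decrypt of Figure 8: k_j = dlog_T(e_j u_j^{x_j} u_{j+1}^{y_j}), or bottom."""
    xs, ys = sk
    u, e = ai
    k = []
    for j in range(4):
        v = e[j] * pow(u[j], xs[j], N2) * pow(u[j + 1], ys[j], N2) % N2
        kj = dlog_T(v)
        if kj is None:                                  # v not in RU_{N^2}: reject
            return None
        k.append(kj)
    return k


def kem_decrypt_g8(sk, ai):
    """Decryption as in games G7/G8, eq. (38): alpha'_j = dlog_T(u_j^phi(N))/phi(N),
    delta'_j = dlog_T(e_j^phi(N))/phi(N) mod N, k_j = alpha'_j x_j + alpha'_{j+1} y_j
    + delta'_j; the G8 rule rejects as soon as some alpha'_j != 0."""
    xs, ys = sk
    u, e = ai
    if any(gcd(v, N) != 1 for v in u + e):
        return None
    inv_phi = pow(PHI, -1, N)
    alpha = [dlog_T(pow(uj, PHI, N2)) * inv_phi % N for uj in u]
    delta = [dlog_T(pow(ej, PHI, N2)) * inv_phi % N for ej in e]
    if any(a != 0 for a in alpha):
        return None
    return [(alpha[j] * xs[j] + alpha[j + 1] * ys[j] + delta[j]) % N for j in range(4)]


def demo(seed=1):
    """Returns (both decryptions recover k, G8 rule rejects a u_1 outside SCR_{N^2})."""
    rng = random.Random(seed)
    g = par_gen(rng)
    pk, sk = key_gen(g, rng)
    k, (u, e) = kem_encrypt(g, pk, rng)
    honest = kem_decrypt(sk, (u, e)) == k and kem_decrypt_g8(sk, (u, e)) == k
    # u_1 * T has a non-trivial RU_{N^2} component, so alpha'_1 = 1 != 0 and G8 rejects.
    off_group = ([u[0] * T % N2] + u[1:], e)
    return honest, kem_decrypt_g8(sk, off_group) is None
```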
Theorem 24. If (i) the DCR assumption holds for GenN and $\mathrm{QR}_{N^s}$, (ii) AIAE_DDH is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for GenN and $\mathrm{SCR}_{N^s}$, then the proposed scheme PKE in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.

Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, querying the encrypt oracle at most $Q_e$ times and the decrypt oracle at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.

In the proof, G1-G2 deal with the $n$-user case; G3-G4 are used to eliminate the utilization of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^4$ in the encrypt oracle; the aim of G5-G6 is to use $(x_j, y_j)_{j=1}^4 \bmod N$ to hide a base key $\mathbf{k}^* = (k^*_1, \dots, k^*_4)$ of AIAE_DDH in the encrypt oracle; G7-G8 are used to eliminate the utilization of $(x_j, y_j)_{j=1}^4 \bmod N$ in the decrypt oracle; in G9-G10, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^* = (k^*_1, \dots, k^*_4)$ is now perfectly concealed by $(x_j, y_j)_{j=1}^4 \bmod N$.

Game G0. It is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta' = \beta$ by Succ. According to the definition, $\mathrm{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathsf{PKE}, \mathcal{A}}(\lambda) = |\Pr_0[\mathrm{Succ}] - 1/2|$.

For the $i$-th user, $i \in [n]$, let $pk_i = (h_{i,1}, \dots, h_{i,4})$ and $sk_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key, respectively.

Game G1. It is identical to G0 except for the way of answering the decrypt query $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$. More precisely, the challenger outputs $\bot$ if $\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$, where $\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ is the challenge ciphertext of the $\ell$-th encrypt oracle query $(f_\ell, i_\ell)$.

Case 1 ($(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i) = (\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle, i_\ell)$): decrypt will output $\bot$ in G0, since $(\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle, i_\ell) \in \mathcal{Q}_{\mathrm{ENC}}$ is prohibited by decrypt.

Case 2 ($\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ but $i \neq i_\ell$): We show that in G0, decrypt will output $\bot$ because $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ with overwhelming probability. Recall that $u_{\ell,1} = g_1^{r_\ell}$, $u_{\ell,2} = g_2^{r_\ell}$, $e_{\ell,1} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}}$, so

$e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}} \cdot (g_1^{r_\ell})^{x_{i,1}} (g_2^{r_\ell})^{y_{i,1}} = \left(h_{i_\ell,1} h_{i,1}^{-1}\right)^{r_\ell} T^{k_{\ell,1}} \bmod N^2$, (29)

where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$-th user and the $i$-th user, respectively, and are uniformly random over $\mathrm{SCR}_{N^s}$.
ParGen($1^\lambda$): $\mathrm{pars}_{\mathsf{AIAE}} \leftarrow_\$ \mathrm{AIAE.ParGen}(1^\lambda)$, where $\mathrm{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathrm{pars}_{\mathsf{AE}}, \mathrm{H})$, $N = pq$, $\bar N = 2N + 1$, $g_1, g_2 \in \mathrm{QR}_{\bar N}$;
  $\mathrm{pars}'_{\mathsf{AIAE}} := (N, \bar N, g_1, g_2, \mathrm{pars}_{\mathsf{AE}}, \mathrm{H})$;
  $g_1, g_2, g_3, g_4, g_5 \leftarrow_\$ \mathrm{SCR}_{N^s}$.
  Output $\mathrm{pars} = (\mathrm{pars}'_{\mathsf{AIAE}}, g_1, g_2, g_3, g_4, g_5)$.
KeyGen(pars): $x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4 \leftarrow_\$ [\lfloor N^2/4 \rfloor]$;
  $(h_1, h_2, h_3, h_4) := (g_1^{-x_1} g_2^{-y_1},\ g_2^{-x_2} g_3^{-y_2},\ g_3^{-x_3} g_4^{-y_3},\ g_4^{-x_4} g_5^{-y_4}) \bmod N^s$;
  $pk := (h_1, h_2, h_3, h_4)$, $sk := (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4)$. Output $(pk, sk)$.
Encrypt($pk, m$): $(\mathbf{k}, \m	ext{ai}) \leftarrow_\$ \mathrm{KEM.Encrypt}(pk)$; $\mathrm{Ec} \leftarrow_\$ \mathcal{E}.\mathrm{Encrypt}(pk, m)$; $\mathrm{aiaec} \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}, \mathrm{Ec}, \mathrm{ai})$. Output $\langle \mathrm{ai}, \mathrm{aiaec} \rangle$.
Decrypt($sk, \langle \mathrm{ai}, \mathrm{aiaec} \rangle$): $\mathbf{k}/\bot \leftarrow \mathrm{KEM.Decrypt}(sk, \mathrm{ai})$; $\mathrm{Ec}/\bot \leftarrow \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai})$; $m/\bot \leftarrow \mathcal{E}.\mathrm{Decrypt}(sk, \mathrm{Ec})$.

KEM.Encrypt($pk$): $\mathbf{k} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$; $r \leftarrow_\$ [\lfloor N/4 \rfloor]$;
  $(u_1, u_2, u_3, u_4, u_5) := (g_1^{r}, g_2^{r}, g_3^{r}, g_4^{r}, g_5^{r}) \bmod N^2$;
  $(e_1, e_2, e_3, e_4) := (h_1^{r} T^{k_1}, h_2^{r} T^{k_2}, h_3^{r} T^{k_3}, h_4^{r} T^{k_4}) \bmod N^2$;
  $\mathrm{ai} := (u_1, \dots, u_5, e_1, \dots, e_4)$. Output $(\mathbf{k}, \mathrm{ai})$.
KEM.Decrypt($sk, \mathrm{ai}$): Parse $\mathrm{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$.
  If $e_1 u_1^{x_1} u_2^{y_1},\ e_2 u_2^{x_2} u_3^{y_2},\ e_3 u_3^{x_3} u_4^{y_3},\ e_4 u_4^{x_4} u_5^{y_4} \in \mathrm{RU}_{N^2}$:
    $(k_1, k_2, k_3, k_4) := \left(\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}),\ \mathrm{dlog}_T(e_2 u_2^{x_2} u_3^{y_2}),\ \mathrm{dlog}_T(e_3 u_3^{x_3} u_4^{y_3}),\ \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})\right) \bmod N$;
    Output $\mathbf{k} = (k_1, k_2, k_3, k_4)$.
  Else output $\bot$.

$\mathcal{E}$.Encrypt($pk, m$): $m \in [N^{s-1}]$; $r_1, r_2, r_3, r_4 \leftarrow_\$ [\lfloor N/4 \rfloor]$;
  $(u_1, \dots, u_8) := (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$;
  $e := h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^{m} \bmod N^s$; $t := g_1^{m} \bmod N$;
  $\mathrm{Ec} := (u_1, \dots, u_8, e, t)$. Output $\mathrm{Ec}$.
$\mathcal{E}$.Decrypt($sk, \mathrm{Ec}$): Parse $\mathrm{Ec} = (u_1, \dots, u_8, e, t)$.
  If $e u_1^{x_1} u_2^{y_1} u_3^{x_2} u_4^{y_2} u_5^{x_3} u_6^{y_3} u_7^{x_4} u_8^{y_4} \in \mathrm{RU}_{N^s}$:
    $m := \mathrm{dlog}_T\left(e u_1^{x_1} u_2^{y_1} u_3^{x_2} u_4^{y_2} u_5^{x_3} u_6^{y_3} u_7^{x_4} u_8^{y_4}\right) \bmod N^{s-1}$;
    If $t = g_1^{m} \bmod N$, output $m$; else output $\bot$.
  Else output $\bot$.

Figure 8: Construction of PKE from AIAE_DDH. The shadowed parts highlight the algorithms of KEM and $\mathcal{E}$. Here $p, q$ in $\mathrm{pars}_{\mathsf{AIAE}}$ are not provided in $\mathrm{pars}'_{\mathsf{AIAE}}$, since they are not used in AIAE.Encrypt and AIAE.Decrypt of AIAE_DDH.
So $h_{i_\ell,1} h_{i,1}^{-1} \neq 1$; hence $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus G0 and G1 are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$ according to the union bound, and $|\Pr_0[\mathrm{Succ}] - \Pr_1[\mathrm{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Game G2. It is identical to G1 except for the way the challenger samples the secret keys $sk_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game G2, the challenger first chooses $(x_1, y_1, \dots, x_4, y_4)$ and per-user offsets $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$; next it computes $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) := (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.

Obviously, the secret keys $sk_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence G2 is identical to G1, and $\Pr_1[\mathrm{Succ}] = \Pr_2[\mathrm{Succ}]$.

Game G3. It is identical to G2 except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G3, instead of using the public key $pk_{i_\ell} = (h_{i_\ell,1}, \dots, h_{i_\ell,4})$, the challenger uses the secret key $sk_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \dots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell,1}, \dots, e_{\ell,4})$ and $e_\ell$ in the following way:

(i) $(e_{\ell,1}, \dots, e_{\ell,4}) := \left(u_{\ell,1}^{-x_{i_\ell,1}} u_{\ell,2}^{-y_{i_\ell,1}} T^{k_{\ell,1}},\ \dots,\ u_{\ell,4}^{-x_{i_\ell,4}} u_{\ell,5}^{-y_{i_\ell,4}} T^{k_{\ell,4}}\right) \bmod N^2$; (30)

(ii) $e_\ell := \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \tilde u_{\ell,3}^{-x_{i_\ell,2}} \tilde u_{\ell,4}^{-y_{i_\ell,2}} \tilde u_{\ell,5}^{-x_{i_\ell,3}} \tilde u_{\ell,6}^{-y_{i_\ell,3}} \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s$, (31)

where $\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8}$ denote the $u$-components of $\mathrm{Ec}_\ell$ produced by $\mathcal{E}.\mathrm{Encrypt}$ in the $\ell$-th query. Note that for $j \in [4]$,

$e_{\ell,j} \overset{\mathrm{G2}}{=} h_{i_\ell,j}^{r_\ell} T^{k_{\ell,j}} = \left(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\right)^{r_\ell} T^{k_{\ell,j}} \overset{\mathrm{G3}}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} \bmod N^2$,
Table 2: Brief description of the security proof of Theorem 24.

Game | Changes between adjacent games | Assumptions
G0 | The original $n$-KDM-CCA security game. | --
G1 | decrypt: reject if $\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$. | G0 $\approx_s$ G1
G2 | initialize: sample secret keys with $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) = (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$. | G1 = G2
G3 | encrypt$(f_\ell, i_\ell)$: use the secret keys to run KEM.Encrypt and $\mathcal{E}$.Encrypt. | G2 = G3
G4 | encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of the secret keys, Ec is computed with $(\tilde u_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \dots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \dots, g_5^{r_{\ell,4}})$. encrypt does not use $(x_j, y_j)_{j=1}^4 \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen. | G3 $\approx_c$ G4 by $\mathrm{IV}_5$
G5 | encrypt$(f_\ell, i_\ell)$: kem.ct (= ai) of KEM.Encrypt is computed with $(u_{\ell,j})_{j \in [5]} = ((g_j^{r^*} T^{\alpha_j})^{r_\ell})_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now KEM.Encrypt encapsulates the four keys $(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}))_{j=1}^4 \bmod N$, but $(k_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | G4 $\approx_c$ G5 by $\mathrm{IV}_5$
G6 | encrypt$(f_\ell, i_\ell)$: sample $k_{\ell,j} := r_\ell k^*_j + s_{\ell,j}$ for $j \in [4]$. Now KEM.Encrypt encapsulates the four keys $(r_\ell (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell (\alpha_j \bar x_{i,j} + \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j})_{j=1}^4$, but $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | G5 = G6
G7 | decrypt: use $\phi(N)$ and the secret keys to answer decryption queries. | G6 = G7
G8 | decrypt: add an additional rejection rule. Reject if $\mathrm{Bad}' = (\exists u_j \notin \mathrm{SCR}_{N^2})$ or $\widetilde{\mathrm{Bad}} = (\forall u_j \in \mathrm{SCR}_{N^2}) \wedge (\exists \tilde u_j \notin \mathrm{SCR}_{N^s})$ happens. $\mathrm{Bad}'$ and $\widetilde{\mathrm{Bad}}$ can be detected by using $\phi(N)$. Now only the $(\bmod \phi(N)/4)$ part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^4 \bmod N$ perfectly hides $(k^*_1, \dots, k^*_4)$ in encrypt; thus $(k^*_1, \dots, k^*_4)$ is uniform. $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. $\mathrm{Bad}'$ may lead to a fresh successful forgery for AIAE_DDH. | G7 = G8 if neither $\mathrm{Bad}'$ nor $\widetilde{\mathrm{Bad}}$ happens; $\Pr[\mathrm{Bad}'] = \mathrm{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH
G9 | initialize: sample an independent random tuple $(k^*_1, \dots, k^*_4)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ in AIAE.Encrypt. | G8 = G9 to the adversary
G10 | encrypt: encrypt zeros instead of the affine function of the secret keys. $\widetilde{\mathrm{Bad}}$ happens with negligible probability since $t = g_1^{m} \bmod N$ in decrypt. Adversary $\mathcal{A}$ wins with probability $1/2$. | G9 $\approx_c$ G10 by the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH; $\Pr[\widetilde{\mathrm{Bad}}] = \mathrm{negl}$
$e_\ell \overset{\mathrm{G2}}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{m_\beta} = \left(g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}}\right)^{r_{\ell,1}} \cdots \left(g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}}\right)^{r_{\ell,4}} T^{m_\beta} \overset{\mathrm{G3}}{=} \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s$. (32)

Thus G3 is the same as G2, and $\Pr_2[\mathrm{Succ}] = \Pr_3[\mathrm{Succ}]$.

Game G4. It is identical to G3 except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G4, in the case of $\beta = 1$, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and $e_\ell$ are computed without the use of $(x_1, y_1, \dots, x_4, y_4) \bmod N$:

(i) $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8}) := \left(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\right) \bmod N^s$; (33)

(ii) $e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \bmod N^s$, (34)

where $f_\ell = \left((a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4})_{i \in [n]}, c\right) \in \mathcal{F}_{\mathrm{aff}}$. Note that

$e_\ell \overset{\mathrm{G4}}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c}$
$= \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 (a_{i,j} x_{i,j} + b_{i,j} y_{i,j}) + c - \sum_{i=1}^n \sum_{j=1}^4 (a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j})}$
$= \prod_{j=1}^4 \left(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\right)^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^n \sum_{j=1}^4 (a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j})}$
$= \prod_{j=1}^4 \left(g_j^{r_{\ell,j}} T^{\sum_{i=1}^n a_{i,j}}\right)^{-x_{i_\ell,j}} \left(g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^n b_{i,j}}\right)^{-y_{i_\ell,j}} \cdot T^{m_1}$
$= \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_1} \bmod N^s$, (35)

where the third equality follows from $m_1 = \sum_{i=1}^n (a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}) + c$.

We analyze the difference between G3 and G4 via the following lemma.

Lemma 25. One has $|\Pr_3[\mathrm{Succ}] - \Pr_4[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is the same in G3 and G4. Therefore, the only divergence between G3 and G4 lies in $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$.

We show that any difference between G3 and G4 results in a PPT adversary $\mathcal{B}_1$ solving the $\mathrm{IV}_5$ problem. $\mathcal{B}_1$ is provided with $(N, g_1, \dots, g_5)$ and has access to its $\mathrm{chal}^{b}_{\mathrm{IV}_5}$ oracle. $\mathcal{B}_1$ simulates game G3 or game G4 for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares pars and generates $(pk_i, sk_i)$, $i \in [n]$, as in G3 and G4. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = ((a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4})_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathrm{chal}^{b}_{\mathrm{IV}_5}$ oracle with $(\sum_{i=1}^n a_{i,1}, \sum_{i=1}^n b_{i,1}, *, *, *)$, $(*, \sum_{i=1}^n a_{i,2}, \sum_{i=1}^n b_{i,2}, *, *)$, $(*, *, \sum_{i=1}^n a_{i,3}, \sum_{i=1}^n b_{i,3}, *)$, $(*, *, *, \sum_{i=1}^n a_{i,4}, \sum_{i=1}^n b_{i,4})$, where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde u_{\ell,1}, \tilde u_{\ell,2}, *, *, *)$, $(*, \tilde u_{\ell,3}, \tilde u_{\ell,4}, *, *)$, $(*, *, \tilde u_{\ell,5}, \tilde u_{\ell,6}, *)$, $(*, *, *, \tilde u_{\ell,7}, \tilde u_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathrm{chal}^{b}_{\mathrm{IV}_5}$ oracle, $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}})$.

Case 2 ($b = 1$): $(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}})$.

Next, $\mathcal{B}_1$ uses the obtained $(\tilde u_{\ell,1}, \dots, \tilde u_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$, since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event Succ occurs.

In Case 1, $\mathcal{B}_1$ simulates game G3 perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game G4 perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathrm{Succ}]$ and $\Pr_4[\mathrm{Succ}]$ results in $\mathcal{B}_1$'s advantage over the $\mathrm{IV}_5$ problem. Thus Lemma 25 follows.

Game G5. It is identical to G4 except for the following differences. In the initialize procedure of game G5, the challenger picks $r^* \leftarrow_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \dots, \alpha_5 \leftarrow_\$ \mathbb{Z}_N$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \dots, u_{\ell,5})$ as follows:

(i) $(u_{\ell,1}, \dots, u_{\ell,5}) := \left((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\right) \bmod N^2$.

The only difference between G4 and G5 is the distribution of $(u_{\ell,1}, \dots, u_{\ell,5})$. In game G4, $(u_{\ell,1}, \dots, u_{\ell,5}) = (g_1^{r_\ell}, \dots, g_5^{r_\ell}) \bmod N^2$, while in game G5, $(u_{\ell,1}, \dots, u_{\ell,5}) = ((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}) \bmod N^2$. Just like Lemma 25, any difference between G4 and G5 results in a PPT adversary solving the $\mathrm{IV}_5$ problem by invoking $\mathcal{A}$. Therefore $|\Pr_4[\mathrm{Succ}] - \Pr_5[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Game G6. It is identical to G5 except for the following differences. In the initialize procedure of game G6, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \dots, e_{\ell,4})$ in a different way:

(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_\$ (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \dots, r_\ell k^*_4 + s_{\ell,4})$.

(ii) $(e_{\ell,1}, \dots, e_{\ell,4}) := \left(h_{i_\ell,1}^{r^* r_\ell} T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}},\ \dots,\ h_{i_\ell,4}^{r^* r_\ell} T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\right)$. (36)

Clearly, $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game G5. In the meantime, for $j \in [4]$, we have

$e_{\ell,j} \overset{\mathrm{G5}}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}}$
$= \left(g_j^{r^*} T^{\alpha_j}\right)^{-r_\ell \cdot x_{i_\ell,j}} \left(g_{j+1}^{r^*} T^{\alpha_{j+1}}\right)^{-r_\ell \cdot y_{i_\ell,j}} T^{k_{\ell,j}}$
$= \left(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\right)^{r^* r_\ell} T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})}$
$\overset{\mathrm{G6}}{=} h_{i_\ell,j}^{r^* r_\ell} T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2$. (37)

Thus G6 is the same as G5, and $\Pr_5[\mathrm{Succ}] = \Pr_6[\mathrm{Succ}]$.

Game G7. It is identical to G6 except for the way the challenger answers the decrypt oracle queries $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$. In game G7, it uses $sk_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathrm{ai}, \mathrm{aiaec} \rangle$, where $\mathrm{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \dots, k_4)$ and $m$ in the following way:
(i) $(\alpha'_1, \dots, \alpha'_5) := \left(\frac{\mathrm{dlog}_T(u_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(u_5^{\phi(N)})}{\phi(N)}\right) \bmod N$;
$(\delta'_1, \dots, \delta'_4) := \left(\frac{\mathrm{dlog}_T(e_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(e_4^{\phi(N)})}{\phi(N)}\right) \bmod N$;
$\mathbf{k} = (k_1, \dots, k_4) := \left(\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \delta'_1,\ \dots,\ \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \delta'_4\right) \bmod N$. (38)

(ii) $\mathrm{Ec} = (\tilde u_1, \dots, \tilde u_8, e, t) / \bot \leftarrow \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai})$. (39)

(iii) $(\tilde\alpha'_1, \dots, \tilde\alpha'_8) := \left(\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}\right) \bmod N^{s-1}$;
$\gamma := \frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)} \bmod N^{s-1}$;
$m := \tilde\alpha'_1 x_{i,1} + \tilde\alpha'_2 y_{i,1} + \tilde\alpha'_3 x_{i,2} + \tilde\alpha'_4 y_{i,2} + \tilde\alpha'_5 x_{i,3} + \tilde\alpha'_6 y_{i,3} + \tilde\alpha'_7 x_{i,4} + \tilde\alpha'_8 y_{i,4} + \gamma \bmod N^{s-1}$. (40)
According to (8), for $j \in [4]$ we have that

$k_j \overset{\mathrm{G6}}{=} \mathrm{dlog}_T\left(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}}\right) = \frac{\mathrm{dlog}_T\left((e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)}\right)}{\phi(N)} \bmod N$
$= \frac{\mathrm{dlog}_T(u_j^{\phi(N) \cdot x_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N) \cdot y_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}$
$\overset{\mathrm{G7}}{=} \underbrace{\frac{\mathrm{dlog}_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}}_{\delta'_j}$,

$m \overset{\mathrm{G6}}{=} \mathrm{dlog}_T\left(e \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}}\right) \bmod N^{s-1}$
$\overset{\mathrm{G7}}{=} \underbrace{\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}}_{\tilde\alpha'_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}}_{\tilde\alpha'_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)}}_{\gamma}$. (41)

Hence G7 is essentially the same as G6, and $\Pr_6[\mathrm{Succ}] = \Pr_7[\mathrm{Succ}]$.

Game G8. It is identical to G7 except for the way of answering the decrypt oracle queries $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:

(i) If $\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or $\tilde\alpha'_1 \neq 0$ or $\cdots$ or $\tilde\alpha'_8 \neq 0$, output $\bot$.

Denote by Bad the event that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying

$e_1 u_1^{x_{i,1}} u_2^{y_{i,1}}, \dots, e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathrm{RU}_{N^2}$ and $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) \neq \bot$ (42)

and $e \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}} \in \mathrm{RU}_{N^s}$ and $t = g_1^{m} \bmod N$ (43)

and $(\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or $\tilde\alpha'_1 \neq 0$ or $\cdots$ or $\tilde\alpha'_8 \neq 0)$. (44)

Obviously, G8 is identical to G7 unless Bad occurs. Thus $|\Pr_7[\mathrm{Succ}] - \Pr_8[\mathrm{Succ}]| \le \Pr_8[\mathrm{Bad}]$. To show the computational indistinguishability of G7 and G8, we must prove that $\Pr_8[\mathrm{Bad}]$ is negligible. To this end, Bad is divided into two subevents:

(i) $\mathrm{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying Conditions (42), (43), and $(\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0)$. (45)

(ii) $\widetilde{\mathrm{Bad}}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying Conditions (42), (43), and $(\alpha'_1 = \cdots = \alpha'_5 = 0)$ and $(\tilde\alpha'_1 \neq 0$ or $\cdots$ or $\tilde\alpha'_8 \neq 0)$. (46)

Obviously, $\Pr_8[\mathrm{Bad}] \le \Pr_8[\mathrm{Bad}'] + \Pr_8[\widetilde{\mathrm{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathrm{Bad}}]$ to subsequent games. Through the following lemma, we provide the analysis of $\Pr_8[\mathrm{Bad}']$.

Lemma 26. One has $\Pr_8[\mathrm{Bad}'] \le 2 Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof In decrypt of game G8 the challenger will reply perpto A unless 12057210158401 = sdot sdot sdot = 12057210158405 = 0 and 1 = sdot sdot sdot =8 = 0 Consequently the (mod120601(119873)4) part of sk119894 thatis (1199091198941 1199101198941 1199091198944 1199101198944) mod120601(119873)4 119894 isin [119899] and thevalue of 120601(119873) is enough for answering decrypt queriesIn particular the values of (1199091 1199101 1199094 1199104) mod119873 are notnecessary in decrypt
Bad1015840 is further divided into the following two subevents
(i) Bad1015840-1 A ever queries the decrypt oracle with(⟨ai aiaec⟩ 119894 isin [119899]) satisfyingConditions (42) (43) and (12057210158401 = 0 or sdot sdot sdot or 12057210158405 = 0)and (exist119895 isin [4] 1205721015840119895120572119895 = 1205721015840119895+1120572119895+1 mod119873) (47)
(ii) Bad1015840-2 A ever queries the decrypt oracle with(⟨ai aiaec⟩ 119894 isin [119899]) satisfyingConditions (42) (43) and (12057210158401 = 0 or sdot sdot sdot or 12057210158405 = 0)and (120572101584011205721 = sdot sdot sdot = 120572101584051205725 mod119873) (48)
Recall that (1205721 1205725) are chosen in initializeWe will consider the two subevents in gameG8 separately
via the following two claims
Claim 27 One has Pr8[Bad1015840-1] le 119876119889 sdot Advweak-int-rkaAIAEDDH(120582)
Proof In game G8 the values of (1199091 1199101 1199094 1199104) mod119873are not needed in decrypt and the computation of119905ℓ = 1198921198981205731 mod119873 in encrypt only makes use of (1199091 1199101 1199094 1199104) mod120601(119873)4 Thus the only information about(1199091 1199101 1199094 1199104) mod119873 leaked to A is through thecomputation of (119890ℓ1 119890ℓ4) in encrypt which may leakthe values of (12057211199091 + 12057221199101) (12057221199092 + 12057231199102) (12057231199093 + 12057241199103)(12057241199094 + 12057251199104) mod119873 for 119895 isin [4]119890ℓ119895 = ℎ119903lowast119903ℓ119894ℓ 119895
119879119903ℓ sdot(119896lowast119895 minus120572119895119909119894ℓ 119895minus120572119895+1119910119894ℓ 119895)+119904ℓ119895 mod1198732
= ℎ119903lowast119903ℓ119894ℓ 119895119879119903ℓ sdot (119896lowast119895 minus 120572119895119909119895 minus 120572119895+1119910119895⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
≜ 119895
minus120572119895119909119894ℓ 119895minus120572119895+1119910119894ℓ 119895)+119904ℓ119895
mod1198732(49)
If Bad1015840-1 occurs for concreteness say that 120572101584011205721 =120572101584021205722 mod119873 then
1198961 = 120572101584011199091198941 + 120572101584021199101198941 + 12057410158401= 120572101584011199091 + 120572101584021199101 + 120572101584011199091198941 + 120572101584021199101198941 + 12057410158401 mod119873 (50)
where 1198961 is independent of (12057211199091 + 12057221199101) mod119873 thusuniformly distributed overZ119873 fromArsquos view By Remark 23for k = (1198961 1198962 1198963 1198964) where 1198961larr$ Z119873 the probability
of AIAEDecrypt(k aiaec ai) =perp is upper bounded byAdvweak-int-rkaAIAEDDH
(120582)Then Pr8[Bad1015840-1] le 119876119889 sdot Advweak-int-rkaAIAEDDH
(120582) by a unionbound
Claim 28 One has Pr8[Bad1015840-2] le 119876119889 sdot Advweak-int-rkaAIAEDDH(120582)
Proof. Similar to the discussion in the proof for the previous claim, in game G8 the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values $\tilde{k}_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\tilde{k}_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\tilde{k}_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\tilde{k}_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt. (We write $\tilde{k}_j$ for these four quantities; their original symbol did not survive extraction.)

Note that because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $(\tilde{k}_1, \tilde{k}_2, \tilde{k}_3, \tilde{k}_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm that simulates decrypt and encrypt of game G8 without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA encryption oracle of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathsf{pars}_{\mathrm{AIAE}})$, which has access to an $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathsf{pars}_{\mathrm{AIAE}} = (N, p, q, \ldots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more, and it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either; instead it chooses $\tilde{\mathbf{k}} = (\tilde{k}_1, \tilde{k}_2, \tilde{k}_3, \tilde{k}_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$ and $(\tilde{x}_{i,1}, \tilde{y}_{i,1}, \ldots, \tilde{x}_{i,4}, \tilde{y}_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(\tilde{x}_{i_\ell,j}, \tilde{y}_{i_\ell,j}, \tilde{k}_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathcal{E}.c_\ell, \mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4}) \rangle)$ to its own $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle and obtains $\mathsf{aiaec}_\ell$. The final ciphertext is $\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security game, the $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle will encrypt $\mathcal{E}.c_\ell$ with the auxiliary input $\mathsf{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$, that is, the $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle behaves as $\mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.c_\ell, \mathsf{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to G8. For decrypt, $\mathcal{B}_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like G8.
Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ such that $\mathsf{Bad}'$-2 occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
$$ \begin{aligned} k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\ &= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\ &= r \cdot k^*_j - r \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{= \tilde{k}_j} - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}) + \gamma'_j \bmod N \\ &= r \cdot k^*_j \underbrace{- r \cdot (\tilde{k}_j - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}) + \gamma'_j}_{\triangleq\, s_j} = r \cdot k^*_j + s_j \bmod N. \end{aligned} \quad (51) $$
Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4) \rangle$ as above using $(\tilde{x}_{i,j}, \tilde{y}_{i,j}, \tilde{k}_j)_{j=1}^4$ and outputs $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiaec})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathsf{ai}, \mathsf{aiaec} \rangle \neq \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiaec}) \neq (\mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathsf{aiaec}_\ell)$ will hold for all $\ell \in [Q_e]$, that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\tilde{k}_j - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot (\tilde{k}_j - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously this satisfies the special rule required for weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.

(iii) Finally, if $\mathsf{Bad}'$-2 occurs in this decryption query, then $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) \neq \perp$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, which implies that $\mathcal{B}_2$'s forgery is successful.

By a union bound we have that $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game G9. It is identical to G8 except for the following differences. In the initialize procedure of game G9, the challenger picks an independent $\bar{\mathbf{k}}^* = (\bar{k}^*_1, \bar{k}^*_2, \bar{k}^*_3, \bar{k}^*_4) \leftarrow_\$ (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathrm{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathsf{aiaec}_\ell$:

(i) $\mathbf{k}_\ell := (r_\ell \bar{k}^*_1 + s_{\ell,1}, \ldots, r_\ell \bar{k}^*_4 + s_{\ell,4})$;
(ii) $\mathsf{aiaec}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.c_\ell, \mathsf{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.
In G8, the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,
$$ \begin{aligned} e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\; T^{\,r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\ &= h_{i_\ell,j}^{r^* r_\ell}\; T^{\,r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \tilde{x}_{i_\ell,j} - \alpha_{j+1} \tilde{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2. \end{aligned} \quad (52) $$
Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Therefore, the challenger could always employ another $\bar{\mathbf{k}}^* = (\bar{k}^*_1, \ldots, \bar{k}^*_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption in the encrypt oracle, as in G9.

Then game G8 and game G9 are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathsf{Succ}] = \Pr_9[\mathsf{Succ}]$ and $\Pr_8[\mathsf{Bad}] = \Pr_9[\mathsf{Bad}]$.

Game G10. It is identical to G9 except for the way the challenger answers the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game G10 the challenger computes $\mathsf{aiaec}_\ell$ in the following way:
(i) $\mathsf{aiaec}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathsf{ai}_\ell)$.

Observe that in G9 and G10, $\bar{\mathbf{k}}^*$ is employed only in the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption, which uses $\mathbf{k}_\ell = r_\ell \cdot \bar{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key, with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between G9 and G10 results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathsf{Succ}] - \Pr_{10}[\mathsf{Succ}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\mathsf{Bad}] - \Pr_{10}[\mathsf{Bad}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in G10 the challenger always computes the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathsf{Succ}] = 1/2$.
To complete the proof of Theorem 24, we only need to prove the following lemma.

Lemma 29. One has $\Pr_{10}[\mathsf{Bad}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda)$.

Proof. In G10, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g g_j \bmod \phi(N)/4$ for some base $g \in \mathrm{SCR}_{N^s}$, $j \in [5]$.
$\mathsf{Bad}$ is further divided into the following two disjoint subevents. (We write $\theta_1, \ldots, \theta_8$ for the mod-$\phi(N)/4$ exponents of the queried ciphertext that appear in these conditions; their original symbol did not survive extraction.)

(i) $\mathsf{Bad}$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
$$ \text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\theta_1 \neq 0 \text{ or } \cdots \text{ or } \theta_8 \neq 0) \text{ and } \Big( \tfrac{\theta_1}{w_1} \neq \tfrac{\theta_2}{w_2} \text{ or } \tfrac{\theta_3}{w_2} \neq \tfrac{\theta_4}{w_3} \text{ or } \tfrac{\theta_5}{w_3} \neq \tfrac{\theta_6}{w_4} \text{ or } \tfrac{\theta_7}{w_4} \neq \tfrac{\theta_8}{w_5} \Big). \quad (53) $$

(ii) $\mathsf{Bad}$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$ satisfying
$$ \text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\theta_1 \neq 0 \text{ or } \cdots \text{ or } \theta_8 \neq 0) \text{ and } \Big( \tfrac{\theta_1}{w_1} = \tfrac{\theta_2}{w_2} \text{ and } \tfrac{\theta_3}{w_2} = \tfrac{\theta_4}{w_3} \text{ and } \tfrac{\theta_5}{w_3} = \tfrac{\theta_6}{w_4} \text{ and } \tfrac{\theta_7}{w_4} = \tfrac{\theta_8}{w_5} \Big). \quad (54) $$
We will analyze the two subevents in game G10 separately via the following two claims.

Claim 30. One has $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Proof. If $\mathsf{Bad}$-1 occurs, for concreteness say that $\theta_1/w_1 \neq \theta_2/w_2$ (with $\theta_j$ the mod-$\phi(N)/4$ exponents of the queried ciphertext), then
$$ g_1^{m} = g_1^{\theta_1 x_{i,1} + \theta_2 y_{i,1} + \cdots} = g_1^{\theta_1 x_1 + \theta_2 y_1 + \theta_1 \tilde{x}_{i,1} + \theta_2 \tilde{y}_{i,1} + \cdots \bmod \phi(N)/4} \bmod N, \quad (55) $$
and $(\theta_1 x_1 + \theta_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m}$ is uniformly distributed over $\mathrm{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound, $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game G10, if $\mathsf{Bad}$-2 occurs then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ that computes the discrete logarithm of $h$ to the base $g$, where $g, h \in \mathrm{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathrm{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys in just the same way as initialize in G10. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as G10 does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g g_j = z_j + w z'_j \bmod \phi(N)/4$.

If $\mathsf{Bad}$-2 occurs in decrypt, for concreteness say that $\theta_1/w_1 = \theta_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{\theta_1} = g_1^{\theta_2} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1 \theta_2 = w_2 \theta_1 \bmod \phi(N)/4$, or equivalently
$$ z_1 \theta_2 + w z'_1 \theta_2 = z_2 \theta_1 + w z'_2 \theta_1 \bmod \phi(N)/4. \quad (56) $$
Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1 \theta_2 - z'_2 \theta_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ will succeed in computing the discrete logarithm of $h$ to the base $g$ and output $w = (z'_1 \theta_2 - z'_2 \theta_1)^{-1} \cdot (z_2 \theta_1 - z_1 \theta_2) \bmod \phi(N)/4$ to its challenger. Clearly we have $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.
In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], which are polynomial-sized circuits computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathrm{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of 8n Variables to Polynomials of 8 Variables
How to Reduce the 8n-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.
The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} := x_j + \tilde{x}_{i,j}$ and $y_{i,j} := y_j + \tilde{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$ x_{i,j} = x_{i_\ell,j} + \tilde{x}_{i,j} - \tilde{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \tilde{y}_{i,j} - \tilde{y}_{i_\ell,j}. \quad (57) $$
Consequently, $f_\ell$ in $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$ \begin{aligned} f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) &= f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \tilde{x}_{i,j} - \tilde{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \tilde{y}_{i,j} - \tilde{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) \\ &= f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \end{aligned} \quad (58) $$
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:
(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \tilde{x}_{i,j} - \tilde{x}_{i_\ell,j},\ y_{i_\ell,j} + \tilde{y}_{i,j} - \tilde{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1, \ldots, c_8)}$ can be extracted by solving the linear system of equations
$$ f_\ell\big((x_{i_\ell,j} + \tilde{x}_{i,j} - \tilde{x}_{i_\ell,j},\ y_{i_\ell,j} + \tilde{y}_{i,j} - \tilde{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (59) $$
The overall time complexity for computing the coefficients $a_{(c_1, \ldots, c_8)}$ is polynomial in $\lambda$.
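The reduction of Section 5.2, worked end to end, as an added example that is not part of the paper: the circuit is treated as a black-box callable over all $8n$ key coordinates, every evaluation point for user $i_\ell$ is expanded to the other users' keys via the shifts of (57), and the coefficients $a_{(c_1, \ldots, c_8)}$ are recovered by solving the linear system (59). The parameters (a prime modulus in place of the DCR modulus so that every nonzero pivot is invertible, $n = 3$, $d = 2$, the shift values and the sample circuit) are constructed here, and all function names are assumptions of this example.

```python
import itertools
import random

# Constructed toy parameters for this example. The paper works modulo the DCR
# modulus N; we use a prime modulus so that Gauss-Jordan elimination never
# meets a non-invertible pivot.
MOD = 1_000_003
N_KEYS = 3      # n: number of users / secret keys
DEGREE = 2      # d: a priori bound on the polynomial degree
VARS = 8        # one secret key is (x_1, y_1, ..., x_4, y_4)


def monomial_exponents(num_vars, degree):
    """All degree tuples (c_1, ..., c_num_vars) with 0 <= c_1 + ... + c_num_vars <= degree:
    the C(num_vars + degree, num_vars) monomials that f' may contain."""
    return [c for c in itertools.product(range(degree + 1), repeat=num_vars)
            if sum(c) <= degree]


def eval_monomial(c, point):
    r = 1
    for exp, v in zip(c, point):
        r = r * pow(v, exp, MOD) % MOD
    return r


def eval_polynomial(coeffs, point):
    """Evaluate a polynomial given as {degree tuple: coefficient} at an 8-variable point."""
    return sum(a * eval_monomial(c, point) for c, a in coeffs.items()) % MOD


def shift_keys(target_key, target, shifts):
    """Equation (57): sk_i = sk_target + (shift_i - shift_target) for every user i."""
    return [[(target_key[j] + shifts[i][j] - shifts[target][j]) % MOD for j in range(VARS)]
            for i in range(len(shifts))]


def solve_mod_prime(A, b, p):
    """Gauss-Jordan elimination over Z_p; returns None if A is singular."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col] % p), None)
        if pivot is None:
            return None
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [v * inv % p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(vr - f * vc) % p for vr, vc in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]


def reduce_polynomial(circuit, target, shifts, degree, seed=0):
    """Reduce the 8n-variable polynomial `circuit` to the 8-variable polynomial f' in the
    target user's key, using only the shifts: evaluate the circuit at random 8-variable
    points (expanded to all n keys via (57)) and solve the linear system (59) for the
    coefficients a_(c_1..c_8). Returns {degree tuple: coefficient} with zeros dropped."""
    rng = random.Random(seed)
    exps = monomial_exponents(VARS, degree)
    while True:  # resample if the evaluation matrix happens to be singular
        points = [[rng.randrange(MOD) for _ in range(VARS)] for _ in exps]
        A = [[eval_monomial(c, pt) for c in exps] for pt in points]
        b = [circuit(shift_keys(pt, target, shifts)) % MOD for pt in points]
        sol = solve_mod_prime(A, b, MOD)
        if sol is not None:
            return {c: a for c, a in zip(exps, sol) if a}


# A constructed "modular arithmetic circuit": a degree-2 polynomial in the 24
# coordinates of three secret keys; keys[i][j] is coordinate j of user i's key.
def sample_circuit(keys):
    return (keys[0][0] * keys[1][1] + 3 * keys[2][5] + 7) % MOD


# Constructed shifts (x~_{i,j}, y~_{i,j}) standing in for the ones chosen in initialize.
SHIFTS = [[(11 * i + 7 * j + 1) % MOD for j in range(VARS)] for i in range(N_KEYS)]

if __name__ == "__main__":
    f_prime = reduce_polynomial(sample_circuit, target=1, shifts=SHIFTS, degree=DEGREE)
    print(sorted(f_prime.items()))
```

With `target=1`, user 0's first coordinate becomes $x_{1,1} - 11$ and user 2's sixth becomes $y_{1,3} + 11$, so the recovered $f'$ is $x_{1,1} y_{1,1} - 11\, y_{1,1} + 3\, y_{1,3} + 40$: four monomials out of the 45 possible for $d = 2$, and none of the 24 original variables remain.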
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,
$$ f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (60) $$
Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 9.
Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games G3-G4, which are related to the building block $\mathcal{E}$. Next we will replace G3-G4 with the following hybrids (i.e., Hybrid 1–Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}$.Encrypt part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, preserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathrm{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is preserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \tilde{x}_{i,j}$ and $y_{i,j} := y_j + \tilde{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.

Hybrid 1. Using $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$ f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (61) $$

Hybrid 2. Implement $\mathcal{E}$.Encrypt using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.
(i) Invoke $\mathcal{E}$.Encrypt to set up table.
(ii) Invoke $\mathcal{E}$.Decrypt to compute $\hat{v}_0, \ldots, \hat{v}_8$ from table.
(iii) Employ $\hat{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Clearly, $\hat{v}_0, \ldots, \hat{v}_8$ computed via $\mathcal{E}$.Decrypt are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}$.Encrypt. Therefore this is just a conceptual change.

Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) table is computed similarly as in $\mathcal{E}$.Encrypt except for a small difference. More precisely, in table the entry located in row 1 and column 1 is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).

[Figure 9, reconstructed from the extracted listing: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$.]

$\mathcal{E}.c \leftarrow_\$ \mathcal{E}.\mathrm{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$:
  For $l \in \{0, 1, \ldots, 8\}$:
    $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$
    $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$
    $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$
  table is the $9 \times 8$ matrix whose row 0 is $(u_{0,1}, u_{0,2}, \ldots, u_{0,8})$ and whose row $l \in [8]$ is $(u_{l,1}, \ldots, u_{l,8})$ with the diagonal entry $u_{l,l}$ replaced by $u_{l,l} \cdot v_{l-1}$, i.e. rows 1, 2 and 8 read $(u_{1,1} \cdot v_0, u_{1,2}, \ldots, u_{1,8})$, $(u_{2,1}, u_{2,2} \cdot v_1, \ldots, u_{2,8})$ and $(u_{8,1}, \ldots, u_{8,7}, u_{8,8} \cdot v_7)$
  $e = v_8 \cdot T^{m} \bmod N^s$, $t = g_1^{m} \bmod N \in \mathbb{Z}_N$
  Output $\mathcal{E}.c = (\text{table}, e, t)$

$m/\perp \leftarrow \mathcal{E}.\mathrm{Decrypt}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.c)$:
  Parse $\mathcal{E}.c = (\text{table}, e, t)$ and parse table as above
  $v_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$
  $v_1 = (u_{1,1}/v_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$
  $v_2 = u_{2,1}^{-x_1} (u_{2,2}/v_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$
  $\cdots$
  $v_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (u_{8,8}/v_7)^{-y_4}$
  If $e/v_8 \in \mathrm{RU}_{N^s}$: $m = \mathrm{dlog}_T(e/v_8) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$, output $m$; otherwise output $\perp$

[Figure 10, reconstructed from the extracted listing: Security proof of $\mathcal{E}$.Encrypt as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The figure shows $\mathcal{E}.c \leftarrow_\$ \mathcal{E}.\mathrm{Encrypt}(f, i \in [n])$ in four columns, Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form). All four sample $r_{l,1}, \ldots, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, $(u_{l,1}, \ldots, u_{l,8})$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$ for $l \in \{0, 1, \ldots, 8\}$ as in Figure 9, set $t = g_1^{f'((x_j, y_j)_{j \in [4]})} \bmod N \in \mathbb{Z}_N$ and output $\mathcal{E}.c = (\text{table}, e, t)$. Hybrids 1 and 2 build table as in Figure 9; Hybrid 3 and its equivalent form replace the entry in row 1 and column 1 by $u_{1,1} T^{a} \cdot v_0$. Hybrid 1 sets $e = v_8 \cdot T^{f'((x_j, y_j)_{j \in [4]})} \bmod N^s$. Hybrids 2 and 3 recompute $\hat{v}_0, \ldots, \hat{v}_8$ from table with $\mathsf{sk}$ exactly as $\mathcal{E}$.Decrypt does, e.g. $\hat{v}_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} u_{8,5}^{-x_3} u_{8,6}^{-y_3} u_{8,7}^{-x_4} (u_{8,8}/\hat{v}_7)^{-y_4} \bmod N^s$, and set $e = \hat{v}_8 \cdot T^{f'((x_j, y_j)_{j \in [4]})} \bmod N^s$. Hybrid 3 (Equivalent Form) sets $e = v_8 \bmod N^s$.]
(ii) Invoke $\mathcal{E}$.Decrypt to compute $\hat{v}_0, \ldots, \hat{v}_8$ from table.
(iii) Compute $e := \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation we have $\hat{v}_0 = v_0$, $\hat{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\hat{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\hat{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) table is computed similarly as in $\mathcal{E}$.Encrypt except for a small difference. More precisely, the entry located in row 1 and column 1 of table is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.

After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle preserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to G7-G8 in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in table are elements of $\mathrm{SCR}_{N^s}$; if this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\text{table}^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, $T^{m}$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\hat{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from $\text{table}^{(\mathbf{c})}$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\text{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
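A runnable rendering of TableGen, CalculateV, $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt of Figure 11, added here as an example and not taken from the paper or any implementation of it. It also exercises the Hybrid 3 modification of Section 5.3: multiplying the first modified table entry by $T^{a}$ makes CalculateV return $v^{(\mathbf{c})} \cdot T^{-a \cdot \text{monomial}}$, which is the "routine calculation" behind the entropy-filter argument. Everything concrete is an assumption of this example: two tiny primes in place of a real DCR modulus, $s = 2$ so that $T = 1 + N$ and $\mathrm{dlog}_T$ is the map $1 + mN \mapsto m$, elements of $\mathrm{SCR}_{N^s}$ sampled as $2N$-th powers, membership in $\mathrm{RU}_{N^s}$ tested as $x \equiv 1 \pmod N$, and all function names.

```python
import math
import random

# Toy DCR-style parameters, constructed for this example (a real instance uses
# large primes; these give no security and only make the arithmetic visible).
P, Q = 10007, 10009
N = P * Q
NS = N ** 2                 # we work in Z_{N^s} with s = 2
T = 1 + N                   # (1+N)^m = 1 + mN mod N^2, so dlog_T is easy
RNG = random.Random(2017)


def rand_scr():
    """Random element of SCR_{N^s}: a 2N-th power of a unit modulo N^2 (assumed sampling)."""
    while True:
        a = RNG.randrange(2, NS)
        if math.gcd(a, N) == 1:
            return pow(a, 2 * N, NS)


def keygen():
    """sk = (x_1, y_1, ..., x_4, y_4), pk = (h_1, ..., h_4), h_j = g_j^{-x_j} g_{j+1}^{-y_j} mod N^s."""
    g = [rand_scr() for _ in range(5)]
    sk = [RNG.randrange(NS // 4) for _ in range(8)]
    pk = [pow(g[j], -sk[2 * j], NS) * pow(g[j + 1], -sk[2 * j + 1], NS) % NS for j in range(4)]
    return g, sk, pk


def column_for_row(c, l):
    """Column (0-based) of row l >= 1 of table^(c) that carries the v_{l-1} factor:
    rows 1..c_1 use column 1, rows c_1+1..c_1+c_2 use column 2, and so on."""
    acc = 0
    for j, cj in enumerate(c):
        acc += cj
        if l <= acc:
            return j
    raise ValueError("row index exceeds sum(c)")


def table_gen(pk, g, c, tweak=1):
    """TableGen of Figure 11(b). `tweak` is 1 in the scheme; Hybrid 3 passes T^a."""
    table, v_prev = [], None
    for l in range(sum(c) + 1):
        r = [RNG.randrange(N // 4) for _ in range(4)]
        u = [pow(g[0], r[0], NS), pow(g[1], r[0], NS), pow(g[1], r[1], NS), pow(g[2], r[1], NS),
             pow(g[2], r[2], NS), pow(g[3], r[2], NS), pow(g[3], r[3], NS), pow(g[4], r[3], NS)]
        v = 1
        for j in range(4):
            v = v * pow(pk[j], r[j], NS) % NS          # v_l = h_1^{r_l1} ... h_4^{r_l4}
        if l >= 1:
            j = column_for_row(c, l)
            u[j] = u[j] * v_prev % NS                   # hide v_{l-1} inside row l
            if l == 1:
                u[j] = u[j] * tweak % NS
        table.append(u)
        v_prev = v
    return table, v_prev                                # title v^(c) = v_{sum c}


def calculate_v(sk, table, c):
    """CalculateV of Figure 11(c): divide out the previous title, raise to -sk_j."""
    v_prev = None
    for l, u in enumerate(table):
        v = 1
        for j in range(8):
            base = u[j]
            if l >= 1 and j == column_for_row(c, l):
                base = base * pow(v_prev, -1, NS) % NS
            v = v * pow(base, -sk[j], NS) % NS
        v_prev = v
    return v_prev


def e_encrypt(pk, g, m, degree_tuples):
    """E.Encrypt of Figure 11(a) for the monomial set S = degree_tuples."""
    tables, prod = {}, 1
    for c in degree_tuples:
        tables[c], v = table_gen(pk, g, c)
        prod = prod * v % NS
    return tables, prod * pow(T, m, NS) % NS, pow(g[0], m, N)


def e_decrypt(sk, g, ct, degree_tuples):
    """E.Decrypt of Figure 11(a); None stands for the paper's reject symbol."""
    tables, e, t = ct
    prod = 1
    for c in degree_tuples:
        prod = prod * calculate_v(sk, tables[c], c) % NS
    x = e * pow(prod, -1, NS) % NS
    if x % N != 1:                   # x must lie in RU_{N^s} = {1 + kN}
        return None
    m = (x - 1) // N % N             # dlog_T(x) mod N^{s-1}
    return m if pow(g[0], m, N) == t else None


def hybrid3_check(sk, pk, g, c, a):
    """With row 1 tweaked by T^a, CalculateV yields v^(c) * T^{-a * monomial_c(sk)}."""
    table, v = table_gen(pk, g, c, tweak=pow(T, a, NS))
    v_hat = calculate_v(sk, table, c)
    mono = 1
    for j in range(8):
        mono = mono * pow(sk[j], c[j], N) % N          # T has order N, so reduce mod N
    return v_hat == v * pow(T, -a * mono, NS) % NS
```

`hybrid3_check` is the point of the construction: the tweak in row 1 is raised to $-\mathsf{sk}_{j}$ when that row is decrypted, the result is divided out of the next modified entry and raised again, and after $\sum_j c_j$ rows the exponent of $T$ has become $-a \prod_j \mathsf{sk}_j^{c_j}$, so the title absorbs exactly the monomial that $\mathcal{E}$.Encrypt would otherwise have to compute from the secret key.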
Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games G3-G4. Next we will replace G3-G4 with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the $\mathcal{E}$.Encrypt part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, preserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathrm{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is preserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \tilde{x}_{i,j}$ and $y_{i,j} := y_j + \tilde{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.

Hybrid 1. Using $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$ f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \quad (62) $$
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.
Hybrid 2. Implement $\mathcal{E}$.Encrypt using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
  (1) invoke $(\text{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathrm{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
  (2) invoke $\hat{v}^{(\mathbf{c})} \leftarrow \mathrm{CalculateV}(\mathsf{sk}_{i_\ell}, \text{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Employ $(\hat{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
24 Security and Communication Networks
Figure 11: (a) $\mathcal{E}.\mathsf{Encrypt}$ (left) and $\mathcal{E}.\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) $\mathsf{TableGen}$, which generates $\mathsf{table}(\mathbf{c})$ together with a title $v(\mathbf{c})$; (c) $\mathsf{CalculateV}$, which calculates a title $v(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ using the secret key. The figure is reproduced below as pseudocode; all arithmetic is modulo $N^s$ unless stated otherwise.

(a) $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$:
  For each $\mathbf{c} = (c_1,\dots,c_8) \in \mathcal{S}$: $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$.
  $e := \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot T^m \bmod N^s$; $t := g_1^m \bmod N \in \mathbb{Z}_N$.
  Output $\mathcal{E}c := ((\mathsf{table}(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}, e, t)$.

$\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}c)$:
  Parse $\mathcal{E}c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}, e, t)$.
  For each $\mathbf{c} = (c_1,\dots,c_8) \in \mathcal{S}$: $v(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
  If $e \cdot (\prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}))^{-1} \in \mathsf{RU}_{N^s}$: $m := \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}))^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$.
  Otherwise output $\perp$.

(b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1,\dots,c_8))$:
  For each $l \in \{0, 1, \dots, \sum_{j=1}^8 c_j\}$:
    $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$;
    $(u_{l,1},\dots,u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$;
    $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$.
  $\mathsf{table}(\mathbf{c})$ has rows $l = 0, 1, \dots, \sum_{j=1}^8 c_j$. Row $0$ is $(u_{0,1}, u_{0,2}, \dots, u_{0,8})$; the remaining rows form consecutive blocks of $c_1, c_2, \dots, c_8$ rows, and in the block belonging to $c_j$ the entry in column $j$ is multiplied by the title of the previous row:
    rows $l = 1, \dots, c_1$: $(u_{l,1}\cdot v_{l-1},\ u_{l,2},\ \dots,\ u_{l,8})$;
    rows $l = c_1+1, \dots, c_1+c_2$: $(u_{l,1},\ u_{l,2}\cdot v_{l-1},\ \dots,\ u_{l,8})$;
    $\cdots$
    rows $l = \sum_{j=1}^7 c_j + 1, \dots, \sum_{j=1}^8 c_j$: $(u_{l,1},\ u_{l,2},\ \dots,\ u_{l,8}\cdot v_{l-1})$.
  Output $(\mathsf{table}(\mathbf{c}),\ v(\mathbf{c}) := v_{\sum_{j=1}^8 c_j})$.

(c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4), \mathsf{table}(\mathbf{c}), \mathbf{c} = (c_1,\dots,c_8))$:
  Parse $\mathsf{table}(\mathbf{c}) = (\tilde u_{l,1}, \tilde u_{l,2}, \dots, \tilde u_{l,8})_{l \in \{0, 1, \dots, \sum_{j=1}^8 c_j\}}$.
  $v_0 := \tilde u_{0,1}^{-x_1} \tilde u_{0,2}^{-y_1} \tilde u_{0,3}^{-x_2} \tilde u_{0,4}^{-y_2} \tilde u_{0,5}^{-x_3} \tilde u_{0,6}^{-y_3} \tilde u_{0,7}^{-x_4} \tilde u_{0,8}^{-y_4}$.
  For each $l \in \{1, \dots, c_1\}$: $v_l := (\tilde u_{l,1}/v_{l-1})^{-x_1}\, \tilde u_{l,2}^{-y_1} \tilde u_{l,3}^{-x_2} \tilde u_{l,4}^{-y_2} \tilde u_{l,5}^{-x_3} \tilde u_{l,6}^{-y_3} \tilde u_{l,7}^{-x_4} \tilde u_{l,8}^{-y_4}$.
  For each $l \in \{c_1+1, \dots, c_1+c_2\}$: $v_l := \tilde u_{l,1}^{-x_1} (\tilde u_{l,2}/v_{l-1})^{-y_1}\, \tilde u_{l,3}^{-x_2} \tilde u_{l,4}^{-y_2} \tilde u_{l,5}^{-x_3} \tilde u_{l,6}^{-y_3} \tilde u_{l,7}^{-x_4} \tilde u_{l,8}^{-y_4}$.
  $\cdots$
  For each $l \in \{\sum_{j=1}^7 c_j + 1, \dots, \sum_{j=1}^8 c_j\}$: $v_l := \tilde u_{l,1}^{-x_1} \tilde u_{l,2}^{-y_1} \tilde u_{l,3}^{-x_2} \tilde u_{l,4}^{-y_2} \tilde u_{l,5}^{-x_3} \tilde u_{l,6}^{-y_3} \tilde u_{l,7}^{-x_4} (\tilde u_{l,8}/v_{l-1})^{-y_4}$.
  Output $v(\mathbf{c}) := v_{\sum_{j=1}^8 c_j}$.
Clearly, for each $\mathbf{c} = (c_1,\dots,c_8) \in \mathcal{S}$, $\hat v(\mathbf{c})$ computed via $\mathsf{CalculateV}$ is the same as $v(\mathbf{c})$ computed via $\mathsf{TableGen}$. Therefore this change is just conceptual.

Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1,\dots,c_8) \in \mathcal{S}$:
 (1) $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row $1$ and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde u_{1,j} = (u_{1,j} T^{a_{(c_1,\dots,c_8)}}) \cdot v_0$ rather than $\tilde u_{1,j} = u_{1,j} \cdot v_0$. By the $\mathsf{IV}_5$ assumption this difference is computationally undetectable.
 (2) Extract $\hat v(\mathbf{c})$ from the (modified) $\mathsf{table}(\mathbf{c})$ by invoking $\hat v(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} \hat v(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j},\, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j},\, y_{i_\ell,j})_{j\in[4]})} \bmod N$.

Through a routine calculation (the $T^{a_{(c_1,\dots,c_8)}}$ factor planted in row $1$ is raised to $-x_{i_\ell,1}$ there and then carried down the table, each row raising it to the exponent of the column it adjusts), for each $\mathbf{c} = (c_1,\dots,c_8) \in \mathcal{S}$ we have
$$\hat v(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1,\dots,c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \tag{63}$$
Hence
$$e = \prod_{\mathbf{c}\in\mathcal{S}} \hat v(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j},\, y_{i_\ell,j})_{j\in[4]})} = \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot \prod_{\mathbf{c}\in\mathcal{S}} T^{-a_{(c_1,\dots,c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j},\, y_{i_\ell,j})_{j\in[4]})} = \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot T^{\delta}, \tag{64}$$
since $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) = \sum_{\mathbf{c}\in\mathcal{S}} a_{(c_1,\dots,c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} \cdots y_{i_\ell,4}^{c_8} + \delta$ and $\delta$ is its constant term.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form).
(i) For each $\mathbf{c} = (c_1,\dots,c_8) \in \mathcal{S}$, $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row $1$ and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde u_{1,j} = (u_{1,j} T^{a_{(c_1,\dots,c_8)}}) \cdot v_0$ rather than $\tilde u_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{\,f'_\ell((x_{i_\ell,j},\, y_{i_\ell,j})_{j\in[4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle preserves the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

With a similar argument as that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
Appendix
A. Proof of Claim 19

We build a PPT adversary $\mathcal{B}$ against the INT-OT security of $\mathsf{AE}$. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathsf{AE}}$ and has one-time access to the oracle $\textsc{encrypt}_{\mathsf{AE}}(\cdot) = \mathsf{AE.Encrypt}(\kappa, \cdot)$.

Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathsf{AIAE}}$ in the same way as in $\mathsf{G}'_{1,j}$. That is, it invokes $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, picks $\mathrm{H} \leftarrow_\$ \mathcal{H}$ randomly, and sets $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathsf{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.

As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all and instead resorts to its own $\textsc{encrypt}_{\mathsf{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, queries its $\textsc{encrypt}_{\mathsf{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\textsc{encrypt}_{\mathsf{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathsf{G}'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $\mathsf{G}'_{1,j}$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows:
(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.

We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ implies that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, the conditions $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ imply that $\chi^* \neq \chi_j$ and $\mathsf{AE.Decrypt}(\kappa, \chi^*) \neq \perp$; that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $\mathsf{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE},\mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3

To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\textsc{chal}_b^{\mathsf{IV}_5}}(N, g_1, \dots, g_5)$ to solve the $\mathsf{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in $\textsc{initialize}$ as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}.\mathsf{Encrypt}$ as follows (the rows are written for the case $c_1 = c_2 = c_3 = 1$, so that row $l$ adjusts column $l$).

(i) For the $0$th row of $\mathsf{table}$, $\mathcal{B}$ computes $(\tilde u_{0,1}, \dots, \tilde u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\textsc{chal}_b^{\mathsf{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
  Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
  Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.
$\mathcal{B}$ sets $\tilde u_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde u_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde u_{1,1} = u_{1,1} T^{a} \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(\tilde u_{1,3}, \dots, \tilde u_{1,8})$ in the 1st row of $\mathsf{table}$ using its public keys and sets the 1st row of $\mathsf{table}$ to be
$$(\tilde u_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ \tilde u_{1,3},\ \dots,\ \tilde u_{1,8}). \tag{B.1}$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, \tilde u_{1,3}, \dots, \tilde u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} \tilde u_{1,3}^{-x_{i_\ell,2}} \cdots \tilde u_{1,8}^{-y_{i_\ell,4}}$, which equals
  Case ($b = 0$): $v^*_1 = v_1$, or
  Case ($b = 1$): $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal{B}$ queries its own $\textsc{chal}_b^{\mathsf{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
  Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
  Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets $\tilde u_{2,2} := u^*_{2,2} \cdot v^*_1$, that is, $\tilde u_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde u_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde u_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(\tilde u_{2,3}, \dots, \tilde u_{2,8})$ in the 2nd row of $\mathsf{table}$ using its public keys and sets the 2nd row of $\mathsf{table}$ to be
$$(u^*_{2,1},\ \tilde u_{2,2} = u^*_{2,2} \cdot v^*_1,\ \tilde u_{2,3},\ \dots,\ \tilde u_{2,8}). \tag{B.2}$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, \tilde u_{2,3}, \dots, \tilde u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} \tilde u_{2,3}^{-x_{i_\ell,2}} \cdots \tilde u_{2,8}^{-y_{i_\ell,4}}$, which equals
  Case ($b = 0$): $v^*_2 = v_2$, or
  Case ($b = 1$): $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal{B}$ queries its own $\textsc{chal}_b^{\mathsf{IV}_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
  Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
  Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets $\tilde u_{3,3} := u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that $\tilde u_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of $\mathsf{table}$ using its public keys and sets the 3rd row of $\mathsf{table}$ to be
$$(\tilde u_{3,1},\ \tilde u_{3,2},\ \tilde u_{3,3} = u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ \tilde u_{3,5},\ \dots,\ \tilde u_{3,8}). \tag{B.3}$$
$\mathcal{B}$ also computes $v^*_3$ from $(\tilde u_{3,1}, \tilde u_{3,2}, u^*_{3,3}, u^*_{3,4}, \tilde u_{3,5}, \dots, \tilde u_{3,8})$ via $v^*_3 := \tilde u_{3,1}^{-x_{i_\ell,1}} \tilde u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} \tilde u_{3,5}^{-x_{i_\ell,3}} \cdots \tilde u_{3,8}^{-y_{i_\ell,4}}$, which equals
  Case ($b = 0$): $v^*_3 = v_3$, or
  Case ($b = 1$): $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ computes $\mathsf{table}$ similarly as above.

(vi) Finally, $\mathcal{B}$ computes $v_0, \dots, v_8$ from $\mathsf{table}$ just as in Hybrids 2 and 3 (also as the original $\mathcal{E}.\mathsf{Decrypt}$ algorithm does) and computes $e := v_8 \cdot T^{f'_\ell((x_{i_\ell,j},\, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j},\, y_{i_\ell,j})_{j\in[4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathsf{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
Figure 6: Construction of $\mathsf{THPS}_{\mathrm{DDH}}$ (reproduced as pseudocode).

$\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$:
  $(p, q, N, \bar N) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar N = 2N + 1$ is a prime.
  $g_1, g_2 \leftarrow_\$ \mathsf{QR}_{\bar N}$.
  Output $\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2)$, which implicitly defines $(\mathcal{C}, \mathcal{V}, \mathcal{HK}, \mathcal{K}, \Lambda_{(\cdot)}, \mathcal{PK}, \mu, \mathcal{T})$:
    $\mathcal{C} = \mathsf{QR}^2_{\bar N} \setminus \{(1, 1)\}$, $\mathcal{V} = \{(g_1^w, g_2^w) : w \in \mathbb{Z}_N \setminus \{0\}\}$, $\mathcal{HK} = (\mathbb{Z}_N)^4$, $\mathcal{K} = \mathsf{QR}_{\bar N}$, $\mathcal{PK} = \mathsf{QR}^2_{\bar N}$, $\mathcal{T} = \mathbb{Z}_N$.
    For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$, $C = (c_1, c_2) \in \mathcal{C}$, $t \in \mathcal{T}$: $\Lambda_{\mathsf{hk}}(C, t) = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t} \in \mathcal{K}$.
    For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$: $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) \in \mathcal{PK}$.

$K \leftarrow \mathsf{THPS.Pub}(\mathsf{pk}, C, w, t)$:
  Parse $\mathsf{pk} = (h_1, h_2) \in \mathcal{PK}$.
  Output $K = h_1^{w} h_2^{wt}$.

$K \leftarrow \mathsf{THPS.Priv}(\mathsf{hk}, C, t)$:
  Parse $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in \mathcal{HK}$ and $C = (c_1, c_2) \in \mathcal{C}$.
  Output $K = c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}$.
$\dots, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathsf{hk}}(C', t')$ conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$.

Denote $d := \mathrm{dlog}_{g_1} g_2 \in \mathbb{Z}_N$. Firstly, $\mathsf{pk} = \mu(\mathsf{hk}) = (g_1^{k_1} g_2^{k_2}, g_1^{k_3} g_2^{k_4}) = (g_1^{k_1 + d k_2}, g_1^{k_3 + d k_4})$, which may leak the values of $k_1 + d k_2$ and $k_3 + d k_4$.

Next,
$$\Lambda_{\mathsf{hk}}(C, t) = (g_1^{w_1})^{k_1 + k_3 t} \cdot (g_2^{w_2})^{k_2 + k_4 t} = g_1^{X}, \quad X \triangleq (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4), \tag{26}$$
which may further leak the value of $X$.

Similarly,
$$\Lambda_{\mathsf{hk}}(C', t') = (g_1^{w'_1})^{k_1 + k_3 t'} \cdot (g_2^{w'_2})^{k_2 + k_4 t'} = g_1^{Y}, \quad Y \triangleq (w'_1 k_1 + w'_2 d k_2) + t' \cdot (w'_1 k_3 + w'_2 d k_4). \tag{27}$$

By the fact that $C' = (g_1^{w'_1}, g_2^{w'_2}) \notin \mathcal{V}$, we have $w'_1 \neq w'_2$. Then, as long as $t \neq t'$, $Y$ is independent of $k_1 + d k_2$, $k_3 + d k_4$ and $X$ (in the coordinates $k_1 + d k_2$, $k_2$, $k_3 + d k_4$, $k_4$ the residual parts of $X$ and $Y$ are $(w_2 - w_1)\, d\, (k_2 + t k_4)$ and $(w'_2 - w'_1)\, d\, (k_2 + t' k_4)$, which are linearly independent exactly when $t \neq t'$), and consequently $Y$ is uniformly distributed over $\mathbb{Z}_N$.

Therefore, conditioned on $\mathsf{pk} = \mu(\mathsf{hk})$ and $\Lambda_{\mathsf{hk}}(C, t)$, $\Lambda_{\mathsf{hk}}(C', t')$ $(= g_1^{Y})$ is randomly distributed over $\mathcal{K} = \mathsf{QR}_{\bar N}$.

Extracting. Suppose that $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$ and $t \in \mathcal{T}$. For $\mathsf{hk} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$, we analyze the distribution of $\Lambda_{\mathsf{hk}}(C, t)$.

By (26), $\Lambda_{\mathsf{hk}}(C, t) = g_1^{X}$ with $X = (w_1 k_1 + w_2 d k_2) + t \cdot (w_1 k_3 + w_2 d k_4)$. Since $C = (g_1^{w_1}, g_2^{w_2}) \in \mathcal{C}$, we have $(w_1, w_2) \neq (0, 0)$. Then, when $(k_1, k_2, k_3, k_4)$ is randomly chosen from $(\mathbb{Z}_N)^4$, $X$ is uniformly distributed over $\mathbb{Z}_N$. Consequently, $\Lambda_{\mathsf{hk}}(C, t)$ is randomly distributed over $\mathcal{K} = \mathsf{QR}_{\bar N}$.

Key-Homomorphism. For all $\mathsf{hk} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$, all $a \in \mathbb{Z}$, all $\mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4$, all $C = (c_1, c_2) \in \mathcal{C}$ and all $t \in \mathcal{T}$, we have $a \cdot \mathsf{hk} + \mathbf{b} = a \cdot (k_1, k_2, k_3, k_4) + (b_1, b_2, b_3, b_4) = (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4)$. Then it follows that
$$\Lambda_{a \cdot \mathsf{hk} + \mathbf{b}}(C, t) = c_1^{(a k_1 + b_1) + (a k_3 + b_3) t} \cdot c_2^{(a k_2 + b_2) + (a k_4 + b_4) t} = \big(c_1^{k_1 + k_3 t} c_2^{k_2 + k_4 t}\big)^{a} \cdot \big(c_1^{b_1 + b_3 t} c_2^{b_2 + b_4 t}\big) = \Lambda_{\mathsf{hk}}(C, t)^{a} \cdot \Lambda_{\mathbf{b}}(C, t). \tag{28}$$

Subset Membership Problem. The subset membership problem related to $\mathsf{THPS}_{\mathrm{DDH}}$ requires that $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C = (g_1^{w}, g_2^{w}))$ is computationally indistinguishable from $(\mathsf{pars}_{\mathsf{THPS}} = (N, p, q, \bar N, g_1, g_2),\ C' = (g_1^{w_1}, g_2^{w_2}))$, where $C \leftarrow_\$ \mathcal{V}$ and $C' \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$. It trivially holds under the DDH assumption for $\mathsf{GenN}$ and $\mathsf{QR}_{\bar N}$.
3.4. Instantiation $\mathsf{AIAE}_{\mathrm{DDH}}$ from DDH-Based $\mathsf{THPS}_{\mathrm{DDH}}$ and OT-Secure AE. When plugging $\mathsf{THPS}_{\mathrm{DDH}}$ (cf. Figure 6) into the paradigm in Figure 5, we immediately obtain an AIAE scheme $\mathsf{AIAE}_{\mathrm{DDH}}$ under the DDH assumption, as shown in Figure 7. The key space is $\mathcal{K}_{\mathsf{AIAE}} = (\mathbb{Z}_N)^4$.

By combining Theorem 15 with Theorem 21, we have the following corollary regarding the RKA security of $\mathsf{AIAE}_{\mathrm{DDH}}$.

Corollary 22. If (i) the DDH assumption holds for $\mathsf{GenN}$ and $\mathsf{QR}_{\bar N}$, (ii) $\mathsf{AE}$ is one-time secure, and (iii) $\mathrm{H}$ is collision-resistant, then the scheme $\mathsf{AIAE}_{\mathrm{DDH}}$ in Figure 7 is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure. Here
$$\mathcal{F}_{\mathrm{raff}} := \big\{ f_{(a, \mathbf{b})} : (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4 \mapsto (a k_1 + b_1, a k_2 + b_2, a k_3 + b_3, a k_4 + b_4) \in (\mathbb{Z}_N)^4 \ \big|\ a \in \mathbb{Z}^*_N,\ \mathbf{b} = (b_1, b_2, b_3, b_4) \in (\mathbb{Z}_N)^4 \big\}.$$

Remark 23. Our $\mathsf{AIAE}_{\mathrm{DDH}}$ enjoys the following property: $\kappa = c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t}$ will be randomly distributed over $\mathsf{QR}_{\bar N}$ as long as any element $k_j$ in $\mathbf{k} = (k_1, k_2, k_3, k_4)$ is uniformly chosen. As a result, the one-time security of $\mathsf{AE}$ will guarantee that $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai}) \neq \perp$ holds for any $(\mathsf{aiaec}, \mathsf{ai})$ only with probability at most $\mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}}(\lambda) \le \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. This fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.

Figure 7: Construction of $\mathsf{AIAE}_{\mathrm{DDH}}$ from $\mathsf{AE}$ and $\mathsf{THPS}_{\mathrm{DDH}}$ (reproduced as pseudocode).

$\mathsf{pars}_{\mathsf{AIAE}} \leftarrow_\$ \mathsf{AIAE.ParGen}(1^\lambda)$:
  $(p, q, N, \bar N) \leftarrow_\$ \mathsf{GenN}(1^\lambda)$, i.e., $p, q$ are safe primes, $N = pq$, and $\bar N = 2N + 1$ is a prime.
  $g_1, g_2 \leftarrow_\$ \mathsf{QR}_{\bar N}$; $\mathsf{pars}_{\mathsf{AE}} \leftarrow_\$ \mathsf{AE.ParGen}(1^\lambda)$; $\mathrm{H} \leftarrow_\$ \mathcal{H}$.
  Output $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathsf{pars}_{\mathsf{AE}}, \mathrm{H})$.

$\mathsf{AIAE.Encrypt}(\mathbf{k}, m, \mathsf{ai})$:
  Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
  $w \leftarrow_\$ \mathbb{Z}_N \setminus \{0\}$; $(c_1, c_2) := (g_1^{w}, g_2^{w}) \in \mathsf{QR}^2_{\bar N}$.
  $t := \mathrm{H}(c_1, c_2, \mathsf{ai}) \in \mathbb{Z}_N$; $\kappa := c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathsf{QR}_{\bar N}$.
  $\chi \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m)$. Output $\langle c_1, c_2, \chi \rangle$.

$\mathsf{AIAE.Decrypt}(\mathbf{k}, \langle c_1, c_2, \chi \rangle, \mathsf{ai})$:
  Parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
  If $(c_1, c_2) \notin \mathsf{QR}^2_{\bar N}$ or $(c_1, c_2) = (1, 1)$: output $\perp$.
  $t := \mathrm{H}(c_1, c_2, \mathsf{ai}) \in \mathbb{Z}_N$; $\kappa := c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathsf{QR}_{\bar N}$.
  Output $\mathsf{AE.Decrypt}(\kappa, \chi)$.
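The constructions of Figures 6 and 7, as an added worked example in Python (this is not code from the paper): a toy $\mathsf{THPS}_{\mathrm{DDH}}$ and $\mathsf{AIAE}_{\mathrm{DDH}}$. It finds small safe primes $p, q$ with $\bar N = 2N+1$ prime by search, uses SHA-256 for $\mathrm{H}$, and stands in for the abstract one-time AE with a SHA-256 keystream plus an HMAC tag; all three choices are assumptions of the example, and the parameters are far too small for any real use. The demo checks that $\mathsf{THPS.Pub}$ and $\mathsf{THPS.Priv}$ agree on $C \in \mathcal{V}$, that the key-homomorphism (28) holds, that AIAE round-trips, and that decryption under a different auxiliary input or under the related key $2\mathbf{k} + (1,1,1,1)$ is rejected.

```python
import hashlib
import hmac
import secrets

# Added example, not the paper's code: a toy instantiation of THPS_DDH (Figure 6) and
# AIAE_DDH (Figure 7). Parameters are found by search and are far too small for real use;
# the one-time AE (SHA-256 keystream plus HMAC tag) stands in for the abstract AE.

def _is_prime(n):
    if n < 2 or (n % 2 == 0 and n != 2):
        return False
    return all(n % i for i in range(3, int(n ** 0.5) + 1, 2))

def gen_n(pp=1000, qq=2000):
    """GenN: safe primes p = 2p'+1, q = 2q'+1 with N = pq and NBAR = 2N+1 prime, found by search."""
    while not (_is_prime(pp) and _is_prime(2 * pp + 1)):
        pp += 1
    p = 2 * pp + 1
    while not (_is_prime(qq) and _is_prime(2 * qq + 1) and _is_prime(2 * p * (2 * qq + 1) + 1)):
        qq += 1
    q = 2 * qq + 1
    return p, q, p * q, 2 * p * q + 1

P, Q, N, NBAR = gen_n()           # QR_NBAR is cyclic of order N = pq, so exponents live in Z_N

def random_qr():
    x = secrets.randbelow(NBAR - 1) + 1
    return x * x % NBAR

def is_qr(x):
    return 0 < x < NBAR and pow(x, N, NBAR) == 1      # Euler's criterion, (NBAR - 1) / 2 = N

def thps_lambda(hk, C, t):
    """Lambda_hk(C, t) = c1^(k1 + k3 t) * c2^(k2 + k4 t)  (Figure 6)."""
    k1, k2, k3, k4 = hk
    c1, c2 = C
    return pow(c1, (k1 + k3 * t) % N, NBAR) * pow(c2, (k2 + k4 * t) % N, NBAR) % NBAR

def thps_mu(pars, hk):
    """Projection pk = mu(hk) = (g1^k1 g2^k2, g1^k3 g2^k4)."""
    g1, g2 = pars
    k1, k2, k3, k4 = hk
    return (pow(g1, k1, NBAR) * pow(g2, k2, NBAR) % NBAR, pow(g1, k3, NBAR) * pow(g2, k4, NBAR) % NBAR)

def thps_pub(pk, w, t):
    """THPS.Pub: K = h1^w h2^(w t) for C = (g1^w, g2^w) in V with witness w."""
    h1, h2 = pk
    return pow(h1, w, NBAR) * pow(h2, w * t % N, NBAR) % NBAR

def key_homomorphism_holds(hk, a, b, C, t):
    """Eq. (28): Lambda_{a hk + b}(C, t) = Lambda_hk(C, t)^a * Lambda_b(C, t)."""
    shifted = tuple((a * k + bj) % N for k, bj in zip(hk, b))
    return thps_lambda(shifted, C, t) == pow(thps_lambda(hk, C, t), a, NBAR) * thps_lambda(b, C, t) % NBAR

def _kdf(kappa, label):
    return hashlib.sha256(label + kappa.to_bytes(8, "big")).digest()

def ae_encrypt(kappa, m):
    assert len(m) <= 32, "toy AE: one keystream block"
    ct = bytes(x ^ y for x, y in zip(m, _kdf(kappa, b"enc")))
    return ct + hmac.new(_kdf(kappa, b"mac"), ct, hashlib.sha256).digest()

def ae_decrypt(kappa, chi):
    ct, tag = chi[:-32], chi[-32:]
    if not hmac.compare_digest(tag, hmac.new(_kdf(kappa, b"mac"), ct, hashlib.sha256).digest()):
        return None
    return bytes(x ^ y for x, y in zip(ct, _kdf(kappa, b"enc")))

def H(c1, c2, ai):
    """Assumed collision-resistant H: (c1, c2, ai) -> t in Z_N (SHA-256 of the encoded triple)."""
    return int.from_bytes(hashlib.sha256(b"%d|%d|" % (c1, c2) + ai).digest(), "big") % N

def aiae_encrypt(pars, k, m, ai):
    g1, g2 = pars
    w = secrets.randbelow(N - 1) + 1                          # w <-$ Z_N \ {0}
    c1, c2 = pow(g1, w, NBAR), pow(g2, w, NBAR)
    return (c1, c2, ae_encrypt(thps_lambda(k, (c1, c2), H(c1, c2, ai)), m))

def aiae_decrypt(k, ct, ai):
    c1, c2, chi = ct
    if not (is_qr(c1) and is_qr(c2)) or (c1, c2) == (1, 1):   # reject (c1, c2) outside C
        return None
    return ae_decrypt(thps_lambda(k, (c1, c2), H(c1, c2, ai)), chi)

def demo():
    pars = (random_qr(), random_qr())                         # g1, g2 <-$ QR_NBAR
    hk = tuple(secrets.randbelow(N) for _ in range(4))
    w, t = secrets.randbelow(N - 1) + 1, secrets.randbelow(N)
    C = (pow(pars[0], w, NBAR), pow(pars[1], w, NBAR))
    k = tuple(secrets.randbelow(N) for _ in range(4))
    ai, m = b"auxiliary input", b"key-dependent payload"
    ct = aiae_encrypt(pars, k, m, ai)
    rk = tuple((2 * kk + 1) % N for kk in k)                  # the related key 2k + (1, 1, 1, 1)
    return {
        "pub_eq_priv": thps_pub(thps_mu(pars, hk), w, t) == thps_lambda(hk, C, t),
        "homomorphic": key_homomorphism_holds(hk, 5, (3, 1, 4, 1), C, t),
        "round_trip": aiae_decrypt(k, ct, ai) == m,
        "wrong_ai_rejected": aiae_decrypt(k, ct, b"other ai") is None,
        "related_key_rejected": aiae_decrypt(rk, ct, ai) is None,
    }
```

The two rejections illustrate why the tag $t = \mathrm{H}(c_1, c_2, \mathsf{ai})$ is folded into the key: changing the auxiliary input changes $\kappa$ even though $(c_1, c_2)$ and $\chi$ are untouched, so the AE tag no longer verifies, and a related key $a\mathbf{k} + \mathbf{b}$ derives a different $\kappa$ for the same ciphertext, which is exactly the behaviour the RKA notions quantify.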
4. PKE with $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA Security

Denote by $\mathsf{AIAE}_{\mathrm{DDH}} = (\mathsf{AIAE.ParGen}, \mathsf{AIAE.Encrypt}, \mathsf{AIAE.Decrypt})$ the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^4$. We need two other building blocks, following the approach in Figure 1:
 KEM: to be compatible with this $\mathsf{AIAE}_{\mathrm{DDH}}$, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.
 $\mathcal{E}$: to support the set $\mathcal{F}_{\mathrm{aff}}$ of affine functions, we have to construct a special public-key encryption $\mathcal{E}$ so that, after a computationally indistinguishable change, $\mathcal{E}.\mathsf{Encrypt}$ can serve as an entropy filter for the affine function set.

The proposed PKE scheme $\mathsf{PKE} = (\mathsf{ParGen}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$ is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.

The correctness of $\mathsf{PKE}$ is guaranteed by the correctness of $\mathsf{AIAE}_{\mathrm{DDH}}$, $\mathcal{E}$ and KEM.

Theorem 24. If (i) the DCR assumption holds for $\mathsf{GenN}$ and $\mathsf{QR}_{N^s}$, (ii) $\mathsf{AIAE}_{\mathrm{DDH}}$ is IND-$\mathcal{F}_{\mathrm{raff}}$-RKA and weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA secure, and (iii) the DL assumption holds for $\mathsf{GenN}$ and $\mathsf{SCR}_{N^s}$, then the proposed scheme $\mathsf{PKE}$ in Figure 8 is $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure.

Proof of Theorem 24. Denote by $\mathcal{A}$ a PPT adversary against the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, querying the $\textsc{encrypt}$ oracle at most $Q_e$ times and the $\textsc{decrypt}$ oracle at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.

In the proof, $\mathsf{G}_1$ and $\mathsf{G}_2$ deal with the $n$-user case; $\mathsf{G}_3$ and $\mathsf{G}_4$ are used to eliminate the use of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^4$ in the $\textsc{encrypt}$ oracle; the aim of $\mathsf{G}_5$ and $\mathsf{G}_6$ is to use $(x_j, y_j)_{j=1}^4 \bmod N$ to hide a base key $\mathbf{k}^* = (k^*_1, \dots, k^*_4)$ of $\mathsf{AIAE}_{\mathrm{DDH}}$ in the $\textsc{encrypt}$ oracle; $\mathsf{G}_7$ and $\mathsf{G}_8$ are used to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the $\textsc{decrypt}$ oracle; in $\mathsf{G}_9$ and $\mathsf{G}_{10}$, the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of $\mathsf{AIAE}_{\mathrm{DDH}}$ leads to the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security, because $\mathbf{k}^* = (k^*_1, \dots, k^*_4)$ is now perfectly concealed by $(x_j, y_j)_{j=1}^4 \bmod N$.

Game $\mathsf{G}_0$. It is the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA game. Denote the event $\beta' = \beta$ by $\mathsf{Succ}$. According to the definition, $\mathsf{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathsf{PKE},\mathcal{A}}(\lambda) = |\Pr_0[\mathsf{Succ}] - 1/2|$.

For the $i$-th user, $i \in [n]$, let $\mathsf{pk}_i = (h_{i,1}, \dots, h_{i,4})$ and $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key, respectively.

Game $\mathsf{G}_1$. It is identical to $\mathsf{G}_0$ except for the way of answering the $\textsc{decrypt}$ query $(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i \in [n])$. More precisely, the challenger outputs $\perp$ if $\langle \mathsf{ai}, \mathsf{aiaec} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$, where $\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ is the challenge ciphertext of the $\ell$-th $\textsc{encrypt}$ oracle query $(f_\ell, i_\ell)$.

Case 1 ($(\langle \mathsf{ai}, \mathsf{aiaec} \rangle, i) = (\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle, i_\ell)$): $\textsc{decrypt}$ will output $\perp$ in $\mathsf{G}_0$, since $(\langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle, i_\ell) \in \mathcal{Q}_{\mathrm{ENC}}$ is prohibited by $\textsc{decrypt}$.

Case 2 ($\langle \mathsf{ai}, \mathsf{aiaec} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ but $i \neq i_\ell$): We show that in $\mathsf{G}_0$, $\textsc{decrypt}$ will output $\perp$ due to $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathsf{RU}_{N^2}$ with overwhelming probability. Recall that $u_{\ell,1} = g_1^{r_\ell}$, $u_{\ell,2} = g_2^{r_\ell}$, $e_{\ell,1} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}}$, so
$$e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell,1}} \cdot (g_1^{r_\ell})^{x_{i,1}} (g_2^{r_\ell})^{y_{i,1}} = \big(h_{i_\ell,1} h_{i,1}^{-1}\big)^{r_\ell}\, T^{k_{\ell,1}} \bmod N^2, \tag{29}$$
where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$-th user and the $i$-th user, respectively, and are uniformly random over $\mathsf{SCR}_{N^s}$.
Figure 8: Construction of $\mathsf{PKE}$ from $\mathsf{AIAE}_{\mathrm{DDH}}$. The shadowed parts highlight the algorithms of KEM and $\mathcal{E}$. Here $p, q$ in $\mathsf{pars}_{\mathsf{AIAE}}$ are not provided in $\mathsf{pars}'_{\mathsf{AIAE}}$ since they are not used in $\mathsf{AIAE.Encrypt}$ and $\mathsf{AIAE.Decrypt}$ of $\mathsf{AIAE}_{\mathrm{DDH}}$. The figure is reproduced below as pseudocode.

$\mathsf{pars} \leftarrow_\$ \mathsf{ParGen}(1^\lambda)$:
  $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \bar N, g_1, g_2, \mathsf{pars}_{\mathsf{AE}}, \mathrm{H}) \leftarrow_\$ \mathsf{AIAE.ParGen}(1^\lambda)$, where $N = pq$, $\bar N = 2N + 1$, and $g_1, g_2 \in \mathsf{QR}_{\bar N}$.
  $\mathsf{pars}'_{\mathsf{AIAE}} := (N, \bar N, g_1, g_2, \mathsf{pars}_{\mathsf{AE}}, \mathrm{H})$.
  $g_1, g_2, g_3, g_4, g_5 \leftarrow_\$ \mathsf{SCR}_{N^s}$ (the generators used by KEM and $\mathcal{E}$ below; these live in $\mathsf{SCR}_{N^s}$ and are not the $g_1, g_2 \in \mathsf{QR}_{\bar N}$ of $\mathsf{pars}'_{\mathsf{AIAE}}$).
  Output $\mathsf{pars} = (\mathsf{pars}'_{\mathsf{AIAE}}, g_1, g_2, g_3, g_4, g_5)$.

$(\mathsf{pk}, \mathsf{sk}) \leftarrow_\$ \mathsf{KeyGen}(\mathsf{pars})$:
  $x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4 \leftarrow_\$ [\lfloor N^2/4 \rfloor]$.
  $(h_1, h_2, h_3, h_4) := (g_1^{-x_1} g_2^{-y_1},\ g_2^{-x_2} g_3^{-y_2},\ g_3^{-x_3} g_4^{-y_3},\ g_4^{-x_4} g_5^{-y_4}) \bmod N^s$.
  $\mathsf{pk} := (h_1, h_2, h_3, h_4)$, $\mathsf{sk} := (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4)$. Output $(\mathsf{pk}, \mathsf{sk})$.

$\langle \mathsf{ai}, \mathsf{aiaec} \rangle \leftarrow_\$ \mathsf{Encrypt}(\mathsf{pk}, m)$, where $m \in [N^{s-1}]$:
  $(\mathbf{k}, \mathsf{ai}) \leftarrow_\$ \mathsf{KEM.Encrypt}(\mathsf{pk})$; $\mathcal{E}c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$; $\mathsf{aiaec} \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}, \mathcal{E}c, \mathsf{ai})$.
  Output $\langle \mathsf{ai}, \mathsf{aiaec} \rangle$.

$m/\perp \leftarrow \mathsf{Decrypt}(\mathsf{sk}, \langle \mathsf{ai}, \mathsf{aiaec} \rangle)$:
  $\mathbf{k}/\perp \leftarrow \mathsf{KEM.Decrypt}(\mathsf{sk}, \mathsf{ai})$; $\mathcal{E}c/\perp \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiaec}, \mathsf{ai})$; $m/\perp \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}c)$.

$(\mathbf{k}, \mathsf{ai}) \leftarrow_\$ \mathsf{KEM.Encrypt}(\mathsf{pk})$:
  $r \leftarrow_\$ [\lfloor N/4 \rfloor]$; $\mathbf{k} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$.
  $(u_1, u_2, u_3, u_4, u_5) := (g_1^{r}, g_2^{r}, g_3^{r}, g_4^{r}, g_5^{r}) \bmod N^2$.
  $(e_1, e_2, e_3, e_4) := (h_1^{r} T^{k_1}, h_2^{r} T^{k_2}, h_3^{r} T^{k_3}, h_4^{r} T^{k_4}) \bmod N^2$.
  $\mathsf{ai} := (u_1, \dots, u_5, e_1, \dots, e_4)$. Output $(\mathbf{k}, \mathsf{ai})$.

$\mathbf{k}/\perp \leftarrow \mathsf{KEM.Decrypt}(\mathsf{sk}, \mathsf{ai})$:
  Parse $\mathsf{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$.
  If $e_1 u_1^{x_1} u_2^{y_1},\ e_2 u_2^{x_2} u_3^{y_2},\ e_3 u_3^{x_3} u_4^{y_3},\ e_4 u_4^{x_4} u_5^{y_4} \in \mathsf{RU}_{N^2}$:
    $\mathbf{k} = (k_1, k_2, k_3, k_4) := \big(\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}),\ \mathrm{dlog}_T(e_2 u_2^{x_2} u_3^{y_2}),\ \mathrm{dlog}_T(e_3 u_3^{x_3} u_4^{y_3}),\ \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})\big) \bmod N$. Output $\mathbf{k}$.
  Else output $\perp$.

$\mathcal{E}c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$:
  $r_1, r_2, r_3, r_4 \leftarrow_\$ [\lfloor N/4 \rfloor]$.
  $(\tilde u_1, \dots, \tilde u_8) := (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$.
  $e := h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^{m} \bmod N^s$; $t := g_1^{m} \bmod N \in \mathbb{Z}_N$.
  Output $\mathcal{E}c := (\tilde u_1, \dots, \tilde u_8, e, t)$.

$m/\perp \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}c)$:
  Parse $\mathcal{E}c = (\tilde u_1, \dots, \tilde u_8, e, t)$.
  If $e\, \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4} \in \mathsf{RU}_{N^s}$:
    $m := \mathrm{dlog}_T\big(e\, \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4}\big) \bmod N^{s-1}$. If $t = g_1^{m} \bmod N$, output $m$.
  Else output $\perp$.
So $h_{i_\ell,1} h_{i,1}^{-1} \neq 1$, and hence $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathsf{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus $\mathsf{G}_0$ and $\mathsf{G}_1$ are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$, by the union bound, and $|\Pr_0[\mathsf{Succ}] - \Pr_1[\mathsf{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Game $\mathsf{G}_2$. It is identical to $\mathsf{G}_1$ except for the way the challenger samples the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game $\mathsf{G}_2$, the challenger first chooses $(x_1, y_1, \dots, x_4, y_4)$ and $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$ (the per-user parts are written with a bar here); next it computes $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) := (x_1, y_1, \dots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.

Obviously, the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence $\mathsf{G}_2$ is identical to $\mathsf{G}_1$ and $\Pr_1[\mathsf{Succ}] = \Pr_2[\mathsf{Succ}]$.

Game $\mathsf{G}_3$. It is identical to $\mathsf{G}_2$ except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) $\textsc{encrypt}$ query $(f_\ell, i_\ell)$. In game $\mathsf{G}_3$, instead of using the public key $\mathsf{pk}_{i_\ell} = (h_{i_\ell,1}, \dots, h_{i_\ell,4})$, the challenger uses the secret key $\mathsf{sk}_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \dots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell,1}, \dots, e_{\ell,4})$ and $e_\ell$ in the following way:
(i)
$$(e_{\ell,1}, \dots, e_{\ell,4}) := \big(u_{\ell,1}^{-x_{i_\ell,1}} u_{\ell,2}^{-y_{i_\ell,1}} T^{k_{\ell,1}},\ \dots,\ u_{\ell,4}^{-x_{i_\ell,4}} u_{\ell,5}^{-y_{i_\ell,4}} T^{k_{\ell,4}}\big) \bmod N^2, \tag{30}$$
(ii)
$$e_\ell := \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \tilde u_{\ell,3}^{-x_{i_\ell,2}} \tilde u_{\ell,4}^{-y_{i_\ell,2}} \tilde u_{\ell,5}^{-x_{i_\ell,3}} \tilde u_{\ell,6}^{-y_{i_\ell,3}} \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_\beta} \bmod N^s. \tag{31}$$

Note that for $j \in [4]$,
$$e_{\ell,j} \overset{\mathsf{G}_2}{=} h_{i_\ell,j}^{r_\ell} T^{k_{\ell,j}} = \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_\ell} T^{k_{\ell,j}} \overset{\mathsf{G}_3}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} \bmod N^2$$
Security and Communication Networks 15
Table 2: Brief description of the security proof of Theorem 24.

Game | Changes between adjacent games | Assumptions
$G_0$ | The original $n$-KDM-CCA security game. | —
$G_1$ | decrypt: reject if $\langle \mathrm{ai}, \mathrm{aiae.c} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiae.c}_\ell \rangle$ for some $\ell \in [Q_e]$. | $G_0 \approx_s G_1$
$G_2$ | initialize: sample secret keys with $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) = (x_1, y_1, \ldots, x_4, y_4) + (\tilde{x}_{i,1}, \tilde{y}_{i,1}, \ldots, \tilde{x}_{i,4}, \tilde{y}_{i,4})$. | $G_1 = G_2$
$G_3$ | encrypt$(f_\ell, i_\ell)$: use the secret keys to run KEM.Encrypt and E.Encrypt. | $G_2 = G_3$
$G_4$ | encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of the secret keys, E.c is computed with $(\tilde{u}_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \ldots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \ldots, g_5^{r_{\ell,4}})$; encrypt does not use $(x_j, y_j)_{j=1}^4 \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen. | $G_3 \approx_c G_4$ by IV$_5$
$G_5$ | encrypt$(f_\ell, i_\ell)$: kem.ct ($=$ ai) of KEM.Encrypt is computed with $(u_{\ell,j})_{j \in [5]} = ((g_j^{r^*} T^{\alpha_j})^{r_\ell})_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now KEM.Encrypt encapsulates the four keys $(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}))_{j=1}^4 \bmod N$, but $(k_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | $G_4 \approx_c G_5$ by IV$_5$
$G_6$ | encrypt$(f_\ell, i_\ell)$: sample $k_{\ell,j} := r_\ell k^*_j + s_{\ell,j}$ for $j \in [4]$. Now KEM.Encrypt encapsulates the four keys $(r_\ell (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell (\alpha_j \tilde{x}_{i,j} + \alpha_{j+1} \tilde{y}_{i,j}) + s_{\ell,j})_{j=1}^4$, but $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | $G_5 = G_6$
$G_7$ | decrypt: use $\varphi(N)$ and the secret keys to answer decryption queries. | $G_6 = G_7$
$G_8$ | decrypt: add an additional rejection rule. Reject if $\mathrm{Bad}' = (\exists\, u_j \notin \mathrm{SCR}_{N^2})$ or $\widetilde{\mathrm{Bad}} = (\forall\, u_j \in \mathrm{SCR}_{N^2}) \wedge (\exists\, \tilde{u}_j \notin \mathrm{SCR}_{N^s})$ happens. $\mathrm{Bad}'$ and $\widetilde{\mathrm{Bad}}$ can be detected by using $\varphi(N)$. Now only the $(\bmod\ \varphi(N)/4)$ part of the secret keys and $\varphi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^4 \bmod N$ perfectly hides $(k^*_1, \ldots, k^*_4)$ in encrypt; thus $(k^*_1, \ldots, k^*_4)$ is uniform, and $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. $\mathrm{Bad}'$ may lead to a fresh successful forgery for AIAE_DDH. | $G_7 = G_8$ if neither $\mathrm{Bad}'$ nor $\widetilde{\mathrm{Bad}}$ happens; $\Pr[\mathrm{Bad}'] = \mathrm{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of AIAE_DDH
$G_9$ | initialize: sample an independent random tuple $(\tilde{k}^*_1, \ldots, \tilde{k}^*_4)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell \tilde{k}^*_j + s_{\ell,j})_{j=1}^4$ in AIAE.Encrypt. | $G_8 = G_9$ to the adversary
$G_{10}$ | encrypt: encrypt zeros instead of the affine function of the secret keys. $\widetilde{\mathrm{Bad}}$ happens with negligible probability since $t = g_1^{m} \bmod N$ is checked in decrypt. Adversary $\mathcal{A}$ wins with probability $1/2$. | $G_9 \approx_c G_{10}$ by the IND-$\mathcal{F}_{\mathrm{aff}}$-RKA security of AIAE_DDH; $\Pr[\widetilde{\mathrm{Bad}}] = \mathrm{negl}$
$$e_\ell \overset{G_2}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}}\, T^{m_\beta} = \big(g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}}\big)^{r_{\ell,1}} \cdots \big(g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}}\big)^{r_{\ell,4}}\, T^{m_\beta} \overset{G_3}{=} \tilde{u}_{\ell,1}^{-x_{i_\ell,1}}\, \tilde{u}_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde{u}_{\ell,7}^{-x_{i_\ell,4}}\, \tilde{u}_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_\beta} \bmod N^s \quad (32)$$

Thus $G_3$ is the same as $G_2$, and $\Pr_2[\mathrm{Succ}] = \Pr_3[\mathrm{Succ}]$.

Game $G_4$. It is identical to $G_3$ except for the way the challenger responds to the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game $G_4$, in the case of $\beta = 1$, $(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8})$ and $e_\ell$ are computed without the use of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$:

(i)
$$(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8}) := \big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\big) \bmod N^s \quad (33)$$

(ii)
$$e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}}\, T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \bmod N^s \quad (34)$$

where $f_\ell = (\{a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$. Note that
$$\begin{aligned}
e_\ell &\overset{G_4}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \\
&= \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \\
&= \prod_{j=1}^4 \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^n \sum_{j=1}^4 (a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j})} \\
&= \prod_{j=1}^4 \big(g_j^{r_{\ell,j}} T^{\sum_{i=1}^n a_{i,j}}\big)^{-x_{i_\ell,j}} \big(g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^n b_{i,j}}\big)^{-y_{i_\ell,j}} \cdot T^{m_1} \\
&= \tilde{u}_{\ell,1}^{-x_{i_\ell,1}}\, \tilde{u}_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde{u}_{\ell,7}^{-x_{i_\ell,4}}\, \tilde{u}_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_1} \bmod N^s
\end{aligned} \quad (35)$$

where the third equality follows from $m_1 = \sum_{i=1}^n (a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}) + c$.
We analyze the difference between $G_3$ and $G_4$ via the following lemma.

Lemma 25. One has $|\Pr_3[\mathrm{Succ}] - \Pr_4[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8})$ is the same in $G_3$ and $G_4$. Therefore the only divergence between $G_3$ and $G_4$ lies in $(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8})$.

We show that any difference between $G_3$ and $G_4$ results in a PPT adversary $\mathcal{B}_1$ solving the IV$_5$ problem. $\mathcal{B}_1$ is provided with $(N, g_1, \ldots, g_5)$ and has access to its $\mathrm{chal}^b_{\mathrm{IV5}}$ oracle. $\mathcal{B}_1$ simulates game $G_3$ or game $G_4$ for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares pars and generates $(\mathrm{pk}_i, \mathrm{sk}_i)$, $i \in [n]$, as in $G_3$ and $G_4$. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = (\{a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathrm{chal}^b_{\mathrm{IV5}}$ oracle with $(\sum_{i=1}^n a_{i,1}, \sum_{i=1}^n b_{i,1}, *, *, *)$, $(*, \sum_{i=1}^n a_{i,2}, \sum_{i=1}^n b_{i,2}, *, *)$, $(*, *, \sum_{i=1}^n a_{i,3}, \sum_{i=1}^n b_{i,3}, *)$, $(*, *, *, \sum_{i=1}^n a_{i,4}, \sum_{i=1}^n b_{i,4})$, where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde{u}_{\ell,1}, \tilde{u}_{\ell,2}, *, *, *)$, $(*, \tilde{u}_{\ell,3}, \tilde{u}_{\ell,4}, *, *)$, $(*, *, \tilde{u}_{\ell,5}, \tilde{u}_{\ell,6}, *)$, $(*, *, *, \tilde{u}_{\ell,7}, \tilde{u}_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathrm{chal}^b_{\mathrm{IV5}}$ oracle, $(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}})$.

Case 2 ($b = 1$): $(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}})$.

Next $\mathcal{B}_1$ uses the obtained $(\tilde{u}_{\ell,1}, \ldots, \tilde{u}_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$ since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event Succ occurs.

In Case 1, $\mathcal{B}_1$ simulates game $G_3$ perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game $G_4$ perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathrm{Succ}]$ and $\Pr_4[\mathrm{Succ}]$ results in $\mathcal{B}_1$'s advantage over the IV$_5$ problem. Thus Lemma 25 follows.
Game $G_5$. It is identical to $G_4$ except for the following differences. In the initialize procedure of game $G_5$, the challenger picks $r^* \leftarrow_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \ldots, \alpha_5 \leftarrow_\$ \mathbb{Z}_N$ randomly. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \ldots, u_{\ell,5})$ as follows:

(i) $(u_{\ell,1}, \ldots, u_{\ell,5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$.

The only difference between $G_4$ and $G_5$ is the distribution of $(u_{\ell,1}, \ldots, u_{\ell,5})$. In game $G_4$, $(u_{\ell,1}, \ldots, u_{\ell,5}) = (g_1^{r_\ell}, \ldots, g_5^{r_\ell}) \bmod N^2$, while in game $G_5$, $(u_{\ell,1}, \ldots, u_{\ell,5}) = ((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}) \bmod N^2$. Just like Lemma 25, any difference between $G_4$ and $G_5$ results in a PPT adversary solving the IV$_5$ problem by invoking $\mathcal{A}$. Therefore $|\Pr_4[\mathrm{Succ}] - \Pr_5[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Game $G_6$. It is identical to $G_5$ except for the following differences. In the initialize procedure of game $G_6$, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \ldots, e_{\ell,4})$ in a different way:

(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_\$ (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \ldots, r_\ell k^*_4 + s_{\ell,4})$.

(ii)
$$(e_{\ell,1}, \ldots, e_{\ell,4}) := \big(h_{i_\ell,1}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}},\ \ldots,\ h_{i_\ell,4}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\big) \quad (36)$$

Clearly $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game $G_5$. In the meantime, for $j \in [4]$ we have
$$\begin{aligned}
e_{\ell,j} &\overset{G_5}{=} u_{\ell,j}^{-x_{i_\ell,j}}\, u_{\ell,j+1}^{-y_{i_\ell,j}}\, T^{k_{\ell,j}} \\
&= \big(g_j^{r^*} T^{\alpha_j}\big)^{-r_\ell \cdot x_{i_\ell,j}} \big(g_{j+1}^{r^*} T^{\alpha_{j+1}}\big)^{-r_\ell \cdot y_{i_\ell,j}}\, T^{k_{\ell,j}} \\
&= \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r^* r_\ell}\, T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \\
&\overset{G_6}{=} h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2
\end{aligned} \quad (37)$$

Thus $G_6$ is the same as $G_5$, and $\Pr_5[\mathrm{Succ}] = \Pr_6[\mathrm{Succ}]$.

Game $G_7$. It is identical to $G_6$ except for the way the challenger answers the decrypt oracle queries $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$. In game $G_7$, it uses $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\varphi(N) = (p-1)(q-1)$ to decrypt $\langle \mathrm{ai}, \mathrm{aiae.c} \rangle$, where $\mathrm{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \ldots, k_4)$ and $m$ in the following way:
(i)
$$\begin{aligned}
(\alpha'_1, \ldots, \alpha'_5) &:= \Big(\frac{\mathrm{dlog}_T(u_1^{\varphi(N)})}{\varphi(N)}, \ldots, \frac{\mathrm{dlog}_T(u_5^{\varphi(N)})}{\varphi(N)}\Big) \bmod N, \\
(\gamma'_1, \ldots, \gamma'_4) &:= \Big(\frac{\mathrm{dlog}_T(e_1^{\varphi(N)})}{\varphi(N)}, \ldots, \frac{\mathrm{dlog}_T(e_4^{\varphi(N)})}{\varphi(N)}\Big) \bmod N, \\
\mathbf{k} = (k_1, \ldots, k_4) &:= \big(\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1,\ \ldots,\ \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4\big) \bmod N
\end{aligned} \quad (38)$$

(ii)
$$\mathrm{E.c} = (\tilde{u}_1, \ldots, \tilde{u}_8, e, t)\ /\ \bot \leftarrow \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \quad (39)$$

(iii)
$$\begin{aligned}
(\tilde{\alpha}_1, \ldots, \tilde{\alpha}_8) &:= \Big(\frac{\mathrm{dlog}_T(\tilde{u}_1^{\varphi(N)})}{\varphi(N)}, \ldots, \frac{\mathrm{dlog}_T(\tilde{u}_8^{\varphi(N)})}{\varphi(N)}\Big) \bmod N^{s-1}, \\
\gamma &:= \frac{\mathrm{dlog}_T(e^{\varphi(N)})}{\varphi(N)} \bmod N^{s-1}, \\
m &:= \tilde{\alpha}_1 x_{i,1} + \tilde{\alpha}_2 y_{i,1} + \tilde{\alpha}_3 x_{i,2} + \tilde{\alpha}_4 y_{i,2} + \tilde{\alpha}_5 x_{i,3} + \tilde{\alpha}_6 y_{i,3} + \tilde{\al<br>pha}_7 x_{i,4} + \tilde{\alpha}_8 y_{i,4} + \gamma \bmod N^{s-1}
\end{aligned} \quad (40)$$
According to (8), for $j \in [4]$ we have that
$$\begin{aligned}
k_j &\overset{G_6}{=} \mathrm{dlog}_T\big(e_j\, u_j^{x_{i,j}}\, u_{j+1}^{y_{i,j}}\big) = \frac{\mathrm{dlog}_T\big((e_j\, u_j^{x_{i,j}}\, u_{j+1}^{y_{i,j}})^{\varphi(N)}\big)}{\varphi(N)} \bmod N \\
&= \frac{\mathrm{dlog}_T(u_j^{\varphi(N) \cdot x_{i,j}})}{\varphi(N)} + \frac{\mathrm{dlog}_T(u_{j+1}^{\varphi(N) \cdot y_{i,j}})}{\varphi(N)} + \frac{\mathrm{dlog}_T(e_j^{\varphi(N)})}{\varphi(N)} \\
&\overset{G_7}{=} \underbrace{\frac{\mathrm{dlog}_T(u_j^{\varphi(N)})}{\varphi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(u_{j+1}^{\varphi(N)})}{\varphi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(e_j^{\varphi(N)})}{\varphi(N)}}_{\gamma'_j}, \\
m &\overset{G_6}{=} \mathrm{dlog}_T\big(e\, \tilde{u}_1^{x_{i,1}}\, \tilde{u}_2^{y_{i,1}}\, \tilde{u}_3^{x_{i,2}}\, \tilde{u}_4^{y_{i,2}}\, \tilde{u}_5^{x_{i,3}}\, \tilde{u}_6^{y_{i,3}}\, \tilde{u}_7^{x_{i,4}}\, \tilde{u}_8^{y_{i,4}}\big) \bmod N^{s-1} \\
&\overset{G_7}{=} \underbrace{\frac{\mathrm{dlog}_T(\tilde{u}_1^{\varphi(N)})}{\varphi(N)}}_{\tilde{\alpha}_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T(\tilde{u}_8^{\varphi(N)})}{\varphi(N)}}_{\tilde{\alpha}_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T(e^{\varphi(N)})}{\varphi(N)}}_{\gamma}
\end{aligned} \quad (41)$$

Hence $G_7$ is essentially the same as $G_6$, and $\Pr_6[\mathrm{Succ}] = \Pr_7[\mathrm{Succ}]$.

Game $G_8$. It is identical to $G_7$ except for the way of answering the decrypt oracle queries $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:

(i) If $\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or $\tilde{\alpha}_1 \neq 0$ or $\cdots$ or $\tilde{\alpha}_8 \neq 0$, output $\bot$.

Denote by Bad the event that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$e_1\, u_1^{x_{i,1}}\, u_2^{y_{i,1}},\ \ldots,\ e_4\, u_4^{x_{i,4}}\, u_5^{y_{i,4}} \in \mathrm{RU}_{N^2} \quad \text{and} \quad \mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \neq \bot \quad (42)$$
$$\text{and} \quad e\, \tilde{u}_1^{x_{i,1}}\, \tilde{u}_2^{y_{i,1}}\, \tilde{u}_3^{x_{i,2}}\, \tilde{u}_4^{y_{i,2}}\, \tilde{u}_5^{x_{i,3}}\, \tilde{u}_6^{y_{i,3}}\, \tilde{u}_7^{x_{i,4}}\, \tilde{u}_8^{y_{i,4}} \in \mathrm{RU}_{N^s} \quad \text{and} \quad t = g_1^{m} \bmod N \quad (43)$$
$$\text{and} \quad (\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0 \ \text{or} \ \tilde{\alpha}_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \tilde{\alpha}_8 \neq 0) \quad (44)$$
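As an added illustration, not code from the paper, the following Python carries out the $\varphi(N)$-trapdoor decapsulation of game $G_7$ in (38) and the rejection rule (i) of $G_8$ for $s = 2$: the $T$-component of any $u \in \mathbb{Z}_{N^2}^*$ is recovered as $\alpha' = \mathrm{dlog}_T(u^{\varphi(N)})/\varphi(N) \bmod N$, and the resulting key agrees with the direct $\mathrm{dlog}_T$ of $G_6$ in (41), for honest ciphertexts as well as for ones whose $u_j$ carry a nonzero $T$-part (which $G_8$ then rejects). The primes, group elements and keys are toy-sized values constructed here.

```python
# Added example, not code from the paper: the phi(N)-trapdoor decapsulation of
# game G7 (eq. (38)) and rejection rule (i) of game G8, for s = 2, i.e.
# arithmetic in Z_{N^2}^* with T = 1 + N. The g_j are squares of N-th residues,
# so g_j^{phi(N)} = 1 mod N^2 and u^{phi(N)} lies in <T> for every u.
# All parameters are toy-sized constructed values; they are not secure.
import math
import random

P, Q = 1009, 1013            # constructed toy primes (real parameters: safe primes of ~1024 bits)
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)      # phi(N) = (p-1)(q-1), the trapdoor used by decrypt in G7
T = 1 + N


def dlog_T(x):
    """dlog base T of x in <T>: T^m = 1 + m*N mod N^2, so m = (x-1)/N mod N.
    Returns None if x is not in <T>, i.e. if x != 1 mod N."""
    x %= N2
    if (x - 1) % N:
        return None
    return ((x - 1) // N) % N


def t_component(u):
    """alpha' = dlog_T(u^phi(N)) / phi(N) mod N (eq. (38)): for u = g^r T^alpha
    with g an N-th residue, u^phi(N) = T^{alpha*phi(N)}, so this returns alpha mod N."""
    m = dlog_T(pow(u, PHI, N2))
    return (m * pow(PHI, -1, N)) % N


def keygen(rng):
    """g_1..g_5 in SCR_{N^2}, sk = (x_j, y_j)_{j in [4]}, pk h_j = g_j^{-x_j} g_{j+1}^{-y_j}."""
    g = []
    while len(g) < 5:
        a = rng.randrange(2, N2)
        if math.gcd(a, N) == 1:
            g.append(pow(a, 2 * N, N2))
    x = [rng.randrange(N2 // 4) for _ in range(4)]
    y = [rng.randrange(N2 // 4) for _ in range(4)]
    h = [pow(g[j], -x[j], N2) * pow(g[j + 1], -y[j], N2) % N2 for j in range(4)]
    return g, h, (x, y)


def encaps(g, h, k, r, alpha=(0, 0, 0, 0, 0)):
    """ai = (u_1..u_5, e_1..e_4) with u_j = g_j^r T^{alpha_j} and e_j = h_j^r T^{k_j}.
    An honest KEM ciphertext has alpha = 0; nonzero alpha models u_j not in SCR_{N^2}."""
    u = [pow(g[j], r, N2) * pow(T, alpha[j], N2) % N2 for j in range(5)]
    e = [pow(h[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return u, e


def decaps_g6(sk, ai):
    """Game G6: k_j = dlog_T(e_j u_j^{x_j} u_{j+1}^{y_j}); the product is in <T>
    whenever ai was built from a single r, since the g-parts cancel."""
    x, y = sk
    u, e = ai
    return [dlog_T(e[j] * pow(u[j], x[j], N2) * pow(u[j + 1], y[j], N2)) for j in range(4)]


def decaps_g7(sk, ai):
    """Game G7, eq. (38): alpha'_j from u_j, gamma'_j from e_j, then
    k_j = alpha'_j x_j + alpha'_{j+1} y_j + gamma'_j mod N. Returns (alpha', k)."""
    x, y = sk
    u, e = ai
    alpha = [t_component(uj) for uj in u]
    gamma = [t_component(ej) for ej in e]
    k = [(alpha[j] * x[j] + alpha[j + 1] * y[j] + gamma[j]) % N for j in range(4)]
    return alpha, k


def decaps_g8(sk, ai):
    """Game G8, rule (i): output None (= bottom) if some alpha'_j != 0, i.e. some u_j
    is not in SCR_{N^2}; otherwise return the key exactly as G7 would."""
    alpha, k = decaps_g7(sk, ai)
    return None if any(alpha) else k


def demo(seed=1):
    """Runs an honest and a malformed ciphertext through G6/G7/G8 and returns
    (honest accepted by G8, G6 = G7 on honest, alpha recovered, G6 = G7 on the
    malformed ciphertext as in eq. (41), malformed rejected by G8)."""
    rng = random.Random(seed)
    g, h, sk = keygen(rng)
    k = [rng.randrange(N) for _ in range(4)]
    honest = encaps(g, h, k, rng.randrange(1, N // 4))
    alpha = tuple(rng.randrange(1, N) for _ in range(5))
    bad = encaps(g, h, k, rng.randrange(1, N // 4), alpha)
    a7, k7 = decaps_g7(sk, bad)
    return (
        decaps_g8(sk, honest) == k,
        decaps_g6(sk, honest) == decaps_g7(sk, honest)[1] == k,
        a7 == list(alpha),
        decaps_g6(sk, bad) == k7,
        decaps_g8(sk, bad) is None,
    )


if __name__ == "__main__":
    print(demo())  # (True, True, True, True, True)
```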
Obviously $G_8$ is identical to $G_7$ unless Bad occurs. Thus $|\Pr_7[\mathrm{Succ}] - \Pr_8[\mathrm{Succ}]| \le \Pr_8[\mathrm{Bad}]$.

To show the computational indistinguishability of $G_7$ and $G_8$, we must prove that $\Pr_8[\mathrm{Bad}]$ is negligible. To this end, Bad is divided into two subevents:

(i) $\mathrm{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0). \quad (45)$$

(ii) $\widetilde{\mathrm{Bad}}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \ \text{and} \ (\tilde{\alpha}_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \tilde{\alpha}_8 \neq 0). \quad (46)$$

Obviously $\Pr_8[\mathrm{Bad}] \le \Pr_8[\mathrm{Bad}'] + \Pr_8[\widetilde{\mathrm{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathrm{Bad}}]$ to subsequent games. Through the following lemma we provide the analysis of $\Pr_8[\mathrm{Bad}']$.

Lemma 26. One has $\Pr_8[\mathrm{Bad}'] \le 2 Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE_{DDH}}}(\lambda)$.
Proof. In decrypt of game $G_8$, the challenger will reply $\bot$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\tilde{\alpha}_1 = \cdots = \tilde{\alpha}_8 = 0$. Consequently, the $(\bmod\ \varphi(N)/4)$ part of $\mathrm{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) \bmod \varphi(N)/4$, $i \in [n]$, together with the value of $\varphi(N)$ is enough for answering decrypt queries. In particular, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not necessary in decrypt.

$\mathrm{Bad}'$ is further divided into the following two subevents:

(i) $\mathrm{Bad}'$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0) \ \text{and} \ \big(\exists\, j \in [4],\ \alpha'_j/\alpha_j \neq \alpha'_{j+1}/\alpha_{j+1} \bmod N\big). \quad (47)$$

(ii) $\mathrm{Bad}'$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0) \ \text{and} \ \big(\alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \bmod N\big). \quad (48)$$

Recall that $(\alpha_1, \ldots, \alpha_5)$ are chosen in initialize. We will consider the two subevents in game $G_8$ separately via the following two claims.

Claim 27. One has $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE_{DDH}}}(\lambda)$.

Proof. In game $G_8$, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \ldots, x_4, y_4) \bmod \varphi(N)/4$. Thus the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$: for $j \in [4]$,
$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{\triangleq\, \tilde{k}_j} - \alpha_j \tilde{x}_{i_\ell,j} - \alpha_{j+1} \tilde{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2
\end{aligned} \quad (49)$$

If $\mathrm{Bad}'$-1 occurs, for concreteness say that $\alpha'_1/\alpha_1 \neq \alpha'_2/\alpha_2 \bmod N$, then
$$k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \tilde{x}_{i,1} + \alpha'_2 \tilde{y}_{i,1} + \gamma'_1 \bmod N \quad (50)$$
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_\$ \mathbb{Z}_N$, the probability of $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \neq \bot$ is upper bounded by $\mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE_{DDH}}}(\lambda)$. Then $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE_{DDH}}}(\lambda)$ by a union bound.
Claim 28. One has $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE_{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game $G_8$ the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values of $\tilde{k}_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\tilde{k}_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\tilde{k}_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\tilde{k}_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt.

Note that, because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $(\tilde{k}_1, \tilde{k}_2, \tilde{k}_3, \tilde{k}_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm that simulates decrypt and encrypt of game $G_8$ without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA encryption oracle of the AIAE_DDH scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathrm{pars_{AIAE}})$, which has access to the $\mathrm{encrypt_{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of the AIAE_DDH scheme, where $\mathrm{pars_{AIAE}} = (N, p, q, \ldots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more, and it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either, and instead it chooses $\tilde{\mathbf{k}} = (\tilde{k}_1, \tilde{k}_2, \tilde{k}_3, \tilde{k}_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \varphi(N)/4$ and $(\tilde{x}_{i,1}, \tilde{y}_{i,1}, \ldots, \tilde{x}_{i,4}, \tilde{y}_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(\tilde{x}_{i_\ell,j}, \tilde{y}_{i_\ell,j}, \tilde{k}_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \varphi(N)/4)$ part of $\mathrm{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \varphi(N)/4$ and $(\tilde{x}_{i,j}, \tilde{y}_{i,j})_{j=1}^4 \bmod \varphi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathrm{E.c}_\ell, \mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4}) \rangle)$ to its own $\mathrm{encrypt_{AIAE}}$ oracle and obtains $\mathrm{aiae.c}_\ell$. The final ciphertext is $\langle \mathrm{ai}_\ell, \mathrm{aiae.c}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security game, the $\mathrm{encrypt_{AIAE}}$ oracle will encrypt $\mathrm{E.c}_\ell$ with the auxiliary input $\mathrm{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$; that is, the $\mathrm{encrypt_{AIAE}}$ oracle behaves as $\mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathrm{E.c}_\ell, \mathrm{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to $G_8$. For decrypt, $\mathcal{B}_2$ answers decryption queries with the $(\bmod\ \varphi(N)/4)$ part of all the secret keys and $\varphi(N) = (p-1)(q-1)$, just like $G_8$.

Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiae.c} \rangle, i \in [n])$ such that $\mathrm{Bad}'$-2 occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
$$\begin{aligned}
k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot \big(\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{= \tilde{k}_j} - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}\big) + \gamma'_j \bmod N \\
&= r \cdot k^*_j + \underbrace{\big(- r \cdot (\tilde{k}_j - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}) + \gamma'_j\big)}_{\triangleq\, s_j} = r \cdot k^*_j + s_j \bmod N
\end{aligned} \quad (51)$$

Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4) \rangle$ as above using $(\tilde{x}_{i,j}, \tilde{y}_{i,j}, \tilde{k}_j)_{j=1}^4$, and outputs $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiae.c})$ to its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathrm{ai}, \mathrm{aiae.c} \rangle \neq \langle \mathrm{ai}_\ell, \mathrm{aiae.c}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiae.c}) \neq (\mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathrm{aiae.c}_\ell)$ will hold for all $\ell \in [Q_e]$; that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\tilde{k}_j - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot (\tilde{k}_j - \alpha_j \tilde{x}_{i,j} - \alpha_{j+1} \tilde{y}_{i,j}) + \gamma'_j = s_{\ell,j}$, and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously it satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security.

(iii) Finally, if $\mathrm{Bad}'$-2 occurs in this decryption query, then $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \neq \bot$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, will imply that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE_{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game $G_9$. It is identical to $G_8$ except for the following differences. In the initialize procedure of game $G_9$, the challenger picks an independent $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \tilde{k}^*_2, \tilde{k}^*_3, \tilde{k}^*_4) \leftarrow_\$ (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for AIAE_DDH in the computation of $\mathrm{aiae.c}_\ell$:

(i) $\mathbf{k}_\ell := (r_\ell \tilde{k}^*_1 + s_{\ell,1}, \ldots, r_\ell \tilde{k}^*_4 + s_{\ell,4})$.

(ii) $\mathrm{aiae.c}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathrm{E.c}_\ell, \mathrm{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.

In $G_8$, the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,
$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \tilde{x}_{i_\ell,j} - \alpha_{j+1} \tilde{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2
\end{aligned} \quad (52)$$

Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \varphi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Therefore the challenger could always employ another $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \ldots, \tilde{k}^*_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in AIAE_DDH's encryption in the encrypt oracle, as in $G_9$.

Then game $G_8$ and game $G_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathrm{Succ}] = \Pr_9[\mathrm{Succ}]$ and $\Pr_8[\widetilde{\mathrm{Bad}}] = \Pr_9[\widetilde{\mathrm{Bad}}]$.

Game $G_{10}$. It is identical to $G_9$ except for the way the challenger answers the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $G_{10}$ the challenger computes $\mathrm{aiae.c}_\ell$ in the following way:

(i) $\mathrm{aiae.c}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathrm{ai}_\ell)$.

Observe that in $G_9$ and $G_{10}$, $\tilde{\mathbf{k}}^*$ is employed only in the AIAE_DDH encryption, where it uses $\mathbf{k}_\ell = r_\ell \cdot \tilde{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between $G_9$ and $G_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{aff}}$-RKA security of the AIAE_DDH scheme. Therefore $|\Pr_9[\mathrm{Succ}] - \Pr_{10}[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE_{DDH}}}(\lambda)$ and $|\Pr_9[\widetilde{\mathrm{Bad}}] - \Pr_{10}[\widetilde{\mathrm{Bad}}]| \le \mathrm{Adv}^{\mathrm{ind\text{-}rka}}_{\mathrm{AIAE_{DDH}}}(\lambda)$.

Finally, in $G_{10}$ the challenger always computes the AIAE_DDH encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathrm{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.

Lemma 29. One has $\Pr_{10}[\widetilde{\mathrm{Bad}}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda)$.

Proof. In $G_{10}$, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \varphi(N)/4$. The only information leaked about them lies in the public keys $\mathrm{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \varphi(N)/4$, where we denote $w_j := \mathrm{dlog}_g g_j \bmod \varphi(N)/4$ for some base $g \in \mathrm{SCR}_{N^s}$, $j \in [5]$.
Bad is further divided into the following disjoint twosubevents
(i) Bad-1 A ever queries the decrypt oracle with (⟨aiaiaec⟩ 119894 isin [119899]) satisfying
Conditions (42) (43) and (12057210158401 = sdot sdot sdot = 12057210158405 = 0) and (1= 0 or sdot sdot sdot or 8 = 0) and ( 11199081
= 21199082
or 31199082
= 41199083
or 51199083
= 61199084
or 71199084
= 81199085
) (53)
(ii) Bad-2 A ever queries the decrypt oracle with (⟨aiaiaec⟩ 119894 isin [119899]) satisfying
Conditions (42) (43) and (12057210158401 = sdot sdot sdot = 12057210158405 = 0) and (1= 0 or sdot sdot sdot or 8 = 0) and ( 11199081
= 21199082
and 31199082
= 41199083
and 51199083
= 61199084
and 71199084
= 81199085
) (54)
We will analyze the two subevents in gameG10 separatelyvia the following two claims
Claim 30 One has Pr10[Bad-1] le 119876119889 sdot 2minusΩ(120582)
Proof If Bad-1 occurs for concreteness say that 11199081 =21199082 then1198921198981 = 11989211199091198941+21199101198941+sdotsdotsdot1= 11989211199091+21199101+11199091198941+21199101198941+sdotsdotsdotmod120601(119873)4
1 mod119873 (55)
and (11199091 + 21199101) mod120601(119873)4 is independent of (11990811199091 +11990821199101) mod120601(119873)4 Thus 1198921198981 is uniformly distributed overSCR119873119904 from Arsquos view and 119905 = 1198921198981 mod119873 will not holdexcept with negligible probability 2minusΩ(120582)
Then according to a union bound Pr10[Bad-1] le 119876119889 sdot2minusΩ(120582)
Claim 31. One has $\Pr_{10}[\text{Bad-2}] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $G_{10}$, if Bad-2 occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathsf{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathsf{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys just the same way as initialize in $G_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $G_{10}$ does. Furthermore, $z'_j$ is hidden by $z_j$ perfectly from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g g_j = z_j + w z'_j \bmod \phi(N)/4$.

If Bad-2 occurs in decrypt, for concreteness say that $a_1/w_1 = a_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{a_1} = g_1^{a_2} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $a_2 w_1 = a_1 w_2 \bmod \phi(N)/4$, or equivalently
$$a_2 z_1 + w\, a_2 z'_1 = a_1 z_2 + w\, a_1 z'_2 \bmod \phi(N)/4. \quad (56)$$
Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(a_2 z'_1 - a_1 z'_2) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ will succeed in computing the discrete logarithm of $h$ based on $g$ and output $w = (a_2 z'_1 - a_1 z'_2)^{-1} \cdot (a_1 z_2 - a_2 z_1) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\text{Bad-2}] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.
In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA Security
5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^{d}_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], which are polynomial-sized circuits computing $f \in \mathcal{F}^{d}_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $sk_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $pk_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables
How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.
The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.

Security and Communication Networks 21
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $sk_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$; that is,
$$x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}. \quad (57)$$
Consequently, $f_\ell$ in $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$; that is,
$$f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) = f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) = f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (58)$$
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:
(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.
Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1, \ldots, c_8)}$ can be extracted through solving a linear system of equations:
$$f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (59)$$
The overall time complexity for computing the coefficients $a_{(c_1, \ldots, c_8)}$ is polynomial in $\lambda$.
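The reduction above as runnable code, an added example that is not part of the paper: a black-box circuit for $f_\ell$ over $8n$ inputs is evaluated at random 8-variable points pushed through the shift relation (57), and the linear system (59) is solved for the coefficients $a_{(c_1, \ldots, c_8)}$. The modulus MOD (a prime standing in for the paper's $N^{s-1}$), the slot layout of the circuit input and the sample circuit are constructed assumptions.

```python
import itertools
import random

# Constructed toy modulus: the paper evaluates f_l modulo N^{s-1} (a composite); a
# prime is used here so that every nonzero pivot of the linear system (59) is invertible.
MOD = 1_000_000_007


def exponent_tuples(d):
    """All c = (c_1, ..., c_8) with 0 <= c_1 + ... + c_8 <= d, i.e. the monomials of f'_l."""
    return [c for c in itertools.product(range(d + 1), repeat=8) if sum(c) <= d]


def monomial(pt, c):
    """x_1^{c_1} y_1^{c_2} ... y_4^{c_8} evaluated at the 8-variable point pt."""
    val = 1
    for v, e in zip(pt, c):
        val = val * pow(v, e, MOD) % MOD
    return val


def shifted_input(pt, n, i_l, shifts):
    """Relation (57): variable k of key i equals pt[k] + shift_{i,k} - shift_{i_l,k}.
    Key i occupies slots 8i .. 8i+7 of the circuit input, ordered x_{i,1}, y_{i,1}, ..., y_{i,4}."""
    return [(pt[k] + shifts[8 * i + k] - shifts[8 * i_l + k]) % MOD
            for i in range(n) for k in range(8)]


def solve_mod(rows, rhs):
    """Gauss-Jordan elimination over Z_MOD for a consistent (possibly overdetermined)
    system; returns the unique solution vector."""
    n = len(rows[0])
    a = [r[:] + [b] for r, b in zip(rows, rhs)]
    for col in range(n):
        p = next((i for i in range(col, len(a)) if a[i][col] % MOD), None)
        if p is None:
            raise ValueError("singular system: resample the evaluation points")
        a[col], a[p] = a[p], a[col]
        inv = pow(a[col][col], -1, MOD)
        a[col] = [v * inv % MOD for v in a[col]]
        for i in range(len(a)):
            if i != col and a[i][col]:
                f = a[i][col]
                a[i] = [(vi - f * vp) % MOD for vi, vp in zip(a[i], a[col])]
    return [a[i][n] for i in range(n)]


def reduce_polynomial(circuit, n, i_l, shifts, d, rng):
    """Section 5.2: recover the coefficients a_c of f'_l from the 8n-variable black box
    f_l by evaluating it at random 8-variable points pushed through (57) and solving (59)."""
    S = exponent_tuples(d)
    rows, rhs = [], []
    for _ in range(len(S) + 4):                 # a few spare equations
        pt = [rng.randrange(MOD) for _ in range(8)]
        rows.append([monomial(pt, c) for c in S])
        rhs.append(circuit(shifted_input(pt, n, i_l, shifts)) % MOD)
    coeffs = solve_mod(rows, rhs)
    return {c: a for c, a in zip(S, coeffs) if a}


def sample_circuit(var):
    """Constructed degree-2 'modular arithmetic circuit' over n = 2 keys:
    3 * x_{1,1} * y_{2,1} + 5 * x_{2,3} + 7   (input slots 0, 9 and 12)."""
    return (3 * var[0] * var[9] + 5 * var[12] + 7) % MOD


def run_demo(seed=1):
    """Reduce sample_circuit for i_l = key 0 and return
    (recovered coefficients, coefficients expected by hand from (57))."""
    rng = random.Random(seed)
    shifts = [rng.randrange(MOD) for _ in range(16)]       # (x-bar, y-bar) of 2 keys
    got = reduce_polynomial(sample_circuit, 2, 0, shifts, 2, rng)
    d1 = (shifts[9] - shifts[1]) % MOD        # y_{2,1} = y_{1,1} + d1
    d2 = (shifts[12] - shifts[4]) % MOD       # x_{2,3} = x_{1,3} + d2
    # 3 x y_1 (y_1 + d1) + 5 (x_3 + d2) + 7 = 3 x_1 y_1 + 3 d1 x_1 + 5 x_3 + (5 d2 + 7)
    want = {(1, 1, 0, 0, 0, 0, 0, 0): 3, (1, 0, 0, 0, 0, 0, 0, 0): 3 * d1 % MOD,
            (0, 0, 0, 0, 1, 0, 0, 0): 5, (0,) * 8: (5 * d2 + 7) % MOD}
    return got, {c: a for c, a in want.items() if a}
```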
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (60)$$
Algorithms $\mathcal{E}.\mathrm{Encrypt}$ and $\mathcal{E}.\mathrm{Decrypt}$ are shown in Figure 9.
Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $G_3$-$G_4$, which are related to the building block $\mathcal{E}$. Next, we will replace $G_3$-$G_4$ with the following hybrids (i.e., Hybrid 1–Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathrm{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, preserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathrm{Encrypt}(pk_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is preserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $G_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (61)$$

Hybrid 2. Implement $\mathcal{E}.\mathrm{Encrypt}$ using $sk_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $G_3$ in the proof of Theorem 24.
(i) Invoke $\mathcal{E}.\mathrm{Encrypt}$ to set up $\mathbf{table}$.
(ii) Invoke $\mathcal{E}.\mathrm{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathbf{table}$.
(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Clearly, $\tilde{v}_0, \ldots, \tilde{v}_8$ computed via $\mathcal{E}.\mathrm{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathrm{Encrypt}$. Therefore this is just a conceptual change.

Hybrid 3. This hybrid corresponds to $G_4$ in the proof of Theorem 24.
Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The figure shows the two algorithms (recovered from the extracted layout).
$\mathcal{E}.\mathrm{Encrypt}(pk = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \ldots, 8\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$ and set $(u_{l,1}, \ldots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$, $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. Row $l$ of $\mathbf{table}$ is $(u_{l,1}, \ldots, u_{l,8})$, except that for $l \in [8]$ the $l$-th entry is $\tilde{u}_{l,l} := u_{l,l} \cdot v_{l-1}$. Output $\mathcal{E}.c = (\mathbf{table}, e, t)$ with $e := v_8 \cdot T^m \bmod N^s$ and $t := g_1^m \bmod N \in \mathbb{Z}_N$.
$\mathcal{E}.\mathrm{Decrypt}(sk = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.c)$: parse $\mathcal{E}.c = (\mathbf{table}, e, t)$ and compute $\tilde{v}_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$, $\tilde{v}_1 := (\tilde{u}_{1,1}/\tilde{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$, $\tilde{v}_2 := u_{2,1}^{-x_1} (\tilde{u}_{2,2}/\tilde{v}_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$, $\ldots$, $\tilde{v}_8 := u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (\tilde{u}_{8,8}/\tilde{v}_7)^{-y_4}$. If $e/\tilde{v}_8 \in \mathsf{RU}_N$, set $m := \mathrm{dlog}_T(e/\tilde{v}_8) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\perp$.

Figure 10: Security proof of $\mathcal{E}.\mathrm{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The figure lists the $\mathcal{E}.\mathrm{Encrypt}$ part of $\mathcal{E}.c \leftarrow_{\$} \mathcal{E}.\mathrm{Encrypt}(f, i \in [n])$ in Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form) side by side: $\mathbf{table}$ is generated as in Figure 9 (rows $(u_{l,1}, \ldots, u_{l,8})$ with $\tilde{u}_{l,l} = u_{l,l} \cdot v_{l-1}$), except that from Hybrid 3 on $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$; $\tilde{v}_0, \ldots, \tilde{v}_8$ are recomputed from $\mathbf{table}$ exactly as $\mathcal{E}.\mathrm{Decrypt}$ does; $e = v_8 \cdot T^{f'((x_j, y_j)_{j \in [4]})} \bmod N^s$ in Hybrid 1, $e = \tilde{v}_8 \cdot T^{f'((x_j, y_j)_{j \in [4]})} \bmod N^s$ in Hybrids 2 and 3, and $e = v_8 \bmod N^s$ in Hybrid 3 (Equivalent Form); in all hybrids $t = g_1^{f'((x_j, y_j)_{j \in [4]})} \bmod N \in \mathbb{Z}_N$.

(i) $\mathbf{table}$ is computed similarly as that in $\mathcal{E}.\mathrm{Encrypt}$ except for a small difference. More precisely, in $\mathbf{table}$ the entry located in row 1 and column 1 is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$. By the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathrm{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathbf{table}$.
(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.
Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) $\mathbf{table}$ is computed similarly as that in $\mathcal{E}.\mathrm{Encrypt}$ except for a small difference. More precisely, the entry located in row 1 and column 1 in $\mathbf{table}$ is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathrm{Encrypt}$ any more.
After these computationally indistinguishable changes, the $\mathcal{E}.\mathrm{Encrypt}$ part of the encrypt oracle preserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $G_7$-$G_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathbf{table}$ are elements in $\mathsf{SCR}_{N^s}$; if this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through a similar analysis as that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^{d}_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^{d}_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a $\mathbf{table}$ for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}.\mathrm{Encrypt}$ and $\mathcal{E}.\mathrm{Decrypt}$ are shown in Figure 11.
Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples; that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathbf{table}^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $sk = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from $\mathbf{table}^{(\mathbf{c})}$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(\tilde{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ could always be extracted from $(\mathbf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $G_3$-$G_4$. Next, we will replace $G_3$-$G_4$ with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the $\mathcal{E}.\mathrm{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, preserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathrm{Encrypt}(pk_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is preserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $G_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \quad (62)$$
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.
Hybrid 2. Implement $\mathcal{E}.\mathrm{Encrypt}$ using $sk_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $G_3$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathbf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathrm{TableGen}(pk_{i_\ell}, \mathbf{c})$;
(2) invoke $\tilde{v}^{(\mathbf{c})} \leftarrow \mathrm{CalculateV}(sk_{i_\ell}, \mathbf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Employ $(\tilde{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Figure 11: (a) $\mathcal{E}.\mathrm{Encrypt}$ (left) and $\mathcal{E}.\mathrm{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^{d}_{\mathrm{poly}}$; (b) TableGen, which generates $\mathbf{table}^{(\mathbf{c})}$ together with a title $v^{(\mathbf{c})}$; (c) CalculateV, which calculates a title $\tilde{v}^{(\mathbf{c})}$ from $\mathbf{table}^{(\mathbf{c})}$ using the secret key. The algorithms, recovered from the extracted layout:
(a) $\mathcal{E}.\mathrm{Encrypt}(pk, m)$: for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $(\mathbf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathrm{TableGen}(pk, \mathbf{c})$; $e := \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^m \bmod N^s$; $t := g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = ((\mathbf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$. $\mathcal{E}.\mathrm{Decrypt}(sk, \mathcal{E}.c)$: parse $\mathcal{E}.c = ((\mathbf{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$; for each $\mathbf{c} \in \mathcal{S}$, $\tilde{v}^{(\mathbf{c})} \leftarrow \mathrm{CalculateV}(sk, \mathbf{table}^{(\mathbf{c})}, \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})})^{-1} \in \mathsf{RU}_N$, set $m := \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})})^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\perp$.
(b) $\mathrm{TableGen}(pk = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: for each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. $\mathbf{table}^{(\mathbf{c})}$ has row 0 equal to $(u_{0,1}, \ldots, u_{0,8})$; the next $c_1$ rows $l \in \{1, \ldots, c_1\}$ equal $(u_{l,1} \cdot v_{l-1}, u_{l,2}, \ldots, u_{l,8})$; the next $c_2$ rows $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$ equal $(u_{l,1}, u_{l,2} \cdot v_{l-1}, u_{l,3}, \ldots, u_{l,8})$; and so on, until the last $c_8$ rows $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$ equal $(u_{l,1}, \ldots, u_{l,7}, u_{l,8} \cdot v_{l-1})$. Output $(\mathbf{table}^{(\mathbf{c})}, v^{(\mathbf{c})} := v_{\sum_{j=1}^8 c_j})$.
(c) $\mathrm{CalculateV}(sk = (x_1, y_1, \ldots, x_4, y_4), \mathbf{table}^{(\mathbf{c})}, \mathbf{c} = (c_1, \ldots, c_8))$: parse $\mathbf{table}^{(\mathbf{c})} = (\tilde{u}_{l,1}, \ldots, \tilde{u}_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$; $\tilde{v}_0 := \tilde{u}_{0,1}^{-x_1} \tilde{u}_{0,2}^{-y_1} \tilde{u}_{0,3}^{-x_2} \tilde{u}_{0,4}^{-y_2} \tilde{u}_{0,5}^{-x_3} \tilde{u}_{0,6}^{-y_3} \tilde{u}_{0,7}^{-x_4} \tilde{u}_{0,8}^{-y_4}$; for each $l \in \{1, \ldots, c_1\}$: $\tilde{v}_l := (\tilde{u}_{l,1}/\tilde{v}_{l-1})^{-x_1} \tilde{u}_{l,2}^{-y_1} \tilde{u}_{l,3}^{-x_2} \tilde{u}_{l,4}^{-y_2} \tilde{u}_{l,5}^{-x_3} \tilde{u}_{l,6}^{-y_3} \tilde{u}_{l,7}^{-x_4} \tilde{u}_{l,8}^{-y_4}$; for each $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$: $\tilde{v}_l := \tilde{u}_{l,1}^{-x_1} (\tilde{u}_{l,2}/\tilde{v}_{l-1})^{-y_1} \tilde{u}_{l,3}^{-x_2} \tilde{u}_{l,4}^{-y_2} \tilde{u}_{l,5}^{-x_3} \tilde{u}_{l,6}^{-y_3} \tilde{u}_{l,7}^{-x_4} \tilde{u}_{l,8}^{-y_4}$; $\ldots$; for each $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$: $\tilde{v}_l := \tilde{u}_{l,1}^{-x_1} \tilde{u}_{l,2}^{-y_1} \tilde{u}_{l,3}^{-x_2} \tilde{u}_{l,4}^{-y_2} \tilde{u}_{l,5}^{-x_3} \tilde{u}_{l,6}^{-y_3} \tilde{u}_{l,7}^{-x_4} (\tilde{u}_{l,8}/\tilde{v}_{l-1})^{-y_4}$. Output $\tilde{v}^{(\mathbf{c})} := \tilde{v}_{\sum_{j=1}^8 c_j}$.
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}^{(\mathbf{c})}$ computed via CalculateV is the same as $v^{(\mathbf{c})}$ computed via TableGen. Therefore this change is just conceptual.

Hybrid 3. This hybrid corresponds to $G_4$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) $\mathbf{table}^{(\mathbf{c})}$ is computed by $(\mathbf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathrm{TableGen}(pk_{i_\ell}, \mathbf{c})$ except for a small difference; more precisely, in $\mathbf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$. By the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable.
(2) extract $\tilde{v}^{(\mathbf{c})}$ from the (modified) $\mathbf{table}^{(\mathbf{c})}$ by invoking $\tilde{v}^{(\mathbf{c})} \leftarrow \mathrm{CalculateV}(sk_{i_\ell}, \mathbf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})} \cdot T^{-a_{(c_1, \ldots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \quad (63)$$
Hence
$$e = \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \ldots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta}. \quad (64)$$
Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathbf{table}^{(\mathbf{c})}$ is computed by $(\mathbf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathrm{TableGen}(pk_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in $\mathbf{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathrm{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathrm{Encrypt}$ part of the encrypt oracle preserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

With a similar argument as that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
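To make the table mechanism of Sections 5.3 and 5.4 concrete, here is an added example (not the paper's own code) that implements TableGen, CalculateV and the $\mathcal{E}$ of Figure 11 for $s = 2$, and then reproduces the Hybrid 3 step: injecting $T^{a}$ into the row-1 entry of column $j = \min\{i : c_i \neq 0\}$ shifts the recovered title by exactly $T^{-a \cdot x_1^{c_1} y_1^{c_2} \cdots y_4^{c_8}}$, which is relation (63). The toy modulus $N = 10007 \cdot 10009$, the seed and the key ranges are constructed assumptions; the layout of $(u_{l,1}, \ldots, u_{l,8})$ and of the marked entries follows Figure 11(b).

```python
import itertools
import math
import random

# Toy DCR-style instance, constructed for this example (far too small to be secure):
# N = p*q and s = 2, so the group is Z*_{N^2}, T = 1 + N and messages lie in Z_N.
P, Q = 10007, 10009          # constructed small primes
N = P * Q
NS = N ** 2
T = 1 + N


def dlog_T(x):
    """dlog base T in Z*_{N^2}: (1+N)^m = 1 + mN (mod N^2), hence m = (x-1)/N."""
    return ((x - 1) // N) % N


def keygen(rng):
    """g_1..g_5 <- SCR_{N^2} (2N-th powers); sk = (x_1, y_1, ..., x_4, y_4) in [N^2/4];
    pk = (h_1..h_4) with h_j = g_j^{-x_j} g_{j+1}^{-y_j}, as in Section 5.1."""
    gens = []
    while len(gens) < 5:
        b = rng.randrange(2, N)
        if math.gcd(b, N) == 1:
            gens.append(pow(b, 2 * N, NS))
    sk = [rng.randrange(N * N // 4) for _ in range(8)]
    pk = [pow(gens[j], -sk[2 * j], NS) * pow(gens[j + 1], -sk[2 * j + 1], NS) % NS
          for j in range(4)]
    return gens, pk, sk


def marked_columns(c):
    """Column carrying the title in row l >= 1: rows 1..c_1 use column 1,
    rows c_1+1..c_1+c_2 use column 2, and so on (Figure 11(b)); 0-based here."""
    return [j for j, cj in enumerate(c) for _ in range(cj)]


def table_gen(gens, pk, c, rng):
    """TableGen(pk, c): rows l = 0..sum(c); the marked entry of row l is u_{l,col} * v_{l-1}.
    Returns (table(c), v(c) = v_{sum(c)})."""
    cols, table, v_prev = marked_columns(c), [], None
    for l in range(sum(c) + 1):
        r = [rng.randrange(N // 4) for _ in range(4)]
        # (u_{l,1..8}) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, ..., g_4^{r_4}, g_5^{r_4})
        u = [pow(gens[(k + 1) // 2], r[k // 2], NS) for k in range(8)]
        v = 1
        for j in range(4):                       # v_l = h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4}
            v = v * pow(pk[j], r[j], NS) % NS
        if l >= 1:
            u[cols[l - 1]] = u[cols[l - 1]] * v_prev % NS
        table.append(u)
        v_prev = v
    return table, v_prev


def calculate_v(sk, table, c):
    """CalculateV(sk, table(c), c): divide the marked entry by the previous title,
    then raise the row to the negated secret exponents. Returns v~(c)."""
    cols, v_prev = marked_columns(c), None
    for l, row in enumerate(table):
        v = 1
        for k in range(8):
            entry = row[k]
            if l >= 1 and k == cols[l - 1]:
                entry = entry * pow(v_prev, -1, NS) % NS   # u~_{l,k} / v~_{l-1}
            v = v * pow(entry, -sk[k], NS) % NS
        v_prev = v
    return v_prev


def degree_tuples(d):
    """S = { c in N^8 : 1 <= c_1 + ... + c_8 <= d }."""
    return [c for c in itertools.product(range(d + 1), repeat=8) if 1 <= sum(c) <= d]


def e_encrypt(gens, pk, m, d, rng):
    """E.Encrypt of Figure 11(a): T^m is hidden by the product of all titles."""
    tables, prod_v = {}, 1
    for c in degree_tuples(d):
        tables[c], v = table_gen(gens, pk, c, rng)
        prod_v = prod_v * v % NS
    return tables, prod_v * pow(T, m, NS) % NS, pow(gens[0], m, N)


def e_decrypt(gens, sk, ct, d):
    """E.Decrypt of Figure 11(a); None stands for the rejection symbol."""
    tables, e, t = ct
    prod_v = 1
    for c in degree_tuples(d):
        prod_v = prod_v * calculate_v(sk, tables[c], c) % NS
    x = e * pow(prod_v, -1, NS) % NS
    if (x - 1) % N != 0:                          # not in RU_N: reject
        return None
    m = dlog_T(x)
    return m if pow(gens[0], m, N) == t else None


def filtered_title(gens, pk, sk, c, a, rng):
    """Hybrid 3 of Section 5.4: the row-1 entry in column j = min{i : c_i != 0}
    becomes (u_{1,j} T^a) v_0. Returns (v(c), v~(c)) so that (63) can be checked."""
    table, v_c = table_gen(gens, pk, c, rng)
    j = marked_columns(c)[0]
    table[1][j] = table[1][j] * pow(T, a, NS) % NS
    return v_c, calculate_v(sk, table, c)
```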
Appendix

A. Proof of Claim 19
We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_{\$} \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathrm{pars}_{\mathrm{AE}}$ and has access to the oracle $\mathrm{encrypt}_{\mathrm{AE}}(\cdot) = \mathrm{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal{B}$ prepares $\mathrm{pars}_{\mathrm{AIAE}}$ in the same way as in $G'_{1,j}$. That is, invoke $\mathrm{pars}_{\mathrm{THPS}} \leftarrow_{\$} \mathrm{THPS.Setup}(1^\lambda)$, pick $\mathrm{H} \leftarrow_{\$} \mathcal{H}$ randomly, and set $\mathrm{pars}_{\mathrm{AIAE}} := (\mathrm{pars}_{\mathrm{THPS}}, \mathrm{pars}_{\mathrm{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathrm{pars}_{\mathrm{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathrm{hk} \leftarrow_{\$} \mathcal{HK}$.

As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathrm{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, b_\ell \rangle \in \mathcal{F}^{r}_{\mathrm{aff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$, and invokes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathrm{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathrm{hk} + b_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathrm{hk}$ at all, and instead it will resort to its own $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathrm{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, queries its $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $G'_{1,j}$. Therefore, the simulation of $\mathcal{B}$ is the same as that in $G'_{1,j}$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathrm{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathrm{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathrm{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.
Finally, $\mathcal{A}$ sends a forgery $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, b^* \rangle \in \mathcal{F}^{r}_{\mathrm{aff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows:

(i) If $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathrm{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai}_\ell = \mathrm{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathrm{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathrm{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathrm{ai}_\ell) \neq (C^*, \mathrm{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathrm{Forge} \wedge t_j = t^*$ will imply that $(\mathrm{ai}^*, f^*, C^*) = (\mathrm{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ imply that $\chi^* \neq \chi_j$ and $\mathrm{AE.Decrypt}(\kappa, \chi^*) \neq \perp$; that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $G'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathrm{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathrm{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}^b_{\mathsf{IV}_5}}(N, g_1, \ldots, g_5)$ to solve the $\mathsf{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}.\mathrm{Encrypt}$ as follows.

(i) For the 0th row of $\mathbf{table}$, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathsf{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$; that is,
Case $(b = 0)$: $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case $(b = 1)$: $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^a, g_2^{r_{1,1}}) = (u_{1,1} T^a, u_{1,2})$.

$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^a \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of $\mathbf{table}$ using its public keys and sets the 1st row of $\mathbf{table}$ to be
$$(\tilde{u}_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \cdots,\ u_{1,8}). \quad (B.1)$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case $(b = 0)$: $v^*_1 = v_1$, or
Case $(b = 1)$: $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathsf{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$; that is,
Case $(b = 0)$: $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case $(b = 1)$: $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.

$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^*_{2,2} \cdot v^*_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of $\mathbf{table}$ using its public keys and sets the 2nd row of $\mathbf{table}$ to be
$$(u^*_{2,1},\ \tilde{u}_{2,2} = u^*_{2,2} \cdot v^*_1,\ u_{2,3},\ \cdots,\ u_{2,8}). \quad (B.2)$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case $(b = 0)$: $v^*_2 = v_2$, or
Case $(b = 1)$: $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.
(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathsf{IV}_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$; that is,
Case $(b = 0)$: $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case $(b = 1)$: $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.

$\mathcal{B}$ sets $\tilde{u}_{3,3} := u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that $\tilde{u}_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of $\mathbf{table}$ using its public keys and sets the 3rd row of $\mathbf{table}$ to be
$$(u_{3,1},\ u_{3,2},\ \tilde{u}_{3,3} = u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ u_{3,5},\ \cdots,\ u_{3,8}). \quad (B.3)$$
$\mathcal{B}$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case $(b = 0)$: $v^*_3 = v_3$, or
Case $(b = 1)$: $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ computes $\mathbf{table}$ similarly as above.

(vi) Finally, $\mathcal{B}$ computes $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathbf{table}$ just as in Hybrids 2 and 3 (also as the original $\mathcal{E}.\mathrm{Decrypt}$ algorithm) and computes $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathsf{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
Security and Communication Networks 27
References
[1] S Goldwasser and S Micali ldquoProbabilistic encryptionrdquo Journalof Computer and System Sciences vol 28 no 2 pp 270ndash2991984
[2] J Black P Rogaway and T Shrimpton ldquoEncryption-schemesecurity in the presence of key-dependentmessagesrdquo in SelectedAreas in Cryptography K Nyberg and H M Heys Eds vol2595 of Lecture Notes in Computer Science pp 62ndash75 Springer2003
[3] J Camenisch and A Lysyanskaya ldquoAn efficient system for non-transferable anonymous credentials with optional anonymityrevocationrdquo in Advances in Cryptology B Pfitzmann Ed vol2045 of Lecture Notes in Computer Science pp 93ndash118 Springer2001
[4] D Boneh S Halevi M Hamburg and R Ostrovsky ldquoCircular-secure encryption from decision Diffie-Hellmanrdquo in Advancesin Cryptology D Wagner Ed vol 5157 of Lecture Notes inComputer Science pp 108ndash125 Springer 2008
[5] Z Brakerski and S Goldwasser ldquoCircular and leakage resilientpublic-key encryption under subgroup indistinguishability (orquadratic residuosity strikes back)rdquo in Advances in CryptologyT Rabin Ed vol 6223 of Lecture Notes in Computer Science pp1ndash20 Springer 2010
[6] B Applebaum D Cash C Peikert and A Sahai ldquoFast cryp-tographic primitives and circular-secure encryption based onhard learning problemsrdquo in Advances in Cryptology S HaleviEd vol 5677 of Lecture Notes in Computer Science pp 595ndash618Springer 2009
[7] O Regev ldquoOn lattices learning with errors random linearcodes and cryptographyrdquo in Proceedings of the 37th AnnualACM Symposium on Theory of Computing (STOC rsquo05) H NGabow and R Fagin Eds pp 84ndash93 ACM 2005
[8] Z Brakerski S Goldwasser and Y T Kalai ldquoBlack-box circular-secure encryption beyond affine functionsrdquo in Theory of Cryp-tography Y Ishai Ed vol 6597 of Lecture Notes in ComputerScience pp 201ndash218 Springer 2011
[9] B Barak I Haitner D Hofheinz and Y Ishai ldquoBounded key-dependent message securityrdquo in Advances in Cryptology HGilbert Ed vol 6110 of Lecture Notes in Computer Science pp423ndash444 Springer 2010
[10] T Malkin I Teranishi and M Yung ldquoEfficient circuit-sizeindependent public key encryption with KDM securityrdquo inAdvances in Cryptology K G Paterson Ed vol 6632 of LectureNotes in Computer Science pp 507ndash526 Springer 2011
[11] J CamenischNChandran andV Shoup ldquoApublic key encryp-tion scheme secure against key dependent chosen plaintext andadaptive chosen ciphertext attacksrdquo in Advances in CryptologyA Joux Ed vol 5479 of Lecture Notes in Computer Science pp351ndash368 Springer 2009
[12] M Naor and M Yung ldquoPublic-key cryptosystems provablysecure against chosen ciphertext attacksrdquo in Proceedings of the22nd Annual ACM Symposium on Theory of Computing (STOCrsquo90) H Ortiz Ed pp 427ndash437 May 1990
[13] J Groth and A Sahai ldquoEfficient non-interactive proof systemsfor bilinear groupsrdquo inAdvances in Cryptology N P Smart Edvol 4965 of Lecture Notes in Computer Science pp 415ndash432Springer 2008
[14] D Galindo J Herranz and J Villar ldquoIdentity-based encryptionwith master key-dependent message security and leakage-resiliencerdquo in European Symposium on Research in Computer
Security S Foresti M Yung and F Martinelli Eds vol 7459of Lecture Notes in Computer Science pp 627ndash642 2012
[15] D Hofheinz ldquoCircular chosen-ciphertext security with com-pact ciphertextsrdquo inAdvances in Cryptology T Johansson and PQ Nguyen Eds vol 7881 of Lecture Notes in Computer Sciencepp 520ndash536 Springer 2013
[16] X Lu B Li and D Jia ldquoKDM-CCA security from RKA secureauthenticated encryptionrdquo in Advances in Cryptology Part IE Oswald and M Fischlin Eds vol 9056 of Lecture Notes inComputer Science pp 559ndash583 Springer 2015
[17] S Han S Liu and L Lyu ldquoEfficient KDM-CCA secure public-key encryption for polynomial functionsrdquo in Annual Interna-tional Conference on the Theory and Applications of Cryptologyand Information Security J H Cheon and T Takagi Edsvol 10032 of Lecture Notes in Computer Science pp 307ndash338Springer 2016
[18] R Cramer and V Shoup ldquoDesign and analysis of practicalpublic-key encryption schemes secure against adaptive chosenciphertext attackrdquo SIAM Journal on Computing vol 33 no 1 pp167ndash226 2003
[19] B Qin S Liu and K Chen ldquoEfficient chosen-ciphertext securepublic-key encryption scheme with high leakage-resiliencerdquoIET Information Security vol 9 no 1 pp 32ndash42 2015
[20] R Cramer andV Shoup ldquoUniversal hash proofs and a paradigmfor adaptive chosen ciphertext secure public-key encryptionrdquo inAdvances in Cryptology L R Knudsen Ed vol 2332 of LectureNotes in Computer Science pp 45ndash64 Springer 2002
[21] Y Dodis E Kiltz K Pietrzak and D Wichs ldquoMessage authen-tication revisitedrdquo in Advances in Cryptology D Pointchevaland T Johansson Eds vol 7237 of Lecture Notes in ComputerScience pp 355ndash374 Springer 2012
[22] K Xagawa ldquoMessage authentication codes secure against addi-tively related-key attacksrdquo in Proceedings of the Symposium onCryptography and Information Security (SCIS rsquo13) 2013
[23] I DamgArd andM Jurik ldquoA generalisation a simplification andsome applications of Paillierrsquos probabilistic public-key systemrdquoin Public Key Cryptography K Kim Ed vol 1992 of LectureNotes in Computer Science pp 119ndash136 Springer 2001
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 13
[Figure 7: Construction of AIAE_DDH from AE and THPS_DDH. Recoverable content of the figure:
AIAE.ParGen($1^\lambda$): $(p, q, N, \bar N) \leftarrow \mathsf{GenN}(1^\lambda)$, i.e. $p, q$ are safe primes, $N = pq$ and $\bar N = 2N + 1$ is a prime; $g_1, g_2 \leftarrow_\$ \mathrm{QR}_{\bar N}$; $\mathrm{pars}_{\mathrm{AE}} \leftarrow \mathsf{AE.ParGen}(1^\lambda)$; $H \leftarrow_\$ \mathcal{H}$. Output $\mathrm{pars}_{\mathrm{AIAE}} = (\bar N, p, q, N, g_1, g_2, \mathrm{pars}_{\mathrm{AE}}, H)$.
AIAE.Encrypt($\mathbf{k}, m, \mathrm{ai}$): parse $\mathbf{k} = (k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$; $w \leftarrow_\$ \mathbb{Z}_N$; $(c_1, c_2) = (g_1^w, g_2^w) \in \mathrm{QR}_{\bar N}^2$; $t = H(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$; derive the AE key $c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathrm{QR}_{\bar N}$ and encrypt $m$ under it with AE.Encrypt; output $\langle c_1,\, c_2,\, \text{AE ciphertext} \rangle$.
AIAE.Decrypt($\mathbf{k}, \langle c_1, c_2, \text{AE ciphertext} \rangle, \mathrm{ai}$): parse $\mathbf{k}$ as above; if $(c_1, c_2) \notin \mathrm{QR}_{\bar N}^2$ or $(c_1, c_2) = (1, 1)$, output $\bot$; recompute $t = H(c_1, c_2, \mathrm{ai}) \in \mathbb{Z}_N$ and the AE key $c_1^{k_1 + k_3 t} \cdot c_2^{k_2 + k_4 t} \in \mathrm{QR}_{\bar N}$; output the result of AE.Decrypt under that key.]
fact will be used in the security proof of the PKE schemes presented in Sections 4 and 5.

4. PKE with n-KDM[F_aff]-CCA Security

Denote by AIAE_DDH = (AIAE.ParGen, AIAE.Encrypt, AIAE.Decrypt) the DDH-based AIAE scheme in Figure 7, where the key space is $(\mathbb{Z}_N)^4$. We need two other building blocks, following the approach in Figure 1:

(i) KEM: to be compatible with this AIAE_DDH, we have to design a KEM encapsulating a key tuple $(k_1, k_2, k_3, k_4) \in (\mathbb{Z}_N)^4$.

(ii) $\mathcal{E}$: to support the set F_aff of affine functions, we have to construct a special public-key encryption $\mathcal{E}$ so that, after a computationally indistinguishable change, $\mathcal{E}$.Encrypt can serve as an entropy filter for the affine function set.

The proposed PKE scheme PKE = (ParGen, KeyGen, Encrypt, Decrypt) is presented in Figure 8, in which the shadowed parts highlight the algorithms of KEM and $\mathcal{E}$.

The correctness of PKE is guaranteed by the correctness of AIAE_DDH, $\mathcal{E}$, and KEM.
Theorem 24. If (i) the DCR assumption holds for GenN and $\mathrm{QR}_{N^s}$, (ii) AIAE_DDH is IND-F_raff-RKA and weak-INT-F_raff-RKA secure, and (iii) the DL assumption holds for GenN and $\mathrm{SCR}_{N^s}$, then the proposed scheme PKE in Figure 8 is $n$-KDM[F_aff]-CCA secure.

Proof of Theorem 24. Denote by A a PPT adversary against the $n$-KDM[F_aff]-CCA security, querying the encrypt oracle at most $Q_e$ times and the decrypt oracle at most $Q_d$ times. The theorem is proved through a series of games. A rough description of the differences between adjacent games is summarized in Table 2.

In the proof, G1 and G2 deal with the $n$-user case; G3 and G4 eliminate the use of the $(\bmod N)$ part of $(x_j, y_j)_{j=1}^4$ in the encrypt oracle; the aim of G5 and G6 is to use $(x_j, y_j)_{j=1}^4 \bmod N$ to hide a base key $\mathbf{k}^* = (k^*_1, \ldots, k^*_4)$ of AIAE_DDH in the encrypt oracle; G7 and G8 eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the decrypt oracle; in G9 and G10, the IND-F_raff-RKA security of AIAE_DDH leads to the $n$-KDM[F_aff]-CCA security, because $\mathbf{k}^* = (k^*_1, \ldots, k^*_4)$ is now perfectly concealed by $(x_j, y_j)_{j=1}^4 \bmod N$.

Game G0. It is the $n$-KDM[F_aff]-CCA game. Denote the event $\beta' = \beta$ by Succ. According to the definition, $\mathrm{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathrm{PKE},\mathcal{A}}(\lambda) = |\Pr_0[\mathrm{Succ}] - 1/2|$.

For the $i$-th user, $i \in [n]$, let $\mathrm{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ and $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ denote the corresponding public key and secret key, respectively.

Game G1. It is identical to G0 except for the way of answering the decrypt query $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$. More precisely, the challenger outputs $\bot$ if $\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$, where $\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ is the challenge ciphertext of the $\ell$-th encrypt oracle query $(f_\ell, i_\ell)$.

Case 1 ($(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i) = (\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle, i_\ell)$): decrypt will output $\bot$ in G0, since $(\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle, i_\ell) \in Q_{\mathrm{ENC}}$ is prohibited by decrypt.

Case 2 ($\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ but $i \neq i_\ell$): We show that in G0 decrypt will output $\bot$ due to $e_{\ell 1} u_{\ell 1}^{x_{i,1}} u_{\ell 2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ with overwhelming probability. Recall that $u_{\ell 1} = g_1^{r_\ell}$, $u_{\ell 2} = g_2^{r_\ell}$ and $e_{\ell 1} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell 1}}$, so
$$e_{\ell 1} u_{\ell 1}^{x_{i,1}} u_{\ell 2}^{y_{i,1}} = h_{i_\ell,1}^{r_\ell} T^{k_{\ell 1}} \cdot (g_1^{r_\ell})^{x_{i,1}} (g_2^{r_\ell})^{y_{i,1}} = (h_{i_\ell,1} h_{i,1}^{-1})^{r_\ell} T^{k_{\ell 1}} \bmod N^2, \quad (29)$$
where $h_{i_\ell,1}$ and $h_{i,1}$ are parts of the public keys of the $i_\ell$-th user and the $i$-th user, respectively, and are uniformly random over $\mathrm{SCR}_{N^s}$.
[Figure 8: Construction of PKE from AIAE_DDH. The shadowed parts highlight algorithms of KEM and $\mathcal{E}$. Here $p, q$ in $\mathrm{pars}_{\mathrm{AIAE}}$ are not provided in $\mathrm{pars}'_{\mathrm{AIAE}}$ since they are not used in AIAE.Encrypt and AIAE.Decrypt of AIAE_DDH. Recoverable content of the figure:
ParGen($1^\lambda$): $\mathrm{pars}_{\mathrm{AIAE}} = (\bar N, p, q, N, g_1, g_2, \mathrm{pars}_{\mathrm{AE}}, H) \leftarrow \mathsf{AIAE.ParGen}(1^\lambda)$, where $N = pq$, $\bar N = 2N + 1$ and $g_1, g_2 \in \mathrm{QR}_{\bar N}$; set $\mathrm{pars}'_{\mathrm{AIAE}} = (\bar N, N, g_1, g_2, \mathrm{pars}_{\mathrm{AE}}, H)$; $g_1, \ldots, g_5 \leftarrow_\$ \mathrm{SCR}_{N^s}$; output $\mathrm{pars} = (\mathrm{pars}'_{\mathrm{AIAE}}, g_1, \ldots, g_5)$.
KeyGen(pars): $x_1, y_1, \ldots, x_4, y_4 \leftarrow_\$ [\lfloor N^2/4 \rfloor]$; $(h_1, h_2, h_3, h_4) = (g_1^{-x_1} g_2^{-y_1},\; g_2^{-x_2} g_3^{-y_2},\; g_3^{-x_3} g_4^{-y_3},\; g_4^{-x_4} g_5^{-y_4}) \bmod N^s$; $\mathrm{pk} = (h_1, h_2, h_3, h_4)$, $\mathrm{sk} = (x_1, y_1, \ldots, x_4, y_4)$; output $(\mathrm{pk}, \mathrm{sk})$.
Encrypt(pk, $m$): $(\mathbf{k}, \mathrm{ai}) \leftarrow \mathsf{KEM.Encrypt}(\mathrm{pk})$; $\mathcal{E}c \leftarrow \mathcal{E}.\mathsf{Encrypt}(\mathrm{pk}, m)$; $\mathrm{aiaec} \leftarrow \mathsf{AIAE.Encrypt}(\mathbf{k}, \mathcal{E}c, \mathrm{ai})$; output $\langle \mathrm{ai}, \mathrm{aiaec} \rangle$.
KEM.Encrypt(pk): $\mathbf{k} = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$; $r \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_1, \ldots, u_5) = (g_1^r, \ldots, g_5^r) \bmod N^2$; $(e_1, \ldots, e_4) = (h_1^r T^{k_1}, \ldots, h_4^r T^{k_4}) \bmod N^2$; $\mathrm{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$; output $(\mathbf{k}, \mathrm{ai})$.
$\mathcal{E}$.Encrypt(pk, $m$) for $m \in [N^{s-1}]$: $r_1, \ldots, r_4 \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(\tilde u_1, \ldots, \tilde u_8) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$; $e = h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^m \bmod N^s$; $t = g_1^m \bmod N$; $\mathcal{E}c = (\tilde u_1, \ldots, \tilde u_8, e, t)$.
Decrypt(sk, $\langle \mathrm{ai}, \mathrm{aiaec} \rangle$): $\mathbf{k}/\bot \leftarrow \mathsf{KEM.Decrypt}(\mathrm{sk}, \mathrm{ai})$; $\mathcal{E}c/\bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai})$; $m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathrm{sk}, \mathcal{E}c)$.
KEM.Decrypt(sk, ai): parse ai; if $e_1 u_1^{x_1} u_2^{y_1}, \ldots, e_4 u_4^{x_4} u_5^{y_4} \in \mathrm{RU}_{N^2}$, output $\mathbf{k} = (k_1, \ldots, k_4) = (\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}), \ldots, \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})) \bmod N$; else output $\bot$.
$\mathcal{E}$.Decrypt(sk, $\mathcal{E}c$): parse $\mathcal{E}c$; if $e\, \tilde u_1^{x_1} \tilde u_2^{y_1} \tilde u_3^{x_2} \tilde u_4^{y_2} \tilde u_5^{x_3} \tilde u_6^{y_3} \tilde u_7^{x_4} \tilde u_8^{y_4} \in \mathrm{RU}_{N^s}$, compute $m = \mathrm{dlog}_T(e\, \tilde u_1^{x_1} \cdots \tilde u_8^{y_4}) \bmod N^{s-1}$ and output $m$ if $t = g_1^m \bmod N$; else output $\bot$.]
So $h_{i_\ell,1} h_{i,1}^{-1} \neq 1$, hence $e_{\ell 1} u_{\ell 1}^{x_{i,1}} u_{\ell 2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus G0 and G1 are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$ according to the union bound, and $|\Pr_0[\mathrm{Succ}] - \Pr_1[\mathrm{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Game G2. It is identical to G1 except for the way the challenger samples the secret keys $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game G2, the challenger first chooses $(x_1, y_1, \ldots, x_4, y_4)$ and $(\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$; next it computes $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) := (x_1, y_1, \ldots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.

Obviously, the secret keys $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence G2 is identical to G1 and $\Pr_1[\mathrm{Succ}] = \Pr_2[\mathrm{Succ}]$.

Game G3. It is identical to G2 except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G3, instead of using the public key $\mathrm{pk}_{i_\ell} = (h_{i_\ell,1}, \ldots, h_{i_\ell,4})$, the challenger uses the secret key $\mathrm{sk}_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \ldots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell 1}, \ldots, e_{\ell 4})$ and $e_\ell$ in the following way:

(i)
$$(e_{\ell 1}, \ldots, e_{\ell 4}) := \big(u_{\ell 1}^{-x_{i_\ell,1}} u_{\ell 2}^{-y_{i_\ell,1}} T^{k_{\ell 1}}, \ldots, u_{\ell 4}^{-x_{i_\ell,4}} u_{\ell 5}^{-y_{i_\ell,4}} T^{k_{\ell 4}}\big) \bmod N^2, \quad (30)$$

(ii)
$$e_\ell := \tilde u_{\ell 1}^{-x_{i_\ell,1}} \tilde u_{\ell 2}^{-y_{i_\ell,1}} \tilde u_{\ell 3}^{-x_{i_\ell,2}} \tilde u_{\ell 4}^{-y_{i_\ell,2}} \tilde u_{\ell 5}^{-x_{i_\ell,3}} \tilde u_{\ell 6}^{-y_{i_\ell,3}} \tilde u_{\ell 7}^{-x_{i_\ell,4}} \tilde u_{\ell 8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \quad (31)$$

Note that for $j \in [4]$,
$$e_{\ell j} \overset{G_2}{=} h_{i_\ell,j}^{r_\ell} T^{k_{\ell j}} = \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_\ell} T^{k_{\ell j}} \overset{G_3}{=} u_{\ell j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell j}} \bmod N^2,$$
Table 2: Brief description of the security proof of Theorem 24.

Game | Changes between adjacent games | Assumptions
G0 | The original $n$-KDM-CCA security game. | —
G1 | decrypt: reject if $\langle \mathrm{ai}, \mathrm{aiaec} \rangle = \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$. | $G_0 \approx_s G_1$
G2 | initialize: sample secret keys with $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) = (x_1, y_1, \ldots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4})$. | $G_1 = G_2$
G3 | encrypt$(f_\ell, i_\ell)$: use the secret keys to run KEM.Encrypt and $\mathcal{E}$.Encrypt. | $G_2 = G_3$
G4 | encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of the secret keys, $\mathcal{E}c$ is computed with $(\tilde u_{\ell j})_{j \in [8]} = (g_1^{r_{\ell 1}} T^{\delta_1}, \ldots, g_5^{r_{\ell 4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell 1}}, \ldots, g_5^{r_{\ell 4}})$; encrypt does not use $(x_j, y_j)_{j=1}^4 \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen. | $G_3 \approx_c G_4$ by IV5
G5 | encrypt$(f_\ell, i_\ell)$: kemct (= ai) of KEM.Encrypt is computed with $(u_{\ell j})_{j \in [5]} = ((g_j^{r^*} T^{\alpha_j})^{r_\ell})_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now KEM.Encrypt encapsulates the four keys $(k_{\ell j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}))_{j=1}^4 \bmod N$, but $(k_{\ell j})_{j=1}^4$ is the key used in AIAE.Encrypt. | $G_4 \approx_c G_5$ by IV5
G6 | encrypt$(f_\ell, i_\ell)$: sample $k_{\ell j} := r_\ell k^*_j + s_{\ell j}$ for $j \in [4]$. Now KEM.Encrypt encapsulates the four keys $(r_\ell (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell (\alpha_j \bar x_{i,j} + \alpha_{j+1} \bar y_{i,j}) + s_{\ell j})_{j=1}^4$, but $(r_\ell k^*_j + s_{\ell j})_{j=1}^4$ is the key used in AIAE.Encrypt. | $G_5 = G_6$
G7 | decrypt: use $\phi(N)$ and the secret keys to answer decryption queries. | $G_6 = G_7$
G8 | decrypt: add an additional rejection rule. Reject if $\mathrm{Bad}' = (\exists u_j \notin \mathrm{SCR}_{N^2})$ or $\widetilde{\mathrm{Bad}} = (\forall u_j \in \mathrm{SCR}_{N^2}) \wedge (\exists \tilde u_j \notin \mathrm{SCR}_{N^s})$ happens. $\mathrm{Bad}'$ and $\widetilde{\mathrm{Bad}}$ can be detected by using $\phi(N)$. Now only the $(\bmod\ \phi(N)/4)$ part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^4 \bmod N$ perfectly hides $(k^*_1, \ldots, k^*_4)$ in encrypt, thus $(k^*_1, \ldots, k^*_4)$ is uniform. $(r_\ell k^*_j + s_{\ell j})_{j=1}^4$ is the key used in AIAE.Encrypt. $\mathrm{Bad}'$ may lead to a fresh successful forgery for AIAE_DDH. | $G_7 = G_8$ if neither $\mathrm{Bad}'$ nor $\widetilde{\mathrm{Bad}}$ happens; $\Pr[\mathrm{Bad}'] = \mathrm{negl}$ due to the weak-INT-F_raff-RKA security of AIAE_DDH
G9 | initialize: sample an independent random tuple $(k^*_1, \ldots, k^*_4)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell k^*_j + s_{\ell j})_{j=1}^4$ in AIAE.Encrypt. | $G_8 = G_9$ to the adversary
G10 | encrypt: encrypt zeros instead of the affine function of the secret keys. $\widetilde{\mathrm{Bad}}$ happens with negligible probability since $t = g_1^m \bmod N$ in decrypt. Adversary A wins with probability 1/2. | $G_9 \approx_c G_{10}$ by the IND-F_raff-RKA security of AIAE_DDH; $\Pr[\widetilde{\mathrm{Bad}}] = \mathrm{negl}$
$$e_\ell \overset{G_2}{=} h_{i_\ell,1}^{r_{\ell 1}} \cdots h_{i_\ell,4}^{r_{\ell 4}} T^{m_\beta} = \big(g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}}\big)^{r_{\ell 1}} \cdots \big(g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}}\big)^{r_{\ell 4}} T^{m_\beta} \overset{G_3}{=} \tilde u_{\ell 1}^{-x_{i_\ell,1}} \tilde u_{\ell 2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell 7}^{-x_{i_\ell,4}} \tilde u_{\ell 8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \quad (32)$$

Thus G3 is the same as G2 and $\Pr_2[\mathrm{Succ}] = \Pr_3[\mathrm{Succ}]$.

Game G4. It is identical to G3 except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G4, in the case of $\beta = 1$, $(\tilde u_{\ell 1}, \ldots, \tilde u_{\ell 8})$ and $e_\ell$ are computed without the use of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$:

(i)
$$(\tilde u_{\ell 1}, \ldots, \tilde u_{\ell 8}) := \big(g_1^{r_{\ell 1}} T^{\sum_{i=1}^n a_{i1}},\; g_2^{r_{\ell 1}} T^{\sum_{i=1}^n b_{i1}},\; g_2^{r_{\ell 2}} T^{\sum_{i=1}^n a_{i2}},\; g_3^{r_{\ell 2}} T^{\sum_{i=1}^n b_{i2}},\; g_3^{r_{\ell 3}} T^{\sum_{i=1}^n a_{i3}},\; g_4^{r_{\ell 3}} T^{\sum_{i=1}^n b_{i3}},\; g_4^{r_{\ell 4}} T^{\sum_{i=1}^n a_{i4}},\; g_5^{r_{\ell 4}} T^{\sum_{i=1}^n b_{i4}}\big) \bmod N^s, \quad (33)$$

(ii)
$$e_\ell := h_{i_\ell,1}^{r_{\ell 1}} \cdots h_{i_\ell,4}^{r_{\ell 4}}\, T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{ij}(x_{i,j} - x_{i_\ell,j}) + b_{ij}(y_{i,j} - y_{i_\ell,j})\right) + c} \bmod N^s, \quad (34)$$

where $f_\ell = ((a_{i1}, b_{i1}, \ldots, a_{i4}, b_{i4})_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$. Note that
$$e_\ell \overset{G_4}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{ij}(x_{i,j} - x_{i_\ell,j}) + b_{ij}(y_{i,j} - y_{i_\ell,j})\right) + c}$$
$$= \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 (a_{ij} x_{i,j} + b_{ij} y_{i,j}) + c - \sum_{i=1}^n \sum_{j=1}^4 (a_{ij} x_{i_\ell,j} + b_{ij} y_{i_\ell,j})}$$
$$= \prod_{j=1}^4 \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell j}} \cdot T^{m_1 - \sum_{i=1}^n \sum_{j=1}^4 (a_{ij} x_{i_\ell,j} + b_{ij} y_{i_\ell,j})}$$
$$= \prod_{j=1}^4 \big(g_j^{r_{\ell j}} T^{\sum_{i=1}^n a_{ij}}\big)^{-x_{i_\ell,j}} \big(g_{j+1}^{r_{\ell j}} T^{\sum_{i=1}^n b_{ij}}\big)^{-y_{i_\ell,j}} \cdot T^{m_1}$$
$$= \tilde u_{\ell 1}^{-x_{i_\ell,1}} \tilde u_{\ell 2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell 7}^{-x_{i_\ell,4}} \tilde u_{\ell 8}^{-y_{i_\ell,4}} T^{m_1} \bmod N^s, \quad (35)$$
where the third equality follows from $m_1 = \sum_{i=1}^n (a_{i1} x_{i,1} + b_{i1} y_{i,1} + \cdots + a_{i4} x_{i,4} + b_{i4} y_{i,4}) + c$.
We analyze the difference between G3 and G4 via the following lemma.

Lemma 25. One has $|\Pr_3[\mathrm{Succ}] - \Pr_4[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\tilde u_{\ell 1}, \ldots, \tilde u_{\ell 8})$ is the same in G3 and G4. Therefore, the only divergence between G3 and G4 lies in $(\tilde u_{\ell 1}, \ldots, \tilde u_{\ell 8})$.

We show that any difference between G3 and G4 results in a PPT adversary B1 solving the IV5 problem. B1 is provided with $(N, g_1, \ldots, g_5)$ and has access to its $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle. B1 simulates game G3 or game G4 for A. Firstly, B1 prepares pars and generates $(\mathrm{pk}_i, \mathrm{sk}_i)$, $i \in [n]$, as in G3 and G4. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from A, where $f_\ell = ((a_{i1}, b_{i1}, \ldots, a_{i4}, b_{i4})_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$, B1 proceeds as follows: it queries its own $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle with $(\sum_{i=1}^n a_{i1}, \sum_{i=1}^n b_{i1}, *, *, *)$, $(*, \sum_{i=1}^n a_{i2}, \sum_{i=1}^n b_{i2}, *, *)$, $(*, *, \sum_{i=1}^n a_{i3}, \sum_{i=1}^n b_{i3}, *)$ and $(*, *, *, \sum_{i=1}^n a_{i4}, \sum_{i=1}^n b_{i4})$, where the symbol "$*$" denotes dummy messages. Then B1 obtains its challenges $(\tilde u_{\ell 1}, \tilde u_{\ell 2}, *, *, *)$, $(*, \tilde u_{\ell 3}, \tilde u_{\ell 4}, *, *)$, $(*, *, \tilde u_{\ell 5}, \tilde u_{\ell 6}, *)$ and $(*, *, *, \tilde u_{\ell 7}, \tilde u_{\ell 8})$, and neglects the "$*$" terms. According to the definition of the $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle, $(\tilde u_{\ell 1}, \ldots, \tilde u_{\ell 8})$ is one of the following:

Case 1 ($b = 0$): $(g_1^{r_{\ell 1}}, g_2^{r_{\ell 1}}, g_2^{r_{\ell 2}}, g_3^{r_{\ell 2}}, g_3^{r_{\ell 3}}, g_4^{r_{\ell 3}}, g_4^{r_{\ell 4}}, g_5^{r_{\ell 4}})$;
Case 2 ($b = 1$): $(g_1^{r_{\ell 1}} T^{\sum_{i=1}^n a_{i1}}, g_2^{r_{\ell 1}} T^{\sum_{i=1}^n b_{i1}}, g_2^{r_{\ell 2}} T^{\sum_{i=1}^n a_{i2}}, g_3^{r_{\ell 2}} T^{\sum_{i=1}^n b_{i2}}, g_3^{r_{\ell 3}} T^{\sum_{i=1}^n a_{i3}}, g_4^{r_{\ell 3}} T^{\sum_{i=1}^n b_{i3}}, g_4^{r_{\ell 4}} T^{\sum_{i=1}^n a_{i4}}, g_5^{r_{\ell 4}} T^{\sum_{i=1}^n b_{i4}})$.

Next, B1 uses the obtained $(\tilde u_{\ell 1}, \ldots, \tilde u_{\ell 8})$ and the secret keys to compute $e_\ell$ via (35) for A. In the meantime, B1 can also simulate decrypt for A, since it knows the secret keys. Finally, B1 outputs 1 if the event Succ occurs.

In Case 1, B1 simulates game G3 perfectly for A; in Case 2, B1 simulates game G4 perfectly for A. Any difference between $\Pr_3[\mathrm{Succ}]$ and $\Pr_4[\mathrm{Succ}]$ results in B1's advantage over the IV5 problem. Thus Lemma 25 follows.
Game G5. It is identical to G4 except for the following differences. In the initialize procedure of game G5, the challenger picks $r^* \leftarrow_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \ldots, \alpha_5 \leftarrow_\$ \mathbb{Z}_N$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell 1}, \ldots, u_{\ell 5})$ as follows:

(i) $(u_{\ell 1}, \ldots, u_{\ell 5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$.

The only difference between G4 and G5 is the distribution of $(u_{\ell 1}, \ldots, u_{\ell 5})$. In game G4, $(u_{\ell 1}, \ldots, u_{\ell 5}) = (g_1^{r_\ell}, \ldots, g_5^{r_\ell}) \bmod N^2$, while in game G5, $(u_{\ell 1}, \ldots, u_{\ell 5}) = ((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}) \bmod N^2$. Just like Lemma 25, any difference between G4 and G5 results in a PPT adversary solving the IV5 problem by invoking A. Therefore $|\Pr_4[\mathrm{Succ}] - \Pr_5[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathrm{GenN}}(\lambda)$.

Game G6. It is identical to G5 except for the following differences. In the initialize procedure of game G6, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell 1}, k_{\ell 2}, k_{\ell 3}, k_{\ell 4})$ and $(e_{\ell 1}, \ldots, e_{\ell 4})$ in a different way:

(i) Pick $\mathbf{s}_\ell = (s_{\ell 1}, s_{\ell 2}, s_{\ell 3}, s_{\ell 4}) \leftarrow_\$ (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell 1}, k_{\ell 2}, k_{\ell 3}, k_{\ell 4}) := (r_\ell k^*_1 + s_{\ell 1}, \ldots, r_\ell k^*_4 + s_{\ell 4})$.

(ii)
$$(e_{\ell 1}, \ldots, e_{\ell 4}) := \Big(h_{i_\ell,1}^{r^* r_\ell} T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell 1}}, \ldots, h_{i_\ell,4}^{r^* r_\ell} T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell 4}}\Big). \quad (36)$$

Clearly, $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like in game G5. In the meantime, for $j \in [4]$ we have
$$e_{\ell j} \overset{G_5}{=} u_{\ell j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell j}} = \big(g_j^{r^*} T^{\alpha_j}\big)^{-r_\ell \cdot x_{i_\ell,j}} \big(g_{j+1}^{r^*} T^{\alpha_{j+1}}\big)^{-r_\ell \cdot y_{i_\ell,j}} T^{k_{\ell j}} = \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r^* r_\ell} T^{k_{\ell j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \overset{G_6}{=} h_{i_\ell,j}^{r^* r_\ell} T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell j}} \bmod N^2. \quad (37)$$

Thus G6 is the same as G5 and $\Pr_5[\mathrm{Succ}] = \Pr_6[\mathrm{Succ}]$.

Game G7. It is identical to G6 except for the way the challenger answers the decrypt oracle queries $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$. In game G7, it uses $\mathrm{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathrm{ai}, \mathrm{aiaec} \rangle$, where $\mathrm{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \ldots, k_4)$ and $m$ in the following way:
(i)
$$(\alpha'_1, \ldots, \alpha'_5) := \Big(\frac{\mathrm{dlog}_T(u_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(u_5^{\phi(N)})}{\phi(N)}\Big) \bmod N,$$
$$(\gamma'_1, \ldots, \gamma'_4) := \Big(\frac{\mathrm{dlog}_T(e_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(e_4^{\phi(N)})}{\phi(N)}\Big) \bmod N,$$
$$\mathbf{k} = (k_1, \ldots, k_4) := \big(\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1, \ldots, \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4\big) \bmod N. \quad (38)$$

(ii)
$$\mathcal{E}c = (\tilde u_1, \ldots, \tilde u_8, e, t) / \bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}). \quad (39)$$

(iii)
$$(\tilde\alpha'_1, \ldots, \tilde\alpha'_8) := \Big(\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}\Big) \bmod N^{s-1}, \qquad \gamma := \frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)} \bmod N^{s-1},$$
$$m := \tilde\alpha'_1 x_{i,1} + \tilde\alpha'_2 y_{i,1} + \tilde\alpha'_3 x_{i,2} + \tilde\alpha'_4 y_{i,2} + \tilde\alpha'_5 x_{i,3} + \tilde\alpha'_6 y_{i,3} + \tilde\alpha'_7 x_{i,4} + \tilde\alpha'_8 y_{i,4} + \gamma \bmod N^{s-1}. \quad (40)$$

According to (8), for $j \in [4]$ we have that
$$k_j \overset{G_6}{=} \mathrm{dlog}_T\big(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}}\big) = \frac{\mathrm{dlog}_T\big((e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)}\big)}{\phi(N)} \bmod N = \frac{\mathrm{dlog}_T(u_j^{\phi(N) \cdot x_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N) \cdot y_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}$$
$$\overset{G_7}{=} \underbrace{\frac{\mathrm{dlog}_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}}_{\gamma'_j},$$
$$m \overset{G_6}{=} \mathrm{dlog}_T\big(e\, \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}}\big) \bmod N^{s-1}$$
$$\overset{G_7}{=} \underbrace{\frac{\mathrm{dlog}_T(\tilde u_1^{\phi(N)})}{\phi(N)}}_{\tilde\alpha'_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T(\tilde u_8^{\phi(N)})}{\phi(N)}}_{\tilde\alpha'_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)}}_{\gamma}. \quad (41)$$
Hence G7 is essentially the same as G6 and $\Pr_6[\mathrm{Succ}] = \Pr_7[\mathrm{Succ}]$.

Game G8. It is identical to G7 except for the way of answering the decrypt oracle queries $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:

(i) If $\alpha'_1 \neq 0 \vee \cdots \vee \alpha'_5 \neq 0 \vee \tilde\alpha'_1 \neq 0 \vee \cdots \vee \tilde\alpha'_8 \neq 0$, output $\bot$.

Denote by Bad the event that A ever queries the decrypt oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying
$$e_1 u_1^{x_{i,1}} u_2^{y_{i,1}}, \ldots, e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathrm{RU}_{N^2} \ \text{ and }\ \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) \neq \bot, \quad (42)$$
$$\text{and } e\, \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}} \in \mathrm{RU}_{N^s} \ \text{ and }\ t = g_1^m \bmod N, \quad (43)$$
$$\text{and } \big(\alpha'_1 \neq 0 \vee \cdots \vee \alpha'_5 \neq 0 \vee \tilde\alpha'_1 \neq 0 \vee \cdots \vee \tilde\alpha'_8 \neq 0\big). \quad (44)$$
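As an added example (not code from the paper), the following Python walks through the KEM part of Figure 8 with constructed toy parameters ($p = 47$, $q = 59$, $s = 2$) and contrasts the honest decryption of Figure 8 with the $\phi(N)$-based decryption of (38) and (41) and the rejection rule of G8: a $u_j$ carrying a $T$-component is accepted by the Figure 8 decryptor, which then returns a key shifted by $\delta \cdot x_{i,j}$ (the key-dependent situation behind $\mathrm{Bad}'$), whereas the G7 decryptor sees $\alpha'_j \neq 0$ and the G8 rule rejects. The function names and the helper `inject_T_component` are my own.

```python
# Added example (not the paper's code): a toy-parameter walk-through of the DCR-based
# KEM of Figure 8 and of the phi(N)-based decryption used in games G7/G8 of the proof
# of Theorem 24.  s = 2 throughout, so all values live in Z*_{N^2} and T = 1 + N.
# The primes are constructed toy values; nothing at this size is secure.
import random
from math import gcd

P, Q = 47, 59                 # constructed toy safe primes (23 and 29 are Sophie Germain primes)
N = P * Q                     # N = 2773; gcd(phi(N), N) = 1, as needed for phi_dlog below
N2 = N * N
PHI = (P - 1) * (Q - 1)       # phi(N) = 4 * 23 * 29
T = 1 + N                     # T = 1 + N has order N in Z*_{N^2}, with T^k = 1 + kN mod N^2


def dlog_T(x):
    """Discrete log base T of x in RU_{N^2} = {1 + kN mod N^2}; for s = 2 this is (x - 1) / N."""
    if x % N != 1:
        raise ValueError("not in RU_{N^2}")
    return ((x - 1) // N) % N


def random_scr(rng):
    """Random element of SCR_{N^2}, the 2N-th residues mod N^2 (a subgroup of order phi(N)/4)."""
    while True:
        a = rng.randrange(2, N2)
        if gcd(a, N) == 1:
            return pow(a, 2 * N, N2)


def keygen(rng):
    """KeyGen of Figure 8 (KEM part): g_1..g_5 in SCR_{N^2}, sk = (x_1, y_1, ..., x_4, y_4),
    pk = (h_1..h_4) with h_j = g_j^{-x_j} g_{j+1}^{-y_j} mod N^2."""
    g = [random_scr(rng) for _ in range(5)]
    sk = [rng.randrange(N2 // 4) for _ in range(8)]
    h = [pow(g[j], -sk[2 * j], N2) * pow(g[j + 1], -sk[2 * j + 1], N2) % N2 for j in range(4)]
    return g, h, sk


def kem_encrypt(g, h, rng):
    """KEM.Encrypt: ai = (u_1..u_5, e_1..e_4) with u_j = g_j^r and e_j = h_j^r T^{k_j} mod N^2."""
    k = [rng.randrange(N) for _ in range(4)]
    r = rng.randrange(1, N // 4)
    u = [pow(gj, r, N2) for gj in g]
    e = [pow(h[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return k, (u, e)


def kem_decrypt(sk, ai):
    """KEM.Decrypt of Figure 8: k_j = dlog_T(e_j u_j^{x_j} u_{j+1}^{y_j}) mod N, or None for ⊥."""
    u, e = ai
    k = []
    for j in range(4):
        v = e[j] * pow(u[j], sk[2 * j], N2) * pow(u[j + 1], sk[2 * j + 1], N2) % N2
        if v % N != 1:        # e_j u_j^{x_j} u_{j+1}^{y_j} is not in RU_{N^2}: reject
            return None
        k.append(dlog_T(v))
    return k


def phi_dlog(x):
    """dlog_T(x^{phi(N)}) / phi(N) mod N, the quantity behind alpha'_j and gamma'_j in (38).
    Raising to phi(N) annihilates the SCR_{N^2} component of x and leaves only its T-exponent."""
    return dlog_T(pow(x, PHI, N2)) * pow(PHI, -1, N) % N


def kem_decrypt_g7(sk, ai, g8_rule=True):
    """Decryption of game G7, equation (38): k_j = alpha'_j x_j + alpha'_{j+1} y_j + gamma'_j mod N.
    With g8_rule the extra rejection of game G8 is applied: output ⊥ if some alpha'_j != 0,
    i.e. if some u_j lies outside SCR_{N^2} (the event Bad')."""
    u, e = ai
    alpha = [phi_dlog(uj) for uj in u]        # alpha'_1..alpha'_5
    gamma = [phi_dlog(ej) for ej in e]        # gamma'_1..gamma'_4
    if g8_rule and any(a != 0 for a in alpha):
        return None
    return [(alpha[j] * sk[2 * j] + alpha[j + 1] * sk[2 * j + 1] + gamma[j]) % N for j in range(4)]


def inject_T_component(ai, j, delta):
    """Constructed malformed ai (hypothetical helper): u_j is multiplied by T^delta, so it leaves
    SCR_{N^2}.  Figure 8's decryptor still accepts it and returns k_j + delta * x_j mod N, a key
    that depends on the secret key; the G8 rule rejects it because alpha'_j = delta != 0."""
    u, e = ai
    u2 = list(u)
    u2[j] = u2[j] * pow(T, delta, N2) % N2
    return (u2, e)


def run_demo(seed=7, delta=5):
    """Honest and tampered decryption side by side; returns the values the self-check compares."""
    rng = random.Random(seed)
    g, h, sk = keygen(rng)
    k, ai = kem_encrypt(g, h, rng)
    bad = inject_T_component(ai, 0, delta)
    return {
        "k": k,
        "honest": kem_decrypt(sk, ai),
        "honest_g7": kem_decrypt_g7(sk, ai),
        "tampered": kem_decrypt(sk, bad),
        "tampered_expected": [(k[0] + delta * sk[0]) % N] + k[1:],
        "tampered_g7_no_rule": kem_decrypt_g7(sk, bad, g8_rule=False),
        "tampered_g8": kem_decrypt_g7(sk, bad),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```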
Obviously G8 is identical to G7 unless Bad occurs Thus|Pr7[Succ] minus Pr8[Succ]| le Pr8[Bad]To show the computational indistinguishability ofG7 and
G8 wemust prove that Pr8[Bad] is negligible To this endBadis divided into two subevents
(i) Bad1015840 A ever queries the decrypt oracle with (⟨aiaiaec⟩ 119894 isin [119899]) satisfying
Conditions (42) (43) and (12057210158401 = 0 or sdot sdot sdot or 12057210158405 = 0) (45)
(ii) Bad A ever queries the decrypt oracle with (⟨aiaiaec⟩ 119894 isin [119899]) satisfyingConditions (42) (43) and (12057210158401 = sdot sdot sdot = 12057210158405 = 0)and (1 = 0 or sdot sdot sdot or 8 = 0) (46)
Obviously Pr8[Bad] le Pr8[Bad1015840] + Pr8[Bad] We will deferthe analysis of Pr8[Bad] to subsequent games Through thefollowing lemma we provide the analysis of Pr8[Bad1015840]Lemma 26 One has Pr8[Bad1015840] le 2119876119889 sdot Advweak-int-rkaAIAEDDH
(120582)
18 Security and Communication Networks
Proof. In decrypt of game $\mathrm{G}_8$ the challenger replies $\perp$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\tilde\alpha_1 = \cdots = \tilde\alpha_8 = 0$. Consequently the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, together with the value of $\phi(N)$, is enough for answering decrypt queries. In particular, the values $(x_1, y_1, \dots, x_4, y_4) \bmod N$ (recall that $x_{i,j} = x_j + \bar x_{i,j}$ and $y_{i,j} = y_j + \bar y_{i,j}$) are not necessary in decrypt.

$\mathrm{Bad}'$ is further divided into the following two subevents:

(i) $\mathrm{Bad}'\text{-}1$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying Conditions (42), (43) and $(\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0)$ and $(\exists j \in [4]:\ \alpha'_j/\alpha_j \neq \alpha'_{j+1}/\alpha_{j+1} \bmod N)$. (47)

(ii) $\mathrm{Bad}'\text{-}2$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying Conditions (42), (43) and $(\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0)$ and $(\alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \bmod N)$. (48)

Recall that $(\alpha_1, \dots, \alpha_5)$ are chosen in initialize. We consider the two subevents in game $\mathrm{G}_8$ separately via the following two claims.

Claim 27. One has $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. In game $\mathrm{G}_8$ the values $(x_1, y_1, \dots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \dots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$ in encrypt, which may leak the values $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$, since for $j \in [4]$

$e_{\ell,j} = h_{i_\ell,j}^{\,r^* r_\ell}\; T^{\,r_\ell\cdot(k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2$
$= h_{i_\ell,j}^{\,r^* r_\ell}\; T^{\,r_\ell\cdot(\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{\triangleq\, \hat k_j} - \alpha_j \bar x_{i_\ell,j} - \alpha_{j+1} \bar y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.$ (49)

If $\mathrm{Bad}'\text{-}1$ occurs, say for concreteness that $\alpha'_1/\alpha_1 \neq \alpha'_2/\alpha_2 \bmod N$, then

$k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar x_{i,1} + \alpha'_2 \bar y_{i,1} + \gamma'_1 \bmod N,$ (50)

where $(\alpha'_1, \alpha'_2)$ is not a multiple of $(\alpha_1, \alpha_2)$ modulo $N$, so $\alpha'_1 x_1 + \alpha'_2 y_1 \bmod N$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$ and $k_1$ is uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ with $k_1 \leftarrow_\$ \mathbb{Z}_N$, the probability that $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \perp$ is upper bounded by $\mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound over the $Q_d$ decryption queries.

Claim 28. One has $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game $\mathrm{G}_8$ the only information about $(x_1, y_1, \dots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values $\hat k_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\hat k_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\hat k_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\hat k_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \dots, s_{\ell,4})$ as the encryption key of $\mathrm{AIAE.Encrypt}$.

Note that because of the randomness of $(x_1, y_1, \dots, x_4, y_4) \bmod N$, $(\hat k_1, \hat k_2, \hat k_3, \hat k_4)$ is uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm that simulates decrypt and encrypt of game $\mathrm{G}_8$ without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and without $(x_1, y_1, \dots, x_4, y_4) \bmod N$. The algorithm can also simulate $\mathrm{AIAE.Encrypt}$ as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA encryption oracle of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathsf{pars}_{\mathrm{AIAE}})$, which has access to the $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathsf{pars}_{\mathrm{AIAE}} = (N, p, q, \dots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more; it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \dots, x_4, y_4) \bmod N$ either; instead it chooses $\hat{\mathbf{k}} = (\hat k_1, \hat k_2, \hat k_3, \hat k_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar x_{i,1}, \bar y_{i,1}, \dots, \bar x_{i,4}, \bar y_{i,4}) \in [\lfloor N/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(\bar x_{i_\ell,j}, \bar y_{i_\ell,j}, \hat k_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathcal{E}.c_\ell, \mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \dots, s_{\ell,4})\rangle)$ to its own $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle and obtains $\mathsf{aiae.c}_\ell$. The final ciphertext is $\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell\rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security game, the $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle encrypts $\mathcal{E}.c_\ell$ with the auxiliary input $\mathsf{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$; that is, the $\mathrm{encrypt}_{\mathrm{AIAE}}$ oracle behaves as $\mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.c_\ell, \mathsf{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to $\mathrm{G}_8$. For decrypt, $\mathcal{B}_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like $\mathrm{G}_8$.

Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ such that $\mathrm{Bad}'\text{-}2$ occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$

$k_j = \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N$
$= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N$
$= r \cdot k^*_j - r \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{=\, \hat k_j} - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j \bmod N$
$= r \cdot k^*_j + \underbrace{\big(-\,r \cdot (\hat k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j\big)}_{\triangleq\, s_j} = r \cdot k^*_j + s_j \bmod N.$ (51)

Thus $\mathbf{k} = (k_1, \dots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \dots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \dots, s_4)\rangle$ as above using $(\bar x_{i,j}, \bar y_{i,j}, \hat k_j)_{j=1}^4$, and outputs $(\mathsf{ai}, \langle r, \mathbf{s}\rangle, \mathsf{aiae.c})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathsf{ai}, \mathsf{aiae.c}\rangle \neq \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell\rangle$ for all $\ell \in [Q_e]$; thus $(\mathsf{ai}, \langle r, \mathbf{s}\rangle, \mathsf{aiae.c}) \neq (\mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell\rangle, \mathsf{aiae.c}_\ell)$ holds for all $\ell \in [Q_e]$, that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \dots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\hat k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -\,r \cdot (\hat k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then $\langle r, \mathbf{s}\rangle = \langle r_\ell, \mathbf{s}_\ell\rangle$. Obviously this satisfies the special rule required for weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.

(iii) Finally, if $\mathrm{Bad}'\text{-}2$ occurs in this decryption query, then $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \perp$ with $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, which implies that $\mathcal{B}_2$'s forgery is successful.

By a union bound over the $Q_d$ decryption queries, we have $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.

Game $\mathrm{G}_9$. It is identical to $\mathrm{G}_8$ except for the following differences. In the initialize procedure of game $\mathrm{G}_9$, the challenger picks an independent $\tilde{\mathbf{k}}^* = (\tilde k^*_1, \tilde k^*_2, \tilde k^*_3, \tilde k^*_4) \leftarrow_\$ (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathrm{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathsf{aiae.c}_\ell$:

(i) $\mathbf{k}_\ell := (r_\ell \tilde k^*_1 + s_{\ell,1}, \dots, r_\ell \tilde k^*_4 + s_{\ell,4})$;
(ii) $\mathsf{aiae.c}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.c_\ell, \mathsf{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$.

In $\mathrm{G}_8$ the only place that involves the value of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$

$e_{\ell,j} = h_{i_\ell,j}^{\,r^* r_\ell}\; T^{\,r_\ell\cdot(k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} = h_{i_\ell,j}^{\,r^* r_\ell}\; T^{\,r_\ell\cdot(k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar x_{i_\ell,j} - \alpha_{j+1} \bar y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.$ (52)

Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. Moreover, neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Therefore the challenger could always employ another $\tilde{\mathbf{k}}^* = (\tilde k^*_1, \dots, \tilde k^*_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption in the encrypt oracle, as in $\mathrm{G}_9$.

Then game $\mathrm{G}_8$ and game $\mathrm{G}_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathrm{Succ}] = \Pr_9[\mathrm{Succ}]$ and $\Pr_8[\mathrm{Bad}''] = \Pr_9[\mathrm{Bad}'']$.

Game $\mathrm{G}_{10}$. It is identical to $\mathrm{G}_9$ except for the way the challenger answers the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $\mathrm{G}_{10}$ the challenger computes $\mathsf{aiae.c}_\ell$ in the following way:

(i) $\mathsf{aiae.c}_\ell \leftarrow_\$ \mathrm{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathsf{ai}_\ell)$.

Observe that in $\mathrm{G}_9$ and $\mathrm{G}_{10}$, $\tilde{\mathbf{k}}^*$ is employed only in the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption, which uses $\mathbf{k}_\ell = r_\ell \cdot \tilde{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key, with $\mathbf{s}_\ell = (s_{\ell,1}, \dots, s_{\ell,4})$. Any difference between $\mathrm{G}_9$ and $\mathrm{G}_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathrm{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathrm{Succ}] - \Pr_{10}[\mathrm{Succ}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\mathrm{Bad}''] - \Pr_{10}[\mathrm{Bad}'']| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in $\mathrm{G}_{10}$ the challenger always computes the $\mathrm{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathrm{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.

Lemma 29. One has $\Pr_{10}[\mathrm{Bad}''] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda)$.

Proof. In $\mathrm{G}_{10}$ neither decrypt nor encrypt uses the values of $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g\, g_j \bmod \phi(N)/4$ for some base $g \in \mathrm{SCR}_{N^s}$, $j \in [5]$.
$\mathrm{Bad}''$ is further divided into the following two disjoint subevents:

(i) $\mathrm{Bad}''\text{-}1$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying Conditions (42), (43) and $(\alpha'_1 = \cdots = \alpha'_5 = 0)$ and $(\tilde\alpha_1 \neq 0$ or $\cdots$ or $\tilde\alpha_8 \neq 0)$ and $\big(\tilde\alpha_1/w_1 \neq \tilde\alpha_2/w_2$ or $\tilde\alpha_3/w_2 \neq \tilde\alpha_4/w_3$ or $\tilde\alpha_5/w_3 \neq \tilde\alpha_6/w_4$ or $\tilde\alpha_7/w_4 \neq \tilde\alpha_8/w_5\big)$. (53)

(ii) $\mathrm{Bad}''\text{-}2$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying Conditions (42), (43) and $(\alpha'_1 = \cdots = \alpha'_5 = 0)$ and $(\tilde\alpha_1 \neq 0$ or $\cdots$ or $\tilde\alpha_8 \neq 0)$ and $\big(\tilde\alpha_1/w_1 = \tilde\alpha_2/w_2$ and $\tilde\alpha_3/w_2 = \tilde\alpha_4/w_3$ and $\tilde\alpha_5/w_3 = \tilde\alpha_6/w_4$ and $\tilde\alpha_7/w_4 = \tilde\alpha_8/w_5\big)$. (54)

We analyze the two subevents in game $\mathrm{G}_{10}$ separately via the following two claims.

Claim 30. One has $\Pr_{10}[\mathrm{Bad}''\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Proof. If $\mathrm{Bad}''\text{-}1$ occurs, say for concreteness that $\tilde\alpha_1/w_1 \neq \tilde\alpha_2/w_2$, then

$g_1^{m} = g_1^{\tilde\alpha_1 x_{i,1} + \tilde\alpha_2 y_{i,1} + \cdots} = g_1^{\tilde\alpha_1 x_1 + \tilde\alpha_2 y_1 + \tilde\alpha_1 \bar x_{i,1} + \tilde\alpha_2 \bar y_{i,1} + \cdots \bmod \phi(N)/4} \bmod N,$ (55)

and $(\tilde\alpha_1 x_1 + \tilde\alpha_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$, the only information about $(x_1, y_1) \bmod \phi(N)/4$ available to $\mathcal{A}$. Thus $g_1^{m} \bmod N$ is uniformly distributed over the subgroup generated by $g_1$ from $\mathcal{A}$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound over the $Q_d$ decryption queries, $\Pr_{10}[\mathrm{Bad}''\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Claim 31. One has $\Pr_{10}[\mathrm{Bad}''\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $\mathrm{G}_{10}$, if $\mathrm{Bad}''\text{-}2$ occurs then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ that computes the discrete logarithm of $h$ to the base $g$, where $g, h \in \mathrm{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$; then $g_j$ is uniformly distributed over $\mathrm{SCR}_{N^s}$. Next $\mathcal{B}_3$ samples secret keys and computes public keys in the same way as initialize in $\mathrm{G}_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $\mathrm{G}_{10}$ does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g\, h \bmod \phi(N)/4$, then for $j \in [5]$

$w_j = \mathrm{dlog}_g\, g_j = z_j + w z'_j \bmod \phi(N)/4.$

If $\mathrm{Bad}''\text{-}2$ occurs in decrypt, say for concreteness that $\tilde\alpha_1/w_1 = \tilde\alpha_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{\tilde\alpha_1} = g_1^{\tilde\alpha_2} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $\tilde\alpha_1 w_2 = \tilde\alpha_2 w_1 \bmod \phi(N)/4$, or equivalently

$\tilde\alpha_1 z_2 + w\,\tilde\alpha_1 z'_2 = \tilde\alpha_2 z_1 + w\,\tilde\alpha_2 z'_1 \bmod \phi(N)/4.$ (56)

Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(\tilde\alpha_1 z'_2 - \tilde\alpha_2 z'_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ succeeds in computing the discrete logarithm of $h$ to the base $g$ and outputs $w = (\tilde\alpha_1 z'_2 - \tilde\alpha_2 z'_1)^{-1} \cdot (\tilde\alpha_2 z_1 - \tilde\alpha_1 z_2) \bmod \phi(N)/4$ to its challenger. Clearly we have $\Pr_{10}[\mathrm{Bad}''\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathrm{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we have proved the $n$-KDM$[\mathcal{F}_{\mathrm{aff}}]$-CCA security. This completes the proof of Theorem 24.

5. PKE with n-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM$[\mathcal{F}_{\mathrm{aff}}]$-CCA secure PKE to that of $n$-KDM$[\mathcal{F}^d_{\mathrm{poly}}]$-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], that is, polynomial-sized circuits computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of the modular arithmetic circuits; the only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathrm{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM$[\mathcal{F}_{\mathrm{aff}}]$-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM; that is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \dots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \dots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of 8n Variables to Polynomials of 8 Variables

How to Reduce the 8n-Variable Polynomial $f_\ell$. In the $n$-KDM$[\mathcal{F}^d_{\mathrm{poly}}]$-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathsf{sk}_i$ can be computed as $x_{i,j} := x_j + \bar x_{i,j}$ and $y_{i,j} := y_j + \bar y_{i,j} \bmod \lfloor N/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. Using the shifts $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$, all of $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$; that is,

$x_{i,j} = x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j}.$ (57)

Consequently $f_\ell$ in the $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in the 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$; that is,

$f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) = f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) = f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big)$
$= \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \dots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}.$ (58)

The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ are completely determined by $f_\ell$ and the shifts $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ Efficiently, Using Only $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$, we repeat the following procedure:

(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly at random.
(ii) Feed the modular arithmetic circuit (which computes $f_\ell$) with $(x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j},\ y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.

Each repetition yields one linear equation in the unknown coefficients,

$f_\ell\big((x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j},\ y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \dots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8},$ (59)

so after about $\binom{8+d}{8} = \Theta(d^8)$ repetitions all the coefficients $a_{(c_1, \dots, c_8)}$ can be extracted by solving the resulting linear system of equations. The overall time complexity for computing the coefficients $a_{(c_1, \dots, c_8)}$ is polynomial in $\lambda$.
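The reduction of Section 5.2 carried out in code, as an added example that is not part of the paper: the $8n$-variable polynomial is available only as a black box (standing in for the modular arithmetic circuit), the shifts play the role of $(\bar x_{i,j}, \bar y_{i,j})$, and the coefficients of $f'_\ell$ are recovered by evaluating the circuit at $\binom{8+d}{8}$ random points and solving the linear system (59). Two assumptions are mine: the arithmetic is done modulo a prime (so that every pivot in the elimination is a unit; the scheme itself computes modulo $N$, where the same elimination works whenever the pivots happen to be units, which holds with overwhelming probability for random points), and the sample polynomial $f$ inside `demo` is constructed for the test.

```python
# Added example, not from the paper: recover the 8-variable polynomial f'_l
# from a black-box 8n-variable polynomial f_l and the shifts, as in Section 5.2.
import random
from itertools import product

MOD = (1 << 31) - 1   # assumption: a prime modulus so every pivot is a unit;
                      # the paper's circuits compute modulo N instead
NV = 8                # variables per user: (x_1, y_1, ..., x_4, y_4)

def exponent_tuples(d, nv=NV):
    """All degree tuples c = (c_1, ..., c_nv) with c_1 + ... + c_nv <= d,
    i.e. one entry per monomial of total degree at most d (C(nv+d, nv) of them)."""
    return [c for c in product(range(d + 1), repeat=nv) if sum(c) <= d]

def eval_monomial(c, pt):
    """x_1^{c_1} * ... * x_nv^{c_nv} at the point pt, modulo MOD."""
    r = 1
    for ci, v in zip(c, pt):
        r = r * pow(v, ci, MOD) % MOD
    return r

def solve_mod(A, b):
    """Gauss-Jordan elimination of A*a = b over Z_MOD (square, full rank)."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, MOD)
        M[col] = [v * inv % MOD for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                fac = M[r][col]
                M[r] = [(vr - fac * vc) % MOD for vr, vc in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]

def shifted_keys(pt, shifts, target):
    """Equation (57): every user's key written as the target user's key plus a known shift."""
    return [[(pt[j] + shifts[i][j] - shifts[target][j]) % MOD for j in range(NV)]
            for i in range(len(shifts))]

def reduce_to_user(f, shifts, target, d, rng):
    """Coefficients a_c of f'_l(sk_target) = f_l(sk_1, ..., sk_n), found by
    evaluating the circuit at C(8+d, 8) random points and solving (59)."""
    mons = exponent_tuples(d)
    A, b = [], []
    for _ in range(len(mons)):
        pt = [rng.randrange(MOD) for _ in range(NV)]
        A.append([eval_monomial(c, pt) for c in mons])
        b.append(f(shifted_keys(pt, shifts, target)) % MOD)
    return dict(zip(mons, solve_mod(A, b)))

def eval_poly(coeffs, pt):
    return sum(a * eval_monomial(c, pt) for c, a in coeffs.items()) % MOD

def demo(seed=1, n=3, d=2, target=2):
    """Returns (f' agrees with f on a fresh point, number of nonzero coefficients)."""
    rng = random.Random(seed)
    shifts = [[rng.randrange(MOD) for _ in range(NV)] for _ in range(n)]

    def f(sk):  # constructed black-box polynomial in all 8n key entries, degree 2
        return (7 * sk[0][0] * sk[2][5] + 3 * sk[1][3] * sk[1][3] + sk[2][1] + 11) % MOD

    coeffs = reduce_to_user(f, shifts, target, d, rng)
    pt = [rng.randrange(MOD) for _ in range(NV)]
    ok = eval_poly(coeffs, pt) == f(shifted_keys(pt, shifts, target))
    return ok, sum(1 for a in coeffs.values() if a)
```

For $d = 2$ the system has $\binom{10}{8} = 45$ unknowns; the sample $f$ touches keys of three users, and after the shift substitution its $f'$ in the target user's 8 variables has six nonzero coefficients (the products $x_1 y_3$, the squares and the cross terms that the shifts create, and a constant). Nothing about the target user's actual key is needed, only the shifts, which is the point of the reduction.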
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,

$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}.$ (60)

Algorithms $\mathcal{E}.\mathrm{Encrypt}$ and $\mathcal{E}.\mathrm{Decrypt}$ are shown in Figure 9.

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial function, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that of Theorem 24 (cf. Table 2). The only difference lies in games $\mathrm{G}_3$-$\mathrm{G}_4$, which are related to the building block $\mathcal{E}$. Next we replace $\mathrm{G}_3$-$\mathrm{G}_4$ with the following hybrids (i.e., Hybrid 1 to Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathrm{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathrm{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure the secret keys are computed as $x_{i,j} := x_j + \bar x_{i,j}$ and $y_{i,j} := y_j + \bar y_{i,j} \bmod \lfloor N/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathrm{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that

$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}.$ (61)

Hybrid 2. Implement $\mathcal{E}.\mathrm{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathrm{G}_3$ in the proof of Theorem 24.

(i) Invoke $\mathcal{E}.\mathrm{Encrypt}$ to set up $\mathsf{table}$.
(ii) Invoke $\mathcal{E}.\mathrm{Decrypt}$ to compute $\tilde v_0, \dots, \tilde v_8$ from $\mathsf{table}$.
(iii) Employ $\tilde v_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Clearly $\tilde v_0, \dots, \tilde v_8$ computed via $\mathcal{E}.\mathrm{Decrypt}$ are the same as $v_0, \dots, v_8$ computed via $\mathcal{E}.\mathrm{Encrypt}$. Therefore this is just a conceptual change.
Figure 9: $\mathcal{E}$ designed for the concrete type of monomial function $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$.

$\mathcal{E}.\mathrm{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$: For $l \in \{0, 1, \dots, 8\}$: $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_{l,1}, \dots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$; $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. $\mathsf{table}$ has 9 rows: row $0$ is $(u_{0,1}, \dots, u_{0,8})$, and row $l$ ($l \in [8]$) is $(u_{l,1}, \dots, u_{l,8})$ with the entry in column $l$ replaced by $\tilde u_{l,l} := u_{l,l} \cdot v_{l-1}$ (so each title $v_{l-1}$ is folded into the next row). $e := v_8 \cdot T^{m} \bmod N^s$; $t := g_1^{m} \bmod N \in \mathbb{Z}_N$. Output $\mathcal{E}.c = (\mathsf{table}, e, t)$.

$\mathcal{E}.\mathrm{Decrypt}(\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4), \mathcal{E}.c)$: Parse $\mathcal{E}.c = (\mathsf{table}, e, t)$ and compute the titles row by row:
$\tilde v_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$;
$\tilde v_1 := (\tilde u_{1,1}/\tilde v_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$;
$\tilde v_2 := u_{2,1}^{-x_1} (\tilde u_{2,2}/\tilde v_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$;
$\ \vdots$
$\tilde v_8 := u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (\tilde u_{8,8}/\tilde v_7)^{-y_4}$ (all mod $N^s$).
If $e/\tilde v_8 \in \mathrm{RU}_{N^s}$: $m := \mathrm{dlog}_T(e/\tilde v_8) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$ output $m$. Otherwise output $\perp$.

Figure 10: Security proof of $\mathcal{E}.\mathrm{Encrypt}$ as an entropy filter for the concrete monomial $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The four columns (Hybrid 1, Hybrid 2, Hybrid 3, Hybrid 3 in equivalent form) show $\mathcal{E}.\mathrm{Encrypt}(f'_\ell, i_\ell \in [n])$ with the table of Figure 9: from Hybrid 3 on, the row-1/column-1 entry $u_{1,1} \cdot v_0$ is replaced by $(u_{1,1} T^{a}) \cdot v_0$; the titles $\tilde v_0, \dots, \tilde v_8$ are recomputed via $\mathcal{E}.\mathrm{Decrypt}$ (Hybrids 2 and 3); $e$ is $v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$ (Hybrid 1), $\tilde v_8 \cdot T^{f'_\ell(\cdot)}$ (Hybrids 2 and 3) or simply $v_8 \bmod N^s$ (equivalent form); and $t = g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N \in \mathbb{Z}_N$ throughout.

Hybrid 3. This hybrid corresponds to $\mathrm{G}_4$ in the proof of Theorem 24.

(i) $\mathsf{table}$ is computed similarly to that in $\mathcal{E}.\mathrm{Encrypt}$, except for a small difference. More precisely, in $\mathsf{table}$ the entry located in row 1 and column 1 is now computed as $\tilde u_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ rather than $\tilde u_{1,1} = u_{1,1} \cdot v_0$. By the $\mathrm{IV}_5$ assumption this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathrm{Decrypt}$ to compute $\tilde v_0, \dots, \tilde v_8$ from $\mathsf{table}$.
(iii) Compute $e := \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation (each title $\tilde v_l$ divides out $\tilde v_{l-1}$ from the diagonal entry and then raises it to the next secret-key exponent, so the $T^{a}$ planted in row 1 picks up one more factor $x_{i_\ell,j}$ or $y_{i_\ell,j}$ per row), we have

$\tilde v_0 = v_0,\quad \tilde v_1 = v_1 \cdot T^{-a x_{i_\ell,1}},\quad \tilde v_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}},\quad \dots,\quad \tilde v_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})},$

hence $e = \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) $\mathsf{table}$ is computed similarly to that in $\mathcal{E}.\mathrm{Encrypt}$, except for a small difference. More precisely, the entry located in row 1 and column 1 in $\mathsf{table}$ is now computed as $\tilde u_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ rather than $\tilde u_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathrm{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathrm{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $\mathrm{G}_7$-$\mathrm{G}_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathsf{table}$ are elements of $\mathrm{SCR}_{N^s}$; if this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \dots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathrm{Bad}]$ in the proof of Theorem 24.
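A toy instance of the entropy filter $\mathcal{E}$ of Figure 9 and of the two proof devices discussed above, as an added example that is not part of the paper: the $T$-component test $\mathrm{dlog}_T(u^{\phi(N)})\,\phi(N)^{-1}$ behind the rejection rule of $\mathrm{G}_8$ (equation (41), Section 4), and the $T^{a}$ shift of Hybrid 3 (Figure 10) that turns $\tilde v_8$ into $v_8 \cdot T^{-a x_1 y_1 \cdots x_4 y_4}$ so that $e := v_8$ encrypts the monomial without touching the secret key. Parameters are constructed toy values: $s = 2$, safe primes $p = 23$, $q = 59$ chosen so that $\gcd(\phi(N), N) = 1$ and $2N$ is coprime to $p'q'$ (assumptions of this toy, needed for the inverses used); the $t = g_1^{m}$ check of $\mathcal{E}.\mathrm{Decrypt}$ is left out, and all function and variable names are mine.

```python
# Added example, not from the paper: a toy instance of the entropy filter E of
# Figure 9 for the monomial a*x_1*y_1*x_2*y_2*x_3*y_3*x_4*y_4, plus the T-component
# test of game G8 and the T^a shift of Hybrid 3 (Figure 10). Toy parameters only.
import random
from math import gcd

P, Q = 23, 59                   # constructed safe primes p = 2*11+1, q = 2*29+1
N, N2 = P * Q, (P * Q) ** 2     # s = 2: everything lives in Z*_{N^2}
T = N + 1                       # T generates RU_{N^2} = {c : c = 1 mod N}, T^m = 1 + mN
PHI = (P - 1) * (Q - 1)         # phi(N) = 4 p'q'; SCR_{N^2} has order p'q' = PHI/4

def dlog_T(c):
    """dlog_T(c) for c in RU_{N^2}: (1 + N)^m = 1 + mN mod N^2, so m = (c-1)/N."""
    assert c % N == 1, "argument is not in RU_{N^2}"
    return ((c - 1) // N) % N

def t_part(u):
    """T-component of u: dlog_T(u^{phi(N)}) * phi(N)^{-1} mod N, as in (41).
    Raising to phi(N) kills the SCR part; decrypt in G8 rejects if this is nonzero."""
    return dlog_T(pow(u, PHI, N2)) * pow(PHI, -1, N) % N

def rand_scr(rng):
    """Uniform element of SCR_{N^2} = {x^{2N} mod N^2}."""
    while True:
        x = rng.randrange(2, N2)
        if gcd(x, N) == 1:
            return pow(x, 2 * N, N2)

def keygen(rng):
    g = [rand_scr(rng) for _ in range(5)]              # g_1, ..., g_5
    x = [rng.randrange(1, N // 4) for _ in range(4)]   # x_1, ..., x_4
    y = [rng.randrange(1, N // 4) for _ in range(4)]   # y_1, ..., y_4
    h = [pow(g[j], -x[j], N2) * pow(g[j + 1], -y[j], N2) % N2 for j in range(4)]
    return g, h, x, y

# Column c of a row is g_{G[c]}^{r_{R[c]}}: (g1^r1, g2^r1, g2^r2, g3^r2, ..., g4^r4, g5^r4)
COL_G = [0, 1, 1, 2, 2, 3, 3, 4]
COL_R = [0, 0, 1, 1, 2, 2, 3, 3]

def make_row(g, h, rng):
    """One row (u_{l,1..8}) and its title v_l = h_1^{r_1} ... h_4^{r_4}."""
    r = [rng.randrange(1, N // 4) for _ in range(4)]
    u = [pow(g[COL_G[c]], r[COL_R[c]], N2) for c in range(8)]
    v = 1
    for j in range(4):
        v = v * pow(h[j], r[j], N2) % N2
    return u, v

def e_encrypt(g, h, m, rng, shift=0):
    """E.Encrypt of Figure 9. shift = a additionally multiplies u_{1,1} by T^a
    (the Hybrid 3 change of Figure 10). Returns (table, e, titles v_0..v_8)."""
    rows, titles = zip(*[make_row(g, h, rng) for _ in range(9)])
    table = [list(row) for row in rows]
    for l in range(1, 9):                      # entry (l, l) becomes u_{l,l} * v_{l-1}
        table[l][l - 1] = table[l][l - 1] * titles[l - 1] % N2
    table[1][0] = table[1][0] * pow(T, shift, N2) % N2
    e = titles[8] * pow(T, m, N2) % N2
    return table, e, list(titles)

def e_decrypt(x, y, table, e):
    """E.Decrypt of Figure 9: recover the titles row by row, then m = dlog_T(e / v~_8).
    Returns (m or None, [v~_0, ..., v~_8]); the t = g_1^m check is left out here."""
    exps = [-x[0], -y[0], -x[1], -y[1], -x[2], -y[2], -x[3], -y[3]]
    tv, prev = [], 1
    for l in range(9):
        row = list(table[l])
        if l >= 1:                             # undo the title folded into entry (l, l)
            row[l - 1] = row[l - 1] * pow(prev, -1, N2) % N2
        v = 1
        for c in range(8):
            v = v * pow(row[c], exps[c], N2) % N2
        tv.append(v)
        prev = v
    c = e * pow(tv[8], -1, N2) % N2
    return (dlog_T(c) if c % N == 1 else None), tv

def roundtrip(seed=3, m=1234):
    rng = random.Random(seed)
    g, h, x, y = keygen(rng)
    table, e, _ = e_encrypt(g, h, m % N, rng)
    return e_decrypt(x, y, table, e)[0]

def hybrid3(seed=3, a=5):
    """Hybrid 3 (equivalent form): shift u_{1,1} by T^a and set e := v_8, using no
    secret key in e. Returns (decrypted m, a*x1*y1*...*x4*y4 mod N, T-parts of two entries)."""
    rng = random.Random(seed)
    g, h, x, y = keygen(rng)
    table, _, titles = e_encrypt(g, h, 0, rng, shift=a)
    m_got, tv = e_decrypt(x, y, table, titles[8])
    mono = a
    for j in range(4):
        mono = mono * x[j] * y[j] % N
    assert tv[1] == titles[1] * pow(T, -a * x[0], N2) % N2   # v~_1 = v_1 * T^{-a x_1}
    return m_got, mono, (t_part(table[0][0]), t_part(table[1][0]))
```

`roundtrip` exercises the honest scheme; `hybrid3` reproduces the routine calculation above: the planted $T^{a}$ propagates down the diagonal so that $\tilde v_8 = v_8 \cdot T^{-a x_1 y_1 \cdots x_4 y_4}$ and the ciphertext with $e := v_8$ decrypts to the monomial, while `t_part` returns $0$ for the honest entry $u_{0,1}$ and $a$ for the shifted entry, which is exactly what the $\mathrm{G}_8$ rejection rule would detect in a decryption query.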
54 The General E Designed for F119889poly In Section 53 we
presented the construction of E for a concrete type ofmonomial functions Generally a polynomial function 1198911015840
ℓ
of degree 119889 might contain as many as ( 8+1198898 ) = Θ(1198898)monomials In order to construct a general E for the setF119889
poly of polynomial functions we must handle all types ofmonomial functions To this end we generate a table for eachtype of nonconstantmonomial and associate it with a V whichis named as a title Algorithms EEncrypt and EDecrypt areshown in Figure 11
Neglecting the coefficients of monomials there are( 8+1198898 ) minus 1 types of nonconstant monomial functions whosedegrees are at most 119889 For each nonconstant monomial type1199091198881119894ℓ 11199101198882119894ℓ 11199091198883119894ℓ 21199101198884119894ℓ 21199091198885119894ℓ 31199101198886119894ℓ 31199091198887119894ℓ 41199101198888119894ℓ 4 we can associate it with adegree tuple c = (1198881 1198888) Let S denote the set of all suchdegree tuples that isS fl c = (1198881 1198888) | 1 le 1198881 + sdot sdot sdot + 1198888 le119889
For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}(\mathbf{c})$ and $V(\mathbf{c})$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.
Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde V(\mathbf{c}) = V(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(V(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM$[\mathcal{F}^d_{\mathrm{poly}}]$-CCA security for the set of polynomial functions. The proof is similar to that of Theorem 24 (cf. Table 2); the only difference lies in games G3-G4. We replace G3-G4 with the following hybrids (Hybrid 1 to Hybrid 3). Specifically, the E.Encrypt part of encrypt is changed in a computationally indistinguishable way so that it serves as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of E.Encrypt$(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.
Hybrid 0. In the initialize procedure the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then

$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \qquad (62)$$

where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.
Hybrid 2. Implement E.Encrypt using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
  (1) invoke $(\mathsf{table}(\mathbf{c}), V(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
  (2) invoke $\tilde V(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Employ $(\tilde V(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ rather than $(V(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde V(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
24 Security and Communication Networks
Figure 11. (a) E.Encrypt (left) and E.Decrypt (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) TableGen, which generates $\mathsf{table}(\mathbf{c})$ together with a title $V(\mathbf{c})$; (c) CalculateV, which calculates a title $\tilde V(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ using the secret key. The algorithms, recovered from the figure:

(a) E.Encrypt(pk, m):
  For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$: $(\mathsf{table}(\mathbf{c}), V(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$.
  $e := \prod_{\mathbf{c} \in \mathcal{S}} V(\mathbf{c}) \cdot T^m \bmod N^s$; $t := g_1^m \bmod N \in \mathbb{Z}_N$.
  Output $\mathcal{E}c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$.

E.Decrypt(sk, $\mathcal{E}c$):
  Parse $\mathcal{E}c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$.
  For each $\mathbf{c} \in \mathcal{S}$: $\tilde V(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
  If $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde V(\mathbf{c}))^{-1} \in \mathrm{RU}_{N^s}$: $m := \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde V(\mathbf{c}))^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$.
  Otherwise output $\perp$.

(b) TableGen(pk = $(h_1, h_2, h_3, h_4)$, $\mathbf{c} = (c_1, \ldots, c_8)$):
  For each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$:
    $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$;
    $(u_{l,1}, \ldots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$;
    $V_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$.
  $\mathsf{table}(\mathbf{c})$ consists of the rows $l = 0, 1, \ldots, \sum_{j=1}^8 c_j$. Row $0$ is $(u_{0,1}, u_{0,2}, \ldots, u_{0,8})$. For $l \ge 1$, row $l$ equals $(u_{l,1}, \ldots, u_{l,8})$ except that one entry is multiplied by the previous title $V_{l-1}$: the entry in column $1$ for the $c_1$ rows $l \in \{1, \ldots, c_1\}$, the entry in column $2$ for the $c_2$ rows $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$, and so on, up to the entry in column $8$ for the $c_8$ rows $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$. For instance, row $1$ is $(u_{1,1} \cdot V_0, u_{1,2}, \ldots, u_{1,8})$ when $c_1 \ge 1$, row $c_1 + 1$ is $(u_{c_1+1,1}, u_{c_1+1,2} \cdot V_{c_1}, u_{c_1+1,3}, \ldots, u_{c_1+1,8})$ when $c_2 \ge 1$, and the last row is $(u_{l,1}, \ldots, u_{l,7}, u_{l,8} \cdot V_{l-1})$ with $l = \sum_{j=1}^8 c_j$ when $c_8 \ge 1$.
  Output $(\mathsf{table}(\mathbf{c}), V(\mathbf{c}) := V_{\sum_{j=1}^8 c_j})$.

(c) CalculateV(sk = $(x_1, y_1, \ldots, x_4, y_4)$, $\mathsf{table}(\mathbf{c})$, $\mathbf{c} = (c_1, \ldots, c_8)$):
  Parse $\mathsf{table}(\mathbf{c}) = (\tilde u_{l,1}, \tilde u_{l,2}, \ldots, \tilde u_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$.
  $\tilde V_0 := \tilde u_{0,1}^{-x_1} \tilde u_{0,2}^{-y_1} \tilde u_{0,3}^{-x_2} \tilde u_{0,4}^{-y_2} \tilde u_{0,5}^{-x_3} \tilde u_{0,6}^{-y_3} \tilde u_{0,7}^{-x_4} \tilde u_{0,8}^{-y_4}$.
  For each $l \in \{1, \ldots, c_1\}$: $\tilde V_l := (\tilde u_{l,1} / \tilde V_{l-1})^{-x_1} \tilde u_{l,2}^{-y_1} \tilde u_{l,3}^{-x_2} \tilde u_{l,4}^{-y_2} \tilde u_{l,5}^{-x_3} \tilde u_{l,6}^{-y_3} \tilde u_{l,7}^{-x_4} \tilde u_{l,8}^{-y_4}$.
  For each $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$: $\tilde V_l := \tilde u_{l,1}^{-x_1} (\tilde u_{l,2} / \tilde V_{l-1})^{-y_1} \tilde u_{l,3}^{-x_2} \tilde u_{l,4}^{-y_2} \tilde u_{l,5}^{-x_3} \tilde u_{l,6}^{-y_3} \tilde u_{l,7}^{-x_4} \tilde u_{l,8}^{-y_4}$.
  $\vdots$
  For each $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$: $\tilde V_l := \tilde u_{l,1}^{-x_1} \tilde u_{l,2}^{-y_1} \tilde u_{l,3}^{-x_2} \tilde u_{l,4}^{-y_2} \tilde u_{l,5}^{-x_3} \tilde u_{l,6}^{-y_3} \tilde u_{l,7}^{-x_4} (\tilde u_{l,8} / \tilde V_{l-1})^{-y_4}$.
  Output $\tilde V(\mathbf{c}) := \tilde V_{\sum_{j=1}^8 c_j}$.
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde V(\mathbf{c})$ computed via CalculateV is the same as $V(\mathbf{c})$ computed via TableGen. Therefore this change is only conceptual.
Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
  (1) $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), V(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference: in $\mathsf{table}(\mathbf{c})$, the entry located in row $1$ and column $j := \min\{i \mid 1 \le i \le 8, c_i \neq 0\}$ is now computed as $\tilde u_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot V_0$ rather than $\tilde u_{1,j} = u_{1,j} \cdot V_0$. By the IV5 assumption this difference is computationally undetectable.
  (2) Extract $\tilde V(\mathbf{c})$ from the (modified) $\mathsf{table}(\mathbf{c})$ by invoking $\tilde V(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde V(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have

$$\tilde V(\mathbf{c}) = V(\mathbf{c}) \cdot T^{-a_{(c_1, \ldots, c_8)} \, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \qquad (63)$$

Hence

$$e = \prod_{\mathbf{c} \in \mathcal{S}} \tilde V(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} V(\mathbf{c}) \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \ldots, c_8)} \, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} V(\mathbf{c}) \cdot T^{\delta}, \qquad (64)$$

where the last equality follows from (62).
Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), V(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference: in $\mathsf{table}(\mathbf{c})$, the entry located in row $1$ and column $j := \min\{i \mid 1 \le i \le 8, c_i \neq 0\}$ is now computed as $\tilde u_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot V_0$ rather than $\tilde u_{1,j} = u_{1,j} \cdot V_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} V(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in E.Encrypt any more.
After these computationally indistinguishable changes, the E.Encrypt part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

With a similar argument to that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
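The following Python program is an added illustration, not code from the paper, of the component $\mathcal{E}$ of Figure 11 and of the Hybrid 3 argument above. It implements TableGen, CalculateV, E.Encrypt and E.Decrypt over a toy Damgård-Jurik group with $s = 2$ (arithmetic mod $N^2$, so $\mathrm{dlog}_T(z) = (z - 1)/N$), and it checks equation (63) by planting $T^a$ in row 1 of a table and confirming that CalculateV then returns $V(\mathbf{c}) \cdot T^{-a \cdot x_1^{c_1} y_1^{c_2} \cdots y_4^{c_8}}$ instead of $V(\mathbf{c})$. The primes P and Q are constructed toy values, all function names are ours, and the `twist` parameter of `table_gen` is a hypothetical hook standing in for the Hybrid 3 modification.

```python
import secrets
from math import gcd

P, Q = 1019, 1187     # constructed toy safe primes; real use needs ~1024-bit primes
N = P * Q
NS = N * N            # N^s for s = 2: the DCR group lives in Z*_{N^2}
T = 1 + N             # T has order N in Z*_{N^2}: T^m = 1 + mN (mod N^2)

def rand_scr():
    """Random element of SCR_{N^2} (the 2N-th powers of Z*_{N^2}), not 1 mod N."""
    while True:
        x = secrets.randbelow(NS)
        if gcd(x, N) == 1 and pow(x, 2 * N, NS) % N != 1:
            return pow(x, 2 * N, NS)

def par_gen():
    return [rand_scr() for _ in range(5)]   # g_1, ..., g_5

def key_gen(g):
    """sk = (x_1, y_1, ..., x_4, y_4); pk = (h_1, ..., h_4), h_j = g_j^-x_j g_{j+1}^-y_j."""
    sk = [secrets.randbelow(N * N // 4) for _ in range(8)]
    pk = [pow(g[j], -sk[2 * j], NS) * pow(g[j + 1], -sk[2 * j + 1], NS) % NS
          for j in range(4)]
    return pk, sk

def column_of(c, l):
    """0-based column whose block holds row l >= 1: rows 1..c_1 -> 0, next c_2 rows -> 1, ..."""
    acc = 0
    for j, cj in enumerate(c):
        acc += cj
        if l <= acc:
            return j
    raise ValueError("row index exceeds the degree of c")

def table_gen(g, pk, c, twist=0):
    """TableGen of Figure 11.  `twist` is our hypothetical hook for the Hybrid 3
    change: the row-1 entry in column min{i : c_i != 0} gets an extra factor T^twist."""
    table, v_prev = [], None
    for l in range(sum(c) + 1):
        r = [secrets.randbelow(N // 4) for _ in range(4)]
        u = [pow(g[0], r[0], NS), pow(g[1], r[0], NS), pow(g[1], r[1], NS),
             pow(g[2], r[1], NS), pow(g[2], r[2], NS), pow(g[3], r[2], NS),
             pow(g[3], r[3], NS), pow(g[4], r[3], NS)]
        v_l = 1                                   # V_l = h_1^r1 h_2^r2 h_3^r3 h_4^r4
        for j in range(4):
            v_l = v_l * pow(pk[j], r[j], NS) % NS
        if l >= 1:
            j = column_of(c, l)
            if l == 1 and twist:
                u[j] = u[j] * pow(T, twist, NS) % NS
            u[j] = u[j] * v_prev % NS             # tilde u_{l,j} = u_{l,j} * V_{l-1}
        table.append(u)
        v_prev = v_l
    return table, v_prev                           # (table(c), V(c) = V_{sum c_j})

def calculate_v(sk, table, c):
    """CalculateV of Figure 11: V_l = prod_k u_{l,k}^{-sk_k} once V_{l-1} is divided out."""
    v_prev = None
    for l, row in enumerate(table):
        base = list(row)
        if l >= 1:
            j = column_of(c, l)
            base[j] = base[j] * pow(v_prev, -1, NS) % NS
        v_l = 1
        for k in range(8):
            v_l = v_l * pow(base[k], -sk[k], NS) % NS
        v_prev = v_l
    return v_prev

def e_encrypt(g, pk, m, S):
    """E.Encrypt: e = prod_{c in S} V(c) * T^m mod N^2 and t = g_1^m mod N."""
    tables, e = {}, pow(T, m, NS)
    for c in S:
        tables[c], v = table_gen(g, pk, c)
        e = e * v % NS
    return tables, e, pow(g[0], m, N)

def e_decrypt(g, sk, ct, S):
    """E.Decrypt: strip the recovered titles, check RU_{N^2} membership, then t."""
    tables, e, t = ct
    z = e
    for c in S:
        z = z * pow(calculate_v(sk, tables[c], c), -1, NS) % NS
    if z % N != 1:                  # RU_{N^2} = {1 + kN}; anything else is rejected
        return None
    m = (z - 1) // N                # dlog_T for s = 2
    return m if pow(g[0], m, N) == t else None

def monomial(sk, c):
    """x_1^c_1 y_1^c_2 ... x_4^c_7 y_4^c_8 evaluated on sk, reduced mod N (the order of T)."""
    out = 1
    for k in range(8):
        out = out * pow(sk[k], c[k], N) % N
    return out

def title_twist_matches_eq63(g, pk, sk, c, a):
    """Equation (63): with T^a planted in row 1, CalculateV yields V(c) * T^{-a * monomial_c(sk)}."""
    table, v_true = table_gen(g, pk, c, twist=a)
    return calculate_v(sk, table, c) == v_true * pow(T, -a * monomial(sk, c), NS) % NS
```

With an untwisted table the titles recovered by `calculate_v` cancel exactly, so `e_decrypt` returns the message, and a tampered `e` fails either the $\mathrm{RU}_{N^2}$ check or the $t = g_1^m$ check. With the twist, `title_twist_matches_eq63` confirms that the key dependence of the title is moved into the row 1 entry, which is exactly the entry whose distribution the IV5 reduction in Appendix B controls.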
Appendix
A. Proof of Claim 19

We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathrm{AE}}$ and has one-time access to the oracle $\mathsf{encrypt}_{\mathrm{AE}}(\cdot) = \mathrm{AE.Encrypt}(\kappa, \cdot)$.

Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathrm{AIAE}}$ in the same way as in $\mathsf{G}'_{1,j}$. That is, it invokes $\mathsf{pars}_{\mathrm{THPS}} \leftarrow_\$ \mathrm{THPS.Setup}(1^\lambda)$, picks $\mathrm{H} \leftarrow_\$ \mathcal{H}$ randomly, and sets $\mathsf{pars}_{\mathrm{AIAE}} := (\mathsf{pars}_{\mathrm{THPS}}, \mathsf{pars}_{\mathrm{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathrm{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.

For the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way.

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$, and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all and instead resorts to its own $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, queries its $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathsf{G}'_{1,j}$; therefore the simulation of $\mathcal{B}$ is the same as that in $\mathsf{G}'_{1,j}$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ into $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ into $\mathcal{Q}_{\mathrm{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows.

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.

We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ implies that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, the conditions $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ imply that $\chi^* \neq \chi_j$ and $\mathrm{AE.Decrypt}(\kappa, \chi^*) \neq \perp$; that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $\mathsf{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3

To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}^b_{\mathrm{IV5}}}(N, g_1, \ldots, g_5)$ to solve the IV5 problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates E.Encrypt as follows.

(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $V_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
  Case $b = 0$: $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
  Case $b = 1$: $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^a, g_2^{r_{1,1}}) = (u_{1,1} T^a, u_{1,2})$.
$\mathcal{B}$ sets $\tilde u_{1,1} := u^*_{1,1} \cdot V_0$, which is $\tilde u_{1,1} = u_{1,1} \cdot V_0$ if $b = 0$ and $\tilde u_{1,1} = u_{1,1} T^a \cdot V_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be

$$(\tilde u_{1,1} = u^*_{1,1} \cdot V_0,\ u^*_{1,2},\ u_{1,3},\ \ldots,\ u_{1,8}). \qquad (\mathrm{B.1})$$

$\mathcal{B}$ also computes $V^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $V^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
  Case $b = 0$: $V^*_1 = V_1$, or
  Case $b = 1$: $V^*_1 = V_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
  Case $b = 0$: $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
  Case $b = 1$: $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets $\tilde u_{2,2} := u^*_{2,2} \cdot V^*_1$, that is, $\tilde u_{2,2} = u_{2,2} \cdot V_1$ if $b = 0$ and $\tilde u_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(V_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot V_1$ if $b = 1$. Thus $\tilde u_{2,2} = u_{2,2} \cdot V_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be

$$(u^*_{2,1},\ \tilde u_{2,2} = u^*_{2,2} \cdot V^*_1,\ u_{2,3},\ \ldots,\ u_{2,8}). \qquad (\mathrm{B.2})$$

$\mathcal{B}$ also computes $V^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $V^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
  Case $b = 0$: $V^*_2 = V_2$, or
  Case $b = 1$: $V^*_2 = V_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
  Case $b = 0$: $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
  Case $b = 1$: $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets $\tilde u_{3,3} := u^*_{3,3} \cdot V^*_2$; similarly, it is easy to check that $\tilde u_{3,3} = u_{3,3} \cdot V_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be

$$(u_{3,1},\ u_{3,2},\ \tilde u_{3,3} = u^*_{3,3} \cdot V^*_2,\ u^*_{3,4},\ u_{3,5},\ \ldots,\ u_{3,8}). \qquad (\mathrm{B.3})$$

$\mathcal{B}$ also computes $V^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $V^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
  Case $b = 0$: $V^*_3 = V_3$, or
  Case $b = 1$: $V^*_3 = V_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.

(vi) Finally, $\mathcal{B}$ computes $\tilde V_0, \ldots, \tilde V_8$ from table just as in Hybrids 2 and 3 (also as the original E.Decrypt algorithm does) and computes $e := \tilde V_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the IV5 problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural ScienceFoundation of China Grant nos 61672346 and 61373153
Figure 8. Construction of PKE from AIAE_DDH. The shadowed parts of the figure highlight the algorithms of KEM and $\mathcal{E}$. Here $\bar p, \bar q$ in $\mathsf{pars}_{\mathrm{AIAE}}$ are not provided in $\mathsf{pars}'_{\mathrm{AIAE}}$ since they are not used in AIAE.Encrypt and AIAE.Decrypt of AIAE_DDH. The algorithms, recovered from the figure:

ParGen($1^\lambda$):
  $\mathsf{pars}_{\mathrm{AIAE}} = (\bar N, \bar p, \bar q, \hat N, g_1, g_2, \mathsf{pars}_{\mathrm{AE}}, \mathrm{H}) \leftarrow_\$ \mathrm{AIAE.ParGen}(1^\lambda)$, where $\bar N = \bar p \bar q$, $\hat N = 2 \bar N + 1$, and $g_1, g_2 \in \mathrm{QR}_{\hat N}$; set $\mathsf{pars}'_{\mathrm{AIAE}} := (\bar N, \hat N, g_1, g_2, \mathsf{pars}_{\mathrm{AE}}, \mathrm{H})$.
  $(N, p, q) \leftarrow_\$ \mathrm{GenN}(1^\lambda)$; $g_1, g_2, g_3, g_4, g_5 \leftarrow_\$ \mathrm{SCR}_{N^s}$ (the DCR-group generators used by KEM and $\mathcal{E}$ below; the figure reuses the names $g_1, g_2$ for the two generators of $\mathrm{QR}_{\hat N}$ inside $\mathsf{pars}_{\mathrm{AIAE}}$).
  Output $\mathsf{pars} = (\mathsf{pars}'_{\mathrm{AIAE}}, N, g_1, \ldots, g_5)$.

KeyGen(pars):
  $x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4 \leftarrow_\$ [\lfloor N^2/4 \rfloor]$;
  $(h_1, h_2, h_3, h_4) := (g_1^{-x_1} g_2^{-y_1}, g_2^{-x_2} g_3^{-y_2}, g_3^{-x_3} g_4^{-y_3}, g_4^{-x_4} g_5^{-y_4}) \bmod N^s$;
  Output $(\mathsf{pk}, \mathsf{sk}) = ((h_1, h_2, h_3, h_4), (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4))$.

Encrypt(pk, m):
  $(k, \mathsf{ai}) \leftarrow_\$ \mathrm{KEM.Encrypt}(\mathsf{pk})$; $\mathcal{E}c \leftarrow_\$ \mathrm{E.Encrypt}(\mathsf{pk}, m)$; $\mathsf{aiaec} \leftarrow_\$ \mathrm{AIAE.Encrypt}(k, \mathcal{E}c, \mathsf{ai})$.
  Output $\langle \mathsf{ai}, \mathsf{aiaec} \rangle$.

Decrypt(sk, $\langle \mathsf{ai}, \mathsf{aiaec} \rangle$):
  $k/\perp \leftarrow \mathrm{KEM.Decrypt}(\mathsf{sk}, \mathsf{ai})$; $\mathcal{E}c/\perp \leftarrow \mathrm{AIAE.Decrypt}(k, \mathsf{aiaec}, \mathsf{ai})$; $m/\perp \leftarrow \mathrm{E.Decrypt}(\mathsf{sk}, \mathcal{E}c)$.

KEM.Encrypt(pk):
  $r \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_1, u_2, u_3, u_4, u_5) := (g_1^r, g_2^r, g_3^r, g_4^r, g_5^r) \bmod N^2$;
  $k = (k_1, k_2, k_3, k_4) \leftarrow_\$ (\mathbb{Z}_N)^4$;
  $(e_1, e_2, e_3, e_4) := (h_1^r T^{k_1}, h_2^r T^{k_2}, h_3^r T^{k_3}, h_4^r T^{k_4}) \bmod N^2$;
  Output $(k, \mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4))$.

KEM.Decrypt(sk, ai):
  Parse $\mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$.
  If $e_1 u_1^{x_1} u_2^{y_1},\ e_2 u_2^{x_2} u_3^{y_2},\ e_3 u_3^{x_3} u_4^{y_3},\ e_4 u_4^{x_4} u_5^{y_4} \in \mathrm{RU}_{N^2}$: $k = (k_1, k_2, k_3, k_4) := (\mathrm{dlog}_T(e_1 u_1^{x_1} u_2^{y_1}), \mathrm{dlog}_T(e_2 u_2^{x_2} u_3^{y_2}), \mathrm{dlog}_T(e_3 u_3^{x_3} u_4^{y_3}), \mathrm{dlog}_T(e_4 u_4^{x_4} u_5^{y_4})) \bmod N$; output $k$.
  Else output $\perp$.

E.Encrypt(pk, m) with $m \in [N^{s-1}]$:
  $r_1, r_2, r_3, r_4 \leftarrow_\$ [\lfloor N/4 \rfloor]$;
  $(u_1, \ldots, u_8) := (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4}) \bmod N^s$;
  $e := h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4} T^m \bmod N^s$; $t := g_1^m \bmod N \in \mathbb{Z}_N$;
  Output $\mathcal{E}c = (u_1, \ldots, u_8, e, t)$.

E.Decrypt(sk, $\mathcal{E}c$):
  Parse $\mathcal{E}c = (u_1, \ldots, u_8, e, t)$.
  If $e u_1^{x_1} u_2^{y_1} u_3^{x_2} u_4^{y_2} u_5^{x_3} u_6^{y_3} u_7^{x_4} u_8^{y_4} \in \mathrm{RU}_{N^s}$: $m := \mathrm{dlog}_T(e u_1^{x_1} u_2^{y_1} u_3^{x_2} u_4^{y_2} u_5^{x_3} u_6^{y_3} u_7^{x_4} u_8^{y_4}) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$.
  Else output $\perp$.
So $h_{i_\ell,1} h_{i,1}^{-1} \neq 1$, hence $e_{\ell,1} u_{\ell,1}^{x_{i,1}} u_{\ell,2}^{y_{i,1}} \notin \mathrm{RU}_{N^2}$ except with negligible probability $2^{-\Omega(\lambda)}$.

Thus G0 and G1 are the same except with probability at most $Q_d \cdot 2^{-\Omega(\lambda)}$ according to the union bound, and $|\Pr_0[\mathsf{Succ}] - \Pr_1[\mathsf{Succ}]| \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Game G2. It is identical to G1 except for the way the challenger samples the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$, $i \in [n]$. In game G2, the challenger first chooses $(x_1, y_1, \ldots, x_4, y_4)$ and $(\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4})$ randomly from $[\lfloor N^2/4 \rfloor]$; next it computes $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) := (x_1, y_1, \ldots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4}) \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$.

Obviously the secret keys $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ are uniformly distributed. Hence G2 is identical to G1 and $\Pr_1[\mathsf{Succ}] = \Pr_2[\mathsf{Succ}]$.

Game G3. It is identical to G2 except for the way the challenger responds to the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G3, instead of using the public key $\mathsf{pk}_{i_\ell} = (h_{i_\ell,1}, \ldots, h_{i_\ell,4})$, the challenger uses the secret key $\mathsf{sk}_{i_\ell} = (x_{i_\ell,1}, y_{i_\ell,1}, \ldots, x_{i_\ell,4}, y_{i_\ell,4})$ to prepare $(e_{\ell,1}, \ldots, e_{\ell,4})$ and $e_\ell$ in the following way:

(i)
$$(e_{\ell,1}, \ldots, e_{\ell,4}) := \big(u_{\ell,1}^{-x_{i_\ell,1}} u_{\ell,2}^{-y_{i_\ell,1}} T^{k_{\ell,1}},\ \ldots,\ u_{\ell,4}^{-x_{i_\ell,4}} u_{\ell,5}^{-y_{i_\ell,4}} T^{k_{\ell,4}}\big) \bmod N^2, \qquad (30)$$
(ii)
$$e_\ell := \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \tilde u_{\ell,3}^{-x_{i_\ell,2}} \tilde u_{\ell,4}^{-y_{i_\ell,2}} \tilde u_{\ell,5}^{-x_{i_\ell,3}} \tilde u_{\ell,6}^{-y_{i_\ell,3}} \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \qquad (31)$$

Note that for $j \in [4]$,
$$e_{\ell,j} \overset{\mathrm{G2}}{=} h_{i_\ell,j}^{r_\ell} T^{k_{\ell,j}} = \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_\ell} T^{k_{\ell,j}} \overset{\mathrm{G3}}{=} u_{\ell,j}^{-x_{i_\ell,j}} u_{\ell,j+1}^{-y_{i_\ell,j}} T^{k_{\ell,j}} \bmod N^2.$$
Table 2. Brief description of the security proof of Theorem 24.

Game | Changes between adjacent games | Assumptions
G0 | The original $n$-KDM-CCA security game. | none
G1 | decrypt: reject if $\langle \mathsf{ai}, \mathsf{aiaec} \rangle = \langle \mathsf{ai}_\ell, \mathsf{aiaec}_\ell \rangle$ for some $\ell \in [Q_e]$. | G0 $\approx_s$ G1
G2 | initialize: sample secret keys with $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) = (x_1, y_1, \ldots, x_4, y_4) + (\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4})$. | G1 = G2
G3 | encrypt$(f_\ell, i_\ell)$: use the secret keys to run KEM.Encrypt and E.Encrypt. | G2 = G3
G4 | encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of the secret keys, $\mathcal{E}c$ is computed with $(\tilde u_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \ldots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \ldots, g_5^{r_{\ell,4}})$. encrypt does not use $(x_j, y_j)_{j=1}^4 \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen. | G3 $\approx_c$ G4 by IV5
G5 | encrypt$(f_\ell, i_\ell)$: kemct (= ai) of KEM.Encrypt is computed with $(u_{\ell,j})_{j \in [5]} = ((g_j^{r^*} T^{\alpha_j})^{r_\ell})_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now KEM.Encrypt encapsulates the four keys $(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}))_{j=1}^4 \bmod N$, but $(k_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | G4 $\approx_c$ G5 by IV5
G6 | encrypt$(f_\ell, i_\ell)$: sample $k_{\ell,j} := r_\ell k^*_j + s_{\ell,j}$ for $j \in [4]$. Now KEM.Encrypt encapsulates the four keys $(r_\ell(k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell(\alpha_j \bar x_{i,j} + \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j})_{j=1}^4$, but $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | G5 = G6
G7 | decrypt: use $\phi(N)$ and the secret keys to answer decryption queries. | G6 = G7
G8 | decrypt: add an additional rejection rule. Reject if $\mathsf{Bad}' = (\exists u_j \notin \mathrm{SCR}_{N^2})$ or $\mathsf{Bad} = (\forall u_j \in \mathrm{SCR}_{N^2}) \wedge (\exists \tilde u_j \notin \mathrm{SCR}_{N^s})$ happens. $\mathsf{Bad}'$ and $\mathsf{Bad}$ can be detected by using $\phi(N)$. Now only the $(\bmod\ \phi(N)/4)$ part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^4 \bmod N$ perfectly hides $(k^*_1, \ldots, k^*_4)$ in encrypt, thus $(k^*_1, \ldots, k^*_4)$ is uniform. $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. $\mathsf{Bad}'$ may lead to a fresh successful forgery for AIAE_DDH. | G7 = G8 if neither $\mathsf{Bad}'$ nor $\mathsf{Bad}$ happens; $\Pr[\mathsf{Bad}'] = \mathrm{negl}$ due to weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH
G9 | initialize: sample an independent random tuple $(k^*_1, \ldots, k^*_4)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ in AIAE.Encrypt. | G8 = G9 to the adversary
G10 | encrypt: encrypt zeros instead of the affine function of the secret keys. $\mathsf{Bad}$ happens with negligible probability since $t = g_1^m \bmod N$ is checked in decrypt. Adversary $\mathcal{A}$ wins with probability $1/2$. | G9 $\approx_c$ G10 by IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of AIAE_DDH; $\Pr[\mathsf{Bad}] = \mathrm{negl}$
Similarly,
$$e_\ell \overset{\mathrm{G2}}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} T^{m_\beta} = \big(g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}}\big)^{r_{\ell,1}} \cdots \big(g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}}\big)^{r_{\ell,4}} T^{m_\beta} \overset{\mathrm{G3}}{=} \tilde u_{\ell,1}^{-x_{i_\ell,1}} \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}} \tilde u_{\ell,8}^{-y_{i_\ell,4}} T^{m_\beta} \bmod N^s. \qquad (32)$$

Thus G3 is the same as G2 and $\Pr_2[\mathsf{Succ}] = \Pr_3[\mathsf{Succ}]$.

Game G4. It is identical to G3 except for the way the challenger responds to the $\ell$th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G4, in the case of $\beta = 1$, $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ and $e_\ell$ are computed without the use of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$:
(i)
\[
(\tilde{u}_{\ell,1}, \dots, \tilde{u}_{\ell,8}) := \bigl(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\bigr) \bmod N^s. \tag{33}
\]
(ii)
\[
e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}} \, T^{\sum_{i=1}^n \sum_{j=1}^4 \bigl(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\bigr) + c} \bmod N^s, \tag{34}
\]
where $f_\ell = \bigl((a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4})_{i \in [n]}, c\bigr) \in \mathcal{F}_{\mathrm{aff}}$. Note that
\[
\begin{aligned}
e_\ell &\overset{G_4}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \bigl(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\bigr) + c} \\
&= \prod_{j=1}^4 \bigl(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\bigr)^{r_{\ell,j}} \cdot T^{\,m_1 - \sum_{i=1}^n \sum_{j=1}^4 (a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j})} \\
&= \prod_{j=1}^4 \bigl(g_j^{r_{\ell,j}} T^{\sum_{i=1}^n a_{i,j}}\bigr)^{-x_{i_\ell,j}} \bigl(g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^n b_{i,j}}\bigr)^{-y_{i_\ell,j}} \cdot T^{m_1} \\
&= \tilde{u}_{\ell,1}^{-x_{i_\ell,1}} \tilde{u}_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde{u}_{\ell,7}^{-x_{i_\ell,4}} \tilde{u}_{\ell,8}^{-y_{i_\ell,4}} \cdot T^{m_1} \bmod N^s,
\end{aligned} \tag{35}
\]
where the second equality follows from $m_1 = \sum_{i=1}^n (a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}) + c$.
16 Security and Communication Networks
We analyze the difference between G3 and G4 via the following lemma.

Lemma 25. One has $|\Pr_3[\mathsf{Succ}] - \Pr_4[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\tilde{u}_{\ell,1}, \dots, \tilde{u}_{\ell,8})$ is the same in G3 and G4. Therefore the only divergence between G3 and G4 lies in $(\tilde{u}_{\ell,1}, \dots, \tilde{u}_{\ell,8})$.
We show that any difference between G3 and G4 results in a PPT adversary $\mathcal{B}_1$ solving the IV5 problem. $\mathcal{B}_1$ is provided with $(N, g_1, \dots, g_5)$ and has access to its $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle. $\mathcal{B}_1$ simulates game G3 or game G4 for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares pars and generates $(\mathsf{pk}_i, \mathsf{sk}_i)$, $i \in [n]$, as in G3 and G4. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = ((a_{i,1}, b_{i,1}, \dots, a_{i,4}, b_{i,4})_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows. It queries its own $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle with
\[
\Bigl(\sum_{i=1}^n a_{i,1}, \sum_{i=1}^n b_{i,1}, *, *, *\Bigr),\ \Bigl(*, \sum_{i=1}^n a_{i,2}, \sum_{i=1}^n b_{i,2}, *, *\Bigr),\ \Bigl(*, *, \sum_{i=1}^n a_{i,3}, \sum_{i=1}^n b_{i,3}, *\Bigr),\ \Bigl(*, *, *, \sum_{i=1}^n a_{i,4}, \sum_{i=1}^n b_{i,4}\Bigr),
\]
where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde{u}_{\ell,1}, \tilde{u}_{\ell,2}, *, *, *)$, $(*, \tilde{u}_{\ell,3}, \tilde{u}_{\ell,4}, *, *)$, $(*, *, \tilde{u}_{\ell,5}, \tilde{u}_{\ell,6}, *)$, $(*, *, *, \tilde{u}_{\ell,7}, \tilde{u}_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle, $(\tilde{u}_{\ell,1}, \dots, \tilde{u}_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}})$.
Case 2 ($b = 1$): $(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}})$.

Next, $\mathcal{B}_1$ uses the obtained $(\tilde{u}_{\ell,1}, \dots, \tilde{u}_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$, since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event Succ occurs.

In Case 1, $\mathcal{B}_1$ simulates game G3 perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game G4 perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathsf{Succ}]$ and $\Pr_4[\mathsf{Succ}]$ results in $\mathcal{B}_1$'s advantage over the IV5 problem. Thus Lemma 25 follows.
Game G5. It is identical to G4 except for the following differences. In the initialize procedure of game G5, the challenger picks $r^* \leftarrow_\$ [\lfloor N/4 \rfloor]$ and $\alpha_1, \dots, \alpha_5 \leftarrow_\$ \mathbb{Z}_N$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \dots, u_{\ell,5})$ as follows:

(i) $(u_{\ell,1}, \dots, u_{\ell,5}) := \bigl((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\bigr) \bmod N^2$.

The only difference between G4 and G5 is the distribution of $(u_{\ell,1}, \dots, u_{\ell,5})$. In game G4, $(u_{\ell,1}, \dots, u_{\ell,5}) = (g_1^{r_\ell}, \dots, g_5^{r_\ell}) \bmod N^2$, while in game G5, $(u_{\ell,1}, \dots, u_{\ell,5}) = ((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \dots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}) \bmod N^2$. Just like Lemma 25, any difference between G4 and G5 results in a PPT adversary solving the IV5 problem by invoking $\mathcal{A}$. Therefore $|\Pr_4[\mathsf{Succ}] - \Pr_5[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.

Game G6. It is identical to G5 except for the following differences. In the initialize procedure of game G6, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \dots, e_{\ell,4})$ in a different way:

(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_\$ (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_\$ [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \dots, r_\ell k^*_4 + s_{\ell,4})$.
(ii)
\[
(e_{\ell,1}, \dots, e_{\ell,4}) := \bigl( h_{i_\ell,1}^{r^* r_\ell} \, T^{r_\ell (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}}, \ \dots, \ h_{i_\ell,4}^{r^* r_\ell} \, T^{r_\ell (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}} \bigr). \tag{36}
\]

Clearly $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game G5. In the meantime, for $j \in [4]$ we have
\[
\begin{aligned}
e_{\ell,j} &\overset{G_5}{=} u_{\ell,j}^{-x_{i_\ell,j}} \, u_{\ell,j+1}^{-y_{i_\ell,j}} \, T^{k_{\ell,j}} \\
&= (g_j^{r^*} T^{\alpha_j})^{-r_\ell \cdot x_{i_\ell,j}} \, (g_{j+1}^{r^*} T^{\alpha_{j+1}})^{-r_\ell \cdot y_{i_\ell,j}} \, T^{k_{\ell,j}} \\
&= \bigl(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\bigr)^{r^* r_\ell} \, T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \\
&\overset{G_6}{=} h_{i_\ell,j}^{r^* r_\ell} \, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned} \tag{37}
\]
Thus G6 is the same as G5, and $\Pr_5[\mathsf{Succ}] = \Pr_6[\mathsf{Succ}]$.

Game G7. It is identical to G6 except for the way the challenger answers the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$. In game G7 it uses $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle$, where $\mathsf{ai} = (u_1, \dots, u_5, e_1, \dots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \dots, k_4)$ and $m$ in the following way:

(i)
\[
\begin{aligned}
(\alpha'_1, \dots, \alpha'_5) &:= \Bigl( \frac{\mathsf{dlog}_T(u_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathsf{dlog}_T(u_5^{\phi(N)})}{\phi(N)} \Bigr) \bmod N, \\
(\gamma'_1, \dots, \gamma'_4) &:= \Bigl( \frac{\mathsf{dlog}_T(e_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathsf{dlog}_T(e_4^{\phi(N)})}{\phi(N)} \Bigr) \bmod N, \\
\mathbf{k} = (k_1, \dots, k_4) &:= (\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1, \ \dots, \ \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4) \bmod N.
\end{aligned} \tag{38}
\]
(ii)
\[
\mathsf{E.c} = (\tilde{u}_1, \dots, \tilde{u}_8, e, t) \,/\, \bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}). \tag{39}
\]
(iii)
\[
\begin{aligned}
(\tilde{\alpha}'_1, \dots, \tilde{\alpha}'_8) &:= \Bigl( \frac{\mathsf{dlog}_T(\tilde{u}_1^{\phi(N)})}{\phi(N)}, \dots, \frac{\mathsf{dlog}_T(\tilde{u}_8^{\phi(N)})}{\phi(N)} \Bigr) \bmod N^{s-1}, \\
\gamma &:= \frac{\mathsf{dlog}_T(e^{\phi(N)})}{\phi(N)} \bmod N^{s-1}, \\
m &:= \tilde{\alpha}'_1 x_{i,1} + \tilde{\alpha}'_2 y_{i,1} + \tilde{\alpha}'_3 x_{i,2} + \tilde{\alpha}'_4 y_{i,2} + \tilde{\alpha}'_5 x_{i,3} + \tilde{\alpha}'_6 y_{i,3} + \tilde{\alpha}'_7 x_{i,4} + \tilde{\alpha}'_8 y_{i,4} + \gamma \bmod N^{s-1}.
\end{aligned} \tag{40}
\]
According to (8), for $j \in [4]$ we have that
\[
\begin{aligned}
k_j &\overset{G_6}{=} \mathsf{dlog}_T\bigl(e_j \, u_j^{x_{i,j}} \, u_{j+1}^{y_{i,j}}\bigr) = \frac{\mathsf{dlog}_T\bigl((e_j \, u_j^{x_{i,j}} \, u_{j+1}^{y_{i,j}})^{\phi(N)}\bigr)}{\phi(N)} \bmod N \\
&= \frac{\mathsf{dlog}_T(u_j^{\phi(N) \cdot x_{i,j}})}{\phi(N)} + \frac{\mathsf{dlog}_T(u_{j+1}^{\phi(N) \cdot y_{i,j}})}{\phi(N)} + \frac{\mathsf{dlog}_T(e_j^{\phi(N)})}{\phi(N)} \\
&\overset{G_7}{=} \underbrace{\frac{\mathsf{dlog}_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathsf{dlog}_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathsf{dlog}_T(e_j^{\phi(N)})}{\phi(N)}}_{\gamma'_j}, \\[4pt]
m &\overset{G_6}{=} \mathsf{dlog}_T\bigl(e \, \tilde{u}_1^{x_{i,1}} \tilde{u}_2^{y_{i,1}} \tilde{u}_3^{x_{i,2}} \tilde{u}_4^{y_{i,2}} \tilde{u}_5^{x_{i,3}} \tilde{u}_6^{y_{i,3}} \tilde{u}_7^{x_{i,4}} \tilde{u}_8^{y_{i,4}}\bigr) \bmod N^{s-1} \\
&\overset{G_7}{=} \underbrace{\frac{\mathsf{dlog}_T(\tilde{u}_1^{\phi(N)})}{\phi(N)}}_{\tilde{\alpha}'_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathsf{dlog}_T(\tilde{u}_8^{\phi(N)})}{\phi(N)}}_{\tilde{\alpha}'_8} \cdot y_{i,4} + \underbrace{\frac{\mathsf{dlog}_T(e^{\phi(N)})}{\phi(N)}}_{\gamma}.
\end{aligned} \tag{41}
\]
Hence G7 is essentially the same as G6, and $\Pr_6[\mathsf{Succ}] = \Pr_7[\mathsf{Succ}]$.

Game G8. It is identical to G7 except for the way of answering the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:

(i) If $\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or $\tilde{\alpha}'_1 \neq 0$ or $\cdots$ or $\tilde{\alpha}'_8 \neq 0$, output $\bot$.

Denote by Bad the event that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
\[
e_1 u_1^{x_{i,1}} u_2^{y_{i,1}}, \ \dots, \ e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathrm{RU}_{N^2} \quad \text{and} \quad \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \bot \tag{42}
\]
\[
\text{and} \quad e \, \tilde{u}_1^{x_{i,1}} \tilde{u}_2^{y_{i,1}} \tilde{u}_3^{x_{i,2}} \tilde{u}_4^{y_{i,2}} \tilde{u}_5^{x_{i,3}} \tilde{u}_6^{y_{i,3}} \tilde{u}_7^{x_{i,4}} \tilde{u}_8^{y_{i,4}} \in \mathrm{RU}_{N^s} \quad \text{and} \quad t = g_1^{m} \bmod N \tag{43}
\]
\[
\text{and} \quad (\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0 \ \text{or} \ \tilde{\alpha}'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \tilde{\alpha}'_8 \neq 0). \tag{44}
\]
That is, Bad is the event that a decryption query would be accepted by the decryption rule of G7 but is rejected by the new rule of G8.
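As an added, runnable illustration (not code from the paper), the following Python script checks two of the facts used above with toy parameters: identity (35), namely that in G3 and in G4 alike $e_\ell$ equals $\tilde{u}_{\ell,1}^{-x_{i_\ell,1}} \cdots \tilde{u}_{\ell,8}^{-y_{i_\ell,4}} T^{m_1}$ even though the tuples $(\tilde{u}_{\ell,1}, \dots, \tilde{u}_{\ell,8})$ differ between the two games, and the $\phi(N)$-based decryption of (38)/(41) together with the rejection rule of G8. It works in $\mathbb{Z}_{N^2}$ (i.e. $s = 2$) with two constructed small primes; the primes, the key sizes and all function names are assumptions of the example, not part of the paper.

```python
"""Added toy check (not the paper's code) of two steps of the DCR-based proof, in Z_{N^2} (s = 2):
(a) identity (35): in G3 and G4 alike, e_l = u~_1^{-x} u~_2^{-y} ... u~_8^{-y} T^{m_1} mod N^2;
(b) the phi(N)-based decryption of G7, eq. (38)/(41), and the rejection rule added in G8.
Primes and sizes are constructed for illustration only; names mirror the paper's."""
import random
from math import prod

P, Q = 10007, 10009              # constructed toy primes; real ones are ~1024 bits each
N, N2 = P * Q, (P * Q) ** 2
PHI = (P - 1) * (Q - 1)          # phi(N), coprime to N for these primes
T = 1 + N                        # T = 1 + N has order N in Z*_{N^2}: T^k = 1 + kN mod N^2

def dlog_T(v):
    """dlog_T(v) for v in <T> = {1 + kN mod N^2}: returns k mod N."""
    assert (v - 1) % N == 0, "argument is not in <T>"
    return (v - 1) // N % N

def t_component(v):
    """dlog_T(v^{phi(N)}) / phi(N) mod N as in (38): the T-exponent of any v in Z*_{N^2}."""
    return dlog_T(pow(v, PHI, N2)) * pow(PHI, -1, N) % N

def keygen(rng, g):
    """sk = (x_1, y_1, ..., x_4, y_4) in [N^2/4]; pk h_j = g_j^{-x_j} g_{j+1}^{-y_j} mod N^2."""
    x = [rng.randrange(N2 // 4) for _ in range(4)]
    y = [rng.randrange(N2 // 4) for _ in range(4)]
    h = [pow(g[j], -x[j], N2) * pow(g[j + 1], -y[j], N2) % N2 for j in range(4)]
    return x, y, h

# (a) the entropy filter E for an affine query f = ((a_{i,j}, b_{i,j})_{i,j}, c)
def affine(f, keys):
    """m_1 = f(sk_1, ..., sk_n) = sum_{i,j} (a_{i,j} x_{i,j} + b_{i,j} y_{i,j}) + c mod N."""
    a, b, c = f
    return (sum(a[i][j] * x[j] + b[i][j] * y[j] for i, (x, y, _) in enumerate(keys) for j in range(4)) + c) % N

def e_part_g3(g, keys, il, r, m):
    """Real encryption (32): u~ = (g_1^{r_1}, g_2^{r_1}, ..., g_4^{r_4}, g_5^{r_4}), e = prod_j h_{il,j}^{r_j} T^m."""
    ut = [pow(g[j + d], r[j], N2) for j in range(4) for d in (0, 1)]
    return ut, prod(pow(hj, rj, N2) for hj, rj in zip(keys[il][2], r)) * pow(T, m % N, N2) % N2

def e_part_g4(g, keys, il, r, f):
    """G4, (33)-(34): the coefficients of f move into the T-parts of u~; e needs only key differences."""
    a, b, c = f
    x_l, y_l, h = keys[il]
    ut, ex = [], c
    for j in range(4):
        sa, sb = sum(a[i][j] for i in range(len(keys))), sum(b[i][j] for i in range(len(keys)))
        ut += [pow(g[j], r[j], N2) * pow(T, sa, N2) % N2, pow(g[j + 1], r[j], N2) * pow(T, sb, N2) % N2]
        ex += sum(a[i][j] * (x[j] - x_l[j]) + b[i][j] * (y[j] - y_l[j]) for i, (x, y, _) in enumerate(keys))
    return ut, prod(pow(hj, rj, N2) for hj, rj in zip(h, r)) * pow(T, ex % N, N2) % N2

def recombine(ut, sk, m1):
    """Last line of (35): u~_1^{-x_{il,1}} u~_2^{-y_{il,1}} ... u~_8^{-y_{il,4}} T^{m_1} mod N^2."""
    x, y, _ = sk
    return prod(pow(ut[2 * j], -x[j], N2) * pow(ut[2 * j + 1], -y[j], N2) for j in range(4)) * pow(T, m1 % N, N2) % N2

# (b) the KEM part ai = (u_1..u_5, e_1..e_4) and its decryption in G6 / G7 / G8
def kem_ai(g, h, r, k, alpha=(0, 0, 0, 0, 0)):
    """u_j = g_j^r T^{alpha_j} (alpha != 0 only models a malformed query), e_j = h_j^r T^{k_j}."""
    u = [pow(g[j], r, N2) * pow(T, alpha[j], N2) % N2 for j in range(5)]
    e = [pow(h[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return u, e

def kem_decap_g6(sk, u, e):
    """Decryption as in (8), used up to G6: k_j = dlog_T(e_j u_j^{x_j} u_{j+1}^{y_j})."""
    x, y, _ = sk
    return [dlog_T(e[j] * pow(u[j], x[j], N2) * pow(u[j + 1], y[j], N2) % N2) for j in range(4)]

def kem_decap_g7(sk, u, e):
    """(38): alpha'_j and gamma'_j via phi(N); k_j = alpha'_j x_j + alpha'_{j+1} y_j + gamma'_j mod N."""
    x, y, _ = sk
    al, ga = [t_component(v) for v in u], [t_component(v) for v in e]
    return al, [(al[j] * x[j] + al[j + 1] * y[j] + ga[j]) % N for j in range(4)]

def kem_decap_g8(sk, u, e):
    """G8 rejection rule: bottom (None) as soon as some alpha'_j != 0, i.e. some u_j carries a T-part."""
    al, k = kem_decap_g7(sk, u, e)
    return None if any(al) else k

def demo(seed=7):
    rng = random.Random(seed)
    g = [pow(rng.randrange(2, N), 2 * N, N2) for _ in range(5)]   # five elements of SCR_{N^2}
    keys = [keygen(rng, g) for _ in range(2)]                      # n = 2 users sharing g_1..g_5
    il = 1
    # (a) a random affine KDM query; its value m_1 = f(sk) is what G4 hides inside u~
    f = ([[rng.randrange(N) for _ in range(4)] for _ in keys],
         [[rng.randrange(N) for _ in range(4)] for _ in keys], rng.randrange(N))
    m1 = affine(f, keys)
    r = [rng.randrange(N // 4) for _ in range(4)]
    ut3, e3 = e_part_g3(g, keys, il, r, m1)
    ut4, e4 = e_part_g4(g, keys, il, r, f)
    same_relation = e3 == recombine(ut3, keys[il], m1) and e4 == recombine(ut4, keys[il], m1)
    # (b) an honest KEM query decrypts identically in G6 and G7 and passes G8 ...
    k = [rng.randrange(N) for _ in range(4)]
    u, e = kem_ai(g, keys[il][2], rng.randrange(N // 4), k)
    honest = kem_decap_g6(keys[il], u, e) == k == kem_decap_g7(keys[il], u, e)[1] == kem_decap_g8(keys[il], u, e)
    # ... while a u_1 carrying a T-component still satisfies (41) in G7 but is rejected in G8
    u_bad, e_bad = kem_ai(g, keys[il][2], rng.randrange(N // 4), k, alpha=(5, 0, 0, 0, 0))
    still_41 = kem_decap_g6(keys[il], u_bad, e_bad) == kem_decap_g7(keys[il], u_bad, e_bad)[1]
    return same_relation, ut3 != ut4, honest, still_41, kem_decap_g8(keys[il], u_bad, e_bad) is None
```

`demo()` returns five booleans, all `True`: (35) holds in both games although the $\tilde{u}$ tuples differ; an honest query gives the same $\mathbf{k}$ under (8), under (38) and after the G8 rule; and a malformed $u_1 = g_1^{r} T^{5}$ still yields the same $\mathbf{k}$ under (8) and (38), which is exactly why G7 does not change $\mathcal{A}$'s view, while G8 rejects it.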
Obviously G8 is identical to G7 unless Bad occurs. Thus $|\Pr_7[\mathsf{Succ}] - \Pr_8[\mathsf{Succ}]| \le \Pr_8[\mathsf{Bad}]$.

To show the computational indistinguishability of G7 and G8, we must prove that $\Pr_8[\mathsf{Bad}]$ is negligible. To this end, Bad is divided into two subevents:

(i) $\mathsf{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
Conditions (42), (43) and $(\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0)$. (45)
(ii) $\widetilde{\mathsf{Bad}}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
Conditions (42), (43) and $(\alpha'_1 = \cdots = \alpha'_5 = 0)$ and $(\tilde{\alpha}'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \tilde{\alpha}'_8 \neq 0)$. (46)

Obviously $\Pr_8[\mathsf{Bad}] \le \Pr_8[\mathsf{Bad}'] + \Pr_8[\widetilde{\mathsf{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathsf{Bad}}]$ to subsequent games. Through the following lemma we provide the analysis of $\Pr_8[\mathsf{Bad}']$.

Lemma 26. One has $\Pr_8[\mathsf{Bad}'] \le 2 Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In decrypt of game G8, the challenger will reply $\bot$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\tilde{\alpha}'_1 = \cdots = \tilde{\alpha}'_8 = 0$. Consequently, the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is $(x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, together with the value of $\phi(N)$ is enough for answering decrypt queries. In particular, the values of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ are not necessary in decrypt.

$\mathsf{Bad}'$ is further divided into the following two subevents:

(i) $\mathsf{Bad}'$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
Conditions (42), (43) and $(\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0)$ and $(\exists j \in [4]:\ \alpha'_j / \alpha_j \neq \alpha'_{j+1} / \alpha_{j+1} \bmod N)$. (47)
(ii) $\mathsf{Bad}'$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
Conditions (42), (43) and $(\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0)$ and $(\alpha'_1 / \alpha_1 = \cdots = \alpha'_5 / \alpha_5 \bmod N)$. (48)

Recall that $(\alpha_1, \dots, \alpha_5)$ are chosen in initialize. We will consider the two subevents in game G8 separately via the following two claims.

Claim 27. One has $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In game G8, the values of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \dots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1)$, $(\alpha_2 x_2 + \alpha_3 y_2)$, $(\alpha_3 x_3 + \alpha_4 y_3)$, $(\alpha_4 x_4 + \alpha_5 y_4) \bmod N$: for $j \in [4]$,
\[
\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell} \, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell} \, T^{r_\ell \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{\triangleq \hat{k}_j} - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2,
\end{aligned} \tag{49}
\]
where $x_{i,j} = x_j + \bar{x}_{i,j}$ and $y_{i,j} = y_j + \bar{y}_{i,j}$ with the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})$ chosen in initialize.

If $\mathsf{Bad}'$-1 occurs, for concreteness say that $\alpha'_1 / \alpha_1 \neq \alpha'_2 / \alpha_2 \bmod N$, then
\[
k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar{x}_{i,1} + \alpha'_2 \bar{y}_{i,1} + \gamma'_1 \bmod N, \tag{50}
\]
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$ and thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_\$ \mathbb{Z}_N$, the probability of $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \bot$ is upper bounded by $\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.
Claim 28. One has $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game G8 the only information about $(x_1, y_1, \dots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values $\hat{k}_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\hat{k}_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\hat{k}_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\hat{k}_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \dots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \dots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt.

Note that, because of the randomness of $(x_1, y_1, \dots, x_4, y_4) \bmod N$, $(\hat{k}_1, \hat{k}_2, \hat{k}_3, \hat{k}_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm that simulates decrypt and encrypt of game G8 without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \dots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA encryption oracle of the AIAE$_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathsf{pars}_{\mathsf{AIAE}})$, which has access to an $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of the AIAE$_{\mathrm{DDH}}$ scheme, where $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more; instead, it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \dots, x_4, y_4) \bmod N$ either; instead, it chooses $\hat{\mathbf{k}} = (\hat{k}_1, \hat{k}_2, \hat{k}_3, \hat{k}_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar{x}_{i,1}, \bar{y}_{i,1}, \dots, \bar{x}_{i,4}, \bar{y}_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(\bar{x}_{i_\ell,j}, \bar{y}_{i_\ell,j}, \hat{k}_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(\bar{x}_{i,j}, \bar{y}_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar{x}_{i,j}, \bar{y}_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathsf{E.c}_\ell, \mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \dots, s_{\ell,4}) \rangle)$ to its own $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle and obtains $\mathsf{aiae.c}_\ell$. The final ciphertext is $\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security game, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle will encrypt $\mathsf{E.c}_\ell$ with the auxiliary input $\mathsf{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$; that is, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle behaves as $\mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathsf{E.c}_\ell, \mathsf{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to G8. For decrypt, $\mathcal{B}_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like G8.
Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ such that $\mathsf{Bad}'$-2 occurs. For concreteness, say that $r := \alpha'_1 / \alpha_1 = \cdots = \alpha'_5 / \alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
\[
\begin{aligned}
k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{= \hat{k}_j} - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j + \underbrace{\bigl(- r \cdot (\hat{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j\bigr)}_{\triangleq s_j} = r \cdot k^*_j + s_j \bmod N.
\end{aligned} \tag{51}
\]
Thus $\mathbf{k} = (k_1, \dots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \dots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \dots, s_4) \rangle$ as above using $(\bar{x}_{i,j}, \bar{y}_{i,j}, \hat{k}_j)_{j=1}^4$, and outputs $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiae.c})$ to its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle \neq \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiae.c}) \neq (\mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathsf{aiae.c}_\ell)$ will hold for all $\ell \in [Q_e]$; that is, $\mathcal{B}_2$ always outputs a fresh forgery.
(ii) Secondly, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \dots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\hat{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = - r \cdot (\hat{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously this satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security.
(iii) Finally, if $\mathsf{Bad}'$-2 occurs in this decryption query, then $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \bot$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, which implies that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game G9. It is identical to G8 except for the following differences. In the initialize procedure of game G9, the challenger picks an independent $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \tilde{k}^*_2, \tilde{k}^*_3, \tilde{k}^*_4) \leftarrow_\$ (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for AIAE$_{\mathrm{DDH}}$ in the computation of $\mathsf{aiae.c}_\ell$:

(i) $\tilde{\mathbf{k}}_\ell := (r_\ell \tilde{k}^*_1 + s_{\ell,1}, \dots, r_\ell \tilde{k}^*_4 + s_{\ell,4})$;
(ii) $\mathsf{aiae.c}_\ell \leftarrow_\$ \mathsf{AIAE.Encrypt}(\tilde{\mathbf{k}}_\ell, \mathsf{E.c}_\ell, \mathsf{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$.

In G8, the only place that involves the value of $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \dots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,
\[
\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell} \, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell} \, T^{r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned} \tag{52}
\]
Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Therefore the challenger could always employ another $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \dots, \tilde{k}^*_4)$ in the computation of $\tilde{\mathbf{k}}_\ell$ and utilize $\tilde{\mathbf{k}}_\ell$ in AIAE$_{\mathrm{DDH}}$'s encryption in the encrypt oracle, as in G9.

Then game G8 and game G9 are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathsf{Succ}] = \Pr_9[\mathsf{Succ}]$ and $\Pr_8[\widetilde{\mathsf{Bad}}] = \Pr_9[\widetilde{\mathsf{Bad}}]$.

Game G10. It is identical to G9 except for the way the challenger answers the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game G10 the challenger computes $\mathsf{aiae.c}_\ell$ in the following way:

(i) $\mathsf{aiae.c}_\ell \leftarrow_\$ \mathsf{AIAE.Encrypt}(\tilde{\mathbf{k}}_\ell, 0^{\lambda_{\mathcal{M}}}, \mathsf{ai}_\ell)$.

Observe that in G9 and G10, $\tilde{\mathbf{k}}^*$ is employed only in the AIAE$_{\mathrm{DDH}}$ encryption, where it uses $\tilde{\mathbf{k}}_\ell = r_\ell \cdot \tilde{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key, with $\mathbf{s}_\ell = (s_{\ell,1}, \dots, s_{\ell,4})$. Any difference between G9 and G10 results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{aff}}$-RKA security of the AIAE$_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathsf{Succ}] - \Pr_{10}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\widetilde{\mathsf{Bad}}] - \Pr_{10}[\widetilde{\mathsf{Bad}}]| \le \mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in G10 the challenger always computes the AIAE$_{\mathrm{DDH}}$ encryption of $0^{\lambda_{\mathcal{M}}}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathsf{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.

Lemma 29. One has $\Pr_{10}[\widetilde{\mathsf{Bad}}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda)$.

Proof. In G10 neither decrypt nor encrypt uses the values of $(x_1, y_1, \dots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1)$, $(w_2 x_2 + w_3 y_2)$, $(w_3 x_3 + w_4 y_3)$, $(w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathsf{dlog}_g g_j \bmod \phi(N)/4$ for some base $g \in \mathrm{SCR}_{N^s}$, $j \in [5]$.
$\widetilde{\mathsf{Bad}}$ is further divided into the following two disjoint subevents:

(i) $\widetilde{\mathsf{Bad}}$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43) and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde{\alpha}'_1 \neq 0 \text{ or } \cdots \text{ or } \tilde{\alpha}'_8 \neq 0) \text{ and } \Bigl( \frac{\tilde{\alpha}'_1}{w_1} \neq \frac{\tilde{\alpha}'_2}{w_2} \text{ or } \frac{\tilde{\alpha}'_3}{w_2} \neq \frac{\tilde{\alpha}'_4}{w_3} \text{ or } \frac{\tilde{\alpha}'_5}{w_3} \neq \frac{\tilde{\alpha}'_6}{w_4} \text{ or } \frac{\tilde{\alpha}'_7}{w_4} \neq \frac{\tilde{\alpha}'_8}{w_5} \Bigr). \tag{53}
\]
(ii) $\widetilde{\mathsf{Bad}}$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43) and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde{\alpha}'_1 \neq 0 \text{ or } \cdots \text{ or } \tilde{\alpha}'_8 \neq 0) \text{ and } \Bigl( \frac{\tilde{\alpha}'_1}{w_1} = \frac{\tilde{\alpha}'_2}{w_2} \text{ and } \frac{\tilde{\alpha}'_3}{w_2} = \frac{\tilde{\alpha}'_4}{w_3} \text{ and } \frac{\tilde{\alpha}'_5}{w_3} = \frac{\tilde{\alpha}'_6}{w_4} \text{ and } \frac{\tilde{\alpha}'_7}{w_4} = \frac{\tilde{\alpha}'_8}{w_5} \Bigr). \tag{54}
\]

We will analyze the two subevents in game G10 separately via the following two claims.

Claim 30. One has $\Pr_{10}[\widetilde{\mathsf{Bad}}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Proof. If $\widetilde{\mathsf{Bad}}$-1 occurs, for concreteness say that $\tilde{\alpha}'_1 / w_1 \neq \tilde{\alpha}'_2 / w_2$, then
\[
g_1^{m} = g_1^{\tilde{\alpha}'_1 x_{i,1} + \tilde{\alpha}'_2 y_{i,1} + \cdots} = g_1^{\tilde{\alpha}'_1 x_1 + \tilde{\alpha}'_2 y_1 + \tilde{\alpha}'_1 \bar{x}_{i,1} + \tilde{\alpha}'_2 \bar{y}_{i,1} + \cdots \bmod \phi(N)/4} \bmod N, \tag{55}
\]
and $(\tilde{\alpha}'_1 x_1 + \tilde{\alpha}'_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m}$ is uniformly distributed over $\mathrm{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound, $\Pr_{10}[\widetilde{\mathsf{Bad}}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\widetilde{\mathsf{Bad}}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game G10, if $\widetilde{\mathsf{Bad}}$-2 occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ that computes the discrete logarithm of $h$ to the base $g$, where $g, h \in \mathrm{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathrm{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys in the same way as initialize in G10. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as G10 does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w := \mathsf{dlog}_g h \bmod \phi(N)/4$, then for $j \in [5]$,
\[
w_j = \mathsf{dlog}_g g_j = z_j + w z'_j \bmod \phi(N)/4.
\]
If $\widetilde{\mathsf{Bad}}$-2 occurs in decrypt, for concreteness say that $\tilde{\alpha}'_1 / w_1 = \tilde{\alpha}'_2 / w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{\tilde{\alpha}'_1} = g_1^{\tilde{\alpha}'_2} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1 \tilde{\alpha}'_2 = w_2 \tilde{\alpha}'_1 \bmod \phi(N)/4$, or equivalently
\[
z_1 \tilde{\alpha}'_2 + w z'_1 \tilde{\alpha}'_2 = z_2 \tilde{\alpha}'_1 + w z'_2 \tilde{\alpha}'_1 \bmod \phi(N)/4. \tag{56}
\]
Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1 \tilde{\alpha}'_2 - z'_2 \tilde{\alpha}'_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ will succeed in computing the discrete logarithm of $h$ to the base $g$ and output $w = (z'_1 \tilde{\alpha}'_2 - z'_2 \tilde{\alpha}'_1)^{-1} \cdot (z_2 \tilde{\alpha}'_1 - z_1 \tilde{\alpha}'_2) \bmod \phi(N)/4$ to its challenger. Clearly we have $\Pr_{10}[\widetilde{\mathsf{Bad}}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with n-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], which are polynomial-sized circuits computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of the modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same AIAE$_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \dots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \dots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of 8n Variables to Polynomials of 8 Variables

How to Reduce the 8n-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the 8119899-variable poly-nomial 119891ℓ is as follows In the initialize procedure sk119894could be computed as 119909119894119895 fl 119909119895 + 119909119894119895 and 119910119894119895 fl 119910119895 +119910119894119895 modlfloor11987324rfloor for 119894 isin [119899] and 119895 isin [4] By using(119909119894119895 119910119894119895)119894isin[119899]119895isin[4] (119909119894119895 119910119894119895)119894isin[119899]119895isin[4] could be represented asshifts of (119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4] that is119909119894119895 = 119909119894ℓ 119895 + 119909119894119895 minus 119909119894ℓ 119895119910119894119895 = 119910119894ℓ 119895 + 119910119894119895 minus 119910119894ℓ 119895 (57)
Consequently 119891ℓ in 8119899 variables (119909119894119895 119910119894119895)119894isin[119899]119895isin[4] can bereduced to 1198911015840
ℓ in 8 variables (119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4] that is119891ℓ ((119909119894119895 119910119894119895)119894isin[119899]119895isin[4]) = 119891ℓ((119909119894ℓ 119895 + 119909119894119895 minus 119909119894ℓ 119895⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
119909119894119895
119910119894ℓ 119895 + 119910119894119895 minus 119910119894ℓ 119895⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟⏟
119910119894119895
)119894isin[119899]119895isin[4]
) = 1198911015840ℓ ((119909119894ℓ 119895
119910119894ℓ 119895)119895isin[4]) = sum0le1198881+sdotsdotsdot+1198888le119889
119886(1198881 1198888)sdot 1199091198881119894ℓ 11199101198882119894ℓ 11199091198883119894ℓ 21199101198884119894ℓ 21199091198885119894ℓ 31199101198886119894ℓ 31199091198887119894ℓ 41199101198888119894ℓ 4
(58)
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],j\in[4]}$.
How to Determine Coefficients $a_{(c_1,\ldots,c_8)}$ for $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],j\in[4]}$. In order to compute the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$, we can repeat the following procedure:
(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i\in[n],j\in[4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],j\in[4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.
Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1,\ldots,c_8)}$ can be extracted through solving a linear system of equations
$$f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i\in[n],j\in[4]}\big) = \sum_{0 \le c_1+\cdots+c_8 \le d} a_{(c_1,\ldots,c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (59)$$
The overall time complexity for computing the coefficients $a_{(c_1,\ldots,c_8)}$ is polynomial in $\lambda$.
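The coefficient-extraction procedure above in runnable form, as an added example that is not the paper's code: the black-box $f_\ell$ is a constructed polynomial in $8n$ variables ($n = 2$, $d = 2$), the `shifts` play the role of $(\bar{x}_{i,j}, \bar{y}_{i,j})$, and all arithmetic is done modulo a prime $P$ instead of the paper's modulus (an assumption made so that the linear system of (59) can be solved by Gaussian elimination over a field).

```python
import itertools
import random

P = (1 << 61) - 1   # constructed prime modulus; the paper uses a composite modulus


def degree_tuples(d):
    """All (c_1, ..., c_8) with 0 <= c_1 + ... + c_8 <= d: binom(8+d, 8) tuples."""
    return [c for c in itertools.product(range(d + 1), repeat=8) if sum(c) <= d]


def monomial(c, z):
    """x_1^{c_1} y_1^{c_2} ... y_4^{c_8} for z = (x_1, y_1, ..., x_4, y_4)."""
    r = 1
    for zi, ci in zip(z, c):
        r = r * pow(zi, ci, P) % P
    return r


def shifted_inputs(z, shifts, il):
    """Eq. (57): x_{i,j} = x_{il,j} + xbar_{i,j} - xbar_{il,j} for every i in [n].

    shifts[i] holds (xbar_{i,1}, ybar_{i,1}, ..., xbar_{i,4}, ybar_{i,4}) and
    z holds the 8 variables (x_{il,1}, y_{il,1}, ..., x_{il,4}, y_{il,4})."""
    return [[(z[k] + shifts[i][k] - shifts[il][k]) % P for k in range(8)]
            for i in range(len(shifts))]


def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination over Z_P for a square nonsingular system."""
    n = len(rows)
    M = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [v * inv % P for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(vr - f * vc) % P for vr, vc in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]


def extract_coefficients(f, d, shifts, il):
    """Steps (i)-(iii) of Section 5.2 repeated binom(8+d, 8) times, then (59)
    solved as a linear system in the unknown coefficients a_{(c_1..c_8)}."""
    S = degree_tuples(d)
    rows, rhs = [], []
    for _ in range(len(S)):
        z = [random.randrange(P) for _ in range(8)]      # (i) pick the 8 variables
        rows.append([monomial(c, z) for c in S])         # monomials at this point
        rhs.append(f(shifted_inputs(z, shifts, il)))     # (ii)+(iii) query f_l, record
    return dict(zip(S, solve_mod_p(rows, rhs)))


def eval_reduced(coeffs, z):
    """f'_l(z) = sum_c a_c * monomial_c(z) mod P."""
    return sum(a * monomial(c, z) for c, a in coeffs.items()) % P


def sample_f(X):
    """Constructed 8n-variable key-dependent function (n = 2, degree 2):
    3 * x_{1,1} * y_{2,3} + 5 * y_{2,2} + 11, where X[i-1][k] is the k-th entry
    of (x_{i,1}, y_{i,1}, ..., x_{i,4}, y_{i,4})."""
    return (3 * X[0][0] * X[1][5] + 5 * X[1][3] + 11) % P


def demo(seed=1):
    """Reduce sample_f for i_l = 1 (index 0) and check eq. (58) at a random point."""
    random.seed(seed)
    n, d, il = 2, 2, 0
    shifts = [[random.randrange(P) for _ in range(8)] for _ in range(n)]
    coeffs = extract_coefficients(sample_f, d, shifts, il)
    z = [random.randrange(P) for _ in range(8)]
    consistent = eval_reduced(coeffs, z) == sample_f(shifted_inputs(z, shifts, il))
    return coeffs, consistent


if __name__ == "__main__":
    coeffs, ok = demo()
    nonzero = {c: a for c, a in coeffs.items() if a}
    print(len(coeffs), "coefficients,", len(nonzero), "nonzero; consistent:", ok)
```

With $d = 2$ the system has $\binom{10}{8} = 45$ unknowns; only the monomials $x_{i_\ell,1} y_{i_\ell,3}$, $x_{i_\ell,1}$, $y_{i_\ell,2}$ and the constant term end up nonzero, the last two of them absorbing the shifts.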
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (60)$$
Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 9.
Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games G3-G4, which are related to the building block $\mathcal{E}$. Next we will replace G3-G4 with the following hybrids (i.e., Hybrid 1 to Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}$.Encrypt part of encrypt is changed in a computationally indistinguishable way, so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i\in[n],j\in[4]}))$, so the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],j\in[4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (61)$$
Hybrid 2. Implement $\mathcal{E}$.Encrypt using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.
(i) Invoke $\mathcal{E}$.Encrypt to set up table.
(ii) Invoke $\mathcal{E}$.Decrypt to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from table.
(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
Clearly, $\tilde{v}_0, \ldots, \tilde{v}_8$ computed via $\mathcal{E}$.Decrypt are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}$.Encrypt. Therefore, this is just a conceptual change.
Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) table is computed similarly as that in $\mathcal{E}$.Encrypt except for a small difference. More precisely, in table the entry located in row 1 and column 1 is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$. By the IV5 assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}$.Decrypt to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from table.
(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.

Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$.
$\mathcal{E}c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$: For $l \in \{0, 1, \ldots, 8\}$: $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}},  g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$; $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. The rows of table are $l = 0, \ldots, 8$: row 0 is $(u_{0,1}, \ldots, u_{0,8})$ and, for $l \ge 1$, row $l$ is $(u_{l,1}, \ldots, u_{l,8})$ with the $l$th entry replaced by $\tilde{u}_{l,l} = u_{l,l} \cdot v_{l-1}$ (so $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$, ..., $\tilde{u}_{8,8} = u_{8,8} \cdot v_7$). $e = v_8 \cdot T^m \bmod N^s$, $t = g_1^m \bmod N \in \mathbb{Z}_N$. Output $\mathcal{E}c = (\mathsf{table}, e, t)$.
$m/\perp \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}c)$: Parse $\mathcal{E}c = (\mathsf{table}, e, t)$. $v_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; $v_1 = (\tilde{u}_{1,1}/v_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$; $v_2 = u_{2,1}^{-x_1} (\tilde{u}_{2,2}/v_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$; $\ldots$; $v_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (\tilde{u}_{8,8}/v_7)^{-y_4}$. If $e/v_8 \in \mathsf{RU}_N$: $m = \mathrm{dlog}_T(e/v_8) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$. Otherwise output $\perp$.

Figure 10: Security proof of $\mathcal{E}$.Encrypt as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. [Figure: four columns, Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form), each showing $\mathcal{E}c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(f_\ell, i_\ell \in [n])$. The rows $(u_{l,1}, \ldots, u_{l,8})$ and $v_l$ are sampled as in Figure 9; from Hybrid 3 on, the entry in row 1 and column 1 of table is $u_{1,1} T^a \cdot v_0$; $\tilde{v}_0, \ldots, \tilde{v}_8$ are recomputed from table; $e$ equals $v_8 \cdot T^{f'_\ell(\cdot)}$, then $\tilde{v}_8 \cdot T^{f'_\ell(\cdot)}$, and finally $v_8 \bmod N^s$; $t = g_1^{f'_\ell(\cdot)} \bmod N \in \mathbb{Z}_N$.]
Through a routine calculation, we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, ..., $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = v_8$.
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) table is computed similarly as that in $\mathcal{E}$.Encrypt except for a small difference. More precisely, the entry located in row 1 and column 1 in table is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.
After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Similarly, we can change the decrypt oracle in a computationally indistinguishable way, so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to G7-G8 in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in table are elements in $\mathsf{SCR}_{N^s}$. If this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through a similar analysis as that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named as a title. Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 11.
Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.
For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}(\mathbf{c})$ and $v(\mathbf{c})$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.
Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}(\mathbf{c}) = v(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(v(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}$ could always be extracted from $(\mathsf{table}(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games G3-G4. Next we will replace G3-G4 with the following hybrids (Hybrid 1 to Hybrid 3). Specifically, the $\mathcal{E}$.Encrypt part of encrypt is changed in a computationally indistinguishable way, so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i\in[n],j\in[4]}))$, so the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],j\in[4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\big) = \sum_{(c_1,\ldots,c_8)\in\mathcal{S}} a_{(c_1,\ldots,c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \quad (62)$$
where $\delta$ is the constant term $a_{(0,\ldots,0)}$ of $f'_\ell$.
Hybrid 2. Implement $\mathcal{E}$.Encrypt using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
(2) invoke $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Employ $(\tilde{v}(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}$ rather than $(v(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c}\in\mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}(\mathbf{c})$ computed via CalculateV is the same as $v(\mathbf{c})$ computed via TableGen. Therefore, this change is just conceptual.

Figure 11: (a) $\mathcal{E}$.Encrypt (left) and $\mathcal{E}$.Decrypt (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) TableGen, which generates $\mathsf{table}(\mathbf{c})$ together with a title $v(\mathbf{c})$; (c) CalculateV, which calculates a title $\tilde{v}(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ using the secret key.
(a) $\mathcal{E}c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$: For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$: $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$. $e = \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot T^m \bmod N^s$, $t = g_1^m \bmod N \in \mathbb{Z}_N$. Output $\mathcal{E}c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}, e, t)$.
$m/\perp \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}c)$: Parse $\mathcal{E}c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}, e, t)$. For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$: $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}(\mathbf{c}), \mathbf{c})$. If $e \cdot (\prod_{\mathbf{c}\in\mathcal{S}} \tilde{v}(\mathbf{c}))^{-1} \in \mathsf{RU}_N$: $m = \mathrm{dlog}_T(e \cdot (\prod_{\mathbf{c}\in\mathcal{S}} \tilde{v}(\mathbf{c}))^{-1}) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$. Otherwise output $\perp$.
(b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: For each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$: $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$; $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. $\mathsf{table}(\mathbf{c})$ has rows $l = 0, \ldots, \sum_{j=1}^8 c_j$: row 0 is $(u_{0,1}, \ldots, u_{0,8})$; in the $c_1$ rows $l = 1, \ldots, c_1$ the first entry is replaced by $u_{l,1} \cdot v_{l-1}$; in the $c_2$ rows $l = c_1 + 1, \ldots, c_1 + c_2$ the second entry is replaced by $u_{l,2} \cdot v_{l-1}$; $\ldots$; in the $c_8$ rows $l = \sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j$ the eighth entry is replaced by $u_{l,8} \cdot v_{l-1}$. Output $(\mathsf{table}(\mathbf{c}), v(\mathbf{c}) = v_{\sum_{j=1}^8 c_j})$.
(c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathsf{table}(\mathbf{c}), \mathbf{c} = (c_1, \ldots, c_8))$: Parse $\mathsf{table}(\mathbf{c}) = (u_{l,1}, u_{l,2}, \ldots, u_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$. $\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$. For each $l \in \{1, \ldots, c_1\}$: $\tilde{v}_l = (u_{l,1}/\tilde{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$. For each $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$: $\tilde{v}_l = u_{l,1}^{-x_1} (u_{l,2}/\tilde{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$. $\ldots$ For each $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$: $\tilde{v}_l = u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (u_{l,8}/\tilde{v}_{l-1})^{-y_4}$. Output $\tilde{v}(\mathbf{c}) = \tilde{v}_{\sum_{j=1}^8 c_j}$.
Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference; more precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \ne 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1,\ldots,c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$; by the IV5 assumption, this difference is computationally undetectable;
(2) extract $\tilde{v}(\mathbf{c})$ from the (modified) $\mathsf{table}(\mathbf{c})$ by invoking $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$\tilde{v}(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1,\ldots,c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \quad (63)$$
Hence
$$e = \prod_{\mathbf{c}\in\mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot \prod_{\mathbf{c}\in\mathcal{S}} T^{-a_{(c_1,\ldots,c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot T^{\delta}. \quad (64)$$
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \ne 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1,\ldots,c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.
After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
With a similar argument as that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way, so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
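The table/title mechanism of Sections 5.3 and 5.4 in runnable form, as an added toy example that is not the paper's code: `table_gen` and `calculate_v` follow Figure 11 (for $\mathbf{c} = (1, \ldots, 1)$ they produce exactly the table of Figure 9), and `encrypt(..., inject=...)` produces the Hybrid 3 (Equivalent Form) ciphertext, whose $e$ contains no $T^m$ yet decrypts to $f'_\ell(\mathsf{sk}) \bmod N$ because the $T^{a_{\mathbf{c}}}$ factors injected into the tables multiply out to $T^{f'_\ell(\mathsf{sk})}$ in CalculateV, as in (63)-(64). Assumptions not on the page: $s = 2$, $T = 1 + N$, the key relation $h_j = g_j^{-x_j} g_{j+1}^{-y_j}$, sampling of $g_j$ as $2N$-th residues, tiny primes for $N$, and degree bound $d = 2$ so that the number of tables stays small.

```python
import itertools, math, secrets

P, Q = 1019, 1187   # constructed toy safe primes; a real N is ~2048 bits
N = P * Q
NS = N * N          # modulus N^s with s = 2 (assumption)
T = 1 + N           # T^m = 1 + mN mod N^2, so dlog_T is easy
D = 2               # degree bound d of F^d_poly (assumption)
# degree tuples c = (c_1..c_8) with 1 <= c_1+...+c_8 <= D, one table per tuple
S = [c for c in itertools.product(range(D + 1), repeat=8) if 1 <= sum(c) <= D]

def rand_group_elem():
    """Random 2N-th residue mod N^s (assumed sampling of g_j, not on the page)."""
    while True:
        r = secrets.randbelow(NS - 2) + 2
        if math.gcd(r, N) == 1 and pow(r, 2 * N, NS) != 1:
            return pow(r, 2 * N, NS)

def keygen():
    """Assumed key relation h_j = g_j^{-x_j} g_{j+1}^{-y_j}, so CalculateV recovers v_l."""
    g = [rand_group_elem() for _ in range(5)]                 # g_1..g_5
    x = [secrets.randbelow(N * N // 4) for _ in range(4)]
    y = [secrets.randbelow(N * N // 4) for _ in range(4)]
    h = [pow(g[j], -x[j], NS) * pow(g[j + 1], -y[j], NS) % NS for j in range(4)]
    return (g, h), (x, y)

def title_column(c, l):
    """0-based column of row l >= 1 of table(c) that carries v_{l-1}: rows 1..c_1
    use column 1, the next c_2 rows column 2, ..., the last c_8 rows column 8."""
    bound = 0
    for j, cj in enumerate(c):
        bound += cj
        if l <= bound:
            return j
    raise ValueError("row index beyond sum(c)")

def table_gen(pk, c, inject=0):
    """TableGen of Figure 11(b). inject = a_c applies the Hybrid 3 change:
    entry (1, j*) with j* = min{i : c_i != 0} is multiplied by T^{a_c}."""
    g, h = pk
    table, v_prev = [], 1
    for l in range(sum(c) + 1):
        r = [secrets.randbelow(N // 4) + 1 for _ in range(4)]      # r_{l,1..4}
        u = [pow(g[j + k], r[j], NS) for j in range(4) for k in (0, 1)]
        v = math.prod(pow(h[j], r[j], NS) for j in range(4)) % NS   # v_l
        if l >= 1:
            col = title_column(c, l)
            u[col] = u[col] * v_prev % NS                           # hide v_{l-1}
            if l == 1:
                u[col] = u[col] * pow(T, inject, NS) % NS
        table.append(u)
        v_prev = v
    return table, v_prev                          # title v(c) = v_{sum(c)}

def calculate_v(sk, table, c):
    """CalculateV of Figure 11(c): peel v_0, v_1, ..., v_{sum(c)} off in order."""
    x, y = sk
    exps = [-x[0], -y[0], -x[1], -y[1], -x[2], -y[2], -x[3], -y[3]]
    v_prev = 1
    for l, row in enumerate(table):
        v = 1
        for col, entry in enumerate(row):
            if l >= 1 and col == title_column(c, l):
                entry = entry * pow(v_prev, -1, NS) % NS  # divide out v_{l-1}
            v = v * pow(entry, exps[col], NS) % NS
        v_prev = v
    return v_prev

def encrypt(pk, m, inject=None):
    """E.Encrypt of Figure 11(a). With inject = (a_c coefficients, delta) the
    Hybrid 3 (Equivalent Form) is produced: e = prod_c v(c) * T^delta, no T^m."""
    coeffs, expo = inject if inject else ({}, m)
    tables, titles = {}, 1
    for c in S:
        tables[c], v = table_gen(pk, c, coeffs.get(c, 0))
        titles = titles * v % NS
    e = titles * pow(T, expo, NS) % NS
    t = pow(pk[0][0], m, N)                       # t = g_1^m mod N
    return tables, e, t

def decrypt(pk, sk, ct):
    """E.Decrypt of Figure 11(a); pk is only needed for the g_1^m check."""
    tables, e, t = ct
    titles = math.prod(calculate_v(sk, tables[c], c) for c in S) % NS
    z = e * pow(titles, -1, NS) % NS
    if (z - 1) % N:                               # z not in RU_N: reject
        return None
    m = ((z - 1) // N) % N                        # dlog_T(z) mod N^{s-1}
    return m if pow(pk[0][0], m, N) == t else None

def poly_eval(sk, coeffs, delta):
    """f'(sk) = sum_c a_c x_1^{c_1} y_1^{c_2} ... y_4^{c_8} + delta mod N."""
    x, y = sk
    z = [x[0], y[0], x[1], y[1], x[2], y[2], x[3], y[3]]
    total = delta
    for c, a in coeffs.items():
        total += a * math.prod(pow(zi, ci, N) for zi, ci in zip(z, c))
    return total % N

if __name__ == "__main__":
    pk, sk = keygen()
    coeffs, delta = {(1, 0, 0, 0, 0, 0, 0, 0): 3, (0, 1, 0, 0, 0, 0, 1, 0): 5}, 11
    kdm = poly_eval(sk, coeffs, delta)            # the key-dependent message
    print(decrypt(pk, sk, encrypt(pk, 4242)) == 4242,
          decrypt(pk, sk, encrypt(pk, kdm, inject=(coeffs, delta))) == kdm)
```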
Appendix
A. Proof of Claim 19
We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathrm{AE}}$ and has access to the oracle $\mathsf{encrypt}_{\mathrm{AE}}(\cdot) = \mathrm{AE.Encrypt}(\kappa, \cdot)$ for one time.
Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathrm{AIAE}}$ in the same way as in $G'_{1,j}$. That is, invoke $\mathsf{pars}_{\mathrm{THPS}} \leftarrow_\$ \mathrm{THPS.Setup}(1^\lambda)$, pick $\mathrm{H} \leftarrow_\$ \mathcal{H}$ randomly, and set $\mathsf{pars}_{\mathrm{AIAE}} := (\mathsf{pars}_{\mathrm{THPS}}, \mathsf{pars}_{\mathrm{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathrm{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.
As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$, and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all, and instead it will resort to its own $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger and queries its $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle with $m_j$ and gets the challenge $\chi_j$. According to the $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $G'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $G'_{1,j}$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.
Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows:
(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \ne f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \ne (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \ne t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ will imply that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, then $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \ne \perp$ implies that $\chi^* \ne \chi_j$ and $\mathrm{AE.Decrypt}(\kappa, \chi^*) \ne \perp$; that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.
In summary, $\mathcal{B}$ perfectly simulates $G'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE},\mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}^b_{\mathrm{IV}_5}}(N, g_1, \ldots, g_5)$ to solve the $\mathrm{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}$.Encrypt as follows.
(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.
(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathrm{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^a, g_2^{r_{1,1}}) = (u_{1,1} T^a, u_{1,2})$.
$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^a \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be
$$\big(\tilde{u}_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3}, \ldots, u_{1,8}\big). \quad (B.1)$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_1 = v_1$, or
Case ($b = 1$): $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathrm{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^*_{2,2} \cdot v^*_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
$$\big(u^*_{2,1},\ \tilde{u}_{2,2} = u^*_{2,2} \cdot v^*_1,\ u_{2,3}, \ldots, u_{2,8}\big). \quad (B.2)$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_2 = v_2$, or
Case ($b = 1$): $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.
(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathrm{IV}_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets $\tilde{u}_{3,3} := u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that $\tilde{u}_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be
$$\big(u_{3,1},\ u_{3,2},\ \tilde{u}_{3,3} = u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ u_{3,5}, \ldots, u_{3,8}\big). \quad (B.3)$$
$\mathcal{B}$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_3 = v_3$, or
Case ($b = 1$): $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.
(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.
(vi) Finally, $\mathcal{B}$ computes $\tilde{v}_0, \ldots, \tilde{v}_8$ from table just as in Hybrids 2 and 3 (also as the original $\mathcal{E}$.Decrypt algorithm) and computes $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$ using the secret keys.
If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathrm{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China, Grant nos. 61672346 and 61373153.
Security and Communication Networks 27
References
[1] S Goldwasser and S Micali ldquoProbabilistic encryptionrdquo Journalof Computer and System Sciences vol 28 no 2 pp 270ndash2991984
[2] J Black P Rogaway and T Shrimpton ldquoEncryption-schemesecurity in the presence of key-dependentmessagesrdquo in SelectedAreas in Cryptography K Nyberg and H M Heys Eds vol2595 of Lecture Notes in Computer Science pp 62ndash75 Springer2003
[3] J Camenisch and A Lysyanskaya ldquoAn efficient system for non-transferable anonymous credentials with optional anonymityrevocationrdquo in Advances in Cryptology B Pfitzmann Ed vol2045 of Lecture Notes in Computer Science pp 93ndash118 Springer2001
[4] D Boneh S Halevi M Hamburg and R Ostrovsky ldquoCircular-secure encryption from decision Diffie-Hellmanrdquo in Advancesin Cryptology D Wagner Ed vol 5157 of Lecture Notes inComputer Science pp 108ndash125 Springer 2008
[5] Z Brakerski and S Goldwasser ldquoCircular and leakage resilientpublic-key encryption under subgroup indistinguishability (orquadratic residuosity strikes back)rdquo in Advances in CryptologyT Rabin Ed vol 6223 of Lecture Notes in Computer Science pp1ndash20 Springer 2010
[6] B Applebaum D Cash C Peikert and A Sahai ldquoFast cryp-tographic primitives and circular-secure encryption based onhard learning problemsrdquo in Advances in Cryptology S HaleviEd vol 5677 of Lecture Notes in Computer Science pp 595ndash618Springer 2009
[7] O Regev ldquoOn lattices learning with errors random linearcodes and cryptographyrdquo in Proceedings of the 37th AnnualACM Symposium on Theory of Computing (STOC rsquo05) H NGabow and R Fagin Eds pp 84ndash93 ACM 2005
[8] Z Brakerski S Goldwasser and Y T Kalai ldquoBlack-box circular-secure encryption beyond affine functionsrdquo in Theory of Cryp-tography Y Ishai Ed vol 6597 of Lecture Notes in ComputerScience pp 201ndash218 Springer 2011
[9] B Barak I Haitner D Hofheinz and Y Ishai ldquoBounded key-dependent message securityrdquo in Advances in Cryptology HGilbert Ed vol 6110 of Lecture Notes in Computer Science pp423ndash444 Springer 2010
Security and Communication Networks 15
Table 2: Brief description of the security proof of Theorem 24.

| Game | Changes between adjacent games | Assumptions |
|---|---|---|
| G0 | The original $n$-KDM-CCA security game. | — |
| G1 | decrypt: reject if $\langle \mathsf{ai}, \mathsf{aiae.c}\rangle = \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell\rangle$ for some $\ell \in [Q_e]$. | G0 $\approx_s$ G1 |
| G2 | initialize: sample secret keys with $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) = (x_1, y_1, \ldots, x_4, y_4) + (\bar{x}_{i,1}, \bar{y}_{i,1}, \ldots, \bar{x}_{i,4}, \bar{y}_{i,4})$. | G1 = G2 |
| G3 | encrypt$(f_\ell, i_\ell)$: use the secret keys to run KEM.Encrypt and E.Encrypt. | G2 = G3 |
| G4 | encrypt$(f_\ell, i_\ell)$: when the encrypt oracle encrypts an affine function of the secret keys, E.c is computed with $(\square_{\ell,j})_{j \in [8]} = (g_1^{r_{\ell,1}} T^{\delta_1}, \ldots, g_5^{r_{\ell,4}} T^{\delta_8})$ instead of $(g_1^{r_{\ell,1}}, \ldots, g_5^{r_{\ell,4}})$; encrypt does not use $(x_j, y_j)_{j=1}^4 \bmod N$ any more if $(\delta_j)_{j \in [8]}$ is carefully chosen. | G3 $\approx_c$ G4 by IV5 |
| G5 | encrypt$(f_\ell, i_\ell)$: kem.ct (= ai) of KEM.Encrypt is computed with $(u_{\ell,j})_{j \in [5]} = \big((g_j^{r^*} T^{\alpha_j})^{r_\ell}\big)_{j \in [5]}$ instead of $(g_j^{r_\ell})_{j \in [5]}$. Now KEM.Encrypt encapsulates the four keys $\big(k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j})\big)_{j=1}^4 \bmod N$, but $(k_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | G4 $\approx_c$ G5 by IV5 |
| G6 | encrypt$(f_\ell, i_\ell)$: sample $k_{\ell,j} := r_\ell k^*_j + s_{\ell,j}$ for $j \in [4]$. Now KEM.Encrypt encapsulates the four keys $\big(r_\ell (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j) - r_\ell (\alpha_j \bar{x}_{i,j} + \alpha_{j+1} \bar{y}_{i,j}) + s_{\ell,j}\big)_{j=1}^4$, but $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. | G5 = G6 |
| G7 | decrypt: use $\phi(N)$ and the secret keys to answer decryption queries. | G6 = G7 |
| G8 | decrypt: add an additional rejection rule. Reject if $\mathsf{Bad}' = (\exists\, u_j \notin \mathsf{SCR}_{N^2})$ or $\widetilde{\mathsf{Bad}} = (\forall\, u_j \in \mathsf{SCR}_{N^2}) \wedge (\exists\, \square_j \notin \mathsf{SCR}_{N^s})$ happens. $\mathsf{Bad}'$ and $\widetilde{\mathsf{Bad}}$ can be detected by using $\phi(N)$. Now only the $(\bmod\ \phi(N)/4)$ part of the secret keys and $\phi(N)$ are used in decrypt. The randomness of $(\alpha_j x_j + \alpha_{j+1} y_j)_{j=1}^4 \bmod N$ perfectly hides $(k^*_1, \ldots, k^*_4)$ in encrypt, thus $(k^*_1, \ldots, k^*_4)$ is uniform. $(r_\ell k^*_j + s_{\ell,j})_{j=1}^4$ is the key used in AIAE.Encrypt. $\mathsf{Bad}'$ may lead to a fresh successful forgery for $\mathsf{AIAE}_{\mathrm{DDH}}$. | G7 = G8 if neither $\mathsf{Bad}'$ nor $\widetilde{\mathsf{Bad}}$ happens; $\Pr[\mathsf{Bad}'] = \mathrm{negl}$ due to the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of $\mathsf{AIAE}_{\mathrm{DDH}}$ |
| G9 | initialize: sample an independent random tuple $(\bar{k}^*_1, \ldots, \bar{k}^*_4)$. encrypt$(f_\ell, i_\ell)$: use $(r_\ell \bar{k}^*_j + s_{\ell,j})_{j=1}^4$ in AIAE.Encrypt. | G8 = G9 to the adversary |
| G10 | encrypt: encrypt zeros instead of the affine function of the secret keys. $\widetilde{\mathsf{Bad}}$ happens with negligible probability since $t = g_1^{m} \bmod N$ in decrypt. Adversary $\mathcal{A}$ wins with probability $1/2$. | G9 $\approx_c$ G10 by the IND-$\mathcal{F}_{\mathrm{aff}}$-RKA security of $\mathsf{AIAE}_{\mathrm{DDH}}$; $\Pr[\widetilde{\mathsf{Bad}}] = \mathrm{negl}$ |
$$
\begin{aligned}
e_\ell &\overset{\mathsf{G}_2}{=} h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}}\, T^{m_\beta} \\
&= \big(g_1^{-x_{i_\ell,1}} g_2^{-y_{i_\ell,1}}\big)^{r_{\ell,1}} \cdots \big(g_4^{-x_{i_\ell,4}} g_5^{-y_{i_\ell,4}}\big)^{r_{\ell,4}}\, T^{m_\beta} \\
&\overset{\mathsf{G}_3}{=} \square_{\ell,1}^{-x_{i_\ell,1}}\, \square_{\ell,2}^{-y_{i_\ell,1}} \cdots \square_{\ell,7}^{-x_{i_\ell,4}}\, \square_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_\beta} \bmod N^s
\end{aligned}
\tag{32}
$$
Thus G3 is the same as G2 and $\Pr_2[\mathrm{Succ}] = \Pr_3[\mathrm{Succ}]$.

Game G4. It is identical to G3 except for the way the challenger responds to the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$. In game G4, in the case of $\beta = 1$, $(\square_{\ell,1}, \ldots, \square_{\ell,8})$ and $e_\ell$ are computed without the use of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$:
(i)
$$
(\square_{\ell,1}, \ldots, \square_{\ell,8}) := \big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\big) \bmod N^s
\tag{33}
$$
(ii)
$$
e_\ell := h_{i_\ell,1}^{r_{\ell,1}} \cdots h_{i_\ell,4}^{r_{\ell,4}}\, T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \bmod N^s
\tag{34}
$$
where $f_\ell = (\{a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$. Note that
$$
\begin{aligned}
e_\ell &\overset{\mathsf{G}_4}{=} \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \\
&= \prod_{j=1}^4 h_{i_\ell,j}^{r_{\ell,j}} \cdot T^{\sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j}(x_{i,j} - x_{i_\ell,j}) + b_{i,j}(y_{i,j} - y_{i_\ell,j})\right) + c} \\
&= \prod_{j=1}^4 \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell,j}} \cdot T^{m_1 - \sum_{i=1}^n \sum_{j=1}^4 \left(a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j}\right)} \\
&= \prod_{j=1}^4 \big(g_j^{r_{\ell,j}} T^{\sum_{i=1}^n a_{i,j}}\big)^{-x_{i_\ell,j}} \big(g_{j+1}^{r_{\ell,j}} T^{\sum_{i=1}^n b_{i,j}}\big)^{-y_{i_\ell,j}} \cdot T^{m_1} \\
&= \square_{\ell,1}^{-x_{i_\ell,1}}\, \square_{\ell,2}^{-y_{i_\ell,1}} \cdots \square_{\ell,7}^{-x_{i_\ell,4}}\, \square_{\ell,8}^{-y_{i_\ell,4}}\, T^{m_1} \bmod N^s
\end{aligned}
\tag{35}
$$
where the third equality follows from $m_1 = \sum_{i=1}^n (a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}) + c$.
We analyze the difference between G3 and G4 via the following lemma.

Lemma 25. One has $|\Pr_3[\mathrm{Succ}] - \Pr_4[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $e_\ell$ is computed from $(\square_{\ell,1}, \ldots, \square_{\ell,8})$ is the same in G3 and G4. Therefore the only divergence between G3 and G4 lies in $(\square_{\ell,1}, \ldots, \square_{\ell,8})$.
We show that any difference between G3 and G4 results in a PPT adversary $\mathcal{B}_1$ solving the IV5 problem. $\mathcal{B}_1$ is provided with $(N, g_1, \ldots, g_5)$ and has access to its $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle. $\mathcal{B}_1$ simulates game G3 or game G4 for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares pars and generates $(\mathsf{pk}_i, \mathsf{sk}_i)$, $i \in [n]$, as in G3 and G4. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = (\{a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4}\}_{i \in [n]}, c) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows: it queries its own $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle with
$$
\Big(\sum_{i=1}^n a_{i,1}, \sum_{i=1}^n b_{i,1}, *, *, *\Big),\quad \Big(*, \sum_{i=1}^n a_{i,2}, \sum_{i=1}^n b_{i,2}, *, *\Big),\quad \Big(*, *, \sum_{i=1}^n a_{i,3}, \sum_{i=1}^n b_{i,3}, *\Big),\quad \Big(*, *, *, \sum_{i=1}^n a_{i,4}, \sum_{i=1}^n b_{i,4}\Big),
$$
where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\square_{\ell,1}, \square_{\ell,2}, *, *, *)$, $(*, \square_{\ell,3}, \square_{\ell,4}, *, *)$, $(*, *, \square_{\ell,5}, \square_{\ell,6}, *)$, $(*, *, *, \square_{\ell,7}, \square_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathsf{chal}^b_{\mathrm{IV5}}$ oracle, $(\square_{\ell,1}, \ldots, \square_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $\big(g_1^{r_{\ell,1}}, g_2^{r_{\ell,1}}, g_2^{r_{\ell,2}}, g_3^{r_{\ell,2}}, g_3^{r_{\ell,3}}, g_4^{r_{\ell,3}}, g_4^{r_{\ell,4}}, g_5^{r_{\ell,4}}\big)$.

Case 2 ($b = 1$): $\big(g_1^{r_{\ell,1}} T^{\sum_{i=1}^n a_{i,1}}, g_2^{r_{\ell,1}} T^{\sum_{i=1}^n b_{i,1}}, g_2^{r_{\ell,2}} T^{\sum_{i=1}^n a_{i,2}}, g_3^{r_{\ell,2}} T^{\sum_{i=1}^n b_{i,2}}, g_3^{r_{\ell,3}} T^{\sum_{i=1}^n a_{i,3}}, g_4^{r_{\ell,3}} T^{\sum_{i=1}^n b_{i,3}}, g_4^{r_{\ell,4}} T^{\sum_{i=1}^n a_{i,4}}, g_5^{r_{\ell,4}} T^{\sum_{i=1}^n b_{i,4}}\big)$.
Next, $\mathcal{B}_1$ uses the obtained $(\square_{\ell,1}, \ldots, \square_{\ell,8})$ and the secret keys to compute $e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate decrypt for $\mathcal{A}$, since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event Succ occurs.

In Case 1, $\mathcal{B}_1$ simulates game G3 perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game G4 perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathrm{Succ}]$ and $\Pr_4[\mathrm{Succ}]$ results in $\mathcal{B}_1$'s advantage over the IV5 problem. Thus Lemma 25 follows.
Game G5. It is identical to G4 except for the following differences. In the initialize procedure of game G5, the challenger picks $r^* \leftarrow_{\$} [\lfloor N/4 \rfloor]$ and $\alpha_1, \ldots, \alpha_5 \leftarrow_{\$} \mathbb{Z}_N$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \ldots, u_{\ell,5})$ as follows:

(i) $(u_{\ell,1}, \ldots, u_{\ell,5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$.

The only difference between G4 and G5 is the distribution of $(u_{\ell,1}, \ldots, u_{\ell,5})$. In game G4, $(u_{\ell,1}, \ldots, u_{\ell,5}) = (g_1^{r_\ell}, \ldots, g_5^{r_\ell}) \bmod N^2$, while in game G5, $(u_{\ell,1}, \ldots, u_{\ell,5}) = \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$. Just like Lemma 25, any difference between G4 and G5 results in a PPT adversary solving the IV5 problem by invoking $\mathcal{A}$. Therefore $|\Pr_4[\mathrm{Succ}] - \Pr_5[\mathrm{Succ}]| \le \mathrm{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.

Game G6. It is identical to G5 except for the following differences. In the initialize procedure of game G6, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \ldots, e_{\ell,4})$ in a different way:

(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_{\$} (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_{\$} [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \ldots, r_\ell k^*_4 + s_{\ell,4})$.

(ii)
$$
(e_{\ell,1}, \ldots, e_{\ell,4}) := \Big(h_{i_\ell,1}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}},\ \ldots,\ h_{i_\ell,4}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\Big)
\tag{36}
$$
Clearly $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game G5. In the meantime, for $j \in [4]$ we have
$$
\begin{aligned}
e_{\ell,j} &\overset{\mathsf{G}_5}{=} u_{\ell,j}^{-x_{i_\ell,j}}\, u_{\ell,j+1}^{-y_{i_\ell,j}}\, T^{k_{\ell,j}} \\
&= \big(g_j^{r^*} T^{\alpha_j}\big)^{-r_\ell \cdot x_{i_\ell,j}} \big(g_{j+1}^{r^*} T^{\alpha_{j+1}}\big)^{-r_\ell \cdot y_{i_\ell,j}}\, T^{k_{\ell,j}} \\
&= \big(g_j^{-x_{i_\ell,j}} g_{j+1}^{-y_{i_\ell,j}}\big)^{r^* r_\ell}\, T^{k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \\
&\overset{\mathsf{G}_6}{=} h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2
\end{aligned}
\tag{37}
$$
Thus G6 is the same as G5 and $\Pr_5[\mathrm{Succ}] = \Pr_6[\mathrm{Succ}]$.

Game G7. It is identical to G6 except for the way the challenger answers the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$. In game G7, it uses $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathsf{ai}, \mathsf{aiae.c}\rangle$, where $\mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \ldots, k_4)$ and $m$ in the following way:

(i)
$$
\begin{aligned}
(\alpha'_1, \ldots, \alpha'_5) &:= \Big(\frac{\mathrm{dlog}_T(u_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(u_5^{\phi(N)})}{\phi(N)}\Big) \bmod N, \\
(\gamma'_1, \ldots, \gamma'_4) &:= \Big(\frac{\mathrm{dlog}_T(e_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(e_4^{\phi(N)})}{\phi(N)}\Big) \bmod N, \\
\mathbf{k} = (k_1, \ldots, k_4) &:= \big(\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1, \ldots, \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4\big) \bmod N.
\end{aligned}
\tag{38}
$$
(ii)
$$
\mathsf{E.c} = (\square_1, \ldots, \square_8, e, t)\ /\ \bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}).
\tag{39}
$$
(iii)
$$
\begin{aligned}
(\diamond_1, \ldots, \diamond_8) &:= \Big(\frac{\mathrm{dlog}_T(\square_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(\square_8^{\phi(N)})}{\phi(N)}\Big) \bmod N^{s-1}, \\
\gamma &:= \frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)} \bmod N^{s-1}, \\
m &:= \diamond_1 x_{i,1} + \diamond_2 y_{i,1} + \diamond_3 x_{i,2} + \diamond_4 y_{i,2} + \diamond_5 x_{i,3} + \diamond_6 y_{i,3} + \diamond_7 x_{i,4} + \diamond_8 y_{i,4} + \gamma \bmod N^{s-1}.
\end{aligned}
\tag{40}
$$
According to (8), for $j \in [4]$ we have that
$$
\begin{aligned}
k_j &\overset{\mathsf{G}_6}{=} \mathrm{dlog}_T\big(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}}\big) = \frac{\mathrm{dlog}_T\big((e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)}\big)}{\phi(N)} \bmod N \\
&= \frac{\mathrm{dlog}_T(u_j^{\phi(N) \cdot x_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N) \cdot y_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)} \\
&\overset{\mathsf{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}}_{\gamma'_j}, \\[4pt]
m &\overset{\mathsf{G}_6}{=} \mathrm{dlog}_T\big(e\, \square_1^{x_{i,1}} \square_2^{y_{i,1}} \square_3^{x_{i,2}} \square_4^{y_{i,2}} \square_5^{x_{i,3}} \square_6^{y_{i,3}} \square_7^{x_{i,4}} \square_8^{y_{i,4}}\big) \bmod N^{s-1} \\
&\overset{\mathsf{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T(\square_1^{\phi(N)})}{\phi(N)}}_{\diamond_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T(\square_8^{\phi(N)})}{\phi(N)}}_{\diamond_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)}}_{\gamma}.
\end{aligned}
\tag{41}
$$
Hence G7 is essentially the same as G6 and $\Pr_6[\mathrm{Succ}] = \Pr_7[\mathrm{Succ}]$.

Game G8. It is identical to G7 except for the way of answering the decrypt oracle queries $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$. More precisely, a rejection rule is added in decrypt:

(i) If $\alpha'_1 \neq 0 \vee \cdots \vee \alpha'_5 \neq 0 \vee \diamond_1 \neq 0 \vee \cdots \vee \diamond_8 \neq 0$, output $\bot$.

Denote by $\mathsf{Bad}$ the event that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying
$$
e_1 u_1^{x_{i,1}} u_2^{y_{i,1}},\ \ldots,\ e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathsf{RU}_{N^2} \quad \text{and} \quad \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \bot,
\tag{42}
$$
$$
\text{and} \quad e\, \square_1^{x_{i,1}} \square_2^{y_{i,1}} \square_3^{x_{i,2}} \square_4^{y_{i,2}} \square_5^{x_{i,3}} \square_6^{y_{i,3}} \square_7^{x_{i,4}} \square_8^{y_{i,4}} \in \mathsf{RU}_{N^s} \quad \text{and} \quad t = g_1^{m} \bmod N,
\tag{43}
$$
$$
\text{and} \quad (\alpha'_1 \neq 0 \vee \cdots \vee \alpha'_5 \neq 0 \vee \diamond_1 \neq 0 \vee \cdots \vee \diamond_8 \neq 0).
\tag{44}
$$
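The decapsulation of (38) and (41) and the rejection rule of G8 can be exercised on concrete numbers. The following Python is an added example, not code from the paper or its authors: it builds toy DCR parameters (the safe primes 47 and 59, the fixed seed, the four secret-key pairs and all function names are assumptions made here, far below real sizes), recovers the encapsulated key with the $\phi(N)$ trick of (38), checks it against the direct form in (41), and shows that a KEM component carrying a nontrivial $T$-part is flagged by $\alpha'_j \neq 0$ exactly as the G8 rule requires.

```python
# Added example (not from the paper): the arithmetic behind (38) and (41) and
# the G8 rejection rule, on constructed toy parameters.  alpha'_j != 0 exactly
# when u_j carries a T-component, i.e. when u_j lies outside SCR_{N^2}.
import random

P, Q = 47, 59                # constructed toy safe primes (p' = 23, q' = 29); far too small for real use
N = P * Q                    # 2773
N2 = N * N
PHI = (P - 1) * (Q - 1)      # phi(N) = 2668, coprime to N
T = 1 + N                    # T has order N in Z*_{N^2}: T^a = 1 + a*N (mod N^2)
rng = random.Random(2017)    # fixed seed so the run is reproducible


def scr_element():
    """Uniform element of SCR_{N^2} = {x^(2N) mod N^2}; its order divides phi(N)/4, so g^phi(N) = 1."""
    while True:
        x = rng.randrange(2, N2)
        if x % P and x % Q:          # x must be a unit mod N^2
            return pow(x, 2 * N, N2)


def dlog_T(v):
    """Discrete log base T of an element of <T>: T^a = 1 + a*N mod N^2, hence a = (v - 1) / N."""
    if (v - 1) % N:
        raise ValueError("argument is not a power of T")
    return ((v - 1) // N) % N


def t_exponent(u):
    """dlog_T(u^phi(N)) / phi(N) mod N, as in (38).  For u = g^r T^a with g in SCR_{N^2},
    u^phi(N) = T^(a*phi(N)) because g^phi(N) = 1, so this recovers a mod N (0 iff u is in SCR_{N^2})."""
    return dlog_T(pow(u, PHI, N2)) * pow(PHI, -1, N) % N


def keygen():
    """g_1..g_5 in SCR_{N^2}; sk = (x_j, y_j) for j in [4]; pk h_j = g_j^-x_j * g_{j+1}^-y_j mod N^2."""
    g = [scr_element() for _ in range(5)]
    x = [rng.randrange(N2 // 4) for _ in range(4)]
    y = [rng.randrange(N2 // 4) for _ in range(4)]
    h = [pow(g[j], -x[j], N2) * pow(g[j + 1], -y[j], N2) % N2 for j in range(4)]
    return (g, h), (x, y)


def kem_encrypt(pk):
    """u_j = g_j^r, e_j = h_j^r T^k_j mod N^2; returns the encapsulated key and ai = (u, e)."""
    g, h = pk
    r = rng.randrange(N // 4)
    k = [rng.randrange(N) for _ in range(4)]
    u = [pow(gj, r, N2) for gj in g]
    e = [pow(h[j], r, N2) * pow(T, k[j], N2) % N2 for j in range(4)]
    return k, (u, e)


def decap_g7(sk, ai):
    """Decapsulation of (38): k_j = alpha'_j x_j + alpha'_{j+1} y_j + gamma'_j mod N."""
    x, y = sk
    u, e = ai
    alpha = [t_exponent(uj) for uj in u]
    gamma = [t_exponent(ej) for ej in e]
    k = [(alpha[j] * x[j] + alpha[j + 1] * y[j] + gamma[j]) % N for j in range(4)]
    return alpha, k


def decap_g8(sk, ai):
    """G8 adds the rejection rule: output None (the symbol bot) unless every alpha'_j is 0."""
    alpha, k = decap_g7(sk, ai)
    return None if any(alpha) else k


def demo():
    pk, sk = keygen()
    k, (u, e) = kem_encrypt(pk)
    x, y = sk
    honest = decap_g8(sk, (u, e))
    # (41): the same key falls out of dlog_T(e_j u_j^x_j u_{j+1}^y_j), since the SCR parts cancel
    direct = [dlog_T(e[j] * pow(u[j], x[j], N2) * pow(u[j + 1], y[j], N2) % N2) for j in range(4)]
    # a component with a T-part: u_1 * T^5 is outside SCR_{N^2}.  G7 would decapsulate a key that
    # depends on x_1 mod N; G8 detects alpha'_1 = 5 and rejects the query.
    bad_ai = ([u[0] * pow(T, 5, N2) % N2] + u[1:], e)
    alpha_bad, _ = decap_g7(sk, bad_ai)
    return honest == k, direct == k, alpha_bad[0], decap_g8(sk, bad_ai) is None
```

The check matters because, as (41) shows, the key decapsulated from a $u_j \notin \mathsf{SCR}_{N^2}$ would be $\alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j$, a quantity depending on the secret key modulo $N$; rejecting such queries is what allows the proof to drop $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ from decrypt in the later games.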
Obviously G8 is identical to G7 unless $\mathsf{Bad}$ occurs. Thus $|\Pr_7[\mathrm{Succ}] - \Pr_8[\mathrm{Succ}]| \le \Pr_8[\mathsf{Bad}]$.

To show the computational indistinguishability of G7 and G8, we must prove that $\Pr_8[\mathsf{Bad}]$ is negligible. To this end, $\mathsf{Bad}$ is divided into two subevents:

(i) $\mathsf{Bad}'$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying
$$
\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \vee \cdots \vee \alpha'_5 \neq 0).
\tag{45}
$$
(ii) $\widetilde{\mathsf{Bad}}$: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying
$$
\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\diamond_1 \neq 0 \vee \cdots \vee \diamond_8 \neq 0).
\tag{46}
$$
Obviously $\Pr_8[\mathsf{Bad}] \le \Pr_8[\mathsf{Bad}'] + \Pr_8[\widetilde{\mathsf{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathsf{Bad}}]$ to subsequent games. Through the following lemma we provide the analysis of $\Pr_8[\mathsf{Bad}']$.

Lemma 26. One has $\Pr_8[\mathsf{Bad}'] \le 2 Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In decrypt of game G8, the challenger will reply $\bot$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\diamond_1 = \cdots = \diamond_8 = 0$. Consequently, the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, together with the value of $\phi(N)$ is enough for answering decrypt queries. In particular, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not necessary in decrypt.
$\mathsf{Bad}'$ is further divided into the following two subevents.

(i) $\mathsf{Bad}'$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying
$$
\text{Conditions (42), (43), } (\alpha'_1 \neq 0 \vee \cdots \vee \alpha'_5 \neq 0), \text{ and } \Big(\exists\, j \in [4]:\ \frac{\alpha'_j}{\alpha_j} \neq \frac{\alpha'_{j+1}}{\alpha_{j+1}} \bmod N\Big).
\tag{47}
$$
(ii) $\mathsf{Bad}'$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying
$$
\text{Conditions (42), (43), } (\alpha'_1 \neq 0 \vee \cdots \vee \alpha'_5 \neq 0), \text{ and } \Big(\frac{\alpha'_1}{\alpha_1} = \cdots = \frac{\alpha'_5}{\alpha_5} \bmod N\Big).
\tag{48}
$$
Recall that $(\alpha_1, \ldots, \alpha_5)$ are chosen in initialize.

We will consider the two subevents in game G8 separately via the following two claims.

Claim 27. One has $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In game G8, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$: for $j \in [4]$,
$$
\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{\triangleq\, \bullet_j} - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned}
\tag{49}
$$
If $\mathsf{Bad}'$-1 occurs, for concreteness say that $\alpha'_1/\alpha_1 \neq \alpha'_2/\alpha_2 \bmod N$, then
$$
k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar{x}_{i,1} + \alpha'_2 \bar{y}_{i,1} + \gamma'_1 \bmod N,
\tag{50}
$$
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_{\$} \mathbb{Z}_N$, the probability of $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \bot$ is upper bounded by $\mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.

Claim 28. One has $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. Similar to the discussion in the proof of the previous claim, in game G8 the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values of $\bullet_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\bullet_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\bullet_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\bullet_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt.

Note that, because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $(\bullet_1, \bullet_2, \bullet_3, \bullet_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm that simulates decrypt and encrypt of game G8 without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA encryption oracle of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathsf{pars}_{\mathsf{AIAE}})$, which has access to the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \ldots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more, and instead implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either, and instead it chooses $(\bullet_1, \bullet_2, \bullet_3, \bullet_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar{x}_{i,1}, \bar{y}_{i,1}, \ldots, \bar{x}_{i,4}, \bar{y}_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $\mathcal{B}_2$ can use $(\bar{x}_{i_\ell,j}, \bar{y}_{i_\ell,j}, \bullet_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(\bar{x}_{i,j}, \bar{y}_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar{x}_{i,j}, \bar{y}_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathsf{E.c}_\ell, \mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})\rangle)$ to its own $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle and obtains $\mathsf{aiae.c}_\ell$. The final ciphertext is $\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell\rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security game, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle will encrypt $\mathsf{E.c}_\ell$ with the auxiliary input $\mathsf{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$; that is, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle behaves as $\mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathsf{E.c}_\ell, \mathsf{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of encrypt is identical to G8. For decrypt, $\mathcal{B}_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like G8.
Suppose that $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ such that $\mathsf{Bad}'$-2 occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
$$
\begin{aligned}
k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{=\, \bullet_j} - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j \underbrace{{} - r \cdot (\bullet_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j}_{\triangleq\, s_j} = r \cdot k^*_j + s_j \bmod N.
\end{aligned}
\tag{51}
$$
Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4)\rangle$ as above using $(\bar{x}_{i,j}, \bar{y}_{i,j}, \bullet_j)_{j=1}^4$, and outputs $(\mathsf{ai}, \langle r, \mathbf{s}\rangle, \mathsf{aiae.c})$ to its weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.
(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathsf{ai}, \mathsf{aiae.c}\rangle \neq \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell\rangle$ for all $\ell \in [Q_e]$; thus $(\mathsf{ai}, \langle r, \mathbf{s}\rangle, \mathsf{aiae.c}) \neq (\mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell\rangle, \mathsf{aiae.c}_\ell)$ will hold for all $\ell \in [Q_e]$; that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\bullet_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot (\bullet_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s}\rangle = \langle r_\ell, \mathbf{s}_\ell\rangle$. Obviously this satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{aff}}$-RKA security.

(iii) Finally, if $\mathsf{Bad}'$-2 occurs in this decryption query, then $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \bot$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, will imply that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game G9. It is identical to G8 except for the following differences. In the initialize procedure of game G9, the challenger picks an independent $\bar{\mathbf{k}}^* = (\bar{k}^*_1, \bar{k}^*_2, \bar{k}^*_3, \bar{k}^*_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathsf{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathsf{aiae.c}_\ell$:

(i) $\mathbf{k}_\ell := (r_\ell \bar{k}^*_1 + s_{\ell,1}, \ldots, r_\ell \bar{k}^*_4 + s_{\ell,4})$;

(ii) $\mathsf{aiae.c}_\ell \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathsf{E.c}_\ell, \mathsf{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.
In G8 the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,
$$
\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell}\, T^{r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned}
\tag{52}
$$
Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Therefore the challenger could always employ another $\bar{\mathbf{k}}^* = (\bar{k}^*_1, \ldots, \bar{k}^*_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption in the encrypt oracle, as in G9.
Then game G8 and game G9 are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathrm{Succ}] = \Pr_9[\mathrm{Succ}]$ and $\Pr_8[\widetilde{\mathsf{Bad}}] = \Pr_9[\widetilde{\mathsf{Bad}}]$.

Game G10. It is identical to G9 except for the way the challenger answers the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game G10 the challenger computes $\mathsf{aiae.c}_\ell$ in the following way:

(i) $\mathsf{aiae.c}_\ell \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathsf{ai}_\ell)$.

Observe that in G9 and G10, $\bar{\mathbf{k}}^*$ is employed only in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption, where it uses $\mathbf{k}_\ell = r_\ell \cdot \bar{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between G9 and G10 results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{aff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathrm{Succ}] - \Pr_{10}[\mathrm{Succ}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\widetilde{\mathsf{Bad}}] - \Pr_{10}[\widetilde{\mathsf{Bad}}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in G10 the challenger always computes the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathrm{Succ}] = 1/2$.
To complete the proof of Theorem 24, we only need to prove the following lemma.

Lemma 29. One has $\Pr_{10}[\widetilde{\mathsf{Bad}}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda)$.

Proof. In G10, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g g_j \bmod \phi(N)/4$ for some base $g \in \mathsf{SCR}_{N^s}$, $j \in [5]$.
$\widetilde{\mathsf{Bad}}$ is further divided into the following two disjoint subevents.

(i) $\widetilde{\mathsf{Bad}}$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying
$$
\text{Conditions (42), (43), } (\alpha'_1 = \cdots = \alpha'_5 = 0), (\diamond_1 \neq 0 \vee \cdots \vee \diamond_8 \neq 0), \text{ and } \Big(\frac{\diamond_1}{w_1} \neq \frac{\diamond_2}{w_2} \vee \frac{\diamond_3}{w_2} \neq \frac{\diamond_4}{w_3} \vee \frac{\diamond_5}{w_3} \neq \frac{\diamond_6}{w_4} \vee \frac{\diamond_7}{w_4} \neq \frac{\diamond_8}{w_5}\Big).
\tag{53}
$$
(ii) $\widetilde{\mathsf{Bad}}$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying
$$
\text{Conditions (42), (43), } (\alpha'_1 = \cdots = \alpha'_5 = 0), (\diamond_1 \neq 0 \vee \cdots \vee \diamond_8 \neq 0), \text{ and } \Big(\frac{\diamond_1}{w_1} = \frac{\diamond_2}{w_2} \wedge \frac{\diamond_3}{w_2} = \frac{\diamond_4}{w_3} \wedge \frac{\diamond_5}{w_3} = \frac{\diamond_6}{w_4} \wedge \frac{\diamond_7}{w_4} = \frac{\diamond_8}{w_5}\Big).
\tag{54}
$$
We will analyze the two subevents in gameG10 separatelyvia the following two claims
Claim 30 One has Pr10[Bad-1] le 119876119889 sdot 2minusΩ(120582)
Proof If Bad-1 occurs for concreteness say that 11199081 =21199082 then1198921198981 = 11989211199091198941+21199101198941+sdotsdotsdot1= 11989211199091+21199101+11199091198941+21199101198941+sdotsdotsdotmod120601(119873)4
1 mod119873 (55)
and (11199091 + 21199101) mod120601(119873)4 is independent of (11990811199091 +11990821199101) mod120601(119873)4 Thus 1198921198981 is uniformly distributed overSCR119873119904 from Arsquos view and 119905 = 1198921198981 mod119873 will not holdexcept with negligible probability 2minusΩ(120582)
Then according to a union bound Pr10[Bad-1] le 119876119889 sdot2minusΩ(120582)
Claim 31 One has Pr10[Bad-2] le AdvdlGenN(120582) + 2minusΩ(120582)Proof In game G10 if Bad-2 occurs then we can constructa PPT adversary B3(119873 119901 119902 119892 ℎ) to compute the discretelogarithm of ℎ based on 119892 where 119892 ℎ isin SCR119873119904 With(119873 119901 119902 119892 ℎ) B3 simulates initialize as follows B3 picks119911119895 1199111015840119895 uniformly from [120601(119873)4] and sets 119892119895 fl 119892119911119895ℎ1199111015840119895 for119895 isin [5] Then 119892119895 is uniformly distributed over SCR119873119904 NextB3 samples secret keys and computes public keys just thesame way as initialize in G10 SinceB3 knows all the secretkeys together with 120601(119873) = (119901 minus 1)(119902 minus 1) B3 can perfectlysimulates encrypt and decrypt the same way as G10 doesFurthermore 1199111015840119895 is hidden by 119911119895 perfectly from Arsquo view Ifwe denote 119908 fl 119889 log119892ℎ mod120601(119873)4 then for 119895 isin [5]119908119895 = 119889 log119892119892119895 = 119911119895 + 1199081199111015840119895 mod120601(119873)4
If Bad-2 occurs in decrypt for concreteness say that11199081 = 21199082 = 0 mod120601(119873)4 that is 11989221 = 11989212 = 1then B3 can compute 119908 by solving the equation 11990812 =11990821 mod120601(119873)4 or equivalently
11991112 + 119908119911101584012 = 11991121 + 119908119911101584021mod120601 (119873)4 (56)
Since 1199111015840119895 is hidden from the point of view of A (119911101584012 minus119911101584021) mod120601(119873)4 is multiplicative invertible except withnegligible probability 2minusΩ(120582) Thus B3 will succeed in com-puting the discrete logarithm of ℎ based on 119892 and output119908 =(119911101584012 minus 119911101584021)minus1 sdot (11991121 minus 11991112) mod120601(119873)4 to its challengerClearly we have Pr10[Bad-2] le AdvdlGenNB3(120582) + 2minusΩ(120582)
In conclusion Lemma 29 follows from the above twoclaims
This completes the proof of Lemma 29In all we proved the 119899-KDM[Faff ]-CCA securityThis completes the proof of Theorem 24
5. PKE with $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^{d}_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], which are polynomial-sized circuits computing $f \in \mathcal{F}^{d}_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathrm{DDH}}$ and $\mathsf{KEM}$ as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as $\mathsf{KEM}$. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables

How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the $\mathsf{encrypt}$ oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^{8})$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^{8})$ monomial functions. Now this number is polynomial in $\lambda$.

The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the $\mathsf{initialize}$ procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, the keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}. \quad (57)$$

Consequently, $f_\ell$ in the $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in the 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) = f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) = f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (58)$$

The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:

(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.

(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in $\mathsf{initialize}$.

(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^{8})$ times, all the coefficients $a_{(c_1, \ldots, c_8)}$ can be extracted by solving a linear system of equations:
$$f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (59)$$

The overall time complexity for computing the coefficients $a_{(c_1, \ldots, c_8)}$ is polynomial in $\lambda$.
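As an added illustration of the coefficient-extraction procedure of Section 5.2 (our example, not code from the paper), the following Python models the modular arithmetic circuit as a black-box callable on $8n$ inputs, samples $\binom{8+d}{8}$ random points for $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, feeds the circuit the shifted inputs of (57), and solves the linear system (59) for the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$. Two assumptions are ours: a prime modulus `P` stands in for the paper's ring so that every pivot of the elimination is invertible, and the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})$ are passed as a flat list indexed by key (from 0) and variable.

```python
import random
from itertools import combinations_with_replacement

# Constructed demo modulus (an assumption, not the paper's ring): a prime lets
# Gauss-Jordan elimination invert every pivot; over Z_N or Z_{phi(N)/4} the same
# procedure works whenever the pivots happen to be units.
P = 1_000_003
VARS_PER_KEY = 8  # (x_{i,1}, y_{i,1}, ..., x_{i,4}, y_{i,4}) for one key i


def exponent_tuples(degree, num_vars=VARS_PER_KEY):
    """All (c_1, ..., c_8) with 0 <= c_1 + ... + c_8 <= degree: C(8+d, 8) tuples."""
    out = []
    for deg in range(degree + 1):
        for combo in combinations_with_replacement(range(num_vars), deg):
            c = [0] * num_vars
            for v in combo:
                c[v] += 1
            out.append(tuple(c))
    return out


def eval_monomial(c, point):
    r = 1
    for e, v in zip(c, point):
        r = r * pow(v, e, P) % P
    return r


def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination over Z_P; None if the system is singular."""
    n = len(rows)
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col] % P), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, P)
        m[col] = [v * inv % P for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % P for a, b in zip(m[r], m[col])]
    return [m[r][n] for r in range(n)]


def extract_coefficients(circuit, n, target, shifts, degree, rng):
    """Coefficients a_c of the 8-variable f'_l, given only black-box access to the
    8n-variable f_l (the modular arithmetic circuit) and the shifts of Section 5.2.
    shifts[i*8 + j] is the shift (x-bar / y-bar) of variable j of key i; target is i_l."""
    exps = exponent_tuples(degree)
    while True:  # fresh points if the sampled system happens to be singular
        rows, rhs = [], []
        for _ in range(len(exps)):
            pt = [rng.randrange(P) for _ in range(VARS_PER_KEY)]  # step (i)
            # step (ii): rewrite every key's variables as shifts of key i_l, as in (57)
            full = [(pt[j] + shifts[i * 8 + j] - shifts[target * 8 + j]) % P
                    for i in range(n) for j in range(VARS_PER_KEY)]
            rows.append([eval_monomial(c, pt) for c in exps])
            rhs.append(circuit(full) % P)  # step (iii)
        sol = solve_mod_p(rows, rhs)  # the linear system (59)
        if sol is not None:
            return dict(zip(exps, sol))


def eval_poly(coeffs, point):
    """Evaluate the recovered f'_l at a point of 8 variables."""
    return sum(a * eval_monomial(c, point) for c, a in coeffs.items()) % P
```

For instance, with two keys (indexed 0 and 1 in the code), a constructed circuit $3\,x_{0,1} y_{1,1} + 5\,x_{1,3} + 7$ and target key $i_\ell = 1$, the substitution $x_{0,1} = x_{1,1} + \bar{x}_{0,1} - \bar{x}_{1,1}$ of (57) turns the first monomial into $3\,x_{1,1} y_{1,1} + 3(\bar{x}_{0,1} - \bar{x}_{1,1})\,y_{1,1}$, so the solver returns 3 for $x_{1,1} y_{1,1}$, $3(\bar{x}_{0,1} - \bar{x}_{1,1})$ for $y_{1,1}$, 5 for $x_{1,3}$, 7 for the constant term and 0 for the other 41 monomials of degree at most 2.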
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (60)$$
Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 9.

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$-$\mathsf{G}_4$, which are related to the building block $\mathcal{E}$. Next we will replace $\mathsf{G}_3$-$\mathsf{G}_4$ with the following hybrids (i.e., Hybrid 1 to Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathsf{Encrypt}$ part of $\mathsf{encrypt}$ is changed in a computationally indistinguishable way, so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the $\mathsf{encrypt}$ oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^{4} \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^{4} \bmod N$ is reserved.

Hybrid 0. In the $\mathsf{initialize}$ procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (61)$$

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.

(i) Invoke $\mathcal{E}.\mathsf{Encrypt}$ to set up $\mathsf{table}$.

(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.

(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Clearly, $\tilde{v}_0, \ldots, \tilde{v}_8$ computed via $\mathcal{E}.\mathsf{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathsf{Encrypt}$. Therefore, this is just a conceptual change.

Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.

(i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry of $\mathsf{table}$ located in row 1 and column 1 is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$. By the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).

(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.

(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry of $\mathsf{table}$ located in row 1 and column 1 is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$.

(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the $\mathsf{encrypt}$ oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Similarly, we can change the $\mathsf{decrypt}$ oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^{4} \bmod N$ is not involved at all. More precisely, $\mathsf{decrypt}$ uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $\mathsf{G}_7$-$\mathsf{G}_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathsf{table}$ are elements in $\mathsf{SCR}_{N^s}$. If this is not the case, $\mathsf{decrypt}$ rejects immediately. Consequently, the $\mathsf{decrypt}$ oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through a similar analysis as that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.

[Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \ldots, 8\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; $\mathsf{table}$ has nine rows, row 0 being $(u_{0,1}, \ldots, u_{0,8})$ and row $l \ge 1$ being $(u_{l,1}, \ldots, u_{l,8})$ with the entry in column $l$ replaced by $u_{l,l} \cdot v_{l-1}$; $e = v_8 \cdot T^{m} \bmod N^s$, $t = g_1^{m} \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = (\mathsf{table}, e, t)$. $\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.c)$: parse $\mathcal{E}.c = (\mathsf{table}, e, t)$; $\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$, $\tilde{v}_1 = (u_{1,1}/\tilde{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$, $\tilde{v}_2 = u_{2,1}^{-x_1} (u_{2,2}/\tilde{v}_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$, $\ldots$, $\tilde{v}_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (u_{8,8}/\tilde{v}_7)^{-y_4}$; if $e/\tilde{v}_8 \in \mathsf{RU}_N$, set $m = \mathrm{dlog}_T(e/\tilde{v}_8) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$ output $m$, otherwise output $\perp$.]

[Figure 10: Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. Four columns show $\mathcal{E}.\mathsf{Encrypt}(f, i \in [n])$ in Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form); each samples the rows $(u_{l,1}, \ldots, u_{l,8})$ and titles $v_l$, $l \in \{0, 1, \ldots, 8\}$, exactly as in Figure 9, and they differ only in the $(1,1)$ entry of $\mathsf{table}$ ($u_{1,1} \cdot v_0$ versus $u_{1,1} T^{a} \cdot v_0$) and in $e$ ($v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$, $\tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$, or $v_8 \bmod N^s$), with $t = g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N \in \mathbb{Z}_N$ throughout and output $\mathcal{E}.c = (\mathsf{table}, e, t)$.]
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^{d}_{\mathrm{poly}}$. In Section 5.3, we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^{8})$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^{d}_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}(\mathbf{c})$ and $v(\mathbf{c})$ by invoking the algorithm $\mathsf{TableGen}$ shown in Figure 11. Finally, in $e$, $T^{m}$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}(\mathbf{c}) = v(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ by invoking the algorithm $\mathsf{CalculateV}$ in Figure 11. Thus the titles $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
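To make the table-and-title mechanism of Figure 11 concrete, here is an added reference implementation (ours, not the authors' code) of $\mathsf{TableGen}$, $\mathsf{CalculateV}$, $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ in Python. It assumes a constructed toy modulus $N = 23 \cdot 47$ with $s = 2$ (so the group is a subgroup of $\mathbb{Z}_{N^2}^*$, $T = 1 + N$, and $\mathrm{dlog}_T(1 + mN) = m$), generators $g_1, \ldots, g_5$ obtained as $2N$-th powers of random units, and key and randomness ranges $[\lfloor N^2/4 \rfloor]$ and $[\lfloor N/4 \rfloor]$ as in the paper; it only checks the algebra, since parameters of this size offer no security.

```python
import math
import random
from itertools import combinations_with_replacement

# Constructed toy DCR parameters (an assumption, not the paper's): p and q are
# safe primes and s = 2, so everything lives in Z_{N^2}^* and T = 1 + N spans RU_N.
SAFE_P, SAFE_Q = 23, 47
N = SAFE_P * SAFE_Q
N2 = N * N
T = 1 + N


def degree_tuples(d, num_vars=8):
    """The set S: all c = (c_1, ..., c_8) with 1 <= c_1 + ... + c_8 <= d."""
    out = []
    for deg in range(1, d + 1):
        for combo in combinations_with_replacement(range(num_vars), deg):
            c = [0] * num_vars
            for v in combo:
                c[v] += 1
            out.append(tuple(c))
    return out


def column_of_row(c, l):
    """Row l >= 1 of table(c) hides the previous title in column j (0-based):
    rows 1..c_1 use column 0, rows c_1+1..c_1+c_2 use column 1, and so on."""
    acc = 0
    for j, cj in enumerate(c):
        acc += cj
        if l <= acc:
            return j
    raise ValueError("row index exceeds c_1 + ... + c_8")


def keygen(rng):
    """g_1..g_5 in SCR_{N^2} (2N-th powers), sk = (x_1, y_1, ..., x_4, y_4) and
    pk = (h_1, ..., h_4) with h_j = g_j^{-x_j} g_{j+1}^{-y_j} mod N^2."""
    gs = []
    while len(gs) < 5:
        g = rng.randrange(2, N2)
        if math.gcd(g, N) == 1:
            gs.append(pow(g, 2 * N, N2))
    sk = [rng.randrange(N2 // 4) for _ in range(8)]
    pk = [pow(gs[j], -sk[2 * j], N2) * pow(gs[j + 1], -sk[2 * j + 1], N2) % N2
          for j in range(4)]
    return gs, sk, pk


def table_gen(gs, pk, c, rng):
    """TableGen (Figure 11(b)): sum(c)+1 rows; returns (table(c), title v(c))."""
    rows, titles = [], []
    for l in range(sum(c) + 1):
        r = [rng.randrange(N // 4) for _ in range(4)]
        u = [pow(gs[0], r[0], N2), pow(gs[1], r[0], N2), pow(gs[1], r[1], N2),
             pow(gs[2], r[1], N2), pow(gs[2], r[2], N2), pow(gs[3], r[2], N2),
             pow(gs[3], r[3], N2), pow(gs[4], r[3], N2)]
        v = 1
        for hj, rj in zip(pk, r):
            v = v * pow(hj, rj, N2) % N2
        if l > 0:  # chaining: one entry of row l is multiplied by v_{l-1}
            j = column_of_row(c, l)
            u[j] = u[j] * titles[-1] % N2
        rows.append(u)
        titles.append(v)
    return rows, titles[-1]


def calculate_v(sk, rows, c):
    """CalculateV (Figure 11(c)): recover v~_0, ..., v~_{sum(c)} with sk; returns v~(c)."""
    v_prev = None
    for l, row in enumerate(rows):
        u = list(row)
        if l > 0:
            j = column_of_row(c, l)
            u[j] = u[j] * pow(v_prev, -1, N2) % N2  # strip the title hidden in this row
        v = 1
        for uk, sk_k in zip(u, sk):  # u_{l,1}^{-x_1} u_{l,2}^{-y_1} ... u_{l,8}^{-y_4}
            v = v * pow(uk, -sk_k, N2) % N2
        v_prev = v
    return v_prev


def e_encrypt(gs, pk, m, d, rng):
    """E.Encrypt (Figure 11(a)): one table per c in S; T^m is masked by all titles."""
    tables, prod_v = {}, 1
    for c in degree_tuples(d):
        tables[c], v = table_gen(gs, pk, c, rng)
        prod_v = prod_v * v % N2
    e = prod_v * pow(T, m, N2) % N2
    t = pow(gs[0], m, N)
    return tables, e, t


def e_decrypt(gs, sk, ct, d):
    """E.Decrypt (Figure 11(a)): returns m, or None where the paper outputs bottom."""
    tables, e, t = ct
    prod_v = 1
    for c in degree_tuples(d):
        prod_v = prod_v * calculate_v(sk, tables[c], c) % N2
    val = e * pow(prod_v, -1, N2) % N2
    if val % N != 1:  # must lie in RU_N = {1 + mN}
        return None
    m = (val - 1) // N  # dlog_T of 1 + mN
    return m if t == pow(gs[0], m, N) else None
```

The chaining is the point: row $l \ge 1$ of $\mathsf{table}(\mathbf{c})$ carries $v_{l-1}$ inside the column selected by $\mathbf{c}$, so $\mathsf{CalculateV}$ must divide it out before exponentiating with the secret key, and a change to the row-1 entry propagates into the final title, which is exactly what the hybrids of the security proof exploit.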
Security Proof. We sketch the proof of KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$-$\mathsf{G}_4$. Next we will replace $\mathsf{G}_3$-$\mathsf{G}_4$ with the following hybrids (Hybrid 1 to Hybrid 3). Specifically, the $\mathcal{E}.\mathsf{Encrypt}$ part of $\mathsf{encrypt}$ is changed in a computationally indistinguishable way, so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the $\mathsf{encrypt}$ oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^{4} \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^{4} \bmod N$ is reserved.

Hybrid 0. In the $\mathsf{initialize}$ procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \quad (62)$$
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:

(1) invoke $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;

(2) invoke $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.

(ii) Employ $(\tilde{v}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ rather than $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
[Figure 11: (a) $\mathcal{E}.\mathsf{Encrypt}$ (left) and $\mathcal{E}.\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^{d}_{\mathrm{poly}}$; (b) $\mathsf{TableGen}$, which generates $\mathsf{table}(\mathbf{c})$ together with a title $v(\mathbf{c})$; (c) $\mathsf{CalculateV}$, which calculates a title $\tilde{v}(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ using the secret key.

(a) $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$: for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$; $e = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{m} \bmod N^s$; $t = g_1^{m} \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$. $\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}.c)$: parse $\mathcal{E}.c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$; for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}(\mathbf{c}), \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}))^{-1} \in \mathsf{RU}_N$, set $m = \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}))^{-1}\big) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$ output $m$, otherwise output $\perp$.

(b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: for each $l \in \{0, 1, \ldots, \sum_{j=1}^{8} c_j\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. $\mathsf{table}(\mathbf{c})$ has row 0 equal to $(u_{0,1}, \ldots, u_{0,8})$ and, for $l \ge 1$, row $l$ equal to $(u_{l,1}, \ldots, u_{l,8})$ with one entry multiplied by $v_{l-1}$: the entry in column 1 for the $c_1$ rows $l \in \{1, \ldots, c_1\}$, the entry in column 2 for the $c_2$ rows $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$, and so on, up to the entry in column 8 for the $c_8$ rows $l \in \{\sum_{j=1}^{7} c_j + 1, \ldots, \sum_{j=1}^{8} c_j\}$. Output $(\mathsf{table}(\mathbf{c}),\ v(\mathbf{c}) = v_{\sum_{j=1}^{8} c_j})$.

(c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathsf{table}(\mathbf{c}), \mathbf{c} = (c_1, \ldots, c_8))$: parse $\mathsf{table}(\mathbf{c}) = (u_{l,1}, \ldots, u_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^{8} c_j\}}$; $\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; for each $l \in \{1, \ldots, c_1\}$, $\tilde{v}_l = (u_{l,1}/\tilde{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; for each $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$, $\tilde{v}_l = u_{l,1}^{-x_1} (u_{l,2}/\tilde{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; $\ldots$; for each $l \in \{\sum_{j=1}^{7} c_j + 1, \ldots, \sum_{j=1}^{8} c_j\}$, $\tilde{v}_l = u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (u_{l,8}/\tilde{v}_{l-1})^{-y_4}$. Output $\tilde{v}(\mathbf{c}) = \tilde{v}_{\sum_{j=1}^{8} c_j}$.]
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}(\mathbf{c})$ computed via $\mathsf{CalculateV}$ is the same as $v(\mathbf{c})$ computed via $\mathsf{TableGen}$. Therefore, this change is just conceptual.

Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:

(1) $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference: more precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $(u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $u_{1,j} \cdot v_0$; by the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable;

(2) extract $\tilde{v}(\mathbf{c})$ from the (modified) $\mathsf{table}(\mathbf{c})$ by invoking $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.

(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$\tilde{v}(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1, \ldots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \quad (63)$$
Hence
$$e = \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \ldots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta}. \quad (64)$$

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $(u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $u_{1,j} \cdot v_0$.

(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the $\mathsf{encrypt}$ oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

With a similar argument as that in Section 5.3, we can change the $\mathsf{decrypt}$ oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^{4} \bmod N$ is not employed at all.
Appendix

A. Proof of Claim 19

We build a PPT adversary $\mathcal{B}$ against the INT-OT security of $\mathsf{AE}$. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_{\$} \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathsf{AE}}$ and has access to the oracle $\mathsf{encrypt}_{\mathsf{AE}}(\cdot) = \mathsf{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathsf{AIAE}}$ in the same way as in $\mathsf{G}'_{1,j}$. That is, invoke $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS.Setup}(1^{\lambda})$, pick $\mathrm{H} \leftarrow_{\$} \mathcal{H}$ randomly, and set $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathsf{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_{\$} \mathcal{HK}$.

As for the $\ell$th ($\ell \in [Q_e]$) $\mathsf{encrypt}$ query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.

(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.

(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all, and instead it will resort to its own $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, queries its $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_{\$} \mathsf{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathsf{G}'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $\mathsf{G}'_{1,j}$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the $\mathsf{AE}$ scheme as follows:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.

(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.

(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.

(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.

(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.

(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.

We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ will imply that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ imply that $\chi^* \neq \chi_j$ and $\mathsf{AE.Decrypt}(\kappa, \chi^*) \neq \perp$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $\mathsf{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B Proof of Indistinguishability betweenHybrids 2 and 3 in Section 53
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}^{\mathrm{IV5}}_b}(N, g_1, \ldots, g_5)$ to solve the IV5 problem. Firstly, $\mathcal{B}$ generates secret and public keys in $\mathsf{initialize}$ as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathsf{E.Encrypt}$ as follows.

(i) For the 0th row of $\mathsf{Table}$, $\mathcal{B}$ computes $(\tilde u_{0,1}, \ldots, \tilde u_{0,8})$ and $\tilde v_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}^{\mathrm{IV5}}_b$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$; that is,

Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.

$\mathcal{B}$ sets $\tilde u_{1,1} := u^*_{1,1} \cdot \tilde v_0$, which is $\tilde u_{1,1} = u_{1,1} \cdot \tilde v_0$ if $b = 0$ and $\tilde u_{1,1} = u_{1,1} T^{a} \cdot \tilde v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(\tilde u_{1,3}, \ldots, \tilde u_{1,8})$ in the 1st row of $\mathsf{Table}$ using its public keys and sets the 1st row of $\mathsf{Table}$ to be
$$\big(\tilde u_{1,1} = u^*_{1,1} \cdot \tilde v_0,\ u^*_{1,2},\ \tilde u_{1,3},\ \cdots,\ \tilde u_{1,8}\big). \tag{B.1}$$
$\mathcal{B}$ also computes $\tilde v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, \tilde u_{1,3}, \ldots, \tilde u_{1,8})$ via $\tilde v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} \tilde u_{1,3}^{-x_{i_\ell,2}} \cdots \tilde u_{1,8}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $\tilde v^*_1 = \tilde v_1$, or
Case ($b = 1$): $\tilde v^*_1 = \tilde v_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}^{\mathrm{IV5}}_b$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$; that is,

Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.

$\mathcal{B}$ sets $\tilde u_{2,2} := u^*_{2,2} \cdot \tilde v^*_1$; that is, $\tilde u_{2,2} = u_{2,2} \cdot \tilde v_1$ if $b = 0$ and $\tilde u_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(\tilde v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot \tilde v_1$ if $b = 1$. Thus $\tilde u_{2,2} = u_{2,2} \cdot \tilde v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(\tilde u_{2,3}, \ldots, \tilde u_{2,8})$ in the 2nd row of $\mathsf{Table}$ using its public keys and sets the 2nd row of $\mathsf{Table}$ to be
$$\big(u^*_{2,1},\ \tilde u_{2,2} = u^*_{2,2} \cdot \tilde v^*_1,\ \tilde u_{2,3},\ \cdots,\ \tilde u_{2,8}\big). \tag{B.2}$$
$\mathcal{B}$ also computes $\tilde v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, \tilde u_{2,3}, \ldots, \tilde u_{2,8})$ via $\tilde v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} \tilde u_{2,3}^{-x_{i_\ell,2}} \cdots \tilde u_{2,8}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $\tilde v^*_2 = \tilde v_2$, or
Case ($b = 1$): $\tilde v^*_2 = \tilde v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}^{\mathrm{IV5}}_b$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$; that is,

Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.

$\mathcal{B}$ sets $\tilde u_{3,3} := u^*_{3,3} \cdot \tilde v^*_2$; similarly, it is easy to check that $\tilde u_{3,3} = u_{3,3} \cdot \tilde v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of $\mathsf{Table}$ using its public keys and sets the 3rd row of $\mathsf{Table}$ to be
$$\big(\tilde u_{3,1},\ \tilde u_{3,2},\ \tilde u_{3,3} = u^*_{3,3} \cdot \tilde v^*_2,\ u^*_{3,4},\ \tilde u_{3,5},\ \cdots,\ \tilde u_{3,8}\big). \tag{B.3}$$
$\mathcal{B}$ also computes $\tilde v^*_3$ from $(\tilde u_{3,1}, \tilde u_{3,2}, u^*_{3,3}, u^*_{3,4}, \tilde u_{3,5}, \ldots, \tilde u_{3,8})$ via $\tilde v^*_3 := \tilde u_{3,1}^{-x_{i_\ell,1}} \tilde u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} \tilde u_{3,5}^{-x_{i_\ell,3}} \cdots \tilde u_{3,8}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $\tilde v^*_3 = \tilde v_3$, or
Case ($b = 1$): $\tilde v^*_3 = \tilde v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ computes $\mathsf{Table}$ similarly as above.

(vi) Finally, $\mathcal{B}$ computes $\tilde v_0, \ldots, \tilde v_8$ from $\mathsf{Table}$ just as in Hybrids 2 and 3 (also as the original $\mathsf{E.Decrypt}$ algorithm) and computes $\tilde e := \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j},\, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j},\, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2; if $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the IV5 problem.
Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
Security and Communication Networks 27
$$\begin{aligned}
&= \prod_{j=1}^{4} \big(g_j^{-x_{i_\ell,j}}\, g_{j+1}^{-y_{i_\ell,j}}\big)^{r_{\ell,j}} \cdot T^{\,m_1 - \sum_{i=1}^{n}\sum_{j=1}^{4}\left(a_{i,j} x_{i_\ell,j} + b_{i,j} y_{i_\ell,j}\right)} \\
&= \prod_{j=1}^{4} \big(g_j^{r_{\ell,j}}\, T^{\sum_{i=1}^{n} a_{i,j}}\big)^{-x_{i_\ell,j}} \big(g_{j+1}^{r_{\ell,j}}\, T^{\sum_{i=1}^{n} b_{i,j}}\big)^{-y_{i_\ell,j}} \cdot T^{m_1} \\
&= \tilde u_{\ell,1}^{-x_{i_\ell,1}}\, \tilde u_{\ell,2}^{-y_{i_\ell,1}} \cdots \tilde u_{\ell,7}^{-x_{i_\ell,4}}\, \tilde u_{\ell,8}^{-y_{i_\ell,4}} \cdot T^{m_1} \bmod N^s,
\end{aligned} \tag{35}$$
where the third equality follows from $m_1 = \sum_{i=1}^{n}\left(a_{i,1} x_{i,1} + b_{i,1} y_{i,1} + \cdots + a_{i,4} x_{i,4} + b_{i,4} y_{i,4}\right) + c$.
We analyze the difference between $\mathsf{G}_3$ and $\mathsf{G}_4$ via the following lemma.

Lemma 25. One has $|\Pr_3[\mathsf{Succ}] - \Pr_4[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.

Proof. According to the last line of (35), the way that $\tilde e_\ell$ is computed from $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ is the same in $\mathsf{G}_3$ and $\mathsf{G}_4$. Therefore, the only divergence between $\mathsf{G}_3$ and $\mathsf{G}_4$ lies in $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$.

We show that any difference between $\mathsf{G}_3$ and $\mathsf{G}_4$ results in a PPT adversary $\mathcal{B}_1$ solving the IV5 problem. $\mathcal{B}_1$ is provided with $(N, g_1, \ldots, g_5)$ and has access to its $\mathsf{chal}^{\mathrm{IV5}}_b$ oracle. $\mathcal{B}_1$ simulates game $\mathsf{G}_3$ or game $\mathsf{G}_4$ for $\mathcal{A}$. Firstly, $\mathcal{B}_1$ prepares $\mathsf{pars}$ and generates $(\mathsf{pk}_i, \mathsf{sk}_i)$, $i \in [n]$, as in $\mathsf{G}_3$ and $\mathsf{G}_4$. As for the $\ell$th ($\ell \in [Q_e]$) $\mathsf{encrypt}$ query $(f_\ell, i_\ell)$ from $\mathcal{A}$, where $f_\ell = \big((a_{i,1}, b_{i,1}, \ldots, a_{i,4}, b_{i,4})_{i \in [n]},\, c\big) \in \mathcal{F}_{\mathrm{aff}}$, $\mathcal{B}_1$ proceeds as follows. It queries its own $\mathsf{chal}^{\mathrm{IV5}}_b$ oracle with
$$\Big(\sum_{i=1}^{n} a_{i,1},\ \sum_{i=1}^{n} b_{i,1},\ *,\ *,\ *\Big),\quad \Big(*,\ \sum_{i=1}^{n} a_{i,2},\ \sum_{i=1}^{n} b_{i,2},\ *,\ *\Big),\quad \Big(*,\ *,\ \sum_{i=1}^{n} a_{i,3},\ \sum_{i=1}^{n} b_{i,3},\ *\Big),\quad \Big(*,\ *,\ *,\ \sum_{i=1}^{n} a_{i,4},\ \sum_{i=1}^{n} b_{i,4}\Big),$$
where the symbol "$*$" denotes dummy messages. Then $\mathcal{B}_1$ obtains its challenges $(\tilde u_{\ell,1}, \tilde u_{\ell,2}, *, *, *)$, $(*, \tilde u_{\ell,3}, \tilde u_{\ell,4}, *, *)$, $(*, *, \tilde u_{\ell,5}, \tilde u_{\ell,6}, *)$, $(*, *, *, \tilde u_{\ell,7}, \tilde u_{\ell,8})$ and neglects the "$*$" terms. According to the definition of the $\mathsf{chal}^{\mathrm{IV5}}_b$ oracle, $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ is one of the following:

Case 1 ($b = 0$): $\big(g_1^{r_{\ell,1}},\ g_2^{r_{\ell,1}},\ g_2^{r_{\ell,2}},\ g_3^{r_{\ell,2}},\ g_3^{r_{\ell,3}},\ g_4^{r_{\ell,3}},\ g_4^{r_{\ell,4}},\ g_5^{r_{\ell,4}}\big)$;
Case 2 ($b = 1$): $\big(g_1^{r_{\ell,1}} T^{\sum_{i} a_{i,1}},\ g_2^{r_{\ell,1}} T^{\sum_{i} b_{i,1}},\ g_2^{r_{\ell,2}} T^{\sum_{i} a_{i,2}},\ g_3^{r_{\ell,2}} T^{\sum_{i} b_{i,2}},\ g_3^{r_{\ell,3}} T^{\sum_{i} a_{i,3}},\ g_4^{r_{\ell,3}} T^{\sum_{i} b_{i,3}},\ g_4^{r_{\ell,4}} T^{\sum_{i} a_{i,4}},\ g_5^{r_{\ell,4}} T^{\sum_{i} b_{i,4}}\big)$, where each sum runs over $i \in [n]$.

Next, $\mathcal{B}_1$ uses the obtained $(\tilde u_{\ell,1}, \ldots, \tilde u_{\ell,8})$ and the secret keys to compute $\tilde e_\ell$ via (35) for $\mathcal{A}$. In the meantime, $\mathcal{B}_1$ can also simulate $\mathsf{decrypt}$ for $\mathcal{A}$ since it knows the secret keys. Finally, $\mathcal{B}_1$ outputs 1 if the event $\mathsf{Succ}$ occurs.

In Case 1, $\mathcal{B}_1$ simulates game $\mathsf{G}_3$ perfectly for $\mathcal{A}$; in Case 2, $\mathcal{B}_1$ simulates game $\mathsf{G}_4$ perfectly for $\mathcal{A}$. Any difference between $\Pr_3[\mathsf{Succ}]$ and $\Pr_4[\mathsf{Succ}]$ results in $\mathcal{B}_1$'s advantage over the IV5 problem. Thus Lemma 25 follows.
Game $\mathsf{G}_5$. It is identical to $\mathsf{G}_4$ except for the following differences. In the $\mathsf{initialize}$ procedure of game $\mathsf{G}_5$, the challenger picks $r^* \leftarrow_{\$} [\lfloor N/4 \rfloor]$ and $\alpha_1, \ldots, \alpha_5 \leftarrow_{\$} \mathbb{Z}_N$ randomly. As for the $\ell$th ($\ell \in [Q_e]$) $\mathsf{encrypt}$ query $(f_\ell, i_\ell)$, the challenger computes $(u_{\ell,1}, \ldots, u_{\ell,5})$ as follows.

(i) $(u_{\ell,1}, \ldots, u_{\ell,5}) := \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$.

The only difference between $\mathsf{G}_4$ and $\mathsf{G}_5$ is the distribution of $(u_{\ell,1}, \ldots, u_{\ell,5})$. In game $\mathsf{G}_4$, $(u_{\ell,1}, \ldots, u_{\ell,5}) = (g_1^{r_\ell}, \ldots, g_5^{r_\ell}) \bmod N^2$, while in game $\mathsf{G}_5$, $(u_{\ell,1}, \ldots, u_{\ell,5}) = \big((g_1^{r^*} T^{\alpha_1})^{r_\ell}, \ldots, (g_5^{r^*} T^{\alpha_5})^{r_\ell}\big) \bmod N^2$. Just like Lemma 25, any difference between $\mathsf{G}_4$ and $\mathsf{G}_5$ results in a PPT adversary solving the IV5 problem by invoking $\mathcal{A}$. Therefore, $|\Pr_4[\mathsf{Succ}] - \Pr_5[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{iv5}}_{\mathsf{GenN}}(\lambda)$.

Game $\mathsf{G}_6$. It is identical to $\mathsf{G}_5$ except for the following differences. In the $\mathsf{initialize}$ procedure of game $\mathsf{G}_6$, the challenger picks $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ randomly. As for the $\ell$th ($\ell \in [Q_e]$) $\mathsf{encrypt}$ query $(f_\ell, i_\ell)$, the challenger computes $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4})$ and $(e_{\ell,1}, \ldots, e_{\ell,4})$ in a different way.

(i) Pick $\mathbf{s}_\ell = (s_{\ell,1}, s_{\ell,2}, s_{\ell,3}, s_{\ell,4}) \leftarrow_{\$} (\mathbb{Z}_N)^4$ and $r_\ell \leftarrow_{\$} [\lfloor N/4 \rfloor]$ randomly, and compute $\mathbf{k}_\ell = (k_{\ell,1}, k_{\ell,2}, k_{\ell,3}, k_{\ell,4}) := (r_\ell k^*_1 + s_{\ell,1}, \ldots, r_\ell k^*_4 + s_{\ell,4})$.

(ii)
$$(e_{\ell,1}, \ldots, e_{\ell,4}) := \Big(h_{i_\ell,1}^{r^* r_\ell}\, T^{\,r_\ell \cdot (k^*_1 - \alpha_1 x_{i_\ell,1} - \alpha_2 y_{i_\ell,1}) + s_{\ell,1}},\ \ldots,\ h_{i_\ell,4}^{r^* r_\ell}\, T^{\,r_\ell \cdot (k^*_4 - \alpha_4 x_{i_\ell,4} - \alpha_5 y_{i_\ell,4}) + s_{\ell,4}}\Big). \tag{36}$$

Clearly $\mathbf{k}_\ell$ is uniformly random over $(\mathbb{Z}_N)^4$, just like that in game $\mathsf{G}_5$. In the meantime, for $j \in [4]$ we have
$$\begin{aligned}
e_{\ell,j} &\overset{\mathsf{G}_5}{=} u_{\ell,j}^{-x_{i_\ell,j}}\, u_{\ell,j+1}^{-y_{i_\ell,j}}\, T^{k_{\ell,j}} \\
&= (g_j^{r^*} T^{\alpha_j})^{-r_\ell \cdot x_{i_\ell,j}}\, (g_{j+1}^{r^*} T^{\alpha_{j+1}})^{-r_\ell \cdot y_{i_\ell,j}}\, T^{k_{\ell,j}} \\
&= \big(g_j^{-x_{i_\ell,j}}\, g_{j+1}^{-y_{i_\ell,j}}\big)^{r^* r_\ell}\, T^{\,k_{\ell,j} - r_\ell \cdot (\alpha_j x_{i_\ell,j} + \alpha_{j+1} y_{i_\ell,j})} \\
&\overset{\mathsf{G}_6}{=} h_{i_\ell,j}^{r^* r_\ell}\, T^{\,r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned} \tag{37}$$
Thus $\mathsf{G}_6$ is the same as $\mathsf{G}_5$, and $\Pr_5[\mathsf{Succ}] = \Pr_6[\mathsf{Succ}]$.

Game $\mathsf{G}_7$. It is identical to $\mathsf{G}_6$ except for the way the challenger answers the $\mathsf{decrypt}$ oracle queries $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$. In game $\mathsf{G}_7$, it uses $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\phi(N) = (p-1)(q-1)$ to decrypt $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle$, where $\mathsf{ai} = (u_1, \ldots, u_5, e_1, \ldots, e_4)$. More precisely, it computes $\mathbf{k} = (k_1, \ldots, k_4)$ and $m$ in the following way.

(i)
$$\begin{aligned}
(\alpha'_1, \ldots, \alpha'_5) &:= \Big(\frac{\mathrm{dlog}_T\big(u_1^{\phi(N)}\big)}{\phi(N)},\ \ldots,\ \frac{\mathrm{dlog}_T\big(u_5^{\phi(N)}\big)}{\phi(N)}\Big) \bmod N, \\
(\gamma'_1, \ldots, \gamma'_4) &:= \Big(\frac{\mathrm{dlog}_T\big(e_1^{\phi(N)}\big)}{\phi(N)},\ \ldots,\ \frac{\mathrm{dlog}_T\big(e_4^{\phi(N)}\big)}{\phi(N)}\Big) \bmod N, \\
\mathbf{k} = (k_1, \ldots, k_4) &:= \big(\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1,\ \ldots,\ \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4\big) \bmod N.
\end{aligned} \tag{38}$$

(ii)
$$\mathsf{E.c} = (\tilde u_1, \ldots, \tilde u_8, \tilde e, t)\ /\ \bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}). \tag{39}$$

(iii)
$$\begin{aligned}
(\tilde\alpha_1, \ldots, \tilde\alpha_8) &:= \Big(\frac{\mathrm{dlog}_T\big(\tilde u_1^{\phi(N)}\big)}{\phi(N)},\ \ldots,\ \frac{\mathrm{dlog}_T\big(\tilde u_8^{\phi(N)}\big)}{\phi(N)}\Big) \bmod N^{s-1}, \\
\tilde\gamma &:= \frac{\mathrm{dlog}_T\big(\tilde e^{\phi(N)}\big)}{\phi(N)} \bmod N^{s-1}, \\
m &:= \tilde\alpha_1 x_{i,1} + \tilde\alpha_2 y_{i,1} + \tilde\alpha_3 x_{i,2} + \tilde\alpha_4 y_{i,2} + \tilde\alpha_5 x_{i,3} + \tilde\alpha_6 y_{i,3} + \tilde\alpha_7 x_{i,4} + \tilde\alpha_8 y_{i,4} + \tilde\gamma \bmod N^{s-1}.
\end{aligned} \tag{40}$$

According to (8), for $j \in [4]$ we have that
$$\begin{aligned}
k_j &\overset{\mathsf{G}_6}{=} \mathrm{dlog}_T\big(e_j\, u_j^{x_{i,j}}\, u_{j+1}^{y_{i,j}}\big) = \frac{\mathrm{dlog}_T\big((e_j\, u_j^{x_{i,j}}\, u_{j+1}^{y_{i,j}})^{\phi(N)}\big)}{\phi(N)} \bmod N \\
&= \frac{\mathrm{dlog}_T\big(u_j^{\phi(N) \cdot x_{i,j}}\big)}{\phi(N)} + \frac{\mathrm{dlog}_T\big(u_{j+1}^{\phi(N) \cdot y_{i,j}}\big)}{\phi(N)} + \frac{\mathrm{dlog}_T\big(e_j^{\phi(N)}\big)}{\phi(N)} \\
&\overset{\mathsf{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T\big(u_j^{\phi(N)}\big)}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T\big(u_{j+1}^{\phi(N)}\big)}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T\big(e_j^{\phi(N)}\big)}{\phi(N)}}_{\gamma'_j}, \\[4pt]
m &\overset{\mathsf{G}_6}{=} \mathrm{dlog}_T\big(\tilde e\, \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}}\big) \bmod N^{s-1} \\
&\overset{\mathsf{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T\big(\tilde u_1^{\phi(N)}\big)}{\phi(N)}}_{\tilde\alpha_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T\big(\tilde u_8^{\phi(N)}\big)}{\phi(N)}}_{\tilde\alpha_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T\big(\tilde e^{\phi(N)}\big)}{\phi(N)}}_{\tilde\gamma}.
\end{aligned} \tag{41}$$
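A numerical check of the $\mathsf{G}_6$/$\mathsf{G}_7$ decryption equivalence in (38) and (41), added here as an example and not code from the paper: on a toy Damgård–Jurik modulus with $s = 2$ and $T = 1 + N$, it recovers $\mathbf{k}$ both by the direct $\mathrm{dlog}_T$ of (8) and by the $\phi(N)$-based route of (38), and applies the $\alpha'_j \neq 0$ rejection rule that Game $\mathsf{G}_8$ adds below. The primes $p = 101$, $q = 103$, the sampling ranges, and all function names are constructed for this example; the ciphertext shape follows $u_j = (g_j)^{r} T^{\alpha_j}$, $e_j = u_j^{-x_j} u_{j+1}^{-y_j} T^{k_j}$ from Game $\mathsf{G}_5$ (with $\alpha_j = 0$ giving the honest, $T$-free shape).

```python
"""Toy check of the phi(N)-based decryption of Game G7 (eqs. (38), (41)).

Constructed parameters only: p = 101, q = 103 (real instances use primes of
1024+ bits). Requires Python 3.8+ for pow(x, -1, m).
"""
import random
from math import gcd

P, Q = 101, 103                   # constructed toy primes with gcd(N, phi(N)) = 1
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)           # phi(N) = (p-1)(q-1): the extra knowledge used in G7
T = 1 + N                          # T^a = 1 + a*N (mod N^2), so dlog_T is (x-1)/N
assert gcd(N, PHI) == 1


def dlog_T(x: int) -> int:
    """Discrete log base T for x in the subgroup <T> of Z*_{N^2}."""
    x %= N2
    if (x - 1) % N != 0:
        raise ValueError("x is not a power of T modulo N^2")
    return ((x - 1) // N) % N


def scr_element(rng: random.Random) -> int:
    """Random mu^(2N) mod N^2: its order divides phi(N), so it has no T-component."""
    while True:
        mu = rng.randrange(2, N2)
        if gcd(mu, N) == 1:
            return pow(mu, 2 * N, N2)


def exponent_mod_N(x: int) -> int:
    """The G7 trick: dlog_T(x^phi(N)) / phi(N) mod N returns a for x = g^r * T^a,
    because g^phi(N) = 1 (mod N^2) for every g of order dividing phi(N)."""
    return dlog_T(pow(x, PHI, N2)) * pow(PHI, -1, N) % N


def encrypt_ai(sk, g, alphas, r, ks):
    """ai = (u_1..u_5, e_1..e_4) in the shape of game G5:
    u_j = g_j^r * T^{alpha_j},  e_j = u_j^{-x_j} * u_{j+1}^{-y_j} * T^{k_j}  (mod N^2)."""
    u = [pow(g[j], r, N2) * pow(T, alphas[j], N2) % N2 for j in range(5)]
    e = []
    for j in range(4):
        x, y = sk[j]
        e.append(pow(u[j], -x, N2) * pow(u[j + 1], -y, N2) * pow(T, ks[j], N2) % N2)
    return u, e


def recover_keys_g6(sk, u, e):
    """G6 route (eq. (8)): k_j = dlog_T(e_j * u_j^{x_j} * u_{j+1}^{y_j})."""
    return [dlog_T(e[j] * pow(u[j], sk[j][0], N2) * pow(u[j + 1], sk[j][1], N2))
            for j in range(4)]


def recover_keys_g7(sk, u, e):
    """G7 route (eq. (38)): alpha'_j from u_j, gamma'_j from e_j, then
    k_j = alpha'_j x_j + alpha'_{j+1} y_j + gamma'_j (mod N). Returns (alpha', k)."""
    alpha_p = [exponent_mod_N(uj) for uj in u]
    gamma_p = [exponent_mod_N(ej) for ej in e]
    k = [(alpha_p[j] * sk[j][0] + alpha_p[j + 1] * sk[j][1] + gamma_p[j]) % N
         for j in range(4)]
    return alpha_p, k


def decrypt_keys_g8(sk, u, e):
    """G8 adds the rejection rule on the alpha' part: output bot (None) if any alpha'_j != 0,
    i.e. if some u_j carries a T-component that an honest ciphertext never has."""
    alpha_p, k = recover_keys_g7(sk, u, e)
    return None if any(a != 0 for a in alpha_p) else k


def run_check(alphas, r=777, seed=7):
    """Build a toy key pair and one ai, then return
    (ks, k via G6, k via G7, alpha' via G7, result of the G8 rule)."""
    rng = random.Random(seed)
    sk = [(rng.randrange(N2 // 4), rng.randrange(N2 // 4)) for _ in range(4)]  # x_j, y_j
    g = [scr_element(rng) for _ in range(5)]                                  # g_1..g_5
    ks = [rng.randrange(N) for _ in range(4)]                                 # k_1..k_4
    u, e = encrypt_ai(sk, g, alphas, r, ks)
    alpha_p, k_g7 = recover_keys_g7(sk, u, e)
    return ks, recover_keys_g6(sk, u, e), k_g7, alpha_p, decrypt_keys_g8(sk, u, e)


if __name__ == "__main__":
    for alphas in ([0] * 5, [11, 22, 33, 44, 55]):
        ks, k6, k7, alpha_p, k8 = run_check(alphas)
        print(f"alphas={alphas}: G6==G7=={k6 == k7 == ks}, alpha'={alpha_p}, G8 -> {k8}")
```

With $\alpha_j = 0$ all three routes return the same $\mathbf{k}$; with the $\mathsf{G}_5$-shaped $u_j$ the $\mathsf{G}_6$ and $\mathsf{G}_7$ routes still agree but the $\mathsf{G}_8$ rule rejects, which is exactly the divergence the event $\mathsf{Bad}$ below captures.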
Hence $\mathsf{G}_7$ is essentially the same as $\mathsf{G}_6$, and $\Pr_6[\mathsf{Succ}] = \Pr_7[\mathsf{Succ}]$.

Game $\mathsf{G}_8$. It is identical to $\mathsf{G}_7$ except for the way of answering the $\mathsf{decrypt}$ oracle queries $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$. More precisely, a rejection rule is added in $\mathsf{decrypt}$:

(i) If $\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or $\tilde\alpha_1 \neq 0$ or $\cdots$ or $\tilde\alpha_8 \neq 0$, output $\bot$.

Denote by $\mathsf{Bad}$ the event that $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
$$e_1 u_1^{x_{i,1}} u_2^{y_{i,1}},\ \ldots,\ e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathsf{RU}_{N^2} \quad\text{and}\quad \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \bot \tag{42}$$
$$\text{and}\quad \tilde e\, \tilde u_1^{x_{i,1}} \tilde u_2^{y_{i,1}} \tilde u_3^{x_{i,2}} \tilde u_4^{y_{i,2}} \tilde u_5^{x_{i,3}} \tilde u_6^{y_{i,3}} \tilde u_7^{x_{i,4}} \tilde u_8^{y_{i,4}} \in \mathsf{RU}_{N^s} \quad\text{and}\quad t = g_1^{m} \bmod N \tag{43}$$
$$\text{and}\quad \big(\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0 \ \text{or} \ \tilde\alpha_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \tilde\alpha_8 \neq 0\big). \tag{44}$$

Obviously, $\mathsf{G}_8$ is identical to $\mathsf{G}_7$ unless $\mathsf{Bad}$ occurs. Thus $|\Pr_7[\mathsf{Succ}] - \Pr_8[\mathsf{Succ}]| \le \Pr_8[\mathsf{Bad}]$.

To show the computational indistinguishability of $\mathsf{G}_7$ and $\mathsf{G}_8$, we must prove that $\Pr_8[\mathsf{Bad}]$ is negligible. To this end, $\mathsf{Bad}$ is divided into two subevents.

(i) $\mathsf{Bad}'$: $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } \big(\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0\big). \tag{45}$$

(ii) $\overline{\mathsf{Bad}}$: $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } \big(\alpha'_1 = \cdots = \alpha'_5 = 0\big) \text{ and } \big(\tilde\alpha_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \tilde\alpha_8 \neq 0\big). \tag{46}$$

Obviously, $\Pr_8[\mathsf{Bad}] \le \Pr_8[\mathsf{Bad}'] + \Pr_8[\overline{\mathsf{Bad}}]$. We will defer the analysis of $\Pr_8[\overline{\mathsf{Bad}}]$ to subsequent games. Through the following lemma, we provide the analysis of $\Pr_8[\mathsf{Bad}']$.

Lemma 26. One has $\Pr_8[\mathsf{Bad}'] \le 2 Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In $\mathsf{decrypt}$ of game $\mathsf{G}_8$, the challenger will reply $\bot$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\tilde\alpha_1 = \cdots = \tilde\alpha_8 = 0$. Consequently, the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, together with the value of $\phi(N)$, is enough for answering $\mathsf{decrypt}$ queries. In particular, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not necessary in $\mathsf{decrypt}$.

$\mathsf{Bad}'$ is further divided into the following two subevents.

(i) $\mathsf{Bad}'\text{-}1$: $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } \big(\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0\big) \text{ and } \big(\exists j \in [4]:\ \alpha'_j/\alpha_j \neq \alpha'_{j+1}/\alpha_{j+1} \bmod N\big). \tag{47}$$

(ii) $\mathsf{Bad}'\text{-}2$: $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
$$\text{Conditions (42), (43), and } \big(\alpha'_1 \neq 0 \ \text{or} \ \cdots \ \text{or} \ \alpha'_5 \neq 0\big) \text{ and } \big(\alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \bmod N\big). \tag{48}$$

Recall that $(\alpha_1, \ldots, \alpha_5)$ are chosen in $\mathsf{initialize}$. We will consider the two subevents in game $\mathsf{G}_8$ separately via the following two claims.

Claim 27. One has $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. In game $\mathsf{G}_8$, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not needed in $\mathsf{decrypt}$, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in $\mathsf{encrypt}$ only makes use of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in $\mathsf{encrypt}$, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$, since for $j \in [4]$
$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\, T^{\,r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell}\, T^{\,r_\ell \cdot (\bar k_j - \alpha_j \bar x_{i_\ell,j} - \alpha_{j+1} \bar y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2, \qquad \text{where } \bar k_j \triangleq k^*_j - \alpha_j x_j - \alpha_{j+1} y_j.
\end{aligned} \tag{49}$$

If $\mathsf{Bad}'\text{-}1$ occurs, for concreteness say that $\alpha'_1/\alpha_1 \neq \alpha'_2/\alpha_2 \bmod N$, then
$$k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar x_{i,1} + \alpha'_2 \bar y_{i,1} + \gamma'_1 \bmod N, \tag{50}$$
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$ and thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_{\$} \mathbb{Z}_N$, the probability of $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \bot$ is upper bounded by $\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.
Claim 28. One has $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game $\mathsf{G}_8$ the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through $\mathsf{encrypt}$, which uses the values of $\bar k_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\bar k_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\bar k_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\bar k_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of $\mathsf{AIAE.Encrypt}$.

Note that, because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $(\bar k_1, \bar k_2, \bar k_3, \bar k_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore, it is possible to construct an algorithm that simulates $\mathsf{decrypt}$ and $\mathsf{encrypt}$ of game $\mathsf{G}_8$ without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate $\mathsf{AIAE.Encrypt}$ as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA encryption oracle of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathsf{pars}_{\mathsf{AIAE}})$, which has access to the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \ldots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in $\mathsf{initialize}$ any more; it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either; instead, it chooses $\bar{\mathbf{k}} = (\bar k_1, \bar k_2, \bar k_3, \bar k_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar x_{i,1}, \bar y_{i,1}, \ldots, \bar x_{i,4}, \bar y_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate $\mathsf{encrypt}$, $\mathcal{B}_2$ can use $(\bar x_{i_\ell,j}, \bar y_{i_\ell,j}, \bar k_j)_{j=1}^{4}$ to compute $(e_{\ell,j})_{j=1}^{4}$ via (49) and use $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^{4}$, $i \in [n]$, to compute $\tilde e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_j, y_j)_{j=1}^{4} \bmod \phi(N)/4$ and $(\bar x_{i,j}, \bar y_{i,j})_{j=1}^{4} \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathsf{E.c}_\ell, \mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4}) \rangle)$ to its own $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle and obtains $\mathsf{aiae.c}_\ell$. The final ciphertext is $\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security game, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle will encrypt $\mathsf{E.c}_\ell$ with the auxiliary input $\mathsf{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$; that is, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle behaves as $\mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathsf{E.c}_\ell, \mathsf{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of $\mathsf{encrypt}$ is identical to $\mathsf{G}_8$. For $\mathsf{decrypt}$, $\mathcal{B}_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like $\mathsf{G}_8$.

Suppose that $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ such that $\mathsf{Bad}'\text{-}2$ occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
$$\begin{aligned}
k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot \big(\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{= \bar k_j} - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}\big) + \gamma'_j \bmod N \\
&= r \cdot k^*_j + \underbrace{\big(- r \cdot (\bar k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j\big)}_{\triangleq s_j} = r \cdot k^*_j + s_j \bmod N.
\end{aligned} \tag{51}$$

Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4) \rangle$ as above using $(\bar x_{i,j}, \bar y_{i,j}, \bar k_j)_{j=1}^{4}$, and outputs $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiae.c})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle \neq \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiae.c}) \neq (\mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathsf{aiae.c}_\ell)$ holds for all $\ell \in [Q_e]$; that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (\bar k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = - r \cdot (\bar k_j - \alpha_j \bar x_{i,j} - \alpha_{j+1} \bar y_{i,j}) + \gamma'_j = s_{\ell,j}$, and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously, this satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.

(iii) Finally, if $\mathsf{Bad}'\text{-}2$ occurs in this decryption query, then $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \bot$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, which implies that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game G9 It is identical to G8 except for the following differ-ences In the initialize procedure of gameG9 the challengerpicks an independent k
lowast = (119896lowast1 119896lowast2 119896lowast3 119896lowast4 )larr$ (Z119873)4 besidesklowast = (119896lowast1 119896lowast2 119896lowast3 119896lowast4 ) As for the ℓth (ℓ isin [119876119890]) encryptoracle query (119891ℓ 119894ℓ) the challenger employs a different keyfor AIAEDDH in the computation of aiaecℓ
(i) kℓ fl (119903ℓ119896lowast1 + 119904ℓ1 119903ℓ119896lowast4 + 119904ℓ4)(ii) aiaecℓlarr$ AIAEEncrypt(kℓEcℓ aiℓ)
We stress that the challenger still employs klowast = (119896lowast1 119896lowast2 119896lowast3 119896lowast4 ) in the computation of (119890ℓ1 119890ℓ4)
In G8 the only place that involves the value of (1199091 1199101 1199094 1199104) mod119873 is in the computation of (119890ℓ1 119890ℓ4) inthe encrypt oracle Specifically for 119895 isin [4]119890ℓ119895 = ℎ119903lowast119903ℓ119894ℓ 119895
119879119903ℓ sdot(119896lowast119895 minus120572119895119909119894ℓ 119895minus120572119895+1119910119894ℓ 119895)+119904ℓ119895 mod1198732
= ℎ119903lowast119903ℓ119894ℓ 119895119879119903ℓ sdot(119896
lowast119895 minus120572119895119909119895minus120572119895+1119910119895minus120572119895119909119894ℓ 119895minus120572119895+1119910119894ℓ 119895
)+119904ℓ119895
mod1198732(52)
Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Therefore, the challenger could always employ another $\bar{\mathbf{k}}^* = (\bar k^*_1, \ldots, \bar k^*_4)$ in the computation of $\bar{\mathbf{k}}_\ell$ and utilize $\bar{\mathbf{k}}_\ell$ in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption in the encrypt oracle, as in $G_9$.

Then game $G_8$ and game $G_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathsf{Succ}] = \Pr_9[\mathsf{Succ}]$ and $\Pr_8[\mathsf{Bad}] = \Pr_9[\mathsf{Bad}]$.

Game $G_{10}$. It is identical to $G_9$ except for the way the challenger answers the $\ell$-th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $G_{10}$ the challenger computes $\mathsf{aiae.c}_\ell$ in the following way:
(i) $\mathsf{aiae.c}_\ell \leftarrow_\$ \mathsf{AIAE.Encrypt}(\bar{\mathbf{k}}_\ell, 0^{\lambda_M}, \mathsf{ai}_\ell)$.

Observe that in $G_9$ and $G_{10}$, $\bar{\mathbf{k}}^*$ is employed only in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption, where it uses $\bar{\mathbf{k}}_\ell = r_\ell \cdot \bar{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between $G_9$ and $G_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme. Therefore, $|\Pr_9[\mathsf{Succ}] - \Pr_{10}[\mathsf{Succ}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\mathsf{Bad}] - \Pr_{10}[\mathsf{Bad}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in $G_{10}$ the challenger always computes the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathsf{Succ}] = 1/2$.
To complete the proof of Theorem 24, we only need to prove the following lemma.

Lemma 29. One has $\Pr_{10}[\mathsf{Bad}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda)$.

Proof. In $G_{10}$, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g\, g_j \bmod \phi(N)/4$ for some base $g \in \mathrm{SCR}_{N^s}$, $j \in [5]$.
$\mathsf{Bad}$ is further divided into the following two disjoint subevents.

(i) $\mathsf{Bad}$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying Conditions (42), (43) and
$$
(\alpha'_1 = \cdots = \alpha'_5 = 0) \wedge ({}_{1} \neq 0 \vee \cdots \vee {}_{8} \neq 0) \wedge \big({}_{1} w_1 \neq {}_{2} w_2 \;\vee\; {}_{3} w_2 \neq {}_{4} w_3 \;\vee\; {}_{5} w_3 \neq {}_{6} w_4 \;\vee\; {}_{7} w_4 \neq {}_{8} w_5\big). \qquad (53)
$$

(ii) $\mathsf{Bad}$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying Conditions (42), (43) and
$$
(\alpha'_1 = \cdots = \alpha'_5 = 0) \wedge ({}_{1} \neq 0 \vee \cdots \vee {}_{8} \neq 0) \wedge \big({}_{1} w_1 = {}_{2} w_2 \;\wedge\; {}_{3} w_2 = {}_{4} w_3 \;\wedge\; {}_{5} w_3 = {}_{6} w_4 \;\wedge\; {}_{7} w_4 = {}_{8} w_5\big). \qquad (54)
$$
We will analyze the two subevents in game $G_{10}$ separately via the following two claims.

Claim 30. One has $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Proof. If $\mathsf{Bad}$-1 occurs, for concreteness say that ${}_{1} w_1 \neq {}_{2} w_2$, then
$$
g_1^{m_1} = g_1^{\,{}_{1} x_{i,1} + {}_{2} y_{i,1} + \cdots} = g_1^{\,({}_{1} x_1 + {}_{2} y_1 + {}_{1} \bar x_{i,1} + {}_{2} \bar y_{i,1} + \cdots) \bmod \phi(N)/4} \bmod N, \qquad (55)
$$
and $({}_{1} x_1 + {}_{2} y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m_1}$ is uniformly distributed over $\mathrm{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^{m_1} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound, $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $G_{10}$, if $\mathsf{Bad}$-2 occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathrm{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathrm{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys in the same way as initialize in $G_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $G_{10}$ does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g\, h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g\, g_j = z_j + w z'_j \bmod \phi(N)/4$.

If $\mathsf{Bad}$-2 occurs in decrypt, for concreteness say that ${}_{1} w_1 = {}_{2} w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_1^{\,{}_{2}} = g_2^{\,{}_{1}} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1\,{}_{2} = w_2\,{}_{1} \bmod \phi(N)/4$, or equivalently
$$
z_1\,{}_{2} + w z'_1\,{}_{2} = z_2\,{}_{1} + w z'_2\,{}_{1} \bmod \phi(N)/4. \qquad (56)
$$
Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1\,{}_{2} - z'_2\,{}_{1}) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ will succeed in computing the discrete logarithm of $h$ based on $g$ and output $w = (z'_1\,{}_{2} - z'_2\,{}_{1})^{-1} \cdot (z_2\,{}_{1} - z_1\,{}_{2}) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN},\mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], that is, polynomial-sized circuits computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of the modular arithmetic circuits; the only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables

How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.
The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.

The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} := x_j + \bar x_{i,j}$ and $y_{i,j} := y_j + \bar y_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$
x_{i,j} = x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j}. \qquad (57)
$$
Consequently, $f_\ell$ in the $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in the 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$
\begin{aligned}
f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big)
&= f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j}}_{x_{i,j}},\; \underbrace{y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) \\
&= f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big)
= \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1,\ldots,c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \qquad (58)
\end{aligned}
$$
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$, we can repeat the following procedure:
(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j},\; y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1,\ldots,c_8)}$ can be extracted by solving the linear system of equations
$$
f_\ell\big((x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j},\; y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1,\ldots,c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \qquad (59)
$$
The overall time complexity for computing the coefficients $a_{(c_1,\ldots,c_8)}$ is polynomial in $\lambda$.
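The reduction of Section 5.2 (the shift representation (57) and the coefficient extraction (59)) carried out in runnable form. This is an added example, not code from the paper or its authors, and the function names (`monomial_exponents`, `solve_mod_p`, `expand_keys`, `reduce_polynomial`, `eval_reduced`) are mine. It assumes a prime modulus `P` so that the linear system can be solved by Gauss-Jordan elimination over a field (the paper's own modulus is composite), a constructed two-user, degree-2 KDM function `sample_f` that is only ever evaluated as a black box, constructed shifts `SHIFTS` in the role of $(\bar x_{i,j}, \bar y_{i,j})$, and $k = 8$ variables per key as in the paper:

```python
import itertools
import random


def monomial_exponents(k, d):
    """All degree tuples (c_1, ..., c_k) with 0 <= c_1 + ... + c_k <= d: C(k+d, k) of them."""
    return [c for c in itertools.product(range(d + 1), repeat=k) if sum(c) <= d]


def eval_monomial(c, point, p):
    v = 1
    for e, x in zip(c, point):
        v = v * pow(x, e, p) % p
    return v


def solve_mod_p(A, b, p):
    """Gauss-Jordan elimination over F_p; returns None if the system is singular."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % p), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [v * inv % p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def expand_keys(point, shifts, target, p):
    """Equation (57): every user's key is the target user's key plus (shift_i - shift_target)."""
    k = len(point)
    return [[(point[j] + s[j] - shifts[target][j]) % p for j in range(k)] for s in shifts]


def reduce_polynomial(f, shifts, target, k, d, p, rng):
    """Recover the coefficients a_c of f'(sk_target) = f(all keys) by feeding the black box
    f with C(k+d, k) random points (expanded via the shifts) and solving the linear system (59)."""
    exps = monomial_exponents(k, d)
    while True:                                   # redraw points in the rare singular case
        pts = [[rng.randrange(p) for _ in range(k)] for _ in exps]
        A = [[eval_monomial(c, pt, p) for c in exps] for pt in pts]
        b = [f(expand_keys(pt, shifts, target, p), p) for pt in pts]
        sol = solve_mod_p(A, b, p)
        if sol is not None:
            return {c: a for c, a in zip(exps, sol) if a}   # keep the nonzero monomials


def eval_reduced(coeffs, point, p):
    return sum(a * eval_monomial(c, point, p) for c, a in coeffs.items()) % p


def sample_f(keys, p):
    """Constructed black-box KDM function of degree 2 over two users' 8-entry keys."""
    return (3 * keys[0][0] * keys[1][1] + keys[1][3] ** 2 + 7) % p


P = 1000003                                      # prime modulus assumed for the example
SHIFTS = [[0] * 8, [5, 11, 2, 9, 4, 6, 8, 3]]    # constructed shifts for users 0 and 1


def demo(seed=1):
    """Reduce sample_f to user 0's key, then cross-check f' against f on keys = base + shift."""
    rng = random.Random(seed)
    coeffs = reduce_polynomial(sample_f, SHIFTS, 0, 8, 2, P, rng)
    base = [rng.randrange(P) for _ in range(8)]   # (x_1, y_1, ..., x_4, y_4) from initialize
    keys = [[(b + s) % P for b, s in zip(base, sh)] for sh in SHIFTS]
    return coeffs, eval_reduced(coeffs, keys[0], P), sample_f(keys, P)
```

`demo()` recovers the five nonzero coefficients of $f'_\ell$ from 45 black-box evaluations (one per monomial of degree at most 2 in 8 variables) and then checks that $f'_\ell$ evaluated at user 0's key equals $f_\ell$ evaluated at all users' keys. The only failure mode of the interpolation step is a singular evaluation matrix, which the loop handles by drawing fresh points; over a prime field that happens with negligible probability.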
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we first consider a simple case: constructing $\mathcal{E}$ for a concrete type of monomial function, that is,
$$
f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \qquad (60)
$$
Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 9.

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $G_3$-$G_4$, which are related to the building block $\mathcal{E}$. Next we will replace $G_3$-$G_4$ with the following hybrids (i.e., Hybrid 1 to Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar x_{i,j}$ and $y_{i,j} := y_j + \bar y_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $G_2$ in the proof of Theorem 24.
Hybrid 1. Using $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$
f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \qquad (61)
$$

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $G_3$ in the proof of Theorem 24.
(i) Invoke $\mathcal{E}.\mathsf{Encrypt}$ to set up $\mathsf{table}$.
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde v_0, \ldots, \tilde v_8$ from $\mathsf{table}$.
(iii) Employ $\tilde v_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Clearly, $\tilde v_0, \ldots, \tilde v_8$ computed via $\mathcal{E}.\mathsf{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathsf{Encrypt}$. Therefore, this is just a conceptual change.

Hybrid 3. This hybrid corresponds to $G_4$ in the proof of Theorem 24.
(i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, in $\mathsf{table}$
Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$ (figure; only the recoverable content is kept here).

$\mathcal{E}.c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \ldots, 8\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. $\mathsf{table}$ consists of rows $0, \ldots, 8$: row 0 is $(u_{0,1}, \ldots, u_{0,8})$, and row $l \ge 1$ is $(u_{l,1}, \ldots, u_{l,8})$ with its diagonal entry replaced by $u_{l,l} \cdot v_{l-1}$. Then $e = v_8 \cdot T^m \bmod N^s$ and $t = g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = (\mathsf{table}, e, t)$.

$m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.c)$: parse $\mathcal{E}.c = (\mathsf{table}, e, t)$ and compute $v_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$, $v_1 = (u_{1,1}/v_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$, $v_2 = u_{2,1}^{-x_1} (u_{2,2}/v_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$, $\ldots$, $v_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (u_{8,8}/v_7)^{-y_4}$. If $e/v_8 \in \mathrm{RU}_N$, set $m = \mathrm{dlog}_T(e/v_8) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\bot$.
Figure 10: Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$ (figure; only the recoverable content is kept here). The figure shows $\mathcal{E}.c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(f, i \in [n])$ side by side in Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form). In all four, $\mathsf{table}$ is built row by row as in Figure 9 (for $l \in \{0, 1, \ldots, 8\}$: $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$, $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$), except that from Hybrid 3 on the entry $u_{1,1} \cdot v_0$ becomes $u_{1,1} T^a \cdot v_0$. The titles $\tilde v_0, \ldots, \tilde v_8$ are recomputed from $\mathsf{table}$ with $\mathsf{sk}$ exactly as in $\mathcal{E}.\mathsf{Decrypt}$ ($\tilde v_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} \cdots u_{0,8}^{-y_4}$, $\tilde v_1 = (u_{1,1}/\tilde v_0)^{-x_1} u_{1,2}^{-y_1} \cdots u_{1,8}^{-y_4}$, $\ldots$, $\tilde v_8 = u_{8,1}^{-x_1} \cdots u_{8,7}^{-x_4} (u_{8,8}/\tilde v_7)^{-y_4} \bmod N^s$). Then $e = v_8 \cdot T^{f'((x_j, y_j)_{j \in [4]})} \bmod N^s$ in Hybrid 1, $e = \tilde v_8 \cdot T^{f'((x_j, y_j)_{j \in [4]})} \bmod N^s$ in Hybrids 2 and 3, and $e = v_8 \bmod N^s$ in the equivalent form; throughout, $t = g_1^{f'((x_j, y_j)_{j \in [4]})} \bmod N \in \mathbb{Z}_N$, and the output is $\mathcal{E}.c = (\mathsf{table}, e, t)$.
the entry located in row 1 and column 1 is now computed as $\tilde u_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde u_{1,1} = u_{1,1} \cdot v_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde v_0, \ldots, \tilde v_8$ from $\mathsf{table}$.
(iii) Compute $e := \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, we have $\tilde v_0 = v_0$, $\tilde v_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde v_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde v_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form).
(i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry located in row 1 and column 1 of $\mathsf{table}$ is now computed as $\tilde u_{1,1} = (u_{1,1} T^a) \cdot v_0$ rather than $\tilde u_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{\,f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key together with $\phi(N)$. This change corresponds to $G_7$-$G_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathsf{table}$ are elements of $\mathrm{SCR}_{N^s}$; if this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which we name a title. Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. Each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$ can be associated with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is,
$$
\mathcal{S} := \{\, \mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d \,\}.
$$

For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}(\mathbf{c})$ and $v(\mathbf{c})$ by invoking the algorithm $\mathsf{TableGen}$ shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde v(\mathbf{c}) = v(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ by invoking the algorithm $\mathsf{CalculateV}$ in Figure 11. Thus the titles $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
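The table mechanism of Sections 5.3 and 5.4 ($\mathsf{TableGen}$, $\mathsf{CalculateV}$, $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ of Figure 11; Figure 9 is the special case $\mathbf{c} = (1, \ldots, 1)$) as an added, runnable example. This is not the paper's code. It assumes constructed toy parameters ($N = 1019 \cdot 1031$ and $s = 2$, so the arithmetic is in $\mathbb{Z}_{N^2}^*$ with $T = 1 + N$ and $g_1, \ldots, g_5$ taken as $2N$-th powers; these sizes are far too small for any real use), secret keys drawn from $[\lfloor N^2/4 \rfloor]$, and function names of my own choosing. The `tweak` argument reproduces the Hybrid 3 (Equivalent Form) computation of this section: one table receives $T^{a}$ in its first row, $e$ is set to $\prod_{\mathbf{c}} v(\mathbf{c})$ with no $T^m$ factor at all, and decryption nevertheless returns $a \cdot x_{1}^{c_1} y_{1}^{c_2} \cdots y_{4}^{c_8} \bmod N$, which is the entropy-filter effect derived in (63) and (64). In that mode the example simply takes the message value as given when it forms $t$:

```python
import itertools
import random


def setup(p=1019, q=1031, seed=7):
    """Constructed toy parameters (insecure sizes): N = pq, s = 2, arithmetic in Z_{N^2}^*,
    T = 1 + N of order N, and g_1..g_5 as 2N-th powers, i.e. elements of SCR_{N^2}."""
    rng = random.Random(seed)
    N, N2 = p * q, (p * q) ** 2
    g = []
    while len(g) < 5:
        a = rng.randrange(2, N2)
        if a % p and a % q:                       # keep only units of Z_{N^2}
            g.append(pow(a, 2 * N, N2))
    return {"N": N, "N2": N2, "T": 1 + N, "g": g, "rng": rng}


def keygen(P):
    """sk = (x_1, y_1, ..., x_4, y_4) from [N^2/4]; pk = (h_j = g_j^{-x_j} g_{j+1}^{-y_j})_j."""
    N2, g, rng = P["N2"], P["g"], P["rng"]
    sk = [rng.randrange(P["N"] ** 2 // 4) for _ in range(8)]
    pk = [pow(g[j], -sk[2 * j], N2) * pow(g[j + 1], -sk[2 * j + 1], N2) % N2 for j in range(4)]
    return sk, pk


def fresh_row(P, pk):
    """u = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4})
    and its title v = h_1^{r_1} h_2^{r_2} h_3^{r_3} h_4^{r_4}, all mod N^2."""
    N2, g, rng = P["N2"], P["g"], P["rng"]
    r = [rng.randrange(P["N"] // 4) for _ in range(4)]
    u = [pow(g[(k + 1) // 2], r[k // 2], N2) for k in range(8)]
    v = 1
    for j in range(4):
        v = v * pow(pk[j], r[j], N2) % N2
    return u, v


def column_schedule(c):
    """0-based column used by row l >= 1: c_1 rows use column 1, then c_2 rows column 2, ..."""
    return [j for j, cj in enumerate(c) for _ in range(cj)]


def table_gen(P, pk, c, tweak=0):
    """TableGen(pk, c): rows 0..sum(c); row l embeds v_{l-1} in its scheduled column.
    tweak = a != 0 reproduces Hybrid 3: the row-1 entry is additionally multiplied by T^a."""
    N2, T = P["N2"], P["T"]
    cols = column_schedule(c)
    table, v_prev = [], None
    for l in range(len(cols) + 1):
        u, v = fresh_row(P, pk)
        if l >= 1:
            u[cols[l - 1]] = u[cols[l - 1]] * v_prev % N2
            if l == 1 and tweak:
                u[cols[0]] = u[cols[0]] * pow(T, tweak, N2) % N2
        table.append(u)
        v_prev = v
    return table, v_prev                          # v_prev is the title v(c)


def calculate_v(P, sk, table, c):
    """CalculateV(sk, table(c), c): recover the titles row by row with the secret key."""
    N2 = P["N2"]
    cols = column_schedule(c)
    v_prev = None
    for l, row in enumerate(table):
        cells = list(row)
        if l >= 1:                                # divide out the embedded previous title
            cells[cols[l - 1]] = cells[cols[l - 1]] * pow(v_prev, -1, N2) % N2
        v = 1                                     # u_{l,1}^{-x_1} u_{l,2}^{-y_1} ... u_{l,8}^{-y_4}
        for cell, exp in zip(cells, sk):
            v = v * pow(cell, -exp, N2) % N2
        v_prev = v
    return v_prev


def degree_tuples(d, k=8):
    """S = {c : 1 <= c_1 + ... + c_k <= d}: one table per nonconstant monomial type."""
    return [c for c in itertools.product(range(d + 1), repeat=k) if 1 <= sum(c) <= d]


def e_encrypt(P, pk, m, S, tweak=None):
    """E.Encrypt: e = prod_c v(c) * T^m mod N^2, t = g_1^m mod N. With tweak = (c*, a) the
    Hybrid 3 equivalent form is built instead: T^a goes into table(c*), e carries no T^m
    factor, and m is used only for t."""
    N, N2, T, g = P["N"], P["N2"], P["T"], P["g"]
    tables, prod_v = {}, 1
    for c in S:
        a = tweak[1] if tweak and tweak[0] == c else 0
        tables[c], v = table_gen(P, pk, c, a)
        prod_v = prod_v * v % N2
    e = prod_v if tweak else prod_v * pow(T, m, N2) % N2
    return tables, e, pow(g[0], m, N)


def e_decrypt(P, sk, ct, S):
    """E.Decrypt: returns m, or None where the paper outputs bottom."""
    N, N2, g = P["N"], P["N2"], P["g"]
    tables, e, t = ct
    w = e
    for c in S:
        w = w * pow(calculate_v(P, sk, tables[c], c), -1, N2) % N2
    if w % N != 1:                                # e / prod v(c) must lie in RU_N = {1 + kN}
        return None
    m = (w - 1) // N                              # dlog_T, since T^k = 1 + kN mod N^2
    return m if pow(g[0], m, N) == t else None


def filtered_demo(d=2, c_star=(1, 1, 0, 0, 0, 0, 0, 0), a=3, seed=7):
    """Hybrid 3 equivalent form: the ciphertext decrypts to a * sk^{c*} mod N although
    E.Encrypt never computed T^m; a wrong key must be rejected."""
    P = setup(seed=seed)
    sk, pk = keygen(P)
    S = degree_tuples(d)
    mono = a
    for exp, val in zip(c_star, sk):              # a * x_1^{c_1} y_1^{c_2} ... y_4^{c_8} mod N
        mono = mono * pow(val, exp, P["N"]) % P["N"]
    ct = e_encrypt(P, pk, mono, S, tweak=(c_star, a))
    wrong_sk, _ = keygen(P)
    return e_decrypt(P, sk, ct, S), mono, e_decrypt(P, wrong_sk, ct, S) is None
```

`filtered_demo()` walks the chain the text derives by hand: the $T^{a}$ planted in row 1 of $\mathsf{table}(\mathbf{c}^*)$ is raised to $-x_1$ when the decryptor strips $v_0$, the resulting $T^{-a x_1}$ hidden in $\tilde v_1$ is raised to $-y_1$ in the next row, and so on, so the last title is $v(\mathbf{c}^*) \cdot T^{-a\, x_1^{c_1} y_1^{c_2} \cdots}$ and $e / \prod_{\mathbf{c}} \tilde v(\mathbf{c})$ decodes to the monomial value. The $\mathrm{RU}_N$ membership test is what makes a wrong key (or a tampered table) fail closed rather than decode to garbage.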
Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $G_3$-$G_4$. Next we will replace $G_3$-$G_4$ with the following hybrids (Hybrid 1 to Hybrid 3). Specifically, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar x_{i,j}$ and $y_{i,j} := y_j + \bar y_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $G_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$
f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1,\ldots,c_8) \in \mathcal{S}} a_{(c_1,\ldots,c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \qquad (62)
$$
where $\delta$ is the constant term $a_{(0,\ldots,0)}$ of $f'_\ell$.

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $G_3$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
(2) invoke $\tilde v(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Employ $(\tilde v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ rather than $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde v(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Figure 11: (a) $\mathcal{E}.\mathsf{Encrypt}$ (left) and $\mathcal{E}.\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) $\mathsf{TableGen}$, which generates $\mathsf{table}(\mathbf{c})$ together with a title $v(\mathbf{c})$; (c) $\mathsf{CalculateV}$, which calculates a title $\tilde v(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ using the secret key (figure; only the recoverable content is kept here).

(a) $\mathcal{E}.c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$: for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$; $e = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^m \bmod N^s$; $t = g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$. $m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}.c)$: parse $\mathcal{E}.c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$; for each $\mathbf{c} \in \mathcal{S}$, $\tilde v(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}(\mathbf{c}), \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde v(\mathbf{c}))^{-1} \in \mathrm{RU}_N$, set $m = \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde v(\mathbf{c}))^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\bot$.

(b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: for each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. Row 0 of $\mathsf{table}(\mathbf{c})$ is $(u_{0,1}, \ldots, u_{0,8})$; the next $c_1$ rows ($l = 1, \ldots, c_1$) carry $u_{l,1} \cdot v_{l-1}$ in column 1, the next $c_2$ rows ($l = c_1 + 1, \ldots, c_1 + c_2$) carry $u_{l,2} \cdot v_{l-1}$ in column 2, and so on, until the last $c_8$ rows ($l = \sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j$) carry $u_{l,8} \cdot v_{l-1}$ in column 8; all other entries are the $u_{l,k}$ themselves. Output $(\mathsf{table}(\mathbf{c}),\ v(\mathbf{c}) = v_{\sum_{j=1}^8 c_j})$.

(c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathsf{table}(\mathbf{c}), \mathbf{c} = (c_1, \ldots, c_8))$: parse $\mathsf{table}(\mathbf{c}) = (u_{l,1}, \ldots, u_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$; $\tilde v_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; for each $l \in \{1, \ldots, c_1\}$, $\tilde v_l = (u_{l,1}/\tilde v_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; for each $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$, $\tilde v_l = u_{l,1}^{-x_1} (u_{l,2}/\tilde v_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; $\ldots$; for each $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$, $\tilde v_l = u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (u_{l,8}/\tilde v_{l-1})^{-y_4}$. Output $\tilde v(\mathbf{c}) = \tilde v_{\sum_{j=1}^8 c_j}$.
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde v(\mathbf{c})$ computed via $\mathsf{CalculateV}$ is the same as $v(\mathbf{c})$ computed via $\mathsf{TableGen}$. Therefore, this change is just conceptual.

Hybrid 3. This hybrid corresponds to $G_4$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference; more precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde u_{1,j} = (u_{1,j} T^{a_{(c_1,\ldots,c_8)}}) \cdot v_0$ rather than $\tilde u_{1,j} = u_{1,j} \cdot v_0$; by the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable;
(2) extract $\tilde v(\mathbf{c})$ from the (modified) $\mathsf{table}(\mathbf{c})$ by invoking $\tilde v(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde v(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$
\tilde v(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1,\ldots,c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \qquad (63)
$$
Hence
$$
\begin{aligned}
e &= \prod_{\mathbf{c} \in \mathcal{S}} \tilde v(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \\
&= \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1,\ldots,c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}
= \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta}. \qquad (64)
\end{aligned}
$$

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form).
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde u_{1,j} = (u_{1,j} T^{a_{(c_1,\ldots,c_8)}}) \cdot v_0$ rather than $\tilde u_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{\,f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

With a similar argument as that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
Appendix

A. Proof of Claim 19

We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathrm{AE}}$ and has access to the oracle $\mathsf{encrypt}_{\mathrm{AE}}(\cdot) = \mathsf{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathrm{AIAE}}$ in the same way as in $G'_{1,j}$. That is, it invokes $\mathsf{pars}_{\mathrm{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, picks $\mathrm{H} \leftarrow_\$ \mathcal{H}$ randomly, and sets $\mathsf{pars}_{\mathrm{AIAE}} := (\mathsf{pars}_{\mathrm{THPS}}, \mathsf{pars}_{\mathrm{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathrm{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.

As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all and instead resorts to its own $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, queries its $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathsf{encrypt}_{\mathrm{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $G'_{1,j}$. Therefore, the simulation of $\mathcal{B}$ is the same as that in $G'_{1,j}$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows:

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If there exists $(\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If there exists $(C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ implies that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$ imply that $\chi^* \neq \chi_j$ and $\mathsf{AE.Decrypt}(\kappa, \chi^*) \neq \bot$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $G'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\text{int-ot}}_{\mathrm{AE},\mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}^b_{\mathrm{IV}_5}}(N, g_1, \ldots, g_5)$ to solve the $\mathrm{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in $\mathsf{initialize}$ as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}.\mathsf{Encrypt}$ as follows.

(i) For the 0th row of table, $\mathcal{B}$ computes $(\tilde{u}_{01}, \ldots, \tilde{u}_{08})$ and $V_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathrm{IV}_5}$ oracle with $(a, 0, \ast, \ast, \ast)$ and obtains its challenge $(\tilde{u}^\ast_{11}, \tilde{u}^\ast_{12}, \ast, \ast, \ast)$; that is,

Case ($b = 0$): $(\tilde{u}^\ast_{11}, \tilde{u}^\ast_{12}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (\tilde{u}_{11}, \tilde{u}_{12})$, or
Case ($b = 1$): $(\tilde{u}^\ast_{11}, \tilde{u}^\ast_{12}) = (g_1^{r_{1,1}} T^a, g_2^{r_{1,1}}) = (\tilde{u}_{11} T^a, \tilde{u}_{12})$.

$\mathcal{B}$ sets the $(1,1)$ entry of table to $\tilde{u}^\ast_{11} \cdot V_0$, which is $\tilde{u}_{11} \cdot V_0$ if $b = 0$ and $\tilde{u}_{11} T^a \cdot V_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(\tilde{u}_{13}, \ldots, \tilde{u}_{18})$ in the 1st row of table using its public keys and sets the 1st row of table to be

$$\big(\tilde{u}^\ast_{11} \cdot V_0,\ \tilde{u}^\ast_{12},\ \tilde{u}_{13},\ \ldots,\ \tilde{u}_{18}\big). \tag{B.1}$$

$\mathcal{B}$ also computes $V^\ast_1$ from $(\tilde{u}^\ast_{11}, \tilde{u}^\ast_{12}, \tilde{u}_{13}, \ldots, \tilde{u}_{18})$ via $V^\ast_1 := (\tilde{u}^\ast_{11})^{-x_{i_\ell,1}} (\tilde{u}^\ast_{12})^{-y_{i_\ell,1}} \tilde{u}_{13}^{-x_{i_\ell,2}} \cdots \tilde{u}_{18}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $V^\ast_1 = V_1$, or
Case ($b = 1$): $V^\ast_1 = V_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathrm{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, \ast, \ast, \ast)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(\tilde{u}^\ast_{21}, \tilde{u}^\ast_{22}, \ast, \ast, \ast)$; that is,

Case ($b = 0$): $(\tilde{u}^\ast_{21}, \tilde{u}^\ast_{22}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (\tilde{u}_{21}, \tilde{u}_{22})$, or
Case ($b = 1$): $(\tilde{u}^\ast_{21}, \tilde{u}^\ast_{22}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (\tilde{u}_{21}, \tilde{u}_{22} T^{a \cdot x_{i_\ell,1}})$.

$\mathcal{B}$ sets the $(2,2)$ entry of table to $\tilde{u}^\ast_{22} \cdot V^\ast_1$; that is, it equals $\tilde{u}_{22} \cdot V_1$ if $b = 0$ and $(\tilde{u}_{22} T^{a \cdot x_{i_\ell,1}})(V_1 T^{-a \cdot x_{i_\ell,1}}) = \tilde{u}_{22} \cdot V_1$ if $b = 1$. Thus the $(2,2)$ entry equals $\tilde{u}_{22} \cdot V_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(\tilde{u}_{23}, \ldots, \tilde{u}_{28})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be

$$\big(\tilde{u}^\ast_{21},\ \tilde{u}^\ast_{22} \cdot V^\ast_1,\ \tilde{u}_{23},\ \ldots,\ \tilde{u}_{28}\big). \tag{B.2}$$

$\mathcal{B}$ also computes $V^\ast_2$ from $(\tilde{u}^\ast_{21}, \tilde{u}^\ast_{22}, \tilde{u}_{23}, \ldots, \tilde{u}_{28})$ via $V^\ast_2 := (\tilde{u}^\ast_{21})^{-x_{i_\ell,1}} (\tilde{u}^\ast_{22})^{-y_{i_\ell,1}} \tilde{u}_{23}^{-x_{i_\ell,2}} \cdots \tilde{u}_{28}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $V^\ast_2 = V_2$, or
Case ($b = 1$): $V^\ast_2 = V_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}^b_{\mathrm{IV}_5}$ oracle with $(\ast, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, \ast, \ast)$ and obtains its challenge $(\ast, \tilde{u}^\ast_{33}, \tilde{u}^\ast_{34}, \ast, \ast)$; that is,

Case ($b = 0$): $(\tilde{u}^\ast_{33}, \tilde{u}^\ast_{34}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (\tilde{u}_{33}, \tilde{u}_{34})$, or
Case ($b = 1$): $(\tilde{u}^\ast_{33}, \tilde{u}^\ast_{34}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (\tilde{u}_{33} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, \tilde{u}_{34})$.

$\mathcal{B}$ sets the $(3,3)$ entry of table to $\tilde{u}^\ast_{33} \cdot V^\ast_2$; similarly, it is easy to check that this entry equals $\tilde{u}_{33} \cdot V_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be

$$\big(\tilde{u}_{31},\ \tilde{u}_{32},\ \tilde{u}^\ast_{33} \cdot V^\ast_2,\ \tilde{u}^\ast_{34},\ \tilde{u}_{35},\ \ldots,\ \tilde{u}_{38}\big). \tag{B.3}$$

$\mathcal{B}$ also computes $V^\ast_3$ from $(\tilde{u}_{31}, \tilde{u}_{32}, \tilde{u}^\ast_{33}, \tilde{u}^\ast_{34}, \tilde{u}_{35}, \ldots, \tilde{u}_{38})$ via $V^\ast_3 := \tilde{u}_{31}^{-x_{i_\ell,1}} \tilde{u}_{32}^{-y_{i_\ell,1}} (\tilde{u}^\ast_{33})^{-x_{i_\ell,2}} (\tilde{u}^\ast_{34})^{-y_{i_\ell,2}} \tilde{u}_{35}^{-x_{i_\ell,3}} \cdots \tilde{u}_{38}^{-y_{i_\ell,4}}$, which equals

Case ($b = 0$): $V^\ast_3 = V_3$, or
Case ($b = 1$): $V^\ast_3 = V_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.

(vi) Finally, $\mathcal{B}$ computes $V_0, \ldots, V_8$ from table just as in Hybrids 2 and 3 (also as the original $\mathcal{E}.\mathsf{Decrypt}$ algorithm) and computes $e := V_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathrm{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
References

[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
$$(\gamma'_1, \ldots, \gamma'_4) := \Big(\frac{\mathrm{dlog}_T(e_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(e_4^{\phi(N)})}{\phi(N)}\Big) \bmod N,$$
$$\mathbf{k} = (k_1, \ldots, k_4) := (\alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1, \ \ldots, \ \alpha'_4 x_{i,4} + \alpha'_5 y_{i,4} + \gamma'_4) \bmod N. \tag{38}$$

(ii)

$$\mathsf{Ec} = (\tilde{u}_1, \ldots, \tilde{u}_8, e, t) \ / \ \bot \leftarrow \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}). \tag{39}$$

(iii)

$$(\tilde{\alpha}_1, \ldots, \tilde{\alpha}_8) := \Big(\frac{\mathrm{dlog}_T(\tilde{u}_1^{\phi(N)})}{\phi(N)}, \ldots, \frac{\mathrm{dlog}_T(\tilde{u}_8^{\phi(N)})}{\phi(N)}\Big) \bmod N^{s-1},$$
$$\gamma := \frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)} \bmod N^{s-1},$$
$$m := \tilde{\alpha}_1 x_{i,1} + \tilde{\alpha}_2 y_{i,1} + \tilde{\alpha}_3 x_{i,2} + \tilde{\alpha}_4 y_{i,2} + \tilde{\alpha}_5 x_{i,3} + \tilde{\alpha}_6 y_{i,3} + \tilde{\alpha}_7 x_{i,4} + \tilde{\alpha}_8 y_{i,4} + \gamma \bmod N^{s-1}. \tag{40}$$

According to (8), for $j \in [4]$ we have that

$$\begin{aligned}
k_j &\overset{\mathsf{G}_6}{=} \mathrm{dlog}_T\big(e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}}\big) = \frac{\mathrm{dlog}_T\big((e_j u_j^{x_{i,j}} u_{j+1}^{y_{i,j}})^{\phi(N)}\big)}{\phi(N)} \bmod N \\
&= \frac{\mathrm{dlog}_T(u_j^{\phi(N) \cdot x_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N) \cdot y_{i,j}})}{\phi(N)} + \frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)} \\
&\overset{\mathsf{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T(u_j^{\phi(N)})}{\phi(N)}}_{\alpha'_j} \cdot x_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(u_{j+1}^{\phi(N)})}{\phi(N)}}_{\alpha'_{j+1}} \cdot y_{i,j} + \underbrace{\frac{\mathrm{dlog}_T(e_j^{\phi(N)})}{\phi(N)}}_{\gamma'_j}, \\
m &\overset{\mathsf{G}_6}{=} \mathrm{dlog}_T\big(e\, \tilde{u}_1^{x_{i,1}} \tilde{u}_2^{y_{i,1}} \tilde{u}_3^{x_{i,2}} \tilde{u}_4^{y_{i,2}} \tilde{u}_5^{x_{i,3}} \tilde{u}_6^{y_{i,3}} \tilde{u}_7^{x_{i,4}} \tilde{u}_8^{y_{i,4}}\big) \bmod N^{s-1} \\
&\overset{\mathsf{G}_7}{=} \underbrace{\frac{\mathrm{dlog}_T(\tilde{u}_1^{\phi(N)})}{\phi(N)}}_{\tilde{\alpha}_1} \cdot x_{i,1} + \cdots + \underbrace{\frac{\mathrm{dlog}_T(\tilde{u}_8^{\phi(N)})}{\phi(N)}}_{\tilde{\alpha}_8} \cdot y_{i,4} + \underbrace{\frac{\mathrm{dlog}_T(e^{\phi(N)})}{\phi(N)}}_{\gamma}.
\end{aligned} \tag{41}$$
Hence $\mathsf{G}_7$ is essentially the same as $\mathsf{G}_6$ and $\Pr_6[\mathrm{Succ}] = \Pr_7[\mathrm{Succ}]$.

Game $\mathsf{G}_8$. It is identical to $\mathsf{G}_7$ except the way of answering the $\mathsf{decrypt}$ oracle queries $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$. More precisely, a rejection rule is added in $\mathsf{decrypt}$:

(i) If $\alpha'_1 \neq 0$ or $\cdots$ or $\alpha'_5 \neq 0$ or $\tilde{\alpha}_1 \neq 0$ or $\cdots$ or $\tilde{\alpha}_8 \neq 0$, output $\bot$.

Denote by $\mathrm{Bad}$ the event that $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying

$$e_1 u_1^{x_{i,1}} u_2^{y_{i,1}}, \ \ldots, \ e_4 u_4^{x_{i,4}} u_5^{y_{i,4}} \in \mathsf{RU}_{N^2} \ \text{ and } \ \mathsf{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) \neq \bot \tag{42}$$

$$\text{and } \ e\, \tilde{u}_1^{x_{i,1}} \tilde{u}_2^{y_{i,1}} \tilde{u}_3^{x_{i,2}} \tilde{u}_4^{y_{i,2}} \tilde{u}_5^{x_{i,3}} \tilde{u}_6^{y_{i,3}} \tilde{u}_7^{x_{i,4}} \tilde{u}_8^{y_{i,4}} \in \mathsf{RU}_{N^s} \ \text{ and } \ t = g_1^m \bmod N \tag{43}$$

$$\text{and } \ (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0 \text{ or } \tilde{\alpha}_1 \neq 0 \text{ or } \cdots \text{ or } \tilde{\alpha}_8 \neq 0). \tag{44}$$
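As an added example (not code from the paper), the following Python script checks on a toy modulus the homomorphic identity behind (41) and shows what the rejection rule just added in $\mathsf{G}_8$ catches: the map $D(x) = \mathrm{dlog}_T(x^{\phi(N)})/\phi(N) \bmod N$ is a group homomorphism from $\mathbb{Z}^*_{N^2}$ to $\mathbb{Z}_N$, so the key coordinate $k_j$ is affine in $(x_{i,j}, y_{i,j})$ with coefficients $\alpha'_j, \alpha'_{j+1}$ that vanish exactly when $u_j, u_{j+1}$ are $N$-th residues. The primes, generators and all sample values are constructed for the demo and are far too small for real use.

```python
"""Added example: the Z_N-valued map D(x) = dlog_T(x^phi(N)) / phi(N) mod N
on Z*_{N^2} (T = 1 + N) is a homomorphism, which is why k_j in (41) is an
affine function of the secret key and why G_8 rejects non-residue u_j."""
from math import gcd

# Toy modulus, constructed for the demo only (the paper's GenN outputs
# safe primes of lambda bits; gcd(phi(N), N) = 1 is all we need here).
P, Q = 1009, 1013
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)
T = 1 + N


def dlog_T(x: int) -> int:
    """Discrete log base T = 1+N of x in Z*_{N^2}, defined when x = 1 mod N.
    Since T^m = 1 + mN (mod N^2) for 0 <= m < N, it is just (x - 1) / N."""
    x %= N2
    if x % N != 1:
        raise ValueError("x is not a power of T")
    return ((x - 1) // N) % N


def D(x: int) -> int:
    """dlog_T(x^phi(N)) / phi(N) mod N, the operation used in (38)-(41).
    Raising to phi(N) kills the Z*_N part of Z*_{N^2}, leaving only the
    T-component, so D is additive over products of group elements."""
    if gcd(x, N) != 1:
        raise ValueError("x not in Z*_{N^2}")
    return (dlog_T(pow(x, PHI, N2)) * pow(PHI, -1, N)) % N


def nth_residue(base: int) -> int:
    """An element of the N-th residue subgroup; D of any such element is 0."""
    return pow(base, N, N2)


def key_coordinate(e_j, u_j, u_j1, x_ij, y_ij):
    """k_j as decrypt derives it in G_6: dlog_T of the whole product."""
    prod = (e_j * pow(u_j, x_ij, N2) * pow(u_j1, y_ij, N2)) % N2
    return D(prod)


def key_coordinate_affine(e_j, u_j, u_j1, x_ij, y_ij):
    """k_j as G_7 derives it: alpha'_j * x + alpha'_{j+1} * y + gamma'_j."""
    alpha_j, alpha_j1, gamma_j = D(u_j), D(u_j1), D(e_j)
    return (alpha_j * x_ij + alpha_j1 * y_ij + gamma_j) % N


def honest_query(x_ij, y_ij, r, k_j):
    """Constructed well-formed components (e_j, u_j, u_{j+1}) for one
    coordinate: generators and h_{i,j} are N-th residues, so
    alpha'_j = alpha'_{j+1} = 0 and decrypt recovers exactly k_j."""
    g_j, g_j1 = nth_residue(2), nth_residue(3)
    h_ij = (pow(g_j, -x_ij, N2) * pow(g_j1, -y_ij, N2)) % N2  # h_{i,j}
    u_j, u_j1 = pow(g_j, r, N2), pow(g_j1, r, N2)
    e_j = (pow(h_ij, r, N2) * pow(T, k_j, N2)) % N2
    return e_j, u_j, u_j1


def malformed_query(e_j, u_j, u_j1, a):
    """The same query with u_j pushed out of the N-th residues by T^a.
    In G_7 the derived key would become k_j + a * x_{i,j}, i.e. depend
    on the secret key; G_8 rejects it because alpha'_j = a != 0."""
    return e_j, (u_j * pow(T, a, N2)) % N2, u_j1


def g8_rejects(u_j, u_j1) -> bool:
    """The extra rejection rule of G_8, restricted to this coordinate pair."""
    return D(u_j) != 0 or D(u_j1) != 0


if __name__ == "__main__":
    x, y, r, k = 123456789, 987654321, 55555, 4242   # constructed values
    e, u, u1 = honest_query(x, y, r, k)
    print("honest:   k_j =", key_coordinate(e, u, u1, x, y),
          "rejected by G_8:", g8_rejects(u, u1))
    e2, u2, u21 = malformed_query(e, u, u1, 7)
    print("malformed: k_j =", key_coordinate(e2, u2, u21, x, y),
          "= k + 7x mod N:", (k + 7 * x) % N,
          "rejected by G_8:", g8_rejects(u2, u21))
```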
Obviously, $\mathsf{G}_8$ is identical to $\mathsf{G}_7$ unless $\mathrm{Bad}$ occurs. Thus $|\Pr_7[\mathrm{Succ}] - \Pr_8[\mathrm{Succ}]| \le \Pr_8[\mathrm{Bad}]$.

To show the computational indistinguishability of $\mathsf{G}_7$ and $\mathsf{G}_8$, we must prove that $\Pr_8[\mathrm{Bad}]$ is negligible. To this end, $\mathrm{Bad}$ is divided into two subevents:

(i) $\mathrm{Bad}'$: $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying

$$\text{Conditions (42), (43) and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0). \tag{45}$$

(ii) $\widetilde{\mathrm{Bad}}$: $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying

$$\text{Conditions (42), (43) and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde{\alpha}_1 \neq 0 \text{ or } \cdots \text{ or } \tilde{\alpha}_8 \neq 0). \tag{46}$$

Obviously, $\Pr_8[\mathrm{Bad}] \le \Pr_8[\mathrm{Bad}'] + \Pr_8[\widetilde{\mathrm{Bad}}]$. We will defer the analysis of $\Pr_8[\widetilde{\mathrm{Bad}}]$ to subsequent games. Through the following lemma, we provide the analysis of $\Pr_8[\mathrm{Bad}']$.

Lemma 26. One has $\Pr_8[\mathrm{Bad}'] \le 2 Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In $\mathsf{decrypt}$ of game $\mathsf{G}_8$, the challenger will reply $\bot$ to $\mathcal{A}$ unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and $\tilde{\alpha}_1 = \cdots = \tilde{\alpha}_8 = 0$. Consequently, the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, and the value of $\phi(N)$ is enough for answering $\mathsf{decrypt}$ queries. In particular, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not necessary in $\mathsf{decrypt}$.

$\mathrm{Bad}'$ is further divided into the following two subevents:

(i) $\mathrm{Bad}'\text{-}1$: $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying

$$\text{Conditions (42), (43) and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0) \text{ and } \big(\exists j \in [4]: \alpha'_j / \alpha_j \neq \alpha'_{j+1} / \alpha_{j+1} \bmod N\big). \tag{47}$$

(ii) $\mathrm{Bad}'\text{-}2$: $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying

$$\text{Conditions (42), (43) and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0) \text{ and } (\alpha'_1 / \alpha_1 = \cdots = \alpha'_5 / \alpha_5 \bmod N). \tag{48}$$

Recall that $(\alpha_1, \ldots, \alpha_5)$ are chosen in $\mathsf{initialize}$. We will consider the two subevents in game $\mathsf{G}_8$ separately via the following two claims.

Claim 27. One has $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. In game $\mathsf{G}_8$, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not needed in $\mathsf{decrypt}$, and the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in $\mathsf{encrypt}$ only makes use of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ leaked to $\mathcal{A}$ is through the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in $\mathsf{encrypt}$, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$; for $j \in [4]$,

$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^\ast r_\ell} \, T^{r_\ell \cdot (k^\ast_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^\ast r_\ell} \, T^{r_\ell \cdot (\underbrace{k^\ast_j - \alpha_j x_j - \alpha_{j+1} y_j}_{\triangleq \tilde{k}_j} - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned} \tag{49}$$

If $\mathrm{Bad}'\text{-}1$ occurs, for concreteness say that $\alpha'_1 / \alpha_1 \neq \alpha'_2 / \alpha_2 \bmod N$, then

$$k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar{x}_{i,1} + \alpha'_2 \bar{y}_{i,1} + \gamma'_1 \bmod N, \tag{50}$$

where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from $\mathcal{A}$'s view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_\$ \mathbb{Z}_N$, the probability of $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) \neq \bot$ is upper bounded by $\mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathrm{Bad}'\text{-}1] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.

Claim 28. One has $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof for the previous claim, in game $\mathsf{G}_8$ the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^\ast = (k^\ast_1, k^\ast_2, k^\ast_3, k^\ast_4)$ involved is through $\mathsf{encrypt}$, which uses the value of $\tilde{k}_1 := (k^\ast_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\tilde{k}_2 := (k^\ast_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\tilde{k}_3 := (k^\ast_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\tilde{k}_4 := (k^\ast_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)) and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^\ast_1, k^\ast_2, k^\ast_3, k^\ast_4) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of $\mathsf{AIAE.Encrypt}$.

Note that, because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $(\tilde{k}_1, \tilde{k}_2, \tilde{k}_3, \tilde{k}_4)$ are uniformly distributed and independent of $(k^\ast_1, k^\ast_2, k^\ast_3, k^\ast_4)$. Therefore it is possible to construct an algorithm to simulate $\mathsf{decrypt}$ and $\mathsf{encrypt}$ of game $\mathsf{G}_8$ without $\mathbf{k}^\ast = (k^\ast_1, k^\ast_2, k^\ast_3, k^\ast_4)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate $\mathsf{AIAE.Encrypt}$ as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA encryption oracle of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $\mathcal{B}_2(\mathrm{pars}_{\mathsf{AIAE}})$, which has access to the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathrm{pars}_{\mathsf{AIAE}} = (N, p, q, \ldots)$. $\mathcal{B}_2$ does not choose $\mathbf{k}^\ast = (k^\ast_1, k^\ast_2, k^\ast_3, k^\ast_4)$ in $\mathsf{initialize}$ any more, and it implicitly sets $\mathbf{k}^\ast$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger. $\mathcal{B}_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either, and instead it chooses $\widetilde{\mathbf{k}} = (\tilde{k}_1, \tilde{k}_2, \tilde{k}_3, \tilde{k}_4)$ uniformly from $(\mathbb{Z}_N)^4$. $\mathcal{B}_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar{x}_{i,1}, \bar{y}_{i,1}, \ldots, \bar{x}_{i,4}, \bar{y}_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate $\mathsf{encrypt}$, $\mathcal{B}_2$ can use $(\bar{x}_{i_\ell,j}, \bar{y}_{i_\ell,j}, \tilde{k}_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49) and use $(\bar{x}_{i,j}, \bar{y}_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $\mathcal{B}_2$ is able to compute $t_\ell = g_1^{m_\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar{x}_{i,j}, \bar{y}_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $\mathcal{B}_2$ submits $(\mathsf{Ec}_\ell, \mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4}) \rangle)$ to its own $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle and obtains $\mathrm{aiaec}_\ell$. The final ciphertext is $\langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security game, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle will encrypt $\mathsf{Ec}_\ell$ with the auxiliary input $\mathrm{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^\ast + \mathbf{s}_\ell$; that is, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle behaves as $\mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathsf{Ec}_\ell, \mathrm{ai}_\ell)$. Thus $\mathcal{B}_2$'s simulation of $\mathsf{encrypt}$ is identical to $\mathsf{G}_8$. For $\mathsf{decrypt}$, $\mathcal{B}_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like $\mathsf{G}_8$.
Suppose that $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ such that $\mathrm{Bad}'\text{-}2$ occurs. For concreteness, say that $r := \alpha'_1 / \alpha_1 = \cdots = \alpha'_5 / \alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,

$$\begin{aligned}
k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^\ast_j - r \cdot (k^\ast_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^\ast_j - r \cdot (\underbrace{k^\ast_j - \alpha_j x_j - \alpha_{j+1} y_j}_{= \tilde{k}_j} - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^\ast_j \underbrace{{} - r \cdot (\tilde{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j}_{\triangleq s_j} = r \cdot k^\ast_j + s_j \bmod N.
\end{aligned} \tag{51}$$
Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^\ast + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4) \rangle$ as above using $(\bar{x}_{i,j}, \bar{y}_{i,j}, \tilde{k}_j)_{j=1}^4$ and outputs $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiaec})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.

(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathrm{ai}, \mathrm{aiaec} \rangle \neq \langle \mathrm{ai}_\ell, \mathrm{aiaec}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiaec}) \neq (\mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathrm{aiaec}_\ell)$ will hold for all $\ell \in [Q_e]$; that is, $\mathcal{B}_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to have that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$, it clearly holds that $\gamma'_j = r_\ell \cdot (\tilde{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot (\tilde{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously, it satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.

(iii) Finally, if $\mathrm{Bad}'\text{-}2$ occurs in this decryption query, then $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiaec}, \mathrm{ai}) \neq \bot$, where $\mathbf{k} = r \cdot \mathbf{k}^\ast + \mathbf{s}$, will imply that $\mathcal{B}_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathrm{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\text{weak-int-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game $\mathsf{G}_9$. It is identical to $\mathsf{G}_8$ except for the following differences. In the $\mathsf{initialize}$ procedure of game $\mathsf{G}_9$, the challenger picks an independent $\widetilde{\mathbf{k}}^\ast = (\tilde{k}^\ast_1, \tilde{k}^\ast_2, \tilde{k}^\ast_3, \tilde{k}^\ast_4) \leftarrow_\$ (\mathbb{Z}_N)^4$ besides $\mathbf{k}^\ast = (k^\ast_1, k^\ast_2, k^\ast_3, k^\ast_4)$. As for the $\ell$th ($\ell \in [Q_e]$) $\mathsf{encrypt}$ oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathsf{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathrm{aiaec}_\ell$:

(i) $\mathbf{k}_\ell := (r_\ell \tilde{k}^\ast_1 + s_{\ell,1}, \ldots, r_\ell \tilde{k}^\ast_4 + s_{\ell,4})$.
(ii) $\mathrm{aiaec}_\ell \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathsf{Ec}_\ell, \mathrm{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^\ast = (k^\ast_1, k^\ast_2, k^\ast_3, k^\ast_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.
In $\mathsf{G}_8$, the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the $\mathsf{encrypt}$ oracle. Specifically, for $j \in [4]$,

$$\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^\ast r_\ell} \, T^{r_\ell \cdot (k^\ast_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^\ast r_\ell} \, T^{r_\ell \cdot (k^\ast_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned} \tag{52}$$
Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the $\mathsf{encrypt}$ oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^\ast = (k^\ast_1, k^\ast_2, k^\ast_3, k^\ast_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in $\mathsf{decrypt}$. Hence $\mathbf{k}^\ast = (k^\ast_1, k^\ast_2, k^\ast_3, k^\ast_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Therefore, the challenger could always employ another $\widetilde{\mathbf{k}}^\ast = (\tilde{k}^\ast_1, \ldots, \tilde{k}^\ast_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in the $\mathsf{AIAE}_{\mathrm{DDH}}$'s encryption in the $\mathsf{encrypt}$ oracle, as in $\mathsf{G}_9$.

Then game $\mathsf{G}_8$ and game $\mathsf{G}_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathrm{Succ}] = \Pr_9[\mathrm{Succ}]$ and $\Pr_8[\widetilde{\mathrm{Bad}}] = \Pr_9[\widetilde{\mathrm{Bad}}]$.

Game $\mathsf{G}_{10}$. It is identical to $\mathsf{G}_9$ except the way the challenger answers the $\ell$th ($\ell \in [Q_e]$) $\mathsf{encrypt}$ oracle query $(f_\ell, i_\ell)$. More precisely, in game $\mathsf{G}_{10}$ the challenger computes $\mathrm{aiaec}_\ell$ in the following way:

(i) $\mathrm{aiaec}_\ell \leftarrow_\$ \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_{\mathsf{M}}}, \mathrm{ai}_\ell)$.

Observe that in $\mathsf{G}_9$ and $\mathsf{G}_{10}$, $\widetilde{\mathbf{k}}^\ast$ is employed only in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption, where it uses $\mathbf{k}_\ell = r_\ell \cdot \widetilde{\mathbf{k}}^\ast + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between $\mathsf{G}_9$ and $\mathsf{G}_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathrm{Succ}] - \Pr_{10}[\mathrm{Succ}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\widetilde{\mathrm{Bad}}] - \Pr_{10}[\widetilde{\mathrm{Bad}}]| \le \mathrm{Adv}^{\text{ind-rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in $\mathsf{G}_{10}$ the challenger always computes the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_{\mathsf{M}}}$ in the $\mathsf{encrypt}$ oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathrm{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.

Lemma 29. One has $\Pr_{10}[\widetilde{\mathrm{Bad}}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathrm{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda)$.

Proof. In $\mathsf{G}_{10}$, neither $\mathsf{decrypt}$ nor $\mathsf{encrypt}$ uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g g_j \bmod \phi(N)/4$ for some base $g \in \mathsf{SCR}_{N^s}$, $j \in [5]$.
$\widetilde{\mathrm{Bad}}$ is further divided into the following two disjoint subevents:

(i) $\widetilde{\mathrm{Bad}}\text{-}1$: $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying

$$\begin{aligned}
&\text{Conditions (42), (43) and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde{\alpha}_1 \neq 0 \text{ or } \cdots \text{ or } \tilde{\alpha}_8 \neq 0) \\
&\text{and } \Big(\frac{\tilde{\alpha}_1}{w_1} \neq \frac{\tilde{\alpha}_2}{w_2} \ \text{ or } \ \frac{\tilde{\alpha}_3}{w_2} \neq \frac{\tilde{\alpha}_4}{w_3} \ \text{ or } \ \frac{\tilde{\alpha}_5}{w_3} \neq \frac{\tilde{\alpha}_6}{w_4} \ \text{ or } \ \frac{\tilde{\alpha}_7}{w_4} \neq \frac{\tilde{\alpha}_8}{w_5}\Big).
\end{aligned} \tag{53}$$

(ii) $\widetilde{\mathrm{Bad}}\text{-}2$: $\mathcal{A}$ ever queries the $\mathsf{decrypt}$ oracle with $(\langle \mathrm{ai}, \mathrm{aiaec} \rangle, i \in [n])$ satisfying

$$\begin{aligned}
&\text{Conditions (42), (43) and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\tilde{\alpha}_1 \neq 0 \text{ or } \cdots \text{ or } \tilde{\alpha}_8 \neq 0) \\
&\text{and } \Big(\frac{\tilde{\alpha}_1}{w_1} = \frac{\tilde{\alpha}_2}{w_2} \ \text{ and } \ \frac{\tilde{\alpha}_3}{w_2} = \frac{\tilde{\alpha}_4}{w_3} \ \text{ and } \ \frac{\tilde{\alpha}_5}{w_3} = \frac{\tilde{\alpha}_6}{w_4} \ \text{ and } \ \frac{\tilde{\alpha}_7}{w_4} = \frac{\tilde{\alpha}_8}{w_5}\Big).
\end{aligned} \tag{54}$$
We will analyze the two subevents in game $\mathsf{G}_{10}$ separately via the following two claims.

Claim 30. One has $\Pr_{10}[\widetilde{\mathrm{Bad}}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Proof. If $\widetilde{\mathrm{Bad}}\text{-}1$ occurs, for concreteness say that $\tilde{\alpha}_1 / w_1 \neq \tilde{\alpha}_2 / w_2$, then

$$g_1^{m} = g_1^{\tilde{\alpha}_1 x_{i,1} + \tilde{\alpha}_2 y_{i,1} + \cdots} = g_1^{\tilde{\alpha}_1 x_1 + \tilde{\alpha}_2 y_1 + \tilde{\alpha}_1 \bar{x}_{i,1} + \tilde{\alpha}_2 \bar{y}_{i,1} + \cdots \bmod \phi(N)/4} \bmod N, \tag{55}$$

and $(\tilde{\alpha}_1 x_1 + \tilde{\alpha}_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m}$ is uniformly distributed over $\mathsf{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then according to a union bound, $\Pr_{10}[\widetilde{\mathrm{Bad}}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $\mathsf{G}_{10}$, if Bad-2 occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathsf{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathsf{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys just the same way as initialize in $\mathsf{G}_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $\mathsf{G}_{10}$ does. Furthermore, $z'_j$ is hidden by $z_j$ perfectly from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g h \bmod \phi(N)/4$, then for $j \in [5]$,
$$w_j = \mathrm{dlog}_g g_j = z_j + w z'_j \bmod \phi(N)/4.$$
If Bad-2 occurs in decrypt, for concreteness say that $\tilde{w}_1/w_1 = \tilde{w}_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{\tilde{w}_1} = g_1^{\tilde{w}_2} \neq 1$; then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1 \tilde{w}_2 = w_2 \tilde{w}_1 \bmod \phi(N)/4$, or equivalently
$$z_1 \tilde{w}_2 + w z'_1 \tilde{w}_2 = z_2 \tilde{w}_1 + w z'_2 \tilde{w}_1 \bmod \phi(N)/4. \quad (56)$$
Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1 \tilde{w}_2 - z'_2 \tilde{w}_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ will succeed in computing the discrete logarithm of $h$ based on $g$ and output $w = (z'_1 \tilde{w}_2 - z'_2 \tilde{w}_1)^{-1} \cdot (z_2 \tilde{w}_1 - z_1 \tilde{w}_2) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}, \mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.
In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^{d}_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], which are polynomial-sized circuits computing $f \in \mathcal{F}^{d}_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of the modular arithmetic circuits; the only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathrm{DDH}}$ and $\mathsf{KEM}$ as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as $\mathsf{KEM}$. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables
How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^{8})$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^{8})$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}. \quad (57)$$
Consequently, $f_\ell$ in the $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in the 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
$$f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) = f_\ell\big((\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}})_{i \in [n], j \in [4]}\big) = f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (58)$$
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:

(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1, \ldots, c_8)}$ can be extracted through solving a linear system of equations:
$$f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (59)$$
The overall time complexity for computing the coefficients $a_{(c_1, \ldots, c_8)}$ is polynomial in $\lambda$.
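To make the coefficient-extraction procedure of this subsection concrete, the following is an added Python example and not code from the paper: the modular arithmetic circuit computing $f_\ell$ is modelled as an opaque callable over a flat list of the $8n$ key variables, `shifts` holds the $(\bar{x}_{i,j}, \bar{y}_{i,j})$ chosen in initialize, and, as a simplifying assumption, all arithmetic is done modulo a prime `Q` rather than modulo $N^{s-1}$ (where a non-invertible pivot would occur only with negligible probability). The function and variable names are my own.

```python
# Added example (not the paper's code): coefficient extraction for the
# 8n-variable -> 8-variable reduction of Section 5.2.  The KDM function f_l is
# an opaque Python callable standing in for the modular arithmetic circuit; the
# reduction uses only the key shifts (xbar_{i,j}, ybar_{i,j}), never the secret
# keys themselves.  Simplifying assumption: arithmetic is modulo a prime Q.
import itertools
import random

Q = (1 << 61) - 1          # prime modulus, chosen for this demo only
VARS_PER_KEY = 8           # per key: (x_{i,1}, y_{i,1}, ..., x_{i,4}, y_{i,4})


def monomials(degree):
    """Exponent tuples c = (c_1, ..., c_8) with 0 <= c_1 + ... + c_8 <= degree:
    the C(8+d, 8) monomials of f'_l, the all-zero tuple being the constant term."""
    return [c for c in itertools.product(range(degree + 1), repeat=VARS_PER_KEY)
            if sum(c) <= degree]


def eval_monomial(c, point, q=Q):
    """x_1^{c_1} * ... * x_8^{c_8} mod q at the 8-variable point."""
    value = 1
    for exp, x in zip(c, point):
        value = value * pow(x, exp, q) % q
    return value


def eval_poly(coefs, point, q=Q):
    """Evaluate f'_l given its coefficient dictionary {c: a_c}."""
    return sum(a * eval_monomial(c, point, q) for c, a in coefs.items()) % q


def lift(point, shifts, target, q=Q):
    """Equation (57): write each of the 8n key variables as a shift of the 8
    variables of key `target`: var_{i,j} = var_{target,j} + shift_{i,j} - shift_{target,j}.
    `shifts[i]` is the 8-tuple (xbar_{i,1}, ybar_{i,1}, ..., ybar_{i,4})."""
    base = shifts[target]
    return [(point[j] + shifts[i][j] - base[j]) % q
            for i in range(len(shifts)) for j in range(VARS_PER_KEY)]


def solve_mod_prime(rows, rhs, q=Q):
    """Gauss-Jordan elimination over Z_q for a square system; None if singular."""
    m = len(rows)
    a = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(m):
        pivot = next((r for r in range(col, m) if a[r][col] % q), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        inv = pow(a[col][col], -1, q)
        a[col] = [x * inv % q for x in a[col]]
        for r in range(m):
            if r != col and a[r][col]:
                factor = a[r][col]
                a[r] = [(x - factor * y) % q for x, y in zip(a[r], a[col])]
    return [a[r][m] for r in range(m)]


def extract_coefficients(circuit, shifts, target, degree, q=Q, rng=None):
    """Recover {c: a_c} of f'_l from C(8+d, 8) black-box evaluations of f_l.

    Each round picks a uniform 8-variable point, lifts it to the 8n-variable
    circuit input through the shifts, and records the output (steps (i)-(iii)
    of Section 5.2); the rounds form the linear system (59) in the unknown a_c."""
    rng = rng or random.Random(0)
    mons = monomials(degree)
    for _ in range(8):                       # retry if the sample matrix is singular
        points = [[rng.randrange(q) for _ in range(VARS_PER_KEY)] for _ in mons]
        rows = [[eval_monomial(c, p, q) for c in mons] for p in points]
        rhs = [circuit(lift(p, shifts, target, q)) % q for p in points]
        solution = solve_mod_prime(rows, rhs, q)
        if solution is not None:
            return dict(zip(mons, solution))
    raise RuntimeError("evaluation matrix was singular in every attempt")
```

With $n = 2$ keys and $d = 2$ the system has $\binom{10}{8} = 45$ unknowns, and the recovered $f'_\ell$ agrees with the circuit on fresh points while exposing only the shifted coefficients.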
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (60)$$
Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 9.
Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$–$\mathsf{G}_4$, which are related to the building block $\mathcal{E}$. Next we will replace $\mathsf{G}_3$–$\mathsf{G}_4$ with the following hybrids (i.e., Hybrid 1–Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^{4} \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^{4} \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (61)$$

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.
(i) Invoke $\mathcal{E}.\mathsf{Encrypt}$ to set up $\mathsf{table}$.
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.
(iii) Employ $\tilde{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Clearly, $\tilde{v}_0, \ldots, \tilde{v}_8$ computed via $\mathcal{E}.\mathsf{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathsf{Encrypt}$. Therefore, this is just a conceptual change.
[Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. Recoverable content: $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \ldots, 8\}$, pick $r_{l,1}, \ldots, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; $\mathsf{table}$ has row 0 equal to $(u_{0,1}, \ldots, u_{0,8})$ and, for $l \in [8]$, row $l$ equal to $(u_{l,1}, \ldots, u_{l,8})$ with the entry in column $l$ multiplied by $v_{l-1}$; $e = v_8 \cdot T^{m} \bmod N^s$, $t = g_1^{m} \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = (\mathsf{table}, e, t)$. $\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.c)$: parse $\mathcal{E}.c = (\mathsf{table}, e, t)$; compute $\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$ and, for $l \in [8]$, $\tilde{v}_l$ from row $l$ in the same way after dividing the column-$l$ entry by $\tilde{v}_{l-1}$ (e.g., $\tilde{v}_1 = (u_{1,1}/\tilde{v}_0)^{-x_1} u_{1,2}^{-y_1} \cdots u_{1,8}^{-y_4}$, $\tilde{v}_8 = u_{8,1}^{-x_1} \cdots u_{8,7}^{-x_4} (u_{8,8}/\tilde{v}_7)^{-y_4}$); if $e/\tilde{v}_8 \in \mathsf{RU}_N$, $m = \mathrm{dlog}_T(e/\tilde{v}_8) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$, output $m$; otherwise output $\perp$.]

[Figure 10: Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$; the panels show $\mathcal{E}.\mathsf{Encrypt}(f, i \in [n])$ in Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form), differing in how $\mathsf{table}$, $e$ and $t$ are computed.]

Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.
(i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, in $\mathsf{table}$ the entry located in row 1 and column 1 is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$. By the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$.
(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry located in row 1 and column 1 in $\mathsf{table}$ is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^{4} \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $\mathsf{G}_7$–$\mathsf{G}_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathsf{table}$ are elements in $\mathsf{SCR}_{N^s}$. If this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through a similar analysis as that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^{d}_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^{d}_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}(\mathbf{c})$ and $v(\mathbf{c})$ by invoking the algorithm $\mathsf{TableGen}$ shown in Figure 11. Finally, in $e$, $T^{m}$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}(\mathbf{c}) = v(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ by invoking the algorithm $\mathsf{CalculateV}$ in Figure 11. Thus the titles $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ could always be extracted from $(\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.

Security Proof. We sketch the proof of KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$–$\mathsf{G}_4$. Next we will replace $\mathsf{G}_3$–$\mathsf{G}_4$ with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^{4} \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^{4} \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \quad (62)$$
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
  (1) invoke $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
  (2) invoke $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Employ $(\tilde{v}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ rather than $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
[Figure 11: (a) $\mathcal{E}.\mathsf{Encrypt}$ (left) and $\mathcal{E}.\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^{d}_{\mathrm{poly}}$; (b) $\mathsf{TableGen}$, which generates $\mathsf{table}(\mathbf{c})$ together with a title $v(\mathbf{c})$; (c) $\mathsf{CalculateV}$, which calculates a title $\tilde{v}(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ using the secret key. Recoverable content: (a) $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$: for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$; $e = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{m} \bmod N^s$; $t = g_1^{m} \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$. $\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}.c)$: parse $\mathcal{E}.c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$; for each $\mathbf{c} \in \mathcal{S}$, $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}(\mathbf{c}), \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}))^{-1} \in \mathsf{RU}_N$, $m = \mathrm{dlog}_T(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}))^{-1}) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$, output $m$; otherwise output $\perp$. (b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: for each $l \in \{0, 1, \ldots, \sum_{j=1}^{8} c_j\}$, pick $r_{l,1}, \ldots, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; $\mathsf{table}(\mathbf{c})$ has row 0 equal to $(u_{0,1}, \ldots, u_{0,8})$, followed by $c_1$ rows whose column-1 entry $u_{l,1}$ is multiplied by $v_{l-1}$, then $c_2$ rows whose column-2 entry is multiplied by $v_{l-1}$, and so on up to $c_8$ rows whose column-8 entry is multiplied by $v_{l-1}$; output $(\mathsf{table}(\mathbf{c}), v(\mathbf{c}) = v_{\sum_{j=1}^{8} c_j})$. (c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathsf{table}(\mathbf{c}), \mathbf{c} = (c_1, \ldots, c_8))$: parse $\mathsf{table}(\mathbf{c}) = (u_{l,1}, \ldots, u_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^{8} c_j\}}$; $\tilde{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; for each $l \in \{1, \ldots, c_1\}$, $\tilde{v}_l = (u_{l,1}/\tilde{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; for each $l \in \{c_1 + 1, \ldots, c_1 + c_2\}$, $\tilde{v}_l = u_{l,1}^{-x_1} (u_{l,2}/\tilde{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} \cdots u_{l,8}^{-y_4}$; $\ldots$; for each $l \in \{\sum_{j=1}^{7} c_j + 1, \ldots, \sum_{j=1}^{8} c_j\}$, $\tilde{v}_l = u_{l,1}^{-x_1} u_{l,2}^{-y_1} \cdots u_{l,7}^{-x_4} (u_{l,8}/\tilde{v}_{l-1})^{-y_4}$; output $\tilde{v}(\mathbf{c}) = \tilde{v}_{\sum_{j=1}^{8} c_j}$.]
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}(\mathbf{c})$ computed via $\mathsf{CalculateV}$ is the same as $v(\mathbf{c})$ computed via $\mathsf{TableGen}$. Therefore, this change is just conceptual.

Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
  (1) $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference: more precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \neq 0\}$ is now computed as $(u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $u_{1,j} \cdot v_0$. By the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable.
  (2) Extract $\tilde{v}(\mathbf{c})$ from the (modified) $\mathsf{table}(\mathbf{c})$ by invoking $\tilde{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$\tilde{v}(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1, \ldots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \quad (63)$$
Hence
$$e = \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \ldots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta}. \quad (64)$$

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \neq 0\}$ is now computed as $(u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

With a similar argument as that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^{4} \bmod N$ is not employed at all.
Appendix
A. Proof of Claim 19

We build a PPT adversary $\mathcal{B}$ against the INT-OT security of $\mathsf{AE}$. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathsf{AE}}$ and has access to the oracle $\mathsf{encrypt}_{\mathsf{AE}}(\cdot) = \mathsf{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathsf{AIAE}}$ in the same way as in $\mathsf{G}'_{1,j}$. That is, invoke $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, pick $\mathrm{H} \leftarrow_\$ \mathcal{H}$ randomly, and set $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathsf{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.

As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all, and instead it will resort to its own $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger and queries its $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle with $m_j$ and gets the challenge $\chi_j$. According to the $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathsf{G}'_{1,j}$. Therefore, the simulation of $\mathcal{B}$ is the same as that in $\mathsf{G}'_{1,j}$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathsf{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathsf{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathsf{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the $\mathsf{AE}$ scheme as follows:
(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathsf{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathsf{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathsf{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ will imply that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ imply that $\chi^* \neq \chi_j$ and $\mathsf{AE.Decrypt}(\kappa, \chi^*) \neq \perp$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.

In summary, $\mathcal{B}$ perfectly simulates $\mathsf{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3

To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}^{b}_{\mathsf{IV}_5}}(N, g_1, \ldots, g_5)$ to solve the $\mathsf{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}.\mathsf{Encrypt}$ as follows.

(i) For the 0th row of $\mathsf{table}$, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}^{b}_{\mathsf{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.
$\mathcal{B}$ sets the entry in row 1 and column 1 to $u^*_{1,1} \cdot v_0$, which is $u_{1,1} \cdot v_0$ if $b = 0$ and $u_{1,1} T^{a} \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of $\mathsf{table}$ using its public keys and sets the 1st row of $\mathsf{table}$ to be
$$(u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \ldots,\ u_{1,8}). \quad (\mathrm{B.1})$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_1 = v_1$, or
Case ($b = 1$): $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}^{b}_{\mathsf{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets the entry in row 2 and column 2 to $u^*_{2,2} \cdot v^*_1$, that is, $u_{2,2} \cdot v_1$ if $b = 0$ and $(u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus the entry is $u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of $\mathsf{table}$ using its public keys and sets the 2nd row of $\mathsf{table}$ to be
$$(u^*_{2,1},\ u^*_{2,2} \cdot v^*_1,\ u_{2,3},\ \ldots,\ u_{2,8}). \quad (\mathrm{B.2})$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_2 = v_2$, or
Case ($b = 1$): $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}^{b}_{\mathsf{IV}_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets the entry in row 3 and column 3 to $u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that this entry equals $u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of $\mathsf{table}$ using its public keys and sets the 3rd row of $\mathsf{table}$ to be
$$(u_{3,1},\ u_{3,2},\ u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ u_{3,5},\ \ldots,\ u_{3,8}). \quad (\mathrm{B.3})$$
$\mathcal{B}$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_3 = v_3$, or
Case ($b = 1$): $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ computes $\mathsf{table}$ similarly as above.

(vi) Finally, $\mathcal{B}$ computes $\tilde{v}_0, \ldots, \tilde{v}_8$ from $\mathsf{table}$ just as in Hybrids 2 and 3 (also as the original $\mathcal{E}.\mathsf{Decrypt}$ algorithm) and computes $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathsf{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China, Grant nos. 61672346 and 61373153.
Security and Communication Networks 27
References
[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner, D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
Proof. In decrypt of game $G_8$, the challenger will reply $\perp$ to A unless $\alpha'_1 = \cdots = \alpha'_5 = 0$ and ${}_1 = \cdots = {}_8 = 0$. Consequently, the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4}) \bmod \phi(N)/4$, $i \in [n]$, together with the value of $\phi(N)$, is enough for answering decrypt queries. In particular, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not necessary in decrypt.

$\mathsf{Bad}'$ is further divided into the following two subevents:

(i) $\mathsf{Bad}'$-1: A ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0) \text{ and } \big(\exists j \in [4],\ \alpha'_j/\alpha_j \neq \alpha'_{j+1}/\alpha_{j+1} \bmod N\big). \quad (47)
\]

(ii) $\mathsf{Bad}'$-2: A ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43), and } (\alpha'_1 \neq 0 \text{ or } \cdots \text{ or } \alpha'_5 \neq 0) \text{ and } \big(\alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \bmod N\big). \quad (48)
\]

Recall that $(\alpha_1, \ldots, \alpha_5)$ are chosen in initialize. We will consider the two subevents in game $G_8$ separately via the following two claims.

Claim 27. One has $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.
Proof. In game $G_8$, the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ are not needed in decrypt, and the computation of $t_\ell = g_1^{m\beta} \bmod N$ in encrypt only makes use of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Thus the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ leaked to A is through the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in encrypt, which may leak the values of $(\alpha_1 x_1 + \alpha_2 y_1), (\alpha_2 x_2 + \alpha_3 y_2), (\alpha_3 x_3 + \alpha_4 y_3), (\alpha_4 x_4 + \alpha_5 y_4) \bmod N$: for $j \in [4]$,
\[
\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\, T^{\,r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell}\, T^{\,r_\ell \cdot (\overbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}^{\triangleq\, \hat{k}_j} - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned} \quad (49)
\]
If $\mathsf{Bad}'$-1 occurs, for concreteness say that $\alpha'_1/\alpha_1 \neq \alpha'_2/\alpha_2 \bmod N$, then
\[
k_1 = \alpha'_1 x_{i,1} + \alpha'_2 y_{i,1} + \gamma'_1 = \alpha'_1 x_1 + \alpha'_2 y_1 + \alpha'_1 \bar{x}_{i,1} + \alpha'_2 \bar{y}_{i,1} + \gamma'_1 \bmod N, \quad (50)
\]
where $k_1$ is independent of $(\alpha_1 x_1 + \alpha_2 y_1) \bmod N$, thus uniformly distributed over $\mathbb{Z}_N$ from A's view. By Remark 23, for $\mathbf{k} = (k_1, k_2, k_3, k_4)$ where $k_1 \leftarrow_{\$} \mathbb{Z}_N$, the probability of $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \perp$ is upper bounded by $\mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$. Then $\Pr_8[\mathsf{Bad}'\text{-}1] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ by a union bound.
Claim 28. One has $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Proof. Similar to the discussion in the proof of the previous claim, in game $G_8$ the only information about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ and $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ involved is through encrypt, which uses the values $\hat{k}_1 := (k^*_1 - \alpha_1 x_1 - \alpha_2 y_1)$, $\hat{k}_2 := (k^*_2 - \alpha_2 x_2 - \alpha_3 y_2)$, $\hat{k}_3 := (k^*_3 - \alpha_3 x_3 - \alpha_4 y_3)$, $\hat{k}_4 := (k^*_4 - \alpha_4 x_4 - \alpha_5 y_4) \bmod N$ via computing $(e_{\ell,1}, \ldots, e_{\ell,4})$ (see (49)), and also uses $\mathbf{k}_\ell = r_\ell \cdot (k^*_1, k^*_2, k^*_3, k^*_4) + (s_{\ell,1}, \ldots, s_{\ell,4})$ as the encryption key of AIAE.Encrypt.

Note that, because of the randomness of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$, $(\hat{k}_1, \hat{k}_2, \hat{k}_3, \hat{k}_4)$ are uniformly distributed and independent of $(k^*_1, k^*_2, k^*_3, k^*_4)$. Therefore it is possible to construct an algorithm that simulates decrypt and encrypt of game $G_8$ without $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ and $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The algorithm can also simulate AIAE.Encrypt as long as it has access to a weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA encryption oracle of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme.

More precisely, we construct a PPT adversary $B_2(\mathsf{pars}_{\mathsf{AIAE}})$, which has access to the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle, against the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme, where $\mathsf{pars}_{\mathsf{AIAE}} = (N, p, q, \ldots)$. $B_2$ does not choose $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in initialize any more, and it implicitly sets $\mathbf{k}^*$ to be the encryption key used by its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger. $B_2$ does not choose $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ either, and instead it chooses $\hat{\mathbf{k}} = (\hat{k}_1, \hat{k}_2, \hat{k}_3, \hat{k}_4)$ uniformly from $(\mathbb{Z}_N)^4$. $B_2$ picks $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$ and $(\bar{x}_{i,1}, \bar{y}_{i,1}, \ldots, \bar{x}_{i,4}, \bar{y}_{i,4}) \in [\lfloor N^2/4 \rfloor]$, $i \in [n]$, randomly. To simulate encrypt, $B_2$ can use $(\bar{x}_{i_\ell,j}, \bar{y}_{i_\ell,j}, \hat{k}_j)_{j=1}^4$ to compute $(e_{\ell,j})_{j=1}^4$ via (49), and use $(x_{i,j}, y_{i,j})_{j=1}^4$, $i \in [n]$, to compute $e_\ell$. Note that $B_2$ is able to compute $t_\ell = g_1^{m\beta} \bmod N$ even if $\beta = 1$, because it knows the $(\bmod\ \phi(N)/4)$ part of $\mathsf{sk}_i$, that is, $(x_j, y_j)_{j=1}^4 \bmod \phi(N)/4$ and $(\bar{x}_{i,j}, \bar{y}_{i,j})_{j=1}^4 \bmod \phi(N)/4$, $i \in [n]$. Then $B_2$ submits $(\mathcal{E}.\mathsf{c}_\ell, \mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4}) \rangle)$ to its own $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle and obtains $\mathsf{aiae.c}_\ell$. The final ciphertext is $\langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$. According to the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security game, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle will encrypt $\mathcal{E}.\mathsf{c}_\ell$ with the auxiliary input $\mathsf{ai}_\ell$ under the transformed key $\mathbf{k}_\ell = r_\ell \cdot \mathbf{k}^* + \mathbf{s}_\ell$, that is, the $\mathsf{encrypt}_{\mathsf{AIAE}}$ oracle behaves as $\mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.\mathsf{c}_\ell, \mathsf{ai}_\ell)$. Thus $B_2$'s simulation of encrypt is identical to $G_8$. For decrypt, $B_2$ answers decryption queries with the $(\bmod\ \phi(N)/4)$ part of all the secret keys and $\phi(N) = (p-1)(q-1)$, just like $G_8$.

Suppose that A ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ such that $\mathsf{Bad}'$-2 occurs. For concreteness, say that $r := \alpha'_1/\alpha_1 = \cdots = \alpha'_5/\alpha_5 \neq 0 \bmod N$; then for $j \in [4]$,
\[
\begin{aligned}
k_j &= \alpha'_j x_{i,j} + \alpha'_{j+1} y_{i,j} + \gamma'_j = r \cdot (\alpha_j x_{i,j} + \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot (\underbrace{k^*_j - \alpha_j x_j - \alpha_{j+1} y_j}_{= \hat{k}_j} - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j + \underbrace{\big(-r \cdot (\hat{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j\big)}_{\triangleq\, s_j} = r \cdot k^*_j + s_j \bmod N.
\end{aligned} \quad (51)
\]
Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $B_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4) \rangle$ as above using $(\bar{x}_{i,j}, \bar{y}_{i,j}, \hat{k}_j)_{j=1}^4$, and outputs $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiae.c})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $B_2$ as follows.

(i) Firstly, a valid decryption query from A satisfies $\langle \mathsf{ai}, \mathsf{aiae.c} \rangle \neq \langle \mathsf{ai}_\ell, \mathsf{aiae.c}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathsf{ai}, \langle r, \mathbf{s} \rangle, \mathsf{aiae.c}) \neq (\mathsf{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathsf{aiae.c}_\ell)$ will hold for all $\ell \in [Q_e]$, that is, $B_2$ always outputs a fresh forgery.

(ii) Secondly, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to see that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$, and thus $r = r_\ell$. Furthermore, for $j \in [4]$, it clearly holds that $\gamma'_j = r_\ell \cdot (\hat{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot (\hat{k}_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathsf{ai} = \mathsf{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously, it satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.

(iii) Finally, if $\mathsf{Bad}'$-2 occurs in this decryption query, then $\mathsf{AIAE.Decrypt}(\mathbf{k}, \mathsf{aiae.c}, \mathsf{ai}) \neq \perp$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, will imply that $B_2$'s forgery is successful.

By a union bound, we have that $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathsf{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}, B_2}(\lambda)$.

In conclusion, Lemma 26 follows from the above two claims. This completes the proof of Lemma 26.
Game $G_9$. It is identical to $G_8$ except for the following differences. In the initialize procedure of game $G_9$, the challenger picks an independent $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \tilde{k}^*_2, \tilde{k}^*_3, \tilde{k}^*_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathsf{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathsf{aiae.c}_\ell$:

(i) $\mathbf{k}_\ell := (r_\ell \tilde{k}^*_1 + s_{\ell,1}, \ldots, r_\ell \tilde{k}^*_4 + s_{\ell,4})$;
(ii) $\mathsf{aiae.c}_\ell \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.\mathsf{c}_\ell, \mathsf{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.

In $G_8$, the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,
\[
\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{r^* r_\ell}\, T^{\,r_\ell \cdot (k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^2 \\
&= h_{i_\ell,j}^{r^* r_\ell}\, T^{\,r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i_\ell,j} - \alpha_{j+1} \bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^2.
\end{aligned} \quad (52)
\]
Note that the computation of $t_\ell = g_1^{m\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Therefore the challenger could always employ another $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \ldots, \tilde{k}^*_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in $\mathsf{AIAE}_{\mathrm{DDH}}$'s encryption in the encrypt oracle, as in $G_9$.

Then game $G_8$ and game $G_9$ are essentially the same from A's view, so $\Pr_8[\mathsf{Succ}] = \Pr_9[\mathsf{Succ}]$ and $\Pr_8[\mathsf{Bad}] = \Pr_9[\mathsf{Bad}]$.

Game $G_{10}$. It is identical to $G_9$ except for the way the challenger answers the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $G_{10}$ the challenger computes $\mathsf{aiae.c}_\ell$ in the following way:

(i) $\mathsf{aiae.c}_\ell \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathsf{ai}_\ell)$.

Observe that in $G_9$ and $G_{10}$, $\tilde{\mathbf{k}}^*$ is employed only in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption, where it uses $\mathbf{k}_\ell = r_\ell \cdot \tilde{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between $G_9$ and $G_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathsf{Succ}] - \Pr_{10}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\mathsf{Bad}] - \Pr_{10}[\mathsf{Bad}]| \le \mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in $G_{10}$ the challenger always computes the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from A's view. Thus $\Pr_{10}[\mathsf{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.

Lemma 29. One has $\Pr_{10}[\mathsf{Bad}] \le (Q_d + 1) \cdot 2^{-\Omega(\lambda)} + \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda)$.

Proof. In $G_{10}$, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g\, g_j \bmod \phi(N)/4$ for some base $g \in \mathsf{SCR}_{N^s}$, $j \in [5]$.
$\mathsf{Bad}$ is further divided into the following two disjoint subevents:

(i) $\mathsf{Bad}$-1: A ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } ({}_1 \neq 0 \text{ or } \cdots \text{ or } {}_8 \neq 0) \text{ and } \Big( \tfrac{{}_1}{w_1} \neq \tfrac{{}_2}{w_2} \text{ or } \tfrac{{}_3}{w_2} \neq \tfrac{{}_4}{w_3} \text{ or } \tfrac{{}_5}{w_3} \neq \tfrac{{}_6}{w_4} \text{ or } \tfrac{{}_7}{w_4} \neq \tfrac{{}_8}{w_5} \Big). \quad (53)
\]

(ii) $\mathsf{Bad}$-2: A ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c} \rangle, i \in [n])$ satisfying
\[
\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } ({}_1 \neq 0 \text{ or } \cdots \text{ or } {}_8 \neq 0) \text{ and } \Big( \tfrac{{}_1}{w_1} = \tfrac{{}_2}{w_2} \text{ and } \tfrac{{}_3}{w_2} = \tfrac{{}_4}{w_3} \text{ and } \tfrac{{}_5}{w_3} = \tfrac{{}_6}{w_4} \text{ and } \tfrac{{}_7}{w_4} = \tfrac{{}_8}{w_5} \Big). \quad (54)
\]

We will analyze the two subevents in game $G_{10}$ separately via the following two claims.

Claim 30. One has $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Proof. If $\mathsf{Bad}$-1 occurs, for concreteness say that ${}_1/w_1 \neq {}_2/w_2$, then
\[
g_1^{m} = g_1^{\,{}_1 x_{i,1} + {}_2 y_{i,1} + \cdots} = g_1^{\,{}_1 x_1 + {}_2 y_1 + {}_1 \bar{x}_{i,1} + {}_2 \bar{y}_{i,1} + \cdots \bmod \phi(N)/4} \bmod N, \quad (55)
\]
and $({}_1 x_1 + {}_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^m$ is uniformly distributed over $\mathsf{SCR}_{N^s}$ from A's view, and $t = g_1^m \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound, $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Claim 31. One has $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $G_{10}$, if $\mathsf{Bad}$-2 occurs, then we can construct a PPT adversary $B_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathsf{SCR}_{N^s}$. With $(N, p, q, g, h)$, $B_3$ simulates initialize as follows. $B_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathsf{SCR}_{N^s}$. Next, $B_3$ samples secret keys and computes public keys in just the same way as initialize in $G_{10}$. Since $B_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $B_3$ can perfectly simulate encrypt and decrypt the same way as $G_{10}$ does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from A's view. If we denote $w := \mathrm{dlog}_g\, h \bmod \phi(N)/4$, then for $j \in [5]$,
\[
w_j = \mathrm{dlog}_g\, g_j = z_j + w z'_j \bmod \phi(N)/4.
\]

If $\mathsf{Bad}$-2 occurs in decrypt, for concreteness say that ${}_1/w_1 = {}_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{\,{}_1} = g_1^{\,{}_2} \neq 1$, then $B_3$ can compute $w$ by solving the equation $w_1 \cdot {}_2 = w_2 \cdot {}_1 \bmod \phi(N)/4$, or equivalently,
\[
z_1 \cdot {}_2 + w z'_1 \cdot {}_2 = z_2 \cdot {}_1 + w z'_2 \cdot {}_1 \bmod \phi(N)/4. \quad (56)
\]
Since $z'_j$ is hidden from the point of view of A, $(z'_1 \cdot {}_2 - z'_2 \cdot {}_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $B_3$ will succeed in computing the discrete logarithm of $h$ based on $g$, and output $w = (z'_1 \cdot {}_2 - z'_2 \cdot {}_1)^{-1} \cdot (z_2 \cdot {}_1 - z_1 \cdot {}_2) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}, B_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], which are polynomial-sized circuits computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of 8n Variables to Polynomials of 8 Variables

How to Reduce the 8n-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
\[
x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}. \quad (57)
\]
Consequently, $f_\ell$ in $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$, that is,
\[
\begin{aligned}
f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big)
&= f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) \\
&= f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big)
= \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}.
\end{aligned} \quad (58)
\]
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$, we can repeat the following procedure:

(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1, \ldots, c_8)}$ can be extracted through solving a linear system of equations
\[
f_\ell\big((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i \in [n], j \in [4]}\big)
= \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (59)
\]
The overall time complexity for computing the coefficients $a_{(c_1, \ldots, c_8)}$ is polynomial in $\lambda$.
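The reduction of Section 5.2 (shifting every key onto the target key $i_\ell$ via (57), then recovering the coefficients of $f'_\ell$ from black-box evaluations by solving the linear system (59)) as a worked example. This is added code, not the authors' implementation: the number of variables per key and the number of keys are parameters here (the paper fixes 8 per key), so the same routine covers the paper's setting and the small constructed instance in `demo()`; the modulus, the shifts and the black-box polynomial in `demo()` are toy values chosen for the example; and Gauss-Jordan elimination over $\mathbb{Z}_N$ with a gcd pivot check and resampling on a singular system is my choice of how to "solve the linear system", which the paper does not spell out.

```python
# Added example (not from the paper): reduce an (n*k)-variable polynomial f_l,
# given only as a black box, to the k-variable polynomial f'_l of the target key.
import random
from itertools import product
from math import gcd


def monomial_exponents(k, d):
    """All exponent vectors (c_1, ..., c_k) with c_1 + ... + c_k <= d.
    There are binom(k + d, d) of them, i.e. Theta(d^k) for fixed k."""
    return [c for c in product(range(d + 1), repeat=k) if sum(c) <= d]


def eval_monomial(c, point, N):
    """x_1^{c_1} * ... * x_k^{c_k} mod N at the given point."""
    r = 1
    for e, v in zip(c, point):
        r = r * pow(v, e, N) % N
    return r


def eval_poly(coeffs, point, N):
    """Evaluate a polynomial given as {exponent vector: coefficient} mod N."""
    return sum(a * eval_monomial(c, point, N) for c, a in coeffs.items()) % N


def solve_mod_N(A, b, N):
    """Gauss-Jordan elimination over Z_N.  Returns None when no invertible pivot
    exists in some column (for composite N this is a gcd test, not a zero test);
    the caller then simply resamples the evaluation points."""
    m = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(m):
        piv = next((r for r in range(col, m) if gcd(M[r][col], N) == 1), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, N)
        M[col] = [v * inv % N for v in M[col]]
        for r in range(m):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(vr - f * vc) % N for vr, vc in zip(M[r], M[col])]
    return [M[r][m] for r in range(m)]


def reduce_polynomial(f, n, k, d, shifts, target, N, rng):
    """Recover the coefficients of f'_target (k variables, degree <= d) with
    f'((v_j)_j) = f((v_j + shifts[i][j] - shifts[target][j])_{i,j}) for all v.

    f is the black box (the modular arithmetic circuit) taking an n x k matrix
    of key variables; shifts plays the role of the (x-bar, y-bar) fixed in
    initialize.  Each round samples the target key's variables uniformly,
    derives all n keys as shifts of them (equation (57)), and records f's
    output; after binom(k + d, d) rounds the coefficients follow from (59)."""
    exps = monomial_exponents(k, d)
    while True:
        A, b = [], []
        for _ in range(len(exps)):
            point = [rng.randrange(N) for _ in range(k)]
            all_keys = [[(point[j] + shifts[i][j] - shifts[target][j]) % N
                         for j in range(k)] for i in range(n)]
            A.append([eval_monomial(c, point, N) for c in exps])
            b.append(f(all_keys) % N)
        sol = solve_mod_N(A, b, N)
        if sol is not None:  # resample on a (negligibly likely) singular system
            return {c: a for c, a in zip(exps, sol) if a}


def demo():
    """Constructed instance: n = 2 keys with k = 2 variables each, degree d = 2,
    and N a product of two small primes (a toy modulus, not an RSA-size one)."""
    N = 1000003 * 1000033
    rng = random.Random(7)
    n, k, d = 2, 2, 2
    shifts = [[rng.randrange(N) for _ in range(k)] for _ in range(n)]
    # Constructed black-box polynomial in the 4 key variables, where v[i][j] is
    # variable j of key i:  f = 3 * v[0][0] * v[1][1] + 5 * v[1][0] + 7.
    f = lambda v: 3 * v[0][0] * v[1][1] + 5 * v[1][0] + 7
    return reduce_polynomial(f, n, k, d, shifts, target=0, N=N, rng=rng), shifts, N


if __name__ == "__main__":
    coeffs, _, _ = demo()
    for c, a in sorted(coeffs.items()):
        print(c, a)
```

With the target key 0 and $\delta_j$ the shift of key 1 relative to key 0, the constructed $f$ becomes $3 v_0 v_1 + (3\delta_1 + 5) v_0 + (5\delta_0 + 7)$ in the target key's two variables, which is exactly what `demo()` returns; the number of rounds equals the number of monomials, $\binom{k+d}{d}$, so it is independent of $n$.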
53 How to Design E A Warmup To illustrate the ideasbehind our construction we take a simple case as considera-tion construct E for a concrete type of monomial functionthat is 1198911015840
ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4])= 119886 sdot 119909119894ℓ 1119910119894ℓ 1119909119894ℓ 2119910119894ℓ 2119909119894ℓ 3119910119894ℓ 3119909119894ℓ 4119910119894ℓ 4 (60)
AlgorithmsEEncrypt andEDecrypt are shown in Figure 9
Security Proof Now we sketch the proof of KDM-CCAsecurity for this concrete type of monomial functions thatis 119886 sdot 119909119894ℓ 1119910119894ℓ 1119909119894ℓ 2119910119894ℓ 2119909119894ℓ 3119910119894ℓ 3119909119894ℓ 4119910119894ℓ 4 The proof is similarto that for Theorem 24 (cf Table 2) The only difference liesin games G3-G4 which are related to the building block ENext we will replace G3-G4 with the following hybrids (ieHybrid 1ndashHybrid 3) as shown in Figure 10 Concretely theEEncrypt part of encrypt is changed in a computationallyindistinguishable way so that it can serve as an entropy filterfor this concretemonomial function reserving the entropy of(1199091 1199101 1199094 1199104) mod119873
Suppose that the adversary submits (119891ℓ 119894ℓ isin [119899]) tothe encrypt oracle Our purpose is to eliminate the useof (119909119895 119910119895)4119895=1 mod119873 in the computation of EEncrypt(pk119894ℓ 119891ℓ((119909119894119895 119910119894119895)119894isin[119899]119895isin[4])) so the entropy of (119909119895 119910119895)4119895=1 mod119873 isreserved
Hybrid 0 In the initialize procedure the secret keys arecomputed as 119909119894119895 fl 119909119895 + 119909119894119895 and 119910119894119895 fl 119910119895 + 119910119894119895 mod lfloor11987324rfloorfor 119894 isin [119899] 119895 isin [4] This hybrid is identical to G2 in the proofof Theorem 24
Hybrid 1 Using (119909119894119895 119910119894119895)119894isin[119899]119895isin[4] reduce (119891ℓ 119894ℓ isin [119899]) to(1198911015840ℓ 119894ℓ isin [119899]) and calculate the coefficient 119886 of 1198911015840
ℓ such that
1198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4])= 119886 sdot 119909119894ℓ 1119910119894ℓ 1119909119894ℓ 2119910119894ℓ 2119909119894ℓ 3119910119894ℓ 3119909119894ℓ 4119910119894ℓ 4 (61)
Hybrid 2. Implement $\mathcal{E}$.Encrypt using $sk_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.
(i) Invoke $\mathcal{E}$.Encrypt to set up table.
(ii) Invoke $\mathcal{E}$.Decrypt to compute $\hat{v}_0, \ldots, \hat{v}_8$ from table.
(iii) Employ $\hat{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
Clearly, $\hat{v}_0, \ldots, \hat{v}_8$ computed via $\mathcal{E}$.Decrypt are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}$.Encrypt. Therefore this is just a conceptual change.
Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) table is computed similarly as that in $\mathcal{E}$.Encrypt except for a small difference. More precisely, in table the entry located in row 1 and column 1 is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$. By the IV5 assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
22 Security and Communication Networks
[Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. Recovered content of the figure. Left panel, $\mathcal{E}$.Encrypt$(pk = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \ldots, 8\}$, sample $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and the title $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; table is the $9 \times 8$ array whose row 0 is $(u_{0,1}, \ldots, u_{0,8})$ and whose row $l \ge 1$ carries $\tilde{u}_{l,l} = u_{l,l} \cdot v_{l-1}$ in column $l$ and $u_{l,j}$ in every other column $j$; $e = v_8 \cdot T^m \bmod N^s$, $t = g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}c = (\mathrm{table}, e, t)$. Right panel, $\mathcal{E}$.Decrypt$(sk = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}c)$: parse $\mathcal{E}c = (\mathrm{table}, e, t)$ and compute $\hat{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$, $\hat{v}_1 = (\tilde{u}_{1,1}/\hat{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$, $\hat{v}_2 = u_{2,1}^{-x_1} (\tilde{u}_{2,2}/\hat{v}_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$, $\ldots$, $\hat{v}_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (\tilde{u}_{8,8}/\hat{v}_7)^{-y_4}$; if $e/\hat{v}_8 \in \mathrm{RU}_{N^s}$, set $m = \mathrm{dlog}_T(e/\hat{v}_8) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\perp$.]
[Figure 10: Security proof of $\mathcal{E}$.Encrypt as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The figure shows side by side how $\mathcal{E}c \leftarrow_\$ \mathcal{E}$.Encrypt is simulated on query $(f_\ell, i_\ell \in [n])$ in Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form): the rows $l \in \{0, 1, \ldots, 8\}$ of table are sampled as in Figure 9; in Hybrid 3 and its equivalent form the entry in row 1, column 1 becomes $(u_{1,1} T^a) \cdot v_0$; the titles $\hat{v}_0, \ldots, \hat{v}_8$ are recomputed from table with $sk_{i_\ell}$ exactly as $\mathcal{E}$.Decrypt does; and $e$ changes from $v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ (Hybrid 1) to $\hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ (Hybrids 2 and 3) to $e = v_8 \bmod N^s$ (Equivalent Form), while $t = g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N \in \mathbb{Z}_N$ throughout; output $\mathcal{E}c = (\mathrm{table}, e, t)$.]
(ii) Invoke $\mathcal{E}$.Decrypt to compute $\hat{v}_0, \ldots, \hat{v}_8$ from table.
(iii) Compute $e := \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
Through a routine calculation, we have $\hat{v}_0 = v_0$, $\hat{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\hat{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\hat{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})}$; hence $e = \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = v_8$.
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) table is computed similarly as that in $\mathcal{E}$.Encrypt except for a small difference. More precisely, the entry located in row 1 and column 1 in table is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.
After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to G7-G8 in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in table are elements in $\mathrm{SCR}_{N^s}$. If this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through a similar analysis as that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
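The table-and-title mechanism of Figure 9 and the Hybrid 3 tweak above, as an added toy implementation that is not code from the paper. It fixes $s = 2$, uses tiny constructed primes, assumes the public-key shape $h_j = g_j^{-x_j} g_{j+1}^{-y_j}$ (the shape under which the decryptor's $\hat{v}_l$ coincides with the encryptor's title $v_l$; this is an assumption, since the key generation is defined outside this section) and drops the tag $t$. It checks three things: honest decryption recovers $m$; a ciphertext whose $e$ leaves $v_8 \cdot \mathrm{RU}_{N^s}$ is rejected; and the Hybrid 3 (Equivalent Form) ciphertext, built from $pk$ and $T^a$ alone, decrypts to $a \cdot x_1 y_1 x_2 y_2 x_3 y_3 x_4 y_4 \bmod N$, which is exactly the entropy-filter effect the proof relies on.

```python
import random
from math import gcd

# Constructed toy parameters (assumption): tiny primes keep Z_{N^2}^* readable.
# Real instances use ~1024-bit safe primes; nothing here is secure.
P, Q = 1019, 1031
N = P * Q
NS = N * N            # s = 2: the ciphertext group is Z_{N^2}^*
T = 1 + N             # T generates RU_{N^s}, of order N^{s-1} = N; dlog_T(1 + mN) = m


def _group_element(rng):
    """Random 2N-th residue of Z_{N^2}^*, standing in for a generator of SCR_{N^s}."""
    while True:
        w = rng.randrange(2, NS)
        if gcd(w, NS) == 1:
            return pow(w, 2 * N, NS)


def keygen(rng):
    """sk = (x_1, y_1, ..., x_4, y_4) in column order; pk = (g_1..g_5, h_1..h_4).
    Assumed pk shape: h_j = g_j^{-x_j} g_{j+1}^{-y_j} (needs Python >= 3.8 for negative exponents)."""
    g = [_group_element(rng) for _ in range(5)]
    x = [rng.randrange(N * N // 4) for _ in range(4)]
    y = [rng.randrange(N * N // 4) for _ in range(4)]
    h = [pow(g[j], -x[j], NS) * pow(g[j + 1], -y[j], NS) % NS for j in range(4)]
    sk = [k for pair in zip(x, y) for k in pair]
    return (g, h), sk


def fresh_row(pk, rng):
    """One row (u_{l,1..8}) with its title v_l, computed from pk only (Figure 9)."""
    g, h = pk
    r = [rng.randrange(N // 4) for _ in range(4)]
    u = []
    for j in range(4):
        u += [pow(g[j], r[j], NS), pow(g[j + 1], r[j], NS)]
    v = 1
    for j in range(4):
        v = v * pow(h[j], r[j], NS) % NS
    return u, v


def table_gen(pk, rng, tweak=0):
    """Rows 0..8 of table: row l >= 1 embeds the previous title v_{l-1} in column l.
    tweak = a != 0 reproduces Hybrid 3: entry (1,1) becomes (u_{1,1} T^a) * v_0."""
    table, titles = [], []
    for l in range(9):
        u, v = fresh_row(pk, rng)
        if l >= 1:
            u[l - 1] = u[l - 1] * titles[l - 1] % NS
        if l == 1 and tweak:
            u[0] = u[0] * pow(T, tweak, NS) % NS
        table.append(u)
        titles.append(v)
    return table, titles


def calculate_v(sk, table):
    """Recover the titles hat-v_0..hat-v_8 from table with sk, as E.Decrypt does."""
    hats = []
    for l, row in enumerate(table):
        v = 1
        for k, entry in enumerate(row):
            if l >= 1 and k == l - 1:
                entry = entry * pow(hats[l - 1], -1, NS) % NS   # strip the embedded title
            v = v * pow(entry, -sk[k], NS) % NS
        hats.append(v)
    return hats


def encrypt(pk, m, rng):
    """e = v_8 * T^m mod N^s; the tag t = g_1^m mod N of Figure 9 is omitted in this toy."""
    table, titles = table_gen(pk, rng)
    return table, titles[8] * pow(T, m, NS) % NS


def decrypt(sk, ct):
    table, e = ct
    z = e * pow(calculate_v(sk, table)[8], -1, NS) % NS
    if z % N != 1:            # e / hat-v_8 not in RU_{N^s}: reject
        return None
    return (z - 1) // N       # dlog_T for s = 2


def hybrid3_ciphertext(pk, a, rng):
    """Hybrid 3 (Equivalent Form): tweaked table and e := v_8, using no secret key."""
    table, titles = table_gen(pk, rng, tweak=a)
    return table, titles[8]


def monomial(sk, a):
    """a * x_1 y_1 x_2 y_2 x_3 y_3 x_4 y_4 mod N: the message the filter should inject."""
    out = a
    for k in sk:
        out = out * k % N
    return out


def demo(seed=2017):
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    table, e = encrypt(pk, 424242, rng)
    honest = decrypt(sk, (table, e)) == 424242
    rejects = decrypt(sk, (table, e * 2 % NS)) is None       # 2 is not 1 mod N
    filtered = decrypt(sk, hybrid3_ciphertext(pk, 7, rng)) == monomial(sk, 7)
    return honest, rejects, filtered
```

The chain in `calculate_v` is where the filter lives: the $T^a$ planted in entry $(1,1)$ is raised to $-x_1$ in row 1, the resulting $T^{-a x_1}$ is divided out of row 2's diagonal entry and raised to $-y_1$, and so on, so that $\hat{v}_8 = v_8 \cdot T^{-a x_1 y_1 \cdots x_4 y_4}$ while the encryptor never touched the secret key.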
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named as a title. Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 11.
Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.
For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathrm{table}^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.
Meanwhile, with the help of the secret key $sk = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\hat{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from $\mathrm{table}^{(\mathbf{c})}$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(v^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ could always be extracted from $(\mathrm{table}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ one by one, and finally $m$ is recovered.
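The reduction from $f_\ell$ to $f'_\ell$ used in Hybrid 1 of the proofs in this section (substitute $x_{i,j} = x_j + \bar{x}_{i,j}$, $y_{i,j} = y_j + \bar{y}_{i,j}$ and collect the result by degree tuple $\mathbf{c} \in \mathcal{S}$, yielding the coefficients $a_{\mathbf{c}}$ and the constant $\delta$), together with the count $\binom{8+d}{8} - 1$ of nonconstant monomial types, as an added Python example that is not part of the paper. The dictionary representation of polynomials, the 0-based user/coordinate indexing and the sample function $f$ are constructed here; the paper's Section 5.2, which this reduction follows, is outside this excerpt.

```python
from collections import defaultdict
from math import comb

NVARS = 8          # base key coordinates, in the order x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4
ZERO = (0,) * NVARS

# A polynomial over the base coordinates is a dict {degree tuple c: coefficient};
# c = (c_1, ..., c_8) is exactly the degree tuple of Section 5.4.


def poly_add(p, q):
    out = defaultdict(int, p)
    for c, coeff in q.items():
        out[c] += coeff
    return {c: v for c, v in out.items() if v}


def poly_mul(p, q):
    out = defaultdict(int)
    for c1, v1 in p.items():
        for c2, v2 in q.items():
            out[tuple(a + b for a, b in zip(c1, c2))] += v1 * v2
    return {c: v for c, v in out.items() if v}


def poly_pow(p, k):
    out = {ZERO: 1}
    for _ in range(k):
        out = poly_mul(out, p)
    return out


def unit(j):
    return tuple(1 if t == j else 0 for t in range(NVARS))


def reduce_to_base_key(f, offsets):
    """Hybrid 1: substitute sk_{i,j} = sk_j + offsets[i][j] into f and expand.
    f is a polynomial over the per-user key coordinates, written as
      {(((i, j), e), ...): coeff}   meaning coeff * prod_{(i,j)} sk_{i,j}^e
    with i the user and j the coordinate (both 0-based). Returns f' = {c: a_c}
    over the 8 base coordinates; the entry at ZERO is the constant term delta."""
    result = {}
    for mono, coeff in f.items():
        term = {ZERO: coeff}
        for (i, j), e in mono:
            shifted = poly_add({unit(j): 1}, {ZERO: offsets[i][j]})   # sk_j + offset
            term = poly_mul(term, poly_pow(shifted, e))
        result = poly_add(result, term)
    return result


def split_coefficients(fprime):
    """(a, delta): a maps each nonconstant degree tuple c in S to a_c; delta = a_(0,...,0)."""
    return {c: v for c, v in fprime.items() if c != ZERO}, fprime.get(ZERO, 0)


def monomial_type_bound(d):
    """|S| for degree bound d: the C(8+d, 8) - 1 nonconstant monomial types of Section 5.4."""
    return comb(NVARS + d, NVARS) - 1


def evaluate(fprime, base):
    """Evaluate a base-coordinate polynomial at base = (x_1, y_1, ..., x_4, y_4)."""
    total = 0
    for c, coeff in fprime.items():
        term = coeff
        for j, e in enumerate(c):
            term *= base[j] ** e
        total += term
    return total


def evaluate_per_user(f, sk_of):
    """Evaluate the original f, with sk_of(i, j) returning the user-i coordinate j."""
    total = 0
    for mono, coeff in f.items():
        term = coeff
        for (i, j), e in mono:
            term *= sk_of(i, j) ** e
        total += term
    return total


def demo():
    """Constructed example, n = 2 users: f = x_{1,1} * y_{2,1}^2 + 3 (users 0 and 1 in code)."""
    f = {(((0, 0), 1), ((1, 1), 2)): 1, (): 3}
    offsets = [[2, 0, 0, 0, 0, 0, 0, 0], [0, 5, 0, 0, 0, 0, 0, 0]]   # constructed \bar x, \bar y
    fprime = reduce_to_base_key(f, offsets)
    a, delta = split_coefficients(fprime)
    base = [11, 13, 17, 19, 23, 29, 31, 37]      # stand-in values for x_1, y_1, ..., x_4, y_4
    consistent = evaluate(fprime, base) == evaluate_per_user(f, lambda i, j: base[j] + offsets[i][j])
    d = max(sum(c) for c in a)
    return a, delta, consistent, len(a) <= monomial_type_bound(d)
```

For the constructed $f$ the expansion is $(x_1 + 2)(y_1 + 5)^2 + 3$, so the filter has to handle the five types $x_1 y_1^2$, $x_1 y_1$, $x_1$, $y_1^2$, $y_1$ (each with its own $\mathrm{table}^{(\mathbf{c})}$), and $\delta = 53$ is the only part of the message that survives into $e$ in Hybrid 3 (Equivalent Form); `consistent` confirms that $f'$ evaluated at the base key equals $f$ evaluated at the per-user keys.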
Security Proof. We sketch the proof of KDM$[\mathcal{F}^d_{\mathrm{poly}}]$-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games G3-G4. Next we will replace G3-G4 with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the $\mathcal{E}$.Encrypt part of the encrypt oracle is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathrm{Encrypt}\big(pk_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i\in[n], j\in[4]})\big)$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n], j\in[4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \qquad (62)$$
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.
Hybrid 2. Implement $\mathcal{E}$.Encrypt using $sk_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathrm{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathrm{TableGen}(pk_{i_\ell}, \mathbf{c})$;
(2) invoke $\hat{v}^{(\mathbf{c})} \leftarrow \mathrm{CalculateV}(sk_{i_\ell}, \mathrm{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Employ $(\hat{v}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c}\in\mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
[Figure 11: (a) $\mathcal{E}$.Encrypt (left) and $\mathcal{E}$.Decrypt (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) TableGen, which generates $\mathrm{table}^{(\mathbf{c})}$ together with a title $v^{(\mathbf{c})}$; (c) CalculateV, which calculates a title $\hat{v}^{(\mathbf{c})}$ from $\mathrm{table}^{(\mathbf{c})}$ using the secret key. Recovered content of the figure. (a) $\mathcal{E}$.Encrypt$(pk, m)$: for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $(\mathrm{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathrm{TableGen}(pk, \mathbf{c})$; $e = \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})} \cdot T^m \bmod N^s$; $t = g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}c = ((\mathrm{table}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}, e, t)$. $\mathcal{E}$.Decrypt$(sk, \mathcal{E}c)$: parse $\mathcal{E}c = ((\mathrm{table}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}, e, t)$; for each $\mathbf{c} \in \mathcal{S}$, $\hat{v}^{(\mathbf{c})} \leftarrow \mathrm{CalculateV}(sk, \mathrm{table}^{(\mathbf{c})}, \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c}\in\mathcal{S}} \hat{v}^{(\mathbf{c})})^{-1} \in \mathrm{RU}_{N^s}$, set $m = \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c}\in\mathcal{S}} \hat{v}^{(\mathbf{c})})^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$ output $m$, otherwise output $\perp$. (b) TableGen$(pk = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: for each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$, sample $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$ and set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$, $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; $\mathrm{table}^{(\mathbf{c})}$ has $\sum_{j=1}^8 c_j + 1$ rows: row 0 is $(u_{0,1}, \ldots, u_{0,8})$, the next $c_1$ rows embed the preceding title in column 1 ($\tilde{u}_{l,1} = u_{l,1} \cdot v_{l-1}$ for $l \in \{1, \ldots, c_1\}$), the next $c_2$ rows embed it in column 2 ($\tilde{u}_{l,2} = u_{l,2} \cdot v_{l-1}$ for $l \in \{c_1+1, \ldots, c_1+c_2\}$), and so on, up to the last $c_8$ rows, which embed it in column 8; output $(\mathrm{table}^{(\mathbf{c})}, v^{(\mathbf{c})} = v_{\sum_{j=1}^8 c_j})$. (c) CalculateV$(sk = (x_1, y_1, \ldots, x_4, y_4), \mathrm{table}^{(\mathbf{c})}, \mathbf{c} = (c_1, \ldots, c_8))$: parse $\mathrm{table}^{(\mathbf{c})} = \{(u_{l,1}, \ldots, u_{l,8})\}_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$; $\hat{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; for each $l \in \{1, \ldots, c_1\}$, $\hat{v}_l = (\tilde{u}_{l,1}/\hat{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; for each $l \in \{c_1+1, \ldots, c_1+c_2\}$, $\hat{v}_l = u_{l,1}^{-x_1} (\tilde{u}_{l,2}/\hat{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; $\ldots$; for each $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$, $\hat{v}_l = u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (\tilde{u}_{l,8}/\hat{v}_{l-1})^{-y_4}$; output $\hat{v}^{(\mathbf{c})} = \hat{v}_{\sum_{j=1}^8 c_j}$.]
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\hat{v}^{(\mathbf{c})}$ computed via CalculateV is the same as $v^{(\mathbf{c})}$ computed via TableGen. Therefore this change is just conceptual.
Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) $\mathrm{table}^{(\mathbf{c})}$ is computed by $(\mathrm{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathrm{TableGen}(pk_{i_\ell}, \mathbf{c})$ except for a small difference; more precisely, in $\mathrm{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$; by the IV5 assumption this difference is computationally undetectable;
(2) extract $\hat{v}^{(\mathbf{c})}$ from the (modified) $\mathrm{table}^{(\mathbf{c})}$ by invoking $\hat{v}^{(\mathbf{c})} \leftarrow \mathrm{CalculateV}(sk_{i_\ell}, \mathrm{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$\hat{v}^{(\mathbf{c})} = v^{(\mathbf{c})} \cdot T^{-a_{(c_1, \ldots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \qquad (63)$$
Hence
$$e = \prod_{\mathbf{c}\in\mathcal{S}} \hat{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})} \cdot \prod_{\mathbf{c}\in\mathcal{S}} T^{-a_{(c_1, \ldots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta}. \qquad (64)$$
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathrm{table}^{(\mathbf{c})}$ is computed by $(\mathrm{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \mathrm{TableGen}(pk_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in $\mathrm{table}^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.
After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
With a similar argument as that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
Appendix
A. Proof of Claim 19
We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathrm{pars}_{\mathrm{AE}}$ and has access to the oracle $\mathrm{encrypt}_{\mathrm{AE}}(\cdot) = \mathrm{AE.Encrypt}(\kappa, \cdot)$ for one time.
Firstly, $\mathcal{B}$ prepares $\mathrm{pars}_{\mathrm{AIAE}}$ in the same way as in $\mathrm{G}'_{1,j}$. That is, invoke $\mathrm{pars}_{\mathrm{THPS}} \leftarrow_\$ \mathrm{THPS.Setup}(1^\lambda)$, pick $\mathrm{H} \leftarrow_\$ \mathcal{H}$ randomly and set $\mathrm{pars}_{\mathrm{AIAE}} := (\mathrm{pars}_{\mathrm{THPS}}, \mathrm{pars}_{\mathrm{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathrm{pars}_{\mathrm{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathrm{hk} \leftarrow_\$ \mathcal{HK}$.
As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathrm{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way.
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$ and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathrm{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathrm{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathrm{hk}$ at all, and instead it will resort to its own $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathrm{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, queries its $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle with $m_j$ and gets the challenge $\chi_j$. According to the $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \mathrm{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathrm{G}'_{1,j}$. Therefore, the simulation of $\mathcal{B}$ is the same as that in $\mathrm{G}'_{1,j}$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathrm{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathrm{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathrm{AI\text{-}F}}$ and $(C_\ell, \mathrm{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathrm{TAG}}$.
Finally, $\mathcal{A}$ sends a forgery $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows.
(i) If $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathrm{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai}_\ell = \mathrm{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathrm{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathrm{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathrm{ai}_\ell) \neq (C^*, \mathrm{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ will imply that $(\mathrm{ai}^*, f^*, C^*) = (\mathrm{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ imply that $\chi^* \neq \chi_j$ and $\mathrm{AE.Decrypt}(\kappa, \chi^*) \neq \perp$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.
In summary, $\mathcal{B}$ perfectly simulates $\mathrm{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathrm{chal}^b_{\mathrm{IV5}}}(N, g_1, \ldots, g_5)$ to solve the IV5 problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}$.Encrypt as follows.
(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.
(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV5}}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$; or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.
$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^{a} \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be
$$\big(\tilde{u}_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \cdots,\ u_{1,8}\big). \qquad (\mathrm{B.1})$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_1 = v_1$; or
Case ($b = 1$): $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV5}}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$; or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^*_{2,2} \cdot v^*_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
$$\big(u^*_{2,1},\ \tilde{u}_{2,2} = u^*_{2,2} \cdot v^*_1,\ u_{2,3},\ \cdots,\ u_{2,8}\big). \qquad (\mathrm{B.2})$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_2 = v_2$; or
Case ($b = 1$): $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.
(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV5}}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$; or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets $\tilde{u}_{3,3} := u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that $\tilde{u}_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be
$$\big(u_{3,1},\ u_{3,2},\ \tilde{u}_{3,3} = u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ u_{3,5},\ \cdots,\ u_{3,8}\big). \qquad (\mathrm{B.3})$$
$\mathcal{B}$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_3 = v_3$; or
Case ($b = 1$): $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.
(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.
(vi) Finally, $\mathcal{B}$ computes $\hat{v}_0, \ldots, \hat{v}_8$ from table just as in Hybrids 2 and 3 (also as the original $\mathcal{E}$.Decrypt algorithm) and computes $e := \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$ using the secret keys.
If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the IV5 problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
$$\begin{aligned}
&= r \cdot k^*_j - r \cdot (k^*_j - \alpha_j x_{i,j} - \alpha_{j+1} y_{i,j}) + \gamma'_j \bmod N \\
&= r \cdot k^*_j - r \cdot \big(k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}\big) + \gamma'_j \bmod N \\
&= r \cdot k^*_j + \underbrace{\big(-r \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j\big)}_{\triangleq\, s_j} \\
&= r \cdot k^*_j + s_j \bmod N.
\end{aligned} \qquad (51)$$
Thus $\mathbf{k} = (k_1, \ldots, k_4) = r \cdot \mathbf{k}^* + \mathbf{s}$, where $\mathbf{s} := (s_1, \ldots, s_4)$. $\mathcal{B}_2$ can compute $\langle r, \mathbf{s} = (s_1, \ldots, s_4) \rangle$ as above using $(\bar{x}_{i,j}, \bar{y}_{i,j}, k^*_j - \alpha_j x_j - \alpha_{j+1} y_j)_{j=1}^4$ and outputs $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiae.c})$ to its weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA challenger as a forgery. We analyze the success probability of $\mathcal{B}_2$ as follows.
(i) Firstly, a valid decryption query from $\mathcal{A}$ satisfies $\langle \mathrm{ai}, \mathrm{aiae.c} \rangle \neq \langle \mathrm{ai}_\ell, \mathrm{aiae.c}_\ell \rangle$ for all $\ell \in [Q_e]$; thus $(\mathrm{ai}, \langle r, \mathbf{s} \rangle, \mathrm{aiae.c}) \neq (\mathrm{ai}_\ell, \langle r_\ell, \mathbf{s}_\ell \rangle, \mathrm{aiae.c}_\ell)$ will hold for all $\ell \in [Q_e]$, that is, $\mathcal{B}_2$ always outputs a fresh forgery.
(ii) Secondly, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it is easy to have that $\alpha'_1 = \alpha_1 \cdot r_\ell, \ldots, \alpha'_5 = \alpha_5 \cdot r_\ell$ and thus $r = r_\ell$. Furthermore, for $j \in [4]$ it clearly holds that $\gamma'_j = r_\ell \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + s_{\ell,j}$ (cf. (49)); thus $s_j = -r \cdot (k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j \bar{x}_{i,j} - \alpha_{j+1} \bar{y}_{i,j}) + \gamma'_j = s_{\ell,j}$ and $\mathbf{s} = \mathbf{s}_\ell$. That is, if $\mathrm{ai} = \mathrm{ai}_\ell$ for some $\ell \in [Q_e]$, then it holds that $\langle r, \mathbf{s} \rangle = \langle r_\ell, \mathbf{s}_\ell \rangle$. Obviously it satisfies the special rule required for the weak-INT-$\mathcal{F}_{\mathrm{raff}}$-RKA security.
(iii) Finally, if $\mathsf{Bad}'\text{-}2$ occurs in this decryption query, then $\mathrm{AIAE.Decrypt}(\mathbf{k}, \mathrm{aiae.c}, \mathrm{ai}) \neq \perp$, where $\mathbf{k} = r \cdot \mathbf{k}^* + \mathbf{s}$, which implies that $\mathcal{B}_2$'s forgery is successful.
By a union bound, we have that $\Pr_8[\mathsf{Bad}'\text{-}2] \le Q_d \cdot \mathrm{Adv}^{\mathrm{weak\text{-}int\text{-}rka}}_{\mathrm{AIAE}_{\mathrm{DDH}}, \mathcal{B}_2}(\lambda)$.
(120582)In conclusion Lemma 26 follows from the above two
claimsThis completes the proof of Lemma 26
Game $\mathsf{G}_9$. It is identical to $\mathsf{G}_8$, except for the following differences. In the initialize procedure of game $\mathsf{G}_9$, the challenger picks an independent $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \tilde{k}^*_2, \tilde{k}^*_3, \tilde{k}^*_4) \leftarrow_{\$} (\mathbb{Z}_N)^4$ besides $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$. As for the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$, the challenger employs a different key for $\mathsf{AIAE}_{\mathrm{DDH}}$ in the computation of $\mathsf{aiae.c}_\ell$:

(i) $\mathbf{k}_\ell := (r_\ell\tilde{k}^*_1 + s_{\ell,1}, \ldots, r_\ell\tilde{k}^*_4 + s_{\ell,4})$;
(ii) $\mathsf{aiae.c}_\ell \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, \mathcal{E}.c_\ell, \mathsf{ai}_\ell)$.

We stress that the challenger still employs $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ in the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$.
In $\mathsf{G}_8$, the only place that involves the value of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is the computation of $(e_{\ell,1}, \ldots, e_{\ell,4})$ in the encrypt oracle. Specifically, for $j \in [4]$,
$$
\begin{aligned}
e_{\ell,j} &= h_{i_\ell,j}^{\,r^* r_\ell}\; T^{\,r_\ell\cdot(k^*_j - \alpha_j x_{i_\ell,j} - \alpha_{j+1} y_{i_\ell,j}) + s_{\ell,j}} \bmod N^s \\
&= h_{i_\ell,j}^{\,r^* r_\ell}\; T^{\,r_\ell\cdot(k^*_j - \alpha_j x_j - \alpha_{j+1} y_j - \alpha_j\bar{x}_{i_\ell,j} - \alpha_{j+1}\bar{y}_{i_\ell,j}) + s_{\ell,j}} \bmod N^s.
\end{aligned}
\tag{52}
$$
Note that the computation of $t_\ell = g_1^{m_\beta} \bmod N$ in the encrypt oracle only involves $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. Moreover, observe that neither $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ nor $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is used in decrypt. Hence $\mathbf{k}^* = (k^*_1, k^*_2, k^*_3, k^*_4)$ is perfectly hidden by $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Therefore the challenger could always employ another $\tilde{\mathbf{k}}^* = (\tilde{k}^*_1, \ldots, \tilde{k}^*_4)$ in the computation of $\mathbf{k}_\ell$ and utilize $\mathbf{k}_\ell$ in $\mathsf{AIAE}_{\mathrm{DDH}}$'s encryption in the encrypt oracle, as in $\mathsf{G}_9$.

Then game $\mathsf{G}_8$ and game $\mathsf{G}_9$ are essentially the same from $\mathcal{A}$'s view, so $\Pr_8[\mathsf{Succ}] = \Pr_9[\mathsf{Succ}]$ and $\Pr_8[\mathsf{Bad}] = \Pr_9[\mathsf{Bad}]$.

Game $\mathsf{G}_{10}$. It is identical to $\mathsf{G}_9$, except for the way the challenger answers the $\ell$th ($\ell \in [Q_e]$) encrypt oracle query $(f_\ell, i_\ell)$. More precisely, in game $\mathsf{G}_{10}$, the challenger computes $\mathsf{aiae.c}_\ell$ in the following way:

(i) $\mathsf{aiae.c}_\ell \leftarrow_{\$} \mathsf{AIAE.Encrypt}(\mathbf{k}_\ell, 0^{\lambda_M}, \mathsf{ai}_\ell)$.

Observe that in $\mathsf{G}_9$ and $\mathsf{G}_{10}$, $\tilde{\mathbf{k}}^*$ is employed only in the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption, where it uses $\mathbf{k}_\ell = r_\ell\cdot\tilde{\mathbf{k}}^* + \mathbf{s}_\ell$ as the encryption key with $\mathbf{s}_\ell = (s_{\ell,1}, \ldots, s_{\ell,4})$. Any difference between $\mathsf{G}_9$ and $\mathsf{G}_{10}$ results in a PPT adversary against the IND-$\mathcal{F}_{\mathrm{raff}}$-RKA security of the $\mathsf{AIAE}_{\mathrm{DDH}}$ scheme. Therefore $|\Pr_9[\mathsf{Succ}] - \Pr_{10}[\mathsf{Succ}]| \le \mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$ and $|\Pr_9[\mathsf{Bad}] - \Pr_{10}[\mathsf{Bad}]| \le \mathsf{Adv}^{\mathrm{ind\text{-}rka}}_{\mathsf{AIAE}_{\mathrm{DDH}}}(\lambda)$.

Finally, in $\mathsf{G}_{10}$ the challenger always computes the $\mathsf{AIAE}_{\mathrm{DDH}}$ encryption of $0^{\lambda_M}$ in the encrypt oracle, so $\beta$ is perfectly hidden from $\mathcal{A}$'s view. Thus $\Pr_{10}[\mathsf{Succ}] = 1/2$.

To complete the proof of Theorem 24, we only need to prove the following lemma.
Lemma 29. One has $\Pr_{10}[\mathsf{Bad}] \le (Q_d + 1)\cdot 2^{-\Omega(\lambda)} + \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda)$.

Proof. In $\mathsf{G}_{10}$, neither decrypt nor encrypt uses the values of $(x_1, y_1, \ldots, x_4, y_4) \bmod \phi(N)/4$. The only information leaked about them lies in the public keys $\mathsf{pk}_i$, $i \in [n]$, which reveal the values of $(w_1 x_1 + w_2 y_1), (w_2 x_2 + w_3 y_2), (w_3 x_3 + w_4 y_3), (w_4 x_4 + w_5 y_4) \bmod \phi(N)/4$, where we denote $w_j := \mathrm{dlog}_g\, g_j \bmod \phi(N)/4$ for some base $g \in \mathsf{SCR}_{N^s}$, $j \in [5]$.

$\mathsf{Bad}$ is further divided into the following two disjoint subevents.

(i) $\mathsf{Bad}$-1: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying
$$
\begin{aligned}
&\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\hat{a}_1 \neq 0 \text{ or } \cdots \text{ or } \hat{a}_8 \neq 0) \\
&\text{and } \Bigl(\tfrac{\hat{a}_1}{w_1} \neq \tfrac{\hat{a}_2}{w_2} \text{ or } \tfrac{\hat{a}_3}{w_2} \neq \tfrac{\hat{a}_4}{w_3} \text{ or } \tfrac{\hat{a}_5}{w_3} \neq \tfrac{\hat{a}_6}{w_4} \text{ or } \tfrac{\hat{a}_7}{w_4} \neq \tfrac{\hat{a}_8}{w_5}\Bigr).
\end{aligned}
\tag{53}
$$

(ii) $\mathsf{Bad}$-2: $\mathcal{A}$ ever queries the decrypt oracle with $(\langle \mathsf{ai}, \mathsf{aiae.c}\rangle, i \in [n])$ satisfying
$$
\begin{aligned}
&\text{Conditions (42), (43), and } (\alpha'_1 = \cdots = \alpha'_5 = 0) \text{ and } (\hat{a}_1 \neq 0 \text{ or } \cdots \text{ or } \hat{a}_8 \neq 0) \\
&\text{and } \Bigl(\tfrac{\hat{a}_1}{w_1} = \tfrac{\hat{a}_2}{w_2} \text{ and } \tfrac{\hat{a}_3}{w_2} = \tfrac{\hat{a}_4}{w_3} \text{ and } \tfrac{\hat{a}_5}{w_3} = \tfrac{\hat{a}_6}{w_4} \text{ and } \tfrac{\hat{a}_7}{w_4} = \tfrac{\hat{a}_8}{w_5}\Bigr).
\end{aligned}
\tag{54}
$$

We will analyze the two subevents in game $\mathsf{G}_{10}$ separately, via the following two claims.

Claim 30. One has $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d\cdot 2^{-\Omega(\lambda)}$.

Proof. If $\mathsf{Bad}$-1 occurs, for concreteness say that $\hat{a}_1/w_1 \neq \hat{a}_2/w_2$, then
$$
g_1^{m} = g_1^{\,\hat{a}_1 x_{i,1} + \hat{a}_2 y_{i,1} + \cdots} = g_1^{\,\hat{a}_1 x_1 + \hat{a}_2 y_1 + \hat{a}_1\bar{x}_{i,1} + \hat{a}_2\bar{y}_{i,1} + \cdots \bmod \phi(N)/4} \bmod N,
\tag{55}
$$
and $(\hat{a}_1 x_1 + \hat{a}_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^m$ is uniformly distributed over $\mathsf{SCR}_{N^s}$ from $\mathcal{A}$'s view, and $t = g_1^m \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then, according to a union bound, $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d\cdot 2^{-\Omega(\lambda)}$.
Claim 31. One has $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $\mathsf{G}_{10}$, if $\mathsf{Bad}$-2 occurs, then we can construct a PPT adversary $\mathcal{B}_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathsf{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal{B}_3$ simulates initialize as follows. $\mathcal{B}_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathsf{SCR}_{N^s}$. Next, $\mathcal{B}_3$ samples secret keys and computes public keys in the same way as initialize in $\mathsf{G}_{10}$. Since $\mathcal{B}_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal{B}_3$ can perfectly simulate encrypt and decrypt the same way as $\mathsf{G}_{10}$ does. Furthermore, $z'_j$ is perfectly hidden by $z_j$ from $\mathcal{A}$'s view. If we denote $w := \mathrm{dlog}_g\, h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g\, g_j = z_j + w z'_j \bmod \phi(N)/4$.

If $\mathsf{Bad}$-2 occurs in decrypt, for concreteness say that $\hat{a}_1/w_1 = \hat{a}_2/w_2 \neq 0 \bmod \phi(N)/4$, that is, $g_2^{\hat{a}_1} = g_1^{\hat{a}_2} \neq 1$, then $\mathcal{B}_3$ can compute $w$ by solving the equation $w_1\hat{a}_2 = w_2\hat{a}_1 \bmod \phi(N)/4$, or equivalently
$$
z_1\hat{a}_2 + w z'_1\hat{a}_2 = z_2\hat{a}_1 + w z'_2\hat{a}_1 \bmod \phi(N)/4.
\tag{56}
$$
Since $z'_j$ is hidden from the point of view of $\mathcal{A}$, $(z'_1\hat{a}_2 - z'_2\hat{a}_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal{B}_3$ will succeed in computing the discrete logarithm of $h$ based on $g$, and outputs $w = (z'_1\hat{a}_2 - z'_2\hat{a}_1)^{-1}\cdot(z_2\hat{a}_1 - z_1\hat{a}_2) \bmod \phi(N)/4$ to its challenger. Clearly, we have $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN},\,\mathcal{B}_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE to that of $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal{F}^d_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], which are polynomial-sized circuits computing $f \in \mathcal{F}^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of the modular arithmetic circuits. The only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM[$\mathcal{F}_{\mathrm{aff}}$]-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal{E}$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal{E}$ should employ the same pair of public and secret keys as KEM. That is, we have $\mathsf{sk}_i = (x_{i,1}, y_{i,1}, \ldots, x_{i,4}, y_{i,4})$ and $\mathsf{pk}_i = (h_{i,1}, \ldots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \ldots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables
How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})$ of 8 variables, consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.

The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathsf{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N/4\rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$, $(x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]}$ could be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$, that is,
$$
x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}.
\tag{57}
$$
Consequently, $f_\ell$ in $8n$ variables $(x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]}$ can be reduced to $f'_\ell$ in 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$, that is,
$$
\begin{aligned}
f_\ell\bigl((x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]}\bigr)
&= f_\ell\Bigl(\bigl(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\; \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\bigr)_{i\in[n],\,j\in[4]}\Bigr) \\
&= f'_\ell\bigl((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\bigr)
= \sum_{0 \le c_1+\cdots+c_8 \le d} a_{(c_1,\ldots,c_8)}\cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}.
\end{aligned}
\tag{58}
$$
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$.

How to Determine the Coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$. In order to compute the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$, we can repeat the following procedure:

(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\; y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i\in[n],\,j\in[4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1,\ldots,c_8)}$ can be extracted by solving a linear system of equations:
$$
f_\ell\bigl((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\; y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i\in[n],\,j\in[4]}\bigr)
= \sum_{0 \le c_1+\cdots+c_8 \le d} a_{(c_1,\ldots,c_8)}\cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}.
\tag{59}
$$
The overall time complexity for computing the coefficients $a_{(c_1,\ldots,c_8)}$ is polynomial in $\lambda$.
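As an added example (not from the paper), the following Python code carries out the reduction of Section 5.2 end to end: it treats $f_\ell$ as a black box, evaluates it at $\binom{8+d}{8}$ random points expanded through (57), and solves the linear system (59) for the coefficients of $f'_\ell$. It works over a prime field instead of modulo $N$, a simplification that keeps every pivot of the linear solve invertible; the circuit, the shifts and the parameters $n = 3$, $d = 2$ are constructed for the demonstration.

```python
"""Reduce an 8n-variable polynomial f_l to the 8-variable f'_l of Section 5.2
by black-box evaluation plus a linear solve (added example, not the paper's code).

Constructed simplification: arithmetic is over the prime field Z_P so that
Gaussian elimination always finds invertible pivots; the scheme works mod N.
"""
import itertools
import random

P = 2**61 - 1  # demo modulus (prime); stands in for the scheme's modulus N

# Variable order inside one secret key: (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4).
KEY_LEN = 8


def monomials(d):
    """All degree tuples (c_1..c_8) with 0 <= c_1+...+c_8 <= d: C(8+d, 8) of them."""
    return [c for c in itertools.product(range(d + 1), repeat=KEY_LEN) if sum(c) <= d]


def eval_monomial(c, point):
    """x_1^{c_1} y_1^{c_2} ... y_4^{c_8} evaluated at an 8-variable point, mod P."""
    r = 1
    for ci, xi in zip(c, point):
        r = r * pow(xi, ci, P) % P
    return r


def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination over Z_P for a square, nonsingular system."""
    n = len(rows)
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(n):
        piv = next(r for r in range(col, n) if m[r][col] % P)  # raises if singular
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, P)
        m[col] = [v * inv % P for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(vr - f * vc) % P for vr, vc in zip(m[r], m[col])]
    return [m[r][n] for r in range(n)]


def expand_keys(point, shifts, i_l):
    """Eq. (57): x_{i,j} = x_{i_l,j} + xbar_{i,j} - xbar_{i_l,j} for every user i,
    from the 8 variables of user i_l and the shifts fixed in initialize."""
    return [[(point[j] + shifts[i][j] - shifts[i_l][j]) % P for j in range(KEY_LEN)]
            for i in range(len(shifts))]


def reduce_polynomial(circuit, shifts, i_l, d):
    """Steps (i)-(iii) of Section 5.2 repeated C(8+d, 8) times, then (59) solved
    for the coefficients a_(c_1..c_8). `circuit` is used only as a black box on
    full 8n-variable inputs, like the modular arithmetic circuit."""
    mons = monomials(d)
    rows, rhs = [], []
    for _ in range(len(mons)):
        pt = [random.randrange(P) for _ in range(KEY_LEN)]       # (i) random 8 variables
        rows.append([eval_monomial(c, pt) for c in mons])       # monomial values at pt
        rhs.append(circuit(expand_keys(pt, shifts, i_l)) % P)   # (ii)+(iii) query, record
    coeffs = solve_mod_p(rows, rhs)
    return {c: a for c, a in zip(mons, coeffs) if a}  # sparse f'_l, zero terms dropped


def eval_reduced(f_prime, point):
    """Evaluate the recovered 8-variable polynomial f'_l at a point."""
    return sum(a * eval_monomial(c, point) for c, a in f_prime.items()) % P


def demo():
    """n = 3 users, degree bound d = 2, target user i_l = 0 (the paper's i_l = 1).
    The constructed circuit mixes variables of all three users."""
    random.seed(7)
    n, d, i_l = 3, 2, 0
    shifts = [[random.randrange(P) for _ in range(KEY_LEN)] for _ in range(n)]

    def circuit(sk):  # sk[i][j] = slot j of user i; slot 0 is x_1, slot 3 is y_2, slot 6 is x_4
        # f = x_{1,1}*y_{3,2} + 5*x_{2,4}^2 + x_{1,1} + x_{2,1} + 7
        return (sk[0][0] * sk[2][3] + 5 * sk[1][6] ** 2 + sk[0][0] + sk[1][0] + 7) % P

    f_prime = reduce_polynomial(circuit, shifts, i_l, d)
    pt = [random.randrange(P) for _ in range(KEY_LEN)]
    consistent = eval_reduced(f_prime, pt) == circuit(expand_keys(pt, shifts, i_l))
    return f_prime, consistent, shifts
```

With $d = 2$ the solve involves 45 unknowns, one per degree tuple; after expansion through (57) the cross-user term $x_{1,1} y_{3,2}$ becomes $x_{1,1} y_{1,2}$ plus a linear correction whose coefficient depends only on the shifts.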
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal{E}$ for a concrete type of monomial function, that is,
$$
f'_\ell\bigl((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\bigr) = a\cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}.
\tag{60}
$$
Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 9.

[Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a\cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. Recovered content: $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk} = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \ldots, 8\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4\rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and the title $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; $\mathsf{table}$ is the $9 \times 8$ array whose row $l$ is $(u_{l,1}, \ldots, u_{l,8})$, except that for $l \in [8]$ the entry in column $l$ is $u_{l,l}\cdot v_{l-1}$; output $\mathcal{E}.c = (\mathsf{table}, e, t)$ with $e = v_8\cdot T^m \bmod N^s$ and $t = g_1^m \bmod N \in \mathbb{Z}_N$. $\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}.c)$: parse $\mathcal{E}.c = (\mathsf{table}, e, t)$ and $\mathsf{table} = (u_{l,1}, \ldots, u_{l,8})_{l\in\{0,\ldots,8\}}$; compute $\hat{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2}\cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$, $\hat{v}_1 = (u_{1,1}/\hat{v}_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2}\cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$, $\hat{v}_2 = u_{2,1}^{-x_1} (u_{2,2}/\hat{v}_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2}\cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$, $\ldots$, $\hat{v}_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2}\cdots u_{8,7}^{-x_4} (u_{8,8}/\hat{v}_7)^{-y_4}$; if $e/\hat{v}_8 \in \mathsf{RU}_N$, set $m = \mathrm{dlog}_T(e/\hat{v}_8) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$, otherwise output $\bot$.]

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a\cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$-$\mathsf{G}_4$, which are related to the building block $\mathcal{E}$. Next we will replace $\mathsf{G}_3$-$\mathsf{G}_4$ with the following hybrids (i.e., Hybrid 1–Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way, so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

[Figure 10: Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a\cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. Recovered content: the columns Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form) show the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt$(f, i \in [n])$, which outputs $\mathcal{E}.c = (\mathsf{table}, e, t)$: $\mathsf{table}$ and the titles $v_0, \ldots, v_8$ are generated as in Figure 9, except that in Hybrid 3 (both forms) the entry in row 1, column 1 is $(u_{1,1} T^a)\cdot v_0$; in Hybrids 2 and 3 the titles $\hat{v}_0, \ldots, \hat{v}_8$ are recomputed from $\mathsf{table}$ as in $\mathcal{E}.\mathsf{Decrypt}$; $e = v_8\cdot T^{f'((x_{i,j}, y_{i,j})_{j\in[4]})} \bmod N^s$ in Hybrid 1, $e = \hat{v}_8\cdot T^{f'((x_{i,j}, y_{i,j})_{j\in[4]})} \bmod N^s$ in Hybrids 2 and 3, and $e = v_8 \bmod N^s$ in the equivalent form; $t = g_1^{f'((x_{i,j}, y_{i,j})_{j\in[4]})} \bmod N \in \mathbb{Z}_N$ throughout.]

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N/4\rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$
f'_\ell\bigl((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\bigr) = a\cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}.
\tag{61}
$$

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.

(i) Invoke $\mathcal{E}.\mathsf{Encrypt}$ to set up $\mathsf{table}$.
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\hat{v}_0, \ldots, \hat{v}_8$ from $\mathsf{table}$.
(iii) Employ $\hat{v}_8$ rather than $v_8$ in the computation of $e$, that is, $e := \hat{v}_8\cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.

Clearly, $\hat{v}_0, \ldots, \hat{v}_8$ computed via $\mathcal{E}.\mathsf{Decrypt}$ are the same as $v_0, \ldots, v_8$ computed via $\mathcal{E}.\mathsf{Encrypt}$. Therefore, this is just a conceptual change.

Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.

(i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, in $\mathsf{table}$, the entry located in row 1 and column 1 is now computed as $(u_{1,1} T^a)\cdot v_0$ rather than $u_{1,1}\cdot v_0$. By the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\hat{v}_0, \ldots, \hat{v}_8$ from $\mathsf{table}$.
(iii) Compute $e := \hat{v}_8\cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.

Through a routine calculation, we have $\hat{v}_0 = v_0$, $\hat{v}_1 = v_1\cdot T^{-a x_{i_\ell,1}}$, $\hat{v}_2 = v_2\cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\hat{v}_8 = v_8\cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}\cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8\cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})}$; hence $e = \hat{v}_8\cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) $\mathsf{table}$ is computed similarly as that in $\mathcal{E}.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry located in row 1 and column 1 of $\mathsf{table}$ is now computed as $(u_{1,1} T^a)\cdot v_0$ rather than $u_{1,1}\cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way, so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $\mathsf{G}_7$-$\mathsf{G}_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathsf{table}$ are elements of $\mathsf{SCR}_{N^s}$. If this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.

For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{TableGen}$ shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.

Meanwhile, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\hat{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from $\mathsf{table}^{(\mathbf{c})}$ by invoking the algorithm $\mathsf{CalculateV}$ in Figure 11. Thus the titles $(v^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ can always be extracted from $(\mathsf{table}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ one by one, and finally $m$ is recovered.

Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $\mathsf{G}_3$-$\mathsf{G}_4$. Next we will replace $\mathsf{G}_3$-$\mathsf{G}_4$ with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the $\mathcal{E}.\mathsf{Encrypt}$ part of encrypt is changed in a computationally indistinguishable way, so that it can serve as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i\in[n],\,j\in[4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N/4\rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n],\,j\in[4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1,\ldots,c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$
f'_\ell\bigl((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\bigr) = \sum_{(c_1,\ldots,c_8)\in\mathcal{S}} a_{(c_1,\ldots,c_8)}\cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta,
\tag{62}
$$
where $\delta$ is the constant term $a_{(0,\ldots,0)}$ of $f'_\ell$.

Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
  (1) invoke $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
  (2) invoke $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Employ $(\hat{v}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c}\in\mathcal{S}} \hat{v}^{(\mathbf{c})}\cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
[Figure 11: (a) $\mathcal{E}.\mathsf{Encrypt}$ (left) and $\mathcal{E}.\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$; (b) $\mathsf{TableGen}$, which generates $\mathsf{table}^{(\mathbf{c})}$ together with a title $v^{(\mathbf{c})}$; (c) $\mathsf{CalculateV}$, which calculates a title $\hat{v}^{(\mathbf{c})}$ from $\mathsf{table}^{(\mathbf{c})}$ using the secret key. Recovered content: (a) $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$: for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$; $e = \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})}\cdot T^m \bmod N^s$; $t = g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}.c = ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}, e, t)$. $\mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}.c)$: parse $\mathcal{E}.c = ((\mathsf{table}^{(\mathbf{c})})_{\mathbf{c}\in\mathcal{S}}, e, t)$; for each $\mathbf{c} \in \mathcal{S}$, $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$; if $e\cdot(\prod_{\mathbf{c}\in\mathcal{S}} \hat{v}^{(\mathbf{c})})^{-1} \in \mathsf{RU}_N$, set $m = \mathrm{dlog}_T\bigl(e\cdot(\prod_{\mathbf{c}\in\mathcal{S}} \hat{v}^{(\mathbf{c})})^{-1}\bigr) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$, otherwise output $\bot$. (b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: for each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4\rfloor]$, set $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; $\mathsf{table}^{(\mathbf{c})}$ has rows $l = 0, 1, \ldots, \sum_{j=1}^8 c_j$, row $l$ being $(u_{l,1}, \ldots, u_{l,8})$ except that the $c_1$ rows $l \in [1, c_1]$ carry $u_{l,1}\cdot v_{l-1}$ in column 1, the next $c_2$ rows $l \in [c_1+1, c_1+c_2]$ carry $u_{l,2}\cdot v_{l-1}$ in column 2, $\ldots$, and the last $c_8$ rows $l \in [\sum_{j=1}^7 c_j + 1, \sum_{j=1}^8 c_j]$ carry $u_{l,8}\cdot v_{l-1}$ in column 8; output $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})} = v_{\sum_{j=1}^8 c_j})$. (c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \ldots, x_4, y_4), \mathsf{table}^{(\mathbf{c})}, \mathbf{c} = (c_1, \ldots, c_8))$: parse $\mathsf{table}^{(\mathbf{c})} = (u_{l,1}, \ldots, u_{l,8})_{l\in\{0,1,\ldots,\sum_{j=1}^8 c_j\}}$; $\hat{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; for each $l \in [1, c_1]$: $\hat{v}_l = (u_{l,1}/\hat{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; for each $l \in [c_1+1, c_1+c_2]$: $\hat{v}_l = u_{l,1}^{-x_1} (u_{l,2}/\hat{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; $\ldots$; for each $l \in [\sum_{j=1}^7 c_j + 1, \sum_{j=1}^8 c_j]$: $\hat{v}_l = u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (u_{l,8}/\hat{v}_{l-1})^{-y_4}$; output $\hat{v}^{(\mathbf{c})} = \hat{v}_{\sum_{j=1}^8 c_j}$.]
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\hat{v}^{(\mathbf{c})}$ computed via $\mathsf{CalculateV}$ is the same as $v^{(\mathbf{c})}$ computed via $\mathsf{TableGen}$. Therefore, this change is just conceptual.

Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
  (1) $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference; more precisely, in $\mathsf{table}^{(\mathbf{c})}$, the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $(u_{1,j} T^{a_{(c_1,\ldots,c_8)}})\cdot v_0$ rather than $u_{1,j}\cdot v_0$; by the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable;
  (2) extract $\hat{v}^{(\mathbf{c})}$ from the (modified) $\mathsf{table}^{(\mathbf{c})}$ by invoking $\hat{v}^{(\mathbf{c})} \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} \hat{v}^{(\mathbf{c})}\cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.

Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$
\hat{v}^{(\mathbf{c})} = v^{(\mathbf{c})}\cdot T^{-a_{(c_1,\ldots,c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}.
\tag{63}
$$
Hence
$$
\begin{aligned}
e &= \prod_{\mathbf{c}\in\mathcal{S}} \hat{v}^{(\mathbf{c})}\cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \\
&= \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})}\cdot \prod_{\mathbf{c}\in\mathcal{S}} T^{-a_{(c_1,\ldots,c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}\cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})}
= \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})}\cdot T^{\delta}.
\end{aligned}
\tag{64}
$$
Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathsf{table}^{(\mathbf{c})}$ is computed by $(\mathsf{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_{\$} \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$, except for a small difference. More precisely, in $\mathsf{table}^{(\mathbf{c})}$, the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $(u_{1,j} T^{a_{(c_1,\ldots,c_8)}})\cdot v_0$ rather than $u_{1,j}\cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} v^{(\mathbf{c})}\cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.

With an argument similar to that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way, so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
Appendix
A Proof of Claim 19
We build a PPT adversary $\mathcal B$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal K$ randomly. $\mathcal B$ is given $\mathsf{pars}_{\mathsf{AE}}$ and has access to the oracle $\textsc{encrypt}_{\mathsf{AE}}(\cdot) = \mathsf{AE.Encrypt}(\kappa, \cdot)$ for one time.

Firstly, $\mathcal B$ prepares $\mathsf{pars}_{\mathsf{AIAE}}$ in the same way as in $G'_{1,j}$. That is, invoke $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, pick $\mathrm H \leftarrow_\$ \mathcal H$ randomly, and set $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathrm H)$. $\mathcal B$ sends $\mathsf{pars}_{\mathsf{AIAE}}$ to $\mathcal A$. Besides, $\mathcal B$ chooses $hk \leftarrow_\$ \mathcal{HK}$.

As for the $\ell$-th ($\ell\in[Q_e]$) encrypt query $(m_\ell, ai_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf b_\ell\rangle \in \mathcal F_{\mathrm{raff}}$, $\mathcal B$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell\rangle$ in the following way:
(i) If $\ell \in [j-1]$, $\mathcal B$ computes $\langle C_\ell, \chi_\ell\rangle$ just like that in $G'_{1,j}$. That is, $\mathcal B$ picks $C_\ell \leftarrow_\$ \mathcal V$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal K$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal B$ computes $\langle C_\ell, \chi_\ell\rangle$ just like that in $G'_{1,j}$. That is, $\mathcal B$ picks $C_\ell \leftarrow_\$ \mathcal V$ with witness $w_\ell$, computes $t_\ell := \mathrm H(C_\ell, ai_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell\cdot hk + \mathbf b_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal B$ does not use the key $hk$ at all, and instead it will resort to its own $\textsc{encrypt}_{\mathsf{AE}}(\cdot)$ oracle. More precisely, $\mathcal B$ picks $C_j \leftarrow_\$ \mathcal C \setminus \mathcal V$ randomly and computes $t_j := \mathrm H(C_j, ai_j)$. Then $\mathcal B$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, queries its $\textsc{encrypt}_{\mathsf{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\textsc{encrypt}_{\mathsf{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $G'_{1,j}$. Therefore the simulation of $\mathcal B$ is the same as that in $G'_{1,j}$.

$\mathcal B$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell\rangle$ to $\mathcal A$. Moreover, $\mathcal B$ puts $(ai_\ell, f_\ell, \langle C_\ell, \chi_\ell\rangle)$ to $\mathcal Q_{\textsc{enc}}$, $(ai_\ell, f_\ell)$ to $\mathcal Q_{\textsc{ai-f}}$, and $(C_\ell, ai_\ell, t_\ell)$ to $\mathcal Q_{\textsc{tag}}$.

Finally, $\mathcal A$ sends a forgery $(ai^*, f^*, \langle C^*, \chi^*\rangle)$ to $\mathcal B$ with $f^* = \langle a^*, \mathbf b^*\rangle \in \mathcal F_{\mathrm{raff}}$. $\mathcal B$ prepares its own forgery with respect to the AE scheme as follows:
(i) If $(ai^*, f^*, \langle C^*, \chi^*\rangle) \in \mathcal Q_{\textsc{enc}}$, $\mathcal B$ aborts the game.
(ii) If $\exists (ai_\ell, f_\ell) \in \mathcal Q_{\textsc{ai-f}}$ such that $ai_\ell = ai^*$ but $f_\ell \ne f^*$, $\mathcal B$ aborts the game.
(iii) If $C^* \notin \mathcal C$, $\mathcal B$ aborts the game.
(iv) $\mathcal B$ computes $t^* := \mathrm H(C^*, ai^*) \in \mathcal T$.
(v) If $\exists (C_\ell, ai_\ell, t_\ell) \in \mathcal Q_{\textsc{tag}}$ such that $t_\ell = t^*$ but $(C_\ell, ai_\ell) \ne (C^*, ai^*)$, $\mathcal B$ aborts the game.
(vi) If $t^* \ne t_j$, $\mathcal B$ aborts the game. If $t^* = t_j$, $\mathcal B$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal B$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ will imply that $(ai^*, f^*, C^*) = (ai_j, f_j, C_j)$, $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \bot$. Since $\mathcal B$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, then $\chi^* \ne \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \ne \bot$ imply that $\chi^* \ne \chi_j$ and $\mathsf{AE.Decrypt}(\kappa, \chi^*) \ne \bot$; that is, the $\chi^*$ output by $\mathcal B$ is a fresh forgery.

In summary, $\mathcal B$ perfectly simulates $G'_{1,j}$ for $\mathcal A$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}, \mathcal B}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3

To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal B^{\textsc{chal}_b^{\mathrm{IV}_5}}(N, g_1, \dots, g_5)$ to solve the $\mathrm{IV}_5$ problem. Firstly, $\mathcal B$ generates secret and public keys in $\textsc{initialize}$ as Hybrid 0 does. When $\mathcal A$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal B$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal B$ simulates $\mathcal E.\mathsf{Encrypt}$ as follows:

(i) For the 0th row of table, $\mathcal B$ computes $(u_{0,1}, \dots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal B$ queries its own $\textsc{chal}_b^{\mathrm{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$; that is,
Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.
$\mathcal B$ sets the entry in row 1, column 1 to $u^*_{1,1} \cdot v_0$, which is $u_{1,1} \cdot v_0$ if $b = 0$ and $u_{1,1} T^{a} \cdot v_0$ if $b = 1$. Then $\mathcal B$ generates the remaining elements $(u_{1,3}, \dots, u_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be
$$(u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \cdots,\ u_{1,8}). \qquad (B.1)$$
$\mathcal B$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \dots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_1 = v_1$, or
Case ($b = 1$): $v^*_1 = v_1 T^{-a\cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal B$ queries its own $\textsc{chal}_b^{\mathrm{IV}_5}$ oracle with $(0, a\cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal B$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$; that is,
Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a\cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a\cdot x_{i_\ell,1}})$.
$\mathcal B$ sets the entry in row 2, column 2 to $u^*_{2,2} \cdot v^*_1$; that is, it is $u_{2,2} \cdot v_1$ if $b = 0$ and $(u_{2,2} T^{a\cdot x_{i_\ell,1}})(v_1 T^{-a\cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus the entry equals $u_{2,2} \cdot v_1$ in both cases. Then $\mathcal B$ generates the remaining elements $(u_{2,3}, \dots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
$$(u^*_{2,1},\ u^*_{2,2} \cdot v^*_1,\ u_{2,3},\ \cdots,\ u_{2,8}). \qquad (B.2)$$
$\mathcal B$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \dots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_2 = v_2$, or
Case ($b = 1$): $v^*_2 = v_2 T^{-a\cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal B$ queries its own $\textsc{chal}_b^{\mathrm{IV}_5}$ oracle with $(*, a\cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$; that is,
Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a\cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a\cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal B$ sets the entry in row 3, column 3 to $u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that it equals $u_{3,3} \cdot v_2$ in both cases. Then $\mathcal B$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be
$$(u_{3,1},\ u_{3,2},\ u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ u_{3,5},\ \cdots,\ u_{3,8}). \qquad (B.3)$$
$\mathcal B$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \dots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_3 = v_3$, or
Case ($b = 1$): $v^*_3 = v_3 T^{-a\cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal B$ computes table similarly as above.

(vi) Finally, $\mathcal B$ computes $\tilde v_0, \dots, \tilde v_8$ from table just as in Hybrids 2 and 3 (also as the original $\mathcal E.\mathsf{Decrypt}$ algorithm) and computes $e := \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j},\,y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j},\,y_{i_\ell,j})_{j\in[4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal B$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal B$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal B$'s advantage over the $\mathrm{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
References
[1] S. Goldwasser and S. Micali, "Probabilistic encryption," Journal of Computer and System Sciences, vol. 28, no. 2, pp. 270–299, 1984.
[2] J. Black, P. Rogaway, and T. Shrimpton, "Encryption-scheme security in the presence of key-dependent messages," in Selected Areas in Cryptography, K. Nyberg and H. M. Heys, Eds., vol. 2595 of Lecture Notes in Computer Science, pp. 62–75, Springer, 2003.
[3] J. Camenisch and A. Lysyanskaya, "An efficient system for non-transferable anonymous credentials with optional anonymity revocation," in Advances in Cryptology, B. Pfitzmann, Ed., vol. 2045 of Lecture Notes in Computer Science, pp. 93–118, Springer, 2001.
[4] D. Boneh, S. Halevi, M. Hamburg, and R. Ostrovsky, "Circular-secure encryption from decision Diffie-Hellman," in Advances in Cryptology, D. Wagner, Ed., vol. 5157 of Lecture Notes in Computer Science, pp. 108–125, Springer, 2008.
[5] Z. Brakerski and S. Goldwasser, "Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: quadratic residuosity strikes back)," in Advances in Cryptology, T. Rabin, Ed., vol. 6223 of Lecture Notes in Computer Science, pp. 1–20, Springer, 2010.
[6] B. Applebaum, D. Cash, C. Peikert, and A. Sahai, "Fast cryptographic primitives and circular-secure encryption based on hard learning problems," in Advances in Cryptology, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 595–618, Springer, 2009.
[7] O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC '05), H. N. Gabow and R. Fagin, Eds., pp. 84–93, ACM, 2005.
[8] Z. Brakerski, S. Goldwasser, and Y. T. Kalai, "Black-box circular-secure encryption beyond affine functions," in Theory of Cryptography, Y. Ishai, Ed., vol. 6597 of Lecture Notes in Computer Science, pp. 201–218, Springer, 2011.
[9] B. Barak, I. Haitner,ഒ D. Hofheinz, and Y. Ishai, "Bounded key-dependent message security," in Advances in Cryptology, H. Gilbert, Ed., vol. 6110 of Lecture Notes in Computer Science, pp. 423–444, Springer, 2010.
[10] T. Malkin, I. Teranishi, and M. Yung, "Efficient circuit-size independent public key encryption with KDM security," in Advances in Cryptology, K. G. Paterson, Ed., vol. 6632 of Lecture Notes in Computer Science, pp. 507–526, Springer, 2011.
[11] J. Camenisch, N. Chandran, and V. Shoup, "A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks," in Advances in Cryptology, A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 351–368, Springer, 2009.
[12] M. Naor and M. Yung, "Public-key cryptosystems provably secure against chosen ciphertext attacks," in Proceedings of the 22nd Annual ACM Symposium on Theory of Computing (STOC '90), H. Ortiz, Ed., pp. 427–437, May 1990.
[13] J. Groth and A. Sahai, "Efficient non-interactive proof systems for bilinear groups," in Advances in Cryptology, N. P. Smart, Ed., vol. 4965 of Lecture Notes in Computer Science, pp. 415–432, Springer, 2008.
[14] D. Galindo, J. Herranz, and J. Villar, "Identity-based encryption with master key-dependent message security and leakage-resilience," in European Symposium on Research in Computer Security, S. Foresti, M. Yung, and F. Martinelli, Eds., vol. 7459 of Lecture Notes in Computer Science, pp. 627–642, 2012.
[15] D. Hofheinz, "Circular chosen-ciphertext security with compact ciphertexts," in Advances in Cryptology, T. Johansson and P. Q. Nguyen, Eds., vol. 7881 of Lecture Notes in Computer Science, pp. 520–536, Springer, 2013.
[16] X. Lu, B. Li, and D. Jia, "KDM-CCA security from RKA secure authenticated encryption," in Advances in Cryptology, Part I, E. Oswald and M. Fischlin, Eds., vol. 9056 of Lecture Notes in Computer Science, pp. 559–583, Springer, 2015.
[17] S. Han, S. Liu, and L. Lyu, "Efficient KDM-CCA secure public-key encryption for polynomial functions," in Annual International Conference on the Theory and Applications of Cryptology and Information Security, J. H. Cheon and T. Takagi, Eds., vol. 10032 of Lecture Notes in Computer Science, pp. 307–338, Springer, 2016.
[18] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, 2003.
[19] B. Qin, S. Liu, and K. Chen, "Efficient chosen-ciphertext secure public-key encryption scheme with high leakage-resilience," IET Information Security, vol. 9, no. 1, pp. 32–42, 2015.
[20] R. Cramer and V. Shoup, "Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption," in Advances in Cryptology, L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, 2002.
[21] Y. Dodis, E. Kiltz, K. Pietrzak, and D. Wichs, "Message authentication, revisited," in Advances in Cryptology, D. Pointcheval and T. Johansson, Eds., vol. 7237 of Lecture Notes in Computer Science, pp. 355–374, Springer, 2012.
[22] K. Xagawa, "Message authentication codes secure against additively related-key attacks," in Proceedings of the Symposium on Cryptography and Information Security (SCIS '13), 2013.
[23] I. Damgård and M. Jurik, "A generalisation, a simplification and some applications of Paillier's probabilistic public-key system," in Public Key Cryptography, K. Kim, Ed., vol. 1992 of Lecture Notes in Computer Science, pp. 119–136, Springer, 2001.
$\mathsf{Bad}$ is further divided into the following two disjoint subevents:

(i) $\mathsf{Bad}$-1: $\mathcal A$ ever queries the decrypt oracle with $(\langle ai, aiae.c\rangle, i \in [n])$ satisfying Conditions (42), (43), and
$$(\alpha'_1 = \cdots = \alpha'_5 = 0)\ \wedge\ (\square_1 \ne 0 \vee \cdots \vee \square_8 \ne 0)\ \wedge\ (\square_1 w_1 \ne \square_2 w_2\ \vee\ \square_3 w_2 \ne \square_4 w_3\ \vee\ \square_5 w_3 \ne \square_6 w_4\ \vee\ \square_7 w_4 \ne \square_8 w_5). \qquad (53)$$

(ii) $\mathsf{Bad}$-2: $\mathcal A$ ever queries the decrypt oracle with $(\langle ai, aiae.c\rangle, i \in [n])$ satisfying Conditions (42), (43), and
$$(\alpha'_1 = \cdots = \alpha'_5 = 0)\ \wedge\ (\square_1 \ne 0 \vee \cdots \vee \square_8 \ne 0)\ \wedge\ (\square_1 w_1 = \square_2 w_2\ \wedge\ \square_3 w_2 = \square_4 w_3\ \wedge\ \square_5 w_3 = \square_6 w_4\ \wedge\ \square_7 w_4 = \square_8 w_5). \qquad (54)$$

(In (53), (54) and the two proofs below, $\square$ marks a symbol whose glyph was lost in extraction; it denotes the exponents recovered from the queried table.)

We will analyze the two subevents in game $G_{10}$ separately via the following two claims.

Claim 30. One has $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Proof. If $\mathsf{Bad}$-1 occurs, for concreteness say that $\square_1 w_1 \ne \square_2 w_2$, then
$$g_1^{m} = g_1^{\square_1 x_{i,1} + \square_2 y_{i,1} + \cdots} = g_1^{(\square_1 x_1 + \square_2 y_1 + \square_1 \bar x_{i,1} + \square_2 \bar y_{i,1} + \cdots) \bmod \phi(N)/4} \bmod N, \qquad (55)$$
and $(\square_1 x_1 + \square_2 y_1) \bmod \phi(N)/4$ is independent of $(w_1 x_1 + w_2 y_1) \bmod \phi(N)/4$. Thus $g_1^{m}$ is uniformly distributed over $\mathrm{SCR}_{N^s}$ from $\mathcal A$'s view, and $t = g_1^{m} \bmod N$ will not hold except with negligible probability $2^{-\Omega(\lambda)}$.

Then according to a union bound, $\Pr_{10}[\mathsf{Bad}\text{-}1] \le Q_d \cdot 2^{-\Omega(\lambda)}$.

Claim 31. One has $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}}(\lambda) + 2^{-\Omega(\lambda)}$.

Proof. In game $G_{10}$, if $\mathsf{Bad}$-2 occurs, then we can construct a PPT adversary $\mathcal B_3(N, p, q, g, h)$ to compute the discrete logarithm of $h$ based on $g$, where $g, h \in \mathrm{SCR}_{N^s}$. With $(N, p, q, g, h)$, $\mathcal B_3$ simulates $\textsc{initialize}$ as follows. $\mathcal B_3$ picks $z_j, z'_j$ uniformly from $[\phi(N)/4]$ and sets $g_j := g^{z_j} h^{z'_j}$ for $j \in [5]$. Then $g_j$ is uniformly distributed over $\mathrm{SCR}_{N^s}$. Next $\mathcal B_3$ samples secret keys and computes public keys just the same way as $\textsc{initialize}$ in $G_{10}$. Since $\mathcal B_3$ knows all the secret keys together with $\phi(N) = (p-1)(q-1)$, $\mathcal B_3$ can perfectly simulate $\textsc{encrypt}$ and $\textsc{decrypt}$ the same way as $G_{10}$ does. Furthermore, $z'_j$ is hidden by $z_j$ perfectly from $\mathcal A$'s view. If we denote $w := \mathrm{dlog}_g h \bmod \phi(N)/4$, then for $j \in [5]$, $w_j = \mathrm{dlog}_g g_j = z_j + w z'_j \bmod \phi(N)/4$.

If $\mathsf{Bad}$-2 occurs in $\textsc{decrypt}$, for concreteness say that $\square_1 w_1 = \square_2 w_2 \ne 0 \bmod \phi(N)/4$, that is, $g_2^{\square_1} = g_1^{\square_2} \ne 1$, then $\mathcal B_3$ can compute $w$ by solving the equation $w_1 \square_2 = w_2 \square_1 \bmod \phi(N)/4$, or equivalently
$$z_1 \square_2 + w z'_1 \square_2 = z_2 \square_1 + w z'_2 \square_1 \bmod \phi(N)/4. \qquad (56)$$
Since $z'_j$ is hidden from the point of view of $\mathcal A$, $(z'_1 \square_2 - z'_2 \square_1) \bmod \phi(N)/4$ is multiplicatively invertible except with negligible probability $2^{-\Omega(\lambda)}$. Thus $\mathcal B_3$ will succeed in computing the discrete logarithm of $h$ based on $g$ and output $w = (z'_1 \square_2 - z'_2 \square_1)^{-1} \cdot (z_2 \square_1 - z_1 \square_2) \bmod \phi(N)/4$ to its challenger. Clearly we have $\Pr_{10}[\mathsf{Bad}\text{-}2] \le \mathsf{Adv}^{\mathrm{dl}}_{\mathsf{GenN}, \mathcal B_3}(\lambda) + 2^{-\Omega(\lambda)}$.

In conclusion, Lemma 29 follows from the above two claims. This completes the proof of Lemma 29.

In all, we proved the $n$-KDM$[\mathcal F_{\mathrm{aff}}]$-CCA security. This completes the proof of Theorem 24.
5. PKE with $n$-KDM$[\mathcal F^d_{\mathrm{poly}}]$-CCA Security

5.1. The Basic Idea. We extend the construction of $n$-KDM$[\mathcal F_{\mathrm{aff}}]$-CCA secure PKE to that of $n$-KDM$[\mathcal F^d_{\mathrm{poly}}]$-CCA secure PKE. We allow adversaries to submit polynomial functions in $\mathcal F^d_{\mathrm{poly}}$ in the form of modular arithmetic circuits (MAC) [10], that is, polynomial-sized circuits computing $f \in \mathcal F^d_{\mathrm{poly}}$. We stress that there is no a priori bound on the size of the modular arithmetic circuits; the only requirement is that the degree $d$ of the polynomials is a priori bounded. We still follow the approach in Figure 1 in our PKE construction. Indeed, we use the same $\mathsf{AIAE}_{\mathrm{DDH}}$ and KEM as those in the previous $n$-KDM$[\mathcal F_{\mathrm{aff}}]$-CCA secure PKE in Figure 8. We only need to construct a new $\mathcal E$ to serve as an entropy filter for the polynomial function set. Moreover, the new $\mathcal E$ should employ the same pair of public and secret keys as KEM. That is, we have $sk_i = (x_{i,1}, y_{i,1}, \dots, x_{i,4}, y_{i,4})$ and $pk_i = (h_{i,1}, \dots, h_{i,4})$ with $h_{i,1} = g_1^{-x_{i,1}} g_2^{-y_{i,1}}, \dots, h_{i,4} = g_4^{-x_{i,4}} g_5^{-y_{i,4}} \bmod N^s$ for $i \in [n]$.

5.2. Reducing Polynomials of $8n$ Variables to Polynomials of 8 Variables
How to Reduce the $8n$-Variable Polynomial $f_\ell$. In the $n$-KDM$[\mathcal F^d_{\mathrm{poly}}]$-CCA security game, the adversary is allowed to query the encrypt oracle with $(f_\ell, i_\ell \in [n])$ for $\ell \in [Q_e]$. Note that the function $f_\ell$ is a polynomial in the $n$ secret keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$; thus $f_\ell$ has $8n$ variables and is of degree at most $d$. The bad news is that $f_\ell$ contains as many as $\binom{8n+d}{8n} = \Theta(d^{8n})$ monomial functions. Note that this number can be exponentially large.

The good news is that we found an efficient way to greatly reduce the number of monomials from $\Theta(d^{8n})$ to $\Theta(d^8)$. In particular, the polynomial $f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]})$ can always be changed to a polynomial $f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$ of 8 variables consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the $\textsc{initialize}$ procedure, $sk_i$ could be computed as $x_{i,j} := x_j + \bar x_{i,j}$ and $y_{i,j} := y_j + \bar y_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using the shifts $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$, all keys $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$; that is,
$$x_{i,j} = x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j}. \qquad (57)$$
Consequently, $f_\ell$ in the $8n$ variables $(x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}$ can be reduced to $f'_\ell$ in the 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$; that is,
$$f_\ell\big((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}\big) = f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j}}_{y_{i,j}}\big)_{i \in [n], j \in [4]}\Big) = f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a(c_1, \dots, c_8) \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \qquad (58)$$

The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a(c_1, \dots, c_8)$ of $f'_\ell$ are completely determined by the shifts $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$.

How to Determine the Coefficients $a(c_1, \dots, c_8)$ of $f'_\ell$ Efficiently with Only $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$. In order to compute the coefficients $a(c_1, \dots, c_8)$ of $f'_\ell$, we can repeat the following procedure:
(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which functions as $f_\ell$) with $(x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j},\ y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j})_{i \in [n], j \in [4]}$ as input. We stress that $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$ are always the ones chosen in $\textsc{initialize}$.
(iii) Record the output of the circuit.

Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a(c_1, \dots, c_8)$ can be extracted by solving the linear system of equations
$$f_\ell\big((x_{i_\ell,j} + \bar x_{i,j} - \bar x_{i_\ell,j},\ y_{i_\ell,j} + \bar y_{i,j} - \bar y_{i_\ell,j})_{i \in [n], j \in [4]}\big) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a(c_1, \dots, c_8) \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \qquad (59)$$

The overall time complexity for computing the coefficients $a(c_1, \dots, c_8)$ is polynomial in $\lambda$.
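As an added example (not code from the paper), the coefficient-extraction procedure above carried out in Python: the $8n$-variable circuit $f_\ell$ is treated as a black box, every key is rewritten as a shift of key $i_\ell$ as in (57), $\binom{8+d}{8}$ random evaluations are collected, and the linear system (59) is solved for the $a(c_1, \dots, c_8)$. It assumes, as a simplification, that the circuit is evaluated modulo a small constructed prime so that the system can be solved over a field; the prime, the shifts and the demo circuit are constructed values, not the paper's.

```python
"""Coefficient extraction of Section 5.2, as an added example (not the paper's code).

Simplifying assumption: the circuit is evaluated modulo a small constructed prime P,
so that the linear system (59) can be solved by Gauss-Jordan elimination over a field.
"""
import itertools
import random

P = 1_000_003  # constructed prime modulus (stand-in for the paper's ring)
NVARS = 8      # one key is (x_1, y_1, x_2, y_2, x_3, y_3, x_4, y_4)


def monomial_exponents(d):
    """All degree tuples c = (c_1, ..., c_8) with 0 <= c_1 + ... + c_8 <= d.
    There are C(8+d, 8) of them, the Theta(d^8) count from the text."""
    return [c for c in itertools.product(range(d + 1), repeat=NVARS) if sum(c) <= d]


def eval_monomial(c, point):
    """x_1^{c_1} y_1^{c_2} ... y_4^{c_8} evaluated at point, mod P."""
    val = 1
    for exp, coord in zip(c, point):
        val = val * pow(coord, exp, P) % P
    return val


def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination over GF(P); returns the solution, or None if singular."""
    n = len(rows)
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col]), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], P - 2, P)
        m[col] = [v * inv % P for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                factor = m[r][col]
                m[r] = [(a - factor * b) % P for a, b in zip(m[r], m[col])]
    return [row[n] for row in m]


def shifted_keys(point, shifts, i_ell):
    """Eq. (57): key i is key i_ell plus (xbar_{i,j} - xbar_{i_ell,j}), coordinate-wise."""
    return [tuple((point[k] + s[k] - shifts[i_ell][k]) % P for k in range(NVARS))
            for s in shifts]


def reduce_polynomial(f, shifts, i_ell, d, seed=0):
    """Steps (i)-(iii) of Section 5.2 repeated C(8+d, 8) times, then solve (59).

    f      : black box (the modular arithmetic circuit) taking a list of n keys
    shifts : the n tuples (xbar_{i,1}, ybar_{i,1}, ..., xbar_{i,4}, ybar_{i,4})
    Returns {c: a(c)} holding the nonzero coefficients of f'_ell.
    """
    rng = random.Random(seed)
    expos = monomial_exponents(d)
    while True:
        rows, rhs = [], []
        for _ in expos:
            point = [rng.randrange(P) for _ in range(NVARS)]      # (i)
            rows.append([eval_monomial(c, point) for c in expos])
            rhs.append(f(shifted_keys(point, shifts, i_ell)) % P)  # (ii), (iii)
        coeffs = solve_mod_p(rows, rhs)
        if coeffs is not None:  # a singular system is vanishingly rare; resample
            return {c: a for c, a in zip(expos, coeffs) if a}


def eval_reduced(coeffs, point):
    """Evaluate f'_ell (output of reduce_polynomial) at a point of key i_ell."""
    return sum(a * eval_monomial(c, point) for c, a in coeffs.items()) % P


def check_reduction(f, shifts, i_ell, d, trials=5, seed=1):
    """f'_ell(key i_ell) must agree with f(all keys) whenever the keys obey (57)."""
    coeffs = reduce_polynomial(f, shifts, i_ell, d, seed)
    rng = random.Random(seed + 1)
    for _ in range(trials):
        point = [rng.randrange(P) for _ in range(NVARS)]
        if eval_reduced(coeffs, point) != f(shifted_keys(point, shifts, i_ell)) % P:
            return False
    return True


# Constructed demo: n = 2 keys, degree bound d = 2, a circuit touching both keys.
DEMO_SHIFTS = [(1, 2, 3, 4, 5, 6, 7, 8), (11, 12, 13, 14, 15, 16, 17, 18)]


def demo_circuit(keys):
    """f(keys) = 3 * x_{1,1} * y_{2,3} + 5 * x_{2,2} + 7 (keys are 0-indexed here)."""
    return 3 * keys[0][0] * keys[1][5] + 5 * keys[1][2] + 7


def demo():
    """For i_ell = 1 (index 0) the shifts differ by 10 in every coordinate, so
    f'_1 = 3 x_1 y_3 + 30 x_1 + 5 x_2 + 57 in the variables of key 1."""
    return reduce_polynomial(demo_circuit, DEMO_SHIFTS, 0, 2)


if __name__ == "__main__":
    for c, a in sorted(demo().items(), reverse=True):
        print(c, a)
```

The recovered dictionary has exactly four nonzero coefficients, which shows that a circuit over both keys collapses to a polynomial in the eight variables of key $i_\ell$ whose coefficients depend only on the shift differences.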
5.3. How to Design $\mathcal E$: A Warmup. To illustrate the ideas behind our construction, we take a simple case into consideration: construct $\mathcal E$ for a concrete type of monomial function, that is,
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \qquad (60)$$
Algorithms $\mathcal E.\mathsf{Encrypt}$ and $\mathcal E.\mathsf{Decrypt}$ are shown in Figure 9.

Security Proof. Now we sketch the proof of KDM-CCA security for this concrete type of monomial functions, that is, $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The proof is similar to that for Theorem 24 (cf. Table 2). The only difference lies in games $G_3$-$G_4$, which are related to the building block $\mathcal E$. Next we will replace $G_3$-$G_4$ with the following hybrids (i.e., Hybrid 1 to Hybrid 3), as shown in Figure 10. Concretely, the $\mathcal E.\mathsf{Encrypt}$ part of $\textsc{encrypt}$ is changed in a computationally indistinguishable way so that it can serve as an entropy filter for this concrete monomial function, reserving the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal E.\mathsf{Encrypt}(pk_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is reserved.

Hybrid 0. In the $\textsc{initialize}$ procedure, the secret keys are computed as $x_{i,j} := x_j + \bar x_{i,j}$ and $y_{i,j} := y_j + \bar y_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $G_2$ in the proof of Theorem 24.

Hybrid 1. Using $(\bar x_{i,j}, \bar y_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and calculate the coefficient $a$ of $f'_\ell$ such that
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \qquad (61)$$

Hybrid 2. Implement $\mathcal E.\mathsf{Encrypt}$ using $sk_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $G_3$ in the proof of Theorem 24.
(i) Invoke $\mathcal E.\mathsf{Encrypt}$ to set up table.
(ii) Invoke $\mathcal E.\mathsf{Decrypt}$ to compute $\tilde v_0, \dots, \tilde v_8$ from table.
(iii) Employ $\tilde v_8$ rather than $v_8$ in the computation of $e$; that is, $e := \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j},\,y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j},\,y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Clearly, $\tilde v_0, \dots, \tilde v_8$ computed via $\mathcal E.\mathsf{Decrypt}$ are the same as $v_0, \dots, v_8$ computed via $\mathcal E.\mathsf{Encrypt}$. Therefore this is just a conceptual change.

Hybrid 3. This hybrid corresponds to $G_4$ in the proof of Theorem 24.
(i) table is computed similarly as that in $\mathcal E.\mathsf{Encrypt}$, except for a small difference. More precisely, in table the entry located in row 1 and column 1 is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).

Figure 9: $\mathcal E$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. [The figure itself is not recoverable from the extracted text; the two algorithms it shows, as far as they can be read from it, are: $\mathcal E.\mathsf{Encrypt}(pk = (h_1, h_2, h_3, h_4), m)$: for $l \in \{0, 1, \dots, 8\}$, pick $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$, set $(u_{l,1}, \dots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ and $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; table has row 0 equal to $(u_{0,1}, \dots, u_{0,8})$ and, for $l \in [8]$, row $l$ equal to $(u_{l,1}, \dots, u_{l,8})$ with the entry in column $l$ multiplied by $v_{l-1}$ (so row 1 is $(u_{1,1} \cdot v_0, u_{1,2}, \dots, u_{1,8})$, row 2 is $(u_{2,1}, u_{2,2} \cdot v_1, \dots, u_{2,8})$, and row 8 is $(u_{8,1}, \dots, u_{8,7}, u_{8,8} \cdot v_7)$); $e = v_8 \cdot T^{m} \bmod N^s$ and $t = g_1^{m} \bmod N \in \mathbb Z_N$; output $\mathcal E.c = (\mathsf{table}, e, t)$. $\mathcal E.\mathsf{Decrypt}(sk = (x_1, y_1, \dots, x_4, y_4), \mathcal E.c)$: parse $\mathcal E.c = (\mathsf{table}, e, t)$ and table into entries $u_{l,j}$; compute $\tilde v_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$, $\tilde v_1 = (u_{1,1}/\tilde v_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$, $\tilde v_2 = u_{2,1}^{-x_1} (u_{2,2}/\tilde v_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$, …, $\tilde v_8 = u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (u_{8,8}/\tilde v_7)^{-y_4}$; if $e/\tilde v_8 \in \mathrm{RU}_N$, set $m = \mathrm{dlog}_T(e/\tilde v_8) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$ output $m$, otherwise output $\bot$.]

Figure 10: Security proof of $\mathcal E.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. [The figure is not recoverable from the extracted text; it shows $\mathcal E.\mathsf{Encrypt}(f, i \in [n])$ in Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form) side by side: the same sampling of $r_{l,j}$, $u_{l,j}$ and $v_l$ as in Figure 9; the table whose row-1, column-1 entry is $u_{1,1} \cdot v_0$ (Hybrids 1 and 2) or $u_{1,1} T^{a} \cdot v_0$ (Hybrid 3); the titles $\tilde v_0, \dots, \tilde v_8$ recomputed from table as in $\mathcal E.\mathsf{Decrypt}$; and $e = v_8 \cdot T^{f'((x_j, y_j)_{j \in [4]})}$, $e = \tilde v_8 \cdot T^{f'((x_j, y_j)_{j \in [4]})}$, and $e = v_8 \bmod N^s$, respectively, with $t = g_1^{f'((x_j, y_j)_{j \in [4]})} \bmod N \in \mathbb Z_N$ in all hybrids.]
(ii) Invoke $\mathcal E.\mathsf{Decrypt}$ to compute $\tilde v_0, \dots, \tilde v_8$ from table.
(iii) Compute $e := \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j},\,y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j},\,y_{i_\ell,j})_{j \in [4]})} \bmod N$.

Through a routine calculation, we have $\tilde v_0 = v_0$, $\tilde v_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde v_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, …, $\tilde v_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j},\,y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j},\,y_{i_\ell,j})_{j \in [4]})} = v_8$.

Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) table is computed similarly as that in $\mathcal E.\mathsf{Encrypt}$, except for a small difference. More precisely, the entry located in row 1 and column 1 in table is now computed as $(u_{1,1} T^{a}) \cdot v_0$ rather than $u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j},\,y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is not used in $\mathcal E.\mathsf{Encrypt}$ any more.

After these computationally indistinguishable changes, the $\mathcal E.\mathsf{Encrypt}$ part of the encrypt oracle reserves the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, $\textsc{decrypt}$ uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $G_7$-$G_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in table are elements in $\mathrm{SCR}_{N^s}$; if this is not the case, $\textsc{decrypt}$ rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \dots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through a similar analysis as that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial function. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which we call a title. Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 11.
Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we associate it with a degree tuple $\mathbf{c} = (c_1, \dots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \dots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.
For each degree tuple $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathrm{table}(\mathbf{c})$ and $v(\mathbf{c})$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.
Meanwhile, with the help of the secret key $\mathrm{sk} = (x_1, y_1, \dots, x_4, y_4)$, we can recover $\tilde v(\mathbf{c}) = v(\mathbf{c})$ from $\mathrm{table}(\mathbf{c})$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathrm{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games G3-G4. Next we will replace G3-G4 with the following hybrids (Hybrid 1 to Hybrid 3). Specifically, the $\mathcal{E}$.Encrypt part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, preserving the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^{4} \bmod N$ in the computation of $\mathcal{E}$.Encrypt$(\mathrm{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i\in[n], j\in[4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^{4} \bmod N$ is preserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n], j\in[4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) = \sum_{(c_1, \dots, c_8) \in \mathcal{S}} a_{(c_1, \dots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \quad (62)$$
where $\delta$ is the constant term $a_{(0, \dots, 0)}$ of $f'_\ell$.
Hybrid 2. Implement $\mathcal{E}$.Encrypt using $\mathrm{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$; (2) invoke $\tilde v(\mathbf{c}) \leftarrow \mathrm{CalculateV}(\mathrm{sk}_{i_\ell}, \mathrm{table}(\mathbf{c}), \mathbf{c})$.
(ii) Employ $(\tilde v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ rather than $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde v(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
[Figure 11: (a) $\mathcal{E}$.Encrypt (left) and $\mathcal{E}$.Decrypt (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathrm{poly}}$. $\mathcal{E}$.Encrypt$(\mathrm{pk}, m)$: for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathrm{TableGen}(\mathrm{pk}, \mathbf{c})$; $e = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^m \bmod N^s$, $t = g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}c = ((\mathrm{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$. $\mathcal{E}$.Decrypt$(\mathrm{sk}, \mathcal{E}c)$: for each $\mathbf{c} \in \mathcal{S}$, $\tilde v(\mathbf{c}) \leftarrow \mathrm{CalculateV}(\mathrm{sk}, \mathrm{table}(\mathbf{c}), \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde v(\mathbf{c}))^{-1} \in \mathrm{RU}_N$, $m = \mathrm{dlog}_T(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde v(\mathbf{c}))^{-1}) \bmod N^{s-1}$; if $t = g_1^m \bmod N$ output $m$, otherwise output $\perp$.
(b) TableGen$(\mathrm{pk} = (h_1, h_2, h_3, h_4), \mathbf{c})$, which generates $\mathrm{table}(\mathbf{c})$ (rows $l \in \{0, 1, \dots, \sum_{j=1}^{8} c_j\}$, each row built from $r_{l,1}, \dots, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$ as $(u_{l,1}, \dots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$ with $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$; the first $c_1$ rows carry the previous title in column 1, the next $c_2$ rows in column 2, and so on) together with a title $v(\mathbf{c}) = v_{\sum_{j=1}^{8} c_j}$.
(c) CalculateV$(\mathrm{sk} = (x_1, y_1, \dots, x_4, y_4), \mathrm{table}(\mathbf{c}), \mathbf{c})$, which calculates a title $\tilde v(\mathbf{c})$ from $\mathrm{table}(\mathbf{c})$ using the secret key: $\tilde v_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} \cdots u_{0,8}^{-y_4}$, and for each later row the entry carrying the previous title is divided by $\tilde v_{l-1}$ before exponentiation; output $\tilde v(\mathbf{c}) = \tilde v_{\sum_{j=1}^{8} c_j}$.]
Clearly, for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, $\tilde v(\mathbf{c})$ computed via CalculateV is the same as $v(\mathbf{c})$ computed via TableGen. Therefore this change is just conceptual.
Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$:
(1) $\mathrm{table}(\mathbf{c})$ is computed by $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in $\mathrm{table}(\mathbf{c})$, the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $(u_{1,j} T^{a_{(c_1, \dots, c_8)}}) \cdot v_0$ rather than $u_{1,j} \cdot v_0$. By the $\mathrm{IV}_5$ assumption, this difference is computationally undetectable.
(2) Extract $\tilde v(\mathbf{c})$ from the (modified) $\mathrm{table}(\mathbf{c})$ by invoking $\tilde v(\mathbf{c}) \leftarrow \mathrm{CalculateV}(\mathrm{sk}_{i_\ell}, \mathrm{table}(\mathbf{c}), \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde v(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$ we have
$$\tilde v(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1, \dots, c_8)} \, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \quad (63)$$
Hence
$$e = \prod_{\mathbf{c} \in \mathcal{S}} \tilde v(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \dots, c_8)} \, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta}. \quad (64)$$
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, $\mathrm{table}(\mathbf{c})$ is computed by $(\mathrm{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathrm{TableGen}(\mathrm{pk}_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in $\mathrm{table}(\mathbf{c})$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $(u_{1,j} T^{a_{(c_1, \dots, c_8)}}) \cdot v_0$ rather than $u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.
After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle preserves the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.
With a similar argument as that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^{4} \bmod N$ is not employed at all.
Appendix
A. Proof of Claim 19
We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_{\$} \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathrm{pars}_{\mathrm{AE}}$ and has one-time access to the oracle $\mathrm{encrypt}_{\mathrm{AE}}(\cdot) = \mathrm{AE.Encrypt}(\kappa, \cdot)$.
Firstly, $\mathcal{B}$ prepares $\mathrm{pars}_{\mathrm{AIAE}}$ in the same way as in $\mathrm{G}'_{1,j}$. That is, it invokes $\mathrm{pars}_{\mathrm{THPS}} \leftarrow_{\$} \mathrm{THPS.Setup}(1^\lambda)$, picks $\mathrm{H} \leftarrow_{\$} \mathcal{H}$ randomly, and sets $\mathrm{pars}_{\mathrm{AIAE}} := (\mathrm{pars}_{\mathrm{THPS}}, \mathrm{pars}_{\mathrm{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathrm{pars}_{\mathrm{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathrm{hk} \leftarrow_{\$} \mathcal{HK}$.
As for the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathrm{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way.
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$, and invokes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in $\mathrm{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathrm{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathrm{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key hk at all; instead it resorts to its own $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathrm{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, queries its $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathrm{encrypt}_{\mathrm{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_{\$} \mathrm{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathrm{G}'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $\mathrm{G}'_{1,j}$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathrm{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into $\mathcal{Q}_{\mathrm{ENC}}$, $(\mathrm{ai}_\ell, f_\ell)$ into $\mathcal{Q}_{\mathrm{AI\text{-}F}}$, and $(C_\ell, \mathrm{ai}_\ell, t_\ell)$ into $\mathcal{Q}_{\mathrm{TAG}}$.
Finally, $\mathcal{A}$ sends a forgery $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows.
(i) If $(\mathrm{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathrm{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathrm{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathrm{AI\text{-}F}}$ such that $\mathrm{ai}_\ell = \mathrm{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathrm{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathrm{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathrm{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathrm{ai}_\ell) \neq (C^*, \mathrm{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ implies that $(\mathrm{ai}^*, f^*, C^*) = (\mathrm{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, the conditions $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathrm{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ imply that $\chi^* \neq \chi_j$ and $\mathrm{AE.Decrypt}(\kappa, \chi^*) \neq \perp$; that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.
In summary, $\mathcal{B}$ perfectly simulates $\mathrm{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have that $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathrm{Adv}^{\mathrm{int\text{-}ot}}_{\mathrm{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathrm{chal}^b_{\mathrm{IV}_5}}(N, g_1, \dots, g_5)$ to solve the $\mathrm{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}$.Encrypt as follows.
(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \dots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.
(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
Case $(b = 0)$: $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case $(b = 1)$: $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.
$\mathcal{B}$ sets the entry in row 1 and column 1 of table to $u^*_{1,1} \cdot v_0$, which is $u_{1,1} \cdot v_0$ if $b = 0$ and $u_{1,1} T^{a} \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \dots, u_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be
$$(u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \dots,\ u_{1,8}). \quad (\mathrm{B.1})$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \dots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case $(b = 0)$: $v^*_1 = v_1$, or
Case $(b = 1)$: $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
Case $(b = 0)$: $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case $(b = 1)$: $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets the entry in row 2 and column 2 of table to $u^*_{2,2} \cdot v^*_1$, that is, $u_{2,2} \cdot v_1$ if $b = 0$ and $(u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus this entry equals $u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \dots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
$$(u^*_{2,1},\ u^*_{2,2} \cdot v^*_1,\ u_{2,3},\ \dots,\ u_{2,8}). \quad (\mathrm{B.2})$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \dots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case $(b = 0)$: $v^*_2 = v_2$, or
Case $(b = 1)$: $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.
(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathrm{chal}^b_{\mathrm{IV}_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
Case $(b = 0)$: $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case $(b = 1)$: $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets the entry in row 3 and column 3 of table to $u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that this entry equals $u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be
$$(u_{3,1},\ u_{3,2},\ u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ u_{3,5},\ \dots,\ u_{3,8}). \quad (\mathrm{B.3})$$
$\mathcal{B}$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \dots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case $(b = 0)$: $v^*_3 = v_3$, or
Case $(b = 1)$: $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.
(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.
(vi) Finally, $\mathcal{B}$ computes $\tilde v_0, \dots, \tilde v_8$ from table just as in Hybrids 2 and 3 (that is, as the original $\mathcal{E}$.Decrypt algorithm does) and computes $e := \tilde v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$ using the secret keys.
If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathrm{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China, Grant nos. 61672346 and 61373153.
consisting of at most $\binom{8+d}{8} = \Theta(d^8)$ monomial functions. Now this number is polynomial in $\lambda$.
The efficient method for reducing the $8n$-variable polynomial $f_\ell$ is as follows. In the initialize procedure, $\mathrm{sk}_i$ could be computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$ and $j \in [4]$. By using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n], j\in[4]}$, $(x_{i,j}, y_{i,j})_{i\in[n], j\in[4]}$ can be represented as shifts of $(x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$, that is,
$$x_{i,j} = x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}, \qquad y_{i,j} = y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}. \quad (57)$$
Consequently, $f_\ell$ in the $8n$ variables $(x_{i,j}, y_{i,j})_{i\in[n], j\in[4]}$ can be reduced to $f'_\ell$ in the 8 variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$, that is,
$$f_\ell((x_{i,j}, y_{i,j})_{i\in[n], j\in[4]}) = f_\ell\Big(\big(\underbrace{x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j}}_{x_{i,j}},\ \underbrace{y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j}}_{y_{i,j}}\big)_{i\in[n], j\in[4]}\Big) = f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \dots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (58)$$
The degree of the resulting polynomial $f'_\ell$ is still upper bounded by $d$. Moreover, the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ are completely determined by the shifts $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n], j\in[4]}$.
How to Determine the Coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$ Efficiently with Only $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n], j\in[4]}$. In order to compute the coefficients $a_{(c_1, \dots, c_8)}$ of $f'_\ell$, we can repeat the following procedure.
(i) Choose $(x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$ uniformly.
(ii) Feed the modular arithmetic circuit (which computes $f_\ell$) with $(x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i\in[n], j\in[4]}$ as input. We stress that $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n], j\in[4]}$ are always the ones chosen in initialize.
(iii) Record the output of the circuit.
Repeating the above procedure about $\binom{8+d}{8} = \Theta(d^8)$ times, all the coefficients $a_{(c_1, \dots, c_8)}$ can be extracted by solving the linear system of equations
$$f_\ell((x_{i_\ell,j} + \bar{x}_{i,j} - \bar{x}_{i_\ell,j},\ y_{i_\ell,j} + \bar{y}_{i,j} - \bar{y}_{i_\ell,j})_{i\in[n], j\in[4]}) = \sum_{0 \le c_1 + \cdots + c_8 \le d} a_{(c_1, \dots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}. \quad (59)$$
The overall time complexity for computing the coefficients $a_{(c_1, \dots, c_8)}$ is polynomial in $\lambda$.
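The coefficient-extraction procedure above, as an added Python example that is not part of the paper: $f_\ell$ is treated as a black box, the shifts of (57) are applied, the box is evaluated at random points, and the linear system (59) is solved by Gauss-Jordan elimination modulo $N$. The toy modulus, the sample $f_\ell$ with $n = 2$ and $d = 2$, the variable layout, and working modulo $N$ (i.e., $N^{s-1}$ with $s = 2$) are all assumptions made for the example.

```python
import itertools
import random
from math import gcd

# Constructed toy modulus: two ~30-bit primes (a real N is ~2048 bits).
P, Q = 1000000007, 998244353
N = P * Q
N_USERS = 2   # n: number of users; f_ell takes 8n inputs
DEGREE = 2    # d: degree bound of f_ell and of the reduced f'_ell

def monomials(d=DEGREE):
    """All degree tuples c = (c_1,...,c_8) with 0 <= c_1+...+c_8 <= d,
    constant term included; len(...) = binom(8+d, 8)."""
    return [c for c in itertools.product(range(d + 1), repeat=8) if sum(c) <= d]

def eval_monomial(c, point):
    r = 1
    for ci, v in zip(c, point):
        r = r * pow(v, ci, N) % N
    return r

def lift(point, bar, i_target):
    """Equation (57): rebuild all 8n inputs of f_ell from the 8 variables of
    user i_target, using only the shifts bar = (xbar_{i,j}, ybar_{i,j}).
    Layout (assumed): slot 8*i + 2*j is x_{i+1,j+1}, slot 8*i + 2*j + 1 is y_{i+1,j+1}."""
    return [(point[k] + bar[8 * i + k] - bar[8 * i_target + k]) % N
            for i in range(N_USERS) for k in range(8)]

def solve_mod_N(rows, K):
    """Gauss-Jordan elimination over Z_N on an augmented system with K unknowns
    and at least K rows; only pivots that are units mod N are used (a random
    entry is a non-unit with probability about 1/P + 1/Q)."""
    A = [r[:] for r in rows]
    for col in range(K):
        piv = next((r for r in range(col, len(A)) if gcd(A[r][col], N) == 1), None)
        if piv is None:
            raise ValueError("no unit pivot in column %d; resample points" % col)
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, N)
        A[col] = [v * inv % N for v in A[col]]
        for r in range(len(A)):
            if r != col and A[r][col]:
                fct = A[r][col]
                A[r] = [(a - fct * b) % N for a, b in zip(A[r], A[col])]
    return [A[r][K] for r in range(K)]

def extract_coefficients(f, bar, i_target, d=DEGREE):
    """Steps (i)-(iii) repeated binom(8+d,8)+3 times, then the linear system (59)."""
    mons = monomials(d)
    K = len(mons)
    rows = []
    for _ in range(K + 3):
        point = [random.randrange(N) for _ in range(8)]        # step (i)
        out = f(lift(point, bar, i_target))                       # steps (ii), (iii)
        rows.append([eval_monomial(c, point) for c in mons] + [out])
    return dict(zip(mons, solve_mod_N(rows, K)))

def evaluate(coeffs, point):
    """Evaluate the recovered f'_ell at a point of user i_target."""
    return sum(a * eval_monomial(c, point) for c, a in coeffs.items()) % N

def f_sample(vals):
    """Constructed black-box f_ell in 8n = 16 variables:
    3 * x_{1,1} * y_{2,3} + 5 * x_{2,2}^2 + 7  (mod N)."""
    x11, y23, x22 = vals[0], vals[13], vals[10]
    return (3 * x11 * y23 + 5 * x22 * x22 + 7) % N

def demo(seed=11):
    """Reduce f_sample to f'_ell for i_target = 0 (user 1) and check the
    coefficients against the hand-derived expansion; returns (ok, #coefficients)."""
    random.seed(seed)
    bar = [random.randrange(N) for _ in range(8 * N_USERS)]   # chosen in initialize
    coeffs = extract_coefficients(f_sample, bar, i_target=0)
    dx = (bar[10] - bar[2]) % N    # x_{2,2} = x_{1,2} + dx
    dy = (bar[13] - bar[5]) % N    # y_{2,3} = y_{1,3} + dy
    expected = {
        (1, 0, 0, 0, 0, 1, 0, 0): 3,                 # x_{1,1} y_{1,3}
        (0, 0, 2, 0, 0, 0, 0, 0): 5,                 # x_{1,2}^2
        (1, 0, 0, 0, 0, 0, 0, 0): 3 * dy % N,        # x_{1,1}
        (0, 0, 1, 0, 0, 0, 0, 0): 10 * dx % N,       # x_{1,2}
        (0,) * 8: (5 * dx * dx + 7) % N,             # constant term delta
    }
    ok = all(coeffs[c] == v for c, v in expected.items())
    ok = ok and all(v == 0 for c, v in coeffs.items() if c not in expected)
    fresh = [random.randrange(N) for _ in range(8)]
    ok = ok and evaluate(coeffs, fresh) == f_sample(lift(fresh, bar, 0))
    return ok, len(coeffs)
```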
5.3. How to Design $\mathcal{E}$: A Warmup. To illustrate the ideas behind our construction, we first consider a simple case: constructing $\mathcal{E}$ for a concrete type of monomial function, that is,
$$f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) = a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}. \quad (60)$$
Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 9.
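As an added Python illustration that is not code from the paper, the following implements the warm-up $\mathcal{E}$ of Figure 9 with $s = 2$ on constructed toy primes and then applies the Hybrid 3 modification of the row 1, column 1 table entry, showing how the injected $T^{a}$ is carried through the titles into $\tilde v_8 = v_8 \cdot T^{-a x_1 y_1 \cdots x_4 y_4}$. It assumes $h_j = g_j^{-x_j} g_{j+1}^{-y_j}$ for the public key (implied by the decryption rule but not stated in this section), $g_i$ sampled as squares of $N$-th residues, and $\mathrm{RU}_N$ membership tested as $c^N \equiv 1 \pmod{N^2}$; these choices are assumptions for the example.

```python
import random

# Constructed toy parameters (assumption): N = pq with two ~30-bit primes;
# a real instance uses large safe primes. s = 2, so arithmetic is in Z_{N^2}.
P, Q = 1000000007, 998244353
N = P * Q
N2 = N * N
T = 1 + N                                      # T = 1 + N generates RU_N = {T^m}

def rand_scr():
    """Random element of SCR_{N^2}: a square of an N-th residue (assumption)."""
    return pow(random.randrange(2, N), 2 * N, N2)

def setup(seed=1):
    random.seed(seed)
    return [rand_scr() for _ in range(5)]       # generators g_1 .. g_5

def keygen(g):
    sk = [random.randrange(N2 // 4) for _ in range(8)]    # (x1, y1, ..., x4, y4)
    # h_j = g_j^{-x_j} g_{j+1}^{-y_j} (assumed; matches the decryption exponents)
    pk = [pow(g[j], -sk[2 * j], N2) * pow(g[j + 1], -sk[2 * j + 1], N2) % N2
          for j in range(4)]
    return pk, sk

def _row(g, pk):
    """One row of Figure 9: u_l = (g1^r1, g2^r1, g2^r2, g3^r2, g3^r3, g4^r3, g4^r4, g5^r4)
    and its title v_l = h1^r1 h2^r2 h3^r3 h4^r4."""
    r = [random.randrange(N // 4) for _ in range(4)]
    u = [pow(g[k // 2 + (k % 2)], r[k // 2], N2) for k in range(8)]
    v = 1
    for j in range(4):
        v = v * pow(pk[j], r[j], N2) % N2
    return u, v

def encrypt(g, pk, m):
    table, v_prev = [], None
    for l in range(9):
        u, v = _row(g, pk)
        if l >= 1:
            u[l - 1] = u[l - 1] * v_prev % N2   # column l of row l carries v_{l-1}
        table.append(u)
        v_prev = v
    e = v_prev * pow(T, m, N2) % N2             # e = v_8 * T^m mod N^2
    t = pow(g[0], m, N)                         # t = g_1^m mod N
    return table, e, t

def _title(sk, row, prev_v, l):
    """Decrypt step: v~_l = prod_k w_k^{-s_k}, after dividing column l by v~_{l-1}."""
    w = list(row)
    if l >= 1:
        w[l - 1] = w[l - 1] * pow(prev_v, -1, N2) % N2
    v = 1
    for k in range(8):
        v = v * pow(w[k], -sk[k], N2) % N2
    return v

def recover(sk, ct):
    """Peel off the titles and take dlog_T; returns m' before the tag check."""
    table, e, _ = ct
    v = None
    for l in range(9):
        v = _title(sk, table[l], v, l)
    c = e * pow(v, -1, N2) % N2
    if pow(c, N, N2) != 1:                      # c must lie in RU_N (assumed test)
        return None
    return (c - 1) // N                         # dlog_T(c) mod N^{s-1} = mod N

def decrypt(g, sk, ct):
    m = recover(sk, ct)
    if m is None or pow(g[0], m, N) != ct[2]:
        return None
    return m

def inject(ct, a):
    """Hybrid 3 change: the row 1, column 1 entry becomes (u_{1,1} T^a) * v_0."""
    table, e, t = ct
    table = [row[:] for row in table]
    table[1][0] = table[1][0] * pow(T, a, N2) % N2
    return table, e, t

def monomial_shift(sk, a):
    """a * x1 y1 x2 y2 x3 y3 x4 y4 mod N: the exponent that the injected T^a
    accumulates as the titles are peeled off row by row."""
    prod = 1
    for s in sk:
        prod = prod * s % N
    return a * prod % N

def demo(seed=7, m=123456789, a=5):
    g = setup(seed)
    pk, sk = keygen(g)
    ct = encrypt(g, pk, m)
    honest_ok = decrypt(g, sk, ct) == m
    ct_h3 = inject(ct, a)
    shifted_ok = recover(sk, ct_h3) == (m + monomial_shift(sk, a)) % N
    rejected = decrypt(g, sk, ct_h3) is None   # tag t = g_1^m no longer matches
    return honest_ok, shifted_ok, rejected
```

The second check is exactly the routine calculation of the proof: the modified table decrypts to $e / \tilde v_8 = T^{m + a x_1 y_1 \cdots x_4 y_4}$, which is why the simulator can absorb the monomial into $e$ and drop $(x_1, y_1, \dots, x_4, y_4) \bmod N$ from $\mathcal{E}$.Encrypt.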
Security Proof Now we sketch the proof of KDM-CCAsecurity for this concrete type of monomial functions thatis 119886 sdot 119909119894ℓ 1119910119894ℓ 1119909119894ℓ 2119910119894ℓ 2119909119894ℓ 3119910119894ℓ 3119909119894ℓ 4119910119894ℓ 4 The proof is similarto that for Theorem 24 (cf Table 2) The only difference liesin games G3-G4 which are related to the building block ENext we will replace G3-G4 with the following hybrids (ieHybrid 1ndashHybrid 3) as shown in Figure 10 Concretely theEEncrypt part of encrypt is changed in a computationallyindistinguishable way so that it can serve as an entropy filterfor this concretemonomial function reserving the entropy of(1199091 1199101 1199094 1199104) mod119873
Suppose that the adversary submits (119891ℓ 119894ℓ isin [119899]) tothe encrypt oracle Our purpose is to eliminate the useof (119909119895 119910119895)4119895=1 mod119873 in the computation of EEncrypt(pk119894ℓ 119891ℓ((119909119894119895 119910119894119895)119894isin[119899]119895isin[4])) so the entropy of (119909119895 119910119895)4119895=1 mod119873 isreserved
Hybrid 0 In the initialize procedure the secret keys arecomputed as 119909119894119895 fl 119909119895 + 119909119894119895 and 119910119894119895 fl 119910119895 + 119910119894119895 mod lfloor11987324rfloorfor 119894 isin [119899] 119895 isin [4] This hybrid is identical to G2 in the proofof Theorem 24
Hybrid 1 Using (119909119894119895 119910119894119895)119894isin[119899]119895isin[4] reduce (119891ℓ 119894ℓ isin [119899]) to(1198911015840ℓ 119894ℓ isin [119899]) and calculate the coefficient 119886 of 1198911015840
ℓ such that
1198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4])= 119886 sdot 119909119894ℓ 1119910119894ℓ 1119909119894ℓ 2119910119894ℓ 2119909119894ℓ 3119910119894ℓ 3119909119894ℓ 4119910119894ℓ 4 (61)
Hybrid 2 Implement EEncrypt using sk119894ℓ = (119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4]This hybrid corresponds to G3 in the proof of Theorem 24
(i) Invoke EEncrypt to set up table(ii) Invoke EDecrypt to compute V0 V8 from table(iii) Employ V8 rather than V8 in the computation of 119890 that
is 119890 fl V8 sdot 1198791198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4]) mod119873119904 and compute 119905 fl1198921198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4])1 mod119873
Clearly V0 V8 computed via EDecrypt are the sameas V0 V8 computed via EEncrypt Therefore this is just aconceptual change
22 Security and Communication Networks

Figure 9: $\mathcal{E}$ designed for a concrete type of monomial functions $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$.
$\mathcal{E}c \leftarrow_\$ \mathcal{E}$.Encrypt$(pk = (h_1, h_2, h_3, h_4), m)$: For $l \in \{0, 1, \ldots, 8\}$: $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_{l,1}, \ldots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$; $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. table is the $9 \times 8$ matrix whose row 0 is $(u_{0,1}, \ldots, u_{0,8})$ and whose row $l \in [8]$ is $(u_{l,1}, \ldots, u_{l,8})$ with the diagonal entry replaced by $\tilde{u}_{l,l} := u_{l,l} \cdot v_{l-1}$ (i.e., $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$, $\ldots$, $\tilde{u}_{8,8} = u_{8,8} \cdot v_7$). $e := v_8 \cdot T^m \bmod N^s$; $t := g_1^m \bmod N \in \mathbb{Z}_N$. Output $\mathcal{E}c = (\text{table}, e, t)$.
$m/\perp \leftarrow \mathcal{E}$.Decrypt$(sk = (x_1, y_1, \ldots, x_4, y_4), \mathcal{E}c)$: Parse $\mathcal{E}c = (\text{table}, e, t)$ and table as above. $v_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} \cdots u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; $v_1 := (\tilde{u}_{1,1}/v_0)^{-x_1} u_{1,2}^{-y_1} u_{1,3}^{-x_2} u_{1,4}^{-y_2} \cdots u_{1,7}^{-x_4} u_{1,8}^{-y_4}$; $v_2 := u_{2,1}^{-x_1} (\tilde{u}_{2,2}/v_1)^{-y_1} u_{2,3}^{-x_2} u_{2,4}^{-y_2} \cdots u_{2,7}^{-x_4} u_{2,8}^{-y_4}$; $\cdots$; $v_8 := u_{8,1}^{-x_1} u_{8,2}^{-y_1} u_{8,3}^{-x_2} u_{8,4}^{-y_2} \cdots u_{8,7}^{-x_4} (\tilde{u}_{8,8}/v_7)^{-y_4}$. If $e/v_8 \in RU_{N^s}$: $m := \mathrm{dlog}_T(e/v_8) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\perp$.

Figure 10: Security proof of $\mathcal{E}$.Encrypt as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The four columns show $\mathcal{E}c \leftarrow_\$ \mathcal{E}$.Encrypt$(f_\ell, i_\ell \in [n])$ in Hybrid 1, Hybrid 2, Hybrid 3, and Hybrid 3 (Equivalent Form). table is generated as in Figure 9 in all of them, except that Hybrid 3 and its Equivalent Form set $\tilde{u}_{1,1} := u_{1,1} T^a \cdot v_0$. Hybrid 1 outputs $e := v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$; Hybrids 2 and 3 recompute $\tilde{v}_0, \ldots, \tilde{v}_8$ from table as $\mathcal{E}$.Decrypt does and output $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$; the Equivalent Form outputs $e := v_8 \bmod N^s$. In all columns $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N \in \mathbb{Z}_N$ and $\mathcal{E}c = (\text{table}, e, t)$.

Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) table is computed similarly to that in $\mathcal{E}$.Encrypt, except for a small difference. More precisely, in table the entry located in row 1 and column 1 is now computed as $\tilde{u}_{1,1} := (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} := u_{1,1} \cdot v_0$. By the IV5 assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}$.Decrypt to compute $\tilde{v}_0, \ldots, \tilde{v}_8$ from table.
(iii) Compute $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation we have $\tilde{v}_0 = v_0$, $\tilde{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\tilde{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\tilde{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.
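The chain behind this routine calculation, written out as an added derivation (not in the original text) in the notation of Figure 9 and Hybrid 3, with $x_j, y_j$ abbreviating $x_{i_\ell,j}, y_{i_\ell,j}$:
$$\tilde{v}_1 = \Big(\frac{\tilde{u}_{1,1}}{\tilde{v}_0}\Big)^{-x_1} u_{1,2}^{-y_1} \cdots u_{1,8}^{-y_4} = \big(u_{1,1} T^{a}\big)^{-x_1} u_{1,2}^{-y_1} \cdots u_{1,8}^{-y_4} = v_1 \cdot T^{-a x_1},$$
$$\tilde{v}_2 = u_{2,1}^{-x_1} \Big(\frac{\tilde{u}_{2,2}}{\tilde{v}_1}\Big)^{-y_1} u_{2,3}^{-x_2} \cdots u_{2,8}^{-y_4} = u_{2,1}^{-x_1} \big(u_{2,2} T^{a x_1}\big)^{-y_1} u_{2,3}^{-x_2} \cdots u_{2,8}^{-y_4} = v_2 \cdot T^{-a x_1 y_1},$$
using $\tilde{u}_{1,1} = u_{1,1} T^a v_0$, $\tilde{v}_0 = v_0$, $\tilde{u}_{2,2} = u_{2,2} v_1$ and $v_1/\tilde{v}_1 = T^{a x_1}$. In general, if $\tilde{v}_{l-1} = v_{l-1} \cdot T^{-a M_{l-1}}$ with $M_{l-1}$ the product of the first $l-1$ factors of $x_1 y_1 x_2 y_2 x_3 y_3 x_4 y_4$, then $\tilde{u}_{l,l}/\tilde{v}_{l-1} = u_{l,l} \cdot T^{a M_{l-1}}$, and raising this entry to the $l$-th secret exponent $z_l \in \{x_1, y_1, \ldots, x_4, y_4\}$ gives $\tilde{v}_l = v_l \cdot T^{-a M_{l-1} z_l} = v_l \cdot T^{-a M_l}$. Each row thus multiplies one more secret-key factor into the exponent of $T$, and after row 8 the exponent is exactly $-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})$.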
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) table is computed similarly to that in $\mathcal{E}$.Encrypt, except for a small difference. More precisely, the entry located in row 1 and column 1 in table is now computed as $\tilde{u}_{1,1} := (u_{1,1} T^a) \cdot v_0$ rather than $\tilde{u}_{1,1} := u_{1,1} \cdot v_0$.
(ii) Compute $e := v_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.
After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle preserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Similarly, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^{4} \bmod N$ is not involved at all. More precisely, decrypt uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to G7-G8 in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in table are elements of $SCR_{N^s}$; if this is not the case, decrypt rejects immediately. Consequently, the decrypt oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. We can also show the computational indistinguishability of this change through an analysis similar to that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{poly}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{poly}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 11.
Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.
For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate table$^{(\mathbf{c})}$ and $v^{(\mathbf{c})}$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.
Meanwhile, with the help of the secret key $sk = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})}$ from table$^{(\mathbf{c})}$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\text{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM[$\mathcal{F}^d_{poly}$]-CCA security for the set of polynomial functions. The proof is also similar to that for Theorem 24 (cf. Table 2). The only difference lies in games G3-G4. Next we replace G3-G4 with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the $\mathcal{E}$.Encrypt part of encrypt is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, preserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^{4} \bmod N$ in the computation of $\mathcal{E}$.Encrypt$(pk_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^{4} \bmod N$ is preserved.
Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}\big) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \tag{62}$$
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.
Hybrid 2. Implement $\mathcal{E}$.Encrypt using $sk_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) invoke $(\text{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \text{TableGen}(pk_{i_\ell}, \mathbf{c})$;
(2) invoke $\tilde{v}^{(\mathbf{c})} \leftarrow \text{CalculateV}(sk_{i_\ell}, \text{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Employ $(\tilde{v}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ rather than $(v^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Figure 11: (a) $\mathcal{E}$.Encrypt (left) and $\mathcal{E}$.Decrypt (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{poly}$; (b) TableGen, which generates table$^{(\mathbf{c})}$ together with a title $v^{(\mathbf{c})}$; (c) CalculateV, which calculates a title $\tilde{v}^{(\mathbf{c})}$ from table$^{(\mathbf{c})}$ using the secret key.
(a) $\mathcal{E}c \leftarrow_\$ \mathcal{E}$.Encrypt$(pk, m)$: for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $(\text{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \text{TableGen}(pk, \mathbf{c})$; $e := \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^m \bmod N^s$; $t := g_1^m \bmod N \in \mathbb{Z}_N$; output $\mathcal{E}c = ((\text{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$.
$m/\perp \leftarrow \mathcal{E}$.Decrypt$(sk, \mathcal{E}c)$: parse $\mathcal{E}c = ((\text{table}^{(\mathbf{c})})_{\mathbf{c} \in \mathcal{S}}, e, t)$; for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}^{(\mathbf{c})} \leftarrow \text{CalculateV}(sk, \text{table}^{(\mathbf{c})}, \mathbf{c})$; if $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})})^{-1} \in RU_{N^s}$, $m := \mathrm{dlog}_T\big(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})})^{-1}\big) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$; otherwise output $\perp$.
(b) TableGen$(pk = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$: for each $l \in \{0, 1, \ldots, \sum_{j=1}^{8} c_j\}$, $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$; $(u_{l,1}, \ldots, u_{l,8}) := (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$; $v_l := h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$. table$^{(\mathbf{c})}$ has row 0 equal to $(u_{0,1}, \ldots, u_{0,8})$; the next $c_1$ rows ($l \in [1, c_1]$) are $(u_{l,1}, \ldots, u_{l,8})$ with column 1 replaced by $\tilde{u}_{l,1} := u_{l,1} \cdot v_{l-1}$; the next $c_2$ rows ($l \in [c_1 + 1, c_1 + c_2]$) have column 2 replaced by $\tilde{u}_{l,2} := u_{l,2} \cdot v_{l-1}$; and so on, until the last $c_8$ rows ($l \in [\sum_{j=1}^{7} c_j + 1, \sum_{j=1}^{8} c_j]$) have column 8 replaced by $\tilde{u}_{l,8} := u_{l,8} \cdot v_{l-1}$. Output $(\text{table}^{(\mathbf{c})}, v^{(\mathbf{c})} := v_{\sum_{j=1}^{8} c_j})$.
(c) CalculateV$(sk = (x_1, y_1, \ldots, x_4, y_4), \text{table}^{(\mathbf{c})}, \mathbf{c} = (c_1, \ldots, c_8))$: parse table$^{(\mathbf{c})} = (\tilde{u}_{l,1}, \ldots, \tilde{u}_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^{8} c_j\}}$; $\tilde{v}_0 := u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$; for each $l \in [1, c_1]$: $\tilde{v}_l := (\tilde{u}_{l,1}/\tilde{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; for each $l \in [c_1 + 1, c_1 + c_2]$: $\tilde{v}_l := u_{l,1}^{-x_1} (\tilde{u}_{l,2}/\tilde{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$; $\cdots$; for each $l \in [\sum_{j=1}^{7} c_j + 1, \sum_{j=1}^{8} c_j]$: $\tilde{v}_l := u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (\tilde{u}_{l,8}/\tilde{v}_{l-1})^{-y_4}$. Output $\tilde{v}^{(\mathbf{c})} := \tilde{v}_{\sum_{j=1}^{8} c_j}$.
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\tilde{v}^{(\mathbf{c})}$ computed via CalculateV is the same as $v^{(\mathbf{c})}$ computed via TableGen. Therefore this change is just conceptual.
Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) table$^{(\mathbf{c})}$ is computed by $(\text{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \text{TableGen}(pk_{i_\ell}, \mathbf{c})$ except for a small difference; more precisely, in table$^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} := (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} := u_{1,j} \cdot v_0$; by the IV5 assumption this difference is computationally undetectable;
(2) extract $\tilde{v}^{(\mathbf{c})}$ from the (modified) table$^{(\mathbf{c})}$ by invoking $\tilde{v}^{(\mathbf{c})} \leftarrow \text{CalculateV}(sk_{i_\ell}, \text{table}^{(\mathbf{c})}, \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$\tilde{v}^{(\mathbf{c})} = v^{(\mathbf{c})} \cdot T^{-a_{(c_1, \ldots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \tag{63}$$
Hence
$$e = \prod_{\mathbf{c} \in \mathcal{S}} \tilde{v}^{(\mathbf{c})} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \ldots, c_8)}\, x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta}. \tag{64}$$
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, table$^{(\mathbf{c})}$ is computed by $(\text{table}^{(\mathbf{c})}, v^{(\mathbf{c})}) \leftarrow_\$ \text{TableGen}(pk_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in table$^{(\mathbf{c})}$ the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8,\ c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} := (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} := u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v^{(\mathbf{c})} \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$.
Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.
After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle preserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
With a similar argument to that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^{4} \bmod N$ is not employed at all.
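The TableGen/CalculateV mechanism of Sections 5.3 and 5.4 and the Hybrid 3 identities (63) and (64), as an added Python toy model. This is not code from the paper, which gives no implementation; it only exercises the algebra. Assumptions: a tiny modulus from the safe primes 59 and 83 with $s = 2$; public keys of the form $h_j = g_j^{-x_j} g_{j+1}^{-y_j}$, which is the form under which the decryption equations of Figure 9 recover $v_l$; the names `table_gen`, `calculate_v`, `hybrid3_check`, the `inject` parameter, and the degree tuples and coefficients in `hybrid3_check` are constructed for this illustration. The block checks that (63) holds for every table with $T^{a_{\mathbf{c}}}$ injected into its row 1, that $e$ formed as in Hybrid 3 equals $e$ formed as in the Equivalent Form, as (64) states, that a holder of $sk$ still recovers $f'_\ell(sk) \bmod N$ from that $e$, and that $t$ depends only on $f'_\ell(sk) \bmod \phi(N)/4$.

```python
import random
from math import gcd, prod

# Constructed toy parameters (assumption: real instances use ~1024-bit safe primes
# p = 2p'+1, q = 2q'+1); s = 2, so N^s = N^2 and T = 1 + N has order N modulo N^2.
P, Q = 59, 83
N = P * Q
NS = N * N                               # N^s
T = 1 + N                                # generator of RU_{N^s}; dlog_T(1 + kN) = k
PHI_N_4 = (P - 1) * (Q - 1) // 4         # p'q' = order of SCR_{N^s}

def inv(a):
    return pow(a, -1, NS)

def keygen(rng):
    """g_1..g_5 <- SCR_{N^s}; sk = (x_1,y_1,...,x_4,y_4) <- [N^2/4]; h_j = g_j^{-x_j} g_{j+1}^{-y_j}."""
    g = []
    while len(g) < 5:
        w = rng.randrange(2, NS)
        if gcd(w, N) == 1:
            g.append(pow(w, 2 * N, NS))
    sk = [rng.randrange(N * N // 4) for _ in range(8)]
    pk = [pow(inv(g[j]), sk[2 * j], NS) * pow(inv(g[j + 1]), sk[2 * j + 1], NS) % NS
          for j in range(4)]
    return g, pk, sk

def title_column(c):
    """1-based column holding the title in row l: c_1 rows use column 1, then c_2 rows column 2, ..."""
    return [None] + [j + 1 for j in range(8) for _ in range(c[j])]

def table_gen(g, pk, c, rng, inject=None):
    """TableGen(pk, c) -> (table(c), v^{(c)}).  `inject` is a hypothetical hook for
    Hybrid 3: the row-1 title entry is multiplied by T^inject before v_0 is folded in."""
    col, table, v = title_column(c), [], []
    for l in range(sum(c) + 1):
        r = [rng.randrange(N // 4) for _ in range(4)]
        u = [pow(g[j + k], r[j], NS) for j in range(4) for k in (0, 1)]  # g_1^r1, g_2^r1, g_2^r2, ...
        vl = prod(pow(pk[j], r[j], NS) for j in range(4)) % NS            # h_1^r1 h_2^r2 h_3^r3 h_4^r4
        if l >= 1:
            j = col[l] - 1
            if l == 1 and inject is not None:
                u[j] = u[j] * pow(T, inject, NS) % NS
            u[j] = u[j] * v[l - 1] % NS              # tilde u_{l,j} = u_{l,j} * v_{l-1}
        table.append(u)
        v.append(vl)
    return table, v[-1]

def calculate_v(sk, table, c):
    """CalculateV(sk, table(c), c): divide v_{l-1} out of row l's title entry, then
    raise the row to (-x_1, -y_1, ..., -y_4); returns tilde v_{sum(c)}."""
    col, v_prev = title_column(c), None
    for l, row in enumerate(table):
        w = list(row)
        if l >= 1:
            w[col[l] - 1] = w[col[l] - 1] * inv(v_prev) % NS
        v_prev = prod(pow(inv(w[k]), sk[k], NS) for k in range(8)) % NS
    return v_prev

def monomial(sk, c):
    return prod(s ** e for s, e in zip(sk, c))     # x_1^{c_1} y_1^{c_2} ... y_4^{c_8}, integer

def encrypt(g, pk, S, m, rng):
    """E.Encrypt of Figure 11(a): one table per degree tuple in S, e = prod v^{(c)} * T^m."""
    tables, acc = {}, 1
    for c in S:
        tables[c], vc = table_gen(g, pk, c, rng)
        acc = acc * vc % NS
    return tables, acc * pow(T, m, NS) % NS, pow(g[0], m, N)

def decrypt(g, sk, ct):
    tables, e, t = ct
    z = e * inv(prod(calculate_v(sk, tab, c) for c, tab in tables.items()) % NS) % NS
    if z % N != 1:                                   # z must lie in RU_{N^s}
        return None
    m = ((z - 1) // N) % N                           # dlog_T(z) mod N^{s-1}
    return m if pow(g[0], m, N) == t else None

def roundtrip(seed=3):
    rng = random.Random(seed)
    g, pk, sk = keygen(rng)
    m = rng.randrange(N)
    return decrypt(g, sk, encrypt(g, pk, [(1,) * 8, (2, 0, 0, 1, 0, 0, 0, 0)], m, rng)) == m

def hybrid3_check(seed=7):
    """Replay Hybrid 3 of Section 5.4 for a constructed S and coefficients a_c, delta."""
    rng = random.Random(seed)
    g, pk, sk = keygen(rng)
    coeffs = {(1,) * 8: 5, (2, 0, 0, 1, 0, 0, 0, 0): 7, (0, 0, 0, 0, 0, 0, 3, 0): 11}
    delta = 42
    f = sum(a * monomial(sk, c) for c, a in coeffs.items()) + delta   # f'(sk) as an integer
    prod_v, prod_vt, eq63 = 1, 1, True
    for c, a in coeffs.items():
        tab, vc = table_gen(g, pk, c, rng, inject=a)     # row 1 carries T^{a_c}
        vt = calculate_v(sk, tab, c)                     # tilde v^{(c)}
        eq63 = eq63 and vt == vc * pow(inv(T), a * monomial(sk, c), NS) % NS   # (63)
        prod_v, prod_vt = prod_v * vc % NS, prod_vt * vt % NS
    e_hybrid3 = prod_vt * pow(T, f, NS) % NS     # Hybrid 3, step (ii): needs f'(sk) mod N
    e_equiv = prod_v * pow(T, delta, NS) % NS    # Equivalent Form: needs only delta
    return {
        "eq63": eq63,
        "eq64": e_hybrid3 == e_equiv,                                                  # (64)
        # with sk, the titles still unmask f'(sk) mod N from the Equivalent-Form e
        "unmasks_f_mod_N": ((e_equiv * inv(prod_vt) % NS - 1) // N) % N == f % N,
        # t needs only f'(sk) mod phi(N)/4, because g_1 mod N has order dividing p'q'
        "t_from_phi_part": pow(g[0], f % PHI_N_4, N) == pow(g[0], f, N),
    }
```

`roundtrip()` checks that $\mathcal{E}$.Decrypt inverts $\mathcal{E}$.Encrypt on a two-element subset of $\mathcal{S}$, and `hybrid3_check()` returns the four identities as booleans. The secret key is used as an integer vector, so that $f'_\ell(sk) \bmod N$ and $f'_\ell(sk) \bmod \phi(N)/4$ are the two independent parts the proof separates; the parameters are far too small to offer any security and exist only to make the identities checkable.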
Appendix
A. Proof of Claim 19
We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given $pars_{AE}$ and has access to the oracle $\text{encrypt}_{AE}(\cdot) = \text{AE.Encrypt}(\kappa, \cdot)$ for one time.
Firstly, $\mathcal{B}$ prepares $pars_{AIAE}$ in the same way as in $G'_{1,j}$. That is, it invokes $pars_{THPS} \leftarrow_\$ \text{THPS.Setup}(1^\lambda)$, picks $H \leftarrow_\$ \mathcal{H}$ randomly, and sets $pars_{AIAE} := (pars_{THPS}, pars_{AE}, H)$. $\mathcal{B}$ sends $pars_{AIAE}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $hk \leftarrow_\$ \mathcal{HK}$.
As for the $\ell$-th ($\ell \in [Q_e]$) encrypt query $(m_\ell, ai_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{raff}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way:
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$, and invokes $\chi_\ell \leftarrow_\$ \text{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just like that in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := H(C_\ell, ai_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot hk + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \text{AE.Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $hk$ at all; instead it resorts to its own $\text{encrypt}_{AE}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := H(C_j, ai_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, queries its $\text{encrypt}_{AE}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\text{encrypt}_{AE}(\cdot)$ oracle, we have $\chi_j \leftarrow_\$ \text{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $G'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $G'_{1,j}$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(ai_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{ENC}$, $(ai_\ell, f_\ell)$ to $\mathcal{Q}_{AI\text{-}F}$, and $(C_\ell, ai_\ell, t_\ell)$ to $\mathcal{Q}_{TAG}$.
Finally, $\mathcal{A}$ sends a forgery $(ai^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{raff}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows:
(i) If $(ai^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{ENC}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (ai_\ell, f_\ell) \in \mathcal{Q}_{AI\text{-}F}$ such that $ai_\ell = ai^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := H(C^*, ai^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, ai_\ell, t_\ell) \in \mathcal{Q}_{TAG}$ such that $t_\ell = t^*$ but $(C_\ell, ai_\ell) \neq (C^*, ai^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ implies that $(ai^*, f^*, C^*) = (ai_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\text{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$ as the key used by its challenger, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\text{AE.Decrypt}(\kappa^*, \chi^*) \neq \perp$ together imply that $\chi^* \neq \chi_j$ and $\text{AE.Decrypt}(\kappa, \chi^*) \neq \perp$, that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.
In summary, $\mathcal{B}$ perfectly simulates $G'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have $\Pr_{1,j}'[\mathsf{Forge} \wedge t_j = t^*] \le \text{Adv}^{\text{int-ot}}_{AE, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\text{chal}^{IV5}_b}(N, g_1, \ldots, g_5)$ to solve the IV5 problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}$.Encrypt as follows.
(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.
(ii) For the 1st row, $\mathcal{B}$ queries its own $\text{chal}^{IV5}_b$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^a, g_2^{r_{1,1}}) = (u_{1,1} T^a, u_{1,2})$.
$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^a \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be
$$\big(\tilde{u}_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \cdots,\ u_{1,8}\big). \tag{B.1}$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_1 = v_1$, or
Case ($b = 1$): $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\text{chal}^{IV5}_b$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^*_{2,2} \cdot v^*_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
$$\big(u^*_{2,1},\ \tilde{u}_{2,2} = u^*_{2,2} \cdot v^*_1,\ u_{2,3},\ \cdots,\ u_{2,8}\big). \tag{B.2}$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_2 = v_2$, or
Case ($b = 1$): $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.
(iv) For the 3rd row, $\mathcal{B}$ queries its own $\text{chal}^{IV5}_b$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets $\tilde{u}_{3,3} := u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that $\tilde{u}_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be
$$\big(u_{3,1},\ u_{3,2},\ \tilde{u}_{3,3} = u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ u_{3,5},\ \cdots,\ u_{3,8}\big). \tag{B.3}$$
$\mathcal{B}$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_3 = v_3$, or
Case ($b = 1$): $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.
(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.
(vi) Finally, $\mathcal{B}$ computes $\tilde{v}_0, \ldots, \tilde{v}_8$ from table just as in Hybrids 2 and 3 (also as the original $\mathcal{E}$.Decrypt algorithm) and computes $e := \tilde{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.
If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the IV5 problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China, Grant nos. 61672346 and 61373153.
22 Security and Communication Networks
ℰc ℰEncrypt(pk = (ℎ1 ℎ2 ℎ3 ℎ4) m)For l isin 0 1 8
rl1 rl2 rl3 rl4 [lfloorN4rfloor]
(ul1 ul8) = (gr11 g
r12 g
r22 g
r23 g
r33 g
r34
gr44 g
r45 ) mod Ns
l = ℎr11 ℎ
r22 ℎ
r33 ℎ
r44 mod Ns
table =
d
d
u88 middot 7u82u81
u28middot middot middot
middot middot middot
u22 middot 1u21
u18middot middot middotu12u11 middot 0
u08middot middot middotu02u01
u88u82u81
u18middot middot middot
middot middot middot
u12u11
u08middot middot middotu02u01
Output ℰc = (table e t)
e = 8 middot Tm mod Nst = gm
1 mod N isin ZN
Parse ℰc = (table e t)
Parse table =
mperp larr ℰDecrypt(sk = (x1 y1 x4 y4) ℰc)
0 = uminusx101 u
minusy102 u
minusx203 u
minusy204 middot middot middot u
minusx407 u
minusy408
1 = (u110)minusx1 uminusy112 u
minusx213 u
minusy214 middot middot middot u
minusx417 u
minusy418
2 = uminusx121 (u221)minusy1 u
minusx223 u
minusy224 middot middot middot u
minusx427 u
minusy428
8 = uminusx181 u
minusy182 u
minusx283 u
minusy284 middot middot middot u
minusx487 (u887)minusy4
If e8 isin RUN m = T(e8) mod Nsminus1If t = gm
1 mod N Output mOtherwise Output perp
larr$
larr$
d log
Figure 9 E designed for a concrete type of monomial functions 119886 sdot 119909119894ℓ 1119910119894ℓ 1119909119894ℓ 2119910119894ℓ 2119909119894ℓ 3119910119894ℓ 3119909119894ℓ 4119910119894ℓ 4
Figure 10: Security proof of $\mathcal{E}.\mathsf{Encrypt}$ as an entropy filter for concrete monomials $a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$. The four columns of the figure show how $\mathcal{E}.c \leftarrow_{\$} \mathcal{E}.\mathsf{Encrypt}(f_\ell, i_\ell \in [n])$, with output $\mathcal{E}.c = (\mathsf{table}, e, t)$, is computed in Hybrid 1, Hybrid 2, Hybrid 3 and Hybrid 3 (Equivalent Form). In every column, for $l \in \{0, 1, \ldots, 8\}$, $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$, $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$, $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$, and $t = g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N \in \mathbb{Z}_N$. The columns differ in $\mathsf{table}$ and $e$:
Hybrid 1: $\mathsf{table}$ as in Figure 9 (row $l \ge 1$ carries $\tilde{u}_{l,l} = u_{l,l} \cdot v_{l-1}$); $e = v_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$.
Hybrid 2: $\mathsf{table}$ as in Hybrid 1; $\bar{v}_0, \ldots, \bar{v}_8$ are recomputed from $\mathsf{table}$ with $sk$ exactly as in $\mathcal{E}.\mathsf{Decrypt}$ (for instance $\bar{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} \cdots u_{0,8}^{-y_4}$, $\bar{v}_1 = (\tilde{u}_{1,1}/\bar{v}_0)^{-x_1} u_{1,2}^{-y_1} \cdots u_{1,8}^{-y_4}$, $\bar{v}_8 = u_{8,1}^{-x_1} \cdots u_{8,7}^{-x_4} (\tilde{u}_{8,8}/\bar{v}_7)^{-y_4} \bmod N^s$); $e = \bar{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$.
Hybrid 3: as Hybrid 2, except that the entry in row 1, column 1 of $\mathsf{table}$ is $\tilde{u}_{1,1} = (u_{1,1} T^{a}) \cdot v_0$.
Hybrid 3 (Equivalent Form): $\mathsf{table}$ as in Hybrid 3; $e = \bar{v}_8 \bmod N^s$.
the entry located in row 1 and column 1 is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$. By the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable (see Appendix B for a formal analysis).
(ii) Invoke $\mathcal{E}.\mathsf{Decrypt}$ to compute $\bar{v}_0, \ldots, \bar{v}_8$ from $\mathsf{table}$.
(iii) Compute $e := \bar{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, we have $\bar{v}_0 = v_0$, $\bar{v}_1 = v_1 \cdot T^{-a x_{i_\ell,1}}$, $\bar{v}_2 = v_2 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1}}$, $\ldots$, $\bar{v}_8 = v_8 \cdot T^{-a x_{i_\ell,1} y_{i_\ell,1} \cdots x_{i_\ell,4} y_{i_\ell,4}} = v_8 \cdot T^{-f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})}$; hence $e = \bar{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = v_8$.
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) $\mathsf{table}$ is computed as in $\mathcal{E}.\mathsf{Encrypt}$ except for a small difference. More precisely, the entry located in row 1 and column 1 of $\mathsf{table}$ is now computed as $\tilde{u}_{1,1} = (u_{1,1} T^{a}) \cdot v_0$ rather than $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$.
(ii) Compute $e := \bar{v}_8 \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$. Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.
After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the $\mathsf{encrypt}$ oracle preserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Similarly, we can change the $\mathsf{decrypt}$ oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not involved at all. More precisely, $\mathsf{decrypt}$ uses only the $(\bmod\ \phi(N)/4)$ part of the secret key and $\phi(N)$. This change corresponds to $\mathsf{G}_7$-$\mathsf{G}_8$ in the proof of Theorem 24. Loosely speaking, $\phi(N)$ is used to ensure that all entries in $\mathsf{table}$ are elements in $\mathsf{SCR}_{N^s}$; if this is not the case, $\mathsf{decrypt}$ rejects immediately. Consequently, the $\mathsf{decrypt}$ oracle leaks nothing about $(x_1, y_1, \ldots, x_4, y_4) \bmod N$. The computational indistinguishability of this change can be shown through an analysis similar to that of $\Pr[\mathsf{Bad}]$ in the proof of Theorem 24.
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^d_{\mathsf{poly}}$. In Section 5.3, we presented the construction of $\mathcal{E}$ for a concrete type of monomial functions. Generally, a polynomial function $f'_\ell$ of degree $d$ might contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. In order to construct a general $\mathcal{E}$ for the set $\mathcal{F}^d_{\mathsf{poly}}$ of polynomial functions, we must handle all types of monomial functions. To this end, we generate a table for each type of nonconstant monomial and associate it with a $v$, which is named a title. Algorithms $\mathcal{E}.\mathsf{Encrypt}$ and $\mathcal{E}.\mathsf{Decrypt}$ are shown in Figure 11.
Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomial functions whose degrees are at most $d$. For each nonconstant monomial type $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we can associate it with a degree tuple $\mathbf{c} = (c_1, \ldots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is, $\mathcal{S} := \{\mathbf{c} = (c_1, \ldots, c_8) \mid 1 \le c_1 + \cdots + c_8 \le d\}$.
For each degree tuple $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}(\mathbf{c})$ and $v(\mathbf{c})$ by invoking the algorithm $\mathsf{TableGen}$ shown in Figure 11. Finally, in $e$, $T^m$ is hidden by the product of all the titles.
Meanwhile, with the help of the secret key $sk = (x_1, y_1, \ldots, x_4, y_4)$, we can recover $\bar{v}(\mathbf{c}) = v(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ by invoking the algorithm $\mathsf{CalculateV}$ in Figure 11. Thus the titles $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ can always be extracted from $(\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of $\mathsf{KDM}[\mathcal{F}^d_{\mathsf{poly}}]$-CCA security for the set of polynomial functions. The proof is similar to that of Theorem 24 (cf. Table 2); the only difference lies in games $\mathsf{G}_3$-$\mathsf{G}_4$. Next, we replace $\mathsf{G}_3$-$\mathsf{G}_4$ with the following hybrids (Hybrid 1 to Hybrid 3). Specifically, the $\mathcal{E}.\mathsf{Encrypt}$ part of $\mathsf{encrypt}$ is changed in a computationally indistinguishable way so that it can serve as an entropy filter for polynomial functions of degree at most $d$, preserving the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the $\mathsf{encrypt}$ oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^4 \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(pk_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i \in [n], j \in [4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^4 \bmod N$ is preserved.
Hybrid 0. In the $\mathsf{initialize}$ procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to $\mathsf{G}_2$ in the proof of Theorem 24.
Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i \in [n], j \in [4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1, \ldots, c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) = \sum_{(c_1, \ldots, c_8) \in \mathcal{S}} a_{(c_1, \ldots, c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8} + \delta, \quad (62)$$
where $\delta$ is the constant term $a_{(0, \ldots, 0)}$ of $f'_\ell$.
Hybrid 2. Implement $\mathcal{E}.\mathsf{Encrypt}$ using $sk_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}$. This hybrid corresponds to $\mathsf{G}_3$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$: (1) invoke $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathsf{TableGen}(pk_{i_\ell}, \mathbf{c})$; (2) invoke $\bar{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(sk_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Employ $(\bar{v}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ rather than $(v(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c} \in \mathcal{S}} \bar{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Figure 11: (a) $\mathcal{E}.\mathsf{Encrypt}$ (left) and $\mathcal{E}.\mathsf{Decrypt}$ (right) of $\mathcal{E}$ designed for $\mathcal{F}^d_{\mathsf{poly}}$. (b) $\mathsf{TableGen}$, which generates $\mathsf{table}(\mathbf{c})$ together with a title $v(\mathbf{c})$. (c) $\mathsf{CalculateV}$, which calculates a title $\bar{v}(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ using the secret key. The three panels read as follows.

(a) $\mathcal{E}.c \leftarrow_{\$} \mathcal{E}.\mathsf{Encrypt}(pk, m)$:
  For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$: $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathsf{TableGen}(pk, \mathbf{c})$
  $e = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^m \bmod N^s$
  $t = g_1^m \bmod N \in \mathbb{Z}_N$
  Output $\mathcal{E}.c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$
$m/\bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(sk, \mathcal{E}.c)$:
  Parse $\mathcal{E}.c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c} \in \mathcal{S}}, e, t)$
  For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$: $\bar{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(sk, \mathsf{table}(\mathbf{c}), \mathbf{c})$
  If $e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \bar{v}(\mathbf{c}))^{-1} \in \mathsf{RU}_{N^s}$: $m = \mathsf{dlog}_T(e \cdot (\prod_{\mathbf{c} \in \mathcal{S}} \bar{v}(\mathbf{c}))^{-1}) \bmod N^{s-1}$; if $t = g_1^m \bmod N$, output $m$
  Otherwise output $\bot$

(b) $\mathsf{TableGen}(pk = (h_1, h_2, h_3, h_4), \mathbf{c} = (c_1, \ldots, c_8))$:
  For each $l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}$:
    $r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_{\$} [\lfloor N/4 \rfloor]$
    $(u_{l,1}, \ldots, u_{l,8}) = (g_1^{r_{l,1}}, g_2^{r_{l,1}}, g_2^{r_{l,2}}, g_3^{r_{l,2}}, g_3^{r_{l,3}}, g_4^{r_{l,3}}, g_4^{r_{l,4}}, g_5^{r_{l,4}}) \bmod N^s$
    $v_l = h_1^{r_{l,1}} h_2^{r_{l,2}} h_3^{r_{l,3}} h_4^{r_{l,4}} \bmod N^s$
  $\mathsf{table}(\mathbf{c})$ is the $(\sum_{j=1}^8 c_j + 1) \times 8$ matrix whose row $0$ is $(u_{0,1}, \ldots, u_{0,8})$ and whose row $l \ge 1$ is $(u_{l,1}, \ldots, u_{l,8})$ with one entry replaced by $\tilde{u}_{l,k} = u_{l,k} \cdot v_{l-1}$: the $c_1$ rows $l \in \{1, \ldots, c_1\}$ carry it in column $1$ ($\tilde{u}_{1,1} = u_{1,1} \cdot v_0, \ldots, \tilde{u}_{c_1,1} = u_{c_1,1} \cdot v_{c_1-1}$), the $c_2$ rows $l \in \{c_1+1, \ldots, c_1+c_2\}$ carry it in column $2$ ($\tilde{u}_{c_1+1,2} = u_{c_1+1,2} \cdot v_{c_1}, \ldots, \tilde{u}_{c_1+c_2,2} = u_{c_1+c_2,2} \cdot v_{c_1+c_2-1}$), and so on up to the $c_8$ rows $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$, which carry it in column $8$ ($\tilde{u}_{\sum_{j=1}^8 c_j, 8} = u_{\sum_{j=1}^8 c_j, 8} \cdot v_{\sum_{j=1}^8 c_j - 1}$)
  Output $(\mathsf{table}(\mathbf{c}), v(\mathbf{c}) = v_{\sum_{j=1}^8 c_j})$

(c) $\mathsf{CalculateV}(sk = (x_1, y_1, \ldots, x_4, y_4), \mathsf{table}(\mathbf{c}), \mathbf{c} = (c_1, \ldots, c_8))$:
  Parse $\mathsf{table}(\mathbf{c}) = (\tilde{u}_{l,1}, \ldots, \tilde{u}_{l,8})_{l \in \{0, 1, \ldots, \sum_{j=1}^8 c_j\}}$
  $\bar{v}_0 = u_{0,1}^{-x_1} u_{0,2}^{-y_1} u_{0,3}^{-x_2} u_{0,4}^{-y_2} u_{0,5}^{-x_3} u_{0,6}^{-y_3} u_{0,7}^{-x_4} u_{0,8}^{-y_4}$
  For each $l \in \{1, \ldots, c_1\}$: $\bar{v}_l = (\tilde{u}_{l,1}/\bar{v}_{l-1})^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$
  For each $l \in \{c_1+1, \ldots, c_1+c_2\}$: $\bar{v}_l = u_{l,1}^{-x_1} (\tilde{u}_{l,2}/\bar{v}_{l-1})^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} u_{l,8}^{-y_4}$
  $\ldots$
  For each $l \in \{\sum_{j=1}^7 c_j + 1, \ldots, \sum_{j=1}^8 c_j\}$: $\bar{v}_l = u_{l,1}^{-x_1} u_{l,2}^{-y_1} u_{l,3}^{-x_2} u_{l,4}^{-y_2} u_{l,5}^{-x_3} u_{l,6}^{-y_3} u_{l,7}^{-x_4} (\tilde{u}_{l,8}/\bar{v}_{l-1})^{-y_4}$
  Output $\bar{v}(\mathbf{c}) = \bar{v}_{\sum_{j=1}^8 c_j}$
Clearly, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, the $\bar{v}(\mathbf{c})$ computed via $\mathsf{CalculateV}$ is the same as the $v(\mathbf{c})$ computed via $\mathsf{TableGen}$. Therefore, this change is only conceptual.
Hybrid 3. This hybrid corresponds to $\mathsf{G}_4$ in the proof of Theorem 24.
(i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$:
(1) $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathsf{TableGen}(pk_{i_\ell}, \mathbf{c})$, except for a small difference: in $\mathsf{table}(\mathbf{c})$, the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$. By the $\mathsf{IV}_5$ assumption, this difference is computationally undetectable.
(2) Extract $\bar{v}(\mathbf{c})$ from the (modified) $\mathsf{table}(\mathbf{c})$ by invoking $\bar{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(sk_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} \bar{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$.
Through a routine calculation, for each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$ we have
$$\bar{v}(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1, \ldots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}}. \quad (63)$$
Hence
$$e = \prod_{\mathbf{c} \in \mathcal{S}} \bar{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot \prod_{\mathbf{c} \in \mathcal{S}} T^{-a_{(c_1, \ldots, c_8)} x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} = \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta}. \quad (64)$$
Consequently, Hybrid 3 can be implemented in an equivalent way.
Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \ldots, c_8) \in \mathcal{S}$, $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_{\$} \mathsf{TableGen}(pk_{i_\ell}, \mathbf{c})$ except for a small difference. More precisely, in $\mathsf{table}(\mathbf{c})$, the entry located in row 1 and column $j := \min\{i \mid 1 \le i \le 8, c_i \neq 0\}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} T^{a_{(c_1, \ldots, c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.
(ii) Compute $e := \prod_{\mathbf{c} \in \mathcal{S}} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]}) \bmod \phi(N)/4} \bmod N$. Now $(x_1, y_1, \ldots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}.\mathsf{Encrypt}$ any more.
After these computationally indistinguishable changes, the $\mathcal{E}.\mathsf{Encrypt}$ part of the $\mathsf{encrypt}$ oracle preserves the entropy of $(x_1, y_1, \ldots, x_4, y_4) \bmod N$.
With an argument similar to that in Section 5.3, we can change the $\mathsf{decrypt}$ oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^4 \bmod N$ is not employed at all.
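The table-and-title mechanism of Sections 5.3 and 5.4 and the title shift of Hybrid 3 (equation (63)), as an added worked example in Python; this is not the paper's code. It models the scheme over a constructed toy modulus $N^2$ (two small primes, $s = 2$, nothing about it is secure) and assumes the public-key shape $h_j = g_j^{-x_j} g_{j+1}^{-y_j}$, the shape under which the page's two title formulas, $v_l = \prod_j h_j^{r_{l,j}}$ and $\bar{v}_0 = \prod_j u_{0,2j-1}^{-x_j} u_{0,2j}^{-y_j}$, coincide; the sampler `rand_unit`, the helper `column_of_row`, and the functions `shifted_title` and `demo` are names introduced here. It implements the general `TableGen`/`CalculateV` for an arbitrary degree tuple $\mathbf{c}$ (the concrete monomial of Figure 9 is the case $\mathbf{c} = (1, \ldots, 1)$), a full encrypt/decrypt round trip for $\mathcal{F}^d_{\mathsf{poly}}$, and a check that multiplying the row-1 entry of the first nonzero column by $T^a$ shifts the recovered title exactly as equation (63) predicts.

```python
import math
import random
from itertools import product
# Constructed toy parameters (two small primes, s = 2): instant to run, nothing here is secure.
P, Q = 1000003, 1000033
N = P * Q
NS = N * N            # the group is Z*_{N^2}; messages live in Z_N
T = 1 + N             # T = 1 + N, and for s = 2 dlog_T(1 + mN) = m

def rand_unit(rng):
    a = rng.randrange(2, NS)                         # constructed sampler for a unit of Z*_{N^2}
    return a if math.gcd(a, N) == 1 else rand_unit(rng)

def keygen(rng):
    """pk = (g_1..g_5, h_1..h_4), sk = (x_1, y_1, ..., x_4, y_4)."""
    g = [pow(rand_unit(rng), 2 * N, NS) for _ in range(5)]   # 2N-th powers stand in for SCR_{N^s}
    x, y = ([rng.randrange(1, N * N // 4) for _ in range(4)] for _ in range(2))
    # Assumed pk shape h_j = g_j^{-x_j} g_{j+1}^{-y_j}: it makes v_l = prod_j h_j^{r_{l,j}} equal
    # the product CalculateV forms from (u_{l,2j-1}, u_{l,2j}) with exponents (-x_j, -y_j).
    h = [pow(g[j], -x[j], NS) * pow(g[j + 1], -y[j], NS) % NS for j in range(4)]
    return (g, h), (x, y)

def degree_tuples(d):
    """S = {c = (c_1..c_8) : 1 <= c_1 + ... + c_8 <= d}, one tuple per nonconstant monomial type."""
    return [c for c in product(range(d + 1), repeat=8) if 1 <= sum(c) <= d]

def column_of_row(c, l):
    """0-indexed column k whose row block c_1+..+c_{k-1}+1 .. c_1+..+c_k contains row l (Figure 11(b))."""
    bound = 0
    for k, ck in enumerate(c):
        bound += ck
        if l <= bound:
            return k

def table_gen(pk, c, rng):
    """TableGen(pk, c) -> (table(c), v(c)); row l >= 1 hides the title v_{l-1} in its column."""
    (g, h), table, prev = pk, [], None
    for l in range(sum(c) + 1):
        r = [rng.randrange(1, N // 4) for _ in range(4)]
        # (u_{l,1..8}) = (g_1^{r_1}, g_2^{r_1}, g_2^{r_2}, g_3^{r_2}, g_3^{r_3}, g_4^{r_3}, g_4^{r_4}, g_5^{r_4})
        u = [pow(g[i // 2 + i % 2], r[i // 2], NS) for i in range(8)]
        v = math.prod(pow(h[j], r[j], NS) for j in range(4)) % NS   # title v_l = prod_j h_j^{r_{l,j}}
        if l >= 1:
            k = column_of_row(c, l)
            u[k] = u[k] * prev % NS                  # tilde u_{l,k} = u_{l,k} * v_{l-1}
        table.append(u)
        prev = v
    return table, prev

def calculate_v(sk, table, c):
    """CalculateV(sk, table(c), c): recover the titles row by row using sk only."""
    x, y = sk
    exps = [-x[i // 2] if i % 2 == 0 else -y[i // 2] for i in range(8)]   # -x_1, -y_1, ..., -x_4, -y_4
    v = None
    for l, row in enumerate(table):
        if l >= 1:
            k = column_of_row(c, l)
            row = row[:k] + [row[k] * pow(v, -1, NS) % NS] + row[k + 1:]   # strip v_{l-1}, no in-place edit
        v = math.prod(pow(row[i], exps[i], NS) for i in range(8)) % NS
    return v

def encrypt(pk, m, d, rng):
    """E.Encrypt for F^d_poly (Figure 11(a)): T^m is masked by the product of all titles."""
    (g, _), tables, prod = pk, {}, 1
    for c in degree_tuples(d):
        tables[c], v = table_gen(pk, c, rng)
        prod = prod * v % NS
    return tables, prod * pow(T, m, NS) % NS, pow(g[0], m, N)

def decrypt(pk, sk, ct):
    """E.Decrypt: unmask with the recovered titles, then check RU_{N^2} membership and the tag t."""
    g, _ = pk
    tables, e, t = ct
    prod = math.prod(calculate_v(sk, tb, c) for c, tb in tables.items()) % NS
    z = e * pow(prod, -1, NS) % NS
    if z % N != 1:                                   # RU_{N^2} = {1 + mN}: reject anything else
        return None
    m = (z - 1) // N % N                             # dlog_T for s = 2
    return m if pow(g[0], m, N) == t else None

def shifted_title(pk, sk, c, a, rng):
    """Hybrid 3 twist: T^a into row 1's first nonzero column; returns both sides of equation (63)."""
    x, y = sk
    table, v = table_gen(pk, c, rng)
    j = column_of_row(c, 1)
    table[1][j] = table[1][j] * pow(T, a, NS) % NS
    mono = math.prod(zi ** ci for zi, ci in zip([x[0], y[0], x[1], y[1], x[2], y[2], x[3], y[3]], c))
    return calculate_v(sk, table, c), v * pow(T, -a * mono, NS) % NS

def demo(seed=2017):
    """Whole pipeline on constructed inputs; returns the values a reader would want to check."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    tables, e, t = ct = encrypt(pk, 424242, 1, rng)
    got, want = shifted_title(pk, sk, (1, 0, 2, 0, 0, 0, 0, 1), 5, rng)
    return {"roundtrip": decrypt(pk, sk, ct), "num_tables_d2": len(degree_tuples(2)),   # 424242, 44
            "tampered_e": decrypt(pk, sk, (tables, e * 2 % NS, t)), "title_shift_matches_eq63": got == want}
```

`demo()` returns the round-trip message, `None` for a ciphertext whose $e$ was altered (the $\mathsf{RU}_{N^s}$ membership check fails), the outcome of the equation-(63) comparison, and $|\mathcal{S}| = \binom{10}{8} - 1 = 44$ for $d = 2$. The decryption-side checks are the practical takeaway: a ciphertext is accepted only if the unmasked value lies in $\mathsf{RU}_{N^s}$ and the tag $t$ matches, so a wrong title recovered from a modified table turns into a rejection rather than a wrong plaintext, except with negligible probability.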
Appendix
A. Proof of Claim 19
We build a PPT adversary $\mathcal{B}$ against the INT-OT security of $\mathsf{AE}$. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_{\$} \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathsf{AE}}$ and has access to the oracle $\mathsf{encrypt}_{\mathsf{AE}}(\cdot) = \mathsf{AE}.\mathsf{Encrypt}(\kappa, \cdot)$ for one time.
Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathsf{AIAE}}$ in the same way as in $\mathsf{G}'_{1,j}$. That is, invoke $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_{\$} \mathsf{THPS}.\mathsf{Setup}(1^\lambda)$, pick $\mathrm{H} \leftarrow_{\$} \mathcal{H}$ randomly, and set $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathrm{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathsf{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $hk \leftarrow_{\$} \mathcal{HK}$.
As for the $\ell$-th ($\ell \in [Q_e]$) $\mathsf{encrypt}$ query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathsf{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way.
(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_{\$} \mathcal{K}$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE}.\mathsf{Encrypt}(\kappa_\ell, m_\ell)$.
(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in $\mathsf{G}'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_{\$} \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathrm{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot hk + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_{\$} \mathsf{AE}.\mathsf{Encrypt}(\kappa_\ell, m_\ell)$.
(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $hk$ at all and instead resorts to its own $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_{\$} \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathrm{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, queries its $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle with $m_j$, and gets the challenge $\chi_j$. According to the $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle, we have $\chi_j \leftarrow_{\$} \mathsf{AE}.\mathsf{Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $\mathsf{G}'_{1,j}$. Therefore, the simulation of $\mathcal{B}$ is the same as that in $\mathsf{G}'_{1,j}$.
$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ to $\mathcal{Q}_{\mathsf{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ to $\mathcal{Q}_{\mathsf{AI\text{-}F}}$, and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ to $\mathcal{Q}_{\mathsf{TAG}}$.
Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathsf{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the $\mathsf{AE}$ scheme as follows.
(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathsf{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathsf{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathrm{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathsf{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.
We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ implies that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE}.\mathsf{Decrypt}(\kappa^*, \chi^*) \neq \bot$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, the conditions $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$, and $\mathsf{AE}.\mathsf{Decrypt}(\kappa^*, \chi^*) \neq \bot$ imply that $\chi^* \neq \chi_j$ and $\mathsf{AE}.\mathsf{Decrypt}(\kappa, \chi^*) \neq \bot$; that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery.
In summary, $\mathcal{B}$ perfectly simulates $\mathsf{G}'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery as long as the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus we have $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathsf{int\text{-}ot}}_{\mathsf{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}_b^{\mathsf{IV}_5}}(N, g_1, \ldots, g_5)$ to solve the $\mathsf{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in $\mathsf{initialize}$ as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}.\mathsf{Encrypt}$ as follows.
(i) For the 0th row of $\mathsf{table}$, $\mathcal{B}$ computes $(u_{0,1}, \ldots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.
(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathsf{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.
$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^{a} \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \ldots, u_{1,8})$ in the 1st row of $\mathsf{table}$ using its public keys and sets the 1st row of $\mathsf{table}$ to be
$$(\tilde{u}_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \ldots,\ u_{1,8}). \quad (\mathrm{B.1})$$
$\mathcal{B}$ also computes $v^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \ldots, u_{1,8})$ via $v^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_1 = v_1$, or
Case ($b = 1$): $v^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathsf{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^*_{2,2} \cdot v^*_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \ldots, u_{2,8})$ in the 2nd row of $\mathsf{table}$ using its public keys and sets the 2nd row of $\mathsf{table}$ to be
$$(u^*_{2,1},\ \tilde{u}_{2,2} = u^*_{2,2} \cdot v^*_1,\ u_{2,3},\ \ldots,\ u_{2,8}). \quad (\mathrm{B.2})$$
$\mathcal{B}$ also computes $v^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \ldots, u_{2,8})$ via $v^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_2 = v_2$, or
Case ($b = 1$): $v^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.
(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathsf{IV}_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets $\tilde{u}_{3,3} := u^*_{3,3} \cdot v^*_2$; similarly, it is easy to check that $\tilde{u}_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of $\mathsf{table}$ using its public keys and sets the 3rd row of $\mathsf{table}$ to be
$$(u_{3,1},\ u_{3,2},\ \tilde{u}_{3,3} = u^*_{3,3} \cdot v^*_2,\ u^*_{3,4},\ u_{3,5},\ \ldots,\ u_{3,8}). \quad (\mathrm{B.3})$$
$\mathcal{B}$ also computes $v^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \ldots, u_{3,8})$ via $v^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $v^*_3 = v_3$, or
Case ($b = 1$): $v^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.
(v) For the 4th to 8th rows, $\mathcal{B}$ computes $\mathsf{table}$ similarly as above.
(vi) Finally, $\mathcal{B}$ computes $\bar{v}_0, \ldots, \bar{v}_8$ from $\mathsf{table}$ just as in Hybrids 2 and 3 (also as in the original $\mathcal{E}.\mathsf{Decrypt}$ algorithm) and computes $e := \bar{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.
If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the $\mathsf{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
Security and Communication Networks 27
References
[1] S Goldwasser and S Micali ldquoProbabilistic encryptionrdquo Journalof Computer and System Sciences vol 28 no 2 pp 270ndash2991984
[2] J Black P Rogaway and T Shrimpton ldquoEncryption-schemesecurity in the presence of key-dependentmessagesrdquo in SelectedAreas in Cryptography K Nyberg and H M Heys Eds vol2595 of Lecture Notes in Computer Science pp 62ndash75 Springer2003
[3] J Camenisch and A Lysyanskaya ldquoAn efficient system for non-transferable anonymous credentials with optional anonymityrevocationrdquo in Advances in Cryptology B Pfitzmann Ed vol2045 of Lecture Notes in Computer Science pp 93ndash118 Springer2001
[4] D Boneh S Halevi M Hamburg and R Ostrovsky ldquoCircular-secure encryption from decision Diffie-Hellmanrdquo in Advancesin Cryptology D Wagner Ed vol 5157 of Lecture Notes inComputer Science pp 108ndash125 Springer 2008
[5] Z Brakerski and S Goldwasser ldquoCircular and leakage resilientpublic-key encryption under subgroup indistinguishability (orquadratic residuosity strikes back)rdquo in Advances in CryptologyT Rabin Ed vol 6223 of Lecture Notes in Computer Science pp1ndash20 Springer 2010
[6] B Applebaum D Cash C Peikert and A Sahai ldquoFast cryp-tographic primitives and circular-secure encryption based onhard learning problemsrdquo in Advances in Cryptology S HaleviEd vol 5677 of Lecture Notes in Computer Science pp 595ndash618Springer 2009
[7] O Regev ldquoOn lattices learning with errors random linearcodes and cryptographyrdquo in Proceedings of the 37th AnnualACM Symposium on Theory of Computing (STOC rsquo05) H NGabow and R Fagin Eds pp 84ndash93 ACM 2005
[8] Z Brakerski S Goldwasser and Y T Kalai ldquoBlack-box circular-secure encryption beyond affine functionsrdquo in Theory of Cryp-tography Y Ishai Ed vol 6597 of Lecture Notes in ComputerScience pp 201ndash218 Springer 2011
[9] B Barak I Haitner D Hofheinz and Y Ishai ldquoBounded key-dependent message securityrdquo in Advances in Cryptology HGilbert Ed vol 6110 of Lecture Notes in Computer Science pp423ndash444 Springer 2010
[10] T Malkin I Teranishi and M Yung ldquoEfficient circuit-sizeindependent public key encryption with KDM securityrdquo inAdvances in Cryptology K G Paterson Ed vol 6632 of LectureNotes in Computer Science pp 507ndash526 Springer 2011
[11] J CamenischNChandran andV Shoup ldquoApublic key encryp-tion scheme secure against key dependent chosen plaintext andadaptive chosen ciphertext attacksrdquo in Advances in CryptologyA Joux Ed vol 5479 of Lecture Notes in Computer Science pp351ndash368 Springer 2009
[12] M Naor and M Yung ldquoPublic-key cryptosystems provablysecure against chosen ciphertext attacksrdquo in Proceedings of the22nd Annual ACM Symposium on Theory of Computing (STOCrsquo90) H Ortiz Ed pp 427ndash437 May 1990
[13] J Groth and A Sahai ldquoEfficient non-interactive proof systemsfor bilinear groupsrdquo inAdvances in Cryptology N P Smart Edvol 4965 of Lecture Notes in Computer Science pp 415ndash432Springer 2008
[14] D Galindo J Herranz and J Villar ldquoIdentity-based encryptionwith master key-dependent message security and leakage-resiliencerdquo in European Symposium on Research in Computer
Security S Foresti M Yung and F Martinelli Eds vol 7459of Lecture Notes in Computer Science pp 627ndash642 2012
[15] D Hofheinz ldquoCircular chosen-ciphertext security with com-pact ciphertextsrdquo inAdvances in Cryptology T Johansson and PQ Nguyen Eds vol 7881 of Lecture Notes in Computer Sciencepp 520ndash536 Springer 2013
[16] X Lu B Li and D Jia ldquoKDM-CCA security from RKA secureauthenticated encryptionrdquo in Advances in Cryptology Part IE Oswald and M Fischlin Eds vol 9056 of Lecture Notes inComputer Science pp 559ndash583 Springer 2015
[17] S Han S Liu and L Lyu ldquoEfficient KDM-CCA secure public-key encryption for polynomial functionsrdquo in Annual Interna-tional Conference on the Theory and Applications of Cryptologyand Information Security J H Cheon and T Takagi Edsvol 10032 of Lecture Notes in Computer Science pp 307ndash338Springer 2016
[18] R Cramer and V Shoup ldquoDesign and analysis of practicalpublic-key encryption schemes secure against adaptive chosenciphertext attackrdquo SIAM Journal on Computing vol 33 no 1 pp167ndash226 2003
[19] B Qin S Liu and K Chen ldquoEfficient chosen-ciphertext securepublic-key encryption scheme with high leakage-resiliencerdquoIET Information Security vol 9 no 1 pp 32ndash42 2015
[20] R Cramer andV Shoup ldquoUniversal hash proofs and a paradigmfor adaptive chosen ciphertext secure public-key encryptionrdquo inAdvances in Cryptology L R Knudsen Ed vol 2332 of LectureNotes in Computer Science pp 45ndash64 Springer 2002
[21] Y Dodis E Kiltz K Pietrzak and D Wichs ldquoMessage authen-tication revisitedrdquo in Advances in Cryptology D Pointchevaland T Johansson Eds vol 7237 of Lecture Notes in ComputerScience pp 355ndash374 Springer 2012
[22] K Xagawa ldquoMessage authentication codes secure against addi-tively related-key attacksrdquo in Proceedings of the Symposium onCryptography and Information Security (SCIS rsquo13) 2013
[23] I DamgArd andM Jurik ldquoA generalisation a simplification andsome applications of Paillierrsquos probabilistic public-key systemrdquoin Public Key Cryptography K Kim Ed vol 1992 of LectureNotes in Computer Science pp 119ndash136 Springer 2001
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 23
the entry located in row 1 and column 1 is nowcomputed as 11 = (11119879119886) sdot V0 rather than 11 =11 sdot V0 By the IV5 assumption this difference iscomputationally undetectable (see Appendix B for aformal analysis)
(ii) Invoke EDecrypt to compute V0 V8 from table
(iii) Compute 119890 fl V8 sdot 1198791198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4]) mod119873119904 and 119905 fl1198921198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4])1 mod119873
Through a routine calculation we have V0 = V0 V1 = V1 sdot119879minus119886119909119894ℓ 1 V2 = V2 sdot 119879minus119886119909119894ℓ 1119910119894ℓ 1 V8 = V8 sdot 119879minus119886119909119894ℓ 1119910119894ℓ 1 sdotsdotsdot119909119894ℓ 4119910119894ℓ 4 =V8 sdot 119879minus1198911015840ℓ ((119909119894ℓ 119895119910119894ℓ 119895)119895isin[4]) hence 119890 = V8 sdot 1198791198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4]) = V8
Consequently Hybrid 3 can be implemented in an equiv-alent way
Hybrid 3 (Equivalent Form) (i) table is computed similarlyas that in EEncrypt except for a small difference Moreprecisely the entry located in row 1 and column 1 in table isnow computed as 11 = (11119879119886)sdotV0 rather than 11 = 11 sdotV0
(ii) Compute 119890 fl V8 mod119873119904 and 119905 fl1198921198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4]) mod120601(119873)4
1 mod119873Now (1199091 1199101 1199094 1199104) mod119873 is not used in EEncrypt
any more
After these computationally indistinguishable changestheEEncrypt part of the encrypt oracle reserves the entropyof (1199091 1199101 1199094 1199104) mod119873
Similarly we can change the decrypt oracle in a com-putationally indistinguishable way so that (119909119895 119910119895)4119895=1 mod119873is not involved at all More precisely decrypt uses onlythe (mod120601(119873)4) part of secret key and 120601(119873) This changecorresponds to G7-G8 in the proof of Theorem 24 Looselyspeaking 120601(119873) is used to ensure that all entries in table areelements in SCR119873119904 If this is not the case decrypt rejectsimmediately Consequently the decrypt oracle leaks noth-ing about (1199091 1199101 1199094 1199104) mod119873 We can also show thecomputational indistinguishability of this change through asimilar analysis as that of Pr[Bad] in the proof ofTheorem 24
5.4. The General $\mathcal{E}$ Designed for $\mathcal{F}^{d}_{\mathrm{poly}}$. In Section 5.3 we presented the construction of $\mathcal{E}$ for one concrete type of monomial function. In general, a polynomial function $f'_\ell$ of degree $d$ in the eight variables $(x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$ may contain as many as $\binom{8+d}{8} = \Theta(d^8)$ monomials. To construct a general $\mathcal{E}$ for the set $\mathcal{F}^{d}_{\mathrm{poly}}$ of polynomial functions, we must handle all types of monomials. To this end, we generate a table for each type of nonconstant monomial and associate it with a group element $v$, which we call a title. Algorithms $\mathcal{E}$.Encrypt and $\mathcal{E}$.Decrypt are shown in Figure 11.

Neglecting the coefficients of monomials, there are $\binom{8+d}{8} - 1$ types of nonconstant monomials of degree at most $d$. Each nonconstant monomial type
$x_{i_\ell,1}^{c_1}\, y_{i_\ell,1}^{c_2}\, x_{i_\ell,2}^{c_3}\, y_{i_\ell,2}^{c_4}\, x_{i_\ell,3}^{c_5}\, y_{i_\ell,3}^{c_6}\, x_{i_\ell,4}^{c_7}\, y_{i_\ell,4}^{c_8}$
is identified with its degree tuple $\mathbf{c} = (c_1, \dots, c_8)$. Let $\mathcal{S}$ denote the set of all such degree tuples, that is,
$$\mathcal{S} := \{\, \mathbf{c} = (c_1, \dots, c_8) \ \mid\ 1 \le c_1 + \cdots + c_8 \le d \,\}.$$

For each degree tuple $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, which corresponds to the monomial $x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}$, we generate $\mathsf{table}(\mathbf{c})$ and its title $v(\mathbf{c})$ by invoking the algorithm TableGen shown in Figure 11. Finally, in $e$, the message-carrying factor $T^{m}$ is hidden by the product of all the titles.

Conversely, with the help of the secret key $\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4)$, the title $\hat{v}(\mathbf{c}) = v(\mathbf{c})$ can be recovered from $\mathsf{table}(\mathbf{c})$ by invoking the algorithm CalculateV in Figure 11. Thus the titles $(v(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}$ can always be extracted from $(\mathsf{table}(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}$ one by one, and finally $m$ is recovered.
Security Proof. We sketch the proof of KDM[$\mathcal{F}^{d}_{\mathrm{poly}}$]-CCA security for the set of polynomial functions. The proof is similar to that of Theorem 24 (cf. Table 2); the only difference lies in games G3–G4. We replace G3–G4 with the following hybrids (Hybrid 1–Hybrid 3). Specifically, the $\mathcal{E}$.Encrypt part of encrypt is changed in a computationally indistinguishable way so that it serves as an entropy filter for polynomial functions of degree at most $d$, reserving the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

Suppose that the adversary submits $(f_\ell, i_\ell \in [n])$ to the encrypt oracle. Our purpose is to eliminate the use of $(x_j, y_j)_{j=1}^{4} \bmod N$ in the computation of $\mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}_{i_\ell}, f_\ell((x_{i,j}, y_{i,j})_{i\in[n], j\in[4]}))$, so that the entropy of $(x_j, y_j)_{j=1}^{4} \bmod N$ is reserved.

Hybrid 0. In the initialize procedure, the secret keys are computed as $x_{i,j} := x_j + \bar{x}_{i,j}$ and $y_{i,j} := y_j + \bar{y}_{i,j} \bmod \lfloor N^2/4 \rfloor$ for $i \in [n]$, $j \in [4]$. This hybrid is identical to G2 in the proof of Theorem 24.

Hybrid 1. Using $(\bar{x}_{i,j}, \bar{y}_{i,j})_{i\in[n], j\in[4]}$, reduce $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ and compute the coefficients $a_{(c_1,\dots,c_8)}$ of $f'_\ell$ as discussed in Section 5.2. Then
$$f'_\ell\big((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}\big) = \sum_{(c_1,\dots,c_8)\in\mathcal{S}} a_{(c_1,\dots,c_8)} \cdot x_{i_\ell,1}^{c_1}\, y_{i_\ell,1}^{c_2}\, x_{i_\ell,2}^{c_3}\, y_{i_\ell,2}^{c_4}\, x_{i_\ell,3}^{c_5}\, y_{i_\ell,3}^{c_6}\, x_{i_\ell,4}^{c_7}\, y_{i_\ell,4}^{c_8} + \delta, \qquad (62)$$
where $\delta$ is the constant term $a_{(0,\dots,0)}$ of $f'_\ell$.

Hybrid 2. Implement $\mathcal{E}$.Encrypt using $\mathsf{sk}_{i_\ell} = (x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}$. This hybrid corresponds to G3 in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$:
(1) invoke $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$;
(2) invoke $\hat{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.

(ii) Employ $(\hat{v}(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}$ rather than $(v(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}}$ in the computation of $e$, that is, $e := \prod_{\mathbf{c}\in\mathcal{S}} \hat{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$, and compute $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.
24 Security and Communication Networks
Figure 11: (a) $\mathcal{E}$.Encrypt (left) and $\mathcal{E}$.Decrypt (right) of the $\mathcal{E}$ designed for $\mathcal{F}^{d}_{\mathrm{poly}}$; (b) TableGen, which generates $\mathsf{table}(\mathbf{c})$ together with a title $v(\mathbf{c})$; (c) CalculateV, which calculates a title $\hat{v}(\mathbf{c})$ from $\mathsf{table}(\mathbf{c})$ using the secret key.

(a) $\mathcal{E}c \leftarrow_\$ \mathcal{E}.\mathsf{Encrypt}(\mathsf{pk}, m)$:
For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$: $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}, \mathbf{c})$.
$e := \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot T^{m} \bmod N^s$.
$t := g_1^{m} \bmod N \in \mathbb{Z}_N$.
Output $\mathcal{E}c := ((\mathsf{table}(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}},\ e,\ t)$.

$m / \bot \leftarrow \mathcal{E}.\mathsf{Decrypt}(\mathsf{sk}, \mathcal{E}c)$:
Parse $\mathcal{E}c = ((\mathsf{table}(\mathbf{c}))_{\mathbf{c}\in\mathcal{S}},\ e,\ t)$.
For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$: $\hat{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.
If $e \cdot (\prod_{\mathbf{c}\in\mathcal{S}} \hat{v}(\mathbf{c}))^{-1} \in \mathsf{RU}_{N^s}$: $m := \mathsf{dlog}_T\big(e \cdot (\prod_{\mathbf{c}\in\mathcal{S}} \hat{v}(\mathbf{c}))^{-1}\big) \bmod N^{s-1}$; if $t = g_1^{m} \bmod N$, output $m$.
Otherwise, output $\bot$.

(b) $\mathsf{TableGen}(\mathsf{pk} = (h_1, h_2, h_3, h_4),\ \mathbf{c} = (c_1, \dots, c_8))$:
For each $l \in \{0, 1, \dots, \sum_{j=1}^{8} c_j\}$:
$r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4} \leftarrow_\$ [\lfloor N/4 \rfloor]$;
$(u_{l,1}, \dots, u_{l,8}) := (g_1^{r_{l,1}},\ g_2^{r_{l,1}},\ g_2^{r_{l,2}},\ g_3^{r_{l,2}},\ g_3^{r_{l,3}},\ g_4^{r_{l,3}},\ g_4^{r_{l,4}},\ g_5^{r_{l,4}}) \bmod N^s$;
$v_l := h_1^{r_{l,1}}\, h_2^{r_{l,2}}\, h_3^{r_{l,3}}\, h_4^{r_{l,4}} \bmod N^s$.
$\mathsf{table}(\mathbf{c})$ consists of $\sum_{j=1}^{8} c_j + 1$ rows of eight entries each; row $l \ge 1$ hides the previous title $v_{l-1}$ in one entry (written $\tilde{u}$):
row $0$: $(u_{0,1},\ u_{0,2},\ \dots,\ u_{0,8})$;
rows $l \in [1, c_1]$ ($c_1$ rows): $(\tilde{u}_{l,1} := u_{l,1} \cdot v_{l-1},\ u_{l,2},\ \dots,\ u_{l,8})$;
rows $l \in [c_1 + 1, c_1 + c_2]$ ($c_2$ rows): $(u_{l,1},\ \tilde{u}_{l,2} := u_{l,2} \cdot v_{l-1},\ u_{l,3},\ \dots,\ u_{l,8})$;
$\vdots$
rows $l \in [\sum_{j=1}^{7} c_j + 1, \sum_{j=1}^{8} c_j]$ ($c_8$ rows): $(u_{l,1},\ \dots,\ u_{l,7},\ \tilde{u}_{l,8} := u_{l,8} \cdot v_{l-1})$.
Output $(\mathsf{table}(\mathbf{c}),\ v(\mathbf{c}) := v_{\sum_{j=1}^{8} c_j})$.

(c) $\mathsf{CalculateV}(\mathsf{sk} = (x_1, y_1, \dots, x_4, y_4),\ \mathsf{table}(\mathbf{c}),\ \mathbf{c} = (c_1, \dots, c_8))$:
Parse $\mathsf{table}(\mathbf{c}) = (u_{l,1}, \dots, u_{l,8})_{l \in \{0, 1, \dots, \sum_{j=1}^{8} c_j\}}$ (with the title-bearing entries $\tilde{u}_{l,\cdot}$ as above).
$\hat{v}_0 := u_{0,1}^{-x_1}\, u_{0,2}^{-y_1}\, u_{0,3}^{-x_2}\, u_{0,4}^{-y_2}\, u_{0,5}^{-x_3}\, u_{0,6}^{-y_3}\, u_{0,7}^{-x_4}\, u_{0,8}^{-y_4}$.
For each $l \in [1, c_1]$: $\hat{v}_l := (\tilde{u}_{l,1} / \hat{v}_{l-1})^{-x_1}\, u_{l,2}^{-y_1}\, u_{l,3}^{-x_2}\, u_{l,4}^{-y_2}\, u_{l,5}^{-x_3}\, u_{l,6}^{-y_3}\, u_{l,7}^{-x_4}\, u_{l,8}^{-y_4}$.
For each $l \in [c_1 + 1, c_1 + c_2]$: $\hat{v}_l := u_{l,1}^{-x_1}\, (\tilde{u}_{l,2} / \hat{v}_{l-1})^{-y_1}\, u_{l,3}^{-x_2}\, u_{l,4}^{-y_2}\, u_{l,5}^{-x_3}\, u_{l,6}^{-y_3}\, u_{l,7}^{-x_4}\, u_{l,8}^{-y_4}$.
$\vdots$
For each $l \in [\sum_{j=1}^{7} c_j + 1, \sum_{j=1}^{8} c_j]$: $\hat{v}_l := u_{l,1}^{-x_1}\, u_{l,2}^{-y_1}\, u_{l,3}^{-x_2}\, u_{l,4}^{-y_2}\, u_{l,5}^{-x_3}\, u_{l,6}^{-y_3}\, u_{l,7}^{-x_4}\, (\tilde{u}_{l,8} / \hat{v}_{l-1})^{-y_4}$.
Output $\hat{v}(\mathbf{c}) := \hat{v}_{\sum_{j=1}^{8} c_j}$.
Clearly, for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, the $\hat{v}(\mathbf{c})$ computed via CalculateV equals the $v(\mathbf{c})$ computed via TableGen. Therefore this change is only conceptual.

Hybrid 3. This hybrid corresponds to G4 in the proof of Theorem 24.

(i) For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$:
(1) $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference: in $\mathsf{table}(\mathbf{c})$ the entry located in row $1$ and column $j := \min\{ i \mid 1 \le i \le 8,\ c_i \neq 0 \}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} \cdot T^{a_{(c_1,\dots,c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$; by the $\mathsf{IV}_5$ assumption this difference is computationally undetectable;
(2) extract $\hat{v}(\mathbf{c})$ from the (modified) $\mathsf{table}(\mathbf{c})$ by invoking $\hat{v}(\mathbf{c}) \leftarrow \mathsf{CalculateV}(\mathsf{sk}_{i_\ell}, \mathsf{table}(\mathbf{c}), \mathbf{c})$.

(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} \hat{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$.

Through a routine calculation (the factor $T^{a_{(c_1,\dots,c_8)}}$ injected in row $1$ is raised to $-x_{i_\ell,1}$ or $-y_{i_\ell,1}$, etc., once per row as CalculateV walks down the table), for each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$ we have
$$\hat{v}(\mathbf{c}) = v(\mathbf{c}) \cdot T^{-a_{(c_1,\dots,c_8)} \cdot x_{i_\ell,1}^{c_1}\, y_{i_\ell,1}^{c_2}\, x_{i_\ell,2}^{c_3}\, y_{i_\ell,2}^{c_4}\, x_{i_\ell,3}^{c_5}\, y_{i_\ell,3}^{c_6}\, x_{i_\ell,4}^{c_7}\, y_{i_\ell,4}^{c_8}}. \qquad (63)$$
Hence, by (62),
$$e = \prod_{\mathbf{c}\in\mathcal{S}} \hat{v}(\mathbf{c}) \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})}
= \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot \prod_{\mathbf{c}\in\mathcal{S}} T^{-a_{(c_1,\dots,c_8)} \cdot x_{i_\ell,1}^{c_1} y_{i_\ell,1}^{c_2} x_{i_\ell,2}^{c_3} y_{i_\ell,2}^{c_4} x_{i_\ell,3}^{c_5} y_{i_\ell,3}^{c_6} x_{i_\ell,4}^{c_7} y_{i_\ell,4}^{c_8}} \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})}
= \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot T^{\delta}. \qquad (64)$$
Consequently, Hybrid 3 can be implemented in an equivalent way.

Hybrid 3 (Equivalent Form). (i) For each $\mathbf{c} = (c_1, \dots, c_8) \in \mathcal{S}$, $\mathsf{table}(\mathbf{c})$ is computed by $(\mathsf{table}(\mathbf{c}), v(\mathbf{c})) \leftarrow_\$ \mathsf{TableGen}(\mathsf{pk}_{i_\ell}, \mathbf{c})$ except for a small difference: in $\mathsf{table}(\mathbf{c})$ the entry located in row $1$ and column $j := \min\{ i \mid 1 \le i \le 8,\ c_i \neq 0 \}$ is now computed as $\tilde{u}_{1,j} = (u_{1,j} \cdot T^{a_{(c_1,\dots,c_8)}}) \cdot v_0$ rather than $\tilde{u}_{1,j} = u_{1,j} \cdot v_0$.

(ii) Compute $e := \prod_{\mathbf{c}\in\mathcal{S}} v(\mathbf{c}) \cdot T^{\delta} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]}) \bmod \phi(N)/4} \bmod N$.

Now $(x_1, y_1, \dots, x_4, y_4) \bmod N$ is not used in $\mathcal{E}$.Encrypt any more.

After these computationally indistinguishable changes, the $\mathcal{E}$.Encrypt part of the encrypt oracle reserves the entropy of $(x_1, y_1, \dots, x_4, y_4) \bmod N$.

With an argument similar to that in Section 5.3, we can change the decrypt oracle in a computationally indistinguishable way so that $(x_j, y_j)_{j=1}^{4} \bmod N$ is not employed at all.
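The table mechanism of Figure 11 and the title-shift identity (63) can be checked concretely. The following Python program is an added example and is not code from the paper or its authors. It implements TableGen and CalculateV over a toy Damgård–Jurik group ($s = 2$, $N = p \cdot q$ for two small primes that give no security at all), verifies that CalculateV recovers $v(\mathbf{c})$ from an honest table, applies the Hybrid 3 modification (multiplying the row-1 entry of the first nonzero-degree column by $T^{a}$) and checks that the recovered title becomes $v(\mathbf{c}) \cdot T^{-a \cdot x_1^{c_1} y_1^{c_2} \cdots y_4^{c_8}}$ as in (63), and finally runs $\mathcal{E}$.Encrypt/$\mathcal{E}$.Decrypt of Figure 11(a) for a small set of degree tuples. The public-key form $h_j = g_j^{-x_j} g_{j+1}^{-y_j}$ is not stated on this page; it is the one forced by requiring CalculateV to reproduce TableGen's title, and the code assumes it. The function names, seeded randomness and toy primes are the example's own.

```python
import math
import random

# Toy parameters for this added example (NOT the paper's code, NOT secure): s = 2,
# N = p*q for two small primes, arithmetic in Z*_{N^2}; T = 1 + N generates RU_{N^2}.
P, Q = 104723, 104729
N = P * Q
MOD = N ** 2
T = 1 + N                          # T^k = 1 + k*N (mod N^2), so T has order N

def sample_generators(rng, count=5):
    """g_1..g_5: random 2N-th powers of units, i.e. elements of SCR_{N^2}."""
    gs = []
    while len(gs) < count:
        r = rng.randrange(2, MOD)
        if math.gcd(r, N) == 1:
            gs.append(pow(r, 2 * N, MOD))
    return gs

def keygen(rng, gs):
    """sk = (x_1, y_1, ..., x_4, y_4) <- [N^2/4]; pk = (h_1..h_4) with
    h_j = g_j^{-x_j} g_{j+1}^{-y_j} (assumed form; it makes CalculateV match TableGen)."""
    sk = [rng.randrange(N * N // 4) for _ in range(8)]
    pk = [pow(gs[j], -sk[2 * j], MOD) * pow(gs[j + 1], -sk[2 * j + 1], MOD) % MOD
          for j in range(4)]
    return sk, pk

def column_for_row(c, l):
    """0-based column carrying the previous title in row l >= 1: the first c_1 rows use
    column 1, the next c_2 rows column 2, and so on (columns with c_k = 0 are skipped)."""
    acc = 0
    for k, ck in enumerate(c):
        acc += ck
        if l <= acc:
            return k
    raise ValueError("row index beyond table height")

def table_gen(pk, c, gs, rng):
    """TableGen(pk, c) of Figure 11(b): returns (table(c), v(c) = v_{sum c_j})."""
    height = sum(c)
    table, titles = [], []
    for l in range(height + 1):
        r = [rng.randrange(N // 4) for _ in range(4)]                    # r_{l,1..4}
        u = [pow(gs[0], r[0], MOD), pow(gs[1], r[0], MOD),
             pow(gs[1], r[1], MOD), pow(gs[2], r[1], MOD),
             pow(gs[2], r[2], MOD), pow(gs[3], r[2], MOD),
             pow(gs[3], r[3], MOD), pow(gs[4], r[3], MOD)]
        v_l = 1
        for j in range(4):                                               # v_l = prod h_j^{r_{l,j}}
            v_l = v_l * pow(pk[j], r[j], MOD) % MOD
        if l >= 1:                                                       # hide v_{l-1} in row l
            k = column_for_row(c, l)
            u[k] = u[k] * titles[l - 1] % MOD
        table.append(u)
        titles.append(v_l)
    return table, titles[height]

def calculate_v(sk, table, c):
    """CalculateV(sk, table(c), c) of Figure 11(c): peel the chained titles row by row."""
    v_hat = 1
    for l, row in enumerate(table):
        u = list(row)
        if l >= 1:
            k = column_for_row(c, l)
            u[k] = u[k] * pow(v_hat, -1, MOD) % MOD                      # u~_{l,k} / v^_{l-1}
        v_hat = 1
        for j in range(8):
            v_hat = v_hat * pow(u[j], -sk[j], MOD) % MOD                 # u_{l,j}^{-x_j} or ^{-y_j}
    return v_hat

def monomial(sk, c):
    """x_1^{c_1} y_1^{c_2} ... y_4^{c_8} evaluated on the secret key, as an integer."""
    return math.prod(sk[j] ** c[j] for j in range(8))

def hybrid3_shift(table, c, a):
    """Hybrid 3: multiply row 1, first nonzero-degree column, by T^a."""
    shifted = [list(row) for row in table]
    k = column_for_row(c, 1)
    shifted[1][k] = shifted[1][k] * pow(T, a, MOD) % MOD
    return shifted

def check_title_identities(c, a, seed=7):
    """(honest table gives v(c), shifted table gives v(c) * T^{-a * monomial}), cf. Eq. (63)."""
    rng = random.Random(seed)
    gs = sample_generators(rng)
    sk, pk = keygen(rng, gs)
    table, v = table_gen(pk, c, gs, rng)
    honest_ok = calculate_v(sk, table, c) == v
    v_hat = calculate_v(sk, hybrid3_shift(table, c, a), c)
    expected = v * pow(T, (-a * monomial(sk, c)) % N, MOD) % MOD         # exponent mod ord(T) = N
    return honest_ok, v_hat == expected

def roundtrip(S_set, m, seed=7):
    """E.Encrypt then E.Decrypt of Figure 11(a) over the degree tuples in S_set (m < N)."""
    rng = random.Random(seed)
    gs = sample_generators(rng)
    sk, pk = keygen(rng, gs)
    tables, e = {}, pow(T, m, MOD)
    for c in S_set:                                                      # e = prod v(c) * T^m
        tables[c], v = table_gen(pk, c, gs, rng)
        e = e * v % MOD
    t = pow(gs[0], m, N)                                                 # t = g_1^m mod N
    for c, table in tables.items():                                      # strip every title
        e = e * pow(calculate_v(sk, table, c), -1, MOD) % MOD
    if e % N != 1:                                                       # not in RU_{N^2}: reject
        return None
    m_rec = (e - 1) // N                                                 # dlog_T(1 + mN) = m
    return m_rec if pow(gs[0], m_rec, N) == t else None
```

The decryptor never learns the $r_{l,j}$; it strips each title only by raising the row entries to the secret exponents, which is why the $T^{a}$ factor injected into row 1 propagates into the final title as $T^{-a \cdot \text{monomial}}$ rather than being detected. Replace the toy primes by properly generated ones of at least 1024 bits before drawing any conclusion about concrete parameters.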
Appendix

A. Proof of Claim 19

We build a PPT adversary $\mathcal{B}$ against the INT-OT security of AE. Suppose that the INT-OT challenger picks a key $\kappa \leftarrow_\$ \mathcal{K}$ randomly. $\mathcal{B}$ is given $\mathsf{pars}_{\mathsf{AE}}$ and has one-time access to the oracle $\mathsf{encrypt}_{\mathsf{AE}}(\cdot) = \mathsf{AE.Encrypt}(\kappa, \cdot)$.

Firstly, $\mathcal{B}$ prepares $\mathsf{pars}_{\mathsf{AIAE}}$ in the same way as in $G'_{1,j}$. That is, it invokes $\mathsf{pars}_{\mathsf{THPS}} \leftarrow_\$ \mathsf{THPS.Setup}(1^\lambda)$, picks $\mathsf{H} \leftarrow_\$ \mathcal{H}$ randomly and sets $\mathsf{pars}_{\mathsf{AIAE}} := (\mathsf{pars}_{\mathsf{THPS}}, \mathsf{pars}_{\mathsf{AE}}, \mathsf{H})$. $\mathcal{B}$ sends $\mathsf{pars}_{\mathsf{AIAE}}$ to $\mathcal{A}$. Besides, $\mathcal{B}$ chooses $\mathsf{hk} \leftarrow_\$ \mathcal{HK}$.

For the $\ell$th ($\ell \in [Q_e]$) encrypt query $(m_\ell, \mathsf{ai}_\ell, f_\ell)$, where $f_\ell = \langle a_\ell, \mathbf{b}_\ell \rangle \in \mathcal{F}_{\mathrm{raff}}$, $\mathcal{B}$ prepares the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ in the following way.

(i) If $\ell \in [j-1]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, chooses $\kappa_\ell \leftarrow_\$ \mathcal{K}$ and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.

(ii) If $\ell \in [j+1, Q_e]$, $\mathcal{B}$ computes $\langle C_\ell, \chi_\ell \rangle$ just as in $G'_{1,j}$. That is, $\mathcal{B}$ picks $C_\ell \leftarrow_\$ \mathcal{V}$ with witness $w_\ell$, computes $t_\ell := \mathsf{H}(C_\ell, \mathsf{ai}_\ell)$ and $\kappa_\ell := \Lambda_{a_\ell \cdot \mathsf{hk} + \mathbf{b}_\ell}(C_\ell, t_\ell)$, and invokes $\chi_\ell \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa_\ell, m_\ell)$.

(iii) If $\ell = j$, $\mathcal{B}$ does not use the key $\mathsf{hk}$ at all and instead resorts to its own $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle. More precisely, $\mathcal{B}$ picks $C_j \leftarrow_\$ \mathcal{C} \setminus \mathcal{V}$ randomly and computes $t_j := \mathsf{H}(C_j, \mathsf{ai}_j)$. Then $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, queries its $\mathsf{encrypt}_{\mathsf{AE}}(\cdot)$ oracle with $m_j$ and gets the challenge $\chi_j$. By definition of the oracle, $\chi_j \leftarrow_\$ \mathsf{AE.Encrypt}(\kappa, m_j)$. As discussed in the proof of Lemma 18, $\kappa_j$ is uniformly random in $G'_{1,j}$. Therefore the simulation of $\mathcal{B}$ is the same as that in $G'_{1,j}$.

$\mathcal{B}$ outputs the challenge ciphertext $\langle C_\ell, \chi_\ell \rangle$ to $\mathcal{A}$. Moreover, $\mathcal{B}$ puts $(\mathsf{ai}_\ell, f_\ell, \langle C_\ell, \chi_\ell \rangle)$ into $\mathcal{Q}_{\mathsf{ENC}}$, $(\mathsf{ai}_\ell, f_\ell)$ into $\mathcal{Q}_{\mathsf{AI\text{-}F}}$ and $(C_\ell, \mathsf{ai}_\ell, t_\ell)$ into $\mathcal{Q}_{\mathsf{TAG}}$.

Finally, $\mathcal{A}$ sends a forgery $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle)$ to $\mathcal{B}$ with $f^* = \langle a^*, \mathbf{b}^* \rangle \in \mathcal{F}_{\mathrm{raff}}$. $\mathcal{B}$ prepares its own forgery with respect to the AE scheme as follows.

(i) If $(\mathsf{ai}^*, f^*, \langle C^*, \chi^* \rangle) \in \mathcal{Q}_{\mathsf{ENC}}$, $\mathcal{B}$ aborts the game.
(ii) If $\exists (\mathsf{ai}_\ell, f_\ell) \in \mathcal{Q}_{\mathsf{AI\text{-}F}}$ such that $\mathsf{ai}_\ell = \mathsf{ai}^*$ but $f_\ell \neq f^*$, $\mathcal{B}$ aborts the game.
(iii) If $C^* \notin \mathcal{C}$, $\mathcal{B}$ aborts the game.
(iv) $\mathcal{B}$ computes $t^* := \mathsf{H}(C^*, \mathsf{ai}^*) \in \mathcal{T}$.
(v) If $\exists (C_\ell, \mathsf{ai}_\ell, t_\ell) \in \mathcal{Q}_{\mathsf{TAG}}$ such that $t_\ell = t^*$ but $(C_\ell, \mathsf{ai}_\ell) \neq (C^*, \mathsf{ai}^*)$, $\mathcal{B}$ aborts the game.
(vi) If $t^* \neq t_j$, $\mathcal{B}$ aborts the game. If $t^* = t_j$, $\mathcal{B}$ outputs $\chi^*$ to its INT-OT challenger.

We analyze $\mathcal{B}$'s success probability. As discussed in the proof of Lemma 18, the subevent $\mathsf{Forge} \wedge t_j = t^*$ implies that $(\mathsf{ai}^*, f^*, C^*) = (\mathsf{ai}_j, f_j, C_j)$, $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$. Since $\mathcal{B}$ implicitly sets $\kappa_j = \kappa$, the key used by its challenger, the conditions $\chi^* \neq \chi_j$, $\kappa^* = \kappa_j$ and $\mathsf{AE.Decrypt}(\kappa^*, \chi^*) \neq \bot$ imply that $\chi^* \neq \chi_j$ and $\mathsf{AE.Decrypt}(\kappa, \chi^*) \neq \bot$; that is, the $\chi^*$ output by $\mathcal{B}$ is a fresh forgery under $\kappa$.

In summary, $\mathcal{B}$ perfectly simulates $G'_{1,j}$ for $\mathcal{A}$ and outputs a fresh forgery whenever the subevent $\mathsf{Forge} \wedge t_j = t^*$ occurs. Thus $\Pr'_{1,j}[\mathsf{Forge} \wedge t_j = t^*] \le \mathsf{Adv}^{\mathrm{int\text{-}ot}}_{\mathsf{AE}, \mathcal{B}}(\lambda)$. This completes the proof of Claim 19.
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3

To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}^{b}_{\mathsf{IV}_5}}(N, g_1, \dots, g_5)$ against the $\mathsf{IV}_5$ problem. Firstly, $\mathcal{B}$ generates secret and public keys in initialize as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$ of the monomial $x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}$ considered in Section 5.3. Then $\mathcal{B}$ simulates $\mathcal{E}$.Encrypt as follows.

(i) For the 0th row of table, $\mathcal{B}$ computes $(u_{0,1}, \dots, u_{0,8})$ and $v_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}^{b}_{\mathsf{IV}_5}$ oracle with $(a, 0, *, *, *)$ and obtains its challenge $(u^*_{1,1}, u^*_{1,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}}) = (u_{1,1}, u_{1,2})$, or
Case ($b = 1$): $(u^*_{1,1}, u^*_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}}) = (u_{1,1} T^{a}, u_{1,2})$.
$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^*_{1,1} \cdot v_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot v_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^{a} \cdot v_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(u_{1,3}, \dots, u_{1,8})$ of the 1st row using its public keys and sets the 1st row of table to be
$$(\tilde{u}_{1,1} = u^*_{1,1} \cdot v_0,\ u^*_{1,2},\ u_{1,3},\ \dots,\ u_{1,8}). \qquad (\mathrm{B.1})$$
$\mathcal{B}$ also computes $\hat{v}^*_1$ from $(u^*_{1,1}, u^*_{1,2}, u_{1,3}, \dots, u_{1,8})$ via $\hat{v}^*_1 := (u^*_{1,1})^{-x_{i_\ell,1}} (u^*_{1,2})^{-y_{i_\ell,1}} u_{1,3}^{-x_{i_\ell,2}} \cdots u_{1,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $\hat{v}^*_1 = v_1$, or
Case ($b = 1$): $\hat{v}^*_1 = v_1 T^{-a \cdot x_{i_\ell,1}}$.

(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}^{b}_{\mathsf{IV}_5}$ oracle with $(0, a \cdot x_{i_\ell,1}, *, *, *)$ (recall that $\mathcal{B}$ holds the secret keys) and obtains its challenge $(u^*_{2,1}, u^*_{2,2}, *, *, *)$, that is,
Case ($b = 0$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}}) = (u_{2,1}, u_{2,2})$, or
Case ($b = 1$): $(u^*_{2,1}, u^*_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}})$.
$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^*_{2,2} \cdot \hat{v}^*_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(v_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot v_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot v_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(u_{2,3}, \dots, u_{2,8})$ of the 2nd row using its public keys and sets the 2nd row of table to be
$$(u^*_{2,1},\ \tilde{u}_{2,2} = u^*_{2,2} \cdot \hat{v}^*_1,\ u_{2,3},\ \dots,\ u_{2,8}). \qquad (\mathrm{B.2})$$
$\mathcal{B}$ also computes $\hat{v}^*_2$ from $(u^*_{2,1}, u^*_{2,2}, u_{2,3}, \dots, u_{2,8})$ via $\hat{v}^*_2 := (u^*_{2,1})^{-x_{i_\ell,1}} (u^*_{2,2})^{-y_{i_\ell,1}} u_{2,3}^{-x_{i_\ell,2}} \cdots u_{2,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $\hat{v}^*_2 = v_2$, or
Case ($b = 1$): $\hat{v}^*_2 = v_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}^{b}_{\mathsf{IV}_5}$ oracle with $(*, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, *, *)$ and obtains its challenge $(*, u^*_{3,3}, u^*_{3,4}, *, *)$, that is,
Case ($b = 0$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}}) = (u_{3,3}, u_{3,4})$, or
Case ($b = 1$): $(u^*_{3,3}, u^*_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4})$.
$\mathcal{B}$ sets $\tilde{u}_{3,3} := u^*_{3,3} \cdot \hat{v}^*_2$; as before, $\tilde{u}_{3,3} = u_{3,3} \cdot v_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements of the 3rd row using its public keys and sets the 3rd row of table to be
$$(u_{3,1},\ u_{3,2},\ \tilde{u}_{3,3} = u^*_{3,3} \cdot \hat{v}^*_2,\ u^*_{3,4},\ u_{3,5},\ \dots,\ u_{3,8}). \qquad (\mathrm{B.3})$$
$\mathcal{B}$ also computes $\hat{v}^*_3$ from $(u_{3,1}, u_{3,2}, u^*_{3,3}, u^*_{3,4}, u_{3,5}, \dots, u_{3,8})$ via $\hat{v}^*_3 := u_{3,1}^{-x_{i_\ell,1}} u_{3,2}^{-y_{i_\ell,1}} (u^*_{3,3})^{-x_{i_\ell,2}} (u^*_{3,4})^{-y_{i_\ell,2}} u_{3,5}^{-x_{i_\ell,3}} \cdots u_{3,8}^{-y_{i_\ell,4}}$, which equals
Case ($b = 0$): $\hat{v}^*_3 = v_3$, or
Case ($b = 1$): $\hat{v}^*_3 = v_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.

(v) For the 4th to 8th rows, $\mathcal{B}$ fills table in the same manner, each time querying the oracle with the accumulated exponent $a \cdot x_{i_\ell,1} y_{i_\ell,1} \cdots$ in the position of the current column and placing $\hat{v}^*_{l-1}$ in the title-bearing entry of row $l$.

(vi) Finally, $\mathcal{B}$ computes $\hat{v}_0, \dots, \hat{v}_8$ from table just as in Hybrids 2 and 3 (that is, as the original $\mathcal{E}$.Decrypt algorithm does) and computes $e := \hat{v}_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j\in[4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2; if $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 therefore translates into $\mathcal{B}$'s advantage against the $\mathsf{IV}_5$ problem.
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural ScienceFoundation of China Grant nos 61672346 and 61373153
24 Security and Communication Networks
ℰc ℰEncrypt(pk m) mperp larr ℰDecrypt(sk ℰc)
For each c = (c1 c8) isin
(table (c) (c)) TableGen(pk c)
e = prodcisin(c) middot Tm mod Ns
t = gm1 mod N isin ZN
Output ℰc = ((table(c))cisin
e t)
Parse ℰc = ((table (c))cisin e t) For each c = (c1 c8) isin
(c) larr CalculateV(sk table (c) c) If e middot (prodcisin(c))minus1 isin RUN
m = T( e middot (prodcisin(c))minus1) mod Nsminus1If t = gm
1 mod N Output mOtherwise Output perp
larr$
larr$
d log
(a)
For each l isin 0 1 sum8j=1 cj
TableGen(pk = (ℎ1 ℎ2 ℎ3 ℎ4) c = (c1 c8))
rl1 rl2 rl3 rl4 [lfloorN4rfloor ]
(ul1 ul8) = (gr11 g
r12 g
r22 g
r23 g
r33 g
r34 g
r44 g
r45 ) mod Ns
l = ℎr11 ℎ
r22 ℎ
r33 ℎ
r44 mod Ns
Output (table(c) (c) = sum8=1 c)
table(c) =
u18middot middot middot
middot middot middot
middot middot middot
middot middot middot
middot middot middot
middot middot middot
middot middot middot
u12u11 middot 0
u08u02u01
d
d
d
d
uc1+11 uc1+11 middot c1 uc1+18
uc1+c21 uc1+c22 middot c1+c2minus1 uc1+c28
uc18uc12uc11 middot c1minus1
usum7=1 c+11
usum7=1 c+12
usum7=1 c+18 middot sum7
=1 c
usum8=1 c 1 usum8
=1 c 2usum8
=1 c 8 middot sum8=1 cminus1
c1
c2
c8rows
rows
rows
larr$
(b)
CalculateV(sk = (x1 y1 x4 y4) table(c) c = (c1 c8)) Parse table (c) = lisin01sum8
=1 cul8middot middot middotul2ul1
0 = uminusx101 u
minusy102 u
minusx203 u
minusy204 u
minusx305 u
minusy306 u
minusx407 u
minusy408
l = (ul1lminus1)minusx1 uminusy1l2
uminusx2l3
uminusy2l4
uminusx3l5
uminusy3l6
uminusx4l7
uminusy4l8
For each l isin 1 c1
For each l isin c1 + 1 c1 + c2
l = uminusx1l1
(ul2lminus1)minusy1 uminusx2l3
uminusy2l4
uminusx3l5
uminusy3l6
uminusx4l7
uminusy4l8
For each l isin sum7j=1 cj + 1 sum8
j=1 cj
l = uminusx1l1
uminusy1l2
uminusx2l3
uminusy2l4
uminusx3l5
uminusy3l6
uminusx4l7
(ul8lminus1)minusy4
Output ( ) = sum8=1 c
c
(c)
Figure 11 (a)EEncrypt (left) andEDecrypt (right) ofE designed forF119889poly (b) TableGen which generates table(c) together with a title V(c)
(c) CalculateV which calculates a title V(c) from table(c) using secret key
Security and Communication Networks 25
Clearly for each c = (1198881 1198888) isin S V(c) computedvia CalculateV is the same as V(c) computed via TableGenTherefore this change is just conceptual
Hybrid 3 This hybrid corresponds to G4 in the proof ofTheorem 24
(i) For each c = (1198881 1198888) isin S
(1) table(c) is computed by (table(c) V(c))larr$TableGen(pk119894ℓ c) except for a small differencemore precisely in table(c) the entry located inrow 1 and column 119895 fl min119894 | 1 le 119894 le 8 119888119894 = 0is now computed as 1119895 = (1119895119879119886(11988811198888)) sdot V0rather than 1119895 = 1119895 sdot V0 by the IV5
assumption this difference is computationallyundetectable
(2) extract V(c) from the (modified) table(c) byinvoking V(c) larr CalculateV(sk119894ℓ table(c) c)
(ii) Compute 119890 fl prodcisinSV(c) sdot1198791198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4]) mod119873119904 and119905 fl 1198921198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4])1 mod119873
Through a routine calculation for each c = (1198881 1198888) isinS we have
V(c) = V(c) sdot 119879minus119886(11988811198888)1199091198881119894ℓ 1
1199101198882119894ℓ 1
1199091198883119894ℓ 2
1199101198884119894ℓ 2
1199091198885119894ℓ 3
1199101198886119894ℓ 3
1199091198887119894ℓ 4
1199101198888119894ℓ 4 (63)
Hence
119890 = prodcisinS
V(c) sdot 1198791198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4])
= prodcisinS
V(c) sdot prodcisinS
119879minus119886(11988811198888)1199091198881119894ℓ 1
1199101198882119894ℓ 1
1199091198883119894ℓ 2
1199101198884119894ℓ 2
1199091198885119894ℓ 3
1199101198886119894ℓ 3
1199091198887119894ℓ 4
1199101198888119894ℓ4
sdot 1198791198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4]) = prodcisinS
V(c) sdot 119879120575(64)
Consequently Hybrid 3 can be implemented in an equiv-alent way
Hybrid 3 (Equivalent Form) (i) For each c = (1198881 1198888) isin S
table(c) is computed by (table(c) V(c))larr$TableGen(pk119894ℓ c) except for a small differenceMore precisely in table(c) the entry located in row1 and column 119895 fl min119894 | 1 le 119894 le 8 119888119894 = 0 is nowcomputed as 1119895 = (1119895119879119886(11988811198888)) sdot V0 rather than1119895 = 1119895 sdot V0
(ii) Compute 119890 fl prodcisinSV(c) sdot 119879120575 mod119873119904 and 119905 fl1198921198911015840ℓ ((119909119894ℓ 119895 119910119894ℓ 119895)119895isin[4])mod120601(119873)4
1 mod119873Now (1199091 1199101 1199094 1199104) mod119873 is not used in EEncrypt
any more
After these computationally indistinguishable changestheEEncrypt part of the encrypt oracle reserves the entropyof (1199091 1199101 1199094 1199104) mod119873
With a similar argument as that in Section 53 we canchange the decrypt oracle in a computationally indistin-guishable way so that (119909119895 119910119895)4119895=1 mod119873 is not employed atall
Appendix
A Proof of Claim 19
We build a PPT adversary B against the INT-OT securityof AE Suppose that the INT-OT challenger picks a key120581larr$ K randomly B is given parsAE and has access to theoracle encryptAE(sdot) = AEEncrypt(120581 sdot) for one time
Firstly B prepares parsAIAE in the same way as in G10158401119895
That is invoke parsTHPSlarr$ THPSSetup(1120582) pick Hlarr$ Hrandomly and set parsAIAE fl (parsTHPS parsAEH)B sendsparsAIAE toA BesidesB chooses hklarr$ HK
As for the ℓth (ℓ isin [119876119890]) encrypt query (119898ℓ aiℓ 119891ℓ)where 119891ℓ = ⟨119886ℓ bℓ⟩ isin Fraff B prepares the challengeciphertext ⟨119862ℓ 120594ℓ⟩ in the following way
(i) If ℓ isin [119895minus1]B computes ⟨119862ℓ 120594ℓ⟩ just like that inG10158401119895
That is B picks 119862ℓlarr$ V with witness 119908ℓ chooses120581ℓlarr$ K and invokes 120594ℓlarr$ AEEncrypt(120581ℓ 119898ℓ)(ii) If ℓ isin [119895 + 1 119876119890] B computes ⟨119862ℓ 120594ℓ⟩ just like that
in G10158401119895 That is B picks 119862ℓlarr$ V with witness 119908ℓ
computes 119905ℓ fl H(119862ℓ aiℓ) and 120581ℓ fl Λ 119886ℓ sdothk+bℓ(119862ℓ 119905ℓ)
and invokes 120594ℓlarr$ AEEncrypt(120581ℓ 119898ℓ)(iii) If ℓ = 119895 B does not use the key hk at all and
instead it will resort to its own encryptAE(sdot) oracleMore precisely B picks 119862119895larr$ C V randomly andcomputes 119905119895 fl H(119862119895 ai119895) Then B implicitly sets120581119895 = 120581 as the key used by its challenger and queriesits encryptAE(sdot) oracle with119898119895 and gets the challenge120594119895According to the encryptAE(sdot) oracle we have120594119895larr$ AEEncrypt(120581119898119895) As discussed in the proof ofLemma 18 120581119895 is uniformly random inG1015840
1119895 Thereforethe simulation ofB is the same as that in G1015840
1119895
B outputs the challenge ciphertext ⟨119862ℓ 120594ℓ⟩ toA MoreoverB puts (aiℓ 119891ℓ ⟨119862ℓ 120594ℓ⟩) to QENC (aiℓ 119891ℓ) to QAI-F and(119862ℓ aiℓ 119905ℓ) to QTAG
Finally A sends a forgery (ailowast 119891lowast ⟨119862lowast 120594lowast⟩) to B with119891lowast = ⟨119886lowast blowast⟩ isin Fraff B prepares its own forgery withrespect to the AE scheme as follows
(i) If (ailowast 119891lowast ⟨119862lowast 120594lowast⟩) isin QENCB aborts the game(ii) If exist(aiℓ 119891ℓ) isin QAI-F such that aiℓ = ailowast but 119891ℓ = 119891lowast
B aborts the game(iii) If 119862lowast notin CB aborts the game(iv) B computes 119905lowast fl H(119862lowast ailowast) isin T(v) If exist(119862ℓ aiℓ 119905ℓ) isin QTAG such that 119905ℓ = 119905lowast but(119862ℓ aiℓ) = (119862lowast ailowast)B aborts the game(vi) If 119905lowast = 119905119895B aborts the game If 119905lowast = 119905119895B outputs 120594lowast
to its INT-OT challenger
26 Security and Communication Networks
We analyze Brsquos success probability As discussed in theproof of Lemma 18 the subevent Forge and 119905119895 = 119905lowast will implythat (ailowast 119891lowast 119862lowast) = (ai119895 119891119895 119862119895) 120594lowast = 120594119895 120581lowast = 120581119895 andAEDecrypt(120581lowast 120594lowast) =perp Since B implicitly sets 120581119895 = 120581as the key used by its challenger then 120594lowast = 120594119895 120581lowast =120581119895 and AEDecrypt(120581lowast 120594lowast) =perp implies that 120594lowast = 120594119895 andAEDecrypt(120581 120594lowast) =perp that is the 120594lowast output by B is a freshforgery
In summaryB perfectly simulatesG10158401119895 forA and outputs
a fresh forgery as long as the subevent Forgeand 119905119895 = 119905lowast occursThus we have that Pr11198951015840[Forge and 119905119895 = 119905lowast] le Advint-otAEB(120582) Thiscompletes the proof of Claim 19
B. Proof of Indistinguishability between Hybrids 2 and 3 in Section 5.3
To show the indistinguishability between Hybrids 2 and 3, we build a PPT adversary $\mathcal{B}^{\mathsf{chal}_b^{\mathrm{IV5}}}(N, g_1, \ldots, g_5)$ to solve the IV5 problem. Firstly, $\mathcal{B}$ generates secret and public keys in $\mathsf{initialize}$ as Hybrid 0 does. When $\mathcal{A}$ submits an encryption query $(f_\ell, i_\ell \in [n])$, $\mathcal{B}$ reduces $(f_\ell, i_\ell \in [n])$ to $(f'_\ell, i_\ell \in [n])$ as Hybrid 1 does and obtains the coefficient $a$. Then $\mathcal{B}$ simulates $\mathcal{E}.\mathrm{Encrypt}$ as follows.
(i) For the 0th row of $\mathsf{table}$, $\mathcal{B}$ computes $(\tilde{u}_{0,1}, \ldots, \tilde{u}_{0,8})$ and $V_0$ as in Hybrids 2 and 3.
(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathrm{IV5}}$ oracle with $(a, 0, \star, \star, \star)$ and obtains its challenge $(u^\star_{1,1}, u^\star_{1,2}, \star, \star, \star)$, that is,

$$
\text{Case } (b = 0):\ (u^\star_{1,1}, u^\star_{1,2}) = (g_1^{r_1}, g_2^{r_1}) = (u_{1,1}, u_{1,2}), \qquad\text{or}\qquad
\text{Case } (b = 1):\ (u^\star_{1,1}, u^\star_{1,2}) = (g_1^{r_1} T^{a}, g_2^{r_1}) = (u_{1,1} T^{a}, u_{1,2}).
$$

$\mathcal{B}$ sets $\tilde{u}_{1,1} := u^\star_{1,1} \cdot V_0$, which is $\tilde{u}_{1,1} = u_{1,1} \cdot V_0$ if $b = 0$ and $\tilde{u}_{1,1} = u_{1,1} T^{a} \cdot V_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(\tilde{u}_{1,3}, \ldots, \tilde{u}_{1,8})$ in the 1st row of $\mathsf{table}$ using its public keys and sets the 1st row of $\mathsf{table}$ to be

$$
\bigl(\tilde{u}_{1,1} = u^\star_{1,1} \cdot V_0,\ u^\star_{1,2},\ \tilde{u}_{1,3},\ \cdots,\ \tilde{u}_{1,8}\bigr). \tag{B.1}
$$

$\mathcal{B}$ also computes $V^\star_1$ from $(u^\star_{1,1}, u^\star_{1,2}, \tilde{u}_{1,3}, \ldots, \tilde{u}_{1,8})$ via

$$
V^\star_1 := (u^\star_{1,1})^{-x_{i_\ell,1}} (u^\star_{1,2})^{-y_{i_\ell,1}}\, \tilde{u}_{1,3}^{-x_{i_\ell,2}} \cdots \tilde{u}_{1,8}^{-y_{i_\ell,4}},
$$

which equals

$$
\text{Case } (b = 0):\ V^\star_1 = V_1, \qquad\text{or}\qquad \text{Case } (b = 1):\ V^\star_1 = V_1 \cdot T^{-a \cdot x_{i_\ell,1}}.
$$
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathrm{IV5}}$ oracle with $(0, a \cdot x_{i_\ell,1}, \star, \star, \star)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(u^\star_{2,1}, u^\star_{2,2}, \star, \star, \star)$, that is,

$$
\text{Case } (b = 0):\ (u^\star_{2,1}, u^\star_{2,2}) = (g_1^{r_2}, g_2^{r_2}) = (u_{2,1}, u_{2,2}), \qquad\text{or}\qquad
\text{Case } (b = 1):\ (u^\star_{2,1}, u^\star_{2,2}) = (g_1^{r_2}, g_2^{r_2} T^{a \cdot x_{i_\ell,1}}) = (u_{2,1}, u_{2,2} T^{a \cdot x_{i_\ell,1}}).
$$

$\mathcal{B}$ sets $\tilde{u}_{2,2} := u^\star_{2,2} \cdot V^\star_1$, that is, $\tilde{u}_{2,2} = u_{2,2} \cdot V_1$ if $b = 0$ and $\tilde{u}_{2,2} = (u_{2,2} T^{a \cdot x_{i_\ell,1}})(V_1 T^{-a \cdot x_{i_\ell,1}}) = u_{2,2} \cdot V_1$ if $b = 1$. Thus $\tilde{u}_{2,2} = u_{2,2} \cdot V_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(\tilde{u}_{2,3}, \ldots, \tilde{u}_{2,8})$ in the 2nd row of $\mathsf{table}$ using its public keys and sets the 2nd row of $\mathsf{table}$ to be

$$
\bigl(u^\star_{2,1},\ \tilde{u}_{2,2} = u^\star_{2,2} \cdot V^\star_1,\ \tilde{u}_{2,3},\ \cdots,\ \tilde{u}_{2,8}\bigr). \tag{B.2}
$$

$\mathcal{B}$ also computes $V^\star_2$ from $(u^\star_{2,1}, u^\star_{2,2}, \tilde{u}_{2,3}, \ldots, \tilde{u}_{2,8})$ via

$$
V^\star_2 := (u^\star_{2,1})^{-x_{i_\ell,1}} (u^\star_{2,2})^{-y_{i_\ell,1}}\, \tilde{u}_{2,3}^{-x_{i_\ell,2}} \cdots \tilde{u}_{2,8}^{-y_{i_\ell,4}},
$$

which equals

$$
\text{Case } (b = 0):\ V^\star_2 = V_2, \qquad\text{or}\qquad \text{Case } (b = 1):\ V^\star_2 = V_2 \cdot T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}.
$$
(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathrm{IV5}}$ oracle with $(\star, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, \star, \star)$ and obtains its challenge $(\star, u^\star_{3,3}, u^\star_{3,4}, \star, \star)$, that is,

$$
\text{Case } (b = 0):\ (u^\star_{3,3}, u^\star_{3,4}) = (g_2^{r_3}, g_3^{r_3}) = (u_{3,3}, u_{3,4}), \qquad\text{or}\qquad
\text{Case } (b = 1):\ (u^\star_{3,3}, u^\star_{3,4}) = (g_2^{r_3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_3}) = (u_{3,3} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, u_{3,4}).
$$

$\mathcal{B}$ sets $\tilde{u}_{3,3} := u^\star_{3,3} \cdot V^\star_2$; similarly, it is easy to check that $\tilde{u}_{3,3} = u_{3,3} \cdot V_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of $\mathsf{table}$ using its public keys and sets the 3rd row of $\mathsf{table}$ to be

$$
\bigl(\tilde{u}_{3,1},\ \tilde{u}_{3,2},\ \tilde{u}_{3,3} = u^\star_{3,3} \cdot V^\star_2,\ u^\star_{3,4},\ \tilde{u}_{3,5},\ \cdots,\ \tilde{u}_{3,8}\bigr). \tag{B.3}
$$

$\mathcal{B}$ also computes $V^\star_3$ from $(\tilde{u}_{3,1}, \tilde{u}_{3,2}, u^\star_{3,3}, u^\star_{3,4}, \tilde{u}_{3,5}, \ldots, \tilde{u}_{3,8})$ via

$$
V^\star_3 := \tilde{u}_{3,1}^{-x_{i_\ell,1}}\, \tilde{u}_{3,2}^{-y_{i_\ell,1}}\, (u^\star_{3,3})^{-x_{i_\ell,2}} (u^\star_{3,4})^{-y_{i_\ell,2}}\, \tilde{u}_{3,5}^{-x_{i_\ell,3}} \cdots \tilde{u}_{3,8}^{-y_{i_\ell,4}},
$$

which equals

$$
\text{Case } (b = 0):\ V^\star_3 = V_3, \qquad\text{or}\qquad \text{Case } (b = 1):\ V^\star_3 = V_3 \cdot T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}.
$$
(v) For the 4th to 8th rows, $\mathcal{B}$ computes $\mathsf{table}$ similarly as above.
(vi) Finally, $\mathcal{B}$ computes $V_0, \ldots, V_8$ from $\mathsf{table}$ just as in Hybrids 2 and 3 (also as the original $\mathcal{E}.\mathrm{Decrypt}$ algorithm) and computes $e := V_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.
If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the IV5 problem.
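The pattern that step (v) applies to rows 4 to 8 is the one rows 1 to 3 exhibit: the $T$-factor the oracle plants in the diagonal element of row $i$ is cancelled by the $T$-factor carried by $V^\star_{i-1}$, and a $T$-factor with one more secret-key component in its exponent reappears in $V^\star_i$. The general step below is an added derivation and not part of the original proof; it covers the case the proof writes out, in which each of the eight secret-key components of user $i_\ell$ occurs with exponent one, and the shorthand $z_1, \ldots, z_8$ for those components, $\beta$ for the oracle's hidden bit times $a$, and $w_{i,k}$ for the unchained row elements is introduced here only and is not notation of the paper.

$$
\begin{aligned}
&(z_1, z_2, z_3, z_4, z_5, z_6, z_7, z_8) := (x_{i_\ell,1},\, y_{i_\ell,1},\, x_{i_\ell,2},\, y_{i_\ell,2},\, x_{i_\ell,3},\, y_{i_\ell,3},\, x_{i_\ell,4},\, y_{i_\ell,4}), \qquad \beta := b \cdot a \in \{0, a\}. \\[6pt]
&\text{Row 1 (query } (a, 0, \star, \star, \star)\text{):}\quad
u^\star_{1,1} = u_{1,1} \cdot T^{\beta}, \quad u^\star_{1,2} = u_{1,2}, \quad
\tilde{u}_{1,1} := u^\star_{1,1} \cdot V_0 = u_{1,1} T^{\beta} \cdot V_0, \\
&\qquad V^\star_1 := (u^\star_{1,1})^{-z_1} (u^\star_{1,2})^{-z_2}\, \tilde{u}_{1,3}^{-z_3} \cdots \tilde{u}_{1,8}^{-z_8}
 = V_1 \cdot (T^{\beta})^{-z_1} = V_1 \cdot T^{-\beta z_1}. \\[6pt]
&\text{Row } i \ (2 \le i \le 8)\text{: } \mathcal{B} \text{ asks for } a\, z_1 \cdots z_{i-1} \text{ in the oracle component that becomes column } i \text{ and for } 0 \text{ in the other component of that pair, so} \\
&\qquad u^\star_{i,i} = u_{i,i} \cdot T^{\beta z_1 \cdots z_{i-1}} \text{ and every other element of row } i \text{ equals its honest value;} \\
&\qquad \tilde{u}_{i,i} := u^\star_{i,i} \cdot V^\star_{i-1}
 = u_{i,i}\, T^{\beta z_1 \cdots z_{i-1}} \cdot V_{i-1}\, T^{-\beta z_1 \cdots z_{i-1}}
 = u_{i,i} \cdot V_{i-1} \qquad (\text{independent of } b); \\
&\qquad V^\star_i := \prod_{k=1}^{8} w_{i,k}^{-z_k}
 \;\; \text{with } w_{i,k} \in \{u^\star_{i,k}, \tilde{u}_{i,k}\} \text{ the unchained column-}k \text{ element of row } i, \\
&\qquad\phantom{V^\star_i} = V_i \cdot \bigl(T^{\beta z_1 \cdots z_{i-1}}\bigr)^{-z_i}
 = V_i \cdot T^{-\beta z_1 \cdots z_i}. \\[6pt]
&\text{By induction from } V^\star_1 = V_1 T^{-\beta z_1}\text{:}\quad V^\star_i = V_i \cdot T^{-\beta z_1 \cdots z_i} \text{ for all } 1 \le i \le 8, \quad\text{in particular}\quad
V^\star_8 = V_8 \cdot T^{-\beta z_1 z_2 \cdots z_8}.
\end{aligned}
$$

The consequence is the claim of step (vi): every chained entry $\tilde{u}_{i,i}$ with $i \ge 2$ equals its honest value $u_{i,i} V_{i-1}$ whichever bit the oracle holds, so the only $b$-dependent entry of $\mathsf{table}$ is $\tilde{u}_{1,1} = u_{1,1} T^{\beta} V_0$. For $b = 0$ ($\beta = 0$) the table is that of Hybrid 2; for $b = 1$ ($\beta = a$) it is the table of Hybrid 3 with its row-1 perturbation $T^{a}$, and the factor $T^{-a z_1 \cdots z_8}$ that then appears in $V^\star_8$ is exactly the factor by which the value Hybrid 3 extracts for this monomial differs from the value Hybrid 2 extracts.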
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).
Security and Communication Networks 27
26 Security and Communication Networks
We analyze Brsquos success probability As discussed in theproof of Lemma 18 the subevent Forge and 119905119895 = 119905lowast will implythat (ailowast 119891lowast 119862lowast) = (ai119895 119891119895 119862119895) 120594lowast = 120594119895 120581lowast = 120581119895 andAEDecrypt(120581lowast 120594lowast) =perp Since B implicitly sets 120581119895 = 120581as the key used by its challenger then 120594lowast = 120594119895 120581lowast =120581119895 and AEDecrypt(120581lowast 120594lowast) =perp implies that 120594lowast = 120594119895 andAEDecrypt(120581 120594lowast) =perp that is the 120594lowast output by B is a freshforgery
In summaryB perfectly simulatesG10158401119895 forA and outputs
a fresh forgery as long as the subevent Forgeand 119905119895 = 119905lowast occursThus we have that Pr11198951015840[Forge and 119905119895 = 119905lowast] le Advint-otAEB(120582) Thiscompletes the proof of Claim 19
B Proof of Indistinguishability betweenHybrids 2 and 3 in Section 53
To show the indistinguishability between Hybrids 2 and 3we build a PPT adversaryBchal119887IV5 (119873 1198921 1198925) to solve theIV5 problem Firstly B generates secret and public keys ininitialize as Hybrid 0 doesWhenA submits an encryptionquery (119891ℓ 119894ℓ isin [119899])B reduces (119891ℓ 119894ℓ isin [119899]) to (1198911015840
ℓ 119894ℓ isin [119899]) asHybrid 1 does and obtains the coefficient 119886ThenB simulatesEEncrypt as follows
(i) For the 0th row of table, $\mathcal{B}$ computes $(\mathsf{table}_{0,1}, \ldots, \mathsf{table}_{0,8})$ and $V_0$ as in Hybrids 2 and 3.

(ii) For the 1st row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathrm{IV5}}$ oracle with $(a, 0, \ast, \ast, \ast)$ and obtains its challenge $(\ast_{1,1}, \ast_{1,2}, \ast, \ast, \ast)$, that is,

Case ($b = 0$): $(\ast_{1,1}, \ast_{1,2}) = (g_1^{r_{1,1}}, g_2^{r_{1,1}})$, the honest entries $(\mathsf{table}_{1,1}, \mathsf{table}_{1,2})$, or
Case ($b = 1$): $(\ast_{1,1}, \ast_{1,2}) = (g_1^{r_{1,1}} T^{a}, g_2^{r_{1,1}})$, that is, the honest entries with $\mathsf{table}_{1,1}$ multiplied by $T^{a}$.

$\mathcal{B}$ sets $\mathsf{table}_{1,1} := \ast_{1,1} \cdot V_0$, which is $g_1^{r_{1,1}} \cdot V_0$ if $b = 0$ and $g_1^{r_{1,1}} T^{a} \cdot V_0$ if $b = 1$. Then $\mathcal{B}$ generates the remaining elements $(\mathsf{table}_{1,3}, \ldots, \mathsf{table}_{1,8})$ in the 1st row of table using its public keys and sets the 1st row of table to be
\[
\big(\underbrace{\ast_{1,1} \cdot V_0}_{\mathsf{table}_{1,1}},\ \ast_{1,2},\ \mathsf{table}_{1,3},\ \cdots,\ \mathsf{table}_{1,8}\big). \tag{B.1}
\]
$\mathcal{B}$ also computes $V_1^{\ast}$ from $(\ast_{1,1}, \ast_{1,2}, \mathsf{table}_{1,3}, \ldots, \mathsf{table}_{1,8})$ via
\[
V_1^{\ast} := \ast_{1,1}^{-x_{i_\ell,1}} \cdot \ast_{1,2}^{-y_{i_\ell,1}} \cdot \mathsf{table}_{1,3}^{-x_{i_\ell,2}} \cdots \mathsf{table}_{1,8}^{-y_{i_\ell,4}},
\]
which equals

Case ($b = 0$): $V_1^{\ast} = V_1$, or
Case ($b = 1$): $V_1^{\ast} = V_1 T^{-a \cdot x_{i_\ell,1}}$.
(iii) For the 2nd row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathrm{IV5}}$ oracle with $(0, a \cdot x_{i_\ell,1}, \ast, \ast, \ast)$ (remember that $\mathcal{B}$ has the secret keys) and obtains its challenge $(\ast_{2,1}, \ast_{2,2}, \ast, \ast, \ast)$, that is,

Case ($b = 0$): $(\ast_{2,1}, \ast_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}})$, the honest entries $(\mathsf{table}_{2,1}, \mathsf{table}_{2,2})$, or
Case ($b = 1$): $(\ast_{2,1}, \ast_{2,2}) = (g_1^{r_{2,1}}, g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}})$, that is, the honest entries with $\mathsf{table}_{2,2}$ multiplied by $T^{a \cdot x_{i_\ell,1}}$.

$\mathcal{B}$ sets $\mathsf{table}_{2,2} := \ast_{2,2} \cdot V_1^{\ast}$, that is, $\mathsf{table}_{2,2} = g_2^{r_{2,1}} \cdot V_1$ if $b = 0$ and $\mathsf{table}_{2,2} = (g_2^{r_{2,1}} T^{a \cdot x_{i_\ell,1}})(V_1 T^{-a \cdot x_{i_\ell,1}}) = g_2^{r_{2,1}} \cdot V_1$ if $b = 1$.

Thus $\mathsf{table}_{2,2} = g_2^{r_{2,1}} \cdot V_1$ in both cases. Then $\mathcal{B}$ generates the remaining elements $(\mathsf{table}_{2,3}, \ldots, \mathsf{table}_{2,8})$ in the 2nd row of table using its public keys and sets the 2nd row of table to be
\[
\big(\ast_{2,1},\ \underbrace{\ast_{2,2} \cdot V_1^{\ast}}_{\mathsf{table}_{2,2}},\ \mathsf{table}_{2,3},\ \cdots,\ \mathsf{table}_{2,8}\big). \tag{B.2}
\]
$\mathcal{B}$ also computes $V_2^{\ast}$ from $(\ast_{2,1}, \ast_{2,2}, \mathsf{table}_{2,3}, \ldots, \mathsf{table}_{2,8})$ via
\[
V_2^{\ast} := \ast_{2,1}^{-x_{i_\ell,1}} \cdot \ast_{2,2}^{-y_{i_\ell,1}} \cdot \mathsf{table}_{2,3}^{-x_{i_\ell,2}} \cdots \mathsf{table}_{2,8}^{-y_{i_\ell,4}},
\]
which equals

Case ($b = 0$): $V_2^{\ast} = V_2$, or
Case ($b = 1$): $V_2^{\ast} = V_2 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.
(iv) For the 3rd row, $\mathcal{B}$ queries its own $\mathsf{chal}_b^{\mathrm{IV5}}$ oracle with $(\ast, a \cdot x_{i_\ell,1} y_{i_\ell,1}, 0, \ast, \ast)$ and obtains its challenge $(\ast, \ast_{3,3}, \ast_{3,4}, \ast, \ast)$, that is,

Case ($b = 0$): $(\ast_{3,3}, \ast_{3,4}) = (g_2^{r_{3,2}}, g_3^{r_{3,2}})$, the honest entries $(\mathsf{table}_{3,3}, \mathsf{table}_{3,4})$, or
Case ($b = 1$): $(\ast_{3,3}, \ast_{3,4}) = (g_2^{r_{3,2}} T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}, g_3^{r_{3,2}})$, that is, the honest entries with $\mathsf{table}_{3,3}$ multiplied by $T^{a \cdot x_{i_\ell,1} y_{i_\ell,1}}$.

$\mathcal{B}$ sets $\mathsf{table}_{3,3} := \ast_{3,3} \cdot V_2^{\ast}$; similarly, it is easy to check that $\mathsf{table}_{3,3} = g_2^{r_{3,2}} \cdot V_2$ in both cases. Then $\mathcal{B}$ generates the remaining elements in the 3rd row of table using its public keys and sets the 3rd row of table to be
\[
\big(\mathsf{table}_{3,1},\ \mathsf{table}_{3,2},\ \underbrace{\ast_{3,3} \cdot V_2^{\ast}}_{\mathsf{table}_{3,3}},\ \ast_{3,4},\ \mathsf{table}_{3,5},\ \cdots,\ \mathsf{table}_{3,8}\big). \tag{B.3}
\]
$\mathcal{B}$ also computes $V_3^{\ast}$ from $(\mathsf{table}_{3,1}, \mathsf{table}_{3,2}, \ast_{3,3}, \ast_{3,4}, \mathsf{table}_{3,5}, \ldots, \mathsf{table}_{3,8})$ via
\[
V_3^{\ast} := \mathsf{table}_{3,1}^{-x_{i_\ell,1}} \cdot \mathsf{table}_{3,2}^{-y_{i_\ell,1}} \cdot \ast_{3,3}^{-x_{i_\ell,2}} \cdot \ast_{3,4}^{-y_{i_\ell,2}} \cdot \mathsf{table}_{3,5}^{-x_{i_\ell,3}} \cdots \mathsf{table}_{3,8}^{-y_{i_\ell,4}},
\]
which equals

Case ($b = 0$): $V_3^{\ast} = V_3$, or
Case ($b = 1$): $V_3^{\ast} = V_3 T^{-a \cdot x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2}}$.
(v) For the 4th to 8th rows, $\mathcal{B}$ computes table similarly as above.

(vi) Finally, $\mathcal{B}$ computes $V_0, \ldots, V_8$ from table just as in Hybrids 2 and 3 (also as the original $\mathsf{E.Decrypt}$ algorithm) and computes $e := V_8 \cdot T^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N^s$ and $t := g_1^{f'_\ell((x_{i_\ell,j}, y_{i_\ell,j})_{j \in [4]})} \bmod N$ using the secret keys.

If $b = 0$, $\mathcal{B}$ perfectly simulates Hybrid 2. If $b = 1$, $\mathcal{B}$ perfectly simulates Hybrid 3. Any difference between Hybrids 2 and 3 results in $\mathcal{B}$'s advantage over the IV5 problem.
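Steps (ii) to (iv) are three instances of a single invariant. The following derivation is added here and is not part of the paper; it carries the bookkeeping of the $T$-powers through all eight rows under the assumption that rows 4 to 8 follow the pattern of rows 1 to 3, namely that for row $k$ the adversary $\mathcal{B}$ places the exponent $a\,\pi_{k-1}$ in the oracle position that feeds column $k$ of that row. Write $(s_1, \ldots, s_8) = (x_{i_\ell,1}, y_{i_\ell,1}, x_{i_\ell,2}, y_{i_\ell,2}, x_{i_\ell,3}, y_{i_\ell,3}, x_{i_\ell,4}, y_{i_\ell,4})$, $\pi_0 = 1$, $\pi_k = s_1 s_2 \cdots s_k$, and $h_{k,k}$ for the honest group element the oracle returns in column $k$ of row $k$ when $b = 0$ (so $h_{1,1} = g_1^{r_{1,1}}$, $h_{2,2} = g_2^{r_{2,1}}$, $h_{3,3} = g_2^{r_{3,2}}$).

Claim. For $b = 1$ and every $k \in [8]$,
\[
\ast_{k,k} = h_{k,k}\, T^{a\,\pi_{k-1}}, \qquad V_k^{\ast} = V_k\, T^{-a\,\pi_k}. \tag{$\dagger$}
\]
For $k = 1$ the query $(a, 0, \ast, \ast, \ast)$ gives $\ast_{1,1} = h_{1,1} T^{a} = h_{1,1} T^{a \pi_0}$; in $V_1^{\ast}$ the factor $\ast_{1,1}$ is raised to $-s_1 = -x_{i_\ell,1}$ while the other seven factors carry no $T$-power, so $V_1^{\ast} = V_1 T^{-a s_1} = V_1 T^{-a \pi_1}$. Now assume $(\dagger)$ for $k - 1 \ge 1$. Row $k$ is queried with $a \pi_{k-1}$ in the position of column $k$, so $\ast_{k,k} = h_{k,k} T^{a \pi_{k-1}}$ and the remaining entries of row $k$ are the honest ones; hence
\[
V_k^{\ast} = \Big(\prod_{c \neq k} \mathsf{table}_{k,c}^{-s_c}\Big) \cdot \big(h_{k,k}\, T^{a \pi_{k-1}}\big)^{-s_k} = V_k\, T^{-a\, \pi_{k-1} s_k} = V_k\, T^{-a\, \pi_k}.
\]
The entry that $\mathcal{B}$ actually writes into the table is
\[
\mathsf{table}_{k,k} := \ast_{k,k} \cdot V_{k-1}^{\ast} = h_{k,k}\, T^{a \pi_{k-1}} \cdot V_{k-1}\, T^{-a \pi_{k-1}} = h_{k,k} \cdot V_{k-1},
\]
which is exactly the value obtained when $b = 0$. So for every $k \ge 2$ the diagonal entry $\mathsf{table}_{k,k}$ coincides in both cases (the "in both cases" observation made for $k = 2, 3$ above), the only entry of table that depends on the challenge bit is $\mathsf{table}_{1,1} = \ast_{1,1} \cdot V_0$, and after the last row
\[
V_8^{\ast} = V_8\, T^{-a\, x_{i_\ell,1} y_{i_\ell,1} x_{i_\ell,2} y_{i_\ell,2} x_{i_\ell,3} y_{i_\ell,3} x_{i_\ell,4} y_{i_\ell,4}},
\]
that is, the injected coefficient $a$ ends up attached to the degree-8 monomial in the secret-key components of user $i_\ell$.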
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Grant nos. 61672346 and 61373153).