Circular chosen-ciphertext security with compact ciphertexts


Dennis Hofheinz

January 19, 2013

Abstract

A key-dependent message (KDM) secure encryption scheme is secure even if an adversary obtains encryptions of messages that depend on the secret key. Such key-dependent encryptions naturally occur in scenarios such as harddisk encryption, formal cryptography, or in specific protocols. However, there are not many provably secure constructions of KDM-secure encryption schemes. Moreover, only one construction, due to Camenisch, Chandran, and Shoup (Eurocrypt 2009), is known to be secure against active (i.e., CCA) attacks. In this work, we construct the first public-key encryption scheme that is KDM-secure against active adversaries and has compact ciphertexts. As usual, we allow only circular key dependencies, meaning that encryptions of arbitrary entire secret keys under arbitrary public keys are considered in a multi-user setting. Technically, we follow the approach of Boneh, Halevi, Hamburg, and Ostrovsky (Crypto 2008) to KDM security, which however only achieves security against passive adversaries. We explain an inherent problem in adapting their techniques to active security, and resolve this problem using a new technical tool called lossy algebraic filters (LAFs). We stress that we significantly deviate from the approach of Camenisch, Chandran, and Shoup to obtain KDM security against active adversaries. This allows us to develop a scheme with compact ciphertexts that consist only of a constant number of group elements.

Keywords: key-dependent messages, chosen-ciphertext security, public-key encryption.

1 Introduction

KDM security. An encryption scheme is key-dependent message (KDM) secure if it is secure even against an adversary who has access to encryptions of messages that depend on the secret key. Such a setting arises, e.g., in harddisk encryption [12], computational soundness results in formal methods [8, 3], or specific protocols [15].
KDM security does not follow from standard security [2, 17], and there are indications [23, 6] that KDM security (at least in its most general form) cannot be proven using standard techniques; it seems that dedicated constructions and proof techniques are necessary.^1

The BHHO approach to KDM-CPA security. Boneh, Halevi, Hamburg, and Ostrovsky [12] (henceforth BHHO) were the first to construct and prove a public-key encryption (PKE) scheme that is KDM secure under chosen-plaintext attacks (KDM-CPA-secure) in the standard model, under the Decisional Diffie-Hellman (DDH) assumption. While they did not prove their scheme secure under messages that arbitrarily depend on the secret key, their result encompasses the important case of circular (CIRC-CPA) security. Loosely speaking, a PKE scheme is circular secure if it is secure even in a multi-user setting where encryptions of arbitrary secret keys under arbitrary public keys are known. This notion is sufficient for certain applications [15], and can often be extended to stronger forms of KDM security [6, 14]. Inspired by BHHO, KDM-CPA-secure PKE schemes from other computational assumptions followed [5, 13, 28].

* Supported by DFG grant GZ HO 4534/

^1 We mention, however, that there are semi-generic transformations that enhance the KDM security of an already slightly KDM-secure scheme [6, 14, 4].

Since we will be using a similar approach, we give a high-level intuition of BHHO's approach. The crucial property of their scheme is that it is publicly possible to construct encryptions of the secret key (under the corresponding public key). Thus, encryptions of the secret key itself do not harm the (IND-CPA) security of that scheme. Suitable homomorphic properties of both keys and ciphertexts allow to extend this argument to circular security (for arbitrarily many users/keys), and to affine functions of all keys.

Why the BHHO approach fails to achieve KDM-CCA security. When considering an active adversary, we require a stronger form of KDM security. Namely, KDM-CCA, resp. CIRC-CCA security requires security against an adversary who has access to key-dependent encryptions and a decryption oracle. (Naturally, to avoid a trivial notion, the adversary is not allowed to submit any of those given KDM encryptions to its decryption oracle.) Now if we want to extend BHHO's KDM-CPA approach to an adversary with a decryption oracle, the following problem arises: since it is publicly possible to construct (fresh) encryptions of the secret key, an adversary can generate such an encryption and then submit it to its decryption oracle, thus obtaining the full secret key. Hence, the very property that BHHO use to prove KDM-CPA security seemingly contradicts chosen-ciphertext security.

Our technical tool: lossy algebraic filters (LAFs). Before we describe our approach to KDM-CCA security, let us present the core technical tool we use. Namely, a lossy algebraic filter (LAF) is a family of functions, indexed by a public key and a tag. A function from that family takes a vector $X = (X_i)_{i=1}^n$ as input. Now if the tag is lossy, then the output of the function reveals only a linear combination of the $X_i$. If the tag is injective, however, then so is the function. We require that there are many lossy tags, which however require a special trapdoor to be found. On the other hand, lossy and injective tags are computationally indistinguishable.
This concept is very similar to (parameterized) lossy trapdoor functions [30], and in particular to all-but-many lossy trapdoor functions (ABM-LTFs) [24]. However, we do not require efficient inversion, but we do require that lossy functions always reveal the same linear combination about the input. In particular, evaluating the same input under many lossy tags will still leave the input (partially) undetermined. We give a construction of LAFs under the Decision Linear (DLIN) assumption in pairing-friendly groups. Similar to ABM-LTFs, lossy tags correspond to suitably blinded signatures. (This in particular allows to release many lossy tags, while still making the generation of a fresh lossy tag hard for an adversary.) However, unlike with ABM-LTFs, functions with lossy tags always release the same information about its input. Our construction has compact tags with $O(1)$ group elements, which will be crucial for our KDM-CCA secure encryption scheme.^2

Our approach to KDM-CCA security. We can now describe our solution to the KDM-CCA dilemma explained above. We will start from a hybrid between the BHHO-like PKE schemes of Brakerski and Goldwasser [13], resp. Malkin et al. [28]. This scheme has compact ciphertexts ($O(1)$ group elements), and its KDM-CPA security can be proved under the Decisional Composite Residuosity (DCR) assumption. As with the BHHO scheme, the scheme's KDM-CPA security relies on the fact that encryptions of its secret key can be publicly generated. Essentially, our modification consists of adding a suitable authentication tag to each ciphertext. This authentication tag comprises the (encrypted) image of the plaintext message under an LAF. During decryption, a ciphertext is rejected in case of a wrong authentication tag. In our security proof, all authentication tags for the key-dependent encryptions the adversary gets are made with respect to lossy filter tags. This means that information-theoretically, little information about the secret key is released (even with many key-dependent encryptions, resp. LAF evaluations).
However, any decryption query the adversary makes must refer (by the LAF properties) to an injective tag. Hence, in order to place a valid key-dependent decryption query, the adversary would have to guess the whole (hidden) secret key.^3 Thus, adding a suitable authentication tag allows us to leverage the techniques by BHHO, resp. Brakerski and Goldwasser, Malkin et al. to chosen-ciphertext attacks. In particular, we obtain a CIRC-CCA-secure PKE scheme with compact ciphertexts (of $O(1)$ group elements). We prove security under the conjunction of the following assumptions: the DCR assumption (in $\mathbb{Z}^*_{N^3}$), the DLIN assumption (in a pairing-friendly group), and the DDH assumption (somewhat curiously, in the subgroup of order $(P-1)(Q-1)/4$ of $\mathbb{Z}^*_{N^3}$), where $N = PQ$.^4

^2 The size of the LAF public key depends on the employed signature scheme. In our main construction, we use Waters signatures, which results in very compact tags, but public keys of $O(k)$ group elements, where $k$ is the security parameter. Alternatively, at the end of Section 3.2, we sketch an LAF with constant-size (but larger than in our main construction) tags and constant-size public keys.

Relation to Camenisch et al.'s CIRC-CCA-secure scheme. Camenisch, Chandran, and Shoup [16] present the only other known CIRC-CCA-secure PKE scheme in the standard model. They also build upon BHHO techniques, but instead use a Naor-Yung-style double encryption technique [29] to achieve chosen-ciphertext security. As an authentication tag, they attach to each ciphertext a non-interactive zero-knowledge proof that either the encryption is consistent (in the usual Naor-Yung sense), or that they know a signature for the ciphertext. Since they build on the original, DDH-based BHHO scheme, they can use Groth-Sahai proofs [22] to prove consistency. Compared to our scheme, their system is less efficient: they require $O(k)$ group elements per ciphertext, and the secret key can only be encrypted bitwise. However, their sole computational assumption to prove circular security is the DDH (or, more generally, $k$-linear) assumption in pairing-friendly groups. One thing to point out is their implicit use of a signature scheme. Their argument is conceptually not unlike our LAF argument. However, since they can apply a hybrid argument to substitute all key-dependent encryptions with random ciphertexts, they only require one-time signatures. Furthermore, the meaning of "consistent ciphertext" and "proof" in our case is very different. (Unlike Camenisch et al., we apply an argument that rests on the information that the adversary has about the secret key.)

Note about concurrent work.
In a work concurrent to ours, Galindo, Herranz, and Villar [21] define and instantiate a strong notion of KDM security for identity-based encryption (IBE) schemes. Using the IBE-to-PKE transformation of Boneh, Canetti, Halevi, and Katz [11], they derive a KDM-CCA-secure PKE scheme. Their concrete construction is entropy-based and achieves only a bounded form of KDM security, much like the KDM-secure SKE scheme from [26]. Thus, while their ciphertexts are very compact, they can only tolerate a number of (arbitrary) KDM queries that is linear in the size of the secret key. In particular, it is not clear how to argue that the encryption of a full secret key in their scheme is secure.

^3 We will also have to protect against a re-use of (lossy) authentication tags, and ordinary, key-independent chosen-ciphertext attacks. This will be achieved by a combination of one-time signatures and 2-universal hash proof systems [19, 27, 25].

^4 Very roughly, we resort to the DDH assumption since we release partial information about our secret keys. Whereas the argument of [13, 28] relies on the fact that the secret key $sk$ is completely hidden modulo $N$, where computations take place in $\mathbb{Z}_{N^i}$, we cannot avoid to leak some information about $sk \bmod N$ by releasing LAF images of $sk$. However, using a suitable message encoding, we can argue that $sk$ is completely hidden modulo the coprime order $(P-1)(Q-1)/4$ of quadratic residues modulo $N$, which enables a reduction to the DDH assumption.

2 Preliminaries

Notation. For $n \in \mathbb{N}$, let $[n] := \{1, \ldots, n\}$. Throughout the paper, $k \in \mathbb{N}$ is the security parameter. For a finite set $S$, $s \leftarrow S$ denotes the process of sampling $s$ uniformly from $S$. For a probabilistic algorithm $A$, $y \leftarrow A(x; R)$ denotes the process of running $A$ on input $x$ and with randomness $R$, and assigning $y$ the result. We write $y \leftarrow A(x)$ for $y \leftarrow A(x; R)$ with uniformly chosen $R$. If $A$'s running time is polynomial in $k$, $A$ is called probabilistic polynomial-time (PPT).

Key-unique SKE schemes. A secret-key encryption (SKE) scheme $(E, D)$ consists of two PPT algorithms. Encryption $E(K, M)$ takes a key $K$ and a message $M$, and outputs a ciphertext $C$. Decryption $D(K, C)$ takes a key $K$ and a ciphertext $C$, and outputs a message $M$. For correctness, we want $D(K, C) = M$ for all $M$, all $K$, and all $C \leftarrow E(K, M)$. We say that $(E, D)$ is key-unique if for every ciphertext $C$, there is at most one key $K$ with $D(K, C) \neq \bot$. For instance, ElGamal encryption can be interpreted as a key-unique SKE scheme through $E(x, M) := (g^x, g^y, g^{xy} \cdot M)$ (and the obvious $D$). This example assumes a publicly known group $\mathbb{G} = \langle g \rangle$ in which the DDH assumption holds.^5 If a larger message space (e.g., $\{0,1\}^*$) is desired, hybrid encryption techniques (which are easily seen to preserve key-uniqueness) can be employed.

PKE schemes. A public-key encryption (PKE) scheme PKE consists of four^6 PPT algorithms (Pars, Gen, Enc, Dec). The parameter generator $\mathrm{Pars}(1^k)$ outputs public parameters $pp$ such as a group description. Key generation $\mathrm{Gen}(pp)$ outputs a public key $pk$ and a secret key $sk$. Encryption $\mathrm{Enc}(pp, pk, M)$ takes parameters $pp$, a public key $pk$, and a message $M$, and outputs a ciphertext $C$. Decryption $\mathrm{Dec}(pp, sk, C)$ takes public parameters $pp$, a secret key $sk$, and a ciphertext $C$, and outputs a message $M$. For correctness, we want $\mathrm{Dec}(pp, sk, C) = M$ for all $M$, all $pp \leftarrow \mathrm{Pars}(1^k)$, all $(pk, sk) \leftarrow \mathrm{Gen}(pp)$, and all $C \leftarrow \mathrm{Enc}(pp, pk, M)$.

IND-CPA security of SKE and PKE schemes. An SKE scheme $(E, D)$ is IND-CPA secure iff no efficient adversary $A$ wins the following game with probability non-negligibly away from $1/2$. First, $A$ selects two equal-length messages $M_0, M_1$, then gets an encryption $E(K, M_b)$ (for random $K$ and $b \leftarrow \{0,1\}$), and then takes a guess $b' \leftarrow \{0,1\}$. During this, $A$ gets access to an encryption oracle $E(K, \cdot)$. We say that $A$ wins iff $b = b'$. For concrete security analyses, let $\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{(E,D),A}(k)$ denote the probability that $A$ wins this game. This definition can be adapted to the PKE setting by initially giving $A$ the public parameters $pp$ and the public key $pk$ instead of access to an encryption oracle.

(Chameleon) hashing. A hash function $H$ is collision-resistant iff the probability $\mathrm{Adv}^{\mathrm{cr}}_{H,C}(k)$ that $C$, upon input $H$, finds $X \neq X'$ with $H(X) = H(X')$ is negligible for every PPT $C$. A chameleon hash function CH is a keyed and randomized hash function in which key generation outputs a keypair $(Hpk, Htd)$. Given a preimage $X$ and randomness $R_{CH}$, the evaluation key $Hpk$ allows to efficiently evaluate CH, written $\mathrm{CH}_{Hpk}(X; R_{CH})$.
We require collision-resistance in the sense that it is infeasible to find $(X, R_{CH}) \neq (X', R'_{CH})$ with $\mathrm{CH}_{Hpk}(X; R_{CH}) = \mathrm{CH}_{Hpk}(X'; R'_{CH})$. However, the trapdoor $Htd$ allows to produce collisions, in the following sense: given arbitrary $X, R_{CH}, X'$, $Htd$ allows to efficiently find $R'_{CH}$ with $\mathrm{CH}_{Hpk}(X; R_{CH}) = \mathrm{CH}_{Hpk}(X'; R'_{CH})$ for the corresponding $Hpk$. We require that the distribution of $R'_{CH}$ is uniform given only $Hpk$ and $X'$.

Signature schemes. A signature scheme Sig consists of three PPT algorithms (SGen, Sig, Ver). Key generation $\mathrm{SGen}(1^k)$ outputs a verification key $vk$ and a signing key $sgk$. The signature algorithm $\mathrm{Sig}(sgk, M)$ takes a signing key $sgk$ and a message $M$ and outputs a signature $\sigma$. Verification $\mathrm{Ver}(vk, M, \sigma)$ takes a verification key $vk$, a message $M$ and a potential signature $\sigma$ and outputs a verdict $b \in \{0,1\}$. For correctness, we require that $\mathrm{Ver}(vk, M, \sigma) = 1$ for all $M$, all $(vk, sgk) \leftarrow \mathrm{SGen}(1^k)$, and all $\sigma \leftarrow \mathrm{Sig}(sgk, M)$.

(One-time, strong) existential unforgeability. A signature scheme Sig is existentially unforgeable (EUF-CMA secure) iff no PPT forger $F$ wins the following game with non-negligible probability. First, $F$ gets a verification key $vk$ as well as access to a signature oracle $\mathrm{Sig}(sgk, \cdot)$. $F$ wins iff it finally outputs a valid signature $\sigma$ for a fresh message $M$ that has not yet been queried to $\mathrm{Sig}(sgk, \cdot)$. Let $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{Sig},F}(k)$ denote the probability that $F$ wins this game. Sig is called one-time existentially unforgeable (OT-EUF-CMA secure) iff no PPT forger $F$ that makes at most one signature query wins the above game with non-negligible probability. Sig is strongly (OT-)EUF-CMA secure iff it is (OT-)EUF-CMA secure as above, but in a game in which an adversary already wins if it generates a fresh signature for a (perhaps already signed) message. We let $\mathrm{Adv}^{\mathrm{seuf\text{-}cma}}_{\mathrm{Sig},F}(k)$ denote the probability that $F$ wins this strong EUF-CMA security game.

DCR assumption.
The Decisional Composite Residuosity (DCR) assumption over a group $\mathbb{Z}^*_{N^{s+1}}$ (for $N = PQ$ with primes $P, Q$, and $s \geq 1$) states that for every PPT adversary $A$,

$$\mathrm{Adv}^{\mathrm{dcr}}_{\mathbb{Z}^*_{N^{s+1}},A}(k) := \Big| \Pr[A(N, g) = 1] - \Pr[A(N, gh) = 1] \Big|$$

is negligible, where $g = g'^{N^s}$ for uniform $g' \in \mathbb{Z}^*_{N^{s+1}}$ is a uniformly chosen $N^s$-th power, and $h := 1 + N \in \mathbb{Z}^*_{N^{s+1}}$ is a fixed element of order $N^s$. Damgård and Jurik [20] have shown that the DCR assumptions over $\mathbb{Z}^*_{N^{s+1}}$ and $\mathbb{Z}^*_{N^{s'+1}}$ are equivalent for any $s, s' \geq 1$.

^5 In our application, $\mathbb{G}$ can be made part of the public parameters.

^6 We will only use public parameters for PKE schemes, but not, e.g., for signature schemes.

DDH and DLIN assumptions. The Decisional Diffie-Hellman (DDH), resp. Decision Linear [9] (DLIN) assumptions over a group $\mathbb{G}$ of (not necessarily prime) order $q$ state that for every PPT adversary $A$, the respective following functions are negligible:

$$\mathrm{Adv}^{\mathrm{ddh}}_{\mathbb{G},A}(k) := \Big| \Pr[A(g, g^x, g^y, g^{xy}) = 1] - \Pr[A(g, g^x, g^y, g^z) = 1] \Big|,$$

$$\mathrm{Adv}^{\mathrm{dlin}}_{\mathbb{G},A}(k) := \Big| \Pr\big[A(g, U_1, U_2, g^{s_0}, U_1^{s_1}, U_2^{s_0+s_1}) = 1\big] - \Pr\big[A(g, U_1, U_2, g^{s_0}, U_1^{s_1}, U_2^{s_2}) = 1\big] \Big|,$$

where $g$ is a uniform generator of $\mathbb{G}$, and $U_1, U_2 \in \mathbb{G}$ and $x, y, z, s_0, s_1, s_2 \in \mathbb{Z}_q$ are uniform.

Pairings. A (symmetric) pairing is a map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ between two cyclic groups $\mathbb{G}$ and $\mathbb{G}_T$ that satisfies $e(g, g) \neq 1$ and $e(g^a, g^b) = e(g, g)^{ab}$ for all generators $g$ of $\mathbb{G}$ and all $a, b \in \mathbb{Z}$.

Waters signatures. In [31], Waters proves the following signature scheme EUF-CMA secure:^7

$\mathrm{Gen}(1^k)$ chooses groups $\mathbb{G}, \mathbb{G}_T$ of prime order $p$, along with a pairing $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$, a generator $g \in \mathbb{G}$, and uniform group elements $g^\omega, H_0, \ldots, H_k \in \mathbb{G}$. Output is $vk = (\mathbb{G}, \mathbb{G}_T, e, p, g, (H_i)_{i=0}^k, e(g, g^\omega))$, $sgk = (vk, g^\omega)$.

$\mathrm{Sig}(sgk, M)$, for $M = (M_i)_{i=1}^k \in \{0,1\}^k$, uniformly chooses $r \in \mathbb{Z}_p$, and outputs $\sigma := \big(g^r,\; g^\omega (H_0 \prod_{i=1}^k H_i^{M_i})^r\big)$.

$\mathrm{Ver}(vk, M, (\sigma_0, \sigma_1))$ outputs 1 iff $e(g, \sigma_1) = e(g, g^\omega) \cdot e(\sigma_0, H_0 \prod_{i=1}^k H_i^{M_i})$.

KDM-CCA and CIRC-CCA security. Let $n = n(k)$ and let PKE be a PKE scheme with message space $\mathcal{M}$. PKE is chosen-ciphertext secure under key-dependent message attacks ($n$-KDM-CCA secure) iff

$$\mathrm{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathrm{PKE},n,A}(k) := \Big| \Pr\big[\mathrm{Exp}^{\mathrm{kdm\text{-}cca}}_{\mathrm{PKE},n,A}(k) = 1\big] - 1/2 \Big|$$

is negligible for all PPT $A$, where experiment $\mathrm{Exp}^{\mathrm{kdm\text{-}cca}}_{\mathrm{PKE},n,A}$ is defined as follows. First, the experiment tosses a coin $b \leftarrow \{0,1\}$, and samples public parameters $pp \leftarrow \mathrm{Pars}(1^k)$ and $n$ keypairs $(pk_i, sk_i) \leftarrow \mathrm{Gen}(pp)$.
Then $A$ is invoked with input $pp$ and $(pk_i)_{i=1}^n$, and access to two oracles:

a KDM oracle $\mathrm{KDM}_b(\cdot, \cdot)$ that maps $i \in [n]$ and a function $f : (\{0,1\}^*)^n \to \{0,1\}^*$ to a ciphertext $C \leftarrow \mathrm{Enc}(pp, pk_i, M)$. If $b = 0$, then $M = f((sk_i)_{i=1}^n)$; else, $M = 0^{|f((sk_i)_{i=1}^n)|}$.

a decryption oracle $\mathrm{DEC}(\cdot, \cdot)$ that takes as input an index $i \in [n]$ and a ciphertext $C$, and outputs $\mathrm{Dec}(pp, sk_i, C)$.

When $A$ finally generates an output $b' \in \{0,1\}$, the experiment outputs 1 if $b = b'$ (and 0 else). We require that (a) $A$ never inputs a ciphertext $C$ to DEC that has been produced by $\mathrm{KDM}_b$ (for the same index $i$), and (b) $A$ only specifies PPT-computable functions $f$ that always output messages of the same length. As a relevant special case, PKE is $n$-CIRC-CCA-secure if it is $n$-KDM-CCA secure against all $A$ that only query $\mathrm{KDM}_b$ with functions $f \in \mathcal{F}$ for

$$\mathcal{F} := \{f_j : f_j((sk_i)_{i=1}^n) = sk_j\}_{j \in [n]} \;\cup\; \{f_M : f_M((sk_i)_{i=1}^n) = M\}_{M \in \mathcal{M}}.$$

(Technically, what we call circular security is called clique security in [12]. However, our notion of circular security implies that of [12].) Our main result will be a PKE scheme that is $n$-CIRC-CCA-secure for all polynomials $n = n(k)$.

^7 In fact, our description is a slight folklore variant of Waters's scheme. The original scheme features elements $g^\alpha, g^\beta$ in $vk$, so that $e(g^\alpha, g^\beta)$ takes the role of $e(g, g^\omega)$.

3 Lossy algebraic filters

3.1 Definition

Informal description. An $(l_{LAF}, n)$-lossy algebraic filter (LAF) is a family of functions indexed by a public key $Fpk$ and a tag $t$. A function $\mathrm{LAF}_{Fpk,t}$ from the family maps an input $X = (X_i)_{i=1}^n \in \mathbb{Z}_p^n$ to an output $\mathrm{LAF}_{Fpk,t}(X)$, where $p$ is an $l_{LAF}$-bit prime contained in the public key. The crucial property of an LAF is its lossiness. Namely, for a given public key $Fpk$, we distinguish injective and lossy tags.^8 For an injective tag $t$, the function $\mathrm{LAF}_{Fpk,t}(\cdot)$ is injective, and thus has an image of size $p^n$. However, if $t$ is lossy, then $\mathrm{LAF}_{Fpk,t}(\cdot)$ only depends on a linear combination $\sum_{i=1}^n \omega_i X_i \bmod p$ of its input. In particular, different $X$ with the same value $\sum_{i=1}^n \omega_i X_i \bmod p$ are mapped to the same image. Here, the coefficients $\omega_i \in \mathbb{Z}_p$ only depend on $Fpk$ (but not on $t$). For a lossy tag $t$, the image of $\mathrm{LAF}_{Fpk,t}(\cdot)$ is thus of size at most $p$. Note that the modulus $p$ is public, while the coefficients $\omega_i$ may be (and in fact will have to be) computationally hidden. For this concept to be useful, we require that (a) lossy and injective tags are computationally indistinguishable, (b) lossy tags can be generated using a special trapdoor, but (c) new lossy (or, rather, non-injective) tags cannot be found efficiently without that trapdoor, even when having seen polynomially many lossy tags before. In view of our application, we will work with structured tags: each tag $t = (t_c, t_a)$ consists of a core tag $t_c$ and an auxiliary tag $t_a$. The auxiliary tag will be a ciphertext part that is authenticated by a filter image.

Definition 3.1. An $(l_{LAF}, n)$-lossy algebraic filter (LAF) LAF consists of three PPT algorithms:

Key generation. $\mathrm{FGen}(1^k)$ samples a keypair $(Fpk, Ftd)$. The public key $Fpk$ contains an $l_{LAF}$-bit prime $p$ and the description of a tag space $\mathcal{T} = \mathcal{T}_c \times \{0,1\}^*$ for efficiently samplable $\mathcal{T}_c$. A tag $t = (t_c, t_a)$ consists of a core tag $t_c \in \mathcal{T}_c$ and an auxiliary tag $t_a \in \{0,1\}^*$. A tag may be injective, or lossy, or neither. $Ftd$ is a trapdoor that will allow to sample lossy tags.

Evaluation.
$\mathrm{FEval}(Fpk, t, X)$, for a public key $Fpk$ and a tag $t = (t_c, t_a) \in \mathcal{T}$, maps an input $X = (X_i)_{i=1}^n \in \mathbb{Z}_p^n$ to a unique output $\mathrm{LAF}_{Fpk,t}(X)$.

Lossy tag generation. $\mathrm{FTag}(Ftd, t_a)$, for a trapdoor $Ftd$ and $t_a \in \{0,1\}^*$, samples a core tag $t_c$ such that $t = (t_c, t_a)$ is lossy.

We require the following:

Lossiness. The function $\mathrm{LAF}_{Fpk,t}(\cdot)$ is injective if $t$ is injective. If $t$ is lossy, then $\mathrm{LAF}_{Fpk,t}(X)$ depends only on $\sum_{i=1}^n \omega_i X_i \bmod p$ for $\omega_i \in \mathbb{Z}_p$ that only depend on $Fpk$.

Indistinguishability. Lossy tags are indistinguishable from random tags:

$$\mathrm{Adv}^{\mathrm{ind}}_{\mathrm{LAF},A}(k) := \Big| \Pr\big[A(1^k, Fpk)^{\mathrm{FTag}(Ftd,\cdot)} = 1\big] - \Pr\big[A(1^k, Fpk)^{O_{\mathcal{T}_c}(\cdot)} = 1\big] \Big|$$

is negligible for all PPT $A$, where $(Fpk, Ftd) \leftarrow \mathrm{FGen}(1^k)$, and $O_{\mathcal{T}_c}(\cdot)$ is the oracle that ignores its input and samples a random core tag $t_c$.

Evasiveness. Non-injective (and in particular lossy) tags are hard to find, even given multiple lossy tags:

$$\mathrm{Adv}^{\mathrm{eva}}_{\mathrm{LAF},A}(k) := \Pr\big[\, t \text{ non-injective} \;\big|\; t \leftarrow A(1^k, Fpk)^{\mathrm{FTag}(Ftd,\cdot)} \,\big]$$

is negligible with $(Fpk, Ftd) \leftarrow \mathrm{FGen}(1^k)$, and for any PPT algorithm $A$ that never outputs a tag obtained through oracle queries (i.e., $A$ never outputs $t = (t_c, t_a)$ when $t_c$ has been obtained by an oracle query $\mathrm{FTag}(Ftd, t_a)$).

^8 Technically, there may also be tags that are neither injective nor lossy.

3.2 Construction

Intuition. We present a construction based on the DLIN problem in a group $\mathbb{G}$ of order $p$ with symmetric pairing $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$. Essentially, each tag corresponds to $n$ DLIN-encrypted Waters signatures. If the signatures are valid, the tag is lossy. The actual filter maps an input $X = (X_i)_{i=1}^n \in \mathbb{Z}_p^n$ to the tuple

$$\mathrm{LAF}_{Fpk,t}(X) := M \odot X := \Big( \prod_{j=1}^n M_{i,j}^{X_j} \Big)_{i=1}^n \in \mathbb{G}_T^n, \qquad (1)$$

where the matrix $M = (M_{i,j})_{i,j \in [n]} \in \mathbb{G}_T^{n \times n}$ is computed from public key and tag. Note that this mapping is lossy if and only if the matrix

$$\tilde{M} := (\tilde{M}_{i,j})_{i,j} := \big( \mathrm{dlog}_{e(g,g)}(M_{i,j}) \big)_{i,j} \in \mathbb{Z}_p^{n \times n} \qquad (2)$$

of discrete logarithms (to some arbitrary basis $e(g,g) \in \mathbb{G}_T$) is non-invertible.

For a formal description, let $l_{LAF}(k), n(k)$ be two functions.

Key generation. $\mathrm{FGen}(1^k)$ generates cyclic groups $\mathbb{G}, \mathbb{G}_T$ of prime order $p$ (where $p$ has bitlength $\lceil \log_2(p) \rceil = l_{LAF}(k)$), and a symmetric pairing $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$. Then FGen chooses a generator $g \in \mathbb{G}$ and a uniform exponent $\omega \in \mathbb{Z}_p$, uniform group elements $U_1, \ldots, U_n \in \mathbb{G}$, $H_0, \ldots, H_k \in \mathbb{G}$, and a keypair $(Hpk, Htd)$ for a chameleon hash function $\mathrm{CH} : \{0,1\}^* \to \{0,1\}^k$. FGen finally outputs

$$Fpk := \big(\mathbb{G}, \mathbb{G}_T, e, p, g, (H_i)_{i=0}^k, (U_i)_{i=1}^n, W := e(g, g^\omega), Hpk\big), \qquad Ftd := (Fpk, g^\omega, Htd).$$

For convenience, write $U_i = g^{u_i}$ for suitable (unknown) exponents $u_i$.

Tags. (Core) tags are of the form

$$t_c := \big( R, (S_i)_{i=1}^n, (S_{i,j})_{i,j=1}^n, R_{CH} \big) \in \mathbb{G} \times \mathbb{G}^n \times \mathbb{G}^{n \times n} \times \mathcal{R}_{CH}$$

(for CH's randomness space $\mathcal{R}_{CH}$), where we require $e(U_j, S_{i,j'}) = e(U_{j'}, S_{i,j})$ whenever $i \notin \{j, j'\}$. This means we can write $R = g^r$, $S_i = g^{s_i}$, $S_{i,j} = U_j^{\bar{s}_i}$ ($i \neq j$) for suitable $r, s_i, \bar{s}_i$. To a tag $t = (t_c, t_a)$ (with auxiliary part $t_a \in \{0,1\}^*$), we associate the matrix $M = (M_{i,j})_{i,j=1}^n \in \mathbb{G}_T^{n \times n}$ with

$$M_{i,j} = e(U_j, S_i) \cdot e(g, S_{i,j}) = e(g, g)^{u_j(\bar{s}_i + s_i)} \quad (i \neq j), \qquad M_{i,i} = \frac{e(g, S_{i,i})}{W \cdot e\big(H_0 \prod_{\ell=1}^k H_\ell^{T_\ell},\, R\big)} \qquad (3)$$

for $(T_\ell)_{\ell=1}^k := \mathrm{CH}_{Hpk}(R, (S_i)_{i=1}^n, (S_{i,j})_{i,j=1}^n, t_a; R_{CH})$. If the matrix $\tilde{M}$ of discrete logarithms (see (2)) is invertible, we say that $t$ is injective; if $\tilde{M}$ has rank 1, then $t$ is lossy. Thus, for lossy tags, $M_{i,j} = e(g, g)^{u_j(\bar{s}_i + s_i)}$ for all $i, j$.

Evaluation. $\mathrm{FEval}(Fpk, t, X)$, for $t = (t_c, t_a)$, $t_a \in \{0,1\}^*$, $X = (X_i)_{i=1}^n \in \mathbb{Z}_p^n$, and $Fpk$ and $t_c$ as above, computes $M$ as in (3) and then $(Y_i)_{i=1}^n := \mathrm{LAF}_{Fpk,t}(X) \in \mathbb{G}_T^n$ as in (1).

Lossiness. If we write $Y_i = e(g, g)^{y_i}$, the definition of FEval implies $(y_i)_{i=1}^n = \tilde{M} \cdot X$. Since injective tags satisfy that $\tilde{M}$ is invertible, they lead to injective functions $\mathrm{LAF}_{Fpk,t}(\cdot)$.
But for a lossy tag, $\tilde{M}_{i,j} = u_j(\bar{s}_i + s_i)$, so that

$$y_i = \sum_{j=1}^n u_j (\bar{s}_i + s_i) X_j = (\bar{s}_i + s_i) \sum_{j=1}^n u_j X_j \bmod p.$$

Specifically, $\mathrm{LAF}_{Fpk,t}(X)$ depends only on $\sum_i \omega_i X_i \bmod p$ for $\omega_i := u_i$.

Lossy tag generation. $\mathrm{FTag}(Ftd, t_a)$, for $Ftd$ as above and $t_a \in \{0,1\}^*$, first chooses a random CH-image $T = (T_\ell)_{\ell=1}^k \in \{0,1\}^k$ that can later be explained, using $Htd$, as the CH-image of an arbitrary preimage. FTag then chooses uniform $r, s_i, \bar{s}_i \in \mathbb{Z}_p$ and sets (for $i \neq j$)

$$R := g^r, \qquad S_i := g^{s_i}, \qquad S_{i,j} := U_j^{\bar{s}_i}, \qquad S_{i,i} := U_i^{\bar{s}_i + s_i} \cdot g^\omega \cdot \Big( H_0 \prod_{\ell=1}^k H_\ell^{T_\ell} \Big)^r. \qquad (4)$$

Finally, FTag chooses $R_{CH}$ with $\mathrm{CH}_{Hpk}(R, (S_i)_{i=1}^n, (S_{i,j})_{i,j=1}^n, t_a; R_{CH}) = T$ and outputs $t_c = (R, (S_i)_{i=1}^n, (S_{i,j})_{i,j=1}^n, R_{CH})$. Intuitively, $t_c$ consists of $n$ DLIN encryptions (with correlated randomness $s_i, \bar{s}_i$) of Waters signatures $\big(g^r,\; g^\omega (H_0 \prod_{\ell=1}^k H_\ell^{T_\ell})^r\big)$ for message $T$. Indeed, substituting into (3) yields

$$M_{i,i} = \frac{e(g, g)^{u_i(\bar{s}_i + s_i)} \cdot W \cdot e\big(g, (H_0 \prod_{\ell=1}^k H_\ell^{T_\ell})^r\big)}{W \cdot e\big(g^r, H_0 \prod_{\ell=1}^k H_\ell^{T_\ell}\big)} = e(g, g)^{u_i(\bar{s}_i + s_i)}.$$

Hence, $\tilde{M}_{i,j} = u_j(\bar{s}_i + s_i)$ for all $i, j$, and thus the resulting tag $t = (t_c, t_a)$ is lossy.

A generalization with constant-size evaluation keys. The LAF LAF above inherits a rather large public key of $O(k)$ group elements from Waters signatures. We now sketch how to generalize LAF to any structure-preserving signature scheme; plugging in, e.g., the DLIN-based signature scheme of Abe et al. [1] yields an LAF with constant-size tags and keys. (Compared to LAF, tags will be larger, however.) The idea is to have tags that directly contain a matrix $M \in \mathbb{G}_T^{n \times n}$ as above, along with a DLIN ciphertext $C$, and a Groth-Sahai [22] proof $\pi$. The statement proved by $\pi$ is that either $M$ is injective (e.g., in the sense that there exist $V_1, \ldots, V_n$ with $M_{i,i} = e(U_i, V_i) \cdot e(g, g)$ and $M_{i,j} = e(U_j, V_i)$ for fixed elements $U_i$ from the public key and all $i \neq j$), or that $C$ contains a fresh signature (e.g., of a chameleon hash value $T$ as above). Evaluation of this LAF takes place as in (1). Lossy tags can be generated using a signing key and proving the "or" branch of the statement. The soundness of Groth-Sahai proofs ensures that any adversarially produced lossy tag (with lossy $M$) would imply a fresh forged signature.

Other instances and further applications of LAFs.
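The lossiness argument above and the cancellation in (4) can be checked numerically in the exponent: since every $\mathbb{G}_T$ element is $e(g,g)^y$, the matrix $\tilde{M}$ of (2) is just a matrix over $\mathbb{Z}_p$ built from (3) and (4). The following Python model is an added example, not code from the paper; the prime `P`, the length `N` and the value `h_T` standing in for $\mathrm{dlog}(H_0 \prod_\ell H_\ell^{T_\ell})$ are constructed stand-ins, and `extract_signature` additionally previews the extraction step (9) of the evasiveness proof.

```python
"""Exponent-space model of the DLIN-based LAF of Section 3.2 (added example,
not code from the paper).  Each G_T element e(g,g)^y is represented by its
discrete log y in Z_p, so M~ of (2) follows from (3)/(4) by modular arithmetic.
P, N and the stand-in for dlog(H_0 * prod_l H_l^{T_l}) are constructed values."""
import random

P = 2**61 - 1   # constructed: stands in for the l_LAF-bit prime p
N = 3           # constructed: filter input length n (needs n >= 2)

def fgen(n, p, rng):
    """Fpk/Ftd in the exponent: u_j = dlog U_j, omega = dlog g^omega."""
    return {"u": [rng.randrange(1, p) for _ in range(n)],
            "omega": rng.randrange(1, p)}

def ftag_lossy(key, n, p, rng, h_T):
    """FTag, eq. (4): S_ii = U_i^(sbar_i+s_i) * g^omega * (H_0 prod H_l^T_l)^r,
    with h_T standing in for dlog(H_0 prod H_l^T_l) of the CH value T.
    The core tag is kept as exponents (r, s_i, sbar_i, dlog S_ii)."""
    r = rng.randrange(1, p)
    s = [rng.randrange(p) for _ in range(n)]
    sbar = [rng.randrange(p) for _ in range(n)]
    sig = [(key["u"][i] * (sbar[i] + s[i]) + key["omega"] + h_T * r) % p
           for i in range(n)]
    return {"r": r, "s": s, "sbar": sbar, "sig": sig, "h_T": h_T}

def random_tag(n, p, rng, h_T):
    """A random core tag: same shape as (4), but every S_ii is uniform in G."""
    return {"r": rng.randrange(1, p), "h_T": h_T,
            "s": [rng.randrange(p) for _ in range(n)],
            "sbar": [rng.randrange(p) for _ in range(n)],
            "sig": [rng.randrange(p) for _ in range(n)]}

def tag_matrix(key, tag, n, p):
    """M~ of (2) via (3): M~_ij = u_j(sbar_i+s_i) for i != j and
    M~_ii = dlog S_ii - omega - r*h_T (W and the pairing cancel in (3))."""
    u, omega = key["u"], key["omega"]
    m = [[u[j] * (tag["sbar"][i] + tag["s"][i]) % p for j in range(n)]
         for i in range(n)]
    for i in range(n):
        m[i][i] = (tag["sig"][i] - omega - tag["h_T"] * tag["r"]) % p
    return m

def feval(m, x, p):
    """Eq. (1) in the exponent: y_i = sum_j M~_ij * X_j mod p."""
    return [sum(mij * xj for mij, xj in zip(row, x)) % p for row in m]

def rank_mod_p(matrix, p):
    """Rank over Z_p by Gauss-Jordan elimination (n: injective, 1: lossy)."""
    m = [row[:] for row in matrix]
    rank = 0
    for c in range(len(m[0])):
        piv = next((r for r in range(rank, len(m)) if m[r][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][c], -1, p)
        m[rank] = [v * inv % p for v in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][c]:
                f = m[r][c]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank

def extract_signature(key, tag, i, p):
    """Step (9) of the evasiveness proof: knowing all u_i, compute dlog of
    sigma_i = S_ii * S_i^(-u_i) * S_ij^(-u_i/u_j) = S_ii / U_i^(sbar_i+s_i).
    For a lossy tag this is the Waters signature exponent omega + r*h_T."""
    j = (i + 1) % len(key["u"])
    u_i, u_j = key["u"][i], key["u"][j]
    dlog_s_ij = u_j * tag["sbar"][i]          # S_ij = U_j^{sbar_i}
    return (tag["sig"][i] - u_i * tag["s"][i]  # S_i = g^{s_i}
            - dlog_s_ij * u_i * pow(u_j, -1, p)) % p

def demo(seed=2013):
    """Compare a lossy tag (FTag) with a random core tag under one key."""
    rng = random.Random(seed)
    key = fgen(N, P, rng)
    lossy = ftag_lossy(key, N, P, rng, h_T=rng.randrange(P))
    rand = random_tag(N, P, rng, h_T=rng.randrange(P))
    m_lossy, m_rand = tag_matrix(key, lossy, N, P), tag_matrix(key, rand, N, P)
    # Two distinct inputs with the same combination sum_j u_j X_j mod p:
    x = [rng.randrange(P) for _ in range(N)]
    d = rng.randrange(1, P)
    x2 = x[:]
    x2[0] = (x[0] + d) % P
    x2[1] = (x[1] - d * key["u"][0] * pow(key["u"][1], -1, P)) % P
    combo = sum(u * xi for u, xi in zip(key["u"], x)) % P
    y = feval(m_lossy, x, P)
    def waters_exp(t):                     # dlog of g^omega * (H_0 prod ...)^r
        return (key["omega"] + t["r"] * t["h_T"]) % P
    return {
        "rank_lossy": rank_mod_p(m_lossy, P),
        "rank_random": rank_mod_p(m_rand, P),
        "lossy_collides": y == feval(m_lossy, x2, P),
        "lossy_only_combo": all(yi == (sb + s) * combo % P for yi, sb, s
                                in zip(y, lossy["sbar"], lossy["s"])),
        "random_separates": feval(m_rand, x, P) != feval(m_rand, x2, P),
        "forged_sig_ok": extract_signature(key, lossy, 0, P) == waters_exp(lossy),
        "random_sig_fails": extract_signature(key, rand, 0, P) != waters_exp(rand),
    }
```

`demo()` returns rank 1 for the lossy tag (its outputs depend only on $\sum_j u_j X_j$) and rank `N` for the random tag, and shows that the extracted exponent of a lossy tag equals a Waters signature exponent on $T$ while that of a random tag does not.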
Since LAFs can be seen as disguised signature schemes, it seems interesting to try to convert other signature schemes (and in particular schemes that do not require pairing-friendly groups) to LAFs. Besides, LAFs would seem potentially useful in other settings, specifically in settings with inherently many challenges (e.g., the selective-opening setting [7]).

3.3 Security proof

Theorem 3.2. If the DLIN assumption holds in $\mathbb{G}$, and CH is a chameleon hash function, then the LAF construction LAF from Section 3.2 satisfies Definition 3.1.

The lossiness of LAF has already been discussed in Section 3.2. We prove indistinguishability and evasiveness separately.

Lemma 3.3. For every adversary $A$ on LAF's indistinguishability, there exists a DLIN distinguisher $B$ such that

$$\mathrm{Adv}^{\mathrm{ind}}_{\mathrm{LAF},A}(k) = n \cdot \mathrm{Adv}^{\mathrm{dlin}}_{B}(k). \qquad (5)$$

Intuitively, to see Lemma 3.3, observe that lossy tags differ from random tags only in their $S_{i,i}$ components, and in how the CH randomness $R_{CH}$ is generated. For lossy tags, the $S_{i,i}$ are (parts of) DLIN ciphertexts, which are pseudorandom under the DLIN assumption. Furthermore, the uniformity property of CH guarantees that the distribution of $R_{CH}$ is the same for lossy and random tags.

Proof. Assume a PPT adversary $A$. We proceed in games. In Game $i$, $A$ gets an input $Fpk$ and interacts with an oracle $O_i$. Let $out_i$ denote $A$'s output in Game $i$.

In Game 1, we let $O_1(\cdot) := \mathrm{FTag}(Ftd, \cdot)$, where $Ftd$ is the trapdoor initially sampled alongside $Fpk$. Thus, $O_1(t_a)$ outputs core tags $t_c = (R, (S_i)_{i=1}^n, (S_{i,j})_{i,j=1}^n, R_{CH})$ generated as in (4).

In Game $2.i$ (for $0 \leq i \leq n$), we let $O_{2.i}$ generate core tags as in Game 1, but with independently and uniformly chosen $S_{i',i'} \in \mathbb{G}$ for $i' \leq i$. Note that Game 2.0 is equivalent to Game 1. Let furthermore Game 2 be defined as Game $2.n$. We claim

$$\big| \Pr[out_1 = 1] - \Pr[out_2 = 1] \big| = \big| \Pr[out_{2.0} = 1] - \Pr[out_{2.n} = 1] \big| = n \cdot \mathrm{Adv}^{\mathrm{dlin}}_{B}(k) \qquad (6)$$

for a suitable DLIN distinguisher $B$. Namely, $B$ uniformly chooses $i \in [n]$ and parses its DLIN challenge as $(g, U, U', g^{s}, U^{\bar{s}}, C)$, where $C = U'^{\bar{s}+s}$ or $C \in \mathbb{G}$ is uniform. $B$ then first re-randomizes its input to obtain many tuples $(g^{s_l}, U^{\bar{s}_l}, C_l)$, where (a) the $s_l, \bar{s}_l$ are independently and uniformly random, and (b) $C_l = U'^{\bar{s}_l + s_l}$ iff $C = U'^{\bar{s}+s}$ (otherwise, all $C_l$ are independently and uniformly random). Next, $B$ simulates Game $2.(i-1)$ or Game $2.i$, depending on its own challenge $C$. Concretely, to prepare a key $Fpk$ for $A$, $B$ sets $U_j = U^{\alpha_j}$ for all $j \neq i$ and uniform $\alpha_j \in \mathbb{Z}_p$, and $U_i = U'$. (Like Game $2.i$, $B$ chooses $\omega \in \mathbb{Z}_p$ and a CH keypair $(Hpk, Htd)$ on its own.) When answering $A$'s $l$-th oracle query, $B$ proceeds as in Game $2.i$, but sets up (a) $S_i = g^{s_l}$, (b) $S_{i',i'}$ as in Game 1 for $i' > i$, (c) $S_{i',i'} \in \mathbb{G}$ uniformly (as in Game 2) for $i' < i$, (d) $S_{i,j} = (U^{\bar{s}_l})^{\alpha_j} = U_j^{\bar{s}_l}$ for $j \neq i$, (e) $S_{i,i} = C_l \cdot g^\omega \big(H_0 \prod_{\ell=1}^k H_\ell^{T_\ell}\big)^r$. This implicitly sets $s_i = s_l$ and $\bar{s}_i = \bar{s}_l$. (All other $s_{i'}, \bar{s}_{i'}$ are chosen by $B$.) Furthermore, if $C = U'^{\bar{s}+s}$, this setting of $S_{i,i}$ yields Game $2.(i-1)$; but if $C$ is uniform, then all $C_l$ are independently uniform, and we obtain Game $2.i$. We get (6).

In Game 3, we choose the CH randomness $R_{CH}$ in the core tags output by $O_3$ uniformly and independently. Recall that up to Game 2, $R_{CH}$ was instead chosen as follows: first choose a random CH-output $T$, and later select $R_{CH}$ such that $\mathrm{CH}_{Hpk}(R, (S_i)_{i=1}^n, (S_{i,j})_{i,j=1}^n, t_a; R_{CH}) = T$ holds.
By definition of chameleon hashing, this induces a uniform distribution of $R_{CH}$. Moreover, $T$ is not used in Game 2 or Game 3. Hence, the change in Game 3 is merely conceptual, and we obtain $\Pr[out_3 = 1] = \Pr[out_2 = 1]$. Now note that in Game 3, the tags $t_c$ output by $O_3$ are random tags. Taking things together, (5) follows as desired.

Lemma 3.4. For every adversary $A$ on LAF's evasiveness, there exist adversaries $B$, $C$, and $F$ with

$$\mathrm{Adv}^{\mathrm{eva}}_{\mathrm{LAF},A}(k) \leq \mathrm{Adv}^{\mathrm{ind}}_{\mathrm{LAF},B}(k) + \mathrm{Adv}^{\mathrm{cr}}_{\mathrm{CH},C}(k) + \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{Sig}_{\mathrm{Wat}},F}(k). \qquad (7)$$

Intuitively, Lemma 3.4 holds because lossy (or, rather, non-injective) tags correspond to DLIN-encrypted Waters signatures. Hence, even after seeing many lossy tags (i.e., encrypted signatures), an adversary cannot produce a fresh encrypted signature. We note that the original Waters signatures from [31] are re-randomizable and thus not strongly unforgeable. To achieve evasiveness, we have thus used a chameleon hash function, much like Boneh et al. [10] did to make Waters signatures strongly unforgeable.

Proof. Assume a PPT adversary $A$. Again, we proceed in games. Let $bad_i$ denote the event that $A$'s output in Game $i$ is a fresh non-injective tag. In Game 1, $A$ gets input $Fpk$ and interacts with an $\mathrm{FTag}(Ftd, \cdot)$ oracle. By definition, $\Pr[bad_1] = \mathrm{Adv}^{\mathrm{eva}}_{\mathrm{LAF},A}(k)$.

To describe Game 2, denote $A$'s output by $t = (t_c, t_a)$, for $t_c = (R, (S_i)_{i=1}^n, (S_{i,j})_{i,j=1}^n, R_{CH})$. Denote by $bad_{coll}$ the event that $t$ induces a CH-collision in the sense that

$$T = \mathrm{CH}_{Hpk}\big(R, (S_i)_{i=1}^n, (S_{i,j})_{i,j=1}^n, t_a; R_{CH}\big) = \mathrm{CH}_{Hpk}\big(R', (S'_i)_{i=1}^n, (S'_{i,j})_{i,j=1}^n, t'_a; R'_{CH}\big) = T'$$

for some hash value $T'$ associated with an FTag-output $t'_c = (R', (S'_i)_{i=1}^n, (S'_{i,j})_{i,j=1}^n, R'_{CH})$ (and the corresponding query $t'_a$). In Game 2, we abort (and do not raise event $bad_2$) if $bad_{coll}$ occurs. Intuitively, we would expect to use CH's collision resistance directly to argue that $bad_{coll}$ occurs only negligibly often. However, both in Game 1 and Game 2, we use CH's trapdoor $Htd$ to construct lossy tags for $A$. Hence, we first argue that $bad_{coll}$ occurs with essentially the same probability in a modified Game $1'$, in which $A$ gets random tags instead of lossy tags as oracle answers. Indeed, since lossy and random tags are indistinguishable by Lemma 3.3, and $bad_{coll}$ is efficiently recognizable from $A$'s view, we obtain

$$\big| \Pr[bad_{coll} \text{ in Game } 1'] - \Pr[bad_{coll} \text{ in Game } 1] \big| = \mathrm{Adv}^{\mathrm{ind}}_{\mathrm{LAF},B}(k)$$

for a suitable adversary $B$ on LAF's indistinguishability. Furthermore, since in Game $1'$ the CH-trapdoor $Htd$ is not required, we have

$$\Pr[bad_{coll} \text{ in Game } 1'] = \mathrm{Adv}^{\mathrm{cr}}_{\mathrm{CH},C}(k)$$

for a suitable collision-finder $C$. However, Game 1 and Game 2 only differ when $bad_{coll}$ occurs, and so we finally get

$$\big| \Pr[bad_2] - \Pr[bad_1] \big| \leq \Pr[bad_{coll} \text{ in Game } 1] \leq \mathrm{Adv}^{\mathrm{ind}}_{\mathrm{LAF},B}(k) + \mathrm{Adv}^{\mathrm{cr}}_{\mathrm{CH},C}(k).$$

The final reduction. Now that CH-collisions are excluded, we can finally conclude that any occurrence of $bad_2$ means that $A$ has forged a Waters signature. Concretely, we show that

$$\Pr[bad_2] = \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{Sig}_{\mathrm{Wat}},F}(k) \qquad (8)$$

for a suitable forger $F$ that attacks $\mathrm{Sig}_{\mathrm{Wat}}$ and internally simulates Game 2 with $A$. Namely, $F$ gets as input a $\mathrm{Sig}_{\mathrm{Wat}}$ public key $(\mathbb{G}, \mathbb{G}_T, e, p, g, (H_i)_{i=0}^k, W := e(g, g^\omega))$. $F$ extends this public key to an LAF public key $Fpk$ by picking $U_i = g^{u_i}$ and $Hpk$. (In particular, $F$ knows all $u_i$ and $Htd$.) Upon an FTag-query from $A$, $F$ constructs elements $S_i$ and $S_{i,j}$ (for $i \neq j$) exactly as in (4); note, however, that $F$ cannot directly compute the $S_{i,i}$, since $F$ does not know $g^\omega$. Instead, $F$ requests a $\mathrm{Sig}_{\mathrm{Wat}}$ signature for the message $T \in \{0,1\}^k$ (as derived in (4)). Such a signature is of the form

$$\Big( g^r,\; g^\omega \Big( H_0 \prod_{\ell=1}^k H_\ell^{T_\ell} \Big)^r \Big),$$

from which $F$ can compute the elements $R$ and $S_{i,i}$ as in (4).
Snce F also knows the CH-trapdoor Htd, ths allows to construct lossy tags exactly as FTag would do n Game 2. It remans to descrbe how F extracts a Sg Wat -sgnature out of a lossy tag t = (t c, t a that A fnally outputs. By our defnton of tags, we may assume that t c = (R, ( S n =1, (S,j n,j=1, R CH s of the form R = g r, S = g s, and S,j = U s j for sutable r, s, s and all j. Furthermore, snce t c s lossy, ( r rank( M < n = : M k, = u ( s + s = : S, = U s +s g ω H 0 H T. (9 Snce F knows all u, t can compute σ := S, S u S u /u j,j H T = S, U s +s for all (and some j. By (9, for some, the par (R, σ forms a vald Sg Wat sgnature for T = CH Hpk (R, ( S n =1, (S,j n,j=1 ; R CH. Because Game 2 aborts n case of a CH-collson, we may further assume that T s a message for whch F has not yet requested a sgnature. Consequently, F can output a forged sgnature for a fresh message whenever bad 2 occurs. Ths yelds (8. Puttng thngs together fnally gves (7. Combnng Lemma 3.3, Lemma 3.4, and the fact that Waters sgnatures are EUF-CMA secure already under the CDH assumpton, we obtan Theorem 3.2. =1 10
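The mask-stripping step of the last paragraph, written out (an added derivation, not part of the paper's text; it uses only the component forms $U_i = g^{u_i}$, $S_i = g^{s_i}$ and $S_{j,i} = U_j^{s'_i}$ for $j \ne i$ stated above, and the Waters verification equation for $W = e(g,g)^{\omega}$):
$$S_i^{u_i} = g^{u_i s_i} = U_i^{s_i}, \qquad S_{j,i}^{u_i/u_j} = \bigl(g^{u_j s'_i}\bigr)^{u_i/u_j} = g^{u_i s'_i} = U_i^{s'_i},$$
so that $F$, knowing $u_i$ and $u_j$ (with $u_i/u_j$ computed in $\mathbb{Z}_p$), obtains
$$\sigma_i = \frac{S_{i,i}}{S_i^{u_i}\, S_{j,i}^{u_i/u_j}} = \frac{S_{i,i}}{U_i^{s_i + s'_i}}.$$
For the index $i$ guaranteed by (9) this equals $g^{\omega}\bigl(H_0 \prod_{\ell=1}^{k} H_\ell^{T_\ell}\bigr)^{r}$, and $F$ can find that index without knowing $\omega$ or $r$ by checking, for each $i$,
$$e(\sigma_i, g) \overset{?}{=} W \cdot e\Bigl(H_0 \prod_{\ell=1}^{k} H_\ell^{T_\ell},\; R\Bigr),$$
which is exactly the Waters verification equation for the pair $(R, \sigma_i)$ on the message $T$.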

4 CIRC-CCA-secure encryption scheme

4.1 The scheme

Intuition. The PKE scheme we are about to present borrows ideas from the KDM-CPA-secure PKE schemes from [13, 28]. Both of these schemes build upon BHHO [12], and in particular allow the public generation of key-dependent ciphertexts; besides, both schemes work in rings $\mathbb{Z}_{N^i}$ and are proven secure under the DCR assumption. However, [13] use several $\mathbb{Z}_{N^i}$-elements to encrypt a blinding element (which is used to hide the actual payload message), whereas [28] use only one $\mathbb{Z}_{N^i}$-element in a larger ring (i.e., with larger $i$) for this purpose. One consequence is that the secret key in [13] consists of several smaller $\mathbb{Z}_N$-compartments, while the secret key of [28] consists of one large $\mathbb{Z}_{N^j}$-element (for $j > 1$). In our scheme, we will combine both concepts: our ciphertext encrypts a blinding element in several $\mathbb{Z}_{N^i}$-elements, each of which encodes a $\mathbb{Z}_{N^j}$-component. Our secret key thus consists of several larger $\mathbb{Z}_{N^j}$-components. This allows to use ideas from [13] in a setting in which some parts of the key are leaked (through key-dependent encryptions).

As we have mentioned, the schemes of [13, 28] allow to publicly generate ciphertexts which decrypt to a secret key component. This property enables a simulation that shows KDM-CPA security; namely, a simulation can now generate key-dependent challenge ciphertexts for an internally simulated adversary. However, this property is also highly dangerous in combination with a decryption oracle (as in KDM-CCA security), since now also an adversary can construct key-dependent ciphertexts and ask for their decryption. Our extension thus essentially consists in adding an authentication tag that causes the rejection of key-dependent decryption queries. The technical difficulty in this is that our simulation needs to add valid authentication tags to all simulated key-dependent ciphertexts. However, at the same time, the adversary must not be able to generate a valid authentication tag for a fresh key-dependent ciphertext.
(Thus, the simulation will require some kind of leverage over the adversary.) We resolve this problem with lossy algebraic filters. Essentially, we add an (encrypted) filter image of the encrypted message to each ciphertext as authentication tag. In the proof, all these filter images will be generated with respect to a lossy filter tag, so the image reveals little information about the encrypted secret keys. (Furthermore, even with different lossy filter tags, always the same information about the encrypted secret key is revealed.) At the same time, each decryption query of the adversary will refer to an injective filter tag (unless the adversary breaks the filter's evasiveness property). Thus, the adversary would have to predict the full secret key to generate a valid authentication tag for a key-dependent ciphertext. Since public key and (simulated) KDM ciphertexts reveal little information about the secret key, the adversary will fail to generate the right authentication tag with high probability.

The above strategy ensures that an adversary cannot (successfully) submit any key-dependent ciphertexts for decryption. However, we still need to ensure that our scheme withstands ordinary (i.e., key-independent) chosen-ciphertext attacks. To this end, we will additionally authenticate ciphertexts using a 2-universal hash proof system [19, 27, 25]. (Roughly speaking, this hash proof system ensures that the adversary does not gain any new information through key-independent decryption queries.) Our use of the 2-universal hash proof system is rather implicit in our scheme below; hash proofs consist of the group elements $(G_1, G_2) = (g_1^r, g_2^r)$ and $(\hat G_1, \hat G_2) = (g_1^{\hat r}, g_2^{\hat r})$.

Setting and ingredients. First, we assume an algorithm $\mathsf{GenN}$ that outputs $\ell_N$-bit Blum integers $N = PQ$ along with their prime factors $P$ and $Q$. If $N$ is clear from the context, we write $G_{rnd}$ and $G_{msg}$ for the unique subgroups of $\mathbb{Z}^*_{N^3}$ of order $(P-1)(Q-1)/4$, resp. $N^2$. We also write $h := 1 + N \bmod N^3$, so $\langle h \rangle = G_{msg}$. Note that it is efficiently possible to compute $\mathrm{dlog}_h(X) := x$ for $X := h^x \in G_{msg}$ and $x \in \mathbb{Z}_{N^2}$. Similarly, it is efficiently possible to test for membership in $G_{msg}$. In our scheme, $G_{msg}$ will be used to embed a suitably encoded message, and $G_{rnd}$ will be used for blinding. We require that $P$ and $Q$ are safe primes of bitlength between $\ell_N/2 - k$ and $\ell_N/2 + k$, $\gcd((P-1)(Q-1)/4, N) = 1$ (as, e.g., for uniform $P, Q$ of a certain length), $\ell_N \ge 25k + 8$ (e.g., $k = 80$ and $\ell_N$ chosen accordingly), the DCR assumption holds in $\mathbb{Z}^*_{N^3}$, and the DDH assumption holds in $G_{rnd}$. (Depending on $n$ below, shorter $\ell_N$ are possible; the relevant inequality that must hold is (17).) We also assume an $(\ell_{LAF}, n)$-lossy algebraic filter $\mathsf{LAF}$ for $n = 6$ and $\ell_{LAF} = (\ell_N + k + 1)/(n - 2)$. Our scheme will encrypt messages from the domain
$$\mathcal{M} := \mathbb{Z}_{2^{3k}} \times \mathbb{Z}_{p 2^{k}} \times \mathbb{Z}_{N 2^{k-2}},$$
where $p$ is the modulus of the used LAF. (The reason for this weird-looking message space will become clearer in the proof.) During encryption, we will have to treat a message $M = (a, b, c) \in \mathcal{M}$ both as an element of $\mathbb{Z}_{N^2}$ and as an LAF-input from $\mathbb{Z}_p^n$. In these cases, we can encode
$$[M]_{\mathbb{Z}} := a + 2^{3k} b + p\, 2^{4k} c \in \mathbb{Z}, \qquad [M]_{\mathbb{Z}_p^n} := \bigl(a,\; b \bmod p,\; c_0, \ldots, c_{n-3}\bigr) \in \mathbb{Z}_p^n \qquad (10)$$
for the natural interpretation of $\mathbb{Z}_i$-elements as integers between $0$ and $i - 1$, and $c$'s $p$-adic representation $(c_\ell)_{\ell=0}^{n-3} \in \mathbb{Z}_p^{n-2}$ with $c = \sum_{\ell=0}^{n-3} c_\ell\, p^\ell$. By our choice of $\ell_N$ and $\ell_{LAF}$, we have $0 \le [M]_{\mathbb{Z}} < N^2 2^{-k}$. However, the encoding $[M]_{\mathbb{Z}_p^n}$ is not injective, since it only depends on $b \bmod p$ (while $0 \le b < p 2^k$). Finally, we assume a strongly OT-EUF-CMA secure signature scheme $\mathsf{Sg} = (\mathsf{SGen}, \mathsf{Sig}, \mathsf{Ver})$ with $k$-bit verification keys, and a key-unique IND-CPA secure symmetric encryption scheme $(\mathsf{E}, \mathsf{D})$ (see Section 2) with $k$-bit symmetric keys $K$ and message space $\{0,1\}^*$. Now consider the following PKE scheme $\mathsf{PKE}$:

Public parameters. $\mathsf{Pars}(1^k)$ first runs $(N, P, Q) \leftarrow \mathsf{GenN}(1^k)$. Recall that this fixes the groups $G_{rnd}$ and $G_{msg}$. Then, $\mathsf{Pars}$ selects two generators $g_1, g_2$ of $G_{rnd}$. Finally, $\mathsf{Pars}$ runs $(Fpk, Ftd) \leftarrow \mathsf{FGen}(1^k)$ and outputs $pp = (N, g_1, g_2, Fpk)$. In the following, we denote with $p$ the LAF modulus contained in $Fpk$.

Key generation. $\mathsf{Gen}(pp)$ uniformly selects four messages $s_j = (a_j, b_j, c_j) \in \mathcal{M}$ (for $1 \le j \le 4$) as secret key, and sets
$$pk := \Bigl(u := g_1^{[s_1]_{\mathbb{Z}}}\, g_2^{[s_2]_{\mathbb{Z}}},\;\; v := g_1^{[s_3]_{\mathbb{Z}}}\, g_2^{[s_4]_{\mathbb{Z}}}\Bigr), \qquad sk := (s_j)_{j=1}^4.$$

Encryption. $\mathsf{Enc}(pp, pk, M)$, for $pp$ and $pk$ as above, and $M \in \mathcal{M}$, uniformly selects exponents $r, \hat r \in \mathbb{Z}_{N/4}$, a random filter core tag $t_c$, a $\mathsf{Sg}$-keypair $(vk, sgk) \leftarrow \mathsf{SGen}(1^k)$, and a random symmetric key $K \in \{0,1\}^k$ for $(\mathsf{E}, \mathsf{D})$, and computes
$$(G_1, G_2) := (g_1^{r}, g_2^{r}), \qquad Z := (u^{vk} v)^{r N^2},$$
$$(\hat G_1, \hat G_2) := (g_1^{\hat r}, g_2^{\hat r}), \qquad \hat Z := (u^{vk} v)^{r}\, u^{\hat r}\, h^{K + 2^k [M]_{\mathbb{Z}}},$$
$$C_E \leftarrow \mathsf{E}\bigl(K, \mathsf{LAF}_{Fpk,t}([M]_{\mathbb{Z}_p^n})\bigr), \qquad \sigma \leftarrow \mathsf{Sig}\bigl(sgk, ((G_j, \hat G_j)_{j=1}^2, Z, \hat Z, C_E, t_c)\bigr),$$
$$C := \bigl((G_j, \hat G_j)_{j=1}^2, Z, \hat Z, C_E, t_c, vk, \sigma\bigr)$$
for the auxiliary tag $t_a := vk$ and the resulting filter tag $t := (t_c, t_a)$.

Decryption. $\mathsf{Dec}(pp, sk, C)$, for $pp$, $sk$ and $C$ as above, first checks the signature $\sigma$ and rejects with $\bot$ if $\mathsf{Ver}(vk, ((G_j, \hat G_j)_{j=1}^2, Z, \hat Z, C_E, t_c), \sigma) = 0$, or if
$$Z \ne \Bigl(G_1^{[s_1]_{\mathbb{Z}} vk + [s_3]_{\mathbb{Z}}}\; G_2^{[s_2]_{\mathbb{Z}} vk + [s_4]_{\mathbb{Z}}}\Bigr)^{N^2}.$$
Then $\mathsf{Dec}$ computes
$$Z' := G_1^{[s_1]_{\mathbb{Z}} vk + [s_3]_{\mathbb{Z}}}\; G_2^{[s_2]_{\mathbb{Z}} vk + [s_4]_{\mathbb{Z}}}\; \hat G_1^{[s_1]_{\mathbb{Z}}}\; \hat G_2^{[s_2]_{\mathbb{Z}}}$$
and then $K \in \{0,1\}^k$, $M \in \mathcal{M}$ with $K + 2^k [M]_{\mathbb{Z}} := \mathrm{dlog}_h(\hat Z / Z')$. If $\hat Z / Z' \notin G_{msg}$, or no such $M$ exists, or $\mathsf{D}(K, C_E) \ne \mathsf{LAF}_{Fpk,t}([M]_{\mathbb{Z}_p^n})$ (for $t = (t_c, t_a)$ computed as during encryption), then $\mathsf{Dec}$ rejects with $\bot$. Else, $\mathsf{Dec}$ outputs $M$.

Secret keys as messages. Our scheme has secret keys $s = (s_j)_{j=1}^4 \in \mathcal{M}^4$; hence, we can only encrypt one quarter $s_j$ of a secret key at a time. In the security proof below, we will thus only consider KDM queries that ask to encrypt a specific secret key part. Alternatively, we can change our scheme, so that 4-tuples of $\mathcal{M}$-elements are encrypted. To avoid malleability (which would destroy CCA security), we of course have to use only one LAF tag for this. Our CIRC-CCA proof below applies to such a changed scheme with minor syntactic changes.

Efficiency. When instantiated with our DLIN-based LAF construction from Section 3, and taking $n = 6$ as above, our scheme has ciphertexts with 43 $\mathbb{G}$-elements, 6 $\mathbb{Z}_{N^3}$-elements, plus chameleon hash randomness, a one-time signature and verification key, and a symmetric ciphertext (whose size could be in the range of one $\mathbb{Z}_{N^2}$-element plus some encryption randomness). The number of group elements in the ciphertext is constant, and does not grow in the security parameter. The public parameters contain $O(k)$ group elements (most of them from $\mathbb{G}$; see footnote 10), and public keys contain two $\mathbb{Z}_{N^3}$-elements; secret keys consist of four $\mathbb{Z}_{N^2}$-elements. While these parameters are not competitive with current non-KDM-secure schemes, they are significantly better than those from the circular-secure scheme of Camenisch et al. [16] (see footnote 11).

4.2 Security proof (single-user case)

It is instructive to first treat the single-user case. Here, we essentially only require that $\mathsf{PKE}$ is IND-CCA secure, even if encryptions of its secret key are made public.

Theorem 4.1. Assume the DCR assumption holds in $\mathbb{Z}^*_{N^3}$, the DDH assumption holds in $G_{rnd}$, $\mathsf{LAF}$ is a lossy algebraic filter, $\mathsf{Sg}$ is a strongly OT-EUF-CMA secure signature scheme, $H$ is collision-resistant, and $(\mathsf{E}, \mathsf{D})$ is a key-unique IND-CPA secure SKE scheme. Then $\mathsf{PKE}$ is 1-CIRC-CCA-secure.

Proof. Assume a PPT adversary $A$ on $\mathsf{PKE}$'s 1-CIRC-CCA security. Say that $A$ always makes $q = q(k)$ KDM queries. We proceed in games. Let $out_i$ denote the output of Game $i$. Game 1 is the 1-KDM-CCA experiment with $\mathsf{PKE}$ and $A$. By definition, $\bigl|\Pr[out_1 = 1] - 1/2\bigr| = \mathrm{Adv}^{\mathrm{kdm\text{-}cca}}_{\mathsf{PKE},A}(k)$.

In Game 2, we modify the way KDM queries are answered. Namely, in each ciphertext prepared for $A$, we set up $Z$ and $\hat Z$ as
$$Z := \Bigl(G_1^{[s_1]_{\mathbb{Z}} vk + [s_3]_{\mathbb{Z}}}\; G_2^{[s_2]_{\mathbb{Z}} vk + [s_4]_{\mathbb{Z}}}\Bigr)^{N^2}, \qquad \hat Z := G_1^{[s_1]_{\mathbb{Z}} vk + [s_3]_{\mathbb{Z}}}\; G_2^{[s_2]_{\mathbb{Z}} vk + [s_4]_{\mathbb{Z}}}\; \hat G_1^{[s_1]_{\mathbb{Z}}}\; \hat G_2^{[s_2]_{\mathbb{Z}}}\; h^{K + 2^k [M]_{\mathbb{Z}}} \qquad (11)$$
for the already prepared $(G_j, \hat G_j) = (g_j^{r}, g_j^{\hat r})$. This change is only conceptual by our setup of $u, v$, so $\Pr[out_2 = 1] = \Pr[out_1 = 1]$.

In Game 3, we again change how KDM ciphertexts are prepared. Intuitively, our goal is now to prepare the $G_j$ and $\hat G_j$ with additional $G_{msg}$-components, such that $\hat Z$, as computed in (11), is

Footnote 10: Using the generalized LAF mentioned at the end of Section 3.2, public parameters with $O(1)$ group elements are possible, at the cost of a (constant) number of extra group elements per tag.

Footnote 11: For instance, Section 7 of the full version of [16] implies that their scheme has a public key of about 500 $\mathbb{G}$-elements (for $\log_2(|\mathbb{G}|) = 160$) and a correspondingly large ciphertext.

of the form $\tilde g\, h^{K}$ for some $\tilde g \in G_{rnd}$. (That is, we want the $G_{msg}$-components of the $G_j, \hat G_j$ to cancel out the $h^{2^k [M]_{\mathbb{Z}}}$ term in (11).) To do so, we prepare
$$G_j = g_j^{r} / h^{\alpha_j 2^k}, \qquad \hat G_j = g_j^{\hat r} / h^{\hat\alpha_j 2^k}$$
for $j \in \{1, 2\}$ and suitable $\alpha_j, \hat\alpha_j$ to be determined. $\hat Z$ is still computed as in (11), so
$$\hat Z = \tilde g \cdot h^{K + 2^k [M]_{\mathbb{Z}} - 2^k\bigl(\alpha_1([s_1]_{\mathbb{Z}} vk + [s_3]_{\mathbb{Z}}) + \alpha_2([s_2]_{\mathbb{Z}} vk + [s_4]_{\mathbb{Z}}) + \hat\alpha_1 [s_1]_{\mathbb{Z}} + \hat\alpha_2 [s_2]_{\mathbb{Z}}\bigr)}$$
for
$$\tilde g = g_1^{r([s_1]_{\mathbb{Z}} vk + [s_3]_{\mathbb{Z}}) + \hat r [s_1]_{\mathbb{Z}}}\; g_2^{r([s_2]_{\mathbb{Z}} vk + [s_4]_{\mathbb{Z}}) + \hat r [s_2]_{\mathbb{Z}}} = (u^{vk} v)^{r}\, u^{\hat r} \in G_{rnd}.$$
So to prepare a KDM encryption of $s_j$ with a $\hat Z$ of the form $\hat Z = \tilde g\, h^K$, we can set
$$(\alpha_1, \alpha_2, \hat\alpha_1, \hat\alpha_2) := \begin{cases} (0, 0, 1, 0) & \text{for } j = 1 \\ (0, 0, 0, 1) & \text{for } j = 2 \\ (1, 0, -vk, 0) & \text{for } j = 3 \\ (0, 1, 0, -vk) & \text{for } j = 4. \end{cases}$$
($vk$ can be chosen independently in advance.) The remaining parts of $C$ are prepared as in Game 2. We claim
$$\bigl|\Pr[out_3 = 1] - \Pr[out_2 = 1]\bigr| \;\le\; 4 \cdot \mathrm{Adv}^{\mathrm{dcr}}_{\mathbb{Z}^*_{N^3},B}(k) + O(2^{-k}) \qquad (12)$$
for a suitable DCR distinguisher $B$ that simulates Game 2, resp. Game 3. Concretely, $B$ gets as input a value $W \in \mathbb{Z}^*_{N^3}$ of the form $W = g^{N^2} h^{b}$ for $b \in \{0, 1\}$. Note that if we set $W' := W^{-2^k}$, we have $W' = g_r / h^{b 2^k} \in \mathbb{Z}^*_{N^3}$ with uniform $g_r \in G_{rnd}$. First, $B$ guesses a value of $j^* \in [4]$. (This gives a very small hybrid argument, in which in the $j^*$-th step, only encryptions of $s_{j^*}$ are changed.) We only detail $B$'s behavior for the case $j^* = 3$; the other cases are easier or analogous. First, $B$ sets up $g_1 := W'^{N^2}$ and $g_2 := W'^{\gamma N^4}$ for uniform $\gamma \in \mathbb{Z}_{N/4}$. To prepare an encryption of $s_3$, $B$ chooses uniform $\rho, \hat\rho \in \mathbb{Z}_{N^2/4}$ and sets
$$G_1 := W'^{\rho (\rho^{-1})}, \qquad G_2 := W'^{\gamma \rho (\rho^{-1}) N^2}, \qquad \hat G_1 := W'^{-vk\, \hat\rho (\hat\rho^{-1})}, \qquad \hat G_2 := W'^{-\gamma\, vk\, \hat\rho (\hat\rho^{-1}) N^2},$$
where the values $\rho^{-1}, \hat\rho^{-1}$ are computed modulo $N^2$ (so the integers $\rho(\rho^{-1})$ and $\hat\rho(\hat\rho^{-1})$ are $\equiv 1 \bmod N^2$, which is what fixes the $h$-components of $G_1$ and $\hat G_1$). This implicitly sets $r = \rho(\rho^{-1})/N^2 \bmod |G_{rnd}|$ and $\hat r = -vk\, \hat\rho(\hat\rho^{-1})/N^2 \bmod |G_{rnd}|$, both of which are statistically close to uniform. Furthermore, $G_j = g_j^{r} / h^{b \alpha_j 2^k}$ and $\hat G_j = g_j^{\hat r} / h^{b \hat\alpha_j 2^k}$; so, depending on $B$'s challenge, encryptions of $s_3$ are prepared as in Game 2 or Game 3. Similar arguments work for $j^* = 1, 2, 4$, and (12) follows. (The $O(2^{-k})$ term in (12) accounts for the statistical defect caused by choosing $G_{rnd}$-exponents from $\mathbb{Z}_{N/4}$, resp. $\mathbb{Z}_{N^2/4}$.)

Using the definition of $u$ and $v$, our change in Game 3 implies $\hat Z = (u^{vk} v)^{r}\, u^{\hat r}\, h^{K}$ when a key part $s_j$ is to be encrypted. (However, note that we still have $Z = (u^{vk} v)^{r N^2}$ in any case.) This means that $A$ still obtains information about the $s_j$ (beyond what is public from $pk$) from its KDM queries, but this information is limited to values $\mathsf{LAF}_{Fpk,t}([s_j]_{\mathbb{Z}_p^n})$. We will now further cap this leaked information by making $\mathsf{LAF}_{Fpk,t}(\cdot)$ lossy. Namely, in Game 4, we use the LAF trapdoor $Ftd$ initially sampled along with $Fpk$. Concretely, when preparing a ciphertext $C$ for $A$, we sample $t_c$ using $t_c \leftarrow \mathsf{FTag}(Ftd, t_a)$ for the corresponding auxiliary tag $t_a = vk$. A simple reduction shows
$$\bigl|\Pr[out_4 = 1] - \Pr[out_3 = 1]\bigr| = \mathrm{Adv}^{\mathrm{ind}}_{\mathsf{LAF},C_2}(k)$$
for a suitable adversary $C_2$ on LAF's indistinguishability.

In Game 5, we reject all decryption queries of $A$ that re-use a verification key $vk$ from one of the KDM ciphertexts. To show that this change does not significantly affect $A$'s view, assume a decryption query $C'$ that re-uses a key $vk' = vk$ from a KDM ciphertext $C$. Recall that $C$ contains a signature $\sigma$ of $X := ((G_j, \hat G_j)_{j=1}^2, Z, \hat Z, C_E, t_c)$ under an honestly generated $\mathsf{Sg}$-verification key $vk = t_a = t'_a = vk'$. Since $vk' = vk$, and $A$ is not allowed to query unchanged challenge ciphertexts for decryption, we must have $(X', \sigma') \ne (X, \sigma)$ for the corresponding message $X'$ and signature $\sigma'$ from $C'$. Hence, Game 4 and Game 5 only differ when $A$ manages to forge a signature. A straightforward reduction to the strong OT-EUF-CMA security of $\mathsf{Sg}$ yields
$$\bigl|\Pr[out_5 = 1] - \Pr[out_4 = 1]\bigr| = q(k) \cdot \mathrm{Adv}^{\mathrm{seuf\text{-}cma}}_{\mathsf{Sg},F}(k)$$
for a forger $F$ against $\mathsf{Sg}$ that makes at most one signature query.

In Game 6.$i$ (for $0 \le i \le q$), the first $i$ challenge ciphertexts are prepared using $Z = \hat g^{N^2}$ and $\hat Z = \hat g\, u^{\hat r} h^{K}$ (if a key component $s_j$ is to be encrypted), resp. $\hat Z = \hat g\, u^{\hat r} h^{K + 2^k [M]_{\mathbb{Z}}}$ (if a constant $M \in \mathcal{M}$ is to be encrypted), for an independently uniform $\hat g \in G_{rnd}$ drawn freshly for each ciphertext. Obviously, Game 6.0 is identical to Game 5: $\Pr[out_{6.0} = 1] = \Pr[out_5 = 1]$. We will move from Game 6.$i$ to Game 6.$(i+1)$ in several steps. During these steps, we denote with $C = ((G_j, \hat G_j)_{j=1}^2, Z, \hat Z, C_E, t_c, vk, \sigma)$ the $(i+1)$-st KDM ciphertext.

In Game 6.$i$.1, we change the $G_{rnd}$ parts of $G_1, G_2$ from a Diffie-Hellman tuple (with respect to $g_1, g_2$) to a random tuple. Concretely, if an $s_j$ is to be encrypted, we set $(G_1, G_2) = (g_1^{r_1} / h^{\alpha_1 2^k},\, g_2^{r_2} / h^{\alpha_2 2^k})$; if a constant $M$ is encrypted, we set $(G_1, G_2) = (g_1^{r_1}, g_2^{r_2})$, in both cases for independently uniform $r_1, r_2 \in \mathbb{Z}_{N/4}$. The $G_{msg}$ parts of $G_1, G_2$ are thus unchanged compared to Game 6.$i$. Note that the $\hat G_j$ are still prepared as $\hat G_j = g_j^{\hat r} / h^{\hat\alpha_j 2^k}$, resp. $\hat G_j = g_j^{\hat r}$. A straightforward reduction to the DDH assumption in $G_{rnd}$ yields
$$\Bigl|\sum_{i=1}^{q(k)} \bigl(\Pr[out_{6.i} = 1] - \Pr[out_{6.i.1} = 1]\bigr)\Bigr| = q(k) \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G_{rnd},D_1}(k) + O(2^{-k})$$
for a suitable $D_1$. The $O(2^{-k})$ error term accounts for the statistical difference caused by the choice of exponents $r_j \in \mathbb{Z}_{N/4}$, which induces an only almost-uniform distribution on group elements $g^{r_j}$.

Note that at this point, $Z$ and $\hat Z$ are still computed as in (11), even if an $s_j$ is to be encrypted. In Game 6.$i$.2, we compute $Z$ and $\hat Z$ as $Z = \hat g^{N^2}$ and $\hat Z = \hat g\, u^{\hat r} h^{K}$, resp. $\hat Z = \hat g\, u^{\hat r} h^{K + 2^k [M]_{\mathbb{Z}}}$ for a fresh $\hat g \in G_{rnd}$. Thus, the difference to Game 6.$i$.1 is that we substitute a $G_{rnd}$-element computed as $G_1^{[s_1]_{\mathbb{Z}} vk + [s_3]_{\mathbb{Z}}} G_2^{[s_2]_{\mathbb{Z}} vk + [s_4]_{\mathbb{Z}}}$ with a fresh random $\hat g$. To show that this change affects $A$'s view only negligibly, it suffices to show that $A$'s statistical information about
$$X := \mathrm{dlog}_g\Bigl(G_1^{[s_1]_{\mathbb{Z}} vk + [s_3]_{\mathbb{Z}}}\; G_2^{[s_2]_{\mathbb{Z}} vk + [s_4]_{\mathbb{Z}}}\Bigr) = \gamma_1 r_1 \bigl([s_1]_{\mathbb{Z}} vk + [s_3]_{\mathbb{Z}}\bigr) + \gamma_2 r_2 \bigl([s_2]_{\mathbb{Z}} vk + [s_4]_{\mathbb{Z}}\bigr) \bmod |G_{rnd}|$$
(for some arbitrary generator $g$ of $G_{rnd}$ and $\gamma_j = \mathrm{dlog}_g(g_j)$) is negligible. This part will be rather delicate, since we will have to argue that both $A$'s KDM queries and $A$'s decryption queries yield (almost) no information about $X$. First, observe that $A$ gets the following information about the $s_j$: $pk$ reveals (through $u$ and $v$) precisely the two linear equations $\gamma_1 [s_1]_{\mathbb{Z}} + \gamma_2 [s_2]_{\mathbb{Z}} \bmod |G_{rnd}|$ and $\gamma_1 [s_3]_{\mathbb{Z}} + \gamma_2 [s_4]_{\mathbb{Z}} \bmod |G_{rnd}|$ about the $s_j$, where the $\gamma_j$ are as above. For $r_1 \ne r_2$, these equations are linearly independent of the equation that defines $X$. Hence, for uniform $r_1, r_2$, $X$ is (almost) independent of $pk$. By LAF's lossiness, KDM queries yield (through $C_E = \mathsf{E}(K, \mathsf{LAF}_{Fpk,t}([s_j]_{\mathbb{Z}_p^n}))$) in total at most one equation
$$\omega_1 a_j + \omega_2 b_j + \sum_{\ell=0}^{n-3} \omega_{3+\ell}\, c_{j,\ell} \bmod p$$
for each $j$, where $(a_j, b_j, c_{j,0}, \ldots, c_{j,n-3}) := [s_j]_{\mathbb{Z}_p^n}$, and the $\omega_i$ are the (fixed) coefficients from LAF's lossiness property. (Recall the encodings $[s_j]_{\mathbb{Z}}$, $[s_j]_{\mathbb{Z}_p^n}$ of the $s_j = (a_j, b_j, c_j)$ from (10).) Hence, the $b_j \in \mathbb{Z}_{p 2^k}$ fully blind the information released about the $c_j \in \mathbb{Z}_{2^{k-2} N}$ through the KDM ciphertexts. Thus, KDM ciphertexts reveal no information about $c_j \bmod |G_{rnd}|$ and hence also about $[s_j]_{\mathbb{Z}} \bmod |G_{rnd}|$.
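The $\mathbb{Z}^*_{N^3}$ arithmetic of the scheme in Section 4.1 and the Game-3 preparation of key-dependent ciphertexts from the proof above, carried through on toy parameters. This is an added example written for this page, not code from the paper: it models only the $(G_j, \hat G_j, Z, \hat Z)$ components (the LAF image, the one-time signature and the symmetric ciphertext are omitted), and every parameter is a constructed toy value ($P = 11$, $Q = 47$, $k = 4$, small integers in place of the encodings $[s_j]_{\mathbb{Z}}$ and of $vk$) that violates the size requirements stated above and gives no security. It shows the Damgård-Jurik style decoding of $\mathrm{dlog}_h$ for $h = 1 + N$, the membership test for $G_{msg}$, that honest ciphertexts and the simulated Game-3 ciphertexts (equation (11) with the $\alpha$-shifted $G_j, \hat G_j$) both decrypt correctly, and that the latter satisfy $\hat Z = (u^{vk} v)^{r} u^{\hat r} h^{K}$ as claimed.

```python
"""Toy model of the Z_{N^3}^* arithmetic of Section 4.1 and of the Game-3 ciphertext
preparation of Section 4.2 (added example, not the paper's code).  Only the
(G_j, Ghat_j, Z, Zhat) components are modelled; LAF image, one-time signature and
symmetric ciphertext are omitted.  All parameters are constructed toy values."""
from math import gcd
import secrets

# Constructed toy parameters: safe primes P = 2P'+1, Q = 2Q'+1, both 3 mod 4,
# with gcd((P-1)(Q-1)/4, N) = 1 as the text requires (bit-length requirements ignored).
P, Q = 11, 47
PP, QQ = (P - 1) // 2, (Q - 1) // 2  # prime factors of |G_rnd| = P'Q'
N = P * Q
N2, N3 = N * N, N ** 3
H = 1 + N                            # h := 1 + N mod N^3; <h> = G_msg has order N^2
K_BITS = 4                           # toy k (the paper uses k = 80)


def in_G_msg(x):
    """G_msg is the unique subgroup of order N^2, so x lies in it iff x^(N^2) = 1 mod N^3."""
    return gcd(x, N3) == 1 and pow(x, N2, N3) == 1


def dlog_h(x):
    """dlog_h(x) for x = h^e in G_msg.  Since h^e = 1 + eN + C(e,2) N^2 (mod N^3), the
    integer L := (x - 1)/N satisfies L = e + C(e,2) N (mod N^2); e mod N is L mod N, and
    C(e,2) mod N depends only on e mod N (N is odd), which recovers e mod N^2."""
    assert in_G_msg(x)
    L = ((x - 1) // N) % N2
    e1 = L % N
    c2 = (e1 * (e1 - 1) // 2) % N
    return (L - c2 * N) % N2


def hpow(e):
    return pow(H, e % N2, N3)        # h has order N^2, so exponents live in Z_{N^2}


def find_generator(start):
    """Deterministic generator of G_rnd: x -> x^(4N^2) maps into the subgroup of order
    P'Q'; the first candidate of full order is returned."""
    for x in range(start, N3):
        g = pow(x, 4 * N2, N3)
        if gcd(x, N3) == 1 and pow(g, PP, N3) != 1 and pow(g, QQ, N3) != 1:
            return g


g1, g2 = find_generator(2), find_generator(3)


def keygen(z):
    """z = ([s_1]_Z, ..., [s_4]_Z): integer encodings of the four key parts (toy integers)."""
    z1, z2, z3, z4 = z
    u = pow(g1, z1, N3) * pow(g2, z2, N3) % N3
    v = pow(g1, z3, N3) * pow(g2, z4, N3) % N3
    return u, v


def enc_core(pk, zM, K, vk, r, rh):
    """Honest Enc: (G_j, Ghat_j, Z, Zhat) for the encoding zM = [M]_Z and symmetric key K."""
    u, v = pk
    w = pow(u, vk, N3) * v % N3                                   # u^vk * v
    G = (pow(g1, r, N3), pow(g2, r, N3))
    Gh = (pow(g1, rh, N3), pow(g2, rh, N3))
    Z = pow(w, r * N2, N3)                                        # (u^vk v)^(r N^2)
    Zh = pow(w, r, N3) * pow(u, rh, N3) * hpow(K + (zM << K_BITS)) % N3
    return G, Gh, Z, Zh


def dec_core(z, vk, C):
    """Dec: check Z against (G_1, G_2), then read (K, [M]_Z) off dlog_h(Zhat / Z')."""
    z1, z2, z3, z4 = z
    (G1, G2), (Gh1, Gh2), Z, Zh = C
    W = pow(G1, z1 * vk + z3, N3) * pow(G2, z2 * vk + z4, N3) % N3
    if Z != pow(W, N2, N3):
        return None                                               # reject
    Zp = W * pow(Gh1, z1, N3) * pow(Gh2, z2, N3) % N3
    Y = Zh * pow(Zp, -1, N3) % N3
    if not in_G_msg(Y):
        return None                                               # reject
    x = dlog_h(Y)
    return x % (1 << K_BITS), x >> K_BITS


def kdm_sim(z, j, K, vk, r, rh):
    """Game-3 encryption of the key part s_j: G_j = g_j^r / h^(alpha_j 2^k),
    Ghat_j = g_j^rh / h^(alphahat_j 2^k), and Z, Zhat computed as in (11)."""
    a1, a2, ah1, ah2 = {1: (0, 0, 1, 0), 2: (0, 0, 0, 1),
                        3: (1, 0, -vk, 0), 4: (0, 1, 0, -vk)}[j]
    s = 1 << K_BITS
    G = (pow(g1, r, N3) * hpow(-a1 * s) % N3, pow(g2, r, N3) * hpow(-a2 * s) % N3)
    Gh = (pow(g1, rh, N3) * hpow(-ah1 * s) % N3, pow(g2, rh, N3) * hpow(-ah2 * s) % N3)
    z1, z2, z3, z4 = z
    W = pow(G[0], z1 * vk + z3, N3) * pow(G[1], z2 * vk + z4, N3) % N3
    Zh = W * pow(Gh[0], z1, N3) * pow(Gh[1], z2, N3) * hpow(K + (z[j - 1] << K_BITS)) % N3
    return G, Gh, pow(W, N2, N3), Zh


def has_game3_form(pk, C, K, vk, r, rh):
    """The Game-3 claim: Zhat = (u^vk v)^r u^rh h^K, so [s_j]_Z no longer appears in Zhat."""
    u, v = pk
    w = pow(u, vk, N3) * v % N3
    return C[3] == pow(w, r, N3) * pow(u, rh, N3) * hpow(K) % N3


def demo():
    z = (123, 456, 789, 1011)   # constructed toy encodings [s_j]_Z (K + 2^k z_j < N^2 holds)
    K, vk = 9, 7                # toy symmetric key; a small integer stands in for vk
    pk = keygen(z)
    r, rh = secrets.randbelow(N // 4 - 1) + 1, secrets.randbelow(N // 4 - 1) + 1
    honest = dec_core(z, vk, enc_core(pk, 555, K, vk, r, rh))
    sims = {j: dec_core(z, vk, kdm_sim(z, j, K, vk, r, rh)) for j in (1, 2, 3, 4)}
    form_ok = all(has_game3_form(pk, kdm_sim(z, j, K, vk, r, rh), K, vk, r, rh)
                  for j in (1, 2, 3, 4))
    return honest, sims, form_ok


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the honestly decrypted `(K, [M]_Z)`, the decryptions of the four simulated key-dependent ciphertexts (each recovers `K` together with the respective `[s_j]_Z`, which is the "publicly generated ciphertext that decrypts to a key part" the intuition above refers to), and whether all four simulated $\hat Z$ values have the form $(u^{vk} v)^{r} u^{\hat r} h^{K}$. Note that `dec_core` performs the $Z$ consistency check and the $G_{msg}$ membership test of $\mathsf{Dec}$ before calling `dlog_h`; the signature and LAF checks of the real scheme are not modelled.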


More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen

More information

Password Based Key Exchange With Mutual Authentication

Password Based Key Exchange With Mutual Authentication Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca

More information

where a is any ideal of R. Lemma Let R be a ring. Then X = Spec R is a topological space. Moreover the open sets

where a is any ideal of R. Lemma Let R be a ring. Then X = Spec R is a topological space. Moreover the open sets 11. Schemes To defne schemes, just as wth algebrac varetes, the dea s to frst defne what an affne scheme s, and then realse an arbtrary scheme, as somethng whch s locally an affne scheme. The defnton of

More information

FACTORIZATION IN KRULL MONOIDS WITH INFINITE CLASS GROUP

FACTORIZATION IN KRULL MONOIDS WITH INFINITE CLASS GROUP C O L L O Q U I U M M A T H E M A T I C U M VOL. 80 1999 NO. 1 FACTORIZATION IN KRULL MONOIDS WITH INFINITE CLASS GROUP BY FLORIAN K A I N R A T H (GRAZ) Abstract. Let H be a Krull monod wth nfnte class

More information

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product 12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton

More information

More metrics on cartesian products

More metrics on cartesian products More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of

More information

FINITELY-GENERATED MODULES OVER A PRINCIPAL IDEAL DOMAIN

FINITELY-GENERATED MODULES OVER A PRINCIPAL IDEAL DOMAIN FINITELY-GENERTED MODULES OVER PRINCIPL IDEL DOMIN EMMNUEL KOWLSKI Throughout ths note, s a prncpal deal doman. We recall the classfcaton theorem: Theorem 1. Let M be a fntely-generated -module. (1) There

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law: CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and

More information

Decentralized Multi-Client Functional Encryption for Inner Product

Decentralized Multi-Client Functional Encryption for Inner Product Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent

More information

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 493 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces you have studed thus far n the text are real vector spaces because the scalars

More information

Finding Primitive Roots Pseudo-Deterministically

Finding Primitive Roots Pseudo-Deterministically Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms

More information

Finding Dense Subgraphs in G(n, 1/2)

Finding Dense Subgraphs in G(n, 1/2) Fndng Dense Subgraphs n Gn, 1/ Atsh Das Sarma 1, Amt Deshpande, and Rav Kannan 1 Georga Insttute of Technology,atsh@cc.gatech.edu Mcrosoft Research-Bangalore,amtdesh,annan@mcrosoft.com Abstract. Fndng

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of

More information

Homomorphic Trapdoor Commitments to Group Elements

Homomorphic Trapdoor Commitments to Group Elements Homomorphc Trapdoor Commtments to Group Elements Jens Groth Unversty College London j.groth@ucl.ac.uk Abstract We present homomorphc trapdoor commtments to group elements. In contrast, prevous homomorphc

More information

Lecture 12: Discrete Laplacian

Lecture 12: Discrete Laplacian Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly

More information

Min Cut, Fast Cut, Polynomial Identities

Min Cut, Fast Cut, Polynomial Identities Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.

More information

Module 9. Lecture 6. Duality in Assignment Problems

Module 9. Lecture 6. Duality in Assignment Problems Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept

More information

princeton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg

princeton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg prnceton unv. F 17 cos 521: Advanced Algorthm Desgn Lecture 7: LP Dualty Lecturer: Matt Wenberg Scrbe: LP Dualty s an extremely useful tool for analyzng structural propertes of lnear programs. Whle there

More information

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016 CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng

More information

Example: (13320, 22140) =? Solution #1: The divisors of are 1, 2, 3, 4, 5, 6, 9, 10, 12, 15, 18, 20, 27, 30, 36, 41,

Example: (13320, 22140) =? Solution #1: The divisors of are 1, 2, 3, 4, 5, 6, 9, 10, 12, 15, 18, 20, 27, 30, 36, 41, The greatest common dvsor of two ntegers a and b (not both zero) s the largest nteger whch s a common factor of both a and b. We denote ths number by gcd(a, b), or smply (a, b) when there s no confuson

More information

Efficient Ring Signatures Without Random Oracles

Efficient Ring Signatures Without Random Oracles Effcent Rng Sgnatures Wthout Random Oracles Hovav Shacham hovav.shacham@wezmann.ac.l Brent Waters bwaters@csl.sr.com Abstract We descrbe the frst effcent rng sgnature scheme secure, wthout random oracles,

More information

Polynomials. 1 More properties of polynomials

Polynomials. 1 More properties of polynomials Polynomals 1 More propertes of polynomals Recall that, for R a commutatve rng wth unty (as wth all rngs n ths course unless otherwse noted), we defne R[x] to be the set of expressons n =0 a x, where a

More information

APPENDIX A Some Linear Algebra

APPENDIX A Some Linear Algebra APPENDIX A Some Lnear Algebra The collecton of m, n matrces A.1 Matrces a 1,1,..., a 1,n A = a m,1,..., a m,n wth real elements a,j s denoted by R m,n. If n = 1 then A s called a column vector. Smlarly,

More information

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness. 20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed

More information

Composite Hypotheses testing

Composite Hypotheses testing Composte ypotheses testng In many hypothess testng problems there are many possble dstrbutons that can occur under each of the hypotheses. The output of the source s a set of parameters (ponts n a parameter

More information

Genericity of Critical Types

Genericity of Critical Types Genercty of Crtcal Types Y-Chun Chen Alfredo D Tllo Eduardo Fangold Syang Xong September 2008 Abstract Ely and Pesk 2008 offers an nsghtful characterzaton of crtcal types: a type s crtcal f and only f

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

Maximizing the number of nonnegative subsets

Maximizing the number of nonnegative subsets Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum

More information

Perfect Competition and the Nash Bargaining Solution

Perfect Competition and the Nash Bargaining Solution Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange

More information

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract)

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract) La-Massey Scheme and Quas-Festel Networks (Extended Abstract Aaram Yun, Je Hong Park 2, and Jooyoung Lee 2 Unversty of Mnnesota - Twn Ctes aaramyun@gmalcom 2 ETRI Network & Communcaton Securty Dvson, Korea

More information

Lecture 5 Decoding Binary BCH Codes

Lecture 5 Decoding Binary BCH Codes Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture

More information

SL n (F ) Equals its Own Derived Group

SL n (F ) Equals its Own Derived Group Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Graph Reconstruction by Permutations

Graph Reconstruction by Permutations Graph Reconstructon by Permutatons Perre Ille and Wllam Kocay* Insttut de Mathémathques de Lumny CNRS UMR 6206 163 avenue de Lumny, Case 907 13288 Marselle Cedex 9, France e-mal: lle@ml.unv-mrs.fr Computer

More information

Linearly Homomorphic Structure-Preserving Signatures and Their Applications

Linearly Homomorphic Structure-Preserving Signatures and Their Applications Lnearly Homomorphc Structure-Preservng Sgnatures and Ther Applcatons Benoît Lbert 1, Thomas Peters 2, Marc Joye 1, and Mot Yung 3 1 Techncolor (France) 2 Unversté catholque de Louvan, Crypto Group (Belgum)

More information

Canonical transformations

Canonical transformations Canoncal transformatons November 23, 2014 Recall that we have defned a symplectc transformaton to be any lnear transformaton M A B leavng the symplectc form nvarant, Ω AB M A CM B DΩ CD Coordnate transformatons,

More information

= z 20 z n. (k 20) + 4 z k = 4

= z 20 z n. (k 20) + 4 z k = 4 Problem Set #7 solutons 7.2.. (a Fnd the coeffcent of z k n (z + z 5 + z 6 + z 7 + 5, k 20. We use the known seres expanson ( n+l ( z l l z n below: (z + z 5 + z 6 + z 7 + 5 (z 5 ( + z + z 2 + z + 5 5

More information

and problem sheet 2

and problem sheet 2 -8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,

More information

Bounded Memory Leakage

Bounded Memory Leakage 6.889: New Developments n Cryptography prl 5, 2011 Instructor: Yael Tauman Kala Bounded Memory Leakage Scrbe: Raluca da Popa When desgnng cryptographc schemes, we usually rely on the assumpton that every

More information

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to

More information

Strongly Unforgeable Signatures Resilient to Polynomially Hard-to-Invert Leakage under Standard Assumptions

Strongly Unforgeable Signatures Resilient to Polynomially Hard-to-Invert Leakage under Standard Assumptions Strongly nforgeable Sgnatures Reslent to Polynomally Hard-to-Invert Leakage under Standard Assumptons Masahto Ishzaka and Kanta Matsuura Insttute of Industral Scence, The nversty of Tokyo, Tokyo, Japan.

More information

Algorithms for factoring

Algorithms for factoring CSA E0 235: Crytograhy Arl 9,2015 Instructor: Arta Patra Algorthms for factorng Submtted by: Jay Oza, Nranjan Sngh Introducton Factorsaton of large ntegers has been a wdely studed toc manly because of

More information

Vapnik-Chervonenkis theory

Vapnik-Chervonenkis theory Vapnk-Chervonenks theory Rs Kondor June 13, 2008 For the purposes of ths lecture, we restrct ourselves to the bnary supervsed batch learnng settng. We assume that we have an nput space X, and an unknown

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

1 Matrix representations of canonical matrices

1 Matrix representations of canonical matrices 1 Matrx representatons of canoncal matrces 2-d rotaton around the orgn: ( ) cos θ sn θ R 0 = sn θ cos θ 3-d rotaton around the x-axs: R x = 1 0 0 0 cos θ sn θ 0 sn θ cos θ 3-d rotaton around the y-axs:

More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

Salmon: Lectures on partial differential equations. Consider the general linear, second-order PDE in the form. ,x 2

Salmon: Lectures on partial differential equations. Consider the general linear, second-order PDE in the form. ,x 2 Salmon: Lectures on partal dfferental equatons 5. Classfcaton of second-order equatons There are general methods for classfyng hgher-order partal dfferental equatons. One s very general (applyng even to

More information

Generic Hardness of the Multiple Discrete Logarithm Problem

Generic Hardness of the Multiple Discrete Logarithm Problem Generc Hardness of the Multple Dscrete Logarthm Problem Aaram Yun Ulsan Natonal Insttute of Scence and Technology (UNIST) Republc of Korea aaramyun@unst.ac.kr Abstract. We study generc hardness of the

More information

Supplement: Proofs and Technical Details for The Solution Path of the Generalized Lasso

Supplement: Proofs and Technical Details for The Solution Path of the Generalized Lasso Supplement: Proofs and Techncal Detals for The Soluton Path of the Generalzed Lasso Ryan J. Tbshran Jonathan Taylor In ths document we gve supplementary detals to the paper The Soluton Path of the Generalzed

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

Report on Image warping

Report on Image warping Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information