A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION

Transcription

1 A ROBUST AND PLAINTEXT-AWARE VARIANT OF SIGNED ELGAMAL ENCRYPTION Joana Treger ANSSI, France. Session ID: CRYP-W21 Session Classification: Advanced

2 ELGAMAL ENCRYPTION & BASIC CONCEPTS

3 CDH / DDH Computational Diffie-Hellman Assumption : G generator of finite cyclic group G. For all efficient algorithms A : Pr A(Ga, Gb ) = Gab is at most negligible. Decisional Diffie-Hellman Assumption : G generator of finite cyclic group G. For all efficient algorithms A : Pr A(Ga, Gb, C) = 1 is at most negligible. Pr A(Ga, Gb, Gab ) = 1

4 ELGAMAL PUBLIC KEY ENCRYPTION SCHEME [ElGamal84] G is the generator of some finite cyclic group G of prime order p. Encryption [ Decryption ] [ pk : X = Gx r $ Zp* R Gr { Y { R0 MX Output : pk : X = Gx, sk : x r = (Y, R) ] Rx Output : M = Y /R0

5 IND-CPA / IND-CCA2 IND CPA Game b CCA2 Game M0, M1 M0, M1 b IND A? b =b b b A? b = b IND-CCA2 security: strongest security notion. O O

6 SECURITY OF ELGAMAL [TsiounisYung98] ElGamal is IND-CPA under DDH. ElGamal is not IND-CCA2. It is malleable: it s easy to transform a ciphertext into another one that decrypts to a related plaintext. An IND-CCA2 attacker can ask for a decryption to win the game. M0, M1 (Yb, R) A (ZYb, R) Mb Z O

7 HOW TO TWEAK ELGAMAL ENCRYPTION TO REACH IND-CCA2 SECURITY?

8 TWO OPTIONS 1st option: Include hashing [AbdallaBellareRogaway01] Example: DHIES - R is hashed through some random oracle to create a symmetric key used to encrypt the message. k = H(R, R0 ). The resulting scheme is no longer malleable. It requires a symmetric cipher. 2nd option: Add a non interactive proof of knowledge. Example: Schnorr Signed ElGamal (SS-EG) - Add a Schnorr signature as a PoK of r. [Jakobsson98] [TsiounisYung98]

9 PLAINTEXT-AWARENESS [BellareRogaway94] [BelDesaiPointchRog98] ROM-PA for a public-key encryption scheme: C LH, L, P Output: Dec( ) C : efficient ciphertext creator. P: efficient plaintext extractor.

10 PLAINTEXT-AWARENESS & IND-CCA2 SECURITY [BelDesaiPointchRog98] Intuitively The only way to produce a valid ciphertext is to apply the encryption algorithm to a public key and a message, rendering a decryption oracle available to an IND-CCA2 adversary useless. PA & IND-CCA2? ( IND-CPA + PA IND-CCA2

11 LIMITATIONS OF SS-EG So... Adding a Schnorr signature to ElGamal encryption would render the scheme IND-CCA2. However... No proof that SS-EG reaches IND-CCA2 security in the ROM; SS-EG is not plaintext-aware. [SeurinT13]

12 SCHNORR SIGNED ELGAMAL ENCRYPTION Decryption Encryption [ pk : X = Gx ] r, a $ Zp* R Gr, A Y M Xr { c [ Ga H(Y, R, A) s = a + cr Output : = (Y, R, s, c) pk : X = Gx sk : x { R0 A Rx Gs R ] c? c= H(Y, R, A) Output : M = Y /R0

13 SS-EG IS NOT PLAINTEXT AWARE [SeurinT13] Sketch of the proof: Assume it is ROM-PA secure and build a reduction that solves the CDH problem. (X = Gx, R = Gr ) R s, c $ Zp* Y $G A = Gs R c H(Y, R, A) = c L =; LH = ((Y, R, A), c) = (Y, R, s, c) Output: Gxr = Y /M M P pk : X = Gx

14 CPS-EG: A NEW VARIANT OF SIGNED ELGAMAL ENCRYPTION

15 Chaum Pedersen Signed ElGamal Add a CP signature as a PoK of a DL equality : logg(r)=logx(r ). [SeurinT13] CPS-EG - Definition Encryption [ pk : X = Gx Decryption ] r, a $ Zp* R Gr, A Y M Xr { c [ Ga, A0 Xa { R0 c 0 r 0 H(Y, R, R = X, A, A ) s = a + cr Output : pk : X = Gx sk : x = (Y, R, A, s) Rx, A0 ] Ax H(Y, R, R0, A, A0 )? Gs = ARc? Xs = A0 R0c Output : M = Y /R0

16 COMPARISON - EFFICIENCY Scheme pub., sec. key size exponen./ encryption exponen./ decryption ciphertext size ElGamal G, p 2 1 2G SS-EG G, p 3 2 2G+2p TDH-1 G, p 3 (+ 2 online) 3 3G+2p TDH-2 G, 2p 5 3 3G+2p CPS-EG G, p 4 4 3G+p [ShoupGen02]

17 CPS-EG REACHES IND-CCA2 SECURITY LH L = (Y, R, A, s) P Output: M = Y /R0 or?... c1 c2... LH CPS-EG is IND-CPA. CPS-EG is ROM-PA: (Y, R,, A, )? [SeurinT13] (? A = Gs R ci? A0 = X s R 0 Output: (Y, R, R0, A, A0 ) or ; ci

18 CAUTION Caution when relying on Chaum & Pedersen s signature: If one uses the pair (s,c) in the ciphertext instead of (A,s) the scheme does not remain IND-CPA. [Poettering] c = H(Y, R, R0, A, A0 ), R0 = Y /Mb. Part of the ciphertext M0, M1 known to the attacker. The attacker tries both values for R. A0 is deduced from R0, s, c and X : A0 = X s R0 c. It simply needs to test the two hash queries corresponding to the two possible values for R. This defect is avoided when using the pair (A,s). [SeurinT13-Full]

19 CPS-EG IS ANONYMOUS & STRONGLY ROBUST Anonymity [BellareBoldyrevaDesaiPointcheval01] A ciphertext does not reveal the public key under which it was created. CPS-EG is ANON-CCA2 under the DDH. Strong Robustness [AbdallaBellareNeven10] Hard to create a ciphertext that decrypts to a valid plaintext under 2 different secret keys. CPS-EG is SROB-CCA when H is a collisionresistant hash function.

20 COMPARISON - SECURITY Scheme IND-CCA2 under ElGamal (CPA under DDH) SS-EG ~ GGM TDH-1 DDH TDH-2 DDH CPS-EG DDH ANON+SROB

21 TO SUM UP New variant of signed ElGamal encryption : CPS-EG IND-CCA2-secure (plaintext-aware) under DDH assumption; Reaches CCA2-anonymity and strong robustness. There exists a hybrid version of CPS-EG. Full (and revised) version of this paper: Eprint #2012/649. [SeurinT13-Full]

22 THANKS

23 ADDITIONAL SLIDES

24 ELGAMAL

25 ELGAMAL: IND-CPA UNDER DDH Sketch of the proof: [TsiounisYung98] Reduction solving the DDH prob. from an IND-CPA attacker. (X = Gx, R = Gr, R0 ) pk R b $ X {0, 1} Output: b == b M0, M1 (Mb R0, R) b A

26 DHIES

27 1ST OPTION: HASHED VARIANT Example: DHIES [AbdallaBellareRogaway01] Encryption [ Decryption ] pk : X = Gx r $ Zp R Gr, R0 = X r { [ pk : X = Gx sk : x 0 k = H(R, R ) Output : = (R, c = Ek (M )) { ] R0 Rx k = H(R, R0 ) Output : M = Dk (c) The resulting scheme is no longer malleable. It requires a symmetric cipher.

28 SECURITY OF DHIES Strong Diffie-Hellman Assumption It is hard to compute DH(Y,X), even when additional access to a decision oracle is given, which on input (Z,T) returns 1 if DH(X,Z)=T and 0 otherwise.

29 LEMMA

30 CPS-EG - USEFUL LEMMA Fix X = Gx, x 2 Fp. Let R = Gr, R0, A = Ga, A0 2 G be four group elements such that r, a 6= 0 mod p, and R0 6= Rx or A0 6= Ax. Then there is at most one integer c 2 Zp such that there exists s 2 Zp satisfying both Gs = ARc and X s = A0 R0c.

31 NO PROOF OF IND-CCA2 SECURITY FOR SS-EG

32 SCHNORR SIGNATURES & FORKING LEMMA Schnorr signatures are not online-extractable Suppose there exists a forger and build a reduction that solves the DL problem. The reduction has to rewind the forger to obtain two signatures of the same message under the same public key. s R=G Y c s0 =G Y s s0 dlog(y ) = c c0 c0

33 NO PROOF THAT SS-EG IS IND-CCA2 IND-CCA2 security & SS-EG Schnorr signatures are not online-extractable. Setting: We consider a(ny) reduction that would use an IND-CCA2 adversary. The reduction has to answer hash queries and decryption queries. Possible for the adversary to construct a list of specific ciphertexts and hash queries, where one ciphert./h. query is obtained from the previous ones. If the attacker then sends its list of queries to the reduction, in the exact reverse order, then the reduction has to rewind the forger exponentially.

34 ROBUSTNESS AND ANONYMITY

35 WEAK ROBUSTNESS AND STRONG ROBUSTNESS Strong and Weak Robustness [AbdallaBellareNeven10] Definition [Weak robustness]: Hard to create a ciphertext that decrypts under 2 different secret keys. Definition [Strong Robustness]: Hard to produce a plaintext that, once encrypted under some public key, decrypts to a valid plaintext under another secret key. Robustness can always be achieved How? Append public key of the receiver to the ciphertext.

36 ROBUSTNESS COMBINED WITH ANONYMITY Robustness: Definition [Robustness]: Hard to create a ciphertext that decrypts under 2 different secret keys. Anonymity: Definition [Anonymity]: A ciphertext does not reveal the public key under which it was created. Anonymity + Robustness: Help make encryption more resistant to misuse. Ex. Anonymously send a ciphertext to a particular target of a larger group. Who s the target? Solution: Robustness. First solution for robustness not ok.

37 HYBRID VARIANT HCPS-EG

38 HYBRID VERSION

39 PROPERTIES OF HCPS-EG IND-CCA2 secure in the ROM under CDH. Using the weakest form of security for the data encapsulation mechanism (DEM): ciphertext indistinguishability under one-time attacks (IND-OT). Example: With AES in counter mode. Anonymous against CCA2-attacks under CDH. Strongly robust.

40 Efficient Public Key Cryptosystem Resilient to Key Leakage Chosen Ciphertext Attacks Shengli Liu 1, Jian Weng 2 and Yunlei Zhao 3 1 Shanghai Jiao Tong University (slliu@sjtu.edu.cn) 2 Jinan University(cryptjweng@gmail.com) 3 Fudan University(ylzhao@fudan.edu.cn) Liu, Weng and Zhao Efficient KL-CS-PKE Slide 1 of 40

41 Introduction and Motivation Liu, Weng and Zhao Efficient KL-CS-PKE Slide 2 of 40

42 Introduction to leakage-resilient PKE IND-CCA2 security assumes that the secret key sk is totally randomly distributed, i.e., Entropy(sk) = sk. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 3 of 40

43 Introduction to leakage-resilient PKE IND-CCA2 security assumes that the secret key sk is totally randomly distributed, i.e., Entropy(sk) = sk. Side-channel attack, i.e., memory attacks, may leak information about the secret key sk, i.e., Entropy(sk) sk. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 3 of 40

44 Introduction to leakage-resilient PKE IND-CCA2 security assumes that the secret key sk is totally randomly distributed, i.e., Entropy(sk) = sk. Side-channel attack, i.e., memory attacks, may leak information about the secret key sk, i.e., Entropy(sk) sk. Leakage-resilient public key encryption (PKE) schemes are designed to resist key leakage. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 3 of 40

45 Introduction to leakage-resilient PKE IND-CCA2 security assumes that the secret key sk is totally randomly distributed, i.e., Entropy(sk) = sk. Side-channel attack, i.e., memory attacks, may leak information about the secret key sk, i.e., Entropy(sk) sk. Leakage-resilient public key encryption (PKE) schemes are designed to resist key leakage. We will consider IND-CCA2 security in bounded key-leakage model, where the total amount of leaked information about the key is bounded by some parameter λ (bits). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 3 of 40

46 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40

47 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40

48 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. For chosen-ciphertext key leakage attacks (IND-KL-CCA2), Naorand Segev [NS09] proved that Noar-Yung s double encryption paradigm works as well. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40

49 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. For chosen-ciphertext key leakage attacks (IND-KL-CCA2), Naorand Segev [NS09] proved that Noar-Yung s double encryption paradigm works as well. IND-KL-CPA secure PKE1 + IND-KL-CPA secure PKE2 + NIZK Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40

50 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. For chosen-ciphertext key leakage attacks (IND-KL-CCA2), Naorand Segev [NS09] proved that Noar-Yung s double encryption paradigm works as well. IND-KL-CPA secure PKE1 + IND-KL-CPA secure PKE2 + NIZK Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40

51 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. For chosen-ciphertext key leakage attacks (IND-KL-CCA2), Naorand Segev [NS09] proved that Noar-Yung s double encryption paradigm works as well. IND-KL-CPA secure PKE1 + IND-KL-CPA secure PKE2 + NIZK IND-KL-CCA2 secure PKE Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40

52 Related Works In 2005, Akavia et.al.[agv09] showed that the lattice-based PKE scheme proposed by Regev [R05] is resilient to any leakage of L/polylog(L) bits, with L the bit length of the secret key. In 2009, Noar and Segev [NS09] suggested that any PKE based on hash proof systems [CS02] can be made secure against chosen-plaintext key leakage attacks (IND-KL-CPA) with help of randomness extractors. For chosen-ciphertext key leakage attacks (IND-KL-CCA2), Naorand Segev [NS09] proved that Noar-Yung s double encryption paradigm works as well. IND-KL-CPA secure PKE1 + IND-KL-CPA secure PKE2 + NIZK IND-KL-CCA2 secure PKE The key leakage λ is also up to L(1 o(1)). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 4 of 40

53 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40

54 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. They proposed a new concept of true-simulation extractable NIZK arguments, and gave a construction of IND-KL-CCA2-secure PKE from an IND-KL-CPA secure one together with a strong f -true-simulation extractable NIZK argument. The key leakage λ is also up to L(1 o(1)). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40

55 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. They proposed a new concept of true-simulation extractable NIZK arguments, and gave a construction of IND-KL-CCA2-secure PKE from an IND-KL-CPA secure one together with a strong f -true-simulation extractable NIZK argument. The key leakage λ is also up to L(1 o(1)). IND-KL-CPA secure PKE + strong f -true-simulation extractable NIZK Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40

56 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. They proposed a new concept of true-simulation extractable NIZK arguments, and gave a construction of IND-KL-CCA2-secure PKE from an IND-KL-CPA secure one together with a strong f -true-simulation extractable NIZK argument. The key leakage λ is also up to L(1 o(1)). IND-KL-CPA secure PKE + strong f -true-simulation extractable NIZK Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40

57 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. They proposed a new concept of true-simulation extractable NIZK arguments, and gave a construction of IND-KL-CCA2-secure PKE from an IND-KL-CPA secure one together with a strong f -true-simulation extractable NIZK argument. The key leakage λ is also up to L(1 o(1)). IND-KL-CPA secure PKE + strong f -true-simulation extractable NIZK IND-KL-CCA2 secure PKE Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40

58 In 2010, Dodis et.al. [DHLW10] exploited more efficient ways to achieve IND-KL-CCA2 security. They proposed a new concept of true-simulation extractable NIZK arguments, and gave a construction of IND-KL-CCA2-secure PKE from an IND-KL-CPA secure one together with a strong f -true-simulation extractable NIZK argument. The key leakage λ is also up to L(1 o(1)). IND-KL-CPA secure PKE + strong f -true-simulation extractable NIZK IND-KL-CCA2 secure PKE The key leakage λ is also up to L(1 o(1)). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 5 of 40

59 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40

60 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. x 1, x 2, y 1, y 2 }{{} c }{{} d z 1, z 2 }{{} h Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40

61 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. x 1, x 2, y 1, y 2 }{{} c }{{} d z 1, z }{{} 2 h Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40

62 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. x 1, x 2, y 1, y 2 }{{} c }{{} d consistence check z 1, z }{{} 2 h one-time key Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40

63 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. x 1, x 2, y 1, y 2 }{{} c }{{} d consistence check z 1, z }{{} 2 h one-time key Encryption u 1 = g r 1, u 2 = g r 2, r Z q, s {0, 1} t ; e = M Ext(h r, s); Decryption α = T(u 1, u 2, e, s); If v u x 1+y 1 α 1 u x 2+y 2 α 2, output ; α = T(u 1, u 2, e, s); v = c r d rα ; otherwise M = e Ext(u z 1 1 u z 2 2, s); Output (u 1, u 2, s, e, v). Output M. Figure: The KL-CS-PKE Scheme by Naor-Segev. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40

64 Practical PKE with IND-KL-CCA2 Security The variant of Cramer-Shoup cryptosystem ( KL-CS-PKE ) presented by Naor-Segev [NS,CRYPTO09] is the most practical one. x 1, x 2, y 1, y 2 }{{} c }{{} d consistence check z 1, z }{{} 2 h one-time key Encryption u 1 = g r 1, u 2 = g r 2, r Z q, s {0, 1} t ; e = M Ext(h r, s); Decryption α = T(u 1, u 2, e, s); If v u x 1+y 1 α 1 u x 2+y 2 α 2, output ; α = T(u 1, u 2, e, s); v = c r d rα ; otherwise M = e Ext(u z 1 1 u z 2 2, s); Output (u 1, u 2, s, e, v). Output M. Figure: The KL-CS-PKE Scheme by Naor-Segev. It uses extractors to deal with key leakage. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 6 of 40

65 Liu, Weng and Zhao Efficient KL-CS-PKE Slide 7 of 40

66 Undesirable dependency between λ and m: λ + m log 2 q ω(log κ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 7 of 40

67 Undesirable dependency between λ and m: λ + m log 2 q ω(log κ). m is the bit length of plaintext; Liu, Weng and Zhao Efficient KL-CS-PKE Slide 7 of 40

68 Undesirable dependency between λ and m: λ + m log 2 q ω(log κ). m is the bit length of plaintext; q is the order of the group that CS is based. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 7 of 40

69 Undesirable dependency between λ and m: λ + m log 2 q ω(log κ). m is the bit length of plaintext; q is the order of the group that CS is based. Naor and Segev noted this and called for further refinement. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 7 of 40

70 Our contributions Liu, Weng and Zhao Efficient KL-CS-PKE Slide 8 of 40

71 Our contributions As a response to the calling-for of Naor and Segev [NS09], this work answers the open question proposed in [NS09], and follows a new technical line. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 8 of 40

72 Our contributions As a response to the calling-for of Naor and Segev [NS09], this work answers the open question proposed in [NS09], and follows a new technical line. Our proposal is almost efficient as the CS-PKE, and we show it is λ log q ω(log κ) leakage resilient. In addition, it has the following two advantages: Liu, Weng and Zhao Efficient KL-CS-PKE Slide 8 of 40

73 Our contributions As a response to the calling-for of Naor and Segev [NS09], this work answers the open question proposed in [NS09], and follows a new technical line. Our proposal is almost efficient as the CS-PKE, and we show it is λ log q ω(log κ) leakage resilient. In addition, it has the following two advantages: The plaintext space is the group G, enjoying a constant size q. It is independent of the leakage parameter λ. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 8 of 40

74 Our contributions As a response to the calling-for of Naor and Segev [NS09], this work answers the open question proposed in [NS09], and follows a new technical line. Our proposal is almost efficient as the CS-PKE, and we show it is λ log q ω(log κ) leakage resilient. In addition, it has the following two advantages: The plaintext space is the group G, enjoying a constant size q. It is independent of the leakage parameter λ. The security reduction is tighter than that of KL-CS-PKE [NS09]. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 8 of 40

75 Preliminaries Liu, Weng and Zhao Efficient KL-CS-PKE Slide 9 of 40

76 Statistical Distance, Min-Entropy, and Leftover Hash Lemma Definition Let X be a random variable, which takes value from a finite set X. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 10 of 40

77 Statistical Distance, Min-Entropy, and Leftover Hash Lemma Definition Let X be a random variable, which takes value from a finite set X. The guessing probability of X is defined as P g (X) = max x X Pr[X = x]. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 10 of 40

78 Statistical Distance, Min-Entropy, and Leftover Hash Lemma Definition Let X be a random variable, which takes value from a finite set X. The guessing probability of X is defined as P g (X) = max x X Pr[X = x]. The min entropy of X is defined as H (X) := log P g (X). The average min-entropy of X given Y is defined as the logarithm of the average guessing probability of X given Y, i.e., ( ) H (X Y ) := log E y Y [2 H (X Y =y) ]. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 10 of 40

79 Statistical Distance, Min-Entropy, and Leftover Hash Lemma Definition Let X be a random variable, which takes value from a finite set X. The guessing probability of X is defined as P g (X) = max x X Pr[X = x]. The min entropy of X is defined as H (X) := log P g (X). The average min-entropy of X given Y is defined as the logarithm of the average guessing probability of X given Y, i.e., ( ) H (X Y ) := log E y Y [2 H (X Y =y) ]. The statistic distance of two distributions of variable X and Y is defined as SD(X, Y ) = 1 Pr[X = a] Pr[Y = a]. 2 a X Liu, Weng and Zhao Efficient KL-CS-PKE Slide 10 of 40

80 Statistical Distance, Min-Entropy, and Leftover Hash Lemma Definition Let X be a random variable, which takes value from a finite set X. The guessing probability of X is defined as P g (X) = max x X Pr[X = x]. The min entropy of X is defined as H (X) := log P g (X). The average min-entropy of X given Y is defined as the logarithm of the average guessing probability of X given Y, i.e., ( ) H (X Y ) := log E y Y [2 H (X Y =y) ]. The statistic distance of two distributions of variable X and Y is defined as SD(X, Y ) = 1 Pr[X = a] Pr[Y = a]. 2 a X Liu, Weng and Zhao Efficient KL-CS-PKE Slide 10 of 40

81 Universal Hash and Examples Definition (Universal hash functions) A family of functions {H k : X Y, k K} is universal if for all x 1 x 2 with x 1, x 2 X. Pr k K [H k (x 1 ) = H k (x 2 )] 1 Y. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 11 of 40

82 Universal Hash and Examples Definition (Universal hash functions) A family of functions {H k : X Y, k K} is universal if for all x 1 x 2 with x 1, x 2 X. Pr k K [H k (x 1 ) = H k (x 2 )] 1 Y. Shoup05 : Universal hash {H k1,k 2,,k l : F l+1 q F q, k i F q, i = 1, 2,, l} H k1,k 2,,k l (x 0, x 1,, x l ) = x 0 + k 1 x k l x l. All operations are in the prime field F q. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 11 of 40

83 Universal Hash and Examples Definition (Universal hash functions) A family of functions {H k : X Y, k K} is universal if for all x 1 x 2 with x 1, x 2 X. Pr k K [H k (x 1 ) = H k (x 2 )] 1 Y. Shoup05 : Universal hash {H k1,k 2,,k l : F l+1 q F q, k i F q, i = 1, 2,, l} H k1,k 2,,k l (x 0, x 1,, x l ) = x 0 + k 1 x k l x l. All operations are in the prime field F q. Let G be a multiplicative group of prime order q with generator g. Then (Z q, +) = (G, ) with bijection x g x. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 11 of 40

84 Universal Hash and Examples Definition (Universal hash functions) A family of functions {H k : X Y, k K} is universal if for all x 1 x 2 with x 1, x 2 X. Pr k K [H k (x 1 ) = H k (x 2 )] 1 Y. Shoup05 : Universal hash {H k1,k 2,,k l : F l+1 q F q, k i F q, i = 1, 2,, l} H k1,k 2,,k l (x 0, x 1,, x l ) = x 0 + k 1 x k l x l. All operations are in the prime field F q. Let G be a multiplicative group of prime order q with generator g. Then (Z q, +) = (G, ) with bijection x g x. The family {H k1,k 2,,k l : G l+1 G, k i Z q, i = 1, 2,, l} is universal, where H k1,k 2,,k l (g 0, g 1,, g l ) = g 0 g k gk l l (= g x0+k1x1+ +k lx l ), with g i = g xi for i = 0, 1,, l. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 11 of 40

85 Leftover Hash Lemma[Dodis08] Lemma Assume {H k : X Y} k K is a family of universal hash functions. For any random variables X X, Z Z, and K K, SD((H k (X), K), (U Y, K)) 1 Pc (X) Y H (X) Y, and SD((H k (X), K, Z), (U Y, K, Z)) H (X Z) Y, where U Y denotes a uniform distribution over Y. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 12 of 40

86 Extractors with Universal Hashing [Dodis08] Liu, Weng and Zhao Efficient KL-CS-PKE Slide 13 of 40

87 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40

88 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Morning Besides normal queries to decryption oracle Dec(sk, ), A is also allowed to make queries to a key-leakage oracle KL(sk), as follows: A can adaptively query the oracle KL(sk) with any function f i, i 1, and then gets back f i (sk). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40

89 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Morning Besides normal queries to decryption oracle Dec(sk, ), A is also allowed to make queries to a key-leakage oracle KL(sk), as follows: A can adaptively query the oracle KL(sk) with any function f i, i 1, and then gets back f i (sk). Noon A submits two messages (M 0, M 1 ) of equal length to the encryption oracle. The encryption oracle picks a random bit σ {0, 1} and responds with the target" ciphertext ψ = Encrypt(PK, m σ ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40

90 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Morning Besides normal queries to decryption oracle Dec(sk, ), A is also allowed to make queries to a key-leakage oracle KL(sk), as follows: A can adaptively query the oracle KL(sk) with any function f i, i 1, and then gets back f i (sk). Noon A submits two messages (M 0, M 1 ) of equal length to the encryption oracle. The encryption oracle picks a random bit σ {0, 1} and responds with the target" ciphertext ψ = Encrypt(PK, m σ ). Afternoon A continues to query the decryption oracle with arbitrary ciphertext ψ under the restriction: ψ ψ, but the KL(sk) oracle access is denied in the afternoon. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40

91 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Morning Besides normal queries to decryption oracle Dec(sk, ), A is also allowed to make queries to a key-leakage oracle KL(sk), as follows: A can adaptively query the oracle KL(sk) with any function f i, i 1, and then gets back f i (sk). Noon A submits two messages (M 0, M 1 ) of equal length to the encryption oracle. The encryption oracle picks a random bit σ {0, 1} and responds with the target" ciphertext ψ = Encrypt(PK, m σ ). Afternoon A continues to query the decryption oracle with arbitrary ciphertext ψ under the restriction: ψ ψ, but the KL(sk) oracle access is denied in the afternoon. Guess A outputs a guess bit ˆσ {0, 1}. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40

92 IND-KL-CCA2 Security KL-CCA2 Game: Adversary A v.s. its environment Setup A queries the key generation oracle. The key generation oracle computes (PK,SK) and responds with PK. Morning Besides normal queries to decryption oracle Dec(sk, ), A is also allowed to make queries to a key-leakage oracle KL(sk), as follows: A can adaptively query the oracle KL(sk) with any function f i, i 1, and then gets back f i (sk). Noon A submits two messages (M 0, M 1 ) of equal length to the encryption oracle. The encryption oracle picks a random bit σ {0, 1} and responds with the target" ciphertext ψ = Encrypt(PK, m σ ). Afternoon A continues to query the decryption oracle with arbitrary ciphertext ψ under the restriction: ψ ψ, but the KL(sk) oracle access is denied in the afternoon. Guess A outputs a guess bit ˆσ {0, 1}. The KL-CCA advantage of A against a PKE scheme: Adv A = Pr[σ = ˆσ] 1/2. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 14 of 40

93 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] Key Generation A group (G, q, g). T: TCR hash function. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 15 of 40

94 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] Key Generation A group (G, q, g). T: TCR hash function. { secret key: x1, x 2, y 1, y 2, z 1, z 2 R Z q public key: c = g x1 1 gx2 2, d = gy1 1 gy2 2, h = gz1 1 gz2 2. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 15 of 40

95 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] Key Generation A group (G, q, g). T: TCR hash function. { secret key: x1, x 2, y 1, y 2, z 1, z 2 R Z q public key: c = g x1 1 gx2 2, d = gy1 1 gy2 2, h = gz1 1 gz2 2. PK = (G, q, g, T, c, d, h), SK = (x 1, x 2, y 1, y 2, z 1, z 2 ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 15 of 40

96 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] Key Generation A group (G, q, g). T: TCR hash function. { secret key: x1, x 2, y 1, y 2, z 1, z 2 R Z q public key: c = g x1 1 gx2 2, d = gy1 1 gy2 2, h = gz1 1 gz2 2. PK = (G, q, g, T, c, d, h), SK = (x 1, x 2, y 1, y 2, z 1, z 2 ). Encryption u 1 = g r 1, u 2 = g r 2, r Z q, s {0, 1} t ; e = M Ext(h r, s); Decryption α = T(u 1, u 2, e, s); If v u x 1+y 1 α 1 u x 2+y 2 α 2, output ; α = T(u 1, u 2, e, s); v = c r d rα ; otherwise M = e Ext(u z 1 1 u z 2 2, s); Output (u 1, u 2, s, e, v). Output M. Figure: The KL-CS-PKE Scheme by Naor-Segev. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 15 of 40

97 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] The key leakage of CS-PKE brings two effects: Liu, Weng and Zhao Efficient KL-CS-PKE Slide 16 of 40

98 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] The key leakage of CS-PKE brings two effects: The information leakage related to (x 1, x 2, y 1, y 2) makes the security reduction looser than that of CS-PKE. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 16 of 40

99 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] The key leakage of CS-PKE brings two effects: The information leakage related to (x 1, x 2, y 1, y 2) makes the security reduction looser than that of CS-PKE. The information leakage related to (z 1, z 2) makes it unsuitable to mask the plaintext directly. Naor and Segev employed an extractor Ext to distill a random shorter key from the ephemeral key u z 1 1 u z 2 2 that is in turn used to mask the plaintext. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 16 of 40

100 Overview of KL-CS-PKE by Naor and Segev [CRYPTO09] The key leakage of CS-PKE brings two effects: The information leakage related to (x 1, x 2, y 1, y 2) makes the security reduction looser than that of CS-PKE. The information leakage related to (z 1, z 2) makes it unsuitable to mask the plaintext directly. Naor and Segev employed an extractor Ext to distill a random shorter key from the ephemeral key u z 1 1 u z 2 2 that is in turn used to mask the plaintext. m log 2 q λ ω(log κ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 16 of 40

101 Our Proposal Liu, Weng and Zhao Efficient KL-CS-PKE Slide 17 of 40

102 New Idea and Key Observation The new idea is that all the three parts of secret key, namely (x 1, x 2 ), (y 1, y 2 ) and (z 1, z 2 ), are involved both in the ciphertext consistence check and the random distillation to mask plaintexts. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 18 of 40

103 New Idea and Key Observation The new idea is that all the three parts of secret key, namely (x 1, x 2 ), (y 1, y 2 ) and (z 1, z 2 ), are involved both in the ciphertext consistence check and the random distillation to mask plaintexts. The key observation is: The three parts of secret key altogether imply larger average min-entropy, even conditioned on all the leaked information bounded by λ log q ω(log κ). Larger min-entropy implies more randomness can be distilled. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 18 of 40

104 New Idea and Key Observation The new idea is that all the three parts of secret key, namely (x 1, x 2 ), (y 1, y 2 ) and (z 1, z 2 ), are involved both in the ciphertext consistence check and the random distillation to mask plaintexts. The key observation is: The three parts of secret key altogether imply larger average min-entropy, even conditioned on all the leaked information bounded by λ log q ω(log κ). Larger min-entropy implies more randomness can be distilled. On the other hand, we use a special universal hash function (i.e., H s(a, b) = a b s, for a, b G and s Z q) as an extractor, where a = (cd) r and b = h r for r Z q with our proposal, which allows plaintext space to be G, and makes the security proof neat and tighter. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 18 of 40

105 New Idea and Key Observation The new idea is that all the three parts of secret key, namely (x 1, x 2 ), (y 1, y 2 ) and (z 1, z 2 ), are involved both in the ciphertext consistence check and the random distillation to mask plaintexts. The key observation is: The three parts of secret key altogether imply larger average min-entropy, even conditioned on all the leaked information bounded by λ log q ω(log κ). Larger min-entropy implies more randomness can be distilled. On the other hand, we use a special universal hash function (i.e., H s(a, b) = a b s, for a, b G and s Z q) as an extractor, where a = (cd) r and b = h r for r Z q with our proposal, which allows plaintext space to be G, and makes the security proof neat and tighter. The actual design of our proposal was also carefully guided by the underlying analysis, particularly for ensuring non-zero matrix determinant. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 18 of 40

106 Overview of Our Proposal Encryption u 1 = g r 1, u 2 = g r 2, r, s Z q; α = T(u 1, u 2, e, s); e = M (cd) r h rs ; α = T(u 1, u 2, e, s); v = (c h) r d rα ; Decryption If v u x1+y1α+z1 1 u x2+y2α+z2 2, outpu otherwise Output (u 1, u 2, s, e, v) Output M. Figure: Our proposal M = e u (x1+y1+z1s) 1 u (x2+y2+z2s 2 Liu, Weng and Zhao Efficient KL-CS-PKE Slide 19 of 40

107 Proof Outline Liu, Weng and Zhao Efficient KL-CS-PKE Slide 20 of 40

108 Main Theorem Theorem The above scheme is (log q, λ, ɛ)-ind-kl-cca2 secure public key encryption scheme. Here q is the prime order of the group G that PKE is based on, λ log q ω(log κ) (more precisely, λ log q 2 log 1 2λ/2 1 δ + 2 where δ = q )) and ɛ Adv DDH (κ) + Adv TCR (κ) + 2λ Q(κ) q Q(κ) + 2λ/2 1 q, where Q(κ) is the number of decryption queries. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 21 of 40

109 Main Theorem Theorem The above scheme is (log q, λ, ɛ)-ind-kl-cca2 secure public key encryption scheme. Here q is the prime order of the group G that PKE is based on, λ log q ω(log κ) (more precisely, λ log q 2 log 1 2λ/2 1 δ + 2 where δ = q )) and ɛ Adv DDH (κ) + Adv TCR (κ) + 2λ Q(κ) q Q(κ) + 2λ/2 1 q, where Q(κ) is the number of decryption queries. Plaintext length m = log q; Liu, Weng and Zhao Efficient KL-CS-PKE Slide 21 of 40

110 Main Theorem Theorem The above scheme is (log q, λ, ɛ)-ind-kl-cca2 secure public key encryption scheme. Here q is the prime order of the group G that PKE is based on, λ log q ω(log κ) (more precisely, λ log q 2 log 1 2λ/2 1 δ + 2 where δ = q )) and ɛ Adv DDH (κ) + Adv TCR (κ) + 2λ Q(κ) q Q(κ) + 2λ/2 1 q, where Q(κ) is the number of decryption queries. Plaintext length m = log q; Leakage parameter λ = log q o(1). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 21 of 40

111 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40

112 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Game 0: The original KL-CCA2 game. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40

113 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Game 0: The original KL-CCA2 game. Game 1: The same as Game 0 except for the generation of the challenge ciphertext ψ. In this game, the simulator generates the target ciphertext ψ = (u 1, u 2, e, s, v ) with its secret key SK as follows. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40

114 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Game 0: The original KL-CCA2 game. Game 1: The same as Game 0 except for the generation of the challenge ciphertext ψ. In this game, the simulator generates the target ciphertext ψ = (u1, u2, e, s, v ) with its secret key SK as follows. e = M u (x1+y1+z1s) 1 u (x2+y2+z2s) 2 = M (cd) r h rs ; Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40

115 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Game 0: The original KL-CCA2 game. Game 1: The same as Game 0 except for the generation of the challenge ciphertext ψ. In this game, the simulator generates the target ciphertext ψ = (u1, u2, e, s, v ) with its secret key SK as follows. e = M u (x1+y1+z1s) 1 u (x2+y2+z2s) 2 = M (cd) r h rs ; v = u x1+y1α+z1 1 u x2+y2α+z2 2 = (c h) r d rα. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40

116 Security Proof We proceed with a series of games played between a simulator D and an adversary A, and show that Game i and Game i + 1 are indistinguishable except with negligible probability, i = 0, 1, 2, 3, 4, 5. We define S i as the event that the adversary A outputs a correct guess of b. Game 0: The original KL-CCA2 game. Game 1: The same as Game 0 except for the generation of the challenge ciphertext ψ. In this game, the simulator generates the target ciphertext ψ = (u1, u2, e, s, v ) with its secret key SK as follows. e = M u (x1+y1+z1s) 1 u (x2+y2+z2s) 2 = M (cd) r h rs ; v = u x1+y1α+z1 1 u x2+y2α+z2 2 = (c h) r d rα. The change is only conceptual, and thus Pr[S 1 ] = Pr[S 0 ]. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 22 of 40

117 Game 2: Same as Game 1 except for the generation of the challenge ciphertext C = (u1, u2, e, s, v ), where u1 = g r 1 1, u 2 = g r 2 2, with r 1, r2 chosen uniformly at random from Z q. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 23 of 40

118 Game 2: Same as Game 1 except for the generation of the challenge ciphertext C = (u1, u2, e, s, v ), where u1 = g r 1 1, u 2 = g r 2 2, with r 1, r2 chosen uniformly at random from Z q. In Game 1: (g 1, g 2, u 1, u 2) is a DDH tuple, i.e, u 1 = g r 1, u 2 = g r 2. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 23 of 40

119 Game 2: Same as Game 1 except for the generation of the challenge ciphertext C = (u1, u2, e, s, v ), where u1 = g r 1 1, u 2 = g r 2 2, with r 1, r2 chosen uniformly at random from Z q. In Game 1: (g 1, g 2, u 1, u 2) is a DDH tuple, i.e, u 1 = g r 1, u 2 = g r 2. In Game 2: (g 1, g 2, u 1, u 2) is a random tuple, i.e, u 1 = g r 1 1, u 2 = g r 2 2. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 23 of 40

120 Game 2: Same as Game 1 except for the generation of the challenge ciphertext C = (u1, u2, e, s, v ), where u1 = g r 1 1, u 2 = g r 2 2, with r 1, r2 chosen uniformly at random from Z q. In Game 1: (g 1, g 2, u 1, u 2) is a DDH tuple, i.e, u 1 = g r 1, u 2 = g r 2. In Game 2: (g 1, g 2, u 1, u 2) is a random tuple, i.e, u 1 = g r 1 1, u 2 = g r 2 2. By the DDH assumption, Pr[S 2 ] Pr[S 1 ] is negligible. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 23 of 40

121 Game 3: Same as Game 2 except that the simulator applies a special rejection rule. Let F denote the event that there exists a decryption query of the form C = (u 1, u 2, e, s, v) such that C C but T(u 1, u 2, e, s) = T(u 1, u 2, e, s ), which means a hash collision occurs. The simulator D rejects the corresponding queried ciphertext C when F occurs. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 24 of 40

122 Game 3: Same as Game 2 except that the simulator applies a special rejection rule. Let F denote the event that there exists a decryption query of the form C = (u 1, u 2, e, s, v) such that C C but T(u 1, u 2, e, s) = T(u 1, u 2, e, s ), which means a hash collision occurs. The simulator D rejects the corresponding queried ciphertext C when F occurs. By the TCR property of T, Pr[S 3 ] Pr[S 2 ] is negligible. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 24 of 40

123 Game 4: Same as Game 3, except that the simulator applies a special rejection rule. If A asks for decryption of an invalid ciphertext C = (u 1, u 2, e, s, v), i.e., (g 1, g 2, u 1, u 2 ) is not a DDH tuple, the simulator D rejects with and the game aborts. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 25 of 40

124 Game 4: Same as Game 3, except that the simulator applies a special rejection rule. If A asks for decryption of an invalid ciphertext C = (u 1, u 2, e, s, v), i.e., (g 1, g 2, u 1, u 2 ) is not a DDH tuple, the simulator D rejects with and the game aborts. In Game 3: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e., v u x1+y1α 1 u x2+y2α 2. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 25 of 40

125 Game 4: Same as Game 3, except that the simulator applies a special rejection rule. If A asks for decryption of an invalid ciphertext C = (u 1, u 2, e, s, v), i.e., (g 1, g 2, u 1, u 2 ) is not a DDH tuple, the simulator D rejects with and the game aborts. In Game 3: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e., v u x1+y1α 1 u x2+y2α 2. In Game 4: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e. (log g1 u 1 log g2 u 2 ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 25 of 40

126 Game 4: Same as Game 3, except that the simulator applies a special rejection rule. If A asks for decryption of an invalid ciphertext C = (u 1, u 2, e, s, v), i.e., (g 1, g 2, u 1, u 2 ) is not a DDH tuple, the simulator D rejects with and the game aborts. In Game 3: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e., v u x1+y1α 1 u x2+y2α 2. In Game 4: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e. (log g1 u 1 log g2 u 2 ). Let F be the event that D outputs for a consistent but valid ciphertext, we have: Pr[S 4 F ] Pr[S 3 F ] Pr[F ], Pr[S 4 ] Pr[S 3 ] Pr[F ]. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 25 of 40

127 Game 4: Same as Game 3, except that the simulator applies a special rejection rule. If A asks for decryption of an invalid ciphertext C = (u 1, u 2, e, s, v), i.e., (g 1, g 2, u 1, u 2 ) is not a DDH tuple, the simulator D rejects with and the game aborts. In Game 3: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e., v u x1+y1α 1 u x2+y2α 2. In Game 4: C = (u 1, u 2, e, s, v) is rejected if it is not consistent, i.e. (log g1 u 1 log g2 u 2 ). Let F be the event that D outputs for a consistent but valid ciphertext, we have: Pr[S 4 F ] Pr[S 3 F ] Pr[F ], Pr[S 4 ] Pr[S 3 ] Pr[F ]. Below, we analyze the probability that the event F occurs. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 25 of 40

128 Analyzing the Event F Let β = log g1 g 2. Firstly, note that by submitting valid ciphertexts to the decryption oracle, the adversary only learns linear combinations of the constraints log g1 c = x 1 + βx 2, log g1 d = y 1 + βy 2 and log g1 h = z 1 + βz 2, which are already known from the public-keys. Also note that q, g 1, g 2, T, u 1, u 2, s, σ all are independent of the secret key. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 26 of 40

129 Analyzing the Event F Let β = log g1 g 2. Firstly, note that by submitting valid ciphertexts to the decryption oracle, the adversary only learns linear combinations of the constraints log g1 c = x 1 + βx 2, log g1 d = y 1 + βy 2 and log g1 h = z 1 + βz 2, which are already known from the public-keys. Also note that q, g 1, g 2, T, u 1, u 2, s, σ all are independent of the secret key. From the view of the attack and the λ-bit key leakage, what can be learnt about the secret-keys can be formulated by the following equations, where Liu, Weng and Zhao Efficient KL-CS-PKE Slide 26 of 40

130 Analyzing the Event F Let β = log g1 g 2. Firstly, note that by submitting valid ciphertexts to the decryption oracle, the adversary only learns linear combinations of the constraints log g1 c = x 1 + βx 2, log g1 d = y 1 + βy 2 and log g1 h = z 1 + βz 2, which are already known from the public-keys. Also note that q, g 1, g 2, T, u 1, u 2, s, σ all are independent of the secret key. From the view of the attack and the λ-bit key leakage, what can be learnt about the secret-keys can be formulated by the following equations, where log g1 c = x 1 + βx 2 log g1 d = y 1 + βy 2 log g1 h = z 1 + βz 2 log g1 v = r1 x 1 + r2 βx 2 + α r1 y 1 + α r2 βy 2 + r1 z 1 + r2 βz 2 log g1 e /M b = r1 x 1 + r2 βx 2 + r1 y 1 + r2 βy 2 + s r1 z 1 + s r2 βz 2 ; λ-bit leakage of (x 1, x 2, y 1, y 2, z 1, z 2 ). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 26 of 40

131 As the secret key elements (x 1, x 2, y 1, y 2, z 1, z 2 ) are uniformly chosen from Z 6 q, according to the average min-entropy theory, we have H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, C, M b, λ-leakage) = H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, u 1, u 2, s, v, e /M b, λ-leakage) = H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, v, e /M b, λ-leakage) (1) log q λ. (2) Liu, Weng and Zhao Efficient KL-CS-PKE Slide 27 of 40

132 As the secret key elements (x 1, x 2, y 1, y 2, z 1, z 2 ) are uniformly chosen from Z 6 q, according to the average min-entropy theory, we have H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, C, M b, λ-leakage) = H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, u 1, u 2, s, v, e /M b, λ-leakage) = H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, v, e /M b, λ-leakage) (1) log q λ. Let C = (u 1, u 2, e, s, v) be the first invalid ciphertext submitted by A. Let r 1 = log g1 u 1 and r 2 = log g1 u 2, then r 1 r 2. We must have: (2) log g1 c = x 1 + βx 2 ; log g1 d = y 1 + βy 2 ; log g1 h = z 1 + βz 2 ; log g1 v = r1 x 1 + r2 βx 2 + α r1 y 1 + α r2 βy 2 + r1 z 1 + r2 βz 2 ; log g1 e /M b = r1 x 1 + r2 βx 2 + r1 y 1 + r2 βy 2 + s r1 z 1 + s r2 βz 2 ; log g1 v = r 1 x 1 + r 2 βx 2 + αr 1 y 1 + αr 2 βy 2 + r 1 z 1 + r 2 βz 2. (3) Liu, Weng and Zhao Efficient KL-CS-PKE Slide 27 of 40

133 Let A= into: 1 β β β r1 r2 β α r1 α r2 β r1 r2 β r1 r2 β r1 r2 β s r1 s r2 β r 1 r 2 β αr 1 αr 2 β r 1 r 2 β 1 β β β r1 r2 β α r1 α r2 β r1 r2 β r1 r2 β r1 r2 β s r1 s r2 β r 1 r 2 β αr 1 αr 2 β r 1 r 2 β x 1 x 2 y 1 y 2 z 1 z 2. This is distilled = log g1 c log g1 d log g1 h log g1 v log g1 e /M b log g1 v (4). Liu, Weng and Zhao Efficient KL-CS-PKE Slide 28 of 40

134 Let A= into: 1 β β β r1 r2 β α r1 α r2 β r1 r2 β r1 r2 β r1 r2 β s r1 s r2 β r 1 r 2 β αr 1 αr 2 β r 1 r 2 β 1 β β β r1 r2 β α r1 α r2 β r1 r2 β r1 r2 β r1 r2 β s r1 s r2 β r 1 r 2 β αr 1 αr 2 β r 1 r 2 β The determinant of matrix A is given by x 1 x 2 y 1 y 2 z 1 z 2. This is distilled = det(a) = β 3 (r 1 r 2 ) 2 (r 1 r 2 )(α α)(s 1). log g1 c log g1 d log g1 h log g1 v log g1 e /M b log g1 v (4). Then det(a) 0 except with a negligible probability 1/q. Hence Eq. (4) is an injective function. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 28 of 40

135 An injective function preserves its min-entropy. Then H ((x 1, x 2, y 1, y 2, z 1, z 2 ) c, d, h, C, M b, λ-leakage) = H ((c, d, h, v, e /M b, v) c, d, h, C, M b, λ-leakage) = H (v c, d, h, C, M b, λ-leakage) log q λ. Liu, Weng and Zhao Efficient KL-CS-PKE Slide 29 of 40