Tightly CCA-Secure Encryption without Pairings

Transcription

1 Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de 3 Karlsruhe Insttute of Technology, Karlsruhe, Germany Denns.Hofhenz@kt.edu Abstract. We present the frst CCA-secure publc-key encrypton scheme based on DDH where the securty loss s ndependent of the number of challenge cphertexts and the number of decrypton ueres. Our constructon extends also to the standard k-ln assumpton n parng-free groups, whereas all pror constructons startng wth Hofhenz and Jager (Crypto 12) rely on the use of parngs. Moreover, our constructon mproves upon the concrete effcency of exstng schemes, reducng the cphertext overhead by about half (to only 3 group elements under DDH), n addton to elmnatng the use of parngs. We also show how to use our technues n the NIZK settng. Specfcally, we construct the frst tghtly smulaton-sound desgnated-verfer NIZK for lnear languages wthout parngs. Usng parngs, we can turn our constructon nto a hghly optmzed publcly verfable NIZK wth tght smulaton-soundness. 1 Introducton The most basc securty guarantee we reure of a publc key encrypton scheme s that of semantc securty aganst chosen-plantext attacks (CPA) [15]: t s nfeasble to learn anythng about the plantext from the cphertext. On the other hand, there s a general consensus wthn the cryptographc research communty that n vrtually every practcal applcaton, we reure semantc securty aganst adaptve chosen-cphertext attacks (CCA) [31, 13], wheren an adversary s gven access to decryptons of cphertexts of her choce. In ths work, we focus on the ssue of securty reducton and securty loss n the constructon of CPA and CCA-secure publc-key encrypton from the DDH assumpton. Suppose we have such a scheme along wth a securty reducton showng that attackng the scheme n tme t wth success probablty ɛ mples breakng the DDH assumpton n tme roughly t wth success probablty ɛ/l; we refer to L as the securty loss. In general, L would depend on the securty parameter λ as well as the number of challenge cphertexts Q enc and the number decrypton ueres Q dec, and we say that we have a tght securty reducton f L depends only on the securty parameter and s ndependent of both Q enc and Q dec. Note that for typcal settngs of parameters (e.g., λ = 80 and Q enc, Q dec 2 20, or even Q enc, Q dec 2 30 n truly large settngs), λ s much smaller than Q enc and Q dec. In the smpler settng of CPA-secure encrypton, the ElGamal encrypton scheme already has a tght securty reducton to the DDH assumpton [28, 6], thanks to random self-reducblty of DDH wth a tght securty reducton. In the case of CCA-secure encrypton, the best result s stll the Ths s the extended verson of an EUROCRYPT 2016 paper of the same name. Compared to the proceedngs verson, ths verson offers a detaled descrpton of (desgnated-verfer and publcly verfable) NIZK proof systems, and of course full proofs. CNRS. Supported by ERC Project ascend (639554). Supported by DFG grants HO 4534/2-2, HO 4534/4-1. Partally supported by DFG grant KI 795/4-1 and ERC Project ERCC (FP7/615074). CNRS and Columba Unversty. Partally supported by the Alexander von Humboldt Foundaton, NSF Award CNS and ERC Project ascend (639554).

2 semnal Cramer-Shoup encrypton scheme [11], whch acheves securty loss Q enc. 4 Ths rases the followng open problem: Does there exst a CCA-secure encrypton scheme wth a tght securty reducton to the DDH assumpton? Hofhenz and Jager [17] gave an affrmatve answer to ths problem under stronger (and parngrelated) assumptons, notably the 2-Ln assumptons n blnear groups, albet wth large cphertexts and secret keys; a seres of follow-up works [24, 26, 5, 16] leveraged technues ntroduced n the context of tghtly-secure IBE [10, 7, 19] to reduce the sze of cphertext and secret keys to a relatvely small constant. However, all of these works rely crucally on the use of parngs, and seem to shed lttle nsght on constructons under the standard DDH assumpton; n fact, a pessmst may nterpret the recent works as strong ndcaton that the use of parngs s lkely to be necessary for tghtly CCA-secure encrypton. We may then restate the open problem as elmnatng the use of parngs n these pror CCAsecure encrypton schemes whle stll preservng a tght securty reducton. From a theoretcal standpont, ths s mportant because an affrmatve answer would yeld tghtly CCA-secure encrypton under ualtatvely weaker assumptons, and n addton, shed nsght nto the broader ueston of whether tght securty comes at the cost of ualtatve stronger assumptons. Elmnatng the use of parngs s also mportant n practce as t allows us to nstantate the underlyng assumpton over a much larger class of groups that admt more effcent group operatons and more compact representatons, and also avod the use of expensve parng operatons. Smlarly, tght reductons matter n practce because as L ncreases, we should ncrease the sze of the underlyng groups n order to compensate for the securty loss, whch n turn ncreases the runnng tme of the mplementaton. Note that the mpact on performance s ute substantal, as exponentaton n a r-bt group takes tme roughly O(r 3 ). 1.1 Our Results We settle the man open problem affrmatvely: we construct a tghtly CCA-secure encrypton scheme from the DDH assumpton wthout parngs. Moreover, our constructon mproves upon the concrete effcency of exstng schemes, reducng the cphertext overhead by about half, n addton to elmnatng the use of parngs. We refer to Fgure 2 for a comparson wth pror works. Overvew of our constructon. Fx an addtvely wrtten group G of order. We rely on mplct representaton notaton [14] for group elements: for a fxed generator P of G and for a matrx M Z n t, we defne [M] := MP G n t where multplcaton s done component-wse. We rely on the D k -MDDH Assumpton [14], whch stpulates that gven [M] drawn from a matrx dstrbuton D k over Z (k+1) k, [Mr] for a random vector r n Z k p s computatonally ndstngushable from a unform vector n G k+1 ; ths s a generalzaton of the k-ln Assumpton. We outlne the constructon under the k-ln assumpton over G, of whch the DDH assumpton s a specal case correspondng to k = 1. In ths overvew, we wll consder a weaker noton of securty, namely tag-based KEM securty aganst plantext check attacks (PCA) [30]. In the PCA securty experment, the adversary gets no decrypton oracle (as wth CCA securty), but a PCA oracle that takes as nput a tag and a cphertext/plantext par and checks whether the cphertext decrypts to the plantext. Furthermore, we restrct the adversary to only uery the PCA oracle on tags dfferent from those used n the 4 We gnore contrbutons to the securty loss that depend only on a statstcal securty parameter. 2

3 challenge cphertexts. PCA securty s strctly weaker than the CCA securty we actually strve for, but allows us to present our soluton n a clean and smple way. (We show how to obtan full CCA securty separately.) The startng pont of our constructon s the Cramer-Shoup KEM. The publc key s gven by pk := ([M], [M k 0 ], [M k 1 ]) for M r Z (k+1) k. On nput pk and a tag τ, the encrypton algorthm outputs the cphertext/plantext par ([y], [z]) = ([Mr], [r M k τ ]), (1) where k τ = k 0 + τk 1 and r r Z k. Decrypton reles on the fact that y k τ = r M k τ. The KEM s PCA-secure under k-ln, wth a securty loss that depends on the number of cphertexts Q (va a hybrd argument) but ndependent of the number of PCA ueres [11, 1]. Followng the randomzed Naor-Rengold paradgm ntroduced by Chen and Wee on tghtly secure IBE [10], our startng pont s (1), where we replace k τ = k 0 + τk 1 wth k τ = λ j=1 and pk := ([M], [M k j,b ] j=1,...,λ,b=0,1 ), where (τ 1,..., τ λ ) denotes the bnary representaton of the tag τ {0, 1} λ. Followng [10], we want to analyze ths constructon by a seuence of games n whch we frst replace [y] n the challenge cphertexts by unformly random group elements va random selfreducblty of MDDH (k-ln), and then ncrementally replace k τ n both the challenge cphertexts and n the PCA oracle by k τ +m RF(τ), where RF s a truly random functon and m s a random element from the kernel of M,.e., M m = 0. Concretely, n Game, we wll replace k τ wth k τ + m RF (τ) where RF s a random functon on {0, 1} appled to the -bt prefx of τ. We proceed to outlne the two man deas needed to carry out ths transton. Lookng ahead, note that once we reach Game λ, we would have replaced k τ wth k τ + m RF(τ), upon whch securty follows from a straght-forward nformaton-theoretc argument (and the fact that cphertexts and decrypton ueres carry parwse dfferent τ). Frst dea. Frst, we show how to transton from Game to Game + 1, under the restrcton that the adversary s only allowed to uery the encrypton oracle on tags whose + 1-st bt s 0; we show how to remove ths unreasonable restrcton later. Here, we rely on an nformaton-theoretc argument smlar to that of Cramer and Shoup to ncrease the entropy from RF to RF +1. Ths s n contrast to pror works whch rely on a computatonal argument; note that the latter reures encodng secret keys as group elements and thus a parng to carry out decrypton. More precsely, we pck a random functon RF on {0, 1}, and mplctly defne RF +1 as follows: RF +1 (τ) = k j,τj { RF (τ) f τ +1 = 0 RF (τ) f τ +1 = 1 Observe all of the challenge cphertexts leak no nformaton about RF or k +1,1 snce they all correspond to tags whose + 1-st bt s 0. To handle a PCA uery (τ, [y], [z]), we proceed va a case analyss: f τ +1 = 0, then k τ + RF +1 (τ) = k τ + RF (τ) and the PCA oracle returns the same value n both Games and

4 f τ +1 = 1 and y les n the span of M, we have y m = 0 = y (k τ + m RF (τ)) = y (k τ + m RF +1 (τ)), and agan the PCA oracle returns the same value n both Games and + 1. f τ +1 = 1 and y les outsde the span of M, then y k +1,1 s unformly random gven M, M k +1,1. (Here, we crucally use that the adversary does not uery encryptons wth τ +1 = 1, whch ensures that the challenge cphertexts do not leak addtonal nformaton about k +1,1.) Ths means that y k τ s unformly random from the adversary s vew-pont, and therefore the PCA oracle wll reject wth hgh probablty n both Games and + 1. (At ths pont, we crucally rely on the fact that the PCA oracle only outputs a sngle check bt and not all of k τ + RF(τ).) Va a hybrd argument, we may deduce that the dstngushng advantage between Games and + 1 s at most Q/ where Q s the number of PCA ueres. Second dea. Next, we remove the restrcton on the encrypton ueres usng an dea of Hofhenz, Koch and Strecks [19] for tghtly-secure IBE n the mult-cphertext settng, and ts nstantaton n prme-order groups [16]. The dea s to create two ndependent copes of (m, RF ); we use one to handle encrypton ueres on tags whose + 1-st bt s 0, and the other to handle those whose + 1-st bt s 1. We call these two copes (M 0, RF(0) Concretely, we replace M r Z (k+1) k ) and (M 1, RF(1) ), where M M 0 = M M 1 = 0.. We decompose Z 3k nto the span of nto that wth M r Z 3k k the respectve matrces M, M 0, M 1, and we wll also decompose the span of M Z 3k 2k of M 0, M 1. Smlarly, we decompose M RF (τ) nto M 0 RF(0) (τ) + M 1 RF(1) (τ). We then refne the bass for span(m ) M 0 M 1 bass for Z 3k M M 0 M 1 Fg. 1. Sold lnes mean orthogonal, that s: M M 0 = M 1M 0 = 0 = M M 1 = M 0M 1. pror transton from Games to + 1 as follows: Game.0 (= Game ): pck y Z 3k M 1 RF(1) (τ); Game.1: replace y r Z 3k for cphertexts, and replace k τ wth k τ + M 0 RF(0) (τ) + wth y r span(m, M τ+1 ); Game.2: replace RF (0) (τ) wth RF (0) +1 (τ); Game.3: replace RF (1) (τ) wth RF (1) +1 (τ); Game.4 (= Game + 1): replace y r span(m, M τ+1 ) wth y r Z 3k. For the transton from Game.0 to Game.1, we rely on the fact that the unform dstrbutons over Z 3k and span(m, M τ+1 ) encoded n the group are computatonally ndstngushable, even gven a random bass for span(m ) (n the clear). Ths extends to the settng wth multple samples, wth a tght reducton to the D k -MDDH Assumpton ndependent of the number of samples. For the transton from Game.1 to.2, we rely on an nformaton-theoretc argument lke the one we just outlned, replacng span(m) wth span(m, M 1 ) and M wth M 0 n the case analyss. 4

5 In partcular, we wll explot the fact that f y les outsde span(m, M 1 ), then y k +1,1 s unformly random even gven M, Mk +1,1, M 1, M 1 k +1,1. The transton from Game.2 to.3 s completely analogous. From PCA to CCA. Usng standard technues from [11, 23, 21, 8, 4], we could transform our basc tag-based PCA-secure scheme nto a full-fledged CCA-secure encrypton scheme by addng another hash proof system (or an authentcated symmetrc encrypton scheme) and a one-tme sgnature scheme. However, ths would ncur an addtonal overhead of several group elements n the cphertext. Instead, we show how to drectly modfy our tag-based PCA-secure scheme to obtan a more effcent CCA-secure scheme wth the mnmal addtonal overhead of a sngle symmetrc-key authentcated encrypton. In partcular, the overall cphertext overhead n our tghtly CCA-secure encrypton scheme s merely one group element more than that for the best known non-tght schemes [23, 18]. To encrypt a message M n the CCA-secure encrypton scheme, we wll () pck a random y as n the tag-based PCA scheme, () derve a tag τ from y, () encrypt M usng a one-tme authentcated encrypton under the KEM key [y k τ ]. The nave approach s to derve the tag τ by hashng [y] G 3k, as n [23]. However, ths creates a crcularty n Game.1 where the dstrbuton of [y] depends on the tag. Instead, we wll derve the tag τ by hashng [y] G k, where y Z k are the top k entres of y Z 3k. We then modfy M 0, M 1 so that the top k rows of both matrces are zero, whch avods the crcularty ssue. In the proof of securty, we wll also rely on the fact that for any y 0, y 1 Z 3k, f y 0 = y 1 and y 0 span(m), then ether y 0 = y 1 or y 1 / span(m). Ths allows us to deduce that f the adversary ueres the CCA oracle on a cphertext whch shares the same tag as some challenge cphertext, then the CCA oracle wll reject wth overwhelmng probablty. Alternatve vew-pont. Our constructon can also be vewed as applyng the BCHK IBE PKE transform [8] to the scheme from [19], and then wrtng the exponents of the secret keys n the clear, thereby avodng the parng. Ths means that we can no longer apply a computatonal assumpton and the randomzed Naor-Rengold argument to the secret key space. Indeed, we replace ths wth an nformaton-theoretc Cramer-Shoup-lke argument as outlned above. Pror approaches. Several approaches to construct tghtly CCA-secure PKE schemes exst: frst, the schemes of [17, 2, 3, 25, 24, 26] construct a tghtly secure NIZK scheme from a tghtly secure sgnature scheme, and then use the tghtly secure NIZK n a CCA-secure PKE scheme followng the Naor-Yung double encrypton paradgm [29, 13]. Snce these approaches buld on the publc verfablty of the used NIZK scheme (n order to fathfully smulate a decrypton oracle), ther relance on a parng seems nherent. Next, the works of [10, 7, 19, 5, 16] used a (Naor-Rengold-based) MAC nstead of a sgnature scheme to desgn tghtly secure IBE schemes. Those IBE schemes can then be converted (usng the BCHK transformaton [8]) nto tghtly CCA-secure PKE schemes. However, the derved PKE schemes stll rely on parngs, snce the orgnal IBE schemes do (and the BCHK does not remove the relance on parngs). In contrast, our approach drectly fuses a Naor-Rengold-lke randomzaton argument wth the encrypton process. We are able to do so snce we substtute a computatonal randomzaton argument (as used n the latter lne of works) wth an nformaton-theoretc one, as descrbed above. Hence, we can apply that argument to exponents rather than group elements. Ths enables us to trade parng operatons for exponentatons n our scheme. Effcency comparson wth non-tghtly secure schemes. We fnally menton that our DDH-based scheme compares favorably even wth the most effcent (non-tghtly) CCA-secure DDH-based en- 5

6 Reference pk ct m securty loss assumpton parng CS98 [11] O(1) 3 O(Q) DDH no KD04, HK07 [23, 18] O(1) 2 O(Q) DDH no HJ12 [17] O(1) O(λ) O(1) 2-Ln yes LPJY15 [24, 26] O(λ) 47 O(λ) 2-Ln yes AHY15 [5] O(λ) 12 O(λ) 2-Ln yes GCDCT15 [16] O(λ) 10 (resp. 6k + 4) O(λ) SXDH (resp. k-ln) yes Ours 4 O(λ) 3 (resp. 3k) O(λ) DDH (resp. k-ln) no Fg. 2. Comparson amongst CCA-secure encrypton schemes, where Q s the number of cphertexts, pk denotes the sze (.e the number of groups elements, or exponent of group elements) of the publc key, and ct m denotes the cphertext overhead, gnorng smaller contrbutons from symmetrc-key encrypton. We omt [19] from ths table snce we only focus on prme-order groups here. crypton schemes [23, 18]. To make thngs concrete, assume λ = 80 and a settng wth Q enc = Q dec = The best known reductons for the schemes of [23, 18] lose a factor of Q enc = 2 30, whereas our scheme loses a factor of about 4λ 2 9. Hence, the group sze for [23, 18] should be at least 2 2 (80+30) = compared to 2 2 (80+9) = n our case. Thus, the cphertext overhead (gnorng the symmetrc encrypton part) n our scheme s = 534 bts, whch s close to = 440 bts wth [23, 18]. 5 Perhaps even more nterestngly, we can compare computatonal effcency of encrypton n ths scenaro. For smplctly, we only count exponentatons and assume a nave suare-and-multplybased exponentaton wth no further mult-exponentaton optmzatons. 6 Encrypton n [23, 18] takes about 3.5 exponentatons (where we count an exponentaton wth a (λ + log 2 (Q enc + Q dec ))- bt hash value 7 as 0.5 exponentatons). In our scheme, we have about 4.67 exponentatons, where we count the computaton of [M k τ ] whch conssts of 2λ multplcatons as 0.67 exponentatons.) Snce exponentaton (under our assumptons) takes tme cubc n the btlength, we get that encrypton wth our scheme s actually about 29% less expensve than wth [23, 18]. However, of course we should also note that publc and secret key n our scheme are sgnfcantly larger (e.g., 4λ + 3 = 323 group elements n pk) than wth [23, 18] (4 group elements n pk). Extenson: NIZK arguments. We also obtan tghtly smulaton-sound non-nteractve zero-knowledge (NIZK) arguments from our encrypton scheme n a sem-generc way. Let us start wth any desgnated-verfer uas-adaptve NIZK (short: DVQANIZK) argument system Π for a gven language. Recall that n a desgnated-verfer NIZK, proofs can only be verfed wth a secret verfcaton key, and soundness only holds aganst adversares who do not know that key. Furthermore, uas-adaptvty means that the language has to be fxed at setup tme of the scheme. Let Π PKE be the varant of Π n whch proofs are encrypted usng a CCA-secure PKE scheme PKE. Publc and secret key of PKE are of course made part of CRS and verfcaton key, respectvely. Observe that Π PKE enjoys smulaton-soundness, assumng that smulated proofs are smply encryptons of random plantexts. Indeed, the CCA securty of PKE guarantees that authentc Π PKE -proofs can be substtuted wth smulated ones, whle beng able to verfy (usng a decrypton oracle) a purported Π PKE -proof generated by an adversary. Furthermore, f PKE s tghtly secure, then so s Π PKE. 5 In ths calculaton, we do not consder the symmetrc authentcated encrypton of the actual plantext (and a correspondng MAC value), whch s the same wth [23, 18] and our scheme. 6 Here, optmzatons would mprove the schemes of [23, 18] and ours smlarly, snce the schemes are very smlar. 7 It s possble to prove the securty of [23, 18] usng a target-collson-resstant hash functon, such that τ = λ. However, n the mult-user settng, a hybrd argument s reured, such that the output sze of the hash functon wll have to be ncreased to at least τ = λ + log 2 (Q enc + Q dec ). 6

7 When usng a hash proof system for Π and our encrypton scheme for PKE, ths mmedately yelds a tghtly smulaton-sound DVQANIZK for lnear languages (.e., languages of the form {[Mr] r Z t } for some matrx M Z n t wth t < n) that does not reure parngs. We stress that our DVQANIZK s tghtly secure n a settng wth many smulated proofs and many adversaral verfcaton ueres. Usng the sem-generc transformaton of [22], we can then derve a tghtly smulaton-sound QANIZK proof system (wth publc verfcaton), that however reles on parngs. We note that the transformaton of [22] only reures a DVQANIZK that s secure aganst a sngle adversaral verfcaton uery, snce the parng enables the publc verfablty of proofs. Hence, we can frst optmze and trm down our DVQANIZK (such that only a sngle adversaral verfcaton uery s supported), and then apply the transformaton. Ths yelds a QANIZK wth partcularly compact proofs. See Fgure 3 for a comparson wth relevant exstng proof systems. Reference type crs π sec. loss assumpton parng CCS09 [9] NIZK O(1) 2n + 6t + 52 O(Q sm ) 2-Ln yes HJ12 [17] NIZK O(1) 500 O(1) 2-Ln yes LPJY14 [25] QANIZK O(n + λ) 20 O(Q sm ) 2-Ln yes KW15 [22] QANIZK O(kn) 2k + 2 O(Q sm ) k-ln yes LPJY15 [26] QANIZK O(n + λ) 42 O(λ) 2-Ln yes Ours 6.2 DVQANIZK O(t + kλ) 3k + 1 O(λ) k-ln no Ours 6.3 QANIZK O(k 2 λ + kn) 2k + 1 O(λ) k-ln yes Fg. 3. (DV)QANIZK schemes for subspaces of G n of dmenson t < n. crs and π denote the sze (n group elements) of the CRS and of proofs. Q sm s the number of smulated proofs n the smulaton-soundness experment. The scheme from [22] (as well as our own schemes) can also be generalzed to matrx assumptons [14], at the cost of a larger CRS. Roadmap. We recall some notaton and basc defntons (ncludng those concernng our algebrac settng and for tghtly secure encrypton) n Secton 2. Secton 3 presents our basc PCA-secure encrypton scheme and represents the core of our results. In Secton 4, we present our optmzed CCA-secure PKE scheme. Our NIZK-related applcatons are presented n Secton 6. 2 Prelmnares 2.1 Notatons If x B n, then x denotes the length n of the vector. Further, x r B denotes the process of samplng an element x from set B unformly at random. For any bt strng τ {0, 1}, we denote by τ the th bt of τ. We denote by λ the securty parameter, and by negl( ) any neglgble functon wth l > k, A Z k k denotes the upper suare matrx of A and A Z l k k denotes the lower l k rows of A. Wth span(a) := {Ar r Z k } Z l, we denote the span of A. of λ. For all matrx A Z l k 2.2 Collson resstant hashng A hash functon generator s a PPT algorthm H that, on nput 1 λ, outputs an effcently computable functon H : {0, 1} {0, 1} λ. Defnton 1 (Collson Resstance). We say that a hash functon generator H outputs collsonresstant functons H f for all PPT adversares A, Adv cr H(A) := Pr[x x H(x) = H(x ) H r H(1 λ ), (x, x ) A(1 λ, H)] = negl(λ). 7

8 2.3 Prme-order groups Let GGen be a probablstc polynomal tme (PPT) algorthm that on nput 1 λ returns a descrpton G = (G,, P ) of an addtve cyclc group G of order for a λ-bt prme, whose generator s P. We use mplct representaton of group elements as ntroduced n [14]. For a Z, defne [a] = ap G as the mplct representaton of a n G. More generally, for a matrx A = (a j ) Z n m we defne [A] as the mplct representaton of A n G: a 11 P... a 1m P [A] := G n m a n1 P... a nm P We wll always use ths mplct notaton of elements n G,.e., we let [a] G be an element n G. Note that from [a] G t s generally hard to compute the value a (dscrete logarthm problem n G). Obvously, gven [a], [b] G and a scalar x Z, one can effcently compute [ax] G and [a + b] G. 2.4 Matrx Dffe-Hellman Assumpton We recall the defntons of the Matrx Decson Dffe-Hellman (MDDH) Assumpton [14]. Defnton 2 (Matrx Dstrbuton). Let k, l N, wth l > k. We call D l,k a matrx dstrbuton f t outputs matrces n Z l k of full rank k n polynomal tme. We wrte D k := D k+1,k. Wthout loss of generalty, we assume the frst k rows of A r D l,k form an nvertble matrx. The D l,k -Matrx Dffe-Hellman problem s to dstngush the two dstrbutons ([A], [Aw]) and ([A], [u]) where A r D l,k, w r Z k and u r Z l. Defnton 3 (D l,k -Matrx Dffe-Hellman Assumpton D l,k -MDDH). Let D l,k be a matrx dstrbuton. We say that the D l,k -Matrx Dffe-Hellman (D l,k -MDDH) Assumpton holds relatve to GGen f for all PPT adversares A, Adv mddh D l,k,ggen(a) := Pr[A(G, [A], [Aw]) = 1] Pr[A(G, [A], [u]) = 1] = negl(λ), where the probablty s taken over G r GGen(1 λ ), A r D k, w r Z k, u r Z l. For each k 1, [14] specfes dstrbutons L k, SC k, C k (and others) over Z (k+1) k such that the correspondng D k -MDDH assumptons are genercally secure n blnear groups and form a herarchy of ncreasngly weaker assumptons. L k -MDDH s the well known k-lnear Assumpton k-ln wth 1-Ln = DDH. In ths work we are mostly nterested n the unform matrx dstrbuton U l,k. Defnton 4 (Unform dstrbuton). Let l, k N, wth l > k. We denote by U l,k the unform dstrbuton over all full-rank l k matrces over Z. Let U k := U k+1,k. Lemma 1 (U k -MDDH U l,k -MDDH). Let l, k N, wth l > k. For any PPT adversary A, there exsts an adversary B (and vce versa) such that T(B) T(A) and Adv mddh U l,k,ggen (A) = Adv mddh U k,ggen (B). Proof. Ths follows from the smple fact that a U l,k -MDDH nstance ([A], [z]) can be transformed nto an U k -MDDH nstance ([A ] = [TA], [z ] = [Tz]) for a random (k +1) l matrx T. If z = Aw, then z = TAw = A w; f z s unform, so s z. Smlarly, a U k -MDDH nstance ([A ], [z ]) can 8

9 be transformed nto an U l,k -MDDH nstance ([A] = [T A ], [z] = [T z ]) for a random l (k + 1) matrx T. Among all possble matrx dstrbutons D l,k, the unform matrx dstrbuton U k s the hardest possble nstance, so n partcular k-ln U k -MDDH. Lemma 2 (D l,k -MDDH U k -MDDH, [14]). Let D l,k be a matrx dstrbuton. For any PPT adversary A, there exsts an adversary B such that T(B) T(A) and Adv mddh D l,k,ggen(a) = Advmddh U k,ggen (B). Let Q 1. For W r Z k Q, U r Z l Q, we consder the Q-fold D l,k -MDDH Assumpton whch conssts n dstngushng the dstrbutons ([A], [AW]) from ([A], [U]). That s, a challenge for the Q-fold D l,k -MDDH Assumpton conssts of Q ndependent challenges of the D l,k -MDDH Assumpton (wth the same A but dfferent randomness w). In [14] t s shown that the two problems are euvalent, where (for Q l k) the reducton loses a factor l k. In combnaton wth Lemma 1 we obtan the followng tghter verson for the specal case of D l,k = U l,k. Lemma 3 (Random self-reducblty of U l,k -MDDH, [14]). Let l, k, Q N wth l > k. For any PPT adversary A, there exsts an adversary B such that T(B) T(A) + Q poly(λ) wth poly(λ) ndependent of T(A), and Adv Q-mddh U l,k,ggen(a) Advmddh U l,k,ggen (B) where Adv Q-mddh U l,k,ggen(b) := Pr[B(G, [A], [AW]) = 1] Pr[B(G, [A], [U]) = 1] and the probablty s over G r GGen(1 λ ), A r U l,k, W r Z k Q, U r Z l Q. 2.5 Publc-Key Encrypton Defnton 5 (PKE). A Publc-Key Encrypton (PKE) conssts of three PPT algorthms PKE = (Param PKE, Gen PKE, Enc PKE, Dec PKE ): The probablstc key generaton algorthm Gen PKE (1 λ ) generates a par of publc and secret keys (pk, sk). The probablstc encrypton algorthm Enc PKE (pk, M) returns a cphertext ct. The determnstc decrypton algorthm Dec PKE (pk, sk, ct) returns a message M or, where s a specal rejecton symbol. We defne the followng propertes: Perfect correctness. For all λ, we have [ Pr Dec PKE (pk, sk, ct) = M (pk, sk) r Gen PKE (1 λ ] ); = 1. ct r Enc PKE (pk, M) Mult-cphertext CCA securty [6]. For any adversary A, we defne [ ] Adv nd-cca PKE (A) := Pr b = b b A Setup,DecO( ),EncO(, ) (1 λ ) 1/2 where: Setup sets C enc :=, samples (pk, sk) r Gen KEM (1 λ ) and b r {0, 1}, and returns pk. Setup must be called once at the begnnng of the game. DecO(ct) returns Dec PKE (pk, sk, ct) f ct / C enc, otherwse. If M 0 and M 1 are two messages of eual length, EncO(M 0, M 1 ) returns Enc PKE (pk, M b ) and sets C enc := C enc {ct}. We say PKE s IND-CCA secure f for all PPT adversares A, the advantage Adv nd-cca PKE (A) s a neglgble functon of λ. 9

10 2.6 Key-Encapsulaton Mechansm Defnton 6 (Tag-based KEM). A tag-based Key-Encapsulaton Mechansm (KEM) conssts of three PPT algorthms KEM = (Gen KEM, Enc KEM, Dec KEM ): The probablstc key generaton algorthm Gen KEM (1 λ ) generates a par of publc and secret keys (pk, sk). The probablstc encrypton algorthm Enc KEM (pk, τ) returns a par (K, C) where K s a unformly dstrbuted symmetrc key n K and C s a cphertext, wth respect to the tag τ T. The determnstc decrypton algorthm Dec KEM (pk, sk, τ, C) returns a key K K. We defne the followng propertes: Perfect correctness. For all λ, for all tags τ T, we have [ Pr Dec KEM (pk, sk, τ, C) = K (pk, sk) r Gen KEM (1 λ ] ); = 1. (K, C) r Enc KEM (pk, τ) Mult-cphertext PCA securty [30]. For any adversary A, we defne [ ] Adv nd-pca Pr KEM (A) := b = b b A Setup,DecO(,, ),EncO( ) (1 λ ) 1/2 where: Setup sets T enc = T dec :=, samples (pk, sk) r Gen KEM (1 λ ), pcks b r {0, 1}, and returns pk. Setup s called once at the begnnng of the game. The decrypton oracle DecO(τ, C, K) computes K := Dec KEM (pk, sk, τ, C). It returns 1 f K = K τ / T enc, 0 otherwse. Then t sets T dec := T dec {τ}. EncO(τ) computes (K, C) r Enc KEM (pk, τ), sets K 0 := K and K 1 r K. If τ / T dec T enc, t returns (C, K b ), and sets T enc := T enc {τ}; otherwse t returns. We say KEM s IND-PCA secure f for all PPT adversares A, the advantage Adv nd-pca KEM (A) s a neglgble functon of λ. 2.7 Authentcated Encrypton Defnton 7 (AE [18]). An authentcated symmetrc encrypton (AE) wth message-space M and key-space K conssts of two polynomal-tme determnstc algorthms (Enc AE, Dec AE ): The encrypton algorthm Enc AE (K, M) generates C, encrypton of the message M wth the secret key K. The decrypton algorthm Dec AE (K, C), returns a message M or. We reure that the algorthms satsfy the followng propertes: Perfect correctness. For all λ, for all K K and M M, we have Dec AE (K, Enc AE (K, M)) = M. One-tme Prvacy and Authentcty. For any PPT adversary A, [ AdvAE ae-ot (A) := Pr b = b K ] r K; b r {0, 1} b r A ot-enco(, ),ot-deco( ) (1 λ 1/2, M, K) s neglgble, where ot-enco(m 0, M 1 ), on nput two messages M 0 and M 1 of the same length, Enc AE (K, M b ), and ot-deco(φ) returns Dec AE (K, φ) f b = 0, otherwse. A s allowed at most one call to each oracle ot-enco and ot-deco, and the uery to ot-deco must be dfferent from the output of ot-enco. A s also gven the descrpton of the key-space K as nput. 10

11 3 Mult-cphertext PCA-secure KEM In ths secton we descrbe a tag-based Key Encapsulaton Mechansm KEM PCA that s IND-PCAsecure (see Defnton 6). For smplcty, we use the matrx dstrbuton U 3k,k n our scheme n Fgure 4, and prove t secure under the U k -MDDH Assumpton ( U 3k,k -MDDH Assumpton, by Lemma 1), whch n turn admts a tght reducton to the standard k-ln Assumpton. However, usng a matrx dstrbuton D 3k,k wth more compact representaton yelds a more effcent scheme, secure under the D 3k,k -MDDH Assumpton (see Remark 1). 3.1 Our constructon Gen KEM (1 λ ): G r GGen(1 λ ); M r U 3k,k k 1,0,.. (., k λ,1 r Z 3k pk := G, [M], ( [M k j,β ] ) ) 1 j λ,0 β 1 sk := (k j,β ) 1 j λ,0 β 1 Return (pk, sk) Enc KEM (pk, τ): r r Z k ; C := [r M ] k τ := λ j=1 kj,τ j K := [r M k τ ] Return (C, K) G 1 3k G Dec KEM (pk, sk, τ, C): k τ := λ j=1 kj,τ j Return K := C k τ Fg. 4. KEM PCA, an IND-PCA-secure KEM under the U k -MDDH Assumpton, wth tag-space T = {0, 1} λ. Here, GGen s a prme-order group generator (see Secton 2.3). Remark 1 (On the use of the U k -MDDH Assumpton). In our scheme, we use a matrx dstrbuton U 3k,k for the matrx M, therefore provng securty under the U 3k,k -MDDH Assumpton U k - MDDH Assumpton (see Lemma 2). Ths s for smplcty of presentaton. However, for effcency, one may want to use an assumpton wth a more compact representaton, such as the CI 3k,k -MDDH Assumpton [27] wth representaton sze 2k nstead of 3k 2 for U 3k,k. 3.2 Securty proof Theorem 1. The tag-based Key Encapsulaton Mechansm KEM PCA defned n Fgure 4 has perfect correctness. Moreover, f the U k -MDDH Assumpton holds n G, KEM PCA s IND-PCA secure. Namely, for any adversary A, there exsts an adversary B such that T(B) T(A) + (Q dec + Q enc ) poly(λ) and Adv nd-pca KEM PCA (A) (4λ + 1) Adv mddh U k,ggen (B) + (Q dec + Q enc ) 2 Ω(λ), where Q enc, Q dec are the number of tmes A ueres EncO, DecO, respectvely, and poly(λ) s ndependent of T(A). Proof of Theorem 1. Perfect correctness follows readly from the fact that for all r Z k C = r M, for all k Z 3k : r (M k) = C k. and 11

12 game y unform n: k τ used by EncO and DecO justfcaton/remark G 0 span(m) k τ actual scheme G 1 G 2. Z 3k k τ U 3k,k -MDDH on [M] Z 3k k τ + M RF (τ ) G 1 G 2.0 G 2..1 τ +1 = 0 : span(m, M 0) k τ + M RF (τ ) U 3k,k -MDDH on [M 0] τ +1 = 1 : span(m, M 1) U 3k,k -MDDH on [M 1] G 2..2 τ +1 = 0 : span(m, M 0) k τ + M 0RF (0) +1 (τ +1) + M 1RF (1) (τ ) τ +1 = 1 : span(m, M 1) G 2..3 τ +1 = 0 : span(m, M 0) kτ + M 0RF (0) +1 (τ +1) + M 1RF (1) τ +1 (τ +1 = 1 : span(m, M 1) +1) G 2.+1 Cramer-Shoup argument Cramer-Shoup argument Z 3k k τ + M RF +1(τ +1 ) U 3k,k -MDDH on [M 0] and [M 1] Fg. 5. Seuence of games for the proof of Theorem 1. Throughout, we have () k τ := λ j=1 kj,τ j ; () EncO(τ) = ([y], K b ) where K 0 = [y k τ ] and K 1 r G; () DecO(τ, [y], K) computes the encapsulaton key K := [y k τ ]. Here, (M 0, M 1) s a bass for span(m ), so that M 1M 0 = M 0M 1 = 0, and we wrte M RF (τ ) := M 0RF (0) (τ ) + M 1RF (1) (τ ). The second column shows whch set y s unformly pcked from by EncO, the thrd column shows the value of k τ used by both EncO and DecO. We now prove the IND-PCA securty of KEM PCA. We proceed va a seres of games descrbed n Fgure 6 and 7 and we use Adv to denote the advantage of A n game G. We also gve a hgh-level pcture of the proof n Fgure 5, summarzng the seuence of games. Lemma 4 (G 0 to G 1 ). There exsts an adversary B 0 such that T(B 0 ) T(A) + (Q enc + Q dec ) poly(λ) and Adv 0 Adv 1 Adv mddh U k,ggen (B 0) + 1 1, where Q enc, Q dec are the number of tmes A ueres EncO, DecO, respectvely, and poly(λ) s ndependent of T(A). Here, we use the MDDH assumpton to tghtly swtch the dstrbuton of all the challenge cphertexts. Proof of Lemma 4. To go from G 0 to G 1, we swtch the dstrbuton of the vectors [y] sampled by EncO, usng the Q enc -fold U 3k,k -MDDH Assumpton on [M] (see Defnton 4 and Lemma 3). We buld an adversary B 0 aganst the Q enc-fold U 3k,k -MDDH Assumpton, such that T(B 0 ) T(A) + (Q enc + Q dec ) poly(λ) wth poly(λ) ndependent of T(A), and Adv 0 Adv 1 Adv Qenc-mddh U 3k,k,GGen (B 0). Ths mples the lemma by Lemma 3 (self-reducblty of U 3k,k -MDDH), and Lemma 1 (U 3k,k - MDDH U k -MDDH). Upon recevng a challenge (G, [M] G 3k k, [H] := [h 1... h Qenc ] G 3k Qenc ) for the Q enc -fold U 3k,k -MDDH Assumpton, B 0 pcks b r {0, 1}, k 1,0,..., k λ,1 r Z 3k, and smulates Setup, DecO as descrbed n Fgure 6. To smulate EncO on ts j th uery, for j = 1,..., Q enc, B 0 sets [y] := [h j], and computes K b as descrbed n Fgure 6. Lemma 5 (G 1 to G 2.0 ). Adv 1 Adv 2.0 = 0. 12

13 Setup: G 0,G 1, G 2. T enc = T dec := ; b r {0, 1} G r GGen(1 λ ); M r U 3k,k M r U 3k,2k s.t. M M = 0 Pck random RF : {0, 1} Z 2k k 1,0,..., k λ,1 r Z 3k For all τ {0, 1} λ, k τ := λ j=1 kj,τ j k τ := k τ + M RF (τ ) Return( pk := G, [M], ( [M k j,β ] ) ) 1 j λ,0 β 1 EncO(τ): G 0, G 1,G 2. r r Z k ; y := Mr; y r Z 3k K 0 := [y k τ ]; K 1 r G If τ / T dec T enc, return (C := [y], K b ), and set T enc := T enc {τ}. Otherwse, return. DecO(τ, C := [y], K): G 0,G 1,G 2. K := [y { k τ ] 1 f Return K = K τ / T enc 0 otherwse T dec := T dec {τ} Fg. 6. Games G 0, G 1, G 2. (for 0 λ) for the proof of mult-cphertext PCA securty of KEM PCA n Fgure 4. In each procedure, the components nsde a sold (dotted) frame are only present n the games marked by a sold (dotted) frame. Proof of Lemma 5. We show that the two games are dentcally dstrbuted. To go from G 1 to G 2.0, we change the dstrbuton of k 1,β r Z 3k for β = 0, 1, to k 1,β + M RF 0 (ε), where k 1,β r Z 3k, RF 0 (ε) r Z 2k, and M r U 3k,2k such that M M = 0. Note that the extra term M RF 0 (ε) does not appear n pk, snce M (k 1,β + M RF 0 (ε)) = M k 1,β. Lemma 6 (G 2. to G 2.+1 ). For all 0 λ 1, there exsts an adversary B 2. such that T(B 2. ) T(A) + (Q enc + Q dec ) poly(λ) and Adv 2. Adv Adv mddh U k,ggen (B 2.) + 4Q dec + 2k + 4 1, where Q enc, Q dec are the number of tmes A ueres EncO, DecO, respectvely, and poly(λ) s ndependent of T(A). Proof of Lemma 6. To go from G 2. to G 2.+1, we ntroduce ntermedate games G 2..1, G 2..2 and G 2..3, defned n Fgure 7. We prove that these games are ndstngushable n Lemmas Lemma 7 (G 2. to G 2..1 ). For all 0 λ 1, there exsts an adversary B 2..0 such that T(B 2..0 ) T(A) + (Q enc + Q dec ) poly(λ) and Adv 2. Adv Adv mddh U k,ggen (B 2..0) + 2 1, where Q enc, Q dec are the number of tmes A ueres EncO, DecO, respectvely, and poly(λ) s ndependent of T(A). Here, we use the MDDH Assumpton to tghtly swtch the dstrbuton of all the challenge cphertexts. We proceed n two steps, frst, by changng the dstrbuton of all the cphertexts wth a tag τ such that τ +1 = 0, and then, for those wth a tag τ such that τ +1 = 1. We use the MDDH Assumpton wth respect to an ndependent matrx for each step. Proof of Lemma 7. To go from G 2. to G 2..1, we swtch the dstrbuton of the vectors [y] sampled by EncO, usng the Q enc -fold U 3k,k -MDDH Assumpton. 13

14 Setup: T enc = T dec := ; b r {0, 1} G r GGen(1 λ ); M r U 3k,k M r U 3k,2k s.t. M M = 0 M 0, M 1 r U 3k,k G 2., G 2..1, G 2..2, G 2..3 M 0, M 1 r U 3k,k s.t. span(m ) = span(m 0, M 1) M M 0 = M 1M 0 = 0 = M M 1 = M 0M 1 Pck random RF : {0, 1} Z 2k. Pck random RF (0) +1 : {0, 1}+1 Z k and RF (1) : {0, 1} Z k Pck random RF (0) +1, RF(1) +1 : {0, 1}+1 Z k. k 1,0,..., k λ,1 r Z 3k For all τ {0, 1} λ, k τ := λ j=1 kj,τ j k τ := k τ + M RF (τ ) k τ := k τ + M 0RF (0) +1 (τ +1) + M 1RF (1) (τ ) k τ := k τ + M 0RF (0) +1 (τ +1) + M 1RF (1) +1 (τ +1) ( Return pk := G, [M], ( [M k j,β ] ) ) 1 j λ,0 β 1 EncO(τ): y r Z 3k G 2., G 2..1, G 2..2,G 2..3 If τ +1 = 0 : r r Z k ; r 0 r Z k ; y := Mr + M 0r 0 If τ +1 = 1 : r r Z k ; r 1 r Z k ; y := Mr + M 1r 1 K 0 := [y k τ ]; K 1 r G If τ / T dec T enc, return (C := [y], K b ) and set T enc := T enc {τ}. Otherwse, return. DecO(τ, C := [y], K): K := [y { k τ ] 1 f Return K = K τ / T enc 0 otherwse T dec := T dec {τ}. G 2.,G 2..1,G 2..2,G 2..3 Fg. 7. Games G 2. (for 0 λ),g 2..1, G 2..2 and G 2..3 (for 0 λ 1) for the proof of Lemma 6. For all τ {0, 1} λ, we denote by τ the -bt prefx of τ. In each procedure, the components nsde a sold (dotted, gray) frame are only present n the games marked by a sold (dotted, gray) frame. We ntroduce an ntermedate game G 2..0 where EncO(τ) s computed as n G 2..1 f τ +1 = 0, and as n G 2. f τ +1 = 1. Setup, DecO are as n G We buld adversares B 2..0 and B 2..0 such that T(B 2..0 ) T(B 2..0 ) T(A) + (Q enc + Q dec ) poly(λ) wth poly(λ) ndependent of T(A), and Clam 1: Adv 2. Adv 2..0 Adv Qenc-mddh U 3,k,GGen (B 2..0 ). Clam 2: Adv 2..0 Adv 2..1 Adv Qenc-mddh U 3k,k,GGen (B 2..0 ). Ths mples the lemma by Lemma 3 (self-reducblty of U 3k,k -MDDH), and Lemma 1 (U 3k,k - MDDH U k -MDDH). Let us prove Clam 1. Upon recevng a challenge (G, [M 0 ] G 3k k, [H] := [h 1... h Qenc ] G 3k Qenc ) for the Q enc -fold U 3k,k -MDDH Assumpton wth respect to M 0 r U 3k,k, B 2..0 does as follows: Setup: B 2..0 pcks M r U 3k,k, k 1,0,..., k λ,1 r Z 3k, and computes pk as descrbed n Fgure 7. For each τ uered to EncO or DecO, t computes on the fly RF (τ ) and k τ := k τ +M RF (τ ), where k τ := λ j=1 k j,τ j, RF : {0, 1} Z 2k s a random functon, and τ denotes the -bt prefx of τ (see Fgure 7). Note that B 2..0 can compute effcently M from M. EncO: To smulate the oracle EncO(τ) on ts j th uery, for j = 1,..., Q enc, B 2..0 computes [y] as follows: f τ +1 = 0 : r r Z k ; [y] := [Mr + h j ] f τ +1 = 1 : [y] r G 3k 14

15 Ths way, B 2..0 smulates EncO as n G 2..0 when [h j ] := [M 0 r 0 ] wth r 0 r Z k, and as n G 2. when [h j ] r G 3k. DecO: Fnally, B 2..0 smulates DecO as descrbed n Fgure 7. Therefore, Adv 2. Adv 2..0 Adv Qenc-mddh U 3k,k,GGen (B 2..0 ). To prove Clam 2, we buld an adversary B 2..0 aganst the Q enc-fold U 3k,k -MDDH Assumpton wth respect to a matrx M 1 r U 3k,k, ndependent from M 0, smlarly than B Lemma 8 (G 2..1 to G 2..2 ). For all 0 λ 1, Adv 2..1 Adv Q dec + 2k, where Q dec s the number of tmes A ueres DecO. Here, we use a varant of the Cramer-Shoup nformaton-theoretc argument to move from RF to RF +1, thereby ncreasng the entropy of k τ computed by Setup. For the sake of readablty, we proceed n two steps: n Lemma 8, we move from RF to an hybrd between RF and RF +1, and n Lemma 9, we move to RF +1. Proof of Lemma 8. In G 2..2, we decompose span(m ) nto two subspaces span(m 0 ) and span(m 1 ), and we ncrease the entropy of the components of k τ whch le n span(m 0 ). To argue that G 2..1 and G 2..2 are statstcally close, we use a Cramer-Shoup argument [11]. Let us frst explan how the matrces M 0 and M 1 are sampled. Note that wth probablty at least 1 2k over the random cons of Setup, (M M 0 M 1 ) forms a bass of Z 3k. Therefore, we have span(m ) = Ker(M ) = Ker ( (M M 1 ) ) Ker ( (M M 0 ) ). We pck unformly M 0 and M 1 n Z 3k k that generate Ker ( (M M 1 ) ) and Ker ( (M M 0 ) ), respectvely (see Fgure 1.1). Ths way, for all τ {0, 1} λ, we can wrte M RF (τ ) := M 0RF (0) (τ ) + M 1RF (1) (τ ), where RF (0), RF (1) : {0, 1} Z k are ndependent random functons. We defne RF (0) +1 : {0, 1}+1 Z k as follows: RF (0) +1 (τ +1) := { RF (0) (τ ) f τ +1 = 0 RF (0) (τ ) + RF (0) (τ ) f τ +1 = 1 where RF (0) : {0, 1} Z k s a random functon ndependent from RF (0). Ths way, RF (0) +1 s a random functon. We show that the outputs of EncO and DecO are statstcally close n G 2..1 and G We decompose the proof n two cases (delmted wth ): the ueres wth a tag τ {0, 1} λ such that τ +1 = 0, and the ueres wth a tag τ such that τ +1 = 1. Queres wth τ +1 = 0: The only dfference between G 2..1 and G 2..2 s that Setup computes k τ usng the random functon RF (0) n G 2..1, whereas t uses the random functon RF (0) +1 n G 2..2 (see Fgure 7). Therefore, by defnton of RF (0) +1, for all τ {0, 1}λ such that τ +1 = 0, k τ s the same n G 2..1 and G 2..2, and the outputs of EncO and DecO are dentcally dstrbuted. 15

16 Queres wth τ +1 = 1: Observe that for all y span(m, M 1 ) and all τ {0, 1} λ such that τ +1 = 1, G 2..2 {}}{ ( ) y k τ + M 0RF (0) (τ ) + M 1RF (1) (τ ) + M 0RF (0) (τ ) ( ) = y k τ + M 0RF (0) (τ ) + M 1RF (1) (τ ) + y M 0RF (0) (τ ) }{{} =0 G 2..1 { ( }} ) { = y k τ + M 0RF (0) (τ ) + M 1RF (1) (τ ) where the second eualty uses the fact that M M 0 = M 1 M 0 = 0 and thus y M 0 = 0. Ths means that: the output of EncO on any nput τ such that τ +1 = 1 s dentcally dstrbuted n G 2..1 and G 2..2 ; the output of DecO on any nput (τ, [y], K) where τ +1 = 1, and y span(m, M 1 ) s the same n G 2..1 and G Henceforth, we focus on the ll-formed ueres to DecO, namely those correspondng to τ +1 = 1, and y / span(m, M 1 ). We ntroduce ntermedate games G 2..1.j, and G 2..1.j for j = 0,..., Q dec, defned as follows: G 2..1.j : DecO s as n G 2..1 except that for the frst j tmes t s uered, t outputs 0 to any ll-formed uery. EncO s as n G G 2..1.j : DecO as n G 2..2 except that for the frst j tmes t s uered, t outputs 0 to any ll-formed uery. EncO s as n G We show that: G 2..1 G s G s... s G 2..1.Qdec G 2..1.Q dec s G 2..1.Q dec 1 s... s G G 2..2 where we denote statstcal closeness wth s and statstcal eualty wth. It suffces to show that for all j = 0,..., Q dec 1: Clam 1: n G 2..1.j, f the j + 1-st uery s ll-formed, then DecO outputs 0 wth overwhelmng probablty 1 1/ (ths mples G 2..1.j s G 2..1.j+1, wth statstcal dfference 1/); Clam 2: n G 2..1.j, f the j + 1-st uery s ll-formed, then DecO outputs 0 wth overwhelmng probablty 1 1/ (ths mples G 2..1.j s G 2..1.j+1, wth statstcal dfference 1/) where the probabltes are taken over the random cons of Setup. Let us prove Clam 1. Recall that n G 2..1.j, on ts j + 1-st uery, DecO(τ, [y], K) computes K := [y k τ ], where k τ := ( k τ + M 0 RF(0) (τ ) + M 1 RF(1) (τ ) ) (see Fgure 7). We prove that f (τ, [y], K) s ll-formed, then K s completely hdden from A, up to ts j + 1-st uery to DecO. The reason s that the vector k +1,1 n sk contans some entropy that s hdden from A. Ths entropy s released on the j + 1-st uery to DecO f t s ll-formed. More formally, we use the fact that the vector k +1,1 r Z 3k s dentcally dstrbuted as k +1,1 + M 0 w, where k +1,1 r Z 3k, and w r Z k. We show that w s completely hdden from A, up to ts j + 1-st uery to DecO. 16

17 The publc key pk does not leak any nformaton about w, snce M (k +1,1 + M 0w ) = M k +1,1. Ths s because M M 0 = 0. The outputs of EncO also hde w. For τ such that τ +1 = 0, k τ s ndependent of k +1,1, and therefore, so does EncO(τ). For τ such that τ +1 = 1, and for any y span(m, M 1 ), we have: y (k τ + M 0w ) = y k τ (2) snce M M 0 = M 1 M 0 = 0, whch mples y M 0 = 0. The frst j outputs of DecO also hde w. For τ such that τ +1 = 0, k τ s ndependent of k +1,1, and therefore, so does DecO([y], τ, K). For τ such that τ +1 = 1 and y span(m, M 1 ), the fact that DecO(τ, [y], K) s ndependent of w follows readly from Euaton (2). For τ such that τ +1 = 1 and y / span(m, M 1 ), that s, for an ll-formed uery, DecO outputs 0, ndependently of w, by defnton of G 2..1.j. Ths proves that w s unformly random from A s vewpont. Fnally, because the j+1-st uery (τ, [y], K) s ll-formed, we have τ +1 = 1, and y / span(m, M 1 ), whch mples that y M 0 0. Therefore, the value K = [y (k τ + M 0w)] = [y k τ + y M 0 w] }{{} 0 computed by DecO s unformly random over G from A s vewpont. Thus, wth probablty 1 1/ over K r G, we have K K, and DecO(τ, [y], K) = 0. We prove Clam 2 smlarly, argung than n G 2..1.j, the value K := [y k τ ], where k τ := ( k τ + M 0 RF(0) +1 (τ +1) + M 1 RF(1) (τ ) ), computed by DecO(τ, [y], K) on ts j + 1-st uery, s completely hdden from A, up to ts j + 1-st uery to DecO, f (τ, [y], K) s ll-formed. The argument goes exactly as for Clam 1. Lemma 9 (G 2..2 to G 2..3 ). For all 0 λ 1, Adv 2..2 Adv Q dec, where Q dec s the number of tmes A ueres DecO. Proof of Lemma 9. In G 2..3, we use the same decomposton span(m ) = span(m 0, M 1 ) as that n G The entropy of the components of k τ that le n span(m 1 ) ncreases from G 2..2 to G To argue that these two games are statstcally close, we use a Cramer-Shoup argument [11], exactly as for Lemma 8. We defne RF (1) +1 {0, 1}+1 Z k as follows: RF (1) +1 (τ +1) := { RF (1) (τ ) + RF (1) (τ ) f τ +1 = 0 RF (1) (τ ) f τ +1 = 1 17

18 where RF (1) : {0, 1} Z k s a random functon ndependent from RF (1). Ths way, RF (1) +1 s a random functon. We show that the outputs of EncO and DecO are statstcally close n G 2..1 and G We decompose the proof n two cases (delmted wth ): the ueres wth a tag τ {0, 1} λ such that τ +1 = 0, and the ueres wth tag τ such that τ +1 = 1. Queres wth τ +1 = 1: The only dfference between G 2..2 and G 2..3 s that Setup computes k τ usng the random functon RF (1) n G 2..2, whereas t uses the random functon RF (1) +1 n G 2..3 (see Fgure 7). Therefore, by defnton of RF (1) +1, for all τ {0, 1}λ such that τ +1 = 1, k τ s the same n G 2..2 and G 2..3, and the outputs of EncO and DecO are dentcally dstrbuted. Queres wth τ +1 = 0: Observe that for all y span(m, M 0 ) and all τ {0, 1} λ such that τ +1 = 0, G 2..3 {}}{ ( ) y k τ + M 0RF (0) +1 (τ +1) + M 1RF (1) (τ ) + M 1RF (1) (τ ) ( ) = y k τ + M 0RF (0) +1 (τ +1) + M 1RF (1) (τ ) + y M 1RF (1) (τ ) }{{} =0 G 2..2 { ( }} ) { = y k τ + M 0RF (0) +1 (τ +1) + M 1RF (1) (τ ) where the second eualty uses the fact M M 1 = M 0 M 1 = 0, whch mples y M 1 = 0. Ths means that: the output of EncO on any nput τ such that τ +1 = 0 s dentcally dstrbuted n G 2..2 and G 2..3 ; the output of DecO on any nput (τ, [y], K) where τ +1 = 0, and y span(m, M 0 ) s the same n G 2..2 and G Henceforth, we focus on the ll-formed ueres to DecO, namely those correspondng to τ +1 = 0, and y / span(m, M 0 ). The rest of the proof goes smlarly than the proof of Lemma 8. See the latter for further detals. Lemma 10 (G 2..3 to G 2.+1 ). For all 0 λ 1, there exsts an adversary B 2..3 such that T(B 2..3 ) T(A) + (Q enc + Q dec ) poly(λ) and Adv 2..3 Adv Adv mddh U k,ggen (B 2..3) where Q enc, Q dec are the number of tmes A ueres EncO, DecO, respectvely, and poly(λ) s ndependent of T(A). Ths transton s symmetrc to the transton between G 2. and G 2..1 (cf. Lemma 7): we use the MDDH Assumpton to tghtly swtch the dstrbuton of all the challenge cphertexts n two steps; frst, by changng the dstrbuton of all the cphertexts wth a tag τ such that τ +1 = 0, and then, the dstrbuton of those wth a tag τ such that τ +1 = 1, usng the MDDH Assumpton wth respect to an ndependent matrx for each step. Proof of Lemma 10. Frst, we use the fact that for all τ {0, 1} λ, M 0 RF(0) +1 (τ +1)+M 1 RF(1) +1 (τ +1) s dentcally dstrbuted to M RF +1 (τ +1 ), where RF +1 : {0, 1} +1 Z 2k s a random functon. Ths 18

19 s because (M 0, M 1 ) s a bass of span(m ). That means A s vew can be smulated only knowng M, and not M 0, M 1 explctly. Then, to go from G 2..3 to G 2.+1, we swtch the dstrbuton of the vectors [y] sampled by EncO, usng the Q enc -fold U 3k,k -MDDH Assumpton (whch s euvalent to the U k -MDDH Assumpton, see Lemma 1) twce: frst wth respect to a matrx M 0 r U 3k,k for cphertexts wth τ +1 = 0, then wth respect to an ndependent matrx M 1 r U 3k,k for cphertexts wth τ +1 = 1 (see the proof of Lemma 7 for further detals). Lemma 6 follows readly from Lemmas Lemma 11 (G 2.λ ). Adv 2.λ Qenc. Proof of Lemma 11. We show that the jont dstrbuton of all the values K 0 computed by EncO s statstcally close to unform over G Qenc. Recall that on nput τ, EncO(τ) computes K 0 := [y (k τ + M RF λ (τ))], where RF λ : {0, 1} λ Z 2k s a random functon, and y r Z 3k (see Fgure 6). We make use of the followng propertes: Property 1: all the tags τ uered to EncO, such that EncO(τ), are dstnct. Property 2: the outputs of DecO are ndependent of {RF(τ) : τ T enc }. Ths s because for all ueres (τ, [y], K) to DecO such that τ T enc, DecO(τ, [y], K) = 0, ndependently of RF λ (τ), by defnton of G 2.λ. Property 3: wth probablty at least 1 Qenc over the random cons of EncO, all the vectors y sampled by EncO are such that y M 0. We deduce that the jont dstrbuton of all the values RF λ (τ) computed by EncO s unformly random over ( Z 2k ) Qenc (from Property 1), ndependent of the outputs of DecO (from Property 2). Fnally, from Property 3, we get that the jont dstrbuton of all the values K 0 computed by EncO s statstcally close to unform over G Qenc, snce: K 0 := [y (k τ + M RF λ (τ)) = [y k τ + y M RF }{{} λ (τ)]. 0 w.h.p. Ths means that the values K 0 and K 1 are statstcally close, and therefore, Adv 3 Qenc. Fnally, Theorem 1 follows readly from Lemmas Mult-cphertext CCA-secure Publc Key Encrypton scheme 4.1 Our constructon We now descrbe the optmzed IND-CCA-secure PKE scheme. Compared to the PCA-secure KEM from Secton 3, we add an authentcated (symmetrc) encrypton scheme (Enc AE, Dec AE ), and set the KEM tag τ as the hash value of a sutable part of the KEM cphertext (as explaned n the ntroducton). A formal defnton wth hghlghted dfferences to our PCA-secure KEM appears n Fgure 8. We prove the securty under the U k -MDDH Assumpton, whch admts a tght reducton to the standard k-ln Assumpton. 19