In this section, we prove the security properties of our main construction. Throughout the proof, we continue to use the notational conventions of Sect. 5.
Theorem 6.1
The construction in Sect. 5 satisfies the correctness properties for a homomorphic encryption scheme, is \({\mathcal {T}} _{\mathbb {H}} \)-unlinkable and \({\mathcal {T}} _{\mathbb {H}} \)-HCCA-secure, under the RG-DDH assumption.
Since the proof is rather lengthy, we first give a high-level conceptual overview of the important steps. The correctness properties follow from straightforward inspection of the scheme’s routines. We now focus on the HCCA security requirement. Later, we will show how the arguments used to prove HCCA security can be very easily modified to show the unlinkability requirement.
Rigged Ciphertexts (\({{\textsf {RigEnc}}}\) and \({{\textsf {RigExtract}}}\))
To prove HCCA security, we must demonstrate suitable \({{\textsf {RigEnc}}}\) and \({{\textsf {RigExtract}}}\) procedures for use in the HCCA security experiment (Definition 3.1). First, we define some useful subroutines that are common to both the “rigged” and standard encryption procedures, so that the distinction between rigged and standard ciphertexts is clearer:
Intuitively, the \(D E ^\mu \) component is the core of our scheme’s non-malleability, following the Cramer–Shoup paradigm, as explained in the scheme’s motivation above. Thus, \({{\textsf {GenCiph}}} _{pk} ((m_1, \ldots , m_n), \mu )\) generates a ciphertext with plaintext \(\vec {m}\), which is non-malleable with respect to the quantity \(\mu \). Then \({{\textsf {Integrity}}} _{sk} (\zeta ,u,\mu )\) determines whether the given ciphertext encodes the specified non-malleability quantity \(\mu \).
Using these subroutines, we can rewrite the scheme’s \({{\textsf {Enc}}}\) and \({{\textsf {Dec}}}\) routines as follows:
Now, we define the \({{\textsf {RigEnc}}}\) and \({{\textsf {RigExtract}}}\) procedures for use in our security proof:
Intuitively, a rigged ciphertext is one whose non-malleability value \(\mu \) is a random value, rather than a function of the message as in the normal scheme. If a purported ciphertext is observed which encodes the same value of \(\mu \) (S), we conclude that the ciphertext in question was derived from the rigged one. By inspecting and comparing the purported plaintexts of the two ciphertexts, we can determine the transformation that was applied.
Proof Overview
Recall that to prove HCCA security we must show that the advantage of any adversary in the HCCA game (with \({{\textsf {RigEnc}}}\) and \({{\textsf {RigExtract}}}\) as described above) is negligible. We do so by considering the following sequence of hybrid interactions, which at this high level follow the general approach used by Cramer and Shoup to show the CCA security of their scheme:
Hybrid 0 This hybrid is simply the HCCA game, using \({{\textsf {RigEnc}}}\) and \({{\textsf {RigExtract}}}\) from above.
Hybrid 1 (Alternative Encryption) This hybrid is the same as above, except in how the challenge ciphertext is generated. Recall that in the HCCA game, the adversary submits a plaintext \({\textsf {msg}}\) and receives the challenge ciphertext \({\zeta ^*}\), generated either via \({{\textsf {Enc}}} _{pk} ({\textsf {msg}})\) or \({{\textsf {RigEnc}}} _{pk} \). In either case, \({\zeta ^*}\) is generated by a suitable call to the \({{\textsf {GenCiph}}}\) subroutine.
Hybrid 1 differs from Hybrid 0 in that this particular call to \({{\textsf {GenCiph}}}\) is replaced with an alternative version (called \({{\textsf {AltGenCiph}}}\)), as follows: Instead of using the same random exponent \(x \) in ciphertext components \(g _{1} ^{(x +z_{1})u}, \ldots , g _{4} ^{(x +z_{4})u}\) and the same random exponent \(y \) in components \(g _{1} ^{y u}, \ldots , g _{4} ^{y u}\), the alternate procedure uses independently random exponents for each of these components. This is analogous to the first step in the CCA-security proof of standard Cramer–Shoup: the challenge ciphertext is generated as \((g _{1} ^{x_{1}}, g _{2} ^{x_{2}}, \ldots )\) instead of \((g _{1} ^{x}, g _{2} ^{x}, \ldots )\).
This alternative way of generating the challenge ciphertext must then use the private key instead of the public key to ensure that the resulting ciphertext still decrypts successfully. A corresponding change is also made in the way the auxiliary CSL ciphertext is generated.
Hybrids 0 and 1 are indistinguishable by the DDH assumption in \({\mathbb {G}}\) and \(\widehat{{\mathbb {G}}}\). Furthermore, if \({\zeta ^*}\) denotes the challenge ciphertext in Hybrid 1, then we show that \(({pk}, {\zeta ^*})\) are distributed independently of the values \((u, \mu , b)\), where \(u \) and \(\mu \) are values chosen during ciphertext generation, and b is the choice bit in the HCCA game. Again, this reasoning is analogous to that of the standard Cramer–Shoup proof: there, the modified challenge ciphertext is distributed independently of the choice bit b.
Hybrid 2 (Alternative Encryption \(+\) Decryption) It is not enough that \(({pk}, {\zeta ^*})\) are distributed independently of the choice bit b. The adversary’s view also includes responses to oracle queries, which are implemented using the private key and may therefore leak information about b. Hybrid 2 addresses the potential information leaked by these decryption-like oracles.
In the security proof for Cramer–Shoup, these oracle queries are handled in the following way. Define a Cramer–Shoup ciphertext as bad if it has the form \((g _{1} ^{x_{1}}, g _{2} ^{x_{2}}, \ldots )\), where \(x_{1} \ne x_{2} \). Using a purely statistical argument, Cramer and Shoup show that the decryption oracle will respond with \(\bot \) with overwhelming probability in response to any bad ciphertext query. Thus we may replace the decryption oracle with an oracle which simply checks whether the query is in the range of \({{\textsf {Enc}}} _{pk} (\cdot )\), and if so, returns the appropriate value of m. Of course, this oracle would require exponential time, but, crucially, it can be implemented using the public key only. In other words, the responses from oracle queries cannot leak more information than \({pk} \), which we already established was distributed independently of the choice bit b, so the adversary’s entire view is independent of the choice bit.
Our proof follows a similar approach of defining alternative (exponential-time) decryption procedures, which use only the public key. Like the proof of Cramer–Shoup, the bulk of our proof centers on defining when a query is bad, and then showing that the relevant oracles will respond with \(\bot \) with overwhelming probability on all bad queries.
However, our situation is considerably more complicated than the one arising in the Cramer–Shoup security proof:
- In the Cramer–Shoup case, a ciphertext of the form \((g _{1} ^{x_{1}}, g _{2} ^{x_{2}}, \ldots )\) has either \(x_{1} = x_{2} \) or \(x_{1} \ne x_{2} \). The space of possible values \((x_{1}, x_{2})\) is 2-dimensional. Our situation is complicated by the fact that we have an analogous 4-dimensional space. We also have two places in the ciphertext (corresponding to randomness \(x \) and \(y \)) where we must characterize these encryption exponents.
More discussion of the relevant subtleties is deferred to Sect. 6.5, where the required linear-algebraic understanding has been developed.
- In the HCCA game, \({{\textsc {dec}}}\) queries are answered differently depending on the choice bit b. We must show an indistinguishable (exponential-time) alternative oracle which uses only \({pk}\) (and in particular, not b). Looking ahead, the alternative oracle will simply check whether the query ciphertext is in the range of \({{\textsf {Enc}}} _{pk} (\cdot )\) or in the range of \({{\textsf {CTrans}}} _{pk} ({\zeta ^*}, \cdot )\). The analysis must account for why any other purported ciphertext would cause a \({{\textsc {dec}}}\) query to output \(\bot \) with overwhelming probability.
Unlinkability We have given the outline of how we prove the HCCA security of our construction. To prove unlinkability, we apply the reasoning from the HCCA proof in a similar way.
Consider the unlinkability experiment (Definition 3.2). Here, the adversary must provide a challenge ciphertext \(\zeta \), for which the condition \({{\textsf {Dec}}} _{sk} (\zeta ) \ne \bot \) is checked. If the check succeeds, then the game continues, and the ciphertext is either transformed via \({{\textsf {CTrans}}}\), or reencrypted.
Now consider replacing the \({{\textsf {Dec}}}\) oracle with the (exponential-time) alternate decryption oracle used in Hybrid 2 of the HCCA proof. By the same argument as in that proof, we see that this hybrid experiment is indistinguishable from the original experiment. However, now when the adversary provides a challenge ciphertext \(\zeta \), the condition that is checked is “is \(\zeta \) in the range of \({{\textsf {Enc}}} _{pk} (\cdot )\)?”
We can now apply the straightforward correctness property of \({{\textsf {CTrans}}}\); namely, that the two distributions \({{\textsf {Enc}}} _{pk} (T({{\textsf {Dec}}} _{sk} (\zeta )))\) and \({{\textsf {CTrans}}} _{pk} (\zeta ,T)\) are identical. As such, the adversary has no advantage in the unlinkability game (after replacing the decryption oracle with the alternative one from the HCCA proof).
Linear Algebra Characterization of Our Scheme
Before proceeding to the full details of the security proof, we first give an alternate characterization of our construction using linear algebra, which will be vitally useful in the security proof.
Public-Key Constraints First we examine what information is revealed to the adversary about the private key by the public key.
Let \(({\vec {a}},{\vec {b}})\) be a CSL private key and \((\widehat{g} _{1},\widehat{g} _{2},A,B)\) be the corresponding CSL public key. Also let \(({\vec {c}} _1, \ldots , {\vec {c}} _n,{\vec {d}},{\vec {e}})\) be a private key and \((g _{1},\ldots ,g _{4},C _1,\ldots ,C _n,D,E)\) be the corresponding public key. Then the relationship between the private and public keys is given by the following linear equations (the first equation is in the field of order q, and the second is in the field of order p):
$$\begin{aligned} \begin{bmatrix} {\vec {1}}&\\&{\vec {1}} \end{bmatrix} \begin{bmatrix} \widehat{G}&\\&\widehat{G} \\ \end{bmatrix} \begin{bmatrix} {\vec {a}} ^\top \\ {\vec {b}} ^\top \end{bmatrix}&= \begin{bmatrix} \log A \\ \log B \end{bmatrix}, \text{ where } \widehat{G} = \begin{bmatrix} \log \widehat{g} _{1}&0 \\ 0&\log \widehat{g} _{2} \end{bmatrix} \nonumber \\ \begin{bmatrix} {\vec {1}} \\&\ddots \\&{\vec {1}} \end{bmatrix} \begin{bmatrix} G \\&\ddots \\&G \\ \end{bmatrix} \begin{bmatrix} {\vec {c}} _1^\top \\ \vdots \\ {\vec {c}} _n^\top \\ {\vec {d}} ^\top \\ {\vec {e}} ^\top \\ \end{bmatrix}&= \begin{bmatrix} \log C _1 \\ \vdots \\ \log C _n \\ \log D \\ \log E \\ \end{bmatrix}, \text{ where } G = \begin{bmatrix} \log g _{1}&\cdots&0 \\ \vdots&\ddots&\vdots \\ 0&\cdots&\log g _{4} \end{bmatrix} \end{aligned}$$
(6.1)
We call these constraints the public-key constraints.
Strands We introduce the notion of strands, which allow us to characterize the linear-algebraic dependence of a ciphertext on the public key and the challenge ciphertext.
Definition 6.2
Let \(U = (V_{1},V_{2},A_V,B_V)\) be a CSL ciphertext. The CSL strand of \(U \) with respect to a public key \((\widehat{g} _{1},\widehat{g} _{2},A,B)\) is:
$$\begin{aligned} {\vec {v}}&= (v_{1}, v_{2}), \text{ where } v_{j} = \log _{\widehat{g} _{j}} V_{j} \end{aligned}$$
Observe that:
- Ciphertexts generated by \({{\textsf {MEnc}}} _{\widehat{pk}} \) have a strand (with respect to \({\widehat{pk}}\)) where \(v_{1} = v_{2} \); that is, the strand is a scalar multiple of the all-ones vector \({\vec {1}}\).
- If the CSL strand of \(U\) (w.r.t. \({\widehat{pk}}\)) is \({\vec {v}}\), then \({{\textsf {MCTrans}}} _{\widehat{pk}} (U,T_\sigma )\) produces a ciphertext whose strand (w.r.t. \({\widehat{pk}}\)) is \({\vec {v}} +r{\vec {1}} \), for a random choice \(r \in {\mathbb {Z}}_q \).
For ciphertexts in the main scheme, we define a similar notion of strands. However, in such a ciphertext, the first strand is “masked” by \(u \) and \(z_{i} \)’s, and the second strand is masked by \(u \).
Definition 6.3
Let \(\zeta = ({\vec {X}},{\vec {C}} _X,P_{X};{\vec {Y}},{\vec {C}} _Y,P_{Y};U)\) be a ciphertext in the main scheme. The strands of \(\zeta \) with respect to a public key \((g _{1},\ldots ,g _{4},C _1,\ldots , C _n, D,E)\) and a value \(u \in \widehat{{\mathbb {G}}} \) are:
$$\begin{aligned} {\vec {x}}&= (x_{1}, \ldots , x_{4}), \text{ where } x_{i} = (\log _{g_{i}} X_{i})/u- z_{i} \\ {\vec {y}}&= (y_{1}, \ldots , y_{4}), \text{ where } y_{i} = (\log _{g_{i}} Y_{i})/u \end{aligned}$$
Again, we have the following observations:
- In ciphertexts generated by \({{\textsf {Enc}}} _{pk} \), both strands (with respect to \({pk}\) and \(u = {{\textsf {MDec}}} _{\widehat{sk}} (U)\), where \(U\) is the final component of the ciphertext) are scalar multiples of the all-ones vector.
- If the strands of \(\zeta \) are \({\vec {x}}\) and \({\vec {y}}\) (w.r.t. \({pk}\) and \(u\)), then \({{\textsf {CTrans}}} _{pk} (\zeta ,T_{\vec {\tau }})\) produces a ciphertext whose two strands (w.r.t. \({pk}\) and \(\sigma u \), where \(\sigma \) is the value chosen in \({{\textsf {CTrans}}}\)) are \({\vec {x}} +s{\vec {y}} \) and \(t{\vec {y}} \), for a random choice of \(s \in {\mathbb {Z}}_p, t\in {\mathbb {Z}}^*_p \).
Looking ahead, one way to interpret the role of \({\vec {z}}\) and \(u\) in our construction is that they ensure that any way of modifying a ciphertext’s strands other than \(({\vec {x}},{\vec {y}}) \leadsto ({\vec {x}} +s{\vec {y}}, t{\vec {y}})\) will cause the ciphertext to be invalid.
Decryption Constraints Let \({\widehat{sk}} = ({\vec {a}},{\vec {b}})\) be a CSL private key, let \(U = (V_{1},V_{2},A_V,B_V)\) be a CSL ciphertext, and let \({\vec {v}} \) be its strand with respect to the corresponding public key. Then \({{\textsf {MDec}}} _{\widehat{sk}} (U) = u \ne \bot \) if and only if the following constraints hold in the field of order q:
$$\begin{aligned} \begin{bmatrix} {\vec {v}}&\\&{\vec {v}} \\ \end{bmatrix} \begin{bmatrix} \widehat{G}&\\&\widehat{G} \\ \end{bmatrix} \begin{bmatrix} {\vec {a}} ^\top \\ {\vec {b}} ^\top \end{bmatrix} = \begin{bmatrix} \log (A_V/u) \\ \log B_V \\ \end{bmatrix} \end{aligned}$$
(6.2)
Similarly, let \({sk} = ({\widehat{sk}},{\vec {c}} _1, \ldots , {\vec {c}} _n,{\vec {d}}, {\vec {e}})\) be a private key and \(\zeta = ({\vec {X}},{\vec {C}} _X,P_{X};{\vec {Y}},{\vec {C}} _Y,P_{Y};U)\) be a ciphertext such that \({{\textsf {MDec}}} _{\widehat{sk}} (U) = u \ne \bot \). Let \({\vec {x}} \) and \({\vec {y}} \) denote the strands of \(\zeta \) with respect to the public key and \(u\).
Then \({{\textsf {PurpMsg}}} _{sk} (\zeta ,u) = (m_1, \ldots , m_n)\) and \({{\textsf {Integrity}}} _{sk} (\zeta , u, \mu ) = 1\) if and only if \({\vec {y}} \) is a nonzero vector and the following constraints hold in the field of order p:
$$\begin{aligned} \begin{bmatrix} {\vec {x}}&\\&\ddots&\\&{\vec {x}} \\ {\vec {y}}&\\&\ddots&\\&{\vec {y}} \\&&{\vec {x}}&\mu {\vec {x}} \\&&{\vec {y}}&\mu {\vec {y}} \\ \end{bmatrix} \begin{bmatrix} G&\\&\ddots&\\&G \\ \end{bmatrix} \begin{bmatrix} {\vec {c}} _1^\top \\ \vdots \\ {\vec {c}} _n^\top \\ {\vec {d}} ^\top \\ {\vec {e}} ^\top \\ \end{bmatrix} = \begin{bmatrix} \log (C_{X,1}/m_1) \\ \vdots \\ \log (C_{X,n}/m_n) \\ \log C_{Y,1} \\ \vdots \\ \log C_{Y,n} \\ \log P_{X} \\ \log P_{Y} \\ \end{bmatrix} \end{aligned}$$
(6.3)
We call each constraint in these systems of equations a decryption constraint, and refer to them by the name of the ciphertext component that is involved in the right-hand side (\(A_V\), \(P_{X}\), etc.).
Ciphertexts generated by \({{\textsf {GenCiph}}}\) have strands that are scalar multiples of the all-ones vector. As such, the corresponding decryption constraints are linearly dependent on the public-key constraints. Thus, such a ciphertext does not provide any additional information about the private key to the adversary, which is logical since these ciphertexts are generated with the public key alone.
Looking ahead, in Hybrid 1 the challenge ciphertext will be generated in an alternative way, so that its decryption constraints are linearly independent of the public-key constraints with high probability. The linear independence helps to information-theoretically hide the plaintext and other information contained in the ciphertext, but also gives the adversary more constraints on the private key. The fact that ciphertexts in our scheme give constraints relating to both \({\vec {x}} \) and \({\vec {y}} \) is one of the reasons our construction uses four generators \(g _{1}, \ldots , g _{4} \) instead of the typical two generators in the Cramer–Shoup construction. We need a large enough vector space so that \(\{{\vec {1}}, {\vec {x}}, {\vec {y}} \}\) can all be linearly independent (in fact, they must also be linearly independent of \({\vec {z}}\) for additional reasons).
Correctness Properties Under this linear-algebraic interpretation of our scheme, it is easy to see the correctness of the homomorphic transformation operations.
Lemma 6.4
For all keypairs \(({\widehat{pk}},{\widehat{sk}})\), all (purported) CSL ciphertexts \(U\), and all \(U '\) in the support of \({{\textsf {MCTrans}}} (U,T_\sigma )\), we have \({{\textsf {MDec}}} _{\widehat{sk}} (U ')= T_\sigma ( {{\textsf {MDec}}} _{\widehat{sk}} (U) )\).
Proof
If \({\vec {v}}\) is the CSL strand of \(U\), then the strand of \(U '\) is \({\vec {v}} + r {\vec {1}} \) for some \(r\in {\mathbb {Z}}_q \). Consider any decryption constraint on \(U '\). The left-hand side of the constraint is the left-hand side of the corresponding constraint from \(U\) plus r times the left-hand side of the corresponding public-key constraint. By the definition of \({{\textsf {MCTrans}}}\), the right-hand side of the constraint is also a combination of the right-hand sides of these two constraints with the same coefficients (with one of the constraints being further offset by \(\sigma \)). \(\square \)
Lemma 6.5
For all keypairs \(({pk},{sk})\), all (purported) ciphertexts \(\zeta \), and all \(\zeta '\) in the support of \({{\textsf {CTrans}}} _{pk} (\zeta , T_{\vec {\tau }})\), we have \({{\textsf {Dec}}} _{sk} (\zeta ')= T_{\vec {\tau }} ( {{\textsf {Dec}}} _{sk} (\zeta ) )\).
Proof
First, by the above lemma, the CSL component of \(\zeta '\) will fail to decrypt if and only if the CSL component of \(\zeta \) fails to decrypt.
Otherwise, the two strands of \(\zeta '\) (with respect to the decryption of its CSL component) are linear combinations of the strands of \(\zeta \) (with respect to the decryption of its CSL component). A similar argument to above shows that a decryption check fails on \(\zeta '\) if and only if the same check fails on \(\zeta \); and that the ratios of the purported plaintexts are \({\vec {\tau }} \). \(\square \)
Hybrid 1: Alternate Encryption
As outlined above, we consider a hybrid interaction wherein \({{\textsf {GenCiph}}}\) is replaced by an alternative procedure when generating the challenge ciphertext \({\zeta ^*}\). We now describe this procedure \({{\textsf {AltGenCiph}}}\). As a component, it uses \({{\textsf {AltMEnc}}}\), a corresponding alternate encryption procedure for the CSL scheme. Both of these procedures use the secret key instead of the public keys to generate ciphertexts.
Using the terminology of the previous section, we see that these alternate encryption procedures generate a ciphertext whose strands are random, whereas standard ciphertexts have strands which are scalar multiples of all-ones vectors. The remainder of the ciphertexts are “reverse-engineered” using the private key to ensure that the decryption constraints are satisfied.
Hybrid 1 Formally, we define a Hybrid challenge oracle, as follows:
\(\underline{\widehat{{\mathcal {O}}}^{{\textsf {hyb-1}}}_{\lambda ,b}:}\)
All queries are answered identically to \({\mathcal {O}}^{{\mathcal {E}},{{\textsf {RigEnc}}},{{\textsf {RigExtract}}}}_{\lambda ,b} \), except that when responding to a \({{\textsc {challenge}}}\) query, the implicit call to \({{\textsf {GenCiph}}} _{pk} \) (from either \({{\textsf {RigEnc}}}\) or \({{\textsf {Enc}}}\)) is replaced with an identical call to \({{\textsf {AltGenCiph}}} _{sk} \).
Lemma 6.6
Let \({\mathcal {E}} \) denote our main construction. For every non-uniform PPT adversary \({{\mathcal {A}}}\) and \(b \in \{0,1\}\), we have
$$\begin{aligned} \Pr [ {{\mathcal {A}}} ^{{\mathcal {O}}^{{\mathcal {E}},{{\textsf {RigEnc}}},{{\textsf {RigExtract}}}}_{\lambda ,b}}(1^\lambda ) = 1] \approx \Pr [ {{\mathcal {A}}} ^{\widehat{{\mathcal {O}}}^{{\textsf {hyb-1}}}_{\lambda ,b}}(1^\lambda ) = 1] \end{aligned}$$
under the RG-DDH assumption.
Proof
Under the RG-DDH assumption, the following two distributions are indistinguishable (the proof of their indistinguishability is left as an exercise for the reader):
Now consider a simulator which receives a sample from either \({\mathcal {D}}_0\) or \({\mathcal {D}}_1\); say:
$$\begin{aligned} \Big ( ({\mathbb {G}},g,p,\widehat{{\mathbb {G}}},\widehat{g},q);~ \widehat{g} _{1}, \widehat{g} _{2}; ~ V_{1}, V_{2}; ~ g _{1}, \ldots , g _{4}; ~ \overline{X}_{1}, \ldots , \overline{X}_{4}; ~ \overline{Y}_{1}, \ldots , \overline{Y}_{4} \Big ) \end{aligned}$$
The simulator then simulates the HCCA game with \({{\mathcal {A}}}\). It uses \((\widehat{g} _{1},\widehat{g} _{2})\) as the corresponding part of the CSL public key, and generates the remainder of the keypair (\({\vec {a}},{\vec {b}} \)) honestly. To simulate the encryption of \(u ^*\) from the challenge ciphertext with this keypair, the simulator uses \({{\textsf {AltMEnc}}}\) with the input values \(V_{1},V_{2} \).
Similarly, we take \((g _{1},\ldots ,g _{4})\) as the corresponding part of the public key and generate the remainder of the keypairs (\({\vec {c}} _i\), \({\vec {d}} \), \({\vec {e}} \)) honestly. To simulate the encryption of the challenge ciphertext, we use \({{\textsf {AltGenCiph}}}\) with these private keys and the input values \(\overline{X}_{1},\ldots ,\overline{X}_{4},\overline{Y}_{1},\ldots ,\overline{Y}_{4} \).
If the above tuple is sampled according to \({\mathcal {D}}_0\), then the challenge ciphertext is statistically indistinguishable from one generated using \({{\textsf {GenCiph}}}\) (the distribution is identical when conditioned to avoid the negligible-probability event that \(\overline{Y}_{1} =\cdots =\overline{Y}_{4} =1\)). If the above tuple is instead sampled according to \({\mathcal {D}}_1\), then the challenge ciphertext is distributed identically to an encryption from \({{\textsf {AltGenCiph}}}\).
The rest of this simulation of the HCCA game can be implemented in polynomial time, so the claim follows from the RG-DDH assumption. \(\square \)
Lemma 6.7
In the Hybrid 1 experiment, conditioned on an overwhelming probability event, the values \(({\zeta ^*}, {pk})\) are distributed independently of the values \((u, b)\), where \(u \in \widehat{{\mathbb {G}}} \) is the randomness chosen when generating \({\zeta ^*}\), and b is the choice bit in the game.
Further, when \(b=1\), the value \(\mu \in {\mathbb {Z}}_p \) used to generate \({\zeta ^*}\) is chosen at random, and we have that \(({\zeta ^*}, {pk})\) are distributed independently of \((u, \mu )\).
Proof
Given a CSL ciphertext from \({{\textsf {AltMEnc}}}\) with strand \({\vec {v}} \), the set \(\{{\vec {v}},{\vec {1}} \}\) forms a basis for the 2-dimensional space of CSL strands, with overwhelming probability. The adversary’s view of the CSL private key \(({\vec {a}},{\vec {b}})\) is constrained by the public key constraints in Eq. (6.1) and the decryption constraints given by \({\zeta ^*}\) in Eq. (6.3), that is:
$$\begin{aligned} \begin{bmatrix} {\vec {1}}&\\&{\vec {1}} \\ {\vec {v}}&\\&{\vec {v}} \\ \end{bmatrix} \begin{bmatrix} \widehat{G}&\\&\widehat{G} \\ \end{bmatrix} \begin{bmatrix} {\vec {a}} ^\top \\ {\vec {b}} ^\top \end{bmatrix} = \begin{bmatrix} \log A \\ \log B \\ \log (A_V/u) \\ \log B_V \end{bmatrix}. \end{aligned}$$
Note that the leftmost matrix has full rank when \({\vec {v}} \) and \({\vec {1}} \) are linearly independent.
Similarly, let \({\zeta ^*}\) be a ciphertext generated by \({{\textsf {AltGenCiph}}}\). For every \(u \in \widehat{{\mathbb {G}}} \), we have that, with overwhelming probability, \(\{{\vec {x}},{\vec {y}},{\vec {1}},{\vec {z}} \}\) form a basis for the 4-dimensional space of strands, where \({\vec {x}}\) and \({\vec {y}}\) are the strands of the challenge ciphertext with respect to \(u\), and \({\vec {z}}\) is the fixed parameter of the scheme (recall that we require \({\vec {z}} \) to be linearly independent of \({\vec {1}} \)). Then the adversary’s view of the private key is constrained as follows:
$$\begin{aligned} \begin{bmatrix} {\vec {1}} \\&\ddots \\&&{\vec {1}} \\ {\vec {x}}&\\&\ddots&\\&{\vec {x}} \\ {\vec {y}}&\\&\ddots&\\&{\vec {y}} \\&&{\vec {x}}&\mu {\vec {x}} \\&&{\vec {y}}&\mu {\vec {y}} \\ \end{bmatrix} \begin{bmatrix} G&\\&\ddots&\\&G \\ \end{bmatrix} \begin{bmatrix} {\vec {c}} _1^\top \\ \vdots \\ {\vec {c}} _n^\top \\ {\vec {d}} ^\top \\ {\vec {e}} ^\top \\ \end{bmatrix} = \begin{bmatrix} \log C _1 \\ \vdots \\ \log C _n \\ \log D \\ \log E \\ \log (C_{X,1}/m_1) \\ \vdots \\ \log (C_{X,n}/m_n) \\ \log C_{Y,1} \\ \vdots \\ \log C_{Y,n} \\ \log P_{X} \\ \log P_{Y} \end{bmatrix}, \end{aligned}$$
where \((m_1, \ldots , m_n)\) and \(\mu \) were the inputs to \({{\textsf {AltGenCiph}}}\). Note that when \(\{{\vec {1}},{\vec {x}},{\vec {y}} \}\) are linearly independent, the leftmost matrix has full rank for every \(\mu \in {\mathbb {Z}}_p \).
The overwhelming event mentioned in the statement of the lemma is that \(\{{\vec {1}}, {\vec {v}} \}\) and \(\{{\vec {1}},{\vec {x}},{\vec {y}},{\vec {z}} \}\) are basis sets of their respective vector spaces. Hereafter, we condition on this event.
When \(b=0\) in the HCCA game, the challenge ciphertext is generated with \((m_1, \ldots , m_n)\) and \(\mu = {\textsf {H}} ({{\textsf {canonize}}} (m_1, \ldots , m_n))\), where \((m_1, \ldots , m_n)\) was provided by the adversary. The value \(u \) is chosen at random in \(\widehat{{\mathbb {G}}}\); for every \(u \in \widehat{{\mathbb {G}}} \) there are an equal number of solutions for the private keys in this system of equations, since the leftmost matrix has full rank. In other words, after fixing \(b=0\) and fixing \(({\zeta ^*}, {pk})\), every possible \(u \in \widehat{{\mathbb {G}}} \) is equally likely.
When \(b=1\) in the HCCA experiment, the challenge ciphertext is generated using \({{\textsf {RigEnc}}}\); that is, with \((m_1, \ldots , m_n) = (1, \ldots , 1)\) and \(\mu \) chosen at random. Again \(u \) is chosen at random in \(\widehat{{\mathbb {G}}}\). For every \(u \in \widehat{{\mathbb {G}}} \) and \(\mu \in {\mathbb {Z}}_p \), there are an equal number of solutions for the private keys in this system of equations, since again the leftmost matrix is nonsingular. Thus fixing \(b=1\) and fixing \(({\zeta ^*}, {pk})\), every possible setting of \((u \in \widehat{{\mathbb {G}}}, \mu \in {\mathbb {Z}}_p)\) is equally likely.
Finally, by the same reasoning, there are an equal number of solutions for the private keys consistent with \(b=0\) as for \(b=1\). Thus \(({\zeta ^*}, {pk})\) is distributed independently of b. \(\square \)
Hybrid 2: Alternative Encryption \(+\) Decryption
As outlined above, we next consider a hybrid in which \({{\textsc {dec}}} \) and \({{\textsc {rigextract}}} \) queries are answered in a different way. In this section, we let \({\zeta ^*}\) denote the challenge ciphertext in the Hybrid 1 experiment, which was generated using \({{\textsf {AltGenCiph}}}\) (called from either \({{\textsf {Enc}}}\) or \({{\textsf {RigEnc}}}\)).
Bad Queries Our arguments in this section generally follow the same structure. The adversary’s view induces a set of public-key constraints and decryption constraints (from \({\zeta ^*}\)) on the private key values.
In the HCCA security experiment, fix a public key pk and, if a \({{\textsc {challenge}}}\) query has been made, fix a challenge ciphertext \({\zeta ^*} \) as well. Call a query \(\zeta \) to \({{\textsc {dec}}} (\cdot )\) or a query \((\zeta ', \zeta )\) to \({{\textsc {rigextract}}} (\cdot ,\cdot )\) a bad query if the oracle responds with \(\bot \) with overwhelming probability, taken over private keys that are consistent with the public key and \({\zeta ^*}\).
The simplest way a ciphertext can be bad is if one of its decryption integrity constraints (Eqs. 6.2 and 6.3) is linearly independent of the constraints given by the public key and challenge ciphertext. In that case, only a negligible fraction of consistent private keys are further consistent with these linearly independent constraints. Thus much of this section involves showing that ciphertexts not of a certain form have linearly independent decryption constraints and are therefore bad.
Hybrid 2 We define Hybrid 2 to be identical to Hybrid 1, except that oracle queries of the following form are handled using the following (exponential-time) procedures. More formally, define the following stateful oracle:
To prove the indistinguishability of Hybrids 1 and 2, it suffices to show that the alternative oracles’ responses match those of the standard oracles, with overwhelming probability. In particular, we establish the following: (1) that these alternative oracles respond with \(\bot \) if and only if the query was a bad query as identified above; and (2) that on non-bad queries these alternative oracles give the same response as do the normal oracles.
Properties of CSL Decryption The CSL auxiliary encryption scheme is clearly malleable, being a simple variant of the ElGamal scheme. However, we show that it is malleable only in the following restricted sense. Even when the plaintext of a CSL ciphertext is information-theoretically hidden (i.e., distributed independently of one’s view), it is possible to determine the relationship between two ciphertexts using an exponential-time procedure. This limitation on CSL’s malleability turns out to be crucial in our analysis of the main scheme.
In the next two lemmas, let \(U ^*\) be the CSL ciphertext that was generated in response to a \({{\textsc {challenge}}}\) query in Hybrid 1, using \({{\textsf {AltMEnc}}}\) on input \(u ^*\).
Lemma 6.8
Fix a CSL public key \((\widehat{g} _{1},\widehat{g} _{2},A,B)\) and challenge ciphertext \(U ^* = (V_{1} ^*,V_{2} ^*,A_V ^*,B_V ^*)\), and let \(U = (V_{1},V_{2},A_V,B_V)\) be an additional given CSL ciphertext. Then with overwhelming probability there exist values \(\pi = \pi (U)\) and \(\sigma =\sigma (U)\) such that the purported plaintext of \(U\) is \(\sigma \cdot {{\textsf {MDec}}} _{\widehat{sk}} (U ^*)^\pi \), for all private keys \({\widehat{sk}}\) consistent with the public key and with the decryption constraints of \(U ^*\).
Note that even though the “correct” value of \({{\textsf {MDec}}} _{\widehat{sk}} (U ^*)\) is distributed independently of public key and \(U ^*\), the values \(\pi \) and \(\sigma \) are nevertheless fixed.
Proof
Let \({\vec {v}} ^*\) be the strand of \(U ^*\), and let \({\vec {v}} \) be the strand of \(U\). As before, we condition on the overwhelming probability event that \(\{{\vec {1}},{\vec {v}} ^*\}\) form a basis for the space of strands. Then we may write \({\vec {v}} = \pi {\vec {v}} ^* + \epsilon {\vec {1}} \) for some unique \(\pi , \epsilon \). Set \(\sigma = A_V/ (A_V ^*)^\pi A ^\epsilon \). The purported plaintext of \(U\) is computed as follows:
$$\begin{aligned} \frac{A_V}{ V_{1} ^{a_{1}} V_{2} ^{a_{2}} } = \frac{A_V}{ \left[ (V_{1} ^*)^{a_{1}} (V_{2} ^*)^{a_{2}} \right] ^\pi \left[ \widehat{g} _{1} ^{a_{1}} \widehat{g} _{2} ^{a_{2}} \right] ^\epsilon } = \frac{A_V}{ \left[ A_V ^* / {{\textsf {MDec}}} _{\widehat{sk}} (U ^*) \right] ^\pi A ^\epsilon } = \sigma \cdot {{\textsf {MDec}}} _{\widehat{sk}} (U ^*)^\pi \end{aligned}$$
\(\square \)
Lemma 6.9
Let \(U\) be a CSL ciphertext with \(\pi \) and \(\sigma \) as above, and suppose that \({{\textsf {MDec}}} _{\widehat{sk}} (U) \ne \bot \) with noticeable probability over the choice of private keys \({\widehat{sk}}\) consistent with \({\widehat{pk}} \) and \(U ^*\). Then
$$\begin{aligned} \text{If } \pi = 0 &\text{ then } U \text{ is in the support of } {{\textsf {MEnc}}} _{\widehat{pk}} (\sigma ). \\ \text{If } \pi = 1 &\text{ then } U \text{ is in the support of } {{\textsf {MCTrans}}} (U ^*,T_\sigma ). \end{aligned}$$
Proof
As above, let \({\vec {v}} = \pi {\vec {v}} ^* + \epsilon {\vec {1}} \) be the CSL strand of \(U\), where \({\vec {v}} ^*\) is the CSL strand of \(U ^*\). Then \(\Pr [ {{\textsf {MDec}}} _{\widehat{sk}} (U) = \bot ] \in \{0,1\}\), since \({{\textsf {MDec}}} (U) \ne \bot \) if and only if \(B_V = (B_V ^*)^\pi B^\epsilon \), regardless of the private key.
If \(\pi =0\), then the strand of \(U\) is a multiple of \({\vec {1}}\), say, \({\vec {v}} = v{\vec {1}} \). Then it is straightforward to see that \(U\) decrypts to \(\sigma \) with non-negligible probability only if \(U = {{\textsf {MEnc}}} _{\widehat{pk}} (\sigma ; v)\).
If \(\pi =1\), then \({\vec {v}} = {\vec {v}} ^* + \epsilon {\vec {1}} \). Then it is straightforward to check that \(U\) decrypts to \(\sigma u ^*\) only if \(U = {{\textsf {MCTrans}}} (U ^*, T_\sigma ; \epsilon )\). \(\square \)
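As an added worked illustration of Lemmas 6.8 and 6.9 (this is not code from the paper; the CSL routines below are reconstructed from the formulas used in the two proofs, and the toy group parameters, strand values, plaintexts and function names are constructed for the example), the following Python model recovers \(\pi\), \(\epsilon\) and \(\sigma\) from \({\widehat{pk}}\), \(U ^*\) and \(U\) alone by brute-force discrete logarithm, and then checks the two lemmas against several private keys that are all consistent with the public key and with the decryption constraints of \(U ^*\). It goes slightly beyond the lemma statements by also feeding in a query with \(\pi = 2\): CSL by itself still decrypts it, which is exactly the residual malleability that the main scheme's analysis (Lemma 6.10) has to rule out.

```python
# Added illustration of Lemmas 6.8 and 6.9 on a toy model of the CSL auxiliary scheme,
# reconstructed from the formulas these proofs use (Sect. 5 holds the real definitions).
# The group is the order-Q subgroup of Z_P^*, tiny enough that strands can be read off by
# brute-force discrete logarithms, the "exponential-time procedure" of the text.
import secrets

P, Q = 2039, 1019   # constructed toy parameters: Q prime and P = 2*Q + 1 prime
G1 = 4              # quadratic residue mod P, so a generator of the order-Q subgroup

def dlog(base, target):
    """Brute-force discrete logarithm in the order-Q subgroup."""
    acc = 1
    for k in range(Q):
        if acc == target:
            return k
        acc = acc * base % P
    raise ValueError("target not in subgroup")

def keygen(rng=secrets.randbelow):
    """pk = (g1, g2, A, B) with g2 = g1^w, A = g1^a1 g2^a2, B = g1^b1 g2^b2."""
    w = 1 + rng(Q - 1)                       # w != 0, so g2 also generates the subgroup
    a1, a2, b1, b2 = (rng(Q) for _ in range(4))
    g2 = pow(G1, w, P)
    pk = (G1, g2, pow(G1, a1, P) * pow(g2, a2, P) % P, pow(G1, b1, P) * pow(g2, b2, P) % P)
    return pk, (w, a1, a2, b1, b2)

def menc(pk, m, v):
    """MEnc_pk(m; v): strand v*(1,1)."""
    g1, g2, A, B = pk
    return (pow(g1, v, P), pow(g2, v, P), m * pow(A, v, P) % P, pow(B, v, P))

def mix(pk, U, pi, eps, sigma):
    """Ciphertext with strand pi*strand(U) + eps*(1,1) and plaintext sigma*plaintext(U)^pi.
    pi = 1 is MCTrans(U, T_sigma; eps); other pi are what CSL's malleability also allows."""
    g1, g2, A, B = pk
    V1, V2, AV, BV = U
    return (pow(V1, pi, P) * pow(g1, eps, P) % P, pow(V2, pi, P) * pow(g2, eps, P) % P,
            sigma * pow(AV, pi, P) * pow(A, eps, P) % P, pow(BV, pi, P) * pow(B, eps, P) % P)

def mctrans(pk, U, sigma, eps):
    return mix(pk, U, 1, eps, sigma)

def alt_menc(pk, sk, u, strand):
    """AltMEnc: ciphertext with an off-diagonal strand, formed with the secret key."""
    g1, g2, _, _ = pk
    _, a1, a2, b1, b2 = sk
    V1, V2 = pow(g1, strand[0], P), pow(g2, strand[1], P)
    return (V1, V2, u * pow(V1, a1, P) * pow(V2, a2, P) % P, pow(V1, b1, P) * pow(V2, b2, P) % P)

def purported(sk, U):
    """A_V / (V1^a1 V2^a2): the purported plaintext, ignoring the B-constraint."""
    _, a1, a2, _, _ = sk
    V1, V2, AV, _ = U
    return AV * pow(pow(V1, a1, P) * pow(V2, a2, P) % P, -1, P) % P

def mdec(sk, U):
    """MDec_sk: None (bot) when B_V != V1^b1 V2^b2, else the purported plaintext."""
    _, _, _, b1, b2 = sk
    V1, V2, _, BV = U
    return None if BV != pow(V1, b1, P) * pow(V2, b2, P) % P else purported(sk, U)

def relate(pk, U_star, U):
    """Lemma 6.8: from pk, U* and U alone, find (pi, eps, sigma) such that
    strand(U) = pi*strand(U*) + eps*(1,1) and purported(U) = sigma * purported(U*)^pi."""
    g1, g2, A, _ = pk
    v1s, v2s = dlog(g1, U_star[0]), dlog(g2, U_star[1])
    v1, v2 = dlog(g1, U[0]), dlog(g2, U[1])
    pi = (v1 - v2) * pow((v1s - v2s) % Q, -1, Q) % Q   # needs v1s != v2s: {(1,1), v*} a basis
    eps = (v1 - pi * v1s) % Q
    sigma = U[2] * pow(pow(U_star[2], pi, P) * pow(A, eps, P) % P, -1, P) % P
    return pi, eps, sigma

def consistent_keys(sk, n):
    """n private keys agreeing with sk on B and on A (A pins down only a1 + w*a2)."""
    w, a1, a2, b1, b2 = sk
    a_line = (a1 + w * a2) % Q
    return [(w, (a_line - w * a2p) % Q, a2p, b1, b2) for a2p in ((a2 + i) % Q for i in range(1, n + 1))]

def check_lemmas(pk, sk, U_star, U):
    """Evaluate Lemmas 6.8 and 6.9 for query U against challenge U*."""
    pi, eps, sigma = relate(pk, U_star, U)
    keys = consistent_keys(sk, 8)
    return {
        "pi": pi, "sigma": sigma,
        # u* differs from key to key (it is hidden), yet pi and sigma are fixed.
        "u_star_hidden": len({purported(k, U_star) for k in keys}) > 1,
        "lemma_6_8": all(purported(k, U) == sigma * pow(purported(k, U_star), pi, P) % P for k in keys),
        # Lemma 6.9, first step: validity is decided by B_V == (B_V*)^pi * B^eps, key-free.
        "validity_public": (U[3] == pow(U_star[3], pi, P) * pow(pk[3], eps, P) % P) == (mdec(sk, U) is not None),
        "support": ("MEnc" if pi == 0 and U == menc(pk, sigma, eps) else
                    "MCTrans" if pi == 1 and U == mctrans(pk, U_star, sigma, eps) else None),
    }

def demo():
    """Three constructed queries: a fresh encryption (pi=0), an honest transformation
    (pi=1) and a "squared" ciphertext (pi=2) that CSL alone still decrypts; the last is
    exactly the malleability Lemma 6.10 has to rule out for the main scheme."""
    pk, sk = keygen()
    U_star = alt_menc(pk, sk, pow(G1, 123, P), (5, 9))   # u* = g1^123, strand (5,9)
    sigma = pow(G1, 31, P)
    queries = {"fresh": menc(pk, sigma, 42), "transformed": mctrans(pk, U_star, sigma, 42),
               "squared": mix(pk, U_star, 2, 17, sigma)}
    return {name: check_lemmas(pk, sk, U_star, U) for name, U in queries.items()}
```

Running `demo()` reports, for each query, the recovered \(\pi\) and \(\sigma\), that the relation of Lemma 6.8 holds under every sampled key even though the purported plaintext of \(U ^*\) itself changes from key to key, that validity is decided by the public relation \(B_V = (B_V ^*)^\pi B^\epsilon\), and which support case of Lemma 6.9 applies. The sampled keys are all points on the line \(a_1 + w a_2 = \text{const}\) fixed by \(A\), which is precisely the freedom the public key leaves in the \((a_1, a_2)\) part of \({\widehat{sk}}\).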
Classifying Bad Queries All of the oracles whose behavior is different between Hybrids 1 and 2 involve calls to \({{\textsf {Integrity}}} _{sk} \) to check certain decryption constraints. We extend the definition of bad queries to these calls to \({{\textsf {Integrity}}}\). A pair \((\zeta ,\mu )\) is integrity-bad if, with overwhelming probability over the choice of private keys consistent with the public key and challenge ciphertext, \({{\textsf {Integrity}}} _{sk} (\zeta , {{\textsf {MDec}}} _{\widehat{sk}} (U), \mu ) = 0\), where \(U\) is the CSL ciphertext contained in \(\zeta \). For convenience of notation, we assume \({{\textsf {Integrity}}} _{sk} (\zeta ,\bot ,\mu ) = 0\).
Throughout this section, we use the following standard notation to refer to the public key and ciphertexts being considered:
- \({pk} = (g _{1},\ldots , g _{4},C _1, \ldots , C _n,D,E)\) is the public key.
- \({\zeta ^*} = ({\vec {X}} ^*, {\vec {C}} _X ^*, P_{X} ^*; {\vec {Y}} ^*, {\vec {C}} _Y ^*, P_{Y} ^*; U ^*)\) is the challenge ciphertext generated using \({{\textsf {AltGenCiph}}}\), with random choice of \(\mu ^*\).
- \(\zeta = ({\vec {X}}, {\vec {C}} _X, P_{X}; {\vec {Y}}, {\vec {C}} _Y, P_{Y}; U)\) is a purported ciphertext given as a query to an oracle.
Lemma 6.10
A pair \((\zeta ,\mu )\) is integrity-bad unless there exists \(\sigma \in \widehat{{\mathbb {G}}} \) such that one of the following cases holds:
1. \(U \) is in the support of \({{\textsf {MEnc}}} _{\widehat{pk}} (\sigma )\); and there exists \(x \in {\mathbb {Z}}_p, y \in {\mathbb {Z}}^*_p \) such that \(X_{j} = g_{j} ^{ (x+z_{j}) \sigma }\) and \(Y_{j} = g_{j} ^{y\sigma }\), for \(j = 1, \ldots , 4\) (similar to ciphertexts generated by \({{\textsf {GenCiph}}}\)).
2. \(U \) is in the support of \({{\textsf {MCTrans}}} (U ^*, T_\sigma )\); and there exists \(s \in {\mathbb {Z}}_p, t \in {\mathbb {Z}}^*_p \) such that \(X_{j} = (X_{j} ^* (Y_{j} ^*)^s)^\sigma \) and \(Y_{j} = (Y_{j} ^*)^{t\sigma }\), for \(j = 1, \ldots , 4\); and \(\mu = \mu ^*\) (similar to ciphertexts generated by applying \({{\textsf {CTrans}}}\) to \({\zeta ^*}\)).
Note that all of the relationships listed in Lemma 6.10 refer to components of \({pk} \), \({\zeta ^*}\), and \(\zeta \). These values are well defined from the point of view of the adversary. In particular, there is no reference to values like \(u ^*\) or \(\mu ^*\), which are distributed independently of the adversary’s view.
Proof
The random choice of \(u ^*\) used to generate \({\zeta ^*}\) is independent of the adversary’s view (Lemma 6.7). However, \(u ^*\) is related to the fixed values \({\vec {X}} ^*\) and \({\vec {Y}} ^*\) via \(X_{j} ^* = g_{j} ^{(x_{j} ^* + z_{j})u ^*}\) and \(Y_{j} ^* = g_{j} ^{y_{j} ^*u ^*}\), where \({\vec {x}} ^*\) and \({\vec {y}} ^*\) are the (unknown) strands of \({\zeta ^*}\).
Similarly, when submitting a ciphertext \(\zeta \) to an oracle, the adversary supplies the fixed components \(U\), \({\vec {X}} \), and \({\vec {Y}} \). The CSL component \(U\) encodes a value \(u \) which is related to \(u ^*\) as \(u = \sigma (u ^*)^\pi \) for some \(\sigma \) and \(\pi \). As before, although \(u ^*\) (and perhaps subsequently \(u \)) may be distributed independently of the adversary’s view, the relationship between them—namely, \(\sigma \) and \(\pi \)—is well defined given the adversary’s view. Furthermore, the strands of \(\zeta \) are \({\vec {x}} \) and \({\vec {y}} \), which are related to the fixed values \({\vec {X}}\) and \({\vec {Y}}\) via \(X_{j} = g_{j} ^{(x _j+z_j)(\sigma (u ^*)^\pi )}\) and \(Y_{j} = g_{j} ^{y _j(\sigma (u ^*)^\pi )}\).
Thus each of the vectors \(({\vec {x}} ^*+{\vec {z}})u ^*\), \({\vec {y}} ^*u ^*\), \(({\vec {x}} +{\vec {z}})(\sigma (u ^*)^\pi )\), and \({\vec {y}} (\sigma (u ^*)^\pi )\) is well defined given \({pk}, {\zeta ^*}, \zeta \). With overwhelming probability in the Hybrid 1 experiment, the fixed vectors \(\{ ({\vec {x}} ^*+{\vec {z}})u ^*, {\vec {y}} ^*u ^*, {\vec {z}}, {\vec {1}} \}\) are a basis for the space of all strands. We condition on this event, and then we can write the fixed vectors \(({\vec {x}} +{\vec {z}})u \) and \({\vec {y}} u \) in terms of this basis as follows:
$$\begin{aligned} ({\vec {x}} + {\vec {z}})(\sigma (u ^*)^\pi )&= \alpha \Big (({\vec {x}} ^*+{\vec {z}})u ^*\Big ) + \beta ({\vec {y}} ^*u ^*) + \gamma {\vec {1}} + \delta {\vec {z}} \\ {\vec {y}} (\sigma (u ^*)^\pi )&= \alpha '\Big (({\vec {x}} ^*+{\vec {z}})u ^*\Big ) + \beta '({\vec {y}} ^*u ^*) + \gamma ' {\vec {1}} + \delta ' {\vec {z}} \end{aligned}$$
We have simply expressed fixed vectors in terms of a basis of four fixed vectors, so the coefficients of these linear combinations are also fixed given \({pk}\), \(\zeta \), and \({\zeta ^*}\). Solving explicitly for \({\vec {x}}\) and \({\vec {y}}\) in terms of the alternative basis \(\{{\vec {1}},{\vec {x}} ^*,{\vec {y}} ^*,{\vec {z}} \}\), we then have:
$$\begin{aligned} {\vec {x}}&= \frac{\gamma }{\sigma (u ^*)^\pi } {\vec {1}} + \frac{\alpha }{\sigma (u ^*)^{\pi -1}} {\vec {x}} ^* + \frac{\beta }{\sigma (u ^*)^{\pi -1}} {\vec {y}} ^* + \left( \frac{\alpha }{\sigma (u ^*)^{\pi -1}} + \frac{\delta }{\sigma (u ^*)^\pi } -1 \right) {\vec {z}} \nonumber \\ {\vec {y}}&= \frac{\gamma '}{\sigma (u ^*)^\pi } {\vec {1}} + \frac{\alpha '}{\sigma (u ^*)^{\pi -1}} {\vec {x}} ^* + \frac{\beta '}{\sigma (u ^*)^{\pi -1}} {\vec {y}} ^* + \left( \frac{\alpha '}{\sigma (u ^*)^{\pi -1}} + \frac{\delta '}{\sigma (u ^*)^\pi } \right) {\vec {z}} \end{aligned}$$
(6.4)
In summary, it would be convenient to characterize bad queries in terms of their strands. But a query \(\zeta \) may be derived in some arbitrary way from \({\zeta ^*}\), whose strands are (to some degree) information-theoretically hidden. Still, the relationship between the strands of \(\zeta \) and \({\zeta ^*}\) is well defined (given the adversary’s view) and can be uniquely described by the ten parameters \(\sigma \), \(\pi \), \(\alpha \), \(\beta \), \(\gamma \), \(\delta \), \(\alpha '\), \(\beta '\), \(\gamma '\), and \(\delta '\) described above. Our analysis proceeds by showing that only very specific settings of these ten parameters can lead to \(\zeta \) being a non-bad query. Any ciphertext \(\zeta \) of the wrong form will fail one of its decryption constraints with overwhelming probability over the independent randomness in the private key.
The relevant constraints and linear dependence. Hereafter, we will assume that all of the decryption constraints on \(\zeta \) are satisfied with non-negligible probability and use this fact to deduce that \(\zeta \) must have one of the two desired forms.
The most relevant decryption constraints are the following, which involve the \(P_{X}\) and \(P_{Y}\) components of the ciphertext:
$$\begin{aligned} \begin{bmatrix} {\vec {x}}&\mu {\vec {x}} \\ {\vec {y}}&\mu {\vec {y}} \end{bmatrix} \begin{bmatrix} G \\&G \end{bmatrix} \begin{bmatrix} {\vec {d}} ^\top \\ {\vec {e}} ^\top \end{bmatrix} \overset{\scriptstyle {\text {?}}}{=} \begin{bmatrix} \log P_{X} \\ \log P_{Y} \end{bmatrix} \end{aligned}$$
(6.5)
These constraints involve the \({\vec {d}}\) and \({\vec {e}}\) components of the private key, which, from the adversary’s view, are constrained by the public key and challenge ciphertext \({\zeta ^*}\) as follows:
$$\begin{aligned} \begin{bmatrix} {\vec {1}} \\&{\vec {1}} \\ {\vec {x}} ^*&\mu ^* {\vec {x}} ^* \\ {\vec {y}} ^*&\mu ^* {\vec {y}} ^* \end{bmatrix} \begin{bmatrix} G \\&G \end{bmatrix} \begin{bmatrix} {\vec {d}} ^\top \\ {\vec {e}} ^\top \end{bmatrix} = \begin{bmatrix} \log D \\ \log E \\ \log P_{X} ^* \\ \log P_{Y} ^* \end{bmatrix} \end{aligned}$$
(6.6)
In order for Eq. (6.5) to be satisfied with non-negligible probability, the following conditions must hold:
-
First, the two constraints in Eq. (6.5) must be linear combinations of the public constraints in Eq. (6.6). As described above, a linearly independent decryption constraint can only be satisfied with negligible probability, since the “correct” value of the left-hand side will be randomly distributed, while the ciphertext provides a fixed value for the right-hand side. The constraint would only hold with negligible probability.
-
Not only must the constraints of Eq. (6.5) be linearly dependent on those of Eq. (6.6), but the coefficients of this linear dependence must be well defined from the adversary’s view. Recall that the value \(u ^*\) is distributed independently of the adversary’s view. So if a constraint was linearly dependent on the equations in Eq. (6.6), but one of the coefficients of that dependence was, say, \(u ^*\), then the new decryption constraint could not hold with non-negligible probability. In this case, there would be a different “correct” value of the constraint on the left-hand side for each different choice of \(u ^* \in \widehat{{\mathbb {G}}} \). Again, the right-hand side of the constraint would be fixed with respect to \(u ^*\), and equality could only happen with negligible (\(1/|\widehat{{\mathbb {G}}} |\)) probability.
In short, \([{\vec {x}}\ \mu {\vec {x}} ]\) and \([{\vec {y}}\ \mu {\vec {y}} ]\) must be fixed linear combinations of \(\{ [{\vec {1}}\ \vec {0}], [\vec {0}\ {\vec {1}} ], [{\vec {x}} ^*\ \mu ^*{\vec {x}} ^*], [{\vec {y}} ^*\ \mu ^*{\vec {y}} ^*]\}\). If we substitute for \({\vec {x}}\) and \({\vec {y}}\) according to the relationships in Eq. (6.4), we have that the following expressions must be fixed linear combinations of \(\{ [{\vec {1}}\ \vec {0}], [\vec {0}\ {\vec {1}} ], [{\vec {x}} ^*\ \mu ^*{\vec {x}} ^*], [{\vec {y}} ^*\ \mu ^*{\vec {y}} ^*]\}\):
$$\begin{aligned}{}[{\vec {x}}\ \mu {\vec {x}} ]&= \frac{\gamma }{\sigma (u ^*)^\pi } [{\vec {1}}\ \mu {\vec {1}} ] + \frac{1}{\sigma (u ^*)^{\pi -1}} \Big ( \alpha [{\vec {x}} ^* \ \mu {\vec {x}} ^*] + \beta [{\vec {y}} ^*\ \mu {\vec {y}} ^*] \Big ) \nonumber \\&\quad + \left( \frac{\alpha u ^* + \delta }{\sigma (u ^*)^\pi } - 1 \right) [{\vec {z}}\ \mu {\vec {z}} ] \nonumber \\ [{\vec {y}}\ \mu {\vec {y}} ]&= \frac{\gamma '}{\sigma (u ^*)^\pi } [{\vec {1}}\ \mu {\vec {1}} ] + \frac{1}{\sigma (u ^*)^{\pi -1}} \Big ( \alpha ' [{\vec {x}} ^* \ \mu {\vec {x}} ^*] + \beta ' [{\vec {y}} ^*\ \mu {\vec {y}} ^*] \Big ) + \frac{\alpha ' u ^* + \delta '}{\sigma (u ^*)^\pi } [{\vec {z}}\ \mu {\vec {z}} ] \end{aligned}$$
(6.7)
In particular, these expressions must be linear combinations whose coefficients are fixed over the random choice of \(u ^*\).
We now break down the analysis of these constraints according to the value of \(\pi \).
The case of \(\pi =0\). In this case, if the CSL component \(U\) is to be decrypted successfully, then \(U\) must be in the support of \({{\textsf {MEnc}}} _{{\widehat{pk}}}(\sigma )\), from Lemma 6.9.
Substituting \(\pi =0\) in Eq. (6.7) leaves the following expression:
$$\begin{aligned}{}[{\vec {x}}\ \mu {\vec {x}} ]&= \frac{\gamma }{\sigma } [{\vec {1}}\ \mu {\vec {1}} ] + \frac{u ^*}{\sigma } \Big ( \alpha [{\vec {x}} ^* \ \mu {\vec {x}} ^*] + \beta [{\vec {y}} ^*\ \mu {\vec {y}} ^*] \Big ) + \left( \frac{\alpha u ^* + \delta }{\sigma } - 1 \right) [{\vec {z}}\ \mu {\vec {z}} ] \\ [{\vec {y}}\ \mu {\vec {y}} ]&= \frac{\gamma '}{\sigma } [{\vec {1}}\ \mu {\vec {1}} ] + \frac{u ^*}{\sigma } \Big ( \alpha ' [{\vec {x}} ^* \ \mu {\vec {x}} ^*] + \beta ' [{\vec {y}} ^*\ \mu {\vec {y}} ^*] \Big ) + \left( \frac{\alpha ' u ^* + \delta '}{\sigma } \right) [{\vec {z}}\ \mu {\vec {z}} ] \end{aligned}$$
Again, this expression must be a fixed linear combination of \(\{ [{\vec {1}}\ \vec {0}], [\vec {0}\ {\vec {1}} ], [{\vec {x}} ^*\ \mu ^*{\vec {x}} ^*], [{\vec {y}} ^*\ \mu ^*{\vec {y}} ^*]\}\). However, \([{\vec {z}}\ \mu {\vec {z}} ]\) is linearly independent of the required set, so the coefficients of \([{\vec {z}}\ \mu {\vec {z}} ]\) in the above expression must be zero with non-negligible probability over the choice of \(u ^*\). This is only possible when \(\alpha = \alpha ' = \delta ' = 0\) and \(\delta =\sigma \). Furthermore, the other coefficients in which \(u ^*\) appears must be fixed with non-negligible probability over the choice of \(u ^*\). This is only possible when further \(\beta =\beta '=0\). Then we must have \(\gamma ' \ne 0\), since otherwise \({\vec {y}} \) is the all-zeroes vector and the ciphertext is rejected outright.
Substituting these values, we have that \({\vec {x}} = (\gamma /\sigma ){\vec {1}} \) for some \(\gamma \), and \({\vec {y}} = (\gamma '/\sigma ){\vec {1}} \) for some \(\gamma ' \ne 0\). In terms of the original values from the ciphertext, this implies that there exists a fixed \(x \in {\mathbb {Z}}_p \) and \(y\in {\mathbb {Z}}^*_p \) such that \(X_{j} = g_{j} ^{ (x+z_{j})\sigma }\) and \(Y_{j} = g_{j} ^{ y\sigma }\) for all \(j\). In addition, we have shown that \(U\) is in the support of \({{\textsf {MEnc}}} _{\widehat{pk}} (\sigma )\). This is the first desired case from the lemma statement.
The case of \(\pi =1\). In this case, if the CSL component \(U\) is to be decrypted successfully, then \(U\) must be in the support of \({{\textsf {MCTrans}}} _{{\widehat{pk}}}(U ^*, T_\sigma )\), from Lemma 6.9.
Substituting \(\pi =1\) in Eq. (6.7) leaves the following expression:
$$\begin{aligned}{}[{\vec {x}}\ \mu {\vec {x}} ]&= \frac{\gamma }{\sigma u ^*} [{\vec {1}}\ \mu {\vec {1}} ] + \frac{1}{\sigma } \Big ( \alpha [{\vec {x}} ^* \ \mu {\vec {x}} ^*] + \beta [{\vec {y}} ^*\ \mu {\vec {y}} ^*] \Big ) + \left( \frac{\alpha u ^* + \delta }{\sigma u ^*} - 1 \right) [{\vec {z}}\ \mu {\vec {z}} ] \\ [{\vec {y}}\ \mu {\vec {y}} ]&= \frac{\gamma '}{\sigma u ^*} [{\vec {1}}\ \mu {\vec {1}} ] + \frac{1}{\sigma } \Big ( \alpha ' [{\vec {x}} ^* \ \mu {\vec {x}} ^*] + \beta ' [{\vec {y}} ^*\ \mu {\vec {y}} ^*] \Big ) + \frac{\alpha ' u ^* + \delta ' }{\sigma u ^*} [{\vec {z}}\ \mu {\vec {z}} ] \end{aligned}$$
As in the previous case, the coefficients of \([{\vec {z}}\ \mu {\vec {z}} ]\) must be zero with non-negligible probability over the choice of \(u ^*\). This is only possible when \(\alpha ' = \delta = \delta '=0\) and \(\alpha =\sigma \). Then, the other coefficients in which \(u ^*\) appears must be fixed with non-negligible probability over the choice of \(u ^*\). This is only possible when further \(\gamma =\gamma ' = 0\). Then we must have \(\beta ' \ne 0\), since otherwise \({\vec {y}} \) is the all-zeroes vector and the ciphertext is rejected outright. Since \(\beta '\) is nonzero, we must have that \(\mu = \mu ^*\); otherwise \([{\vec {y}}\ \mu {\vec {y}} ] = (\beta '/\sigma )[{\vec {y}} ^*\ \mu {\vec {y}} ^*]\) would be linearly independent of the allowed basis vectors.
Substituting these values, we have that \({\vec {x}} = {\vec {x}} ^* + (\beta /\sigma ){\vec {y}} ^*\) for some \(\beta \), and \({\vec {y}} = (\beta '/\sigma ){\vec {y}} ^*\) for some \(\beta ' \ne 0\). In terms of the original values from the ciphertext, this implies that there exists a fixed \(s \in {\mathbb {Z}}_p \) and \(t\in {\mathbb {Z}}^*_p \) such that \(X_{j} = (X_{j} ^*(Y_{j} ^*)^s)^\sigma \) and \(Y_{j} = (Y_{j} ^*)^{t\sigma }\) for all \(j\). In addition, we have shown that \(\mu = \mu ^*\) and that \(U\) is in the support of \({{\textsf {MCTrans}}} _{{\widehat{pk}}}(U ^*, T_\sigma )\). This is the second desired case from the lemma statement.
The case of \(\pi \not \in \{0,1\}\). We have assumed that the ciphertext satisfies its decryption constraints with non-negligible probability, so it suffices to show a contradiction. This would prove that all oracle queries having \(\pi \not \in \{0,1\}\) are in fact bad queries. We now establish the desired contradiction, after conditioning the entire Hybrid 1 HCCA experiment on an overwhelming-probability event.
First, recall the expressions in Eq. (6.7), in particular the expression for \([{\vec {y}}\ \mu {\vec {y}} ]\). By the same reasoning as in the previous two cases, we must have \(\alpha '=\delta '=0\) so that the coefficient of \([{\vec {z}}\ \mu {\vec {z}} ]\) is zero. Suppose \(\mu \ne \mu ^*\). Then \([{\vec {y}} ^*\ \mu {\vec {y}} ^*]\) in the expression in Eq. (6.7) is linearly independent of the allowed basis for this expression. Thus the coefficient of \([{\vec {y}} ^*\ \mu {\vec {y}} ^*]\) in the expression must be zero, which is only possible when \(\beta '=0\). Then since \((u ^*)^\pi \) is uniformly distributed in \(\widehat{{\mathbb {G}}}\), we must have \(\gamma ' = 0\) to fix the remaining coefficient in the expression. But then, \({\vec {y}} \) is the all-zeroes vector and the ciphertext is rejected outright.
Therefore we must have \(\alpha '=\delta '=0\) as well as \(\mu = \mu ^*\). We now consider the decryption constraints on \(P_{Y}\) and \(C_{Y,1}\), which are as follows (substituting for \({\vec {y}} \) given that \(\alpha '=\delta '=0\)):
$$\begin{aligned} \begin{bmatrix} \log C_{Y,1} \\ \log P_{Y} \end{bmatrix}&\overset{\scriptstyle {\text {?}}}{=} \begin{bmatrix} {\vec {y}} \\&{\vec {y}}&\mu {\vec {y}} \end{bmatrix} \begin{bmatrix} G \\&G \\&G \end{bmatrix} \begin{bmatrix} {\vec {c}} _1^\top \\ {\vec {d}} ^\top \\ {\vec {e}} ^\top \end{bmatrix} \\&= \begin{bmatrix} \frac{\gamma '}{\sigma (u ^*)^\pi }&0&\frac{\beta '}{\sigma (u ^*)^{\pi -1}}&0 \\ 0&\frac{\gamma '}{\sigma (u ^*)^\pi }&0&\frac{\beta '}{\sigma (u ^*)^{\pi -1}} \end{bmatrix} \begin{bmatrix} {\vec {1}} \\&{\vec {1}}&\mu ^* {\vec {1}} \\ {\vec {y}} ^* \\&{\vec {y}} ^*&\mu ^* {\vec {y}} ^* \end{bmatrix} \begin{bmatrix} G \\&G \\&G \end{bmatrix} \begin{bmatrix} {\vec {c}} _1^\top \\ {\vec {d}} ^\top \\ {\vec {e}} ^\top \end{bmatrix} \\&= \begin{bmatrix} \frac{\gamma '}{\sigma (u ^*)^\pi }&0&\frac{\beta '}{\sigma (u ^*)^{\pi -1}}&0 \\ 0&\frac{\gamma '}{\sigma (u ^*)^\pi }&0&\frac{\beta '}{\sigma (u ^*)^{\pi -1}} \end{bmatrix} \begin{bmatrix} \log C _1 \\ \log (D E ^{\mu ^*}) \\ \log C_{Y,1} ^* \\ \log P_{Y} ^* \end{bmatrix} \end{aligned}$$
We can simplify these constraints and write them as follows:
$$\begin{aligned} \begin{array}{rrr} (\sigma \log P_{Y})(u ^*)^\pi &{} {} - (\beta '\sigma \log P_{Y} ^*)u ^* &{} {} - (\gamma ' \log (D E ^{\mu ^*})) = 0 \\ (\sigma \log C_{Y,1})(u ^*)^\pi &{} {} - (\beta '\sigma \log C_{Y,1} ^*)u ^* &{} {} - (\gamma ' \log C _1) = 0 \end{array} \end{aligned}$$
Note that these are polynomials in \(u ^*\) of degree \(\pi \), whose coefficients are fixed. No terms collect together, as \(\pi \not \in \{0,1\}\). We are assuming that these two polynomials in \(u ^*\) are simultaneously satisfied with non-negligible probability. However, this assumption results in a contradiction, after conditioning the entire interaction on an overwhelming-probability event:
-
If one of the polynomials is not identically zero but has some coefficient equal to zero, then that polynomial is equivalent to (i.e., has the same roots as) an affine function of one of the terms \(\{ u ^*, (u ^*)^\pi , (u ^*)^{\pi -1}\}\), with otherwise fixed coefficients. Since \(u ^*\) is uniform in \(\widehat{{\mathbb {G}}}\), each of \(\{ u ^*, (u ^*)^\pi , (u ^*)^{\pi -1}\}\) is also distributed uniformly (though their joint distribution is not uniform). We have an affine function of one term, which is uniformly distributed, so the equation is satisfied with only negligible probability.
-
If neither polynomial has a zero coefficient, and the two polynomials are not scalar multiples of each other, then some linear combination of the constraints is an affine function in one of the terms \(\{ u ^*, (u ^*)^\pi \}\), otherwise with fixed coefficients. Whenever the two original polynomial equations are simultaneously satisfied, this linear combination of the two is also satisfied. For the same reason as the previous case, however, this affine function can only be satisfied with negligible probability.
-
If neither polynomial has a zero coefficient, and the two polynomials are scalar multiples of each other, then their pairs of corresponding coefficients have the same ratios. In particular, we have the following equality (after cancelation):
$$\begin{aligned} \frac{\log (D E ^{\mu ^*})}{\log C _1} = \frac{\log P_{Y} ^*}{\log C_{Y,1} ^*} \end{aligned}$$
The challenge ciphertext (including the components \(P_{Y} ^*\) and \(C_{Y,1} ^*\)) is generated after \(C _1\), \(D \), \(E \), and \(\mu ^*\) are fixed. Thus it is only with negligible probability over the randomness of \({{\textsf {AltGenCiph}}}\) that \(C_{Y,1} ^*\) and \(P_{Y} ^*\) satisfy this condition. We therefore condition the entire HCCA experiment on this event not happening.
-
The only other remaining case is that one polynomial is identically zero. Since \(\sigma \ne 0\) (it is from \(\widehat{{\mathbb {G}}} \), a subgroup of \({\mathbb {Z}}^*_p \)), we must have either \(P_{Y}\) or \(C_{Y,1}\) equal to zero. It is straightforward to see that either of these events happens only with negligible probability over the randomness of the key generation. We therefore condition the entire HCCA experiment on this event not happening.
We have reached a contradiction by assuming that a ciphertext with parameter \(\pi \not \in \{0,1\}\) satisfies its decryption constraints with non-negligible probability. Thus ciphertexts with this property are always bad queries to \({{\textsf {Integrity}}}\). \(\square \)
We now use this characterization of integrity-bad values to show that the alternate oracles in Hybrid 2 give responses that are consistent with the normal oracles in Hybrid 1.
Lemma 6.11
Let \({\mathcal {E}} \) denote our main construction. For every non-uniform PPT adversary \({{\mathcal {A}}}\) and \(b \in \{0,1\}\), we have (unconditionally):
$$\begin{aligned} \Pr [ {{\mathcal {A}}} ^{\widehat{{\mathcal {O}}}^{{\textsf {hyb-1}}}_{\lambda ,b}}(1^\lambda ) = 1 ] \approx \Pr [ {{\mathcal {A}}} ^{\widehat{{\mathcal {O}}}^{{\textsf {hyb-2}}}_{\lambda ,b}}(1^\lambda ) = 1 ]. \end{aligned}$$
Proof
We prove the claim by showing that the oracle responses in Hybrid 2 match those of Hybrid 1, with overwhelming probability. More specifically, we will establish two claims about Hybrid 2:
-
The alternative oracles (\({{\textsc {dec}}}\) and \({{\textsc {rigextract}}}\)) return \(\bot \) if and only if the query was a bad query, or some other negligible-probability event happens (i.e., the adversary has solved discrete logarithm or found a hash collision).
-
For non-bad queries, the alternative oracles’ responses match those of Hybrid 1.
Hence, the two hybrids agree on responses to non-bad oracle queries. For bad oracle queries, we point out that the alternative oracles in Hybrid 2 do not use the secret key at all. So the adversary’s view contains no information about the secret key beyond public information \({pk} \) and \({\zeta ^*} \). Bad queries are defined as queries to which \(\bot \) is the correct answer, with overwhelming probability over the secret key conditioned on \({pk} \) and \({\zeta ^*} \). This describes the situation now in Hybrid 2, and so we get that oracle answers to bad queries are consistent with Hybrid 1 with overwhelming probability.
We proceed by considering a non-bad query. The alternative oracles that we consider (\({{\textsc {dec}}}\) and \({{\textsc {rigextract}}}\)) both invoke the \({{\textsf {Integrity}}}\) subroutine (\({{\textsf {Integrity}}}\) may be called twice while servicing a \({{\textsc {dec}}}\) query: once from \({{\textsf {Dec}}}\) and once from \({{\textsf {RigExtract}}}\)). Assuming the initial oracle query is non-bad, each call to \({{\textsf {Integrity}}}\) must involve a \((\zeta , \mu )\) pair which is not integrity-bad. So we may apply the characterization of Lemma 6.10 with respect to the queried ciphertexts.
We establish the above claims about Hybrid 2, considering three cases of queries:
\({{\textsc {dec}}}\) queries when \(b=0\). In this case, the challenge ciphertext \({\zeta ^*}\) was generated using \({{\textsf {AltGenCiph}}} _{sk} ( (m^*_1, \ldots , m^*_n), \mu ^*)\), where \({{\textsf {msg}} ^*} = (m^*_1, \ldots , m^*_n)\) is the plaintext given by the adversary in its \({{\textsc {challenge}}}\) query, and \(\mu ^* = {\textsf {H}} ( {{\textsf {canonize}}} (m^*_1, \ldots , m^*_n))\).
In Hybrid 1, these queries are answered using the standard \({{\textsf {Dec}}}\) oracle. On input query \(\zeta \), it computes the purported plaintext \((m_1, \ldots , m_n)\) and calls \({{\textsf {Integrity}}}\) using the value \(\mu = {\textsf {H}} ({{\textsf {canonize}}} (m_1, \ldots , m_n))\). By our assumption, \((\zeta ,\mu )\) is not integrity-bad. As such, it satisfies either case 1 or case 2 of Lemma 6.10:
-
In case 1, the \({\vec {X}}\), \({\vec {Y}}\), and \(U\) components of \(\zeta \) are as they would be if generated by \({{\textsf {Enc}}} _{pk} (\cdot )\). It is straightforward to verify that the remaining components of \(\zeta \) lead to a purported plaintext \((m_1, \ldots , m_n)\) and satisfied integrity constraints with \(\mu = {\textsf {H}} ({{\textsf {canonize}}} (m_1, \ldots , m_n))\) if and only if \(\zeta \) is in the support of \({{\textsf {Enc}}} _{pk} (m_1, \ldots , m_n)\). The oracle’s response in this case is \((m_1, \ldots , m_n)\).
-
In case 2, the \({\vec {X}}\), \({\vec {Y}}\), and \(U\) components of \(\zeta \) are as they would be if generated by \({{\textsf {CTrans}}} _{pk} ({\zeta ^*},\cdot )\). In case 2, we must also have \(\mu = \mu ^*\). By the collision resistance of \({\textsf {H}}\), this implies \({{\textsf {canonize}}} (m_1, \ldots , m_n) = {{\textsf {canonize}}} (m^*_1, \ldots , m^*_n)\) with overwhelming probability; that is, \({\vec {\tau }} = (m^*_1,\ldots , m^*_n) * (m_1, \ldots , m_n)^{-1} \in {\mathbb {H}} \) so \(T_{\vec {\tau }} \) is an allowed transformation. Then the \({\vec {C}} _X\) components are as they would be if generated by \({{\textsf {CTrans}}} _{pk} ({\zeta ^*}, T_{\vec {\tau }})\). It is straightforward to see that the remaining integrity constraints are satisfied if and only if \(\zeta \) is in the support of \({{\textsf {CTrans}}} _{pk} ({\zeta ^*}, T_{\vec {\tau }})\). The oracle’s response in this case is \({\vec {\tau }} * (m^*_1, \ldots , m^*_n)\).
Summarizing, the only non-bad queries in this case are those ciphertexts in the supports of \({{\textsf {Enc}}} _{pk} (\cdot )\) and \({{\textsf {CTrans}}} _{pk} ({\zeta ^*},\cdot )\). We see that the responses given in Hybrid 2 match those described above for queries of the specified form.
\({{\textsc {dec}}}\) queries when \(b=1\). In this case, the challenge ciphertext \({\zeta ^*} \) was generated using \({{\textsf {AltGenCiph}}} _{sk} ((1,\ldots ,1), \mu ^*)\) for a random choice of \(\mu ^*\).
In Hybrid 1, these queries are answered using a combination of \({{\textsf {RigExtract}}}\) and \({{\textsf {Dec}}}\). On input query \(\zeta \), it first calls \({{\textsf {Integrity}}}\) with value \(\mu ^*\). If this fails, then \({{\textsf {Integrity}}}\) is called with a value \(\mu \) derived from the ciphertext’s purported plaintext. Again by our assumption, one of the pairs \((\zeta , \mu ^*)\), \((\zeta , \mu )\) must not be integrity-bad, so Lemma 6.10 applies to it.
-
If \(\zeta \) satisfies case 1 of Lemma 6.10, then the ciphertext information-theoretically fixes at most one value \(\mu \) such that \({{\textsf {Integrity}}} _{sk} (\zeta ,\cdot ,\mu )\) can return 1. Since \(\mu ^*\) is distributed independently of the adversary’s view, the first call to \({{\textsf {Integrity}}}\) which uses \(\mu ^*\) will fail with overwhelming probability.
Then \({{\textsf {RigExtract}}}\) calls \({{\textsf {Dec}}}\) directly, and the analysis is identical to the previous case. We must have that \(\zeta \) is in the support of \({{\textsf {Enc}}} _{pk} (m_1, \ldots , m_n)\), and the final oracle response is \((m_1, \ldots , m_n)\).
-
If \(\zeta \) satisfies case 2 of Lemma 6.10, then indeed \((\zeta , \mu ^*)\) may not be integrity-bad. Then the \({\vec {X}}\), \({\vec {Y}}\), and \(U\) components of \(\zeta \) are as they would be if generated by \({{\textsf {CTrans}}} _{pk} ({\zeta ^*},\cdot )\). It is straightforward to verify that \({{\textsf {Integrity}}}\) succeeds only if the ciphertext components \({\vec {C}} _Y\), \(P_{X}\), and \(P_{Y}\) are further consistent with \({{\textsf {CTrans}}} _{pk} ({\zeta ^*},\cdot )\). Finally, \({{\textsf {RigExtract}}}\) verifies that the purported plaintext of \(\zeta \) is \({\vec {\tau }} \in {\mathbb {H}} \). These events happen if and only if \(\zeta \) is in the support of \({{\textsf {CTrans}}} _{pk} ({\zeta ^*},T_{\vec {\tau }})\) for \(T_{\vec {\tau }} \in {\mathcal {T}} \). In this case, the oracle response is \({\vec {\tau }} * (m^*_1, \ldots , m^*_n)\). However, if the oracle reaches the point where it passes \(\zeta \) to \({{\textsf {Dec}}}\), then the oracle will call \({{\textsf {Integrity}}}\) on a value \(\mu \) derived from the purported plaintext of \(\zeta \). As in the previous case, a ciphertext whose \({\vec {X}}\), \({\vec {Y}}\), and \(U\) components satisfy case 2 of Lemma 6.10 information-theoretically fixes a purported plaintext, and thus this value \(\mu \). Only with negligible probability will this fixed value \(\mu \) equal \(\mu ^*\), which is distributed independently of the adversary’s view. Thus the second call to \({{\textsf {Integrity}}}\) cannot succeed with more than negligible probability.
As in the \(b=0\) case, the only non-bad queries are those ciphertexts in the supports of \({{\textsf {Enc}}} _{pk} (\cdot )\) and \({{\textsf {CTrans}}} _{pk} ({\zeta ^*},\cdot )\). Again, the responses in this case match those of the Hybrid 2 oracle.
\({{\textsc {rigextract}}}\) queries: In Hybrid 1, the oracle is implemented as follows. On input \((\zeta ,\zeta ')\), it finds \((\zeta ',S)\) recorded internally, then calls \({{\textsf {RigExtract}}}\), which in turn calls \({{\textsf {Integrity}}}\) using value S. This value S was chosen at random during a previous \({{\textsc {rigenc}}}\) query. By our assumption, \((\zeta , S)\) is not integrity-bad.
-
If the query satisfies case 1 of Lemma 6.10, then by analogous reasoning as in the previous cases, \(\zeta \) must be in the support of \({{\textsf {CTrans}}} _{pk} (\zeta ', T_{\vec {\tau }})\) (equivalently, the support of \({{\textsf {GenCiph}}} _{pk} ({\vec {\tau }},S)\)) for some \(T_{\vec {\tau }} \in {\mathcal {T}} \). The oracle’s response in this case is \(T_{\vec {\tau }} \).
-
If the query satisfies case 2 of Lemma 6.10, then we must have \(\mu ^*\) (used to generate the challenge ciphertext \({\zeta ^*}\)) equal to S (used to generate rigged ciphertext \(\zeta '\) in a previous \({{\textsc {rigenc}}}\) query). We consider two cases, depending on b:
When \(b=1\), consider that \(\zeta '\) was generated using \({{\textsf {GenCiph}}}\) rather than \({{\textsf {AltGenCiph}}}\). Therefore, the value S is information-theoretically fixed given \({pk}\) and \(\zeta '\). Then \(\mu ^* = S\) only with negligible probability, since S is fixed and \(\mu ^*\) is distributed independently at random.
When \(b=0\), \(\mu ^*\) is computed as \({\textsf {H}} ({{\textsf {canonize}}} (m_1^*, \ldots , m_n^*))\), where \({{\textsf {msg}} ^*} = (m_1^*, \ldots , m_n^*)\) is the plaintext given by the adversary in its \({{\textsc {challenge}}}\) query. We argue that \(\mu ^* = S\) can happen only with negligible probability. If \(\zeta '\) was generated after the \({{\textsc {challenge}}}\) query, then \(\mu ^* = S\) with negligible probability simply because \(\mu ^*\) is fixed before S is chosen at random. Otherwise, if \(\zeta '\) was generated before the \({{\textsc {challenge}}}\) query, then information about S is given to the adversary, although only “in the exponent” of \({\mathbb {G}}\). Here it is important that the challenge oracle does not reveal S to the adversary in \({{\textsc {rigenc}}}\) queries. For the adversary to be given a random S in the exponent and subsequently be able to specify \((m_1^*, \ldots , m_n^*)\) such that \(S = {\textsf {H}} ({{\textsf {canonize}}} (m_1^*, \ldots , m_n^*))\), the adversary must essentially solve the discrete logarithm problem in \({\mathbb {G}}\). In a group such as \({\mathbb {G}}\) in which the DDH assumption holds, this can only happen with negligible probability.
In summary, the only non-bad queries here are those in which \(\zeta \) is in the support of \({{\textsf {CTrans}}} _{pk} (\zeta ',T)\) for \(T \in {\mathcal {T}} \). Clearly the output of the alternate Hybrid 2 oracle is consistent with the Hybrid 1 oracle in this case. \(\square \)
Completing the Proof
We can now complete the proof of HCCA security:
Proof of Theorem 6.1
By Lemmas 6.6 and 6.11, we have that
$$\begin{aligned} \Pr \left[ {{\mathcal {A}}} ^{{\mathcal {O}}^{{\mathcal {E}},{{\textsf {RigEnc}}},{{\textsf {RigExtract}}}}_{\lambda ,b}}(1^\lambda ) = 1 \right] \approx \Pr \left[ {{\mathcal {A}}} ^{\widehat{{\mathcal {O}}}^{{\textsf {hyb-2}}}_{\lambda ,b}}(1^\lambda ) = 1 \right] \end{aligned}$$
for all adversaries \({{\mathcal {A}}}\) and \(b\in \{0,1\}\). It suffices to show that the adversary’s advantage in Hybrid 2 is zero; that is,
$$\begin{aligned} \Pr \left[ {{\mathcal {A}}} ^{\widehat{{\mathcal {O}}}^{{\textsf {hyb-2}}}_{\lambda ,0}}(1^\lambda ) = 1 \right] = \Pr \left[ {{\mathcal {A}}} ^{\widehat{{\mathcal {O}}}^{{\textsf {hyb-2}}}_{\lambda ,1}}(1^\lambda ) = 1 \right] \end{aligned}$$
In Hybrid 2, the adversary sees only the public key, challenge ciphertext, and responses to \({{\textsc {dec}}}\), \({{\textsc {rigenc}}}\), \({{\textsc {rigextract}}}\) queries. However, responses to these three kinds of queries are computed using only the public key, challenge plaintext, and challenge ciphertext. Thus, the adversary’s entire view is a function of the public key and challenge ciphertext. From Lemma 6.7, we see that the public key and challenge ciphertext (hence, the adversary’s entire view) are distributed independently of the choice bit b.
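Spelled out as a worked chain of (in)equalities (added here as an illustration; it is not part of the original proof text), the independence of the view from b closes the hybrid argument. Writing \(\mathcal {O}_{\lambda ,b}\) as shorthand for \({\mathcal {O}}^{{\mathcal {E}},{{\textsf {RigEnc}}},{{\textsf {RigExtract}}}}_{\lambda ,b}\):
$$\begin{aligned} \Pr \left[ {{\mathcal {A}}} ^{\mathcal {O}_{\lambda ,0}}(1^\lambda ) = 1 \right] &\approx \Pr \left[ {{\mathcal {A}}} ^{\widehat{{\mathcal {O}}}^{{\textsf {hyb-2}}}_{\lambda ,0}}(1^\lambda ) = 1 \right] &&\text {(Lemmas 6.6 and 6.11, } b=0) \\ &= \Pr \left[ {{\mathcal {A}}} ^{\widehat{{\mathcal {O}}}^{{\textsf {hyb-2}}}_{\lambda ,1}}(1^\lambda ) = 1 \right] &&\text {(view independent of } b \text {, Lemma 6.7)} \\ &\approx \Pr \left[ {{\mathcal {A}}} ^{\mathcal {O}_{\lambda ,1}}(1^\lambda ) = 1 \right] &&\text {(Lemmas 6.6 and 6.11, } b=1) \end{aligned}$$
Since each \(\approx \) hides a negligible function of \(\lambda \) and a sum of two negligible functions is negligible, the HCCA advantage
$$\begin{aligned} \left| \Pr \left[ {{\mathcal {A}}} ^{\mathcal {O}_{\lambda ,0}}(1^\lambda ) = 1 \right] - \Pr \left[ {{\mathcal {A}}} ^{\mathcal {O}_{\lambda ,1}}(1^\lambda ) = 1 \right] \right| \end{aligned}$$
is negligible for every polynomial-time \({{\mathcal {A}}}\), which is what Definition 3.1 requires.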