Encryption Mechanisms for Receipt-Free and Perfectly Private Verifiable Elections

Conference paper, Applied Cryptography and Network Security (ACNS 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14583)

Abstract

We design new encryption mechanisms that enable the design of the first universally verifiable voting schemes, supporting both receipt-freeness and everlasting privacy without assuming the existence of an anonymous channel.

Our schemes support the two most traditional election tallying methods: One is additively homomorphic, supporting elections in which votes simply need to be added, but decryption is only efficient for a message space of polylogarithmic size. The other is randomizable, is compatible with traditional mixnet-based tallying methods, and supports efficient message encoding, which makes it compatible with virtually any election type.

Our approach builds on the recently proposed traceable receipt-free encryption (TREnc) primitive to support the design of a perfectly private audit trail. In particular, we propose two TREnc that are secure under SXDH and rely on a public coin CRS (or on the random oracle model). This improves on previous TREnc mechanisms that required a structured CRS and is of independent interest. A prototype implementation of our mechanisms is proposed, which shows that ballot preparation and verification can be executed in less than a second.


References

  1. Adida, B.: Helios: web-based open-audit voting. In: Proceedings of the 17th USENIX Security Symposium, pp. 335–348. USENIX Association (2008)

  2. Adida, B., de Marneffe, O., Pereira, O., Quisquater, J.: Electing a university president using open-audit voting: analysis of real-world use of Helios. In: 2009 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections, EVT/WOTE ’09. USENIX Association (2009)

  3. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_22

  4. Benaloh, J., Naehrig, M.: ElectionGuard design specification version 2.0.0. https://www.electionguard.vote/spec/. Accessed Aug 2023

  5. Benaloh, J., Tuinstra, D.: Receipt-free secret-ballot elections. In: Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, pp. 544–553 (1994)

  6. Bernhard, D., Cortier, V., Galindo, D., Pereira, O., Warinschi, B.: SoK: a comprehensive analysis of game-based ballot privacy definitions. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 499–516. IEEE Computer Society (2015). https://doi.org/10.1109/SP.2015.37

  7. Bernhard, D., Cortier, V., Pereira, O., Smyth, B., Warinschi, B.: Adapting Helios for provable ballot privacy. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 335–354. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_19

  8. Bernhard, D., Pereira, O., Warinschi, B.: On necessary and sufficient conditions for private ballot submission. Cryptology ePrint Archive (2012)

  9. Blazy, O., Fuchsbauer, G., Pointcheval, D., Vergnaud, D.: Signatures on randomizable ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 403–422. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_25

  10. Boneh, D.: The decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054851

  11. Canard, S., Schoenmakers, B., Stam, M., Traoré, J.: List signature schemes. Discret. Appl. Math. 154(2), 189–201 (2006)

  12. Chaidos, P., Cortier, V., Fuchsbauer, G., Galindo, D.: BeleniosRF: a non-interactive receipt-free electronic voting scheme. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1614–1625 (2016)

  13. Chaum, D., et al.: Scantegrity II: end-to-end verifiability by voters of optical scan elections through confirmation codes. IEEE Trans. Inf. Forensics Secur. 4(4), 611–627 (2009)

  14. Chaum, D., Ryan, P.Y.A., Schneider, S.: A practical voter-verifiable election scheme. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 118–139. Springer, Heidelberg (2005). https://doi.org/10.1007/11555827_8

  15. Cortier, V., Gaudry, P., Glondu, S.: Belenios: a simple private and verifiable electronic voting system. In: Guttman, J.D., Landwehr, C.E., Meseguer, J., Pavlovic, D. (eds.) Foundations of Security, Protocols, and Equational Reasoning. LNCS, vol. 11565, pp. 214–238. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-19052-1_14

  16. Cramer, R., Franklin, M., Schoenmakers, B., Yung, M.: Multi-authority secret-ballot elections with linear work. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 72–83. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_7

  17. Cramer, R., Gennaro, R., Schoenmakers, B.: A secure and optimally efficient multi-authority election scheme. Eur. Trans. Telecommun. 8(5), 481–490 (1997)

  18. Culnane, C., Ryan, P.Y.A., Schneider, S.A., Teague, V.: vVote: a verifiable voting system. ACM Trans. Inf. Syst. Secur. 18(1), 3:1–3:30 (2015)

  19. Cuvelier, É., Pereira, O., Peters, T.: Election verifiability or ballot privacy: do we need to choose? In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 481–498. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40203-6_27

  20. Devillez, H., Pereira, O., Peters, T.: Traceable receipt-free encryption. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part III. LNCS, vol. 13793, pp. 273–303. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-22969-5_10

  21. Grewal, G.S., Ryan, M.D., Bursuc, S., Ryan, P.Y.A.: Caveat coercitor: coercion-evidence in electronic voting. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, pp. 367–381. IEEE Computer Society (2013)

  22. Grontas, P., Pagourtzis, A., Zacharakis, A., Zhang, B.: Towards everlasting privacy and efficient coercion resistance in remote electronic voting. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 210–231. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8_15

  23. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24

  24. Haines, T., Mueller, J., Mosaheb, R., Pryvalov, I.: SoK: secure e-voting with everlasting privacy. In: Proceedings on Privacy Enhancing Technologies (PoPETs) (2023)

  25. Hirt, M., Sako, K.: Efficient receipt-free voting based on homomorphic encryption. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 539–556. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_38

  26. Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, pp. 61–70 (2005)

  27. Kiltz, E., Wee, H.: Quasi-adaptive NIZK for linear subspaces revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 101–128. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_4

  28. Libert, B., Peters, T., Joye, M., Yung, M.: Linearly homomorphic structure-preserving signatures and their applications. Des. Codes Crypt. 77, 441–477 (2015)

  29. Libert, B., Peters, T., Qian, C.: Structure-preserving chosen-ciphertext security with shorter verifiable ciphertexts. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 247–276. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_11

  30. Locher, P., Haenni, R.: Receipt-free remote electronic elections with everlasting privacy. Ann. Telecommun. 71, 323–336 (2016)

  31. The MIRACL Core cryptographic library. https://github.com/miracl/core

  32. Moran, T., Naor, M.: Receipt-free universally-verifiable voting with everlasting privacy. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 373–392. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_22

  33. Okamoto, T.: Receipt-free electronic voting schemes for large scale elections. In: Christianson, B., Crispo, B., Lomas, M., Roe, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 25–35. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0028157

  34. Ryan, P.Y.A., Rønne, P.B., Iovino, V.: Selene: voting with transparent verifiability and coercion-mitigation. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 176–192. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_12

  35. Sako, K., Kilian, J.: Receipt-free mix-type voting scheme: a practical solution to the implementation of a voting booth. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 393–403. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-49264-X_32

  36. Wikström, D.: Verificatum. https://www.verificatum.org/. Accessed May 2022


Acknowledgments

Thomas Peters is a research associate of the Belgian Fund for Scientific Research (F.R.S.-FNRS). This work has been funded in part by the Walloon Region through the project CyberExcellence (convention number 2110186).

Author information

Correspondence to Thi Van Thao Doan.

Appendices

Scheme Description for Complex Ballots

  • Gen(\(1^\lambda \)): Choose bilinear groups (\(\mathbb {G},\hat{\mathbb {G}}, \mathbb {G}_T\)) of prime order \(p>2^{\textsf {poly}(\lambda )}\) together with \(g, h, g_1, h_1 \overset{\$}{\leftarrow }\ \mathbb {G}\) and \(\hat{g}, \hat{h} \overset{\$}{\leftarrow }\ \hat{\mathbb {G}}\).

    1. Pick random \(\alpha_i, \beta_i \overset{\$}{\leftarrow}\ \mathbb{Z}_p\) for \(i = 1, 2\) and set \(\hat{f}_i = \hat{g}^{\alpha_i}\hat{h}^{\beta_i}\). Pick random \(\alpha, \beta \overset{\$}{\leftarrow}\ \mathbb{Z}_p\) and set \(f = g^\alpha h^\beta\).

    2. Generate Groth-Sahai CRS \(\textbf{u} = (\vec{u}_1, \vec{u}_2) \in \mathbb{G}^4\), \(\textbf{u}' = (\vec{u}_1', \vec{u}_2') \in \mathbb{G}^4\) and \(\textbf{v} = (\vec{v}_1, \vec{v}_2) \in \hat{\mathbb{G}}^4\) to commit to group elements of \(\mathbb{G}\) and \(\hat{\mathbb{G}}\), where \(\vec{u}_1' = (u_{11}', u_{12}') = (g, h)\), \(\vec{u}_2' = (u_{21}', u_{22}') = (g_1, h_1)\), \(\vec{v}_1 = (v_{11}, v_{12})\), and \(\vec{v}_2 = (v_{21}, v_{22})\) are generated in the perfect NIWI mode.

    3. Pick random \(k_1, k_2 \overset{\$}{\leftarrow}\ \mathbb{G}\), which serve as the verification key for the LHSP signature used in the proof \(\pi_{ss}\) below.

    The private key is \( \textsf {SK}= (\alpha _1, \beta _1, \alpha _2, \beta _2, \alpha , \beta )\) and the public key \(\textsf {PK}= (g, h,g_1, h_1, \hat{g}, \hat{h}, f, \hat{f}_1, \hat{f}_2, {k}_1, {k}_2, \textbf{u}, \textbf{v}, \textbf{u}')\).

  • Enc(PK, M): To encrypt a message \(M \in \mathbb{G}\), first run \(\textsf{LGen}(\textsf{PK})\): generate a key pair (\(\textsf{osk}, \textsf{opk}\)) for the one-time linearly homomorphic signature from the public generators \(\hat{g}, \hat{h}\), for signing vectors of dimension 3. The signing key is \(\textsf{lk} = \textsf{osk} = \{(\eta_i, \zeta_i)\}_{i=1}^{3}\) and the corresponding public key is \(\textsf{opk} = \{\hat{y}_i\}_{i=1}^{3}\). Then, run the following steps of \(\textsf{LEnc}(\textsf{PK}, \textsf{lk}, M)\):

    1. Computing \(CT\):

      (a) For random \(r, s \overset{\$}{\leftarrow}\ \mathbb{Z}_p\), compute the commitments \(d_1 = Mg^rh^s \in \mathbb{G}\), \(d_2 = g_1^rh_1^s \in \mathbb{G}\) and the openings \(\hat{R} = \hat{g}^r \in \hat{\mathbb{G}}\), \(\hat{S} = \hat{g}^s \in \hat{\mathbb{G}}\). Randomly choose \(\theta, \gamma \overset{\$}{\leftarrow}\ \mathbb{Z}_p\) and compute the ciphertexts of \(M\), \(\hat{R}\), and \(\hat{S}\) respectively as \(\textbf{c}_m = (c_m^0, c_m^1, c_m^2) = (Mf^\theta, g^\theta, h^\theta)\), \(\textbf{c}_r = (c_r^0, c_r^1, c_r^2) = (\hat{R}\hat{f}_1^\gamma, \hat{g}^\gamma, \hat{h}^\gamma)\), and \(c_s = \hat{S}\hat{f}_2^\gamma\).

      (b) Commit to the openings using the Groth-Sahai CRS by computing \(\textbf{C}_{M} = \iota_1(M)\vec{u}_1^{z_1}\vec{u}_2^{z_2}\), \(\textbf{C}_{\hat{R}} = \iota_2(\hat{R})\vec{v}_1^{r_1}\vec{v}_2^{r_2}\), and \(\textbf{C}_{\hat{S}} = \iota_2(\hat{S})\vec{v}_1^{t_1}\vec{v}_2^{t_2}\) for random \(z_1, z_2, r_1, r_2, t_1, t_2 \overset{\$}{\leftarrow}\ \mathbb{Z}_p\), where \(\iota_1\) and \(\iota_2\) are the GS inclusion maps into \(\mathbb{G}^2\) and \(\hat{\mathbb{G}}^2\). For simplicity, from now on we denote the GS commitments as \(\textbf{C}_{M} = \textsf{Com}(\textbf{u}, M)\), \(\textbf{C}_{\hat{R}} = \textsf{Com}(\textbf{v}, \hat{R})\), and \(\textbf{C}_{\hat{S}} = \textsf{Com}(\textbf{v}, \hat{S})\). Next, derive the commitments \(\textbf{C}_{f} = \iota_1(c_m^0)/\textbf{C}_M\), \(\textbf{C}_{\hat{f}_1} = \iota_2(c_r^0)/\textbf{C}_{\hat{R}}\), and \(\textbf{C}_{\hat{f}_2} = \iota_2(c_s)/\textbf{C}_{\hat{S}}\), which are GS commitments to \(f^\theta\), \(\hat{f}_1^\gamma\), and \(\hat{f}_2^\gamma\).

      (c) To allow simulating the proof, set the bit \(\bar{b} = 1\) and compute \(G = g^{\bar{b}} \in \mathbb{G}\) and \(\hat{G} = \hat{g}^{\bar{b}} \in \hat{\mathbb{G}}\). Commit to \(G\) and \(\hat{G}\) to obtain \(\textbf{C}_G = \textsf{Com}(\textbf{u}, G)\) and \(\textbf{C}_{\hat{G}} = \textsf{Com}(\textbf{v}, \hat{G})\). Compute a GS proof \(\pi_b\) that \(e(g, \hat{G}) = e(G, \hat{g})\).

      (d) To ensure that \(CT\) is well-formed, the proof \(\pi_\theta\) guarantees that \((c_m^1, c_m^2, c_m^0/M)\) and \((c_r^1, c_r^2, c_r^0/\hat{R}, c_s/\hat{S})\) are of the form \((g, h, f)^\theta\) and \((\hat{g}, \hat{h}, \hat{f}_1, \hat{f}_2)^\gamma\) respectively. To do so, commit also to \(\hat{G}^\theta\) and \(G^\gamma\) as \(\textbf{C}_{\theta} = \textsf{Com}(\textbf{v}, \hat{G}^\theta)\) and \(\textbf{C}_{\gamma} = \textsf{Com}(\textbf{u}, G^\gamma)\), and compute a GS proof \(\pi_\theta\) that

        $$\begin{aligned} e(c_m^1, \hat{G}) &= e(g, \hat{G}^\theta), & e(c_m^2, \hat{G}) &= e(h, \hat{G}^\theta), & e(f^\theta, \hat{G}) &= e(f, \hat{G}^\theta), \\ e(G, c_r^1) &= e(G^\gamma, \hat{g}), & e(G, c_r^2) &= e(G^\gamma, \hat{h}), & e(G, \hat{f}_1^\gamma) &= e(G^\gamma, \hat{f}_1), \\ e(G, \hat{f}_2^\gamma) &= e(G^\gamma, \hat{f}_2). \end{aligned}$$
      (e) Return \(CT = (\textbf{c}_m, \textbf{c}_r, c_s, \textbf{C}_G, \textbf{C}_\theta, \textbf{C}_\gamma, \pi_b, \pi_\theta) \in \mathbb{G}^{27} \times \hat{\mathbb{G}}^{26}\).

    2. Computing \(D\):

      (a) Proof of the openings: the proof \(\pi_{open}\) shows that the values committed in \(\textbf{C}_M, \textbf{C}_{\hat{R}}, \textbf{C}_{\hat{S}}\), and \(\textbf{C}_{\hat{G}}\) of \(CT\) are openings of the commitments \(d_1, d_2\), i.e., that they satisfy \(e(M, \hat{g}) \cdot e(g, \hat{R}) \cdot e(h, \hat{S}) = e(d_1, \hat{G})\) and \(e(g_1, \hat{R}) \cdot e(h_1, \hat{S}) = e(d_2, \hat{G})\).

      (b) Traceability: sign each row of the matrix \(T\) below using \(\textsf{lk} = \textsf{osk}\) to obtain the signatures \(\sigma_1, \sigma_2, \sigma_3\), where \(\sigma_i = (Z_i, R_i) \in \mathbb{G}^2\) for \(i = 1, 2, 3\).

        $$\begin{aligned} T = \begin{pmatrix} g & d_1 & d_2 \\ 1 & g & g_1 \\ 1 & h & h_1 \end{pmatrix} \end{aligned}$$

        Next, commit to \(\sigma_1\) using \(\textbf{u}'\) with \(\textbf{C}_{Z} = \textsf{Com}(\textbf{u}', Z_1)\) and \(\textbf{C}_{R} = \textsf{Com}(\textbf{u}', R_1)\). To ensure that \(\sigma_1\) is a valid one-time LHSP signature on \((g, d_1, d_2)\), compute the proof \(\pi_{sig} \in \hat{\mathbb{G}}^2\) that \(e(Z_1, \hat{g}) \cdot e(R_1, \hat{h}) = e(g, \hat{y}_1) \cdot e(d_1, \hat{y}_2) \cdot e(d_2, \hat{y}_3)\).

      (c) TCCA security: set \(\hat{A} = 1_{\hat{\mathbb{G}}}\), \(\hat{B} = 1_{\hat{\mathbb{G}}}\), \(\hat{X} = \hat{g}/\hat{G} = \hat{g}^{1-\bar{b}}\), and \(\tau = \textsf{Hash}(\textsf{opk})\). Commit to \(\hat{A}\) and \(\hat{B}\) using the CRS \(\textbf{v}\). Compute the proof \(\pi_{ss}\) that \(e(g, \hat{A}) \cdot e(h, \hat{B}) = e(k_1 k_2^\tau, \hat{g}/\hat{G})\).

      (d) Return \(D = (d_1, d_2, \textbf{C}_M, \textbf{C}_{\hat{R}}, \textbf{C}_{\hat{S}}, \textbf{C}_{\hat{G}}, \textbf{C}_{Z}, \textbf{C}_{R}, \textbf{C}_{\hat{A}}, \textbf{C}_{\hat{B}}, \pi_{open}, \sigma_2, \sigma_3, \pi_{sig}, \pi_{ss}, \textsf{opk}) \in \mathbb{G}^{20} \times \hat{\mathbb{G}}^{19}\).

    At the end of the encryption, output \(C = (CT, D)\in \mathbb {G}^{47} \times \hat{\mathbb {G}}^{45}\).

  • Trace(PK, C): Parse \(\textsf {PK}\) and C as above, and output opk in the obvious way.

  • Rand(PK, C): If \(\textsf{PK}\) and \(C = (CT, D)\) do not parse as outputs of Gen and Enc, abort. Otherwise, follow the same steps as \(\textsf{Rand}(\textsf{PK}, C)\) in Sect. 3.1 and output the randomized ciphertext \(C' = (CT', D')\).

  • Ver(PK, C): First, abort and output 0 if either \(\textsf{PK}\) or \(C\) fails to parse correctly. Second, verify the signatures \(\sigma_2\) and \(\sigma_3\) on the last two rows of the matrix \(T\) under \(\textsf{opk}\), and output 0 if either check fails. Third, verify all the GS proofs \(\pi_b, \pi_{\theta}, \pi_{open}, \pi_{sig}\), and \(\pi_{ss}\) against their corresponding equations. The first two proofs, which concern the CPA encryption part, are verified privately, while the others are checked publicly on PB. If any of these checks fails, output 0; otherwise, output 1.

  • Dec(SK, C): If Ver(PK, C) = 0, output \(\bot \). Otherwise, given \(\textsf {SK}= (\alpha _1, \beta _1, \alpha _2, \beta _2, \alpha , \beta )\) and \((\textbf{c}_m = (c_m^0, c_m^1, c_m^2), \textbf{c}_r =(c_r^0, c_r^1, c_r^2), c_s)\) included in CT, output \(M = c_m^0 \cdot {c_m^1}^{-\alpha } \cdot {c_m^2}^{-\beta }\), \(\hat{R} = c_r^0 \cdot {c_r^1}^{-\alpha _1} \cdot {c_r^2}^{-\beta _1}\), and \(\hat{S} = c_s \cdot {c_r^1}^{-\alpha _2} \cdot {c_r^2}^{-\beta _2}\).

The security analysis of this second scheme directly follows that of our first construction.
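Worked derivation of the traceability signatures of step 2(b), added here as an illustration and not taken from the paper. It assumes that the one-time LHSP signature is the one of Libert et al. [28], whose keys match those produced by \(\textsf{LGen}\) above: \(\textsf{osk} = \{(\eta_i, \zeta_i)\}_{i=1}^3\), \(\textsf{opk} = \{\hat{y}_i = \hat{g}^{\eta_i}\hat{h}^{\zeta_i}\}_{i=1}^3\), and the signature on a vector \((m_1, m_2, m_3) \in \mathbb{G}^3\) is \((Z, R) = (\prod_{i} m_i^{\eta_i}, \prod_{i} m_i^{\zeta_i})\). Verification then follows from bilinearity:

$$\begin{aligned} e(Z, \hat{g})\, e(R, \hat{h}) &= \prod_{i=1}^{3} e(m_i, \hat{g})^{\eta_i} \prod_{i=1}^{3} e(m_i, \hat{h})^{\zeta_i} = \prod_{i=1}^{3} e(m_i, \hat{g}^{\eta_i}\hat{h}^{\zeta_i}) = \prod_{i=1}^{3} e(m_i, \hat{y}_i). \end{aligned}$$

For the first row \((g, d_1, d_2)\) of \(T\) this is exactly the equation proved by \(\pi_{sig}\). The signatures \(\sigma_2, \sigma_3\) on the rows \((1, g, g_1)\) and \((1, h, h_1)\) are published in \(D\) so that \(\textsf{Rand}\) can adapt \(\sigma_1\) without \(\textsf{osk}\): for randomizers \(r', s' \overset{\$}{\leftarrow}\ \mathbb{Z}_p\),

$$\begin{aligned} (g,\ d_1 g^{r'} h^{s'},\ d_2 g_1^{r'} h_1^{s'}) &= (g, d_1, d_2) \cdot (1, g, g_1)^{r'} \cdot (1, h, h_1)^{s'}, \\ \sigma_1' = (Z_1', R_1') &= (Z_1 Z_2^{r'} Z_3^{s'},\ R_1 R_2^{r'} R_3^{s'}), \end{aligned}$$

and \(\sigma_1'\) verifies on the new first row under the unchanged \(\textsf{opk}\), so the trace survives randomization. Conversely, a vector \((g^a, d_1^a g^b h^c, d_2^a g_1^b h_1^c)\) in the span of the rows of \(T\) has first coordinate \(g\) only if \(a = 1\), so the only vectors that can carry a derived signature with first coordinate \(g\) are the rerandomizations \((g, d_1 g^b h^c, d_2 g_1^b h_1^c)\) of \((d_1, d_2)\), which all open to the same \(M\).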

Deferred Proofs

1.1 Correctness

The construction satisfies TREnc’s correctness as defined in Definition 2.1.

  • Correctness of encryption compatibility By construction, we define \(\textsf {Enc}\) such that the distributions of \(\textsf {Enc}(\textsf {PK}, m)\) and \(\textsf {LEnc}(\textsf {PK}, \textsf {LGen}(\textsf {PK}), m)\) are identical.

  • Correctness of link traceability For every \(\textsf {PK}\) in the range of \(\textsf {Gen}\), the scheme runs \({\textsf {LGen}(\textsf {PK})}\) to output a key pair (\({\textsf {osk}, \textsf {opk}}\)) for the one-time linearly homomorphic signature, where \(\textsf {opk}= f(\textsf {osk})\) for a deterministic function f. Then, for every \(\textsf {lk}= \textsf {osk}\) in the range of \({\textsf {LGen}(\textsf {PK})}\), \(\textsf {LEnc}(\textsf {PK}, \textsf {lk}, m)\) produces a ciphertext C, where \(\textsf {Trace}(\textsf {PK}, C) = f(\textsf {osk}) = \textsf {opk}\). That is, \( \textsf {Trace}(\textsf {PK}, \textsf {LEnc}(\textsf {PK}, \textsf {lk}, \cdot ))\) is the constant function \(f(\textsf {osk}) = \textsf {opk}\).

  • Correctness of publicly traceable randomization As described in Sect. 3.1, the trace \(\textsf{opk}\) is left unchanged by the randomization step, so \(\textsf{Trace}(\textsf{PK}, C) = \textsf{Trace}(\textsf{PK}, \textsf{Rand}(\textsf{PK}, C))\) by definition. Additionally, \(\textsf{Rand}\) honestly randomizes the CPA part of the ciphertext: \(\textbf{c}'_m = \textbf{c}_m \cdot (f_1, g_1, h_1)^{\theta'} = (Mf_1^{\theta+\theta'}, g_1^{\theta+\theta'}, h_1^{\theta+\theta'})\) with \(\theta' \overset{\$}{\leftarrow}\ \mathbb{Z}_p\). Since \(\theta + \theta'\) is uniform over \(\mathbb{Z}_p\), \(\textbf{c}'_m\) is distributed exactly as a fresh CPA encryption of \(m\), and no choice of \(\theta'\), even one not drawn uniformly, can change the encrypted message. Hence \(\textsf{Dec}(\textsf{SK}, C) = \textsf{Dec}(\textsf{SK}, \textsf{Rand}(\textsf{PK}, C))\).

  • Correctness of honest verifiability Given a ciphertext \(C\) in the honest range of \(\textsf{Enc}(\textsf{PK}, m)\), there exist random coins that explain how the ciphertext was computed. These coins always yield valid GS proofs and valid LHSP signatures, so all the verification equations are satisfied. In other words, thanks to the perfect correctness of GS proofs and LHSP signatures, for every honestly generated \(C\) and all coins, \(\textsf{Ver}(\textsf{PK}, \textsf{Enc}(\textsf{PK}, m)) = 1\).
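The following toy model, added here as an example and not code from the paper, exercises the non-pairing core of the appendix scheme (the commitments \(d_1, d_2\), the CPA part \(\textbf{c}_m\), \(\textsf{Dec}\) and \(\textsf{Rand}\)) and checks the correctness properties above: \(\textsf{Dec}\) inverts \(\textsf{Enc}\), \(\textsf{Dec}(\textsf{SK}, \textsf{Rand}(\textsf{PK}, C)) = \textsf{Dec}(\textsf{SK}, C)\), and the openings stay consistent after randomization. It assumes a stand-in for the pairing groups: \(\mathbb{G}\) is replaced by the order-\(q\) subgroup of \(\mathbb{Z}_p^*\) for a generated safe prime \(p\), so there is no pairing and the GS proofs \(\pi_{open}, \pi_\theta\) are replaced by opening checks done in the clear on a witness that the real scheme keeps hidden. All function names and the 64-bit toy parameters are this example's own and are not secure.

```python
"""Toy model of the non-pairing core of the appendix scheme (commitments d_1, d_2,
CPA part c_m, Dec, Rand). Added example, not the paper's code: the paper works in
SXDH pairing groups and hides the openings (r, s, theta) in Groth-Sahai
commitments; here G is the order-q subgroup of Z_p^* for a generated safe prime p,
so there is no pairing and the GS proofs become opening checks done in the clear.
All names below are this example's own."""
import random

RNG = random.Random(2024)  # fixed seed: reproducible demo, NOT secure randomness

def is_probable_prime(n, rounds=24):
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Return (p, q) with p = 2q + 1 and q both prime; G = squares mod p, of order q."""
    while True:
        q = RNG.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

def gen(bits=64):
    """Gen: generators g, h, g_1, h_1 and f = g^alpha h^beta; SK = (alpha, beta)."""
    p, q = safe_prime(bits)
    # squaring a unit x != +-1 yields a non-identity element of G
    g, h, g1, h1 = [pow(RNG.randrange(2, p - 1), 2, p) for _ in range(4)]
    alpha, beta = RNG.randrange(1, q), RNG.randrange(1, q)
    f = pow(g, alpha, p) * pow(h, beta, p) % p
    return dict(p=p, q=q, g=g, h=h, g1=g1, h1=h1, f=f), (alpha, beta)

def commit_and_encrypt(pk, M, r, s, theta):
    """Enc step 1(a) with given coins: d_1 = M g^r h^s, d_2 = g_1^r h_1^s,
    c_m = (M f^theta, g^theta, h^theta)."""
    p = pk["p"]
    d1 = M * pow(pk["g"], r, p) * pow(pk["h"], s, p) % p
    d2 = pow(pk["g1"], r, p) * pow(pk["h1"], s, p) % p
    c_m = (M * pow(pk["f"], theta, p) % p, pow(pk["g"], theta, p), pow(pk["h"], theta, p))
    return dict(d1=d1, d2=d2, c_m=c_m)

def enc(pk, M):
    """Enc with fresh coins; also returns the witness (r, s, theta) that the real
    scheme keeps hidden inside the GS commitments."""
    wit = tuple(RNG.randrange(1, pk["q"]) for _ in range(3))
    return commit_and_encrypt(pk, M, *wit), wit

def dec(pk, sk, ct):
    """Dec: M = c_m^0 * (c_m^1)^-alpha * (c_m^2)^-beta, since f = g^alpha h^beta."""
    p, q, (alpha, beta) = pk["p"], pk["q"], sk
    c0, c1, c2 = ct["c_m"]
    return c0 * pow(c1, (-alpha) % q, p) * pow(c2, (-beta) % q, p) % p

def rand_ct(pk, ct, wit):
    """Rand: multiply componentwise by a fresh encryption of the identity, i.e. c_m
    by (f, g, h)^theta' and (d_1, d_2) by (g^r' h^s', g_1^r' h_1^s'); the witness
    is adapted additively, as the GS commitments and proofs are in the real scheme."""
    p, q = pk["p"], pk["q"]
    coins = tuple(RNG.randrange(1, q) for _ in range(3))
    delta = commit_and_encrypt(pk, 1, *coins)
    new = dict(d1=ct["d1"] * delta["d1"] % p, d2=ct["d2"] * delta["d2"] % p,
               c_m=tuple(a * b % p for a, b in zip(ct["c_m"], delta["c_m"])))
    return new, tuple((w + c) % q for w, c in zip(wit, coins))

def openings_consistent(pk, ct, wit, M):
    """What pi_open and pi_theta attest, checked in the clear."""
    return ct == commit_and_encrypt(pk, M, *wit)

def demo(bits=64):
    """Run Gen/Enc/Rand/Dec once and report which correctness properties hold."""
    pk, sk = gen(bits)
    M = pow(pk["g"], 42, pk["p"])  # message encoded as a group element
    ct, wit = enc(pk, M)
    ct2, wit2 = rand_ct(pk, ct, wit)
    bad_sk = ((sk[0] + 1) % pk["q"], sk[1])
    return dict(dec_ok=dec(pk, sk, ct) == M,
                rand_dec_ok=dec(pk, sk, ct2) == M,  # Dec(Rand(C)) = Dec(C)
                rand_changed=ct2 != ct,             # looks like a fresh ciphertext
                open_ok=openings_consistent(pk, ct, wit, M),
                rand_open_ok=openings_consistent(pk, ct2, wit2, M),
                wrong_key_fails=dec(pk, bad_sk, ct) != M)
```

Running `demo()` returns a dictionary in which every entry is `True`. The `rand_ct` function builds the randomizer as an encryption of the identity under the same coins for \(d_1\) and \(d_2\), which is the same structure the Rand step of the paper relies on: the ciphertext after randomization is indistinguishable from a fresh one, while the additively adapted witness still opens it to the original \(M\).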

1.2 Strong Randomizability

Theorem 3.1. The TREnc is perfectly strongly randomizable. More precisely, for every \(c \in \textsf{LEnc}(\textsf{PK}, \textsf{lk}, m)\) with \(\textsf{PK}\) in the range of \(\textsf{Gen}\) and \(\textsf{lk}\) in the range of \(\textsf{LGen}(\textsf{PK})\), the distributions \(\{\textsf{Rand}(\textsf{PK}, c)\}\) and \(\{\textsf{LEnc}(\textsf{PK}, \textsf{lk}, m)\}\) are identical.

Proof

Given a ciphertext \(C = (CT, D)\) in the range of \(\textsf{Enc}(\textsf{PK}, m)\), for some message \(m\) and internal link key \(\textsf{lk} = \textsf{osk}\), the perfect correctness of honest verifiability of our TREnc implies that \(C\) is valid. The opening values \(R, Q\) are fully redistributed as uniform group elements during rerandomization. The CPA part is then also fully rerandomized and distributed as a fresh CPA part. In the WI mode, valid GS proofs can also be perfectly rerandomized and are fully redistributed after adaptation. Finally, the LHSP signatures on the last two rows of the matrix \(T\) are deterministic. The indistinguishability is therefore perfect.

1.3 TCCA Security

Theorem 3.2. The above scheme is TCCA-secure under the SXDH assumption and the collision resistance of the hash function. More precisely, we have \(\big \vert \Pr [\textsf {Exp}_\mathcal {A}^{tcca }(\lambda ) =1]-\frac{1}{2}\big \vert \le \epsilon _{cr} + 6\epsilon _{sxdh} + \frac{4}{p}\).

Proof

We consider a sequence of games. In Game i, we denote by \(S_i\) the event that an adversary \(\mathcal {A}\) wins by correctly guessing the internal random bit b of the game, which makes the game output 1.

  • \(\textsf {Game}_{1}(\lambda )\): This is the real game as described in the experiment Fig. 1. By definition, \(\Pr [S_1] = \Pr [\textsf {Exp}_\mathcal {A}^{tcca }(\lambda ) =1]\).

  • \(\textsf{Game}_{2}(\lambda)\): In this game, we introduce a failure event \(F_2\) which causes the game to abort and output a random bit if the adversary produces two valid ciphertexts \(C\) and \(C'\) as outputs of \(\textsf{Enc}\) such that \(\textsf{Hash}(\textsf{opk}) = \textsf{Hash}(\textsf{opk}')\) but \(\textsf{opk} \ne \textsf{opk}'\). Ruling out this event prevents \(\mathcal{A}\) from reusing the same tag with different signatures in decryption queries after the challenge phase. \(F_2\) implies a collision on the hash function, so \(\Pr[F_2] \le \epsilon_{cr}\). We thus have \(\mid \Pr[S_2] - \Pr[S_1] \mid \le \Pr[F_2] \le \epsilon_{cr}\).

  • \(\textsf{Game}_{3}(\lambda)\): This game is as Game 2 except that we introduce a failure event which occurs during the challenge phase if \(\mathcal{A}\) produces valid ciphertexts \(C_0, C_1\) with \((\hat{\sigma}_2^{(0)}, \hat{\sigma}_3^{(0)}) \ne (\hat{\sigma}_2^{(1)}, \hat{\sigma}_3^{(1)})\). We abort in this event because the challenge ciphertext \(C^*\) carries the same values \((\hat{\sigma}_2^*, \hat{\sigma}_3^*)\) as \(C_0\) or \(C_1\), which would let \(\mathcal{A}\) tell them apart. Clearly, \(\mid \Pr[S_3] - \Pr[S_2] \mid\) is bounded by the probability that \((\hat{\sigma}_2^{(0)}, \hat{\sigma}_3^{(0)})\) and \((\hat{\sigma}_2^{(1)}, \hat{\sigma}_3^{(1)})\) are two distinct signatures on the same vector. Thus, \(\mid \Pr[S_3] - \Pr[S_2] \mid \le \epsilon_{sxdh}\).

  • \(\textsf{Game}_{4}(\lambda)\): This game is the same as Game 3 except in the way we generate the challenge ciphertext \(C^*\) from \(C_b\) in the randomization step. When generating \(\textsf{PK}\), we compute \(\hat{f}_1, \hat{f}_2\) as the verification key corresponding to a signing key sk\(_{\textsf{lhsp}}\) of a one-time linearly homomorphic signature for vectors of dimension \(n = 2\), given the common public parameters \(\hat{g}, \hat{h}\). We keep sk\(_{\textsf{lhsp}}\) in memory and output pk\(_{\textsf{lhsp}} = \{\hat{f}_1, \hat{f}_2\}\). Since the distribution of the output is unchanged, this modification is invisible to \(\mathcal{A}\). The simulated randomization is as follows:

    1. Randomizing \(D^*\)

      (a) For the proof of openings \(\pi^*_{open}\)

        • Randomize the commitments \(\hat{d}_1^*=\hat{d}_1^{(b)} \cdot \hat{g}_1^{r^*}\hat{h}_1^{q^*}\), \(\hat{d}_2^*=\hat{d}_2^{(b)} \cdot \hat{g}_2^{r^*}\hat{h}_2^{q^*}\) for \(r^*, q^* \overset{\$}{\leftarrow }\ \mathbb {Z}_p\).

        • Switch \(\bar{b}\) to 0, so that \(G^* = g^{\bar{b}} = 1_{\mathbb{G}}\). Recompute the commitment of \(G^*\) as \(\textbf{C}_G^* = \textsf{Com}(\textbf{u}, 1_{\mathbb{G}})\). Since the CRS \(\textbf{u}\) is generated in the perfect NIWI mode, the resulting commitments and proofs are distributed uniformly among all group elements that satisfy the verification equation, so \(\textbf{C}_G = \textsf{Com}(\textbf{u}, g)\) and \(\textbf{C}_G^* = \textsf{Com}(\textbf{u}, 1_{\mathbb{G}})\) cannot be distinguished.

        • Similarly, update the randomized commitments \(\textbf{C}_M^* = \textsf{Com}(\textbf{u}, 1_{\mathbb{G}})\), \(\textbf{C}_{R}^* = \textsf{Com}(\textbf{u}, 1_{\mathbb{G}})\), and \(\textbf{C}_{Q}^* = \textsf{Com}(\textbf{u}, 1_{\mathbb{G}})\). Equations 4.a and 4.b then hold since both sides are equal to 1. Next, update the simulated proof \(\pi^*_{open} = (\pi^*_{4.a}, \pi^*_{4.b})\) with the corresponding randomness. Since GS proofs are WI, the simulated proof cannot be distinguished from a real one.

      (b) For the proof of signature \(\pi^*_{sig}\), proceed exactly as Rand would.

      (c) For the proof of simulation soundness \(\pi^*_{ss}\)

        • Since \(\bar{b}\) is switched to 0, \(X^* = g^{1-\bar{b}} = g \in \mathbb G\). Adapt the commitment of \(X^*\) to be \(\textbf{C}_X^* = \iota _1(g)/\textbf{C}_G^* = \textsf {Com}(\textbf{u}, g)\).

        • We simulate the proof \(\pi^*_{ss}\) by signing the message \((X^*, {X^*}^{\tau^*})\) from scratch using the secret key sk\(_{\textsf{lhsp}}\) at step 2c. That is, instead of randomizing the adversary's \(\textbf{C}_A^{(b)}, \textbf{C}_B^{(b)}\), we first compute the LHSP signature \((A^*, B^*) = \texttt{Sign}(\textsf{sk}_{\textsf{lhsp}}, (X^*, {X^*}^{\tau^*}))\), where \(\tau^* = \textsf{Hash}(\textsf{opk}_0) = \textsf{Hash}(\textsf{opk}_1) = \tau^{b}\). Equation 7 still holds since \(\hat{f}_1, \hat{f}_2\) were generated as the public verification key corresponding to sk\(_{\textsf{lhsp}}\). Since \(\textbf{C}_A', \textbf{C}_B'\) as computed in Rand and \(\textbf{C}_A^*, \textbf{C}_B^*\) are commitments under a NIWI CRS, their distributions are exactly the same in the adversary's view.

        • Commit to \((A^*, B^*)\) by computing \(\textbf{C}^*_A = \textsf {Com}(\textbf{u}, A^*)\), \(\textbf{C}^*_B = \textsf {Com}(\textbf{u}, B^*)\), then adapt the correspondingly simulated proof \({\pi }_{ss}^*\). As a side effect, \({\pi }^*_{ss}\) is a valid proof of a false statement, where X is no longer equal to \(1_{\mathbb {G}}\) as in Enc.

      (d) For the proof \(\pi_{01}^*\), since \(\textbf{C}_M^* = \textsf{Com}(\textbf{u}, 1_{\mathbb{G}})\), we update \(\textbf{C}_{\hat{M}^*} = \textsf{Com}(\textbf{v}, 1_{\hat{\mathbb{G}}})\). Equation 8 holds as both sides are equal to 1. Then, compute the simulated proof \(\pi_{01}^*\) accordingly.

    2. Randomizing \(CT^*\)

      • Parse the CPA encryption part and randomize it as Rand at step 1a.

      • Since \(\bar{b} = 0\), recompute \(\hat{H} = \hat{h}^{\bar{b}} = 1\) and \(\hat{H}^\theta = 1\). Compute the corresponding commitments \(\textbf{C}^*_{\hat{H}} = \textsf{Com}(\textbf{v}, 1_{\hat{\mathbb{G}}})\) and \(\textbf{C}^*_\theta = \textsf{Com}(\textbf{v}, 1_{\hat{\mathbb{G}}})\). The verification Eqs. 2 and 3 hold since both sides are equal to 1. As a consequence, the encryption part is no longer in the range of the honest CPA encryptions of Dec(SK, \(C_b\)), except with probability \(1/p\). Next, compute the proofs \(\pi^*_b\) and \(\pi^*_\theta\) as in Enc.

    Game 3 and Game 4 abort in the same cases. When both games do not abort, their views are exactly the same thanks to the perfect witness indistinguishability of GS proofs. Particularly, the distributions of \(\pi ^*_{ss}\) and randomized \(\pi '_{ss}\) are indistinguishable. We thus have \(\Pr [S_4] = \Pr [S_3]\).

  • \(\textsf {Game}_{5}(\lambda )\): This game is as the previous game except that the Groth Sahai CRS \(\textbf{u}\) and \(\textbf{v}\) of the public key are now generated in the extractable mode. Namely, we pick \(\vec {u}_1 \overset{\$}{\leftarrow }\ \mathbb {G}^2\), \(\gamma \overset{\$}{\leftarrow }\ \mathbb {Z}_p\), and compute \(\vec {u}_2 = \vec {u}^\gamma _1\). The CRS forms a random DH tuple over \(\mathbb {G}\). Thus, \(\mid \Pr [S_5] - \Pr [S_4] \mid \le 2\epsilon _{sxdh}\).

  • \(\textsf {Game}_{6}(\lambda )\): We bring the following modification to the previous game. When sampling the CRS \(\textbf{u} = (\vec {u}_1, \vec {u}_1^\gamma )\), we compute \(\vec {u}_1 = (u_{11}, u_{12})\), where \(u_{12} = u_{11}^\mu \) with \(\mu \overset{\$}{\leftarrow }\ \mathbb {Z}_p\). As per [23], the distribution of the public key is unchanged, but we keep \(\mu \) as an ElGamal secret key to extract the committed group elements of the Groth-Sahai commitments. Moreover, when receiving \(\textbf{C}_A^{(b)}, \textbf{C}_B^{(b)}, \textbf{C}_G^{(b)}\) from the adversary, we extract some \(A^{(b)}, B^{(b)}, G^{(b)} \in \mathbb G\). Here, we introduce a failure event \(F_6\) that occurs when \(\mathcal {A}\) produces a valid signature satisfying Eq. 7 while \(G^{(b)}\ne g\) (and then \(\hat{H}^{(b)}\ne \hat{h}\)) in at least one of the following situations: in any pre-challenge decryption query, or in the challenge phase with \({C}_0\) or \({C}_1\). In other words, we reject all the ciphertexts that are valid in the sense of Game 5 but for which \({\pi }^{(b)}_{ss}\) is a valid proof of a false statement. As a result, we abort and output 0 if the adversary successfully creates a valid but dishonest signature \((A^{(b)}, B^{(b)})\) on a message different from (1, 1). We have \(\mid \Pr [S_6] - \Pr [S_5] \mid \le \Pr [F_6]\).

    To compute \(\Pr [F_6]\), let \((A^\dagger , B^\dagger )\) be the honest signature on \(g/{G^{(b)}}\), that is, \((A^\dagger , B^\dagger ) = \textsf{Sign}({\textsf {sk}}_{{\textsf {lhsp}}}, (g/{G^{(b)}}, (g/{G^{(b)}})^\tau ))\). There are two cases in which \(F_6\) can occur: (1) the adversary \(\mathcal {A}\) correctly guesses \((A^{(b)}, B^{(b)}) = (A^\dagger , B^\dagger )\), which happens with probability 1/p, or (2) \((A^{(b)}, B^{(b)}) \ne (A^\dagger , B^\dagger )\) is a valid but dishonest signature on \((g/{G^{(b)}}, (g/{G^{(b)}})^\tau )\). In the second case, both \((A^\dagger , B^\dagger )\) and \((A^{(b)}, B^{(b)})\) satisfy Eq. 7 with the same right-hand side member. This yields an SXDH distinguisher. We thus have \(\Pr [F_6] \le 1/p + (1-1/p)\epsilon _{sxdh} \le 1/p + \epsilon _{sxdh}\), and therefore \(\mid \Pr [S_6] - \Pr [S_5] \mid \le 1/p + \epsilon _{sxdh}\).

  • \(\textsf {Game}_{7}(\lambda )\): This game is the same as Game 6 except that we introduce a failure event that occurs when \(\mathcal {A}\) produces a valid signature with \(G^{(i)}\ne g\) in a post-challenge decryption query with Trace(PK, \(C^{(i)}\)) \(\ne \) opk \(^*\). Similarly to the previous game, when receiving \(\textbf{C}_A^{(i)}, \textbf{C}_B^{(i)}, \textbf{C}_G^{(i)}\) from the adversary in a decryption query, we extract some \(A^{(i)}, B^{(i)}, G^{(i)} \in \mathbb G\). Since \(\mathcal {A}\) has to use a different tag \(\tau \ne \tau ^*\) for post-challenge decryption queries, the message \((X^{(i)}, {X^{(i)}}^\tau ) = (g/G^{(i)}, (g/G^{(i)})^\tau )\) is not in span\(\langle (X^*, {X^*}^{\tau ^*}) \rangle \). Thanks to the unforgeability of the LHSP signature, the validity of Eq. 7 implies that the signed message is trivial, i.e., \(X^{(i)} = 1\) and \(G^{(i)} = g\). Hence, after observing a simulated proof \({\pi }^*_{ss}\) of a false statement in Game 6, the adversary is not able to produce another valid proof of a false statement. Thus, \(\mid \Pr [S_7] - \Pr [S_6] \mid \le 1/p + \epsilon _{sxdh}\).

  • \(\textsf {Game}_{8}(\lambda )\): Up to this point, if the game does not abort, no ciphertext from the adversary can contain a valid signature on a message different from \((1_{\mathbb G}, 1_{\mathbb G})\). That means all the ciphertexts that will be decrypted are honest and do not reveal any information about SK, except those provided in the challenge phase. In this game, we bring another modification to the way we generate the CPA encryption part. To make sure the challenge ciphertext \(C^*\) does not contain any information about which \(C_b\) is used in the randomization, let us write \(G_1 = g_1^{\theta ^*} \in \mathbb G\) and \(H_1 = h_1^{\theta ^*} \in \mathbb G\); since \(f_1 = g_1^{\alpha _1}h_1^{\beta _1}\), we compute \(F_1 = G_1^{\alpha _1}H_1^{\beta _1}\) using the secret key SK \(= (\alpha _1, \beta _1)\). Then \((g_1, h_1, G_1, H_1)\) forms a random DDH tuple over \(\mathbb G\). The challenge ciphertext in Game 4 is thus \(\textbf{c}^*_m =(c_0^*, c_1^*, c_2^*) = \textbf{c}_m^{(b)} \cdot (f_1, g_1, h_1)^{\theta ^*}= \textbf{c}_m \cdot (F_1, G_1, H_1)\). Now, instead of choosing \(G_1, H_1\) in this way, we pick random \(G_1, H_1 \overset{\$}{\leftarrow }\ \mathbb G\) and compute \(F_1 = G_1^{\alpha _1}H_1^{\beta _1}\), so that the tuple \((g_1, h_1, G_1, H_1)\) is a random quadruple in \(\mathbb G\). As a result, \(\textbf{c}^*_m =(c_0^*, c_1^*, c_2^*) = \textbf{c}_m \cdot (F_1, G_1, H_1)\) is no longer in the range of the honest CPA encryptions of Dec(SK, \(C_b\)) except with probability 1/p. Consequently, \(\pi ^*_\theta \) is a proof of a false statement, but it is valid since \(\hat{H} = \hat{H}^{\theta ^*} = 1\) as set in Game 4. Obviously, \(\mid \Pr [S_8] - \Pr [S_7] \mid \le \epsilon _{sxdh}\), since distinguishing the two games amounts to distinguishing a random DDH tuple from a random quadruple in \(\mathbb G\).

In fact, after observing the simulated proof \(\pi ^*_\theta \), the adversary is not able to do the same, i.e., to set \(\hat{H} = \hat{H}^{\theta ^*} = 1\). Since \(\pi ^*_b\) has to be valid, the soundness of GS proofs shows that \((G, \hat{H})\) is of the form \((g^{\bar{b}}, \hat{h}^{\bar{b}})\). However, \(G^{(b)} = g\), because the case \(G^{(b)} \ne g\) causes an abort from Game 7 on. Therefore, \(\bar{b} = 1\) and \(\hat{H} = \hat{h} \ne 1\).

To conclude, we need to compute \(\Pr [S_8]\). First, we argue that \(\mathcal {A}\)'s view in Game 8 is statistically independent of the hidden bit b. If the game aborts and outputs a random bit, the probability of returning 1 is 1/2. If there is no abort, then all the ciphertexts C submitted to decryption queries are honest, and Dec(SK, C)\( = c_0 \cdot c_1^{-\alpha _1} \cdot c_2^{-\beta _1}\) does not reveal any additional information about the secret key SK beyond what can be inferred from \(f_1 = g_1^{\alpha _1}{h}_1^{\beta _1}\) and \(F_1 = G_1^{\alpha _1}{H}_1^{\beta _1}\), where \(G_1, {H}_1\) are kept secret during the computation of the challenge ciphertext. Writing \(G_1 = g_1^y\) and \(H_1 = h_1^yf_1^z\) for random \( y, z \overset{\$}{\leftarrow }\ \mathbb Z_p\), we have \(F_1 = f_1^{y+z\beta _1}\). As a consequence, \(\textbf{c}^*_m = \textbf{c}_m^{(b)} \cdot (F_1, G_1, H_1) = (c_0^{(b)} \cdot f_1^{y+z\beta _1}, c_1^{(b)} \cdot g_1^y, c_2^{(b)} \cdot h_1^yf_1^z)\). If at least one of the two values \((y, z)\) is 0, the probability that \(\mathcal {A}\) wins is \( P_1 \le 2/p + 1/p^2\). If both \(y, z \ne 0\), \(\textbf{c}^*_m\) is a random triple over \(\mathbb G^3\), and \(\mathcal {A}\) wins with probability \(P_2 = 1/2 (1 - 2/p - 1/{p^2})\). Finally, the probability that \(\mathcal {A}\) wins in this game is \(\Pr [S_8] \le P_1 +P_2 \le 1/2 + 2/p\).
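The two randomizations compared in Game 8, and the identity \(F_1 = f_1^{y+z\beta_1}\) used in the final argument, can be checked numerically on a toy instance of the CPA part. The following is an added illustration, not the paper's implementation or the prototype mentioned in the abstract: it drops the hatted group, the pairing and the Groth-Sahai proofs, works in a tiny prime-order subgroup of \(\mathbb{Z}_P^*\) (a constructed choice, \(P = 2039\), \(Q = 1019\)), and keeps the discrete logarithm \(w\) of \(h_1\) purely as a demo trapdoor so that membership in the honest range can be decided, which nobody can do in the real scheme. It shows that multiplying by \((f_1, g_1, h_1)^{\theta^*}\) keeps the ciphertext an honest encryption, whereas multiplying by \((F_1, G_1, H_1)\) for random \(G_1, H_1\) preserves decryption (because \(F_1\) is computed with SK) but leaves the honest range.

```python
"""Toy model of the CPA part of the TREnc and of the Game 7 -> Game 8 switch.

Constructed illustration, not the paper's code: the hatted group, the pairing
and the GS proofs are dropped, and the group is a tiny prime-order subgroup
so that every value can be read by hand.
"""
import secrets

# Constructed toy group: the order-Q subgroup of Z_P^* for the safe prime P = 2Q + 1.
P = 2039   # safe prime (assumption: toy size)
Q = 1019   # prime order of the subgroup of quadratic residues
g1 = 4     # 2^2 is a quadratic residue, hence generates the order-Q subgroup


def rand_exp() -> int:
    """Uniform exponent in {1, ..., Q-1}."""
    return secrets.randbelow(Q - 1) + 1


def gen(w=None, a=None, b=None):
    """Key generation of the CPA part: h1 = g1^w, f1 = g1^a * h1^b, SK = (a, b).

    w is a demo-only trapdoor: it lets in_honest_range() decide whether
    (c1, c2) = (g1^theta, h1^theta) for a common theta.
    """
    w = rand_exp() if w is None else w
    a = rand_exp() if a is None else a
    b = rand_exp() if b is None else b
    h1 = pow(g1, w, P)
    f1 = pow(g1, a, P) * pow(h1, b, P) % P
    return (g1, h1, f1), (a, b), w


def enc(pk, M, theta=None):
    """Honest CPA encryption of a group element M: (M * f1^theta, g1^theta, h1^theta)."""
    _g1, h1, f1 = pk
    theta = rand_exp() if theta is None else theta
    return (M * pow(f1, theta, P) % P, pow(_g1, theta, P), pow(h1, theta, P))


def dec(sk, c):
    """Dec(SK, c) = c0 * c1^{-a} * c2^{-b}, the decryption rule used in the proof above."""
    a, b = sk
    c0, c1, c2 = c
    return c0 * pow(c1, -a, P) * pow(c2, -b, P) % P


def in_honest_range(c, w):
    """True iff (c1, c2) = (g1^theta, h1^theta) for some theta, i.e. c2 == c1^w."""
    return c[2] == pow(c[1], w, P)


def randomize_ddh_tuple(pk, sk, c, theta_star=None):
    """Randomization as in Game 4 through Game 7: multiply by (f1, g1, h1)^theta*.

    F1 is recomputed from SK as G1^a * H1^b; for a DDH tuple this equals f1^theta*,
    so the result is again an honest encryption of the same message.
    """
    _g1, h1, _f1 = pk
    a, b = sk
    t = rand_exp() if theta_star is None else theta_star
    G1, H1 = pow(_g1, t, P), pow(h1, t, P)
    F1 = pow(G1, a, P) * pow(H1, b, P) % P
    return (c[0] * F1 % P, c[1] * G1 % P, c[2] * H1 % P)


def randomize_random_quadruple(pk, sk, c, G1=None, H1=None):
    """Randomization as in Game 8: G1, H1 uniform, F1 = G1^a * H1^b from SK.

    Decryption is unchanged since F1 * G1^{-a} * H1^{-b} = 1, but the ciphertext
    leaves the honest range except with probability 1/Q.
    """
    a, b = sk
    G1 = pow(g1, rand_exp(), P) if G1 is None else G1
    H1 = pow(g1, rand_exp(), P) if H1 is None else H1
    F1 = pow(G1, a, P) * pow(H1, b, P) % P
    return (c[0] * F1 % P, c[1] * G1 % P, c[2] * H1 % P)


def f1_power_identity(pk, sk, y, z):
    """Checks F1 = f1^{y + z*b} for G1 = g1^y and H1 = h1^y * f1^z (final argument of the proof)."""
    _g1, h1, f1 = pk
    a, b = sk
    G1 = pow(_g1, y, P)
    H1 = pow(h1, y, P) * pow(f1, z, P) % P
    F1 = pow(G1, a, P) * pow(H1, b, P) % P
    return F1 == pow(f1, (y + z * b) % Q, P)


if __name__ == "__main__":
    pk, sk, w = gen()
    M = pow(g1, 17, P)          # constructed message, a group element
    c = enc(pk, M)
    c_ddh = randomize_ddh_tuple(pk, sk, c)
    c_rnd = randomize_random_quadruple(pk, sk, c)
    print("honest encryption:    in range =", in_honest_range(c, w), " decrypts =", dec(sk, c) == M)
    print("DDH randomization:    in range =", in_honest_range(c_ddh, w), " decrypts =", dec(sk, c_ddh) == M)
    print("random quadruple:     in range =", in_honest_range(c_rnd, w), " decrypts =", dec(sk, c_rnd) == M)
    print("F1 = f1^(y+zb):", f1_power_identity(pk, sk, rand_exp(), rand_exp()))
```

The point a reader should take from running it is the separation between the two properties: the decryption equation only ever sees \(F_1 G_1^{-\alpha_1} H_1^{-\beta_1} = 1\), so the simulator can keep answering consistently, while the well-formedness relation between \(c_1\) and \(c_2\) (which in the real scheme is what \(\pi_\theta\) certifies) is the thing the random quadruple destroys.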

In summary, we have \(\big \vert \Pr [\textsf {Exp}_\mathcal {A}^{tcca }(\lambda ) =1]-\frac{1}{2}\big \vert \le \epsilon _{cr} + 6\epsilon _{sxdh} + \frac{4}{p}.\)

1.4 Traceability

Theorem 3.3. The above scheme is traceable (Fig. 1) under the SXDH assumption. More precisely, for any adversary \(\mathcal {A}\), we have \(\Pr [\textsf {Exp}_\mathcal {A}^{trace }(\lambda ) =1] \le 5 \epsilon _{sxdh} + \frac{1}{p}.\)

Proof

Let \(\mathcal {A}\) be an efficient adversary against the traceability of our scheme. We consider a sequence of games. In Game i, we denote by \(S_i\) the event that \(\mathcal {A}\) wins by correctly guessing the internal random bit b of the game, which makes the game output 1.

  • \(\textsf {Game}_{1}(\lambda )\): This is the real game as described in the experiment Fig. 1, where (PK, SK) \(\overset{}{\leftarrow } \textsf {Gen}(1^\lambda )\). Then, \((m, {\textsf {st}}) \overset{}{\leftarrow } \mathcal {A}_1\)(PK, SK), \(C=(CT, D) \overset{}{\leftarrow }\) Enc(PK,m), and \(C^*=(CT^*, D^*) \overset{}{\leftarrow } \mathcal {A}_2({\textsf {st}}, C)\). By definition, \(S_1\) occurs if Ver(PK, \(C^*\)) \(= 1\), Dec(SK, \(C^*\)) \(\ne m\), and opk \(^*\)= Trace(PK, \(C^*\))= Trace(PK, C) = opk. Thus, \(\Pr [S_1] = \Pr [\textsf {Exp}_\mathcal {A}^{trace }(\lambda ) =1]\).

  • \(\textsf {Game}_{2}(\lambda )\): This game is as the real game except that the Groth-Sahai CRSs \(\textbf{u} = (\vec {u}_1, \vec {u}_2)\in \mathbb {G}^4\) and \(\textbf{v} = (\vec {v}_1, \vec {v}_2), \textbf{v}' = (\vec {v}'_1, \vec {v}'_2) \in \mathbb {\hat{G}}^4\) of the public key are now generated in the extractable mode. In particular, instead of picking them uniformly at random, we pick them as random Diffie-Hellman tuples over the appropriate groups. Under the DDH assumptions in \(\mathbb {G}\) and \(\mathbb {\hat{G}}\), the adversary does not notice the difference. Thus, any behavior of the adversary that distinguishes Game 1 from Game 2 yields an SXDH distinguisher. That means \(\mid \Pr [S_1] - \Pr [S_2] \mid \le 3\epsilon _{sxdh}\).

  • \(\textsf {Game}_{3}(\lambda )\): We introduce one more modification to Game 2 in the way we generate the commitment key \(\hat{g}_1, \hat{h}_1, \hat{g}_2, \hat{h}_2\) of \(\textsf {PK}\). Instead of picking them all uniformly over \(\hat{\mathbb G}\), we pick a random scalar \(x \overset{\$}{\leftarrow }\ \mathbb Z_p\) and set \((\hat{g}_2, \hat{h}_2)=(\hat{g}_1, \hat{h}_1)^x\). This modification turns the perfectly hiding commitment \((\hat{d}_1,\hat{d}_2) = (\hat{g}^m,1)\cdot (\hat{g}_1,\hat{g}_2)^r\cdot (\hat{h}_1,\hat{h}_2)^q\) into an extractable commitment \((\hat{g}^m\hat{g}_1^r\hat{h}_1^q,(\hat{g}_1^r\hat{h}_1^q)^x)\). Moreover, the last two rows of the matrix T in Eq. (5) are now linearly dependent, so that the row space of T is a 2-dimensional subspace of \(\mathbb {\hat{G}}^3\). By the SXDH assumption, we have \(\mid \Pr [S_2] - \Pr [S_3] \mid \le \epsilon _{sxdh}\).

  • \(\textsf {Game}_{4}(\lambda )\): This game is the same as the previous game except that we introduce a failure event, which causes the game to abort and output 0. When we generate \(C\leftarrow \textsf{Enc}(\textsf {PK},m)\) given m from \(\mathcal {A}_1\), we first compute \((\textsf {opk},\textsf {osk})\leftarrow \textsf{LGen}(\textsf {PK})\) and then \(C\leftarrow \textsf{LEnc}(\textsf {PK},\textsf {osk},m)\) as before, but we keep \(\textsf {osk}\). Then, as soon as we get \(C^*\) from \(\mathcal {A}_2\) with the commitment \((\hat{d}_1^*, \hat{d}_2^*)\), we extract the necessarily valid LHSP signature \(\hat{\sigma }_1^*= (\hat{Z}^*, \hat{R}^*)\) from the (now perfectly sound) GS proof and compare it to \(\hat{\sigma }_1^\dagger = \textsf{Sign}(\textsf {osk}, (\hat{g}, \hat{d}_1^*, \hat{d}_2^*))\). The failure event happens if \(\hat{\sigma }_1^*\ne \hat{\sigma }_1^\dagger \). By the property of the LHSP signature [28], two distinct signatures on the same vector allow solving the DDH problem. We thus have \(\mid \Pr [S_3] - \Pr [S_4] \mid \le \epsilon _{sxdh}\).

We conclude by showing that \(\Pr [S_4] = 1/p\). Indeed, \(S_4\) is the event that \(\mathcal {A}\) wins by correctly guessing \(\hat{\sigma }_1^* = \textsf{Sign}(\textsf {osk}, (\hat{g}, \hat{d}_1^*, \hat{d}_2^*))\) while \(m\ne \textsf{Dec}(\textsf {SK},C^*)\). That is, \((\hat{g}, \hat{d}_1^*, \hat{d}_2^*)\) is not in the 2-dimensional linear span of the row vectors of T signed in C. Since \(\textsf {osk}\) retains enough entropy after C was given to the adversary, \(\hat{Z}^\dagger \) is still unknown and uniform over \(\hat{\mathbb {G}}\). Therefore the probability of having \(\hat{Z}^* = \hat{Z}^\dagger \) is 1/p.
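The key switch of Game 3, from a perfectly hiding commitment key to an extractable one, is easy to see on a toy instance. The following is an added illustration and not the paper's code: the hatted group is replaced by the same toy prime-order subgroup of \(\mathbb{Z}_P^*\) (constructed, \(P = 2039\), \(Q = 1019\)), hats are dropped, and the pairing and GS proofs are omitted. In hiding mode the exponents of \((\hat{g}_1, \hat{h}_1, \hat{g}_2, \hat{h}_2)\) are independent, so the demo, which knows those exponents, can open a commitment to either bit; in extractable mode \((\hat{g}_2, \hat{h}_2) = (\hat{g}_1, \hat{h}_1)^x\), the linear system for re-opening is singular, and the trapdoor \(x\) recovers \(\hat{g}^m\) from \((\hat{d}_1, \hat{d}_2)\). The re-opening (equivocation) routine is standard for this kind of commitment and is the demo's own addition; the paper only uses the two modes.

```python
"""Toy model of the commitment-key switch in Game 3 of the traceability proof.

Constructed illustration, not the paper's code: the hatted group is the
order-Q subgroup of Z_P^* (hats dropped); pairing and GS proofs are omitted.
"""
import secrets

P, Q, g = 2039, 1019, 4   # constructed toy group: safe prime P = 2Q + 1, g of order Q


def rand_exp() -> int:
    """Uniform exponent in {1, ..., Q-1}."""
    return secrets.randbelow(Q - 1) + 1


def keygen_hiding(s1, t1, s2, t2):
    """Perfectly hiding mode: (g1, h1, g2, h2) = g^(s1, t1, s2, t2), independent exponents.

    The exponents are returned only so that the demo can equivocate; a real key
    holder discards them.
    """
    ck = tuple(pow(g, e, P) for e in (s1, t1, s2, t2))
    return ck, (s1, t1, s2, t2)


def keygen_extractable(s1, t1, x):
    """Extractable mode of Game 3: (g2, h2) = (g1, h1)^x with trapdoor x."""
    return keygen_hiding(s1, t1, s1 * x % Q, t1 * x % Q)


def commit(ck, m, r, q):
    """(d1, d2) = (g^m, 1) * (g1, g2)^r * (h1, h2)^q."""
    g1, h1, g2, h2 = ck
    d1 = pow(g, m, P) * pow(g1, r, P) * pow(h1, q, P) % P
    d2 = pow(g2, r, P) * pow(h2, q, P) % P
    return (d1, d2)


def extract(d, x):
    """With the trapdoor x: d2^{1/x} = g1^r * h1^q, hence g^m = d1 / d2^{1/x}."""
    d1, d2 = d
    inv_x = pow(x, -1, Q)
    return d1 * pow(d2, -inv_x, P) % P


def equivocate(logs, m, r, q, m_target):
    """Re-open the commitment to m with randomness (r, q) as a commitment to m_target.

    Solves the 2x2 linear system over Z_Q
        s1*r' + t1*q' = m - m_target + s1*r + t1*q   (exponent of d1)
        s2*r' + t2*q' = s2*r + t2*q                  (exponent of d2)
    which has a solution iff the rows (s1, s2) and (t1, t2) are independent,
    i.e. in hiding mode. Returns (r', q'), or None when the rows are dependent.
    """
    s1, t1, s2, t2 = logs
    det = (s1 * t2 - s2 * t1) % Q
    if det == 0:
        return None                      # extractable mode: d2 pins down g1^r h1^q
    u = (m - m_target + s1 * r + t1 * q) % Q
    v = (s2 * r + t2 * q) % Q
    inv = pow(det, -1, Q)
    r2 = (u * t2 - t1 * v) * inv % Q    # Cramer's rule
    q2 = (s1 * v - s2 * u) * inv % Q
    return r2, q2


if __name__ == "__main__":
    m, r, q = 1, rand_exp(), rand_exp()
    ck, logs = keygen_hiding(*(rand_exp() for _ in range(4)))
    d = commit(ck, m, r, q)
    alt = equivocate(logs, m, r, q, 0)
    print("hiding mode, same (d1, d2) opens to 0:", alt is not None and commit(ck, 0, *alt) == d)
    x = rand_exp()
    ck_x, logs_x = keygen_extractable(rand_exp(), rand_exp(), x)
    d_x = commit(ck_x, m, r, q)
    print("extractable mode, extract(d) == g^m:", extract(d_x, x) == pow(g, m, P))
    print("extractable mode, re-opening possible:", equivocate(logs_x, m, r, q, 0) is not None)
```

The singular determinant in extractable mode is the same fact the proof states in matrix form: with \((\hat{g}_2, \hat{h}_2) = (\hat{g}_1, \hat{h}_1)^x\) the last two rows of T become linearly dependent, which is exactly what lets the reduction read \(\hat{g}^m\) out of \((\hat{d}_1^*, \hat{d}_2^*)\) in Game 4.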

In summary, we have \(\Pr [\textsf {Exp}_\mathcal {A}^{trace }(\lambda ) =1] \le 5\epsilon _{sxdh} + \frac{1}{p}.\)

1.5 Verifiability

Theorem 3.4. The above TREnc is verifiable under the SXDH assumption. More precisely, for any adversary \(\mathcal {A}\), we have \(\Pr [\textsf {Exp}_\mathcal {A}^{ver }(\lambda ) =1] \le 3\epsilon _{sxdh}+\frac{1}{p}\).

Proof

Given (PK, SK) \(\leftarrow {\textsf {Gen}}(1^\lambda )\), we have to show that any ciphertext from \(\mathcal {A}\) which passes the verification equations is necessarily in the range of the honestly generated encryptions with overwhelming probability. In other words, \(\Pr [\textsf {Exp}_\mathcal {A}^{ver }(\lambda ) =1]\) is the probability that \(C \leftarrow \mathcal {A}\)(PK, SK) is not in the honest encryption range yet is considered valid, and we show that this probability is negligible.

Let \(C = (CT, D) \leftarrow \mathcal {A}\)(PK, SK) satisfying \({\textsf {Ver}(\textsf {PK},} C) = 1\), where \(CT= (\textbf{c}_m, c_r, c_q, \textbf{C}_{\hat{H}}, \textbf{C}_\theta , \pi _b, \pi _\theta )\) and \(D = (\hat{d}_1, \hat{d}_2, \textbf{C}_{\hat{M}}, \textbf{C}_M, \textbf{C}_R, \textbf{C}_Q, \textbf{C}_G, \textbf{C}_{\hat{Z}}, \textbf{C}_{\hat{R}}, \textbf{C}_A, \textbf{C}_B, {\pi }_{open}, \hat{\sigma }_2, \hat{\sigma }_3, \pi _{sig}, {\pi }_{ss}, \pi _{01}, {\textsf {opk}})\).

To show that the CPA part of CT is well formed, we rely on the soundness of the proofs related to the CRSs \(\textbf{u},\textbf{v}\). As in the TCCA proof, we switch these CRSs to the extractable mode, which leads to a security loss of \(2\epsilon _{sxdh}\). Next, we extract a witness from the valid proofs associated with \(\textbf{u},\textbf{v}\). If \((A,B,X)\ne (1,1,1)\), we abort: in that case the adversary has produced a valid LHSP signature for the public key \((\hat{f}_1, \hat{f}_2)\). By generating this pair in the key generation so that we know a corresponding secret key, we can show from the LHSP unforgeability that this happens with negligible probability \(\epsilon _{sxdh}+1/p\). From now on, we can thus assume that the extracted values satisfy \(G=g\) and \(\hat{H}=\hat{h}\). Therefore, the soundness of GS proofs allows extracting a non-trivial witness from the satisfiability of Eq. (3), which shows that \(\textbf{c}_m = (c_0, c_1, c_2)\), \(c_r\) and \(c_q\) have the expected honest structure.

The LHSP signatures and the GS proof associated with the CRS \(\textbf{v}'\) can always be explained honestly, even if it is not efficient to compute their discrete log representation. The same holds for the perfectly hiding commitment \((\hat{d}_1, \hat{d}_2)\), since we can extract the opening in Eq. (4) with respect to \(\textbf{u},\textbf{v}\), which must be consistent with the decryption of \((M, R, Q)\). Moreover, \(M=g^m\) must be a bit thanks to Eq. (8).

To conclude, we have \(\Pr [\textsf {Exp}_\mathcal {A}^{ver }(\lambda ) =1] \le 3\epsilon _{sxdh}+\frac{1}{p}.\)


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Doan, T.V.T., Pereira, O., Peters, T. (2024). Encryption Mechanisms for Receipt-Free and Perfectly Private Verifiable Elections. In: Pöpper, C., Batina, L. (eds) Applied Cryptography and Network Security. ACNS 2024. Lecture Notes in Computer Science, vol 14583. Springer, Cham. https://doi.org/10.1007/978-3-031-54770-6_11


  • DOI: https://doi.org/10.1007/978-3-031-54770-6_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54769-0

  • Online ISBN: 978-3-031-54770-6
