1 Introduction

Most cryptographic primitives are designed under the assumption that perfect uniform randomness is available. However, in practice, this is often not the case. The design of random number generators (RNGs), which are used to generate the required randomness, is a complex and difficult task, and several examples of RNGs failing in practice are known [20, 23, 24, 26, 27]. The consequences of this might be fatal, and the examples of attacks made possible by randomness failures are many (e.g. see [12, 13, 29, 32, 39]). To make matters worse, some cryptographic designs are particularly fragile with respect to randomness failures. An example of this is the DSA signature scheme [33], which allows the signing key to be recovered from two signatures on different messages constructed using the same randomness. This property enabled the compromise of the security mechanisms in the Sony Playstation 3 [12], the theft of Bitcoins from wallets managed on Android devices [16], and the recovery of TLS server signing keys from virtualized servers [39]. The latter example highlights an important aspect: even if the used RNG is not flawed by itself, randomness failures might still occur when the RNG is used in virtualized environments which enable virtual machines (including the state of the RNG) to be cloned or reset. Given the risk of randomness failures occurring in practical systems, it is prudent to design cryptographic primitives that provide resilience against these to the extent that this is possible. While it is possible to address this via generic derandomization for primitives like signature schemes (Footnote 1), this is not the case for other primitives like public key encryption, which inherently relies on randomness for security.

1.1 The Related Randomness Setting

Motivated by the challenge of designing public key encryption secure under randomness failure, Paterson et al. [34] introduced the notion of related randomness attack (RRA) security. This notion allows the adversary to control the randomness used in the encryption scheme, but still requires that messages encrypted under an honestly generated public key remain hidden, given that certain restrictions are placed on the adversary’s queries. More specifically, the RRA security game defines a set of initially well-distributed random values which are hidden to the adversary. Via an encryption oracle, the adversary will be able to request encryptions under public keys and on messages of his choice, using functions \(\phi \) of these random values. The adversary will furthermore have access to a challenge oracle, which, given two messages, consistently returns the encryption of the first or the second message under an honestly generated public key; the task of the adversary is to guess which of the messages is encrypted. However, even for the challenge encryptions, the adversary can specify functions \(\phi \) of the random values defined in the game, which will be used as randomness in the encryptions. The RRA model is inspired by the practical attacks illustrated by Ristenpart and Yilek [39], which exploits weaknesses of randomness generation in virtual machines, and furthermore captures as a special case the reset attacks by Yilek [43] in which encryptions using repeated random values are considered.

In [34], Paterson et al. showed several constructions of schemes secure in the RRA setting. Specifically, assuming the functions \(\phi \) are drawn from a function family \(\varPhi \) of output-unpredictable and collision-resistant functions (which are also necessary conditions for achieving RRA security), the simple randomized-encrypt-with-hash (REwH) scheme by Bellare et al. [6] is shown to achieve RRA security in the random oracle model (however, as will be explained below, this construction still suffers from limitations inherent to the RRA model). Furthermore, in the standard model, a generic construction based on a \(\varPhi \)-related key attack secure pseudo-random function (RKA-PRF) [7] and any standard encryption scheme is shown to yield an RRA-secure encryption scheme for functions \(\varPhi \). Using recent constructions of RKA-PRFs, e.g. [3], an encryption scheme RRA-secure for polynomial functions \(\varPhi \) can be obtained. Likewise, a generic construction based on a \(\varPhi \)-correlated input-secure (CIS) hash function [25], a standard PRF, and an encryption scheme is shown to yield an RRA-secure encryption scheme for functions \(\varPhi \), albeit in a weaker honest-key model. Furthermore, the only known standard model construction of a CIS hash function only provides selective security for polynomial functions \(\varPhi \). In more recent work, Paterson et al. [35] showed a generic construction based on a reconstructive extractor and an encryption scheme, which yields security for hard-to-invert function families, but only in a selective security model in which the adversary is forced to commit to the functions used in the security game before seeing the public key. Furthermore, the concrete construction obtained in [35] only allows the adversary to maliciously modify the randomness used by his encryption oracle; the challenge oracle is required to use uniformly distributed randomness.

Hence, the best known construction achieving a reasonable level of security in the standard model only obtains RRA-security for polynomial function families \(\varPhi \). However, it seems unlikely that the randomness relations encountered in practice can be expressed with a function class with such convenient algebraic structure. While obtaining security for more complex function classes is clearly desirable, it is challenging to construct provably secure schemes for function families without an algebraic structure that can be exploited in the proof. This challenge is additionally reflected by the current state-of-the-art RKA-secure PRFs [1, 3], which can only handle polynomial function families.

1.2 Our Results

First of all, we observe that if the function family \(\varPhi \) becomes sufficiently complex, RRA-security cannot be achieved for \(\varPhi \). More precisely, if \(\varPhi \) is sufficiently rich to be able to express the encryption function of the scheme we are considering, a direct attack against the scheme in the RRA setting becomes possible. The attack is relatively simple, and is based on the ability of the adversary to derive the randomness used in his challenge encryption with the help of his encryption oracle. Assuming the encryption scheme satisfies ordinary IND-CPA security, the attack does not violate the properties required to make the RRA-security notion meaningful, which are the equality-respecting property, output unpredictability, and collision resistance. The details of this are given in Sect. 4. At first, this might appear to contradict the results by Paterson et al. [34] regarding the REwH construction in the random oracle model. However, closer inspection reveals that the results from [34] implicitly assume that the functions \(\varPhi \) are independent of the random oracle, and hence, \(\varPhi \) will not be able to capture the encryption function of the REwH construction.

Considering the above, we revisit the security of the REwH construction in the random oracle model, and show that if additional restrictions are placed on the adversary, security can be obtained. More specifically, if the adversary respects indirect H-query uniqueness, which is a property requiring that the random oracle queries caused by the adversary’s encryption and challenge queries are all distinct, then RRA-security is obtained, even for function families \(\varPhi \) which are dependent on the random oracle, as long as the functions in \(\varPhi \) are output-unpredictable. The details of this are in Sect. 5. Our results are reminiscent of the results by Albrecht et al. [5] regarding cipher-dependent related-key attacks in the ideal cipher model.

However, the indirect H-query uniqueness property is an artificial restriction to place on the adversary, and the above result seems unsatisfactory. Furthermore, the above negative result suggests that achieving security for function families that reflect more complex operations, which might be used in random number generators, could be difficult.

Hence, to overcome this difficulty, we propose a new notion which we denote related refreshable randomness security. In this notion, we bound the number of queries an adversary can make before new entropy is added to the system, but allow an unbounded total number of queries. We refer to the periods between refreshes as epochs. Furthermore, we allow the adversary to maliciously influence how entropy is added between epochs. This is implemented by giving the adversary access to a refresh oracle through which the adversary can submit update functions \(\psi \). These functions take as input the current random values and an update seed chosen uniformly at random, and output new random values which will be used in the security game. For this update mechanism to be meaningful, we restrict the functions \(\psi \) to come from a function family \(\varPsi \) in which all functions have the property that their output has a certain level of min-entropy conditioned on the random values being updated (i.e. it is required that a certain amount of the entropy contained in the update seed will be carried over to the output of the update function). With this requirement in place, we consider adversaries who make at most n queries to their encryption and challenge oracles before querying the refresh oracle. The details of the security model are given in Sect. 3.

The related refreshable randomness setting models the arguably realistic scenario in which an attacker only has limited time to interact with a system that is in a state where no new entropy is being added to the system, and highly correlated randomness values are used for encryption. This furthermore resembles the observations made in [39] regarding virtual machine reset attacks; the attacks were only possible in a relatively short window after the virtual machine was reset, before sufficient entropy was gathered from the network, clock synchronization, and similar sources.

The related refreshable randomness setting furthermore allows us to obtain positive results in the standard model. Specifically, we construct a scheme which is secure in the related refreshable randomness setting for arbitrary function families \(\varPhi \) and \(\varPsi \) satisfying certain output unpredictability and collision resistance properties. We do, however, require the size of the function families to be bounded by an a priori known bound of the form \(2^p\), where p is a polynomial in the security parameter. This allows us to capture a rich class of functions which include, for example, the set of all functions that can be described by circuits of polynomial size. Our construction is based on the same high-level approach as taken in [34, 43], and combines a standard encryption scheme with a PRF (see below for the details). However, by relying on a new construction of a (bounded) RKA-secure PRF, we are able to prove security in the related refreshable randomness setting for much more interesting function classes than considered in [34, 43]. Notably, in contrast to our scheme, the scheme from [43] is only reset secure (\(\varPhi = \{ \texttt {id} \}\)), and the scheme from [34] only achieves selective security for polynomial functions \(\varPhi \), and hence cannot capture non-algebraic functions such as bit-flipping and bit-fixing, which are highly relevant to randomness failures in practice. The full details can be found in Sect. 7.

1.3 Technique

As highlighted above, the main tool we use to obtain our standard model encryption scheme secure in the related refreshable randomness setting is a new construction of an RKA-secure PRF. We consider this construction to be our main technical contribution. As an intermediate step, we construct (a variant of) a CIS hash function. This type of hash function was originally introduced by Goyal et al. [25]. While different security notions for CIS hash functions were introduced in [25], the one we will be concerned with here is pseudo-randomness. This notion requires that, for a hash function \(H: D \rightarrow R\) and a randomly chosen value \(x \in D\), an adversary cannot distinguish an oracle which returns \(H(\phi (x))\) for adversarially chosen functions \(\phi \), from an oracle that returns a random value from R. In [25], a construction obtaining selective security for a polynomial function family \(\varPhi \) was shown. However, we show that by bounding the number of queries to the adversary’s oracle, we can obtain a construction achieving security for a class \(\varPhi \) of arbitrary functions that are output-unpredictable and collision-resistant, where the size of \(\varPhi \) is bounded a priori. This construction is in turn based on a new flavor of the leftover hash lemma [28] for correlated inputs that might depend on the description of the hash function. Then, by applying this CIS hash function H to the key of a standard PRF \(\texttt {prf}\), we obtain a new PRF \(\texttt {prf}'(k,x) := \texttt {prf}(H(k),x)\) that provides RKA security, as long as the adversary only queries a bounded number of different key derivation functions. However, the adversary is allowed to obtain an unbounded number of evaluation results under the derived keys. The detailed proofs of security can be found in Sect. 6.

Finally, we obtain a standard model encryption scheme in the related refreshable randomness setting via the same transformation used in [34, 43]: to encrypt a message m under public key pk using randomness r, we compute \(\mathtt {Enc} (pk,m; r')\), where \(r' = \texttt {prf}'(r,pk\Vert m)\). The security properties of the constructed PRF \(\texttt {prf}'\) allow us to prove security via a hybrid argument with respect to the epochs. Note, however, that the parameters of the scheme will grow linearly in the number of queries an adversary is allowed to make in each epoch, as a description of H must be included. See Sect. 7 for the details.
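As an added illustration of this transformation (example code, not the paper's own), a toy ElGamal-style scheme with explicit coins is wrapped as \(\mathtt {Enc} (pk,m;\texttt {prf}'(r,pk\Vert m))\). It assumes SHA-256 in place of the hash H and HMAC-SHA256 in place of \(\texttt {prf}\) (the paper's H is a bounded-query CIS hash, which is not implemented here), and uses constructed toy group parameters. The ratio check exhibits the leakage of the plain scheme when the same coins are reused, e.g. after a virtual machine reset, and the last function shows why an equality-respecting restriction is needed: for fixed r, pk and m the wrapped scheme is deterministic.

```python
import hashlib
import hmac

# Constructed toy group for the demo: a Mersenne prime modulus and a fixed base.
# These parameters are far too small for real use; they only make the effect visible.
P = (1 << 61) - 1
G = 3
COIN_BYTES = 16


def keygen(sk_coins: bytes):
    """KeyGen with explicit coins: sk = x, pk = g^x mod p."""
    x = int.from_bytes(sk_coins, "big") % (P - 2) + 1
    return pow(G, x, P), x  # (pk, sk)


def pke_enc(pk: int, m: int, coins: bytes):
    """Plain Enc(pk, m; r): ciphertext (g^r, m * pk^r) with explicit coins r."""
    r = int.from_bytes(coins, "big") % (P - 2) + 1
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def pke_dec(sk: int, c):
    """Dec(sk, (c1, c2)) = c2 / c1^sk mod p (inverse via Fermat)."""
    c1, c2 = c
    return (c2 * pow(pow(c1, sk, P), P - 2, P)) % P


def prf_prime(k: bytes, x: bytes) -> bytes:
    """prf'(k, x) := prf(H(k), x), with SHA-256 standing in for H and
    HMAC-SHA256 standing in for prf (both are assumptions of this example)."""
    derived_key = hashlib.sha256(k).digest()
    return hmac.new(derived_key, x, hashlib.sha256).digest()[:COIN_BYTES]


def hedged_enc(pk: int, m: int, coins: bytes):
    """Enc(pk, m; r') with r' = prf'(r, pk || m): the transformation of the text."""
    x = pk.to_bytes(8, "big") + m.to_bytes(8, "big")
    return pke_enc(pk, m, prf_prime(coins, x))


def ratio_leaks(enc, pk: int, m0: int, m1: int, coins: bytes) -> bool:
    """Repeated-randomness check: encrypt m0 and m1 under the *same* coins and test
    whether the first components coincide and c2/c2' equals m0/m1, which lets a
    passive observer confirm a guess for one message from the other."""
    (a1, a2), (b1, b2) = enc(pk, m0, coins), enc(pk, m1, coins)
    ratio = (a2 * pow(b2, P - 2, P)) % P
    return a1 == b1 and ratio == (m0 * pow(m1, P - 2, P)) % P


def is_deterministic(enc, pk: int, m: int, coins: bytes) -> bool:
    """Same (pk, m, coins) twice: the hedged scheme repeats its ciphertext, which is
    exactly the case the equality-respecting restriction rules out for LR queries."""
    return enc(pk, m, coins) == enc(pk, m, coins)
```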

Our construction of a RKA-secure PRF, CIS hash function, and our new flavor of the leftover hash lemma, might find applications outside of related randomness security, and hence, might be of independent interest. For example, by directly applying our RKA-secure PRF in combination with the framework of Bellare et al. [8], we can obtain RKA-secure signatures, public key encryption, and identity-based encryption for function families of size bounded by \(2^p\) and with the appropriate collision-resistant and output-unpredictability properties. Security is only guaranteed for a bounded number of related key derivation queries, but the total number of allowed signatures, decryption queries, and key queries for identities, respectively, is unbounded. Furthermore, it is not hard to see that our PRF construction only requires the PRF keys to have high min-entropy (as opposed to being uniformly distributed), as long as the considered function family remains collision-resistant and output-unpredictable. This indicates that the construction can additionally tolerate leakage, and we conjecture that bounded leakage and tampering security as defined by Damgård et al. [18, 19], can be achieved.

1.4 Related Work

A number of works in the literature have considered security of various cryptographic primitives in the event of randomness failures. In the symmetric key setting, Rogaway and Shrimpton [40] considered the security of authenticated encryption in the case nonces are repeated, and Katz and Kamara [31] considered chosen randomness attacks which allow the adversary to freely choose the randomness, except for the challenge encryption. In the public key setting, Bellare et al. [6] considered hedged encryption, which remains secure as long as the joint distribution of messages and randomness contains sufficient entropy. Note that the security notion formalized for hedged encryption in [6], security against chosen distribution attacks (CDA), is incomparable to RRA-security, which does not rely on message entropy. Furthermore, whereas RRA-security allows the adversary to obtain encryptions under maliciously chosen public keys using randomness related to the randomness of the challenge encryptions, there is no equivalent in CDA-security, and CDA-security does not allow messages and randomness to depend on the public key. Additionally, the known standard model constructions of CDA-secure schemes are only shown secure for block sources, which require each message/randomness pair to have high min-entropy conditioned on all previous pairs, whereas the standard model RRA-secure schemes from [34, 35] and the schemes in this paper do not have similar restrictions. Vergnaud and Xiao [42] slightly strengthened the CDA-security considered in [6] by allowing the message/randomness pair to partly depend on the public key. Yilek [43] considered reset attacks in which encryptions with repeated randomness values might occur, and gave a construction based on a standard encryption scheme and a PRF. This is a special case of the RRA-setting. Bellare and Tackmann [11] introduced the notion of nonce-based public key encryption, and achieved a number of strong results. However, the constructions assume a stateful scheme, and are hence not applicable to a number of scenarios in which we are interested in related randomness security, e.g. virtual machine resets. Extending [6] and [11], Hoang et al. [30] considered security of hedged encryption and nonce-based public key encryption under selective opening attack.

Applebaum and Widder [4] constructed a (bounded) RKA-secure PRF for additions, while Abdalla et al. [2] constructed an RKA-secure PRF for XORs from multilinear maps. In contrast, our PRF construction achieves security for arbitrary functions satisfying collision resistance and unpredictability, for a bounded number of related keys. We stress, however, that the bound is only on the number of keys, and that our construction remains secure for an unbounded number of PRF evaluations.

2 Preliminaries

2.1 Notation and Basic Notions

Throughout the paper we will use \(\lambda \in \mathbb {N}\) to denote the security parameter, which will sometimes be written in its unary representation, \(1^{\lambda }\). Furthermore, we sometimes suppress the dependency on \(\lambda \) when \(\lambda \) is clear from the context. We denote by \(y \leftarrow x\) the assignment of the value x to y, and by \(s \leftarrow _{\$} S\) we denote the selection of an element s uniformly at random from the set S. The notation [n] represents the set \(\{1,2,\ldots ,n \}\). For an algorithm A, we denote by \(y\leftarrow A(x;r)\) that A is run with input x and random coins r, and that the output is assigned to y. For a vector \(\varvec{x} = (x_1,x_2,\ldots )\), we denote by \(A(\varvec{x})\) the vector \((A(x_1),A(x_2),\ldots )\). For a random variable X defined over a set S, we denote by \(\texttt {H}_\infty (X)\) the min-entropy of X (i.e. \(\texttt {H}_\infty (X) = - \log _2 \max _{x\in S} \Pr [X = x]\)), and for two random variables X and Y defined over the same set S, we denote the statistical distance between X and Y as \(\varDelta [X,Y]\) (i.e. \(\varDelta [X,Y] = \frac{1}{2} \sum _{s \in S} |\Pr [X = s] - \Pr [Y = s]|\)).

2.2 t-wise Independent Hash Functions

One of the basic building blocks of our construction is t-wise independent hash functions, which we define here. We furthermore recall a tail inequality for t-wise independent variables due to Bellare and Rompel [10], which we will make use of in our proofs of security.

Definition 1

(t-wise independent hash function family). Let \(\mathcal {H} = \{H \, | \, H: D \rightarrow R \}\) be a family of hash functions. \(\mathcal {H} \) is said to be a t-wise independent hash function family, if for all mutually distinct \(x_1, \dots , x_t \in D\) and all \(y_1,\dots ,y_t \in R\), it holds that \(\Pr _{H \leftarrow _{\$}\mathcal {H}}[ H(x_1) = y_1 \wedge \cdots \wedge H(x_t) = y_t] = \frac{1}{|R|^t}.\)

Theorem 1

(Tail inequality [10]). Let t be an even integer larger than 8, and let \(X_1,\ldots ,X_n\) be t-wise independent variables (Footnote 2) assuming values in the interval [0, 1]. Furthermore, let \(X = X_1 + \ldots + X_n\), \(\mu = \mathtt {E}[X]\), and \(\epsilon < 1\). Then

$$ \Pr [|X - \mu | \ge \epsilon \mu ] \le \left( \frac{t}{\epsilon ^2 \mu } \right) ^{t/2}. $$

2.3 Output Unpredictability and Collision Resistance

We will consider function families which are output-unpredictable and collision-resistant. These properties were originally defined by Bellare and Kohno [9] in the context of RKA security, and used by Paterson et al. [34] in the context of RRA security. The following definitions are slightly simplified compared to [9, 34].

Definition 2

(Output unpredictability). Let \(\varPhi = \{\phi :D \rightarrow R \}\) be a family of functions with domain \(D = D_\lambda \) and range \(R = R_\lambda \). The output unpredictability of \(\varPhi \) is defined as \(\mathsf {UP}^{\varPhi }(\lambda ) = \max _{\phi \in \varPhi , y \in R} \Pr [ x \leftarrow _{\$}D : \phi (x) = y ]\). When \(\mathsf {UP}^{\varPhi }(\lambda ) < \epsilon \) for a negligible function \(\epsilon = \epsilon (\lambda )\), we simply say that \(\varPhi \) is output-unpredictable.

Definition 3

(Collision resistance). Let \(\varPhi = \{\phi :D \rightarrow R \}\) be a family of functions with domain \(D = D_\lambda \) and range \(R = R_\lambda \). The collision resistance of \(\varPhi \) is defined as \(\mathsf {CR}^{\varPhi }(\lambda ) = \max _{\phi _1,\phi _2 \in \varPhi , \phi _1 \ne \phi _2} \Pr [ x \leftarrow _{\$}D: \phi _1(x) = \phi _2(x) ]\). When \(\mathsf {CR}^{\varPhi }(\lambda ) < \epsilon \) for a negligible function \(\epsilon = \epsilon (\lambda )\), we simply say that \(\varPhi \) is collision-resistant.

2.4 Pseudorandom Function

A pseudorandom function \(\mathtt {F}\) is given by the following three algorithms: \(\mathtt {F}.\mathtt {Setup} (1^\lambda )\) which on input the security parameter, returns public parameters par (required to describe a domain D and a range R); \(\mathtt {F}.\mathtt {KeyGen} (par)\) which, on input par, returns a key k; and \(\mathtt {F}.\mathtt {Eval} (par,k,x)\) which, on input par, key k, and input \(x \in D\), returns an output value \(y\in R\). For notational convenience, we will sometimes suppress par from the input.

We will consider the security of a pseudorandom function in a multi-key setting. This is for convenience only; by a standard hybrid argument, it is easily seen that this definition is equivalent to a definition considering a single key, as also shown by Bellare et al. [15]. We define security via the security game shown in Fig. 1.

Definition 4

Let the advantage of an adversary \(\mathcal {A} \) playing the security game in Fig. 1 with respect to a pseudorandom function \(\mathtt {F} = (\mathtt {Setup}, \mathtt {KeyGen},\mathtt {Eval})\) be defined as \(\mathtt {Adv} ^{\mathtt {PRF}}_{\mathtt {F},\mathcal {A}}(\lambda ) = 2\left| \Pr [\textsc {PRF}^{\mathtt {F}}_{\mathcal {A}}(\lambda ) \Rightarrow 1] - \frac{1}{2} \right| \). \(\mathtt {F}\) is said to be secure if for all PPT adversaries \(\mathcal {A} \), \(\mathtt {Adv} ^{\mathtt {PRF}}_{\mathtt {F},\mathcal {A}}(\lambda )\) is negligible in the security parameter \(\lambda \).

Fig. 1. Game defining security of a pseudorandom function.

2.5 Public Key Encryption

A public key encryption (PKE) scheme \(\mathtt {PKE} \) is defined by the following four algorithms: \(\mathtt {PKE}.\mathtt {Setup} (1^\lambda )\) which, on input the security parameter, returns public parameters par; \(\mathtt {PKE}.\mathtt {KeyGen} (par)\) which, on input par, returns a public/private key pair (pk, sk); \(\mathtt {PKE}.\mathtt {Enc} (par,pk,m)\) which, on input par, public key pk, and message m, returns an encryption c of m under pk; and \(\mathtt {PKE}.\mathtt {Dec} (par,sk,c)\) which, on input par, private key sk, and ciphertext c, returns either a message m or the error symbol \(\bot \). For convenience, we often suppress par from the input.

We require that a PKE scheme satisfies perfect correctness, that is, for all \(\lambda \), all \(par \leftarrow \mathtt {PKE}.\mathtt {Setup} (1^\lambda )\), all \((pk,sk) \leftarrow \mathtt {PKE}.\mathtt {KeyGen} (par)\), and all \(m \in \mathcal {M} (pk)\), it holds that \(\mathtt {PKE}.\mathtt {Dec} (sk,\mathtt {PKE}.\mathtt {Enc} (pk,m)) = m\). Security of a PKE scheme is defined via the game shown in Fig. 2.

Fig. 2. Game defining \(\mathtt {IND}\text {-}\mathtt {CCA}\) security for a PKE scheme.

Definition 5

(\(\mathtt {IND}\text {-}\mathtt {CCA}\) security). Let the advantage of an adversary \(\mathcal {A}\) playing the \(\mathtt {IND}\text {-}\mathtt {CCA}\) game with respect to a PKE scheme \(\mathtt {PKE} = (\mathtt {Setup}, \mathtt {KeyGen}, \mathtt {Enc}, \mathtt {Dec})\) be defined as \(\mathtt {Adv} ^{\mathtt {IND}\text {-}\mathtt {CCA}}_{\mathtt {PKE},\mathcal {A}}(\lambda ) = 2 \left| \Pr [{\mathrm{IND}\text {-}\mathrm{CCA}}^\mathtt {PKE} _\mathcal {A} (\lambda ) \Rightarrow 1] - \frac{1}{2} \right| . \) A scheme \(\mathtt {PKE} \) is said to be \(\mathtt {IND}\text {-}\mathtt {CCA}\) secure if for all PPT adversaries \(\mathcal {A}\), \(\mathtt {Adv} ^{\mathtt {IND}\text {-}\mathtt {CCA}}_{\mathtt {PKE},\mathcal {A}}(\lambda )\) is negligible in the security parameter \(\lambda \).

Fig. 3. Game defining indistinguishability under related refreshable randomness and chosen ciphertext attacks (\(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\)).

3 Related Refreshable Randomness Security

We will firstly define our new notion of related refreshable randomness security. This builds upon the RRA-security notion defined by Paterson et al. [34], but models a setting in which the adversary has limited time to attack a system before new entropy is added to the system. As in the original RRA security game, we consider a polynomial number of randomness values \(r_i\), and give the adversary access to an encryption oracle Enc which returns encryptions under public keys and messages of the adversary’s choice, and a challenge left-or-right oracle LR, which consistently returns the encryption of either the first or the second message of two submitted messages \(m_0\), \(m_1\), under an honestly generated challenge public key \(pk^*\). However, for both oracles, the adversary can not only specify which random value \(r_i\) to be used, but also a function \(\phi \) which will be applied to \(r_i\) before it is used (i.e. the used randomness will be \(\phi (r_i)\)). We furthermore introduce an additional oracle, Refresh, which allows the adversary to submit a function \(\psi \) that will be used to refresh the random values \(r_i\). The function \(\psi \) takes two inputs: the randomness \(r_i\) which is to be refreshed, and a seed s. Here, the seed s will be drawn uniformly at random from a seed space \(\mathcal {S} \), and \(\psi : \mathcal {R} \times \mathcal {S} \rightarrow \mathcal {R} \), where \(\mathcal {R} \) is the randomness space of the encryption scheme. The full security game is defined in Fig. 3. Note that while the security game shown in Fig. 3 is only defined for a single random value r, this is equivalent to a model defined for a polynomial number of randomness values \(r_i\) (see the full version of the paper).

Note that, by itself, introducing the Refresh oracle does not achieve the intended goal, as the adversary is not forced to query Refresh. However, we will consider a class of adversaries which make at most n \(\textsc {Enc}\) and \(\textsc {LR}\) queries between each call to \(\textsc {Refresh}\) (but are allowed to make an unrestricted number of queries to \(\textsc {Dec}\)). We will furthermore parameterize this class of adversaries by function families \(\varPhi \) and \(\varPsi \) from which an adversary is allowed to choose related randomness functions \(\phi \) and refresh functions \(\psi \), respectively, and will refer to adversaries in this class as \((n,\varPhi ,\varPsi )\)-restricted adversaries (Footnote 3). In the following definitions and proofs, we need to refer to the execution of an adversary in between two calls to Refresh, which we will denote an epoch (Footnote 4).

As in the case of RRA-security, since the defined oracles let the adversary control the randomness in the challenge encryptions, a few natural restrictions must be placed on the adversary’s queries to obtain a meaningful definition of security. Specifically, we require that an adversary is equality respecting. This is reminiscent of the restriction defined for deterministic encryption schemes [38].

Definition 6

(Equality-respecting adversary). Consider a \((n,\varPhi ,\varPsi )\)-restricted adversary \(\mathcal {A}\) playing the \(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) security game for security parameter \(\lambda \). Let \(\mathcal {M}_\mathtt {Enc} ^{\phi ,\delta }\) denote the set of messages \(\mathcal {A}\) submits to the Enc oracle for challenge public key \(pk^*\) and related randomness function \(\phi \in \varPhi \) in refresh epoch \(\delta \). Furthermore, let \((m^{\phi ,\delta ,1}_0,m^{\phi ,\delta ,1}_1), \ldots , (m^{\phi ,\delta ,q_\phi }_0,m^{\phi ,\delta ,q_\phi }_1)\) denote the messages \(\mathcal {A}\) submits to the LR oracle for function \(\phi \) in refresh epoch \(\delta \). Then \(\mathcal {A}\) is said to be equality-respecting if, for all \(\phi \in \varPhi \), for all refresh epochs \(\delta \), and for all \(i,j \in [q_\phi ]\) s.t. \(i \ne j\),

$$ m^{\phi ,\delta ,i}_0 = m^{\phi ,\delta ,j}_0 \Leftrightarrow m^{\phi ,\delta ,i}_1 = m^{\phi ,\delta ,j}_1 \quad \text {and} \quad m^{\phi ,\delta ,i}_0,m^{\phi ,\delta ,j}_1 \not \in \mathcal {M}_\mathtt {Enc} ^{\phi ,\delta }. $$

With this definition in place, we are ready to define our notion of security.

Definition 7

(\(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) Security). Let the advantage of an adversary \(\mathcal {A}\) playing the \(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) game with respect to a public key encryption scheme \(\mathtt {PKE} = (\mathtt {PKE}.\mathtt {Setup}, \mathtt {PKE}.\mathtt {KeyGen}, \mathtt {PKE}.\mathtt {Enc}, \mathtt {PKE}.\mathtt {Dec})\) be defined as:

A scheme \(\mathtt {PKE} \) is said to be \((n,\varPhi ,\varPsi )\)-\(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) secure if for all PPT \((n,\varPhi ,\varPsi )\)-restricted and equality-respecting adversaries \(\mathcal {A}\), \(\mathtt {Adv} ^{\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}}_{\mathtt {PKE},\mathcal {A}}(\lambda )\) is negligible in the security parameter \(\lambda \).

The original RRA-security notion defined in [34] can be obtained from the above definition by not allowing the adversary access to the Refresh oracle (i.e. considering only the first refresh epoch) and considering an unbounded value n. In this case, \(\varPsi \) is irrelevant, and we simply write \(\varPhi \)-\(\mathtt {IND}\text {-}\mathtt {RR}\text {-}\mathtt {CCA}\) security to denote this security notion (Footnote 5). Lastly, note that ordinary \(\mathtt {IND}\text {-}\mathtt {CCA}\) security can be obtained from the above definition by setting \(n =1\), \(\varPhi = \{\texttt {id}\}\), and \(\varPsi = \{\texttt {id}_2: (r,s) \rightarrow s \}\) (assuming \(\mathcal {S} = \mathcal {R} \)).

3.1 Basic Function Family Restrictions

Unsurprisingly, related randomness security for all function families \(\varPhi \) and \(\varPsi \) is not achievable. This is similar to the security notions for related key attacks (e.g. see [7]), which must restrict the class of related-key deriving functions that can be applied to the private key in order to become achievable. We will now establish basic restrictions which must be placed on \(\varPhi \) and \(\varPsi \) to make the \(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) notion defined above achievable.

The two basic properties we consider are output-unpredictability and collision-resistance of the functions in \(\varPhi \). However, as the \(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) security game allows the adversary to update the challenge randomness using the functions \(\varPsi \), we will consider output-unpredictability and collision-resistance of \(\varPhi \) with respect to \(\varPsi \), i.e. the functions in \(\varPhi \) must be output-unpredictable and collision-resistant even when the input is modified using functions from \(\varPsi \). In the following definitions we will use the notation \(\overline{\varPsi }^q\) to denote the q-closure of the functions in \(\varPsi \). More specifically, each function \(\overline{\psi } \in \overline{\varPsi }^q\) corresponds to q updates of a randomness value r using q functions \(\psi _1,\ldots ,\psi _q \in \varPsi \), and will take as input r and q seeds \(\overline{s} = (s_1,\ldots ,s_q)\) and return \(\overline{\psi }(r,\overline{s}) = \psi _q(\psi _{q-1}( \cdots \psi _1(r,s_1) \cdots , s_{q-1}),s_q)\). As the seeds \(s_i\) are elements of \(\mathcal {S} \), we have that \(\overline{\psi }: \mathcal {R} \times \mathcal {S} ^{q} \rightarrow \mathcal {R} \).

Definition 8

(Output-unpredictability of \(\varPhi \) w.r.t. \(\varPsi \) ). Let \(\varPhi = \{\phi : \mathcal {R} \rightarrow \mathcal {R} \}\) and \(\varPsi = \{\psi :\mathcal {R} \times \mathcal {S} \rightarrow \mathcal {R} \}\) be function families, where \(\mathcal {R} = \mathcal {R} _\lambda \) and \(\mathcal {S} = \mathcal {S} _\lambda \). For a positive integer q, the q-output-unpredictability of \(\varPhi \) with respect to \(\varPsi \) is defined as \(\mathsf {UP}^{\varPhi ,\varPsi }_q(\lambda ) = \max _{\phi \in \varPhi , \overline{\psi } \in \overline{\varPsi }^q, y \in \mathcal {R}} \Pr \left[ r \leftarrow _{\$}\mathcal {R}, \overline{s} \leftarrow _{\$}\mathcal {S} ^q : \phi (\overline{\psi }(r,\overline{s})) = y \right] \).

Definition 9

(Collision-resistance of \(\varPhi \) w.r.t. \(\varPsi \) ). Let \(\varPhi = \{\phi : \mathcal {R} \rightarrow \mathcal {R} \}\) and \(\varPsi = \{\psi :\mathcal {R} \times \mathcal {S} \rightarrow \mathcal {R} \}\) be function families, where \(\mathcal {R} = \mathcal {R} _\lambda \) and \(\mathcal {S} = \mathcal {S} _\lambda \). The collision-resistance of \(\varPhi \) with respect to \(\varPsi \) is defined as

$$\begin{aligned} \mathsf {CR}^{\varPhi ,\varPsi }_q(\lambda ) = \max _{\begin{array}{c} \phi _1,\phi _2 \in \varPhi , \overline{\psi } \in \overline{\varPsi }^q\\ \phi _1 \ne \phi _2 \end{array}} \Pr \left[ r \leftarrow _{\$}\mathcal {R}, \overline{s} \leftarrow _{\$}\mathcal {S} ^q : \phi _1(\overline{\psi }(r,\overline{s})) = \phi _2(\overline{\psi }(r,\overline{s})) \right] . \nonumber \end{aligned}$$

In [34], Paterson et al. showed that to achieve \(\varPhi \)-\(\mathtt {IND}\text {-}\mathtt {RR}\text {-}\mathtt {CCA}\) security, \(\varPhi \) is required to satisfy standard output-unpredictability and collision-resistance. Likewise, in the \(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) setting, we can show that \(\varPhi \) must be output-unpredictable and collision-resistant w.r.t. \(\varPsi \) for security to be achievable.

Theorem 2

(Necessity of \(\varPhi \) output-unpredictability w.r.t. \(\varPsi \) ). Let \(\varPsi = \{\psi :\mathcal {R} \times \mathcal {S} \rightarrow \mathcal {R} \}\) be a function family, where \(\mathcal {R} = \mathcal {R} _\lambda \) and \(\mathcal {S} = \mathcal {S} _\lambda \), and suppose that there exist a positive integer \(q = \mathsf {poly}(\lambda )\) and a non-negligible function \(\epsilon = \epsilon (\lambda )\) such that \(\mathsf {UP}^{\varPhi ,\varPsi }_q(\lambda ) > \epsilon \). Then no PKE scheme can be \((n,\varPsi ,\varPhi )\)-\(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) secure for \(n \ge 1\).

Proof

(Sketch). The proof is straightforward. Let \(\phi \in \varPhi \), \(\overline{\psi } \in \overline{\varPsi }^q\), and \(y \in \mathcal {R} \) such that . These are guaranteed to exist since \(\mathsf {UP}^{\varPhi ,\varPsi }_q(\lambda ) > \epsilon \). Consider an adversary \(\mathcal {A}\) submitting functions corresponding to \(\overline{\psi }\) as Refresh queries, and \((\phi ,m_0,m_1)\) in a following LR query. Let c be the challenge ciphertext \(\mathcal {A}\) receives. Now, let \(\mathcal {A}\) check whether \(c = \mathtt {Enc} (pk^*,m_b;y)\) for \(b =0\) and \(b= 1\), and if so, return b. Otherwise, let \(\mathcal {A}\) return a random bit. It easily follows that such an \(\mathcal {A}\) has advantage at least \(\epsilon \), which is assumed to be non-negligible, and hence the considered PKE scheme cannot be secure.   \(\square \) (Theorem 2 )

Theorem 3

(Necessity of \(\varPhi \) collision-resistance w.r.t. \(\varPsi \) ). Let \(\varPhi = \{\phi : \mathcal {R} \rightarrow \mathcal {R} \}\) and \(\varPsi = \{\psi :\mathcal {R} \times \mathcal {S} \rightarrow \mathcal {R} \}\) be function families, where \(\mathcal {R} = \mathcal {R} _\lambda \) and \(\mathcal {S} = \mathcal {S} _\lambda \). Suppose that there exist a positive integer \(q = \mathsf {poly}(\lambda )\) and a non-negligible function \(\epsilon = \epsilon (\lambda )\) such that \(\mathsf {CR}^{\varPhi ,\varPsi }_q(\lambda ) > \epsilon \). Then no PKE scheme can be \((n,\varPsi ,\varPhi )\)-\(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) secure for \(n \ge 2\).

The proof of this theorem is similar to the proof of Theorem 2 and is omitted.

Note that, without further assumptions on \(\varPsi \), queries to the Refresh oracle are not guaranteed to change the random value r used to respond to Enc and LR queries. In particular, if \(\varPsi = \{\texttt {id}_1 : (r,s) \rightarrow r\}\), the original value of r will be used in every refresh epoch, which essentially corresponds to removing the bound n on the number of Enc and LR queries. However, it is relatively easy to see that security cannot be achieved in this caseFootnote 6. Furthermore, the very idea behind introducing the \(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) security notion is to show that a guarantee that new entropy is added to the system at certain intervals can be leveraged to provide stronger security properties. Hence, we will consider a function class \(\varPsi \) for which the output \(r' \leftarrow \psi (r,s)\) of every update function \(\psi \in \varPsi \) is required to depend on the seed s, or more specifically, for which \(\psi (r,s)\) has a certain level of conditional min-entropy given r. We introduce this requirement implicitly via the following slightly stronger notions of output-unpredictability and collision-resistance of \(\varPhi \) w.r.t. \(\varPsi \). These notions require that the functions in \(\varPhi \) remain output-unpredictable and collision-resistant on input \(\psi (r',s)\), \(\psi \in \varPsi \), for a randomly chosen seed s and any value \(r'\), as opposed to a value \(r'\) obtained by choosing the initial r at random and then modifying it using a chain of update functions \(\overline{\psi } \in \overline{\varPsi }^q\) and corresponding seeds \(\overline{s} \in \mathcal {S} ^q\). We refer to these notions as seed-induced output-unpredictability and collision-resistance.

Definition 10

(Seed-induced output-unpredictability of \(\varPhi \) w.r.t. \(\varPsi \) ). Let \(\varPhi = \{\phi : \mathcal {R} \rightarrow \mathcal {R} \}\) and \(\varPsi = \{\psi :\mathcal {R} \times \mathcal {S} \rightarrow \mathcal {R} \}\) be function families, where \(\mathcal {R} = \mathcal {R} _\lambda \) and \(\mathcal {S} = \mathcal {S} _\lambda \). The seed-induced output-unpredictability of \(\varPhi \) with respect to \(\varPsi \) is defined as

$$\begin{aligned} \mathsf {sUP}^{\varPhi ,\varPsi }(\lambda ) = \max _{\phi \in \varPhi , \psi \in \varPsi , r,y \in \mathcal {R}} \Pr \left[ s \leftarrow _{\$}\mathcal {S}: \phi (\psi (r,s)) = y \right] . \nonumber \end{aligned}$$

Definition 11

(Seed-induced collision-resistance of \(\varPhi \) w.r.t. \(\varPsi \) ). Let \(\varPhi = \{\phi : \mathcal {R} \rightarrow \mathcal {R} \}\) and \(\varPsi = \{\psi :\mathcal {R} \times \mathcal {S} \rightarrow \mathcal {R} \}\) be function families, where \(\mathcal {R} = \mathcal {R} _\lambda \) and \(\mathcal {S} = \mathcal {S} _\lambda \). The seed-induced collision-resistance of \(\varPhi \) with respect to \(\varPsi \) is defined as

$$\begin{aligned} \mathsf {sCR}^{\varPhi ,\varPsi }(\lambda ) = \max _{\begin{array}{c} \phi _1,\phi _2 \in \varPhi , \psi \in \varPsi , r \in \mathcal {R} \\ \phi _1 \ne \phi _2 \end{array}} \Pr \left[ s \leftarrow _{\$}\mathcal {S}: \phi _1(\psi (r,s)) = \phi _2(\psi (r,s)) \right] . \nonumber \end{aligned}$$
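To make Definitions 8 to 11 concrete, the following added Python example (not code from the paper) computes \(\mathsf {UP}_q\), \(\mathsf {CR}_q\), \(\mathsf {sUP}\) and \(\mathsf {sCR}\) by exhaustive enumeration for small constructed families over \(\mathcal {R} = \mathcal {S} = \mathbb {Z}_{16}\); the families, including the constant function and the seed-ignoring update \(\texttt {id}_1\) discussed above, are assumptions chosen to make the effects visible.

```python
"""Exhaustive computation of the measures in Definitions 8-11 (UP_q, CR_q,
sUP, sCR) for tiny constructed families over R = S = Z_16.
Constructed example; the families are chosen to make the effects visible."""
from collections import Counter
from fractions import Fraction
from itertools import product

M = 16                      # R = S = Z_M (4-bit values, constructed)
R = range(M)
S = range(M)

# Phi: functions R -> R (constructed).  const0 is maximally predictable.
PHI = {
    "id": lambda x: x,
    "add1": lambda x: (x + 1) % M,
    "double": lambda x: (2 * x) % M,
    "const0": lambda x: 0,
}
# Psi: update functions R x S -> R (constructed).  id_1 ignores the seed.
PSI = {
    "id_1": lambda r, s: r,
    "xor": lambda r, s: r ^ s,
    "add": lambda r, s: (r + s) % M,
}

def without(family, name):
    """Copy of a family with one member removed."""
    return {k: v for k, v in family.items() if k != name}

def refreshed_inputs(psi_chain, q):
    """All values bar_psi(r, s_bar) for r in R and s_bar in S^q, i.e. the
    q-closure element psi_q(... psi_1(r, s_1) ..., s_q) over every input."""
    xs = []
    for r in R:
        for seeds in product(S, repeat=q):
            x = r
            for psi, s in zip(psi_chain, seeds):
                x = psi(x, s)
            xs.append(x)
    return xs

def max_point_mass(values):
    """Probability of the most likely value in a uniformly weighted list."""
    return Fraction(Counter(values).most_common(1)[0][1], len(values))

def collision_prob(f1, f2, xs):
    return Fraction(sum(f1(x) == f2(x) for x in xs), len(xs))

def up_q(phi, psi, q):
    """Definition 8: max over phi, bar_psi, y of Pr[phi(bar_psi(r, s_bar)) = y]."""
    best = Fraction(0)
    for chain in product(psi.values(), repeat=q):
        xs = refreshed_inputs(chain, q)
        best = max(best, *(max_point_mass([f(x) for x in xs]) for f in phi.values()))
    return best

def cr_q(phi, psi, q):
    """Definition 9: max over phi_1 != phi_2, bar_psi of Pr[phi_1(x) = phi_2(x)]."""
    best = Fraction(0)
    for chain in product(psi.values(), repeat=q):
        xs = refreshed_inputs(chain, q)
        for (n1, f1), (n2, f2) in product(phi.items(), repeat=2):
            if n1 != n2:
                best = max(best, collision_prob(f1, f2, xs))
    return best

def seed_induced(phi, psi):
    """Definitions 10 and 11: r is a worst-case fixed value, only s is random.
    Returns (sUP, sCR)."""
    sup = scr = Fraction(0)
    for g in psi.values():
        for r in R:
            xs = [g(r, s) for s in S]
            sup = max(sup, *(max_point_mass([f(x) for x in xs]) for f in phi.values()))
            for (n1, f1), (n2, f2) in product(phi.items(), repeat=2):
                if n1 != n2:
                    scr = max(scr, collision_prob(f1, f2, xs))
    return sup, scr

if __name__ == "__main__":
    phi = without(PHI, "const0")
    print("UP_2 / CR_2 with const0 in Phi:", up_q(PHI, PSI, 2), cr_q(PHI, PSI, 2))
    print("UP_2 / CR_2 without const0:   ", up_q(phi, PSI, 2), cr_q(phi, PSI, 2))
    print("sUP / sCR with id_1 in Psi:   ", seed_induced(phi, PSI))
    print("sUP / sCR without id_1:       ", seed_induced(phi, without(PSI, "id_1")))
```

With \(\texttt {id}_1 \in \varPsi \) both seed-induced measures become 1 even though \(\mathsf {UP}_2\) and \(\mathsf {CR}_2\) stay small, which is exactly why the seed-induced notions are needed.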

4 Restrictions on the Complexity of Function Families

We will now turn our attention to function families which satisfy the basic output-unpredictability and collision-resistance properties, but for which security nevertheless cannot be achieved.

More specifically, when \(\varPhi \) and \(\varPsi \) become rich enough to express the encryption function itself of a scheme, a direct attack against the scheme becomes possible. This is reminiscent of the results by Albrecht et al. [5] regarding cipher-dependent related-key attacks in the ideal cipher model. The attack is based on the ability of an adversary to force the challenge encryption to be constructed using a value which can be obtained through the Enc and LR oracles available to the adversary. This is captured by the following theorem.

Theorem 4

Let \(\mathtt {PKE} = (\mathtt {Setup},\mathtt {KeyGen},\mathtt {Enc},\mathtt {Dec})\) be a public key encryption scheme, and let \(\varPhi \) be a family of functions such that \(\mathtt {id} \in \varPhi \) and \(f(\mathtt {Enc} (pk,m;\cdot )) \in \varPhi \) for some public key pk, message m, and a mapping function \(f:\mathcal {C} \rightarrow \mathcal {R} \), where \(\mathcal {C}\) and \(\mathcal {R} \) are the ciphertext space and randomness space of \(\mathtt {PKE} \), respectively. Then \(\mathtt {PKE} \) cannot be \((n,\varPsi ,\varPhi )\)-\(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) secure for any \(n \ge 2\) and any function family \(\varPsi \).

Proof

The proof is straightforward. Since it is assumed that \(f(\mathtt {Enc} (pk,m;\cdot )) \in \varPhi _\lambda \), an adversary would be able to submit \(\phi (\cdot ) = f(\mathtt {Enc} (pk,m;\cdot ))\) and two distinct messages, \(m_0\) and \(m_1\), in a LR query to obtain the challenge encryption \(c^* = \mathtt {Enc} (pk^*,m_b;f(\mathtt {Enc} (pk,m;r)))\), where \(pk^*\) is the challenge public key, b is the challenge bit, and r is the random value chosen in the \(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) game. Then, by submitting \((pk,m,\mathtt {id})\) to his encryption oracle Enc, the adversary will obtain \(c_r = \mathtt {Enc} (pk,m;r)\) and can compute \(\tilde{r} = f(c_r)\). Finally, the adversary can compute \(c_0 = \mathtt {Enc} (pk^*,m_0;\tilde{r})\) and \(c_1 = \mathtt {Enc} (pk^*,m_1;\tilde{r})\), and by testing whether \(c_0 = c^*\) or \(c_1 = c^*\), he will learn the challenge bit b.   \(\square \)(Theorem 4 )

Note that the only functions required in the above attack are \(f(\mathtt {Enc} (pk,m;\cdot ))\) and \(\mathtt {id}(\cdot )\). These functions are easily seen to be output-unpredictable, assuming the underlying encryption scheme in the construction is IND-CPA secure and that an appropriate mapping function f is chosen. They can likewise be seen to be collision-resistant under the same assumptions. Furthermore, it should be noted that the above theorem does not require the Refresh oracle to be queried, and hence is also true for the \(\mathtt {IND}\text {-}\mathtt {RR}\text {-}\mathtt {CCA}\) notion defined in [34].

While the above theorem holds for all encryption schemes in general, stronger results might hold for concrete schemes. In particular, even if \(f(\mathtt {Enc} (pk,m;\cdot )) \not \in \varPhi \), the structure of a concrete scheme might still allow an adversary to mount a similar attack to the above based on multiple queries to his LR and Enc oracles, for carefully selected functions. However, the \(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) security notion bounds the information an adversary can extract before the randomness is refreshed, which will allow us to construct a generic conversion of a PKE scheme achieving \(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) security for relatively large and complex function classes \(\varPhi \) and \(\varPsi \). Interestingly, the above theorem furthermore illustrates some of the limitations of the building blocks used in [34] to achieve related randomness security; see the full version of the paper for a brief discussion of this.

5 On the \(\mathtt {IND}\text {-}\mathtt {RR}\text {-}\mathtt {CCA}\) Security of REwH in the Random Oracle Model

In this section, we will revisit the \(\mathtt {IND}\text {-}\mathtt {RR}\text {-}\mathtt {CCA}\) security of the \(\mathtt {REwH} \) (Randomized-Encrypt-with-Hash) scheme in the random oracle model.

The \(\mathtt {REwH} \) scheme was introduced by Bellare et al. [6] to hedge against randomness failures, and was furthermore studied by Ristenpart and Yilek [39] in the context of virtual machine reset attacks. The basic idea of the scheme is to modify the encryption function of an existing encryption scheme to use randomness derived by hashing all the inputs to the encryption algorithm: the public key, the message, and the randomness. Assuming the hash function is a random oracle, the scheme will remain secure (in the sense of the security of the underlying encryption scheme), as long as this triple of inputs remains unpredictable to the adversary. The scheme is shown in Fig. 4.

Fig. 4. Scheme \(\mathtt {REwH} \) constructed from a PKE scheme \(\mathtt {PKE} \) and a hash family \(\mathcal {H} \). (Figure not reproduced.)

In [34], Paterson et al. showed that this scheme is additionally \(\varPhi \)-IND-RR-ATK secure assuming the underlying encryption scheme is IND-ATK secure, where ATK is either CPA or CCA, and \(\varPhi \) is both output-unpredictable and collision-resistant. Considering the impossibility result in the previous section, this might initially appear somewhat surprising. However, as already mentioned, the results in [34] implicitly assume that the functions in \(\varPhi \) are independent of the used random oracle, i.e. the functions in \(\varPhi \) cannot capture the encryption function \(\mathtt {Enc} (pk,m;r) = \mathtt {Enc} '(pk,m;H(pk,m,r))\) of the \(\mathtt {REwH} \) construction, where \(\mathtt {Enc} '\) is the encryption function of the underlying encryption scheme.

In this section, we will consider \(\varPhi \) which might depend on the random oracle, i.e. we will assume that functions in \(\varPhi \) might access the random oracle. This is reminiscent of Albrecht et al. [5], who considered RKA-security of symmetric encryption in the ideal cipher model with RKA-functions that depend on the ideal cipher. To show security in this stronger setting, we need to place additional restrictions on the adversary (as shown by the direct attack in the previous section). Here, we will consider the following limitation of the adversary’s queries.
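To make Theorem 4 and the role of random-oracle-dependent \(\varPhi \) concrete, here is an added Python model (not the paper's code) of \(\mathtt {REwH} \) over a toy ElGamal scheme: it first shows the hedge at work when the same r is reused for two messages, and then runs the Theorem 4 adversary in a one-epoch game, once against the underlying scheme and once against \(\mathtt {REwH} \) with \(\phi \) allowed to call H. The group, the mapping f, the messages and the SHA-256 stand-in for the random oracle are all constructed assumptions.

```python
"""Toy model of REwH (Sect. 5) over ElGamal, plus the direct attack of
Theorem 4 (Sect. 4) run inside a one-epoch IND-RR-CCA game.
Constructed example with toy parameters; NOT a secure implementation."""
import hashlib
import secrets

P = 2**31 - 1   # Mersenne prime: toy group Z_P^* (constructed)
G = 7           # primitive root mod P, so exponents live in Z_{P-1}
N = P - 1       # size of the randomness space R = Z_N

def keygen(sk=None):
    """Key pair for the underlying ElGamal scheme (sk may be fixed for tests)."""
    sk = secrets.randbelow(N - 1) + 1 if sk is None else sk
    return pow(G, sk, P), sk

def enc(pk, m, r):
    """Underlying scheme Enc'(pk, m; r) with explicit randomness r in Z_N."""
    return (pow(G, r, P), (m * pow(pk, r, P)) % P)

def dec(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, -sk, P)) % P

def H(pk, m, r):
    """Hash of the triple (pk, m, r) into Z_N; stands in for the random oracle."""
    digest = hashlib.sha256(f"{pk}|{m}|{r}".encode()).digest()
    return int.from_bytes(digest, "big") % N

def rewh_enc(pk, m, r):
    """REwH: Enc(pk, m; r) = Enc'(pk, m; H(pk, m, r))."""
    return enc(pk, m, H(pk, m, r))

def reuse_leak(pk, m0, m1, r):
    """Encrypt m0 and m1 under the SAME r with both schemes.  Plain ElGamal
    exposes m0 * m1^{-1} (identical first components, ratio of the second);
    REwH derives distinct randomness because the message is hashed in.
    Returns (plain_leaks, rewh_first_components_differ)."""
    (a1, a2), (b1, b2) = enc(pk, m0, r), enc(pk, m1, r)
    ratio = (a2 * pow(b2, -1, P)) % P
    plain_leaks = a1 == b1 and ratio == (m0 * pow(m1, -1, P)) % P
    (x1, _), (y1, _) = rewh_enc(pk, m0, r), rewh_enc(pk, m1, r)
    return plain_leaks, x1 != y1

class RRGame:
    """One-epoch IND-RR-CCA game: hidden randomness r, challenge key pk*,
    and LR / Enc oracles that apply an adversary-chosen phi to r."""
    def __init__(self, encrypt):
        self.encrypt = encrypt
        self.r = secrets.randbelow(N)      # hidden random value
        self.pk, self._sk = keygen()       # challenge key pair pk*
        self._b = secrets.randbelow(2)     # challenge bit (hidden)

    def lr(self, phi, m0, m1):
        return self.encrypt(self.pk, (m0, m1)[self._b], phi(self.r))

    def enc_oracle(self, pk, m, phi):
        return self.encrypt(pk, m, phi(self.r))

def theorem4_adversary(game, encrypt, m0=2, m1=3):
    """Theorem 4: if Phi contains id and f(Enc(pk, m; .)), one Enc query with
    id reveals the exact randomness the LR oracle used for the challenge."""
    pk, _ = keygen()                            # adversary's own key pair
    m = 5
    f = lambda c: (c[0] * 7919 + c[1]) % N      # some mapping f: C -> R
    phi = lambda r: f(encrypt(pk, m, r))        # assumed to lie in Phi
    c_star = game.lr(phi, m0, m1)
    r_tilde = f(game.enc_oracle(pk, m, lambda r: r))   # phi = id
    if encrypt(game.pk, m0, r_tilde) == c_star:
        return 0
    if encrypt(game.pk, m1, r_tilde) == c_star:
        return 1
    return secrets.randbelow(2)

def attack_success_rate(encrypt, trials=50):
    """Fraction of games in which the Theorem 4 adversary outputs b."""
    wins = 0
    for _ in range(trials):
        game = RRGame(encrypt)
        wins += theorem4_adversary(game, encrypt) == game._b
    return wins / trials

if __name__ == "__main__":
    pk, sk = keygen()
    print("REwH decrypts correctly:", dec(sk, rewh_enc(pk, 42, 99)) == 42)
    print("same r -> plain leaks, REwH differs:", reuse_leak(pk, 11, 13, 99))
    print("Theorem 4 attack vs ElGamal:", attack_success_rate(enc))
    print("Theorem 4 attack vs REwH (phi calls H):", attack_success_rate(rewh_enc))
```

The adversary wins with probability 1 against both schemes: once \(\phi \) may evaluate H, the hedge offers no protection, which is the restriction on \(\varPhi \) that Definition 12 below addresses.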

Definition 12

(Indirect H-query uniqueness). Consider an adversary \(\mathcal {A} \) interacting in the \(\varPhi \)-\(\mathtt {IND}\text {-}\mathtt {RR}\text {-}\mathtt {CCA}\) security game in the random oracle model. \(\mathcal {A} \) is said to respect indirect H-query uniqueness if all random oracle queries caused by \(\mathcal {A} \)’s queries to his Enc and LR oracles are unique.

Note that, in the above definition, \(\mathcal {A} \) is not restricted in terms of his queries directly to the random oracle; only the indirect queries caused by \(\mathcal {A} \)’s Enc and LR queries are restricted. With this definition in place, we can now show the following result for the \(\mathtt {REwH} \) construction.

Theorem 5

Let \(\mathtt {PKE} \) be an \(\mathtt {IND}\text {-}\mathtt {CCA} \) secure PKE scheme, and let \(\varPhi = \{\phi : \mathcal {R} \rightarrow \mathcal {R} \}\) be an output-unpredictable function family, where \(\mathcal {R} = \mathcal {R} _\lambda \) is the randomness space of \(\mathtt {PKE}.\mathtt {Enc} \). Then the \(\mathtt {REwH} \) scheme based on \(\mathtt {PKE} \) is \(\varPhi \)-\(\mathtt {IND}\text {-}\mathtt {RR}\text {-}\mathtt {CCA}\) secure against adversaries respecting indirect H-query uniqueness, assuming the hash function in the \(\mathtt {REwH} \) construction is modeled as a random oracle. More precisely, for all equality and indirect H-query uniqueness respecting adversaries \(\mathcal {A} \) making \(q_{lr} = q_{lr}(\lambda )\) LR queries, \(q_{enc} = q_{enc}(\lambda )\) Enc queries, and \(q_{RO} = q_{RO}(\lambda )\) random oracle queries, there exists an algorithm \(\mathcal {B} \) such that

$$ \mathtt {Adv} ^{\mathtt {IND}\text {-}\mathtt {RR}\text {-}\mathtt {CCA}}_{\mathtt {REwH},\mathcal {A}}(\lambda ) \le \mathtt {Adv} ^{\mathtt {IND}\text {-}\mathtt {CCA}}_{\mathtt {PKE},\mathcal {B}}(\lambda ) + 2q_{RO} (q_{lr} + q_{enc}) \cdot \mathsf {UP}^{\varPhi }(\lambda ). $$

The proof of the above theorem can be found in the full version of the paper.

Note that in the above theorem, collision resistance of \(\varPhi \) is not required. This is because the indirect H-query uniqueness property will prevent an adversary from submitting functions \(\phi _1\), \(\phi _2\) to his Enc and LR oracles, for which a collision \(\phi _1(r) = \phi _2(r)\) occurs, assuming the queried public keys and messages are the same. (If the submitted public keys and messages are different, indirect H-query uniqueness will not imply that a collision cannot occur, but this will not affect the proof, since the inputs to the random oracle will remain distinct).

The requirement that the adversary is indirect H-query uniqueness respecting might be considered to be somewhat artificial, in that there seems to be no reasonable argument for this assumption to hold for adversaries in the practical settings in which related randomness attacks might be a concern. In the following sections, we will explore the possibilities of achieving security in the standard model, under the arguably realistic assumption that the adversary can only mount a limited number of queries before new entropy is added to the system on which encryption is being done.

6 Bounded RKA and Correlated-Input Security from t-wise Independent Hash Functions

In this section, we show how to construct the building blocks needed for our standard-model \(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\)-secure PKE scheme. More concretely, we will start out by showing a key-dependent variant of the leftover hash lemma for correlated inputs. This, in turn, allows us to show that a family of t-wise independent hash functions leads to a bounded correlated-input secure function family, in the sense that a bound for the number q of correlated inputs must be known a priori. Finally, we will then show how a PRF (with public parameters) that provides \(\mathtt {RKA}\)-security as long as an adversary makes at most q related key derivation queries, can be constructed from an ordinary PRF and a q bounded correlated-input secure function family. This type of PRF will be used to construct our \(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\)-secure PKE scheme in Sect. 7. We believe that each of the intermediate results might find other applications than the construction of related randomness secure PKE scheme, and hence, might be of independent interest.

6.1 Key-Dependent Leftover Hash Lemma for Correlated Inputs

The ordinary leftover hash lemma [28] requires that the input to the hash function is chosen independently of the description of the hash function (i.e. the hash key). The first key-dependent versions of the leftover hash lemma were shown in [21, 41], and were extended to consider leakage in [14]. A “crooked” version for block sources was shown in [38].

The version of the leftover hash lemma that we will show in the following differs from the previous work in that we consider unrestricted inputs which can be both arbitrarily correlated and key-dependent. Our lemma is as follows.

Lemma 1

Let \(\mathcal {H}: D \rightarrow R\) be a family of t-wise independent hash functions where \(t > 8\) is an even number, and let \(\mathcal {X}\) be a family of collections of q (correlated) random variables \(\varvec{X} = (X_1,\ldots ,X_q)\) over D, such that \(\texttt {H}_\infty (X_i) \ge \gamma \) for all \(1 \le i \le q\), and \(\Pr [X_i = X_j] = 0\) for all \(1 \le i \ne j \le q\). Furthermore, let \(\epsilon , \delta > 0\) be such that

$$\begin{aligned} t \ge \log |\mathcal {X}| + q \log |R| + \log \frac{1}{\delta }, \quad \text {and} \quad \gamma \ge q \log |R| + 2 \log \frac{1}{\epsilon } + \log t + 2. \end{aligned}$$
(1)

Then, with probability \(1 - \delta \) over the choice of \(H \leftarrow _{\$}\mathcal {H} \),

$$ \varDelta [ H(\varvec{X}),(\underbrace{U_{R},\ldots ,U_R}_q) ] \le \epsilon $$

holds for all \(\varvec{X} \in \mathcal {X}\), where \(U_R\) denotes the uniform distribution on R.

Proof

(of Lemma 1). We start by considering a fixed collection of random variables \(\varvec{X} = (X_1,\ldots ,X_q)\) such that \(\texttt {H}_\infty (X_i) \ge \gamma \) for all \(1 \le i \le q\) and \(\Pr [X_i = X_j ] = 0\) for all \(1 \le i \ne j \le q\), and a fixed value \(\varvec{y} \in R^q\). Note that the condition of \(\varvec{X}\) implies that every coordinate of (an outcome of) \(\varvec{X}\) is always distinct. Therefore, due to the t-wise independence of \(\mathcal {H}\), and that \(q < t\), we must have that, for any \(\varvec{x}\) in the support of \(\varvec{X}\) (which is a subset of \(D^q\)),

$$\begin{aligned} \mathop {\Pr }\limits _{H \leftarrow _{\$}\mathcal {H}}[H(\varvec{x}) = \varvec{y}] = \frac{1}{|R|^q}. \end{aligned}$$
(2)

Now let \(I_{H(\varvec{x}) = \varvec{y}}\) be the indicator variable that takes on the value 1 if \(H(\varvec{x}) = \varvec{y}\) (and 0 otherwise), and let \(p_{\varvec{x}} = \Pr [\varvec{X} = \varvec{x}] \cdot I_{H(\varvec{x}) = \varvec{y}}\) and \(p = \sum _{\varvec{x} \in D^q} p_{\varvec{x}}\). The expected value of p (over the choice \(H \leftarrow _{\$}\mathcal {H} \)) is then

$$ \mathtt {E}[p] = \mathtt {E}[\sum _{\varvec{x} \in D^q} p_{\varvec{x}}] = \sum _{\varvec{x} \in D^q} \Pr [\varvec{X} = \varvec{x}] \cdot \mathtt {E}[I_{H(\varvec{x}) = \varvec{y}}] = \frac{1}{|R|^q}, $$

where the last equality follows from \(\mathtt {E}[I_{H(\varvec{x}) = \varvec{y}}] = \Pr _{H \leftarrow _{\$}\mathcal {H}}[H(\varvec{x}) = \varvec{y}] = |R|^{-q}\), which in turn follows from Eq. (2). Finally let \(P_{\varvec{x}} = 2^{\gamma } \cdot p_{\varvec{x}}\) and

$$ P = \sum _{\varvec{x} \in D^q} P_{\varvec{x}} = 2^{\gamma } p. $$

The expected value of P must then be \(\mathtt {E}[P] = 2^{\gamma } \cdot \mathtt {E}[p] = 2^{\gamma } \cdot |R|^{-q}\).

We will now apply the tail bound from Theorem 1 to P and \(\mathtt {E}[P]\) (note that the \(P_{\varvec{x}}\) values are t-wise independent due to \(\mathcal {H}\) (and thereby also \(I_{H(\varvec{x}) = \varvec{y}}\)) being t-wise independent over the choice of H). Doing so yields

$$\begin{aligned} \mathop {\Pr }\limits _{H \leftarrow _{\$}\mathcal {H}}[|P - \mathtt {E}[P]| \ge \epsilon \cdot \mathtt {E}[P]] &\le \left( \frac{t \cdot |R|^q}{\epsilon ^2 \cdot 2^\gamma } \right) ^{\frac{t}{2}} \\ &= \left( \frac{1}{2^{\gamma - 2 \log \frac{1}{\epsilon } - \log t - q \log |R|}} \right) ^{\frac{t}{2}} \\ &\le 2^{-t}, \end{aligned}$$

where the last inequality follows from the bound on \(\log |R|\) given in the theorem. Note that, due to the definition of P and p, we now have that, for any \(\epsilon > 0\),

$$\begin{aligned} \mathop {\Pr }\limits _{H \leftarrow _{\$}\mathcal {H}}\left[ \left| \mathop {\Pr }\limits _{\varvec{x} \leftarrow \varvec{X}}[H(\varvec{x}) = \varvec{y}] - \frac{1}{|R|^q} \right| \ge \frac{\epsilon }{|R|^q} \right] &= \mathop {\Pr }\limits _{H \leftarrow _{\$}\mathcal {H}}\left[ \left| p - \frac{1}{|R|^q} \right| \ge \epsilon \cdot \frac{1}{|R|^q} \right] \\ &= \mathop {\Pr }\limits _{H \leftarrow _{\$}\mathcal {H}}\left[ |P - \mathtt {E}[P]| \ge \epsilon \cdot \mathtt {E}[P] \right] \\ &\le 2^{-t}. \end{aligned}$$

The above inequality holds for any value \(\varvec{y} \in R^q\) and any set \(\varvec{X} = (X_1,\ldots ,X_q)\) of random variables over \(D^q\), satisfying the criteria given in the theorem. Taking the union bound over all possible \(\varvec{y} \in R^q\) values and all collections \(\varvec{X} \in \mathcal {X}\), yields that with probability \(1 - |\mathcal {X}| \cdot |R|^q \cdot 2^{-t}\) over the choice of H, we have that \(|\Pr [H(\varvec{x}) = \varvec{y}] - |R|^{-q}| \le \epsilon |R|^{-q}\) for all choices of \(\varvec{y} \in R^q\) and \(\varvec{X} \in \mathcal {X}\). This immediately implies that the statistical distance between \(H(\varvec{X})\) and the uniform distribution over \(R^q\), is at most \(\epsilon \).

Finally, setting \(t \ge \log |\mathcal {X}| + q \log |R| + \log 1/\delta \) ensures that \(\delta \ge |\mathcal {X}| \cdot |R|^q \cdot 2^{-t}\), as required.   \(\square \)(Lemma 1 )

6.2 Correlated-Input Secure Functions

Firstly, we will formalize the security notion of correlated-input pseudorandomness (\(\mathtt {CIPR} \)).

Definition 13

Let \(\mathcal {H} = \{H : D \rightarrow R \}\) be a family of (hash) functions with domain \(D = D_\lambda \) and range \(R = R_\lambda \), \(\varPhi = \{\phi : D \rightarrow D\}\) be a function family, and \(q = q(\lambda )\) be a positive polynomial. Then, for an adversary \(\mathcal {A} \), consider the security game shown in Fig. 5. In the game, it is required that all queries \(\phi \) submitted by \(\mathcal {A} \) belong to \(\varPhi \) and are distinct from each other. The advantage of the adversary \(\mathcal {A} \) interacting with the security game with respect to \(\mathcal {H} \) is defined to be

$$ \mathtt {Adv} ^{\mathtt {CIPR}}_{\mathcal {H},q,\mathcal {A},\varPhi }(\lambda ) = 2 \left| \Pr [\textsc {CIPR}^{\mathcal {A}, \varPhi }_{\mathcal {H},q}(\lambda ) \Rightarrow 1] - \frac{1}{2} \right| . $$

\(\mathcal {H} \) is said to be \((q, \varPhi )\)-\(\mathtt {CIPR} \) secure, if for all PPT adversaries \(\mathcal {A} \), \(\mathtt {Adv} ^{\mathtt {CIPR}}_{\mathcal {H},q,\mathcal {A},\varPhi }(\lambda )\) is negligible in the security parameter \(\lambda \).

Fig. 5. Game defining correlated-input pseudorandomness (\(\mathtt {CIPR} \)) of a hash family \(\mathcal {H} \). (Figure not reproduced.)

The following theorem shows that a t-wise independent hash function family satisfies the above-defined \(\mathtt {CIPR} \) notion.

Theorem 6

(Correlated-Input Pseudorandomness of t-wise Independent Hash Functions). Let \(t = t(\lambda )\), \(p = p(\lambda )\), and \(q = q(\lambda )\) be integer-valued positive polynomials such that t is always even and larger than 8. Let \(\mathcal {H} = \{H: D \rightarrow R \}\) be a family of t-wise independent hash functions with domain \(D = D_\lambda \) and range \(R = R_\lambda \), let \(\varPhi = \{\phi : D \rightarrow D\}\) be a function family such that \(|\varPhi | \le 2^p\), and let \(\mathsf {CR}^{\varPhi }(\lambda ) \le 1/(2 \binom{q}{2})\). Furthermore, let \(\epsilon = \epsilon (\lambda )\) and \(\delta = \delta (\lambda )\) be any functions with range [0, 1] that satisfy:

$$\begin{aligned} t \ge q \cdot (p + \log |R|) + \log \frac{1}{\delta } \quad \text {and} \quad \log \frac{1}{\mathsf {UP}^{\varPhi }(\lambda )} \ge q \log |R| + 2 \log \frac{1}{\epsilon } + \log t + 3. \end{aligned}$$
(3)

Then, for all computationally unbounded adversaries \(\mathcal {A} \) that make at most q queries, we have

$$ \mathtt {Adv} ^{\mathtt {CIPR}}_{\mathcal {H},q,\mathcal {A},\varPhi }(\lambda ) \le 2 \cdot |R|^{q-1} \cdot \left( \epsilon + \delta + \binom{q}{2} \cdot \mathsf {CR}^{\varPhi }(\lambda ) \right) . $$

The above theorem immediately gives us the following corollary:

Corollary 1

Let \(t = t(\lambda )\), \(p = p(\lambda )\), and \(q = q(\lambda )\) be integer-valued positive polynomials such that t is always even and larger than 8. Let \(\mathcal {H} = \{H : D \rightarrow R\}\) be a family of t-wise independent hash functions with domain \(D = D_\lambda \) and range \(R = R_\lambda \) such that \(|D| \ge |R| = O(2^{\lambda })\). Let \(\varPhi = \{\phi : D \rightarrow D \}\) be a function family such that \(|\varPhi | \le 2^p\). Assume that

$$\begin{aligned} t &\ge pq + (2q - 1) \log |R| + \lambda , \nonumber \\ \mathsf {UP}^{\varPhi }(\lambda ) &\le |R|^{-(3q -2) } \cdot 2^{-(2\lambda + O(\log \lambda ))}, \\ \mathsf {CR}^{\varPhi }(\lambda ) &\le \binom{q}{2}^{-1} \cdot |R|^{-(q-1)} \cdot 2^{-\lambda }. \nonumber \end{aligned}$$
(4)

Then, for all computationally unbounded adversaries \(\mathcal {A} \) that make at most q queries, and for sufficiently large \(\lambda \), we have

$$ \mathtt {Adv} ^{\mathtt {CIPR}}_{\mathcal {H},q,\mathcal {A},\varPhi }(\lambda ) \le 6 \cdot 2^{-\lambda }. $$

Proof

(of Corollary 1). We set \(\epsilon = \delta = |R|^{-(q-1)} \cdot 2^{-\lambda }\) in Theorem 6. Then, the assumption on t in Eq. (4) implies the condition required for t in Eq. (3). Furthermore, since p, q, and \(\log |R|\) are all polynomials of \(\lambda \), we have \(\log t = O(\log \lambda )\). This fact, combined with the assumption on \(\mathsf {UP}^{\varPhi }(\lambda )\) in Eq. (4), implies that \(\mathsf {UP}^{\varPhi }(\lambda )\) satisfies the condition required for it in Eq. (3) for all sufficiently large \(\lambda \). Therefore, we can now invoke Theorem 6: for all computationally unbounded adversaries \(\mathcal {A} \) that make at most q queries, and for all sufficiently large \(\lambda \), we have

$$\begin{aligned} \mathtt {Adv} ^{\mathtt {CIPR}}_{\mathcal {H},q,\mathcal {A},\varPhi }(\lambda ) &\le 2 \cdot |R|^{q-1} \cdot \left( \epsilon + \delta + \binom{q}{2} \cdot \mathsf {CR}^{\varPhi }(\lambda ) \right) \\ &\le 2 \cdot |R|^{q-1} \cdot \left( |R|^{-(q-1)} \cdot 2^{-\lambda } + |R|^{-(q-1)} \cdot 2^{-\lambda } + |R|^{-(q-1)} \cdot 2^{-\lambda } \right) \\ &= 6 \cdot 2^{-\lambda }, \end{aligned}$$

as required.   \(\square \)(Corollary 1 )

Now, we proceed to the proof of Theorem 6. The proof consists of two steps. Firstly, we will make use of our variant of the leftover hash lemma (Lemma 1) to show that a t-wise independent hash function family \(\mathcal {H} \) satisfies a weaker “non-adaptive” version of correlated-input pseudorandomness, which we denote \(\mathtt {naCIPR} \), in which an adversary has to submit all of his hash queries at once, in parallel. Then we make use of complexity leveraging to move from \(\mathtt {naCIPR} \) security to the full \(\mathtt {CIPR} \) security (this step causes the loss factor \(|R|^{q-1}\) appearing in the upper bound on an adversary’s advantage shown in the theorem).

Proof

(of Theorem 6). We firstly consider the “non-adaptive” version of the \(\mathtt {CIPR} \) game shown in Fig. 5, in which an adversary \(\mathcal {A} \) has to submit its hash queries non-adaptively (i.e. in parallel). That is, an adversary \(\mathcal {A} \), on input \(1^{\lambda }\) and H, submits a set of functions \((\phi _i)_{i \in [q]}\) all at once to the hash oracle \(\textsc {Hash}\), and receives the set of answers \((h_i)_{i \in [q]}\) where each \(h_i\) is either the real hash value \(H(\phi _i(x))\) or a random value chosen uniformly from the range R of H. Let us denote by \(\mathtt {Adv} ^{\mathtt {naCIPR}}_{\mathcal {H},q,\mathcal {A},\varPhi }\) the advantage of an adversary \(\mathcal {A} \) in this game.

By using Lemma 1, we show that the advantage of any computationally unbounded non-adaptive adversary is bounded as stated in the following lemma:

Lemma 2

Under the same setting as in Theorem 6, for all computationally unbounded adversaries \(\mathcal {A} \) that make at most \(q = q(\lambda )\) queries, we have

$$\begin{aligned} \mathtt {Adv} ^{\mathtt {naCIPR}}_{\mathcal {H},q,\mathcal {A},\varPhi }(\lambda ) \le 2 \left( \epsilon + \delta + \genfrac(){0.0pt}1{q}{2} \cdot \mathsf {CR}^{\varPhi }(\lambda ) \right) . \end{aligned}$$
(5)

Proof

(of Lemma 2). We first introduce several necessary definitions: for a security parameter \(\lambda \), a hash function \(H \in \mathcal {H} \), and a deterministic non-adaptive adversary \(\mathcal {A} \) that runs in the \(\mathtt {naCIPR} \) game and makes q queries, let \((\phi _1, \dots , \phi _q)\) be the functions submitted by \(\mathcal {A} (1^{\lambda },H)\) in \(\mathcal {A} \)’s non-adaptive parallel query.\(^{7}\) Note that since we are considering a deterministic adversary \(\mathcal {A} \), once we fix \(\mathcal {A} \) and \(H \in \mathcal {H} \), the functions \((\phi _1, \dots , \phi _q)\) are determined without any ambiguity.

Let \(\mathsf {NoColl}_{\mathcal {A},H} \subseteq D\) be the subset of D that consists of “collision-free” elements with respect to \(\mathcal {A} \) and H, in the following sense:

$$ \mathsf {NoColl}_{\mathcal {A},H} := \Bigl \{~x \in D~\Big \vert ~\forall i,j \in [q]~\mathrm {s.t.}~i \ne j : \phi _i(x) \ne \phi _j(x)~\Bigr \}, $$

where each \(\phi _i\) is the i-th function that appears in \(\mathcal {A} \)’s parallel query on input \((1^{\lambda }, H)\). Note that if we pick \(x \in D\) uniformly at random, the probability that \(\phi _i(x) = \phi _j(x)\) occurs for some pair (i, j) with \(1 \le i \ne j \le q\) is upper bounded by \(\genfrac(){0.0pt}1{q}{2} \cdot \mathsf {CR}^{\varPhi }(\lambda )\). This implies \(\Pr _{x \leftarrow _{\$}D}[x \in \mathsf {NoColl}_{\mathcal {A},H}] \ge 1-\genfrac(){0.0pt}1{q}{2} \cdot \mathsf {CR}^{\varPhi }(\lambda )\). Equivalently, we have

$$\begin{aligned} |\mathsf {NoColl}_{\mathcal {A},H}| \ge (1 - \genfrac(){0.0pt}1{q}{2} \cdot \mathsf {CR}^{\varPhi }(\lambda )) \cdot |D| \ge \frac{1}{2} \cdot |D|, \end{aligned}$$
(6)

where in the last inequality we use \(\mathsf {CR}^{\varPhi }(\lambda ) \le 1/(2 \genfrac(){0.0pt}1{q}{2})\).

Then, we define the random variable \(\varvec{X}_{\mathcal {A},H} = (X_1, \dots , X_q)\), defined over \(D^q\), as follows:

$$\begin{aligned} \varvec{X}_{\mathcal {A},H} = (X_1, \dots , X_q) := \Bigl \{ x \leftarrow _{\$}\mathsf {NoColl}_{\mathcal {A},H};~\forall i \in [q] : x_i \leftarrow \phi _i(x) : (x_1, \dots , x_q) \Bigr \}. \end{aligned}$$
(7)

We then define \(\mathcal {X}\) to be the set consisting of the random variables \(\varvec{X}_{\mathcal {A},H}\) for all possible deterministic non-adaptive adversaries \(\mathcal {A} \) and all hash functions \(H \in \mathcal {H} \). Namely, we define

$$\begin{aligned} \mathcal {X} := \bigcup _{\mathcal {A}} \Bigl \{~\varvec{X}_{\mathcal {A},H}~\Big \vert H \in \mathcal {H} \Bigr \}, \end{aligned}$$
(8)

where the union is taken over all possible non-adaptive adversaries \(\mathcal {A} \).

We note that each \(\phi _i\) in an adversary \(\mathcal {A} \)’s parallel query belongs to the set \(\varPhi \) (no matter what the adversary \(\mathcal {A} \) is and no matter what hash function \(H \in \mathcal {H} \) \(\mathcal {A} \) receives), and note also that \(|\varPhi | \le 2^p\) holds. Therefore, the number of distinct random variables \(\varvec{X}_{\mathcal {A},H}\) is at most \((2^p)^q = 2^{pq}\), namely, we have \(|\mathcal {X}| \le 2^{pq}\). Furthermore, note also that by definition, we have \(\Pr [X_i = X_j] = 0\) for all \(i \ne j \in [q]\) and all \(\varvec{X}_{\mathcal {A},H} = (X_1, \dots , X_q) \in \mathcal {X}\) (no matter what \(\mathcal {A} \) is and no matter what hash function \(H \in \mathcal {H} \) \(\mathcal {A} \) receives).

We now consider the min-entropy of each coordinate \(X_i\) of the random variables \(\varvec{X}_{\mathcal {A},H} \in \mathcal {X}\). By applying the lemma by Dodis and Yu [22, Lemma 1] and Eq. (6), for every \(\phi \in \varPhi \) and \(y \in D\), we have

$$\begin{aligned} \mathop {\Pr }\limits _{x \leftarrow _{\$}\mathsf {NoColl}_{\mathcal {A},H}}[\phi (x) = y] \le \frac{|D|}{|\mathsf {NoColl}_{\mathcal {A},H}|} \cdot \mathop {\Pr }\limits _{x \leftarrow _{\$}D}[\phi (x) = y] \le 2 \cdot \mathop {\Pr }\limits _{x \leftarrow _{\$}D}[\phi (x) = y].\quad \end{aligned}$$
(9)

Furthermore, by definition \(\max _{y \in D} \{ \Pr _{x \leftarrow _{\$}D}[\phi (x) = y] \} \le \mathsf {UP}^{\varPhi }(\lambda )\) holds for every \(\phi \in \varPhi \). By combining this with Eq. (9), for every \(i \in [q]\), we have

$$\begin{aligned} \texttt {H}_\infty (X_i)&= - \log \Bigl ( \max _{y \in D} \Bigl \{ \Pr _{x \leftarrow _{\$}\mathsf {NoColl}_{\mathcal {A},H}}[\phi _i(x) = y] \Bigr \} \Bigr ) \nonumber \\&\ge - \log \left( \max _{y \in D} \Bigl \{ 2 \cdot \Pr _{x \leftarrow _{\$}D}[\phi _i(x) = y] \Bigr \} \right) \ge \log \frac{1}{2 \mathsf {UP}^{\varPhi }(\lambda )}. \end{aligned}$$
(10)

In words, we have seen that for all random variables \(\varvec{X} = (X_1, \dots , X_q) \in \mathcal {X}\), the min-entropy of each \(X_i\) is lower bounded by \(\log (1/(2\mathsf {UP}^{\varPhi }(\lambda )))\).

For a number \(\epsilon ' > 0\), define the set \(\mathsf {GoodHash}_{\epsilon '} \subseteq \mathcal {H} \) by

$$ \mathsf {GoodHash}_{\epsilon '} := \Bigl \{~H \in \mathcal {H} ~\Big \vert ~\forall \varvec{X} \in \mathcal {X} : \varDelta [ H(\varvec{X}),(\underbrace{U_{R},\ldots ,U_R}_q) ] \le \epsilon '~\Bigr \}. $$

Recall that \(|\mathcal {X}| \le 2^{pq}\). Hence, by Eq. (10), if \(\delta ' >0\) is a number such that

$$ t \ge q \cdot (\log |R| + p) + \log \frac{1}{\delta '} \quad \text {and} \quad \log \frac{1}{2 \cdot \mathsf {UP}^{\varPhi }(\lambda )} \ge q \log |R| + 2 \log \frac{1}{\epsilon '} + \log t + 2, $$

then the condition on t in Eq. (1) in Lemma 1 is satisfied. Furthermore, due to Eq. (10) and the assumption on \(\log (1/\mathsf {UP}^{\varPhi }(\lambda ))\) in Lemma 2, all random variables \(\varvec{X} = (X_1, \dots , X_q) \in \mathcal {X}\) satisfy the second condition (i.e. the lowerbound on the min-entropy in each entry \(X_i\)) in Eq. (1). Hence, by applying Lemma 1 to the set of variables \(\mathcal {X}\) (which we have seen satisfies all the requirements for Lemma 1), we have \(|\mathsf {GoodHash}_{\epsilon '}| \ge (1 - \delta ') \cdot |\mathcal {H} |\).

Having defined the things we need, we are now ready to show an upperbound on the advantage of all non-adaptive adversaries \(\mathcal {A} \) in the \(\mathtt {naCIPR} \) game. Fix arbitrarily a computationally unbounded adversary \(\mathcal {A} \) that makes at most q queries in the \(\mathtt {naCIPR} \) game. Fix also arbitrarily functions \(\epsilon = \epsilon (\lambda )\) and \(\delta = \delta (\lambda )\) satisfying Eq. (3). Our goal is to show that Eq. (5) is satisfied for the above \(\mathcal {A} \), and numbers \(\epsilon ' = \epsilon \), and \(\delta ' = \delta \).

Let \(\mathsf {S}\) be the event that \(\mathcal {A} \) succeeds in guessing its challenge bit (i.e. \(b' = b\) occurs), let \(\mathsf {GH}\) (which stands for “Good Hash”) be the event that the hash function H that \(\mathcal {A} \) receives satisfies \(H \in \mathsf {GoodHash}_{\epsilon }\), and let \(\mathsf {NC}\) (which stands for “No Collision”) be the event that there exist no distinct indices \(i \ne j \in [q]\) such that \(\phi _i(x) = \phi _j(x)\), where \(x \in D\) is the value chosen randomly in the non-adaptive game, and \(\phi _i\) (resp. \(\phi _j\)) is the i-th (resp. j-th) function in the parallel query \((\phi _1, \dots , \phi _q)\) submitted by \(\mathcal {A} \) on input \((1^{\lambda }, H)\).

We proceed to estimating lower and upper bounds for \(\Pr [\mathsf {S}]\). On the one hand, we have

$$\begin{aligned} \Pr [\mathsf {S}]&\ge \Pr [\mathsf {S}\wedge \mathsf {GH}\wedge \mathsf {NC}] \nonumber \\&= \Pr [\mathsf {S}| \mathsf {GH}\wedge \mathsf {NC}] \cdot \Pr [\mathsf {GH}\wedge \mathsf {NC}] \nonumber \\&= \Pr [\mathsf {S}| \mathsf {GH}\wedge \mathsf {NC}] \cdot (1 - \Pr [\overline{\mathsf {GH}} \vee \overline{\mathsf {NC}}]) \nonumber \\&\ge \Pr [\mathsf {S}| \mathsf {GH}\wedge \mathsf {NC}] - \Pr [\overline{\mathsf {GH}}] - \Pr [\overline{\mathsf {NC}}] . \end{aligned}$$
(11)

On the other hand, we have

$$\begin{aligned} \Pr [\mathsf {S}]&= \Pr [\mathsf {S}\wedge \mathsf {GH}\wedge \mathsf {NC}] + \Pr [\mathsf {S}\wedge (\overline{\mathsf {GH}} \vee \overline{\mathsf {NC}})]\nonumber \\&\le \Pr [\mathsf {S}| \mathsf {GH}\wedge \mathsf {NC}] + \Pr [\overline{\mathsf {GH}} \vee \overline{\mathsf {NC}}]\nonumber \\&\le \Pr [\mathsf {S}| \mathsf {GH}\wedge \mathsf {NC}] + \Pr [\overline{\mathsf {GH}}] + \Pr [\overline{\mathsf {NC}}] . \end{aligned}$$
(12)

Here, by definition, we have \(\Pr [\mathsf {GH}] \ge 1 - \delta \) and \(\Pr [\mathsf {NC}] \ge 1 - \genfrac(){0.0pt}1{q}{2} \cdot \mathsf {CR}^{\varPhi }(\lambda )\), where the probabilities on the left-hand side of both inequalities are taken over the \(\mathtt {naCIPR} \) game. Furthermore, the event \(\mathsf {S}\) conditioned on \(\mathsf {GH}\) and \(\mathsf {NC}\) corresponds to the situation where \(\mathcal {A} \), on input \(1^{\lambda }\) and \(H \in \mathsf {GoodHash}_{\epsilon }\), receives \((h_1, \dots , h_q)\) that is sampled from either the distribution \(H(\varvec{X}_{\mathcal {A},H})\) where \(\varvec{X}_{\mathcal {A},H} \in \mathcal {X}\) or the uniform distribution \((U_R)^q\) over \(R^q\), and succeeds in guessing which is the case. Here, due to the definitions of \(\mathsf {GoodHash}_{\epsilon }\) and \(\varvec{X}_{\mathcal {A},H}\), the statistical distance between \(H(\varvec{X}_{\mathcal {A},H})\) and the uniform distribution \((U_R)^q\) is at most \(\epsilon \). Hence, we have

$$ \frac{1}{2} - \epsilon \le \Pr [\mathsf {S}| \mathsf {GH}\wedge \mathsf {NC}] \le \frac{1}{2} + \epsilon . $$

Combining these inequalities with Eqs. (11) and (12), we obtain

$$ - (\epsilon + \delta + \genfrac(){0.0pt}1{q}{2} \cdot \mathsf {CR}^{\varPhi }(\lambda )) \le \Pr [\mathsf {S}] - \frac{1}{2} \le \epsilon + \delta + \genfrac(){0.0pt}1{q}{2} \cdot \mathsf {CR}^{\varPhi }(\lambda ), $$

which implies

$$ \mathtt {Adv} ^{\mathtt {naCIPR}}_{\mathcal {H},q,\mathcal {A},\varPhi }(\lambda ) = 2 \left| \Pr [\mathsf {S}] - \frac{1}{2} \right| \le 2 \left( \epsilon + \delta + \genfrac(){0.0pt}1{q}{2} \cdot \mathsf {CR}^{\varPhi }(\lambda ) \right) , $$

as required. \(\square \) (Lemma 2)

Finally, as the last step of the proof of Theorem 6, we show that by a complexity leveraging argument, ordinary (adaptive) correlated-input pseudorandomness is implied by its non-adaptive version. More precisely, we show the following lemma:

Lemma 3

Let \(q = q(\lambda )\) be a positive polynomial. Let \(\mathcal {H} = \{H:D \rightarrow R\}\) and \(\varPhi = \{\phi : D \rightarrow D \}\) be families of functions with domain \(D = D_\lambda \) and ranges \(R = R_\lambda \) and D, respectively. Then, for all computationally unbounded adversaries \(\mathcal {A} \) that make q queries, there exists a computationally unbounded non-adaptive adversary \(\mathcal {B} \) that makes q queries, such that

$$\begin{aligned} \mathtt {Adv} ^{\mathtt {naCIPR}}_{\mathcal {H},q,\mathcal {B},\varPhi }(\lambda ) = \frac{1}{|R|^{q-1}} \cdot \mathtt {Adv} ^{\mathtt {CIPR}}_{\mathcal {H},q,\mathcal {A},\varPhi }(\lambda ). \end{aligned}$$
(13)

Proof

(of Lemma 3). Fix arbitrarily a positive polynomial q and a computationally unbounded adversary \(\mathcal {A} \) that runs in the \(\mathtt {CIPR} \) game and makes q queries. Using \(\mathcal {A} \) as a building block, we show how to construct another computationally unbounded adversary \(\mathcal {B} \) that runs in the \(\mathtt {naCIPR} \) game, makes exactly the same number of queries as \(\mathcal {A} \), and has the advantage stated in Eq. (13). The description of \(\mathcal {B} \) is as follows:

\(\mathcal {B} (1^{\lambda }, H)\):

\(\mathcal {B} \) first chooses \(q-1\) values \(h'_1, \dots , h'_{q-1} \leftarrow _{\$}R\) uniformly at random, and runs \(\mathcal {A} (1^{\lambda }, H)\), where \(\mathcal {B} \) answers \(\mathcal {A} \)’s i-th query \(\phi _i\) with \(h'_i\) (no matter what \(\phi _i\) is). When \(\mathcal {A} \) makes the q-th query \(\phi _q\), \(\mathcal {B} \) submits the q functions \((\phi _i)_{i \in [q]}\) as its “parallel” query to \(\mathcal {B} \)’s hash oracle, and receives the results \((h^*_i)_{i \in [q]}\). Then, \(\mathcal {B} \) proceeds as follows:

– If \(h^*_i = h'_i\) holds for all \(i \in [q-1]\), then \(\mathcal {B} \) finds that its simulation for \(\mathcal {A} \) was “good”, and returns \(h^*_q\) as the answer to \(\mathcal {A} \)’s q-th query. When \(\mathcal {A} \) terminates with output \(b'\), \(\mathcal {B} \) sets \(\sigma ' \leftarrow b'\).

– Otherwise (i.e. \(h^*_i \ne h'_i\) holds for some \(i \in [q-1]\)), \(\mathcal {B} \) decides not to use \(\mathcal {A} \)’s output, and sets \(\sigma ' \leftarrow _{\$}\{0,1\}\) uniformly at random.

Finally, \(\mathcal {B} \) terminates with output \(\sigma '\).

The above completes the description of \(\mathcal {B} \). Let \(\sigma \) be \(\mathcal {B} \)’s challenge bit in its non-adaptive game. Furthermore, let \(\mathsf {S}\) be the event that \(\sigma ' = \sigma \) occurs, and \(\mathsf {G}\) be the event that \(h^*_i = h'_i\) holds for all \(i \in [q-1]\) (where both of the events are defined in \(\mathcal {B} \)’s \(\mathtt {naCIPR} \) game). By definition, \(\mathcal {B} \)’s advantage in the \(\mathtt {naCIPR} \) game can be estimated as follows:

$$\begin{aligned} \mathtt {Adv} ^{\mathtt {naCIPR}}_{\mathcal {H},q,\mathcal {B},\varPhi }(\lambda )&= 2 \left| \Pr [\mathsf {S}] - \frac{1}{2} \right| \nonumber \\&= 2 \left| \Pr [\mathsf {S}| \mathsf {G}] \cdot \Pr [\mathsf {G}] + \Pr [\mathsf {S}| \overline{\mathsf {G}}] \cdot \Pr [\overline{\mathsf {G}}] - \frac{1}{2}(\Pr [\mathsf {G}] + \Pr [\overline{\mathsf {G}}]) \right| \nonumber \\&= 2 \left| \Pr [\mathsf {G}] \cdot (\Pr [\mathsf {S}| \mathsf {G}] - \frac{1}{2}) + \Pr [\overline{\mathsf {G}}] \cdot ( \Pr [\mathsf {S}| \overline{\mathsf {G}}] - \frac{1}{2}) \right| . \end{aligned}$$
(14)

Now, since all \(\{h'_i\}_{i \in [q-1]}\) are chosen uniformly at random, independently of \(\mathcal {A} \)’s behavior and \(\mathcal {B} \)’s challenge bit, we have \(\Pr [\mathsf {G}] = 1/|R|^{q-1}\). Moreover, once \(\mathsf {G}\) occurs, \(\mathcal {B} \) simulates the \(\mathtt {CIPR} \) game perfectly for \(\mathcal {A} \), so that \(\mathcal {A} \)’s challenge bit coincides with \(\mathcal {B} \)’s, and thus \(\Pr [\mathsf {S}| \mathsf {G}]\) is equal to the probability that \(\mathcal {A} \) succeeds in guessing the challenge bit in the \(\mathtt {CIPR} \) game. This implies \(2 |\Pr [\mathsf {S}| \mathsf {G}] - 1/2| = \mathtt {Adv} ^{\mathtt {CIPR}}_{\mathcal {H},q,\mathcal {A},\varPhi }(\lambda )\). On the other hand, if \(\mathsf {G}\) does not occur, \(\mathcal {B} \) uses a uniformly chosen random bit as its final output bit \(\sigma '\), which implies \(\Pr [\mathsf {S}| \overline{\mathsf {G}}] = 1/2\). Using the above in Eq. (14), we obtain Eq. (13), as required. \(\square \) (Lemma 3)

Theorem 6 follows from the combination of Lemmas 2 and 3. \(\square \) (Theorem 6)

6.3 Bounded RKA-Secure PRF

Finally, we show that by combining a \((q, \varPhi )\)-\(\mathtt {CIPR} \)-secure function family with a standard PRF, we obtain a PRF that provides \(\varPhi \)-RKA security, as long as an adversary uses at most q functions for deriving related keys in the security game. We stress that although the number of functions is a priori bounded by q, the number of evaluations that an adversary may observe (through \(\textsc {Eval}\) queries) is unbounded. We refer to this slightly weaker variant of \(\varPhi \)-RKA security of a PRF as \((q, \varPhi )\)-\(\mathtt {RKA}\) security.

We formally define \((q, \varPhi )\)-\(\mathtt {RKA}\) security of a PRF via the security game shown in Fig. 6. This game is a simple modification of the PRF game in Sect. 2.4. Specifically, in the \((q, \varPhi )\)-\(\mathtt {RKA}\) security game, an initial key \(k^*\) is picked, and the game maintains a counter ctr (initialized to 0) that tracks the number of related keys the adversary has requested. The oracle \(\textsc {RKD}\) (which stands for Related-Key Derivation) takes a function \(\phi \in \varPhi \) as input, increments the counter \(ctr \leftarrow ctr + 1\), computes a related key \(k_{ctr} \leftarrow \phi (k^*)\), and returns the handle ctr, which can be used in an \(\textsc {Eval}\) query to specify the index of the key under which the adversary wishes to see an evaluation result. Furthermore, like the \(\textsc {Hash}\) oracle in the \(\mathtt {CIPR} \) game, the oracle \(\textsc {RKD}\) can be used at most q times, and all functions used in \(\textsc {RKD}\) queries are required to be distinct. However, we again stress that there is no restriction on the number of queries to the \(\textsc {Eval}\) oracle.

Definition 14

Let \(\varPhi \) be a function family, and let the advantage of an adversary \(\mathcal {A} \) playing the security game in Fig. 6 with respect to a PRF \(\mathtt {F} = (\mathtt {Setup}, \mathtt {KeyGen}, \mathtt {Eval})\) be defined as

$$ \mathtt {Adv} ^{\mathtt {RKAPRF}}_{\mathtt {F},q,\mathcal {A},\varPhi }(\lambda ) = 2\left| \Pr [\textsc {RKAPRF}^{\mathtt {F}}_{q,\mathcal {A},\varPhi }(\lambda ) \Rightarrow 1] - \frac{1}{2} \right| . $$

\(\mathtt {F}\) is said to be \((q,\varPhi )\)-\(\mathtt {RKA}\) secure if for all PPT adversaries \(\mathcal {A} \), \(\mathtt {Adv} ^{\mathtt {RKAPRF}}_{\mathtt {F},q,\mathcal {A},\varPhi }(\lambda )\) is negligible in the security parameter \(\lambda \).

Fig. 6. Game defining \((q, \varPhi )\)-\(\mathtt {RKA}\) security of a PRF.

We will now show how we construct a \((q, \varPhi )\)-\(\mathtt {RKA}\) secure PRF. Let \(\mathcal {H} = \{H : D \rightarrow R\}\) be a family of functions with domain \(D = D_\lambda \) and range \(R = R_\lambda \), and let \(\mathtt {F} \) be a PRF. We assume that the key space of \(\mathtt {F} \) is R, and furthermore that \(\mathtt {F}.\mathtt {KeyGen} (par)\) just samples a uniformly random element from R, and outputs this as a key, for any par output from \(\mathtt {F}.\mathtt {Setup} (1^{\lambda })\). Using these components, we construct another pseudorandom function \(\widehat{\mathtt {F}}\) as in Fig. 7. Note that the key space of \(\widehat{\mathtt {F}}\) (when set up with the security parameter \(\lambda \)) is D (which is equal to the domain of the hash function \(H \in \mathcal {H} \)).

Fig. 7. \((q, \varPhi )\)-\(\mathtt {RKA}\)-secure PRF \(\widehat{\mathtt {F}}\) constructed from a standard PRF \(\mathtt {F} \) and a \((q, \varPhi )\)-\(\mathtt {CIPR} \)-secure function family \(\mathcal {H} \).

Theorem 7

Let \(q = q(\lambda )\) be any positive polynomial, let \(\varPhi = \{\phi : D \rightarrow D\}\) be a family of functions with domain and range \(D = D_\lambda \), and let \(\mathcal {H} = \{H : D \rightarrow R\}\) be a \((q, \varPhi )\)-\(\mathtt {CIPR} \) secure family of (hash) functions with domain D and range \(R = R_\lambda \).\(^{8}\) Let \(\mathtt {F} \) be a secure PRF with key space R (when set up with the security parameter \(\lambda \)), and with a key generation algorithm that outputs a uniformly random element from R. Then, the construction \(\widehat{\mathtt {F}}\) shown in Fig. 7 is \((q, \varPhi )\)-\(\mathtt {RKA}\) secure. More precisely, for all PPT adversaries \(\mathcal {A} \), there exist PPT adversaries \(\mathcal {B} _1\) and \(\mathcal {B} _2\), such that

$$\begin{aligned} \mathtt {Adv} ^{\mathtt {RKAPRF}}_{\widehat{\mathtt {F}},q,\mathcal {A},\varPhi }(\lambda ) \le \mathtt {Adv} ^{\mathtt {CIPR}}_{\mathcal {H},q,\mathcal {B} _1,\varPhi }(\lambda ) + \mathtt {Adv} ^{\mathtt {PRF}}_{\mathtt {F},\mathcal {B} _2}(\lambda ). \end{aligned}$$
(15)

The intuition behind the proof of this theorem is fairly simple. Recall that \((q, \varPhi )\)-\(\mathtt {CIPR} \) security of the underlying hash family \(\mathcal {H} \) essentially ensures the property that, for a randomly chosen function \(H \leftarrow _{\$}\mathcal {H} \), and for any functions \(\phi _1, \dots , \phi _q \in \varPhi \), having access to the functions \(\{\mathtt {F}.\mathtt {Eval} (H(\phi _i(k^*)), \cdot )\}_{i \in [q]}\) is indistinguishable from having access to the functions \(\{\mathtt {F}.\mathtt {Eval} (\widetilde{k}_i, \cdot )\}_{i \in [q]}\), where \(k^* \in D\) and each \(\widetilde{k}_i \in R\) are chosen uniformly at random. Then, the security of the PRF \(\mathtt {F} \) ensures that the latter is indistinguishable from having access to q independently chosen random functions. The full proof of Theorem 7 can be found in the full version of the paper.
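As an added illustration (example code written for this page, not code from the paper or its authors), the following Python program instantiates the construction of Fig. 7, \(\widehat{\mathtt {F}}.\mathtt {Eval} (k, x) = \mathtt {F}.\mathtt {Eval} (H(k), x)\) with H published as part of the parameters, together with the oracles of the \((q, \varPhi )\)-\(\mathtt {RKA}\) game of Fig. 6 (counter ctr, handles returned by \(\textsc {RKD}\), at most q distinct related-key functions, unbounded \(\textsc {Eval}\)). Assumptions not fixed by the paper: H is instantiated as a random polynomial of degree \(t-1\) over a prime field (the textbook t-wise independent family), \(\mathtt {F} \) is instantiated by HMAC-SHA256 as a stand-in PRF, \(\varPhi \) is the class of bit-flipping functions \(\phi _\Delta (k) = k \oplus \Delta \) mentioned in Sect. 7, and the field size, inputs and the names `TwiseHash`, `RKAPRF`, `RKAGame`, `prf_eval`, `bit_flip`, `make_game` and `run_real_world` are constructed for this example.

```python
import hashlib
import hmac
import random
from typing import Dict, Set, Tuple

# Example field: D = R = Z_PRIME.  A random polynomial over a prime field is
# the textbook t-wise independent family; the paper does not fix an instantiation.
PRIME = (1 << 127) - 1


class TwiseHash:
    """H(k) = a_0 + a_1 k + ... + a_{t-1} k^{t-1} mod PRIME, random a_i.

    On any t distinct inputs the outputs are uniform and independent, so the
    family is t-wise independent.  Its description is the t coefficients, i.e.
    linear in t, which is the parameter-size cost noted at the end of Sect. 7.
    """

    def __init__(self, t: int, rng: random.Random) -> None:
        self.coeffs = [rng.randrange(PRIME) for _ in range(t)]

    def __call__(self, k: int) -> int:
        acc = 0
        for a in reversed(self.coeffs):  # Horner evaluation
            acc = (acc * k + a) % PRIME
        return acc


def prf_eval(key: int, x: bytes) -> bytes:
    """Stand-in for F.Eval with key space R (assumption: HMAC-SHA256)."""
    return hmac.new(key.to_bytes(16, "big"), x, hashlib.sha256).digest()


class RKAPRF:
    """F_hat of Fig. 7: Setup samples H (published in par), KeyGen samples
    k in D, and Eval(k, x) = F.Eval(H(k), x)."""

    def __init__(self, t: int, rng: random.Random) -> None:
        self.H = TwiseHash(t, rng)

    def keygen(self, rng: random.Random) -> int:
        return rng.randrange(PRIME)

    def eval(self, k: int, x: bytes) -> bytes:
        return prf_eval(self.H(k), x)


def bit_flip(delta: int):
    """phi_delta(k) = k XOR delta; delta identifies the function, so distinct
    deltas are distinct members of the bit-flipping class Phi."""
    return lambda k: k ^ delta


class RKAGame:
    """Oracles of the (q, Phi)-RKA game of Fig. 6 for bit-flipping Phi.

    b = 1: Eval answers with F_hat under the related key k_ctr = phi(k*).
    b = 0: Eval answers with an independent random function per handle.
    RKD is limited to q distinct functions; Eval is unlimited.
    """

    def __init__(self, fhat: RKAPRF, q: int, b: int, rng: random.Random) -> None:
        self.fhat, self.q, self.b, self.rng = fhat, q, b, rng
        self.k_star = fhat.keygen(rng)
        self.ctr = 0
        self.keys: Dict[int, int] = {}          # handle -> related key
        self.used: Set[int] = set()             # deltas already queried
        self.rand_fn: Dict[Tuple[int, bytes], bytes] = {}  # lazy random functions

    def rkd(self, delta: int) -> int:
        if self.ctr >= self.q:
            raise ValueError("RKD oracle may be queried at most q times")
        if delta in self.used:
            raise ValueError("RKD functions must be distinct")
        self.used.add(delta)
        self.ctr += 1
        self.keys[self.ctr] = bit_flip(delta)(self.k_star)
        return self.ctr  # handle for later Eval queries

    def eval(self, handle: int, x: bytes) -> bytes:
        if handle not in self.keys:
            raise KeyError("unknown handle")
        if self.b == 1:
            return self.fhat.eval(self.keys[handle], x)
        if (handle, x) not in self.rand_fn:  # sample the random function lazily
            self.rand_fn[(handle, x)] = self.rng.getrandbits(256).to_bytes(32, "big")
        return self.rand_fn[(handle, x)]


def make_game(seed: int, t: int, q: int, b: int) -> Tuple[RKAPRF, RKAGame]:
    """Set up F_hat and a game instance from a seed (deterministic for the example)."""
    rng = random.Random(seed)
    fhat = RKAPRF(t, rng)
    return fhat, RKAGame(fhat, q, b, rng)


def run_real_world(seed: int = 1, t: int = 10, q: int = 3):
    """Real world (b = 1): derive three related keys (identity first) and
    evaluate them on one constructed input.  Returns the objects, the handles,
    the outputs and whether the three outputs are pairwise distinct."""
    fhat, game = make_game(seed, t, q, b=1)
    handles = [game.rkd(delta) for delta in (0, 1, 1 << 64)]
    x = b"constructed input"
    outs = [game.eval(h, x) for h in handles]
    return fhat, game, handles, outs, len(set(outs)) == len(outs)


if __name__ == "__main__":
    _, _, handles, outs, distinct = run_real_world()
    print(handles, [o.hex()[:16] for o in outs], distinct)
```

The game object enforces exactly the two restrictions the text places on \(\textsc {RKD}\) (at most q queries, distinct functions) and none on \(\textsc {Eval}\); handle 1 with \(\Delta = 0\) is the identity function, so its evaluations coincide with \(\widehat{\mathtt {F}}\) under \(k^*\) itself.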

Fig. 8. Scheme \(\mathtt {PRF}\text {-}\mathtt {PKE}\) constructed from a PKE scheme \(\mathtt {PKE} \) and a PRF \(\widehat{\mathtt {F}}\).

7 IND-RRR-CCA Security in the Standard Model

We will now show that, for any predetermined polynomial n, we can transform a PKE scheme \(\mathtt {PKE} \) which is secure in the standard sense (without related-randomness security) into a scheme \(\mathtt {PRF}\text {-}\mathtt {PKE}\) that is \((n,\varPhi ,\varPsi )\)-\(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) secure in the standard model, by using an \((n,\varTheta )\)-\(\mathtt {RKA}\) secure PRF for an appropriate function class \(\varTheta \). This approach is similar to that of [34, 43], but we obtain security for a much richer class of function families that captures non-algebraic functions, such as bit-flipping and bit-fixing functions.

More formally, the construction of \(\mathtt {PRF}\text {-}\mathtt {PKE}\) is as follows: let \(\mathtt {PKE} \) be a PKE scheme for which the randomness space of \(\mathtt {PKE}.\mathtt {Enc} \) is \(\{0,1\}^{\lambda }\), let \(\widehat{\mathtt {F}}\) be a PRF with key space \(\mathcal {R} \) and a key generation algorithm \(\widehat{\mathtt {F}}.\mathtt {KeyGen} (par)\) returning a uniformly random element from \(\mathcal {R} \) as a key, for any par output by \(\widehat{\mathtt {F}}.\mathtt {Setup} (1^{\lambda })\). Using these components, we construct a PKE scheme \(\mathtt {PRF}\text {-}\mathtt {PKE}\) as in Fig. 8. Note that the randomness space of \(\mathtt {PRF}\text {-}\mathtt {PKE}.\mathtt {Enc} \) is \(\mathcal {R} \). The related-randomness security of \(\mathtt {PRF}\text {-}\mathtt {PKE}\) is guaranteed by the following theorem:

Theorem 8

Let \(n = n(\lambda )\) be an integer-valued positive polynomial. Let \(\varPhi = \{\phi : \mathcal {R} \rightarrow \mathcal {R} \}\) and \(\varPsi = \{\psi : \mathcal {R} \times \mathcal {R} \rightarrow \mathcal {R} \}\) be function families, where \(\mathcal {R} = \mathcal {R} _\lambda \). Let \(\varTheta \) be the function family defined by using \(\varPhi \) and \(\varPsi \) as follows:

$$\begin{aligned} \varTheta := \Bigl \{ f(\cdot ) := \phi (\psi (r, \cdot )) \Big \vert \phi \in \varPhi , \psi \in \varPsi , r \in \mathcal {R} \Bigr \} \cup \varPhi . \end{aligned}$$

Let \(\widehat{\mathtt {F}}\) be an \((n, \varTheta )\)-\(\mathtt {RKA}\) secure PRF,\(^{9}\) and let \(\mathtt {PKE} \) be an \(\mathtt {IND}\text {-}\mathtt {CCA} \) secure PKE scheme. Then, the construction \(\mathtt {PRF}\text {-}\mathtt {PKE}\) shown in Fig. 8 is \((n, \varPhi ,\varPsi )\)-\(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) secure. More precisely, for all PPT \((n, \varPhi ,\varPsi )\)-restricted adversaries \(\mathcal {A} \) that make at most \(q_r = q_r(\lambda )\) \(\textsc {Refresh}\) queries, there exist PPT adversaries \(\mathcal {B} _1\) and \(\mathcal {B} _2\) such that

$$\begin{aligned} \mathtt {Adv} ^{\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}}_{\mathtt {PRF}\text {-}\mathtt {PKE},\mathcal {A}}(\lambda ) \le 2(q_r + 1) \mathtt {Adv} ^{\mathtt {RKAPRF}}_{\widehat{\mathtt {F}},n,\mathcal {B} _1, \varTheta }(\lambda ) + \mathtt {Adv} ^{\mathtt {IND}\text {-}\mathtt {CCA}}_{\mathtt {PKE},\mathcal {B} _2}(\lambda ). \end{aligned}$$
(16)

The proof of Theorem 8 is based on a hybrid argument over the refresh epochs. More specifically, in each epoch, we use the \((n, \varTheta )\)-\(\mathtt {RKA}\) security of \(\widehat{\mathtt {F}}\) to replace the output \(\widetilde{r}\) with uniformly random values. This is possible since the randomness \(r'\) used in the response to \(\textsc {LR}\) and \(\textsc {Enc}\) oracle queries will correspond to related keys of \(\widehat{\mathtt {F}}\) computed by \(f \in \varTheta \). More precisely, it will be either of the form \(r' = \phi (r_1)\) (in the first epoch) or \(r' = \phi (\psi _{j-1}(r_{j-1}, s_{j-1}))\) (in the j-th epoch, \(j \ge 2\)), where \(r_1\) and \(s_{j-1}\) are chosen uniformly at random, and thus can be viewed as related keys of the initial key \(k^*\) in the \(\mathtt {RKA}\) game by viewing \(r_1\) or \(s_{j-1}\) as \(k^*\). Note that the adversary is assumed to make in total at most n \(\textsc {LR}\) and \(\textsc {Enc}\) queries in each epoch, and thus \((n,\varTheta )\)-\(\mathtt {RKA}\) security will suffice. Then, in the last hybrid, the values \(\widetilde{r}\) are all uniformly chosen, and we can rely on the \(\mathtt {IND}\text {-}\mathtt {CCA}\) security of the underlying PKE scheme \(\mathtt {PKE} \) to conclude the proof. The full proof can be found in the full version of the paper.

Combining Theorem 8 with Corollary 1, we obtain the following corollary:

Corollary 2

Let \(t = t(\lambda )\), \(p = p(\lambda )\), and \(n = n(\lambda )\) be integer-valued positive polynomials such that t is always even and larger than 8. Let \(\mathtt {PKE} \) be an \(\mathtt {IND}\text {-}\mathtt {CCA}\) secure PKE scheme, let \(\mathtt {F} \) be a PRF, and let \(\mathcal {H} \) be a t-wise independent hash family. Assume that the key space of \(\mathtt {F} \) and the output space of \(\mathcal {H} \) are \(\{0,1\}^\lambda \) when \(\mathtt {F} \) is set up with a security parameter \(\lambda \). Let \(\widehat{\mathtt {F}}\) be the PRF constructed from \(\mathtt {F} \) and \(\mathcal {H} \) as shown in Fig. 7, and let \(\mathtt {PKE} '\) be the PKE scheme obtained from \(\mathtt {PKE} \) and \(\widehat{\mathtt {F}}\) as shown in Fig. 8. Let \(\varPhi \) and \(\varPsi \) be function families such that \(|\varPhi | \le 2^p\) and \(|\varPsi | \le 2^{p'}\), respectively. Assume that

$$\begin{aligned} t&\ge n(p + p' + \log |\mathcal {R} | + 2\lambda + 2), \end{aligned}$$
(17)
$$\begin{aligned} \max \{\mathsf {UP}^{\varPhi }(\lambda ), \mathsf {sUP}^{\varPhi ,\varPsi }(\lambda )\}&\le 2^{-(3n\lambda + O(\log \lambda ))}, \end{aligned}$$
(18)
$$\begin{aligned} \max \{\mathsf {CR}^{\varPhi }(\lambda ), \mathsf {sCR}^{\varPhi ,\varPsi }(\lambda ) \}&\le \genfrac(){0.0pt}1{n}{2}^{-1} \cdot 2^{-n \lambda }. \end{aligned}$$
(19)

Then, \(\mathtt {PKE} '\) is \((n, \varPhi ,\varPsi )\)-\(\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}\) secure. More precisely, for all PPT \((n, \varPhi ,\varPsi )\)-restricted adversaries \(\mathcal {A} \) that make at most \(q_r = q_r(\lambda )\) \(\textsc {Refresh}\) queries, there exist PPT adversaries \(\mathcal {B} \) and \(\mathcal {B} '\) such that

$$ \mathtt {Adv} ^{\mathtt {IND}\text {-}\mathtt {RRR}\text {-}\mathtt {CCA}}_{\mathtt {PKE} ',\mathcal {A}}(\lambda ) \le 12(q_r+1) \cdot 2^{-\lambda } + 2(q_r + 1) \mathtt {Adv} ^{\mathtt {PRF}}_{\mathtt {F},\mathcal {B}}(\lambda ) + \mathtt {Adv} ^{\mathtt {IND}\text {-}\mathtt {CCA}}_{\mathtt {PKE},\mathcal {B} '}(\lambda ). $$

Proof

(of Corollary 2). Note that each function \(f \in \varTheta \) can be specified by (1) a bit indicating whether f is in the set \(\{\phi (\psi (r, \cdot )) \mid \phi \in \varPhi , \psi \in \varPsi , r \in \mathcal {R} \}\) or in the set \(\varPhi \), (2-1) a tuple \((\phi , \psi , r) \in \varPhi \times \varPsi \times \mathcal {R} \) in case f belongs to the former set, and (2-2) a function \(\phi \in \varPhi \) in case f belongs to the latter set. This implies that \( |\varTheta | \le 2 \cdot (|\varPhi | \cdot |\varPsi | \cdot |\mathcal {R} | + |\varPhi |) \le 2^{p + p' + 2} \cdot |\mathcal {R} | = 2^{p''}, \) where \(p'' = p + p' + 2 + \log |\mathcal {R} |\). Furthermore, by definition, the output unpredictability of \(\varTheta \) is at most the maximum of the output unpredictability of \(\varPhi \) and the seed-induced output unpredictability of \(\varPhi \) with respect to \(\varPsi \), i.e. \(\max \{\mathsf {UP}^{\varPhi }(\lambda ), \mathsf {sUP}^{\varPhi ,\varPsi }(\lambda )\}\), and exactly the same relation holds for collision resistance. Recall also that the output space of \(\mathcal {H} \) is \(\{0,1\}^{\lambda }\).

Now, by using the definition of the function class \(\varTheta \) with the parameters described above in Corollary 1, we obtain the requirements in Eqs. (17), (18), and (19), and the upperbound \(6 \cdot 2^{-\lambda }\) for the advantage of any (even computationally unbounded) adversary that attacks the \((n, \varTheta )\)-\(\mathtt {CIPR} \) security of \(\mathcal {H} \). Then, using it in turn in Theorem 8, we obtain this corollary.   \(\square \) (Corollary 2 )

The reason the impossibility result from Sect. 4 is not applicable to the above construction is that, for each security parameter \(\lambda \), with high probability over the choice of the t-wise independent hash function H, the function families \(\varPhi \) and \(\varPsi \) are not capable of expressing H, and thereby the encryption function of the scheme, due to the requirement on t in Eq. (17). Note also that, as the size of the description of H must be linear in t, and this description is part of the parameters \(par''\) in Fig. 8, the size of the parameters of the construction will grow linearly in the right-hand side of Eq. (17), i.e. linearly in the number of queries an adversary is allowed to make in an epoch, and logarithmically in the sizes of the function families \(\varPhi \) and \(\varPsi \).