Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
Provable Security in the Computational Model
II – Encryption
David Pointcheval
MPRI – Paris
Ecole normale superieure, CNRS & INRIA
ENS/CNRS/INRIA Cascade David Pointcheval 1/68
Outline
Basic Security Notions
Game-based Proofs
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 2/68
Basic Security Notions
Outline
Basic Security Notions
Public-Key Encryption
Signatures
Game-based Proofs
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 3/68
Public-Key Encryption
Goal: Privacy/Secrecy of the plaintext
ENS/CNRS/INRIA Cascade David Pointcheval 4/68
Public-Key Encryption
Goal: Privacy/Secrecy of the plaintext
ENS/CNRS/INRIA Cascade David Pointcheval 4/68
OW− CPA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
OW− CPA Security Game
A
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
OW− CPA Security Game
A
kdke Gm* randomr* random
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
OW− CPA Security Game
A
kdke Gm* randomr* random
Er*m* c*
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
OW− CPA Security Game
A
kdke Gm* randomr* random
Er*m* c*
m
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
OW− CPA Security Game
A
kdke G
m
m* randomr* random
m* = m?
Er*m* c*
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
OW− CPA Security Game
A
kdke G
m
m* randomr* random
m* = m?
Er*m* c*
SuccowS (A) = Pr[(sk ,pk)← K(); m R←M; c = Epk (m) : A(pk , c)→ m]
ENS/CNRS/INRIA Cascade David Pointcheval 5/68
IND− CPA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
IND− CPA Security Game
A
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
IND− CPA Security Game
A
m1
m0
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
IND− CPA Security Game
A
m1
m0
kdke Gb∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
b’ = b?
ENS/CNRS/INRIA Cascade David Pointcheval 6/68
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
b’ = b?
(sk ,pk)← K();(m0,m1, state)← A(pk);
b R← {0,1};c = Epk (mb); b′ ← A(state, c)
Advind−cpaS (A)=
∣∣Pr[b′ = 1|b = 1]−Pr[b′ = 1|b = 0]∣∣= ∣∣2× Pr[b′ = b]−1
∣∣ENS/CNRS/INRIA Cascade David Pointcheval 6/68
Outline
Basic Security Notions
Public-Key Encryption
Signatures
Game-based Proofs
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 7/68
Signature
Goal: Authentication of the sender
ENS/CNRS/INRIA Cascade David Pointcheval 8/68
Signature
Goal: Authentication of the sender
ENS/CNRS/INRIA Cascade David Pointcheval 8/68
EUF− NMA
A
ENS/CNRS/INRIA Cascade David Pointcheval 9/68
EUF− NMA
A
kskv G
ENS/CNRS/INRIA Cascade David Pointcheval 9/68
EUF− NMA
A
kskv G
(m,σ)
ENS/CNRS/INRIA Cascade David Pointcheval 9/68
EUF− NMA
A
kskv G
(m,σ)
V(kv,m,σ)?
ENS/CNRS/INRIA Cascade David Pointcheval 9/68
EUF− NMA
A
kskv G
(m,σ)
V(kv,m,σ)?
SucceufSG(A) = Pr[(sk ,pk)← K(); (m, σ)← A(pk) : Vpk (m, σ) = 1]
ENS/CNRS/INRIA Cascade David Pointcheval 9/68
Game-based Proofs
Outline
Basic Security Notions
Game-based Proofs
Provable Security
Game-based Approach
Transition Hops
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 10/68
Provable Security
One can prove that:
• if an adversary is able to break the cryptographic scheme
• then one can break the underlying problem(integer factoring, discrete logarithm, 3-SAT, etc)
ENS/CNRS/INRIA Cascade David Pointcheval 11/68
Provable Security
One can prove that:
• if an adversary is able to break the cryptographic scheme
• then one can break the underlying problem(integer factoring, discrete logarithm, 3-SAT, etc)
hard →instance
→solution
ENS/CNRS/INRIA Cascade David Pointcheval 11/68
Direct Reduction
Oracles
ChallengerAdversary 0 / 1
Security GameOracles
ChallengerAdversary
Instance
Simulator
Solution
Reduction
ENS/CNRS/INRIA Cascade David Pointcheval 12/68
Direct Reduction
Oracles
ChallengerAdversary 0 / 1
Security GameOracles
ChallengerAdversary
Instance
Simulator
Solution
Reduction
Unfortunately
• Security may rely on several assumptions
• Proving that the view of the adversary, generated by thesimulator, in the reduction is the same as in the real attack gameis not easy to do in such a one big step
ENS/CNRS/INRIA Cascade David Pointcheval 12/68
Direct Reduction
Oracles
ChallengerAdversary 0 / 1
Security GameOracles
ChallengerAdversary
Instance
Simulator
Solution
Reduction
Unfortunately
• Security may rely on several assumptions
• Proving that the view of the adversary, generated by thesimulator, in the reduction is the same as in the real attack gameis not easy to do in such a one big step
ENS/CNRS/INRIA Cascade David Pointcheval 12/68
Direct Reduction
Oracles
ChallengerAdversary 0 / 1
Security GameOracles
ChallengerAdversary
Instance
Simulator
Solution
Reduction
Unfortunately
• Security may rely on several assumptions
• Proving that the view of the adversary, generated by thesimulator, in the reduction is the same as in the real attack gameis not easy to do in such a one big step
ENS/CNRS/INRIA Cascade David Pointcheval 12/68
Outline
Basic Security Notions
Game-based Proofs
Provable Security
Game-based Approach
Transition Hops
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 13/68
Sequence of Games
Real Attack GameThe adversary plays a game, against a challenger (security notion)
Oracles
ChallengerAdversary 0 / 1
Game 0
ENS/CNRS/INRIA Cascade David Pointcheval 14/68
Sequence of Games
SimulationThe adversary plays a game, against a sequence of simulators
Oracles
ChallengerAdversary
Distribution 1
Simulator 1
Game 1
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 15/68
Sequence of Games
SimulationThe adversary plays a game, against a sequence of simulators
Oracles
ChallengerAdversary
Distribution 2
Simulator 2
Game 2
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 16/68
Sequence of Games
SimulationThe adversary plays a game, against a sequence of simulators
Oracles
ChallengerAdversary
Distribution 3
Simulator 3
Game 3
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 17/68
Output
• The output of the simulator in Game 1 is related to the output ofthe challenger in Game 0 (adversary’s winning probability)
• The output of the simulator in Game 3 is easy to evaluate(e.g. always zero, always 1, probability of one-half)
• The gaps (Game 1↔ Game 2, Game 2↔ Game 3, etc) areclearly identified with specific events
ENS/CNRS/INRIA Cascade David Pointcheval 18/68
Output
• The output of the simulator in Game 1 is related to the output ofthe challenger in Game 0 (adversary’s winning probability)
• The output of the simulator in Game 3 is easy to evaluate(e.g. always zero, always 1, probability of one-half)
• The gaps (Game 1↔ Game 2, Game 2↔ Game 3, etc) areclearly identified with specific events
ENS/CNRS/INRIA Cascade David Pointcheval 18/68
Output
• The output of the simulator in Game 1 is related to the output ofthe challenger in Game 0 (adversary’s winning probability)
• The output of the simulator in Game 3 is easy to evaluate(e.g. always zero, always 1, probability of one-half)
• The gaps (Game 1↔ Game 2, Game 2↔ Game 3, etc) areclearly identified with specific events
Oracles
ChallengerAdversary
Distribution 1
Simulator 1
Game 1
0 / 1
Oracles
ChallengerAdversary
Distribution 3
Simulator 3
Game 3
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 18/68
Outline
Basic Security Notions
Game-based Proofs
Provable Security
Game-based Approach
Transition Hops
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 19/68
Two Simulators
Oracles
ChallengerAdversary
Distribution
Simulator A
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution
Simulator B
Game B
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 20/68
Two Simulators
Oracles
ChallengerAdversary
Distribution
Simulator A
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution
Simulator B
Game B
0 / 1
• perfectly identical behaviors [Hop-S-Perfect]
• different behaviors, only if event Ev happens• Ev is negligible [Hop-S-Negl]
• Ev is non-negligible (but not overwhelming) [Hop-S-Non-Negl]
and independent of the output in GameA
→ Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 20/68
Two Simulators
Oracles
ChallengerAdversary
Distribution
Simulator A
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution
Simulator B
Game B
0 / 1
• perfectly identical behaviors [Hop-S-Perfect]
• different behaviors, only if event Ev happens• Ev is negligible [Hop-S-Negl]
• Ev is non-negligible (but not overwhelming) [Hop-S-Non-Negl]
and independent of the output in GameA
→ Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 20/68
Two Simulators
Oracles
ChallengerAdversary
Distribution
Simulator A
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution
Simulator B
Game B
0 / 1
• perfectly identical behaviors [Hop-S-Perfect]
• different behaviors, only if event Ev happens• Ev is negligible [Hop-S-Negl]
• Ev is non-negligible (but not overwhelming) [Hop-S-Non-Negl]
and independent of the output in GameA
→ Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 20/68
Two Simulators
Oracles
ChallengerAdversary
Distribution
Simulator A
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution
Simulator B
Game B
0 / 1
• perfectly identical behaviors [Hop-S-Perfect]
• different behaviors, only if event Ev happens• Ev is negligible [Hop-S-Negl]
• Ev is non-negligible (but not overwhelming) [Hop-S-Non-Negl]
and independent of the output in GameA
→ Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 20/68
Two Distributions
Oracles
ChallengerAdversary
Distribution A
Simulator
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution B
Simulator
Game B
0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 21/68
Two Distributions
Oracles
ChallengerAdversary
Distribution A
Simulator
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution B
Simulator
Game B
0 / 1
• perfectly identical input distributions [Hop-D-Perfect]
• different distributions• statistically close [Hop-D-Stat]
• computationally close [Hop-D-Comp]
ENS/CNRS/INRIA Cascade David Pointcheval 21/68
Two Distributions
Oracles
ChallengerAdversary
Distribution A
Simulator
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution B
Simulator
Game B
0 / 1
• perfectly identical input distributions [Hop-D-Perfect]
• different distributions• statistically close [Hop-D-Stat]
• computationally close [Hop-D-Comp]
ENS/CNRS/INRIA Cascade David Pointcheval 21/68
Two Distributions
Oracles
ChallengerAdversary
Distribution A
Simulator
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution B
Simulator
Game B
0 / 1
• perfectly identical input distributions [Hop-D-Perfect]
• different distributions• statistically close [Hop-D-Stat]
• computationally close [Hop-D-Comp]
ENS/CNRS/INRIA Cascade David Pointcheval 21/68
Two Distributions
Oracles
ChallengerAdversary
Distribution A
Simulator
Game A
0 / 1
Oracles
ChallengerAdversary
Distribution B
Simulator
Game B
0 / 1
• perfectly identical input distributions [Hop-D-Perfect]
• different distributions• statistically close [Hop-D-Stat]
• computationally close [Hop-D-Comp]
ENS/CNRS/INRIA Cascade David Pointcheval 21/68
Two Simulations
• Identical behaviors: Pr[GameA]− Pr[GameB] = 0• The behaviors differ only if Ev happens:
• Ev is negligible, one can ignore itShoup’s Lemma: |Pr[GameA]− Pr[GameB]| ≤ Pr[Ev]
|Pr[GameA]− Pr[GameB]|
=
∣∣∣∣∣ Pr[GameA|Ev] Pr[Ev] + Pr[GameA|¬Ev] Pr[¬Ev]
−Pr[GameB|Ev] Pr[Ev]− Pr[GameB|¬Ev] Pr[¬Ev]
∣∣∣∣∣=
∣∣∣∣∣ (Pr[GameA|Ev]− Pr[GameB|Ev])× Pr[Ev]
+(Pr[GameA|¬Ev]− Pr[GameB|¬Ev])× Pr[¬Ev]
∣∣∣∣∣≤ |1× Pr[Ev] + 0× Pr[¬Ev]| ≤ Pr[Ev]
• Ev is non-negligible and independent of the output in GameA,Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 22/68
Two Simulations
• Identical behaviors: Pr[GameA]− Pr[GameB] = 0• The behaviors differ only if Ev happens:
• Ev is negligible, one can ignore itShoup’s Lemma: |Pr[GameA]− Pr[GameB]| ≤ Pr[Ev]
|Pr[GameA]− Pr[GameB]|
=
∣∣∣∣∣ Pr[GameA|Ev] Pr[Ev] + Pr[GameA|¬Ev] Pr[¬Ev]
−Pr[GameB|Ev] Pr[Ev]− Pr[GameB|¬Ev] Pr[¬Ev]
∣∣∣∣∣=
∣∣∣∣∣ (Pr[GameA|Ev]− Pr[GameB|Ev])× Pr[Ev]
+(Pr[GameA|¬Ev]− Pr[GameB|¬Ev])× Pr[¬Ev]
∣∣∣∣∣≤ |1× Pr[Ev] + 0× Pr[¬Ev]| ≤ Pr[Ev]
• Ev is non-negligible and independent of the output in GameA,Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 22/68
Two Simulations
• Identical behaviors: Pr[GameA]− Pr[GameB] = 0• The behaviors differ only if Ev happens:
• Ev is negligible, one can ignore itShoup’s Lemma: |Pr[GameA]− Pr[GameB]| ≤ Pr[Ev]
|Pr[GameA]− Pr[GameB]|
=
∣∣∣∣∣ Pr[GameA|Ev] Pr[Ev] + Pr[GameA|¬Ev] Pr[¬Ev]
−Pr[GameB|Ev] Pr[Ev]− Pr[GameB|¬Ev] Pr[¬Ev]
∣∣∣∣∣=
∣∣∣∣∣ (Pr[GameA|Ev]− Pr[GameB|Ev])× Pr[Ev]
+(Pr[GameA|¬Ev]− Pr[GameB|¬Ev])× Pr[¬Ev]
∣∣∣∣∣≤ |1× Pr[Ev] + 0× Pr[¬Ev]| ≤ Pr[Ev]
• Ev is non-negligible and independent of the output in GameA,Simulator B terminates in case of event Ev
ENS/CNRS/INRIA Cascade David Pointcheval 22/68
Two Simulations
• Identical behaviors: Pr[GameA]− Pr[GameB] = 0• The behaviors differ only if Ev happens:
• Ev is negligible, one can ignore it• Ev is non-negligible and independent of the output in GameA,
Simulator B terminates and outputs 0, in case of event Ev:
Pr[GameB] = Pr[GameB|Ev] Pr[Ev] + Pr[GameB|¬Ev] Pr[¬Ev]
= 0× Pr[Ev] + Pr[GameA|¬Ev]× Pr[¬Ev]
= Pr[GameA]× Pr[¬Ev]
Simulator B terminates and flips a coin, in case of event Ev:
Pr[GameB] = Pr[GameB|Ev] Pr[Ev] + Pr[GameB|¬Ev] Pr[¬Ev]
= 12 × Pr[Ev] + Pr[GameA|¬Ev]× Pr[¬Ev]
= 12 + (Pr[GameA]− 1
2 )× Pr[¬Ev]
ENS/CNRS/INRIA Cascade David Pointcheval 23/68
Two Simulations
• Identical behaviors: Pr[GameA]− Pr[GameB] = 0• The behaviors differ only if Ev happens:
• Ev is negligible, one can ignore it• Ev is non-negligible and independent of the output in GameA,
Simulator B terminates in case of event Ev
Event Ev
• Either Ev is negligible, or the output is independent of Ev
• For being able to terminate simulation B in case of event Ev,this event must be efficiently detectable
• For evaluating Pr[Ev], one re-iterates the above process,with an initial game that outputs 1 when event Ev happens
ENS/CNRS/INRIA Cascade David Pointcheval 24/68
Two Distributions
Oracles
ChallengerAdversary
Distribution
0 / 1
Distinguisheur
Pr[GameA]− Pr[GameB] ≤ Adv(Doracles)
ENS/CNRS/INRIA Cascade David Pointcheval 25/68
Two Distributions
Pr[GameA]− Pr[GameB] ≤ Adv(Doracles)
• For identical/statistically close distributions, for any oracle:
Pr[GameA]− Pr[GameB] = Dist(DistribA,DistribB) = negl()
• For computationally close distributions, in general, we need toexclude additional oracle access:
Pr[GameA]− Pr[GameB] ≤ AdvDistrib(t)
where t is the computational time of the distinguisheur
ENS/CNRS/INRIA Cascade David Pointcheval 26/68
Two Distributions
Pr[GameA]− Pr[GameB] ≤ Adv(Doracles)
• For identical/statistically close distributions, for any oracle:
Pr[GameA]− Pr[GameB] = Dist(DistribA,DistribB) = negl()
• For computationally close distributions, in general, we need toexclude additional oracle access:
Pr[GameA]− Pr[GameB] ≤ AdvDistrib(t)
where t is the computational time of the distinguisheur
ENS/CNRS/INRIA Cascade David Pointcheval 26/68
Two Distributions
Pr[GameA]− Pr[GameB] ≤ Adv(Doracles)
• For identical/statistically close distributions, for any oracle:
Pr[GameA]− Pr[GameB] = Dist(DistribA,DistribB) = negl()
• For computationally close distributions, in general, we need toexclude additional oracle access:
Pr[GameA]− Pr[GameB] ≤ AdvDistrib(t)
where t is the computational time of the distinguisheur
ENS/CNRS/INRIA Cascade David Pointcheval 26/68
Advanced Security for Encryption
Outline
Basic Security Notions
Game-based Proofs
Advanced Security for Encryption
Advanced Security Notions
Cramer-Shoup Encryption Scheme
Generic Conversion
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 27/68
Public-Key Encryption
Goal: Privacy/Secrecy of the plaintext
ENS/CNRS/INRIA Cascade David Pointcheval 28/68
Public-Key Encryption
Goal: Privacy/Secrecy of the plaintext
ENS/CNRS/INRIA Cascade David Pointcheval 28/68
IND− CPA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
IND− CPA Security Game
A
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
IND− CPA Security Game
A
m1
m0
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
IND− CPA Security Game
A
m1
m0
kdke Gb∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
b’ = b?
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
IND− CPA Security Game
A
m1
m0
kdke G
Ermb c*
b’
b∈{0,1}r random
b’ = b?
The adversary cannot get any information about a plaintext of aspecific ciphertext (validity, partial value, etc)
ENS/CNRS/INRIA Cascade David Pointcheval 29/68
Malleability
Semantic security (ciphertext indistinguishability) guarantees thatno information is leaked from c about the plaintext m
But it may be possible to derive a ciphertext c′
such that the plaintext m′ is related to m in a meaningful way:
• ElGamal ciphertext: c1 = gr and c2 = m × y r
• Malleability: c′1 = c1 = gr and c′2 = 2× c2 = (2m)× y r
From an encryption of m, one can build an encryption of 2m, or arandom ciphertext of m, etc.
ENS/CNRS/INRIA Cascade David Pointcheval 30/68
Malleability
Semantic security (ciphertext indistinguishability) guarantees thatno information is leaked from c about the plaintext m
But it may be possible to derive a ciphertext c′
such that the plaintext m′ is related to m in a meaningful way:
• ElGamal ciphertext: c1 = gr and c2 = m × y r
• Malleability: c′1 = c1 = gr and c′2 = 2× c2 = (2m)× y r
From an encryption of m, one can build an encryption of 2m, or arandom ciphertext of m, etc.
ENS/CNRS/INRIA Cascade David Pointcheval 30/68
Malleability
Semantic security (ciphertext indistinguishability) guarantees thatno information is leaked from c about the plaintext m
But it may be possible to derive a ciphertext c′
such that the plaintext m′ is related to m in a meaningful way:
• ElGamal ciphertext: c1 = gr and c2 = m × y r
• Malleability: c′1 = c1 = gr and c′2 = 2× c2 = (2m)× y r
From an encryption of m, one can build an encryption of 2m, or arandom ciphertext of m, etc.
ENS/CNRS/INRIA Cascade David Pointcheval 30/68
Malleability
Semantic security (ciphertext indistinguishability) guarantees thatno information is leaked from c about the plaintext m
But it may be possible to derive a ciphertext c′
such that the plaintext m′ is related to m in a meaningful way:
• ElGamal ciphertext: c1 = gr and c2 = m × y r
• Malleability: c′1 = c1 = gr and c′2 = 2× c2 = (2m)× y r
From an encryption of m, one can build an encryption of 2m, or arandom ciphertext of m, etc.
ENS/CNRS/INRIA Cascade David Pointcheval 30/68
Non-Malleability: NM− CPA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
Non-Malleability: NM− CPA Security Game
A
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
m*, m' ← Dr random
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
Erm* c*
m*, m' ← Dr random
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
Erm* c*
c
m*, m' ← Dr random
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
Erm* c*
c
m*, m' ← Dr random
m = D(c)
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
Erm* c*
c
m*, m' ← Dr random
R(m*,m)vs. R(m',m) m = D(c)
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
Non-Malleability: NM− CPA Security Game
A
D, R
kdke G
Erm* c*
c
m*, m' ← Dr random
R(m*,m)vs. R(m',m) m = D(c)
Advnm−cpaS (A) =
∣∣Pr[R(m∗,m)]− Pr[R(m′,m)]∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 31/68
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
Additional Information
More information modelled by oracle access
• reaction attacks: oracle which answers, on c,whether the ciphertext c is valid or not
• plaintext-checking attacks: oracle which answers,on a pair (m, c), whether the plaintext m is really encrypted in cor not (whether m = Dsk (c))
• chosen-ciphertext attacks (CCA): decryption oracle(with the restriction not to use it on the challenge ciphertext)=⇒ the adversary can obtain the plaintext of any ciphertext of itschoice (excepted the challenge)
• non-adaptive (CCA− 1) [Naor-Yung – STOC ’90]
only before receiving the challenge• adaptive (CCA− 2) [Rackoff-Simon – Crypto ’91]
unlimited oracle accessENS/CNRS/INRIA Cascade David Pointcheval 32/68
IND− CCA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
IND− CCA Security Game
A
kdke G
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
IND− CCA Security Game
A
kdke G
Dc
m
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
IND− CCA Security Game
Am1
m0
kdke G
Dc
m
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
IND− CCA Security Game
A
b∈{0,1}r random
m1
m0
kdke G
Dc
m
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
IND− CCA Security Game
AErmb c*
b∈{0,1}r random
m1
m0
kdke G
Dc
m
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
IND− CCA Security Game
AErmb c*
b∈{0,1}r random
m1
m0
kdke G
Dc
m
Dc ≠ c*
m
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
IND− CCA Security Game
AErmb c*
b∈{0,1}r random
m1
m0
kdke G
Dc
m
Dc ≠ c*
mb’
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
IND− CCA Security Game
AErmb c*
b∈{0,1}r random
m1
m0
kdke G
Dc
m
Dc ≠ c*
mb’b’ = b?
ENS/CNRS/INRIA Cascade David Pointcheval 33/68
IND− CCA Security Game
AErmb c*
b∈{0,1}r random
m1
m0
kdke G
Dc
m
Dc ≠ c*
mb’b’ = b?
The adversary can ask any decryption of its choice:Chosen-Ciphertext Attacks (oracle access)
(sk ,pk)← K();(m0,m1, state)← AD(pk);
b R← {0,1};c = Epk (mb); b′ ← AD(state, c)
Advind−ccaS (A)=
∣∣Pr[b′ = 1|b = 1]−Pr[b′ = 1|b = 0]∣∣= ∣∣2× Pr[b′ = b]−1
∣∣ENS/CNRS/INRIA Cascade David Pointcheval 33/68
Relations [Bellare-Desai-Pointcheval-Rogaway – Crypto ’98]
NM-CPA ⇐ NM-CCA1 ⇐ NM-CCA2
IND-CPA ⇐ IND-CCA1 ⇐ IND-CCA2
strong security: CCA
minimalsecurity
weak security
OW-CPA
⇒ ⇔⇒
⇒ENS/CNRS/INRIA Cascade David Pointcheval 34/68
Outline
Basic Security Notions
Game-based Proofs
Advanced Security for Encryption
Advanced Security Notions
Cramer-Shoup Encryption Scheme
Generic Conversion
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 35/68
Cramer-Shoup Encryption Scheme [Cramer-Shoup – Crypto ’98]
Key Generation
• G = (〈g〉,×) group of order q
• sk = (x1, x2, y1, y2, z), where x1, x2, y1, y2, zR← Zq
• pk = (g1,g2,H, c,d ,h), where• g1, g2 are independent elements in G• H a hash function (second-preimage resistant)• c = gx1
1 gx22 , d = gy1
1 gy22 , and h = gz
1
Encryptionu1 = gr
1, u2 = gr2, e = m × hr , v = cr d rα where α = H(u1,u2,e)
ENS/CNRS/INRIA Cascade David Pointcheval 36/68
Cramer-Shoup Encryption Scheme [Cramer-Shoup – Crypto ’98]
Key Generation
• G = (〈g〉,×) group of order q
• sk = (x1, x2, y1, y2, z), where x1, x2, y1, y2, zR← Zq
• pk = (g1,g2,H, c,d ,h), where• g1, g2 are independent elements in G• H a hash function (second-preimage resistant)• c = gx1
1 gx22 , d = gy1
1 gy22 , and h = gz
1
Encryptionu1 = gr
1, u2 = gr2, e = m × hr , v = cr d rα where α = H(u1,u2,e)
ENS/CNRS/INRIA Cascade David Pointcheval 36/68
Cramer-Shoup Encryption Scheme vs. ElGamal
u1 = gr1, u2 = gr
2, e = m × hr , v = cr d rα where α = H(u1,u2,e)
(u1,e) is an ElGamal ciphertext, with public key h = gz1
Decryption
• since h = gz1 , hr = uz
1 , thus m = e/uz1
• since c = gx11 gx2
2 and d = gy11 gy2
2
cr = grx11 grx2
2 = ux11 ux2
2 d r = uy11 uy2
2
One thus first checks whether
v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e)
ENS/CNRS/INRIA Cascade David Pointcheval 37/68
Security of the Cramer-Shoup Encryption Scheme
TheoremThe Cramer-Shoup encryption scheme achieves IND− CCAsecurity, under the DDH assumption, and the second-preimageresistance of H:
Advind−ccaCS (t) ≤ 2× Advddh
G (t) + SuccH(t) + 3qD/q
Let us prove this theorem, with a sequence of games, in which A isan IND− CCA adversary against the Cramer-Shoup encryptionscheme.
ENS/CNRS/INRIA Cascade David Pointcheval 38/68
Security of the Cramer-Shoup Encryption Scheme
TheoremThe Cramer-Shoup encryption scheme achieves IND− CCAsecurity, under the DDH assumption, and the second-preimageresistance of H:
Advind−ccaCS (t) ≤ 2× Advddh
G (t) + SuccH(t) + 3qD/q
Let us prove this theorem, with a sequence of games, in which A isan IND− CCA adversary against the Cramer-Shoup encryptionscheme.
ENS/CNRS/INRIA Cascade David Pointcheval 38/68
Real Attack Game
Challenger
● (pk, sk) ← Setup()● Chooses a bit b● c ← E(pk,m
b)
● if b=b': 1● else 0
Adversary0 / 1
Game 0
pkm0,m1
c
b'
Oracles
DSetup
Key Generation Oracle
x1, x2, y1, y2, zR← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z)
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz1 : pk = (g1,g2,H, c,d ,h)
Decryption Oracle
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz1
ENS/CNRS/INRIA Cascade David Pointcheval 39/68
Proof: Invalid ciphertexts
• Game0: use of the oracles K, D• Game1: we abort (with a random output b′)
in case of bad (invalid) accepted ciphertext,where invalid ciphertext means logg1
u1 6= logg2u2
Event FA submits a bad accepted ciphertext
(note: this is not computationally detectable)
The advantage in Game1 is: Pr1[b′ = b|F] = 1/2
PrGame0
[F] = PrGame1
[F] PrGame1
[b′ = b|¬F] = PrGame0
[b′ = b|¬F]
=⇒ Hop-S-Negl: AdvGame1 ≥ AdvGame0 − Pr[F]
ENS/CNRS/INRIA Cascade David Pointcheval 40/68
Proof: Invalid ciphertexts
• Game0: use of the oracles K, D• Game1: we abort (with a random output b′)
in case of bad (invalid) accepted ciphertext,where invalid ciphertext means logg1
u1 6= logg2u2
Event FA submits a bad accepted ciphertext
(note: this is not computationally detectable)
The advantage in Game1 is: Pr1[b′ = b|F] = 1/2
PrGame0
[F] = PrGame1
[F] PrGame1
[b′ = b|¬F] = PrGame0
[b′ = b|¬F]
=⇒ Hop-S-Negl: AdvGame1 ≥ AdvGame0 − Pr[F]
ENS/CNRS/INRIA Cascade David Pointcheval 40/68
Proof: Invalid ciphertexts
• Game0: use of the oracles K, D• Game1: we abort (with a random output b′)
in case of bad (invalid) accepted ciphertext,where invalid ciphertext means logg1
u1 6= logg2u2
Event FA submits a bad accepted ciphertext
(note: this is not computationally detectable)
The advantage in Game1 is: Pr1[b′ = b|F] = 1/2
PrGame0
[F] = PrGame1
[F] PrGame1
[b′ = b|¬F] = PrGame0
[b′ = b|¬F]
=⇒ Hop-S-Negl: AdvGame1 ≥ AdvGame0 − Pr[F]
ENS/CNRS/INRIA Cascade David Pointcheval 40/68
Proof: Invalid ciphertexts
• Game0: use of the oracles K, D• Game1: we abort (with a random output b′)
in case of bad (invalid) accepted ciphertext,where invalid ciphertext means logg1
u1 6= logg2u2
Event FA submits a bad accepted ciphertext
(note: this is not computationally detectable)
The advantage in Game1 is: Pr1[b′ = b|F] = 1/2
PrGame0
[F] = PrGame1
[F] PrGame1
[b′ = b|¬F] = PrGame0
[b′ = b|¬F]
=⇒ Hop-S-Negl: AdvGame1 ≥ AdvGame0 − Pr[F]
ENS/CNRS/INRIA Cascade David Pointcheval 40/68
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
= 2× PrGame1
[b′ = b|¬F] PrGame1
[¬F]
+2× PrGame1
[b′ = b|F] PrGame1
[F]− 1
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
= 2× PrGame1
[b′ = b|¬F] PrGame1
[¬F]
+2× PrGame1
[b′ = b|F] PrGame1
[F]− 1
= 2× PrGame0
[b′ = b|¬F] PrGame0
[¬F] + PrGame0
[F]− 1
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
= 2× PrGame1
[b′ = b|¬F] PrGame1
[¬F]
+2× PrGame1
[b′ = b|F] PrGame1
[F]− 1
= 2× PrGame0
[b′ = b|¬F] PrGame0
[¬F] + PrGame0
[F]− 1
= 2× PrGame0
[b′ = b]− 2× PrGame0
[b′ = b|F] PrGame0
[F]
+ PrGame0
[F]− 1
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
= 2× PrGame1
[b′ = b|¬F] PrGame1
[¬F]
+2× PrGame1
[b′ = b|F] PrGame1
[F]− 1
= 2× PrGame0
[b′ = b|¬F] PrGame0
[¬F] + PrGame0
[F]− 1
= 2× PrGame0
[b′ = b]− 2× PrGame0
[b′ = b|F] PrGame0
[F]
+ PrGame0
[F]− 1
= AdvGame0 − PrGame0
[F](2× PrGame0
[b′ = b|F]− 1)
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
Details: Shoup’s Lemma
AdvGame1 = 2× PrGame1
[b′ = b]− 1
= 2× PrGame1
[b′ = b|¬F] PrGame1
[¬F]
+2× PrGame1
[b′ = b|F] PrGame1
[F]− 1
= 2× PrGame0
[b′ = b|¬F] PrGame0
[¬F] + PrGame0
[F]− 1
= 2× PrGame0
[b′ = b]− 2× PrGame0
[b′ = b|F] PrGame0
[F]
+ PrGame0
[F]− 1
= AdvGame0 − PrGame0
[F](2× PrGame0
[b′ = b|F]− 1)
≥ AdvGame0 − PrGame0
[F]
ENS/CNRS/INRIA Cascade David Pointcheval 41/68
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
Details: Bad Accept
In order to evaluate Pr[F], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = ux1+αy11 ux2+αy2
2
The adversary just knows the public key:
c = gx11 gx2
2 d = gy11 gy2
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v = r1(x1 + αy1) + sr2(x2 + αy2)
The system is under-defined: for any v , there are (x1, x2, y1, y2)
that satisfy the system =⇒ v is unpredictable=⇒ Pr[F] ≤ qD/q =⇒ AdvGame1 ≥ AdvGame0 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 42/68
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
Proof: Simulations
• Game2: we use the simulations
Key Generation Simulation
x1, x2, y1, y2, z1, z2R← Zq, g1,g2
R← G: sk = (x1, x2, y1, y2, z1, z2)
g2 = gs1
c = gx11 gx2
2 , d = gy11 gy2
2 , and h = gz11 gz2
2 : pk = (g1,g2,H, c,d ,h)
z = z1 + sz2
Distribution of the public key: Identical
Decryption Simulation
If v = ux1+αy11 ux2+αy2
2 where α = H(u1,u2,e): m = e/uz11 uz2
2
Under the assumption of ¬F, perfect simulation=⇒ Hop-S-Perfect: AdvGame2 = AdvGame1
ENS/CNRS/INRIA Cascade David Pointcheval 43/68
Proof: Computable Adversary
• Game3: we do no longer exclude bad accepted ciphertexts=⇒ Hop-S-Negl:AdvGame3 ≥ AdvGame2 − Pr[F] ≥ AdvGame2 − qD/q
This is technical: to make the simulator/adversary computable
ENS/CNRS/INRIA Cascade David Pointcheval 44/68
Proof: Computable Adversary
• Game3: we do no longer exclude bad accepted ciphertexts=⇒ Hop-S-Negl:AdvGame3 ≥ AdvGame2 − Pr[F] ≥ AdvGame2 − qD/q
This is technical: to make the simulator/adversary computable
ENS/CNRS/INRIA Cascade David Pointcheval 44/68
Proof: Computable Adversary
• Game3: we do no longer exclude bad accepted ciphertexts=⇒ Hop-S-Negl:AdvGame3 ≥ AdvGame2 − Pr[F] ≥ AdvGame2 − qD/q
This is technical: to make the simulator/adversary computable
ENS/CNRS/INRIA Cascade David Pointcheval 44/68
Proof: Computable Adversary
• Game3: we do no longer exclude bad accepted ciphertexts=⇒ Hop-S-Negl:AdvGame3 ≥ AdvGame2 − Pr[F] ≥ AdvGame2 − qD/q
This is technical: to make the simulator/adversary computable
ENS/CNRS/INRIA Cascade David Pointcheval 44/68
Proof: DDH Assumption
• Game4: we modify the generation of the challenge ciphertext:
Original Challenge
Random choice: b R← {0,1}, r R← Zq [α = H(u1, u2, e)]
u1 = gr1, u2 = gr
2, e = mb × hr , v = cr d rα
New Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
With (U = gr1,V = gr
2): Uz1V z2 = hr and Ux1+αy1V x2+αy2 = cr d rα
=⇒ Hop-S-Perfect: AdvGame4 = AdvGame3
ENS/CNRS/INRIA Cascade David Pointcheval 45/68
Proof: DDH Assumption
• Game4: we modify the generation of the challenge ciphertext:
Original Challenge
Random choice: b R← {0,1}, r R← Zq [α = H(u1, u2, e)]
u1 = gr1, u2 = gr
2, e = mb × hr , v = cr d rα
New Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
With (U = gr1,V = gr
2): Uz1V z2 = hr and Ux1+αy1V x2+αy2 = cr d rα
=⇒ Hop-S-Perfect: AdvGame4 = AdvGame3
ENS/CNRS/INRIA Cascade David Pointcheval 45/68
Proof: DDH Assumption
• Game4: we modify the generation of the challenge ciphertext:
Original Challenge
Random choice: b R← {0,1}, r R← Zq [α = H(u1, u2, e)]
u1 = gr1, u2 = gr
2, e = mb × hr , v = cr d rα
New Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
With (U = gr1,V = gr
2): Uz1V z2 = hr and Ux1+αy1V x2+αy2 = cr d rα
=⇒ Hop-S-Perfect: AdvGame4 = AdvGame3
ENS/CNRS/INRIA Cascade David Pointcheval 45/68
Proof: DDH Assumption
• Game4: we modify the generation of the challenge ciphertext:
Original Challenge
Random choice: b R← {0,1}, r R← Zq [α = H(u1, u2, e)]
u1 = gr1, u2 = gr
2, e = mb × hr , v = cr d rα
New Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
With (U = gr1,V = gr
2): Uz1V z2 = hr and Ux1+αy1V x2+αy2 = cr d rα
=⇒ Hop-S-Perfect: AdvGame4 = AdvGame3
ENS/CNRS/INRIA Cascade David Pointcheval 45/68
Proof: DDH Assumption
• Game4: we modify the generation of the challenge ciphertext:
Original Challenge
Random choice: b R← {0,1}, r R← Zq [α = H(u1, u2, e)]
u1 = gr1, u2 = gr
2, e = mb × hr , v = cr d rα
New Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
With (U = gr1,V = gr
2): Uz1V z2 = hr and Ux1+αy1V x2+αy2 = cr d rα
=⇒ Hop-S-Perfect: AdvGame4 = AdvGame3
ENS/CNRS/INRIA Cascade David Pointcheval 45/68
Proof: DDH Assumption
• Game5: we modify the generation of the challenge ciphertext:
Previous Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
New Challenge 2
Given (U = gr11 ,V = gr2
2 ) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
The input changes from (U = gr1,V = gr
2) to (U = gr11 ,V = gr2
2 ):=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× Advddh
G (t)
ENS/CNRS/INRIA Cascade David Pointcheval 46/68
Proof: DDH Assumption
• Game5: we modify the generation of the challenge ciphertext:
Previous Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
New Challenge 2
Given (U = gr11 ,V = gr2
2 ) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
The input changes from (U = gr1,V = gr
2) to (U = gr11 ,V = gr2
2 ):=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× Advddh
G (t)
ENS/CNRS/INRIA Cascade David Pointcheval 46/68
Proof: DDH Assumption
• Game5: we modify the generation of the challenge ciphertext:
Previous Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
New Challenge 2
Given (U = gr11 ,V = gr2
2 ) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
The input changes from (U = gr1,V = gr
2) to (U = gr11 ,V = gr2
2 ):=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× Advddh
G (t)
ENS/CNRS/INRIA Cascade David Pointcheval 46/68
Proof: DDH Assumption
• Game5: we modify the generation of the challenge ciphertext:
Previous Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
New Challenge 2
Given (U = gr11 ,V = gr2
2 ) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
The input changes from (U = gr1,V = gr
2) to (U = gr11 ,V = gr2
2 ):=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× Advddh
G (t)
ENS/CNRS/INRIA Cascade David Pointcheval 46/68
Proof: DDH Assumption
• Game5: we modify the generation of the challenge ciphertext:
Previous Challenge 1
Given (U = gr1,V = gr
2) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
New Challenge 2
Given (U = gr11 ,V = gr2
2 ) and random choice b R← {0,1}
u1 = U, u2 = V , e = mb × Uz1V z2 , v = Ux1+αy1V x2+αy2
The input changes from (U = gr1,V = gr
2) to (U = gr11 ,V = gr2
2 ):=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× Advddh
G (t)
ENS/CNRS/INRIA Cascade David Pointcheval 46/68
Proof: DDH Assumption
The input from outside changes from (U = gr1,V = gr
2) (a CDH tuple)to (U = gr1
1 ,V = gr22 ) (a random tuple):
PrGame4
[b′ = b]− PrGame5
[b′ = b] ≤ AdvddhG (t)
=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
(Since Adv = 2× Pr[b′ = b]− 1)
ENS/CNRS/INRIA Cascade David Pointcheval 47/68
Proof: DDH Assumption
The input from outside changes from (U = gr1,V = gr
2) (a CDH tuple)to (U = gr1
1 ,V = gr22 ) (a random tuple):
PrGame4
[b′ = b]− PrGame5
[b′ = b] ≤ AdvddhG (t)
=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
(Since Adv = 2× Pr[b′ = b]− 1)
ENS/CNRS/INRIA Cascade David Pointcheval 47/68
Proof: DDH Assumption
The input from outside changes from (U = gr1,V = gr
2) (a CDH tuple)to (U = gr1
1 ,V = gr22 ) (a random tuple):
PrGame4
[b′ = b]− PrGame5
[b′ = b] ≤ AdvddhG (t)
=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
(Since Adv = 2× Pr[b′ = b]− 1)
ENS/CNRS/INRIA Cascade David Pointcheval 47/68
Proof: DDH Assumption
The input from outside changes from (U = gr1,V = gr
2) (a CDH tuple)to (U = gr1
1 ,V = gr22 ) (a random tuple):
PrGame4
[b′ = b]− PrGame5
[b′ = b] ≤ AdvddhG (t)
=⇒ Hop-D-Comp: AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
(Since Adv = 2× Pr[b′ = b]− 1)
ENS/CNRS/INRIA Cascade David Pointcheval 47/68
Proof: Collision
• Game6: we abort (with a random output b′)in case of second pre-image with a decryption query
Event FH
A submits a ciphertext with the same α as the challenge ciphertext,but a different initial triple: (u1,u2,e) 6= (u∗1,u
∗2,e∗), but α = α∗, were
“*” are for all the elements related to the challenge ciphertext.
Second pre-image of H: =⇒ Pr[FH ] ≤ SuccH(t)
The advantage in Game6 is: PrGame6 [b′ = b|FH ] = 1/2
PrGame5
[FH ] = PrGame6
[FH ] PrGame6
[b′ = b|¬FH ] = PrGame5
[b′ = b|¬FH ]
=⇒ Hop-S-Negl: AdvGame6 ≥ AdvGame5 − Pr[FH ]
AdvGame6 ≥ AdvGame5 − SuccH(t)ENS/CNRS/INRIA Cascade David Pointcheval 48/68
Proof: Collision
• Game6: we abort (with a random output b′)in case of second pre-image with a decryption query
Event FH
A submits a ciphertext with the same α as the challenge ciphertext,but a different initial triple: (u1,u2,e) 6= (u∗1,u
∗2,e∗), but α = α∗, were
“*” are for all the elements related to the challenge ciphertext.
Second pre-image of H: =⇒ Pr[FH ] ≤ SuccH(t)
The advantage in Game6 is: PrGame6 [b′ = b|FH ] = 1/2
PrGame5
[FH ] = PrGame6
[FH ] PrGame6
[b′ = b|¬FH ] = PrGame5
[b′ = b|¬FH ]
=⇒ Hop-S-Negl: AdvGame6 ≥ AdvGame5 − Pr[FH ]
AdvGame6 ≥ AdvGame5 − SuccH(t)ENS/CNRS/INRIA Cascade David Pointcheval 48/68
Proof: Collision
• Game6: we abort (with a random output b′)in case of second pre-image with a decryption query
Event FH
A submits a ciphertext with the same α as the challenge ciphertext,but a different initial triple: (u1,u2,e) 6= (u∗1,u
∗2,e∗), but α = α∗, were
“*” are for all the elements related to the challenge ciphertext.
Second pre-image of H: =⇒ Pr[FH ] ≤ SuccH(t)
The advantage in Game6 is: PrGame6 [b′ = b|FH ] = 1/2
PrGame5
[FH ] = PrGame6
[FH ] PrGame6
[b′ = b|¬FH ] = PrGame5
[b′ = b|¬FH ]
=⇒ Hop-S-Negl: AdvGame6 ≥ AdvGame5 − Pr[FH ]
AdvGame6 ≥ AdvGame5 − SuccH(t)ENS/CNRS/INRIA Cascade David Pointcheval 48/68
Proof: Collision
• Game6: we abort (with a random output b′)in case of second pre-image with a decryption query
Event FH
A submits a ciphertext with the same α as the challenge ciphertext,but a different initial triple: (u1,u2,e) 6= (u∗1,u
∗2,e∗), but α = α∗, were
“*” are for all the elements related to the challenge ciphertext.
Second pre-image of H: =⇒ Pr[FH ] ≤ SuccH(t)
The advantage in Game6 is: PrGame6 [b′ = b|FH ] = 1/2
PrGame5
[FH ] = PrGame6
[FH ] PrGame6
[b′ = b|¬FH ] = PrGame5
[b′ = b|¬FH ]
=⇒ Hop-S-Negl: AdvGame6 ≥ AdvGame5 − Pr[FH ]
AdvGame6 ≥ AdvGame5 − SuccH(t)ENS/CNRS/INRIA Cascade David Pointcheval 48/68
Proof: Invalid ciphertexts
• Game7: we abort (with a random output b′)in case of bad accepted ciphertext,we do as in Game1
Event F′
A submits a bad accepted ciphertext(note: this is not computationally detectable)
The advantage in Game7 is: PrGame7 [b′ = b|F′] = 1/2
PrGame6
[F′] = PrGame7
[F′] PrGame7
[b′ = b|¬F′] = PrGame6
[b′ = b|¬F′]
=⇒ Hop-S-Negl: AdvGame7 ≥ AdvGame6 − Pr[F′]
ENS/CNRS/INRIA Cascade David Pointcheval 49/68
Proof: Invalid ciphertexts
• Game7: we abort (with a random output b′)in case of bad accepted ciphertext,we do as in Game1
Event F′
A submits a bad accepted ciphertext(note: this is not computationally detectable)
The advantage in Game7 is: PrGame7 [b′ = b|F′] = 1/2
PrGame6
[F′] = PrGame7
[F′] PrGame7
[b′ = b|¬F′] = PrGame6
[b′ = b|¬F′]
=⇒ Hop-S-Negl: AdvGame7 ≥ AdvGame6 − Pr[F′]
ENS/CNRS/INRIA Cascade David Pointcheval 49/68
Proof: Invalid ciphertexts
• Game7: we abort (with a random output b′)in case of bad accepted ciphertext,we do as in Game1
Event F′
A submits a bad accepted ciphertext(note: this is not computationally detectable)
The advantage in Game7 is: PrGame7 [b′ = b|F′] = 1/2
PrGame6
[F′] = PrGame7
[F′] PrGame7
[b′ = b|¬F′] = PrGame6
[b′ = b|¬F′]
=⇒ Hop-S-Negl: AdvGame7 ≥ AdvGame6 − Pr[F′]
ENS/CNRS/INRIA Cascade David Pointcheval 49/68
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
Details: Bad Accept
In order to evaluate Pr[F′], we study the probability that
• r1 = logg1u1 6= logg2
u2 = r2,
• whereas v = u1x1+αy1u2
x2+αy2
Let us use “*” for all the elements related to the challenge ciphertext.
Three cases may appear:
• Case 1: (u1,u2,e) = (u∗1,u∗2,e∗), then necessarily
v 6= v∗ = Ux1+α∗y1V x2+α
∗y2 = u∗1x1+α
∗y1u∗2x2+α
∗y2
Then, the ciphertext is rejected =⇒ Pr[F′1] = 0
• Case 2: (u1,u2,e) 6= (u∗1,u∗2,e∗), but α = α∗:
From the previous game, Aborts =⇒ Pr[F′2] = 0
• Case 3: (u1,u2,e) 6= (u∗1,u∗2,e∗), and α 6= α∗
ENS/CNRS/INRIA Cascade David Pointcheval 50/68
Details: Bad Accept (Case 3)
The adversary knows the public key, and the (invalid) challengeciphertext:
c = gx11 gx2
2 d = gy11 gy2
2
v∗ = Ux1+α∗y1V x2+α
∗y2 = gr∗1 (x1+α∗y1)
1 gr∗2 (x2+α∗y2)
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v∗ = r∗1 (x1 + α∗y1) + sr∗2 (x2 + α∗y2)
log v = r1(x1 + αy1) + sr2(x2 + αy2)
ENS/CNRS/INRIA Cascade David Pointcheval 51/68
Details: Bad Accept (Case 3)
The adversary knows the public key, and the (invalid) challengeciphertext:
c = gx11 gx2
2 d = gy11 gy2
2
v∗ = Ux1+α∗y1V x2+α
∗y2 = gr∗1 (x1+α∗y1)
1 gr∗2 (x2+α∗y2)
2
Let us move to the exponents, in basis g1, with g2 = gs1:
log c = x1 + sx2
log d = y1 + sy2
log v∗ = r∗1 (x1 + α∗y1) + sr∗2 (x2 + α∗y2)
log v = r1(x1 + αy1) + sr2(x2 + αy2)
ENS/CNRS/INRIA Cascade David Pointcheval 51/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ =
∣∣∣∣∣∣∣∣∣1 s 0 00 0 1 sr∗1 sr∗2 r∗1α
∗ sr∗2α∗
r1 sr2 r1α sr2α
∣∣∣∣∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ =
∣∣∣∣∣∣∣∣∣1 s 0 00 0 1 sr∗1 sr∗2 r∗1α
∗ sr∗2α∗
r1 sr2 r1α sr2α
∣∣∣∣∣∣∣∣∣=
∣∣∣∣∣∣∣0 1 s
sr∗2 r∗1α∗ sr∗2α
∗
sr2 r1α sr2α
∣∣∣∣∣∣∣− s ×
∣∣∣∣∣∣∣0 1 sr∗1 r∗1α
∗ sr∗2α∗
r1 r1α sr2α
∣∣∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ =
∣∣∣∣∣∣∣0 1 s
sr∗2 r∗1α∗ sr∗2α
∗
sr2 r1α sr2α
∣∣∣∣∣∣∣− s ×
∣∣∣∣∣∣∣0 1 sr∗1 r∗1α
∗ sr∗2α∗
r1 r1α sr2α
∣∣∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ =
∣∣∣∣∣∣∣0 1 s
sr∗2 r∗1α∗ sr∗2α
∗
sr2 r1α sr2α
∣∣∣∣∣∣∣− s ×
∣∣∣∣∣∣∣0 1 sr∗1 r∗1α
∗ sr∗2α∗
r1 r1α sr2α
∣∣∣∣∣∣∣= s2 ×
∣∣∣∣∣∣∣
0 1 1r∗2 r∗1α
∗ r∗2α∗
r2 r1α r2α
∣∣∣∣∣∣∣−∣∣∣∣∣∣∣
0 1 1r∗1 r∗1α
∗ r∗2α∗
r1 r1α r2α
∣∣∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
∣∣∣∣∣∣∣
0 1 1r∗2 r∗1α
∗ r∗2α∗
r2 r1α r2α
∣∣∣∣∣∣∣−∣∣∣∣∣∣∣
0 1 1r∗1 r∗1α
∗ r∗2α∗
r1 r1α r2α
∣∣∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
∣∣∣∣∣∣∣
0 1 1r∗2 r∗1α
∗ r∗2α∗
r2 r1α r2α
∣∣∣∣∣∣∣−∣∣∣∣∣∣∣
0 1 1r∗1 r∗1α
∗ r∗2α∗
r1 r1α r2α
∣∣∣∣∣∣∣
= s2 ×
r2 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ − r∗2 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣−r1 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ + r∗1 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
r2 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ − r∗2 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣−r1 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ + r∗1 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
r2 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ − r∗2 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣−r1 ×
∣∣∣∣∣ 1 1r∗1α∗ r∗2α
∗
∣∣∣∣∣ + r∗1 ×
∣∣∣∣∣ 1 1r1α r2α
∣∣∣∣∣
= s2 ×
(r2 × (r∗2 − r∗1 )× α∗ − r∗2 × (r2 − r1)× α−r1 × (r∗2 − r∗1 )× α∗ + r∗1 × (r2 − r1)× α
)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
(r2 × (r∗2 − r∗1 )× α∗ − r∗2 × (r2 − r1)× α−r1 × (r∗2 − r∗1 )× α∗ + r∗1 × (r2 − r1)× α
)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 ×
(r2 × (r∗2 − r∗1 )× α∗ − r∗2 × (r2 − r1)× α−r1 × (r∗2 − r∗1 )× α∗ + r∗1 × (r2 − r1)× α
)= s2 × ((r2 − r1)× (r∗2 − r∗1 )× α∗ − (r∗2 − r∗1 )× (r2 − r1)× α)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × ((r2 − r1)× (r∗2 − r∗1 )× α∗ − (r∗2 − r∗1 )× (r2 − r1)× α)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × ((r2 − r1)× (r∗2 − r∗1 )× α∗ − (r∗2 − r∗1 )× (r2 − r1)× α)
= s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
6= 0
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
6= 0
The system is under-defined:for any v , there are (x1, x2, y1, y2) that satisfy the system
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
6= 0
The system is under-defined:for any v , there are (x1, x2, y1, y2) that satisfy the system
=⇒ v is unpredictable
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
6= 0
The system is under-defined:for any v , there are (x1, x2, y1, y2) that satisfy the system
=⇒ v is unpredictable =⇒ Pr[F′3] ≤ qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Details: Bad Accept (Case 3)
The determinant of the system is
∆ = s2 × (r2 − r1)× (r∗2 − r∗1 )× (α∗ − α)
6= 0
The system is under-defined:for any v , there are (x1, x2, y1, y2) that satisfy the system
=⇒ v is unpredictable =⇒ Pr[F′3] ≤ qD/q
=⇒ AdvGame7 ≥ AdvGame6 − qD/q
ENS/CNRS/INRIA Cascade David Pointcheval 52/68
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
Proof: Analysis of the Final Game
In the final Game7:
• only valid ciphertexts are decrypted
• the challenge ciphertext containse = mb × Uz1V z2
• the public key containsh = gz1
1 gz22
Again, the system is under-defined:for any mb, there are (z1, z2) that satisfy the system=⇒ mb is unpredictable =⇒ b is unpredictable=⇒ AdvGame7 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 53/68
Conclusion
AdvGame7 = 0
AdvGame7 ≥ AdvGame6 − qD/q
AdvGame6 ≥ AdvGame5 − SuccH(t)
AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
AdvGame4 = AdvGame3
AdvGame3 ≥ AdvGame2 − qD/q
AdvGame2 = AdvGame1
AdvGame1 ≥ AdvGame0 − qD/q
AdvGame0 = Advind−ccaCS (A)
Advind−ccaCS (A) ≤ 2× Advddh
G (t) + SuccH(t) + 3qD/qENS/CNRS/INRIA Cascade David Pointcheval 54/68
Conclusion
AdvGame7 = 0
AdvGame7 ≥ AdvGame6 − qD/q
AdvGame6 ≥ AdvGame5 − SuccH(t)
AdvGame5 ≥ AdvGame4 − 2× AdvddhG (t)
AdvGame4 = AdvGame3
AdvGame3 ≥ AdvGame2 − qD/q
AdvGame2 = AdvGame1
AdvGame1 ≥ AdvGame0 − qD/q
AdvGame0 = Advind−ccaCS (A)
Advind−ccaCS (A) ≤ 2× Advddh
G (t) + SuccH(t) + 3qD/qENS/CNRS/INRIA Cascade David Pointcheval 54/68
Outline
Basic Security Notions
Game-based Proofs
Advanced Security for Encryption
Advanced Security Notions
Cramer-Shoup Encryption Scheme
Generic Conversion
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 55/68
First Generic Conversion [Bellare-Rogaway – Eurocrypt ’93]
For efficiency: random oracle model
Setup
• A trapdoor one-way permutation family {(f ,g)} onto the set X
• Two hash functions, for the security parameter k1,
G : X −→ {0,1}n and H : {0,1}? −→ {0,1}k1 ,
where n is the bit-length of the plaintexts.
Key GenerationOne chooses a random element in the family
• f is the public key
• the inverse g is the private key
ENS/CNRS/INRIA Cascade David Pointcheval 56/68
First Generic Conversion [Bellare-Rogaway – Eurocrypt ’93]
For efficiency: random oracle model
Setup
• A trapdoor one-way permutation family {(f ,g)} onto the set X
• Two hash functions, for the security parameter k1,
G : X −→ {0,1}n and H : {0,1}? −→ {0,1}k1 ,
where n is the bit-length of the plaintexts.
Key GenerationOne chooses a random element in the family
• f is the public key
• the inverse g is the private key
ENS/CNRS/INRIA Cascade David Pointcheval 56/68
First Generic Conversion (Cont’ed)
EncryptionOne chooses a random element r ∈ X
a = f (r), b = m ⊕ G(r), c = H(m, r)
DecryptionGiven (a,b, c), and the private key g,
• one first recovers r = g(a)
• one gets m = b ⊕ G(r)
• one then checks whether c ?= H(m, r)
If the equality holds, one returns m,otherwise one rejects the ciphertext
ENS/CNRS/INRIA Cascade David Pointcheval 57/68
First Generic Conversion (Cont’ed)
EncryptionOne chooses a random element r ∈ X
a = f (r), b = m ⊕ G(r), c = H(m, r)
DecryptionGiven (a,b, c), and the private key g,
• one first recovers r = g(a)
• one gets m = b ⊕ G(r)
• one then checks whether c ?= H(m, r)
If the equality holds, one returns m,otherwise one rejects the ciphertext
ENS/CNRS/INRIA Cascade David Pointcheval 57/68
Security of the Bellare-Rogaway Conversion
TheoremThe Bellare-Rogaway conversion achieves IND− CCA security,under the one-wayness of the trapdoor permutation f :
Advind−ccaBR (t) ≤ 2× Succow
f (T ) +4qD
2k1,
where T ≤ t + (qG + qH) · Tf .
Let us prove this theorem, with a sequence of games, in which A isan IND− CCA adversary against the Bellare-Rogaway conversion.
ENS/CNRS/INRIA Cascade David Pointcheval 58/68
Security of the Bellare-Rogaway Conversion
TheoremThe Bellare-Rogaway conversion achieves IND− CCA security,under the one-wayness of the trapdoor permutation f :
Advind−ccaBR (t) ≤ 2× Succow
f (T ) +4qD
2k1,
where T ≤ t + (qG + qH) · Tf .
Let us prove this theorem, with a sequence of games, in which A isan IND− CCA adversary against the Bellare-Rogaway conversion.
ENS/CNRS/INRIA Cascade David Pointcheval 58/68
Real Attack Game
H
Challenger
● (pk, sk) ← Setup()● Chooses a bit b● c ← E(pk,m
b)
● if b=b': 1● else 0
Adversary0 / 1
Game 0
pkm0,m1
c
b'
Oracles
DSetup
Key Generation OracleRandom permutation f , and its inverse g
Decryption OracleCompute r = g(a), and then m = b ⊕ G(r)
if c = H(m, r), outputs m, otherwise reject
ENS/CNRS/INRIA Cascade David Pointcheval 59/68
Simulation of the Random Oracles
• Game0: use of the perfect oracles
Challenge CiphertextRandom r , random bit b: a = f (r), b = mb ⊕ G(r), c = H(m, r)
AdvGame0 = 2× PrGame0
[b′ = b]− 1 = ε
• Game1: use of the simulation of the random oracles
Random OraclesFor any new query, a new random output: management of lists
AdvGame1 = AdvGame0
ENS/CNRS/INRIA Cascade David Pointcheval 60/68
Simulation of the Random Oracles
• Game0: use of the perfect oracles
Challenge CiphertextRandom r , random bit b: a = f (r), b = mb ⊕ G(r), c = H(m, r)
AdvGame0 = 2× PrGame0
[b′ = b]− 1 = ε
• Game1: use of the simulation of the random oracles
Random OraclesFor any new query, a new random output: management of lists
AdvGame1 = AdvGame0
ENS/CNRS/INRIA Cascade David Pointcheval 60/68
Simulation of the Challenge Ciphertext
• Game2: use of an independent random value h+
Challenge Ciphertext
Random r , random bit b: a = f (r), b = mb ⊕ G(r), c = h+
This game is indistinguishable from the previous one, unless(mb, r) is queried to H: event AskMR (it can only be asked bythe adversary, since such a query by the decryption oracle wouldbe for the challenge ciphertext).Note that in case of AskMR, we stop the simulation with arandom output:
AdvGame2 ≥ AdvGame1 − 2× PrGame2
[AskMR]
ENS/CNRS/INRIA Cascade David Pointcheval 61/68
Simulation of the Decryption Oracle
• Game3: reject if (m, r) not queried to H
Decryption OracleLook in the H-list for (m, r) such that c = H(m, r).If not found: reject,if for one pair, a = f (r) and b = m ⊕ G(r), output m
This makes a difference if this value c, without having beenasked to H, is correct: for each attempt, the probability isbounded by 1/2k1 :
AdvGame3 ≥ AdvGame2 − 2qD/2k1
PrGame3
[AskMR] ≥ PrGame2
[AskMR]− qD/2k1
ENS/CNRS/INRIA Cascade David Pointcheval 62/68
Simulation of the Challenge Ciphertext
• Game4: use of an independent random value g+ (and h+)
Challenge Ciphertext
Random r , random bit b: a = f (r), b = mb ⊕ g+, c = h+
This game is indistinguishable from the previous one, unless r isqueried to G by the adversary or by the decryption oracle. Wedenote by AskR the event that r is asked to G or H by theadversary (which includes AskMR). But r cannot be asked to Gby the decryption oracle without AskR: only possible if r is in theH-list, and thus asked by the adversary:
AdvGame4 ≥ AdvGame3 − 2× PrGame3
[AskR ∧ ¬AskMR]
PrGame4
[AskR] = PrGame3
[AskMR] + PrGame3
[AskR ∧ ¬AskMR]
ENS/CNRS/INRIA Cascade David Pointcheval 63/68
Simulation of the Challenge Ciphertext
• Game5: use of an independent random value a+ (and g+, h+)
Challenge Ciphertext
random bit b: a = a+, b = mb ⊕ g+, c = h+
This determines r , the unique value such that a+ = f (r), whichallows to detect event AskR.This game is perfectly indistinguishable from the previous one:
AdvGame5 = AdvGame4
PrGame5
[AskR] = PrGame4
[AskR]
ENS/CNRS/INRIA Cascade David Pointcheval 64/68
Inversion of the Permutation
Since we can assume that a+ is a given challenge for inverting thepermutation f , when one looks in the G-list or the H-list, one can findr , the pre-image of a+:
PrGame5
[AskR] ≤ Succowf (t + (qG + qH) · Tf )
But clearly, in the last game, because of g+ that perfectly hides mb:
AdvGame5 = 0
ENS/CNRS/INRIA Cascade David Pointcheval 65/68
Conclusion
As a consequence, 0 = AdvGame5
= AdvGame4 ≥ AdvGame3 − 2× PrGame3
[AskR ∧ ¬AskMR]
≥ AdvGame2 − 2× PrGame3
[AskR ∧ ¬AskMR]− 2qD/2k1
≥ AdvGame1 − 2× PrGame2
[AskMR]− 2× PrGame3
[AskR ∧ ¬AskMR]− 2qD/2k1
≥ AdvGame0 − 2× PrGame3
[AskMR]− 2× PrGame3
[AskR ∧ ¬AskMR]− 4qD/2k1
≥ AdvGame0 − 2× PrGame4
[AskR]− 4qD/2k1
≥ AdvGame0 − 2× PrGame5
[AskR]− 4qD/2k1
And then,
AdvGame0 ≤ 4qD/2k1 + 2× Succowf (T )
ENS/CNRS/INRIA Cascade David Pointcheval 66/68
Conclusion
Outline
Basic Security Notions
Game-based Proofs
Advanced Security for Encryption
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 67/68
Conclusion
Game-based Methodology: the story of OAEP [Bellare-Rogaway EC ’94]
ENS/CNRS/INRIA Cascade David Pointcheval 68/68
Conclusion
Game-based Methodology: the story of OAEP [Bellare-Rogaway EC ’94]
• Reduction proven indistinguishable for an IND-CCA adversary(actually IND-CCA1, and not IND-CCA2) but widely believed forIND-CCA2, without any further analysis of the reductionThe direct-reduction methodology
• [Shoup - Crypto ’01]
Shoup showed the gap for IND-CCA2, under the OWPGranted his new game-based methodology
• [Fujisaki-Okamoto-Pointcheval-Stern – Crypto ’01]
FOPS proved the security for IND-CCA2, under the PD-OWPUsing the game-based methodology
ENS/CNRS/INRIA Cascade David Pointcheval 68/68
Conclusion
Game-based Methodology: the story of OAEP [Bellare-Rogaway EC ’94]
• Reduction proven indistinguishable for an IND-CCA adversary(actually IND-CCA1, and not IND-CCA2) but widely believed forIND-CCA2, without any further analysis of the reductionThe direct-reduction methodology
• [Shoup - Crypto ’01]
Shoup showed the gap for IND-CCA2, under the OWPGranted his new game-based methodology
• [Fujisaki-Okamoto-Pointcheval-Stern – Crypto ’01]
FOPS proved the security for IND-CCA2, under the PD-OWPUsing the game-based methodology
ENS/CNRS/INRIA Cascade David Pointcheval 68/68
Conclusion
Game-based Methodology: the story of OAEP [Bellare-Rogaway EC ’94]
• Reduction proven indistinguishable for an IND-CCA adversary(actually IND-CCA1, and not IND-CCA2) but widely believed forIND-CCA2, without any further analysis of the reductionThe direct-reduction methodology
• [Shoup - Crypto ’01]
Shoup showed the gap for IND-CCA2, under the OWPGranted his new game-based methodology
• [Fujisaki-Okamoto-Pointcheval-Stern – Crypto ’01]
FOPS proved the security for IND-CCA2, under the PD-OWPUsing the game-based methodology
ENS/CNRS/INRIA Cascade David Pointcheval 68/68