Simulation-based Selective Opening CCA Security for PKE fromKey Encapsulation Mechanisms ?

Shengli Liu1 and Kenneth G. Paterson2

1 Department of Computer Science and Engineering,Shanghai Jiao Tong University, Shanghai 200240, China

2 Information Security Group, Royal Holloway, University of Londonslliu@sjtu.edu.cn kenny.paterson@rhul.ac.uk

Abstract. We study simulation-based, selective opening security against chosen-ciphertext attacks(SIM-SO-CCA security) for public key encryption (PKE). In a selective opening, chosen-ciphertext at-tack (SO-CCA), an adversary has access to a decryption oracle, sees a vector of ciphertexts, adaptivelychooses to open some of them, and obtains the corresponding plaintexts and random coins used in thecreation of the ciphertexts. The SIM-SO-CCA notion captures the security of unopened ciphertextswith respect to probabilistic polynomial-time (ppt) SO-CCA adversaries in a semantic way: what a pptSO-CCA adversary can compute can also be simulated by a ppt simulator with access only to the openedmessages. Building on techniques used to achieve weak deniable encryption and non-committing encryp-tion, Fehr et al. (Eurocrypt 2010) presented an approach to constructing SIM-SO-CCA secure PKE fromextended hash proof systems (EHPSs), collision-resistant hash functions and an information-theoreticprimitive called Cross Authentication Codes (XACs). We generalize their approach by introducing aspecial type of Key Encapsulation Mechanism (KEM) and using it to build SIM-SO-CCA secure PKE.We investigate what properties are needed from the KEM to achieve SIM-SO-CCA security. We alsogive three instantiations of our construction. The first uses hash proof systems, the second relies onthe n-Linear assumption, and the third uses indistinguishability obfuscation (iO) in combination withextracting, puncturable Pseudo-Random Functions in a similar way to Sahai and Waters (STOC 2014).Our results establish the existence of SIM-SO-CCA secure PKE assuming only the existence of one-wayfunctions and iO. This result further highlights the simplicity and power of iO in constructing differentcryptographic primitives.

1 Introduction

Selective Opening Attacks (SOAs) concern a multi-user scenario, where an adversary adaptively corrupts aset of users to get their secret state information. In the case of public key encryption (PKE), we assume thatseveral senders send ciphertexts encrypting possibly correlated messages to a receiver. The SOA adversaryis able to (adaptively) corrupt some senders, exposing their messages and also the random coins used togenerate their ciphertexts. Security against selective opening attacks (SOA security) considers whether theuncorrupted ciphertexts remain secure.

There are two ways of formalizing SOA security: indistinguishability-based (IND-SO) and simulation-based (SIM-SO). According to whether the adversary is able to access to a decryption oracle during itsattack, SOA security is further classified into IND-SO-CPA, IND-SO-CCA, SIM-SO-CPA and SIM-SO-CCA.In the formalization of SOAs, we allow a probabilistic polynomial-time (ppt) adversary to get the publickey, a vector of challenge ciphertexts, and to adaptively corrupt (open) some ciphertexts to obtain openedplaintexts and random coins (and also access to a decryption oracle in the case of SO-CCA). The IND-SOsecurity notions require that the real messages (used to generate the challenge ciphertexts) and re-sampledmessages conditioned on the opened messages are computationally indistinguishable to an SOA adversary.Here we have to assume that the joint message distributions are efficiently conditionally re-samplable after theopened messages are exposed. On the other hand, the SIM-SO security notions have no such limitations. Theyrequire that what a probabilistic polynomial-time (ppt) SOA adversary can compute from the informationit has learned can be simulated by a ppt simulator only knowing the opened plaintexts. SIM-SO securityseems to be stronger than IND-SO security and significantly harder to achieve. We note the existence ofa stronger IND-SO security notion, namely full IND-SO security, which imposes no limitation on the jointmessage distributions. However, there is no PKE achieving full IND-SO-CPA security yet. The relationsamong SIM-SO security, IND-SO security, and traditional IND-CPA/CCA security were explored in [5, 17].

? An extended abstract of this paper will be published in the proceedings of the 18th International Conference onPractice and Theory in Public-Key Cryptography (PKC 2015). This is the full version.

Lossy encryption [3] has shown itself to be a very useful tool in achieving IND-SO-CPA security. Differentapproaches to achieving IND-SO-CCA security include the use of lossy trapdoor functions [22], All-But-N [14], and All-But-Many lossy trapdoor functions [15]. The basic idea is to make sure that only challengeciphertexts are lossy encryptions, while ciphertexts queried by the adversary are normal encryptions. If thereexists an efficient opener which can open a lossy encryption to an encryption of an arbitrary message, thenan IND-SO-CCA secure PKE can also been shown to be SIM-SO-CCA secure. However, it seems that, todate, only a single, DCR-based PKE scheme [15] is known to have this property.

In [12], Fehr et al. proposed a black-box PKE construction to achieve SIM-SO-CCA security basedon an Extended Hash Proof System (EHPS) associated with a subset membership problem, a collision-resistant hash function and a new information-theoretic primitive called Cross-Authentication Code (XAC).As pointed in [18, 19], a stronger property of XACs is needed to make the security proof rigorous.

1.1 Our Contributions

We generalize the black-box PKE construction of Fehr et al. [12] by using a special kind of key encapsulationmechanism (KEM) in combination with a strengthened XAC. Essentially, the KEM replaces the EHPScomponent in [12], opening up a new set of construction possibilities. In more detail:

– We characterise the properties needed of a KEM for our PKE construction to be SIM-SO-CCA secure. Ata high level, these properties are that the KEM should have efficiently samplable and explainable (ESE)ciphertext and key spaces; tailored decapsulation; and tailored, constrained chosen-ciphertext (tCCCA)security. Here tailored decapsulation roughly means that the valid ciphertexts output by the KEM aresparse in the ciphertext space, while tCCCA security is an extension of the CCCA security notion of[16]. If a KEM has all three properties, then we say that it is a tailored KEM.

– We show three constructions for tailored KEMs, including one based on hash proof systems (HPS) [8],a specific KEM from the n-Linear assumption [16] (but different from the HPS-based one) and oneconstructed from indistinguishability Obfuscation (iO) in combination with an extracting puncturablePseudo-Random Function (PRF) [23]. Consequently, we obtain PKEs of three different types, all enjoyingSIM-SO-CCA security. Thus, by adopting the KEM viewpoint, we significantly enlarge the scope of Fehret al.’s construction.

– Since our PKE construction does not rely on collision-resistant hash functions, we immediately obtainthe following results:

• PKE with SIM-SO-CCA security from HPS and strengthened XACs (as compared to the PKEconstruction of [12] using EPHS, a strong XAC, and a collision-resistant hash function).

• PKE with SIM-SO-CCA security from the n-Linear assumption in a way that differs from our HPS-based construction.

• PKE with SIM-SO-CCA security assuming only the existence of iO and one-way functions.

1.2 Ingredients of Our Main Construction

We follow the outline provided by the black-box PKE construction of Fehr et al. [12]. Observing that theEHPS used in [12] can actually be viewed as a KEM, our construction can be considered as a generalizationof their result. We first outline the properties of KEMs and XACs needed for our result, before describingthe construction and its security analysis at a high level.

The KEM component in our construction needs to be “tailored” with the following properties:

(1) Efficiently samplable and explainable (ESE) domains. The key space K and ciphertext space Cof the KEM should both be ESE domains. (Meaning that, given a randomised sampling algorithmSampleD for D, there exists an efficient algorithm, SampleD−1(D, ·), with the property that, given elementd from a domain D as input, SampleD−1(D, ·) outputs value R such that d can be “explained” as havingbeen sampled using R, i.e., d = SampleD(D;R).)

(2) Tailored decapsulation. The valid ciphertexts output by the encapsulation algorithm constitute onlya (small) subset of ciphertext space C. When the input is a ciphertext randomly chosen from C, thedecapsulation will either output⊥ with overwhelming probability or output a key that is almost uniformlydistributed over K.

2

(3) Tailored, constrained CCA (tCCCA) security. The output of the encapsulation algorithm is com-putationally indistinguishable from (KR, ψR), a pair of key and ciphertext randomly chosen from K×C,for any ppt adversary, even if the adversary has access to a constrained decryption oracle. The adversaryis allowed to make queries of the form (ψ, P (·)) to the constrained decryption oracle, where ψ is anelement of C and P (·) is a ppt predicate, such that P (·) : K → {0, 1} evaluates to 1 only for a negligiblefraction of keys. The constrained decryption oracle will provide the decapsulated K to the adversary ifonly if P (K) = 1.

We will also need a strengthened XAC definition. A strengthened `-XAC is a collection of algorithmsXAC = (XGen,XAuth,XVer) having the following properties:

Authentication and Verification. Algorithm XAuth computes a tag T ← XAuth(K1, . . . ,K`) from `inputs (which will be random keys in our construction). Any Ki used in generating the tag T almostalways satisfies XVer(Ki, T ) = 1.

Security against impersonation/substitution attacks. Security against impersonation attacks meansthat, given a tag T , a randomly chosen key K will almost always fail verification with this specifictag, i.e., XVer(K,T ) = 0. A substitution attack considers an (all-powerful) adversary who obtains a tagT = XAuth(K1, . . . ,K`) and tries to forge a tag T ′ 6= T such that XVer(Ki, T

′) = 1, where Ki is oneof the keys used in computing T . Security against substitution attacks requires that, if Ki is randomlychosen, then any adversary succeeds in outputting T ′ with T ′ 6= T and XVer(Ki, T

′) = 1 with negligibleprobability, even if it is given T and all keys except Ki as input.

Strongness and semi-uniqueness. Strongness says that when Ki is randomly chosen, then Ki, given(Kj)j∈[`],j 6=i and the tag T = XAuth(K1, . . . ,K`), is re-samplable with the correct probability dis-tribution. That is to say, there exists a ppt algorithm ReSample((Kj)j∈[`],j 6=i, T ) such that ReSample

outputs a key Ki that is statistically indistinguishable from Ki, even given (Kj)j∈[`],j 6=i and T =XAuth(K1, . . . ,K`). Semi-uniqueness says that it is possible to parse a key K as (Kx,Ky) ∈ Kx×Ky forsome sets Kx,Ky, and for every Kx ∈ Kx and a tag T , there is at most one Ky ∈ Ky such that (Kx,Ky)satisfies XVer((Kx,Ky), T ) = 1.

1.3 Overview of Our Main Construction

Given a tailored KEM KEM and a strengthened (`+ s)-XAC XAC, our construction of a PKE scheme PKEis as follows. (See Figure 4 for full details.)

– The public key of PKE is the public key pkkem of KEM, an injective function F with domain C` andrange (Ky)s, and a vector of values (Kx1

, . . . ,Kxs) ∈ (Kx)s. The secret key of PKE is skkem, the secretkey of KEM.

– The encryption operates in a bitwise mode. Let the `-bit message be m1|| . . . ||m`.

• When mi = 1, we set (Ki, ψi)← KEM.Encap(pkkem).

• When mi = 0, we choose (Ki, ψi) randomly from K × C.• After encrypting ` bits, we compute F (ψ1, . . . , ψ`) to get (Ky1 , . . . ,Kys), and construct s extra

keys K`+j = (Kxj ,Kyj ) for j = 1, . . . , s. All ` + s keys are then used to compute a tag T =XAuth(K1, . . . ,K`+s).

• Finally, the PKE ciphertext is C = (ψ1, . . . , ψ`, T ).

– The decryption also operates in a bitwise fashion. Omitting some crucial details, we first recompute(Ky1 , . . . ,Kys) using F and (ψ1, . . . , ψ`), reconstruct K`+j for j = 1, . . . , s, and then verify the cor-rectness of T using each K`+j in turn. Assuming this step passes, for each i, we compute Ki ←KEM.Decap(skkem, ψi), and set the recovered message bit as the output of XVer(Ki, T ). (When Ki = ⊥,we set XVer(Ki, T ) = 0).

Now, in the above decryption procedure, a KEM decapsulation error occurs whenever mi = 0. However,ψi is random in this case, and the tailored decapsulation makes sure that the output of KEM.Decap(skkem, ψi)is either ⊥ or a random key K; in either case, XVer(Ki, T ) is 0 except with negligible probability because ofthe security of XAC against impersonation attacks.

3

1.4 SIM-SO-CCA Security of Our Main Construction

We follow the techniques of non-committing and deniable encryption [7, 6, 10, 20] and try to create equiv-ocable ciphertexts that not only can be opened arbitrarily but that are also computationally indistin-guishable from real ciphertexts. In our construction, the equivocable ciphertexts are in fact encryptionsof ones. Note that tCCCA security of KEM ensures that (K,ψ) ≈c (KR, ψR), where (K,ψ) is the outputof KEM.Encap(pkkem) and (KR, ψR) is randomly chosen from K × C. On the other hand, both K and C areESE. Therefore, (K,ψ) encrypting 1 can always be explained as a random pair (KR, ψR) encrypting 0 byexposing the randomness output from SampleK−1(K,K) and SampleC−1(C, ψ).

However, this is not sufficient in the SO-CCA setting since the adversary is able to query its decryptionoracle and perform corruptions, and it might then be easy for the adversary to distinguish an encryptionof ones and an encryption of a real message. For example, consider an adversary that is given a ciphertextC = (ψ1, ψ2, . . . , ψ`, T ), where C is either an encryption of ones but opened as zeros with re-explainedrandomness, or an encryption of zeros being opened honestly. In fact, opened randomness exposes all Ki’s tothe adversary. Then the adversary can generate a different ciphertext C ′ = (ψ1, ψ2, . . . , ψ`, T

′) as follows. Anew tag T ′ (T ′ 6= T ) is computed as T ′ := XAuth(K ′1,K2, . . . ,K`+s), where K ′1 is randomly chosen and allother Ki’s (2 ≤ i ≤ `+s) are the same as in T . The decryption of C ′ will be (0, 1, . . . , 1) if C is an encryptionof ones but (0, 0, . . . , 0) if C is an encryption of zeros! The problem is that the opened randomness disclosesKi and that gives too much information to the adversary, especially when (Ki, ψi) encodes 0. To solve thisproblem, we have to use a different method to open Ki so that the adversary obtains no extra informationabout Ki when (Ki, ψi) encodes 0: first, we use algorithm ReSample of XAC to resample Ki to obtain astatistically indistinguishable Ki; then we call SampleK−1(K, Ki) and SampleC−1(C, ψi) to open (Ki, ψi) toan encryption of 0. Now an encryption of ones, say C = (ψ1, ψ2, . . . , ψ`, T ), is able to play the role of anequivocable ciphertext, due to the tCCCA security of KEM and the security of XAC.

Consequently, we can build a simulator S with respect to an adversary A to prove SIM-SO-CCA security:S simulates the real environment for A by generating public and private keys, and uses the private key toanswer A’s decryption queries; S creates n challenge ciphertexts all of which are encryptions of ones; whenA makes a corruption query concerning a challenge ciphertext C, S can open C bit-by-bit according to thereal message. If the bit mi is 1, it opens (Ki, ψi) honestly, otherwise it opens (Ki, ψi) to 0 by using ReSample,SampleC−1 and SampleK−1.

1.5 Related Work

The SOA security notion was first formally proposed by Dwork et al. [11]. SIM-SO-CPA and IND-SO-CPAnotions were given by Bellare et al. [3]. The relations among SOA security notions and traditional IND-CPAsecurity were investigated in [5, 17]. Bellare et al. [4] proposed the first SIM-SO-CPA secure Identity-BasedEncryption (IBE), while also adopting the non-committing technique and weak deniable encryption. Lai etal. [21] proposed the first construction for SIM-SO-CCA secure IBE from a so-called extractable IBE, acollision-resistant hash function, and a strengthened XAC. Recently, Sahai and Waters [23] introduced thepuncturable programming technique and employed puncturable PRFs and Indistinguishability Obfuscation(iO) to obtain a variety of cryptographic primitives including deniable encryption with IND-CPA security,PKE with IND-CPA and IND-CCA security, KEM with IND-CCA security, injective trapdoor functions,etc. It should be noted that any IND-CPA secure deniable encryption with ESE ciphertext space impliesa PKE with SIM-SO-CPA security. Therefore, the deniable encryption scheme in [23] that is based on apuncturable PRF and iO implicitly already gives us a SIM-SO-CPA secure PKE. Our result establishes thatSIM-SO-CCA security is achievable from puncturable PRFs and iO as well, albeit via the combination ofan IND-CCA secure KEM and a strengthened XAC.

2 Preliminaries

We use s1, . . . , st ← S to denote picking elements s1, . . . , st uniformly from set S. Let |S| denote the size of setS. Let [n] denote the set {1, . . . , n}. Let s1‖s2‖ . . . denotes the concatenation of strings. For a probabilisticpolynomial-time (ppt) algorithm A, we denote y ← A(x;R) the process of running A on input x withrandomness R, and assigning y as the result. Let RA denote the randomness space of A, and y ← A(x)denote y ← A(x;R) with R chosen from RA uniformly at random. Let Un denote the uniform distributionover {0, 1}n. A function f(κ) is negligible, denoted by neg(κ), if for every c > 0 there exists a κc such that

4

f(κ) < 1/κc for all κ > κc. Let ≈c (resp. ≈s) denote computational (resp. statistical) indistinguishabilitybetween two ensembles of random variables.

We use boldface letters for vectors. For a vector m of finite dimension, let |m| denote the length of thevector. For a set I = {i1, i2, . . . , i|I|} ⊆ [|m|], we define m[I] := (m[i1],m[i2], . . . ,m[i|I|]).

2.1 Public Key Encryption

A public key encryption (PKE) scheme is made up of three ppt algorithms:

KeyGen(1κ) takes as input the security parameter κ, and outputs a public key and a secret key (pk, sk).Enc(pk,M) takes as input the public key pk and a message M and outputs a ciphertext C.Dec(sk, C) takes as input the secret key sk and a ciphertext C and outputs either a message M or a failure

symbol ⊥.

The correctness of a PKE scheme is relaxed to allow a negligible decryption error ε(κ). That is, Dec(sk,Enc(pk,M)) =M holds with probability at least 1− ε(κ) for all (pk, sk)← KeyGen(1κ), where the probability is taken overthe coins used in encryption.

Let m and r be two vectors of dimension n := n(κ). Define Enc(pk,m; r) := (Enc(pk,m[1]; r[1]), . . . ,Enc(pk,m[n]; r[n])). Here r[i] is the fresh randomness used for the encryption of m[i] for i ∈ [n].

2.2 Simulation-based, Selective Opening CCA Security of PKE

We review the simulation-based definition of security for PKE against selective opening, chosen-ciphertextadversaries from [12].Let M denote an n-message sampler, which on input string α ∈ {0, 1}∗ outputs ann-vector m = (m[1], . . . ,m[n]) of messages. Let R be any ppt algorithm outputting a single bit.

Definition 1 (SIM-SO-CCA Security) A PKE scheme PKE=(KeyGen, Enc, Dec) is simulation-based,selective opening, chosen-ciphertext secure (SIM-SO-CCA secure) if for every ppt n-message sampler M,every ppt relation R, every restricted, stateful ppt adversary A = (A1,A2,A3), there is a stateful ppt simulatorS = (S1,S2,S3) such that Advso-ccaPKE,A,S,n,M,R(κ) is negligible, where

Advso-ccaPKE,A,S,n,M,R(κ) =∣∣∣Pr [Expso-cca-realPKE,A,n,M,R(κ) = 1

]− Pr

[Expso-cca-idealPKE,S,n,M,R(κ) = 1

]∣∣∣and experiments Expso-cca-realPKE,A,n,M,R(κ) and Expso-cca-idealPKE,S,n,M,R(κ) are defined in Figure 1. Here the restriction onA is that A2,A3 are not allowed to query the decryption oracle Dec(·) with any challenge ciphertext c[i] ∈ c.

Expso-cca-realPKE,A,n,M,R(κ):

(pk, sk)← KeyGen(1κ)

(α, a1)← ADec(·)1 (pk)

m←M(α), r← coinsc← Enc(pk,m; r)

(I, a2)← ADec/∈c(·)2 (a1, c)

outA ← ADec/∈c(·)3 (a2,m[I], r[I])

return R(m, I, outA)

Expso-cca-idealPKE,S,n,M,R(κ):

(α, s1)← S1(1κ)m←M(α)(I, s2)← S2(s1, (1

|m[i]|)i∈[n])outS ← S3(s2,m[I])return R(m, I, outS)

Fig. 1. Experiments used in the definition of SIM-SO-CCA security of PKE.

2.3 Key Encapsulation Mechanisms

A Key Encapsulation Mechanism (KEM) KEM consists of three ppt algorithms (KEM.Kg,KEM.Enc,KEM.Dec).Let K be the key space associated with KEM.

KEM.Kg(1κ) takes as input a security parameter κ and outputs public/secret key pair (pk, sk).

5

KEM.Encap(pk) takes as input the public key pk and outputs a key K and a ciphertext (or encapsulation)ψ.

KEM.Decap(sk, ψ) takes as input the secret key sk and a ciphertext ψ, and outputs either a key K or afailure symbol ⊥.

The correctness condition on a KEM KEM is that KEM.Decap(sk, ψ) = K holds for all κ ∈ N, all (pk, sk)← KEM.Kg(1κ), and all (K,ψ)← KEM.Encap(pk).

2.4 Efficiently Samplable and Explainable (ESE) Domain

A domain D is said to be efficiently samplable and explainable (ESE) [12] if associated with D are thefollowing two ppt algorithms:

Sample(D;R) : On input (a description of) domain D and random coins R← RSample, this algorithm outputsan element that is uniformly distributed over D.

Sample−1(D, x) : On input (a description of) domain D and any x ∈ D, this algorithm outputs R that isuniformly distributed over the set {R ∈ RSample | Sample(D;R) = x}.

Clearly D = {0, 1}κ is ESE with R = Sample(D;R) = Sample−1(D, R). It was shown by Damgard andNielsen in [10] that any dense subset of an efficiently samplable domain is ESE as long as the dense subsetadmits an efficient membership test. Hence, for example, Z∗Ns for a RSA modulus N is ESE.

2.5 Cross-Authentication Codes (XACs)

Cross-Authentication Codes (XACs) were first proposed by Fehr et al. in [12] and later adapted to strongXACs in [19] and strengthened XACs in [21].

Definition 2 (L-Cross-Authentication Code [12].) For L ∈ N, an L-cross-authentication code XACconsists of three ppt algorithms (XGen, XAuth, XVer) and two associated spaces, the key space XK and thetag space XT (whose sizes are related to the security parameter κ). The key generation algorithm XGen(1κ)outputs a uniformly random key K ∈ XK, the authentication algorithm XAuth(K1, . . . ,KL) computes a tagT ∈ XT , and the verification algorithm XVer(K,T ) outputs a decision bit.

Correctness. For all i ∈ [L], the probability

failXAC(κ) := Pr[XVer(Ki,XAuth(K1, . . . ,KL)) 6= 1],

is negligible, where the probability is taken over K1, . . . ,KL ← XK.3

Security against impersonation and substitution attacks. Define:

AdvimpXAC(κ) := max

T ′Pr[XVer(K,T ′) = 1|K ← XK]

where the max is over all T ′ ∈ XT , and

AdvsubXAC(κ) := maxi,K6=i,F

Pr

T ′ 6= T∧XVer(Ki, T

′) = 1

∣∣∣∣∣∣∣Ki ← XK,

T := XAuth(K1, . . . ,KL),

T ′ ← F (T )

where the max is over all i ∈ [L], all K 6=i = (Kj)j∈[L],j 6=i ∈ XKL−1 and all (possibly randomized) functions

F : XT → XT . Then AdvimpXAC(κ) and AdvsubXAC(κ) are both negligible.

Definition 3 (Strong and semi-unique XACs.) An L-cross-authentication code XAC is strong and semi-unique if it has the following two properties:

3 When XK = Kx × Ky, the perfect correctness can be relaxed to allow a negligible failure probability failXAC(κ)when only the first components of (Ki)i∈[L] are randomly chosen.

6

Strongness [19]: Suppose there exists a ppt algorithm ReSamp, which takes as input (Kj)j 6=i and T ,

with K1, . . . ,KL ← XGen(1κ) and T ← XAuth(K1, . . . ,KL), and which outputs Ki. We write Ki ←ReSamp(K6=i, T ). Suppose the statistical distance between Ki output by ReSamp and Ki, conditioned on(K6=i, T ), is bounded by δ(κ), i.e.,

1

2·∑k∈XK

∣∣∣Pr[Ki = k | (K6=i, T ) ]− Pr[Ki = k | (K6=i, T ) ]∣∣∣ ≤ δ(κ).

Then the code XAC is said to be δ(κ)-strong; XAC is said to be strong if there exists ppt algorithmReSamp such that δ(κ) is negligible in κ.

Semi-Uniqueness [21]: The code XAC is said to be semi-unique if XK can be written as Kx ×Ky and if,given T ∈ XT and Kx ∈ Kx, there exists at most one Ky ∈ Ky such that XVer((Kx,Ky), T ) = 1.

For completeness, we include below the construction of `-cross-authentication codes proposed by Fehr etal. [12]. That it is also strong and semi-unique was shown in [21].

– XK = Ka ×Kb = F2q and XT = F`q ∪ {⊥}.

– (a, b)← XGen, where (a, b)← F2q.

– T ← XAuth((a1, b1), . . . , (a`, b`)). Let matrix A ∈ F`×`q consists of rows (1, ai, a2i , . . . , a

`−1i ) for i ∈ [`].

Let B be a column vector consisting of b1, . . . , b` ∈ F`q. If AT = B has no solution or more than onesolution, set T :=⊥. Otherwise A is a Vandermonde matrix. Let tag T = (T0, . . . , T`−1) be the columnvector that is uniquely determined by solving the linear system AT = B.

– Define T (x) = T0 + T1x + · · · + T`−1x`−1 ∈ Fq[x] with T = (T0, . . . , T`−1). XVer((a, b), T ) outputs 1 if

and only if T 6=⊥ and T (a) = b.– (a, b) ← ReSamp((aj , bj)j 6=i,j∈[`], T ). Choose a ← Fq such that a 6= aj (1 ≤ j ≤ `, j 6= i) and computeb := T (a). Conditioned on T = XAuth((a1, b1), . . . , (a`, b`)) (T 6=⊥) and (aj , bj)j 6=i, both of (a, b) and(ai, bi) are uniformly distributed over the same support.

– Any a ∈ Fq uniquely determines b := T (a) = T0 + T1a+ · · ·+ T`−1a`−1 such that XVer((a, b), T ) = 1.

3 KEM Tailored for Construction of PKE with SIM-SO-CCA Security

We describe the properties that are required of a KEM to build SIM-SO-CCA secure PKE; the constructionitself is given in the next section.

3.1 Valid Ciphertext Indistinguishability (VCI) of KEMs

Suppose KEM = (KEM.Kg,KEM.Encap,KEM.Decap) is associated with an efficiently recognizable ciphertextspace C. For fixed κ, let Ψ ⊂ C denote the set of possible key encapsulations output by KEM.Encap, soΨ = {ψ : ψ ← KEM.Encap(pk; r), (pk, sk)← KEM.Kg(1κ), r ← Coins}. The set Ψ is called the valid ciphertextset (for κ).

Definition 4 (Valid Ciphertext Indistinguishability) Let KEM be a KEM with valid ciphertext set Ψand ciphertext space C. Define the advantage of an adversary A in the experiment depicted in Figure 2 to be

AdvVCIKEM,A(κ) :=

∣∣∣Pr[ExpVCI-0

KEM,A(κ) = 1]− Pr

[ExpVCI-1

KEM,A(κ) = 1]∣∣∣ .

Then KEM is said to be Valid Ciphertext Indistinguishable (VCI) if for all ppt adversaries A, AdvVCIKEM,A(κ)

is negligible.

3.2 Tailored KEMs

To be of service in our construction of SIM-SO-CCA secure PKE, we need a KEM that is tailored to havethe following three properties, as explained in the introduction: (1) the key space K and ciphertext space Cof the KEM should both be ESE domains; (2) the valid ciphertexts output by the encapsulation algorithmconstitute only a small subset of ciphertext space C, and the decryption of a random ciphertext results infailure or a random key; (3) the KEM has tailored, constrained CCA security. We define the last of thesethree properties next.

7

ExpVCI-bKEM,A(κ) :

(pk, sk)← KEM.Kg(1κ)ψ∗0 ← C, (K∗, ψ∗1)← KEM.Encap(pk)

b′ ← ADecap 6=ψ∗b(·)

(pk, ψ∗b )Return(b′)

Decap 6=ψ∗(P,ψ)If ψ = ψ∗ return (⊥)K ← KEM.Decap(sk, ψ)If P (K) = 0 return (⊥);Else return (K)

Fig. 2. Experiment for defining Valid Ciphertext Indistinguishability of KEMs. Here Decap 6=ψ∗(P,ψ) denotes a con-strained decryption oracle, taking as input predicate P (·) and encapsulation ψ.

Exptccca−bKEM,A (κ) :

(pk, sk)← KEM.Kg(1κ)K∗0 ← K, ψ∗0 ← C(K∗1 , ψ

∗1)← KEM.Encap(pk)

b′ ← ADecap 6=ψ∗ (·)(pk,K∗b , ψ∗b )

Return(b′)

Decap 6=ψ∗(P,ψ)If ψ = ψ∗ return (⊥)K ← KEM.Decap(sk, ψ)If P (K) = 0 return (⊥);Else return (K)

Fig. 3. Experiment for defining IND-tCCCA security of KEMs. Here Decap 6=ψ∗(P,ψ) denotes a constrained decryptionoracle, taking as input predicate P (·) and encapsulation ψ. Predicate P (·) may vary in different queries.

Definition 5 (IND-tCCCA Security for KEMs) Let KEM be a KEM with ciphertext space C and validciphertext set Ψ , let A be a ppt adversary, and consider the experiment Exptccca−bKEM,A (κ) defined in Figure 3.

Define the advantage AdvtcccaKEM,A(κ) of A by:

AdvtcccaKEM,A(κ) :=∣∣∣Pr[Exptccca−0KEM,A (κ) = 1

]− Pr

[Exptccca−1KEM,A (κ) = 1

]∣∣∣ .Then KEM is said to be secure against tailored, constrained chosen ciphertext attacks (IND-tCCCA secure)if for all ppt adversaries A with negligible uncertainty uncertA(κ) (in κ), the advantage AdvtcccaKEM,A(κ) is

also negligible in κ. Here, the uncertainty of A is defined as uncertA(κ) := 1qd

∑qdi=1 Pr [Pi(K) = 1] , which

measures the average fraction of keys for which the evaluation of predicate Pi(·) is equal to 1 in the tCCCAexperiment, where Pi denotes the predicate used in the i-th query by A, and qd the number of decapsulationqueries made by A.

Constrained CCA (CCCA) security for PKE was introduced in [16] as a strictly weaker notion thanIND-CCA security. The formal defintion of IND-CCA security is included in Appendix A. The main differ-ence between IND-CCCA security and our newly defined IND-tCCCA security is that, in the IND-CCCAdefinition, the adversary is given a pair (K∗b , ψ

∗) where ψ∗ is always a correct encapsulation of K∗1 , while inthe IND-tCCCA definition, the adversary is given a pair (K∗b , ψ

∗b ) where, when b = 0, ψ∗b is just a random

element of C and, when b = 1, ψ∗b is a correct encapsulation of K∗b . However, IND-CCCA security and VCItogether imply IND-tCCCA security for KEMs:

Lemma 1. Suppose that KEM is a KEM having an efficiently recognizable ciphertext space C. If KEM isboth IND-CCCA secure and VCI then it is also IND-tCCCA secure.

Proof. Recall that the VCI and CCCA experiments are almost the same except for the construction of theadversary’s challenge. Let (K(R), ψ(R)) be chosen from C×K uniformly at random. Let (K,ψ) be the outputof KEM.Encap in the CCCA experiment. IND-CCCA security implies (K,ψ) ≈c (K(R), ψ). The VCI propertyimplies that ψ ≈c ψ(R), hence (K(R), ψ) ≈c (K(R), ψ(R)) when K(R) is chosen uniformly and independentlyof everything else. Finally, (K,ψ) ≈c (K(R), ψ(R)) follows from transitivity. ut

Tailored Decapsulation. We also tailor the functionality of our KEMs’ decapsulation algorithms to suitour PKE construction.

Definition 6 (Tailored Decapsulation) Suppose KEM = (KEM.Kg, KEM.Encap, KEM.Decap) is a KEM.Then KEM is said to have tailored decapsulation if there exists a negligible function η(κ) such that for all(pk, sk) output by KEM.Kg(1κ), one or the other of the following two cases pertains:

8

KeyGen(1κ) :(pkkem, skkem)←KEM.Kg(1κ)Kx1 , . . . ,Kxs ← Kxpk = (pkkem, (Kxj )j∈[s], F )sk = (skkem, pk).Return(pk, sk)

Enc(pk,m1|| . . . ||m`) :Parse pk as (pkkem, (Kxj )j∈[s], F )For i = 1 to `

If mi = 1(Ki, ψi)← KEM.Encap(pkkem)

Else ψi ← C;Ki ← K(Ky1 , . . . ,Kys)← F (ψ1, . . . , ψ`)For j = 1 to sK`+j ← (Kxj ,Kyj )

T ← XAuth(K1, . . . ,K`+s)Return (ψ1, . . . , ψ`, T )

Dec(sk, C) :

Parse C as (ψ1, . . . , ψ`, T )

For i = 1 to `

m′i ← 0

(K′y1 , . . . ,K′ys)← F (ψ1, . . . , ψ`)

For j = 1 to s

K′`+j ← (Kxj ,K′yj )

If∧sj=1 XVer(K

′`+j , T ) = 1

For i = 1 to `

K′i ← KEM.Decap(skkem, ψi)

If K′i =⊥, then m′i ← 0

Else m′i ← XVer(K′i, T )

Return(m′1||m′2|| . . . ,m′`)

Fig. 4. Construction of PKE scheme PKE from tailored KEM and (`+ s)-XAC.

– KEM.Decap rejects a random ψ′ ∈ C, except with negligible probability, i.e.,

Pr [KEM.Decap(skkem, ψ′) 6=⊥ | ψ′ ← C] ≤ η(κ).

– KEM.Decap outputs η(κ)-uniform keys on input a random element from C. That is, the statistical distancebetween the output and a uniform distribution on K is bounded by η(κ):

1

2

∑k∈K

∣∣∣∣Pr [KEM.Decap(skkem, ψ′) = k | ψ′ ← C]− 1

|K|

∣∣∣∣ ≤ η(κ).

Remark. The former case implies that valid ciphertexts are sparse in the whole ciphertext space, i.e., |V|/|C|is negligible. In the latter case, VCI (when VCI holds for all (pk, sk) ← KEM.Kg(1κ)) alone might implyIND-tCCCA security of KEM, since the decapsulated key is uniquely determined by the secret key and theciphertext (be it valid or invalid).

4 Construction of PKE with SIM-SO-CCA Security from Tailored KEMs

Let KEM = (KEM.Kg,KEM.Encap,KEM.Decap) be a KEM with valid ciphertext set Ψ , efficiently recognizableciphertext space C, and key space K = Kx ×Ky. We further assume that:

(1) KEM.Decap has tailored functionality as per Definition 6 (this will be used for the correctness of ourPKE construction);

(2) KEM is IND-tCCCA secure (this will be used in the SIM-SO-CCA security proof of the PKE construc-tion).

(3) Both the key space K and the ciphertext space C of KEM are efficiently samplable and explainabledomains, with algorithms (SampleK,SampleK−1) and (SampleC,SampleC−1) (these algorithms are alsoused in the security analysis).

We refer to a KEM possessing all three properties above as being a tailored KEM.Let F : C` → (Ky)

sbe an injective function (such functions are easily constructed using, for example,

encodings from C to bit-strings and from bit-strings to Ky, provided s is sufficiently large). Let XAC =(XGen,XAuth,XVer) be a δ(κ)-strong and semi-unique (` + s)-XAC with tag space XT and key space XK;suppose also that XK = K = Kx × Ky. Our main construction of PKE scheme PKE = (KeyGen,Enc,Dec)with message space {0, 1}` is shown in Figure 4.

Note that in the decryption, if XVer(K ′`+j , T ) = 1 for all j ∈ [s], then the recovered bit m′i equals 0 ifand only if the decapsulated key K ′i equals ⊥ or XVer(K ′i, T ) = 0.

9

KeyGen’(1κ) :(pkkem, skkem)←KEM.Kg(1κ)Kx ← Kx, H ← HGen(1κ).pk = (pkkem,Kx, H)sk = (skkem, pk)Return(pk, sk)

Enc’(pk,m1|| . . . ||m`) :For i = 1 to `

If mi = 1(Ki, ψi)← KEM.Encap(pkkem)

Else ψi ← C;Ki ← KKy ← H(ψ1, . . . , ψ`)K`+1 ← (Kx,Ky)T = XAuth(K1, . . . ,K`+1)Return (ψ1, . . . , ψ`, T )

Dec’(sk, C) :C = (ψ1, . . . , ψ`, T )For i = 1 to ` m′i ← 0K′y ← H(ψ1, . . . , ψ`)K′`+1 ← (Kx,K

′y)

If XVer(K′`+1, T ) = 1For i = 1 to `K′i ← KEM.Decap(skkem, ψi)If K′i =⊥, then m′i ← 0Else m′i ← XVer(K′i, T )}

Return(m′1||m′2|| . . . ,m′`)

Fig. 5. Construction of PKE scheme PKE’ from tailored KEM, (`+ 1)-XAC and CR hash function.

Correctness. Encryption and decryption are performed in bitwise fashion. Suppose mi = 1. Then (Ki, ψi)are the encapsulated key and corresponding valid encapsulation; by the correctness of KEM and XAC, thedecryption algorithm outputs m′i = 1, except with negligible probability failXAC. Suppose mi = 0. Then Ki

and ψi are chosen independently and uniformly at random from K and C, respectively. It follows that thetag T is independent of ψi. Now, during the decryption of the i-th bit, according to the tailored property ofKEM.Decap, K ′i is either ⊥ (and thus m′i = 0) with probability at least 1− η(κ), or K ′i is η(κ)-close to being

uniformly distributed on K. In the latter case, it holds that m′i = 0 except with probability η(κ)+AdvimpXAC(κ)

due to the η(κ)-uniformity of the key and the security of XAC against impersonation attack. Consequently,

decryption correctly undoes encryption except with probability at most ` ·max{failXAC(κ),AdvimpXAC(κ)+η(κ)},

which is negligible.

Lemma 2. PKE scheme PKE in Figure 4 has the property that, if two distinct ciphertexts C, C both passthe verification step

∧sj=1 XVer(K`+j , T ) = 1 during decryption, then they must have different tags T 6= T .

Proof. The proof is by contradiction and relies on the injectivity of F . Let C = (ψ1, . . . , ψ`, T ) and C =

(ψ1, . . . , ψ`, T ) be two different ciphertexts. Let (Ky1 , . . . ,Kys) = F (ψ1, . . . , ψ`) and (Ky1 , . . . , Kys) =

F (ψ1, . . . , ψ`). Suppose∧sj=1 XVer((Kxj ,Kyj ), T ) =

∧sj=1 XVer((Kxj , Kyj ), T ) = 1. If T = T , then C 6= C

implies (ψ1, . . . , ψ`) 6= (ψ1, . . . , ψ`), which further implies Kyj 6= Kyj for some j ∈ [s], by the injectivity

of F . On the other hand, we know that XVer((Kxj ,Kyj ), T ) = 1 and XVer((Kxj , Kyj ), T = T ) = 1; the

semi-unique property of XAC now implies that Kyj = Kyj , a contradiction. ut

The SIM-SO-CCA security of PKE will rely on Lemma 2, which in turn relies on the injectivity of F .The size of F ’s domain is closely related to parameter s: generally the parameter s will be linear in `. Sincewe need a (` + s)-XAC in the construction, the size of public key will be linear in `. The size of tag T inthe ciphertext will also grow linearly in s and therefore in `. To further decrease the size of public key andtags in our PKE construction, we can employ a collision-resistant (CR) hash function H = (HGen,HEval)mapping C` to Ky instead of the injective function F (see Appendix B for definitions). Then an (`+ 1)-XACis sufficient for the construction, and this results in more compact public keys and tags, but requires anadditional cryptographic assumption. When F is replaced by a CR hash function H, Lemma 2 still holds butrelies on the existence of collision-resistant (CR) hash function mapping Cl to a smaller range. We omit theobvious modifications to our PKE construction needed to accommodate the use of CR hash functions. Theconstruction using CR hash functions is given in Figure 5.

Theorem 1 Suppose KEM is a tailored KEM, and the (`+ s)-cross-authentication code XAC is δ(κ)-strong,semi-unique, and secure against impersonation and substitution attacks. Then the PKE scheme PKE con-structed in Figure 4 is SIM-SO-CCA secure. More precisely, for every ppt adversary A = (A1,A2,A3)against PKE in the SIM-SO-CCA real experiment that makes at most qd decryption queries, for every pptn-message sampler M, and every ppt relation R, we can construct a stateful ppt simulator S = (S1,S2,S3)

10

for the ideal experiment, and a ppt adversary B against the IND-tCCCA security of KEM, such that:

Advso-ccaPKE,A,S,n,M,R(κ) ≤ n` · AdvtcccaKEM,B(κ) + n`2qd ·(AdvsubXAC(κ) + Advimp

XAC(κ) + η(κ))

+ n` · δ(κ).

First, we give a high level overview of the proof before presenting our formal proof. We construct a pptsimulator S as follows. (See Figure 6.)

– S generates a public/private key pair and provides the public key to A.– S answers A’s decryption queries using the private key.– S prepares for A a vector of n challenge ciphertexts, each ciphertext encrypting ` ones.– When A decides to corrupt a subset of the challenge ciphertexts, S obtains the messages corresponding

to the corrupted ciphertexts and opens the corrupted ciphertexts bit-by-bit according to the messages.If bit mi should be opened to 1, S reveals to A the original randomness used by KEM.Encap to generate(Ki, ψi). If bit mi should be opened to 0, S first explains ψi with randomness output by SampleC−1(C, ψi)(as if ψi were randomly chosen). Then S uses algorithm ReSample of XAC to resample Ki to get Ki, andexplains Ki with randomness output by SampleC−1(K, Ki) (as if Ki was randomly chosen).

– S finally outputs whatever A outputs.

The essence of the SIM-SO-CCA security proof is then to show that encryptions of 1’s are computationallyindistinguishable from encryptions of real messages, even if the adversary can see the opened (real) messagesand the randomness of a corrupted subset of the challenge ciphertexts of his/her choice, and have access tothe decryption oracle. This is done with a hybrid argument running from Game 0 to Game n`. In Game kthe first k bits of messages are 1’s and are opened as S does while the last n` − k bits come from the realmessages and are opened honestly. The proof shows that Games k and k− 1 are indistinguishable using thetCCCA security of the tailored KEM and the security properties of the strengthened XAC.

If the k-th bit of the messages is 1, Games k and k−1 are identical. Otherwise, a tailored KEM adversaryB can be constructed to simulate Game k or k + 1 for adversary A. B is provided with a public key pkkem,a challenge (K∗, ψ∗) and a constrained decryption oracle, and is going to tell whether (K∗, ψ∗) is an outputof KEM.Encap(pkkem) or a random pair. B can generate a public key for A. When preparing the vector ofchallenge ciphertexts, B will encrypt the first k−1 bits from the real messages, use (K∗, ψ∗) as the encryptionof the k-th bit, and encrypt n`−k ones for the remaining bits. If (K∗, ψ∗) is an output of KEM.Encap(pkkem),the challenge vector of ciphertexts is just that in Game k, otherwise it is just that in Game k − 1. Finally,to answer A’s decryption query C = (ψ1, . . . , ψ`, T ), B can query (ψi,XVer(·, T )) (note that XVer(·, T ) is apredicate) to his own constrained decryption oracle if ψ∗ 6= ψi; B then replies to A with decrypted bit 0 iff Bgets ⊥ from its own oracle. The decryption is correct because B’s oracle outputs ⊥ iff the decapsulated keyis Ki = ⊥ or XVer(Ki, T ) = 0. If ψ∗ = ψi, B is not allowed to query his own oracle, but can instead respondto A with the output of XVer(K∗, T ) as the decrypted bit. This decryption is also correct with overwhelmingprobability for the following reasons: (1) If K∗ is the encapsulated key of ψ∗, then XVer(K∗, T ) = 1 anddecryption is correct. (2) If (K∗, ψ∗) is a random pair, then all the information leaked about K∗ is just thevery tag T ∗ that is computed by K∗ during the generation of some challenge ciphertext. The semi-uniquenessof XAC guarantees that T 6= T ∗, and the adversary’s corruption only reveals information about a re-sampledK∗. The security of XAC against substitution attacks shows that even if A knows T ∗ and all keys other thanK∗, then A forges a different tag T such that XVer(K∗, T ) = 1 with negligible probability. Therefore, B willalmost always respond to A with bit 0, which is the correct answer.

Proof. (Proof of Theorem 1.) For every ppt n-message sampler M, every ppt relation R, every stateful pptadversary A = (A1,A2,A3), we construct a stateful ppt simulator S = (S1,S2,S3) as follows (see also Figure6).

– S1 calls KeyGen to obtain (pk, sk). Then it calls ADec(·)1 (pk) to obtain α and the state a1. Note that S1

possesses sk and is able to provide a decryption oracle to A1. The view of A1 is exactly the same as thatin Expso-cca-realPKE,A,n,M,R(κ).

– Without the knowledge of m = (m[1], . . . ,m[n]), which is the output ofM(α), S2 generates the challengeciphertext vector c = (c[1], . . . , c[n]) with each c[i] being an encryption of ` ones, i.e.,

c[i] = Enc(pk, 1`; r[i]).

Then S2 calls ADec/∈c(·)2 (a1, c) to get the corruption set I and state a2. Recall that in ‘real’ experiment

Expso-cca-realPKE,A,n,M,R(κ), A2 receives encryptions of real messages m.

11

S1(1κ):(pk, sk)← KeyGen(1κ)

(α, a1)← ADec(·)1 (pk)

s1 ← (pk, sk, a1)Return(α, s1)

S2(s1, (1|m[i]|)i∈[n]):

pk = (pkkem,Kx, H)sk = (skkem, pk)For i = 1 to n

For j = 1 to `(K

(i)j , ψ

(i)j )← KEM.Enc(pkkem; rij)

(K(i)y1 , . . . ,K

(i)ys )← F (ψ

(i)1 , . . . , ψ

(i)` )

For j = 1 to sK

(i)`+j ← (Kxj ,K

(i)yj )

T (i) ← XAuth(K(i)1 , . . . ,K

(i)`+s)

c[i]← (ψ(i)1 , . . . , ψ

(i)` , T (i))

r[i]← (ri1, ri2, . . . , ri`)

k[i]← (K(i)1 , . . . ,K

(i)`+s)

c← (c[1], c[2], . . . , c[n])r← (r[1], r[2], . . . , r[n])k← (k[1],k[2], . . . ,k[n])

(I, a2)← ADec/∈c(·)2 (a1, c)

s2 ← (a2, c, r, k, s1)Return(I, s2)

S3(s2,m[I]):For i ∈ I do

c[i] = (ψ(i)1 , . . . , ψ

(i)` , T (i))

r[i] = (ri1, ri2, . . . , ri`)

k[i] = (K(i)1 , . . . ,K

(i)`+s)

For j = 1 to `If m[i][j] = 1 rij ← rij ;Elserc ← SampleC−1(C, ψ(i)

j )

K(i)j ← ReSamp(j, (K

(i)v )v 6=j , T

(i))

rk ← SampleK−1(K, K(i)j )

rij ← (rc, rk)

K(i)j ← K

(i)j

r[i]← (ri1, ri2, . . . , ri`)

outA ← ADec/∈c(·)3 (a2,m[I], r[I])

Return(outA)

Fig. 6. Construction of simulator S for Expso-cca-idealPKE,S,n,M,R(κ).

– S3 opens the challenge ciphertext vector (c[i])i∈I , where c[i] = (ψ(i)1 , . . . , ψ

(i)` , T (i)) = Enc(pk, 1`; r[i]),

according to the corrupted set of messages (m[i])i∈I .• If m[i][j] = 1, S3 opens with the original random coins;

• If m[i][j] = 0, S3 utilizes SampleC−1 to recover a properly distributed randomness for ψ(i)j , and

ReSamp to re-sample K(i)j so as to hide the real key K

(i)j , and then uses SampleK−1 to recover a

properly distributed randomness for K(i)j .

Finally, S3 collects the newly opened randomness r[I] and calls ADec/∈c(·)3 (a2,m[I], r[I]) to get the output

outputA as its own output.

The differences between the real and ideal experiments lie in two points. The first is how the challengeciphertext vector is generated. We formalize it by an algorithm Generate-c; the second is how the corruptedciphertexts are opened, which is formalized by an algorithm Open-c. These algorithms are shown in Figure7. In the proof, we focus on these two points, and proceed with a series of games starting with Game G−2and ending with Game Gn`, with adjacent games being proven to be computationally indistinguishable. Thefull set of games are illustrated in Figures 7 and 9.

Game G−2: This is the original real experiment Expso-cca-realPKE,A,n,M,R(κ). Here we elaborate how the challengeciphertext vector c is generated with algorithm Generate-c and how the randomness is opened withalgorithm Open-c. Let m←M(α). In fact, c is the output of Enc(pk,m; r) and c[I] is opened with thereal randomness r[I] that was used to compute c[I]. So

Pr[Expso-cca-realPKE,A,n,M,R(κ) = 1

]= Pr [G−2 = 1] . (1)

Game G−1: This game is the same as Game G−2 except for the way c[I] is opened. If m[i][j] = 0 fori ∈ I, j ∈ [`], we use SampleC−1 and SampleK−1 to obtain the randomness in Open-c. Then theoriginal rij used to encrypt m[i][j] = 0 does not need to be kept any more and we can set rij to be ⊥in Generate-c. This change makes no difference because both K and C are efficiently samplable andexplainable. Hence

Pr [G−1 = 1] = Pr [G−2 = 1] . (2)

Game G0: This game is the same as Game G−1 except for the way c[I] is opened. In case of m[i][j] = 0 for

i ∈ I, j ∈ [`], we do not use the original key K(i)j , which was used to create T (i), as the input of SampleK−1.

Instead, we use the ReSamp algorithm to re-sample a key K(i)j , i.e, K

(i)j ← ReSamp(j, (K

(i)v )v 6=j , T

(i)).

12

ExpPKE,A,n,M,R(κ): all games(pk, sk)← KeyGen(1κ)

(α, a1)← ADec(·)1 (pk)

m←M(α)(c, r, k)← Generate-c(pk,m)

(I, a2)← ADec/∈c(·)2 (a1, c)

r[I]← Open-c(I,m, c, r, k)

outA ← ADec/∈c(·)3 (a2,m[I], r[I])

return R(m, I, outA)

Generate-c(pk,m) G−2 G−1, G0

pk = (pkkem, (Kxj )j∈[s], F )For i = 1 to n

For j = 1 to `If m[i][j] = 1

(K(i)j , ψ

(i)j )← KEM.Enc(pkkem; rij)

ElseK

(i)j ← SampleK(K; r′ij)

ψ(i)j ← SampleC(C; r′′ij);

rij ← (r′ij , r′′ij); rij ←⊥

(K(i)y1 , . . . ,K

(i)ys )← F (ψ

(i)1 , . . . , ψ

(i)` )

For j = 1 to sK

(i)`+j ← (Kxj ,K

(i)yj )

T (i) ← XAuth(K(i)1 , . . . ,K

(i)`+s)

c[i]← (ψ(i)1 , . . . , ψ

(i)` , T (i))

r[i]← (ri1, ri2, . . . , ri`)

k[i]← (K(i)1 , . . . ,K

(i)`+s)

c← (c[1], c[2], . . . , c[n]); r← (r[1], r[2], . . . , r[n])k← (k[1],k[2], . . . ,k[n])Return( c, r, k)

Open-c(I,m, c, r, k) G−2

Return(r[I])

Open-c(I,m, c, r, k) G−1, G0 ∼ Gn`For i ∈ I do

c[i] = (ψ(i)1 , . . . , ψ

(i)` , T (i))

r[i] = (ri1, ri2, . . . , ri`)

k[i]← (K(i)1 , . . . ,K

(i)`+s)

For j = 1 to `If m[i][j] = 1 rij ← rij ;Else

K(i)j ← ReSamp(j, (K

(i)v )v 6=j , T

(i)); K(i)j ← K

(i)j

r′ij ← SampleK−1(K,K(i)j )

r′′ij ← SampleC−1(C, ψ(i)j )

rij ← (r′ij , r′′ij)

r[i]← (ri1, ri2, . . . , ri`)Return(r[I])

Dec 6=c(sk, (ψ1, . . . , ψ`, T )) G−2 ∼ Gn`If (ψ1, . . . , ψ`, T ) ∈ c Return(⊥)sk = (skkem, pk)For i = 1 to ` m′i ← 0(K′y1 , . . . ,K

′ys)← F (ψ1, . . . , ψ`)

For j = 1 to sK′`+j ← (Kxj ,K

′yj )

If∧sj=1 XVer(K

′`+j , T ) = 1

For i = 1 to `K′i ← KEM.Decap(skkem, ψi)If K′i =⊥, then m′i ← 0Else m′i ← XVer(K′i, T )}

Return(m′1||m′2|| . . . ,m′`)

Fig. 7. Games

The new key K(i)j is statistically δ(κ)-close to the real key K

(i)j , due to the δ(κ)-strongness of XAC. A

union bound gives

|Pr [G0 = 1]− Pr [G−1 = 1] | ≤ (n`)δ(κ). (3)

Game Gk: Here k ∈ {0, 1, . . . , n`}. Let k = (u − 1)` + w with u ∈ [n] and w ∈ {0, 1, . . . , ` − 1}, then eachk determines a unique pair (u,w). The difference between Gk and G0 is how the challenge ciphertextvector c is created in Generate-c. There are in total n` bits in m; denote them by b1, b2, . . . , bn`. In thisgame, c can be thought of as an encryption of bit-sequence 1kbk+1, . . . , bn`. More precisely, as in Figure9,

– (c[i])i∈[u−1] are all encryptions of ones, i.e., c[i] = Enc(pk, 1`; r[i]) for i ∈ [u− 1];

– For the u-th ciphertext cu = (ψ(u)1 , . . . , ψ

(u)` , T (u)), we have (K

(u)j , ψ

(u)j )← KEM.Enc(pkkem; ruj) for

j ∈ {0, 1, . . . , w}. The remaining (K(u)j , ψ

(u)j ) for j ∈ {w + 1, . . . , ` − 1} are generated according to

the value of m[u][j] as in Game G0. Finally T (u) is computed as T (u) ← XAuth(K(u)1 , . . . ,K

(u)`+s).

– The remaining ciphertexts c[i] for i ∈ {u+ 1, . . . , n} are generated according to the value of m[i] asin Game G0.

When k = n`, the game is exactly the environment provided by our S (as described above) in the idealexperiment. All we have to prove is that Game G0 and Gn` are computationally indistinguishable. Furtherwe have:

Pr [Gn` = 1]− Pr [G0 = 1] =

n∑k=1

Pr [Gk = 0]− Pr [Gk−1 = 1] . (4)

13

BDecap,LR(pkkem):u← [n]; w ← {0, 1, . . . , `− 1}k ← (u− 1)`+ wKx1 , . . . ,Kxs ← Kxpk = (pkkem, (Kxj )j∈[s], F )K∗ ←⊥; ψ∗ ←⊥(α, a1)← AB.Dec(·)

1 (pk)m←M(α)(c, r, k)← Gk.Generate-c(pk,m)If m[u][w] = 0 (K∗, ψ∗)← LR(pkkem, b

∗)

K(u)w ← K∗; ψ

(u)w ← ψ∗

(K(u)y1 , . . . ,K

(u)ys )← F (ψ

(u)1 , . . . , ψ

(u)` )

For j = 1 to s K(u)`+j ← (Kxj ,K

(u)yj )

T (u) ← XAuth(K(u)1 , . . . ,K

(u)`+s)

c[u]← (ψ(u)1 , . . . , ψ

(u)` , T (u))

(I, a2)← AB.Dec/∈c(·)2 (a1, c)

r[I]← Gk.Open-c(I,m, c, r, k)

outA ← AB.Dec/∈c(·)3 (a2,m[I], r[I])

return R(m, I, outA)

B.Dec(ψ1, . . . , ψ`, T ): B.Dec/∈c(ψ1, . . . , ψ`, T ) :

If (ψ1, . . . , ψ`, T ) ∈ c Return(⊥)

For i = 1 to ` m′i ← 0(K′y1 , . . . ,K

′ys)← F (ψ1, . . . , ψ`)

For j = 1 to sK′`+j ← (Kxj ,K

′yj )

If∧sj=1 XVer(K

′`+j , T ) = 1

For i = 1 to `If ψi = ψ∗ then m′i ← XVer(K∗, T )Else

K′i ← Decap(XVer(·, T ), ψi)if Ki =⊥, then m′i ← 0m′i ← XVer(K′i, T )

Return(m′1||m′2|| . . . ,m′`)

Decap(XVer(·, T ), ψ)K ← KEM.Decap(sk, ψ)If K =⊥ or XVer(K,T ) = 0 return (⊥);Otherwise return (K)

Fig. 8. Algorithm B, where Gk.Generate-c(pk,m) (resp.Gk.Open-c) is algorithm Generate-c (resp. Open-c) ingame Gk.

Generate-c(pk,m) Gk = G(u,w), k ∈ [n`]pk = (pkkem, (Kxj )j∈[s], F )For i = 1 to u− 1

For j = 1 to `(K

(i)j , ψ

(i)j )← KEM.Enc(pkkem; rij);

(K(i)y1 , . . . ,K

(i)ys )← F (ψ

(i)1 , . . . , ψ

(i)` )

For j = 1 to sK

(i)`+j ← (Kxj ,K

(i)yj )

T (i) ← XAuth(K(i)1 , . . . ,K

(i)`+s)

c[i]← (ψ(i)1 , . . . , ψ

(i)` , T (i))

r[i]← (ri1, ri2, . . . , ri`); k[i]← (K(i)1 , . . . ,K

(i)`+s)

For i = u doFor j = 1 to w

(K(u)j , ψ

(u)j )← KEM.Enc(pkkem; ruj);

For j = w + 1 to `If m[u][j] = 1

(K(u)j , ψ

(u)j )← KEM.Enc(pkkem; ruj)

Else K(u)j ← SampleK(K; r′uj);

ψ(u)j ← SampleC(C; r′′uj); ruj ←⊥

(K(u)y1 , . . . ,K

(u)ys )← F (ψ

(u)1 , . . . , ψ

(u)` )

For j = 1 to sK

(u)`+j ← (Kxj ,K

(u)yj )

T (u) ← XAuth(K(u)1 , . . . ,K

(u)`+s)

c[u]← (ψ(u)1 , . . . , ψ

(u)` , T (u))

r[u]← (ru1, ru2, . . . , ru`)

k[u]← (K(u)1 , . . . ,K

(u)`+s)

For i = u+ 1 to nFor j = 1 to `

If m[i][j] = 1

(K(i)j , ψ

(i)j )← KEM.Enc(pkkem; rij)

Else K(i)j ← SampleK(K; r′ij)

ψ(i)j ← SampleC(C; r′′ij); rij ←⊥

(K(i)y1 , . . . ,K

(i)ys )← F (ψ

(i)1 , . . . , ψ

(i)` )

For j = 1 to sK

(i)`+j ← (Kxj ,K

(i)yj )

T (i) ← XAuth(K(i)1 , . . . ,K

(i)`+s)

c[i]← (ψ(i)1 , . . . , ψ

(i)` , T (i))

r[i]← (ri1, ri2, . . . , ri`); k[i]← (K(i)1 , . . . ,K

(i)`+s)

c← (c[1], c[2], . . . , c[n]); r← (r[1], r[2], . . . , r[n])k← (k[1],k[2], . . . ,k[n])Return( c, r ,k )

Fig. 9. Generation of challenge ciphertext vector in Gk.

Let E(k)j be the event that m[u][w] = 0 with k = (u−1)`+w in Game Gj . Since E

(k)j is independent of j,

we have Pr[E

(k)0

]= Pr

[E

(k)1

]= · · ·Pr

[E

(k)n`

]. Therefore, we use E(k) to denote the event that m[u][w] = 1

for any game. If E(k) does not happen, i.e., m[u][w] = 1 where k = (u − 1)` + w, then the two adjacentGames Gk and Gk−1 are identical. Now:

Pr [Gk = 1]− Pr [Gk−1 = 1] = (Pr[Gk = 1 | E(k)

]Pr[E(k)

]+ Pr

[Gk = 1 | ¬E(k)

]Pr[¬E(k)

])

−(Pr[Gk−1 = 1 | E(k)

]Pr[E(k)

]+ Pr

[Gk−1 = 1 | ¬E(k)

]Pr[¬E(k)

])

=(

Pr[Gk = 1 | E(k)

]− Pr

[Gk−1 = 1 | E(k)

])Pr[E(k)

].

14

Then we have

Pr [Gn` = 1]− Pr [G0 = 1] =

n∑k=1

Pr [Gk = 0]− Pr [Gk−1 = 1]

=

n∑k=1

(Pr[Gk = 1 | E(k)

]− Pr

[Gk−1 = 1 | E(k)

])Pr[E(k)

]=

n∑k=1

(Pr[Gk = 1, E(k)

]− Pr

[Gk−1 = 1, E(k)

])(5)

The computational indistinguishability of G0 and Gn` will be proved based on the IND-tCCCA securityofKEM, and the security of XAC. Let B be an adversary in the IND-tCCCA experiment Exptccca−bKEM,B (κ).Now B is provided with a KEM public key pkkem, and has access to a constrained decapsulation oracle

Decap 6=ψ∗(·) and (effectively) a one-time encapsulation oracle LR(pkkem, b). If b = 1, LR(pkkem, b) will callKEM.Encap(pkkem) to output (K∗, ψ∗), a key and a valid ciphertext encapsulating the key. If b = 0, itchooses (K∗, ψ∗) from K×C uniformly at random. B is aiming to tell whether b = 0 or b = 1 after obtaining

(K∗, ψ∗) from LR(pkkem, b), while having access to a constrained decapsulation oracle Decap 6=ψ∗(·). Now Bcan be constructed as follow (see also Figure 8).

– B randomly chooses u ← [n] and w ← {0, 1, . . . , ` − 1}. Setting k = (u − 1)` + w, we have that k isuniformly distributed in [n`].

– B chooses Kx1, . . . ,Kxs ← Kx, an injective function F : C` → (Ky)s, and sets pk = (pkkem, (Kxj )j∈[s], F ).

– B providesA1 with a decryption oracle, denoted by B.Dec(·), with the help of its own constrained decapsu-

lation oracle Decap(·). Given a query C = (ψ1, . . . ψ`, T ), algorithm B.Dec verifies∧sj=1 XVer((Kxj ,K

′yj ), T ) =

1, where (K ′y1 , . . . ,K′ys) = F (ψ1, . . . , ψ`). If the verification fails, B returns ` zeros. Otherwise, the de-

cryption goes bitwise as follows. B queries its oracle Decap with (P,ψi), where the predicate P definedas

P (K) :=

{1 if XVer(K,T ) = 10 if XVer(K,T ) = 0 or K =⊥

If the output of Decap(·) is ⊥, B sets m′i = 0, otherwise B sets m′i = 1. Finally B returns (m′1, . . . ,m′`).

Note that B.Dec(·) functions exactly the same as the decryption oracle Dec(·).– B runs AB.Dec(·)

1 (pk) to get (α, a1) and uses α to sample a message vector m. There are in total n` bitsin m, denoted b1, b2, . . . , bn`. Then B computes c as follows.• if m[u][w] = 1, B will encrypt the n messages consisting of bit sequence 1kbk+1, . . . , bn` to get c. In

this case, c is exactly the output of algorithm Generate-c in Game Gk.• if m[u][w] = 0, B will obtain c by encrypting nmessages which constitute bit sequence 1k−1bbk+1, . . . , bn`

(notice the presence of B’s challenge bit b here). To do this, B queries LR(pkkem, b) to get (K∗, ψ∗)

and sets K(u)w := K∗ and ψ

(u)w := ψ∗ during the generation of c[u]. In this way, B embeds his own

challenge in the creation of c. If (K∗, ψ∗) is the output of LR(pkkem, 1), then B implicitly setsbk = b = 1. Otherwise bk = b = 0. Consequently, the challenge ciphertext vector c is just the outputof algorithm Generate-c in Game Gk−1 or Gk depending on b = 0 or b = 1.

– B uses B.Dec/∈c(·) to answer decryption queries from A2. Algorithm B.Dec/∈c(·) is almost the same asB.Dec(·) (see Figure 8) but with the restriction that the queried ciphertext C = (ψ1, . . . , ψ`, T ) does not

appear in c. Recall that B has its own constrained decryption oracle Decap/∈c(skkem, ·). This enables Bto simulate the decryption oracle for A2 so long as ψ∗ /∈ {ψ1, . . . , ψ`}. However, if ψ∗ ∈ {ψ1, . . . , ψ`},say ψj = ψ∗, then B computes m′j = XVer(K∗, T ) instead. Next it runs AB.Dec/∈c(·)

2 (a1, c) to obtain thecorruption set I and state a2.

– B calls the Open-c algorithm in Game Gk (which is the same algorithm in all games G0 – Gn`) to obtainthe randomness r[I].

– B runs AB.Dec/∈c(·)3 (a2,m[I], r[I]) to get the output outA.

– B returns R(m, I, outA).

Let Bk denote algorithm B running in Game Gk for a fixed k. (Recall that k = (u− 1)`+ w was chosenfrom [n`] uniformly at random by B at the start of its simulation.) We will show that Bk almost perfectly

15

simulates Game Gk or Gk−1 for A depending on the value of m[u][w] and B’s own challenge (K∗, ψ∗).Observe that B.Dec(·) functions exactly the same as Dec(·). If m[u][w] = 1, Bk is exactly the same as Gk.If m[u][w] = 0, Bk will be the same as Gk when b = 1 and Gk−1 when b = 0, as long as B.Dec/∈c(·) canperfectly simulate the decryption oracle Dec/∈c(·). However, there is a difference between B.Dec/∈c(·) andDec/∈c(·). Below we show that this difference has negligible influence due to the security properties of XAC.

Claim 1 Suppose that m[u][w] = 0 in Bk, where k = (u − 1)n + w. If b = 1, then the output of algorithmB.Dec/∈c(·) is exactly the same as that of decryption algorithm Dec/∈c(·). If b = 0, algorithm B.Dec/∈c(·)functions identically to decryption algorithm Dec/∈c(·) except with probability at most

(`qd)(η(κ) + Advimp

XAC(κ) + AdvsubXAC(κ)).

Proof. Let C = (ψ1, . . . , ψ`, T ) denote a decryption query from A. Clearly C /∈ c. Let (K ′y1 , . . . ,K′ys) =

F (ψ1, . . . , ψ`). If∧sj=1 XVer((Kxj ,K

′yj ), T ) = 0, both algorithms Dec/∈c(·) and B.Dec/∈c(·) will output (m′1, . . . ,m

′`) =

(0, . . . , 0). From now on, we assume that∧sj=1 XVer((Kxj ,K

′yj ), T ) = 1. Then it follows that T 6= T (i) for all

i ∈ [n] by Lemma 2.

Next both algorithms Dec/∈c(·) and B.Dec/∈c(·) will decrypt C = (ψ1, . . . , ψ`, T ) bitwise to recover themessage (m′1, . . . ,m

′`). Recall that Dec/∈c(·) sets m′i = 0 iff the decapsulated key KEM.Decap(ψi) =⊥ or

XVer(KEM.Decap(ψi), T ) = 0. As for how B.Dec/∈c(·) determines m′i, we consider two cases.

– Case ψ∗ 6= ψi: B.Dec/∈c(·) will query the constrained decapsulation oracle Decap/∈c(·) with (P (·) =

XVer(·, T ), ψi). B.Dec/∈c outputs the bitm′i = 0 iff Decap/∈c returns⊥, and this happens when KEM.Decap(ψi)outputs ⊥ or XVer(KEM.Decap(ψi), T ) = 0. Hence, in this case, B.Dec/∈c(·) functions exactly as Dec/∈c(·)does.

– Case ψ∗ = ψi, B.Dec/∈c(·) simply computes m′i := XVer(K∗, T ). We further consider two sub-cases.

• Case b = 1: Then (K∗, ψ∗) is the output of B’s encryption oracle LR(pkkem, 1), thus K∗ is theencapsulated key of ψ∗, i.e. K∗ = KEM.Decap(skkem, ψ

∗). Consequently, the decrypted bit m′i :=XVer(K∗, T ) is exactly the same as the bit m′i output by Dec/∈c(·).

• Case b = 0: Then (K∗, ψ∗) is the output of B’s encryption oracle LR(pkkem, 0). Hence bothK∗ and ψ∗

are uniformly chosen. In this case, Dec/∈c(·) outputs m′i = 0 except with probability η(κ)+AdvimpXAC(κ),

according to the decryption correctness of PKE.

On the other hand, B.Dec/∈c(·) outputs m′i := XVer(K∗, T ). Recall that T 6= T (u), so XVer(K∗, T ) =0 except with probability AdvsubXAC(κ), due to the security of XAC against substitution attacks.More precisely, K∗ is uniformly chosen from K, and all information leaked about K∗ is given

by T (u) = XAuth(K(u)1 , . . . ,K

(u)w = K∗, . . . ,K

(u)` ) in the challenge ciphertext c[u] and K

(u)w =

ReSamp(w, (K(u)v )v∈[`+s],v 6=w, T

(u)) by the Open-c algorithm. However, algorithm Open-c did not

expose the real key K(u)w = K∗ and what it revealed is a fake key K

(u)w . The fake key is the output

of ReSamp on input (K(u)v )v 6=w and T (u), hence is redundant and does not leak more information

beyond (K(u)v )v 6=w and T (u). Consequently, the security of XAC against substitution attacks shows

that XVer(K∗, T ) = 0 except with probability AdvsubXAC(κ), even conditioned on the knowledge of T (u)

and (K(u)v )v 6=w.

Hence B.Dec/∈c(·) outputs an m′i different from that output by B.Dec/∈c(·) with probability at most

η(κ) +AdvimpXAC(κ) +AdvsubXAC(κ). The lemma follows by applying the union bound, since the plaintext

has ` bits and there are qd decryption queries. (End of proof of Claim 1.)

Let Errk denote the event that there exists a decryption query C to which B.Dec/∈c(·) replies differentlyfrom Dec/∈c(·) in Bk. According to the proof of Claim 1, we know that Errk occurs only when b = 0 andm[u][w] = 0; moreover

Pr [Errk | m[u][w] = 0, b = 0] ≤ (`qd)(η(κ) + Advimp

XAC(κ) + AdvsubXAC(κ)). (6)

16

Let B = b′ (respectively Bk = b′) denote that algorithm B (respectively Bk) returns bit b′. Let E(k)

denote the event that m[u][w] = 0 with k = (u− 1)`+ w in Bk. The advantage of B is given by

AdvtcccaKEM,B(κ) = Pr [B = 1 | b = 1]− Pr [B = 1 | b = 0]

=1

n`

n∑k=1

(Pr[Bk = 1, E(k) | b = 1

]− Pr

[Bk = 1, E(k) | b = 0

])(7)

=1

n`Pr[E(k)

] n∑k=1

(Pr[Bk = 1 | E(k), b = 1

]− Pr

[Bk = 1 | E(k), b = 0

])(8)

=Pr[E(k)

]n`

n∑k=1

(Pr[Gk = 1 | E(k)

]− Pr

[Bk = 1,Errk | E(k), b = 0

]−Pr

[Bk = 1,Errk | E(k), b = 0

])(9)

=1

n`

n∑k=1

Pr[Gk = 1, E(k)

]− 1

n`Pr[E(k)

] n∑k=1

Pr[Bk = 1 | Errk, E(k), b = 0

]· Pr

[Errk | E(k), b = 0

]− 1

n`Pr[E(k)

] n∑k=1

Pr[Bk = 1 | Errk, E(k), b = 0

]· Pr

[Errk | E(k), b = 0

]=

1

n`

n∑k=1

(Pr[Gk = 1, E(k)

]− Pr

[Gk−1 = 1, E(k)

]· Pr

[Errk | E(k), b = 0

])− 1

n`

n∑k=1

Pr[E(k)

]· Pr

[Bk = 1 | Errk, E(k), b = 0

]· Pr

[Errk | E(k), b = 0

](10)

≥ 1

n`

n∑k=1

(Pr[Gk = 1, E(k)

]− Pr

[Gk−1 = 1, E(k)

])−max

kPr[Errk | E(k), b = 0

](11)

Eqn. (7) follows from the fact that the output of Bk is independent of b if E(k) does not occur. Eqn. (8)follows from that E(k) and b are independent of each other. Eqn. (9) follows from the fact that Bk perfectlysimulates Gk if b = 1 and E(k) occurs. Eqn. (10) is due to the fact that Bk perfectly simulates Gk−1 whenb = 0 and Errk does not occur. According to (5), (6) and (11), we have

Pr [Gn` = 1] − Pr [G0 = 1] =

n∑k=1

(Pr[Gk = 1, E(k)

]− Pr

[Gk−1 = 1, E(k)

])≤ n` · AdvtcccaKEM,B(κ) + n`2qd · η(κ) + n`2qd · Advimp

XAC(κ) + n`2qd · AdvsubXAC(κ) (12)

Combining (1), (2), (3) and (12), we have

Advso-ccaPKE,A,S,n,M,R(κ) = |Pr [Gn` = 1]− Pr [G−2 = 1] |≤ |Pr [Gn` = 1]− Pr [G0 = 1] |+ |Pr [G0 = 1]− Pr [G−2 = 1] |≤ n` · AdvtcccaKEM,B(κ) + n`2qd · AdvsubXAC(κ) + n`2qd · Advimp

XAC(κ) + n`2qd · η(κ) + n` · δ(κ) (13)

from which the theorem follows. ut

The security of our modified construction using CR hash functions (see Figure 5) is stated in the followingtheorem, whose proof is similar to that of Theorem 1.

Theorem 2 Suppose KEM is a tailored KEM, the (`+1)-cross-authentication code XAC is δ(κ)-strong, semi-unique, and secure against impersonation and substitution attacks, and H is collision-resistant. Then thePKE scheme PKE’ constructed in Figure 5 is SIM-SO-CCA secure. More precisely, for every ppt adversaryA = (A1,A2,A3) against PKE’ in the SIM-SO-CCA real experiment that makes at most qd decryption

17

queries, for every ppt n-message sampler M, and every ppt relation R, we can construct a stateful pptsimulator S = (S1,S2,S3) for the ideal experiment, a ppt adversary B against the IND-tCCCA security ofKEM, and a ppt algorithm F against the collision-resistance of H such that:

Advso-ccaPKE’,A,S,n,M,R(κ) ≤ n` · AdvtcccaKEM,B(κ) + n`2qd ·(AdvsubXAC(κ) + Advimp

XAC(κ) + η(κ))

+ n` · δ(κ) + AdvcrH,F (κ).

5 Instantiations

In this section, we explore three different constructions of tailored KEMs, each suitable for the applicationof Theorems 1 and 2. The first is based on any Strongly Universal2 hash proof system, the second is a directconstruction relying on the n-Linear Assumption and a target collision-resistant hash function (see AppendixB for definitions), while the third uses indistinguishability obfuscation.

5.1 Strongly Universal2 Hash Proof Systems

We use hash proof systems [8] to build tailored KEMs suitable for application in our main theorem.Let Ψ ⊂ C be a language. The hardness of the subset membership problem for Ψ with respect to C

requires that a random element from Ψ is indistinguishable from a random element from C. Let K be a setand Λsk : C → K be a hash function indexed with sk ∈ SK. Then Λsk is said to be projective if there existsa map µ : SK → PK such that µ(sk) ∈ PK defines the action of Λsk on the subset Ψ ; µ is then said to be aprojection on subset Ψ .

A hash proof system (HPS) HPS consists of three algorithms (HPS.param, HPS.pub, HPS.priv). Therandomized algorithm HPS.param(1κ) outputs params = (G, C, Ψ,PK,SK, Λ, µ), where G is a group. Thesecret key sk is randomly chosen from SK, and the public key is computed as pk = µ(sk) where µ isa projection on Ψ . Algorithm HPS.Pub(pk, ψ,w) is given the public key pk, an element ψ ∈ Ψ and itswitness w, and outputs an encapsulated key K = HPS.Pub(pk, ψ,w) such that K = Λsk(ψ). AlgorithmHPS.Priv(sk, ψ) recovers K = Λsk(ψ) using sk.

The Strongly Universal2 (SU2) property of an HPS characterizes the unpredictability of Λsk(ψ) forψ ∈ C \ Ψ .

Definition 7 Let HPS = (HPS.param,HPS.pub,HPS.priv) be a hash proof system. Then HPS is said to beSU2 if

Pr [Λsk(ψ) = K | pk = µ(sk), ψ′,K ′ = Λsk(ψ′)] = 1/|K|,

for all pk ∈ PK, all ψ,ψ′ ∈ C \ Ψ with ψ′ 6= ψ and all K,K ′ ∈ K, where the probability is taken oversk ← SK.

Given that HPS is an SU2 HPS, a KEM KEM can be constructed as shown in Figure 10. The outputparams of HPS.param is used as a set of public parameters implicitly used as input in the algorithms of KEM.Notice that the valid ciphertext set for KEM is Ψ .

KEM.Kg(1κ):sk ← SKpk = µ(sk).Return (pk, sk)

KEM.Encap(pk):ψ ← Ψ with witness wK ← HPS.Pub(pk, ψ,w)Return(K,ψ)

KEM.Decap(sk, ψ):

K ← HPS.Priv(sk, ψ)

Return(K)

Fig. 10. Construction of a KEM from an SU2 hash proof system.

Theorem 3 Let HPS be an SU2 HPS with params = (G, C, Ψ,PK,SK, Λ, µ). Suppose the subset membershipproblem is hard for Ψ with respect to C. Then the KEM KEM constructed from HPS as shown in Figure10 is IND-tCCCA secure. Furthermore, if Ψ is sparse in C, and both C and K are efficiently samplable andexplainable, then KEM is a tailored KEM.

18

Proof. It was already proved in [16] that the SU2 property and the hardness of the subset membershipproblem for Ψ with respect to C implies the IND-CCCA security of KEM. On the other hand, public andsecret key pairs can be generated independently from C and Ψ and the subset membership problem holdseven if the secret key is known to the adversary. More precisely, when an adversary B is given ψ and triesto distinguish whether ψ is randomly chosen from Ψ or C, it can establish a VCI experiment for a VCIadversary A as follows: first call (pk, sk) ←KEM.Kg(1κ) and use sk to answer decryption queries. B givespk to A and gives ψ as the challenge ciphertext. Finally B outputs whatever A returns. It is clear that Bhas the same advantage as A. This implies that the VCI property holds for KEM under the hardness of thesubset membership problem. Then IND-tCCCA security follows from Lemma 1.

The SU2 property of HPS implies that

Pr [KEM.Decap(sk, ψ) = K] = Pr [HPS.Priv(sk, ψ) = K] =1

|K|

for all invalid ciphertexts ψ ∈ C \ Ψ , all K ∈ K, and all pk = µ(sk), where the probability is taken oversk ← SK. Then

Pr [KEM.Decap(sk, ψ) = K | ψ ← C] = Pr [KEM.Decap(sk, ψ) = K | ψ ∈ Ψ ] · |Ψ ||C|

+ Pr [KEM.Decap(sk, ψ) = K | ψ ∈ C \ Ψ ] ·(

1− |Ψ ||C|

)= Pr [KEM.Decap(sk, ψ) = K | ψ ∈ Ψ ] · |Ψ |

|C|+

1

|K|·(

1− |Ψ ||C|

)≤ |Ψ ||C|

+1

|K|.

Noting that Pr [KEM.Decap(sk, ψ) = K | ψ ∈ Ψ ] lies between 0 and 1, it follows that the statistical dis-tance between KEM.Decap(sk, ψ) (when ψ is uniformly selected from C) and the uniform distribution is atmost |Ψ |/|C|, which is negligible due to the sparseness of Ψ . This establishes that KEM.Decap has tailoredfunctionality.

Finally, KEM is a tailored KEM because it has samplable and explainable domains C and K, it has IND-tCCCA security, and KEM.Decap has tailored functionality. ut

Remark 1. . As pointed out in [12], both DDH-based and DCR-based HPS could have samplable and ex-plainable platform groups. For example, we can choose the subgroup of order q in Z∗p (with p = 2q + 1) asthe DDH group, and choose Z∗N2 as the DCR group.

5.2 Tailored KEM Based on n-Linear Assumption

Let G(1κ) be a group generator, that is, a ppt algorithm which outputs (G, g, p) where G is a group of primeorder p (having κ bits) and g a generator of G.

Definition 8 The n-Linear Assumption for G(1κ) states that for all ppt adversaries B, the advantage of Bdefined below is negligible.

Advn-linB (κ) :=∣∣∣Pr

[B(g1, . . . , gn, g

r11 , . . . , g

rnn , h, h

∑ni=1 ri) = 1

]− Pr [B(g1, . . . , gn, g

r11 , . . . , g

rnn , h, hz) = 1]

∣∣∣,where (G, g, p)← G(1κ), (gi)i∈[n], h← G and (ri)i∈[n], z ← Zp.

In [16], Hofheiz and Kiltz presented a KEM based on the n-Linear Assumption for a group generatorG(1κ) and a target collision-resistant hash function, and proved its IND-CCCA security. We replicate thealgorithms of this KEM in Figure 11. Note that this construction does not fall into the category of HPS-basedKEMs.

Lemma 3. If the n-Linear Assumption holds for G(1κ), and TCR is target collision-resistant, then theHofheinz-Kiltz KEM in Fig. 11 is IND-tCCCA secure.

Proof. In view of the results of [16] and Lemma 1, we need only prove that the KEM in Figure 11 has theVCI property.

Given an adversary A winning the VCI experiment with non-negligible probability, we can construct a pptalgorithm B solving the n-Linear problem with help of A with non-negligible probability. Let (g1, . . . , gn, g

r11 ,

. . . , grnn , h,K∗) be a challenge instance from the n-Linear problem, where K∗ = h∑ni=1 ri or K∗ is a random

element from G. Here, B simulates the VCI experiment for A using its input (gr11 , . . . , grnn , h,K∗).

19

KEM.Kg(1κ):

b← Zp; h← gb

For i = 1 to nai, αi, βi ← Zpgi ← gai ; ωi = a−1

i bui ← gαii ; vi ← gβii

pk = (h, (gi, ui, vi)i∈[n])sk ←

((αi, βi, ωi)i∈[n], pk

)Return (pk, sk)

KEM.Encap(pk):For i = 1 to nri ← Zp; ci ← grii

t = TCR(c1, . . . , cn)π ←

∏ni=1(utivi)

ri

K ← hr1+...+rn

ψ ← (c1, . . . , cn, π)Return(K,ψ)

KEM.Decap(sk, ψ):For i = 1 to n

Check if ci ∈ Gt = TCR(c1, . . . , cm)If∏ni=1 c

αit+βii 6= π

Return (⊥)K ←

∏ni=1 c

ωii

Return(K)

Fig. 11. KEM from n-Linear Assumption [16].

– B chooses (xi, yi)i∈[n], z, z′ ← Z∗p, and computes ui = gxii h

z and vi = gyii hz′ for i ∈ [n]. B sets pk =(

(gi, ui, vi)i∈[n], h). All the elements in pk is randomly distributed, as in the real VCI experiment. Here

B implicitly sets sk =((αi, βi, ωi)i∈[n], pk

)with αi = xi + ωiz, βi = yi + ωiz

′ and ωi = loggi h.– B computes the challenge ciphertext ψ∗ = (c∗1, . . . , c

∗n, π

∗) for A, where c∗i := grii for i ∈ [n], t∗ =

TCR(c∗1, . . . , c∗n) and π∗ = (K∗)zt

∗+z′∏ni=1(c∗i )

xit∗+yi .

• If K∗ = h∑ni=1 r

∗i , we have π∗ =

∏ni=1

(ut∗

i vi)ri

. Hence ψ∗ is just a valid ciphertext output by theKEM’s encapsulation algorithm with randomness (ri)i∈[n].

• If K∗ is random, then π∗ is also random, so that ψ∗ is uniformly distributed in C = Gn.– B uses

((xi, yi)i∈[n], z, z

′) to answer A’s constrained decryption queries (P,ψ). Let ψ = (c1, . . . , cn, π).We have that t = TCR(c1, . . . , cn) 6= t∗ due to the target-collision resistance of TCR. B computes

K =

(π∏n

i=1 cxit+yii

)1/(zt+z′)

. If P (K) = 1 then B returns K; otherwise B returns ⊥.

• If ψ is consistent, i.e., ψ satisfies∏ni=1 c

αit+βii = π, then π = h(zt+z

′)∑ni=1 r

′i ·∏ni=1 c

xit+yii , where

t = TCR(c1, . . . , cn) and r′i = loggi ci. Then K = h∑ni=1 r

′i is exactly the encapsulated key. Thus the

correct K is returned to A when P (K) = 1.

• If ψ is NOT consistent, then π 6=∏ni=1 c

αit+βii . Let β = logg π, ω = logg h, ai = logg gi, and

r′i = loggi ci. Then γ := β−∑ni=1 air

′i(αit+βi) 6= 0. Consequently, loggK = γ/(zt+ z′) +ω

∑ni=1 r

′i.

The following 2n + 2 equations in 2n + 2 unknowns ((xi, yi)i∈[n], z, z′) are linearly independent, as

long as t 6= t∗, which is guaranteed by the target-collision resistance of TCR:

logg ui = aixi + ωz i = 1, 2, . . . , n

logg vi = aiyi + ωz′ i = 1, 2, . . . , n

logg π∗ =

n∑i=1

airi(t∗xi + yi) + (loggK

∗) · (t∗z + z′)

γ

(loggK − ω

n∑i=1

r′i

)−1= zt+ z′.

This establishes that zt + z′ is uniformly distributed over Zp. Therefore, loggK is uniformly dis-tributed over Zp and the predicate P satisfies P (K) = 0 except with negligible probability. As aresult, ψ will be correctly rejected (due to the failed predicate) except with negligible probability.

Hence, B provides an almost perfect decryption oracle toA as long as t 6= t∗, for all queried encapsulationsψ 6= ψ∗.

– Eventually, B returns what A returns.

Finally, A’s non-negligible advantage in the VCI game is converted into B’s non-negligible advantage inbreaking the n-Linear Assumption. ut

Theorem 4. Suppose that the n-Linear Assumption holds for G(1κ), and TCR is target collision-resistant.If groups G output by G(1κ) are samplable and explainable, then the KEM in Figure 11 is a tailored KEM.

Proof. We note that the ciphertext space C equals Gn+1 and the encapsulated key space K equals G. If groupG is samplable and explainable, so are C and K.

Next, we have |C| = pn+1. For a valid ciphertext ψ = (c1, . . . , cn, π), we note that π is uniquely determinedby c1, . . . , cn and pk. Therefore, the valid ciphertext set |Ψ | has size pn. Consequently, a random ciphertext

20

KEM.Kg(1κ):k ← PGen(1κ)pk ← iO(Encap(k, ·))sk ← kReturn (pk, sk)

KEM.Encap(pk):r ← {0, 1}κ(K,ψ)← iO(Encap(k, r))Return(K,ψ)

KEM.Decap(sk, ψ):k ← skK ← PEval(k, ψ)Return(K)

Fig. 12. Sahai-Waters KEM from iO and Puncturable PRF [23].

Encap(k, r):ψ ← PRG(r)K ← PEval(k, ψ)Return(K,ψ)

Fig. 13. Program of Encap.

from Gn+1 passes the verification test π =∏ni=1 c

αit+βii in the decapsulation algorithm with negligible

probability 1/p. Therefore, the decapsulation algorithm has tailored functionality.Together with Lemma 3, it follows that the KEM in Figure 11 is a tailored, and therefore suitable for

the application of Theorem 1.

5.3 Tailored KEM Based on Indistinguishability Obfuscation and Puncturable PRF

Background definitions for this construction can be found in [23] and Appendix C.Sahai and Waters [23] gave a KEM construction from an indistinguishability obfuscator (iO) and a

puncturable PRF, as shown in Figure 12. Their construction makes use of a Pseudo-Random Generator(PRG) PRG : {0, 1}κ → {0, 1}2κ and a puncturable PRF family PRF = (PGen,PEval,Punc) whose functionsmap {0, 1}2κ to {0, 1}κ. We assume that (descriptions of) PRG and PRF are implicitly part of the inputs toKEM.Kg, KEM.Decap in Figure 12 and Encap in Figure 13.

The ciphertext space of the KEM is C = {0, 1}2κ, the valid ciphertext set is Ψ = {ψ | ψ = PRG(r); r ∈{0, 1}κ}, and the key space is K = {0, 1}κ. Obviously, both of C and K are efficiently samplable and explain-able with SampleC−1(C, ψ) := ψ and SampleK−1(K,K) := K.

Lemma 5 If iO(·) is an indistinguishability obfuscator for P/poly, PRG is a secure PRG, and PRF is apuncturable PRF, then the Sahai-Waters KEM in Figure 12 is IND-tCCCA secure.

Proof. In [23], the Sahai-Waters KEM was proved to be IND-CCA secure, so it is obviously IND-CCCAsecure.

Next we prove the VCI property, based on the security of PRG. If there is a ppt adversary A that candistinguish a random ciphertext from a random valid ciphertext with non-negligible probability, then we canconstruct a ppt algorithm B that breaks the security of PRG. Suppose B is given an element ψ∗ and triesto decide whether ψ∗ is the output of PRG or a randomly chosen element from C. B will simulate a VCIexperiment for A. It first chooses a puncturable PRF PRF and calls KEM.Kg(1κ) to generate (pk, sk). Thepublic key pk is given to A. Then B gives ψ∗ as the challenge encapsulation to A. Using the secret key sk andalgorithm PEval, B is able to provide a (constrained) decryption oracle for A. Finally, B outputs whateverA outputs. Then it is easy to see that A’s non-negligible advantage in the VCI security game results in anon-negligible advantage for B in breaking the security of PRG.

The IND-CCCA security and VCI property in combination with Lemma 1 establish that the Sahai-WatersKEM in Figure 12 has IND-tCCCA security. ut

Extracting puncturable PRFs are a strengthening of puncturable PRFs introduced in [23]; essentially, anextracting puncturable PRF acts as a strong extractor on its inputs.

Definition 9 (Extracting puncturable PRF) Let ε(·) and hmin(·) be functions. A puncturable PRFfamily PRF=(PGen, PEval, Punc) mapping {0, 1}`1(κ) to {0, 1}`2(κ) is said to be extracting with error ε(κ) formin-entropy function hmin(κ) if for all κ ∈ N and for all random variables X on {0, 1}`1(κ) with min-entropygreater than hmin(κ), the statistical distance between (k,PEval(k,X)) and (k, U`2(κ)) is at most ε(κ), where

k ← PGen(1κ) and U`2(κ) denotes the uniform distribution over {0, 1}`2(κ). The family PRF is said to beextracting puncturable if the error ε(κ) is negligible (for some choice of function hmin).

The existence of extracting puncturable PRFs is implied by the existence of one-way functions, as wasproved in [23]:

Lemma 4. [23] Assume that one-way functions exist. Then for all efficiently computable functions `1(κ),`2(κ), e(κ) and hmin(κ) such that `1(κ) ≥ hmin(κ) ≥ `2(κ)+2e(κ)+2, there exists an extracting puncturablePRF family PRF = (PGen,PEval,Punc) mapping {0, 1}`1(κ) to {0, 1}`2(κ) with error function ε(κ) = 2−e(κ)

and min-entropy function hmin(κ).

21

Lemma 6 If PRF is an extracting puncturable PRF obtained from Lemma 4, then the decapsulation algo-rithm KEM.Decap of the Sahai-Waters KEM in Figure 12 has tailored functionality.

Proof. We show that the output of PRF(sk, ψ) is statistically close to the uniform distribution on {0, 1}κ solong as ψ is chosen from C uniformly at random, and the puncturable PRF satisfies the bounds in Lemma 4.

Recall that PRF maps 2κ bits to κ bits. When ψ is randomly chosen from {0, 1}2κ, the min-entropy of ψis 2κ. According to Lemma 4, the statistical distance between (k,PEval(k, ψ)) and (k, Uκ) is upper-boundedby 2−(κ/2−1), where k ← PGen(1κ) and Uκ is the uniform distribution over {0, 1}κ. Hence, KEM.Decap has2−(κ/2−1)-tailored functionality. ut

Theorem 7. If iO(·) is an indistinguishability obfuscator for P/poly, PRG is a secure PRG, and PRF is anextracting puncturable PRF, then the Sahai-Waters KEM in Figure 12 is a tailored KEM.

Proof. The fact that the KEM in Figure 12 is a tailored KEM follows immediately from Lemma 5, Lemma6 and the fact that C = {0, 1}2κ and K = {0, 1}κ are efficiently samplable and explainable.

The existence of one-way functions implies the existence of PRGs and extracting puncturable PRFs.Hence the existence of one-way functions and iO implies the existence of a tailored KEM by the abovetheorem. Such a tailored KEM can further be used to build a PKE scheme encrypting ` bits at a timewith the help of an information-theoretically secure (`+ s)-XAC (for suitable parameter s), by following theconstruction in Figure 4; the SIM-SO-CCA security of the PKE scheme follows from Theorem 1. Thus weobtain the following corollary:

Corollary 8 Suppose one-way functions and indistinguishability obfuscation for P/poly exist. Then thereexists a PKE scheme with SIM-SO-CCA security.

Acknowledgements

This work was done while Shengli Liu visited Prof. Kenneth G. Paterson’s research group at Royal Hol-loway, University of London. The first author was supported by the National Natural Science Foundationof China (Grant No. 61170229 and 61373153), the Specialized Research Fund for the Doctoral Program ofHigher Education (Grant No. 20110073110016), and the Scientific innovation projects of Shanghai Educa-tion Committee (Grant No. 12ZZ021). The second author was supported by EPSRC Leadership FellowshipEP/H005455/1 and by EPSRC Grant EP/L018543/1.

References

1. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibilityof obfuscating programs. In: Kilian, J. (ed.) Advances in Cryptology - CRYPTO 2001, 21st Annual InternationalCryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings. LNCS, vol. 2139, pp.1–18. Springer (2001), http://dx.doi.org/10.1007/3-540-44647-8_1

2. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibilityof obfuscating programs. J. ACM 59(2), 6 (2012), http://doi.acm.org/10.1145/2160158.2160159

3. Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secureunder selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer (2009)

4. Bellare, M., Waters, B., Yilek, S.: Identity-based encryption secure against selective opening attack. In: Ishai,Y. (ed.) Theory of Cryptography - 8th Theory of Cryptography Conference, TCC 2011, Providence, RI, USA,March 28-30, 2011. Proceedings. LNCS, vol. 6597, pp. 235–252. Springer (2011), http://dx.doi.org/10.1007/978-3-642-19571-6_15

5. Bohl, F., Hofheinz, D., Kraschewski, D.: On definitions of selective opening security. In: Fischlin, M., Buchmann,J., Manulis, M. (eds.) Public Key Cryptography - PKC 2012 - 15th International Conference on Practice andTheory in Public Key Cryptography, Darmstadt, Germany, May 21-23, 2012. Proceedings. LNCS, vol. 7293, pp.522–539. Springer (2012), http://dx.doi.org/10.1007/978-3-642-30057-8_31

6. Canetti, R., Dwork, C., Naor, M., Ostrovsky, R.: Deniable encryption. In: Jr., B.S.K. (ed.) Advances in Cryptology- CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21,1997, Proceedings. LNCS, vol. 1294, pp. 90–104. Springer (1997), http://dx.doi.org/10.1007/BFb0052229

7. Canetti, R., Feige, U., Goldreich, O., Naor, M.: Adaptively secure multi-party computation. In: Miller, G.L.(ed.) Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia,Pennsylvania, USA, May 22-24, 1996. pp. 639–648. ACM (1996), http://doi.acm.org/10.1145/237814.238015

22

8. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-keyencryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer (2002)

9. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adap-tive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (Jan 2004), http://dx.doi.org/10.1137/

S0097539702403773

10. Damgard, I., Nielsen, J.B.: Improved non-committing encryption schemes based on a general complexity as-sumption. In: Bellare, M. (ed.) Advances in Cryptology - CRYPTO 2000, 20th Annual International CryptologyConference, Santa Barbara, California, USA, August 20-24, 2000, Proceedings. LNCS, vol. 1880, pp. 432–450.Springer (2000), http://dx.doi.org/10.1007/3-540-44598-6_27

11. Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.J.: Magic functions. J. ACM 50(6), 852–921 (2003), http://doi.acm.org/10.1145/950620.950623

12. Fehr, S., Hofheinz, D., Kiltz, E., Wee, H.: Encryption schemes secure against chosen-ciphertext selective openingattacks. In: Gilbert, H. (ed.) Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conferenceon the Theory and Applications of Cryptographic Techniques, French Riviera, May 30 - June 3, 2010. Proceedings.LNCS, vol. 6110, pp. 381–402. Springer (2010), http://dx.doi.org/10.1007/978-3-642-13190-5_20

13. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscationand functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science,FOCS 2013, 26-29 October, 2013, Berkeley, CA, USA. pp. 40–49. IEEE Computer Society (2013), http://doi.ieeecomputersociety.org/10.1109/FOCS.2013.13

14. Hemenway, B., Libert, B., Ostrovsky, R., Vergnaud, D.: Lossy encryption: Constructions from general assumptionsand efficient selective opening chosen ciphertext security. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS,vol. 7073, pp. 70–88. Springer (2011)

15. Hofheinz, D.: All-but-many lossy trapdoor functions. In: Pointcheval, D., Johansson, T. (eds.) EURO-CRYPT 2012. LNCS, vol. 7237, pp. 209–227. Springer (2012)

16. Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes, A. (ed.)CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer (2007)

17. Hofheinz, D., Rupp, A.: Standard versus selective opening security: Separation and equivalence results. In: Lindell,Y. (ed.) Theory of Cryptography - 11th Theory of Cryptography Conference, TCC 2014, San Diego, CA, USA,February 24-26, 2014. Proceedings. Lecture Notes in Computer Science, vol. 8349, pp. 591–615. Springer (2014),http://dx.doi.org/10.1007/978-3-642-54242-8_25

18. Huang, Z., Liu, S., Qin, B.: Sender-equivocable encryption schemes secure against chosen-ciphertext attacksrevisited. In: Kurosawa, K., Hanaoka, G. (eds.) Public-Key Cryptography - PKC 2013 - 16th InternationalConference on Practice and Theory in Public-Key Cryptography, Nara, Japan, February 26 - March 1, 2013.Proceedings. Lecture Notes in Computer Science, vol. 7778, pp. 369–385. Springer (2013), http://dx.doi.org/10.1007/978-3-642-36362-7_23

19. Huang, Z., Liu, S., Qin, B., Chen, K.: Fixing the sender-equivocable encryption scheme in eurocrypt 2010. In: 20135th International Conference on Intelligent Networking and Collaborative Systems, Xi’an city, Shaanxi province,China, September 9-11, 2013. pp. 366–372. IEEE (2013), http://dx.doi.org/10.1109/INCoS.2013.69

20. Katz, J., Ostrovsky, R.: Round-optimal secure two-party computation. In: Franklin, M.K. (ed.) Advances inCryptology - CRYPTO 2004, 24th Annual International CryptologyConference, Santa Barbara, California, USA,August 15-19, 2004, Proceedings. LNCS, vol. 3152, pp. 335–354. Springer (2004), http://dx.doi.org/10.1007/978-3-540-28628-8_21

21. Lai, J., Deng, R.H., Liu, S., Weng, J., Zhao, Y.: Identity-based encryption secure against selective opening chosen-ciphertext attack. In: Nguyen, P.Q., Oswald, E. (eds.) Advances in Cryptology - EUROCRYPT 2014 - 33rdAnnual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen,Denmark, May 11-15, 2014. Proceedings. Lecture Notes in Computer Science, vol. 8441, pp. 77–92. Springer(2014), http://dx.doi.org/10.1007/978-3-642-55220-5_5

22. Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Dwork, C. (ed.) STOC 2008. pp.187–196. ACM (2008)

23. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys,D.B. (ed.) Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31 - June 03, 2014. pp.475–484. ACM (2014), http://doi.acm.org/10.1145/2591796.2591825

A CCCA security for KEMs

A chosen-ciphertext attack against a KEM [9] allows an adversary to query a decapsulation oracle Decap(·),(which runs KEM.Decap) on any input ψ 6= ψ∗ where (K ′, ψ∗) is given to the adversary, ψ∗ is an encapsulationof K∗ and K ′ is either K∗ or random. In a relaxed version of chosen-ciphertext attacks [16], the adversary

is allowed to query a constrained decapsulation oracle Decap(·) only if it has some a priori knowledge aboutthe decapsulated key, which can be characterized by a ppt Boolean predicate P : K ∪ {⊥} → {0, 1} (for

23

simplicity, we put ⊥ into the domain and define P (⊥) = 0). The constrained decapsulation oracle Decap(·)replies with K for a query ψ if and only if P (K) = 1 where K ← KEM.Decap(sk, ψ).

Constrained CCA security for a KEM (KEM.Kg,KEM.Enc,KEM.Dec) is formalised using the securityexperiment shown in Figure 14.

Expccca−bKEM,A (κ) :

(pk, sk)← KEM.Kg(1κ)K∗0 ← K, (K∗1 , ψ

∗)← KEM.Encap(pk)

b← ADecap 6=ψ∗ (·)(pk,K∗b , ψ∗)

Return(b)

Decap 6=ψ∗(P,ψ)If ψ = ψ∗ return (⊥)K ← KEM.Decap(sk, ψ)If P (K) = 0 return (⊥);Else return (K)

Fig. 14. CCCA security experiment for KEMs.

The advantage of an adversary A in the CCCA experiment is defined as

AdvcccaKEM,A(κ) :=∣∣∣Pr[Expccca−0KEM,A(κ) = 1

]− Pr

[Expccca−1KEM,A(κ) = 1

]∣∣∣ .Now let qd denote the number of decapsulation queries made by A. The uncertainty of A measures the

average fraction of keys for which the evaluation of predicate Pi(·) is equal to 1 in the CCCA experiment,where Pi is the predicate used in the i-th query by A, i.e.,

uncertA(κ) :=1

qd

qd∑i=1

Pr [Pi(K) = 1] .

Definition 10 (IND-CCCA Security [16]) The KEM KEM is secure against constrained chosen cipher-text attacks (IND-CCCA secure) if for all ppt adversaries A such that uncertA(κ) is negligible (in κ), theadvantage AdvcccaKEM,A(κ) is also negligible in κ.

B (Target) Collision Resistant Hash Functions

Definition 11 (CR hash function) Let H be a family of hash functions associated with two ppt algorithms(HGen, HEval). On input a security parameter κ, HGen outputs a (description of a) function H : Dκ → Rκ.Algorithm HEval, on input an element x ∈ Dκ, outputs H(x) ∈ Rκ. Then H is collision-resistant if for allppt algorithms B the following advantage is negligible in κ:

AdvcrH,B(κ) := Pr [x′ 6= x ∧H(x′) = H(x) | H ← HGen(1κ), (x, x′)← B(H)] .

Definition 12 (TCR hash function) Let H be a family of hash functions associated with two ppt al-gorithms (HGen, HEval). The security notion of target collision-resistance (TCR) requires that for all pptalgorithms B the following advantage is negligible in κ:

AdvtcrH,B(κ) := Pr [x′ 6= x ∧H(x′) = H(x) | H ← HGen(1κ), x← Dκ, x′ ← B(H,x)] .

C Indistinguishability Obfuscation (iO) and Puncturable PRFs

Indistinguishability Obfuscation (iO) was proposed in [1, 2]. Informally, it requires that the obfuscations oftwo distinct but equal-sized programs, which implement identical functionality, are computationally indistin-guishable. The first candidate construction for iO for polynomial-sized circuits was given in [13]. We followthe formal definitions in [23].

Definition 13 (Indistinguishability Obfuscation (iO) for P/poly [23]) Let κ be a security parameter.A uniform ppt machine iO is called an indistinguishability obfuscator for a circuit class Circκ if the followingtwo conditions are satisfied.

24

Exppunc−bPRF,A (κ) :

(σ, S)← A1(1κ); k ← PGen(1κ); kS ← Punc(k, S)y1 = PEval(k, S); y0 ← {0, 1}|S|`1(κ); b′ ← A2(σ, kS , S, yb)Return(b′)

Fig. 15. Experiment for defining punctured PRF pseudo-randomness.

– Identical functionality: For all κ ∈ N, for all C ∈ Circκ, on input (1κ,C), iO outputs equal-sizedcircuits all having functionality identical to C, i.e, for all inputs x,

Pr [C′(x) = C(x) | C′ ← iO(1κ,C)] = 1.

– Indistinguishability: For all (not necessarily uniform) ppt stateful adversaries D = (D1,D2), thereexists a negligible function ε(κ) satisfying the following condition. Suppose that for all x

Pr [C0(x) = C1(x) | (C0,C1, σ)← D1(1κ)] > 1− ε(κ).

Then

|Pr [D2(σ, iO(κ,C0) = 1 | (C0,C1, σ)← D1(1κ)]

− Pr [D2(σ, iO(κ,C1) = 1 | (C0,C1, σ)← D1(1κ)] | ≤ ε(κ).

A uniform ppt machine iO is called an indistinguishability obfuscator for P/poly if iO is an indistinguisha-bility obfuscator for the class of circuits of size at most κ.

Definition 14 (Puncturable PRF) A puncturable family of PRFs PRF is indexed by k, parameterizedby computable functions (`1(κ), `2(κ)), and consists of three ppt algorithms (PGen,PEval,Punc). AlgorithmPGen(1κ) samples a random key k, PEval(k, x) computes the function PRFk(·), which maps {0, 1}`1(κ) to{0, 1}`2(κ), and PPunc(k, S) takes as input the index k and a polynomial-sized set S of inputs and outputs apunctured key kS. The following conditions are satisfied:

– Functionality preserved under puncturing. For all ppt adversaries A, for all polynomial-sizedsubsets S ⊆ {0, 1}`1(κ) given by S ← A(1κ), for all x ∈ {0, 1}`1(κ) \ S, we have that

Pr [PEval(k, x) = PEval(kS , x) | k ← PGen(1κ), kS ← Punc(k, S)] = 1.

– Pseudo-random at punctured points. For all stateful ppt adversaries A = (A1,A2), define theadvantage of A against the punctured pseudo-randomness of PRF to be

AdvpuncPRF,A(κ) :=∣∣∣Pr[Exppunc−0PRF,A (κ) = 1

]− Pr

[Exppunc−1PRF,A (κ) = 1

]∣∣∣where Exppunc−bPRF,A (κ) is defined in Figure 15. Then AdvpuncPRF,A(κ) is negligible.

25